Let’s start by defining SAML (Security Assertion Markup Language)
SAML (Security Assertion Markup Language) is a standard protocol for exchanging user authentication and authorization data across computer systems.
In a nutshell, SAML allows users to access numerous web apps with a single login by utilizing credentials from one application to authenticate with another. When a user registers into a SAML-enabled application, the application sends an authentication request to the user's identity provider (IDP). So, SAML operates by exchanging authentication information in a certain format between two parties, often an identity provider (idP) and a web application.
Why do organizations need SAML? What benefits does it yield?
While there are many benefits to this type of encryption, we are listing 2 main pain points that SML deals successfully with:
1. Increasing the level of cyber security and reducing the attack surface
Since user credentials are never directly exchanged across apps, SAML provides a more secure method of handling user authentication and authorization. Instead, SAML sends a sequence of encrypted communications between the user's identity provider (IDP) and the application to transfer authentication and authorization data. This aids in the prevention of identity theft, man-in-the-middle attacks, and other security flaws.
2. Single Sign On (SSO) as a feature
SAML provides Single sign-on (SSO) across various apps, allowing users to access all of their approved applications with a single login. This enhances the user experience by eliminating the need for users to remember numerous usernames and passwords. SSO also makes it easier for IT departments to manage user access and authorization by allowing them to govern and monitor user access from a single location.
At this point, it is wise to discuss what exactly SSO does and why this handshake protocol is such a prominent feature that it basically floods the web. Unlike password vaults, where you can use the same login and password using password vaulting, but you must input them each time you access a different program or website. The password vaulting system simply stores your credentials for each application and inserts them as needed. The apps and the password vaulting system have no established trust relationship.
SSO, or Single Sign-On, allows you to log in once and access all company-approved applications and websites without having to log in again. This is the convenience of tracking via a token and securing connections on the go.
What is the difference between SAML and OIDC?
Both are protocols used for web-based authentication and authorization. That is what makes the two similar.
OIDC (OpenID Connect) is a standard used in online applications for user authentication and authorization. It is built on top of the OAuth 2.0 authorization framework, which gives safe access to APIs and other resources and includes an authentication layer that allows users to log in to a web application using their current social network or email accounts.
The two major distinctions between these protocols are:
- 1. Scope of applicability
The Relying Party (RP) and the IdP, like in SAML, must exchange metadata before they may communicate. The basic information-sharing requirements for OIDC, on the other hand, are quite straightforward. Both sides must agree on potential scopes, the IdP must issue the RP a secret and client-ID, and the RP must reveal the endpoint where codes and/or tokens will be received.
- 2. User Experience
OIDC allows users to specify how much information they wish to share with an application. For example, an application may merely request the user's email address rather of their whole profile. This creates a win-win situation between the user and the program: the application receives what it needs to improve the user's experience, and the user just has to provide a minimum of personal information.
Both SAML and OIDC have made a big impact on the way web applications communicate. The level of security these protocols apply to the web are a standard that everyone using the web adheres to.
While focusing on the differences may be difficult, it is not appropriate to recommend one over the other, ie. to always start with SAML vs OIDC and have the capacity to extend to other protocols.