What are the equivalent OpenID Connect and SAML actors/roles?

Question

I’m having trouble understanding OpenID Connect actors/roles. I’m coming from using SAML. In the scenario I’m familiar with, the Service Provider is a web application with protected resources and the Identity Provider server is where users authenticate. With SAML, the typical client is a web browser although SAML also has the ECP profile where a non-browser client (such as a native application) can be used. I understand how all of those pieces work and their various flows.

I’m trying to apply that same understanding to OpenID Connect. My understanding is the OpenID Provider is the same as the Identity Provider. But what about the other pieces? Is the Service Provider the Relying Party? What’s the client then? The OpenID Connect documentation substitutes "Relying Party" with "client" and that’s throwing me off.

To me, coming from SAML, a client is either a web browser or, in the case of ECP, a native or mobile application. So what role is that kind of client in the OpenID Connect world?

Since OpenID Connect is built on OAuth, I've familiarzed myself with it but that hasn't cleared up this SAML to OpenID Connect confusion. Any help would be greatly appreciated. Thanks!

Answer 1

The term "Client" is a generic name that is inherited from OAuth 2.0 for an entity that requests, receives and uses tokens. OpenID Connect builds on top of that but since there's an identity token in play now, the Client is also called Relying Party.

The Relying Party (or Client) is really the same as the SAML Service Provider and the ECP, being the entity that relies on the IDP to provide user identity to it.

The Relying Party (or Client) can be any of a web application, a native application or mobile application.