Reputation: 5801
I want to use single sign-on and am totally confused about what to use after reading so many articles about both of these standards (SAML 2.0 and OIDC). I have a basic idea of how they work but am not sure which is best in terms of security.
My specific doubt is that the hybrid flow of OpenID Connect is less secure, as it sends the id_token and access_token along with the auth_code, which can expose these tokens to user agents. The hybrid flow is generally used for SSO (single sign-on).
Is OIDC as strong as SAML in the case of SSO?
Upvotes: 0
Views: 1856
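The question's concern is that in the hybrid flow the id_token and access_token travel through the user agent together with the authorization code. What the OpenID Connect Core specification does about that is require the id_token to carry `at_hash` and `c_hash` claims that bind it to the access token and code it was issued with, so a relying party that validates the id_token (signature, issuer, audience, nonce, expiry) and then checks those two hashes will reject a response in which either artifact has been swapped. The following is an added example of those relying-party checks, not code from the question or from any answer: the issuer, client id, signing secret, subject, code and token values are all constructed, and HS256 with a shared secret stands in for the asymmetric keys a real provider would publish through its JWKS endpoint.

```python
"""Relying-party validation of an OIDC hybrid-flow response (added example).

Everything below is constructed for illustration: the issuer, client id,
shared secret, and every token value. A real provider signs with RS256/ES256
keys fetched from its JWKS endpoint; HS256 is used here only to keep the
example dependency-free.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"                # constructed
CLIENT_ID = "my-relying-party"               # constructed
SHARED_SECRET = b"constructed-demo-secret"    # constructed; never a real deployment choice


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def left_half_hash(value: str) -> str:
    """at_hash / c_hash as defined in OIDC Core 3.3.2.11: base64url of the
    left-most half of the hash over the ASCII octets of the value, using the
    hash of the id_token's alg (HS256 -> SHA-256)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWS, standing in for the provider's real signer."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def idp_hybrid_response(nonce: str, now: int = None) -> dict:
    """What a provider returns in the URL fragment for response_type
    'code id_token token' (constructed values)."""
    now = int(time.time()) if now is None else now
    code = "SplxlOBeZQQYbYS6WxSbIA"                       # constructed
    access_token = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl_WO4ejJt"  # constructed
    id_token = sign_jwt({
        "iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
        "iat": now, "exp": now + 300, "nonce": nonce,
        "at_hash": left_half_hash(access_token),  # binds this id_token to the access token
        "c_hash": left_half_hash(code),           # binds this id_token to the code
    })
    return {"code": code, "access_token": access_token, "id_token": id_token}


def verify_hybrid_response(resp: dict, expected_nonce: str, now: int = None) -> dict:
    """Relying-party side: validate the id_token, then confirm it vouches for
    the code and access token that arrived next to it. Returns the claims or
    raises ValueError."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = resp["id_token"].split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never accept 'none' or whatever the token announces.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    # Hybrid-flow specific: a substituted code or access token fails here.
    if not hmac.compare_digest(claims.get("c_hash", ""), left_half_hash(resp["code"])):
        raise ValueError("code does not match c_hash")
    if not hmac.compare_digest(claims.get("at_hash", ""), left_half_hash(resp["access_token"])):
        raise ValueError("access_token does not match at_hash")
    return claims


if __name__ == "__main__":
    nonce = "n-0S6_WzA2Mj"  # constructed; a real RP generates this per login and stores it in the session
    resp = idp_hybrid_response(nonce)
    print("valid response ->", verify_hybrid_response(resp, nonce)["sub"])
    try:
        verify_hybrid_response(dict(resp, access_token="swapped-token"), nonce)
    except ValueError as e:
        print("swapped access_token ->", e)
```

The point for the SSO decision is that the front-channel exposure the question worries about is only dangerous if the relying party skips these checks; the same reasoning applies to a SAML response, where the XML signature and `InResponseTo`/`Audience` checks play the equivalent role.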
Reputation: 69250
OpenID Connect is more modern and supports more scenarios. SAML2 is older and has more widespread support on various platforms and cloud offerings.
I'd go with OpenID Connect for anything new.
In any case, I would recommend that you use an existing software stack for whichever alternative you choose. Writing a correct SAML2 or OpenID Connect implementation is hard.
Upvotes: 6
Reputation: 46700
Totally agree with @anders and @Hans - don't roll your own.
I don't think one is less secure than the other.
OIDC / OAuth has four main flows and some are more secure than others - resource owner password probably being the least secure.
Facebook / Google / Twitter etc. all use OIDC.
Salesforce / Workday etc. all use SAML.
They wouldn't do this if the protocols weren't secure.
Probably a better question is which one is best for your use case.
Upvotes: 2