dewijones92

Reputation: 1359

What can SAML 2.0 do that OpenID Connect can not?

I have spent days researching both technologies but I am still confused.
Thanks

Upvotes: 0

Views: 111

Answers (1)

Anders Abel

Reputation: 69250

SAML 2.0 is an older standard, invented before single page applications, REST APIs and mobile phone apps. It focuses on web application single sign-on and single sign-out.

OpenID Connect does web apps too, but adds support for SPAs and mobile apps and handles API security. So in many ways OIDC is the more capable of them.

There are however some things that SAML2 can do that are not in OIDC:

  1. Federations, where one central entity presents an aggregated metadata file containing information about many Identity Providers and applications (Service Providers). InCommon in the US is one. The new European eID system eIDAS is a SAML2 federation too.
  2. IdP-initiated sign-on, where the IdP is a kind of application portal. Note that this opens up session pinning attacks and is sometimes not appropriate to allow.
  3. Application (Service Provider / Relying Party) metadata that allows the IdP to be configured by importing metadata describing the application.

Note that API security is offered in the SAML2 specs, through the ECP profile but hardly anyone uses it and there are very few implementations.

Upvotes: 3
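To make points 1, 2 and 3 of the answer above concrete, here is an added example that is not part of the original answer and not code by its author. It parses a constructed SAML 2.0 federation aggregate (one EntitiesDescriptor holding an IdP and an SP, the shape a federation operator publishes and an SP or IdP imports), and then applies the InResponseTo check an SP uses to tell an SP-initiated response from an unsolicited, IdP-initiated one. All entityIDs, URLs, request IDs and the sample Response documents are invented for illustration; signature verification, clock checks and audience checks are deliberately outside the scope of the example.

```python
"""Added example: SAML 2.0 aggregate metadata parsing and the InResponseTo check.

Everything here is constructed for illustration (entityIDs, URLs, request IDs).
Standard library only; a real SP should parse untrusted XML with defusedxml and
verify the signature on the metadata before trusting any endpoint it contains.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed federation aggregate: one IdP and one SP under a single
# EntitiesDescriptor. Real federations carry hundreds of entities and sign it.
FEDERATION_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/sso/redirect"/>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.edu/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://app.example.org/sp">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://app.example.org/saml/acs" index="0" isDefault="true"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed Responses: one answering an AuthnRequest we issued, one unsolicited.
SOLICITED_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_resp1" Version="2.0" InResponseTo="_req123" '
    'IssueInstant="2024-01-01T00:00:00Z"/>'
)
UNSOLICITED_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>'
)


def parse_federation_metadata(xml_text):
    """Return {entityID: {"role": "IdP"|"SP", "endpoints": {binding: location}, ...}}.

    IdPs publish SingleSignOnService endpoints, SPs publish
    AssertionConsumerService endpoints; both sides are configured by import
    from the same aggregate instead of by hand.
    """
    root = ET.fromstring(xml_text)
    entities = {}
    for ed in root.iterfind("md:EntityDescriptor", NS):
        entity_id = ed.get("entityID")
        idp = ed.find("md:IDPSSODescriptor", NS)
        sp = ed.find("md:SPSSODescriptor", NS)
        if idp is not None:
            eps = idp.iterfind("md:SingleSignOnService", NS)
            entities[entity_id] = {
                "role": "IdP",
                "endpoints": {e.get("Binding"): e.get("Location") for e in eps},
            }
        elif sp is not None:
            eps = sp.iterfind("md:AssertionConsumerService", NS)
            entities[entity_id] = {
                "role": "SP",
                "endpoints": {e.get("Binding"): e.get("Location") for e in eps},
                "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
            }
    return entities


def check_response_correlation(response_xml, outstanding_ids, allow_idp_initiated=False):
    """Decide whether a samlp:Response may be accepted, based on InResponseTo.

    outstanding_ids holds the AuthnRequest IDs this SP issued and has not yet
    seen answered (server-side, or bound to the browser session). A Response
    that names one of them is SP-initiated and the ID is consumed so the same
    Response cannot be replayed. A Response without InResponseTo is
    IdP-initiated (unsolicited): nothing ties it to a login this browser
    started, which is what enables session pinning, so it is accepted only
    when the SP has opted in. Returns (accepted, reason).
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if allow_idp_initiated:
            return True, "unsolicited response accepted (IdP-initiated)"
        return False, "unsolicited response rejected"
    if in_response_to in outstanding_ids:
        outstanding_ids.discard(in_response_to)
        return True, "matches outstanding request"
    return False, "InResponseTo does not match any outstanding request"


if __name__ == "__main__":
    for eid, info in parse_federation_metadata(FEDERATION_METADATA).items():
        print(eid, info["role"], info["endpoints"])
    pending = {"_req123"}
    print(check_response_correlation(SOLICITED_RESPONSE, pending))
    print(check_response_correlation(SOLICITED_RESPONSE, pending))   # replay
    print(check_response_correlation(UNSOLICITED_RESPONSE, pending))
```

Two design points matter here: the outstanding-request set is consumed on a match, so a captured Response cannot be presented twice, and IdP-initiated acceptance is an explicit flag rather than the default, which is the posture the answer's warning about session pinning argues for. If you do enable it, bind the resulting session to the assertion subject and never to whatever session cookie the browser already carried in.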
