Ganesh Balakrishnan

Reputation: 11

Question on OpenID Connect, SAML and OAuth

The authentication will basically be used for API calls, where the customer's system will be calling the API in our products.

Below are the questions:

- Can we use SAML for authentication in web services?
- What changes will be required in the product to upgrade it from OAuth 2.0 to OpenID-based authentication?

Upvotes: 1

Views: 122

Answers (2)

rbrayb

Reputation: 46720

No, you cannot use SAML to call web services, i.e. a REST API.

REST API requires a JWT whereas SAML produces a SAML token.

There is a SAML profile (bearer token) that allows you to swap a SAML token for a JWT, but that is not yet widely implemented.

Upvotes: 1

MvdD

Reputation: 23436

OAuth2 is a protocol that allows a software application (called client) to get an access token to call an API on behalf of a user.

As part of that protocol, the authorization server needs to authenticate the user (to make sure it is delegating access to the correct resources).

The authorization server can do this by verifying the user's credentials (username and password, MFA token, etc.), or it can delegate this to another identity provider. In the latter case, the SAML2 protocol is often used to delegate authentication to an external identity provider.

OpenID Connect is an extension on top of OAuth2 that gives the client an ID token telling it who the user actually is (the access token does not necessarily contain the user's name, for example) and when they signed in. It also provides some session management, like log out, etc.

If your application uses a standard library for OAuth2, it may already support OpenID Connect. Whether your authorization server supports SAML-based federation depends on the product you're using.

Upvotes: 0
