SAML vs OAuth vs OIDC OpenID

When devising a plan to keep data and identities secure, IT administrators and security analysts must first select the protocol or framework to deploy to keep federated identity, or the means of connecting a person's electronic identity and attributes, safe.

The benefit of a single sign-on (SSO) account is that employees can log in once to an application or network and not need to keep logging in to different applications or networks throughout the duration of the workday. 

While this is certainly convenient for employees—making them more productive because they do not have to remember multiple passwords—it is also convenient for IT. With fewer passwords registered in the system, the identity and access management (IAM) platform responsible for managing employees' credentials can help make it more manageable.

However, it is no easy decision. The two top contenders in the federation process are Security Assertion Markup Language (SAML) and open authorization (OAuth). Let us take a look at these technologies more closely, and figure out when to use SAML vs. OAuth vs. OpenID Connect (OIDC) technology.

Security Assertion Markup Language (SAML) is a protocol that lets an identity provider (IdP) transmit a user's credentials to a service provider (SP) to both authenticate and authorize that user to access a service. SAML simplifies password management and enables SSO. It is helpful for enterprises because employees access more and more applications to carry out their jobs. In fact, according to a study by Okta, large companies use an average of 129 software apps and nearly 10% of businesses deploy more than 200 applications in their enterprise IT systems.

Managing passwords for hundreds of applications used by hundreds or even thousands of employees can be extremely challenging. SAML comes to the rescue by offering enterprises a single sign-on protocol.

OAuth 2.0 is a standard for secure authorization. It provides secure delegated access and does this by giving access tokens to third-party services without exposing user credentials. However, it only authorizes—it does not authenticate. For authentication, the OpenID Connect (OIDC) standard is used. Identity providers, or those that create and manage identities, use OIDC so users can first sign in with their IdP and then access applications without having to log in and share credentials.  

Although open authorization performs better on mobile devices, largely because it is built on the more lightweight JSON open standard file format for encoding data, it is not robust enough for enterprise use, especially since it only authorizes users and does not authenticate them.   

Although SAML may seem superior in enterprise settings, there are some scenarios where OAuth makes sense.

1. Identity management for a government application: Use SAML. The confidential, sensitive nature of government data needs the strongest security possible. 
2. User experience is a priority: Use OAuth. It performs better on mobile.
3. Mobile and consumer applications: Use OAuth. It performs better on mobile, and consumer login sessions tend to be shorter.
4. Virtual desktop infrastructure (VDI) implementation: Use SAML. The VDI will be used by a number of employees within the enterprise.
5. Temporary access is needed for resources: Use OAuth. It is more lightweight.

SAML and OAuth can be used together. A SAML assertion and an OAuth token can both be used to access a protected resource.

OAuth can provide authorization to a protected resource, such as a set of files. It does not authenticate the user and does not allow the user to access all parts of an application—only certain ones. As for OIDCC vs.SAML both are protocols for federated authentication or the verification of the link between an identity and its attributes. OAuth can be used simultaneously with either authentication standard. 

The Fortinet IAM solution allows IT administrators to securely confirm the identities of users and devices as they enter the corporate network and interact with devices and applications. IAM is critical for organizations that have adopted the zero-trust networking philosophy, which states that no one should be trusted unless their identity has been verified. 

The Fortinet IAM, which includes FortiAuthenticator and FortiToken, allows organizations to control and manage identity at all times. This ensures that authenticated users are authorized to access the right devices, applications, and systems at the right time, while protecting against unauthorized access. In this case, SAML, OAuth, and OpenID Connect doesn't matter as all three are are used in Fortinet SSO and Fortinet IAM.