Choose SAML
For legacy enterprise apps, established B2B partnerships, and when compliance specifically requires it. SAML Guide →
SAML vs OAuth vs OIDC - Complete Comparison Guide for 2024
THE EXECUTIVE SUMMARY
SAML is the enterprise SSO standard (XML-based, mature). OAuth 2.0 is for API authorization (JSON-based, modern). OIDC adds authentication to OAuth 2.0 and is replacing SAML for new implementations.
The Travel Analogy: SAML is like an old-school paper passport with visa stamps—detailed, formal, and universally accepted for decades. OAuth 2.0 is like a hotel keycard—it grants access to specific rooms but doesn’t prove your identity. OIDC is like a modern digital passport on your phone—lightweight, verifiable, and contains your identity plus access credentials.
At-a-Glance Comparison
Section titled “At-a-Glance Comparison”| Feature | SAML 2.0 | OAuth 2.0 | OpenID Connect |
|---|---|---|---|
| Year Released | 2005 | 2012 | 2014 |
| Primary Purpose | SSO / Authentication | Authorization | Authentication + Authorization |
| Data Format | XML | JSON | JSON (JWT) |
| Token Type | SAML Assertion | Access Token | ID Token + Access Token |
| Transport | HTTP POST / Redirect | HTTP Headers (Bearer) | HTTP Headers (Bearer) |
| Signature Algorithm | XML DSig (RSA-SHA256) | JWT Signature (RS256/HS256) | JWT Signature (RS256/HS256) |
| Mobile Support | ❌ Poor (XML parsing) | ✅ Excellent | ✅ Excellent |
| API Integration | ❌ Not designed for APIs | ✅ Primary use case | ✅ Excellent |
| Enterprise Adoption | ✅ Dominant | ✅ Growing | ✅ Rapidly growing |
| Learning Curve | Steep | Moderate | Moderate |
Understanding SAML 2.0
Section titled “Understanding SAML 2.0”Security Assertion Markup Language (SAML) 2.0 has been the enterprise SSO standard for nearly 20 years. It was designed before mobile apps and REST APIs existed.
How SAML Works
Section titled “How SAML Works”1
User Accesses Service Provider (SP)
User tries to access Salesforce (the SP). Salesforce doesn’t have the user’s session.
2
SP Redirects to Identity Provider (IdP)
Salesforce generates a SAML Request (AuthnRequest) and redirects user to Okta (the IdP).
3
User Authenticates at IdP
Okta challenges the user (password, MFA). Once verified, Okta creates a SAML Assertion.
4
IdP Sends SAML Response to SP
The signed SAML Assertion (XML) is POSTed back to Salesforce via the user’s browser.
5
SP Validates and Creates Session
Salesforce validates the signature, checks conditions, and creates a local session for the user.
SAML Assertion Structure
Section titled “SAML Assertion Structure”A SAML Assertion contains three key sections:
<saml:Assertion> <!-- 1. Subject: WHO is this user? --> <saml:Subject> <saml:NameID>jane.doe@company.com</saml:NameID> </saml:Subject>
<!-- 2. Conditions: WHEN is this valid? --> <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z"> <saml:AudienceRestriction> <saml:Audience>https://salesforce.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions>
<!-- 3. Attributes: WHAT do we know about them? --> <saml:AttributeStatement> <saml:Attribute Name="firstName"> <saml:AttributeValue>Jane</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="department"> <saml:AttributeValue>Engineering</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement></saml:Assertion>When to Use SAML
Section titled “When to Use SAML”✅ Use SAML when:
- Integrating with legacy enterprise apps (Salesforce, Workday, ServiceNow)
- Your IdP and SPs only support SAML
- You need mature, battle-tested SSO
- Compliance requires it (some regulations reference SAML specifically)
❌ Avoid SAML when:
- Building mobile or single-page apps (XML is heavy)
- You need API authorization
- Starting a greenfield project (use OIDC instead)
Understanding OAuth 2.0
Section titled “Understanding OAuth 2.0”OAuth 2.0 solved a different problem: delegated authorization. It allows apps to access resources on behalf of users without sharing passwords.
OAuth 2.0 Is NOT for Authentication
Section titled “OAuth 2.0 Is NOT for Authentication”This is the most common misconception:
| ❌ What OAuth 2.0 Tells You | ✅ What OAuth 2.0 Actually Does |
|---|---|
| "Bearer of this token can read photos" | |
| "Access is authorized for scope X" | |
| "Token expires in 3600 seconds” |
OAuth 2.0 Flows
Section titled “OAuth 2.0 Flows”| Flow | Use Case | Security Level |
|---|---|---|
| Authorization Code | Web apps with backend | ✅ High |
| Authorization Code + PKCE | Mobile apps, SPAs | ✅ High |
| Client Credentials | Machine-to-machine | ✅ High |
| Device Code | Smart TVs, CLI tools | ✅ Moderate |
| ❌ Deprecated | ❌ Insecure | |
| ❌ Deprecated | ❌ Insecure |
When to Use OAuth 2.0 (Alone)
Section titled “When to Use OAuth 2.0 (Alone)”✅ Use OAuth 2.0 when:
- Authorizing API access without user identity
- Machine-to-machine communication (Client Credentials)
- Third-party integrations (Slack bot posting to channels)
❌ Avoid using OAuth 2.0 alone when:
- You need to know WHO the user is (use OIDC)
- Implementing user login (use OIDC)
Understanding OpenID Connect
Section titled “Understanding OpenID Connect”OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. It answers: “Who is this user?”
OIDC = OAuth 2.0 + Identity
Section titled “OIDC = OAuth 2.0 + Identity”| OAuth 2.0 Only | OIDC Adds |
|---|---|
| Access Token | ID Token (JWT with user identity) |
| resource scopes | openid, profile, email scopes |
| Token endpoint | UserInfo endpoint |
| - | Discovery (.well-known/openid-configuration) |
| - | Standard claims (sub, name, email) |
The ID Token
Section titled “The ID Token”The ID Token is a signed JWT proving user identity:
{ "iss": "https://idp.example.com", "sub": "user-12345", "aud": "your-client-id", "exp": 1735142400, "iat": 1735138800, "auth_time": 1735138795, "nonce": "abc123", "name": "Jane Doe", "email": "jane@example.com", "email_verified": true}When to Use OpenID Connect
Section titled “When to Use OpenID Connect”✅ Use OIDC when:
- Implementing user login (SSO)
- You need user profile information
- Building modern web/mobile apps
- Replacing SAML in new projects
- “Login with Google/Microsoft/Okta”
Side-by-Side Protocol Comparison
Section titled “Side-by-Side Protocol Comparison”SAML Assertion (XML):
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Subject> <saml:NameID>jane@company.com</saml:NameID> </saml:Subject> <ds:Signature>...</ds:Signature></saml:Assertion>- Verbose XML format
- ~2-10 KB typical size
- Requires XML parser
OIDC ID Token (JWT):
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyLTEyMyIsIm5hbWUiOiJKYW5lIn0.signature...- Compact, URL-safe
- ~500 bytes typical size
- Native JSON parsing
SAML Metadata:
- Static XML file
- Manually exchanged or hosted at URL
- Contains certificates, endpoints, bindings
OIDC Discovery:
GET https://idp.example.com/.well-known/openid-configuration- Dynamic JSON document
- Auto-discovered at standard URL
- Lists all endpoints and supported features
SAML Single Logout (SLO):
- Complex, multi-party coordination
- Often unreliable across vendors
- Requires SAML LogoutRequest/LogoutResponse
OIDC Logout:
- RP-Initiated Logout (redirect to IdP)
- Back-channel logout (server-to-server notification)
- Front-channel logout (iframe-based)
- Generally more reliable
Decision Matrix: Which Protocol Should You Use?
Section titled “Decision Matrix: Which Protocol Should You Use?”| Scenario | Recommended Protocol | Reason |
|---|---|---|
| New web/mobile app login | OIDC | Modern, lightweight, excellent tooling |
| Enterprise SSO to legacy apps | SAML | Legacy apps often only support SAML |
| API authorization | OAuth 2.0 | Designed specifically for API access |
| ”Login with Google” | OIDC | Social providers use OIDC |
| B2B partner federation | SAML or OIDC | Depends on partner capabilities |
| Machine-to-machine | OAuth 2.0 (Client Credentials) | No user involved |
| IoT device authentication | OAuth 2.0 (Device Code) | Designed for limited-input devices |
| Replacing SAML | OIDC | Modern equivalent with better developer experience |
Migrating from SAML to OIDC
Section titled “Migrating from SAML to OIDC”Many organizations are migrating from SAML to OIDC. Here’s the strategic approach:
Migration Checklist
Section titled “Migration Checklist”-
Inventory SAML Applications
- Which apps support OIDC in addition to SAML?
- Which are SAML-only?
-
Configure IdP for Both Protocols
- Okta, Azure AD, and Auth0 all support SAML and OIDC simultaneously
- Run both protocols during migration
-
Migrate Apps in Phases
- Start with apps that already support OIDC
- Prioritize mobile-accessible apps
- Leave legacy SAML-only apps for last
-
Update Attribute Mappings
- SAML attributes → OIDC claims
NameID→subclaim- Custom attributes → custom claims
-
Test Single Logout
- OIDC logout behavior may differ from SAML SLO
- Verify session termination across apps
Claim Mapping Example
Section titled “Claim Mapping Example”| SAML Attribute | OIDC Standard Claim |
|---|---|
NameID | sub |
firstName | given_name |
lastName | family_name |
email | email |
groups | groups (custom claim) |
department | Custom claim in ID token |
Platform Protocol Support
Section titled “Platform Protocol Support”Major identity platforms support all three protocols:
Microsoft Entra ID
Full support for SAML, OAuth 2.0, and OIDC. Enterprise app gallery with pre-configured SSO.
Okta
Native support for all protocols. Extensive app catalog with SAML and OIDC templates.
Auth0
OIDC-first with SAML support. Developer-friendly SDKs for modern apps.
Keycloak
Open-source with protocol adapters. Can act as broker between SAML and OIDC.
Summary: The Right Protocol for the Job
Section titled “Summary: The Right Protocol for the Job”Choose OAuth 2.0
For API authorization, third-party integrations, and machine-to-machine communication. OAuth 2.0 Guide →
Choose OIDC
For new user-facing applications, modern SSO, and replacing SAML in greenfield projects. OIDC Guide →
Use Multiple
Most enterprise IdPs support all protocols. Use the right protocol for each application’s needs. SSO Patterns →