What Is SAML vs OAuth vs OIDC: The Differences Explained
Three protocols, endless confusion. SAML proves who you are to enterprise apps. OAuth lets apps access your stuff without your password. OIDC tells modern apps who you are. Here's how they actually work, why they exist, and when to use each.
The alphabet soup of authentication protocols confuses even experienced engineers. SAML, OAuth, OIDC - they all seem to do similar things, they all involve tokens and redirects, and vendors often use the terms interchangeably.
But these protocols serve fundamentally different purposes, and using the wrong one creates security vulnerabilities. Understanding the distinctions is essential for making correct architectural decisions.
| Protocol | Purpose | Primary Use Case |
|---|---|---|
| SAML 2.0 | Authentication + basic authorization | Enterprise SSO |
| OAuth 2.0 | Authorization only | API access delegation |
| OpenID Connect | Authentication + authorization | Modern web/mobile apps |
The Core Distinction: Authentication vs Authorization
Before diving into protocols, understand the fundamental concepts they address.
| Concern | Question | Protocol |
|---|---|---|
| Authentication | Who are you? | SAML, OIDC |
| Authorization | What can you access? | OAuth, (SAML partially) |
| Both | Who are you and what can you do? | OIDC + OAuth |
SAML 2.0: The Enterprise Standard
Security Assertion Markup Language 2.0, released in 2005, remains the dominant protocol for enterprise SSO. Despite its age, SAML powers the vast majority of business-to-business authentication integrations.
How SAML Works
SAML uses XML-based messages called assertions that contain authentication statements. The flow involves browser redirects between three parties.
| Component | Description |
|---|---|
| Identity Provider (IdP) | Authenticates users, issues assertions |
| Service Provider (SP) | Application accepting assertions |
| Assertion | XML document proving authentication |
| Bindings | How messages travel (POST, Redirect) |
SAML Assertion Structure
A SAML assertion contains:
<saml:Assertion>
<saml:Issuer>https://idp.company.com</saml:Issuer>
<saml:Subject>
<saml:NameID>user@company.com</saml:NameID>
</saml:Subject>
<saml:Conditions NotBefore="..." NotOnOrAfter="..." />
<saml:AuthnStatement AuthnInstant="..." />
<saml:AttributeStatement>
<saml:Attribute Name="groups">
<saml:AttributeValue>admins</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
SAML Strengths and Weaknesses
| Strength | Weakness |
|---|---|
| Mature, well-understood | XML is verbose and complex |
| Wide enterprise support | Not designed for mobile/API |
| Rich attribute passing | Browser-dependent flow |
| Works with existing IdPs | No native refresh mechanism |
OAuth 2.0: Delegated Authorization
OAuth 2.0, finalized in 2012, solves a different problem than SAML. It enables applications to access user resources on other services without receiving the user's password.
The OAuth Problem
Consider this scenario: You want a third-party app to post to your Twitter account. Before OAuth:
- Option 1: Give the app your Twitter password (terrible idea)
- Option 2: Build custom integration per service (does not scale)
OAuth provides a standardized way to grant limited access without sharing credentials.
OAuth Actors and Tokens
| Actor | Role |
|---|---|
| Resource Owner | User who owns the data |
| Client | Application requesting access |
| Authorization Server | Issues tokens |
| Resource Server | API hosting the data |
| Token Type | Purpose | Lifetime |
|---|---|---|
| Access Token | Grants API access | Minutes to hours |
| Refresh Token | Obtains new access tokens | Days to months |
OAuth Grant Types
| Grant | Use Case | Security Level |
|---|---|---|
| Authorization Code | Web apps with backend | Highest |
| Authorization Code + PKCE | Mobile/SPA apps | High |
| Client Credentials | Machine-to-machine | High (no user) |
| Implicit | Legacy SPAs | Deprecated - do not use |
| Password | Trusted first-party apps | Deprecated - do not use |
OpenID Connect: Authentication Meets Modern Architecture
OpenID Connect, released in 2014, builds an authentication layer on top of OAuth 2.0. It answers the question OAuth deliberately avoided: "Who is this user?"
is when OIDC was finalized, making it the youngest of the three protocols - designed specifically for modern web and mobile architectures
OIDC = OAuth 2.0 + Identity Layer
| OAuth 2.0 Provides | OIDC Adds |
|---|---|
| Authorization framework | Authentication semantics |
| Access tokens | ID tokens |
| Scope-based permissions | Standard identity claims |
| Token endpoints | UserInfo endpoint |
The ID Token
OIDC introduces the ID token - a JWT containing identity claims:
{
"iss": "https://idp.company.com",
"sub": "user123",
"aud": "client_app_id",
"exp": 1699999999,
"iat": 1699999000,
"email": "user@company.com",
"name": "John Doe"
}
| Claim | Purpose |
|---|---|
| iss | Token issuer (IdP) |
| sub | Subject identifier (user ID) |
| aud | Intended audience (client) |
| exp/iat | Expiration and issued-at times |
| Standard claims | email, name, picture, etc. |
OIDC Flows
| Flow | Use Case | Tokens Returned |
|---|---|---|
| Authorization Code | Server-side apps | ID + Access (+ Refresh) |
| Implicit | Legacy SPAs | ID + Access (deprecated) |
| Hybrid | Specific security requirements | Combination |
Protocol Comparison: When to Use What
The choice between protocols depends on your specific requirements. There is no universal "best" option.
Feature Comparison
| Feature | SAML 2.0 | OAuth 2.0 | OIDC |
|---|---|---|---|
| Authentication | Yes | No | Yes |
| Authorization | Basic | Yes | Yes |
| Format | XML | JSON | JSON |
| Token type | Assertion | Access token | ID token + Access token |
| Mobile support | Poor | Good | Good |
| API protection | Poor | Good | Good |
| Enterprise IdP support | Excellent | Moderate | Good |
| Complexity | High | Medium | Medium |
Decision Matrix
| Scenario | Recommended Protocol |
|---|---|
| Enterprise SSO with existing IdP | SAML 2.0 |
| SaaS integration with enterprise | SAML 2.0 |
| Modern web application auth | OIDC |
| Mobile application auth | OIDC |
| API-to-API authorization | OAuth 2.0 (Client Credentials) |
| Social login | OIDC |
| Consumer-facing application | OIDC |
| Third-party API access | OAuth 2.0 |
Migration Considerations
| From | To | Difficulty | Approach |
|---|---|---|---|
| SAML | OIDC | Medium | Run in parallel, migrate apps gradually |
| Custom auth | OIDC | Medium-High | Requires application changes |
| OAuth (misused for auth) | OIDC | Low | Add ID token validation |
Security Considerations
Each protocol has unique security concerns that implementations must address.
SAML Security
| Attack | Mitigation |
|---|---|
| XML signature wrapping | Use validated libraries only |
| Replay attacks | Check NotOnOrAfter, use one-time assertion IDs |
| Man-in-the-middle | Always use HTTPS, validate IdP certificate |
| Assertion theft | Short validity windows, audience validation |
OAuth Security
| Attack | Mitigation |
|---|---|
| Authorization code interception | Use PKCE for all clients |
| Token leakage via referrer | Use POST, avoid tokens in URLs |
| Client impersonation | Use client authentication, PKCE |
| Scope creep | Request minimal scopes, validate on resource server |
OIDC Security
| Attack | Mitigation |
|---|---|
| ID token injection | Validate signature, issuer, audience |
| Nonce replay | Generate unique nonce per request, verify |
| State parameter manipulation | Generate cryptographically random state |
| Token substitution | Verify at_hash claim matches access token |
Common Mistakes Across Protocols
| Mistake | Consequence |
|---|---|
| Skipping signature validation | Authentication bypass |
| Long-lived tokens without refresh | Prolonged compromise window |
| Overly broad scopes | Excessive access on compromise |
| Missing audience validation | Token confusion attacks |
| Hardcoded secrets in code | Credential theft |
Implementation Patterns
Practical implementation differs by application architecture.
Server-Side Web Applications
Best choice: OIDC Authorization Code Flow
User → App → IdP login → Auth code → App backend → Token exchange → Session
| Step | Security Consideration |
|---|---|
| Redirect to IdP | Include state parameter |
| Auth code return | Validate state, exchange immediately |
| Token exchange | Happens server-side, secrets protected |
| Session creation | Use secure, HttpOnly cookies |
Single-Page Applications
Best choice: OIDC Authorization Code with PKCE
Mobile Applications
Best choice: OIDC Authorization Code with PKCE
| Platform | Implementation |
|---|---|
| iOS | Use ASWebAuthenticationSession |
| Android | Use Chrome Custom Tabs |
| Both | Avoid embedded WebViews (security risks) |
API-to-API (Machine-to-Machine)
Best choice: OAuth 2.0 Client Credentials
Service A → Auth server (client_id + secret) → Access token → Service B API
No user involved. Service authenticates itself to obtain tokens.
Enterprise SSO Integration
Best choice: SAML 2.0 (most enterprise IdPs prefer it)
| Configuration | Purpose |
|---|---|
| SP Metadata | Your app's endpoints, certificate |
| IdP Metadata | IdP's endpoints, certificate |
| Attribute mapping | Map IdP attributes to app fields |
| Just-in-time provisioning | Create users on first login |
Real-World Implementation Scenarios
Understanding how protocols combine in real architectures clarifies when to use each.
Scenario 1: Enterprise SaaS Product
A B2B SaaS product needs to support customer IdPs for SSO.
| Requirement | Solution |
|---|---|
| Customer SSO | SAML 2.0 (customers expect it) |
| Internal users | OIDC with your IdP |
| Mobile app | OIDC with PKCE |
| API access | OAuth 2.0 tokens |
Scenario 2: Consumer Application with Social Login
A consumer-facing app allowing social and email login.
| Provider | Protocol | Implementation |
|---|---|---|
| OIDC | Google Sign-In SDK | |
| OAuth 2.0 + proprietary | Facebook Login SDK | |
| Apple | OIDC | Sign in with Apple |
| Email/password | Custom | Your auth system |
Scenario 3: Microservices Architecture
Internal services need to communicate securely.
| Communication | Protocol | Token Type |
|---|---|---|
| User-initiated requests | OIDC | ID token → access token |
| Service-to-service | OAuth 2.0 Client Credentials | Access token |
| Background jobs | OAuth 2.0 Client Credentials | Access token |
Common Mistakes to Avoid
These mistakes appear repeatedly in real-world implementations.
Mistake 1: Using OAuth for Authentication
| Wrong | Right |
|---|---|
| Validate access token → "user is authenticated" | Validate ID token → user is authenticated |
| Use /userinfo to get identity | ID token contains identity claims |
Mistake 2: Storing Tokens Insecurely
| Storage Location | Risk Level | Use For |
|---|---|---|
| localStorage | High (XSS vulnerable) | Never for sensitive tokens |
| sessionStorage | Medium (XSS vulnerable) | Short-lived, low-risk tokens only |
| HttpOnly cookies | Low | Recommended for web apps |
| Secure mobile storage | Low | Keychain (iOS), Keystore (Android) |
Mistake 3: Not Validating All Token Claims
| Claim | Must Validate | Why |
|---|---|---|
| Signature | Always | Proves token integrity |
| Issuer (iss) | Always | Prevents cross-IdP attacks |
| Audience (aud) | Always | Prevents token confusion |
| Expiration (exp) | Always | Prevents replay attacks |
| Nonce | When present | Prevents injection |
Mistake 4: Overly Broad Scopes
Request minimal scopes. If your app only needs email, don't request full profile access.
| Bad | Good |
|---|---|
scope=openid profile email phone address | scope=openid email |
scope=https://graph.microsoft.com/.default | Specific Graph scopes needed |
Mistake 5: Long-Lived Access Tokens
| Token Lifetime | Appropriate Use |
|---|---|
| 5-15 minutes | Standard access tokens |
| 1-24 hours | Low-risk, internal APIs |
| 7-90 days | Refresh tokens with rotation |
| Never expires | Avoid - use refresh tokens |
Identity Provider Implementations
Major IdPs implement these protocols with platform-specific features.
Microsoft Entra ID (Azure AD)
| Protocol | Support | Notes |
|---|---|---|
| SAML 2.0 | Full | Enterprise app gallery |
| OAuth 2.0 | Full | Microsoft Graph API |
| OIDC | Full | Microsoft Identity Platform v2.0 |
Okta
| Protocol | Support | Notes |
|---|---|---|
| SAML 2.0 | Full | 7000+ pre-built integrations |
| OAuth 2.0 | Full | Authorization servers |
| OIDC | Full | Native support |
Auth0
| Protocol | Support | Notes |
|---|---|---|
| SAML 2.0 | Full | As both IdP and SP |
| OAuth 2.0 | Full | Multiple grant types |
| OIDC | Full | Primary focus |
Google Workspace
| Protocol | Support | Notes |
|---|---|---|
| SAML 2.0 | Full | Google as IdP only |
| OAuth 2.0 | Full | Google APIs |
| OIDC | Full | Google Sign-In |
Implementation Libraries
| Platform | SAML | OAuth/OIDC |
|---|---|---|
| .NET | ITfoxtec, Sustainsys | Microsoft.Identity |
| Java | Spring Security SAML | Spring Security OAuth |
| Node.js | passport-saml | passport-openidconnect |
| Python | python3-saml | Authlib, OAuthLib |
Troubleshooting Common Issues
Protocol debugging requires understanding the flow and knowing where to look.
SAML Troubleshooting
| Issue | Diagnostic Steps |
|---|---|
| Signature validation fails | Compare IdP certificate, check expiry |
| Audience mismatch | Verify SP Entity ID matches assertion |
| Time-based errors | Check server time sync (NTP) |
| Attribute not passed | Check IdP attribute release configuration |
| Redirect loop | Verify ACS URL, check session handling |
OAuth/OIDC Troubleshooting
| Error | Likely Cause |
|---|---|
| invalid_client | Wrong client ID or secret |
| invalid_grant | Expired auth code, already used code |
| invalid_scope | Requested scope not configured |
| access_denied | User denied consent |
| invalid_request | Missing required parameter |
Token Validation Issues
| Problem | Check |
|---|---|
| Token rejected | Signature algorithm matches IdP config |
| Wrong user | Validate sub claim, not just access |
| Permissions wrong | Check scopes in token vs requested |
| Token expired | Client clock sync, token lifetime config |
Common Integration Issues
| Symptom | Investigation |
|---|---|
| Works in test, fails in production | Environment-specific URLs, certificates |
| Intermittent failures | Clock skew, network timeouts |
| Works for some users | Group/role membership, conditional access |
| Mobile only issues | Custom tab/WebView configuration |
Conclusion: Choosing the Right Protocol
The choice between SAML, OAuth, and OIDC is not about which is "best" but which fits your requirements.
Quick Decision Guide
Key Takeaways
| Takeaway | Detail |
|---|---|
| SAML is not dead | Still dominant for enterprise B2B SSO |
| OAuth is not authentication | Use OIDC when you need identity |
| OIDC is the modern choice | For new apps, especially mobile |
| Multiple protocols coexist | Most organizations use several |
| Security requires attention | Each protocol has specific risks |
Implementation Priority
| Priority | Action |
|---|---|
| 1 | Use established libraries - never roll your own crypto |
| 2 | Validate all token claims - signatures, issuer, audience, expiry |
| 3 | Secure token storage - server-side or secure device storage |
| 4 | Minimal scopes - request only what you need |
| 5 | Short lifetimes - use refresh tokens for longevity |
For deeper protocol exploration, see our dedicated guides on SAML 2.0 Configuration, OAuth 2.0 Best Practices, and OpenID Connect Implementation.
Frequently Asked Questions
SAML is an authentication protocol - it proves who a user is. OAuth is an authorization protocol - it grants applications permission to access resources. SAML tells Salesforce 'This is Alice from Acme Corp.' OAuth tells Google Photos 'Alice allows this printing app to read her photos.' They solve fundamentally different problems.
You shouldn't. OAuth proves that authorization was granted, not who granted it. Using OAuth alone for authentication creates security vulnerabilities - attackers can use tokens obtained through other means to impersonate users. If you need authentication with OAuth-style flows, use OIDC, which was specifically designed to add authentication to OAuth.
OIDC is an authentication layer built on top of OAuth 2.0. It uses OAuth's authorization flows but adds identity information through ID tokens. When you authenticate with OIDC, you receive both an ID token (who the user is) and an access token (authorization for API access). Think of OIDC as 'OAuth plus identity.'
Use SAML when integrating with enterprise customers who require it, when connecting to applications that only support SAML, or when you're already operating in a SAML-heavy environment. Many enterprise SaaS applications only support SAML for SSO. For new development without enterprise constraints, OIDC is usually simpler and more developer-friendly.
An ID token contains claims about the authenticated user (who they are) and is consumed by your application. An access token grants permission to call APIs (what the app can do) and is presented to resource servers. In OIDC, you typically receive both: the ID token identifies the user; the access token authorizes API calls on their behalf.
PKCE (Proof Key for Code Exchange) is an OAuth extension that prevents authorization code interception attacks. When your app initiates the OAuth flow, it generates a secret and sends a hash of it. When exchanging the code for tokens, the app proves it has the original secret. PKCE is required for mobile apps and SPAs, and recommended for all OAuth implementations.
Logout is tricky in federated systems. SAML defines Single Logout (SLO) to propagate logout across applications, but reliable implementation is challenging. OIDC defines similar mechanisms (RP-Initiated Logout, Back-Channel Logout). In practice, applications handle local session termination easily, but ensuring logout propagates everywhere remains difficult.
Yes, and this is common. Identity providers like Okta and Azure AD support both SAML and OIDC for the same users. Applications can accept authentication from either protocol and normalize identity internally. Enterprise customers might use SAML while consumer users authenticate via OIDC social login.
For SAML: signature validation failures - ensure assertions are properly signed by the expected IdP. For OAuth: redirect URI validation and token storage - validate redirect URIs exactly and protect tokens from XSS. For OIDC: ID token validation - verify signatures, issuers, audiences, and expiration. All protocols require TLS for transport.
For a new application without specific SAML requirements, start with OIDC. It's simpler to implement, works well with modern architectures, and supports both mobile and web. If you're building APIs that third parties will consume, add OAuth for authorization. If enterprise customers will require corporate SSO, plan to add SAML support alongside OIDC.
Comments
Want to join the discussion?
Create an account to unlock exclusive member content, save your favorite articles, and join our community of IT professionals.
New here? Create a free account to get started.