As more people fall victim to cybercrime, verifying user identity is vital. 94% of organizations have experienced an identity-related breach, and 99% believe their breaches could have been prevented.[i] With the right authentication protocols in place, organizations can boost their security by utilizing user authentication before granting someone access to sensitive data. Two of the most commonly used authentication protocols are:
- Security Assertion Markup Language (SAML)
- OpenID Connect (OIDC)
To best protect your organization, it’s important to understand each of these protocols and their respective benefits.
What are Authentication Protocols?
Authentication protocols are a set of instructions used to verify a user’s identity between two entities[ii]:
- An identity provider: The identity provider keeps users’ identity records. For example, it can be Windows Active Directory in a business setting, or a social media site such as Facebook, Google, or Twitter for consumer applications.
- A service provider: The service provider is the system or application the user wants to access such as Salesforce, Office 365, or an online banking account.
In the same way that someone must show their driver’s license in order to enter a bar, an identity provider uses a set of instructions to verify users’ digital identity to a service provider so they can gain entrance into a specific system or application. With standardized protocols to assure interoperability when exchanging information, authentication protocols help organizations centralize authentication, while enabling users to access the resources they need without having to memorize numerous usernames and passwords.
What is SAML?
A mature technology dating back to 2002, SAML is widely used in enterprise and government settings. The current SAML 2.0 standard was developed in 2005. It uses XML language as its identity data format and simple HTTP and SOAP for its data transport mechanisms.
SAML provides communication between identity providers and service providers using encrypted, digitally signed XML-based certificates. When a user is authenticated, a package of user identity data, known as the “SAML Assertion” is issued from the identity provider to the service provider and can include attributes such as a name, phone number, and email address. As an XML-based protocol, SAML is a feature-rich, versatile standard that can be used on nearly every platform.
It is widely used for Software-as-a-Service (SaaS) solutions and in single-sign on (SSO) applications, particularly in business settings where users need to unlock their computer screens or log in to the corporate intranet and several enterprise applications using a single username and password.
What is OIDC?
First published in 2014, OIDC is a simple identity layer on top of 0Auth 2.0, an authorization framework managed by the OpenID Foundation. The protocol uses RESTful API communication to transmit JSON web tokens between the identity provider and service provider, which contain common claims such as the user’s name, email address, birth date, picture, and other personal data. The tokens are digitally signed and can be encrypted as needed.
OIDC is easy to integrate with simple apps, but also provides security options that adhere to rigorous enterprise requirements. OIDC’s easy-to-consume tokens support a broad spectrum of signature and encryption algorithms.
OIDC is easy to implement with lightweight data processing requirements, which makes it the preferred authentication standard for mobile games, social media integrations, and other mobile applications.
SAML vs. OIDC: Which is Better?
The protocol you use depends on the specific systems and applications you need to protect. For authenticating enterprise applications, SAML has a long track record of secure data exchange and may be the preferred standard. For authenticating consumer websites and mobile applications, OIDC may be the right choice because of its lightweight, easy-to-implement JSON security tokens. Often, businesses use a combination of authentication protocols to protect their systems from possible threats.
Final thoughts.
As the risk of cyber-attacks increases, authentication is the first line of defense for today’s organizations. Both SAML and OIDC provide a standardized protocol for validating the digital identity of users, offering a fundamental layer of protection against cybersecurity threats.
See how SailPoint integrates with the right authentication providers.
[i] Identity Defined Security Alliance, “Identity Security: A Work in Progress,” www.idsalliance.org.
[ii] https://blog.vidizmo.com/authentication-protocols-openid-connect-vs.-saml
You might also be interested in:
Take control of your cloud platform.
Learn how SailPoint integrates with authentication providers.