Comparing SAML, OAuth, OpenID, OIDC
SAML (Security Assertion Markup Language)
The key points about SAML:
- SAML 2.0 is an open XML-based standard.
- OASIS adopted it as a standard in 2005.
- Three entities:
  - Principal (such as a user)
  - Service Provider (such as a website): the SAML consumer, which relies on assertions
  - Identity Provider (a third party that holds the authentication and authorization information): the SAML authority, which issues assertions
- An assertion can carry authentication statements, authorization decision statements, and attribute statements about the principal.
OAuth (Open Authorization)
The key points about OAuth:
- Is an authorization framework, not an authentication protocol.
- RFC 6749 describes OAuth 2.0.
- Exchanges information using HTTP APIs (token responses are JSON).
- An app obtains an access token from an authorization server (often run by the identity provider).
- Later, the app includes the access token in its API requests (typically as a Bearer token in the Authorization header); the resource server uses it to decide what the app may access, not who the user is.
OpenID
The key points about OpenID:
- Is an authentication standard (OpenID 2.0, now largely superseded by OpenID Connect).
- Is maintained by the OpenID Foundation.
- An OpenID provider provides decentralized authentication.
- Users enter their OpenID identifier (a URL) on a site, and the site redirects them to the OpenID provider, which verifies that the user controls that identifier.
OIDC (OpenID Connect)
The key points about OIDC:
- Is an authentication layer built on top of OAuth 2.0.
- Is the successor to the original OpenID standard (also from the OpenID Foundation), but technically builds on OAuth 2.0 rather than on the earlier OpenID protocol.
- Provides authentication (who the user is, via the ID token) on top of OAuth 2.0 authorization (what the app may access, via the access token).
- Unlike OpenID 2.0, it returns the user's identity as an ID token, which is a signed JSON Web Token (JWT) the app must validate.
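The OAuth 2.0 and OIDC points above, as one added example that is not code from the original notes: an authorization server (acting as OpenID Provider) issues an opaque OAuth 2.0 access token and, when the openid scope is requested, a signed ID token; the app validates the ID token to learn who the user is, then presents the access token as a Bearer token to a resource server, which checks it for scope and expiry. The client ID, client secret, issuer URL, scopes and fixed clock are constructed. The ID token is signed with HS256 using the client secret so the example is self-contained; real OpenID Providers normally use RS256 or ES256 with public keys published at their jwks_uri, and a real relying party should use a vetted JWT/OIDC library rather than hand-rolled parsing.

```python
# Added example: OAuth 2.0 access token plus OIDC ID token, all three roles in
# one process. CLIENT_ID, CLIENT_SECRET, ISSUER, scopes and NOW are constructed.
import base64
import hashlib
import hmac
import json
import secrets

CLIENT_ID = "my-web-app"                 # constructed relying-party identifier
CLIENT_SECRET = b"constructed-shared-secret"
ISSUER = "https://op.example.com"        # constructed OpenID Provider
NOW = 1_700_000_000                      # fixed clock so results are deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Authorization server / OpenID Provider ---------------------------------
ACCESS_TOKENS = {}   # opaque access token -> {"sub", "scope", "exp"}


def issue_tokens(subject, scope, nonce, now=NOW):
    """Token endpoint response: an opaque OAuth 2.0 access token, plus an OIDC
    ID token (a signed JWT) only when the 'openid' scope was requested."""
    access_token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access_token] = {"sub": subject, "scope": scope, "exp": now + 3600}
    response = {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}
    if "openid" in scope.split():
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
        signature = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
        response["id_token"] = f"{signing_input}.{_b64url(signature)}"
    return response


# --- Relying party (the app) ------------------------------------------------
def validate_id_token(id_token, expected_nonce, now=NOW):
    """Return the authenticated subject or raise ValueError. Signature first,
    then iss / aud / exp / nonce, the checks OIDC Core requires of the client."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token (e.g. "none")
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:        # a token minted for another client is not for us
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt (replay defence)
        raise ValueError("nonce mismatch")
    return claims["sub"]


def id_token_error(id_token, expected_nonce, now=NOW):
    """Return the validation failure reason, or None if the ID token is accepted."""
    try:
        validate_id_token(id_token, expected_nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


def api_request_headers(access_token):
    """The app presents the access token on an API call (RFC 6750 Bearer usage)."""
    return {"Authorization": f"Bearer {access_token}"}


# --- Resource server --------------------------------------------------------
def authorize_request(headers, required_scope, now=NOW):
    """Return the subject the token was issued for if it is valid, unexpired and
    carries the required scope; otherwise None. Authorization only: the API
    never learns how the user authenticated."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    record = ACCESS_TOKENS.get(auth[len("Bearer "):])
    if record is None or now >= record["exp"] or required_scope not in record["scope"].split():
        return None
    return record["sub"]


if __name__ == "__main__":
    tokens = issue_tokens("alice", "openid read:reports", "login-nonce-1")
    print("authenticated as", validate_id_token(tokens["id_token"], "login-nonce-1"))
    print("API allows", authorize_request(api_request_headers(tokens["access_token"]), "read:reports"))
```

The split between the two tokens is the whole point of the comparison: the ID token is consumed by the app and answers "who logged in", while the access token is consumed by the resource server and answers "what may this app do". Treating a bare access token as proof of identity (logging a user in because an API call succeeded) is the error OIDC was created to remove.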