SAML, OAuth 2.0, OpenID Connect (OIDC)


🚪 Quick Definitions

| Protocol | What it Does | Used For |
| --- | --- | --- |
| SAML | Authentication | Web-based SSO (Single Sign-On) |
| OAuth 2.0 | Authorization (not authentication) | Letting apps access resources on behalf of a user |
| OpenID Connect (OIDC) | Authentication (built on OAuth 2.0) | Logging users into apps securely |

🧠 What Each One Is


๐Ÿ” SAML (Security Assertion Markup Language)

  • Old but gold — XML-based standard.

  • Used for authentication (NOT authorization).

  • Popular for SSO in enterprise environments (e.g., login to Salesforce, Google Workspace, etc.).

  • Works with browsers and web apps.

๐Ÿ” Flow Summary:

  1. User tries to access an app (called Service Provider).

  2. App redirects user to Identity Provider (IdP) (like Azure AD, Okta).

  3. User logs in.

  4. IdP sends back a SAML assertion (XML) to the app.

  5. App verifies the assertion → user gets access.

✅ Common Use Case:

  • Enterprise SSO: "Log in to Workday using your company credentials."
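Step 5 of the flow is where the Service Provider's security actually lives: a valid signature alone is not enough. The Python below is an added example, not code from the original post or from any SAML library, of the remaining checks an SP performs on a received assertion: the issuer is the IdP it trusts, the validity window covers "now", the audience names this app, the bearer confirmation is addressed to this app's assertion consumer URL, and the assertion ID has not been seen before. The assertion XML, the issuer, audience and ACS URLs are all constructed placeholders, and the XML-Signature check is assumed to have been done beforehand by a proper XML-DSig library against the IdP's known certificate.

```python
import datetime as dt
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion: real SAML 2.0 namespaces, placeholder URLs and values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_demo-assertion-1"
    Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://app.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp (ISO 8601, trailing Z); a missing attribute fails validation."""
    if value is None:
        raise ValueError("missing timestamp attribute")
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _check(xml_text, expected_issuer, expected_audience, acs_url, now, seen_ids):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML Assertion")
    # Only the IdP configured for this SP may vouch for users.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    not_before = cond.get("NotBefore")  # optional in SAML; NotOnOrAfter is required here
    if (not_before is not None and now < _ts(not_before)) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside validity window")
    # An assertion issued for another SP must not log the user into this one.
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch")
    # Bearer assertions must be addressed to this SP's ACS URL and still be fresh.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation failed")
    # Each assertion ID is accepted once; a second presentation is a replay.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise ValueError("replayed assertion")
    seen_ids.add(assertion_id)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def validate_assertion(xml_text, expected_issuer, expected_audience, acs_url, now, seen_ids):
    """Return (ok, reason, name_id). Assumes the XML signature over the assertion was
    already verified by an XML-DSig library; this covers the checks that come after it."""
    try:
        return True, "ok", _check(xml_text, expected_issuer, expected_audience, acs_url, now, seen_ids)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc), None


if __name__ == "__main__":
    seen = set()
    now = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com/metadata",
                             "https://app.example.com", "https://app.example.com/saml/acs", now, seen))
    # Presenting the same assertion again is rejected as a replay.
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com/metadata",
                             "https://app.example.com", "https://app.example.com/saml/acs", now, seen))
```

The `seen_ids` set stands in for whatever store the SP uses to remember assertion IDs until their `NotOnOrAfter` passes; in a multi-node deployment that store has to be shared, or the replay check is only per node.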


🔑 OAuth 2.0

  • A framework for authorization.

  • Doesn't deal with identity directly (so it doesn’t log users in).

  • It lets apps access data on behalf of a user, without sharing the user’s password.

๐Ÿ” Flow Summary:

  1. User logs into App A.

  2. App A asks App B (like Google or Microsoft): "Can I access this user’s calendar?"

  3. User is redirected to App B to approve access.

  4. App B gives App A a token to access calendar data.

✅ Common Use Case:

  • Giving a third-party app permission to access your Google Drive, Microsoft Graph, or GitHub repo.
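Steps 3 and 4 above are the authorization code grant: App A redirects the user to App B, gets a one-time code back on its redirect URI, and exchanges that code for a token. The Python below is an added example, not code from the original post or from any real provider, that walks both sides of that exchange offline: the client side builds the redirect with a `state` value and a PKCE `code_challenge`, checks `state` on the callback before trusting the code, and proves possession of the `code_verifier` at the token endpoint; a toy authorization server stands in for App B and enforces single-use codes, redirect URI binding and the PKCE check. All URLs, the client id and the scope name are constructed placeholders, and the toy server is nothing like a production one beyond those three checks.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: not a real authorization server or registered client.
AUTHORIZE_URL = "https://authz.example.com/oauth2/authorize"
CLIENT_ID = "app-a-client-id"
REDIRECT_URI = "https://app-a.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as OAuth/PKCE values are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def start_authorization(scope):
    """Step 3 (client side): build the redirect to App B. Returns the URL plus the
    per-request secrets the client must keep in the user's session until the callback."""
    state = b64url(secrets.token_bytes(16))            # binds the callback to this browser session
    code_verifier = b64url(secrets.token_bytes(32))    # PKCE secret, never sent on the front channel
    code_challenge = b64url(hashlib.sha256(code_verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {"state": state, "code_verifier": code_verifier}


def handle_callback(callback_url, session):
    """Step 4 (client side): verify state before using the code, then build the
    back-channel token request that carries the code_verifier."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in qs:
        raise ValueError("authorization failed: " + qs.get("error", ["unknown"])[0])
    return {
        "grant_type": "authorization_code",
        "code": qs["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }


class ToyAuthServer:
    """Minimal stand-in for App B (constructed for this demo; not a real server)."""

    def __init__(self):
        self.pending = {}  # code -> (client_id, redirect_uri, code_challenge, scope)

    def authorize(self, authorize_url):
        """The user has approved access: issue a one-time code bound to the request."""
        q = parse_qs(urlparse(authorize_url).query)
        code = b64url(secrets.token_bytes(16))
        self.pending[code] = (q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0], q["scope"][0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, req):
        """Exchange the code for an access token; the code is consumed even on failure."""
        entry = self.pending.pop(req.get("code"), None)
        if entry is None:
            return {"error": "invalid_grant"}        # unknown, expired or already-used code
        client_id, redirect_uri, challenge, scope = entry
        if req.get("client_id") != client_id or req.get("redirect_uri") != redirect_uri:
            return {"error": "invalid_grant"}        # code was issued to a different client/redirect
        if b64url(hashlib.sha256(req.get("code_verifier", "").encode()).digest()) != challenge:
            return {"error": "invalid_grant"}        # caller does not hold the PKCE verifier
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer", "scope": scope}


def run_flow(scope="calendars.read"):
    """Drive the whole exchange end to end and return the token response."""
    server = ToyAuthServer()
    url, session = start_authorization(scope)
    callback = server.authorize(url)
    return server.token(handle_callback(callback, session))


if __name__ == "__main__":
    print(run_flow())
```

Note that the user's password never reaches App A: the only things App A ever holds are the short-lived code and the resulting token, and the token's reach is limited by the scope that was approved.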


🧾 OpenID Connect (OIDC)

  • An identity layer built on top of OAuth 2.0.

  • Adds authentication to OAuth.

  • Returns an ID token (JWT) that confirms who the user is.

  • Supports mobile apps, web apps, APIs, and SPAs (single-page apps).

๐Ÿ” Flow Summary:

  1. User logs into an app.

  2. App redirects to an Identity Provider (IdP) like Microsoft, Google, or Auth0.

  3. User authenticates.

  4. IdP sends back:

    • ID token → proves user’s identity

    • Access token → lets app access user data (optional)

✅ Common Use Case:

  • Logging into a mobile app using "Sign in with Google" or Microsoft.


๐Ÿ” Key Differences

| Feature | SAML | OAuth 2.0 | OpenID Connect (OIDC) |
| --- | --- | --- | --- |
| Purpose | Authentication | Authorization | Authentication + Authorization |
| Standard Format | XML | JSON (tokens) | JSON (JWTs) |
| Main Use Case | SSO for enterprise web apps | Delegated access to APIs | User login (web, mobile, APIs) |
| Mobile Friendly | ❌ Not ideal | ✅ Yes | ✅ Yes |
| Token Type | SAML Assertion (XML) | Access Token | ID Token (JWT) + Access Token |
| Password Shared? | No | No | No |
| Built On | N/A | N/A | Built on top of OAuth 2.0 |

🎯 When to Use What?

| Scenario | Best Protocol |
| --- | --- |
| SSO for enterprise web apps | SAML |
| Letting a 3rd party app access user data (e.g., calendar, files) | OAuth 2.0 |
| Logging users into a web/mobile app using Google/Microsoft | OpenID Connect |

🧪 Real-Life Example:

Imagine you're building a mobile app that lets users view their Outlook calendar.

  • Use OpenID Connect to authenticate the user.

  • Use OAuth 2.0 to get a token that allows you to access their calendar data via Microsoft Graph API.
