Technology Blog Posts by SAP
Xenia
Product and Topic Expert

If you're a security enthusiast, you're probably already familiar with SAML (Security Assertion Markup Language). It's a well-established, widely supported protocol for enabling Single Sign-On (SSO) in client applications. However, with more and more SAP applications supporting OIDC (OpenID Connect) for SSO, you might find yourself wondering which protocol to choose, especially if you're embarking on a new SSO journey.

Short Answer: Each option has its pros and cons, and if your application supports both, it shouldn't significantly affect user experience.

Long Answer: Keep reading to delve into the nuances and differences between these two protocols.

 

Characteristics of SAML and OIDC

Both SAML and OIDC play crucial roles in SSO implementation. While they offer similar end-user experiences, they differ significantly in how they are implemented and managed by developers. Here's a closer look:

SAML (Security Assertion Markup Language)

  • Format: Uses XML-based messages (assertions, requests and responses) to securely exchange authentication and attribute data.
  • Interoperability: Widely adopted by a variety of commercial and open-source identity providers and service providers.
  • Protocol Complexity: Generally complex to implement; the XML messages are verbose, and XML Signature with canonicalization is a frequent source of implementation bugs.
  • Attributes: Customizable attribute profiles (arbitrary attribute names and multi-valued attributes) for fine-grained access control and identity management.
  • Security: Strong support for mechanisms like digital signatures (XML Signature) and encryption (XML Encryption) of assertions, on top of TLS.
  • Use Case: Typically used in enterprises, educational institutions, and industries where detailed attribute-based access control is necessary.

OIDC (OpenID Connect)

  • Format: Uses JSON Web Tokens (JWT) for the ID token and RESTful endpoints (authorization, token, userinfo, discovery), making the data transmission lighter and less verbose compared to XML.
  • Interoperability: Rapidly adopted across many platforms and services. OIDC is an identity layer built on top of OAuth 2.0, so the same flows deliver authentication (ID token) and authorization (access token).
  • Protocol Complexity: Easier to implement with modern web technologies due to its JSON and REST-oriented architecture; most languages have mature JWT and OIDC client libraries.
  • Attributes: Relies on standardized scopes (openid, profile, email, ...) and claims (sub, email, name, ...) to manage user information; custom claims are possible but less formalized than SAML attribute profiles.
  • Security: ID tokens are signed JWTs (JWS, typically RS256) and can optionally be encrypted (JWE); because OIDC layers on OAuth 2.0 it also brings refresh tokens, token revocation and token introspection.
  • Use Case: Commonly used in consumer-facing applications, social logins, and scenarios where simplicity and speed are crucial, such as mobile applications and Single Page Applications (SPA).
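To make the "same user experience, different implementation" point concrete, here is an added example (not code from the original post or from any SAP product) that validates a SAML assertion and an OIDC ID token side by side and maps both into the same identity record. Everything in it is constructed for the demo: the issuer and audience URLs, the assertion, the HS256 shared secret and the claim values are assumptions. Two caveats are in the comments: the SAML XML Signature must be verified before the assertion is trusted (that step needs an XMLDSig library and is not shown), and real IdPs normally sign ID tokens with RS256 and publish their keys via JWKS; HS256 is used here only so the block runs with the standard library, the claim checks are the same either way.

```python
"""What an SP (SAML) and an RP (OIDC) actually check before trusting a login.
Constructed example: issuer/audience values, assertion, secret and claims are all made up."""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion. In production: verify the XML Signature (ds:Signature)
# first and parse with a hardened parser (e.g. defusedxml); only then evaluate Conditions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_id1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admins</saml:AttributeValue><saml:AttributeValue>devs</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_assertion(xml_text, expected_issuer, expected_audience, now):
    """Check Issuer, validity window and AudienceRestriction, then collect attributes."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        raise ValueError("SAML: issuer mismatch")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("SAML: missing Conditions")
    if not (_saml_time(cond.get("NotBefore")) <= now < _saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("SAML: assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError("SAML: audience mismatch")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS), "attributes": attrs}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(claims, secret):
    """Constructed HS256 ID token for the demo (real IdPs usually use RS256 + JWKS)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, secret, expected_issuer, client_id, expected_nonce, now, skew=60):
    """Verify signature with a pinned algorithm, then iss, aud, exp/iat and nonce."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none" or trust the header
        raise ValueError("OIDC: unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("OIDC: bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("OIDC: issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("OIDC: audience mismatch")
    ts = now.timestamp()
    if ts >= claims.get("exp", 0) + skew or ts < claims.get("iat", 0) - skew:
        raise ValueError("OIDC: token outside validity window")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("OIDC: nonce mismatch")
    attrs = {k: claims[k] for k in ("email", "groups") if k in claims}
    return {"subject": claims["sub"], "attributes": attrs}


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    print(validate_saml_assertion(SAMPLE_ASSERTION, "https://idp.example.test", "https://sp.example.test", now))
    claims = {"iss": "https://idp.example.test", "sub": "alice@example.test", "aud": "my-client",
              "iat": int(now.timestamp()), "exp": int(now.timestamp()) + 300, "nonce": "n-1",
              "email": "alice@example.test", "groups": ["admins", "devs"]}
    token = make_id_token(claims, b"constructed-shared-secret")
    print(validate_id_token(token, b"constructed-shared-secret", "https://idp.example.test", "my-client", "n-1", now))
```

Note how the same four checks appear on both sides (who issued it, who it is for, is it still valid, is it bound to this login) while the SAML side has multi-valued attribute elements with arbitrary names and the OIDC side has flat JSON claims; that difference is what the "Attributes" bullets above are describing.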

 

Key Similarities and Differences

Here's a quick overview of the characteristics, similarities, and differences between SAML and OIDC:

 

Characteristic    | SAML                                                        | OIDC
------------------|-------------------------------------------------------------|-----------------------------------------------------------
Format            | XML-based assertions                                        | JSON Web Tokens (JWT) over REST endpoints
Interoperability  | Widely adopted with commercial and open-source providers    | Rapid adoption across platforms; built on OAuth 2.0
Complexity        | More complicated, XML-based (XML Signature, canonicalization) | Easier, JSON and REST-based
Attributes        | Customizable attribute profiles                             | Standardized scopes and claims
Security          | XML Signature and XML Encryption of assertions, over TLS    | Signed JWTs (JWS), optionally encrypted (JWE), over TLS
Use Case          | Enterprises, educational institutions                       | Consumer apps, social logins, SPAs, mobile

 

SAP Context

In your SAP landscape, both SAML and OIDC are supported by SAP Cloud Identity Services. Whether you're working with SAP applications on-premises or in the cloud, you have the flexibility to choose either protocol. However, it's worth noting that more and more SAP solutions, like SAP Task Center, require OIDC to be able to interoperate between different applications (see here: https://help.sap.com/docs/btp/sap-business-technology-platform/migration-from-saml-trust-to-openid-c...)

 

What You Should Remember

  1. Similarity in Functionality: Both SAML and OIDC perform the same role in SSO implementation: they authenticate the user and hand the application a signed statement of who the user is (attributes or claims) that it can base authorization decisions on.
  2. Support in SAP: Both protocols are supported by SAP applications using SAP Cloud Identity Services.
  3. OIDC for Lower Overhead: OIDC tokens are compact JSON, cheap to parse and verify, and the underlying OAuth 2.0 flows also cover service-to-service (machine-to-machine) access, which SAML does not address natively. That makes OIDC better suited for lightweight service authentication and service-to-service contexts.
  4. Reliability of SAML: If you've been using SAML in your architecture, rest assured it's reliable and will likely remain a mainstay for SSO implementations in end-user applications.
  5. Future with OIDC: For new applications and service-to-service authentication, consider embracing OIDC due to its efficient and easier-to-implement nature.

Choosing the right protocol ultimately depends on your specific needs and existing infrastructure, but both SAML and OIDC provide robust and secure frameworks for SSO, ensuring seamless user experiences across your SAP landscape.