OIDC vs SAML - What are you missing & how do you solve that?

From IIW

Creating OIDC vs SAML - What are you missing and how do you solve that?

Tuesday 2H

Convener: Mark Dobrinic

Notes-taker(s): Yuri H Hirohashi

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

IIW21 TU 2H OIDCvSAML.jpg


Both meant to solve the same problem

Open ID connect was meant to make things simple

SAML known for making things complex :)  

SAML has a lot of solutions already

Open ID you may encounter problems along the way  

OIDC ID token has a very limited amount of definitions

Name ID contains many more specifications

  Interested in having a mechanism in   Univ. of Michigan's experience:

A lot of times SPs, especially commercial are pulling attributes

Wants name ID but they don’t honor definitions

Persistent ID is supposed to be opaque

  On campus students gets TV access, but not off campus - is this person entitled?  Problem is trying to identify where a given student lives   U of Michigan started SAML, which has slow adoption. 

OIDC faster adoption.  Everyone with Google account has OIDC. 

Google consumes SAML but does not produce SAML

People would rather work with Json or XML?

Writing PHP or ruby code is easier then web server configuration

  Linking identity   To integrate OIDC in SAML world   Federated logins   Need to figure out configuration and management of SAML and OIDC easier for people   iSELECT is another standard in Netherland   Don’t change protocol unless you need to, if it is working

OIDC is suitable for application integration

SAML Installation experience is easier   Have you operated SAML and Open ID simultaneously? Issuing ID token and assertion? - Not yet.  Using SAML but looking into Open ID   Account chooser.  Local storage

Discovery by email

IDP does not prompt you for email

Just type in credential   Open ID foundation is the governing body for the spec.  Not going to solve a problem if it is for one person.

SAML - Oasis   If people have problems in Open ID, let’s try to have a consistent approach to solving those.  Not individually.  Let's stay connected.   Want the trust of open ID connect   Meta data to be signed by federation.