Understanding Single Sign-On (SSO): SAML, OAuth2, and OpenID Connect
This article explains the concept of Single Sign‑On (SSO), compares its major protocols—SAML, OAuth2, and OpenID Connect—covers their workflows, benefits, terminology, and provides guidance on when to choose each protocol for different application scenarios.
In this article we explore Single Sign‑On (SSO) and the two protocols most widely used for SSO: SAML and OAuth2 (including OpenID Connect). Understanding these technologies is essential for any developer working with authentication.
What is Single Sign‑On?
SSO allows a user to authenticate once and then access multiple applications without re‑entering credentials. It improves both convenience and security, as Google’s ecosystem illustrates: a single login grants access to Gmail, Photos, Drive, and other services.
SSO Types
Common standards and protocols that provide SSO include:
Security Assertion Markup Language (SAML)
OAuth
OpenID Connect (OIDC)
Web Services Federation (WS‑Federation)
Kerberos
Later sections dive deeper into SAML, OAuth2, and OIDC.
Benefits of SSO
Reduced risk when accessing third‑party sites
Less time spent re‑entering passwords
Simpler audit and management
Better administrative control
Increased user productivity
Enhanced network security
Smaller attack surface
Seamless and secure user access
What is SAML?
SAML is an XML‑based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). It conveys user identity and permissions in signed XML assertions. SAML 2.0, released in 2005, is optimized for web applications.
SAML Terminology
IdP – Identity Provider
SP – Service Provider
User – The person accessing the SP’s services
A typical SAML workflow involves the IdP, the SP, and the user. The user initiates login at the SP, which redirects to the IdP; the IdP authenticates the user and issues an XML assertion, and the SP grants access.
User clicks SAML login on the SP.
SP redirects the request to the IdP.
IdP presents a login page.
User submits credentials; the IdP validates them against Active Directory (AD) or a database.
IdP sends a signed XML response containing the assertion.
User is logged into the application.
What is OAuth2?
OAuth2 is a newer, JSON‑based standard created by Google and Twitter in 2006 to address SAML’s limitations on mobile platforms. It issues JWT access tokens, which makes it lighter and faster than SAML.
OAuth2 Terminology
Authorization Server – e.g., Google
Resource Server – e.g., Bitbucket
Resource Owner – the user who authorizes access to resources
OAuth2 allows an authorization server, with the user’s consent, to issue an access token to a third‑party application, which then uses the token to access protected resources on the resource server. OAuth2 handles authorization only; authentication is performed by protocols such as OIDC.
What is OpenID Connect (OIDC)?
OIDC builds on OAuth2 to provide authentication. After the user authenticates with the authorization server, an ID token is issued, and the user can then access multiple applications without re‑entering credentials. OIDC is widely used for social‑login scenarios (Google, Facebook, Twitter).
Example Login Page with OAuth2 and OIDC
OAuth2 Flow Integrated with OIDC
The diagram shows the steps when a user logs in to an application using Google. The process completes in milliseconds to seconds.
User navigates to the application login page.
User clicks “Login with Google”.
Browser redirects to Google’s login page.
User enters Google credentials.
Google validates credentials and issues an access token.
Browser sends the token in the Authorization header to the application server.
Application server validates the token with Google.
User is logged into the application.
When to Use SAML vs. OAuth2 (with OIDC)
Government or enterprise identity management – SAML for strong security (e.g., Singapore’s SingPass).
User experience priority – OAuth2 for lighter, mobile‑friendly flows.
Mobile and consumer apps – OAuth2 works well with short sessions.
Virtual Desktop Infrastructure (VDI) – SAML is preferred.
Temporary resource access – OAuth2 is designed for this use case.
In summary, the article covered SSO concepts, its benefits, and detailed the two major protocols—SAML and OAuth2 (including OIDC). It also explained the subtle differences between OAuth2 and OIDC and provided guidance on selecting the appropriate protocol for specific scenarios.
Architecture Digest
Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.