Understanding SSO: When to Choose SAML vs OAuth2 & OIDC
This article explains the fundamentals of Single Sign‑On (SSO), compares the two most common protocols—SAML and OAuth2 (with OpenID Connect)—covers their terminology, workflows, benefits, and provides guidance on which to use in different scenarios.
What is Single Sign‑On (SSO)?
SSO allows a user to authenticate once and then access multiple applications without re‑entering credentials, improving convenience and security. Popular examples include Google’s login that grants access to Gmail, Photos, Drive, and other services.
Types of SSO protocols
Security Assertion Markup Language (SAML)
OAuth
OpenID Connect (OIDC)
Web Services Federation (WS‑Federation)
Kerberos
Benefits of SSO
Reduced risk when accessing third‑party sites
Less time spent re‑entering passwords
Simpler audit and management
Better administrative control
Increased user productivity
Improved network security
Reduced attack surface
Seamless and secure user access
What is SAML?
SAML is an XML‑based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). SAML 2.0, released in 2005, is optimized for web applications and uses XML assertions to convey user attributes.
SAML terminology
IdP – Identity Provider
SP – Service Provider
User – The person accessing the SP’s services
SAML workflow
User navigates to the Service Provider and clicks the SAML login button.
SP redirects the request to the IdP.
IdP presents a login page for the user to enter credentials.
IdP validates the credentials against Active Directory or another store.
Upon successful validation, the IdP sends a SAML response containing an XML assertion.
User is logged into the application.
What is OAuth2?
OAuth2 is a newer, JSON‑based authorization framework originally created by Google and Twitter in 2006 to address SAML’s limitations on mobile platforms. It issues JWT access tokens, making it lighter and faster than SAML.
OAuth2 terminology
Authorization server – e.g., Google
Resource server – e.g., Bitbucket
Resource owner – the user who grants access
OAuth2 allows the authorization server, with the user’s consent, to issue an access token that third‑party applications (e.g., Slack, Bitbucket) use to access protected resources on the resource server.
What is OpenID Connect (OIDC)?
OIDC builds on OAuth2 to provide authentication. After the user authenticates with the authorization server, an ID token is issued, enabling a single login session across multiple applications without sharing credentials.
OIDC for authentication
OIDC sits on top of OAuth2, adding user identity information to the OAuth flow, thus enabling true SSO where a social login (Google, Facebook, Twitter) can be used to access other services.
Example login flow with OAuth2 and OIDC
User visits the Bitbucket login page.
User clicks “Login with Google”.
Browser redirects to Google’s login page.
Google displays a credential entry page.
User enters Google credentials and submits.
Google validates credentials, generates an access token, and returns it to the browser.
Browser includes the Bearer token in the Authorization header when requesting Bitbucket.
Bitbucket validates the token with Google and responds.
User is logged into Bitbucket.
When to use SAML vs OAuth2 (with OIDC)
Government or highly sensitive applications – SAML provides stronger security (e.g., Singapore’s SingPass).
Prioritizing user experience, especially on mobile – OAuth2 is lighter and more user‑friendly.
Mobile and consumer apps – OAuth2’s short‑lived sessions suit these environments.
Virtual Desktop Infrastructure (VDI) deployments – SAML is preferred for enterprise‑wide access.
Temporary resource access – OAuth2 is designed for short‑term permissions.
In summary, the article covered SSO concepts, listed common protocols, detailed SAML and OAuth2 (including OIDC), illustrated their workflows with diagrams, and provided guidance on selecting the appropriate protocol for specific use cases.