Understanding SSO: When to Use SAML vs OAuth2 & OIDC

This article explains single sign‑on concepts, compares SAML, OAuth2 and OpenID Connect, outlines their benefits and typical workflows, and provides guidance on choosing the right protocol for different security and user‑experience scenarios.

ITFLY8 Architecture Home

What is Single Sign-On (SSO)?

SSO allows a user to log in once with a single set of credentials and gain access to multiple applications, reducing the need to remember many passwords. Example: Google login provides access to Gmail, Photos, Drive, etc.

Types of SSO

SAML (Security Assertion Markup Language)

OAuth

OpenID Connect (OIDC)

WS-Federation

Kerberos

This article later details SAML, OAuth2, and OIDC.

Benefits of SSO

Reduced risk when accessing third‑party sites

Less time re‑entering passwords

Simpler audit and management

Better administrative control

Increased user productivity

Improved security

Reduced attack surface

Seamless and secure user access

What is SAML?

SAML is an XML‑based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It uses assertions (XML documents) and is optimized for web applications (SAML 2.0).

SAML Terminology

IdP – Identity Provider

SP – Service Provider

User – The person accessing the service

Typical SAML workflow: the user clicks "SAML login" on the SP, the SP redirects the browser to the IdP, the user authenticates, the IdP validates the credentials and returns an XML assertion to the SP, and the SP logs the user in.

SAML workflow diagram

What is OAuth2?

OAuth2 is a newer standard developed by Google and Twitter in 2006 to address SAML’s limitations on mobile platforms. It uses JSON and JWT tokens, making it lighter and faster.

OAuth2 Terminology

Authorization Server – e.g., Google

Resource Server – e.g., Bitbucket

Resource Owner – the user who authorizes access

OAuth2 allows an authorization server to issue access tokens to third‑party apps after user consent. It is used for delegated access without sharing credentials.

What is OpenID Connect (OIDC)?

OIDC builds on OAuth2 to provide authentication. After the user authenticates with the authorization server, an ID token is issued, enabling SSO across multiple apps without sharing credentials.

OIDC is often seen when logging in with Google, Facebook, or Twitter.

Example Login Flow with OAuth2 and OIDC

Login page example

OAuth2 Flow Integrated with OIDC

OAuth2 and OIDC flow diagram

The diagram shows the steps when a user logs in to Bitbucket using Google: Bitbucket redirects the user to Google, the user authenticates, Google issues an access token, the token is sent to Bitbucket, and Bitbucket validates it and logs the user in.

When to Use SAML vs OAuth2 (with OIDC)

Government applications needing strong security – SAML (e.g., Singapore’s SingPass).

User experience is paramount – OAuth2, which is lightweight and mobile‑friendly.

Mobile and consumer apps – OAuth2 for short sessions.

Virtual Desktop Infrastructure (VDI) deployments – SAML.

Temporary resource access – OAuth2.

In summary, the article covered SSO types and benefits, examined SAML and OAuth2 (including OIDC), highlighted their differences, and suggested appropriate use cases for each protocol.

Written by ITFLY8 Architecture Home

ITFLY8 Architecture Home - focused on architecture knowledge sharing and exchange, covering project management and product design. Includes large-scale distributed website architecture (high performance, high availability, caching, message queues...), design patterns, architecture patterns, big data, project management (SCRUM, PMP, Prince2), product design, and more.
