!!! Overview

!! [OpenID Connect] vs. [SAML]
Choosing between [OpenID Connect] and [SAML] is not just a matter of using the newer protocol ([OIDC]) instead of the older, more mature protocol ([SAML]).

!! In most cases we recommend using [OIDC].
[SAML] tends to be a bit more verbose than [OIDC].

Beyond the verbosity of the exchanged data, if you compare the specifications you will find that [OIDC] was designed to work with the web, while [SAML] was retrofitted to work on top of the web.

For example, [OIDC] is better suited to [HTML5]/[JavaScript] applications because it is easier to implement on the client side than [SAML]. Because its tokens are in [JSON] format, they are easy to consume from [JavaScript]. You will also find several features that make implementing security in your web applications easier.

For example, look at the [iframe] trick that the specification uses to determine whether a user is still logged in.

[SAML] has its uses though. As the [OIDC] specifications evolve, you see them adopt more and more features that [SAML] has had for years. What we often see is that people pick [SAML] over [OIDC] because of the perception that it is more mature, and because they already have existing applications that are secured with [SAML].

!! Comparison Table
A table comparing aspects of [{$pagename}] concerning [WEB Single Sign-On].

%%zebra-table-cccccc
%%sortable
%%table-filter
||Description||[SAML V2.0]||[OAuth 2.0]||[OpenID Connect]
|Initiating user’s login session|YES|NO|YES
|Collecting user [consent]|NO|YES|YES
|[Identity Tokens]|YES|NO|YES [JWT]
|Distributed and aggregated claims|NO|NO|YES
|Dynamic introduction|NO|NO|YES
|[Session] [timeout]|NO|NO|YES
/%
/%
/%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]