OIDC vs SAML - What are you missing & how do you solve that?
Convener: Mark Dobrinic
Notes-taker(s): Yuri H Hirohashi
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Both meant to solve the same problem
OpenID Connect was meant to make things simple
SAML known for making things complex :)
SAML has a lot of solutions already
With OpenID Connect you may encounter problems along the way
The OIDC ID token has a very limited set of definitions
SAML NameID has many more definitions
Interested in having a mechanism; University of Michigan's experience:
A lot of the time SPs, especially commercial ones, are pulling attributes
They want a NameID but they don't honor its definitions
A persistent NameID is supposed to be opaque
On campus, students get TV access, but not off campus - is this person entitled? The problem is trying to identify where a given student lives
U of Michigan started with SAML, which has slow adoption
OIDC has faster adoption. Everyone with a Google account has OIDC
Google consumes SAML but does not produce SAML
Would people rather work with JSON or XML?
Writing PHP or Ruby code is easier than web server configuration
Linking identity: how to integrate OIDC into the SAML world
Federated logins
Need to figure out how to make configuration and management of SAML and OIDC easier for people
iSELECT is another standard in the Netherlands
Don't change protocol unless you need to; if it is working, leave it
OIDC is suitable for application integration
SAML installation experience is easier
Have you operated SAML and OpenID Connect simultaneously, issuing both ID tokens and assertions? - Not yet. Using SAML but looking into OpenID Connect
Account chooser: local storage
Discovery by email
IDP does not prompt you for email
Just type in credentials
The OpenID Foundation is the governing body for the spec
Not going to solve a problem if it is for one person
SAML - OASIS
If people have problems with OpenID Connect, let's try to have a consistent approach to solving them, not individually. Let's stay connected
Want the trust of OpenID Connect metadata to be signed by the federation