Authentication protocols

ProxyIdP supports two authentication protocols for connecting a service: SAML2 and OpenID Connect.

SAML2

Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging authorization data between the identity provider and the service provider. SAML is an XML-based protocol.

Two major roles play a part in the SAML protocol:

  • Identity Provider (IdP) - Retains authoritative information about users, authenticates users and passes on information about users.

  • Service Provider (SP) - Provides a service to users. The SP delegates user authentication to an IdP and consumes the user data provided by the IdP.

Each of these entities must publish a file containing metadata that describes it. The entities have to exchange this metadata before they can work together.

SAML2 has technical limitations - it cannot be used in JavaScript applications, native applications, from the command line etc. For new applications, we highly recommend using OpenID Connect (OIDC) instead.

OpenID Connect

OpenID Connect (OIDC) is an extension of the OAuth2 authorization protocol. It specifies an authentication procedure and describes a standardized API for obtaining user information. In terms of applications, OIDC is similar to SAML2, but:

  • SAML SP is called Relying Party (RP)

  • SAML IdP is called OpenID Provider (OP)

  • no metadata exchange between IdP and SP is required

  • users may choose which personal data will be accessible for the application

  • applications are not limited to being web-based (they can be mobile, desktop, command-line, SmartTV)
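
An added example, not part of the original page and not ProxyIdP's own code: one common way an RP learns the OP's endpoints without a metadata exchange is the JSON document defined by OpenID Connect Discovery, which the RP should validate before relying on it. The issuer `https://op.example.org`, the function `check_discovery` and the algorithm allow-list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Fields this RP needs before it will talk to an OP (authorization code flow).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint",
             "userinfo_endpoint", "jwks_uri")
ALLOWED_ALGS = {"RS256", "ES256"}  # local policy (assumption), not from the page


def check_discovery(expected_issuer, doc):
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing {k}" for k in REQUIRED if k not in doc]
    # Exact string comparison: the issuer is the OP's identity, so any
    # difference (even a trailing slash) is treated as a different party.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer mismatch")
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is not None:
            parts = urlsplit(url)
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"{key} is not an https URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    if not ALLOWED_ALGS & set(doc.get("id_token_signing_alg_values_supported", [])):
        problems.append("no acceptable ID token signing algorithm")
    return problems


# Constructed sample documents; op.example.org is a placeholder issuer.
ISSUER = "https://op.example.org"
GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "jwks_uri": ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document with a different issuer string, a cleartext UserInfo
# endpoint and only unsigned ID tokens on offer.
BAD = dict(GOOD, issuer=ISSUER + "/",
           userinfo_endpoint="http://op.example.org/userinfo",
           id_token_signing_alg_values_supported=["none"])

if __name__ == "__main__":
    print(check_discovery(ISSUER, GOOD))
    print(check_discovery(ISSUER, BAD))
```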

Comparison of SAML2 and OIDC

|   | SAML2 | OIDC |
|---|---|---|
| Web applications | Yes | Yes |
| Native applications (desktop, mobile) | No | Yes |
| JavaScript applications | No | Yes |
| Command line applications | No | Yes |
| Format | XML | JSON |
| Set-up difficulty | Hard to implement | Easy to implement and use |
| Can invalidate access tokens? | No | Yes |

replaces https://aai.cesnet.cz/en/index/documentation/sp/proxy/protocols

Support: perun@cesnet.cz