Authentication protocols
ProxyIdP supports two authentication protocols for connecting a service - SAML2 and OpenID Connect.
SAML2
Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging authorization data between the identity provider and the service provider. SAML is an XML-based protocol.
Two major roles play a part in the SAML protocol:
Identity Provider (IdP) - Retains authoritative information about users, authenticates users and passes on information about users
Service Provider (SP) - Provides a service offered to be used by users. SP delegates user authentication to an IdP and consumes user data provided by the IdP.
Both of these entities have to have a published file containing metadata describing them. An exchange of the metadata between the entities is needed to provide functionality.
SAML2 has technical limitations - it cannot be used in JavaScript applications, native applications, from the command line etc. For new applications, we highly recommend using OpenID Connect (OIDC) instead.
OpenID Connect
OpenID Connect (OIDC) is an extension of the OAuth2 authorization protocol. It specifies an authentication procedure and describes a standardized API for obtaining user information. In terms of applications, OIDC is similar to SAML2, but:
SAML SP is called Relying Party (RP)
SAML IdP is called OpenID Provider (OP)
no metadata exchange between IdP and SP is required
users may choose which personal data will be accessible for the application
applications are not limited to be web-based only (they can be mobile, desktop, command-line, SmartTV)
Comparison of SAML2 and OIDC
| SAML2 | OIDC |
---|---|---|
Web applications | Yes | Yes |
Native applications (desktop, mobile) | No | Yes |
JavaScript applications | No | Yes |
Command line applications | No | Yes |
Format | XML | JSON |
Set-up difficulty | Hard to implement | Easy to implement and use |
Can invalidate access tokens? | No | Yes |
replaces Protocols [aai.cesnet.cz]
Support: perun@cesnet.cz