Question

I have seen in some articles that OpenID Connect is said to be replacing SAML as the dominant protocol for SSO. I am not sure how OpenID Connect would handle the session management capabilities with different service providers, and how it could be used to implement single logout. Currently, are there IDM servers (open source or commercial) that support OpenID Connect as an SSO IdP (as a replacement for a SAML2 SSO IdP)?


Solution

PingFederate [disclaimer: as it says in my name, I work for PingIdentity] built OIDC into the product in April 2013 - version 7.0. Additionally, we've supported OpenID since December 2010 via an integration kit.

That said, "SLO" (Single Logout) under OIDC is a whole new ballgame. I'd suggest having a read through the Session Management portion of the OID Spec. The gist of it is that SLO is done completely differently than the way most SAML systems implemented it, and it's very user-centric, rather than OP or RP specific.

One last thing... While it's possible that OIDC will replace SAML eventually, I'd just like to point out that we've finally got a serious snowball effect going with SAML. OIDC isn't yet final, and it's going to take time to migrate to. Will the focus shift? Quite possible. But it won't happen this year, or next, and most likely not for a couple more after that. If you're looking at products that are bleeding edge that support OIDC, fair enough... But if you're actually wanting to implement, the opportunities are few and far between. There just aren't a lot of RPs out there yet - primarily because the spec isn't "final".

I should also mention that some of our competitors, like Gluu, Okta, IBM, and Layer7 have shown support for OIDC (by competing in interop testing), but I can't speak to the extent of their support in current products.

OTHER TIPS

OpenAM seems to support it from release 11. wikis.forgerock.org/confluence/display/openam/OpenAM+Roadmap

Yes, no question. No one wants to use a SOAP/XML standard from 2005 (pre-mobile) when they can use a JSON/REST API from 2014. See Gluu's protocol predictions: http://www.gluu.co/sso-protocol-predictions

If you doubt it, see Forrester's predictions... http://www.gluu.org/blog/wp-content/uploads/2014/06/eve_uma_irmsummit_2014-300x225.jpg Notice SAML on the "moderate success" curve, and OpenID Connect on the "significant success" curve.

The problem is that SAML vendors would not agree to breaking changes, and mobile/headless APIs broke some of the assumptions made in the design of SAML.

I would expect that OIDC will replace SAML based authentication over time.

Apache Fediz (since version 1.3.0) provides support for:
* SAML Web SSO
* WS-Federation
* OIDC

The great thing about Fediz is that it also supports a protocol bridge. So you can log in with an IdP using SAML Web SSO and finally log in to an OIDC Web Portal. https://cxf.apache.org/fediz.html http://janbernhardt.blogspot.de/2015/12/fediz-with-openid-connect-support-and.html

However, SLO is currently not supported for OIDC. But since it is an open source project, it should be simple to add this, as contributions are always welcome.

Licensed under: CC-BY-SA with attribution