Question

I need to figure out how we are going to do Authorization and Authentication for our application. What are the top 3 technologies for implementing Authorization and Authentication? We would like our application to not rely on sessions, it would be more desirable to use tokens. I need to create an identity provider and I've never done anything like this. Please help!


Solution

As OhadR says, you have managed to tag your post with the top 3 standards - OAuth, OpenID, and SAML. I don't, however, agree with his statement on the level of complexity of SAML. In addition, your statements: "We would like our application to not rely on sessions, it would be more desirable to use tokens. I need to create an identity provider..." are somewhat at odds with one another. You talk about "your application" in one breath, but then say you need to "create an identity provider" in another... So, I'll just speak in general terms. To be open, I work for Ping Identity - we sell a product called PingFederate that does all of this.

With OpenID and OAuth, there is a lot of similarity (especially since OpenID Connect is essentially OAuth2 with an extension or two). Different companies are using these in different ways (consider Google, Facebook and Twitter, for example). All of them are trying to be your identity provider of choice, of course, but of those three, Google will also allow you to use it as a service provider. Both of these technologies are "token-based", meaning your application either generates and confirms tokens for authentication (and maybe authorization) when you are the identity provider, or it checks the validity of that token with the identity provider within a determined period of time when you are the service provider.

With SAML, you are talking sessions (which you indicate you DON'T want). The user shows up at your application, and it sends the user off to get authenticated for that session and return with an authenticated session and possibly some attributes to help your application do authorization.

As far as which to use... This is where it gets harder. SAML is definitely out there. Almost any real service provider will allow you to use SAML. Many enterprises have rolled out identity providers. If you're building an application for enterprises to use, you're going to be safe in making your application consume SAML. OpenID and OAuth are newer, to be sure, so fewer enterprises have made them available from the IdP standpoint - there's a lot to configure (storage of the tokens and the scopes). I would hazard to guess and say that only one of five (or maybe fewer) enterprises that do SAML as an IdP also do OAuth or OpenID. The same goes for enterprises that act as service providers.

Ultimately, you have to make your decision based on your use case. Are you acting as a service provider or identity provider? What is it that you are wanting to plug in to? What do those enterprises offer as service providers or identity providers? Do you start with SAML, and branch out later to OAuth/OpenID as your connections make it available?

Best of luck, and hope I've helped.
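To make the token-based flow described in the answer concrete, here is an added example (not code from the answer, from Ping Identity or from PingFederate) showing both halves: the identity-provider side minting a short-lived signed token, and the service-provider side validating that token on its own, with no server-side session, by checking signature, issuer, audience and expiry. The issuer URL, audience and shared HS256 secret are constructed assumptions; a real identity provider publishes asymmetric signing keys instead of sharing a secret.

```python
import base64, hashlib, hmac, json

# Constructed example values (not from the page): a shared HS256 secret stands in
# for the IdP signing key; a real IdP publishes asymmetric keys (RS256/ES256).
IDP_SECRET = b"constructed-shared-secret"
ISSUER = "https://idp.example.test"   # hypothetical identity provider
AUDIENCE = "my-app"                   # hypothetical client id of our application

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, ttl: int, now: int) -> str:
    """Identity-provider side: issue a signed token that is only valid for ttl seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str, now: int) -> dict:
    """Service-provider side: no session lookup, just check the token itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never trust alg=none or a downgrade
    expected = hmac.new(IDP_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")           # claims were altered or forged
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token issued for another application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")           # the "determined period of time"
    return claims

def check_token(token: str, now: int):
    """Convenience wrapper returning (ok, claims_or_reason) instead of raising."""
    try:
        return True, validate_token(token, now)
    except ValueError as exc:
        return False, str(exc)
```

Because every check is against the token's own contents, the application never has to keep per-user state between requests, which is the property the question asks for.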

OTHER TIPS

AFAIK the three that you have tagged are the most common: oAuth, SAML and OpenID. These 3 are not "technologies", but they are specifications. Each one has its pros and cons...

If you are about to implement your own Identity Provider, I would prefer the oAuth - it will be easier for you to implement. SAML IDP is much more complicated - Shibboleth is not easy to implement. You can use Spring extension for oAuth 2.0 implementation.

HTH.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow