====== Protocols ====== Proxy IdP supports two protocols for connecting a service - **[[http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.html |SAML2]]** and **[[https://openid.net/connect/ |OpenID Connect]]**. ====== SAML2 ====== Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging authorization data between the identity provider and the service provider. SAML is an XML-based protocol. Two major roles play a part in the SAML protocol - Identity Provider(IdP - Retains authoritative information about users, authenticates users and passes on information about users.) and Service Provider(SP - Provides a service offered to be used by users. SP delegates user authentication to an IdP and consumes user data provided by the IdP). Both of these entities have to have a published file containing metadata describing them. En exhcange of the metadata between the entities is needed to provide functionality. ====== OpenID Connect ====== OpenID Connect (OIDC) is an extension of the OAuth2 authorization protocol. It specifies authentication procedure and describes standardized API for obtaining user information. In terms of applications, OIDC is similar to SAML2, but: * SAML SP is called Relying Party (RP) * SAML IdP is called OpenID Provider (OP) * no metadata exchange between IdP and SP is required * the user chooses by himself which personal data wants to make accessible for the application * applications are not limited be web-based only (they can be mobile, desktop, command-line, SmartTV) For more information about the OpenID Connect protocol please look at our {{ :en:index:documentation:sp:proxy:oidc_handson.pdf |presentation}}. ====== SAML2 vs OIDC ====== | ^ SAML2 ^ OIDC ^ ^ Application type | Web application | Web and native application | ^ Format | XML | JSON | ^ Set-up difficulty | Hard to implement | Easy to implement and use | ^ Can invalidate an access tokens? | No | Yes |