Guidance for SAML vs OIDC


#1

Hi,

I am trying to find a good source of information for when to use SAML vs OIDC with OKTA.
Can you point me to something in the docs where I can read what is/isn’t supported with both scenarios?

Thx in advance.


#2

Hi @brang

When using SAML, you are sending an assertion containing the user and/or group attributes to a service provider which then evaluates the details and logs in the user.

When using OIDC, you are requesting specific details from Okta through scopes, and Okta afterwards sends the JWT tokens to the service provider. This gives a more granular approach, as you can request only specific details for each OIDC application.

Here are a few references in the documentation to set up an application that uses either of the methods.


#3

Hi @dragos,

Can I use SAML for authenticating service-to-service? There are 2 scenarios there:

  • with user context - so after the OKTA SAML redirect has been done, my code is running in the frontend web app and I have a user context (ClaimsIdentity in .NET) - is it possible to pass the SAML assertions back when calling a web service for example (SOAP Header/JWT?)?
  • without a user context - I have a service that needs to do some background processing without user context, still it needs to call other services that I want to authenticate with - is this scenario supported with SAML?

thx in advance


#4

Hi @brang

Unfortunately we do not support this SAML scenario in Okta. The best way to achieve the use-cases would be by using OIDC.


#5

OAuth client credentials flow should be used: https://developer.okta.com/authentication-guide/implementing-authentication/client-creds
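As an added illustration of the scope-based OIDC/OAuth model described in #2 and the client credentials flow recommended in #5 for the "no user context" service-to-service case, the example below (not code from the thread or from Okta) shows the two halves a practitioner implements: the calling service builds the token request, and the called service validates the access token before honouring the call. The issuer URL, audience, client id, client secret and scope names are constructed placeholders. The sample token is HS256-signed under a constructed shared key purely so the example runs offline; real Okta access tokens are RS256-signed and must be verified against the issuer's published JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

# Constructed stand-ins, not real Okta values: a custom authorization server
# issuer, the API's audience, and the calling service's client credentials.
ISSUER = "https://dev-000000.okta.com/oauth2/default"
AUDIENCE = "api://orders"
CLIENT_ID = "0oa-example-client"
CLIENT_SECRET = "example-secret"
DEMO_HS256_KEY = b"constructed-shared-key-for-demo-only"


def build_token_request(client_id, client_secret, scopes):
    """Assemble the client credentials grant request (RFC 6749 section 4.4).

    The service authenticates itself with HTTP Basic (client_id:client_secret)
    and asks only for the scopes it needs; no user is involved.
    Returns (token_url, headers, body) for whichever HTTP client is in use.
    """
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    )
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return ISSUER + "/v1/token", headers, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_access_token(claims, key=DEMO_HS256_KEY):
    """Constructed token issuer: HS256-signs the claims so the example runs
    offline. Okta's own access tokens are RS256-signed; verify those against
    the issuer's JWKS, never with a shared secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_access_token(token, required_scope, key=DEMO_HS256_KEY,
                          now=None, skew=60):
    """Checks the called service performs before trusting a bearer token.

    Returns (True, client_id) on success or (False, reason) on failure.
    Order matters: verify the signature before reading any claim, pin the
    expected algorithm, then check issuer, audience, time window and scope.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != AUDIENCE:  # a token minted for another API is useless here
        return False, "wrong audience"
    if claims.get("exp", 0) < now - skew:
        return False, "expired"
    if claims.get("nbf", 0) > now + skew:
        return False, "not yet valid"
    # Okta access tokens carry the granted scopes in the `scp` claim and the
    # calling client's id in `cid`; the scope check is what makes the
    # per-application granularity from #2 enforceable on the called side.
    if required_scope not in claims.get("scp", []):
        return False, "missing scope"
    return True, claims.get("cid")


if __name__ == "__main__":
    url, headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET, ["orders.read"])
    print("POST", url, body)
    issued = int(time.time())
    token = mint_demo_access_token({
        "iss": ISSUER, "aud": AUDIENCE, "cid": CLIENT_ID,
        "scp": ["orders.read"], "iat": issued, "exp": issued + 3600,
    })
    print(validate_access_token(token, "orders.read"))
    print(validate_access_token(token, "orders.write"))
```

The `aud` and `scp` checks are the ones most often skipped in practice: without them, any valid token from the same Okta org, minted for any API and any scope, would be accepted by this service.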