OpenID Connect vs. SAML 2.0: Choosing the Right Authentication Protocol for AWS

Sharon Sahadevan
3 min read · Apr 6, 2023


Introduction

Single sign-on (SSO) is a vital feature for modern applications, allowing users to access multiple services using a single set of credentials. Two widely used open standards for SSO are Security Assertion Markup Language 2.0 (SAML 2.0) and OpenID Connect (OIDC). Both standards facilitate authentication and authorization but differ in terms of protocol, token format, and use cases. This article will discuss the key differences between OIDC and SAML 2.0 and explore their use cases within the AWS ecosystem.

OIDC vs. SAML 2.0: A Brief Comparison

Before diving into the AWS-specific use cases, let’s briefly compare OIDC and SAML 2.0:

Protocol

  • OIDC is built on OAuth 2.0 and uses JSON Web Tokens (JWT) for token exchange. It relies on RESTful API communication.
  • SAML 2.0 is an XML-based standard that uses SOAP for communication.

Token Format

  • OIDC uses compact, URL-safe JWTs.
  • SAML 2.0 uses verbose XML-based SAML assertions.

Complexity

  • OIDC is relatively simple to implement, thanks to OAuth 2.0 and JWTs.
  • SAML 2.0 is more complex due to XML verbosity and SOAP-based communication.

OIDC and SAML 2.0 in the AWS Context

Now let’s explore how OIDC and SAML 2.0 can be used within the AWS ecosystem:

AWS Cognito

AWS Cognito is a fully managed service that provides user sign-up, sign-in, and access control for web and mobile applications. Cognito supports both OIDC and SAML 2.0 identity providers (IdPs).

  • OIDC: Cognito integrates easily with OIDC providers such as Google, Facebook, and Amazon. This benefits developers who want a quick and straightforward SSO implementation for their web or mobile applications.
  • SAML 2.0: Cognito supports SAML 2.0 IdPs, like Active Directory Federation Services (AD FS) and Okta. This is useful for organizations that have an existing SAML 2.0-based infrastructure and want to incorporate AWS services into their SSO environment.

AWS Single Sign-On (SSO)

AWS SSO simplifies the management of multiple AWS accounts and business applications by providing a central location for managing SSO access. In addition, AWS SSO supports SAML 2.0-based identity providers.

  • SAML 2.0: Organizations can use AWS SSO with their existing SAML 2.0-based IdPs, like AD FS, Okta, or Azure AD, to streamline user access to AWS accounts, AWS Management Console, and third-party applications.

API Gateway and Lambda Authorizers

AWS API Gateway is a managed service that makes it easy for developers to create, publish, and manage APIs for their applications. In addition, Lambda authorizers provide a way to control access to your APIs using custom logic.

  • OIDC: You can use an OIDC token to authenticate and authorize access to your APIs by implementing a Lambda authorizer. This approach is suitable for modern applications with API-based services.
  • SAML 2.0: While using SAML 2.0 tokens with Lambda authorizers is possible, it’s less common due to the complexity and verbosity of XML-based tokens. Typically, OIDC is preferred in this scenario.
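As an added example (not code from the original article), here is a minimal Python Lambda TOKEN authorizer for the OIDC case above: it checks what a resource server must check on an OIDC token (signature, pinned algorithm, issuer, audience, expiry) and maps any failure to an explicit Deny policy. So that it runs offline it assumes an HS256 shared secret and mints its own constructed token; a real OIDC IdP signs with RS256, so a deployed version would verify against the provider's JWKS with a library such as PyJWT instead of the HMAC check shown here.

```python
import base64, hashlib, hmac, json, time
# Constructed config; a deployed authorizer would read these from environment variables.
ISSUER = "https://idp.example.com/"        # must equal the token's "iss" claim
AUDIENCE = "my-api-client-id"              # the client_id the IdP issued the token for
SECRET = b"constructed-hs256-demo-secret"  # HS256 so the demo runs offline; real IdPs use RS256 + JWKS

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a constructed HS256 JWT; stands in for the IdP so the example is self-contained."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def validate_token(token: str, now=None) -> dict:
    """Check signature, pinned alg, issuer, audience and expiry; raise ValueError on any failure."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")  # ValueError unless exactly three segments
    if json.loads(_b64d(head)).get("alg") != "HS256":  # allow-list the alg; never honour "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def lambda_handler(event: dict, context=None) -> dict:
    """REST API TOKEN authorizer entry point: bearer token in, IAM policy for execute-api out."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    try:
        if scheme.lower() != "bearer":
            raise ValueError("missing Bearer scheme")
        principal, effect = validate_token(token)["sub"], "Allow"
    except (ValueError, KeyError, AttributeError):  # any failure becomes an explicit Deny (HTTP 403)
        principal, effect = "anonymous", "Deny"
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": event["methodArn"]}]}}
```

API Gateway caches the returned policy per token for the configured TTL, so keep token lifetimes and the authorizer cache TTL aligned.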

Conclusion

Choosing between OIDC and SAML 2.0 for your AWS environment depends on factors such as your existing infrastructure, the applications you’re working with, and your security and scalability requirements. OIDC is often more suitable for modern web and mobile applications, API-based services, and cloud-based solutions due to its simplicity and scalability. SAML 2.0 is more commonly used in enterprise environments with existing SAML 2.0-based infrastructure and a need for compatibility with legacy applications.

When deciding, evaluating your organization’s specific needs and constraints is crucial. By understanding the differences between OIDC and SAML 2.0 and their use cases in the AWS ecosystem, you can make an informed choice and implement a robust, secure, and efficient authentication and authorization solution for your applications and services.
