Extensis has selected OpenID Connect (OIDC) as the primary protocol for authentication and authorization in Connect with Azure / Entra, and soon with Okta.
OIDC is a modern protocol built on top of OAuth 2.0: it adds an identity layer (a signed ID token) to OAuth 2.0's authorization flows and uses JSON as its data format. It was designed for web and mobile applications, which makes it the best fit for our applications going forward, since those include single-page applications (SPAs), native mobile apps, and APIs.
OIDC also lets us stay flexible and interoperable with the modern web and mobile technologies we plan to build on, and it has become the default choice for most new web and mobile applications because of its simplicity and alignment with current development practices.
In summary, Extensis selected OIDC as the modern, lightweight, and flexible protocol suited to our current web products and potential mobile applications. SAML remains a well-established, XML-based protocol, but we most often see it used for enterprise and on-premises SSO deployments rather than for new web or mobile applications.
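As an added illustration of what "built on OAuth 2.0, using JSON" means for the application receiving the login (this is example code, not Extensis or Microsoft code): an Entra-issued ID token is a signed JWT, and the relying party must verify its RS256 signature against the tenant's published JWK Set and then check issuer, tenant, audience, validity window and nonce before trusting any claim in it. So the script runs offline, a throwaway RSA key generated in the script stands in for the tenant signing key and is served from an in-memory JWK Set; the tenant id, client id, nonce and user are made-up values.

```python
"""Relying-party validation of an Entra ID (Azure AD) OIDC ID token. Added example, not
Extensis or Microsoft code. Entra signs ID tokens with RS256 and publishes the public keys as
a JWK Set (https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys); here a throwaway
RSA key stands in for the tenant key. Tenant id, client id, nonce and user are made up."""
import base64, hashlib, hmac, json, random, time

_rng = random.Random(20240101)  # fixed seed so the demo key is reproducible; never do this for real keys
def _probable_prime(bits, rounds=8):  # Fermat test with random bases: fine for a throwaway demo key only
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if all(pow(_rng.randrange(2, c - 1), c - 1, c) == 1 for _ in range(rounds)):
            return c
def generate_demo_key(bits=1024):
    """Return (n, e, d). 1024 bits keeps the demo quick; real tenant keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64int(i): return b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(msg, k):  # RFC 8017 EMSA-PKCS1-v1_5 encoding of SHA-256(msg); k = modulus length in bytes
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")
def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def issue_id_token(claims, key, kid):  # the IdP's side, used here only to build test tokens
    n, _e, d = key
    hdr = b64url(json.dumps({"typ": "JWT", "alg": "RS256", "kid": kid}).encode())
    signing_input = f"{hdr}.{b64url(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64url(rs256_sign(signing_input.encode(), n, d))}"

class TokenError(Exception): pass

def validate_id_token(token, jwks, tenant_id, client_id, expected_nonce, now=None, skew=300):
    """Return the claims if every check passes, else raise TokenError. Order matters: pin the
    algorithm and verify the signature before trusting a single claim in the payload."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64)), b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "RS256":  # never honour alg=none or whatever algorithm the token names
        raise TokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:  # a real RP refreshes the JWKS once here to pick up signing-key rollover
        raise TokenError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), sig, n, e):
        raise TokenError("bad signature")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0" or claims.get("tid") != tenant_id:
        raise TokenError("wrong issuer or tenant")
    if claims.get("aud") != client_id:
        raise TokenError("token not issued for this client")
    if not (claims.get("nbf", 0) - skew <= now < claims.get("exp", 0) + skew):
        raise TokenError("token outside validity window")
    if claims.get("nonce") != expected_nonce:  # nonce was generated and stored in the session before the redirect
        raise TokenError("nonce mismatch (possible replay)")
    return claims

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # made-up tenant id
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # made-up application (client) id
_KEY, KID = generate_demo_key(), "demo-key-1"
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": KID, "n": _b64int(_KEY[0]), "e": _b64int(_KEY[1])}]}

def demo(now=1_700_000_000):
    """Issue one valid token, then show which misuse each check rejects."""
    nonce = "n-0S6_WzA2Mj"  # value the app generated for this login attempt
    claims = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "aud": CLIENT_ID, "tid": TENANT_ID,
              "sub": "demo-subject", "iat": now, "nbf": now, "exp": now + 3600, "nonce": nonce,
              "preferred_username": "jane@example.com"}
    token = issue_id_token(claims, _KEY, KID)
    h, _p, s = token.split(".")
    forged = f"{h}.{b64url(json.dumps(dict(claims, aud='other-client')).encode())}.{s}"  # edited payload, old signature
    def outcome(tok, **override):
        args = {"tenant_id": TENANT_ID, "client_id": CLIENT_ID, "expected_nonce": nonce, "now": now, **override}
        try:
            return "accepted as " + validate_id_token(tok, JWKS, **args)["preferred_username"]
        except TokenError as err:
            return str(err)
    return {"valid": outcome(token), "forged_payload": outcome(forged, client_id="other-client"),
            "wrong_audience": outcome(token, client_id="other-client"),
            "replayed_nonce": outcome(token, expected_nonce="some-other-nonce"), "expired": outcome(token, now=now + 7200)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the JWK Set is fetched from the URL in the tenant's OIDC discovery document, the nonce is the value the application stored in the user's session before redirecting to Entra, and a well-tested library (for example MSAL) should do this work; the script only makes the individual checks visible. The same checks exist for SAML in XML form: the assertion signature, the Issuer, the Audience restriction, the NotBefore/NotOnOrAfter conditions and the InResponseTo attribute, which is why neither protocol is "more secure" on its own; what matters is that the relying party performs every check.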
Using both SAML and OIDC in Azure
Before relying on Azure AD's support for both SAML and OIDC, please check with Microsoft directly for the service and support details that apply to your subscription. Using both protocols lets your organization build a flexible and secure authentication architecture that accommodates a range of application requirements and legacy systems.
—
Microsoft Azure can combine SAML and OIDC for authentication and authorization. Azure Active Directory (Azure AD, now Microsoft Entra ID), Microsoft's cloud-based identity and access management service, supports both protocols, and each application registered in the tenant can be configured for whichever protocol its requirements call for.
Here’s how Azure AD can combine SAML and OIDC:
1. Single Sign-On (SSO)
Azure AD can provide SSO using both SAML and OIDC. For example, an organization might use SAML for older enterprise applications and OIDC for newer, cloud-native applications. Because both protocols are served from the same Azure AD sign-in session, a user authenticates once and is then issued a SAML assertion or an OIDC token for each application without signing in again, regardless of the underlying protocol.
2. Identity Provider (IdP) Integration
Azure AD can act as the identity provider for both SAML and OIDC relying parties, so applications that use either protocol are integrated with Azure AD as the single, central authentication authority.
3. Application Configuration
When registering an application in Azure AD, you choose the protocol (SAML or OIDC) the application supports. An OIDC application is registered with its redirect URIs and receives a client ID, while a SAML application is configured with its identifier (entity ID), reply URL (Assertion Consumer Service URL) and signing certificate. Azure AD provides step-by-step guides and gallery templates for both types of application.
4. Conditional Access and Security
Azure AD's Conditional Access policies and security features apply uniformly to SAML and OIDC applications, because they are evaluated when Azure AD issues the SAML assertion or OIDC token, before the application ever sees it. Multi-factor authentication (MFA), device and location conditions, and Identity Protection risk policies are therefore enforced consistently regardless of protocol.
5. Hybrid Environments
In a hybrid environment where some applications run on-premises (typically integrated using SAML) and others in the cloud (using OIDC), Azure AD can bridge the two. Azure AD Application Proxy publishes on-premises applications through Azure AD, pre-authenticates users there and enables SSO for those applications, including SAML-based SSO, while the same tenant issues OIDC tokens to cloud-based applications.
6. Custom Policies with Azure AD B2C
For customer-facing applications, Azure AD B2C supports custom policies that federate with external identity providers over either SAML or OIDC, so users arriving from different providers get a consistent sign-in experience regardless of which protocol their provider uses.