SSO
2026-03-07
Edited: 2026-05-31
Authentication vs Authorization
Authentication proves who you are, while authorization lets you grant another party permission to perform some action on your behalf, without handing that party your credentials.
In particular
- OpenID lets you authenticate through a third party (an identity provider) instead of through the site's own authentication
- OAuth removes the need to give third parties your password just to let them perform an action on your behalf
These have a lot of overlapping features, which makes the distinction confusing. Note that OAuth came after OpenID. In both cases the user is redirected to some third party to provide their credentials, but OpenID is about proving who the user is (granting access to the account) while OAuth is about delegating actions.
SAML vs OpenID Connect
Two different protocols:
- SAML is more common in enterprise settings and uses XML tokens (assertions)
- OpenID Connect is better suited to mobile and uses JWT tokens
These are used for authentication. In particular, OpenID Connect is an identity layer on top of OAuth 2.0: it defines how to use OAuth for authentication in addition to authorization (OAuth's original purpose).
CAS vs OAuth vs OpenID
CAS centralizes authentication while OpenID decentralizes it
- CAS is good when internal services all point to a single CAS server controlled by you
- OpenID is good when you want the users to decide what authentication server to use (such as using Microsoft's or Google's or whatever)
Note that OAuth by itself is not for SSO and is different from OpenID. The "Auth" in OAuth stands for authorization, not authentication.
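As an added example (not from this note or any of its sources), here is the check a relying party performs when it uses OpenID Connect as the authentication layer over OAuth: it validates the ID token (a JWT) rather than trusting a bare OAuth access token. The issuer URL, client_id, signing key and tokens are all constructed for the demo, and HS256 stands in for the RS256 a real provider would use so that the example needs only the standard library. It also shows why OAuth alone does not authenticate: an opaque access token carries no verifiable identity, and an ID token minted for a different client fails the aud check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; none of these come from the note above.
DEMO_KEY = b"constructed-demo-signing-key"   # stands in for the IdP's signing key
ISSUER = "https://idp.example.test"          # hypothetical OpenID provider
CLIENT_ID = "my-web-app"                     # hypothetical relying-party client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (header.payload.signature) over the given claims.

    Real providers usually sign with RS256 and publish the public key via their
    JWKS endpoint; HS256 is used here only to keep the example dependency-free.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str, *, key: bytes = DEMO_KEY,
                      issuer: str = ISSUER, client_id: str = CLIENT_ID,
                      now: Optional[float] = None) -> dict:
    """Apply the ID-token checks from OpenID Connect Core and return the claims.

    Raises ValueError naming the first check that fails: structure, pinned
    algorithm, signature, iss, aud, exp, nonce.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm you expect; never let the token choose (e.g. "none").
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        # Issued for some other relying party: it proves nothing about a login here.
        raise ValueError("audience mismatch")
    current = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= current:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        # Binds the token to the login request that asked for it (replay defence).
        raise ValueError("nonce mismatch")
    return claims


def demo(now: float = 1_700_000_000) -> dict:
    """Contrast a valid ID token, one meant for another client, and an OAuth
    access token that carries no identity at all."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": "n-abc"}
    cases = {
        "id_token": mint_id_token(claims),
        "other_client_id_token": mint_id_token({**claims, "aud": "some-other-app"}),
        "opaque_access_token": "constructed-opaque-access-token",  # constructed, no JWT structure
    }
    results = {}
    for name, token in cases.items():
        try:
            validate_id_token(token, "n-abc", now=now)
            results[name] = "authenticated"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks matters less than the fact that every one of them is applied: signature alone does not stop a token issued for another client from being replayed here, and the aud check alone does not stop a forged token, which is why the OIDC spec requires both, plus iss, exp and the nonce tied to the login request.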
Shibboleth
OIDC