The Future of Single Sign-On Belongs to OpenID Connect
Categories: Agile DevOps
by Nathan Noble
One absolute truism about the world of technology is that it’s never static. It’s always changing, always evolving and advancing. If that weren’t true you might be reading this on parchment by the light of a candle. And perhaps I’d be writing about tips for keeping your quill pen properly sharpened.
Constant change is simply the nature of technology. And it’s not that the technology that is replaced is bad – something better simply comes along. Consider a few classic examples:
- Public telephones (are you old enough to remember trying to find one?) replaced by mobile phones replaced by smart phones
- DVD and VCR dethroned by the likes of Netflix, Hulu, and Amazon Prime
- CD players and stacks of disks replaced by tiny MP3 players and iPods
- GPS navigation devices eclipsed by Google Maps and Waze
But in spite of the rapid change inherent with technology, certain technological niches may appear to be static simply because we’ve used a particular tool for a long time. That might be the case with the long-entrenched standard tool for web single sign-on, the Security Assertion Markup Language (SAML).
SAML has been with us for a long time – at least in technological terms. SAML’s reign of dominance stretches back almost to the turn of the century. In the years since, SAML has been the dominant player in SSO.
SAML isn’t going away anytime soon; it will be a major player in SSO for some time yet. SAML is deeply entrenched technology, and is particularly dominant in certain areas – government and education, for example.
But the signs are clear. SAML will soon be eclipsed by a much newer tool: OpenID Connect.
OpenID Connect Becoming Dominant
OpenID Connect is the up-and-coming authentication protocol for the Internet. It’s built on top of OAuth2. That’s a great combo, because where OAuth2 shines in authorization (granting delegated access), OpenID Connect adds the identity layer and excels in authentication (establishing who the user is).
OpenID Connect is a young technology; it’s been around for only a couple of years. And though SAML is still widely used, OpenID Connect is rapidly growing in popularity.
In terms of sheer numbers, OpenID Connect might already be challenging SAML for dominance. OpenID Connect has been implemented by some heavy-hitters such as Google, Twitter, PayPal, Microsoft, and Amazon Web Services. (Facebook also uses a customized version of OpenID Connect, which they’ve named Facebook Connect.)
Currently OpenID Connect is used more as a consumer-oriented protocol. But the use of OpenID Connect is growing rapidly in B2B – though somewhat slower in government and education.
Great Reasons for Growth
Why is the adoption of OpenID Connect happening so quickly? It’s simply because OpenID Connect is the right technology for our time.
Unlike SAML, OpenID Connect lives naturally in the cloud environment. (When SAML was first introduced, the term ‘cloud’ mostly invoked images of those fluffy things that float in the sky and produce rain.)
Specific reasons for OpenID Connect’s exploding popularity include:
- It’s Adaptable: OpenID Connect is adaptable to newer, burgeoning areas of technology, such as the Internet of Things and native mobile applications.
- It’s Nimble: SAML relies on XML-based messages, which are heavy and ponderous compared to OpenID Connect’s use of JSON.
- It’s RESTful: OpenID Connect uses an architectural style called Representational State Transfer (REST). REST is a rapidly growing technology that offers significant performance advances.
- It’s Mobile-Friendly: Use of mobile is exploding, and that’s a trend that won’t be slowing anytime soon. OpenID Connect enables the superior authentication APIs that are important for mobile, and is easily implemented on platforms such as Android and iOS.
Security is certainly of vital importance to any organization. But implementing and maintaining security protocols doesn’t have to be as difficult as it is important.
And that’s one of the great advantages of OpenID Connect: simplifying security. OpenID Connect essentially provides a means of outsourcing SSO security. You can do that by leveraging large identity providers: Google, Salesforce, Twitter, Microsoft, Amazon, etc.
Consider, for example, a user that signs up for your online services. If that user already has an identity with one of those large providers and consents to sharing it, there’s no need for you to build that user’s identity yourself. Instead, you can use the identity that’s already been established, verified, and maintained by one of those major players.
Essentially, you’re just delegating the authentication to entities that are better positioned, in terms of resources, to keep the authentication secure.
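Delegating authentication this way still leaves one job with you: before trusting a login, your service must validate the ID token the provider returns. The following is an added example, not code from the original post: a stdlib-only Python check of an OpenID Connect ID token (a JSON Web Token), where the issuer URL, client_id and the HS256 shared secret are constructed placeholders; real providers sign with RS256 keys published at their JWKS endpoint, but the claim checks are the same.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: a hypothetical identity provider, a hypothetical
# client_id (the token's 'aud'), and a shared HS256 key used only for this demo.
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-relying-party"
SECRET = b"constructed-shared-secret"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims, key=SECRET):
    """Mint a constructed HS256 ID token (stands in for the provider's token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_id_token(token, expected_nonce, now=None, key=SECRET):
    """Return the claims if the token is acceptable, else raise ValueError.
    These are the checks a relying party makes before trusting the login:
    signature, issuer, audience, expiry, and the nonce bound to this login."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # never accept 'none' or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```

The nonce is a random value your app generated when it started the login and stored in the user's session; checking it ties the returned token to that specific login attempt.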
Every Technology Has Its Day
Every technology — no matter how popular — has a finite lifespan. That’s a good thing, because it’s a byproduct of the evolution and advancement of technology. Old technologies must inevitably give way to newer, better technologies.
But the incessant march of progress does require that we continuously evaluate the technologies we’re using. In the world of business, particularly, it’s important not to fall behind.
If your organization is still using SAML, it might be time for a change. SAML has had its day. Though SAML will be around a while longer, there’s little doubt that the day now belongs to OpenID Connect.