- Welcome to Part 7 of the Authentication & Identity Security series.
- This article explains OAuth2, OpenID Connect (OIDC), and SAML in simple enterprise language.
- Designed for Middleware, DevOps, Cloud, Security, and Application Support Engineers.
- Includes examples using Azure Entra ID, SSO, APIs, JWT tokens, enterprise applications, and identity federation.
Table of Contents
- Introduction
- What is OAuth2?
- What is OpenID Connect (OIDC)?
- What is SAML?
- OAuth2 vs OIDC
- OIDC vs SAML
- Azure Entra ID Example
- Enterprise SSO Architecture
- Access Token, ID Token & SAML Assertion
- Where OAuth2, OIDC and SAML are Used
- OAuth2 vs OIDC vs SAML Comparison
- How to Setup OAuth2, OIDC and SAML - Practical Example
- Common Issues
- Best Practices
- Key Takeaways
- What’s Next?
Introduction
In Part 6, we learned about API Authentication and API Gateway Security. In this article, we will understand three very important identity and access technologies: OAuth2, OpenID Connect (OIDC), and SAML.
These technologies are widely used in modern enterprises for API access, Single Sign-On (SSO), cloud applications, Microsoft Entra ID integrations, and identity federation.
Simple Understanding:
OAuth2 is mainly for authorization. OIDC is for authentication on top of OAuth2. SAML is commonly used for enterprise Single Sign-On using XML-based assertions.
OAuth2 is mainly for authorization. OIDC is for authentication on top of OAuth2. SAML is commonly used for enterprise Single Sign-On using XML-based assertions.
What is OAuth2?
OAuth2 stands for Open Authorization 2.0.
OAuth2 is an authorization framework that allows an application to access protected resources on behalf of a user without sharing the user's password with that application.
OAuth2 Simple Flow
User │ ▼ Client Application │ ▼ Authorization Server │ ▼ Access Token Issued │ ▼ Protected API
OAuth2 answers this question:
What can this application access?
OAuth2 Example
Client Application
│
▼
Azure Entra ID
│
▼
Access Token
│
▼
API Gateway / Backend API
OAuth2 is heavily used for API access, mobile applications, web applications, machine-to-machine integrations, and cloud services.
What is OpenID Connect (OIDC)?
OIDC stands for OpenID Connect.
OIDC is an identity layer built on top of OAuth2. It is used to authenticate users and provide identity information to applications.
OAuth2 provides access tokens. OIDC adds an ID Token, which tells the application who the user is.
OIDC Simple Flow
User │ ▼ Application │ ▼ Identity Provider │ ▼ ID Token + Access Token │ ▼ Application Login Successful
OIDC answers this question:
Who is the user?
OIDC Example
User logs in to application
│
▼
Azure Entra ID authenticates user
│
▼
Application receives ID Token
│
▼
Application knows user's identity
Important:
OIDC is commonly used for modern web application login and Single Sign-On with Azure Entra ID, Okta, Keycloak, and other identity providers.
OIDC is commonly used for modern web application login and Single Sign-On with Azure Entra ID, Okta, Keycloak, and other identity providers.
What is SAML?
SAML stands for Security Assertion Markup Language.
SAML is an XML-based standard used for exchanging authentication and authorization data between an Identity Provider and a Service Provider.
SAML Simple Flow
User │ ▼ Service Provider Application │ ▼ Identity Provider Login │ ▼ SAML Assertion Issued │ ▼ Application Access Granted
SAML is commonly used for enterprise SSO with older and traditional enterprise applications.
SAML Example
User opens HR portal
│
▼
Redirect to Azure Entra ID / ADFS
│
▼
User authenticates
│
▼
SAML Assertion sent to HR portal
│
▼
User login successful
OAuth2 vs OIDC
OAuth2 and OIDC are closely related, but they are not the same.
| OAuth2 | OIDC |
|---|---|
| Authorization framework | Authentication layer on top of OAuth2 |
| Used to access APIs | Used to log in users |
| Issues Access Token | Issues ID Token and Access Token |
| Answers: What can the app access? | Answers: Who is the user? |
| Common in API security | Common in SSO login |
Memory Shortcut:
OAuth2 = Access to APIs
OIDC = Login and user identity
OAuth2 = Access to APIs
OIDC = Login and user identity
OIDC vs SAML
| Point | OIDC | SAML |
|---|---|---|
| Format | JSON / JWT | XML |
| Modern Usage | Modern web apps, APIs, mobile apps | Enterprise SSO, older web apps |
| Token / Assertion | ID Token | SAML Assertion |
| Protocol Base | OAuth2 | SAML standard |
| Cloud Native Friendly | High | Medium |
| Common Providers | Azure Entra ID, Okta, Keycloak | Azure Entra ID, ADFS, PingFederate |
Azure Entra ID Example
Microsoft Entra ID supports OAuth2, OIDC, and SAML for application authentication and authorization.
Modern Application Using OIDC
User │ ▼ Web Application │ ▼ Microsoft Entra ID │ ▼ ID Token + Access Token │ ▼ Application Login Successful
API Access Using OAuth2
Client Application
│
▼
Microsoft Entra ID
│
▼
OAuth2 Access Token
│
▼
Azure API Management
│
▼
Backend API
Enterprise SSO Using SAML
User │ ▼ Legacy Enterprise Application │ ▼ Microsoft Entra ID / ADFS │ ▼ SAML Assertion │ ▼ Application Access Granted
Enterprise SSO Architecture
User Browser
│
▼
Enterprise Application
│
▼
Identity Provider
(Azure Entra ID / Okta / ADFS)
│
▼
Authentication + MFA
│
▼
Token / Assertion
│
▼
Application Access
In this architecture, applications do not manage user passwords directly. Authentication is delegated to a centralized identity provider.
Benefits
- Centralized identity management
- Single Sign-On
- Multi-Factor Authentication
- Conditional Access
- Better audit and compliance
- Reduced password handling by applications
Access Token, ID Token & SAML Assertion
| Item | Used By | Purpose |
|---|---|---|
| Access Token | OAuth2 | Access protected APIs |
| ID Token | OIDC | Prove user identity to application |
| SAML Assertion | SAML | Provide authentication result to service provider |
Example Access Token Usage
GET /api/customer Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Example ID Token Purpose
Application receives ID Token Application reads user identity claims User login is established
Example SAML Assertion Purpose
Identity Provider sends SAML Assertion Service Provider validates assertion User gets access to application
Where OAuth2, OIDC and SAML are Used
| Use Case | Recommended Protocol |
|---|---|
| REST API access | OAuth2 |
| Modern web application login | OIDC |
| Mobile app login | OIDC |
| Single Page Application | OIDC with Authorization Code + PKCE |
| Legacy enterprise SSO | SAML |
| Microsoft Graph API access | OAuth2 |
| Partner enterprise federation | SAML or OIDC |
OAuth2 vs OIDC vs SAML Comparison
| Feature | OAuth2 | OIDC | SAML |
|---|---|---|---|
| Full Form | Open Authorization 2.0 | OpenID Connect | Security Assertion Markup Language |
| Main Purpose | Authorization | Authentication | Enterprise SSO |
| Common Format | Token | JWT / JSON | XML |
| Common Output | Access Token | ID Token | SAML Assertion |
| Best For | APIs | Modern login | Enterprise web SSO |
| Modern Cloud Usage | High | High | Medium |
How to Setup OAuth2, OIDC and SAML - Practical Example
Below is a high-level enterprise setup example using Microsoft Entra ID as the Identity Provider. The same concept applies to Okta, Keycloak, PingFederate, and other identity platforms.
Important:
Exact screens may differ based on the identity provider, but the core setup flow remains almost the same: register application, configure redirect URI, assign users, generate client details, and configure the application.
Exact screens may differ based on the identity provider, but the core setup flow remains almost the same: register application, configure redirect URI, assign users, generate client details, and configure the application.
Example 1: Setup OIDC Login for a Web Application
Use OIDC when your application needs user login and Single Sign-On.
User │ ▼ Web Application │ ▼ Microsoft Entra ID │ ▼ ID Token + Access Token │ ▼ Application Login Successful
High-Level Setup Steps
- Login to Microsoft Entra Admin Center.
- Go to App registrations.
- Create a new application registration.
- Configure the application redirect URI.
- Create a client secret if the application is confidential.
- Configure required API permissions.
- Assign users or groups if required.
- Configure the application with Client ID, Tenant ID, Client Secret, and Redirect URI.
Example OIDC Configuration
Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client ID : yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
Redirect URI : https://app.company.com/signin-oidc
Authority URL : https://login.microsoftonline.com/{tenant-id}
Scope : openid profile email
Common OIDC Use Cases
- Enterprise web application login
- Single Sign-On for internal portals
- Cloud-native application authentication
- Modern replacement for application-managed passwords
Example 2: Setup OAuth2 for API Access
Use OAuth2 when an application needs to access a protected API using an access token.
Client Application
│
▼
Microsoft Entra ID
│
▼
OAuth2 Access Token
│
▼
API Gateway / Backend API
High-Level Setup Steps
- Register the backend API in Microsoft Entra ID.
- Expose an API scope such as api.read or api.write.
- Register the client application.
- Grant the client application permission to call the API.
- Use OAuth2 flow to request an access token.
- Send the access token to the API using the Authorization header.
- Validate token issuer, audience, expiry, and signature at API Gateway or backend API.
Example API Request
GET /api/customer HTTP/1.1 Host: api.company.com Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Example Token Validation Points
- Issuer should match Microsoft Entra ID tenant.
- Audience should match the API Application ID URI.
- Token should not be expired.
- Signature should be valid.
- Required scope or role should be present.
Example 3: Setup SAML SSO for an Enterprise Application
Use SAML when integrating legacy enterprise applications that support SAML-based Single Sign-On.
User │ ▼ Enterprise Application │ ▼ Microsoft Entra ID / ADFS │ ▼ SAML Assertion │ ▼ Application Login Successful
High-Level Setup Steps
- Create or select an Enterprise Application in Microsoft Entra ID.
- Select Single sign-on and choose SAML.
- Configure Identifier / Entity ID.
- Configure Reply URL / ACS URL.
- Configure Sign-on URL if required.
- Download Federation Metadata XML or certificate.
- Upload metadata or certificate to the Service Provider application.
- Map claims such as username, email, name, and groups.
- Assign users or groups to the application.
- Test SSO login.
Example SAML Configuration
Identifier / Entity ID : https://app.company.com/saml/metadata Reply URL / ACS URL : https://app.company.com/saml/acs Sign-on URL : https://app.company.com NameID Format : emailAddress
Common SAML Use Cases
- Legacy enterprise web applications
- HR portals
- Vendor applications
- Enterprise SaaS applications
- Applications integrated with ADFS or Entra ID
Quick Setup Comparison
| Requirement | Recommended Setup | Example |
|---|---|---|
| User login for modern web app | OIDC | App receives ID Token |
| API access | OAuth2 | API receives Access Token |
| Legacy enterprise SSO | SAML | Application receives SAML Assertion |
| Mobile app login | OIDC with PKCE | Mobile app receives tokens securely |
| System-to-system API | OAuth2 Client Credentials | Service principal gets access token |
Middleware Engineer Tip:
For troubleshooting, always check Redirect URI, Reply URL, Entity ID, Audience, Issuer, Certificate, Token Expiry, and Claim Mapping first. Most OAuth2, OIDC, and SAML issues are caused by mismatch in these values.
For troubleshooting, always check Redirect URI, Reply URL, Entity ID, Audience, Issuer, Certificate, Token Expiry, and Claim Mapping first. Most OAuth2, OIDC, and SAML issues are caused by mismatch in these values.
Common Issues
| Issue | Possible Cause |
|---|---|
| Invalid redirect URI | Application redirect URL mismatch in identity provider |
| Invalid audience | Token issued for different API or application |
| Invalid issuer | Wrong identity provider or tenant configured |
| SAML assertion validation failed | Certificate, timestamp, or metadata mismatch |
| OIDC login loop | Cookie, redirect URI, or session issue |
| Access denied after login | Authentication successful but authorization missing |
Best Practices
- Use OIDC for modern application login.
- Use OAuth2 for API access and delegated authorization.
- Use SAML for legacy enterprise SSO where required.
- Always validate issuer, audience, expiry, and signature.
- Use HTTPS for all authentication and token flows.
- Use Authorization Code Flow with PKCE for modern applications.
- Do not store secrets in frontend applications.
- Rotate certificates and signing keys regularly.
- Enable MFA and Conditional Access in enterprise environments.
- Keep redirect URIs strict and controlled.
Key Takeaways
- OAuth2 stands for Open Authorization 2.0.
- OAuth2 is mainly used for authorization and API access.
- OIDC stands for OpenID Connect.
- OIDC is used for authentication and user login.
- SAML stands for Security Assertion Markup Language.
- SAML is commonly used for enterprise SSO.
- Azure Entra ID supports OAuth2, OIDC, and SAML.
- OAuth2 issues access tokens, OIDC issues ID tokens, and SAML uses assertions.
What’s Next?
Next Article:
Part 8 – SSO, MFA & Azure Entra ID Authentication
Part 8 – SSO, MFA & Azure Entra ID Authentication
In the next article, we will understand Single Sign-On, Multi-Factor Authentication, and how Azure Entra ID helps secure enterprise applications.
Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog:
MiddlewareBox.com
