Which connection type? SCIM, SAML, OAuth or OpenID

Steph O'Brien 5 Reputation points
2023-02-23T14:18:46.2466667+00:00

Hi there

Total noob to Azure AD, so apologies in advance for such a fundamental question.

I have a web application I want to add Azure AD support to, but I am not sure which method I should use. Other software within the industry seems to use SAML to connect, but reading the docs it says for a new application I should look at OAuth or OpenID.

I spoke to one of my clients using the software and they recommended SCIM.

Are there use cases/limitations on each?

Thanks in advance!


3 answers

  1. Danny Zollner 10,486 Reputation points Microsoft Employee
    2023-02-23T20:04:36.02+00:00

    SAML and OIDC are for authentication (i.e., is this user who they say they are?). OAuth is an authorization standard, i.e., "What resources does this user/other entity have access to?". SCIM is a standard for provisioning of identity data (users, groups/members, etc.) across systems.

    Between SAML and OIDC, OIDC is more modern, SAML is more widely adopted thanks to being around longer. You can potentially implement either or both of those to cover the initial user authentication/sign-in experience between an identity provider (IDP) and your app. If you adopt OIDC, you'll also want to implement OAuth 2.0.

    Whether SCIM is needed to enrich the quality of user/identity data present in your app is a separate question.

    2 people found this answer helpful.
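    As an added illustration of the split this answer draws (authentication via an OIDC ID token versus authorization via an OAuth 2.0 access token), here is example code that is not from the answer, the thread, or Microsoft; the signing key, issuer, client id, resource id, scopes and token contents are constructed stand-ins.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key so this runs offline. Azure AD really signs with RS256
# using keys published at the tenant's jwks_uri; the claim checks are the same.
DEMO_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT from a claims dict (stand-in for the IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the signature before trusting any claim in the token."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def validate_id_token(token, issuer, client_id, nonce, now=None) -> str:
    """OIDC authentication: is this user who they say they are? Returns sub only
    if the ID token is from our IdP, for our app, for this login, and unexpired."""
    c = verify_signature(token)
    now = time.time() if now is None else now
    if c.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if c.get("aud") != client_id:
        raise ValueError("ID token was not issued to this application")
    if c.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replayed token")
    if c.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return c["sub"]

def authorize_access_token(token, resource_id, required, now=None) -> bool:
    """OAuth 2.0 authorization: may the caller use this resource? Azure AD puts
    delegated scopes in 'scp' (space separated) and app permissions in 'roles'."""
    c = verify_signature(token)
    now = time.time() if now is None else now
    if c.get("aud") != resource_id or c.get("exp", 0) <= now:
        raise ValueError("access token is not valid for this resource now")
    granted = set(c.get("scp", "").split()) | set(c.get("roles", []))
    return required in granted
```

    The ID token answers "who is this?" for the app that requested sign-in, while the access token answers "what may the caller do?" for the API it is presented to, which is why an app that adopts OIDC also ends up implementing the OAuth 2.0 checks.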

  2. David Broggy 5,986 Reputation points MVP
    2023-02-23T15:07:46.8033333+00:00

    Hi Steph,

    Is this a corporate app or a public facing app?

    If it's corporate then likely SAML is the way to go.

    The advantage of SAML may be that if your users are already authenticating with Azure AD, they should not have to authenticate again with your app.

    If this is a public facing app and your users don't use Azure AD to authenticate then SAML may provide less advantages.

    Also consider future requirements as some things may only support OAuth2 over SAML.

    https://auth0.com/intro-to-iam/saml-vs-oauth

    1 person found this answer helpful.

  3. Sandeep G-MSFT 20,166 Reputation points Microsoft Employee
    2023-02-27T03:56:42.8433333+00:00

    @Steph O'Brien

    You can use any protocol to integrate your application with Azure AD.

    First you need to check and confirm which authentication protocols your web application supports.

    OpenID, SAML and OAuth are the authentication protocols that Azure AD supports.

    OpenID and SAML are both authentication and authorization protocols. OAuth is an authorization protocol.

    Integrating your application with Azure AD with OpenID or SAML would handle both authentication and authorization.

    You can refer to the article below to get more information about authentication protocols supported by Azure AD:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-vs-authorization

    How OpenID Connect authentication works:

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-oidc

    SCIM is a provisioning service. Azure AD makes use of SCIM to provision users and groups from Azure AD to integrated applications.

    You cannot use SCIM for authentication.

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim

    https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad

    https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
