Why is SAML the default option for registering Salesforce as an Enterprise Application in AAD?

Walid Mougharbel 21 Reputation points
2020-08-24T12:22:42.863+00:00

I am trying to integrate Salesforce with AAD, and I see two available options, either SAML or OpenID Connect. I do not know which one is better, but I prefer OpenID Connect since it seems to be more modern. So I tried to register the Salesforce App in AAD and SAML was the default option, so why is SAML the default option? Is it better, or what? Please note that I am building an API and I need to allow authentication and authorization with Single Sign-On.

Microsoft Entra ID

Accepted answer
JamesTran-MSFT 36,366 Reputation points Microsoft Employee
    2020-08-25T21:26:00.143+00:00

    @Walid Mougharbel
    Thank you for your post! In order to better understand why SAML is the default method, we have to first understand the difference between OAuth, OpenID Connect, and SAML. I found a Stack Overflow post that explains it perfectly and will post the answer below.

    OAuth2.0:
    OAuth2 builds the trust relation on a direct HTTPS call from the application to the identity provider. The request contains the access token (obtained by the application during the protocol flow) and the response contains the information about the user.

    OpenID Connect:
    OpenID Connect further expands this to make it possible to obtain the identity without this extra step involving the call from the application to the identity provider.

    SAML:
    SAML builds the trust relation on a digital signature. SAML tokens issued by the identity provider are signed XMLs; the application validates the signature itself and the certificate it presents. The user information is included in a SAML token, among other information. SAML is also based on an explicit trust between your site and the identity provider, so it's rather uncommon to accept credentials from an unknown site.

    Looking at the SalesForce SSO documentation, it's utilizing SAML for multiple reasons; you can:
    - Control in AzureAD who has access to SalesForce
    - Enable your users to be automatically signed in to Salesforce with their Azure AD accounts.
    - Manage your accounts in one central location - the Azure portal.

    SAML Authentication Protocol: [diagram of the SAML authentication flow; image not reproduced]

    Please let me know if you have any other questions.
    Thank you for your time and patience!


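The accepted answer draws the line between "trust established by a call back to the identity provider" (OAuth2 access token plus userinfo request) and "trust established by a signature the application checks itself" (OpenID Connect id_token, and likewise a signed SAML assertion). The following added example, which is not from this thread and not Microsoft's, Salesforce's or Azure AD's code, models both paths in one script. It assumes a constructed issuer URL, client id and in-memory token table standing in for the IdP, and it signs the id_token with HS256 (a shared secret) purely so that it runs offline with the standard library; Azure AD actually signs id_tokens with RS256 and publishes the public keys via its JWKS endpoint, and SAML performs the equivalent check with XML-DSig over the assertion and the IdP certificate.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not real endpoints, secrets or client ids).
IDP_SECRET = b"constructed-demo-secret-not-for-production"  # stand-in for the IdP signing key
ISSUER = "https://idp.example.test"                          # expected "iss" claim
CLIENT_ID = "api-client-example"                              # expected "aud" claim
TOKEN_LIFETIME = 3600                                         # seconds


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- Identity provider side (constructed stand-in for Azure AD) ----
_ACCESS_TOKENS: dict = {}  # opaque access token -> record the IdP keeps


def idp_issue_tokens(subject: str, now: int):
    """Issue an opaque OAuth2 access token and a signed OIDC id_token for `subject`."""
    access_token = hashlib.sha256(f"{subject}:{now}".encode()).hexdigest()
    _ACCESS_TOKENS[access_token] = {"sub": subject, "exp": now + TOKEN_LIFETIME}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": subject, "iat": now, "exp": now + TOKEN_LIFETIME}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return access_token, f"{header}.{payload}.{b64url_encode(sig)}"


def idp_userinfo(access_token: str, now: int):
    """OAuth2 path: the application must call the IdP (over HTTPS in reality) to learn who the user is."""
    record = _ACCESS_TOKENS.get(access_token)
    if record is None or record["exp"] <= now:
        return None
    return {"sub": record["sub"]}


# ---- Application (relying party) side ----
def verify_id_token(id_token: str, now: int):
    """OIDC path: validate the signature and claims locally; no round trip to the IdP is needed."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject alg=none and any algorithm we did not pin
        return None
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # signature does not match: token was forged or modified
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None  # issued by someone else, or for another application
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


def rewrite_subject(id_token: str, new_subject: str) -> str:
    """Produce a token whose payload names a different user but keeps the original signature (for testing)."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_subject
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    now = 1_700_000_000
    access_token, id_token = idp_issue_tokens("alice", now)
    print("OAuth2 userinfo:", idp_userinfo(access_token, now))
    print("OIDC local check:", verify_id_token(id_token, now)["sub"])
    print("Modified token accepted?", verify_id_token(rewrite_subject(id_token, "mallory"), now) is not None)
```

The two checks answer the same question ("who is this?") with different trust anchors: `idp_userinfo` only works while the application can reach the IdP and the IdP still remembers the token, whereas `verify_id_token` needs nothing but the signing key material and the pinned `iss`/`aud` values, which is the property the answer attributes to both OIDC and SAML.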