Why Saml is the default option for registering Salesforce as an Enterprise Application is AAD

asked 2020-08-24T12:22:42.863+00:00
Walid Mougharbel 21 Reputation points

I am trying to integrate Salesforce with AAD, so I see two available options, either Saml or OpenId Connect.. I do not know which one is better, but I prefer OpenId Connect since it seems to be more modern. So I tried to register Salesforce App in AAD and Saml was the default options, so why is Saml the default option ?! is it better or what? Please note that I am building an API and I need to allow authentication and authorization with Single Sign On.

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,587 questions
No comments
{count} votes

Accepted answer
  1. answered 2020-08-25T21:26:00.143+00:00
    JamesTran-MSFT 26,521 Reputation points Microsoft Employee

    @Walid Mougharbel
    Thank you for your post! In order to better understand why SAML is the default method, we have to first understand the difference between OAuth, OpenID Connect, and SAML. I found a Stack Overflow post that explains it perfectly and will post the answer below.

    OAuth2.0:
    OAuth2 builds the trust relation on a direct HTTPs call from the application to the identity. The request contains the access token (obtained by the application during the protocol flow) and the response contains the information about the user.

    OpenID Connect:
    OpenID Connect further expands this to make it possible to obtain the identity without this extra step involving the call from the application to the identity provider.

    SAML:
    SAML builds the trust relation on a digital signature, SAML tokens issued by the identity provider are signed XMLs, the application validates the signature itself and the certificate it presents. The user information is included in a SAML token, among other information. SAML is also based on an explicit trust between your site and the identity provider so it's rather uncommon to accept credentials from an unknown site.

    Looking at the SalesForce SSO documentation, it's utilizing SAML for multiple reasons, you can:
    -Control in AzureAD who has access to SalesForce
    -Enable your users to be automatically signed-in to Salesforce with their Azure AD accounts.
    -Manage your accounts in one central location - the Azure portal.

    SAML Authentication Protocol:
    20210-saml.jpg

    Please let me know if you have any other questions.
    Thank you for your time and patience!

    No comments

0 additional answers

Sort by: Most helpful