4
votes

Here's our situation:

  • we own a main portal, developed in ASP.Net 4.0
  • There are a few other web portals within our organization, which would like to use our portal for authentication & SSO. These portals could be in any platform: PHP, classic ASP, JSP, etc
  • And there are a few more external portals for which also we would like SSO. These external portals are well-known in advance and they are in a closed environment: meaning they would not prefer login attempts using random public OpenID authentications.

I've been going through various articles, both on StackOverflow and in general, e.g. What is the difference between OpenID and SAML?, but I could not conclude which of the following is the best option for the above scenario:

All tips will be highly appreciated :)

1 Answer

4
votes

Let me highlight one important difference between OpenID and SAML. In OpenID, the Service Provider is not coupled to an Identity Provider. The Service Provider does not know about the Identity Provider until it does discovery on the user-provided OpenID Identifier. But in SAML, the Service Provider is coupled to the Identity Provider(s). There is a predefined trust between them.

Therefore, when looking into your case, the best solution is to use SAML. SAML will allow users in your organization to log in to the portals within the organization. And the external portals can trust your organization's Identity Provider and let your organization's users log in to those external portals as well. Or, if those external portals already have their own Identity Providers, then you can build a trust between the external Identity Providers and your organization's Identity Provider using SAML (such as passive STS) and let your organization's users log in to those external portals.
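Added example, not from the question or the answer: a small Python model of the "predefined trust" the answer describes on the SAML side. The Service Provider keeps a fixed registry of Identity Providers (entity ID plus signing-certificate fingerprint) and rejects any assertion whose issuer is not registered, which is exactly the closed-environment behaviour the question asks for. The SP entity ID, IdP entity ID, certificate bytes and SAML Response are constructed for illustration; a real SP must additionally verify the XML-DSig signature with a SAML library, which this check does not do.

```python
import base64, hashlib, xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://portal.example.org/sp"          # assumed SP entity ID
CERT_DER = b"constructed-cert-bytes-not-a-real-x509"     # placeholder, not a real cert
CERT_B64 = base64.b64encode(CERT_DER).decode()
# Predefined trust: the SP only accepts assertions from IdPs registered here.
TRUSTED_IDPS = {"https://idp.example.org/saml": hashlib.sha256(CERT_DER).hexdigest()}

def sample_response(issuer, cert_b64=CERT_B64, audience=SP_ENTITY_ID):
    """Constructed SAML Response; the Signature element is a stand-in, not valid XML-DSig."""
    return ("<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>"
            "<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'"
            " xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>"
            "<saml:Issuer>%s</saml:Issuer>"
            "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
            "<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>"
            "<saml:Conditions NotBefore='2020-01-01T00:00:00Z' NotOnOrAfter='2030-01-01T00:00:00Z'>"
            "<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>"
            "</saml:AudienceRestriction></saml:Conditions>"
            "</saml:Assertion></samlp:Response>") % (issuer, cert_b64, audience)

def check_response(xml_text, now=None):
    """Trust-anchoring checks only: issuer registered, cert matches, audience, time window."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return False, "no assertion"
    issuer = a.findtext("saml:Issuer", "", NS).strip()
    if issuer not in TRUSTED_IDPS:               # the coupling SAML requires
        return False, "untrusted issuer"
    cert_b64 = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    if hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest() != TRUSTED_IDPS[issuer]:
        return False, "certificate does not match registered IdP"
    cond = a.find("saml:Conditions", NS)
    if SP_ENTITY_ID not in [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "assertion not addressed to this SP"
    iso = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    if not (iso(cond.get("NotBefore")) <= now < iso(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    return True, a.findtext("saml:Subject/saml:NameID", "", NS).strip()

if __name__ == "__main__":
    print(check_response(sample_response("https://idp.example.org/saml")))
    print(check_response(sample_response("https://random-openid-provider.example")))
```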