What is the difference between OpenID and SAML?

执念已碎 2020-12-12 08:52


4 answers
  •  轮回少年
    2020-12-12 09:20

    Putting the technical details aside, and being quite late to the party, what I understand is that the biggest difference between SAML and other auth standards (inc. OpenID) is that

    SAML requires the Identity Provider (IDP) and the Service Provider (SP) to know each other beforehand: pre-configured, static authentication and authorization. OpenID (+Connect) doesn't have such a requirement.

    This is important for IDPs that want full control over who's accessing the data. Part of the standard is to configure what is provided to specific SPs.

    For example, a bank might not want its users to access any services except some predefined ones (because of regulations or other strict security rules).

    This doesn't mean that an OpenID IDP cannot enforce such a restriction. An OpenID implementer can control access, but that's not the purpose of OpenID.

    Other than the predefined, strict, static, access control difference, conceptually (not technically), OpenID Connect and SAML are similar.

    Bottom line, if you're an SP, you should support what your customers require:

    1. If your customers are individual end users (using their Google ID, for example), forget about SAML. Use OpenID Connect.
    2. If your customer is a bank that wants its employees to use your service and will export only a static list of the data it provides to your service, the bank will probably want you to support SAML. The bank might have an OpenID implementation with client restriction, which will be your lucky day :)
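
As an added example (not code from the original answer), here is an SP-side check in Python that mirrors the pre-configured, static trust model described above: the SP accepts an assertion only if it comes from an IdP entity ID it was configured with in advance, is addressed to the SP's own entity ID, and is inside its validity window. The entity IDs, the sample response and the SP configuration are constructed for illustration; XML-DSig signature verification is assumed to be done by a library before this check and is not shown.

```python
# Added example, not from the original post. Entity IDs and the SAML response are
# constructed; XML-DSig signature verification is assumed to run before this check.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Static SP configuration: the only IdP entity IDs this SP will ever accept.
SP_CONFIG = {
    "entity_id": "https://sp.example.test/saml/metadata",
    "trusted_idps": {"https://idp.example-bank.test/saml"},
}

# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2020-12-12T08:52:00Z">
  <saml:Issuer>https://idp.example-bank.test/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-12-12T08:52:00Z">
    <saml:Issuer>https://idp.example-bank.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example-bank.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-12-12T08:51:00Z" NotOnOrAfter="2020-12-12T08:57:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, config, now_iso):
    """Return (accepted, reason); anything the SP was not pre-configured for is rejected."""
    now = parse_ts(now_iso)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in config["trusted_idps"]:
        return False, f"issuer {issuer!r} is not a pre-configured IdP"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["entity_id"] not in audiences:
        return False, "assertion is not addressed to this SP"
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion is outside its validity window"
    return True, issuer
```

An assertion from an IdP that was never registered with the SP is refused outright, which is the static, pre-configured relationship the answer contrasts with OpenID Connect.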
