SURFconext also supports OpenID Connect (OIDC) for Service Providers (called Relying Parties in OIDC terminology; for the sake of consistency, the term Service Provider is used from here on). OIDC has several advantages in comparison with SAML:
- For OIDC, more standard implementations are available that can easily be integrated into an (existing) application; connecting to SURFconext therefore becomes easier
- OIDC is a RESTful API-like service; it is less complex than SAML
- For Service Providers who also use mobile apps, OIDC can be used as the only technology (whereas with SAML, supporting an additional standard, OAuth, is necessary)
There are also some points to be aware of:
- No support yet for interfederation via eduGAIN
If you intend to enable your Service Provider for that use case, SAML is for you.
A schematic overview of the OpenID Connect authentication flow can be found on this page: OpenID Connect authentication flow.
More information on the features of the OIDC gateway can be found here.
Ready to connect to SURFconext? Please continue at Preparation with OpenID Connect.
We strongly advise you not to build your own OpenID Connect implementation, but to use one of the products already available.
The official OpenID website provides a nice overview of certified and uncertified implementations.