For more than 15 years, the SWITCHaai federation was entirely based on the SAML protocol. SWITCH is happy to announce that as of March 1st 2021 the edu-ID identity provider (IdP) officially also supports OpenID Connect.
OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol which allows clients to authenticate an end-user and to obtain attribute information (claims) about that end-user. OIDC implementations on the client side are typically much more lightweight than SAML implementations. This opens up new use cases: in addition to server-based applications, OIDC is also well suited for
- browser-based web applications
- mobile apps
- native applications
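What "authenticate an end-user and obtain attribute information" means on the client side is that the application receives a signed ID token from the IdP and must verify it before trusting any claim in it. The following is an added example, not code from SWITCH or the edu-ID IdP: it constructs an ID token the way an IdP would and then performs the relying-party checks (signature, issuer, audience, expiry, nonce). The issuer URL, client id, shared secret and claim values are constructed placeholders, and HS256 with a shared secret is used only so the example runs offline; a production IdP publishes public keys and the client verifies an asymmetric signature against them.

```python
"""Minimal OpenID Connect ID-token validation on the relying-party side.
Added example; ISSUER, CLIENT_ID and SHARED_SECRET are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example.org"        # placeholder, not the edu-ID issuer URL
CLIENT_ID = "client-abc"                  # placeholder client registration
SHARED_SECRET = b"constructed-demo-secret"  # placeholder; real deployments use asymmetric keys


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP: sign the claims as an HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None,
                      secret: bytes = SHARED_SECRET) -> dict:
    """Relying-party checks (OpenID Connect Core, ID token validation):
    signature, iss, aud, exp and nonce. Raises ValueError on any failure and
    returns the verified claims otherwise; nothing is read from the token
    before the signature has been checked."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the expected algorithm: never accept 'none' or whatever the token announces.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The nonce ties the token to the authorization request this client sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    constructed = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                   "exp": 2000000000, "nonce": "n1", "given_name": "Example"}
    token = make_id_token(constructed)
    print(validate_id_token(token, expected_nonce="n1", now=1000)["sub"])
```

The order of the checks is the point: the claims are parsed only after the signature has been verified with a pinned algorithm, and the nonce check binds the token to the request the client actually made.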
The OpenID Connect protocol is provided by the same Shibboleth IdP instance that also supports SAML. This means that many functionalities known from edu-ID with SAML are also available under OpenID Connect. Features that are available with both OIDC and SAML:
- Both protocols use the same underlying user accounts and attribute information.
- A user encounters the same login flow and login user interface.
- A user goes through the same user consent step.
- Both protocols support 2-step authentication.
However, there are also some differences: OIDC applications need to be configured as edu-ID-only services. Classic model configurations with prior organization selection in the WAYF are not supported. Furthermore, not all attributes from the private part of the edu-ID identity are available yet, and some attribute names (claims) differ from their SAML counterparts. Finally, client registration requires other OIDC-specific information and is performed manually for the time being.
It is planned to continuously extend the service according to the requirements of the community and the feedback we receive through the support channel eduid-support@switch.ch.
For more details check the OIDC information page on the edu-ID website.