Selecting an interaction protocol#

When integrating an application with Blitz Identity Provider, one of the following interaction protocols must be selected for identifying and authenticating the user:

  • OpenID Connect 1.0 (OIDC) / OAuth 2.0 is a modern SSO protocol, originally designed for web and mobile applications on the Internet.

    Tip

    If a new application is being created, it is recommended to connect it to Blitz Identity Provider using OIDC/OAuth 2.0.

  • SAML 1.0/1.1/2.0 is an SSO protocol that allows you to connect various enterprise software or cloud applications to the login service.

    Attention

    The application being connected must have built-in SAML support, or SAML support must be obtainable as an add-on option or by installing an integration connector/plugin.

The choice of protocol depends mainly on the application you want to connect:

  • if the application already supports one of the SSO protocols, connect it using that protocol;

  • if the application supports neither protocol, it has to be modified; in that case, adding OIDC support is recommended;

  • if the application is still being designed, build in support for one of the SSO protocols at this stage. OIDC support is easier to implement, but SAML is also a workable choice when the available SAML libraries are used.

The table below summarizes some differences between the OIDC and SAML protocols. Each row gives the feature, then the OIDC/OAuth 2.0 behaviour, then the SAML 1.0/1.1/2.0 behaviour.

Features of connection protocols

How trust between the application and Blitz Identity Provider is established

  • OIDC/OAuth 2.0: an application secret (usually a string) shared between the application and Blitz Identity Provider

  • SAML 1.0/1.1/2.0: electronic signatures; both authentication requests and responses are signed XML documents

Interaction method

  • OIDC/OAuth 2.0: authentication takes place through the user's web browser; to complete it, the application backend must make a direct HTTP request to Blitz Identity Provider (to exchange the authorization code for tokens)

  • SAML 1.0/1.1/2.0: usually the authentication request and response pass through the user's web browser; the application and Blitz Identity Provider do not need direct network connectivity with each other

Getting user information

  • OIDC/OAuth 2.0, two ways: either the application calls the Blitz Identity Provider REST service with the access token it received and gets user data in JSON format, and it can keep receiving user data after the user's online session has ended; or the application reads user data from the identification token (id_token, a JWT) returned by Blitz Identity Provider as the result of login

  • SAML 1.0/1.1/2.0: user data is contained in the XML response to the authentication request; the application receives data from Blitz Identity Provider only at the moment of user login

Supported applications

  • OIDC/OAuth 2.0: web and mobile applications

  • SAML 1.0/1.1/2.0: web applications

Note

    OIDC covers all the basic SAML scenarios while using a simpler JSON/REST-based protocol. A significant advantage of OIDC is its support for mobile applications.

Important

If the application to be connected to Blitz Identity Provider cannot be modified, but it is a web application deployed in your own infrastructure (on-premises), you can connect it to Blitz Identity Provider through a web proxy using the Simple protocol implemented specifically in Blitz Identity Provider for this purpose.