Why is SAML still used for enterprise SSO instead of OIDC?
I'm trying to wrap my head around the difference between SAML/OIDC/and OAuth.
Is the only reason SAML is the most popular choice for enterprise SSO that it's been around much longer? Is it expected to eventually be replaced by OIDC and OAuth for SSO, or is there something inherent to SAML that makes it better suited to SSO than OIDC and OAuth? SAML uses SOAP, which has been pretty much 100% usurped by REST (which OIDC uses), so I would expect SAML to also be replaced by OIDC.
It seems like SAML includes support for authentication and authorization if the SP is written to read SAML attributes and uses them to determine what access the user has.
Open ID Connect only supports authentication and must be used with OAuth to include authorization, right? Does that make SAML easier to configure?
This isn't an open ended question about which is better. I'm asking if SAML is inherently better-suited for enterprise SSO or is only still popular for historical reasons. I've been reading articles like this one that say stuff like "Ideally, organizations are going to use both SAML as well as OIDC depending on the use case." I don't understand why, because the overlap for SSO use cases appears to be 100% to me. It feels like we are stuck with SAML because it's more widely supported for enterprise systems—at least for now. Is that an accurate assessment?
In trying to find more info about the situation, this article is especially helpful, but this part still confuses me:
"SAML is still our preferred approach and I think the best approach, when a user is trying to get to a resource in a browser," says David Meyer, vice president of product for OneLogin. "It is super-efficient and super secure. People say SAML is dead, but we see it exponentially increasing in adoption every year. Literally, exponentially."
I'm having trouble understanding what makes it better or more efficient and secure than OIDC with OAuth.
The article also reminded me of Open ID 1.0 years ago and how it died. That death and resurrection as Open ID Connect was important historical context missing from the other articles I was reading.
Can the SSO use case can be fully serviced by OIDC, at least as well as it is by SAML? I'm pretty sure at this point it can be, but I'm reading some confusing stuff about it.
