Protocols

OIDC 1.0 vs SAML 2.0

OpenID Connect (OIDC) and SAML are quite different in how they operate. Both are supported. Each has advantages. If only one is supported by your IdP, then use that one.

With SAML, there is no direct connection between the SingleStore Helios identity system and the IdP. All communication takes place using browser redirects. If the IdP is behind a firewall and inaccessible to SingleStore Helios’s identity platform, then SAML is the only choice.

SAML configuration is done by exchanging XML configuration blobs and configuring, on both sides, the attributes used for first name, last name, and email address. With SAML, there is fine-grain control over what information is sent from the IdP to the Service Provider (SP). This allows sending group membership and any other arbitrary data that is desired. At the current time, SingleStore Helios does not use anything besides first name, last name, and email address.

ODIC is generally easier to set up, but the instructions for any given IdP platform (Okta, Ping, etc.) are not obvious as the set of scopes is not well standardized. SingleStore Helios’s identity system supports IdP-initiated authentication with ODIC. SingleStore Helios Portal authentication sessions will last only as long as the access token granted by the customer IdP lasts or can be refreshed. This allows the IdP to force all sessions to close by invalidating the refresh token which may happen, for example, because an administrator removed the corresponding user. With the refresh token invalidated, the access token will expire and the session will close. SingleStore Helios does not limit the session length – that is up to the customer IdP’s policies.

Currently, IdP-initiated login and logout with SAML are not supported.