Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) are the most widely used federation protocols for web-based single sign-on, and Kantega SSO Enterprise supports both. Both protocols are secure and works work across remote networks, and they . They allow you to login log in to your Atlassian Application through an identity provider service, such as AD FS, AzureAD, Google, Okta, AWS, Keycloak, and many more.

First, -What’s the Difference Between OAuth, OpenID Connect, and SAML?

The first thing to understand is that OAuth 2.0 is an authorization framework, not an authentication protocol.


The table below summarizes the differences between SAML and OIDC:


OpenID Connect

Message format






Website authentication

Mobile applications

User consent

SAML rely relies on browser redirects, which does not work well in native mobile apps. However, note that many mobile apps, including the Jira Server Mobile and Confluence Server Mobile apps, are built using embedded web views. Here, SAML will work perfectly fine.

Because OIDC is a layer placed upon the OAuth framework, OpenID Connect can provide a built-in layer of authorization, which prompts a user to first consent to what the service provider can access. The login screenshots below show how such user consent is requested. First, the user has to authenticate, and if it is their first login, a consent screen is showndisplayed, requesting consent permission to retrieve personal user data.


Both SAML and OIDC providers can be configured to make use of Multi-factor Authentication (MFA). More info about how to setup set up an identity provider in Kantega SSO Enterprise and enforce MFA.


Kantega SSO Enterprise allows you to setup set up multiple identity providers concurrently , and use SAML and OIDC in combination with other authentication mechanism mechanisms such as Kerberos and traditional username/password logins. More info about how to configure multiple authentication mechanisms and automatically route users based on user directory, group, and domain associations.