惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
The Hacker News
The Hacker News
AWS News Blog
AWS News Blog
Spread Privacy
Spread Privacy
T
Tenable Blog
C
CERT Recently Published Vulnerability Notes
Cisco Talos Blog
Cisco Talos Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Securelist
P
Privacy & Cybersecurity Law Blog
Know Your Adversary
Know Your Adversary
T
The Exploit Database - CXSecurity.com
Latest news
Latest news
D
Darknet – Hacking Tools, Hacker News & Cyber Security
I
Intezer
F
Fortinet All Blogs
Engineering at Meta
Engineering at Meta
Simon Willison's Weblog
Simon Willison's Weblog
The Register - Security
The Register - Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
L
Lohrmann on Cybersecurity
C
Cyber Attacks, Cyber Crime and Cyber Security
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
H
Help Net Security
T
Threat Research - Cisco Blogs
D
DataBreaches.Net
S
Schneier on Security
Cyberwarzone
Cyberwarzone
Google DeepMind News
Google DeepMind News
P
Privacy International News Feed
S
Secure Thoughts
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recorded Future
Recorded Future
C
Cybersecurity and Infrastructure Security Agency CISA
MyScale Blog
MyScale Blog
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
IT之家
IT之家
人人都是产品经理
人人都是产品经理
NISL@THU
NISL@THU
博客园 - Franky
T
Tor Project blog
G
GRAHAM CLULEY
博客园 - 【当耐特】
Jina AI
Jina AI
Security Archives - TechRepublic
Security Archives - TechRepublic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
A
About on SuperTechFans
Hacker News - Newest:
Hacker News - Newest: "LLM"

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
SSO, SAML, OIDC, and SCIM: What Actually Happens When You Click "Sign in with Google"
M TOQEER ZIA · 2026-05-21 · via DEV Community

 You click "Sign in with Google" on GitHub. Seconds later, you are in. No new account. No new password.

That felt simple. The system behind it is not.

This article breaks down the four protocols that power modern identity management: SSO, SAML, OIDC, and SCIM. You will understand what each one does, where they differ, and how they work together in real companies like Netflix and Airbnb.


The Problem These Protocols Solve

Before SSO, every app had its own login database. A new employee joining a company needed separate accounts in Gmail, Slack, Jira, Salesforce, and every other tool. IT teams created each account by hand. When someone left, accounts often lingered for weeks, open to misuse.

Three problems emerged:

  • Users carried dozens of passwords, and reused them
  • IT spent hours on account creation and resets
  • Every separate login system was a separate attack surface

SSO solves this by centralizing authentication. You log in once to a trusted Identity Provider (IDP) and every other app trusts that login. One credential. One place to enforce MFA. One place to revoke access.

But SSO is not a single technology. It is a goal. SAML, OIDC, and SCIM are the tools that achieve it.


The Three Main Players in Any SSO Flow

Before going into protocols, know these three roles:

User: The person trying to access a service.

Identity Provider (IDP): The system that verifies the user's identity. Examples: Okta, Azure AD, Google Workspace.

Service Provider (SP): The application the user wants to access. Examples: Salesforce, GitHub, Slack.

The IDP and SP are separate systems. They trust each other through a formal agreement called federation. Federation lets your company's IDP issue a kind of digital passport, and every connected app checks that passport at the door.


SAML: The Enterprise Veteran

SAML stands for Security Assertion Markup Language. It is an open standard that has powered enterprise SSO since 2002.

SAML Flow Diagram

Here is the step-by-step SAML flow:

  1. You try to access Salesforce (the Service Provider)
  2. Salesforce redirects you to your IDP (say, Okta)
  3. Okta asks for your credentials and verifies them, including MFA
  4. Okta generates a SAML Assertion, an XML document containing your identity, roles, and group memberships
  5. Okta sends that assertion back to Salesforce
  6. Salesforce verifies the IDP's digital signature on the assertion and grants access

The assertion is the key artifact. It carries signed proof of who you are and what roles you hold. Salesforce does not store your password. It trusts Okta's signature.

Where SAML excels:

  • Legacy enterprise apps (Salesforce, Workday, ServiceNow)
  • Organizations with strict compliance requirements (healthcare, government)
  • Web browser-based SSO flows

Where SAML struggles:

  • Mobile apps, which do not handle XML-based browser redirects well
  • APIs and microservices that prefer JSON
  • Modern single-page applications

Real example: A hospital network uses SAML to give doctors access to patient record systems, billing tools, and scheduling software with one login. Auditors get a single log of every access event. SAML's verbose XML is worth the overhead when the data is sensitive and regulated.


OIDC: The Modern API-Friendly Option

OpenID Connect, or OIDC, is built on top of OAuth 2.0. OAuth handles authorization (what an app is allowed to do on your behalf). OIDC adds the missing authentication layer (who you actually are).

When you click "Sign in with Google" on GitHub, you are using OIDC.

Here is the flow:

  1. You click "Sign in with Google" on GitHub
  2. GitHub redirects you to Google's authorization server
  3. Google asks for your credentials
  4. Google sends back two tokens: an Access Token and an ID Token
  5. The ID Token is a JWT (JSON Web Token) signed by Google, containing your identity
  6. GitHub reads the JWT, verifies Google's signature, and logs you in

The JWT looks like this (decoded):

{
  "sub": "1234567890",
  "name": "Jane Doe",
  "email": "jane@example.com",
  "iss": "https://accounts.google.com",
  "exp": 1716560000
}

Enter fullscreen mode Exit fullscreen mode

This is lightweight, JSON-based, and works seamlessly in mobile apps, SPAs, and API calls.

SAML vs OIDC at a glance:

Feature SAML OIDC
Format XML JSON (JWT)
Age 2002 2014
Best for Enterprise web apps Mobile, APIs, SPAs
Complexity Higher Lower
Adoption Legacy enterprise Modern cloud apps

Real example: Spotify's mobile app uses OIDC when you log in with Facebook. The app receives a JWT, verifies it, and creates your session without ever touching Facebook's password system.


SCIM: The Account Lifecycle Manager

SAML and OIDC handle authentication. They answer: who is this user?

SCIM (System for Cross-domain Identity Management) answers a different question: does this user's account exist in the first place, and does it have the right attributes?

SCIM is a REST API specification. If your app implements SCIM endpoints, an IDP like Okta or Azure AD can automatically:

  • Create accounts when someone joins
  • Update attributes when someone changes teams
  • Deactivate accounts when someone leaves

Here is what SCIM looks like in practice:

Create a new user (IDP calls your app):

POST /scim/v2/Users
{
  "userName": "jane.doe@company.com",
  "name": { "givenName": "Jane", "familyName": "Doe" },
  "department": "Engineering",
  "active": true
}

Enter fullscreen mode Exit fullscreen mode

Deactivate a user on departure:

PATCH /scim/v2/Users/12345
{
  "Operations": [{ "op": "replace", "path": "active", "value": false }]
}

Enter fullscreen mode Exit fullscreen mode

When Jane joins the company, her IDP account triggers SCIM calls to Slack, Zoom, GitHub, and Jira. Her accounts appear before her first day. When Jane leaves, one deactivation in the IDP removes access everywhere within minutes.

Real example: Netflix built an internal "People Service" that ingests identity data from Workday and Azure AD, then distributes it to hundreds of internal tools via SCIM and internal APIs. Without this, onboarding a new engineer would require tickets to a dozen different teams.


How the Three Protocols Work Together

These are not competing standards. Each solves a different layer of the same problem.

HR System
    |
    | (triggers onboarding event)
    v
Identity Provider (Okta / Azure AD)
    |
    |-- SCIM --> Creates accounts in Slack, GitHub, Zoom, Salesforce
    |
    |-- SAML --> Authenticates users in legacy enterprise apps
    |
    |-- OIDC --> Authenticates users in modern apps and APIs

Enter fullscreen mode Exit fullscreen mode

A concrete scenario:

  1. A new engineer joins. HR updates their record.
  2. Azure AD receives the event and uses SCIM to create accounts in GitHub, Slack, and Jira with the correct team permissions overnight.
  3. The next morning, she logs into Azure AD once.
  4. Azure AD uses OIDC to authenticate her into the internal developer portal.
  5. Azure AD uses SAML to authenticate her into the legacy finance system.
  6. She accesses everything without logging in again.
  7. Six months later, she leaves. Azure AD deactivates her account. SCIM removes her access from every connected app within minutes. SAML and OIDC stop issuing tokens for her identity.

The Pros and Cons

SSO (the goal):

Pros:

  • One set of credentials for all apps
  • Centralized MFA enforcement
  • Single audit log for access events
  • Faster onboarding and offboarding

Cons:

  • If the IDP goes down, users lose access to everything
  • Requires careful configuration between IDP and each service provider
  • Single point of compromise if the IDP is breached without strong MFA

SAML:

Pros:

  • Mature, battle-tested in enterprises
  • Carries rich attributes (roles, groups, departments)
  • Strong support in legacy enterprise apps

Cons:

  • XML is verbose and complex to debug
  • Poor fit for mobile apps and APIs
  • Implementation errors (like signature validation mistakes) are a common source of vulnerabilities

OIDC:

Pros:

  • Lightweight JSON tokens
  • Works everywhere: web, mobile, APIs
  • Built on OAuth 2.0, which developers already know

Cons:

  • JWT misconfiguration (like skipping signature validation) creates security holes
  • Token expiry and refresh logic requires careful handling

SCIM:

Pros:

  • Eliminates manual account management
  • Reduces orphaned accounts (a major security risk)
  • Standardized, so IDPs support it out of the box

Cons:

  • Not every app supports SCIM endpoints
  • Centralizing SCIM in a sync service adds architectural complexity
  • Debugging sync failures across many apps is non-trivial

Where This Fits in the Bigger Picture: IAM

SSO, SAML, OIDC, and SCIM are components of a broader discipline called Identity and Access Management (IAM).

IAM covers:

  • Authentication (AuthN): Proving who you are. SAML, OIDC, MFA.
  • Authorization (AuthZ): Controlling what you can do. RBAC, ABAC, policy engines like OPA.
  • Provisioning: Managing account lifecycles. SCIM.
  • Federation: Trust between organizations. SAML, OIDC across org boundaries.

A practical distinction worth knowing: AWS IAM is Amazon's system for controlling access to AWS resources (S3, EC2, Lambda). It is not a general enterprise IDP. Most companies use Okta or Azure AD as their central IDP and connect to AWS through federation and role mappings.

When a developer logs into AWS through Okta SSO, Okta authenticates them (via SAML or OIDC) and passes their identity to AWS IAM, which then decides what resources they can access.


A Real Security Consideration: The SSO Risk Trade-Off

SSO reduces password sprawl and improves user experience. But it concentrates risk.

If an attacker compromises an employee's IDP credentials and MFA, they gain access to every federated application at once. This is why:

  • MFA on the IDP is not optional, it is the primary defense layer
  • Conditional access policies (blocking logins from unrecognized devices or locations) are critical
  • Session timeouts should be enforced at the IDP level
  • Privileged accounts should use hardware security keys (FIDO2), not TOTP codes

The 2023 MGM Resorts breach reportedly started with social engineering an IT help desk into resetting an Okta account. The attacker then moved laterally across MGM's systems using the SSO trust relationships. SSO amplified the blast radius of a single credential compromise.

The lesson: SSO is more secure than password sprawl when configured correctly. The IDP is the crown jewel. Protect it accordingly.


Summary

  • SAML handles authentication for enterprise web apps using XML assertions. Mature, verbose, and essential for legacy systems.
  • OIDC handles authentication for modern apps and APIs using lightweight JSON tokens. Built on OAuth 2.0.
  • SCIM handles account lifecycle management. It creates, updates, and removes user accounts automatically across all your apps.
  • SSO is the goal. SAML and OIDC are the protocols that deliver it. SCIM keeps the underlying accounts in sync.
  • IAM is the full framework. SSO is one piece of it.

If you are building a product today, start with OIDC for authentication and implement SCIM endpoints if you want enterprise customers (they will ask for it). If you are connecting to legacy enterprise systems, SAML support is non-negotiable.


Found this useful? Share it with your team. If you want a deeper breakdown of OAuth 2.0 flows, JWT security, or RBAC versus ABAC authorization models, drop a comment below.