← Back to Blog
Security2026-04-3010 min read

SAML vs OIDC vs OAuth2: Which One Your B2B SaaS Actually Needs in 2026

UK
DevOps & Cybersecurity Engineer · MS Cybersecurity, MS CS · CEH · AWS Certified · 10+ years securing enterprise infrastructure. Editorial standards

Three protocols that all do "single sign-on" in different ways, with different vocabularies, and different sets of customers who refuse to use anything else. The choice is not academic. The wrong answer delays enterprise deals by months while the procurement team waits for your team to implement what they wanted in the first place.

The 60-second summary

  • OAuth2 is for authorization. It answers "is this app allowed to access this user's data?" It does not authenticate users by itself.
  • OIDC (OpenID Connect) is OAuth2 with an authentication layer added on top. It answers "who is this user, and is this app allowed to act on their behalf?"
  • SAML 2.0 is the older XML-based protocol that does authentication and authorization in one assertion. It is what every Fortune 500 IT department has been running for 20 years.

If you are building a B2B SaaS in 2026 and selling to enterprises, you will end up supporting both SAML and OIDC. The order matters. Build OIDC first because it is easier to implement and most modern identity providers support it. Add SAML when you need it for the enterprise deal that will not move forward without it.

OAuth2: not actually for sign-in

OAuth2 was designed for one specific scenario: a third-party app needs to access data in another service on behalf of a user, without that user handing over their password. The classic example is "Connect to Google Drive to import files." Google does not give the third-party app your Google password. Instead, Google issues an access token that the third-party app uses for limited operations.

That is OAuth2. Authorization, not authentication.

The misuse of OAuth2 as authentication is widespread. "Sign in with Google" looks like authentication but is actually an OAuth2 flow that asks for the user's profile data, then trusts the access token as proof of identity. This worked in practice but had subtle security holes that OIDC was designed to fix.

Use OAuth2 directly when:

  • You are integrating with an API that exposes user data on behalf of users (Slack, Stripe, GitHub, Google Workspace).
  • You are building an integration platform where users authorize your app to act on their behalf in another service.

Do not use OAuth2 directly for user sign-in to your own application. Use OIDC instead, which is built on OAuth2 and adds the missing authentication primitives.

OIDC: the right choice for modern B2C and most B2B SaaS

OIDC adds an ID token to OAuth2. The ID token is a signed JWT that proves who the user is. The flow is:

  1. User clicks "Sign in with Google" (or Microsoft, or Auth0, or Okta).
  2. Your app redirects to the identity provider with an OIDC authorization request.
  3. User authenticates at the IdP.
  4. IdP redirects back to your app with an authorization code.
  5. Your app exchanges the code for an ID token (and optionally an access token and refresh token).
  6. Your app verifies the ID token signature, checks the audience claim matches your app, checks the issuer, checks expiry, and reads the user's identity from the claims.
  7. You now have an authenticated session.

What OIDC gives you that raw OAuth2 does not:

  • Cryptographically verifiable proof of who the user is via signed ID token.
  • Standardized claims: sub (subject ID), email, name, email_verified, etc.
  • Discovery endpoint at /.well-known/openid-configuration that tells your app where to find the IdP's URLs and public keys.
  • Support for refresh tokens, token revocation, and other operational primitives.

Every modern identity provider supports OIDC. Auth0, Okta, Azure AD (now Entra ID), Google Workspace, AWS Cognito, Keycloak, FusionAuth. If your app supports OIDC, your customers can plug in their existing identity provider in 30 minutes.

For implementation, see our OAuth2 deep-dive which covers the mechanics. Use a library, not handwritten code. openid-client for Node.js, authlib for Python, spring-security-oauth2 for Java. JWT verification mistakes are how OIDC implementations get broken.

SAML 2.0: ugly, XML-based, and the only thing your enterprise customers will accept

SAML predates OIDC by a decade. It is XML-based, uses signed XML assertions, and was designed for federated identity in enterprise environments. Compared to OIDC, it is verbose, harder to implement correctly, and easier to misconfigure into security holes.

So why does it still matter? Because enterprise IT departments standardized on SAML 15 years ago, and changing identity standards is something enterprises do never. If your customer's IT team uses Okta, Azure AD, or PingFederate to manage SSO across hundreds of SaaS applications, they will plug your app into the same SSO platform. They will demand SAML because that is what they have running, what their compliance auditors approve, and what their procurement contract specifies.

The SAML flow:

  1. User goes to your app and clicks "Sign in with SSO."
  2. Your app generates a SAML Authentication Request, redirects user to the customer's IdP with the request encoded in URL or POST body.
  3. User authenticates at the IdP.
  4. IdP generates a signed SAML Assertion containing the user's identity and attributes.
  5. IdP POSTs the assertion to your app's Assertion Consumer Service URL.
  6. Your app verifies the XML signature, validates the assertion (issuer, audience, time bounds, signature), reads the user's identity from the attributes.
  7. You have an authenticated session.

What makes SAML hard:

  • XML signature canonicalization. Real CVEs have come from libraries that did this wrong.
  • SAML metadata exchange. You and the customer trade XML files containing each other's certificates and URLs.
  • Just-In-Time provisioning vs SCIM. SAML alone authenticates, but does not provision users. Enterprise customers usually want SCIM 2.0 alongside.
  • Attribute mapping. Different IdPs send different attribute names for the same data. Your app needs admin UI for customers to configure this.
  • IdP-initiated vs SP-initiated flows. Some IdPs let users start at the IdP and "launch" your app. This flow has historically had security issues and most modern advice is to disable it.

The B2B SaaS reality: you need both

Here is the honest truth nobody puts in a marketing comparison: B2B SaaS that sell to enterprises end up supporting both protocols. The breakdown:

  • OIDC for "Sign in with Google" or "Sign in with Microsoft," for individual users on your website.
  • SAML for enterprise SSO where the customer's IT team controls authentication centrally.

You will hear arguments that "modern enterprises use OIDC now." Some do. Microsoft Entra ID supports both. Okta supports both. Auth0 supports both. But the SaaS in the customer's existing portfolio probably uses SAML, and the contract that requires "SAML 2.0 with SHA-256 signing" was written by a procurement team that has not heard about OIDC.

If you are an early-stage SaaS, start with OIDC. The day a customer says "we need SAML before we can sign," add SAML. Most identity-as-a-service vendors (Auth0, WorkOS, Stytch, Frontegg) provide both behind a single integration point so you do not have to implement either yourself.

The "WorkOS pattern" and why most teams should not build SSO themselves

Identity is one of those domains where you should almost certainly buy, not build. The reasons:

  1. SAML XML signature parsing has security CVEs every couple years. SimpleSAMLphp had several. python-saml had one. libxml2 still has them.
  2. Every IdP has quirks. Okta sends attributes one way. Azure AD sends them another. ADFS adds its own dialect. You will spend years discovering edge cases.
  3. SCIM provisioning is a separate spec. When the customer fires an employee, the IdP should automatically deactivate that user in your app. SCIM does that. SAML does not.
  4. Enterprise customers ask for IP allowlisting, mandatory MFA, session timeout policies, audit logs. All of these compose with SSO and all need separate configuration UIs.

Vendors like WorkOS, Auth0, Stytch, and Frontegg solve this. WorkOS specifically markets itself as "the modern SSO for B2B" and provides a single API that abstracts SAML, OIDC, SCIM, and MFA across every major IdP. Cost runs from free for early-stage to $5,000+/month for enterprise tier, but the operational cost of implementing this in-house is substantially higher.

The two cases where building yourself makes sense:

  • You are an authentication-as-a-service vendor yourself.
  • You are a hyperscale company where the per-customer cost of an SSO vendor adds up to more than building it.

For most B2B SaaS, neither applies. Buy the SSO layer.

Common implementation pitfalls that delay enterprise deals

  1. Not validating the SAML signature against the IdP's certificate. Catastrophic. Anyone can forge assertions. Always validate signatures against the IdP's public key from the metadata file.
  2. Not validating the audience. A SAML assertion intended for another vendor can be replayed against your app if you do not check the audience claim.
  3. Hardcoded SAML config per customer. When you have 5 enterprise customers, manageable. When you have 50, your engineering team is full-time updating XML configs. Build admin UI from day one.
  4. JIT provisioning without SCIM. User signs in via SAML and gets created in your app. User leaves the company. Their account is still in your app forever because SAML cannot tell you they were deactivated. Implement SCIM 2.0 alongside.
  5. Treating OIDC ID tokens as access tokens. Different purpose. ID tokens prove identity. Access tokens authorize API calls. Never use an ID token to call your backend API.
  6. Not supporting role/group attributes. Enterprise customers want to map IdP groups to roles in your app. Build group attribute support from the start.

The decision framework

  • You are a B2C product. OIDC, plus social login. Skip SAML.
  • You are a B2B SaaS targeting SMB customers. OIDC for individual sign-in, plus "Sign in with Google Workspace / Microsoft 365." Add SAML when the first enterprise deal demands it.
  • You are a B2B SaaS targeting mid-market and enterprise. Both OIDC and SAML, plus SCIM for provisioning. Use a vendor.
  • You are integrating with another service's API on user's behalf. OAuth2.

Securely share SSO setup details with your customers

SAML and OIDC integrations require trading certificates, metadata URLs, and shared secrets. Share these securely with zero-knowledge encryption instead of email or chat.

Create Encrypted Paste

The bottom line

OAuth2 is for authorization between services. OIDC is for authentication of users. SAML is for enterprise SSO. Most B2B SaaS that sell to enterprises end up needing OIDC and SAML. Most should buy this from a vendor like WorkOS or Auth0 rather than build in-house, because the security stakes and operational complexity make in-house implementation expensive over time.

Start with OIDC, add SAML when an enterprise deal requires it, support SCIM provisioning when you have more than five enterprise customers, and never let an engineer roll their own XML signature verification.

Related reading: OAuth2 Explained Simply, JWT Tokens Explained, API Authentication Best Practices, Two-Factor Authentication Guide, and Identity Access Management Best Practices.