|
OpenID Connect, like others mention, but there's more in life than only SSO? Organizations also want to automatically deactivate user accounts? There's something called SCIM, "System for Cross-domain Identity Management", that does this, and which you can use together with OpenID Connect (OIDC). SCIM can automatically deactivate a user account if the person leaves the organization or moves to a different department. And it can auto add and remove him/her to/from various user groups. But with SAML, managers / admins still need to micromanage the user accounts, e.g. place the user in the correct group if s/he gets a new job role. SAML only syncs user accounts upon login, from what I've understood. (So if the user stays logged in, then, with SAML, his/her account permissions can get out of date?) SCIM: https://docs.microsoft.com/en-us/azure/active-directory/app-... Azure AD uses this, and Okta, OneLogin, GitHub and some others too I suppose. If anyone has tried SCIM it'd be interesting to hear what you think about it? (I've just read about it) |
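
The deactivation flow described in the comment above, seen from the receiving application's side, as an added example that is not part of the original comment or any vendor's code: a SCIM 2.0 PATCH (RFC 7644) that sets `active` to false, after which the app also revokes live sessions so a logged-in user does not keep access. The stores, ids and function names are constructed for illustration; only the `replace` operation on `active` is handled.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed in-memory stores standing in for the app's user and session tables.
USERS = {"u-1001": {"userName": "alice@example.com", "active": True}}
SESSIONS = {"sess-a": "u-1001", "sess-b": "u-1001", "sess-c": "u-2002"}

class ScimError(Exception):
    """Maps to a SCIM error response; status is the HTTP status code."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status

def _as_bool(value):
    # Defensive: accept JSON booleans and the strings "true"/"false" in any case.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ScimError(400, "invalidValue: active must be boolean")

def revoke_sessions(user_id):
    """Drop every live session of the user; returns the revoked session ids."""
    revoked = sorted(s for s, uid in SESSIONS.items() if uid == user_id)
    for s in revoked:
        del SESSIONS[s]
    return revoked

def apply_user_patch(user_id, body):
    """Apply 'replace active' operations; revoke sessions on deactivation."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ScimError(400, "invalidSyntax: not a PatchOp message")
    user = USERS.get(user_id)
    if user is None:
        raise ScimError(404, "user not found")
    revoked = []
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            raise ScimError(501, "only 'replace' is handled here")
        value = op.get("value")
        # Two valid forms: path="active" with a scalar, or no path with an object.
        if op.get("path"):
            changes = {op["path"].lower(): value}
        else:
            changes = value if isinstance(value, dict) else {}
        if "active" in changes:
            user["active"] = _as_bool(changes["active"])
            if not user["active"]:
                revoked = revoke_sessions(user_id)
    return user, revoked
```

Without the session revocation step, the account would be flagged inactive but existing sessions would stay valid until they expire.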