I'm trying to wrap my head around the difference between SAML, OIDC, and OAuth.
Is the only reason SAML is the most popular choice for enterprise SSO that it's been around much longer? Is it expected to eventually be replaced by OIDC and OAuth for SSO, OR is there something inherent to SAML that makes it better suited to SSO than OIDC and OAuth? SAML uses SOAP, which has been pretty much 100% usurped by REST, which OIDC uses, so I would expect SAML to also be replaced by OIDC.
It seems like SAML includes support for authentication and authorization if the SP is written to read SAML attributes and use them to determine what access the user has.
OpenID Connect only supports authentication and must be used with OAuth to include authorization, right? Does that make SAML easier to configure, usually?
This isn't an open-ended question about which is better; I'm asking if SAML is inherently better suited for enterprise SSO or is only still popular for historical reasons. I've been reading articles like this one that say stuff like "Ideally, organizations are going to use both SAML as well as OIDC depending on the use case."
and I don't understand why, because the overlap for SSO use cases appears to be 100% to me. It feels like we are "stuck" with SAML because it's more widely supported for enterprise systems, at least for now. Is that an accurate assessment?
EDIT: Trying to find more info about this, and this article is especially helpful, but this still confuses me:
"SAML is still our preferred approach and I think the best approach, when a user is trying to get to a resource in a browser," says David Meyer, vice president of product for OneLogin. "It is super-efficient and super secure. People say SAML is dead, but we see it exponentially increasing in adoption every year. Literally, exponentially."
I'm having trouble understanding what makes it better or more efficient and secure than OIDC with OAuth.
The article also reminded me of OpenID 1.0 years ago and how it died. That death and resurrection as OpenID Connect was important historical context missing from the other articles I was reading.
Basically, what I want to get to the bottom of is whether the SSO use case can be fully serviced by OIDC at least as well as it is by SAML. I'm pretty sure at this point it can be, but I'm reading some confusing stuff about it.