Tags: SAML, OIDC, Architecture | June 4, 2025 | 7 min read

SAML vs OIDC: choosing the right protocol for LMS SSO

Compare SAML 2.0 and OpenID Connect so you can pick the best fit for your Thinkific deployment.

SAML 2.0 and OpenID Connect (OIDC) both solve the same problem — letting users sign in once and access many applications — but they use different mechanics. For a Thinkific LMS deployment, the right choice depends on your existing identity stack, mobile requirements, and how much metadata you need to exchange.

SAML in a nutshell

SAML is XML-based and was designed for browser-based enterprise SSO. It exchanges signed assertions between an identity provider (IdP) and a service provider (SP). SAML is mature, well supported by on-premises directories, and the default choice for higher-education federation networks like InCommon.

OIDC in a nutshell

OIDC is a thin identity layer on top of OAuth 2.0. It uses JSON Web Tokens (JWT) and REST-style endpoints. OIDC is generally easier for modern cloud IdPs, supports mobile and SPA flows natively, and has smaller payloads than SAML.

When to choose SAML for Thinkific

  • Your organisation already uses Okta, OneLogin, Shibboleth, ADFS, or an institutional federation.
  • You need rich attribute statements and group memberships in the assertion.
  • Your security team prefers signed XML assertions and established metadata exchange.
  • You participate in InCommon, eduGAIN, or similar federation programs.

When to choose OIDC for Thinkific

  • Your identity provider is Microsoft Entra ID, Auth0, Google Workspace, or a cloud-native platform.
  • You want simpler configuration with discovery URLs and client credentials.
  • You need modern flows such as PKCE for native or single-page apps.
  • You prefer JSON-based claims and REST APIs over XML metadata.

Can you support both?

Yes. WooNinja SSO lets you configure separate connections for different business units or environments. Many customers standardise on SAML for corporate users and OIDC for external contractors or acquired companies with different IdPs.

Security comparison

Both protocols are secure when configured correctly. SAML relies on XML signatures and certificate exchange. OIDC relies on JWT signatures, TLS, and client secrets or certificates. The bigger risk in either case is misconfiguration — weak endpoints, missing signature validation, or overly broad attribute release.

Making the decision

If your IdP team has a preference, follow it. The protocol matters less than correct configuration, attribute mapping, and lifecycle automation. WooNinja SSO supports both, so you are not locked into one choice.

For a personalised recommendation, share your IdP and use case with our team and we will propose the simplest, most secure path.

Written by WooNinja Team