OpenID Connect I’ve been working in identity for about a decade now – since the days of SAML 1.1, in fact. Back then, the standard example for federated identity was airline customers accessing a rental car site without needing a second login. As things turned out, travel sites such as Expedia and Kayak did all that integration on the back end, but, as with many aspects of IT, the cloud changed everything for identity. With the rise of SaaS, it seems like we all acquired usernames and passwords for Gmail,, Concur, and a host of other online service providers, and mitigating password proliferation by leveraging credentials across services – single sign-on for short – is hotter than ever.

The new kid on the single sign-on block is OpenID Connect, which actually has more in common with OAuth than OpenID. Basically, OpenID Connect, like SAML, allows one site, such as (termed the Client in the protocol), to verify the identity of a user based on the authentication performed by another site, such as Google (the Authorization Server). Where SAML was built in the last decade on technologies such as XML and SOAP, OpenID Connect is engineered for the current toolset of JSON and REST. In fact, OpenID Connect is still on the road to standardization (real soon now!), but it has been stable enough for some time for providers such as Google, PayPal and, now, to build implementations.

The Winter ’14 release includes OpenID Connect Authentication Providers, allowing your org to be an OpenID Connect Client, and leverage an Authorization Server for user login. Let’s take a look at how this works:


If you want to walk through the protocol in detail, there’s an excellent, detailed description on Google’s Developer site, and if you want to try it out, sign up for a Winter ’14 pre-release account and give it a go!

UPDATE: the security rules in the pre-release environment don’t allow callouts, so this does not work in pre-release. It should work just fine in a sandbox, though, so give it a go there after they cut over tomorrow (Sept 7). Apologies if you spent time trying to get this working in pre-rel!

Get the latest Salesforce Developer blog posts and podcast episodes via Slack or RSS.

Add to Slack Subscribe to RSS