I’m evaluating authentication strategies for our performance analysis reporting system in SOC 4.0 and wanted to get the community’s perspective on SAML versus OAuth2.
We have about 200 users who need access to production reports, KPI dashboards, and analytics. Currently using basic authentication, but we need to implement SSO and improve our audit logging capabilities. Our corporate infrastructure already supports both SAML (via Azure AD) and OAuth2 (via Okta for some applications).
From what I understand, SAML is more traditional and better for web-based SSO, while OAuth2 is more flexible for API access and mobile apps. However, I’m concerned about attribute mapping complexity with SAML and token scope management with OAuth2.
What have others experienced with these protocols in Opcenter reporting scenarios? Are there specific gotchas with either approach? I’m particularly interested in how audit logging works with each protocol and whether one provides better visibility into who accessed what reports and when.
I’d lean toward OAuth2 if you have any plans for API access or mobile reporting apps in the future. SAML works great for browser-based access, but it’s clunky for programmatic access. With OAuth2, you can issue access tokens with specific scopes like ‘read:reports’ or ‘read:kpi-dashboards’ and control exactly what each token can access. This is much more granular than SAML’s attribute-based approach. However, token management becomes critical - you need proper refresh token rotation and secure token storage.
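The scope-per-endpoint enforcement described in the reply above, with the audit record the original question asks for, as an added example that is not part of this thread and not Opcenter's or Okta's code. It assumes HS256 access tokens signed with a shared secret so it runs offline (a real Okta or Azure AD deployment issues RS256 tokens that the resource server verifies against the issuer's JWKS; the scope and audit logic is unchanged), and the endpoint paths, issuer, audience and scope names are hypothetical:

```python
import base64
import hashlib
import hmac
import json

SECRET = b"demo-shared-secret-change-me"   # constructed for this example only
ISSUER = "https://idp.example.com"         # hypothetical issuer
AUDIENCE = "opcenter-reports"              # hypothetical audience (this resource server)

# Hypothetical report endpoint -> scope it requires. A token carrying only
# read:reports must be unable to pull a KPI dashboard, and vice versa.
REQUIRED_SCOPE = {
    "/reports/production": "read:reports",
    "/dashboards/kpi": "read:kpi-dashboards",
}

AUDIT_LOG: list = []  # stand-in for an append-only audit sink (SIEM, WORM store)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, scope: str, now: int, ttl: int = 300) -> str:
    """Issue an HS256 JWT. The IdP does this in production; included so the example runs."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "scope": scope,
              "iat": now, "exp": now + ttl, "jti": f"{sub}-{now}"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: int) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm server-side; never let the token choose (blocks alg=none tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def authorize(token: str, path: str, now: int) -> dict:
    """Decide whether `token` may read `path` and write one audit record either way.

    The record carries who (sub), which token (jti), what (path), when (ts) and
    the outcome, which is exactly the "who accessed what and when" trail the
    thread asks about. Denials are logged too, with the reason.
    """
    record = {"ts": now, "path": path, "sub": None, "jti": None, "outcome": None}
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        record["outcome"] = f"denied:invalid_token:{exc}"
        AUDIT_LOG.append(record)
        return record
    record["sub"], record["jti"] = claims.get("sub"), claims.get("jti")
    needed = REQUIRED_SCOPE.get(path)
    granted = set(claims.get("scope", "").split())  # RFC 6749 space-delimited scope string
    if needed is None:
        record["outcome"] = "denied:unknown_resource"      # deny by default for unmapped paths
    elif needed not in granted:
        record["outcome"] = f"denied:insufficient_scope:needs {needed}"
    else:
        record["outcome"] = "allowed"
    AUDIT_LOG.append(record)
    return record
```

The two checks worth copying into a real resource server are the pinned algorithm and the audience check: without the first a token with `alg` set to `none` or a different key type can be accepted, and without the second a token minted for some other API at the same IdP can be replayed against the reporting API even though its scopes happen to match.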
We implemented SAML for our reporting access about two years ago and it’s been solid. The attribute mapping was tricky initially - you need to carefully configure which user attributes from Azure AD map to Opcenter user properties. Once configured though, it’s very stable. The main advantage is seamless web SSO - users click a link and they’re authenticated automatically without any additional login prompts.
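The Azure AD to application attribute mapping the reply above describes, as an added example that is not from this thread and not Opcenter's code. The claim URIs are Azure AD's default SAML claim names; the target property names, the group object IDs, the role names and the sample assertion are constructed for the example. It assumes the assertion's XML signature, issuer and audience have already been verified by the SAML library before the attributes are trusted, which this function does not do:

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Azure AD default claim URI -> hypothetical application user property.
# objectidentifier is the immutable tenant object ID; key accounts on it, not
# on e-mail or NameID, which can change or be reassigned.
ATTRIBUTE_MAP = {
    "http://schemas.microsoft.com/identity/claims/objectidentifier": "external_id",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups",
}
MULTI_VALUED = {"groups"}
REQUIRED = {"external_id", "email"}

# Hypothetical Azure AD group object IDs -> reporting roles. Unknown groups are
# ignored, so a user in no mapped group ends up with no roles (deny by default).
GROUP_ROLES = {
    "1f2d3c4b-0000-4000-8000-000000000001": "report_viewer",
    "1f2d3c4b-0000-4000-8000-000000000002": "kpi_dashboard_viewer",
}

# Constructed sample assertion (signature element omitted; see lead-in).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>9d1e7f00-1111-4222-8333-444444444444</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>1f2d3c4b-0000-4000-8000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>1f2d3c4b-0000-4000-8000-000000000002</saml:AttributeValue>
      <saml:AttributeValue>1f2d3c4b-0000-4000-8000-0000000000ff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def map_attributes(assertion_xml: str) -> dict:
    """Translate the AttributeStatement into a user record; raise ValueError if it is unusable."""
    root = ET.fromstring(assertion_xml)
    user = {"groups": []}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        prop = ATTRIBUTE_MAP.get(attr.get("Name"))
        if prop is None:
            continue  # claims we did not ask for (e.g. tenantid) are ignored
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        if prop in MULTI_VALUED:
            user[prop] = values
        elif len(values) != 1:
            raise ValueError(f"expected exactly one value for {prop}, got {len(values)}")
        else:
            user[prop] = values[0]
    missing = REQUIRED - set(user)
    if missing:
        raise ValueError(f"assertion missing required attributes: {sorted(missing)}")
    user["roles"] = sorted({GROUP_ROLES[g] for g in user["groups"] if g in GROUP_ROLES})
    return user
```

Two gotchas this encodes: single-valued properties are rejected if the IdP sends more than one value (rather than silently taking the first), and the required set is checked after mapping, so a renamed or dropped claim on the Azure AD side fails the login visibly instead of creating a half-populated account.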
Good points on both sides. The API access angle is interesting - we don’t have immediate plans for mobile apps, but it’s definitely on the roadmap for next year. How do you handle the transition if you start with SAML and later need to support OAuth2 for APIs? Can both coexist or does it create a messy dual-authentication environment?