Gluu Web Authentication / SSO Protocol Adoption Predictions


It's hard to make accurate predictions about adoption for SSO protocols, and it's impossible to build a detailed model when the known inputs are so vast.

With that inherent disclaimer about the difficulty of forecasting, the following graph represents Gluu’s view about the likely adoption and un-adoption of three very important web authentication standards: SAML, CAS, and OAuth2 (specifically OpenID Connect).

SAML
It makes sense to start any conversation about web authentication standards with the grand-daddy of Web SSO, the Security Assertion Markup Language (SAML). This is the current leading standard for enterprise inter-domain authentication. It is widely supported by off-the-shelf software and by major SaaS vendors like Google, SalesForce, WorkDay, Box, Amazon, and many others. SAML is the basis for extensive B2B, government and educational networks around the globe. Gluu's prediction is that providing SAML endpoints and services will be critical for domains for years to come. In the next 15 years or so, organizations will look to consolidate on OAuth2-based trust networks, and will look to end-of-life and decommission SAML relationships.

CAS
The “Central Authentication Server” (CAS) defined one of the first Web SSO protocols. It is a simple-to-use API, and it is supported by several open CMS platforms. Backed by LDAP, it was a good choice for many organizations to centralize username/password authentication. It also allowed access control based on network address, to restrict which servers could use the enterprise web authentication service. With the availability of newer, more functional authentication standards like SAML and OpenID Connect, new applications should be directed away from CAS, and older applications should be asked to upgrade to one of the newer protocols. CAS was great, but there are better options now.

OpenID Connect

OpenID Connect is a profile of OAuth2 that provides several services related to authentication. In years past, federation experts thought OpenID would be ubiquitous. Then a smaller subset of federation experts thought OpenID 2 would be ubiquitous. However, the community has coalesced, and now a large group of federation experts are predicting that OpenID Connect will become ubiquitous. It's a risky position, but it holds up when you look at some simple indicators:

  • Support from large consumer IDPs: Google, Microsoft, Yahoo, and probably Facebook
  • Consolidation of several protocol communities, such as OpenID, OAuth2, WS-*, and a subset of the SAML community
  • A move in the consumer market to JSON/REST authentication APIs
  • The explosion of mobile applications requiring better authentication APIs for non-web interactions
  • The expanded role of a “client” acting as an agent of the Person to access Web APIs
  • New standards building on OpenID Connect authentication, such as UMA and the new OpenID Connect Native SSO working group
  • Even Scott Cantor has acknowledged at InCommon Camp that Shibboleth 3.0 is being designed to make it easier to support OpenID Connect in the future!


So we’re going out on a limb here and predicting that OpenID Connect is actually going to catch on this time. We are also perhaps going to help our own cause by providing a scalable, production-quality open source implementation of OpenID Connect: oxAuth.

If anyone disagrees or agrees with the admittedly arbitrarily drawn graphs above, feel free to comment below!


  • Why do you think “organizations will look to consolidate on OAuth2 based trust networks, and will look to end-of-life and de-commission SAML relationships”?

  • Mike Schwartz

    Because OAuth2 offers more features and capabilities… a static SAML is not getting the job done.

  • Hi Mike,

    I missed that post, but I’m pretty sure I could also find my own picture with a super rising curve of CAS after 2014, now that we have the right cloud provider for it ;-)

    My opinion is obviously biased as I’m the Chairman of the CAS open source project and the Founder of CAS in the cloud (

    For me, things are more complicated than that, and many more factors are involved in the success or failure of a product / protocol, which makes forecasts really difficult: integration costs, library availability, powerful proclaimers (the next Facebook), etc. I believe more in product / protocol combination / integration to offer a seamless solution and handle legacy installations. That’s what I somehow try to achieve with pac4j at the client level and for Java:

    Best regards,

  • Alik Elzin

    3+ years later.
    Looks like OpenID Connect is rolling good…