Affirmed Identity™ - Zero Trust Passwordless Push Authentication

Connect, OIDC and SAML Providers

Page last revised on: January 2026

The Access and Authorization Gap in OIDC and SAML

OIDC and SAML 2.0 have become foundational to modern access and federation, but they solve for convenience and authorization—not identity assurance. Authentication remains weak, and once a session is established it is largely trusted without continued verification. This disconnect leaves enterprises exposed to session-level attacks despite investments in modern identity infrastructure. In short, OIDC and SAML enable access, but they do not secure the session.


Federated Identity Provider Services

Connect is the federation layer of the AffirmedID framework, providing standards-based identity brokering between applications, identity providers, and authentication services. It enables organizations to modernize and unify authentication without rewriting applications or fragmenting assurance.

Built on proven identity standards—OpenID Connect (OIDC), OAuth 2.0, and SAML 2.0—Connect acts as a secure, interoperable control plane that delivers phishing-resistant authentication and consistent policy enforcement across cloud, SaaS, and legacy environments.


What Connect Does and How It’s Different

Unlike conventional identity federation services that make a one-time access decision at login, Connect is designed to participate in continuous identity assurance.

Key differentiators include:

  1. Native support for phishing-resistant authentication
    • Supports both Passkey (FIDO2) single-factor authentication and Auth (FIDO2) multi-factor authentication
    • Enables higher assurance without introducing proprietary protocols or breaking federation standards
  2. Policy enforcement beyond initial authentication
    • Connect operates as a Policy Enforcement Point (PEP) for session access
    • It receives and processes real-time outputs from Pulse, reflecting ongoing user presence, engagement, and risk signals
  3. Dynamic, policy-driven session control
    • Enforcement decisions are based on policies retrieved from the AffirmedID API cloud, scoped by client and user identity
    • Access can be maintained, restricted, or terminated based on changing conditions during the session—not just at login
  4. Standards preserved, assurance elevated
    • OIDC, OAuth 2.0, and SAML 2.0 behaviors remain fully standards-compliant
    • Continuous signals augment—not replace—federated identity flows, allowing adoption without application rewrites

Why This Matters (One-line takeaway)

Connect turns federation from a point-in-time gate into an active control surface for session security.


Use Cases

Universal federation replacement or complement

Connect can be deployed anywhere an OIDC or SAML provider is accepted, allowing it to replace or augment existing federation services without application changes.

Behind existing IAM or IdP platforms

Connect can operate behind an IAM or third-party IdP, elevating assurance by introducing phishing-resistant authentication and continuous session enforcement without disrupting upstream identity systems.

Independent identity provider

In environments without an existing IAM or IdP, Connect can function as a standalone identity provider, delivering standards-based federation with built-in high-assurance authentication.

High-security and regulated applications

Connect’s inclusion of a Policy Enforcement Point (PEP) enables real-time, policy-driven session control, making it well suited for applications requiring continuous identity assurance, not just login-time validation.

Connect fits wherever federation is required—and excels where continuous control is non-negotiable.

