SAML 2.0 and OpenID Connect (OIDC) are the two dominant federation protocols for Single Sign-On. SAML, finalized in 2005, exchanges XML assertions over HTTP redirects or POSTs; it is deeply entrenched in enterprise IT, integrates well with on-prem Active Directory, and is what most "SSO available on Enterprise plan" vendor checkboxes mean. OIDC, finalized in 2014 on top of OAuth 2.0, exchanges signed JSON Web Tokens (JWTs) and is the default choice for new mobile, single-page, and API-first applications. Most modern identity providers speak both.

In a self-hosting context

When self-hosting an identity provider like Keycloak or Authentik, you usually configure SAML for legacy on-prem apps and OIDC for everything new. Modern self-hostable SaaS replacements — Mattermost, Nextcloud, Gitea — all support both, so the choice is dictated by what the client app expects, not by what the IdP can issue.