
OpenID Connect (OIDC) is an open identity standard that builds on OAuth 2.0 and governs the authentication of a user between an Identity Provider (IdP) and an application. While OAuth 2.0 describes authorisation ("may this client access this resource?"), OIDC provides the authentication layer ("who is the user?") via a standardised ID token in JWT format.
Context
In a typical flow, an application redirects the user to the IdP (e.g. Microsoft Entra ID, Google, Keycloak), the user authenticates there and is sent back with an authorisation code; the application exchanges the code for an ID token and an access token. The ID token contains standardised claims such as sub (stable user ID), email, name, iss (issuer) and exp (expiry), signed by the IdP. In the SAP Business One environment, OIDC is primarily encountered in modern integrations: the Web Client can be connected to Entra ID, and custom apps based on the Versino Financial Suite or the B1 Helper use OIDC for Single Sign-On and map SAP B1 users via an SSO bridge or a service user on the Service Layer. The advantage is that passwords are not routed through the application and MFA, Conditional Access, and lifecycle management remain centrally managed at the IdP.
Demarcation
OIDC is not identical to SAML: both provide federated login, but OIDC works with JSON/JWTs and HTTP redirects, SAML with XML assertions. It is also not the same as pure OAuth 2.0: OAuth provides access tokens for API calls, OIDC adds verifiable user identity. Configuring OIDC does not automatically replace the session authentication of the Service Layer; in practice, OIDC is used for user authentication on the frontend, and a technical B1 session is still established against the Service Layer in the backend.