SAML vs OAuth

Anil Saldhanaanil@apache.org

http://anil-identity.blogspot.com

Reference: http://architects.dzone.com/articles/saml-versus-oauth-which-one

Informal Definitions

Informal Definitions

• SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve– Single Sign On (SSO),– Federation and– Identity Management.

Informal Definitions

• OAuth (Open Authorization) is a standard for authorization of resources.

• It does not deal with authentication.– Look for OpenID Connect for Authentication.

Formal Definitions

Formal Definitions

• Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

• From Wikipedia Page on SAML

Formal Definitions

• OAuth : An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.

• From OAuth.net

Differences

Token or Message Format

Token Or Message Format

• SAML deals with XML as the data construct or token format.

• OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens (https://docs.jboss.org/author/display/PLINK/OAuth+Bearer+Tokens).

Transport

Transport

• SAML has Bindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc.– But there is no restriction on the transport format.

You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.

Transport

• OAuth uses HTTP exclusively.

Scope

Scope

• Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.

Scope

• OAuth has been designed for use with applications on the internet, – primarily for delegated authorization of internet

resources. • OAuth is designed for Internet Scale.

Which Versions Should Be Used?

Versions

• SAML v2.0• OAuth v2.0

Use Cases

Use Cases

• If your use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.

Use Cases

• If your use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.

Use Cases

• If your use case involves providing access to a partner or customer application to your portal– then use SAML.

Use Cases

• If your use case requires a centralized identity source– then use SAML.

You can also use an Open ID Provider as a central Identity Provider under the OpenID Connect Specification (under development).

Use Cases

• If your use case involves mobile devices– then use OAuth (with some form of bearer

tokens).

Using SAML with OAuth

SAML With OAuth

• Use SAML for authentication. • Use SAML token/assertion as the OAuth

bearer token in the HTTP bearer header to access protected resources.

Replace SAML with OAuth

Replace SAML With OAuth

• Use JWT for authentication. • Use JWT as the OAuth bearer token in the

HTTP bearer header to access protected resources.

References

References

• PicketLink : http://www.picketlink.org• IETF OAuth2 (

http://datatracker.ietf.org/doc/rfc6749/)• OpenID Connect

http://openid.net/specs/openid-connect-basic-1_0-22.html

Full Article

http://architects.dzone.com/articles/saml-versus-oauth-which-one

Contact Me

anil@apache.org