Informal Definitions • SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve – Single Sign On (SSO), – Federation and – Identity Management.
Informal Definitions • OAuth (Open Authorization) is a standard for authorization of resources. • It does not deal with authentication. – Look for OpenID Connect for Authentication.
Formal Definitions • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. • From Wikipedia Page on SAML
Formal Definitions • OAuth : An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. • From OAuth.net
Transport • SAML has Bindings that use HTTP, such as the HTTP POST Binding, the HTTP Redirect Binding etc. – But SAML is not tied to one transport. SAML messages and assertions can also be carried over SOAP, JMS or any other transport you choose.
Transport • OAuth 2.0 is defined only in terms of HTTP and relies on TLS to protect tokens in transit.
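The two HTTP bindings named on the SAML transport slide, as an added worked example that is not part of the original deck: the HTTP Redirect binding carries the message in a query parameter (raw DEFLATE, then base64, then URL-encoding), while the HTTP POST binding carries it base64-encoded in a hidden form field with no compression. The AuthnRequest, the issuer, the destination URL and the request ID are constructed placeholders. The decoder caps the inflated size, since an attacker-supplied SAMLRequest is also an attacker-supplied compressed blob.

```python
# Added example (not from the original slides): SAML HTTP-Redirect and
# HTTP-POST bindings with the Python standard library only.
# All URLs, IDs and the AuthnRequest itself are constructed placeholders.
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest (minimal, unsigned), purely for illustration.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/sso">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Upper bound on the inflated message an IdP/SP is willing to accept.
# Assumed limit for this example; pick one that fits your own messages.
MAX_INFLATED_BYTES = 64 * 1024


def deflate_base64(xml: str) -> str:
    """HTTP-Redirect encoding step 1+2: raw DEFLATE, then standard base64.

    wbits=-15 selects raw DEFLATE with no zlib header and no checksum, which
    is what the SAML binding specification prescribes for this binding.
    """
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def inflate_base64(param: str) -> str:
    """Reverse of deflate_base64, refusing decompression bombs and truncated streams."""
    raw = base64.b64decode(param)
    decompressor = zlib.decompressobj(wbits=-15)
    # Ask for one byte more than the limit: if we get it, the message is too big.
    out = decompressor.decompress(raw, MAX_INFLATED_BYTES + 1)
    if len(out) > MAX_INFLATED_BYTES:
        raise ValueError("inflated SAML message exceeds size limit")
    if not decompressor.eof or decompressor.unconsumed_tail:
        raise ValueError("truncated or trailing data in SAML message")
    return out.decode("utf-8")


def build_redirect_url(idp_sso_url: str, xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: the URL the SP sends the browser to (step 3: URL-encode)."""
    params = {"SAMLRequest": deflate_base64(xml)}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urllib.parse.urlencode(params)


def parse_redirect_url(url: str):
    """What the IdP does on receipt: pull SAMLRequest and RelayState back out."""
    query = urllib.parse.urlsplit(url).query
    params = urllib.parse.parse_qs(query)
    xml = inflate_base64(params["SAMLRequest"][0])
    relay_state = params.get("RelayState", [""])[0]
    return xml, relay_state


def build_post_form_fields(xml: str) -> dict:
    """HTTP-POST binding: plain base64 in a hidden form field, no compression."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def parse_post_form_fields(fields: dict) -> str:
    """Decode the POSTed form field back into the XML message."""
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8")


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.com/sso", SAMPLE_AUTHN_REQUEST, "state-1")
    print(url)
    xml, state = parse_redirect_url(url)
    print(xml == SAMPLE_AUTHN_REQUEST, state)
    print(parse_post_form_fields(build_post_form_fields(SAMPLE_AUTHN_REQUEST)) == SAMPLE_AUTHN_REQUEST)
```

Signing is deliberately left out: with the Redirect binding the signature goes in separate SigAlg and Signature query parameters over the encoded string, while with the POST binding it is an XML Signature inside the message, which is why the two bindings are validated differently on the receiving side.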
Scope • Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.
Scope • OAuth has been designed for use with applications on the internet, – primarily for delegated authorization of internet resources. • OAuth is designed for Internet Scale.
Which Versions Should Be Used?
Versions • SAML v2.0 • OAuth v2.0
Use Cases • If your use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.
Use Cases • If your use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.
Use Cases • If your use case involves providing access to a partner or customer application to your portal – then use SAML.
Use Cases • If your use case requires a centralized identity source – then use SAML. You can also use an OpenID Provider as a central Identity Provider under the OpenID Connect Specification (under development).
Use Cases • If your use case involves mobile devices – then use OAuth (with some form of bearer tokens).
Using SAML with OAuth
SAML With OAuth • Use SAML for authentication. • Use the SAML token/assertion as the OAuth bearer token, sent in the HTTP Authorization header with the Bearer scheme, to access protected resources. – The resource server must still validate the assertion: signature, audience, and validity period. – The SAML 2.0 Bearer Assertion profile for OAuth 2.0 (RFC 7522) standardizes the related pattern of exchanging a SAML assertion for an OAuth access token.
Replace SAML with OAuth
Replace SAML With OAuth • Use JWT for authentication. • Use the JWT as the OAuth bearer token, sent in the HTTP Authorization header with the Bearer scheme, to access protected resources. – The resource server must validate the JWT: pin the expected algorithm, verify the signature, and check exp, nbf and aud. – The JWT Bearer Assertion profile for OAuth 2.0 (RFC 7523) standardizes the related pattern of exchanging a JWT for an access token.
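The bearer-token pattern from the two preceding slides, as an added worked example that is not part of the original deck: a resource server takes the token from the HTTP Authorization header (Bearer scheme) and, for the JWT case, verifies it before serving the request. It uses only the Python standard library and assumes HS256 with a key shared between the authorization server and the resource server; real deployments more often use RS256 or ES256 with the authorization server's public key, but the header parsing and the claim checks are the same. The shared key, the audience value and the sample claims are constructed placeholders.

```python
# Added example (not from the original slides): accepting a JWT as the OAuth
# 2.0 bearer token in the HTTP Authorization header, standard library only.
# Assumptions: HS256 with a key shared by the authorization server and the
# resource server; key, audience and claims below are constructed placeholders.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"constructed-demo-key-do-not-use"   # placeholder secret
EXPECTED_AUDIENCE = "https://api.example.com"    # placeholder resource identifier
ALLOWED_ALG = "HS256"                            # the only algorithm we verify


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact-serialized HS256 JWT, as the authorization server would."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def bearer_token_from_header(authorization: Optional[str]) -> str:
    """Extract the token from 'Authorization: Bearer <token>' (scheme is case-insensitive)."""
    if authorization is None:
        raise ValueError("missing Authorization header")
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("not a bearer credential")
    return token.strip()


def verify_jwt(token: str, key: bytes, audience: str, now: Optional[float] = None) -> dict:
    """Verify signature, algorithm, exp/nbf and aud; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 (binascii.Error) or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: the token's own alg field must never select the
    # verification routine (this rejects alg=none and key-confusion tricks).
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    nbf = claims.get("nbf", 0)
    if not isinstance(nbf, (int, float)) or now < nbf:
        raise ValueError("token not yet valid")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def authorize_request(headers: dict, key: bytes = SHARED_KEY,
                      audience: str = EXPECTED_AUDIENCE, now: Optional[float] = None) -> dict:
    """Gate for a protected resource: returns verified claims, raises ValueError otherwise."""
    token = bearer_token_from_header(headers.get("Authorization"))
    return verify_jwt(token, key, audience, now)


if __name__ == "__main__":
    issued = int(time.time())
    token = mint_jwt({"iss": "https://as.example.com", "sub": "alice",
                      "aud": EXPECTED_AUDIENCE, "iat": issued, "exp": issued + 300}, SHARED_KEY)
    print(authorize_request({"Authorization": "Bearer " + token}))
    try:
        authorize_request({"Authorization": "Bearer " + token[:-2] + "AA"})
    except ValueError as err:
        print("rejected:", err)
```

Bearer tokens are accepted purely on possession, which is why the two slides above lean on TLS for transport and why the resource server's own checks (algorithm pinning, signature, lifetime, audience) are the only thing standing between a leaked or forged token and the protected resource.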