Saml vs Oauth : Which one should I use?
    Presentation Transcript

    • SAML vs OAuth. Anil Saldhana, anil@apache.org, http://anil-identity.blogspot.com. Reference: http://architects.dzone.com/articles/saml-versus-oauth-which-one
    • Informal Definitions
    • Informal Definitions • SAML (Security Assertion Markup Language) is an umbrella standard: it combines assertions, protocols, bindings and profiles to achieve – Single Sign On (SSO), – Federation and – Identity Management.
    • Informal Definitions • OAuth (Open Authorization) is a standard for delegated authorization: a resource owner lets a client application access resources on their behalf. • It does not deal with authentication. An access token says nothing about who the end user is, so a client must not treat possession of one as proof of identity. – Look to OpenID Connect, which adds an identity token on top of OAuth 2.0, for authentication.
    • Formal Definitions
    • Formal Definitions • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. • From Wikipedia Page on SAML
    • Formal Definitions • OAuth : An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. • From OAuth.net
    • Differences
    • Token or Message Format
    • Token Or Message Format • SAML deals with XML as the data construct or token format: assertions, requests and responses are XML documents protected by XML Signature. • OAuth 2.0 does not fix a token format. An access token can be an opaque string (random bytes that only the authorization server can map back to a grant), a JSON structure such as a JWT, or even a SAML assertion, as explained in the PicketLink page on OAuth Bearer Tokens (https://docs.jboss.org/author/display/PLINK/OAuth+Bearer+Tokens).
    • Transport
    • Transport • SAML defines Bindings that use HTTP, such as the HTTP Redirect Binding (the message is deflated, base64-encoded and placed in the query string, with any signature carried in separate Signature and SigAlg parameters) and the HTTP POST Binding (the message is base64-encoded into a form field and carries its XML Signature inline). – But there is no restriction on the transport. You can use SOAP, JMS or any other transport to send SAML tokens or messages.
    • Transport • OAuth 2.0 is specified only for HTTP; RFC 6749 puts any other transport out of scope and requires TLS on the authorization and token endpoints. Bearer tokens (RFC 6750) are only as safe as the channel that carries them, so plain HTTP is not an option.
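    The two HTTP bindings named above differ only in how the XML message is packaged for the browser. The following is an added example, not code from the presentation or from PicketLink: it encodes a constructed, unsigned AuthnRequest (placeholder IDs and URLs) for the HTTP Redirect and HTTP POST bindings and decodes it again, capping the inflated size so that a short query string cannot expand into a huge document on the receiving side. Signing is not shown.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

# Constructed sample AuthnRequest for the example; the ID, issuer and
# endpoint URLs are placeholders, not a real deployment's values.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" '
    'IssueInstant="2013-01-01T12:00:00Z" '
    'Destination="https://idp.example.com/saml2/sso" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml2/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

MAX_INFLATED = 1 << 20  # refuse messages that inflate past 1 MiB


def encode_redirect(xml: str, relay_state: str = "") -> str:
    """HTTP Redirect binding: raw DEFLATE, base64, then URL-encode into the query string.

    The message travels in the URL, which is why it is compressed first.
    The encoded value is the part after '?' in the redirect to the IdP.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw DEFLATE (no zlib header)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query: str) -> str:
    """Receiver side of the Redirect binding with an inflation bound.

    Raises ValueError if the parameter is missing, not valid base64, or
    inflates past MAX_INFLATED bytes (a decompression bomb in a URL).
    """
    params = parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_INFLATED)
    if not inflater.eof or inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates past %d bytes; refusing" % MAX_INFLATED)
    return xml.decode("utf-8")


def encode_post(xml: str) -> dict:
    """HTTP POST binding: base64 only, carried in a hidden form field that the
    browser auto-submits to the destination. No compression is applied."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def decode_post(form: dict) -> str:
    """Receiver side of the POST binding."""
    return base64.b64decode(form["SAMLRequest"], validate=True).decode("utf-8")


if __name__ == "__main__":
    query = encode_redirect(AUTHN_REQUEST, relay_state="/app/home")
    print("GET https://idp.example.com/saml2/sso?" + query)
    assert decode_redirect(query) == AUTHN_REQUEST
    assert decode_post(encode_post(AUTHN_REQUEST)) == AUTHN_REQUEST
```

    Decoding alone proves nothing about who sent the message; a real receiver still verifies the signature (over the query string for Redirect, the XML Signature for POST) and checks Destination and IssueInstant before acting on the request.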
    • Scope
    • Scope • Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.
    • Scope • OAuth has been designed for use with applications on the internet, – primarily for delegated authorization of internet resources. • OAuth is designed for Internet Scale.
    • Which Versions Should Be Used?
    • Versions • SAML v2.0 (OASIS standard, March 2005; do not start new deployments on 1.1) • OAuth v2.0 (RFC 6749, October 2012; OAuth 1.0a is signature-based and largely superseded)
    • Use Cases
    • Use Cases • If your use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.
    • Use Cases • If your use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.
    • Use Cases • If your use case involves providing access to a partner or customer application to your portal – then use SAML.
    • Use Cases • If your use case requires a centralized identity source – then use SAML. You can also use an OpenID Provider as a central Identity Provider under the OpenID Connect specification (a draft at the time of this talk; finalized as OpenID Connect Core 1.0 in February 2014).
    • Use Cases • If your use case involves mobile devices – then use OAuth (with some form of bearer tokens). Bearer tokens live on the device, so keep them short-lived, store them in platform-protected storage, and use refresh tokens rather than long-lived access tokens.
    • Using SAML with OAuth
    • SAML With OAuth • Use SAML for authentication: the Service Provider receives a signed assertion from the Identity Provider. • Present the SAML token/assertion as the OAuth bearer token in the HTTP Authorization header (Authorization: Bearer <encoded assertion>) to access protected resources. The resource server must then verify the assertion's XML Signature, Issuer, AudienceRestriction and NotOnOrAfter on every request. The standardized alternative is to exchange the assertion for an access token at the token endpoint with the SAML 2.0 bearer assertion grant (RFC 7522, a draft at the time of this talk), so that the resource server only ever sees OAuth access tokens.
    • Replace SAML with OAuth
    • Replace SAML With OAuth • Use JWT (JSON Web Token) for authentication; OpenID Connect issues its ID token in this format. • Use a JWT as the OAuth bearer token in the HTTP Authorization header to access protected resources (the JWT bearer assertion grant for obtaining such a token is RFC 7523). Because a bearer token grants access to whoever holds it, send it only over TLS, keep it short-lived, and have the resource server verify the signature under a pinned algorithm and check iss, aud and exp before honoring any claim in it.
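    What the resource server has to do with such a token is the part the slides leave implicit, so here is an added example that is not code from the presentation or from PicketLink. It mints a short-lived HS256 JWT as the access token and validates it out of an Authorization header: pinned algorithm (so "alg":"none" and algorithm confusion are rejected), constant-time signature comparison, and issuer, audience and expiry checks. HS256 with a shared key is used only so the example runs with the standard library; an authorization server would normally sign with RS256 or ES256 and publish the public key. The key, issuer and audience values are constructed placeholders. The same iss/aud/exp discipline applies to a SAML assertion presented as a bearer token (Issuer, AudienceRestriction, NotOnOrAfter), with XML Signature verification in place of the HMAC.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for the example, not values from any real deployment.
SHARED_KEY = b"example-hs256-key-replace-me"
ISSUER = "https://as.example.com"
AUDIENCE = "https://api.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject: str, scope: str, key: bytes = SHARED_KEY, ttl: int = 300, now=None) -> str:
    """Authorization-server side: issue a short-lived HS256 JWT as the access token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "scope": scope,
              "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_bearer(authorization_header: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Resource-server side: verify the bearer JWT in an Authorization header.

    Returns the claims on success; raises ValueError on any failure, which the
    caller should turn into 401 with a WWW-Authenticate: Bearer header (RFC 6750).
    """
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("not a bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the token must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this resource server")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def has_scope(claims: dict, needed: str) -> bool:
    """Scope is a space-separated list (RFC 6749 section 3.3)."""
    return needed in claims.get("scope", "").split()


if __name__ == "__main__":
    token = mint_jwt("alice", "photos:read")
    claims = validate_bearer("Bearer " + token)
    print(claims["sub"], has_scope(claims, "photos:read"))
```

    Opaque tokens avoid this client-side parsing entirely: the resource server asks the authorization server whether the token is valid, at the cost of a network round trip per request.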
    • References
    • References • PicketLink: http://www.picketlink.org • IETF OAuth 2.0 (RFC 6749): http://datatracker.ietf.org/doc/rfc6749/ • OpenID Connect Basic Client Profile (draft 22): http://openid.net/specs/openid-connect-basic-1_0-22.html
    • Full Article: http://architects.dzone.com/articles/saml-versus-oauth-which-one
    • Contact Me anil@apache.org