Saml vs Oauth : Which one should I use?
Published in: Technology

Transcript

  • 1. SAML vs OAuth
    Anil Saldhana, anil@apache.org, http://anil-identity.blogspot.com
    Reference: http://architects.dzone.com/articles/saml-versus-oauth-which-one
  • 2. Informal Definitions
  • 3. Informal Definitions
    • SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve
      – Single Sign-On (SSO),
      – Federation and
      – Identity Management.
  • 4. Informal Definitions
    • OAuth (Open Authorization) is a standard for authorization of resources.
    • It does not deal with authentication.
      – Look to OpenID Connect for authentication.
  • 5. Formal Definitions
  • 6. Formal Definitions
    • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
    • From the Wikipedia page on SAML
  • 7. Formal Definitions
    • OAuth: an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
    • From OAuth.net
  • 8. Differences
  • 9. Token or Message Format
  • 10. Token or Message Format
    • SAML uses XML as its data construct and token format.
    • OAuth tokens can be binary, JSON or SAML, as explained in OAuth Bearer Tokens (https://docs.jboss.org/author/display/PLINK/OAuth+Bearer+Tokens).
  • 11. Transport
  • 12. Transport
    • SAML has bindings that use HTTP, such as the HTTP POST Binding and the HTTP Redirect Binding.
      – But there is no restriction on the transport: you can use SOAP, JMS or any transport you want to send SAML tokens or messages.
  • 13. Transport
    • OAuth uses HTTP exclusively.
  • 14. Scope
  • 15. Scope
    • Even though SAML was designed to be openly applicable, it is typically used in enterprise SSO scenarios:
      – within an enterprise,
      – enterprise to partner, or
      – enterprise to cloud.
  • 16. Scope
    • OAuth has been designed for use with applications on the internet,
      – primarily for delegated authorization of internet resources.
    • OAuth is designed for internet scale.
  • 17. Which Versions Should Be Used?
  • 18. Versions
    • SAML v2.0
    • OAuth v2.0
  • 19. Use Cases
  • 20. Use Cases
    • If your use case involves SSO (when at least one actor or partner is an enterprise),
      – then use SAML.
  • 21. Use Cases
    • If your use case involves providing access (temporarily or permanently) to resources (such as accounts, pictures, files etc.),
      – then use OAuth.
  • 22. Use Cases
    • If your use case involves providing a partner or customer application with access to your portal,
      – then use SAML.
  • 23. Use Cases
    • If your use case requires a centralized identity source,
      – then use SAML. You can also use an OpenID Provider as a central Identity Provider under the OpenID Connect specification (under development).
  • 24. Use Cases
    • If your use case involves mobile devices,
      – then use OAuth (with some form of bearer tokens).
  • 25. Using SAML with OAuth
  • 26. SAML With OAuth
    • Use SAML for authentication.
    • Use the SAML token/assertion as the OAuth bearer token in the HTTP bearer header to access protected resources.
  • 27. Replace SAML with OAuth
  • 28. Replace SAML With OAuth
    • Use JWT for authentication.
    • Use the JWT as the OAuth bearer token in the HTTP bearer header to access protected resources.
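Slides 26 and 28 both end with the token sitting in the HTTP bearer header; this added Python example (not from the slides, and not PicketLink code) shows what a resource server must do with that header before granting access to a protected resource: extract the bearer token, pin the signature algorithm, check the HMAC in constant time, and reject expired or wrong-audience tokens. It assumes an HS256-signed JWT, a constructed shared demo key, and a caller-supplied clock; the names mint_jwt, extract_bearer, verify_jwt and authorize_request are hypothetical.

```python
import base64, hashlib, hmac, json
# Constructed demo key shared by issuer and resource server; a real authorization
# server keeps its signing key in a key store (or uses an asymmetric algorithm).
SECRET = b"constructed-demo-hmac-key"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issuer side: HS256-signed compact JWT (header.payload.signature)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def extract_bearer(authorization: str):
    """RFC 6750 form 'Authorization: Bearer <token>'; the scheme is case-insensitive."""
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()

def verify_jwt(token: str, key: bytes, audience: str, now: float):
    """Resource-server side: return the claims if the token is acceptable, else None."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        return None  # malformed, or not the pinned algorithm: the token's own "alg" is untrusted
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time signature check
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:  # missing or expired
        return None
    if claims.get("aud") != audience:  # minted for a different resource server
        return None
    return claims

def authorize_request(headers: dict, audience: str, now: float):
    """Pull the bearer token from the request headers and validate it."""
    token = extract_bearer(headers.get("Authorization", ""))
    return verify_jwt(token, SECRET, audience, now) if token else None
```

A SAML assertion used as the bearer token (slide 26) goes through the same header extraction; only the verification step changes to XML signature validation against the identity provider's certificate.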
  • 29. References
  • 30. References
    • PicketLink: http://www.picketlink.org
    • IETF OAuth 2.0 (RFC 6749): http://datatracker.ietf.org/doc/rfc6749/
    • OpenID Connect: http://openid.net/specs/openid-connect-basic-1_0-22.html
  • 31. Full Article
    http://architects.dzone.com/articles/saml-versus-oauth-which-one
  • 32. Contact Me
    anil@apache.org