SAML vs OAuth: Which one should I use?
Published in: Technology

  • 1. SAML vs OAuth Anil Saldhana Reference:
  • 2. Informal Definitions
  • 3. Informal Definitions
    • SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve
      – Single Sign-On (SSO),
      – Federation and
      – Identity Management.
  • 4. Informal Definitions
    • OAuth (Open Authorization) is a standard for authorization of access to resources.
    • It does not deal with authentication.
      – Look to OpenID Connect for authentication.
  • 5. Formal Definitions
  • 6. Formal Definitions
    • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
    • From the Wikipedia page on SAML.
  • 7. Formal Definitions
    • OAuth: an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
    • From
  • 8. Differences
  • 9. Token or Message Format
  • 10. Token or Message Format
    • SAML deals with XML as the data construct or token format.
    • OAuth does not fix a token format: OAuth tokens can be binary, JSON or SAML, as explained in OAuth Bearer Tokens (OAuth+Bearer+Tokens).
  • 11. Transport
  • 12. Transport
    • SAML has bindings that use HTTP, such as the HTTP POST binding, the HTTP Redirect binding etc.
      – But there is no restriction on the transport. You can use SOAP or JMS or any other transport to send SAML tokens or messages.
  • 13. Transport
    • OAuth uses HTTP exclusively.
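The two HTTP bindings named on slide 12 differ only in how the XML message is packaged for the browser: the POST binding base64-encodes it into a form field, while the Redirect binding first DEFLATE-compresses it, then base64-encodes and URL-encodes it into the query string. The following is an added example (not code from the slides or from PicketLink) that performs both encodings and their receiver-side decodings; the AuthnRequest, its ID and the example.test URLs are constructed placeholders, and the 64 KiB inflation limit is a value chosen for this example, not one taken from the SAML specification. The decoder bounds inflation because the Redirect binding lets a very small query string expand into a very large document at the receiving endpoint.

```python
import base64
import urllib.parse
import zlib

# Constructed sample message: a minimal, unsigned SAML 2.0 AuthnRequest with
# placeholder identifiers and URLs (not taken from the slides).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Upper bound on the inflated size accepted by the Redirect-binding decoder:
# a limit chosen for this example, not a value from the SAML specification.
MAX_INFLATED_BYTES = 64 * 1024


def encode_post_binding(xml: str) -> dict:
    """HTTP-POST binding: the message is base64-encoded into a hidden form
    field (SAMLRequest or SAMLResponse) that the browser auto-submits."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def decode_post_binding(form: dict) -> str:
    """Receiver side of the POST binding; strict base64 rejects junk characters."""
    return base64.b64decode(form["SAMLRequest"], validate=True).decode("utf-8")


def encode_redirect_binding(xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then
    base64, then URL-encoding into the query string of the redirect Location."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query: str, max_size: int = MAX_INFLATED_BYTES) -> str:
    """Receiver side of the Redirect binding. Inflation is bounded so that a
    tiny query string cannot expand into an arbitrarily large XML document."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, max_size)
    if not inflater.eof:  # input was truncated, or output hit max_size early
        raise ValueError("SAMLRequest is truncated or inflates beyond the size limit")
    return xml.decode("utf-8")


def oversized_message(n_bytes: int) -> str:
    """Helper for exercising the size guard: a highly compressible message."""
    return "<x>" + "A" * n_bytes + "</x>"


if __name__ == "__main__":
    query = encode_redirect_binding(SAMPLE_AUTHN_REQUEST, "state-1")
    print("Redirect query string:", query)
    print("Round trip ok:", decode_redirect_binding(query) == SAMPLE_AUTHN_REQUEST)
```

Real deployments also carry a `SigAlg`/`Signature` pair in the Redirect query string, or an XML Signature inside the POSTed message; the example leaves signing out and only shows the packaging that the two bindings prescribe.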
  • 14. Scope
  • 15. Scope
    • Even though SAML was designed to be generally applicable, it is typically used in enterprise SSO scenarios:
      – within an enterprise,
      – enterprise to partner, or
      – enterprise to cloud.
  • 16. Scope
    • OAuth has been designed for use with applications on the internet,
      – primarily for delegated authorization of internet resources.
    • OAuth is designed for internet scale.
  • 17. Which Versions Should Be Used?
  • 18. Versions
    • SAML v2.0
    • OAuth v2.0
  • 19. Use Cases
  • 20. Use Cases
    • If your use case involves SSO (when at least one actor or partner is an enterprise)
      – then use SAML.
  • 21. Use Cases
    • If your use case involves providing access (temporary or permanent) to resources (such as accounts, pictures, files etc.)
      – then use OAuth.
  • 22. Use Cases
    • If your use case involves giving a partner or customer application access to your portal
      – then use SAML.
  • 23. Use Cases
    • If your use case requires a centralized identity source
      – then use SAML. You can also use an OpenID Provider as a central identity provider under the OpenID Connect specification (under development).
  • 24. Use Cases
    • If your use case involves mobile devices
      – then use OAuth (with some form of bearer tokens).
  • 25. Using SAML with OAuth
  • 26. SAML With OAuth
    • Use SAML for authentication.
    • Use the SAML token/assertion as the OAuth bearer token in the HTTP Authorization header (Bearer scheme) to access protected resources.
  • 27. Replace SAML with OAuth
  • 28. Replace SAML With OAuth
    • Use JWT for authentication.
    • Use the JWT as the OAuth bearer token in the HTTP Authorization header (Bearer scheme) to access protected resources.
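Slides 26 and 28 describe the same resource-server mechanism with two token formats: whatever arrives in the `Authorization: Bearer` header is validated and mapped to a principal. The following added example (not code from the slides or from PicketLink) is a resource-server check that accepts either a base64-encoded SAML assertion (slide 26) or an HS256 JWT (slide 28) as the bearer token, and enforces the checks that matter in both cases: a pinned signing algorithm and a valid MAC for the JWT, and the `Conditions` element (validity window and audience restriction) for the assertion. Everything here is an assumption made for the example: the shared HMAC secret, the plain-base64 packaging of the assertion, the placeholder issuer, subject and audiences, and the sample assertion itself, which is unsigned, so XML Signature verification (which a real deployment must do, with a SAML library) is deliberately out of scope.

```python
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (placeholder issuer, subject and audience). It
# is unsigned: XML Signature checking is assumed to happen before this code.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-assertion-1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2014-01-01T00:00:00Z" NotOnOrAfter="2014-01-01T00:10:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://api.example.test</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
)


def iso_to_epoch(s: str) -> float:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT, as an OAuth authorization server would (assumed shared secret)."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, audience: str, now: float):
    """Claims if algorithm, signature, audience and expiry all check out, else None."""
    try:
        h, b, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin alg; never accept "none"
            return None
        expected = hmac.new(secret, f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(b))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def verify_saml_assertion(xml: str, audience: str, now: float):
    """Enforce the assertion's Conditions (validity window, audience). Signature
    verification and a hardened XML parser are assumed to sit in front of this."""
    try:
        root = ET.fromstring(xml)
        if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
            return None
        cond = root.find("saml:Conditions", SAML_NS)
        if cond is None or iso_to_epoch(cond.get("NotOnOrAfter", "")) <= now:
            return None
        not_before = cond.get("NotBefore")
        if not_before and iso_to_epoch(not_before) > now:
            return None
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if audience not in audiences:
            return None
        name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
        return {"sub": name_id.text if name_id is not None else None}
    except (ET.ParseError, ValueError):  # malformed XML or unparsable timestamps
        return None


def saml_bearer_token(xml: str) -> str:
    """Package an assertion as a bearer token: plain base64 (assumed; fits RFC 6750's b64token)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def authorize_request(headers: dict, secret: bytes, audience: str, now: float = None):
    """Resource-server check of the Authorization header: principal claims on
    success, None on any failure (the caller then answers 401)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    if token.count(".") == 2:  # header.payload.signature: treat as a JWT (slide 28)
        return verify_jwt(token, secret, audience, now)
    try:  # anything else: a base64-encoded SAML assertion (slide 26)
        xml = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:
        return None
    return verify_saml_assertion(xml, audience, now)
```

Both branches return None on every failure path rather than raising, so the caller's only decision is "401 or proceed"; the distinction between an expired token, a wrong audience and a bad signature belongs in a log line, not in the response body.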
  • 29. References
  • 30. References
    • PicketLink:
    • IETF OAuth2 (
    • OpenID Connect
  • 31. Full Article saml-versus-oauth-which-one
  • 32. Contact Me