Saml vs Oauth : Which one should I use?


Published on

Published in: Technology
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Saml vs Oauth : Which one should I use?

  1. 1. SAML vs OAuth Anil Saldhana Reference:
  2. 2. Informal Definitions
  3. 3. Informal Definitions • SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve – Single Sign On (SSO), – Federation and – Identity Management.
  4. 4. Informal Definitions • OAuth (Open Authorization) is a standard for authorization of resources. • It does not deal with authentication. – Look for OpenID Connect for Authentication.
  5. 5. Formal Definitions
  6. 6. Formal Definitions • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. • From Wikipedia Page on SAML
  7. 7. Formal Definitions • OAuth : An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. • From
  8. 8. Differences
  9. 9. Token or Message Format
  10. 10. Token Or Message Format • SAML deals with XML as the data construct or token format. • OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens ( OAuth+Bearer+Tokens).
  11. 11. Transport
  12. 12. Transport • SAML has Bindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc. – But there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.
  13. 13. Transport • OAuth uses HTTP exclusively.
  14. 14. Scope
  15. 15. Scope • Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.
  16. 16. Scope • OAuth has been designed for use with applications on the internet, – primarily for delegated authorization of internet resources. • OAuth is designed for Internet Scale.
  17. 17. Which Versions Should Be Used?
  18. 18. Versions • SAML v2.0 • OAuth v2.0
  19. 19. Use Cases
  20. 20. Use Cases • If your use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.
  21. 21. Use Cases • If your use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.
  22. 22. Use Cases • If your use case involves providing access to a partner or customer application to your portal – then use SAML.
  23. 23. Use Cases • If your use case requires a centralized identity source – then use SAML. You can also use an Open ID Provider as a central Identity Provider under the OpenID Connect Specification (under development).
  24. 24. Use Cases • If your use case involves mobile devices – then use OAuth (with some form of bearer tokens).
  25. 25. Using SAML with OAuth
  26. 26. SAML With OAuth • Use SAML for authentication. • Use SAML token/assertion as the OAuth bearer token in the HTTP bearer header to access protected resources.
  27. 27. Replace SAML with OAuth
  28. 28. Replace SAML With OAuth • Use JWT for authentication. • Use JWT as the OAuth bearer token in the HTTP bearer header to access protected resources.
  29. 29. References
  30. 30. References • PicketLink : • IETF OAuth2 ( • OpenID Connect
  31. 31. Full Article saml-versus-oauth-which-one
  32. 32. Contact Me