Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Saml vs Oauth : Which one should I use?

20,432 views

Published on

Published in: Technology

Saml vs Oauth : Which one should I use?

  1. 1. SAML vs OAuth Anil Saldhana anil@apache.org http://anil-identity.blogspot.com Reference: http://architects.dzone.com/articles/saml-versus-oauthwhich-one
  2. 2. Informal Definitions
  3. 3. Informal Definitions • SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve – Single Sign On (SSO), – Federation and – Identity Management.
  4. 4. Informal Definitions • OAuth (Open Authorization) is a standard for authorization of resources. • It does not deal with authentication. – Look for OpenID Connect for Authentication.
  5. 5. Formal Definitions
  6. 6. Formal Definitions • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. • From Wikipedia Page on SAML
  7. 7. Formal Definitions • OAuth : An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. • From OAuth.net
  8. 8. Differences
  9. 9. Token or Message Format
  10. 10. Token Or Message Format • SAML deals with XML as the data construct or token format. • OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens (https://docs.jboss.org/author/display/PLINK/ OAuth+Bearer+Tokens).
  11. 11. Transport
  12. 12. Transport • SAML has Bindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc. – But there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.
  13. 13. Transport • OAuth uses HTTP exclusively.
  14. 14. Scope
  15. 15. Scope • Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.
  16. 16. Scope • OAuth has been designed for use with applications on the internet, – primarily for delegated authorization of internet resources. • OAuth is designed for Internet Scale.
  17. 17. Which Versions Should Be Used?
  18. 18. Versions • SAML v2.0 • OAuth v2.0
  19. 19. Use Cases
  20. 20. Use Cases • If your use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.
  21. 21. Use Cases • If your use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.
  22. 22. Use Cases • If your use case involves providing access to a partner or customer application to your portal – then use SAML.
  23. 23. Use Cases • If your use case requires a centralized identity source – then use SAML. You can also use an Open ID Provider as a central Identity Provider under the OpenID Connect Specification (under development).
  24. 24. Use Cases • If your use case involves mobile devices – then use OAuth (with some form of bearer tokens).
  25. 25. Using SAML with OAuth
  26. 26. SAML With OAuth • Use SAML for authentication. • Use SAML token/assertion as the OAuth bearer token in the HTTP bearer header to access protected resources.
  27. 27. Replace SAML with OAuth
  28. 28. Replace SAML With OAuth • Use JWT for authentication. • Use JWT as the OAuth bearer token in the HTTP bearer header to access protected resources.
  29. 29. References
  30. 30. References • PicketLink : http://www.picketlink.org • IETF OAuth2 (http://datatracker.ietf.org/doc/rfc6749/) • OpenID Connect http://openid.net/specs/openid-connectbasic-1_0-22.html
  31. 31. Full Article http://architects.dzone.com/articles/ saml-versus-oauth-which-one
  32. 32. Contact Me anil@apache.org

×