The document discusses the differences and relationships between SAML, OAuth, and OpenID Connect, highlighting key components like assertions, tokens, and identity providers. It references multiple RFCs that outline the specifications and security protocols related to OAuth 2.0 and JWTs. The content is aimed at providing a comprehensive understanding of authentication and authorization frameworks.

1. SAML v. OAuth v. OpenID Connect
Michael Schwartz
CEO, Gluu

4. SAML OpenID Connect
Assertion (signed XML) id_token (signed JSON)
IDP (Identity Provider) OP (OpenID Provider)
SP (Service Provider) RP (Relying Party) or "Client”
User Attribute User Claim
Artifact Code
XML Canonicalization / Signing JOSE (JSON Object Signing and
Encryption)
IDP Metadata OP Discovery Endpoint
Authentication Context Class Reference acr

13. RFC 6749 The OAuth 2.0 Authorization Framework
RFC 6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage
RFC 6755 An IETF URN Sub-Namespace for OAuth
RFC 6819 OAuth 2.0 Threat Model and Security Considerations Errata
RFC 7009 OAuth 2.0 Token Revocation
RFC 7519 JSON Web Token (JWT)
RFC 7521
Assertion Framework for OAuth 2.0 Client Authentication and Authorization
Grants
RFC 7522 SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7523
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
Authorization Grants
RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol
RFC 7592 OAuth 2.0 Dynamic Client Registration Management Protocol
RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
RFC 7662 OAuth 2.0 Token Introspection Errata
RFC 7800 Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)