SAML, OAuth 2.0, and OpenID Connect are the three most common authentication protocols. SAML provides authentication and authorization assertions while OAuth 2.0 focuses on authorization. OpenID Connect builds on OAuth 2.0 by adding authentication features and using claims to provide user information. It has a lower implementation barrier than SAML and is well-suited for mobile and API use cases. The document compares the protocols and their applications, security considerations, and history of adoption.
OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Curity, will cram in as much about these two protocols as will fit into 20 minutes.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Curity, will cram in as much about these two protocols as will fit into 20 minutes.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
How to integrate the complex use cases in the hyper-connected world with millions of devices and services.
Bhavna Bhatnagar (VigourSoft Technical Advisor and Industry expert) talks about SAML, OAuth, OpenID and what you need to make your place in the complex scenario this presents
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
OpenID for Verifiable Credentials is a family of protocols supporting implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonyms authentication.
What is JWT?
When should you use JSON Web Tokens?
WHAT IS THE JSON WEB TOKEN STRUCTURE?
JWT Process
PROS AND CONS
JWT.IO
Using JSON Web Tokens as API Keys
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Keycloak for Science Gateways - SGCI Technology Sampler Webinarmarcuschristie
Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway
Presentation to accompany blog post: https://sciencegateways.org/-/eds-tech-blog-using-keycloak-to-provide-authentication-authorization-and-identity-management-services-for-your-gateway
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
In this document we review the security and performance of the OpenID Connect 1.0 protocol. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
How to integrate the complex use cases in the hyper-connected world with millions of devices and services.
Bhavna Bhatnagar (VigourSoft Technical Advisor and Industry expert) talks about SAML, OAuth, OpenID and what you need to make your place in the complex scenario this presents
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
OpenID for Verifiable Credentials is a family of protocols supporting implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonyms authentication.
What is JWT?
When should you use JSON Web Tokens?
WHAT IS THE JSON WEB TOKEN STRUCTURE?
JWT Process
PROS AND CONS
JWT.IO
Using JSON Web Tokens as API Keys
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Keycloak for Science Gateways - SGCI Technology Sampler Webinarmarcuschristie
Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway
Presentation to accompany blog post: https://sciencegateways.org/-/eds-tech-blog-using-keycloak-to-provide-authentication-authorization-and-identity-management-services-for-your-gateway
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
In this document we review the security and performance of the OpenID Connect 1.0 protocol. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
APIs are now the standard entry point to the majority of newly created ‘back-end’ functionality. These APIs exist to provide not only a standardized, structured way to access the required features or functions, but also to act as ‘gatekeepers’, ensuring appropriate security, auditing, accounting etc. Security is always underpinned by identity and as such, APIs need to know if not who is accessing them, what is the context in which they are being accessed.
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in ?
4. How to do stateless Authorization using OAUTH2 & JWT ?
5. Some Sample Code ? How easy is it to implement ?
Profesia, Lynx Group, presenta la quinta puntata della serie di master class sulla tecnologia WSO2 di cui è Distributore esclusivo per l'Italia.
Il webinar, con la partecipazione straordinaria di WSO2, descrive come implementare nei client l'autorizzazione OAUTH2.
Scrivi a contact@profesia.it se stai pensando a una trasformazione digitale per evolvere verso un business agile
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1.Intro -Auth-Authentication & Authorization & SSO
2.OAuth2 in Depth
3.Where does JWT fit in ?
4.How to do stateless Authorization using OAUTH2 & JWT ?
5.Some Sample Code ? How easy is it to implement ?
Flaws in Oauth 2.0 Can Oauth be used as a Security Serverijtsrd
OAuth 2.0 is the business standard convention for approval. OAuth 2.0 spotlights on customer engineer straightforwardness while giving explicit approval streams to web applications, work area applications, cell phones, and lounge room gadgets. The scientists analyzed 600 top U.S. also, ChAndroid versatile applications that utilization OAuth 2.0 APIs from Facebook, Google and Sina"”which works Weibo in China"”and backing SSO for outsider applications. The scientists found that 41.2 percent of the applications they tried were defenseless against their attackinese. Pooja Krushna Paste | Pratik Ramakant Vaidya "Flaws in Oauth 2.0: Can Oauth be used as a Security Server" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-4 , June 2020, URL: https://www.ijtsrd.com/papers/ijtsrd31319.pdf Paper Url :https://www.ijtsrd.com/computer-science/other/31319/flaws-in-oauth-20-can-oauth-be-used-as-a-security-server/pooja-krushna-paste
Microsoft Graph API Delegated PermissionsStefan Weber
Slidedeck presented during a webinar i held on13th December 2023 about how to consume Microsoft Graph API using user level permissions.
Webinar Recording https://youtu.be/2cSsg5ws1H4
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356IOSR Journals
Abstract: Web services are application based programming interfaces (API) or web APIs that are accessed
through Hypertext Transfer Protocol (HTTP) to execute on a remote system hosting the requested services. A
RESTFUL web service is a budding technology, and a light weight approach that do not restrict the clientserver
communication. The open authorization (OAuth) 2.0 protocol enables the users to grant third-party
application access to their web resources without sharing their login credential data. The Authorization Server
includes authorization information with the Access Token and signs the Access Token. An access token can be
reused until it expires. An authentication filter is used for business services. This paper presents a secure
communication at the message level with minimum overhead and provides a fine grained authenticity using the
Jersey framework.
Keywords: Open authorization (oauth), Restful web services, HTTP protocols and uniform resource
identifier(URI).
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
Learn about the basics of OAuth 2.0 and the different OAuth flows in this introductory video. Understand how OAuth works and the various authorization mechanisms involved.
An introduction to OAuth 2.0 from a Salesforce perspective to establish the foundations of OAuth 2.0. Discusses the key concepts of Authentication and Authorization and distinguishes the two. Also discusses Open ID connect.
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
In this document we survey some of Single-Sign-On web authentication protocols and compare their security and performance. In this survey we concentrate on OAuth 2.0 Authorization Framework, OpenID Connect 1.0, Central Authentication Service (CAS) 3.0 and Security Assertion Markup Language (SAML) 2.0 protocols.
Slides from SpringOne 2012 (http://www.springone2gx.com/conference/speaker/dave_syer).
One of the questions we get asked the most by developers and architects is: when and why would I use OAuth2? The answer, as often with such questions, is “it depends”, but there are some features of OAuth2 that make it compelling in some situations, especially in systems composed of many lightweight web services, which becoming a very common architectural pattern.
This presentation will not go into a lot of detail about the OAuth2 protocol and related specifications, but will attempt to show some of the key features of a system secured with OAuth2 and the decision points when choosing to build such a system.
Similar to SAML VS OAuth 2.0 VS OpenID Connect (20)
Using externally verified strong identities can reduce the risk of fraud and improve the customer experience in registering and engaging with your services.
Streamline customer registration, login and engagement with your applications and services by supporting bring-your-own social and business network identity credentials.
Customer IAM vs Employee IAM (Legacy IAM)Ubisecure
Internal or enterprise IAM solutions are driven by the HR systems and concentrate on provisioning. Customer IAM solutions provide flexibility and features that facilitate the management of external users. CIAM is a tool to increase capture & conversion, reduce cost, improve the customer experience and journey.
An Introduction to Authentication for ApplicationsUbisecure
This whitepaper is an ideal introduction on authentication categories and their suitability to different requirements. Recommended reading to anyone who wants to get more familiar with online authentication.
Mobile Connect, an initiative by GSMA, has the potential to change online authentication and how we consume online services, on a global basis. This presentation will explain what Mobile Connect is, how it can benefit your organisation and the end users.
General Data Protection Regulation & Customer IAMUbisecure
The “General Data Protection & Customer IAM” white paper outlines the legal premise of the GDPR, and then delves into the specific parts where Customer Identity and Access Management solutions can help your organisation.
Telia - The New Norm of the Digital WorldUbisecure
Telia presentation slides from Ubisecure's IAMwithUBI Nordic IAM event May 2018. How Telia is helping make internationally federated identities the new norm, and how Telia’s ID service (an authentication provider brokering service) replaces the need for Service Providers to manage a dozen separate authentication provider contracts and integrations with one single brokering platform.
SSH presentation slides from Ubisecure's IAMwithUBI Nordic IAM event May 2018. How cloud characteristics and the rules of the game have changed for cloud services. Monolith Architecture to Microservices Architecture. Production Updates go from 2/year to 100/day. Roles change from 2 to 10s.
Spellpoint - Securing Access for MicroservicesUbisecure
Spellpoint presentation slides from Ubisecure's IAMwithUBI Nordic IAM event May 2018. How Customer IAM (CIAM) principles and technology can be applied to identities for microservices to provide authentication and authorization of APIs.
Open Identity Exchange - the Global Growth of Digital IdentityUbisecure
Keynote presentation slides from Ubisecure's IAMwithUBI Nordic IAM event May 2018. The Global Growth of Digital Identity - cases studies on Digital Identity in the UK, Open Banking and The Passenger Journey.
Keynote presentation slides from Ubisecure's IAMwithUBI Nordic IAM event May 2018. Digital Identity in the style of an age-old wedding rhyme, how digital identity in 2018 can be explained through something old (Facebook), something new (GDPR, AI, Blockchain Identity), something borrowed (Consent Receipts), something blue (Ubisecure!).
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...Ubisecure
eIDAS - Mobile Connect Pilot: How To Combine Cross-border eID Recognition With Convenience For Users And Online Services. GSMA presentation slides from Ubisecure's IAMwithUBI Nordic IAM event May 2018
FICORA - Building a Trust Network on Strong IdentificationUbisecure
Building a Trust Network on Strong Identification - Finnish Communications Regulatory Authority (FICORA) presentation slides from Ubisecure's IAMwithUBI Nordic IAM event May 2018
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
SAML VS OAuth 2.0 VS OpenID Connect
1. SAML VS OAUTH 2.0
VS OPENID CONNECT
UNDERSTANDING THE DIFFERENCES BETWEEN THE
THREE MOST COMMON AUTHORISATION PROTOCOLS
WHITE PAPER
Connecting Identity.
Transforming Digital Business.
2. UBISECURE WHITE PAPER
2 info@ubisecure.com
www.ubisecure.com
INTRODUCTION
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our
popular blog post at https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/
we compared the two most common authorisation protocols - SAML2 and OAuth 2.0. This white paper
extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the
now obsolete OpenID 2.0 protocol.
HISTORY
Firstly, it is useful to understand the order of emergence of the various protocols. It helps follow the
evolution that gave rise to OpenID Connect.
ACRONYMS & TERMINOLOGY
WEB SINGLE SIGN-ON
Party Term in SAML Term in OAuth Term in OpenID
Web browser
that an end user
uses to access a
web application
User agent User agent User agent
Server that owns
the user
identities and
credentials
Identity Provider
(IDP, IdP)
Authorisation Server
(AS)
OpenID Provider (OP)
Web application
that requires
permission to
proceed or
access a resource
Service Provider
(SP)
Client Relying Party (RP) or
Client
Server that hosts
the resource
being accessed
Service Provider
(SP)
Resource Server Resource Server
3. UBISECURE WHITE PAPER
3 info@ubisecure.com
www.ubisecure.com
APPLICATIONS AND PROTECTED APIS
Party Term in OAuth
Server that owns the user
identities and credentials
Authorisation Server (AS)
Application that wants to
access a protected API
Client
Protected API Resource Server (RS)
ACRONYMS
SAML Security Assertion Markup Language
OAuth Open Authentication
OP OpenID Provider
SP Service Provider
RP Relying Party
AS Authorisation Server
HTTP Hypertext Transfer Protocol
OIDC OpenID Connect
SSO Single Sign On
CIAM Customer Identity and Access Management
XML Extensible Markup Language
API Application Program Interface
AUTHORISATION PROTOCOLS
OPENID 2.0
OpenID was the first mainstream standard for authentication, it is however now obsolete following the
approval of OpenID Connect. OpenID 2.0 was widely used and supported by most large internet
companies.
OpenID provided user authentication and with extensions in 2007, user attributes.
Today when ‘OpenID’ is being talked about, it will almost always refer to OpenID Connect 1.0
OAUTH 2.0
The basic sequential flow occurs as follows:
4. UBISECURE WHITE PAPER
4 info@ubisecure.com
www.ubisecure.com
The flow illustrated includes the following steps:
1. The client initiates the flow by directing the resource owner's user agent to the authorization
endpoint. The client includes its client identifier, requested scope, local state, and a redirection
URI to which the authorization server will send the user-agent back once access is granted (or
denied).
2. The authorization server authenticates the resource owner (via the user-agent) and establishes
whether the resource owner grants or denies the client's access request.
3. Assuming the resource owner grants access, the authorization server redirects the user-agent back
to the client using the redirection URI provided earlier (in the request or during client registration).
The redirection URI includes an authorization code and any local state provided by the client
earlier.
4. The client requests an access token from the authorization server's token endpoint by including
the authorization code received in the previous step. When making the request, the client
authenticates with the authorization server. The client includes the redirection URI used to obtain
the authorization code for verification.
5. The authorization server authenticates the client, validates the authorization code, and ensures
that the redirection URI received matches the URI used to redirect the client in step (C). If valid,
the authorization server responds back with an access token and, optionally, a refresh token.
Authentication is all about the user in the context of the application, and a network authentication
protocol like OpenID is able to do this across networks and security boundaries. An authentication
protocols tells an application who the current user is and whether or not the user is present. In
addition, the protocol will often return additional attributes, e.g. an e-mail address.
5. UBISECURE WHITE PAPER
5 info@ubisecure.com
www.ubisecure.com
However, OAuth 2.0 tells the application none of those things. OAuth 2.0 tells absolutely nothing about
the user's identity, nor does it expose how the end user proved their presence or even if the user is still
present or not. An OAuth 2.0 client asked for a token, received a token, and used that token to access
some resource – for example an API.
This delegated access, accessing a resource on the behalf of a user who may not even be present, is
one of the great points of OAuth 2.0 and great for client authorisation. At the same time, it is very
limited for authentication, where the whole point is figuring who the user is, how the user's identity
was authenticated and whether the user is present or not.
The authorisation code grant type is used to obtain both access tokens and refresh tokens and is
optimised for confidential clients. Since this is a redirection based flow, the client must be capable of
interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving
incoming requests (via redirection) from the authorisation server.
Note: the lines illustrating steps 1, 2, and 3 are broken into two parts as they pass through the user-
agent.
SAML 2.0
We have seen that OpenID 2.0 provides authentication information, OAuth2 provides authorisation
information. SAML2 provides all of this in the form of assertions (be they authentication assertions,
attribute assertions or authorisation assertions).
The SAML2 basic flow is below for completeness:
6. UBISECURE WHITE PAPER
6 info@ubisecure.com
www.ubisecure.com
1. The Client attempts to access a secured resource via the User Agent, without a security context.
2. The Service Provider obtains the location of an endpoint at an identity provider for the
authentication request protocol. The means by which this is accomplished is implementation
dependent.
3. The Service Provider issues an <AuthnRequest> message to be delivered by the user agent to the
Identity Provider.
4. The Identity Provider authenticates the Client using some (undefined) method.
5. The Identity Provider issues a <Response> message to be delivered by the User Agent to the
Service Provider. The message may indicate an error, or will include (at least) an authentication
assertion.
6. Having received the response from the Identity Provider, the Service Provider can respond to the
Client's User Agent with its own error, or can establish its own security context for the Clienty and
return the requested resource.
This flow is HTTP POST heavy rending it only really useful for interactive web sessions.
7. UBISECURE WHITE PAPER
7 info@ubisecure.com
www.ubisecure.com
OAUTH 2.0 EXTENSIBILITY
Before jumping to OpenID Connect it is useful to understand a little about OAuth2 extensibility. As part
of the specification work on OAuth2, the definition was created with extensibility in mind. This
extensibility allows new protocols to be defined on top of the ‘basic’ OAuth2 protocol.
A number of extension protocols have been defined (for example UMA) and a number more are in
draft stages.
Of specific note here is OpenID Connect, a protocol build on top of OAuth2 to provide: “authentication
built on top of OAuth 2.0 and the use of claims to communicate information about the End-User”1
OPENID CONNECT 1.0
OpenID Connect or OIDC in short, layers on top of OAuth 2.0 to provide authentication information as
well as authorisation information through the use of Claims.
Being based on OAuth2.0 OpenID Connect flow is very similar to OAuth 2.0, as seen below, the major
difference is the addition of the ID Token.
1 http://openid.net/developers/specs/
8. UBISECURE WHITE PAPER
8 info@ubisecure.com
www.ubisecure.com
1. The client prepares an Authentication Request containing the desired request parameters.
2. The client sends the request to the Authorization Server.
3. The Authorization Server authenticates the end user.
4. The Authorization Server obtains user consent/authorization.
5. The Authorization Server sends the user back to the client with an access token and, if requested,
an ID token.
6. The client requests a response using the Authorisation Code at the Token endpoint.
7. The client receives a response that contains an ID Token and Access Token in the response body.
8. The client validates the ID token and retrieves the subject identifier of the user.
The OpenID Connect standard introduces additional parameters to the request and introduces the
concepts of Claims and the ID Token.
9. UBISECURE WHITE PAPER
9 info@ubisecure.com
www.ubisecure.com
Feature Details
Additional parameters When the Client makes a request to the IdP it can pass
additional parameters to the IdP, for example language for the
authentication UI, and required authentication level
Claims Claims are ‘name-value’ pairs that provide attribute data about
the user that has been authenticated. The OpenID Connect
standard defines a number of standard Claims, for example:
given_name, family_name, picture, email. In addition to the
standard Claims, ‘additional claims’ can be defined.
ID Token The ID Token is built by the IdP and returned to the Relying
Party as the final part of the basic authentication. This token
contains a number of authentication related claims and may
contain additional user related claims. The token itself is in the
form of a signed JSON Web Token (JWT), and may, optionally,
be encrypted. An access token is also returned that can be used
by the Client to make further requests to the IdP or a Resource
Server.
Again, being based on OAuth 2.0 OpenID Connect is ‘API friendly’ and can be used by web applications,
desktop applications, mobile applications and devices.
SECURITY CONSIDERATIONS
SAML
For SAML the most common and widely used protocol for securing message exchange between an IdP
and service provider is sending signed SAML Assertion to the Service Provider using HTTP POST
protocol. SAML uses XML Signature and XML Encryption for end-to-end message integrity and
encryption.
Key exchange in SAML happens either out of band or dynamically with SAML Metadata.
See SAML V2.0 Implementation Profile for Federation Interoperability for a recent requirement
specification for an interoperable and secure SAML implementation.
10. UBISECURE WHITE PAPER
10 info@ubisecure.com
www.ubisecure.com
OAUTH 2.0 AND OPENID CONNECT 1.0
OIDC defines different profiles for securing message exchange between an IdP and a Relying Party.
The simplest model completely relies on security of DNS and TLS for integrity. The benefit is very low
barrier of entry into integrating an application with an OIDC IdP where the application designer only
needs capability of invoking a RESTful API of the OIDC IdP, no processing of digital signatures or other
cryptography is necessary.
By implementing signed and encrypted JWTs the security of an OIDC implementation is increased to
the level of SAML with end-to-end message integrity and encryption.
By using modern technologies such as Token Binding security increases even beyond what is possible
with standards based interoperable SAML.
When signed and encrypted JWTs are used, key exchange in OIDC happens either out of band or
dynamically with OIDC Metadata.
Dynamic Client Registration Protocol enables a very dynamic and completely automated management
of Client identities at an OIDC IdP, very well suited for IoT and Mobile Application use cases.
See OAuth 2.0 Threat Model and Security Considerations and OAuth 2.0 Security Best Current Practice
for recent instructions and best practices into creating secure OAuth and OIDC integrations.
COMPARING THE PROTOCOLS
Firstly, OAuth 2.0 has a different purpose to both SAML 2.0 and OpenID Connect 1.0, OAuth is, at the
base level, an authorisation protocol, whereas SAML and OpenID Connect are
authentication/authorisation protocols.
For access control, OAuth 2.0 provides a great solution.
SAML and OpenID Connect both provide authentication as well as authorisation. SAML is definitely the
more complex to implement. OpenID Connect, being based on OAuth has a very low barrier to entry
and can be scaled once working (both security and feature wise).
If you are looking to join large existing federations that SAML will have the edge, its age means many of
the existing federations are SAML based (for example most university federations). Of course it is
possible to translate between protocols, doing this manually is a significant amount of work, but using
the Ubisecure Identity Server in an IdP Proxy role this is just a configuration option, so it is possible to
have a simple implementation of OpenID Connect working with an existing SAML federation.
SAML is effectively constrained to browser operation, so for application or device usage OpenID
Connect will be the protocol of choice.
11. UBISECURE WHITE PAPER
11 info@ubisecure.com
www.ubisecure.com
When it comes to security, OAuth, and hence OpenID Connect, provides a flexible model which can
scale. SAML benefits from being within the browser having a relatively fixed security model, but is also
only as secure as the browser. OAuth is dependent upon the TLS stack and when incorporated in an
application is only as good as the stack in the application. If the app is using the OS implementation
then it will be parallel to the browser, however, device implementation will need to take care over
stack selection and configuration.
CONCLUSIONS
The emergence and rapid growth of OpenID Connect is a physical manifestation of the ongoing mobile
transformation. As identity and access management has split between the traditional enterprise SSO
and external user centric CIAM, so has the protocol stack underneath. OpenID Connect combines
OAuth 2.0 authorisation with authentication, and allows building a user-friendly mobile application
“done right”.
An inevitable question is “Which of the protocols is the right for my use case?” Making broad
generalisations is one of the best ways to draw dissension from all directions, but the below table does
just that.
Protocol Best use cases
SAML Enterprise SSO, existing federations
OAuth 2.0 API authorisation, UMA
OpenID Connect Customer SSO, CIAM, mobile
If you are reading this to determine how to quantify, manage and reap the benefits of CIAM in your
organisation please contact Ubisecure – we can guide you through the complexity and reduce your
implementation time considerably.
12. UBISECURE WHITE PAPER
12 info@ubisecure.com
www.ubisecure.com
Ubisecure is a pioneering European b2b and b2c Customer Identity & Access Management (CIAM)
software provider and cloud identity services enabler dedicated to helping its customers realise the
true potential of digital business.
Ubisecure provides a powerful Identity Platform to connect customer digital identities with customer-
facing SaaS and enterprise applications in the cloud and on-premise. The platform consists of
productised CIAM middleware and API tooling to help connect and enrich strong identity profiles;
manage identity usage, authorisation and progressive authentication policies; secure and consolidate
identity, privacy and consent data; and streamline identity based workflows and decision delegations.
Uniquely, Ubisecure’s Identity Platform connects digital services and Identity Providers, such as social
networks, mobile networks, banks and Governments, to allow Service Providers to use rich, verified
identities to create frictionless login, registration and customer engagement while improving privacy
and consent around personal data sharing to meet requirements such as GDPR and PSD2.
Ubisecure is accredited by the Global Legal Entity Identifier Foundation (GLEIF) to issue Legal Entity
Identifiers (LEI) under its RapidLEI brand, a cloud-based service that automates the LEI lifecycle to
deliver LEIs quickly and easily. The company has offices in London and Finland.
To learn more about Customer IAM and Company Identity
solutions visit www.ubisecure.com or contact us at
sales-team@ubisecure.com