SlideShare a Scribd company logo

SAML VS OAuth 2.0 VS OpenID Connect

Ubisecure
Ubisecure

SAML, OAuth 2.0, and OpenID Connect are the three most common authentication protocols. SAML provides authentication and authorization assertions while OAuth 2.0 focuses on authorization. OpenID Connect builds on OAuth 2.0 by adding authentication features and using claims to provide user information. It has a lower implementation barrier than SAML and is well-suited for mobile and API use cases. The document compares the protocols and their applications, security considerations, and history of adoption.

Technology
1 of 12
Download to read offline
SAML VS OAUTH 2.0 VS OPENID CONNECT UNDERSTANDING THE DIFFERENCES BETWEEN THE THREE MOST COMMON AUTHORISATION PROTOCOLS WHITE PAPER Connecting Identity. Transforming Digital Business.
UBISECURE WHITE PAPER 2 info@ubisecure.com www.ubisecure.com INTRODUCTION The world of Identity and Access Management is ruled by two things, acronyms and standards. In our popular blog post at https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/ we compared the two most common authorisation protocols - SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol. HISTORY Firstly, it is useful to understand the order of emergence of the various protocols. It helps follow the evolution that gave rise to OpenID Connect. ACRONYMS & TERMINOLOGY WEB SINGLE SIGN-ON Party Term in SAML Term in OAuth Term in OpenID Web browser that an end user uses to access a web application User agent User agent User agent Server that owns the user identities and credentials Identity Provider (IDP, IdP) Authorisation Server (AS) OpenID Provider (OP) Web application that requires permission to proceed or access a resource Service Provider (SP) Client Relying Party (RP) or Client Server that hosts the resource being accessed Service Provider (SP) Resource Server Resource Server
UBISECURE WHITE PAPER 3 info@ubisecure.com www.ubisecure.com APPLICATIONS AND PROTECTED APIS Party Term in OAuth Server that owns the user identities and credentials Authorisation Server (AS) Application that wants to access a protected API Client Protected API Resource Server (RS) ACRONYMS SAML Security Assertion Markup Language OAuth Open Authentication OP OpenID Provider SP Service Provider RP Relying Party AS Authorisation Server HTTP Hypertext Transfer Protocol OIDC OpenID Connect SSO Single Sign On CIAM Customer Identity and Access Management XML Extensible Markup Language API Application Program Interface AUTHORISATION PROTOCOLS OPENID 2.0 OpenID was the first mainstream standard for authentication, it is however now obsolete following the approval of OpenID Connect. OpenID 2.0 was widely used and supported by most large internet companies. OpenID provided user authentication and with extensions in 2007, user attributes. Today when ‘OpenID’ is being talked about, it will almost always refer to OpenID Connect 1.0 OAUTH 2.0 The basic sequential flow occurs as follows:
UBISECURE WHITE PAPER 4 info@ubisecure.com www.ubisecure.com The flow illustrated includes the following steps: 1. The client initiates the flow by directing the resource owner's user agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). 2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request. 3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier. 4. The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification. 5. The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token. Authentication is all about the user in the context of the application, and a network authentication protocol like OpenID is able to do this across networks and security boundaries. An authentication protocols tells an application who the current user is and whether or not the user is present. In addition, the protocol will often return additional attributes, e.g. an e-mail address.
UBISECURE WHITE PAPER 5 info@ubisecure.com www.ubisecure.com However, OAuth 2.0 tells the application none of those things. OAuth 2.0 tells absolutely nothing about the user's identity, nor does it expose how the end user proved their presence or even if the user is still present or not. An OAuth 2.0 client asked for a token, received a token, and used that token to access some resource – for example an API. This delegated access, accessing a resource on the behalf of a user who may not even be present, is one of the great points of OAuth 2.0 and great for client authorisation. At the same time, it is very limited for authentication, where the whole point is figuring who the user is, how the user's identity was authenticated and whether the user is present or not. The authorisation code grant type is used to obtain both access tokens and refresh tokens and is optimised for confidential clients. Since this is a redirection based flow, the client must be capable of interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorisation server. Note: the lines illustrating steps 1, 2, and 3 are broken into two parts as they pass through the user- agent. SAML 2.0 We have seen that OpenID 2.0 provides authentication information, OAuth2 provides authorisation information. SAML2 provides all of this in the form of assertions (be they authentication assertions, attribute assertions or authorisation assertions). The SAML2 basic flow is below for completeness:
UBISECURE WHITE PAPER 6 info@ubisecure.com www.ubisecure.com 1. The Client attempts to access a secured resource via the User Agent, without a security context. 2. The Service Provider obtains the location of an endpoint at an identity provider for the authentication request protocol. The means by which this is accomplished is implementation dependent. 3. The Service Provider issues an <AuthnRequest> message to be delivered by the user agent to the Identity Provider. 4. The Identity Provider authenticates the Client using some (undefined) method. 5. The Identity Provider issues a <Response> message to be delivered by the User Agent to the Service Provider. The message may indicate an error, or will include (at least) an authentication assertion. 6. Having received the response from the Identity Provider, the Service Provider can respond to the Client's User Agent with its own error, or can establish its own security context for the Clienty and return the requested resource. This flow is HTTP POST heavy rending it only really useful for interactive web sessions.
UBISECURE WHITE PAPER 7 info@ubisecure.com www.ubisecure.com OAUTH 2.0 EXTENSIBILITY Before jumping to OpenID Connect it is useful to understand a little about OAuth2 extensibility. As part of the specification work on OAuth2, the definition was created with extensibility in mind. This extensibility allows new protocols to be defined on top of the ‘basic’ OAuth2 protocol. A number of extension protocols have been defined (for example UMA) and a number more are in draft stages. Of specific note here is OpenID Connect, a protocol build on top of OAuth2 to provide: “authentication built on top of OAuth 2.0 and the use of claims to communicate information about the End-User”1 OPENID CONNECT 1.0 OpenID Connect or OIDC in short, layers on top of OAuth 2.0 to provide authentication information as well as authorisation information through the use of Claims. Being based on OAuth2.0 OpenID Connect flow is very similar to OAuth 2.0, as seen below, the major difference is the addition of the ID Token. 1 http://openid.net/developers/specs/
UBISECURE WHITE PAPER 8 info@ubisecure.com www.ubisecure.com 1. The client prepares an Authentication Request containing the desired request parameters. 2. The client sends the request to the Authorization Server. 3. The Authorization Server authenticates the end user. 4. The Authorization Server obtains user consent/authorization. 5. The Authorization Server sends the user back to the client with an access token and, if requested, an ID token. 6. The client requests a response using the Authorisation Code at the Token endpoint. 7. The client receives a response that contains an ID Token and Access Token in the response body. 8. The client validates the ID token and retrieves the subject identifier of the user. The OpenID Connect standard introduces additional parameters to the request and introduces the concepts of Claims and the ID Token.
UBISECURE WHITE PAPER 9 info@ubisecure.com www.ubisecure.com Feature Details Additional parameters When the Client makes a request to the IdP it can pass additional parameters to the IdP, for example language for the authentication UI, and required authentication level Claims Claims are ‘name-value’ pairs that provide attribute data about the user that has been authenticated. The OpenID Connect standard defines a number of standard Claims, for example: given_name, family_name, picture, email. In addition to the standard Claims, ‘additional claims’ can be defined. ID Token The ID Token is built by the IdP and returned to the Relying Party as the final part of the basic authentication. This token contains a number of authentication related claims and may contain additional user related claims. The token itself is in the form of a signed JSON Web Token (JWT), and may, optionally, be encrypted. An access token is also returned that can be used by the Client to make further requests to the IdP or a Resource Server. Again, being based on OAuth 2.0 OpenID Connect is ‘API friendly’ and can be used by web applications, desktop applications, mobile applications and devices. SECURITY CONSIDERATIONS SAML For SAML the most common and widely used protocol for securing message exchange between an IdP and service provider is sending signed SAML Assertion to the Service Provider using HTTP POST protocol. SAML uses XML Signature and XML Encryption for end-to-end message integrity and encryption. Key exchange in SAML happens either out of band or dynamically with SAML Metadata. See SAML V2.0 Implementation Profile for Federation Interoperability for a recent requirement specification for an interoperable and secure SAML implementation.
UBISECURE WHITE PAPER 10 info@ubisecure.com www.ubisecure.com OAUTH 2.0 AND OPENID CONNECT 1.0 OIDC defines different profiles for securing message exchange between an IdP and a Relying Party. The simplest model completely relies on security of DNS and TLS for integrity. The benefit is very low barrier of entry into integrating an application with an OIDC IdP where the application designer only needs capability of invoking a RESTful API of the OIDC IdP, no processing of digital signatures or other cryptography is necessary. By implementing signed and encrypted JWTs the security of an OIDC implementation is increased to the level of SAML with end-to-end message integrity and encryption. By using modern technologies such as Token Binding security increases even beyond what is possible with standards based interoperable SAML. When signed and encrypted JWTs are used, key exchange in OIDC happens either out of band or dynamically with OIDC Metadata. Dynamic Client Registration Protocol enables a very dynamic and completely automated management of Client identities at an OIDC IdP, very well suited for IoT and Mobile Application use cases. See OAuth 2.0 Threat Model and Security Considerations and OAuth 2.0 Security Best Current Practice for recent instructions and best practices into creating secure OAuth and OIDC integrations. COMPARING THE PROTOCOLS Firstly, OAuth 2.0 has a different purpose to both SAML 2.0 and OpenID Connect 1.0, OAuth is, at the base level, an authorisation protocol, whereas SAML and OpenID Connect are authentication/authorisation protocols. For access control, OAuth 2.0 provides a great solution. SAML and OpenID Connect both provide authentication as well as authorisation. SAML is definitely the more complex to implement. OpenID Connect, being based on OAuth has a very low barrier to entry and can be scaled once working (both security and feature wise). If you are looking to join large existing federations that SAML will have the edge, its age means many of the existing federations are SAML based (for example most university federations). Of course it is possible to translate between protocols, doing this manually is a significant amount of work, but using the Ubisecure Identity Server in an IdP Proxy role this is just a configuration option, so it is possible to have a simple implementation of OpenID Connect working with an existing SAML federation. SAML is effectively constrained to browser operation, so for application or device usage OpenID Connect will be the protocol of choice.
UBISECURE WHITE PAPER 11 info@ubisecure.com www.ubisecure.com When it comes to security, OAuth, and hence OpenID Connect, provides a flexible model which can scale. SAML benefits from being within the browser having a relatively fixed security model, but is also only as secure as the browser. OAuth is dependent upon the TLS stack and when incorporated in an application is only as good as the stack in the application. If the app is using the OS implementation then it will be parallel to the browser, however, device implementation will need to take care over stack selection and configuration. CONCLUSIONS The emergence and rapid growth of OpenID Connect is a physical manifestation of the ongoing mobile transformation. As identity and access management has split between the traditional enterprise SSO and external user centric CIAM, so has the protocol stack underneath. OpenID Connect combines OAuth 2.0 authorisation with authentication, and allows building a user-friendly mobile application “done right”. An inevitable question is “Which of the protocols is the right for my use case?” Making broad generalisations is one of the best ways to draw dissension from all directions, but the below table does just that. Protocol Best use cases SAML Enterprise SSO, existing federations OAuth 2.0 API authorisation, UMA OpenID Connect Customer SSO, CIAM, mobile If you are reading this to determine how to quantify, manage and reap the benefits of CIAM in your organisation please contact Ubisecure – we can guide you through the complexity and reduce your implementation time considerably.
UBISECURE WHITE PAPER 12 info@ubisecure.com www.ubisecure.com Ubisecure is a pioneering European b2b and b2c Customer Identity & Access Management (CIAM) software provider and cloud identity services enabler dedicated to helping its customers realise the true potential of digital business. Ubisecure provides a powerful Identity Platform to connect customer digital identities with customer- facing SaaS and enterprise applications in the cloud and on-premise. The platform consists of productised CIAM middleware and API tooling to help connect and enrich strong identity profiles; manage identity usage, authorisation and progressive authentication policies; secure and consolidate identity, privacy and consent data; and streamline identity based workflows and decision delegations. Uniquely, Ubisecure’s Identity Platform connects digital services and Identity Providers, such as social networks, mobile networks, banks and Governments, to allow Service Providers to use rich, verified identities to create frictionless login, registration and customer engagement while improving privacy and consent around personal data sharing to meet requirements such as GDPR and PSD2. Ubisecure is accredited by the Global Legal Entity Identifier Foundation (GLEIF) to issue Legal Entity Identifiers (LEI) under its RapidLEI brand, a cloud-based service that automates the LEI lifecycle to deliver LEIs quickly and easily. The company has offices in London and Finland. To learn more about Customer IAM and Company Identity solutions visit www.ubisecure.com or contact us at sales-team@ubisecure.com

Recommended

OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 

Recommended

OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
Torsten Lodderstedt
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
Json web token
Json web tokenJson web token
Json web token
Mayank Patel
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDC
ForgeRock Identity Tech Talks
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
Amin Saqi
 

More Related Content

What's hot

Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
Torsten Lodderstedt
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
Json web token
Json web tokenJson web token
Json web token
Mayank Patel
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDC
ForgeRock Identity Tech Talks
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 

What's hot (20)

Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
Json web token
Json web tokenJson web token
Json web token
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDC
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 

Similar to SAML VS OAuth 2.0 VS OpenID Connect

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
Amin Saqi
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
Ubisecure
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
Arpit Suthar
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
Profesia Srl, Lynx Group
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security ServerFlaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
ijtsrd
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
Stefan Weber
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
Bhargav Surimenu
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
IOSR Journals
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
Calvin Noronha
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
Amin Saqi
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
Dave Syer
 

Similar to SAML VS OAuth 2.0 VS OpenID Connect (20)

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security ServerFlaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 

More from Ubisecure

User Management, Enablement, Directory
User Management, Enablement, DirectoryUser Management, Enablement, Directory
User Management, Enablement, Directory
Ubisecure
 
Identity Platform Use Cases
Identity Platform Use CasesIdentity Platform Use Cases
Identity Platform Use Cases
Ubisecure
 
Single Sign-On
Single Sign-OnSingle Sign-On
Single Sign-On
Ubisecure
 
Multi-Factor Authentication & Authorisation
Multi-Factor Authentication & AuthorisationMulti-Factor Authentication & Authorisation
Multi-Factor Authentication & Authorisation
Ubisecure
 
Identity Data & Credential Self-Service
Identity Data & Credential Self-ServiceIdentity Data & Credential Self-Service
Identity Data & Credential Self-Service
Ubisecure
 
Using Strong / Verified Identities
Using Strong / Verified IdentitiesUsing Strong / Verified Identities
Using Strong / Verified Identities
Ubisecure
 
Using Social & Business Identities
Using Social & Business IdentitiesUsing Social & Business Identities
Using Social & Business Identities
Ubisecure
 
Delegation of Authority
Delegation of AuthorityDelegation of Authority
Delegation of Authority
Ubisecure
 
Customer IAM vs Employee IAM (Legacy IAM)
Customer IAM vs Employee IAM (Legacy IAM)Customer IAM vs Employee IAM (Legacy IAM)
Customer IAM vs Employee IAM (Legacy IAM)
Ubisecure
 
An Introduction to Authentication for Applications
An Introduction to Authentication for ApplicationsAn Introduction to Authentication for Applications
An Introduction to Authentication for Applications
Ubisecure
 
Introduction to Mobile Connect
Introduction to Mobile ConnectIntroduction to Mobile Connect
Introduction to Mobile Connect
Ubisecure
 
General Data Protection Regulation & Customer IAM
General Data Protection Regulation & Customer IAMGeneral Data Protection Regulation & Customer IAM
General Data Protection Regulation & Customer IAM
Ubisecure
 
Telia - The New Norm of the Digital World
Telia - The New Norm of the Digital WorldTelia - The New Norm of the Digital World
Telia - The New Norm of the Digital World
Ubisecure
 
SSH - Credentialess Cloud Access
SSH - Credentialess Cloud AccessSSH - Credentialess Cloud Access
SSH - Credentialess Cloud Access
Ubisecure
 
Spellpoint - Securing Access for Microservices
Spellpoint - Securing Access for MicroservicesSpellpoint - Securing Access for Microservices
Spellpoint - Securing Access for Microservices
Ubisecure
 
Open Identity Exchange - the Global Growth of Digital Identity
Open Identity Exchange - the Global Growth of Digital IdentityOpen Identity Exchange - the Global Growth of Digital Identity
Open Identity Exchange - the Global Growth of Digital Identity
Ubisecure
 
Nixu - Passwords must Die!
Nixu - Passwords must Die!Nixu - Passwords must Die!
Nixu - Passwords must Die!
Ubisecure
 
Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018
Ubisecure
 
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
Ubisecure
 
FICORA - Building a Trust Network on Strong Identification
FICORA - Building a Trust Network on Strong IdentificationFICORA - Building a Trust Network on Strong Identification
FICORA - Building a Trust Network on Strong Identification
Ubisecure
 

More from Ubisecure (20)

User Management, Enablement, Directory
User Management, Enablement, DirectoryUser Management, Enablement, Directory
User Management, Enablement, Directory
 
Identity Platform Use Cases
Identity Platform Use CasesIdentity Platform Use Cases
Identity Platform Use Cases
 
Single Sign-On
Single Sign-OnSingle Sign-On
Single Sign-On
 
Multi-Factor Authentication & Authorisation
Multi-Factor Authentication & AuthorisationMulti-Factor Authentication & Authorisation
Multi-Factor Authentication & Authorisation
 
Identity Data & Credential Self-Service
Identity Data & Credential Self-ServiceIdentity Data & Credential Self-Service
Identity Data & Credential Self-Service
 
Using Strong / Verified Identities
Using Strong / Verified IdentitiesUsing Strong / Verified Identities
Using Strong / Verified Identities
 
Using Social & Business Identities
Using Social & Business IdentitiesUsing Social & Business Identities
Using Social & Business Identities
 
Delegation of Authority
Delegation of AuthorityDelegation of Authority
Delegation of Authority
 
Customer IAM vs Employee IAM (Legacy IAM)
Customer IAM vs Employee IAM (Legacy IAM)Customer IAM vs Employee IAM (Legacy IAM)
Customer IAM vs Employee IAM (Legacy IAM)
 
An Introduction to Authentication for Applications
An Introduction to Authentication for ApplicationsAn Introduction to Authentication for Applications
An Introduction to Authentication for Applications
 
Introduction to Mobile Connect
Introduction to Mobile ConnectIntroduction to Mobile Connect
Introduction to Mobile Connect
 
General Data Protection Regulation & Customer IAM
General Data Protection Regulation & Customer IAMGeneral Data Protection Regulation & Customer IAM
General Data Protection Regulation & Customer IAM
 
Telia - The New Norm of the Digital World
Telia - The New Norm of the Digital WorldTelia - The New Norm of the Digital World
Telia - The New Norm of the Digital World
 
SSH - Credentialess Cloud Access
SSH - Credentialess Cloud AccessSSH - Credentialess Cloud Access
SSH - Credentialess Cloud Access
 
Spellpoint - Securing Access for Microservices
Spellpoint - Securing Access for MicroservicesSpellpoint - Securing Access for Microservices
Spellpoint - Securing Access for Microservices
 
Open Identity Exchange - the Global Growth of Digital Identity
Open Identity Exchange - the Global Growth of Digital IdentityOpen Identity Exchange - the Global Growth of Digital Identity
Open Identity Exchange - the Global Growth of Digital Identity
 
Nixu - Passwords must Die!
Nixu - Passwords must Die!Nixu - Passwords must Die!
Nixu - Passwords must Die!
 
Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018
 
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
 
FICORA - Building a Trust Network on Strong Identification
FICORA - Building a Trust Network on Strong IdentificationFICORA - Building a Trust Network on Strong Identification
FICORA - Building a Trust Network on Strong Identification
 

Recently uploaded

Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 

Recently uploaded (20)

Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 

SAML VS OAuth 2.0 VS OpenID Connect

  • 1. SAML VS OAUTH 2.0 VS OPENID CONNECT UNDERSTANDING THE DIFFERENCES BETWEEN THE THREE MOST COMMON AUTHORISATION PROTOCOLS WHITE PAPER Connecting Identity. Transforming Digital Business.
  • 2. UBISECURE WHITE PAPER 2 info@ubisecure.com www.ubisecure.com INTRODUCTION The world of Identity and Access Management is ruled by two things, acronyms and standards. In our popular blog post at https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/ we compared the two most common authorisation protocols - SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol. HISTORY Firstly, it is useful to understand the order of emergence of the various protocols. It helps follow the evolution that gave rise to OpenID Connect. ACRONYMS & TERMINOLOGY WEB SINGLE SIGN-ON Party Term in SAML Term in OAuth Term in OpenID Web browser that an end user uses to access a web application User agent User agent User agent Server that owns the user identities and credentials Identity Provider (IDP, IdP) Authorisation Server (AS) OpenID Provider (OP) Web application that requires permission to proceed or access a resource Service Provider (SP) Client Relying Party (RP) or Client Server that hosts the resource being accessed Service Provider (SP) Resource Server Resource Server
  • 3. UBISECURE WHITE PAPER 3 info@ubisecure.com www.ubisecure.com APPLICATIONS AND PROTECTED APIS Party Term in OAuth Server that owns the user identities and credentials Authorisation Server (AS) Application that wants to access a protected API Client Protected API Resource Server (RS) ACRONYMS SAML Security Assertion Markup Language OAuth Open Authentication OP OpenID Provider SP Service Provider RP Relying Party AS Authorisation Server HTTP Hypertext Transfer Protocol OIDC OpenID Connect SSO Single Sign On CIAM Customer Identity and Access Management XML Extensible Markup Language API Application Program Interface AUTHORISATION PROTOCOLS OPENID 2.0 OpenID was the first mainstream standard for authentication, it is however now obsolete following the approval of OpenID Connect. OpenID 2.0 was widely used and supported by most large internet companies. OpenID provided user authentication and with extensions in 2007, user attributes. Today when ‘OpenID’ is being talked about, it will almost always refer to OpenID Connect 1.0 OAUTH 2.0 The basic sequential flow occurs as follows:
  • 4. UBISECURE WHITE PAPER 4 info@ubisecure.com www.ubisecure.com The flow illustrated includes the following steps: 1. The client initiates the flow by directing the resource owner's user agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). 2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request. 3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier. 4. The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification. 5. The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token. Authentication is all about the user in the context of the application, and a network authentication protocol like OpenID is able to do this across networks and security boundaries. An authentication protocols tells an application who the current user is and whether or not the user is present. In addition, the protocol will often return additional attributes, e.g. an e-mail address.
  • 5. UBISECURE WHITE PAPER 5 info@ubisecure.com www.ubisecure.com However, OAuth 2.0 tells the application none of those things. OAuth 2.0 tells absolutely nothing about the user's identity, nor does it expose how the end user proved their presence or even if the user is still present or not. An OAuth 2.0 client asked for a token, received a token, and used that token to access some resource – for example an API. This delegated access, accessing a resource on the behalf of a user who may not even be present, is one of the great points of OAuth 2.0 and great for client authorisation. At the same time, it is very limited for authentication, where the whole point is figuring who the user is, how the user's identity was authenticated and whether the user is present or not. The authorisation code grant type is used to obtain both access tokens and refresh tokens and is optimised for confidential clients. Since this is a redirection based flow, the client must be capable of interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorisation server. Note: the lines illustrating steps 1, 2, and 3 are broken into two parts as they pass through the user- agent. SAML 2.0 We have seen that OpenID 2.0 provides authentication information, OAuth2 provides authorisation information. SAML2 provides all of this in the form of assertions (be they authentication assertions, attribute assertions or authorisation assertions). The SAML2 basic flow is below for completeness:
  • 6. UBISECURE WHITE PAPER 6 info@ubisecure.com www.ubisecure.com 1. The Client attempts to access a secured resource via the User Agent, without a security context. 2. The Service Provider obtains the location of an endpoint at an identity provider for the authentication request protocol. The means by which this is accomplished is implementation dependent. 3. The Service Provider issues an <AuthnRequest> message to be delivered by the user agent to the Identity Provider. 4. The Identity Provider authenticates the Client using some (undefined) method. 5. The Identity Provider issues a <Response> message to be delivered by the User Agent to the Service Provider. The message may indicate an error, or will include (at least) an authentication assertion. 6. Having received the response from the Identity Provider, the Service Provider can respond to the Client's User Agent with its own error, or can establish its own security context for the Clienty and return the requested resource. This flow is HTTP POST heavy rending it only really useful for interactive web sessions.
  • 7. UBISECURE WHITE PAPER 7 info@ubisecure.com www.ubisecure.com OAUTH 2.0 EXTENSIBILITY Before jumping to OpenID Connect it is useful to understand a little about OAuth2 extensibility. As part of the specification work on OAuth2, the definition was created with extensibility in mind. This extensibility allows new protocols to be defined on top of the ‘basic’ OAuth2 protocol. A number of extension protocols have been defined (for example UMA) and a number more are in draft stages. Of specific note here is OpenID Connect, a protocol build on top of OAuth2 to provide: “authentication built on top of OAuth 2.0 and the use of claims to communicate information about the End-User”1 OPENID CONNECT 1.0 OpenID Connect or OIDC in short, layers on top of OAuth 2.0 to provide authentication information as well as authorisation information through the use of Claims. Being based on OAuth2.0 OpenID Connect flow is very similar to OAuth 2.0, as seen below, the major difference is the addition of the ID Token. 1 http://openid.net/developers/specs/
  • 8. UBISECURE WHITE PAPER 8 info@ubisecure.com www.ubisecure.com 1. The client prepares an Authentication Request containing the desired request parameters. 2. The client sends the request to the Authorization Server. 3. The Authorization Server authenticates the end user. 4. The Authorization Server obtains user consent/authorization. 5. The Authorization Server sends the user back to the client with an access token and, if requested, an ID token. 6. The client requests a response using the Authorisation Code at the Token endpoint. 7. The client receives a response that contains an ID Token and Access Token in the response body. 8. The client validates the ID token and retrieves the subject identifier of the user. The OpenID Connect standard introduces additional parameters to the request and introduces the concepts of Claims and the ID Token.
  • 9. UBISECURE WHITE PAPER 9 info@ubisecure.com www.ubisecure.com Feature Details Additional parameters When the Client makes a request to the IdP it can pass additional parameters to the IdP, for example language for the authentication UI, and required authentication level Claims Claims are ‘name-value’ pairs that provide attribute data about the user that has been authenticated. The OpenID Connect standard defines a number of standard Claims, for example: given_name, family_name, picture, email. In addition to the standard Claims, ‘additional claims’ can be defined. ID Token The ID Token is built by the IdP and returned to the Relying Party as the final part of the basic authentication. This token contains a number of authentication related claims and may contain additional user related claims. The token itself is in the form of a signed JSON Web Token (JWT), and may, optionally, be encrypted. An access token is also returned that can be used by the Client to make further requests to the IdP or a Resource Server. Again, being based on OAuth 2.0 OpenID Connect is ‘API friendly’ and can be used by web applications, desktop applications, mobile applications and devices. SECURITY CONSIDERATIONS SAML For SAML the most common and widely used protocol for securing message exchange between an IdP and service provider is sending signed SAML Assertion to the Service Provider using HTTP POST protocol. SAML uses XML Signature and XML Encryption for end-to-end message integrity and encryption. Key exchange in SAML happens either out of band or dynamically with SAML Metadata. See SAML V2.0 Implementation Profile for Federation Interoperability for a recent requirement specification for an interoperable and secure SAML implementation.
  • 10. UBISECURE WHITE PAPER 10 info@ubisecure.com www.ubisecure.com OAUTH 2.0 AND OPENID CONNECT 1.0 OIDC defines different profiles for securing message exchange between an IdP and a Relying Party. The simplest model completely relies on security of DNS and TLS for integrity. The benefit is very low barrier of entry into integrating an application with an OIDC IdP where the application designer only needs capability of invoking a RESTful API of the OIDC IdP, no processing of digital signatures or other cryptography is necessary. By implementing signed and encrypted JWTs the security of an OIDC implementation is increased to the level of SAML with end-to-end message integrity and encryption. By using modern technologies such as Token Binding security increases even beyond what is possible with standards based interoperable SAML. When signed and encrypted JWTs are used, key exchange in OIDC happens either out of band or dynamically with OIDC Metadata. Dynamic Client Registration Protocol enables a very dynamic and completely automated management of Client identities at an OIDC IdP, very well suited for IoT and Mobile Application use cases. See OAuth 2.0 Threat Model and Security Considerations and OAuth 2.0 Security Best Current Practice for recent instructions and best practices into creating secure OAuth and OIDC integrations. COMPARING THE PROTOCOLS Firstly, OAuth 2.0 has a different purpose to both SAML 2.0 and OpenID Connect 1.0, OAuth is, at the base level, an authorisation protocol, whereas SAML and OpenID Connect are authentication/authorisation protocols. For access control, OAuth 2.0 provides a great solution. SAML and OpenID Connect both provide authentication as well as authorisation. SAML is definitely the more complex to implement. OpenID Connect, being based on OAuth has a very low barrier to entry and can be scaled once working (both security and feature wise). If you are looking to join large existing federations that SAML will have the edge, its age means many of the existing federations are SAML based (for example most university federations). Of course it is possible to translate between protocols, doing this manually is a significant amount of work, but using the Ubisecure Identity Server in an IdP Proxy role this is just a configuration option, so it is possible to have a simple implementation of OpenID Connect working with an existing SAML federation. SAML is effectively constrained to browser operation, so for application or device usage OpenID Connect will be the protocol of choice.
  • 11. UBISECURE WHITE PAPER 11 info@ubisecure.com www.ubisecure.com When it comes to security, OAuth, and hence OpenID Connect, provides a flexible model which can scale. SAML benefits from being within the browser having a relatively fixed security model, but is also only as secure as the browser. OAuth is dependent upon the TLS stack and when incorporated in an application is only as good as the stack in the application. If the app is using the OS implementation then it will be parallel to the browser, however, device implementation will need to take care over stack selection and configuration. CONCLUSIONS The emergence and rapid growth of OpenID Connect is a physical manifestation of the ongoing mobile transformation. As identity and access management has split between the traditional enterprise SSO and external user centric CIAM, so has the protocol stack underneath. OpenID Connect combines OAuth 2.0 authorisation with authentication, and allows building a user-friendly mobile application “done right”. An inevitable question is “Which of the protocols is the right for my use case?” Making broad generalisations is one of the best ways to draw dissension from all directions, but the below table does just that. Protocol Best use cases SAML Enterprise SSO, existing federations OAuth 2.0 API authorisation, UMA OpenID Connect Customer SSO, CIAM, mobile If you are reading this to determine how to quantify, manage and reap the benefits of CIAM in your organisation please contact Ubisecure – we can guide you through the complexity and reduce your implementation time considerably.
  • 12. UBISECURE WHITE PAPER 12 info@ubisecure.com www.ubisecure.com Ubisecure is a pioneering European b2b and b2c Customer Identity & Access Management (CIAM) software provider and cloud identity services enabler dedicated to helping its customers realise the true potential of digital business. Ubisecure provides a powerful Identity Platform to connect customer digital identities with customer- facing SaaS and enterprise applications in the cloud and on-premise. The platform consists of productised CIAM middleware and API tooling to help connect and enrich strong identity profiles; manage identity usage, authorisation and progressive authentication policies; secure and consolidate identity, privacy and consent data; and streamline identity based workflows and decision delegations. Uniquely, Ubisecure’s Identity Platform connects digital services and Identity Providers, such as social networks, mobile networks, banks and Governments, to allow Service Providers to use rich, verified identities to create frictionless login, registration and customer engagement while improving privacy and consent around personal data sharing to meet requirements such as GDPR and PSD2. Ubisecure is accredited by the Global Legal Entity Identifier Foundation (GLEIF) to issue Legal Entity Identifiers (LEI) under its RapidLEI brand, a cloud-based service that automates the LEI lifecycle to deliver LEIs quickly and easily. The company has offices in London and Finland. To learn more about Customer IAM and Company Identity solutions visit www.ubisecure.com or contact us at sales-team@ubisecure.com