Anil Saldanha, profile picture
Uploaded byAnil Saldanha
PPTX, PDF22,109 views

Saml vs Oauth : Which one should I use?

SAML and OAuth are both standards for authentication and authorization but have key differences. SAML is an XML standard that enables single sign-on, federation, and identity management through security assertions. OAuth is a standard for authorization that allows secure access to internet resources without sharing passwords. While SAML uses XML tokens and supports SOAP/JMS transport, OAuth uses HTTP and JSON/binary tokens. SAML is commonly used for enterprise SSO and identity federation, while OAuth is designed for authorization of internet resources from applications. The document recommends using SAML for SSO and OAuth for delegated access to resources.

Embed presentation

Downloaded 618 times
SAML vs OAuth Anil Saldhana anil@apache.org http://anil-identity.blogspot.com Reference: http://architects.dzone.com/articles/saml-versus-oauthwhich-one
Informal Definitions
Informal Definitions • SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve – Single Sign On (SSO), – Federation and – Identity Management.
Informal Definitions • OAuth (Open Authorization) is a standard for authorization of resources. • It does not deal with authentication. – Look for OpenID Connect for Authentication.
Formal Definitions
Formal Definitions • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. • From Wikipedia Page on SAML
Formal Definitions • OAuth : An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. • From OAuth.net
Differences
Token or Message Format
Token Or Message Format • SAML deals with XML as the data construct or token format. • OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens (https://docs.jboss.org/author/display/PLINK/ OAuth+Bearer+Tokens).
Transport
Transport • SAML has Bindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc. – But there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.
Transport • OAuth uses HTTP exclusively.
Scope
Scope • Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.
Scope • OAuth has been designed for use with applications on the internet, – primarily for delegated authorization of internet resources. • OAuth is designed for Internet Scale.
Which Versions Should Be Used?
Versions • SAML v2.0 • OAuth v2.0
Use Cases
Use Cases • If your use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.
Use Cases • If your use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.
Use Cases • If your use case involves providing access to a partner or customer application to your portal – then use SAML.
Use Cases • If your use case requires a centralized identity source – then use SAML. You can also use an Open ID Provider as a central Identity Provider under the OpenID Connect Specification (under development).
Use Cases • If your use case involves mobile devices – then use OAuth (with some form of bearer tokens).
Using SAML with OAuth
SAML With OAuth • Use SAML for authentication. • Use SAML token/assertion as the OAuth bearer token in the HTTP bearer header to access protected resources.
Replace SAML with OAuth
Replace SAML With OAuth • Use JWT for authentication. • Use JWT as the OAuth bearer token in the HTTP bearer header to access protected resources.
References
References • PicketLink : http://www.picketlink.org • IETF OAuth2 (http://datatracker.ietf.org/doc/rfc6749/) • OpenID Connect http://openid.net/specs/openid-connectbasic-1_0-22.html
Full Article http://architects.dzone.com/articles/ saml-versus-oauth-which-one
Contact Me anil@apache.org

More Related Content

PDF
Introduction to SAML 2.0
byMika Koivisto
 
PPTX
IdP, SAML, OAuth
byDan Brinkmann
 
PDF
SAML Protocol Overview
byMike Schwartz
 
PDF
Selenium Maven With Eclipse | Edureka
byEdureka!
 
PPTX
Single Sign On Considerations
byVenkat Gattamaneni
 
PDF
Postman
byIgor Shubovych
 
PPTX
Services comparison among Microsoft Azure AWS and Google Cloud Platform
byindu Yadav
 
PDF
Api presentation
byTiago Cardoso
 
Introduction to SAML 2.0
byMika Koivisto
 
IdP, SAML, OAuth
byDan Brinkmann
 
SAML Protocol Overview
byMike Schwartz
 
Selenium Maven With Eclipse | Edureka
byEdureka!
 
Single Sign On Considerations
byVenkat Gattamaneni
 
Postman
byIgor Shubovych
 
Services comparison among Microsoft Azure AWS and Google Cloud Platform
byindu Yadav
 
Api presentation
byTiago Cardoso
 

What's hot

PPTX
Power Automate
byFausto Capellan Jr
 
PDF
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
byVinay Manglani
 
PDF
Data Driven Framework in Selenium
byKnoldus Inc.
 
PPTX
Draft: building secure applications with keycloak (oidc/jwt)
byAbhishek Koserwal
 
PDF
Katalon Studio - Best automation solution for software testing team
byKatalon Studio
 
PDF
Single Sign On - The Basics
byIshan A B Ambanwela
 
PPTX
Selenium ppt
byAneesh Rangarajan
 
PPT
Data power use cases
bysflynn073
 
PPTX
Deep-Dive to Application Insights
byGunnar Peipman
 
ODP
Selenium ppt
byAnirudh Raja
 
ODP
Kong API Gateway
byChris Mague
 
PDF
A Tour of Google Cloud Platform
byColin Su
 
PPTX
Test automation using selenium
byCynoteck Technology Solutions Private Limited
 
PDF
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
PDF
Single sign on using SAML
byProgramming Talents
 
PPT
Test Automation Framework Designs
bySauce Labs
 
PDF
Automation Testing using Selenium
byNaresh Chintalcheru
 
PPTX
Azure
byKiran Bavariya
 
PPTX
Single Sign On 101
byMike Schwartz
 
PPTX
Microsoft Azure cloud services
byNajeeb Khan
 
Power Automate
byFausto Capellan Jr
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
byVinay Manglani
 
Data Driven Framework in Selenium
byKnoldus Inc.
 
Draft: building secure applications with keycloak (oidc/jwt)
byAbhishek Koserwal
 
Katalon Studio - Best automation solution for software testing team
byKatalon Studio
 
Single Sign On - The Basics
byIshan A B Ambanwela
 
Selenium ppt
byAneesh Rangarajan
 
Data power use cases
bysflynn073
 
Deep-Dive to Application Insights
byGunnar Peipman
 
Selenium ppt
byAnirudh Raja
 
Kong API Gateway
byChris Mague
 
A Tour of Google Cloud Platform
byColin Su
 
Test automation using selenium
byCynoteck Technology Solutions Private Limited
 
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
Single sign on using SAML
byProgramming Talents
 
Test Automation Framework Designs
bySauce Labs
 
Automation Testing using Selenium
byNaresh Chintalcheru
 
Azure
byKiran Bavariya
 
Single Sign On 101
byMike Schwartz
 
Microsoft Azure cloud services
byNajeeb Khan
 

Similar to Saml vs Oauth : Which one should I use?

PPTX
Microservice with OAuth2
by◄ vaquar khan ► ★✔
 
PPTX
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
bySaloni Shah
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
PDF
"Securing SSO Authentication: Strategies to eliminate vulnerabilities", Oleh ...
byFwdays
 
PPTX
A recipe for standards-based Cloud IdM
byPaul Madsen
 
PDF
Introduction to SAML & OIDC
byForgeRock Identity Tech Talks
 
PDF
Open Standards in Identity Management
byPrabath Siriwardena
 
PPTX
SAML Smackdown
byPat Patterson
 
PDF
Launching a Successful and Secure API
byNordic APIs
 
PDF
Openstack identity protocols unconference
byDavid Waite
 
PPTX
Introduction to SAML and how to create it by JoeSelian.pptx
byimcheaterid
 
PDF
CIS13: Introduction to OAuth 2.0
byCloudIDSummit
 
PDF
[4developers2016] - Security in the era of modern applications and services (...
byPROIDEA
 
DOCX
SAML 2
bySteward_John
 
PPTX
LASCON 2017: SAML v. OpenID v. Oauth
byMike Schwartz
 
PDF
SAML Executive Overview
byPortalGuard
 
PDF
Patterns to Bring Enterprise and Social Identity to the Cloud
byCA API Management
 
PDF
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
byCloudIDSummit
 
PPTX
IAM Overview Identiverse 2018
byBrian Campbell
 
PDF
Implementing Microservices Security Patterns & Protocols with Spring
byVMware Tanzu
 
Microservice with OAuth2
by◄ vaquar khan ► ★✔
 
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
bySaloni Shah
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
"Securing SSO Authentication: Strategies to eliminate vulnerabilities", Oleh ...
byFwdays
 
A recipe for standards-based Cloud IdM
byPaul Madsen
 
Introduction to SAML & OIDC
byForgeRock Identity Tech Talks
 
Open Standards in Identity Management
byPrabath Siriwardena
 
SAML Smackdown
byPat Patterson
 
Launching a Successful and Secure API
byNordic APIs
 
Openstack identity protocols unconference
byDavid Waite
 
Introduction to SAML and how to create it by JoeSelian.pptx
byimcheaterid
 
CIS13: Introduction to OAuth 2.0
byCloudIDSummit
 
[4developers2016] - Security in the era of modern applications and services (...
byPROIDEA
 
SAML 2
bySteward_John
 
LASCON 2017: SAML v. OpenID v. Oauth
byMike Schwartz
 
SAML Executive Overview
byPortalGuard
 
Patterns to Bring Enterprise and Social Identity to the Cloud
byCA API Management
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
byCloudIDSummit
 
IAM Overview Identiverse 2018
byBrian Campbell
 
Implementing Microservices Security Patterns & Protocols with Spring
byVMware Tanzu
 

More from Anil Saldanha

PDF
Securing Applications With Picketlink
byAnil Saldanha
 
PDF
Anil saldhana cloudidentitybestpractices
byAnil Saldanha
 
PDF
Anil saldhana cloud identity
byAnil Saldanha
 
PDF
Oasis Identity In The Cloud Technical Committee
byAnil Saldanha
 
PDF
Oasis IDCloud TC - Anil Saldhana
byAnil Saldanha
 
PPT
Anil saldhana identitycloud
byAnil Saldanha
 
PDF
Secure Middleware with JBoss AS 5
byAnil Saldanha
 
PDF
Advances inbrowsersecurity
byAnil Saldanha
 
PDF
Anil saldhana securityassurancewithj_bosseap
byAnil Saldanha
 
PDF
Anil saldhana oasisid_cloud
byAnil Saldanha
 
PDF
Google App Engine
byAnil Saldanha
 
Securing Applications With Picketlink
byAnil Saldanha
 
Anil saldhana cloudidentitybestpractices
byAnil Saldanha
 
Anil saldhana cloud identity
byAnil Saldanha
 
Oasis Identity In The Cloud Technical Committee
byAnil Saldanha
 
Oasis IDCloud TC - Anil Saldhana
byAnil Saldanha
 
Anil saldhana identitycloud
byAnil Saldanha
 
Secure Middleware with JBoss AS 5
byAnil Saldanha
 
Advances inbrowsersecurity
byAnil Saldanha
 
Anil saldhana securityassurancewithj_bosseap
byAnil Saldanha
 
Anil saldhana oasisid_cloud
byAnil Saldanha
 
Google App Engine
byAnil Saldanha
 

Recently uploaded

PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
final.pdf
byomarbishtawi04
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
apidays New York 2025 | AI in Application Security
byapidays
 
AI in the Real World: From University to Industry
byDarvan Shvan
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
Workflow and decision Automation with Flowable
bychakib ch
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
final.pdf
byomarbishtawi04
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 

Saml vs Oauth : Which one should I use?

  • 1.
    SAML vs OAuth AnilSaldhana anil@apache.org http://anil-identity.blogspot.com Reference: http://architects.dzone.com/articles/saml-versus-oauthwhich-one
  • 2.
  • 3.
    Informal Definitions • SAML(Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve – Single Sign On (SSO), – Federation and – Identity Management.
  • 4.
    Informal Definitions • OAuth(Open Authorization) is a standard for authorization of resources. • It does not deal with authentication. – Look for OpenID Connect for Authentication.
  • 5.
  • 6.
    Formal Definitions • SecurityAssertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. • From Wikipedia Page on SAML
  • 7.
    Formal Definitions • OAuth: An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. • From OAuth.net
  • 8.
  • 9.
  • 10.
    Token Or MessageFormat • SAML deals with XML as the data construct or token format. • OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens (https://docs.jboss.org/author/display/PLINK/ OAuth+Bearer+Tokens).
  • 11.
  • 12.
    Transport • SAML hasBindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc. – But there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.
  • 13.
    Transport • OAuth usesHTTP exclusively.
  • 14.
  • 15.
    Scope • Even thoughSAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.
  • 16.
    Scope • OAuth hasbeen designed for use with applications on the internet, – primarily for delegated authorization of internet resources. • OAuth is designed for Internet Scale.
  • 17.
  • 18.
  • 19.
  • 20.
    Use Cases • Ifyour use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.
  • 21.
    Use Cases • Ifyour use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.
  • 22.
    Use Cases • Ifyour use case involves providing access to a partner or customer application to your portal – then use SAML.
  • 23.
    Use Cases • Ifyour use case requires a centralized identity source – then use SAML. You can also use an Open ID Provider as a central Identity Provider under the OpenID Connect Specification (under development).
  • 24.
    Use Cases • Ifyour use case involves mobile devices – then use OAuth (with some form of bearer tokens).
  • 25.
  • 26.
    SAML With OAuth •Use SAML for authentication. • Use SAML token/assertion as the OAuth bearer token in the HTTP bearer header to access protected resources.
  • 27.
  • 28.
    Replace SAML WithOAuth • Use JWT for authentication. • Use JWT as the OAuth bearer token in the HTTP bearer header to access protected resources.
  • 29.
  • 30.
    References • PicketLink :http://www.picketlink.org • IETF OAuth2 (http://datatracker.ietf.org/doc/rfc6749/) • OpenID Connect http://openid.net/specs/openid-connectbasic-1_0-22.html
  • 31.
  • 32.