SlideShare una empresa de Scribd logo

Saml vs Oauth : Which one should I use?

Descargar como PPTX, PDF
Anil Saldanha
Anil Saldanha
Tecnología
1 de 32
SAML vs OAuth Anil Saldhana anil@apache.org http://anil-identity.blogspot.com Reference: http://architects.dzone.com/articles/saml-versus-oauthwhich-one
Informal Definitions
Informal Definitions • SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve – Single Sign On (SSO), – Federation and – Identity Management.
Informal Definitions • OAuth (Open Authorization) is a standard for authorization of resources. • It does not deal with authentication. – Look for OpenID Connect for Authentication.
Formal Definitions
Formal Definitions • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. • From Wikipedia Page on SAML
Formal Definitions • OAuth : An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. • From OAuth.net
Differences
Token or Message Format
Token Or Message Format • SAML deals with XML as the data construct or token format. • OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens (https://docs.jboss.org/author/display/PLINK/ OAuth+Bearer+Tokens).
Transport
Transport • SAML has Bindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc. – But there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.
Transport • OAuth uses HTTP exclusively.
Scope
Scope • Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.
Scope • OAuth has been designed for use with applications on the internet, – primarily for delegated authorization of internet resources. • OAuth is designed for Internet Scale.
Which Versions Should Be Used?
Versions • SAML v2.0 • OAuth v2.0
Use Cases
Use Cases • If your use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.
Use Cases • If your use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.
Use Cases • If your use case involves providing access to a partner or customer application to your portal – then use SAML.
Use Cases • If your use case requires a centralized identity source – then use SAML. You can also use an Open ID Provider as a central Identity Provider under the OpenID Connect Specification (under development).
Use Cases • If your use case involves mobile devices – then use OAuth (with some form of bearer tokens).
Using SAML with OAuth
SAML With OAuth • Use SAML for authentication. • Use SAML token/assertion as the OAuth bearer token in the HTTP bearer header to access protected resources.
Replace SAML with OAuth
Replace SAML With OAuth • Use JWT for authentication. • Use JWT as the OAuth bearer token in the HTTP bearer header to access protected resources.
References
References • PicketLink : http://www.picketlink.org • IETF OAuth2 (http://datatracker.ietf.org/doc/rfc6749/) • OpenID Connect http://openid.net/specs/openid-connectbasic-1_0-22.html
Full Article http://architects.dzone.com/articles/ saml-versus-oauth-which-one
Contact Me anil@apache.org

Recomendados

SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 

Recomendados

SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
Programming Talents
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
Matt Raible
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
AkshaeyBhosale
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | Edureka
Edureka!
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
Brad Genereaux
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Microservice with OAuth2
Microservice with OAuth2Microservice with OAuth2
Microservice with OAuth2
◄ vaquar khan ► ★✔
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
Nagraj Rao
 

Más contenido relacionado

La actualidad más candente

What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
Matt Raible
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | Edureka
Edureka!
 

La actualidad más candente (20)

Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | Edureka
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 

Similar a Saml vs Oauth : Which one should I use?

Unified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the WebUnified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the Web
Akana
 

Similar a Saml vs Oauth : Which one should I use? (20)

Microservice with OAuth2
Microservice with OAuth2Microservice with OAuth2
Microservice with OAuth2
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
Open source wso2 identity server sso with drupal 8
Open source wso2 identity server sso with drupal 8Open source wso2 identity server sso with drupal 8
Open source wso2 identity server sso with drupal 8
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
 
Unified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the WebUnified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the Web
 
Unified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the WebUnified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the Web
 
GHC18 Abstract - API Security, a Grail Quest
GHC18 Abstract - API Security, a Grail QuestGHC18 Abstract - API Security, a Grail Quest
GHC18 Abstract - API Security, a Grail Quest
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
A recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMA recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdM
 
SAML 101
SAML 101SAML 101
SAML 101
 
Federated and fabulous identity
Federated and fabulous identityFederated and fabulous identity
Federated and fabulous identity
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive Overview
 
SSO - Presentation
SSO - PresentationSSO - Presentation
SSO - Presentation
 
SAML
SAMLSAML
SAML
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
oAuth presentation
oAuth presentationoAuth presentation
oAuth presentation
 
Presentation
PresentationPresentation
Presentation
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
SAML Smackdown
SAML SmackdownSAML Smackdown
SAML Smackdown
 

Más de Anil Saldanha

Anil saldhana identitycloud
Anil saldhana identitycloudAnil saldhana identitycloud
Anil saldhana identitycloud
Anil Saldanha
 
Advances inbrowsersecurity
Advances inbrowsersecurityAdvances inbrowsersecurity
Advances inbrowsersecurity
Anil Saldanha
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseap
Anil Saldanha
 
Anil saldhana oasisid_cloud
Anil saldhana oasisid_cloudAnil saldhana oasisid_cloud
Anil saldhana oasisid_cloud
Anil Saldanha
 

Más de Anil Saldanha (11)

Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With Picketlink
 
Anil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpractices
 
Anil saldhana cloud identity
Anil saldhana cloud identityAnil saldhana cloud identity
Anil saldhana cloud identity
 
Oasis Identity In The Cloud Technical Committee
Oasis Identity In The Cloud Technical CommitteeOasis Identity In The Cloud Technical Committee
Oasis Identity In The Cloud Technical Committee
 
Oasis IDCloud TC - Anil Saldhana
Oasis IDCloud TC - Anil SaldhanaOasis IDCloud TC - Anil Saldhana
Oasis IDCloud TC - Anil Saldhana
 
Anil saldhana identitycloud
Anil saldhana identitycloudAnil saldhana identitycloud
Anil saldhana identitycloud
 
Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5
 
Advances inbrowsersecurity
Advances inbrowsersecurityAdvances inbrowsersecurity
Advances inbrowsersecurity
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseap
 
Anil saldhana oasisid_cloud
Anil saldhana oasisid_cloudAnil saldhana oasisid_cloud
Anil saldhana oasisid_cloud
 
Google App Engine
Google App EngineGoogle App Engine
Google App Engine
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Saml vs Oauth : Which one should I use?

  • 1. SAML vs OAuth Anil Saldhana anil@apache.org http://anil-identity.blogspot.com Reference: http://architects.dzone.com/articles/saml-versus-oauthwhich-one
  • 3. Informal Definitions • SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve – Single Sign On (SSO), – Federation and – Identity Management.
  • 4. Informal Definitions • OAuth (Open Authorization) is a standard for authorization of resources. • It does not deal with authentication. – Look for OpenID Connect for Authentication.
  • 6. Formal Definitions • Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. • From Wikipedia Page on SAML
  • 7. Formal Definitions • OAuth : An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. • From OAuth.net
  • 10. Token Or Message Format • SAML deals with XML as the data construct or token format. • OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens (https://docs.jboss.org/author/display/PLINK/ OAuth+Bearer+Tokens).
  • 12. Transport • SAML has Bindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc. – But there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.
  • 13. Transport • OAuth uses HTTP exclusively.
  • 14. Scope
  • 15. Scope • Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios – within an enterprise or – enterprise to partner or – enterprise to cloud scenarios.
  • 16. Scope • OAuth has been designed for use with applications on the internet, – primarily for delegated authorization of internet resources. • OAuth is designed for Internet Scale.
  • 20. Use Cases • If your use case involves SSO (when at least one actor or partner is an enterprise) – then use SAML.
  • 21. Use Cases • If your use case involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc.) – then use OAuth.
  • 22. Use Cases • If your use case involves providing access to a partner or customer application to your portal – then use SAML.
  • 23. Use Cases • If your use case requires a centralized identity source – then use SAML. You can also use an Open ID Provider as a central Identity Provider under the OpenID Connect Specification (under development).
  • 24. Use Cases • If your use case involves mobile devices – then use OAuth (with some form of bearer tokens).
  • 26. SAML With OAuth • Use SAML for authentication. • Use SAML token/assertion as the OAuth bearer token in the HTTP bearer header to access protected resources.
  • 28. Replace SAML With OAuth • Use JWT for authentication. • Use JWT as the OAuth bearer token in the HTTP bearer header to access protected resources.
  • 30. References • PicketLink : http://www.picketlink.org • IETF OAuth2 (http://datatracker.ietf.org/doc/rfc6749/) • OpenID Connect http://openid.net/specs/openid-connectbasic-1_0-22.html