3. Informal Definitions
• SAML (Security Assertion Markup Language) is
an umbrella standard whose building blocks
(assertions, protocols, bindings and profiles) are
combined to achieve
– Single Sign On (SSO),
– Federation and
– Identity Management.
4. Informal Definitions
• OAuth (Open Authorization) is a standard for
delegated authorization: a client obtains limited
access to a resource on behalf of the resource
owner, without ever holding the owner's credentials.
• It does not deal with authentication: an access
token proves that a client was authorized, not who
the user is.
– Look to OpenID Connect, which layers an identity
token on top of OAuth 2.0, for authentication.
6. Formal Definitions
• Security Assertion Markup Language is an
XML-based open standard data format for
exchanging authentication and authorization
data between parties, in particular, between
an identity provider and a service provider.
• From Wikipedia Page on SAML
7. Formal Definitions
• OAuth : An open protocol to allow secure
authorization in a simple and standard
method from web, mobile and desktop
applications.
• From OAuth.net
10. Token Or Message Format
• SAML deals with XML as the data construct or
token format: an assertion is an XML document,
normally protected with an XML Signature.
• OAuth 2.0 does not specify an access token format.
To the client a bearer token is an opaque string; in
practice it is an opaque reference handle, a JSON
Web Token, or even a SAML assertion, as explained
in OAuth Bearer Tokens
(https://docs.jboss.org/author/display/PLINK/OAuth+Bearer+Tokens).
12. Transport
• SAML defines Bindings that use HTTP, such as the
HTTP POST Binding, the HTTP Redirect Binding and
the HTTP Artifact Binding, plus a SOAP Binding for
back-channel calls.
– The assertion itself is transport-independent: you
can carry SAML tokens or messages over SOAP, JMS or
any transport you like.
– Caveat: only the standard bindings come with
defined rules for signing, encoding and TLS use, so a
custom transport has to re-derive those protections
(in particular, the Redirect Binding cannot carry an
enveloped XML Signature and signs the query string
instead).
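The difference between the two most common front-channel bindings is purely in how the XML is packaged. The following is an added example (not code from the slides): it builds a constructed AuthnRequest and encodes it for the HTTP Redirect Binding (raw DEFLATE, base64, URL-encoded query parameter) and for the HTTP POST Binding (base64 in a form field), then decodes both. The issuer, destination and ACS URLs are made-up placeholders.

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(issuer: str, acs_url: str, destination: str) -> str:
    """Minimal SP-initiated AuthnRequest (constructed sample, unsigned)."""
    request_id = "_" + uuid.uuid4().hex  # XML IDs must not start with a digit
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="{POST_BINDING}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml: str, relay_state: str = "") -> str:
    """HTTP Redirect Binding: raw DEFLATE (no zlib header), base64, URL-encode.

    Returns the query string to append to the IdP's SSO URL. A signature, if
    used, goes into separate SigAlg/Signature parameters (not shown here).
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 => raw deflate
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query: str) -> str:
    """Reverse of encode_redirect, as the IdP would do on receipt."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def encode_post(xml: str) -> str:
    """HTTP POST Binding: plain base64 in a hidden form field, no compression.

    Because the XML is not squeezed into a URL, an enveloped XML Signature can
    travel inside the message; this is why Responses normally use POST.
    """
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post(field_value: str) -> str:
    return base64.b64decode(field_value).decode("utf-8")


if __name__ == "__main__":
    req = build_authn_request(
        issuer="https://sp.example.com/metadata",          # placeholder
        acs_url="https://sp.example.com/saml/acs",          # placeholder
        destination="https://idp.example.com/saml/sso",     # placeholder
    )
    query = encode_redirect(req, relay_state="/dashboard")
    print("GET https://idp.example.com/saml/sso?" + query)
    assert decode_redirect(query) == req
    assert decode_post(encode_post(req)) == req
```

The receiving side must validate the decoded XML (Destination, Issuer, IssueInstant freshness, and the signature where the binding carries one); the round trip above only shows the packaging that each binding prescribes.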
15. Scope
• Even though SAML was designed to be
applicable openly, it is typically used in
Enterprise SSO scenarios
– within an enterprise or
– enterprise to partner or
– enterprise to cloud scenarios.
16. Scope
• OAuth has been designed for use with
applications on the internet,
– primarily for delegated authorization of internet
resources.
• OAuth is designed for Internet Scale.
20. Use Cases
• If your use case involves SSO (when at least
one actor or partner is an enterprise)
– then use SAML.
21. Use Cases
• If your use case involves granting a third-party
application (temporary or permanent) access to
resources (such as accounts, pictures, files etc.)
– then use OAuth.
22. Use Cases
• If your use case involves providing access to a
partner or customer application to your portal
– then use SAML.
23. Use Cases
• If your use case requires a centralized identity
source
– then use SAML.
– You can also use an OpenID Provider as a central
Identity Provider under the OpenID Connect
specification (still under development when this
deck was written; the final specification was
published in 2014).
24. Use Cases
• If your use case involves mobile devices
– then use OAuth (with some form of bearer
tokens).
– Caveat: a native app cannot keep a client secret,
so use the authorization code grant with PKCE
(RFC 7636) rather than the implicit grant, and
treat the bearer token as the secret it is (TLS
only, secure storage, short lifetime).
26. SAML With OAuth
• Use SAML for authentication (the user signs in at
the enterprise IdP and the SP receives a signed
assertion).
• Exchange the SAML assertion for an OAuth access
token: the SAML 2.0 bearer assertion grant
(RFC 7522, grant_type
urn:ietf:params:oauth:grant-type:saml2-bearer)
presents the assertion to the token endpoint, and
the access token it returns goes in the HTTP
Authorization: Bearer header to access protected
resources.
– Sending the raw SAML assertion as the bearer token
is possible (the token format is unspecified), but it
forces every resource server to parse XML and
validate XML Signatures on each request; the
exchange keeps that work at the authorization server.
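The exchange described above, as an added example that is not part of the slides: the client builds an RFC 7522 token request carrying a constructed SAML assertion; the authorization server checks issuer, audience and validity window and issues a JSON Web Token access token (which also illustrates the JSON token format from the "Token Or Message Format" slide); the resource server then validates the Bearer header. The IdP entity ID, token endpoint URL and HMAC key are placeholders, and XML Signature verification of the assertion, which a real authorization server must do before anything else, is deliberately left out (it needs an XML-security library such as xmlsec).

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import xml.etree.ElementTree as ET  # use defusedxml in production to harden XML parsing
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522
TRUSTED_IDP = "https://idp.example.com/metadata"      # placeholder entity ID
TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"  # placeholder, also the audience
AS_SIGNING_KEY = b"example-only-hs256-key-not-for-production"  # placeholder


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def saml_time(value: str) -> float:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


# Constructed sample assertion (unsigned; a real one carries a ds:Signature)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_4f2a9c" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_token_request(assertion_xml: str, scope: str) -> str:
    """Client side: form body POSTed to the token endpoint (RFC 7522 section 2.1)."""
    return urllib.parse.urlencode(
        {"grant_type": GRANT_TYPE, "assertion": b64url(assertion_xml.encode("utf-8")), "scope": scope}
    )


def issue_access_token(body: str, now: float) -> dict:
    """Authorization server: validate the assertion grant, mint an HS256 JWT access token."""
    params = dict(urllib.parse.parse_qsl(body, strict_parsing=True))
    if params.get("grant_type") != GRANT_TYPE:
        raise ValueError("unsupported_grant_type")
    root = ET.fromstring(b64url_decode(params["assertion"]))
    # Signature verification of `root` against the IdP's certificate belongs here (omitted).
    if root.findtext(f"{{{SAML_NS}}}Issuer") != TRUSTED_IDP:
        raise ValueError("invalid_grant: untrusted issuer")
    if TOKEN_ENDPOINT not in [a.text for a in root.iter(f"{{{SAML_NS}}}Audience")]:
        raise ValueError("invalid_grant: audience does not include this token endpoint")
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("invalid_grant: assertion outside its validity window")
    subject = root.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if not subject:
        raise ValueError("invalid_grant: no subject")
    header = {"alg": "HS256", "typ": "at+jwt"}  # RFC 9068 JWT access token profile
    claims = {"iss": TOKEN_ENDPOINT, "sub": subject, "scope": params.get("scope", ""),
              "iat": int(now), "exp": int(now) + 300}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return {"access_token": signing_input + "." + b64url(sig), "token_type": "Bearer", "expires_in": 300}


def verify_bearer(authorization_header: str, now: float) -> dict:
    """Resource server: check the Bearer header (RFC 6750) and the JWT it carries."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("invalid_request: expected a Bearer token")
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(AS_SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("invalid_token: bad signature")
    claims = json.loads(b64url_decode(signing_input.split(".")[1]))
    if claims.get("iss") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now:
        raise ValueError("invalid_token: wrong issuer or expired")
    return claims


if __name__ == "__main__":
    now = saml_time("2024-01-01T12:00:00Z")
    resp = issue_access_token(build_token_request(SAMPLE_ASSERTION, "photos:read"), now)
    print("GET /photos HTTP/1.1\nAuthorization: Bearer " + resp["access_token"])
    print(verify_bearer("Bearer " + resp["access_token"], now))
```

Note the asymmetry this buys: the resource server only ever sees a compact JSON token it can verify with one HMAC (or one RSA/ECDSA check in a real deployment), while XML parsing, audience checks and the assertion's validity window are handled once at the token endpoint.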