DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Related

  • Understanding Properties of Zero Trust Networks
  • When APIs Go Wrong: Neglecting Rate Limiting
  • Modern Digital Authentication Protocols
  • Role-Based Multi-Factor Authentication

Trending

  • Bonsai Checklist: 5 Rules to Make Your Open-Source Project Popular
  • High-Performance Reactive REST API and Reactive DB Connection Using Java Spring Boot WebFlux R2DBC Example
  • Building Scalable AI-Driven Microservices With Kubernetes and Kafka
  • How Dynamic Internal Developer Platforms Boost Developer Experience and Productivity
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. SAML vs. OAuth: Which One Should I Use?

SAML vs. OAuth: Which One Should I Use?

Learn about the differences between SAML and OAuth plus use cases for each one.

By 
Anil Saldanha user avatar
Anil Saldanha
·
Nov. 21, 13 · Tutorial
Likes (10)
Comment
Save
Tweet
Share
294.5K Views

Join the DZone community and get the full member experience.

Join For Free

As part of project PicketLink (http://www.picketlink.org ), I get asked questions on various aspects of security, trust and identity management.

One of the primary questions I get asked is - "What is the difference between SAML and OAuth?". I hope I can use this article to provide my thoughts on this important topic. I will also try to point out various use cases where each one is preferred.

What is the Big Difference Between SAML and OAuth?

Informally in my own words:

SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve Single Sign On (SSO), Federation and Identity Management.

OAuth (Open Authorization) is a standard for authorization of resources. It does not deal with authentication.

For formal definitions,

According to wikipedia page on SAML:

Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. 

according to OAuth.net

An open protocol to allow secure authorization  in a simple and standard method from web, mobile and desktop applications.

What are the Other Differences?

 1. Token or Message Format<

SAML deals with XML as the data construct or token format.

OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens.

2. Transport

SAML has Bindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc.

But there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.

OAuth uses HTTP exclusively.

3. Scope

Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios -

  • within an enterprise or
  • enterprise to partner or
  • enterprise to cloud scenarios.

OAuth has been designed for use with applications on the internet, primarily for delegated authorization of internet resources. OAuth is designed for Internet Scale.


Which Versions of the Standards Should I Use?

SAML v2.0 and OAuth v2.0 are the latest versions of the standards.

When Should I Use Which?

  • If your usecase involves SSO (when at least one actor or participant is an enterprise), then use SAML.
  • If your usecase involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc), then use OAuth.
  • If you need to provide access to a partner or customer application to your portal, then use SAML.
  • If your usecase requires a centralized identity source, then use SAML  (Identity provider).
  • If your usecase involves mobile devices, then OAuth2 with some form of Bearer Tokens is appropriate.

I Want to Use Both SAML and OAuth. Can I?

You can use SAML for authentication. Once you have a SAML token/assertion, you can use that as the OAuth bearer token in the HTTP bearer header to access protected resources.

Recently, we have had a requirement from the PicketLink community along these lines.

https://docs.jboss.org/author/display/PLINK/REST+Service+to+convert+SAML+Tokens+Into+OAuth+Tokens

What is the Alternative to SAML XML Tokens in the OAuth World?

Look at JSON Web Token (JWT): https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/

JWT Bearer Tokens can be used with OAuth2.

There is work going on at the OpenID foundation with OpenID Connect. http://openid.net/specs/openid-connect-basic-1_0-22.html

OpenID Connect is an identity layer on top of OAuth2 that can provide profile information of users from the authorization servers (based on the authentication it has performed). 

References

  • PicketLink Open Source Project at http://www.picketlink.org
  • OAuth Theory  on PicketLink site.
  • IETF Web Authorization Working Group (http://datatracker.ietf.org/wg/oauth/charter/)
  • IETF OAuth2 (http://datatracker.ietf.org/doc/rfc6749/)
  • Google OAuth Document (https://developers.google.com/accounts/docs/OAuth2)
  • Microsoft Windows Live OAuth2 Document (http://msdn.microsoft.com/en-us/library/live/hh243647.aspx)
  • Amazon Web Services and SAML http://aws.typepad.com/aws/2013/11/aws-identity-and-access-management-using-saml.html
  • Salesforce SAML. https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml.htm&language=en
  • Google Apps SAML. https://developers.google.com/google-apps/sso/saml_reference_implementation
  • OpenID Connect http://openid.net/specs/openid-connect-basic-1_0-22.html
authentication security

Opinions expressed by DZone contributors are their own.

Related

  • Understanding Properties of Zero Trust Networks
  • When APIs Go Wrong: Neglecting Rate Limiting
  • Modern Digital Authentication Protocols
  • Role-Based Multi-Factor Authentication

Partner Resources

Comments

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: