
Anil Saldhana is the Lead Identity Management Architect at JBoss. He blogs at http://anil-identity.blogspot.com

SAML vs OAuth: Which One Should I Use?

11.21.2013

As part of project PicketLink (http://www.picketlink.org ), I get asked questions on various aspects of security, trust and identity management.

One of the primary questions I get asked is - "What is the difference between SAML and OAuth?". I hope I can use this article to provide my thoughts on this important topic. I will also try to point out various use cases where each one is preferred.


What is the big difference between SAML and OAuth?

Informally in my own words:

SAML (Security Assertion Markup Language) is an umbrella standard: it defines assertions (signed XML statements about a subject), protocols, bindings and profiles, and combines them to achieve Single Sign-On (SSO), federation and identity management.

OAuth (commonly expanded as Open Authorization) is a standard for delegated authorization: it lets a resource owner grant a client application limited access to resources without handing over credentials. It does not define how the user is authenticated; that is left to the authorization server, or to OpenID Connect layered on top (see below).

For formal definitions,

According to the Wikipedia page on SAML:

Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

According to OAuth.net:

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.

What are the other differences?

 1. Token or Message Format

SAML messages and assertions are XML; an assertion is normally protected with an XML Signature from the identity provider.

OAuth 2.0 does not mandate a token format. To the client an access token is an opaque string; the authorization server may issue a random reference value, a JSON Web Token, or even a SAML assertion. The OAuth Bearer Token specification describes how any of these is carried, and the SAML bearer assertion profile covers the SAML case.


2. Transport
SAML defines bindings that use HTTP, such as the HTTP POST Binding and the HTTP Redirect Binding, but it does not restrict the transport: SAML assertions and messages can also be carried over SOAP, JMS or any other transport you choose.
OAuth 2.0 is specified for HTTP only, and requires TLS (HTTPS) on the endpoints that carry credentials and tokens.
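To make the HTTP Redirect Binding concrete, here is an added example (not code from the original post or from PicketLink) that shows both ends of it: the service provider DEFLATEs, base64s and URL-encodes an AuthnRequest into the SAMLRequest query parameter, and the identity provider reverses that. The AuthnRequest, its ID, issuer and URLs are made-up values, and the inflate cap is an assumed limit; a real request would also carry SigAlg and Signature parameters, whose verification is outside this example.

```python
import base64
import urllib.parse
import zlib
from xml.etree import ElementTree as ET

# Constructed sample AuthnRequest; issuer, ID and URLs are made-up values.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_abc123" Version="2.0" IssueInstant="2013-11-21T10:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_INFLATED_BYTES = 64 * 1024  # assumed cap; untrusted DEFLATE input can inflate ~1000x


def encode_redirect_binding(xml: str, relay_state: str = "") -> str:
    """Service-provider side of the HTTP Redirect Binding: raw DEFLATE the message,
    base64 it, then URL-encode it as the SAMLRequest query parameter."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query: str) -> ET.Element:
    """Identity-provider side: undo the binding with a hard limit on the inflated size,
    so a tiny compressed request cannot exhaust memory before any signature check."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml_bytes = inflater.decompress(raw, MAX_INFLATED_BYTES)
    if not inflater.eof:  # stream is truncated, or its output was cut off at the cap
        raise ValueError("SAMLRequest is truncated or inflates past the configured limit")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"unexpected SAML message: {root.tag}")
    return root


def relay_state_of(query: str) -> str:
    """Return the RelayState that rode along with the request (empty if absent)."""
    return urllib.parse.parse_qs(query).get("RelayState", [""])[0]
```

The size cap is the check a practitioner wants here: the identity provider inflates attacker-controlled bytes before it can verify anything. In production also parse with a hardened XML parser (for example defusedxml) rather than the standard library one, and verify the SigAlg/Signature parameters before trusting any field of the request.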

3. Scope

Even though SAML was designed to be generally applicable, it is typically used in enterprise SSO scenarios:

  • within an enterprise or
  • enterprise to partner or
  • enterprise to cloud scenarios.

OAuth was designed for applications on the Internet, primarily for delegated authorization of Internet resources; it was designed for Internet scale.


Which versions of the standards should I use?


At the time of writing, SAML 2.0 (OASIS Standard, 2005) and OAuth 2.0 (RFC 6749, 2012) are the current versions. Neither is backwards compatible with its predecessor: SAML 2.0 messages differ from SAML 1.x, and OAuth 2.0 is a different protocol from OAuth 1.0a, so pick the 2.0 versions for new work.


When should I use which?

  • If your use case involves SSO (when at least one actor or participant is an enterprise), use SAML.
  • If your use case involves granting an application temporary or permanent access to resources (accounts, pictures, files etc.) on a user's behalf, use OAuth.
  • If you need to give a partner's or customer's application access to your portal, use SAML.
  • If your use case requires a centralized identity source, use SAML (an identity provider).
  • If your use case involves mobile devices, OAuth 2.0 with some form of bearer token is appropriate.


I want to use both SAML and OAuth. Can I?

Yes. Use SAML for authentication. Once you hold a SAML assertion, there are two ways to get from it to a protected OAuth resource: exchange the assertion at the authorization server for an access token (the SAML 2.0 bearer assertion grant), or, if your resource server is willing to accept one directly, send the assertion itself as the bearer token in the HTTP Authorization header (`Authorization: Bearer <token>`). Either way the token is a bearer credential: anyone who captures it can replay it, so it must travel only over TLS and should be short-lived.

Recently, we have had a requirement from the PicketLink community along these lines.

https://docs.jboss.org/author/display/PLINK/REST+Service+to+convert+SAML+Tokens+Into+OAuth+Tokens

What is the alternative to SAML XML Tokens in the OAuth World?

Look at JSON Web Token (JWT), an IETF draft in the OAuth working group at the time of writing: https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/

A JWT is a compact, URL-safe JSON token, signed (JWS) or encrypted (JWE), that plays the role the XML assertion plays in SAML. JWT bearer tokens can be used with OAuth 2.0 both as access tokens and, via the JWT bearer assertion grant, as a way to obtain them.
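The following is an added example, not code from the original post or from PicketLink, showing a JWT in the two roles discussed above: an authorization server minting an HS256 JWT as the access token, and a resource server pulling it from the `Authorization: Bearer` header and validating it. The shared secret, issuer, audience and claims are constructed values; a real deployment would more likely use an asymmetric algorithm (RS256/ES256) so the resource server holds no signing capability.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed shared HMAC secret between authorization server and resource server.
# Constructed for this example only; use a random secret of at least 256 bits,
# kept outside the code, or better an RS256/ES256 key pair.
SIGNING_KEY = b"example-only-hmac-secret-do-not-reuse-0123456789"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Authorization-server side: issue a compact HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: Optional[int] = None) -> dict:
    """Resource-server side: check signature, then the claims that make the token usable here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm; never let the token header pick it ('none' / alg-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def authorize_request(headers: dict, key: bytes, issuer: str, audience: str,
                      now: Optional[int] = None) -> dict:
    """RFC 6750 resource server: extract the bearer token and validate it,
    raising PermissionError (a 401 with error=invalid_token in practice) on failure."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise PermissionError("missing bearer token")
    try:
        return verify_jwt(token.strip(), key, issuer, audience, now)
    except ValueError as exc:
        raise PermissionError(f"invalid_token: {exc}") from exc
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and issuer, audience and expiry are all enforced, since a valid signature alone says nothing about whether this token was meant for this resource server. An OpenID Connect ID Token is validated the same way, with the client's own identifier as the audience plus a nonce check.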

Related work is going on at the OpenID Foundation with OpenID Connect: http://openid.net/specs/openid-connect-basic-1_0-22.html

OpenID Connect is an identity layer on top of OAuth 2.0. It adds an ID Token (a signed JWT stating who authenticated, at which issuer, when and for which client) and a UserInfo endpoint from which the client can fetch profile claims about the user, based on the authentication the authorization server performed. This is what fills the authentication gap in plain OAuth 2.0.



Published at DZone with permission of its author, Anil Saldhana.


Comments

Rainer Hörbe replied on Sat, 2013/12/07 - 5:45pm

I would add a few considerations:

The scope of SAML WebSSO includes large federations with thousands of services. The ecosystem for other technologies is not mature yet to support that kind of scalability.

For a full comparison OpenID Connect should be added on the OAuth side to have the matching use case to SAML WebSSO.

If high assurance is required, SAML provides holder-of-key patterns, whereas OAuth2 currently comes with bearer tokens.

Delegation is specified, but not very much used in SAML. OAuth2 provides options in that area.
