As part of project PicketLink (http://www.picketlink.org ), I get asked questions on various aspects of security, trust and identity management.
One of the primary questions I get asked is - "What is the difference between SAML and OAuth?". I hope I can use this article to provide my thoughts on this important topic. I will also try to point out various use cases where each one is preferred.
What is the Big Difference Between SAML and OAuth?
Informally in my own words:
SAML (Security Assertion Markup Language) is an umbrella standard that encompasses profiles, bindings and constructs to achieve Single Sign On (SSO), Federation and Identity Management.
OAuth (Open Authorization) is a standard for authorization of resources. It does not deal with authentication.
For formal definitions,
According to wikipedia page on SAML:
Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
according to OAuth.netAn open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
What are the Other Differences?
1. Token or Message Format<
SAML deals with XML as the data construct or token format.
OAuth tokens can be binary, JSON or SAML as explained in OAuth Bearer Tokens.
SAML has Bindings that use HTTP such as HTTP POST Binding, HTTP REDIRECT Binding etc.
But there is no restriction on the transport format. You can use SOAP or JMS or any transport you want to use to send SAML tokens or messages.
OAuth uses HTTP exclusively.
Even though SAML was designed to be applicable openly, it is typically used in Enterprise SSO scenarios -
- within an enterprise or
- enterprise to partner or
- enterprise to cloud scenarios.
OAuth has been designed for use with applications on the internet, primarily for delegated authorization of internet resources. OAuth is designed for Internet Scale.
Which Versions of the Standards Should I Use?
SAML v2.0 and OAuth v2.0 are the latest versions of the standards.
When Should I Use Which?
- If your usecase involves SSO (when at least one actor or participant is an enterprise), then use SAML.
- If your usecase involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc), then use OAuth.
- If you need to provide access to a partner or customer application to your portal, then use SAML.
- If your usecase requires a centralized identity source, then use SAML (Identity provider).
- If your usecase involves mobile devices, then OAuth2 with some form of Bearer Tokens is appropriate.
I Want to Use Both SAML and OAuth. Can I?
You can use SAML for authentication. Once you have a SAML token/assertion, you can use that as the OAuth bearer token in the HTTP bearer header to access protected resources.
Recently, we have had a requirement from the PicketLink community along these lines.
What is the Alternative to SAML XML Tokens in the OAuth World?
Look at JSON Web Token (JWT): https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
JWT Bearer Tokens can be used with OAuth2.
There is work going on at the OpenID foundation with OpenID Connect. http://openid.net/specs/openid-connect-basic-1_0-22.html
OpenID Connect is an identity layer on top of OAuth2 that can provide profile information of users from the authorization servers (based on the authentication it has performed).
- PicketLink Open Source Project at http://www.picketlink.org
- OAuth Theory on PicketLink site.
- IETF Web Authorization Working Group (http://datatracker.ietf.org/wg/oauth/charter/)
- IETF OAuth2 (http://datatracker.ietf.org/doc/rfc6749/)
- Google OAuth Document (https://developers.google.com/accounts/docs/OAuth2)
- Microsoft Windows Live OAuth2 Document (http://msdn.microsoft.com/en-us/library/live/hh243647.aspx)
- Amazon Web Services and SAML http://aws.typepad.com/aws/2013/11/aws-identity-and-access-management-using-saml.html
- Salesforce SAML. https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml.htm&language=en
- Google Apps SAML. https://developers.google.com/google-apps/sso/saml_reference_implementation
- OpenID Connect http://openid.net/specs/openid-connect-basic-1_0-22.html