[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 878
  • Last Modified:

OAuth vs SAML

What are the advantages of one over the other.  Does one perform better security (encryption).  What one would be best to choose.

Anthony Lucia
Anthony Lucia
1 Solution
btanExec ConsultantCommented:
looks at it primarily from SSO aspects, and the two (SAML and OAuth) use similar terms for similar concepts. The entity such as resource server and identity (or authorization) server  applies.

The big advantage with OAuth flows are that the communication from the authorization Server back to the Client and resource Server is done over HTTP Redirects with the token information provided as query parameters. OAuth also doesn't assume the Client is a web-browser whereas the default SAML Web Browser SSO Profile does.

Also native mobile applications will just work out of the box. No workarounds necessary for OAuth compared with SAML. The latter implement HTTP binding and prefers HTTP POST for the SAML token exchanges while mobile apps don't have access to the HTTP POST body. The apps only have access to the URL use to launch the application - meaning not able to read the SAML token..

However, OAuth doesn't require signing messages by default. If you want to add that in, note that it is not "out of the box", and the OAuth spec works without it. And it does prescribe that all requests should be made over SSL/TLS. There is myth saying OAuth is for Authorization, not Authentication. Not really though - there is the OpenID Connect Basic Profile that is built directly on top of OAuth...

SAML has one feature that OAuth lacks - SAML token contains the user identity information (because of signing). With OAuth, not "out of the box", and instead, the resource server needs to make an additional round trip to validate the token with the authorization server.

In summary, both approaches have nice features and both will work for SSO. OAuth provides a simpler and more standardized solution which may covers most (but not so much of security driven) current needs and avoids the use of workarounds for interoperability with native applications. It is leading the way via standard and has advantage of being latest and do expect more security interoperability coming in and building on it (see OpenID a/m)

Quick ref - http://architects.dzone.com/articles/saml-versus-oauth-which-one

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now