OAuth vs SAML

Posted on 2014-08-07
Last Modified: 2014-08-08
What are the advantages of one over the other? Does one provide better security (encryption)? Which one would be best to choose?

Question by: Anthony Lucia

    Accepted Solution

    Looking at it primarily from SSO aspects, the two (SAML and OAuth) use similar terms for similar concepts. Entities such as the resource server and the identity (or authorization) server apply to both.

    The big advantage with OAuth flows is that the communication from the authorization server back to the client and resource server is done over HTTP redirects, with the token information provided as query parameters. OAuth also doesn't assume the client is a web browser, whereas the default SAML Web Browser SSO Profile does.

    Also, native mobile applications will just work out of the box. No workarounds are necessary for OAuth compared with SAML. The latter implements HTTP bindings and prefers HTTP POST for the SAML token exchanges, while mobile apps don't have access to the HTTP POST body. The apps only have access to the URL used to launch the application, meaning they are not able to read the SAML token.

    However, OAuth doesn't require signing messages by default. If you want to add that in, note that it is not "out of the box", and the OAuth spec works without it. It does prescribe that all requests should be made over SSL/TLS. There is a myth saying OAuth is for authorization, not authentication. Not really, though: there is the OpenID Connect Basic Profile that is built directly on top of OAuth...

    SAML has one feature that OAuth lacks: the SAML token contains the user identity information (because of signing). With OAuth, this is not "out of the box"; instead, the resource server needs to make an additional round trip to validate the token with the authorization server.

    In summary, both approaches have nice features and both will work for SSO. OAuth provides a simpler and more standardized solution which may cover most (but not so much of the security-driven) current needs and avoids the use of workarounds for interoperability with native applications. It is leading the way via standards and has the advantage of being the latest, and do expect more security interoperability coming in and building on it (see OpenID a/m).

    Quick ref -
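The contrast the answer draws between a signed, self-contained SAML-style assertion (validated locally by the resource server) and an opaque OAuth bearer token (validated by an extra round trip to the authorization server) is illustrated below. This is an added example, not code from the original post or from any SAML/OAuth library; the HMAC key, the in-memory token store, the `idp.example` issuer name and the introspection response shape are constructed assumptions.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo key shared by issuer and resource server; real SAML/JWS
# deployments use asymmetric keys, and this key is not for production use.
ISSUER_KEY = b"demo-signing-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_signed_assertion(subject, now, ttl_s=300):
    """SAML-style: identity claims travel inside a signed, self-contained token."""
    body = json.dumps({"sub": subject, "iss": "idp.example", "exp": now + ttl_s},
                      sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def verify_signed_assertion(token, now):
    """Resource server validates locally (no round trip) but must check signature and expiry."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    claims = json.loads(body)
    return claims["sub"] if claims.get("exp", 0) > now else None

# Constructed stand-in for the authorization server's token store.
_AS_TOKENS = {}

def issue_opaque_token(subject, now, ttl_s=300):
    """OAuth-style bearer token: random, carries no identity by itself."""
    token = _b64(os.urandom(16))
    _AS_TOKENS[token] = {"sub": subject, "exp": now + ttl_s}
    return token

def introspect(token, now):
    """The extra round trip: ask the authorization server whether the token is active
    (response modelled on the RFC 7662 introspection shape)."""
    rec = _AS_TOKENS.get(token)
    if rec is None or rec["exp"] <= now:
        return {"active": False}
    return {"active": True, "sub": rec["sub"], "exp": rec["exp"]}

def verify_opaque_token(token, now):
    info = introspect(token, now)
    return info["sub"] if info.get("active") else None
```

Note that the opaque token is only as trustworthy as the channel it travels on and the introspection call that backs it, which is why the answer's point about mandatory TLS matters for OAuth.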
