OAuth vs SAML

What are the advantages of one over the other? Does one provide better security (encryption)? Which one would be best to choose?

Anthony Lucia asked:

btan, Exec Consultant, commented:
Looking at it primarily from the SSO aspect, the two (SAML and OAuth) use similar terms for similar concepts. Entities such as the resource server and the identity (or authorization) server apply to both.

The big advantage with OAuth flows is that the communication from the authorization server back to the client and resource server is done over HTTP redirects, with the token information provided as query parameters. OAuth also doesn't assume the client is a web browser, whereas the default SAML Web Browser SSO Profile does.

Also, native mobile applications will just work out of the box; no workarounds are necessary for OAuth compared with SAML. The latter implements HTTP bindings and prefers HTTP POST for the SAML token exchanges, while mobile apps don't have access to the HTTP POST body. The apps only have access to the URL used to launch the application, meaning they are not able to read the SAML token.

However, OAuth doesn't require signing messages by default. If you want to add that in, note that it is not "out of the box", and the OAuth spec works without it. It does prescribe that all requests should be made over SSL/TLS. There is a myth that OAuth is for authorization, not authentication. Not really, though: there is the OpenID Connect Basic Profile that is built directly on top of OAuth...

SAML has one feature that OAuth lacks: the SAML token contains the user identity information (because of signing). With OAuth this is not "out of the box"; instead, the resource server needs to make an additional round trip to validate the token with the authorization server.

In summary, both approaches have nice features and both will work for SSO. OAuth provides a simpler and more standardized solution which may cover most (but not so much the security-driven) current needs and avoids the use of workarounds for interoperability with native applications. It is leading the way via standards and has the advantage of being the latest, so do expect more security interoperability coming in and building on it (see OpenID, as mentioned above).

Quick ref - http://architects.dzone.com/articles/saml-versus-oauth-which-one
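The difference the answer above draws between a signed, self-contained SAML assertion and an opaque OAuth bearer token that the resource server must validate with an extra round trip can be seen in a small model. The following is an added example, not code from the thread or from any SAML/OAuth library. Its assumptions: a shared HMAC key stands in for the identity provider's signature (real SAML uses XML-DSig, normally with an asymmetric key), the authorization server's introspection endpoint is a local method rather than an HTTPS call, and all key material and claims are constructed sample values.

```python
"""Simplified model of the two token-validation styles discussed above.

Added example. Assumptions: HMAC-SHA256 with a shared key stands in for the
IdP's XML signature; AuthorizationServer.introspect() stands in for an
RFC 7662-style HTTPS introspection call; all values are constructed samples.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real IdP would sign with a private key.
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- SAML-style: identity claims travel inside a signed assertion ---

def issue_assertion(subject: str, audience: str, ttl: int = 300, now=None) -> str:
    """IdP side: bind the identity claims to the token with a signature."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "idp.example", "sub": subject, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(token: str, expected_audience: str, now=None):
    """Resource server side: no round trip, but signature, audience and
    expiry must all be checked locally. Returns the claims or None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # tampered claims or a forged signature
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None  # replayed against the wrong service, or expired
    return claims


# --- OAuth-style: opaque bearer token, validated by a round trip ---

class AuthorizationServer:
    """Keeps token state; the resource server has to ask it (introspection)."""

    def __init__(self):
        self._tokens = {}
        self.introspection_calls = 0  # counts the extra round trips

    def issue_token(self, subject: str, scope: str, ttl: int = 300, now=None) -> str:
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)  # opaque: carries no identity itself
        self._tokens[token] = {"sub": subject, "scope": scope, "exp": now + ttl}
        return token

    def introspect(self, token: str, now=None) -> dict:
        self.introspection_calls += 1
        now = int(time.time()) if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False}  # unknown, revoked or expired token
        return {"active": True, **rec}


def check_bearer(auth_server: AuthorizationServer, token: str, required_scope: str, now=None):
    """Resource server side: the token alone tells it nothing, so it must
    call back to the authorization server. Returns token info or None."""
    info = auth_server.introspect(token, now=now)
    if not info.get("active"):
        return None
    if required_scope not in info.get("scope", "").split():
        return None
    return info
```

The SAML-style branch shows why the signature matters: the identity is trusted only because the resource server can verify it offline, and the same check rejects a tampered subject or a token replayed against another audience. The OAuth-style branch shows the extra round trip the answer mentions, and why token introspection (or a signed token format such as a JWT) is needed before an opaque bearer token can be trusted.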
