SAML 1.1 vs SAML 2.0

Posted on 2014-08-18
Last Modified: 2014-08-19
I understand that with OAuth, there is the following distinction

OAuth 1.1:  Very simple protocol directed towards the mobile community
OAuth 2.0:  More complex and secure update, but without popularity

What would be the comparison between SAML 1.1 and SAML 2.0?

How are they different, and how should I decide which one to use?

Question by: Anthony Lucia
    LVL 60

    Assisted Solution

    It is good to see the details listed in the OASIS community on the standard.

    The key takeaway, as highlighted, is that SAML V2.0 assertions and protocol messages are incompatible with SAML V1.x processors; however, only new major versions of SAML typically cause this sort of incompatibility. For such a major release, it is done for consistency and better component symmetry.

    For the security enhancement in v2.0, I see it more as coming from its support for the W3C XML Encryption recommendation to satisfy privacy requirements for several important SAML constructs. This is on top of the existing digital signing of assertions and protocol messages.

    Also among the related security changes, the Authentication Request Protocol provides support for SP-initiated web SSO exchanges. This protocol allows the SP to make requests to an IdP and potentially control various aspects of the user authentication at the IdP.

    Overall, the use of SAML v2.0 is recommended nonetheless if you are just starting; if riding on SAML v1.1, I see it more as riding on legacy build-up, and you should plan for an upgrade, as most public e-service providers will demand this newer (v2) compatibility, which v1.1 does not have. Note that SSO is a potential major driver for v2.0, giving a seamless user experience for consuming the requested web services...
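As an added illustration of the incompatibility point made above (this is not code from the question or the answerers), here is a small Python check a SAML 2.0-only service provider could run on an inbound message: it tells a 2.0 message from a 1.x one by namespace and version attributes, and notes whether the digital signature and XML Encryption constructs the answer mentions are present. The XML samples are constructed; the signature element is a presence-only placeholder.

```python
"""Version-gate inbound SAML messages (added example; all sample XML below is
constructed and is not taken from any real deployment)."""
import xml.etree.ElementTree as ET

# SAML 1.0 and 1.1 share the 1.0 namespaces; SAML 2.0 introduced new ones.
SAML1_NS = {"urn:oasis:names:tc:SAML:1.0:assertion", "urn:oasis:names:tc:SAML:1.0:protocol"}
SAML2_NS = {"urn:oasis:names:tc:SAML:2.0:assertion", "urn:oasis:names:tc:SAML:2.0:protocol"}
DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
ENC_ASSERTION = "{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion"


def saml_version(root: ET.Element) -> str:
    """'2.0' needs the 2.0 namespace plus Version="2.0"; 1.x carries Major/MinorVersion."""
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns in SAML2_NS and root.get("Version") == "2.0":
        return "2.0"
    if ns in SAML1_NS and root.get("MajorVersion") == "1":
        return "1." + root.get("MinorVersion", "0")
    return "unknown"


def classify(xml_text: str) -> dict:
    """Report version, signature/encryption presence, and whether a 2.0-only SP accepts it.
    Stdlib parser used for the demo; a hardened XML parser belongs in production code."""
    root = ET.fromstring(xml_text)
    version = saml_version(root)
    signed = any(True for _ in root.iter(DSIG))
    encrypted = any(True for _ in root.iter(ENC_ASSERTION))
    # Policy of a SAML 2.0-only service provider: 1.x and 2.0 processors are
    # incompatible, so anything but a signed 2.0 message is rejected up front.
    return {"version": version, "signed": signed, "encrypted": encrypted,
            "accepted": version == "2.0" and signed}


SAML2_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>"""

SAML11_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" ResponseID="_r2">
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a2"/>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("SAML 2.0", SAML2_RESPONSE), ("SAML 1.1", SAML11_RESPONSE)):
        print(name, classify(doc))
```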
    LVL 30

    Accepted Solution

    SAML 2.0 is better to use as it is an improvement over 1.1.
    LVL 60

    Expert Comment

    Agreed, and with wider compatibility and forward-looking web service and security provisioning, as mentioned in my earlier post.
