SAML and oAuth are two popular authentication methods used in web application, but they are for different purposes.
SAML is more similar to other authentication methods, such as basic, client cert, etc., in which, the web server must manage user's authorization information, and decide which user can perform what kind of operation. The major benefit of SAML over other authentication methods are Single-Sign-On, so that a independent identity provider can handle authentication request for multiple service providers. The key thing is although different service providers cannot share their authentication session with each other, the authentication session in the common identity provider can be used by all service providers, so as long as user has a valid authentication session on the SAML identity provider, then multiple service provider can reuse it without requiring user to authenticate again.
oAuth, on other hand, is quite different. When a web server uses oAuth, it no longer manager each user or user group's information, instead, it relies on the oauth provider's instruction on what operation can be performed on a oauth session. The oauth provider will authenticate the user and also authorization user' permission. As web server no longer manages user's information, so it does not need to expose the user credential to web server. Note oauth provider still needs to authenticate the user, using SAML, Basic, or client certificate. So it moves both authentication and authorization task out of the web server to third party oauth provider.
When oauth provider returns an oauth access token to web server, the web server must decide whether to allow the session to access the required web resource, this means there is a close coupling between the oauth authorization provider and web server. That is why, usually oauth provider from one company only support the web service from the same company. While on the other hand, SAML provider from one company can be easily used in other company's web service.
When oauth provider returns an oauth access token to web server, the web server must decide whether to allow the session to access the required web resource, this means there is a close coupling between the oauth authorization provider and web server. That is why, usually oauth provider from one company only support the web service from the same company. While on the other hand, SAML provider from one company can be easily used in other company's web service.
As oAuth can use SAML for user authentication, so SSO benefit from SAML authentication can also be used by oAuth. If user is already authenticated with the SAML IDP, the SAML session can also be used by any SAML service provider powered oauth web server, so the oauth provider can directly return an access token without requiring user to input his credential on the oAuth login page.
No comments:
Post a Comment