SAML and OAuth comparison
DevConf 2014, Brno
JBoss by Red Hat
Peter Škopek, pskopek@redhat.com, twitter: @pskopek
Feb 7, 2014

Abstract
SAML and OAuth are two of the most widely used protocols/standards for single sign-on of applications. This session compares them and describes use cases for each.
Section 1: Welcome
Agenda
1. Welcome
2. Overview: SAML 2.0, OAuth 2.0
3. Comparison: Differences, Security Considerations
Section 2: Overview
Security Assertion Markup Language (SAML 2.0)
SAML is an XML-based data format for exchanging authentication and authorization information between parties. SAML defines the syntax and processing semantics of assertions made about a subject by a system entity. SAML system entities may use other protocols to communicate, either regarding an assertion itself or regarding the subject of an assertion. SAML assertions and protocol messages are encoded in XML and use XML namespaces. They are typically embedded in other structures for transport, such as HTTP POST requests or XML-encoded SOAP messages.
SAML Sub-Specifications
- The SAML bindings specification provides frameworks for the embedding and transport of SAML protocol messages.
- The SAML profiles specification provides a baseline set of profiles for the use of SAML assertions and protocols to accomplish specific use cases or achieve interoperability when using SAML features.
- The SAML metadata specification
- The SAML authentication context specification
- The SAML conformance requirements specification
SAML Actors
There are three key actors in the SAML specification:
- Principal: typically a user
- Service Provider (SP): a system entity that provides services to principals or to other system entities
- Identity Provider (IdP): a kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with the web browser profiles
Basic SAML SSO Use Case
(diagram slide; the figure is not reproduced here)
The OAuth 2.0 Authorization Framework
OAuth is an authorization framework that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
OAuth Actors
There are four key actors in the OAuth framework:
- Resource Owner: typically an (end) user
- Resource Server: the server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. Equivalent of the Service Provider in SAML.
- Client: an application making protected resource requests on behalf of the resource owner and with its authorization.
- Authorization Server: the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. Equivalent of the Identity Provider in SAML.
Protocol Endpoints
- Authorization Endpoint: used by the client to obtain authorization from the resource owner via user-agent redirection
- Token Endpoint: used by the client to exchange an authorization grant for an access token, typically with client authentication
- Client Redirection Endpoint: used by the authorization server to return responses containing authorization credentials to the client via the resource owner's user-agent
Obtaining Authorization
The authorization in OAuth is expressed in the form of an authorization grant, which the client uses to request the access token. There are four grant types in OAuth:
- Authorization Code Grant: used for web server applications in general; it is the most frequently used grant
- Implicit Grant: used for client applications that are not capable of keeping the credentials secure
- Resource Owner Password Credentials Grant: frequently used in scenarios where an already existing solution is migrating over to OAuth 2.0; username/password are sent in exchange for an access token
- Client Credentials Grant: used for client applications that want to request access to some service provider on behalf of themselves and not on behalf of some end user
OAuth Protocol Flow
(diagram slide; the figure is not reproduced here)
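The Authorization Code Grant described above, worked through as an added example (not code from the talk or from PicketLink): the client side and a minimal in-memory authorization server are both modelled in Python, and the client id, secret, URLs and the 60-second code lifetime are constructed values. The checks a practitioner cares about are the ones that keep the grant honest: exact redirect_uri matching, the random state checked on return, client authentication at the token endpoint, and the code being bound to the client, short-lived and single-use.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed in-memory authorization server state: one registered client and the issued codes.
CLIENTS = {"webapp": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
CODES = {}  # code -> {"client_id", "redirect_uri", "scope", "expires", "used"}

def build_authorization_url(client_id, redirect_uri, scope):
    """Client, step 1: redirect the user-agent to the authorization endpoint with a random state."""
    state = secrets.token_urlsafe(16)  # kept in the client session and checked on return (CSRF)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return "https://as.example/authorize?" + urlencode(params), state

def authorize(request_url, resource_owner_approved):
    """Authorization server, step 2: after authenticating the resource owner, redirect back."""
    q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    # redirect_uri must exactly match the registered one before anything is sent to it
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or redirect_uri mismatch")
    if not resource_owner_approved:
        return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
    code = secrets.token_urlsafe(24)  # short-lived, single-use, bound to client and redirect_uri
    CODES[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                   "scope": q.get("scope", ""), "expires": time.time() + 60, "used": False}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def handle_redirect(redirect_url, expected_state):
    """Client, step 3: the user-agent arrives at the client redirection endpoint."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF")
    if "error" in q:
        raise PermissionError(q["error"])
    return q["code"]

def token_endpoint(client_id, client_secret, code, redirect_uri):
    """Authorization server, step 4: exchange the grant for an access token (client authenticates)."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client_secret, client["secret"]):
        return {"error": "invalid_client"}
    grant = CODES.get(code)
    if (grant is None or grant["used"] or grant["expires"] < time.time()
            or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri):
        return {"error": "invalid_grant"}
    grant["used"] = True  # a code may be exchanged only once
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "expires_in": 3600, "scope": grant["scope"]}
```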
Section 3: Comparison
Differences

| | SAML v2.0 | OAuth v2.0 |
|---|---|---|
| Token Format | XML | binary or JSON |
| Communication Protocol | well-defined bindings to different protocols: HTTP (redirect, POST, artifact binding), SOAP, PAOS, protocol-independent SAML URI Binding | exclusively HTTP |
| User Identity | SAML token contains user identity information | not out of the box, but possible thanks to signing |
| Primary Usage | federated SSO inside a company | internet apps with delegated authorization to resources; B2B; cloud scenarios |
| Mobile Devices | possible but harder to implement due to complex XML parsing | OAuth messages are easier to parse; more client libraries to choose from |
| Enterprise Apps | better interoperability, more solutions to choose from, more standardized | possible, but the nature of current apps favors SAML |
Security Considerations

| Consideration | SAML v2.0 | OAuth v2.0 |
|---|---|---|
| Message Transport | TLS 1.0 or SSL 3.0 | TLS 1.0 or 1.2 mandatory |
| Authentication | authentication information is part of the SAML assertion | can be extended to include authentication assertions: SAML assertions are possible; JWT Assertion Profile (JWT for requesting access tokens and client authentication) |
| Key Management | very important | not in terms of PKI, but client id and secret, tokens and client credentials |
| Denial of Service | susceptible to DoS | better resistant to DoS |
| Eavesdropping | in-message confidentiality, but in-transit confidentiality recommended | sensitive; in-transit confidentiality mandatory |
| Replay Attack | prone, several countermeasures possible | prone, countermeasures possible |
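As an added example (not from the talk or from PicketLink), the replay countermeasures a service provider applies to a bearer assertion in the basic SAML SSO use case, in Python: the validity window with clock skew, audience and recipient checks, InResponseTo bound to an outstanding AuthnRequest, and one-time use of the assertion ID. The assertion, entity IDs, request ID and 120-second skew are constructed values, and the code assumes the XML signature was already verified by the SAML stack.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed bearer assertion. Its XML signature is assumed to have been verified by the
# SAML stack already; the checks below are what the signature alone does not give you.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2014-02-07T10:00:00Z">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.com/acs"
          NotOnOrAfter="2014-02-07T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-02-07T09:59:00Z" NotOnOrAfter="2014-02-07T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class AssertionValidator:
    """Service-provider-side replay countermeasures for the basic SSO use case."""
    def __init__(self, sp_entity_id, acs_url, skew_seconds=120):
        self.sp_entity_id, self.acs_url = sp_entity_id, acs_url
        self.skew = timedelta(seconds=skew_seconds)   # tolerated IdP/SP clock difference
        self.pending_requests = set()  # AuthnRequest IDs this SP issued and has not yet consumed
        self.seen_ids = {}             # assertion ID -> NotOnOrAfter, for replay detection

    def validate(self, xml_text, now_iso):
        now, a = _ts(now_iso), ET.fromstring(xml_text)
        cond = a.find("saml:Conditions", NS)
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        not_after = _ts(cond.get("NotOnOrAfter"))
        if now + self.skew < _ts(cond.get("NotBefore")) or now - self.skew >= not_after:
            return "outside validity window"
        if self.sp_entity_id not in [x.text for x in cond.findall(".//saml:Audience", NS)]:
            return "audience mismatch"
        if scd.get("Recipient") != self.acs_url:
            return "recipient mismatch"
        if scd.get("InResponseTo") not in self.pending_requests:
            return "unsolicited or already consumed InResponseTo"
        if a.get("ID") in self.seen_ids:
            return "replayed assertion ID"
        self.pending_requests.discard(scd.get("InResponseTo"))
        self.seen_ids = {i: t for i, t in self.seen_ids.items() if t + self.skew > now}  # prune
        self.seen_ids[a.get("ID")] = not_after
        return "ok"
```

Remembering assertion IDs only until their NotOnOrAfter plus the skew is what keeps the replay cache bounded while still rejecting a second delivery inside the window.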
Bibliography
- Security Assertion Markup Language (SAML) v2.0: https://www.oasis-open.org/standards#samlv2.0
- JSON Web Token (JWT) draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (draft): http://tools.ietf.org/html/draft-ietf-oauth-assertions-14
- PicketLink web site: http://www.picketlink.org/
- Anil Saldhana's blog: http://anil-identity.blogspot.com/
- Martin Spasovski: OAuth 2.0 Identity and Access Management Patterns, Packt Publishing: http://www.packtpub.com/oauth-2-0-identity-and-access-management-patterns/book
Feedback Form
Please provide feedback on this talk at http://devconf.cz/f/73.
The end. Thanks for listening.