How To Choose an SSO Protocol: SAML vs OAuth vs OpenID Connect
When devising a plan to keep data and identities secure, IT administrators and security analysts must first select the protocol or framework that will protect federated identity, the means of connecting a person's electronic identity and attributes across systems.
The benefit of a single sign-on (SSO) account is that employees log in once to an application or network and do not need to keep logging in to different applications or networks throughout the workday.
While this is certainly convenient for employees—making them more productive because they do not have to remember multiple passwords—it is also convenient for IT. With fewer passwords registered in the system, the identity and access management (IAM) platform responsible for employees' credentials has less to manage.
The choice, however, is not an easy one. The two top contenders in the federation process are Security Assertion Markup Language (SAML) and open authorization (OAuth). Let us look at these technologies more closely and work out when to use SAML vs. OAuth vs. OpenID Connect (OIDC).
What Is the Difference Between SAML and OAuth?
SAML is designed for authentication and authorization while OAuth was built solely for authorization. Understanding the different purposes of each is key to understanding how an access management system works.
Tokens
The envelope of credentials for each user is stored in a token. The SAML token is known as a SAML assertion. In OAuth, it is known as an access token.
Flows
When a user logs in to a service, such as a document-sharing service or customer relationship management (CRM) database, the following flows occur:
- For SAML: The first step is user authentication. The service provider (SP) makes a SAML authentication request to the identity provider (IdP), redirecting the user's browser to the IdP for authentication. The user then enters their credentials (username and password) into the IdP's login form. Once the user is logged in, the IdP generates the SAML assertion (token) and sends it to the SP. The SP verifies the SAML assertion, takes the user identity along with the associated permissions (authorization for certain features or data access), and logs the user into the service.
- For OAuth: The process is similar, except that the access tokens are not encrypted and only authorization is granted, not authentication of identity.
Enterprise security
SAML is designed to focus on enterprise security, while OAuth, because it lacks encryption and relies on secure sockets layer/transport layer security (SSL/TLS) protocols for security, is generally not a good choice for securing an enterprise of hundreds or thousands of employees.
How does OAuth work?
OAuth 2.0 is a standard for secure authorization. It provides secure delegated access by handing access tokens to third-party services without exposing user credentials. However, it only authorizes—it does not authenticate. For authentication, the OpenID Connect (OIDC) standard is used. Identity providers, that is, the parties that create and manage identities, use OIDC so users can first sign in with their IdP and then access applications without logging in again or sharing credentials.
Although OAuth performs better on mobile devices, largely because it is built on the more lightweight JSON open standard format for encoding data, it is not robust enough for enterprise use, especially since it only authorizes users and does not authenticate them.
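To make the authorization-versus-authentication distinction above concrete, here is an added example (not code from the original article) of what a relying party must check on an OIDC ID token before treating it as proof of who signed in: the signature, the issuer, the audience (the token was minted for this client), the expiry, and the nonce that ties it to the login the client started. The issuer URL, client id, shared secret and token lifetime are constructed for the example; a real IdP signs with an asymmetric key published via JWKS rather than an HMAC secret.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values; a real deployment uses the IdP's published keys.
IDP_ISSUER = "https://idp.example.com"      # assumed IdP issuer URL
CLIENT_ID = "crm-app"                        # assumed OIDC client id
SHARED_SECRET = b"constructed-demo-secret"   # constructed HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(subject: str, nonce: str, now: int, ttl: int = 300) -> str:
    """Simulate the IdP issuing an HS256-signed OIDC ID token (JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + \
        _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, expected_nonce: str, now: int) -> Optional[dict]:
    """Relying-party checks: signature, issuer, audience, expiry, nonce.
    Returns the claims only when every check passes, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":       # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != CLIENT_ID:
        return None                        # wrong IdP, or a token minted for another app
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None                        # expired
    if claims.get("nonce") != expected_nonce:
        return None                        # not the login this client initiated
    return claims
```

A plain OAuth access token carries none of these identity guarantees; it only says what a bearer may do, which is why the article treats OAuth alone as authorization rather than authentication.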
How does SAML work?
Security Assertion Markup Language (SAML) is a protocol that lets an identity provider (IdP) transmit a user's credentials to a service provider (SP) to both authenticate and authorize that user to access a service. SAML simplifies password management and enables SSO. It is helpful for enterprises because employees access more and more applications to carry out their jobs. In fact, according to a study by Okta, large companies use an average of 129 software apps, and nearly 10% of businesses deploy more than 200 applications in their enterprise IT systems.
Managing passwords for hundreds of applications used by hundreds or even thousands of employees can be extremely challenging. SAML addresses this by offering enterprises a single sign-on protocol.