- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: In this article, we will provide a high-level overview of the Security Assertion Markup Language (SAML) and Open Authorization (OAuth) information access frameworks. You’ll learn about the key similarities and differences between SAML and OAuth, the unique benefits of each framework, and specific use cases for each. By the end of this article, you’ll have a clear understanding of SAML and OAuth to help you determine which is right for your organization.
What are SAML and OAuth?
SAML and OAuth are open standard frameworks utilized by organizations for authentication and authorization strategies, respectively. SAML authenticates the user’s identity to a service, while OAuth authorizes the user to access specific resources owned by the service provider. Both can be used for single sign-on (SSO), which permits users to access IT resources with only one set of login credentials (e.g., username and password). Consolidating accounts and passwords via SSO helps improve system security and user experiences, among other benefits.
Security Assertion Markup Language (SAML)
SAML (SAML 2.0 since 2005) is an authentication and authorization standard. Authentication proves that users are who they claim to be, while authorization allows authenticated parties to do what they request. SAML is an extensible markup language (XML) variant for exchanging security information online.
SAML exchanges take place between system entities referred to as an asserting party (also called a SAML authority) and a relying party that processes the security assertions it receives. Security assertions are standardized statements in the markup language that determine access control decisions.
There are two types of SAML SSO: Identity Provider (IdP) initiated and Service Provider (SP) initiated. Both use an IdP to authenticate the user, the main difference is the starting point.
- IdP-initiated SAML SSO: The user attempts to log into an IdP, and the IdP can directly verify the user’s identity with a SAML response.
- SP-initiated SAML SSO: The user attempts to log into a SP, and the SP must generate a SAML request. The request and user are sent to an IdP for authentication, and then back to the SP to complete the log in.
Open Authorization (OAuth)
OAuth (OAuth 2.0 since 2013) is an authentication standard that allows a resource owner logged-in to one system to delegate limited access to protected information to a third party without sharing the owner’s security credentials. Instead, the third-party system obtains approval from the resource owner for a short-lived access token from an authorization server with approval of the resource owner.
OAuth focuses on developer simplicity while providing specific authorization flows for web, mobile, and desktop applications, mobile devices, and smart devices. It allows users authenticated in one application or system to authorize third-party applications or systems to gain limited access to user data, without sharing authentication information.
A typical OAuth workflow is based on interactions among four roles:
- Resource owner: grants access to protected resources
- Resource server: hosts protected resources and responds to access requests
- Client: an application that submits access requests on behalf of the resource owner
- Authorization server: issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization
SAML vs. OAuth: What’s the Difference?
The primary difference between SAML and OAuth is that SAML generally facilitates exchange of a single user’s authentication and authorization data across secure domains. In contrast, OAuth typically works on behalf of a specific application to share user information on a limited basis with other applications.
SAML is more commonly used by large organizations and government entities, in which XML use is widespread. It’s also used by enterprise applications such as Salesforce and Marketo for authentication. Key drivers to SAML adoption include SSO evolution, federated identity management expansion, and changing industry standards that govern authorization services, identity frameworks, and web services security.
Created and strongly supported by companies including Twitter and Google, OAuth is more commonly used on the open internet. Typically, two or more unrelated websites, apps or services are trying to accomplish something on behalf of end users and need multiple security approvals to complete an authorized transaction. Major OAuth users include Amazon, Facebook, Instagram, LinkedIn, Microsoft, Netflix, and Paypal, which often partner on co-promotional activities.
Similarities Between SAML and OAuth
SAML and OAuth were both created to standardize and encourage interoperability of infrastructure access management systems. They share three important characteristics:
- Are open standard frameworks
- Support federated identity management (FIM)
- Enable SSO
SAML and OAuth eliminate the need for implementing multiple authentication systems and simplify how organizations authorize access to protected information. Both are building blocks for FIM because they let users access multiple IT resources with one login credential.
SAML vs. OAuth: Which One Is Better?
An organization’s specific needs and existing infrastructure dictate whether one framework is better suited than the other. While both can be used for SSO, they are not interchangeable or mutually exclusive. SAML supports both user authentication and authorization while OAuth is only for authorization. If the business priority is confirming user identity, SAML is the only choice. If the business priority is securely and easily managing user privileges, OAuth may be the better choice.
SAML and OAuth Use Cases
Multi-domain SSO with SAML
SAML solves the multi-domain SSO problem by providing a standard, vendor-independent protocol for transferring information about a user from one web server to another.
For example, a customer logs in to their account on an airline website to book a flight. During the process, the customer is offered a rental car deal as part of a partnership arrangement between the airline and the rental agency. Assuming the customer has a federated identity, the identity provider (the airline) transmits a SAML security assertion to the service provider (the rental agency) that the user is known and authenticated. Because the rental agency website “trusts” the SAML assertion, it creates a local session for the user without requiring the user to re-authenticate.
Consumer privacy with OAuth
OAuth can grant access to private resources on one website or mobile application (the service provider), to another (the consumer) without sharing the end user’s identity.
For example, a Google Photos user wants to get digital images printed. The end user, known as the resource owner, can grant the photo printing service access to images on a resource server at Google Photos. Instead of sharing their Google username and password, the customer authenticates directly with a Google authorization server that then issues an access token with specific credentials to the printing service.
Can SAML and OAuth Work Together?
Organizations can use both standards to provide employees and customers with an SSO experience across a wide range of applications and services. For instance, a SAML assertion from an IdP can verify user identity when communicating between an authorization server and a resource server. The authorization server can then use an OAuth token to provide the end user with access to resources based upon their security credentials.
Additionally, some environments may require both SAML and OAuth, as is the case in Microsoft environments where SAML grants system access and OAuth grants access to protected resources.
SAML vs. OAuth: Frequently Asked Questions
Should I use OAuth or SAML?
OAuth is designed to support a variety of client types that access application programming interfaces (APIs), which makes it a valuable tool for today’s mobile-first application developers. On the other hand, organizations with large investments in XML resources and heavy authentication workloads are likely to benefit from SAML.
What is the difference between SAML and SSO?
SAML enables SSO by defining how organizations can offer both authentication and authorization services as part of their infrastructure access strategy. As an open standard, SAML can be implemented by a wide variety of identity and access management (IAM) vendors. Additionally, IdPs and service providers that adhere to the standard can communicate freely, regardless of vendor.
Is OAuth more secure than SAML?
SAML is considered more secure because, unlike OAuth, it allows users to encrypt assertions. This makes it ideal for large enterprises working with sensitive data.
How StrongDM Can Help with SAML and OAuth
StrongDM provides a SAML-compliant authorization server that also supports OAuth. That means organizations can use SAML and OAuth to authenticate and authorize users according to business needs. Our Infrastructure Access Platform (IAP) allows you to customize SSO experiences, including the use of OAuth so users can delegate authentication to third-party systems through an existing SAML identity provider.
Security Meets Simplicity with StrongDM
Infrastructure access is about giving employees, customers, vendors, and partners the tools they need when they need them. That means eliminating obstacles that prevent or delay logging in to systems and accessing applications, data, and services. Optimizing user authentication and authorization is a major factor for eliminating such obstacles.
By understanding the difference between SAML and OAuth, enterprises can make informed decisions about which open standard for infrastructure access best addresses their needs.
Learn more about controlling access to your resources with a no-BS, two-week demo of StrongDMtoday.
About the Author
Schuyler Brown, Co-founder / CCO, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.