SlideShare une entreprise Scribd logo

SAML VS OAuth 2.0 VS OpenID Connect

Ubisecure
Ubisecure

SAML, OAuth 2.0, and OpenID Connect are the three most common authentication protocols. SAML provides authentication and authorization assertions while OAuth 2.0 focuses on authorization. OpenID Connect builds on OAuth 2.0 by adding authentication features and using claims to provide user information. It has a lower implementation barrier than SAML and is well-suited for mobile and API use cases. The document compares the protocols and their applications, security considerations, and history of adoption.

Technologie
1  sur  12
Télécharger pour lire hors ligne
SAML VS OAUTH 2.0 VS OPENID CONNECT UNDERSTANDING THE DIFFERENCES BETWEEN THE THREE MOST COMMON AUTHORISATION PROTOCOLS WHITE PAPER Connecting Identity. Transforming Digital Business.
UBISECURE WHITE PAPER 2 info@ubisecure.com www.ubisecure.com INTRODUCTION The world of Identity and Access Management is ruled by two things, acronyms and standards. In our popular blog post at https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/ we compared the two most common authorisation protocols - SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol. HISTORY Firstly, it is useful to understand the order of emergence of the various protocols. It helps follow the evolution that gave rise to OpenID Connect. ACRONYMS & TERMINOLOGY WEB SINGLE SIGN-ON Party Term in SAML Term in OAuth Term in OpenID Web browser that an end user uses to access a web application User agent User agent User agent Server that owns the user identities and credentials Identity Provider (IDP, IdP) Authorisation Server (AS) OpenID Provider (OP) Web application that requires permission to proceed or access a resource Service Provider (SP) Client Relying Party (RP) or Client Server that hosts the resource being accessed Service Provider (SP) Resource Server Resource Server
UBISECURE WHITE PAPER 3 info@ubisecure.com www.ubisecure.com APPLICATIONS AND PROTECTED APIS Party Term in OAuth Server that owns the user identities and credentials Authorisation Server (AS) Application that wants to access a protected API Client Protected API Resource Server (RS) ACRONYMS SAML Security Assertion Markup Language OAuth Open Authentication OP OpenID Provider SP Service Provider RP Relying Party AS Authorisation Server HTTP Hypertext Transfer Protocol OIDC OpenID Connect SSO Single Sign On CIAM Customer Identity and Access Management XML Extensible Markup Language API Application Program Interface AUTHORISATION PROTOCOLS OPENID 2.0 OpenID was the first mainstream standard for authentication, it is however now obsolete following the approval of OpenID Connect. OpenID 2.0 was widely used and supported by most large internet companies. OpenID provided user authentication and with extensions in 2007, user attributes. Today when ‘OpenID’ is being talked about, it will almost always refer to OpenID Connect 1.0 OAUTH 2.0 The basic sequential flow occurs as follows:
UBISECURE WHITE PAPER 4 info@ubisecure.com www.ubisecure.com The flow illustrated includes the following steps: 1. The client initiates the flow by directing the resource owner's user agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). 2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request. 3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier. 4. The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification. 5. The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token. Authentication is all about the user in the context of the application, and a network authentication protocol like OpenID is able to do this across networks and security boundaries. An authentication protocols tells an application who the current user is and whether or not the user is present. In addition, the protocol will often return additional attributes, e.g. an e-mail address.
UBISECURE WHITE PAPER 5 info@ubisecure.com www.ubisecure.com However, OAuth 2.0 tells the application none of those things. OAuth 2.0 tells absolutely nothing about the user's identity, nor does it expose how the end user proved their presence or even if the user is still present or not. An OAuth 2.0 client asked for a token, received a token, and used that token to access some resource – for example an API. This delegated access, accessing a resource on the behalf of a user who may not even be present, is one of the great points of OAuth 2.0 and great for client authorisation. At the same time, it is very limited for authentication, where the whole point is figuring who the user is, how the user's identity was authenticated and whether the user is present or not. The authorisation code grant type is used to obtain both access tokens and refresh tokens and is optimised for confidential clients. Since this is a redirection based flow, the client must be capable of interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorisation server. Note: the lines illustrating steps 1, 2, and 3 are broken into two parts as they pass through the user- agent. SAML 2.0 We have seen that OpenID 2.0 provides authentication information, OAuth2 provides authorisation information. SAML2 provides all of this in the form of assertions (be they authentication assertions, attribute assertions or authorisation assertions). The SAML2 basic flow is below for completeness:
UBISECURE WHITE PAPER 6 info@ubisecure.com www.ubisecure.com 1. The Client attempts to access a secured resource via the User Agent, without a security context. 2. The Service Provider obtains the location of an endpoint at an identity provider for the authentication request protocol. The means by which this is accomplished is implementation dependent. 3. The Service Provider issues an <AuthnRequest> message to be delivered by the user agent to the Identity Provider. 4. The Identity Provider authenticates the Client using some (undefined) method. 5. The Identity Provider issues a <Response> message to be delivered by the User Agent to the Service Provider. The message may indicate an error, or will include (at least) an authentication assertion. 6. Having received the response from the Identity Provider, the Service Provider can respond to the Client's User Agent with its own error, or can establish its own security context for the Clienty and return the requested resource. This flow is HTTP POST heavy rending it only really useful for interactive web sessions.
UBISECURE WHITE PAPER 7 info@ubisecure.com www.ubisecure.com OAUTH 2.0 EXTENSIBILITY Before jumping to OpenID Connect it is useful to understand a little about OAuth2 extensibility. As part of the specification work on OAuth2, the definition was created with extensibility in mind. This extensibility allows new protocols to be defined on top of the ‘basic’ OAuth2 protocol. A number of extension protocols have been defined (for example UMA) and a number more are in draft stages. Of specific note here is OpenID Connect, a protocol build on top of OAuth2 to provide: “authentication built on top of OAuth 2.0 and the use of claims to communicate information about the End-User”1 OPENID CONNECT 1.0 OpenID Connect or OIDC in short, layers on top of OAuth 2.0 to provide authentication information as well as authorisation information through the use of Claims. Being based on OAuth2.0 OpenID Connect flow is very similar to OAuth 2.0, as seen below, the major difference is the addition of the ID Token. 1 http://openid.net/developers/specs/
UBISECURE WHITE PAPER 8 info@ubisecure.com www.ubisecure.com 1. The client prepares an Authentication Request containing the desired request parameters. 2. The client sends the request to the Authorization Server. 3. The Authorization Server authenticates the end user. 4. The Authorization Server obtains user consent/authorization. 5. The Authorization Server sends the user back to the client with an access token and, if requested, an ID token. 6. The client requests a response using the Authorisation Code at the Token endpoint. 7. The client receives a response that contains an ID Token and Access Token in the response body. 8. The client validates the ID token and retrieves the subject identifier of the user. The OpenID Connect standard introduces additional parameters to the request and introduces the concepts of Claims and the ID Token.
UBISECURE WHITE PAPER 9 info@ubisecure.com www.ubisecure.com Feature Details Additional parameters When the Client makes a request to the IdP it can pass additional parameters to the IdP, for example language for the authentication UI, and required authentication level Claims Claims are ‘name-value’ pairs that provide attribute data about the user that has been authenticated. The OpenID Connect standard defines a number of standard Claims, for example: given_name, family_name, picture, email. In addition to the standard Claims, ‘additional claims’ can be defined. ID Token The ID Token is built by the IdP and returned to the Relying Party as the final part of the basic authentication. This token contains a number of authentication related claims and may contain additional user related claims. The token itself is in the form of a signed JSON Web Token (JWT), and may, optionally, be encrypted. An access token is also returned that can be used by the Client to make further requests to the IdP or a Resource Server. Again, being based on OAuth 2.0 OpenID Connect is ‘API friendly’ and can be used by web applications, desktop applications, mobile applications and devices. SECURITY CONSIDERATIONS SAML For SAML the most common and widely used protocol for securing message exchange between an IdP and service provider is sending signed SAML Assertion to the Service Provider using HTTP POST protocol. SAML uses XML Signature and XML Encryption for end-to-end message integrity and encryption. Key exchange in SAML happens either out of band or dynamically with SAML Metadata. See SAML V2.0 Implementation Profile for Federation Interoperability for a recent requirement specification for an interoperable and secure SAML implementation.
UBISECURE WHITE PAPER 10 info@ubisecure.com www.ubisecure.com OAUTH 2.0 AND OPENID CONNECT 1.0 OIDC defines different profiles for securing message exchange between an IdP and a Relying Party. The simplest model completely relies on security of DNS and TLS for integrity. The benefit is very low barrier of entry into integrating an application with an OIDC IdP where the application designer only needs capability of invoking a RESTful API of the OIDC IdP, no processing of digital signatures or other cryptography is necessary. By implementing signed and encrypted JWTs the security of an OIDC implementation is increased to the level of SAML with end-to-end message integrity and encryption. By using modern technologies such as Token Binding security increases even beyond what is possible with standards based interoperable SAML. When signed and encrypted JWTs are used, key exchange in OIDC happens either out of band or dynamically with OIDC Metadata. Dynamic Client Registration Protocol enables a very dynamic and completely automated management of Client identities at an OIDC IdP, very well suited for IoT and Mobile Application use cases. See OAuth 2.0 Threat Model and Security Considerations and OAuth 2.0 Security Best Current Practice for recent instructions and best practices into creating secure OAuth and OIDC integrations. COMPARING THE PROTOCOLS Firstly, OAuth 2.0 has a different purpose to both SAML 2.0 and OpenID Connect 1.0, OAuth is, at the base level, an authorisation protocol, whereas SAML and OpenID Connect are authentication/authorisation protocols. For access control, OAuth 2.0 provides a great solution. SAML and OpenID Connect both provide authentication as well as authorisation. SAML is definitely the more complex to implement. OpenID Connect, being based on OAuth has a very low barrier to entry and can be scaled once working (both security and feature wise). If you are looking to join large existing federations that SAML will have the edge, its age means many of the existing federations are SAML based (for example most university federations). Of course it is possible to translate between protocols, doing this manually is a significant amount of work, but using the Ubisecure Identity Server in an IdP Proxy role this is just a configuration option, so it is possible to have a simple implementation of OpenID Connect working with an existing SAML federation. SAML is effectively constrained to browser operation, so for application or device usage OpenID Connect will be the protocol of choice.
UBISECURE WHITE PAPER 11 info@ubisecure.com www.ubisecure.com When it comes to security, OAuth, and hence OpenID Connect, provides a flexible model which can scale. SAML benefits from being within the browser having a relatively fixed security model, but is also only as secure as the browser. OAuth is dependent upon the TLS stack and when incorporated in an application is only as good as the stack in the application. If the app is using the OS implementation then it will be parallel to the browser, however, device implementation will need to take care over stack selection and configuration. CONCLUSIONS The emergence and rapid growth of OpenID Connect is a physical manifestation of the ongoing mobile transformation. As identity and access management has split between the traditional enterprise SSO and external user centric CIAM, so has the protocol stack underneath. OpenID Connect combines OAuth 2.0 authorisation with authentication, and allows building a user-friendly mobile application “done right”. An inevitable question is “Which of the protocols is the right for my use case?” Making broad generalisations is one of the best ways to draw dissension from all directions, but the below table does just that. Protocol Best use cases SAML Enterprise SSO, existing federations OAuth 2.0 API authorisation, UMA OpenID Connect Customer SSO, CIAM, mobile If you are reading this to determine how to quantify, manage and reap the benefits of CIAM in your organisation please contact Ubisecure – we can guide you through the complexity and reduce your implementation time considerably.
UBISECURE WHITE PAPER 12 info@ubisecure.com www.ubisecure.com Ubisecure is a pioneering European b2b and b2c Customer Identity & Access Management (CIAM) software provider and cloud identity services enabler dedicated to helping its customers realise the true potential of digital business. Ubisecure provides a powerful Identity Platform to connect customer digital identities with customer- facing SaaS and enterprise applications in the cloud and on-premise. The platform consists of productised CIAM middleware and API tooling to help connect and enrich strong identity profiles; manage identity usage, authorisation and progressive authentication policies; secure and consolidate identity, privacy and consent data; and streamline identity based workflows and decision delegations. Uniquely, Ubisecure’s Identity Platform connects digital services and Identity Providers, such as social networks, mobile networks, banks and Governments, to allow Service Providers to use rich, verified identities to create frictionless login, registration and customer engagement while improving privacy and consent around personal data sharing to meet requirements such as GDPR and PSD2. Ubisecure is accredited by the Global Legal Entity Identifier Foundation (GLEIF) to issue Legal Entity Identifiers (LEI) under its RapidLEI brand, a cloud-based service that automates the LEI lifecycle to deliver LEIs quickly and easily. The company has offices in London and Finland. To learn more about Customer IAM and Company Identity solutions visit www.ubisecure.com or contact us at sales-team@ubisecure.com

Recommandé

Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
なんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いなんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いRyo Ito
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 

Recommandé

Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
なんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いなんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いRyo Ito
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSITorsten Lodderstedt
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景Tatsuo Kudo
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0Takahiro Sato
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014Nov Matake
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
 

Contenu connexe

Tendances

An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景Tatsuo Kudo
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0Takahiro Sato
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014Nov Matake
 

Tendances (20)

OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
 

Similaire à SAML VS OAuth 2.0 VS OpenID Connect

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Ubisecure
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 IntroductionArpit Suthar
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security ServerFlaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security Serverijtsrd
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsStefan Weber
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356IOSR Journals
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedCalvin Noronha
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?Dave Syer
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authenticationijtsrd
 

Similaire à SAML VS OAuth 2.0 VS OpenID Connect (20)

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security ServerFlaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 

Plus de Ubisecure

User Management, Enablement, Directory
User Management, Enablement, DirectoryUser Management, Enablement, Directory
User Management, Enablement, DirectoryUbisecure
 
Identity Platform Use Cases
Identity Platform Use CasesIdentity Platform Use Cases
Identity Platform Use CasesUbisecure
 
Single Sign-On
Single Sign-OnSingle Sign-On
Single Sign-OnUbisecure
 
Multi-Factor Authentication & Authorisation
Multi-Factor Authentication & AuthorisationMulti-Factor Authentication & Authorisation
Multi-Factor Authentication & AuthorisationUbisecure
 
Identity Data & Credential Self-Service
Identity Data & Credential Self-ServiceIdentity Data & Credential Self-Service
Identity Data & Credential Self-ServiceUbisecure
 
Using Strong / Verified Identities
Using Strong / Verified IdentitiesUsing Strong / Verified Identities
Using Strong / Verified IdentitiesUbisecure
 
Using Social & Business Identities
Using Social & Business IdentitiesUsing Social & Business Identities
Using Social & Business IdentitiesUbisecure
 
Delegation of Authority
Delegation of AuthorityDelegation of Authority
Delegation of AuthorityUbisecure
 
Customer IAM vs Employee IAM (Legacy IAM)
Customer IAM vs Employee IAM (Legacy IAM)Customer IAM vs Employee IAM (Legacy IAM)
Customer IAM vs Employee IAM (Legacy IAM)Ubisecure
 
An Introduction to Authentication for Applications
An Introduction to Authentication for ApplicationsAn Introduction to Authentication for Applications
An Introduction to Authentication for ApplicationsUbisecure
 
Introduction to Mobile Connect
Introduction to Mobile ConnectIntroduction to Mobile Connect
Introduction to Mobile ConnectUbisecure
 
General Data Protection Regulation & Customer IAM
General Data Protection Regulation & Customer IAMGeneral Data Protection Regulation & Customer IAM
General Data Protection Regulation & Customer IAMUbisecure
 
Telia - The New Norm of the Digital World
Telia - The New Norm of the Digital WorldTelia - The New Norm of the Digital World
Telia - The New Norm of the Digital WorldUbisecure
 
SSH - Credentialess Cloud Access
SSH - Credentialess Cloud AccessSSH - Credentialess Cloud Access
SSH - Credentialess Cloud AccessUbisecure
 
Spellpoint - Securing Access for Microservices
Spellpoint - Securing Access for MicroservicesSpellpoint - Securing Access for Microservices
Spellpoint - Securing Access for MicroservicesUbisecure
 
Open Identity Exchange - the Global Growth of Digital Identity
Open Identity Exchange - the Global Growth of Digital IdentityOpen Identity Exchange - the Global Growth of Digital Identity
Open Identity Exchange - the Global Growth of Digital IdentityUbisecure
 
Nixu - Passwords must Die!
Nixu - Passwords must Die!Nixu - Passwords must Die!
Nixu - Passwords must Die!Ubisecure
 
Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018Ubisecure
 
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...Ubisecure
 
FICORA - Building a Trust Network on Strong Identification
FICORA - Building a Trust Network on Strong IdentificationFICORA - Building a Trust Network on Strong Identification
FICORA - Building a Trust Network on Strong IdentificationUbisecure
 

Plus de Ubisecure (20)

User Management, Enablement, Directory
User Management, Enablement, DirectoryUser Management, Enablement, Directory
User Management, Enablement, Directory
 
Identity Platform Use Cases
Identity Platform Use CasesIdentity Platform Use Cases
Identity Platform Use Cases
 
Single Sign-On
Single Sign-OnSingle Sign-On
Single Sign-On
 
Multi-Factor Authentication & Authorisation
Multi-Factor Authentication & AuthorisationMulti-Factor Authentication & Authorisation
Multi-Factor Authentication & Authorisation
 
Identity Data & Credential Self-Service
Identity Data & Credential Self-ServiceIdentity Data & Credential Self-Service
Identity Data & Credential Self-Service
 
Using Strong / Verified Identities
Using Strong / Verified IdentitiesUsing Strong / Verified Identities
Using Strong / Verified Identities
 
Using Social & Business Identities
Using Social & Business IdentitiesUsing Social & Business Identities
Using Social & Business Identities
 
Delegation of Authority
Delegation of AuthorityDelegation of Authority
Delegation of Authority
 
Customer IAM vs Employee IAM (Legacy IAM)
Customer IAM vs Employee IAM (Legacy IAM)Customer IAM vs Employee IAM (Legacy IAM)
Customer IAM vs Employee IAM (Legacy IAM)
 
An Introduction to Authentication for Applications
An Introduction to Authentication for ApplicationsAn Introduction to Authentication for Applications
An Introduction to Authentication for Applications
 
Introduction to Mobile Connect
Introduction to Mobile ConnectIntroduction to Mobile Connect
Introduction to Mobile Connect
 
General Data Protection Regulation & Customer IAM
General Data Protection Regulation & Customer IAMGeneral Data Protection Regulation & Customer IAM
General Data Protection Regulation & Customer IAM
 
Telia - The New Norm of the Digital World
Telia - The New Norm of the Digital WorldTelia - The New Norm of the Digital World
Telia - The New Norm of the Digital World
 
SSH - Credentialess Cloud Access
SSH - Credentialess Cloud AccessSSH - Credentialess Cloud Access
SSH - Credentialess Cloud Access
 
Spellpoint - Securing Access for Microservices
Spellpoint - Securing Access for MicroservicesSpellpoint - Securing Access for Microservices
Spellpoint - Securing Access for Microservices
 
Open Identity Exchange - the Global Growth of Digital Identity
Open Identity Exchange - the Global Growth of Digital IdentityOpen Identity Exchange - the Global Growth of Digital Identity
Open Identity Exchange - the Global Growth of Digital Identity
 
Nixu - Passwords must Die!
Nixu - Passwords must Die!Nixu - Passwords must Die!
Nixu - Passwords must Die!
 
Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018Kantara - Digital Identity in 2018
Kantara - Digital Identity in 2018
 
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
 
FICORA - Building a Trust Network on Strong Identification
FICORA - Building a Trust Network on Strong IdentificationFICORA - Building a Trust Network on Strong Identification
FICORA - Building a Trust Network on Strong Identification
 

Dernier

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Dernier (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

SAML VS OAuth 2.0 VS OpenID Connect

  • 1. SAML VS OAUTH 2.0 VS OPENID CONNECT UNDERSTANDING THE DIFFERENCES BETWEEN THE THREE MOST COMMON AUTHORISATION PROTOCOLS WHITE PAPER Connecting Identity. Transforming Digital Business.
  • 2. UBISECURE WHITE PAPER 2 info@ubisecure.com www.ubisecure.com INTRODUCTION The world of Identity and Access Management is ruled by two things, acronyms and standards. In our popular blog post at https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/ we compared the two most common authorisation protocols - SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol. HISTORY Firstly, it is useful to understand the order of emergence of the various protocols. It helps follow the evolution that gave rise to OpenID Connect. ACRONYMS & TERMINOLOGY WEB SINGLE SIGN-ON Party Term in SAML Term in OAuth Term in OpenID Web browser that an end user uses to access a web application User agent User agent User agent Server that owns the user identities and credentials Identity Provider (IDP, IdP) Authorisation Server (AS) OpenID Provider (OP) Web application that requires permission to proceed or access a resource Service Provider (SP) Client Relying Party (RP) or Client Server that hosts the resource being accessed Service Provider (SP) Resource Server Resource Server
  • 3. UBISECURE WHITE PAPER 3 info@ubisecure.com www.ubisecure.com APPLICATIONS AND PROTECTED APIS Party Term in OAuth Server that owns the user identities and credentials Authorisation Server (AS) Application that wants to access a protected API Client Protected API Resource Server (RS) ACRONYMS SAML Security Assertion Markup Language OAuth Open Authentication OP OpenID Provider SP Service Provider RP Relying Party AS Authorisation Server HTTP Hypertext Transfer Protocol OIDC OpenID Connect SSO Single Sign On CIAM Customer Identity and Access Management XML Extensible Markup Language API Application Program Interface AUTHORISATION PROTOCOLS OPENID 2.0 OpenID was the first mainstream standard for authentication, it is however now obsolete following the approval of OpenID Connect. OpenID 2.0 was widely used and supported by most large internet companies. OpenID provided user authentication and with extensions in 2007, user attributes. Today when ‘OpenID’ is being talked about, it will almost always refer to OpenID Connect 1.0 OAUTH 2.0 The basic sequential flow occurs as follows:
  • 4. UBISECURE WHITE PAPER 4 info@ubisecure.com www.ubisecure.com The flow illustrated includes the following steps: 1. The client initiates the flow by directing the resource owner's user agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). 2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request. 3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier. 4. The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification. 5. The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token. Authentication is all about the user in the context of the application, and a network authentication protocol like OpenID is able to do this across networks and security boundaries. An authentication protocols tells an application who the current user is and whether or not the user is present. In addition, the protocol will often return additional attributes, e.g. an e-mail address.
  • 5. UBISECURE WHITE PAPER 5 info@ubisecure.com www.ubisecure.com However, OAuth 2.0 tells the application none of those things. OAuth 2.0 tells absolutely nothing about the user's identity, nor does it expose how the end user proved their presence or even if the user is still present or not. An OAuth 2.0 client asked for a token, received a token, and used that token to access some resource – for example an API. This delegated access, accessing a resource on the behalf of a user who may not even be present, is one of the great points of OAuth 2.0 and great for client authorisation. At the same time, it is very limited for authentication, where the whole point is figuring who the user is, how the user's identity was authenticated and whether the user is present or not. The authorisation code grant type is used to obtain both access tokens and refresh tokens and is optimised for confidential clients. Since this is a redirection based flow, the client must be capable of interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorisation server. Note: the lines illustrating steps 1, 2, and 3 are broken into two parts as they pass through the user- agent. SAML 2.0 We have seen that OpenID 2.0 provides authentication information, OAuth2 provides authorisation information. SAML2 provides all of this in the form of assertions (be they authentication assertions, attribute assertions or authorisation assertions). The SAML2 basic flow is below for completeness:
  • 6. UBISECURE WHITE PAPER 6 info@ubisecure.com www.ubisecure.com 1. The Client attempts to access a secured resource via the User Agent, without a security context. 2. The Service Provider obtains the location of an endpoint at an identity provider for the authentication request protocol. The means by which this is accomplished is implementation dependent. 3. The Service Provider issues an <AuthnRequest> message to be delivered by the user agent to the Identity Provider. 4. The Identity Provider authenticates the Client using some (undefined) method. 5. The Identity Provider issues a <Response> message to be delivered by the User Agent to the Service Provider. The message may indicate an error, or will include (at least) an authentication assertion. 6. Having received the response from the Identity Provider, the Service Provider can respond to the Client's User Agent with its own error, or can establish its own security context for the Clienty and return the requested resource. This flow is HTTP POST heavy rending it only really useful for interactive web sessions.
  • 7. UBISECURE WHITE PAPER 7 info@ubisecure.com www.ubisecure.com OAUTH 2.0 EXTENSIBILITY Before jumping to OpenID Connect it is useful to understand a little about OAuth2 extensibility. As part of the specification work on OAuth2, the definition was created with extensibility in mind. This extensibility allows new protocols to be defined on top of the ‘basic’ OAuth2 protocol. A number of extension protocols have been defined (for example UMA) and a number more are in draft stages. Of specific note here is OpenID Connect, a protocol build on top of OAuth2 to provide: “authentication built on top of OAuth 2.0 and the use of claims to communicate information about the End-User”1 OPENID CONNECT 1.0 OpenID Connect or OIDC in short, layers on top of OAuth 2.0 to provide authentication information as well as authorisation information through the use of Claims. Being based on OAuth2.0 OpenID Connect flow is very similar to OAuth 2.0, as seen below, the major difference is the addition of the ID Token. 1 http://openid.net/developers/specs/
  • 8. UBISECURE WHITE PAPER 8 info@ubisecure.com www.ubisecure.com 1. The client prepares an Authentication Request containing the desired request parameters. 2. The client sends the request to the Authorization Server. 3. The Authorization Server authenticates the end user. 4. The Authorization Server obtains user consent/authorization. 5. The Authorization Server sends the user back to the client with an access token and, if requested, an ID token. 6. The client requests a response using the Authorisation Code at the Token endpoint. 7. The client receives a response that contains an ID Token and Access Token in the response body. 8. The client validates the ID token and retrieves the subject identifier of the user. The OpenID Connect standard introduces additional parameters to the request and introduces the concepts of Claims and the ID Token.
  • 9. UBISECURE WHITE PAPER 9 info@ubisecure.com www.ubisecure.com Feature Details Additional parameters When the Client makes a request to the IdP it can pass additional parameters to the IdP, for example language for the authentication UI, and required authentication level Claims Claims are ‘name-value’ pairs that provide attribute data about the user that has been authenticated. The OpenID Connect standard defines a number of standard Claims, for example: given_name, family_name, picture, email. In addition to the standard Claims, ‘additional claims’ can be defined. ID Token The ID Token is built by the IdP and returned to the Relying Party as the final part of the basic authentication. This token contains a number of authentication related claims and may contain additional user related claims. The token itself is in the form of a signed JSON Web Token (JWT), and may, optionally, be encrypted. An access token is also returned that can be used by the Client to make further requests to the IdP or a Resource Server. Again, being based on OAuth 2.0 OpenID Connect is ‘API friendly’ and can be used by web applications, desktop applications, mobile applications and devices. SECURITY CONSIDERATIONS SAML For SAML the most common and widely used protocol for securing message exchange between an IdP and service provider is sending signed SAML Assertion to the Service Provider using HTTP POST protocol. SAML uses XML Signature and XML Encryption for end-to-end message integrity and encryption. Key exchange in SAML happens either out of band or dynamically with SAML Metadata. See SAML V2.0 Implementation Profile for Federation Interoperability for a recent requirement specification for an interoperable and secure SAML implementation.
  • 10. UBISECURE WHITE PAPER 10 info@ubisecure.com www.ubisecure.com OAUTH 2.0 AND OPENID CONNECT 1.0 OIDC defines different profiles for securing message exchange between an IdP and a Relying Party. The simplest model completely relies on security of DNS and TLS for integrity. The benefit is very low barrier of entry into integrating an application with an OIDC IdP where the application designer only needs capability of invoking a RESTful API of the OIDC IdP, no processing of digital signatures or other cryptography is necessary. By implementing signed and encrypted JWTs the security of an OIDC implementation is increased to the level of SAML with end-to-end message integrity and encryption. By using modern technologies such as Token Binding security increases even beyond what is possible with standards based interoperable SAML. When signed and encrypted JWTs are used, key exchange in OIDC happens either out of band or dynamically with OIDC Metadata. Dynamic Client Registration Protocol enables a very dynamic and completely automated management of Client identities at an OIDC IdP, very well suited for IoT and Mobile Application use cases. See OAuth 2.0 Threat Model and Security Considerations and OAuth 2.0 Security Best Current Practice for recent instructions and best practices into creating secure OAuth and OIDC integrations. COMPARING THE PROTOCOLS Firstly, OAuth 2.0 has a different purpose to both SAML 2.0 and OpenID Connect 1.0, OAuth is, at the base level, an authorisation protocol, whereas SAML and OpenID Connect are authentication/authorisation protocols. For access control, OAuth 2.0 provides a great solution. SAML and OpenID Connect both provide authentication as well as authorisation. SAML is definitely the more complex to implement. OpenID Connect, being based on OAuth has a very low barrier to entry and can be scaled once working (both security and feature wise). If you are looking to join large existing federations that SAML will have the edge, its age means many of the existing federations are SAML based (for example most university federations). Of course it is possible to translate between protocols, doing this manually is a significant amount of work, but using the Ubisecure Identity Server in an IdP Proxy role this is just a configuration option, so it is possible to have a simple implementation of OpenID Connect working with an existing SAML federation. SAML is effectively constrained to browser operation, so for application or device usage OpenID Connect will be the protocol of choice.
  • 11. UBISECURE WHITE PAPER 11 info@ubisecure.com www.ubisecure.com When it comes to security, OAuth, and hence OpenID Connect, provides a flexible model which can scale. SAML benefits from being within the browser having a relatively fixed security model, but is also only as secure as the browser. OAuth is dependent upon the TLS stack and when incorporated in an application is only as good as the stack in the application. If the app is using the OS implementation then it will be parallel to the browser, however, device implementation will need to take care over stack selection and configuration. CONCLUSIONS The emergence and rapid growth of OpenID Connect is a physical manifestation of the ongoing mobile transformation. As identity and access management has split between the traditional enterprise SSO and external user centric CIAM, so has the protocol stack underneath. OpenID Connect combines OAuth 2.0 authorisation with authentication, and allows building a user-friendly mobile application “done right”. An inevitable question is “Which of the protocols is the right for my use case?” Making broad generalisations is one of the best ways to draw dissension from all directions, but the below table does just that. Protocol Best use cases SAML Enterprise SSO, existing federations OAuth 2.0 API authorisation, UMA OpenID Connect Customer SSO, CIAM, mobile If you are reading this to determine how to quantify, manage and reap the benefits of CIAM in your organisation please contact Ubisecure – we can guide you through the complexity and reduce your implementation time considerably.
  • 12. UBISECURE WHITE PAPER 12 info@ubisecure.com www.ubisecure.com Ubisecure is a pioneering European b2b and b2c Customer Identity & Access Management (CIAM) software provider and cloud identity services enabler dedicated to helping its customers realise the true potential of digital business. Ubisecure provides a powerful Identity Platform to connect customer digital identities with customer- facing SaaS and enterprise applications in the cloud and on-premise. The platform consists of productised CIAM middleware and API tooling to help connect and enrich strong identity profiles; manage identity usage, authorisation and progressive authentication policies; secure and consolidate identity, privacy and consent data; and streamline identity based workflows and decision delegations. Uniquely, Ubisecure’s Identity Platform connects digital services and Identity Providers, such as social networks, mobile networks, banks and Governments, to allow Service Providers to use rich, verified identities to create frictionless login, registration and customer engagement while improving privacy and consent around personal data sharing to meet requirements such as GDPR and PSD2. Ubisecure is accredited by the Global Legal Entity Identifier Foundation (GLEIF) to issue Legal Entity Identifiers (LEI) under its RapidLEI brand, a cloud-based service that automates the LEI lifecycle to deliver LEIs quickly and easily. The company has offices in London and Finland. To learn more about Customer IAM and Company Identity solutions visit www.ubisecure.com or contact us at sales-team@ubisecure.com