Comparison of OpenID Connect with OAuth2.0 & SAML2.0

The following is a high-level feature comparison between OpenID Connect 1.0, OAuth 2.0 and SAML 2.0.

  • OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
  • OAuth 2.0 focuses on client developer simplicity while providing specific authorisation flows for web applications, desktop applications, mobile phones, and living room devices.
  • SAML 2.0 provides a standard for exchanging authentication and authorisation data between security domains using an XML-based protocol which uses security tokens containing assertions to pass information about a principal between an identity provider and a service provider.

Usage:

  • OpenID Connect allows a user to authenticate to an on-device App, a service or a site using an identity established with an Identity Provider (IdP).
  • Integration of OAuth 1.0 and OpenID 2.0 required an extension. In OpenID Connect, this OAuth 2.0 capability is built into the protocol itself.
  • Mobile apps do not have access to the HTTP POST body that SAML requires for posting the token back to the Service Provider. As such, SAML 2.0 has a native app limitation (yes, you could use a blended app).

APIs:

  • All three have extensive libraries (OAuth libraries, OpenID Connect libraries, SimpleSAMLphp).
  • OpenID Connect is REST based, encapsulating JSON Web Tokens, while SAML is XML based.
  • OpenID Connect performs many of the same tasks as OpenID 2.0, OAuth 2.0 and SAML, but does so in a way that is standardised and API-friendly.
  • OpenID Connect can also be extended to include more robust mechanisms for signing and encryption.

Tokens (Signing & Encryption):

  • OpenID Connect is REST based, encapsulating JSON Web Tokens which only sign the payload (they do not encrypt it).
  • SAML is XML based and supports signing and encryption using certificates.
  • OAuth 2.0 uses bearer tokens (similar to cookies), which do not require the bearer to prove possession of cryptographic key material (proof-of-possession). This is a risk for the enterprise.

Feature Comparison:

OpenID Connect 1.0:

  • ✔ SP & IdP Initiated Login
  • ✔ High Security Identity tokens (JSON Web Token)
  • ✔ Collects user’s consent before sharing attributes
  • ✔ Token contains user identity information
  • ✔ Distributed & Aggregated Claims
  • ✔ Dynamic Introductions (client discovery & on-boarding)
  • ✔ Session Timeout (future)

OAuth 2.0:

  • ✔ SP & IdP Initiated Login
  • ✘ High Security Identity tokens (uses bearer tokens, which have no proof of possession)
  • ✔ Collects user’s consent
  • ✘ Token contains user identity information
  • ✘ No Distributed & Aggregated Claims
  • ✘ No Dynamic Introductions (client discovery & on-boarding)
  • ✘ No Session Timeout

SAML 2.0:

  • ✔ SP & IdP Initiated Login
  • ✘ Does not support embedded applications
  • ✔ High Security Identity tokens (e.g. X.509)
  • ✘ Not Responsible for collecting user’s consent
  • ✘ Token contains user identity information
  • ✘ No Distributed & Aggregated Claims
  • ✘ No Dynamic Introductions (client discovery & on-boarding)
  • ✘ No Session Timeout