AUTHENTICATION SYSTEMS
SAML
Security Assertion Markup Language (SAML) is an open, XML-based standard widely used to facilitate the exchange of authentication and authorization (AA) information between federated organizations. It supports Single Sign-On (SSO) for browser-based access. Developed by the Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit consortium promoting open standards, SAML 2.0 was adopted as an OASIS standard in 2005 and has been actively maintained since.
The SAML 2.0 specification defines three key entities: the principal, the service provider, and the identity provider. An example would be a user accessing an investment account at Iwanttobeamillionair.com. The site requires the user to log on, and it uses SAML to do so.
In the above example these are:
- Principal or user agent – The user
- Service provider – The bank website
- Identity provider – The entity that holds the user's authentication and authorization data (Azure AD, for example)
The user is prompted to enter their credentials. Upon submission, the site forwards their credentials to the Identity Provider (IdP). The IdP responds with XML messages either validating or rejecting their credentials and specifying the access permissions. Based on this response, the site grants the user access to their account.
The IdP can send three types of XML messages, known as assertions:
- Authentication assertion: Provides proof that the user agent supplied the proper credentials, identifies the identification method, and records the time the user agent logged on.
- Authorization assertion: Indicates whether the user agent is authorized to access the requested service. If access is denied, the assertion states why.
- Attribute assertion: Carries attributes, which can be any information about the user agent.
OAuth
OAuth 2.0, short for Open Authorization, is an authorization framework defined in RFC 6749 and maintained by the Internet Engineering Task Force (IETF). It is widely used by companies such as Facebook, Twitter and Amazon. Its purpose is to enable secure sharing of account information with third-party websites without exposing passwords. For instance, if you have a Twitter account and download an app called MyTweets to schedule Tweets, the process begins when you try to use this feature. The app redirects you to Twitter, where you log in; Twitter shows you the permissions the app is requesting, and you decide whether to authorize it. If you approve, Twitter provides the app with an authorization token. This token can be entered automatically or manually into the app’s settings. When MyTweets interacts with your Twitter account, it sends an API request that includes the token, so Twitter can verify the app is authorized.
OAuth 2.0 does not handle authentication directly; instead it authorizes access to an account. One key advantage in this example is that your Twitter credentials are never shared with the MyTweets app. Even if the app is compromised, your credentials remain secure and are not exposed.
OIDC
OpenID Connect (OIDC) is an authentication layer built on the OAuth 2.0 authorization framework. Unlike OAuth 2.0, it supports both authentication and authorization. It is maintained by the OpenID Foundation and uses a JavaScript Object Notation (JSON) Web Token (JWT), also known as an ID token. OpenID Connect relies on a web service to retrieve the JWT, which not only authenticates the user but can also include profile information about them.
OpenID Connect extends OAuth 2.0 by adding an identity layer for authentication through an Identity Token. For example, consider the MyTweets app attempting to access Twitter. When the user clicks “Sign in with Twitter,” the app is redirected to the authorization server and requests specific scopes defined in the API, such as the user’s email address. This information is then sent to the requesting app or third party.
Comparing SAML, OAuth 2.0 and OIDC
When comparing SAML, OAuth, and OIDC, it can be challenging to distinguish between them. This section provides a summary of each and highlights their key differences.
SAML (Security Assertion Markup Language):
- SAML 2.0 is an open XML-based standard, adopted by OASIS in 2005.
- It involves three entities: a principal (e.g., a user), a service provider (e.g., a website), and an identity provider (a third party holding authentication and authorization data).
- SAML provides authentication, authorization, and attribute information about the principal.
OAuth:
- OAuth is an authorization framework, not an authentication protocol.
- Defined in RFC 6749, OAuth 2.0 allows information exchange through APIs.
- An app obtains an access token from an identity provider, which it then uses for authorization in subsequent requests.
OIDC (OpenID Connect):
- OIDC is an authentication layer built on OAuth 2.0.
- It extends OpenID to provide both authentication and authorization.
- OIDC uses a JSON Web Token (JWT) for authentication and can include user profile data.