SAML vs OAuth

Shobhit Srivastava
3 min read · Jun 21, 2021


“Problem-solving, inventing, hacking and coding is more of an adrenaline rush of endorphins rather than a feeling”- Walter O’Brien

Pexels Image by cottonbro

Many apps offer you the following options when you sign up:

  1. Entering a username or email address and a password
  2. Signing in with your Google account
  3. Signing in with your Facebook account

Most people pick the second or third option because it is quicker.

But have you ever wondered how authentication takes place in that case?

OK, let me give you another scenario.

Let's say you want to order prints of your digital photos. You go to the print service's website and, after you have filled in all the details, it asks for the photographs. All of your photos are in Google Drive, so how do you share them? You certainly don't want to hand over your Gmail address and password. What you want is to give the print service limited access, so that it can read the photos on your Drive and nothing else. This is where OAuth comes into the picture.

So what is OAuth?

OAuth is an authorization mechanism: it lets one service act on another service on behalf of a user (you) without that user ever sharing their credentials with the first service. It answers the question "what is this service allowed to do on my behalf?", not "who is this user?".

Without confusing you further, let's follow the above example.

If OAuth is configured between Google and the photo service, the photo service can ask Google for access to the photos on your Drive. Google does not hand anything over straight away: it first redirects you to a Google page, where you sign in (if you are not already signed in) and are asked whether you want to grant the photo service that particular permission, called a scope. Once you approve, Google gives the photo service an access token that carries only the permissions you granted. Depending on the provider, this token is either an opaque string or a JWT (JSON Web Token), a signed JSON structure. The photo service then attaches the token to its requests to Google's Drive API, Google checks the token's scope on every call, and things work without the photo service ever seeing your password. Because the token is limited in scope and has an expiry, you can also revoke it later without changing your password.

This is how OAuth works.
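To make the sequence above concrete, here is an added example (not code from the original post) that simulates the OAuth 2.0 authorization code flow in Python with all three parties in one process: the authorization server that records consent and mints tokens, the print shop that acts as the OAuth client, and the Drive API that enforces the token's scope. The client ID, client secret, URLs, scope names and sample files are all constructed for the example, and the token format and introspection are simplified compared with a real provider.

```python
"""Minimal simulation of the OAuth 2.0 authorization code flow.

Three parties, all in one process for illustration (hypothetical names):
  - AuthorizationServer: the "Google" side that records consent and mints tokens.
  - The print shop (client_id "print-shop") is the third-party OAuth client.
  - DriveApi: the resource server that enforces the token's scope on each call.
"""
import secrets
import time
from dataclasses import dataclass

PHOTOS_SCOPE = "drive.photos.readonly"   # constructed scope: what the print shop needs
FULL_SCOPE = "drive"                      # constructed scope: what it must NOT get


@dataclass
class TokenRecord:
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    def __init__(self):
        # Clients register a redirect URI up front, so a leaked client_id alone
        # cannot send authorization codes to an attacker-controlled URL.
        self.clients = {"print-shop": {"secret": "s3cret", "redirect_uri": "https://print.example/cb"}}
        self.codes = {}
        self.tokens = {}

    def authorize(self, client_id, redirect_uri, requested_scopes, user, consented_scopes):
        """Step 1: the user sees a consent screen; the result is a short-lived code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        # Grant only what the user actually approved, and never more than was requested.
        granted = frozenset(requested_scopes) & frozenset(consented_scopes)
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, granted, time.time() + 60)
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Step 2: the client trades the code plus its own secret for an access token."""
        entry = self.codes.pop(code, None)   # codes are single use
        if entry is None:
            raise PermissionError("invalid or reused code")
        c_id, r_uri, user, granted, exp = entry
        client = self.clients.get(client_id)
        if (client is None or c_id != client_id or r_uri != redirect_uri
                or not secrets.compare_digest(client["secret"], client_secret)
                or time.time() > exp):
            raise PermissionError("code/client binding failed")
        token = secrets.token_urlsafe(32)   # opaque bearer token; the user's password never appears
        self.tokens[token] = TokenRecord(user, client_id, granted, time.time() + 3600)
        return token

    def introspect(self, token):
        rec = self.tokens.get(token)
        if rec is None or time.time() > rec.expires_at:
            return None
        return rec


class DriveApi:
    """Resource server: looks the token up and checks its scope before every call."""
    def __init__(self, auth_server, files):
        self.auth = auth_server
        self.files = files   # {user: {filename: mime type}}

    def _require(self, token, scope):
        rec = self.auth.introspect(token)
        if rec is None:
            raise PermissionError("invalid or expired token")
        if scope not in rec.scopes:
            raise PermissionError(f"insufficient_scope: need {scope}")
        return rec.user

    def list_photos(self, token):
        user = self._require(token, PHOTOS_SCOPE)
        return sorted(n for n, mime in self.files[user].items() if mime.startswith("image/"))

    def delete_file(self, token, name):
        user = self._require(token, FULL_SCOPE)
        del self.files[user][name]


def run_flow():
    """Walk the print shop through the flow; returns what it could and could not do."""
    auth = AuthorizationServer()
    drive = DriveApi(auth, {"alice": {"beach.jpg": "image/jpeg", "taxes.pdf": "application/pdf"}})
    # The shop greedily asks for full Drive access; Alice consents only to reading photos.
    code = auth.authorize("print-shop", "https://print.example/cb",
                          [PHOTOS_SCOPE, FULL_SCOPE], "alice", [PHOTOS_SCOPE])
    token = auth.exchange_code(code, "print-shop", "s3cret", "https://print.example/cb")
    photos = drive.list_photos(token)
    try:
        drive.delete_file(token, "taxes.pdf")
        delete_blocked = False
    except PermissionError:
        delete_blocked = True
    try:   # replaying the already-used code must fail
        auth.exchange_code(code, "print-shop", "s3cret", "https://print.example/cb")
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {"photos": photos, "delete_blocked": delete_blocked, "replay_blocked": replay_blocked}


if __name__ == "__main__":
    print(run_flow())
```

The shop ends up with a token that lists photos and nothing else: the delete call is refused because the token's scope is what Alice consented to, not what the shop asked for, and the authorization code cannot be replayed. At no point does the shop learn Alice's password.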

Now, coming back to SAML.

SAML stands for Security Assertion Markup Language. It is an open standard that lets an identity provider (IdP) tell a service provider (SP) who a user is, in the form of a digitally signed XML document called an assertion, optionally along with attributes about that user.

Sounds complicated, right?

OK let me explain.

You might remember the time you created your first Gmail account. Before Gmail itself, Google asked you to create a Google account: you entered your new Gmail address, date of birth, phone number and so on, and after a few steps the account existed. You were then redirected to Gmail and saw your first, completely empty inbox. If you then opened YouTube, you found you were already logged in. But how? How did creating a Google account log you in to every Google service? This is single sign-on (SSO), and SSO between separately run services is exactly the problem SAML solves. (Between its own products Google uses its own session mechanism rather than SAML; you meet SAML proper when, for instance, a company connects Google Workspace to its corporate identity provider so that employees log in once at the company's login page.)

Going with the above definition, Google is the identity provider here and Gmail, YouTube and so on are the service providers.

Now when you open YouTube, YouTube does not ask you for a password. It redirects your browser to the identity provider (your Google account), which checks that you already have a valid session there and sends your browser back to YouTube carrying a signed assertion that says, in effect, "this is user X, authenticated at time T, for YouTube". YouTube verifies the signature against the identity provider's certificate and, if it checks out, logs you in. Your password is only ever typed into the identity provider.

As with OAuth, the identity provider and the service provider must agree on a shared configuration beforehand. In SAML this is exchanged as metadata that lists each side's entity ID, endpoint URLs and the signing certificate the service provider should trust.

All of the assertions and other messages exchanged between identity provider and service provider are XML documents, signed with XML Signature so the service provider can detect tampering.

SAML is used for single sign-on in large corporations and organizations, where you log in once and can then access many services without the overhead of signing in to each one. The service provider relies on the assertion's issuer, signature, audience restriction and validity window rather than on any password of its own.
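The checks a service provider performs on an incoming assertion, as an added example rather than code from the post. It is written in Python with the standard library only, so the XML-DSig signature that real SAML uses (an RSA or ECDSA signature over canonicalized XML) is replaced by an HMAC over the assertion bytes with a key shared by the IdP and SP; the issuer, validity-window and audience checks are the ones a real SP runs. The entity IDs, user, timestamps and key are all constructed.

```python
"""What a SAML service provider checks before trusting an assertion.

Constructed, simplified assertion: the <ds:Signature> of real SAML is replaced by
an HMAC-SHA256 over the XML bytes (a stand-in, not how SAML signs), so the
example runs offline. The structural checks below are the real ones.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(issuer, subject, audience, now, key):
    """IdP side: issue a signed assertion for exactly one SP (the Audience)."""
    body = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_{secrets.token_hex(8)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{now.strftime(TS)}" NotOnOrAfter="{(now + timedelta(minutes=5)).strftime(TS)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return {"xml": body, "sig": base64.b64encode(sig).decode()}


def validate_assertion(msg, key, trusted_issuer, my_entity_id, now):
    """SP side: return the authenticated NameID, or raise ValueError."""
    body = msg["xml"].encode()
    # 1. Signature first: nothing in the XML is trustworthy until integrity is proven.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(msg["sig"])):
        raise ValueError("bad signature")
    root = ET.fromstring(body)
    # 2. The assertion must come from the IdP configured in our metadata.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer {issuer!r}")
    # 3. Validity window: reject assertions that are expired or not yet valid.
    cond = root.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        raise ValueError("assertion outside validity window")
    # 4. Audience: an assertion minted for the mail SP must not log anyone into the video SP.
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include {my_entity_id}")
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Issue one assertion for the mail SP and try it in four situations."""
    key = b"constructed shared IdP/SP key"
    now = datetime(2021, 6, 21, 12, 0, tzinfo=timezone.utc)
    idp = "https://accounts.example/idp"
    mail_sp, video_sp = "https://mail.example/sp", "https://video.example/sp"
    msg = build_assertion(idp, "alice@example.com", mail_sp, now, key)
    results = {"mail": validate_assertion(msg, key, idp, mail_sp, now + timedelta(seconds=30))}
    for label, sp, when in [("replay_to_other_sp", video_sp, now + timedelta(seconds=30)),
                            ("expired", mail_sp, now + timedelta(minutes=10))]:
        try:
            validate_assertion(msg, key, idp, sp, when)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = f"rejected: {e}"
    # Tampering: change the NameID after signing and present the old signature.
    forged = {"xml": msg["xml"].replace("alice@example.com", "admin@example.com"), "sig": msg["sig"]}
    try:
        validate_assertion(forged, key, idp, mail_sp, now)
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same assertion logs Alice into the mail service, is refused by the video service because of the audience restriction, is refused ten minutes later because of the validity window, and is refused outright once a single byte has been changed. The order of the checks matters: the signature is verified before anything is read out of the XML.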

Shobhit Srivastava

Software Developer | My areas of interest are: Software Development, OpenSource, Startups, Innovation