Demystifying SAML 2.0,Oauth 2.0, OpenID Connect

-Bhavna Bhatnagar-
Demystifying
SAML, OAuth 2.0, OpenID Connect

Topics
• SAML 2.0
• Benefits of SAML
• SAML Assertion explained
• OAuth 2.0
• OAuth 2.0 Vs SAML
• OpenID Connect
• OpenID Connect Vs SAML
• Q&A

What is SAML?
• Security Assertion Mark-up Language (SAML) is an open XML based standard
that allows identity providers (IdP) to pass authentication and authorization
credentials to service providers (SP)
• The OASIS Consortium approved SAML 2.0 in 2005
• Link to SAML 2.0 profiles:
https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0.os.pdf

SAML (some common terms)
• Identity Provider
• Client (web browser)
• Service Provider
• Token
• SAMLRequest
• AuthnRequest
• SAMLResponse
• AuthnResponse
• Assertion
• Web Browser SSO Profile
- POST Profile - “push”
- Artifact profile- “pull”

Benefits of SAML
• Single sign-on
• Standardization: SAML is a standard format, seamless interoperability
• Improved User Experience: Sign in once
• Password management, ease of recovery
• Increased Security: Secure identity provider (single point of authentication)
• Credentials safety: don’t leave firewall boundary
• Loose Coupling of Directories: SAML doesn’t require user information to be maintained
and synchronized between directories.
• Reduced Costs for Service Providers: Don’t have to maintain account information across
multiple services. The identity provider bears this burden.

SAML 2.0 Flow
Generate
Authn
request
User accesses a service
Authn
request is
verifiesHTTP POST to IdP w/authn Request
User is redirected to a login page at the
IdP
User logs in
Redirect to service w/SAML Token
User is logged in to the service

AuthnRequest and AuthnResponse with SAML Assertion embedded (sample)
Request
Response
*Picture credit: www.auth0.com

OAuth 2.0 Myths
Oauth2 is for Authentication !!!

OAuth 2.0 – Delegated Authorization With OAuth 2.0
profile and contacts?

OAuth 2.0 Terminology
• Resource Owner
• Client
• Authorization Server
• Resource Server
• Authorization grant
• Access Token

OAuth 2.0 Authorization Code Flow
Back to direct URI with
authorization code
Back to redirect URI with
authorization code

More OAuth 2.0 Terminology
• Scope
• Consent

OAuth 2.0 Authorization Code Flow
authorization code

Even more OAuth Terminology
• Authorization code flow (front channel + back channel)
• Implicit code flow (front channel only), used in pure JS applications
(eg. Pure Angular or pure React, Single Page Applications, that do
not have a backend web server)

OAuth 2.0 authorization code flow
authorization code
(front channel)

OAuth 2.0 implicit code flow
token

OAuth 2.0 vs SAML
OAuth2 SAML
Purpose Delegated Authorization SSO (mainly)
Artifacts exchanged HTTP XML over HTTP
Terminology
Has concept of flows Has concept of binding (IDP to SP
communication)
Authorization Server Identity Provider
Resource Provider Service Provider
Applications Client app could be web app or mobile
app
SAML Web browser SSO profile assumes it
is web app
HTTP Binding HTTP redirect with query parameters HTTP POST recommended for security
and long messages
Age 2010 2005
Signed token Signature is optional POST Profile its mandatory

OAuth 2.0 Limitations for Authentication
• No standard way to get user’s information
• Every implementation is different
• No common set of scopes

OAuth 2.0 and OpenID Connect
OpenID Connect
OAuth 2.0
HTTP
• OpenID Connect is for
authentication
• OAuth 2.0 is for authorization

OAuth 2.0 vs. OpenID Connect
OAuth 2.0 is an authorized
framework meant for
delegated authorization.
Authorization server returns
an access token.
OpenID connect is “profile” of
OAuth 2.0 specifically
designed for federated
authentication.
In addition to the access-
token, an Id token is returned
by the authorization server.
OAuth 2.0 is an authorization
framework meant for
delegated authorization.
Authorization Server returns
an access token
OpenID Connect is a “profile”
of OAuth 2.0 specifically
designed for federated
authentication.
In addition to the access-
token, an Id token is
returned by the
authorization server.

OpenID Connect
What OpenID Connect adds over OAuth
• In addition to the access-token, an Id-token is returned by the authorization server.
• Userinfo end point for getting more user information (if the Id token is not sufficient)
• “openid” is passed as a parameter in the Scope during the initial call to the Authorization server.
• Standardized implementation
https://account.google.com/o/oauth2/v2/auth?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https//yelp.com/callback
&scope=openid profile
&state=foobar

OpenID Connect authorization code flow
profile ?
authorization code
Get user info
with access
token
Scope: openid profile

OpenID Connect (OIDC) Vs SAML
OpenID Connect SAML
Purpose Federated Authentication Federated Authentication
Token ID Token (JWT JSON Web token) SAML Assertion (XML)
Terminology OpenID Provider (OP) Identity Provider (IDP)
Service Provider Called Relying party and mostly web or
mobile app
SAML Web browser SSO profile assumes SP
is a web site.
Used where Consumer websites, web apps, mobile apps Enterprise setting for SSO amongst various
apps.
Age New built over OAuth 2.0 Older technology
Channel used Front channel + back channel Mostly front channel

Which Protocol when ?
• Mobile applications: no question – use OpenID Connect.
• If the application already support SAML: use SAML.
• If you are writing a new application, use OpenID – newer.
• If you need to protect APIs, or you need to create an API
Gateway… Short answer: use OAuth 2.0

SAML AuthnRequest sample
<<Message>>
<samlp:AuthnRequest
xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”ID=“ONELOGIN_809707f0030
a5d00620c9d9df97f627afe9dcc24” Version=“2.0” ProviderName=“SP test” IssueInstant=“2014-07-
16T23:52:45Z”Destination=“http://idp.example.com/SSOServices.php” ProtocolBinding=“urn:oasis:name:tc:SAML:2.0:bindings:HTTP-
POST”AssertionConsumerServiceURL=“http://sp.example.com/demo1/index.php?acs”>
<saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
<saml:NameIDPolicy Format=“urn:oasis:name:tc:SAML:1:1nameid-format:emailAddress” AllowCreate=“true”/>
<samlp:RequestedAuthnCOntext Comparison=“”exact”>
<saml:AuthnCotextClassRef>urn:oasis:name:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

OpenID Userinfo endpoint
<<Message>>
GET/userinfo?schema=openid HTTP/1.1
Host:server.example.com
Authorization: Bearer SIAV32hkKG < --- Access Token
The response is a JSON object:
{
“sub”: “248289761001” ,
“name”: “”Jane Doe” ,
“given_name”: “Jane” ,
“family_name” : “Doe” ,
“preferred_username”: “jane.doe” ,
“email” : “janedoe@example.com” ,
“picture” : http://example.com/janedoe/me.jpg
}

Bibliography
Google.com
Okta.com (developer lectures)

Demystifying SAML 2.0,Oauth 2.0, OpenID Connect

More Related Content

What's hot (20)

Similar to Demystifying SAML 2.0,Oauth 2.0, OpenID Connect (20)

Recently uploaded (20)

Demystifying SAML 2.0,Oauth 2.0, OpenID Connect