SAML vs. OAuth: Comparison and Differences

Security Assertion Markup Language (SAML) is an authentication process. Head to work in the morning and log into your computer, and you've likely used SAML.

Open Authorization (OAuth) is an authorization process. Use it to jump from one service to another without tapping in a new username and password. If you're logged into Google and used those credentials for Hootsuite, you've used OAuth.

Both applications can be used for web single sign on (SSO), but SAML tends to be specific to a user, while OAuth tends to be specific to an application. The two are not interchangeable, so instead of an outright comparison, we’ll discuss how they work together.

How Does SAML Work?

SAML is an open standard that verifies identity and offers authentication. In a typical office environment, an employee must log on to gain access to any part of the company's inner functions.

With SAML authentication complete, the user may have access to an entire suite of tools, including a corporate intranet, Microsoft Office, and a browser. SAML allows the user to tap into all of these resources under one digital signature.

Or in companies with tighter security, SAML only allows the user to open a door or unlock a computer screen. Authorization is required before the user can do anything else, including accessing files.

Network administrators can use SAML to manage users from a central location. One password unlocks all the services a person needs, and it protects the company's security too.

A typical SAML workflow looks like this:

  • Request: A user taps on a "Log in" button.
  • Validation: The service provider and the identity provider connect for authentication.
  • Login: The user sees a screen waiting for username and password data.
  • Token creation: If the user enters the right information, a SAML token moves to the service provider, which allows the user to log into the server.

This workflow allows a service provider, a browser, and an identity provider to trade information seamlessly. The user may not even notice the delay, as this process is typically handled in seconds.

How Does OAuth Work?

While “auth” can mean Authentication or Authorization, for the OAuth protocol, we mean specifically authorization. This protocol is used to pass authorization from one user to another, all while protecting someone's username and password.

Think of OAuth as a critical timesaver in an environment where the average employee switches job-critical applications a whopping 1,100 times per day. Sometimes, employees want a way to jump from one app to another without logging in again. OAuth makes that possible.

Consider an employee with an active Google account. That person could use the same credentials to tap into data found on:

  • Hootsuite
  • SurveyMonkey
  • HotJar
  • Microsoft 365
  • Salesforce
  • Marketo
  • Box

The employee needs all of these web-based programs to do the job right. But that same person may shudder at creating (and remembering) five different sets of usernames and passwords.

Duplicating the usernames and passwords is a security gamble. If one site fails, the user's critical data is exposed and vulnerable on all the platforms. But logging into another site with validation provided by the first is very different.

Some consumers worry about datamining, and they suggest using a tool like this gives companies like Facebook too much power. Each time a user selects a Facebook login for other apps and sites, Facebook gains more customer insight. And if Facebook's data is compromised, that person's additional logins could fail too.

But most employees would be thankful for the ability to save time during busy, stressful periods.

An OAuth workflow looks like this:

  • Request: A user clicks on a "Log in" button on a web page.
  • Choice: The client chooses the third-party authorization credentials to use.
  • Log in: The authorization server creates an access token, and that’s sent to the resource server.
  • Connection: After verifying the token, the resource server grants access.

Throughout this process, the two servers are passing information back and forth. Typically, OAuth uses JSON Web Tokens (JWT) for tokens, but it can also use plain JavaScript Object Notation (JSON) structures instead.

No matter how they are created, tokens are always encoded, usually signed, but rarely encrypted as they pass from one server to another.
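To make the last two statements concrete, here is an added example (not from the original page or from Okta) using only Python's standard library: it mints an HS256 JWT the way an authorization server would, shows that the claims are readable by anyone holding the token because base64url is encoding rather than encryption, and then runs the checks a resource server performs (algorithm, signature, audience, expiry) before granting access. The signing key and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # an AS keeps this secret

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, key):
    """What the authorization server does: header.payload.HMAC-SHA256 signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def peek_claims(token):
    """Anyone holding the token can read its claims: base64url is encoding, not encryption."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_token(token, key, expected_aud, now=None):
    """What the resource server does before granting access. Returns claims or None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pin the algorithm; never accept "none"
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None                             # signature mismatch: altered token or wrong key
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None                             # issued for another API, or expired
    return claims

def reissue_payload(token, new_claims):
    """Swap the payload while keeping the old signature, to show verification rejects it."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"
```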

OAuth vs. SAML: Similarities and Differences

Both OAuth and SAML are protocols to encourage and standardize interoperability.

People use these tools to avoid an ever-expanding list of usernames and passwords that block them from accessing critical resources. For app owners, OAuth and SAML allow for easy onboarding and the ability to delegate user management. For admins, these tools mean fast integration and centralized authentication and authorization.

But the two tools handle very different functions involving:

  • Authentication. This process involves a user's identity. SAML is a bit like a house key. It grants you access to the facility.
  • Authorization. This process involves a user's privileges. OAuth is a bit like the rules of the house that dictate what the person can and can't do once inside.

To break this down further, consider an employee on an average workday. That person logs in one time in the morning with SAML. That login grants access to the entire suite of SAML-based applications. No more work is required for the user to click from one to the other.

When Should You Use SAML or OAuth?

Both SAML and OAuth allow for SSO opportunities, and they're critical for productive employees. They're not exactly alternatives; they're more like technologies that can work together.

In the Microsoft environment, for example, OAuth handles authorization, and SAML handles authentication. You could use the two at the same time to grant access (via SAML) and allow access to a protected resource (via OAuth).

You could also eliminate both of these tools. Some web pages, for example, don't require either authentication or authorization.

But most businesses with digital systems need some type of authentication and authorization system to function effectively. Users must be allowed to sign in and move throughout the company's systems as they complete their daily work.

What About OpenID Connect (OIDC)?

OAuth could be important if you're developing a secondary tool for consumers, such as apps or portals. Your market might appreciate the opportunity to get inside your tools without creating a new username and password. And OAuth could be helpful for your employees if they use non-SAML tools.

But for a true comparison with SAML, you'll want to explore the difference between SAML, OAuth, and OpenID Connect.

Work With Okta

Okta is best known for its SSO services that allow you to seamlessly authenticate to the applications you use on a daily basis. Secure single sign-on often uses SAML as the protocol of choice, but Okta also provides several other options, including a Sign-in Widget, Auth SDK (a JavaScript-based library), Social Login, and an Authentication API for any client.

Learn more about Okta’s pre-built identity solutions here.

References

A Survey on Single Sign-On Techniques. (2012). Procedia Technology.

Employees Switch Apps More Than 1,100 Times a Day, Decreasing Productivity. (December 2018). TechRepublic.

Stop Synching Your Contacts with Facebook. (August 2019). Mashable.

Authentication vs. Authorization. (September 2018). Medium.

Authentication vs. Authorization. (May 2020). Microsoft.

Why SAML? (Security Assertion Markup Language). (July 2018). Medium.

Understanding Authentication, Authorization, and Encryption. Boston University.