SAML Or OAuth – Which Is Best For Your Organization?

A couple of years ago if you asked Americans about cloud computing, half would tell you that stormy weather could interfere with cloud computing. Despite not understanding what cloud computing was, 97 percent were using some form of it and a third were already concerned about both security and privacy based on what they had read or heard in the media. 

Fast forward two years: The adoption of cloud computing by enterprises has indisputable benefits such as cost savings and productivity.

A 2013 cloud computing survey reported that security is still the top inhibitor to cloud computing adoption. When building enterprise applications, developers must give employees secure, native access to data and applications that live in the data center, in the cloud and in SaaS services.

Tying everything together is a loose network of APIs sprawled across the hybrid enterprise – both inside and outside the corporate firewall. This presents serious challenges for enterprise application architects and developers who have to find a way to secure access to and from these APIs.

While some organizations still use manual coding and pre-built adapters to provide access to these systems, this often poses potential security issues. Application access through these methods allows unsecured and uncertified custom code into the picture, which could lead to a serious security flaw in your network infrastructure. Identity and authentication, Single Sign-On (SSO) and secure API access are what plague these developers.

Enter SAML and OAuth.

But as an enterprise organization, which one should you use? Which one is better?

In many cases, the answer to both of these questions may depend both on the application and access needed. The bottom line is that they provide some similar functionality but they solve different problems. Many of our customers come to us because they start using one or the other and determine that there are needs for both.

Let’s look at some basic definitions of SAML and OAuth, and their differences.

SAML stands for Security Assertion Markup Language. OAuth is an open standard for authorization. The latest version of SAML has been around since 2005, and OAuth was created in 2010. SAML could not foresee the rise of the mobile devices and web applications in use today, but it provides user authentication; the "Auth" in OAuth, by contrast, stands for authorization, not authentication.

SAML provides information about who a user is and provides a way to authorize and authenticate users. OAuth allows organizations to delegate or grant access to APIs allowing someone (whoever is authorized) to act as the user (secure delegated access).

So, again, when should you use one or the other? It’s helpful to consider some examples.

OAuth:

Let’s say we have a sales executive who wants access to the contact details of his top 500 accounts from salesforce.com on his mobile phone. The application developers use OAuth in writing the application, as Salesforce.com uses OAuth. When the user logs in to the application for the first time, they sign in using OAuth, which establishes trust between your application and Salesforce.com (federated identity). Once the trust has been established, the application can act as the user within Salesforce.com – and depending on the access granted can read or write data back to Salesforce.com.

Popular cloud service providers such as Google, Salesforce.com and Dropbox use OAuth to enable enterprise applications to use their services.

SAML:

Let’s say your accounting team executive needs access to your custom accounting software, the bank account and an ERP database. These applications need to be able to communicate with each other using a common authentication scheme to provide a seamless user experience, so that one login provides access to all the parts of the online banking web portal. SAML provides the agreement and authentication between the unrelated systems to accomplish this. And SAML doesn’t only do single sign-on; it also has authorization services and back office transaction capabilities. SAML works with nearly any application that has APIs, custom or not, to provide these services. The SAML Web SSO Profile allows users to access multiple applications with a single set of credentials entered once.
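To make the difference between the two examples above concrete, here is an added illustration (not code from the original post or from any vendor): the accounting portal, acting as a SAML service provider, checks a constructed SAML 2.0 assertion to learn who the user is, while the Salesforce-style API checks a constructed OAuth token introspection result to learn what the app has been allowed to do on the user's behalf. Signature verification of both artifacts is assumed to have happened already and is omitted here; the issuer, audience, user and scope names are made up.

```python
"""SAML answers "who is this user?"; OAuth answers "what may this app do?".
Constructed sample data only. The IdP's XML signature and the token's
signature MUST be verified before either check below means anything."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed Web SSO assertion from a hypothetical IdP to the accounting portal.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-06-01T12:00:00Z" NotOnOrAfter="2013-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://accounting.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(text):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def saml_authenticated_user(assertion_xml, expected_audience, now):
    """Return the asserted NameID, or None if the assertion must be rejected."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return None
    # Outside the validity window: expired, or a replayed assertion.
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return None  # issued for a different service provider, not for us
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    return name_id.text if name_id is not None else None

# Constructed introspection result for the sales app's delegated access token.
SAMPLE_TOKEN_INFO = {
    "active": True,
    "sub": "jane.doe@example.com",
    "scope": "contacts.read",          # the user granted read access only
    "exp": parse_time("2013-06-01T13:00:00Z").timestamp(),
}

def oauth_permits(token_info, required_scope, now):
    """True only if the token is live and the grant covers required_scope."""
    if not token_info.get("active") or now.timestamp() >= token_info.get("exp", 0):
        return False
    return required_scope in set(token_info.get("scope", "").split())
```

A write to Salesforce with this token fails the scope check even though the same person is fully authenticated at the accounting portal, which is exactly why many organizations end up needing both standards.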

While cloud computing may still be confusing to many end users, hopefully this high level overview of SAML and OAuth can help you decide which you need to implement and when each is best used in your organization. The proper implementation of each standard is often invisible to your users, but each has its own use case.

To learn more about SAML SSO, download the white paper: How to Implement Enterprise SAML SSO

To learn more about OAuth, download the white paper: Cloud-based Enterprise Identity Management using OAuth