SAML VS OAuth: Differences and similarities

When we start our daily work by logging into our computer, we are likely using SAML, yet we are unaware of it. SAML, an acronym of Security Assertion Markup Language, is an authentication process. Its primary role is to allow users to access multiple web applications by using a single set of login credentials. 

OAuth is an authorization process. This protocol allows a user to move from one application to another without entering a username and password every time. For example, if one is logged into Google and then uses the same credential to log in to Quora social website, then it means that one has used OAuth. 

Both the applications can be used for SSO, i.e., Single Sign-on, but while SAML tends to be specific to a user, OAuth is specific to applications. These two processes are not the same and not interchangeable either. There is no outright comparison, but they tend to work in tandem. Here we will see how they work together. 

How  SAML works 

Security Assertion Markup Language is an XML-based open-standard that identifies the user, verifies, and then authenticates. For example, an employee must log in to the system to be able to gain access to the company's internal functions and assets.  When the SAML authentication is complete and successful, the employee can access the entire suite of tools that includes Microsoft Office, browser, corporate intranet, official email account, and companies’ data. The employee can tap all these resources under one digital signature or single login id.

In many organizations, there are tighter controls where SAML will only allow the employee to unlock the computer screen but to access the files and other applications, authorization is required before the user can start any work. 

IT network administrators use SAML from a central location to manage users across the organization. One password unlocks all the services that the employee needs on the system. This protects the company's security too. 

A SAML workflow contains the following process:

• Request -   User taps in the login button
• Validation: SAML and identity prover verifies the identity and connects for authentication
• Login: the user sees a screen for username and password data.
• Token creation: The user enters the credentials. If the information is correct, then a SAML token is moved to the service provider that enables the user to log into the server. This process allows the SAML, browser, and identity provider to process information smoothly. The user is unaware of the process and does not notice it as the process is completed in seconds. 

How OAuth works

 While the short form "Auth" stands for Authentication or Authorisation, it refers to Authorization in OAuth. The OAuth protocol is used to give authorization from one service to another with a single login and at the same time protect the user's credential in those applications. 

As per estimates, an employee on average switches critical work applications at least 1100 times a day. Imagine the time consumed if one had to log in for each App. The OAuth is thus a crucial time-saver in an environment where productivity counts and all the time maintains the security aspect. 

 For example, an employee with an active Google account can use the same credentials to access data and information found on applications such as Microsoft 365, Salesforce, Box, Hootsuite, HotJar, SurveyMonkey, etc. The employee would require these web-based programs to do the job right. But if the same user had to create a username and password for each of these apps, then it would be pretty cumbersome and not secured.

It is also a considerable risk that users use the same username and password for different applications. It could be a security gamble because if one site is compromised, then the user data is exposed and could be used on other sites, making the user extremely vulnerable. But logging into different applications by just using the validation by protocols like OAuth is different. 

Many people think that using the OAuth protocol can be dangerous as this can provide platforms like Facebook for data mining. If a user uses a Facebook login to access other applications and websites, Facebook will get more customer insights. If hackers compromise Facebook, then a person's additional logins could get compromised too. In early 2021, a low-level hacking forum leaked 533 million Facebook users' data online.   

An OAuth workflow consists of:

• Request -   On a webpage, a user clicks the login button
• Choice - Third-party authorization credentials are selected for use by the client
• Log in - Access token created by the authorization server and then sent to the resource server.
• Connection - After token verification, the resource server grants access.

In this process, the two servers pass information back and forth. The tokens are encoded and usually signed but rarely encrypted as they pass between servers.

OAuth and SAML - Similarities and Differences

Both SAML and OAuth are protocols to standardize and encourage interoperability. These tools are used to prevent the usernames and passwords from expanding, which would require blocking them from accessing critical resources. For owners of App, the SAML and OAuth allows easy onboarding and provide user management delegation. These tools are meant for better and faster integration with centralized authentication and authorization for administrators. 

These tools handle different functions as authentication and authorization are not the same as thought by many.

• Authentication - This process refers to a user identity. It is like a house key that grants access inside the house. 
• Authorization – this refers to the privileges allowed to the user. 

OAuth is like the house rules where the user was allowed entry with the key. The rules say what the person can or cannot do once inside the house.  

When an employee logs in for the first time with SAML in an organization, this login grants the employee the entire suite available with SAML-based applications. No extra work or login is required for the user to click from one to the other.