SAML vs. OAuth: A Plain Language Explanation

by Erin Risk

SAML vs. OAuth: A Plain Language Explanation

As corporate technology assets diversify and spread beyond the network perimeter, the proliferation of passwords undermines network security. Single Sign-On technologies promise to solve this problem by letting workers use one credential across every protected system. Many rely on open-standard frameworks such as SAML and OAuth to avoid vendor lock-in. But how do you know when to use SAML vs OAuth?

That is a critical question to answer as you begin the move to Zero Trust Network Access (ZTNA). When every access attempt gets challenged by your ZTNA security system, Single Sign-On (SSO) technologies improve the user experience and simplify credential management. To help, we will provide a plain language explanation of the similarities and differences between SAML and OAuth, how they work, and when it makes sense to use each one.

What is SAML?

Developed and maintained by the Organization for the Advancement of Structured Information Standards (OASIS), the Security Assertion Markup Language (SAML) is a standardized framework for federating identity so SSO authentication can work across multiple services.

Strictly speaking, SAML is only concerned with the authentication of a user’s identity. Each service provider executes its own authorization process. However, authentication and authorization solutions such as Azure Active Directory or Okta may use SAML to support both processes.

SAML defines the flow of information between three entities:

  • User: The person, device, or system requesting access to a resource or service.
  • Service provider (SP): The system or organization that owns the resource or service.
  • Identity provider (IdP): A separate system or third-party service that performs identity verification.

A simple SAML process flow works like this:

  1. The User requests access from the SP.
  2. The SP contacts the IdP.
  3. The IdP issues an identity prompt to the User.
  4. The User confirms their identity.
  5. The IdP issues an authentication token to the SP.
  6. The SP grants the User access.

With SAML, service providers avoid the cost, security, and compliance issues associated with maintaining users’ identity information. Users avoid the hassles associated with creating passwords for, and logging into, every service provider. And by federating authentication through a central identity provider, the user’s identity information is more secure.

Enterprise SSO is the most common application of SAML. Organizations no longer rely on centralized, on-premises applications for everything they do. Their users need to access a growing range of cloud-hosted applications and third-party X-as-a-Service providers. SAML defines a standards-based method for distributing authentication information internally and externally while using a single identity provider. B2B platforms like Salesforce and Workplace use SAML to support SSO with their customers’ IdP.

What is OAuth?

The Internet Engineering Task Force (IETF) developed OAuth (pronounced “oh-auth”) as an open-standard framework to let internet-based services exchange limited information over HTTP/HTTPS on a user’s behalf. OAuth lets a user delegate to one service limited access authorization to another service. Using OAuth eliminates the need for deep integrations between the two services, limits access, and protects users’ credentials.

The OAuth standard defines four roles in a typical exchange:

  • Resource owner: Often an end-user, the owner is able to grant access to a protected resource.
  • Resource server: The application or service that holds the protected resource.
  • Client: An application or service that the owner wants the protected resource to go to.
  • Authorization server: The service authorizing the resource exchange.

In a simple OAuth exchange,

  1. The client asks the owner for permission to get the resource.
  2. The owner’s approval creates an authorization grant.
  3. The client sends this authorization grant to the authorization server.
  4. The authorization server issues an access token to the client.
  5. The client presents the access token to the resource server.
  6. The resource server gives the client the resource.

Typically, the access tokens give the client a limited-duration subset of the resource owner’s access to the resource server. Note that OAuth is only an authorization framework. Typically, the authorization server will also verify the owner’s identity but that process happens outside the OAuth framework’s structure.

Web SSO is the most common use of OAuth. Cloud-based platforms use OAuth to let third-party apps access APIs and private user content. For example, OAuth lets you give a list management app access to your Twitter account.

Enterprises use OAuth to control partner access to their API platforms. If you integrate Salesforce’s customer relationship management functions or Square’s point-of-sale systems into your organization’s processes, you can use OAuth to manage user access.

What are the differences between SAML & OAuth?

In many respects, the SAML vs OAuth question is one of apples and oranges. Both technologies support SSO. However, SAML and OAuth come at it from different directions. SAML’s purpose is to federate identity and reduce the friction associated with authentication. OAuth, on the other hand, lets an already-authenticated user delegate authorization. Each technology can be part of an overall authentication and authorization process, either with each other or with complementary technologies.

Azure Active Directory, for example, uses both technologies. Rather than requiring unique logins for each application, an organization can use the SAML-based Microsoft identity platform to centralize authentication. Similarly, the Microsoft identity platform can use OAuth to distribute authorization tokens.

How should your company be using SAML or OAuth?

SAML and OAuth are not mutually exclusive. Whether you use one or the other or both will depend on what you need from a Single Sign-On system.

When user identity does not matter

OAuth is a good choice for B2C or B2B projects serving a general population of users where user identity is not important. You can implement OAuth-based SSO by integrating various sign-in services from companies like Google or Twitter. This frees you from having to store, maintain, and secure users’ passwords. In addition, your users get a frictionless experience while having to manage fewer passwords.

Within an enterprise, applications and services often do not need identity information. The central identity management system does the verification work. OAuth’s access token is all the application needs to grant the user appropriate access.

Light integrations with web services

OAuth lets you add APIs from third-party web services to enhance the features of your app. Rather than develop your own cloud storage system for a consumer app, for example, OAuth lets your users store and access files in their Google Drive accounts.

Organizations can use the same model for their internally-developed, API-driven applications and services. OAuth will let an app developed in one department use APIs developed in another.

Control user access

Modern enterprises rely on resources outside their direct control, for example by letting developers use the enterprise GitHub account. SAML lets these services authenticate user access requests through the company’s IdP. This gives administrators more control and visibility over their users’ access to third-party resources.

Twingate’s Approach to Zero Trust Security

Simple, fast, and reliable processes for authenticating and authorizing user access are essential elements of Zero Trust security. In today’s threat landscape, the only way to protect networked resources is to challenge every access attempt. Rigid, difficult-to-use processes add friction and overhead that undermine your security.

Twingate’s modern approach to security implements Zero Trust Network Access by wrapping each protected resource within a Software-Defined Perimeter (SDP). Whether on-premises or in the cloud, the Twingate SDP hides your resources and will not grant access without authentication and authorization. We integrate with top IdPs including Okta, Azure ID, Google Workspace, and OneLogin so you do not need to replace your existing security stack. We also enable multi-factor authentication (MFA) to be applied to resources of all types, including legacy applications that don’t natively support SSO or MFA.

Twingate makes it easier to apply granular, role-based access control policies to reduce the attack surface and mitigate successful breaches. Our single, centralized administrative console lets you provision and deprovision access quickly to eliminate privilege creep and zombie accounts. Our detailed, device- and identity-indexed activity logs give you a complete picture of resource usage and allow you to quickly identify unusual behavior.

Simplify Zero Trust with Twingate and Single Sign-On

Giving your users a frictionless sign-on experience across on-premises, cloud-hosted, and third-party assets helps ensure security compliance. Users only need one password to access the resources they need to do their jobs. Okta, Azure, and other identity providers offer SAML authentication, OAuth authorization, and similar technologies so security administrators can control resource access within a single system.

Twingate’s Zero Trust Network Access solution integrates your existing security stack to protect sensitive resources with Software-Defined Perimeters.

  • Make it easier for users to access resources wherever they are.
  • Limit user access to just the resources they need for their work.
  • Improve your security posture and minimize the impact of successful breaches.

Contact Twingate today to learn how your authentication and authorization system can be part of our larger Zero Trust platform.