SAML VS OAUTH
Lazarus Mason
IS431
Abstract
While researching for this assignment, I came across a lot of good points about each access control measure, along with some bad points. Each measure was implemented with the best intentions for the user. The fact that SAML simplifies logon procedures was a big factor. Security Assertion Markup Language is an XML-based open standard for exchanging authentication and authorization data between security domains. Open Authorization allows you to use a common username and password to access different sites. These sites are linked together in one form or another to share information. It is important to note that not all information on the sites is shared, but some things, such as your address book, what you read or watch, or other bits of usable information, can transfer.
Security Assertion Markup Language assumes that the user is enrolled with an identity provider. This identity provider is expected to provide local authentication services to the principal. However, SAML does not specify the implementation of these local services; indeed, SAML does not care how local authentication services are implemented. With this, a service provider relies on an identity provider to identify a principal. At the principal's request, the identity provider passes a SAML assertion to the service provider. On the basis of this assertion, the service provider makes an access control decision. SAML ensures that the resource in the assertion matches the one configured in the filter, checks the client's access permissions for the resource, and ensures that the assertion has not expired. The main problem with Security Assertion Markup Language is in trying to solve web-based single sign-on. This is where Open Authorization somewhat excelled where SAML did not.
OAUTH uses single sign-on to help a user connect to different sites through one common username and password. For instance, with everything seeming to revolve around Facebook nowadays, websites such as Pinterest and Yahoo will use your Facebook login and password to grant access to their sites. This can be good and this can be bad. For instance, it gives third-party websites access to your Facebook account to technically do what they want with it. They could theoretically go into your Facebook account and change your password, locking you out of it. That is a downside to OAUTH. It grants the website certain permissions, such as posting something on Facebook on your behalf. What I mean by this is that if you have your Yahoo account linked to Facebook and you read an article, Yahoo will post something on Facebook saying you recently read a certain article. Granted, Yahoo gives you the option of whether or not to show friends on Facebook what you read, but websites such as SocialCam do not give you that option. If you watch a video on SocialCam, it will show on Facebook what you watched. The reasoning behind these actions is that friends will drive friends to read potential stories, and that this drives people to the websites to gain more viewers. So they essentially use your Facebook account to further their website.
Websites can also use recent trends from your Facebook page to try to entice you with advertisements. The advertisements may proclaim that a friend of yours on Facebook uses a certain product, or is interested in certain things that you may be interested in. Now, which one do I prefer? Personally, they both have their downsides, but for ease of access I actually prefer OAUTH. It has its flaws, but so does any software or ease-of-access program. Depending on how it is used, I would prefer to use it only to access certain websites where I don't keep valuable information, such as Yahoo, Google, or somewhere that is news related. I don't mind letting people see what I read about; it is usually just news anyway. I wouldn't want to use a single sign-on for something like bank access or anything like that, because it just opens up a larger chance of getting hacked and having your identity stolen.
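The three service-provider checks described in the SAML discussion above (the resource in the assertion matches the one configured in the filter, the client has permission for the resource, and the assertion has not expired), worked through as an added example that is not part of this essay or of any SAML library. The assertion XML, the filter configuration, the role names and the URLs are all constructed for illustration, and signature verification is assumed to have already passed before any of these fields are trusted.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, subject, audience and times are made up.
# Signature verification is assumed to have passed before these fields are trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/app</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical service-provider filter: the audience it expects and which roles may reach each resource.
FILTER_CONFIG = {
    "audience": "https://sp.example.test/app",
    "permissions": {"/app/reports": {"reader", "admin"}, "/app/admin": {"admin"}},
}

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authorize(assertion_xml, resource, now, config=FILTER_CONFIG):
    """Return (allowed, reason); every check must pass, and the first failure is reported."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    # 1. Expiry: NotBefore <= now < NotOnOrAfter (NotOnOrAfter is exclusive in SAML 2.0).
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window"
    # 2. The audience in the assertion must match the resource configured in the filter.
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if config["audience"] not in audiences:
        return False, "audience does not match filter"
    # 3. The subject's roles must grant access to the requested resource.
    roles = {v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)}
    if not roles & config["permissions"].get(resource, set()):
        return False, "subject lacks permission for resource"
    return True, "ok"
```

A request at 00:02 for /app/reports is allowed, while the same assertion is refused for /app/admin, at exactly 00:05 (NotOnOrAfter is exclusive), or when the filter expects a different audience.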