SAML vs. OAuth: Understanding the Differences
In our tech-centric world, passwords are a fact of life. They’re also the favorite target of external threat actors. According to Verizon’s 2024 Data Breach Investigation Report, credential attacks represent 71% of web application security incidents.
Using strong identity and access management (IAM) protocols like SAML or OAuth allows you to give your employees secure access to company resources. More importantly, it minimizes your security risks from poor password management.
What Is SAML?
Definition and overview of Security Assertion Markup Language (SAML)
Briefly, SAML (Security Assertion Markup Language) is an XML-based open standard protocol that allows users to access multiple applications with one login. SAML and OAuth 2.0 are both identity and access management (IAM) protocols, and both are critical in securing remote workplaces.
With SAML 2.0, authentication data is shared between an identity provider (IdP) and service provider (SP). This enables single sign-on (SSO), so your employees can access multiple applications with just one set of credentials.
SAML-enabled SSO is a component of Federated Identity Management (FIM), which offers access to multiple applications across different organizations.
SAML protocols and components
Four (4) main SAML components facilitate the user authentication process. These are protocols, bindings, profiles, and assertions.
Protocols:
- Authentication Request Protocol: Defines how the SP requests authentication from the IdP.
- Assertion Consumer Service Protocol: Defines how the SP parses the assertion or response from the IdP.
- Single Sign-On Protocol (SSO): Enables one login to access multiple applications.
- Single Logout Protocol: Allows users to log out from multiple service providers simultaneously.
- Name Identifier Mapping Protocol: Allows one SP to ask the IdP for a user's identifier that the SP can then use at another SP.
Assertions: XML-based statements containing authentication, authorization, or attribute data the IdP sends the SP about a user’s identity.
Bindings: Determine how messages are transported and formatted between an IdP and an SP. The most common bindings are the HTTP POST binding, the SAML SOAP binding, and the HTTP Redirect binding. In the HTTP POST binding, for example, a SAML protocol message is base64-encoded and submitted in a hidden field of an HTML form.
Profiles: A set of rules that determine how bindings, assertions, and protocols are combined to meet specific uses. For example, the Web Browser SSO profile defines how SSO is enabled in standard web browsers using the Authentication Request Protocol combined with the HTTP Redirect, HTTP POST, and HTTP Artifact bindings.
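To make the binding difference concrete, here is an added example (not code from the original article or from any product) that encodes a constructed AuthnRequest for the HTTP Redirect binding (DEFLATE, base64, URL-encode) and the HTTP POST binding (base64 in a hidden form field), and decodes each as the IdP would. The sp.example.com and idp.example.com URLs and the request ID are assumptions.

```python
import base64
import html
import urllib.parse
import zlib

# Constructed sample AuthnRequest (not a real deployment's message); the SP sends it to the
# IdP's SSO endpoint using one of the Web Browser SSO profile's bindings.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req42" Version="2.0" IssueInstant="2024-06-01T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect(xml, relay_state=""):
    """HTTP Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string.
    A signature, if used, travels as separate SigAlg/Signature query parameters, not in the XML."""
    comp = zlib.compressobj(wbits=-15)  # negative wbits: raw DEFLATE, no zlib header or trailer
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query):
    """What the IdP does with the query string: URL-decode, base64-decode, then inflate."""
    params = urllib.parse.parse_qs(query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), wbits=-15).decode()


def encode_post(xml):
    """HTTP POST binding: plain base64 (no DEFLATE) placed in a hidden SAMLRequest form field;
    an XML signature, if present, stays embedded in the message."""
    return base64.b64encode(xml.encode()).decode()


def post_form(xml, destination, relay_state=""):
    """The auto-submitting HTML form the browser posts to the IdP for the HTTP POST binding."""
    fields = {"SAMLRequest": encode_post(xml), "RelayState": relay_state}
    inputs = "".join(f'<input type="hidden" name="{n}" value="{html.escape(v)}"/>'
                     for n, v in fields.items() if v)
    return f'<form method="post" action="{html.escape(destination)}">{inputs}</form>'


def decode_post(field_value):
    return base64.b64decode(field_value).decode()
```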
Benefits and use cases of SAML
What is SAML used for?
- Improved security posture: SAML uses digital signatures to secure the integrity of messages, reducing the risk of unauthorized modifications.
- Centralized Identity Management: SAML simplifies identity verification and promotes zero trust security. “Zero trust” means no internal or external entities are automatically trusted. Thus, each person must be authenticated and authorized to access protected resources.
- Interoperability: SAML enables seamless integration between diverse platforms and devices, promoting interoperability across your business ecosystem.
- Single Sign-On (SSO): Your employees can log in once to access multiple applications. With fewer password reset requests and faster logins, they can perform their work duties faster and more efficiently. This results in improved workplace productivity and team morale.
- Federated Identity: SAML facilitates trust relationships between organizations, allowing users from one organization to access resources in another.
How Does SAML work?
SAML request and response flows
SAML operates through a well-defined request and response flow. Two of the most common are service provider-initiated flow and identity provider-initiated flow.
In the first, the user begins the login process at the SP; in the second, the user begins it at the IdP. LastPass supports both IdP- and SP-initiated flows.
SP flows are best for users who already know which applications they want to access. Meanwhile, IdP flows are more convenient for users who want to explore what applications they can access.
SAML assertions and assertion attributes
- SAML assertions: A statement issued by the IdP containing information about the user. There are three (3) types of assertions: authorization, attribute, and authentication. An “authentication” assertion states that the user is who they claim to be. An “authorization” assertion states that the user is cleared to access a resource. Finally, an “attribute” assertion carries information about the user to the service provider.
- SAML attributes: Specific data items included within a SAML assertion, such as the user's name, email, job title, and login times.
SAML single sign-on (SSO) process
In an SP-initiated sign-in, the following process occurs:
- Authentication request: The user initiates authentication by attempting to log in to a service provider (SP). Salesforce, Microsoft 365, and AWS are popular service providers.
- Redirect to Identity Provider (IdP): The SP redirects the user to the IdP.
- Generation of SAML assertion or response: The IdP authenticates the user and sends an assertion or response back to the SP about the user’s authentication status. Microsoft Entra ID (formerly Azure Active Directory) and LastPass are SAML IdPs.
- Validation by Service Provider: The SP verifies the SAML assertion's authenticity and grants access to the user based on the data provided.
An IdP-initiated sign-in involves the following steps:
- User authentication: The user logs in to an identity provider (IdP).
- Presentation of authorized applications: The IdP sends a list of applications the user has authorization to access.
- Generation of SAML assertion: After the user selects the desired application, the IdP generates a SAML assertion with the user’s attributes and access permissions.
- Delivery of SAML assertion: The IdP sends the SAML assertion to the SP.
- Validation by Service Provider: The SP validates the SAML assertion and grants access to the user based on the provided information.
What Is OAuth?
Definition and overview of OAuth
OAuth (Open Authorization) is an open standard protocol. It allows users to grant third-party applications access to their data without handing over their login credentials. For example, LinkedIn uses OAuth to authenticate users who want to sign in to another platform without giving that platform their email and password.
In a nutshell, OAuth simplifies identity and access management (IAM) across diverse platforms.
OAuth 2.0 framework and its components
OAuth 2.0 is the latest version of the OAuth framework and consists of several key components:
- Resource owner: The user who owns the protected resources and grants access to them.
- Client: The application making API requests for access to the user's resources.
- Authorization server: The server issuing access tokens to client applications that want to access a resource owner’s protected resources.
- Resource server: Generally, an API provider that hosts protected resources (such as videos, images, and contacts). This server verifies access tokens to grant or deny access.
- Access token: A credential representing the user's authorization to access specific resources. It’s issued by the authorization server and sent to the resource server.
Benefits and use cases of OAuth
What is OAuth used for?
- Enhanced security: OAuth eliminates the need for users to share their passwords with third-party applications, reducing the risk of credential theft and unauthorized access.
- Granular access control: Users can grant granular permissions to third-party applications, specifying which resources they can access and for how long.
- Scalability: OAuth enables secure access to resources across diverse platforms, promoting scalability (varied levels of access) and flexibility.
- User convenience: Users can easily access multiple applications without juggling multiple sets of credentials.
- API authorization: OAuth is widely used for securing APIs, allowing developers to control access to their APIs and enforce security policies more effectively.
Best of all, there are many plug-and-play OAuth options, such as industry password managers that provide SAML-enabled SSO.
How Does OAuth Work?
OAuth authorization flow
1. Authorization request: The client application requests authorization from the resource owner to access protected resources.
2. User authentication: The resource owner (the user) authenticates to the authorization server.
3. Authorization grant: Upon authentication, the authorization server issues a code or grant to the client application.
4. Access token request: The client application exchanges the authorization code or grant for an access token.
5. Access token usage: The client application presents the access token to the resource server, which responds with the requested data or resources.
OAuth access tokens and refresh tokens
- Access tokens: Credentials representing the client application’s authorization to access specific resources. These tokens expire. Often, OAuth access tokens are issued as JWTs (JSON Web Tokens) for added security: a JWT is digitally signed, so its contents can’t be altered without invalidating the signature.
- Refresh tokens: Refresh tokens are used by the client application to obtain new access tokens. They provide a way to maintain access to resources after access tokens expire.
OAuth scopes and permissions
- Scopes: Define which resources the access token authorizes the client application to access.
- Permissions: This specifies the actions the client application is allowed to perform on behalf of the resource owner. OAuth 2.0 enables granular control, allowing client applications to request only the scopes needed. Here, scopes act as permissions to perform an action, such as accessing a user’s emails.
A Comparison of OAuth vs SAML
Differences in functionality and use cases
What is the difference between SAML and OAuth? Both offer SSO capabilities. However, SAML focuses on managing users, while OAuth manages access to applications.
If you find the OAuth vs. SAML debate confusing and are wondering which to choose, consider this:
- Functionality: Choose SAML if you need SSO to function as part of a robust identity and access management framework. If UX is key to your business, you’ll want to choose OAuth. For example, suppose you manage an e-commerce business and want high CLV (customer lifetime value) customers to be able to access premier content by logging in through third-party sites like Twitter, LinkedIn, or Facebook. Either way, it doesn’t have to be a zero-sum choice. Both SAML and OAuth can be used to meet your business and security goals.
- Special use cases: SAML enables federated identity management in enterprise, government, and healthcare environments, sectors where data privacy is critical. If you’re using Microsoft ADFS or Entra ID, LastPass has federated login integrations with both.
Security considerations for OAuth vs SAML
OAuth security considerations:
- Access token security: OAuth access tokens should be securely transmitted to prevent unauthorized access to protected resources.
- Scope and permission management: Proper management of OAuth scopes and permissions ensures that client applications perform only authorized actions.
- Token expiration and refresh: Mechanisms that allow the revocation of access and refresh tokens can help mitigate the risk of unauthorized token usage.
SAML security considerations:
- Assertion &amp; password security: Digitally sign SAML assertions, and hash stored passwords with PBKDF2/SHA-256, to mitigate brute-force attacks and the theft of SAML assertions by a man-in-the-middle attacker.
- Single logout handling: Proper handling of single logout requests is essential to prevent session hijacking.
Choosing between OAuth and SAML based on requirements
Requirement criteria:
- OAuth: Choose OAuth for scenarios where API access authorization is a primary requirement, such as web and mobile applications.
- SAML: Opt for SAML in enterprise environments requiring federated identity and seamless SSO from an IdP.
When to Use SAML vs OAuth
Factors to consider when selecting SAML vs OAuth
- Use case compatibility: Choose the protocol that aligns best with the application's specific use cases.
- Security and compliance: Consider the compliance requirements of your business to ensure the selected protocol meets the necessary standards.
- Integration complexity: Assess the ease of integration with existing frameworks to minimize implementation challenges.
Use cases for SAML in enterprise environments
- Single sign-on (SSO): SAML provides seamless SSO across diverse enterprise applications.
- Centralized Identity Management: SAML facilitates identity and access management (IAM), ensuring data confidentiality, integrity, and availability (CIA).
- Federated Identity: IdPs like AWS and LastPass support identity federation with strong security agreements across multiple platforms.
Use cases for OAuth in web and mobile applications
- Protecting APIs from data exfiltration: OAuth 2.0 supports X.509 certificate-based mutual TLS (Transport Layer Security), binding access tokens to the client’s mutual-TLS certificate so that a token presented without the matching certificate is rejected.
- Delegated authorization: OAuth allows users to grant third-party applications limited access to their resources without sharing login credentials.
- Granular access control: OAuth allows developers to specify explicit permissions and scopes for accessing resources, promoting security and compliance.
In short, protocols like SAML or OAuth allow you to give your employees (and your employees alone) secure access to company resources. Combined with a password management tool, they can help you better protect your business’s data, reduce IT management burden, and safeguard a distributed workforce. Start your LastPass trial here.