Posted on August 9, 2011 by Marc Boorshtein
SAML, OAuth and Browser ID, Oh My! (Part 1)
Recently the Mozilla Foundation released a new federation system called BrowserID that's designed to simplify authentication to websites. What is BrowserID? How do you choose between BrowserID, SAML, WS-Federation, OpenID and OAuth, certificate authentication, CardSpace, etc.? In a three-part series of blog posts, I'm going to break down the different technologies and provide some questions you should answer when considering a Single Sign On (SSO) solution. In this post I'm going to break federation down into its basic pieces.
Before we get into the weeds, some basic terminology around authentication:
1. Identity – Describes who you are.
2. Credential – Something that proves who you are.
3. Identity Provider – A trusted system that collects your credentials and provides your validated identity to a service.
4. Service Provider – Some kind of service provided to the user that requires knowledge of the user's identity.
5. Trust – How does a service provider establish the integrity of an identity provider?
Now that we've covered this basic terminology, how does it apply? Every federation protocol uses these concepts; it might just name them differently. Each also takes a slightly different slant on how it implements these ideas. The table below gives a basic breakdown of how the various protocols implement them:
| Protocol | Identity | Credential | Identity Provider | Service Provider | Trust |
|---|---|---|---|---|---|
| SAML2 | | | SAML2 Identity Provider | SAML2 Service Provider | Established by digitally signing assertions of identity with pre-shared keys or pre-trusted certificate authorities |
| OAuth | JSON "Token" | Multiple but current standards for specifying | OAuth endpoint | OAuth endpoint | OAuth-verified identity providers using pre-shared "tokens" that are hard to guess, but not cryptographically verified |
| SSL Certificate Authentication | Digitally signed certificate | Digitally signed certificate | Certificate authority | Web server running SSL | Established through the trust of certificate authorities |
| BrowserID | Email address | Certificate | BrowserID provider | Any web application | Trust is established when a user is granted a certificate for authentication from their email provider |
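To make the Trust column concrete, here is an added example (written for this post, not code from the original article, from Mozilla, or from any SAML or OAuth implementation) that puts the two trust models side by side. The signed-assertion half uses an HMAC over JSON claims as a stand-in for the XML signature a SAML identity provider would produce; the bearer-token half models an endpoint that hands out a hard-to-guess random token and later trusts whoever presents it. The key, the issuer and audience names, and the user names are all constructed.

```python
"""Added example: signed identity assertions vs. pre-shared bearer tokens.

Illustrative only: not SAML's XML-DSig format and not a real OAuth flow.
It shows the property the Trust column describes: a digitally signed
assertion lets the service provider check the identity claims itself,
while a bearer token only proves that whoever presents it knows the token.
All key values and names below are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Key pre-shared between identity provider and service provider (constructed).
IDP_SP_SHARED_KEY = b"constructed-demo-key-replace-in-practice"
SP_AUDIENCE = "sp.example"  # constructed service provider name


def _canonical(claims: Dict[str, str]) -> bytes:
    """Serialize claims deterministically so signer and verifier hash the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(subject: str, key: bytes = IDP_SP_SHARED_KEY) -> Dict:
    """Identity provider: assert who the user is and sign the claims.
    HMAC-SHA256 stands in for the signature a SAML IdP would attach."""
    claims = {"subject": subject, "issuer": "idp.example", "audience": SP_AUDIENCE}
    signature = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": signature}


def sp_verify_assertion(assertion: Dict, key: bytes = IDP_SP_SHARED_KEY) -> Optional[str]:
    """Service provider: recompute the MAC and check the audience.
    Returns the asserted subject, or None if the assertion is not trustworthy."""
    expected = hmac.new(key, _canonical(assertion["claims"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return None  # claims were altered, or signed with a key we never shared
    if assertion["claims"].get("audience") != SP_AUDIENCE:
        return None  # assertion was minted for some other service provider
    return assertion["claims"]["subject"]


class BearerTokenEndpoint:
    """Bearer-token model: the endpoint hands out a hard-to-guess random token
    and later trusts anyone who presents it. No signed claim travels with the
    token, so the receiving side has nothing to verify cryptographically."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: hard to guess
        self._tokens[token] = subject
        return token

    def redeem(self, presented: str) -> Optional[str]:
        """Whoever holds a valid token is treated as its subject."""
        for token, subject in self._tokens.items():
            if hmac.compare_digest(token, presented):
                return subject
        return None


def demo() -> Dict[str, Optional[str]]:
    """Run both models once and return what the service provider concluded."""
    results: Dict[str, Optional[str]] = {}

    good = idp_issue_assertion("alice")
    results["signed_ok"] = sp_verify_assertion(good)

    # Subject rewritten in transit: the signature no longer matches the claims.
    forged = {"claims": dict(good["claims"], subject="admin"), "signature": good["signature"]}
    results["signed_tampered"] = sp_verify_assertion(forged)

    # An issuer we never exchanged keys with cannot produce an accepted assertion.
    results["signed_unknown_issuer"] = sp_verify_assertion(idp_issue_assertion("alice", b"other-key"))

    endpoint = BearerTokenEndpoint()
    token = endpoint.issue("bob")
    results["bearer_ok"] = endpoint.redeem(token)
    results["bearer_guess"] = endpoint.redeem("not-the-token")
    # A copy of the token is as good as the original: the token carries no
    # claim the endpoint could check, only the fact that the holder has it.
    results["bearer_replayed_copy"] = endpoint.redeem(str(token))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} -> {outcome!r}")
```

The contrast the table draws shows up in the results: the service provider detects a tampered or foreign-issued assertion on its own, because trust was pre-established through the shared key, whereas the bearer endpoint can only answer "is this a token I issued?", which is why the table notes that OAuth tokens are hard to guess but not cryptographically verified.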
Each of these methods has its place and uses. SAML is often used for enterprise applications, whereas OAuth is often used for social networking applications. SSL certificate authentication is used by the federal government, and BrowserID is brand new, so it's not in use at all yet (except for Mozilla's test site). In my next blog post, I'll talk about some of the questions you should ask about your application when considering which federation protocol to use.