Mythics Blog

What to Consider When Integrating Authentication? (Part 1)

Posted on August 9, 2011 by Marc Boorshtein

Tags: Identity Management, Authentication, Single Sign On

SAML, OAuth and Browser ID, Oh My! (Part 1)

Recently the Mozilla foundation released a new federation system called BrowserID that's designed to simplify authentication to websites.  What is BrowserID?  How do you choose between BrowserID, SAML, WS-Federation, OpenID and OAuth, Certificate Authentication, Card Space, etc?  In a 3 part series of blog posts, I'm going to break down the different technologies and provide some questions you should answer when considering a Single Sign On (SSO) solution.  In this post I'm going to break down federation into its basic pieces

Before we get into the weeds, some basic terminology around authentication:

1. Identity – Describes who you are.
2. Credential – Something that proves who you are.
3. Identity Provider – A trusted system that collects your credentials and provides your validated identity to a service.
4. Service Provider – Some kind of service provided to the user that requires knowledge of the user's identity.
5. Trust – How does a service provider establish the integrity of an identity provider?

Now that we've gone into this basic terminology, how does it apply?  Every federation protocol uses these terms; they might just name them something different.  They also take slightly different slants on how they implement these ideas.  The below table has a basic break down of how the various protocols implement these ideas:

Protocol Identity Credential Identity Provider Service Provider Trust
SAML2 XML "Assertion" Multiple

SAML2 Identity Provider

SAML2 Service Provider

Established by digitally signing assertions of identity with pre-shared keys or pre-trusted certificate authorities
OAuth JSON "Token" Multiple but current standards for specifying OAuth endpoint OAuth endpoint OAuth verified identity providers using pre-shared "tokens" that are hard to guess, but not cryptographically verified
SSL Certificate Authentication Digitally signed certificate Digitally signed certificate Certificate authority Web server running SSL Established through the trust of certificate authorities
BrowserID Email address Certificate BrowserID provider Any web application Trust is established when a user is granted a certificate for authentication from their email provider


Each of these methods has their place and uses.  SAML is often used for enterprise applications, where as OAuth is often used for social networking applications.  SSL certificate authentication is used by the federal government and BrowserID is brand new, so it’s not in use at all (except for Mozilla's test site).  In my next blog post, I'll talk about some of the questions you should ask about your application when considering which federation protocol to use.


  • ! No comments yet

Leave a Comment