Differences between SAML/OpenSAML/Shibboleth and OAuth/OpenId - oauth

1) I don't concretely understand the fundamental differences between SAML and OAuth. OAuth is for authorization, but OpenID is for authentication too, and SAML is for both authorization and authentication? And why would one use a combination of both technologies?
2) Inside SAML technology, what is the difference between Shibboleth and OpenSAML?
I know OpenSAML has been developed by Shibboleth and is used for the Shibboleth solution, but why not use it directly without Shibboleth? What does Shibboleth bring?
Thank you,

They are two different protocols and you would never use them together.
SAML is older - not good for mobile - mainly for enterprise - XML tokens.
OpenId Connect is newer - good for mobile - JWT tokens.
OpenID Connect is a standard for how to use OAuth for authentication. OAuth is for authorisation.
SAML is a protocol definition - you can't use it as such - it's a document.
OpenSAML is an implementation of the SAML protocol.
Shibboleth is an identity provider that uses OpenSAML to deliver the SAML functionality.

Related

Oauth 2.0 vs Auth0 vs WSO2

What is the difference between OAuth 2.0, Auth0 and WSO2? I saw some related posts that explain, more or less well, the differences between OAuth 2.0 and Auth0, but WSO2 is not included in the explanation.
OAuth 2.0 is a widely used specification for authorization aspects of resources: https://oauth.net/2/
Auth0 and WSO2 Identity Server are two identity providers (IAM solutions). Both support OAuth 2.0.
Auth0: https://auth0.com/docs/protocols/protocol-oauth2
WSO2 IS: https://is.docs.wso2.com/en/latest/learn/working-with-oauth/

How to make openid call from saml request

I am implementing SSO in my application, and from app-1 I need to make a REST call to app-2. I log in to app-1 with SAML and am authenticated successfully, then try the REST call from app-1 with OpenID, but since authentication uses SAML only, I am not able to get the access/bearer token. Please help with how to get the access/bearer token from the SAML request/response. I'm using Keycloak Server for the SSO implementation.
You can't.
REST APIs need a JWT token, not a SAML one.
Change SAML to OpenID Connect and it will work.
(1) OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
(2) Presently there is no IETF draft document regarding SAML 2.0 Profile for OpenID Connect client.
We can refer to the IETF draft document SAML 2.0 Profile for OAuth 2.0 client.
The OAuth 2.0 Access Token using SAML Assertion filter enables an OAuth client to request an access token using a SAML assertion. This supports the OAuth 2.0 SAML flow, which is used when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML assertion, without a direct user approval step at the authorization server. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.
(3) Both Auth0 and open-source WSO2 Identity Server implement the SAML profile for OpenID Connect/OAuth to convert SAML token to OpenID Connect/OAuth token, as demonstrated by Auth0 SAML Configuration and WSO2 Adding and Configuring an Identity Provider. In other words, Auth0 and WSO2 Identity Server can relay SAML authentication provided by SAML IdP to either OpenID Connect client or OAuth 2.0 client.
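To make the SAML-to-OAuth exchange described in (2) concrete, here is an added example (not from the answer, Keycloak, or any product) of the RFC 7522 SAML 2.0 bearer assertion grant: the client side builds the token request, and the authorization-server side performs the audience and validity checks that gate issuing a JWT access token. The assertion, issuer and token endpoint URL are constructed sample values, and the sample assertion is unsigned for brevity; a real server must verify the IdP's signature first.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant_type
TOKEN_ENDPOINT = "https://as.example.com/token"  # assumed authorization server URL

# Constructed, UNSIGNED sample assertion. A real IdP signs it, and the server
# must verify that signature before trusting any field read below.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_demo1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
    '<saml:Conditions NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction>'
    "<saml:Audience>" + TOKEN_ENDPOINT + "</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
)

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_token_request(assertion_xml: str, scope: str = "") -> str:
    """Client (app-1) side: form body POSTed to the token endpoint.
    RFC 7522 s2.1: assertion is base64url, unwrapped, without '=' padding."""
    assertion = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    params = {"grant_type": SAML2_BEARER, "assertion": assertion}
    if scope:
        params["scope"] = scope
    return urllib.parse.urlencode(params)

def check_assertion_grant(form_body: str, now_iso: str) -> dict:
    """Authorization-server side: RFC 7522 s3 audience and validity checks that
    gate the exchange of the assertion for a JWT access token."""
    params = dict(urllib.parse.parse_qsl(form_body))
    if params.get("grant_type") != SAML2_BEARER:
        return {"ok": False, "error": "unsupported_grant_type"}
    enc = params.get("assertion", "")
    root = ET.fromstring(base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)))
    # The assertion must name this token endpoint as an audience ...
    if TOKEN_ENDPOINT not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        return {"ok": False, "error": "invalid_grant", "reason": "audience"}
    # ... and must still be inside its validity window.
    expiry = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    if _ts(now_iso) >= _ts(expiry):
        return {"ok": False, "error": "invalid_grant", "reason": "expired"}
    return {"ok": True,
            "subject": root.find("saml:Subject/saml:NameID", NS).text,
            "issuer": root.find("saml:Issuer", NS).text}
```

On success the server would mint a JWT for `subject`, which is the bearer token app-1 then sends to app-2's REST API.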

OAuth 2.0 vs Auth0

What is the difference between OAuth 2.0 and Auth0? Which one should I use to develop the authentication system?
OAuth 2.0 is a standardized authorization protocol, Auth0 is a company that sells an identity management platform with authentication and authorization services that implements the OAuth2 protocol (among others).
OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials.
Auth0 is an organisation that manages a Universal Identity Platform for web, mobile and IoT, which can handle any of them: B2C, B2B, B2E, or a combination.
Source
In case you cannot understand any of the above:
OAuth 2.0 is a standard or protocol to implement authorization for any kind of software (Windows, mobile or web).
Auth0 is a software product (cloud and on-prem) that implements the OAuth2 protocol. You can use Auth0 to simplify your authentication and authorization requirements.
We mainly use OAuth 2.0 for session-based security management at the server side. OAuth 2.0 is an authorisation framework that enables a third-party application to obtain limited access to resources the end-user owns. It is about resource access and sharing. https://auth0.com, on the other hand, is a company that sells an identity management platform for authentication-related tasks. So with the help of auth0.com services an app developer doesn't need to write code for login/registration/social login and doesn't need to think about its security. The complete user management task is managed by the Auth0 organisation.
What Identity Provider are you aiming to use?
Auth0, identityserver, ADFS 4.0 etc. all support the OAuth stack.
Using implicit OAuth flow you can connect your Angular application to any of these.

authorize web-based API requests

I have the following methods: OAuth, SAML, OpenID Connect, XACML, Shibboleth.
Do they work to authorize a client to a web API? In practice, which one is the best?
Do they all support JSON?
These are different standards with different purposes.
OAuth is about delegation of authorization e.g. I grant Twitter the right to post on my Facebook account. Look into UMA (user-managed access) in addition to OAuth.
OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. It brings together OAuth and OpenID.
XACML is an access control / authorization standard based on attributes and policies. It is about defining access control policies that govern access to resources.
Shibboleth is / was a federation protocol based on SAML.
SAML is the de facto standard for identity federation across multiple enterprises.
OAuth, OpenID Connect, SAML, and Shibboleth focus on user identities, authentication, and federation.
XACML is exclusively about access control / authorization and can be used in conjunction with any of the other standards.
Whether any of these standards support JSON is a vague question. What for? SAML, AFAIK, is typically XML-encoded but the standard itself is not about its encoding. XACML usually uses XML for its policies but the access control flow can be expressed as JSON. In OpenID it is possible to use JWT, the JSON Web Token.
JSON Web Token (JWT) is a means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS) and/or encrypted using JSON Web Encryption (JWE)
There are 2 websites you can look into to learn more:
Ping Identity provide lots of great information on SAML, OAuth, JWT, and more.
Axiomatics provide lots of great information on XACML.

Integrating Spring Security SAML module with CAS

Is it possible to use Spring Security SAML module for enabling SAML 2.0 Service Provider functionality with CAS? Native SAML support in CAS does not support this. We have a web application which already uses CAS for authentication and now there is a requirement to enable SAML SP and IdP Initiated federated SSO into this application. CASShib makes this possible but we would have to use Shibboleth in addition to CAS and there are also some issues with CASShib.
If you want to use Shibboleth as your SAML IdP, you can use CAS for authenticating users using this method: https://github.com/Unicon/shib-cas-authn2