OAuth Vs SAML for Modern Web and Native apps - oauth

I am at a point in a project where I might be needed to bring to table concerns/reasons why OAuth (or even OpenID Connect) should be taken up as the way to go for any future Web and Native Apps over using SAML.
The documentation I have gone through makes the case for the simplicity of OAuth (to which I can attest) but doesn't say it cannot be done in SAML. I've worked with OAuth and I can attest to it's simlpicity but not with SAML that much, but still know that it can be done using SAML, but I think it's way more complicated in that case.
Can anyone point me to an authoritative source that can make that claim and produce any numbers/documentation in favor of OAuth ?

SAML and WS-Fed are enterprise protocols. They have complicated cryptography standards. In the most used profiles, they require browser functionality since the protocol is driven via browser redirects. The token used is a SAML token, XML based and can be large.
If you want to federate with SaaS applications e.g. Salesforce, Workday they only support SAML.
SAML and WS-Fed support SOAP and WCF, no web API.
OAuth is a light-weight protocol suitable for native devices (headless, desktop, WPF), mobile applications etc. There is no browser functionality here so SAML etc. cannot be used. Also these devices are not suitable for complex cryptography
OAuth has a range of profiles e.g. authorization code grant (where OpenID Connect comes into play) and client confidential (that depends on mutual knowledge of a secret key).
It supports web API only.
The token used is JWT - far less bandwidth.
The choice is by use case. One is not "better" than the other.
Refer the scenarios here - Authentication Scenarios for Azure AD.

Related

Login Persistence across SSO Protocols with CAS

I have an existing CAS4 instance that is in use for SSO across several web applications using the CAS protocol. CAS4 and later CAS versions, including CAS5, support other SSO protocols as well. CAS4 has support for SAML, OAuth2 and OpenID 2.0. CAS5 has support for OpenID Connect, etc.
I am wondering if one application authenticates with CAS via the CAS Protocol and a second subsequent application requests access via SAML or OAuth2 if the second application will be prompted to login, i.e. defeating the "Single Sign On" feature/capability?
I would really hope that the "Single Sign On" pseudo session spans different protocols. My worry is that it does not.
CAS4 has support for SAML, OAuth2 and OpenID 2.0. CAS5 has support for OpenID Connect, etc.
Let's be slightly more accurate that CAS4 has basic support for SAML1.1 and OAuth2 and its SAML2 support is limited only to handling an integration with Google Apps. Some have managed to extend it beyond that capability and turn it into a more general-purpose SAML2 integration strategy
CAS5 on the other hand as you note has support for SAML2 and OpenID Connect and a more improved version of OAuth2. The CAS protocol and related REST API implementations also gain quite a number of improvements in the way of working with JWTs as service tickets, etc.
I am wondering if one application authenticates with CAS via the CAS Protocol and a second subsequent application requests access via SAMPL or OAuth2 if the second application will be prompted to login, i.e. defeating the "Single Sign On" feature/capability?
No. That is the purpose of Single Sign-On. Regardless of what protocol you use, SSO/Authentication will continue to work fine because these are different subsystems. The thing that speaks a protocol language and the thing that validates credentials and the thing that creates and manages an SSO session all are very much independent of each other. If you find the opposite to be true in practice, that is a defect that needs a diagnosis.
I recommend you take a look at this blog post:
https://apereo.github.io/2018/02/26/cas-delegation-protocols/

CAS vs. SAML vs. OAuth2

Before you put me down for asking too basic a question without doing any homework, I'd like to say that I have been doing a lot of reading on these topics, but I'm still confused.
My needs seem simple enough. At my company, we have a bunch of Ruby on Rails applications. I want to build an SSO authentication service which all those applications should use.
Trying to do some research on how to go about doing this, I read about CAS, SAML and OAuth2. (I know that the "Auth" in OAuth stands for authorization, and not authentication, but I read enough articles saying how OAuth can be used for authentication just fine - this is one of them.)
Could someone tell me in simple terms what these 3 are? Are they alternatives (competing)? Is it even right to be comparing them?
And there are so many gems which all seem to be saying very similar stuff:
https://github.com/rubycas/rubycas-server and https://github.com/rubycas/rubycas-client
https://github.com/nbudin/devise_cas_authenticatable
https://github.com/onelogin/ruby-saml
CASino and https://github.com/rbCAS/casino-activerecord_authenticator
And I am sure there are hundreds of OAuth related gems.
I just want a separate Rails application which handles all the authentication for my other Rails apps.
Note: I do not want to allow users to use their Google / Facebook accounts to login. Our users already have accounts on our site. I want them to be able to login using that account once and be able to access all our apps without signing in again. Signing out in any app should sign them out of all apps.
UPDATE
I have come across these two OAuth solutions:
http://dev.mikamai.com/post/110722727899/oauth2-on-rails
http://blog.yorkxin.org/posts/2013/11/05/oauth2-tutorial-grape-api-doorkeeper-en/
They seem to be describing something very similar to what I want. But I haven't found any guide / blog post / tutorial showing how to do this with SAML / CAS.
Suggestions welcome.
UPDATE 2
More details about our use-case.
We do not have any existing SAML architecture in place. Primarily, it is going to be OUR users (registered directly on our website) who are going to be accessing all our applications. In the future, we may have third-party (partner) companies calling our APIs. We may also have users from these third-party (partner) companies (registered on their websites) accessing our apps.
CAS-Server:
A stand-alone central login page where the user enters their credentials (i.e. their username and password).
CAS supports the standardized SAML 1.1 protocol primarily to support
attribute release to clients and single sign-out.
(a table in a SQL database, ActiveDirectory/LDAP, Google accounts, etc.)
Full compatibility with the open, multi-platform CAS protocol (CAS clients are implemented for a wide range of platforms, including PHP, various Java frameworks, .NET, Zope, etc.)
Multi-language localization -- RubyCAS-Server automatically detects the user's preferred language and presents the appropriate interface.
SAML :
Security Assertion Markup Language is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
SAML authorization is a two step process and you are expected to implement support for both.
OAuth 2.0:
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf.
Important Note :
SAML has one feature that OAuth2 lacks: the SAML token contains the user identity information (because of signing). With OAuth2, you don't get that out of the box, and instead, the Resource Server needs to make an additional round trip to validate the token with the Authorization Server.
On the other hand, with OAuth2 you can invalidate an access token on the Authorization Server, and disable it from further access to the Resource Server.
Both approaches have nice features and both will work for SSO. We have proved out both concepts in multiple languages and various kinds of applications. At the end of the day OAuth2 seems to be a better fit for our needs (since there isn't an existing SAML infrastructure in place to utilize).
OAuth2 provides a simpler and more standardized solution which covers
all of our current needs and avoids the use of workarounds for
interoperability with native applications.
When should I use which?
1.If your usecase involves SSO (when at least one actor or participant is an enterprise), then use SAML.
2.If your usecase involves providing access (temporarily or permanent) to resources (such as accounts, pictures, files etc), then use OAuth.
3.If you need to provide access to a partner or customer application to your portal, then use SAML.
4.If your usecase requires a centralized identity source, then use SAML (Identity provider).
5.If your usecase involves mobile devices, then OAuth2 with some form of Bearer Tokens is appropriate.
Reference 1,Reference 2,Reference 3
If you need to authenticate for LDAP or ActiveDirectory then a solution like one of the CAS gems you mentioned above is right for you (RubyCAS, CASino).
If you can afford it, one of the commercial vendors (like Okta) is your best option because they will stay on top of security patches and manage your authentication needs for you. In particular, if you have to support ActiveDirectory, they've already implemented it.
OAuth is most useful for third party authentication, though it can do SSO. So if you wanted to support Google / Facebook logins or be a third party authenticator then it's a great choice. Since you don't want to support Google / Facebook then OAuth is probably not what you want.
If you are only intending to use HTTP POST for your SSO needs then the ruby-saml gem could be the way to go. You would have to implement your own Identity provider and add a service provider component to all your websites (possibly in the form of a gem.) Part of what you would need is a rails api to act as your identity provider. This gem helps support writing API's in rails.
EDIT
You mention the possibility that future third party users might be logging on to your site. This changes your calculus away from rolling your own ruby-saml solution.
The best way to share your authentication API is to implement an OAuth layer. Doorkeeper is a popular solution and is fast becoming the standard for Rails authentication. It's community support, flexibility and ease of use make it the best way to go for a consumable authentication API.
Railscast for implementing doorkeeper
Anjan.
I've used CAS and OAuth in my work. Here are some of my opinions, and hope to help.
Basically
Both CAS and SAML aim to solve SSO situation. And CAS is a service or an authentication system, which can support SAML protocol.
OAuth aims to solve authorization and authentication.
And in practice,
Both CAS and SAML act as an gateway in front of a group of applications which belong to one organization. Just like your case.
OAuth is used to authorize and authenticate between different organizations.
Just my thoughts, and hope to hear more voices.
We have used CAS and SAML in our architecture (Mobile App, Online Portal, and MicroServices) and both are used for different purpose.
Our Online Portal is like online banking that runs in public domain and has to be secure. We don't want to store password and other secure token's in the DB of the online portal, therefore, we use CAS for authentication and authorization. During registration, when user chooses the password, we store the password in CAS and store corresponding token in the DB of Portal
When user login next time, User enters the user name and password in Portal. Portal fetches the token corresponding to user from DB and sends User_name, password, and token to CAS for validation.
But, in case user has already logged in into one application and we redirect user to our another application then we dont want to user to enter username and password again for second application. We use SAML to solve this. First application shares user details with SAML server and gets token in return. First application passes the token to second application. Second application sends token to SAML server to get user details and on success lands user to desired page. Our first application can be Mobile App and second can be Portal in the scenario of App2Web.
Since you have got lot of answers for this question, I would like to suggest you an identity product that can be cater these kind of all protocol in one hand with lot of authentication and user management features. You can just try WSO2 Identity Server version for this.

Best authentication method for Node.JS RESTful API

I'm suppose to build a web application and a mobile application (for iOS) that share the same database. Currently I'm thiking about having a RESTful API and have both applications (web and iOS) comunicate with the API to access data. My problem is the authentication method that I should use. I've been researching about OAuth2.0 but that's not quite the thing I want because I don't want the user to have to authorize the connection as it happens when you log in somewhere using facebook or google+. I just want to make the login with a username and password and then stay logged in. And this for both the apps (web and iOS).
I'm using Node.JS and MongoDB to build the API.
I'm trying to do things "the correct way" because this is suppose to be the final project for my masters.
Can you guys give me some lights in how I can achieve this?
Use OAuth 2.0 so you have an extensible standard and token-based authentication which enables users to revoke authentication tickets, e.g. if their phone was stolen.
OAuth 2.0 supports various grant types. Those that you from facebook and twitter logins can be summarized as '3-legged oauth', but there's also two grant types for 2-legged OAuth, especially the resource owner password credentials grant (section 4.3 at the end of the page) which will simply exchange username and password for an authentication token. There's no need to implement 3-legged oauth if you don't want to.
I'd suggest to use database-stored tokens over crypto-based self-validating tokens for most use cases. The possibility to revoke individual grants, or all grants of specific client applications is super helpful in practice. It also shortens tokens a lot and reduces the risk of a catastrophic security leak because of a flaw in the implementation. Make sure the token itself is crypto-strong random and use a simple crypto-wrapper around the actual token value to enable cheap identification of (badly) faked tokens.
Something like Passport (no, not the whisky, but the middleware) could be a good thing to test
It allows to choose among many different authentication methods in an easy and transparent way

Why does Google provide a client secret for a Native application?

I'm writing a native application that works against a Google API. Upon registering my application, and despite its explicit designation as Native, the Google Developers Console provides me with a client secret.
As far as I understand the OAuth 2.0 protocol, native apps should never have a client secret, since they cannot guarantee its secrecy. Is Google mistaken in its implementation of OAuth 2.0? How should I proceed?
You are correct, the client secret isn't terribly useful in a native application from a being kept secret perspective. I suspect it's there mainly for consistency with the web application flow.
It does however have at least 1 useful feature... the original developer can reset it at any time, effectively revoking all refresh tokens bound to that client ID.

OAuth provider that is an OpenID consumer?

I would like to use OpenID to unify logins across projects that my group is working on. One of the projects may need to be an OAuth provider in the future so that users can sync data with other sites as well. Is it possible to setup an OAuth Provider that uses OpenID for authentication?
Yes.
Not sure which version of OAuth your are talking about here. But basically it would entail making the OAuth authorization step into an OpenID process which when successfully completed, resumes the OAuth process.
NB: OAuth is primarily for authorization of third party applications, OpenID is for user authentication. There is nothing impossible about mashing up the two, they are in essence dealing with different problem domains.
Basic Authentication(OpenID) or OAuth both require your permission, but there is an important difference. With Basic Authentication, you provide your username and password for the app to access application, and the application has to store and send this information over the Internet each time you use the app. OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials).
It doesn’t mean to say we cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are. They should work great together.
Here is an example(OpenID+OAuth Hybrid protocol) lets aware you, how to use hybrid protocol.
Twitter, Facebook are working on now OAuth only while
Google, Yahoo work on OpenID as well as OAuth.

Resources