<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Struggling to implement least privilege in your organization? Join StrongDM featuring Forrester for this upcoming webinar. Register now!

SAML vs. OAuth: Everything You Need to Know

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Summary: In this article, we will provide a high-level overview of the Security Assertion Markup Language (SAML) and Open Authorization (OAuth) information access frameworks. You’ll learn about the key similarities and differences between SAML and OAuth, the unique benefits of each framework, and specific use cases for each. By the end of this article, you’ll have a clear understanding of SAML and OAuth to help you determine which is right for your organization.

What are SAML and OAuth?

SAML and OAuth are open standard frameworks utilized by organizations for authentication and authorization strategies, respectively. SAML authenticates the user’s identity to a service, while OAuth authorizes the user to access specific resources owned by the service provider. Both can be used for single sign-on (SSO), which permits users to access IT resources with only one set of login credentials (e.g., username and password). Consolidating accounts and passwords via SSO helps improve system security and user experiences, among other benefits.

Security Assertion Markup Language (SAML)

SAML (SAML 2.0 since 2005) is an authentication and authorization standard. Authentication proves that users are who they claim to be, while authorization allows authenticated parties to do what they request. SAML is an extensible markup language (XML) variant for exchanging security information online.

SAML exchanges take place between system entities referred to as an asserting party (also called a SAML authority) and a relying party that processes the security assertions it receives. Security assertions are standardized statements in the markup language that determine access control decisions.

There are two types of SAML SSO: Identity Provider (IdP) initiated and Service Provider (SP) initiated. Both use an IdP to authenticate the user, the main difference is the starting point.

  • IdP-initiated SAML SSO: The user attempts to log into an IdP, and the IdP can directly verify the user’s identity with a SAML response.
  • SP-initiated SAML SSO: The user attempts to log into a SP, and the SP must generate a SAML request. The request and user are sent to an IdP for authentication, and then back to the SP to complete the log in.

Open Authorization (OAuth)

OAuth (OAuth 2.0 since 2013) is an authentication standard that allows a resource owner logged-in to one system to delegate limited access to protected information to a third party without sharing the owner’s security credentials. Instead, the third-party system obtains approval from the resource owner for a short-lived access token from an authorization server with approval of the resource owner.

OAuth focuses on developer simplicity while providing specific authorization flows for web, mobile, and desktop applications, mobile devices, and smart devices. It allows users authenticated in one application or system to authorize third-party applications or systems to gain limited access to user data, without sharing authentication information.

A typical OAuth workflow is based on interactions among four roles:

  • Resource owner: grants access to protected resources
  • Resource server: hosts protected resources and responds to access requests
  • Client: an application that submits access requests on behalf of the resource owner
  • Authorization server: issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization

SAML vs. OAuth: What’s the Difference?

The primary difference between SAML and OAuth is that SAML generally facilitates exchange of a single user’s authentication and authorization data across secure domains. In contrast, OAuth typically works on behalf of a specific application to share user information on a limited basis with other applications.

SAML is more commonly used by large organizations and government entities, in which XML use is widespread. It’s also used by enterprise applications such as Salesforce and Marketo for authentication. Key drivers to SAML adoption include SSO evolution, federated identity management expansion, and changing industry standards that govern authorization services, identity frameworks, and web services security.

Created and strongly supported by companies including Twitter and Google, OAuth is more commonly used on the open internet. Typically, two or more unrelated websites, apps or services are trying to accomplish something on behalf of end users and need multiple security approvals to complete an authorized transaction. Major OAuth users include Amazon, Facebook, Instagram, LinkedIn, Microsoft, Netflix, and Paypal, which often partner on co-promotional activities.

Similarities Between SAML and OAuth

SAML and OAuth were both created to standardize and encourage interoperability of infrastructure access management systems. They share three important characteristics:

SAML and OAuth eliminate the need for implementing multiple authentication systems and simplify how organizations authorize access to protected information. Both are building blocks for FIM because they let users access multiple IT resources with one login credential.

SAML vs. OAuth: Which One Is Better?

An organization’s specific needs and existing infrastructure dictate whether one framework is better suited than the other. While both can be used for SSO, they are not interchangeable or mutually exclusive. SAML supports both user authentication and authorization while OAuth is only for authorization. If the business priority is confirming user identity, SAML is the only choice. If the business priority is securely and easily managing user privileges, OAuth may be the better choice.

SAML and OAuth Use Cases

Multi-domain SSO with SAML

SAML solves the multi-domain SSO problem by providing a standard, vendor-independent protocol for transferring information about a user from one web server to another.

For example, a customer logs in to their account on an airline website to book a flight. During the process, the customer is offered a rental car deal as part of a partnership arrangement between the airline and the rental agency. Assuming the customer has a federated identity, the identity provider (the airline) transmits a SAML security assertion to the service provider (the rental agency) that the user is known and authenticated. Because the rental agency website “trusts” the SAML assertion, it creates a local session for the user without requiring the user to re-authenticate.

Consumer privacy with OAuth

OAuth can grant access to private resources on one website or mobile application (the service provider), to another (the consumer) without sharing the end user’s identity.

For example, a Google Photos user wants to get digital images printed. The end user, known as the resource owner, can grant the photo printing service access to images on a resource server at Google Photos. Instead of sharing their Google username and password, the customer authenticates directly with a Google authorization server that then issues an access token with specific credentials to the printing service.

Can SAML and OAuth Work Together?

Organizations can use both standards to provide employees and customers with an SSO experience across a wide range of applications and services. For instance, a SAML assertion from an IdP can verify user identity when communicating between an authorization server and a resource server. The authorization server can then use an OAuth token to provide the end user with access to resources based upon their security credentials.

Additionally, some environments may require both SAML and OAuth, as is the case in Microsoft environments where SAML grants system access and OAuth grants access to protected resources.

SAML vs. OAuth: Frequently Asked Questions

Should I use OAuth or SAML?

OAuth is designed to support a variety of client types that access application programming interfaces (APIs), which makes it a valuable tool for today’s mobile-first application developers. On the other hand, organizations with large investments in XML resources and heavy authentication workloads are likely to benefit from SAML.

What is the difference between SAML and SSO?

SAML enables SSO by defining how organizations can offer both authentication and authorization services as part of their infrastructure access strategy. As an open standard, SAML can be implemented by a wide variety of identity and access management (IAM) vendors. Additionally, IdPs and service providers that adhere to the standard can communicate freely, regardless of vendor.

Is OAuth more secure than SAML?

SAML is considered more secure because, unlike OAuth, it allows users to encrypt assertions. This makes it ideal for large enterprises working with sensitive data.

How StrongDM Can Help with SAML and OAuth

StrongDM provides a SAML-compliant authorization server that also supports OAuth. That means organizations can use SAML and OAuth to authenticate and authorize users according to business needs. Our Infrastructure Access Platform (IAP) allows you to customize SSO experiences, including the use of OAuth so users can delegate authentication to third-party systems through an existing SAML identity provider.

Security Meets Simplicity with StrongDM

Infrastructure access is about giving employees, customers, vendors, and partners the tools they need when they need them. That means eliminating obstacles that prevent or delay logging in to systems and accessing applications, data, and services. Optimizing user authentication and authorization is a major factor for eliminating such obstacles.

By understanding the difference between SAML and OAuth, enterprises can make informed decisions about which open standard for infrastructure access best addresses their needs.

Learn more about controlling access to your resources with a no-BS, two-week demo of StrongDMtoday.


About the Author

, Co-founder / CCO, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

AWS Management Console resources
Connect to Even More Resources with StrongDM’s AWS Management Console
We’ve just launched our AWS Management Console, adding yet another supported authentication method to improve control and auditability–so you can protect your business and improve employee productivity.
Token-based Authentication: Everything You Need to Know
Token-based Authentication: Everything You Need to Know
Secured authentication to databases and applications is crucial to enterprise cybersecurity management. Unfortunately, 82% of all breaches involve human error, including misused or compromised credentials that give threat actors unauthorized access to network resources. Luckily, there’s a solution that ensures security without the risks that come with traditional, credential-based authentication. This article discusses token-based authentication and explains why it's a reliable and flexible alternative to verifying users, especially for cloud applications.
LDAP vs. Active Directory: Everything You Need to Know
LDAP vs. Active Directory: Everything You Need to Know
Struggling to understand the difference between Active Directory and LDAP? Don't worry, we’ll make it simple. These are just two among many methods that can provide secure user authentication and authorization. The information in this article will help you decide if LDAP or Active Directory is right for your organization. Robust security and a seamless user experience are attainable, and you can have both!
What Is Credential Stuffing? Definition, Prevention & More
Credential Stuffing: How to Detect and Prevent It
In this article, we’ll define credential stuffing and explain the risks that credential stuffing attacks pose to organizations and customers. We’ll cover recent examples of credential stuffing attacks and discuss how to detect and prevent them. By the end of the article, you should understand the full scope of credential stuffing, including how to protect your customers’ and employees’ account credentials with the right tools. 
Brute Force Attack: Types, Examples & Prevention
What is a Brute Force Attack? Types, Examples & Prevention
In this article, we’ll take a comprehensive look at brute force attacks: what they are, how they work, and the different shapes they can take. You'll learn about popular tools utilized by hackers and examples of brute force attacks in action. By the end of this article, you'll be able to understand critical prevention measures for brute force attacks.