Authentication with SAML, OpenID and OAuth – demystifying the terms
SAML, OpenID and OAuth are three different authentication and/or authorization standards that can be used in automation. Each of these solutions provides security for users in intranet and Internet applications. In this article, we will explain the differences between these standards.
First, let’s clarify the differences between the terms authentication and authorization. Authentication is the process by which the identity of a subject is verified. Authorization occurs when the system checks whether an already authenticated subject has permissions to the resource on which it wants to perform a specific operation: reading, writing, modifying or deleting data.
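The distinction above is easiest to see when the two checks are written as separate steps. The following Python script is an added example, not code from the original article: a constructed credential store (salted PBKDF2 hashes) backs the authentication step, and a constructed access-control list backs the authorization step, so a subject can pass the first check and still be refused by the second. The user names, passwords, resource path and operations are all invented for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional


# Constructed credential store: each user maps to (random salt, PBKDF2 hash).
# Passwords are never stored in plaintext; salts are generated at import time.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("hunter2"),
}

# Constructed access-control list: resource -> subject -> operations allowed.
ACL = {
    "/reports/q1": {"alice": {"read", "write", "modify", "delete"}, "bob": {"read"}},
}

# Dummy record so that unknown usernames cost the same hashing time as real ones
# (otherwise response time would reveal which usernames exist).
_DUMMY_SALT, _DUMMY_HASH = _make_record("dummy")


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: verify the subject's identity. Returns the subject id or None."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison so the position of a mismatch does not leak via timing.
    if username in USERS and hmac.compare_digest(candidate, expected):
        return username
    return None


def authorize(subject: str, resource: str, operation: str) -> bool:
    """Authorization: does an already-authenticated subject hold this permission?"""
    return operation in ACL.get(resource, {}).get(subject, set())


def access(username: str, password: str, resource: str, operation: str) -> str:
    """Run the two checks in order and report an HTTP-style outcome."""
    subject = authenticate(username, password)
    if subject is None:
        return "401 unauthenticated"   # identity could not be verified
    if not authorize(subject, resource, operation):
        return "403 forbidden"         # identity verified, permission missing
    return "200 ok"


if __name__ == "__main__":
    for args in [("alice", "correct horse battery staple", "/reports/q1", "delete"),
                 ("bob", "hunter2", "/reports/q1", "delete"),
                 ("bob", "wrong", "/reports/q1", "read")]:
        print(args[0], args[3], "->", access(*args))
```

Note that the 401 and 403 outcomes are deliberately different: the first means "we do not know who you are", the second "we know who you are and the answer is no". Collapsing them into one error hides which of the two controls actually fired.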
SAML – Security Assertion Markup Language
SAML is a protocol that enables secure authentication and transfer of user information between different systems. It makes it possible to integrate multiple applications and services into a single authentication system, making it easier to manage access to different resources. The current version of SAML 2.0 is a combination of three standards: SAML 1.1, ID-FF 1.2 (Identity Federation Framework) and Shibboleth. The most important application of the SAML protocol is single sign-on (SSO). SAML can be used in automation to enable secure access to various applications and services from a single user interface.
Example
A company wants to allow its employees to access network resources using their own company accounts. It uses SAML to authenticate these accounts and authorize access to specific resources. With this solution, employees can access resources from anywhere, without having to log in to each resource separately.
SAML can also be used in automation to ensure the security of data exchanged between IT systems, such as by encrypting that data using private keys.
OpenID and OAuth
OpenID and OAuth are authentication and authorization standards that allow users to use a single account for different web applications and services. With this solution, users do not have to create separate logins and passwords for each service, making it much easier to use the Web and reducing the risk of data loss. Users can log in to their accounts on one website and then use other services that support OpenID without having to re-enter their login and password.
OpenID solves the problem of distributing the components of a user’s identity (first name, last name, e-mail, address, etc.) among multiple web services (e.g. newsgroups, online stores, etc.). The advantages of the OpenID solution are ease of use, decentralization, ease of updating and privacy control.
OAuth is an authorization framework that allows one application to access data stored in another application without sharing user passwords. It is designed to work with the HTTP protocol and allows external clients to issue access tokens through an authorization server. The external client uses the received token to access protected resources. The solution is useful for process automation, as it allows integration of different applications without the need to store and transfer sensitive data.
Example
If we want to automate the process of ordering products with our favorite shopping app, we can use OAuth to authenticate our account with that app without revealing our password, using only our username and token. This will allow our automation app to make purchases on our behalf, without having to share our login information with other apps.
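The shopping example above is the OAuth authorization-code exchange in prose: the user consents at the authorization server, the client receives a short-lived code, exchanges it for an access token, and then presents the token to the protected resource. The Python below is an added example, not code from the article or from any OAuth library; it models all three parties in one process. The HMAC-signed token format, the shared signing key, the client ID "shopping-bot", its secret and the scope names are constructed for the demo (real deployments normally use signed JWTs with an asymmetric key, or token introspection, rather than a key shared with the resource server).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by the authorization server and the resource server.
SIGNING_KEY = b"constructed-demo-signing-key"


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


class AuthorizationServer:
    """Issues authorization codes after user consent and exchanges them for access tokens."""

    def __init__(self):
        self.clients = {"shopping-bot": "constructed-client-secret"}  # registered clients
        self.pending_codes = {}  # code -> (client_id, user, scope, expiry)

    def authorize(self, client_id: str, user: str, scope: str) -> str:
        # The user logs in and consents here; the client never sees the password.
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (client_id, user, scope, time.time() + 60)
        return code

    def token(self, client_id: str, client_secret: str, code: str):
        registered = self.clients.get(client_id, "")
        if not hmac.compare_digest(registered, client_secret):
            return None  # client failed to authenticate itself
        entry = self.pending_codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        code_client, user, scope, expiry = entry
        if code_client != client_id or time.time() > expiry:
            return None  # code stolen by another client, or too old
        claims = {"sub": user, "client_id": client_id, "scope": scope,
                  "exp": int(time.time()) + 300}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return "%s.%s" % (body, _sign(body))


class ResourceServer:
    """Protected API: accepts only valid, unexpired tokens carrying the needed scope."""

    def handle(self, token: str, required_scope: str, now=None) -> int:
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return 401
        body, sig = parts
        if not hmac.compare_digest(sig, _sign(body)):
            return 401  # forged or tampered token
        try:
            claims = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:
            return 401
        if claims.get("exp", 0) <= now:
            return 401  # expired
        if required_scope not in claims.get("scope", "").split():
            return 403  # genuine token, but it does not carry this permission
        return 200


def run_flow() -> dict:
    """Authorization-code flow: user consents, client swaps code for token, client calls the API."""
    auth = AuthorizationServer()
    api = ResourceServer()
    code = auth.authorize("shopping-bot", "alice", "orders:write")
    token = auth.token("shopping-bot", "constructed-client-secret", code)
    replay = auth.token("shopping-bot", "constructed-client-secret", code)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")  # flip last signature char
    return {
        "token_issued": token is not None,
        "code_reuse_rejected": replay is None,
        "order": api.handle(token, "orders:write"),
        "payment": api.handle(token, "payments:write"),
        "tampered": api.handle(tampered, "orders:write"),
        "expired": api.handle(token, "orders:write", now=time.time() + 600),
    }


if __name__ == "__main__":
    print(run_flow())
```

The point the shopping example makes is visible in `run_flow()`: the password never leaves the authorization server, the token is limited to the scope the user consented to (an order call succeeds, a payment call is refused with 403), and a tampered or expired token is rejected outright.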
OAuth is a complementary and separate service from OpenID. OAuth is also distinct from OATH, which is a reference architecture for the identification process, not a standard. However, OAuth is directly related to OpenID Connect (OIDC) because OIDC is an identity layer built on top of OAuth 2.0.
Federated Authentication (Federated Identity Management) is another related concept and model in which an entity can use multiple services provided by different providers using the same credentials. In this approach, the identity of the entity is confirmed by a trusted party. This model takes advantage of SSO while removing the restriction of operating within a single network or domain by adding an external trusted party to confirm identity. It is commonly used by companies when using cloud services.
Summary
Authentication protocols are technologies that are used to confirm the identity of a user or device. Authorization protocols, on the other hand, are used to determine whether a person or device has access to certain resources or services. They are essential to ensure security and privacy on computer networks.