RE: [security-services] SAML deployments that use consent step?

["Scott Cantor" <cantor.2@osu.edu>]

Thomas Hardjono wrote on 2009-11-12:
> I often get questions about OAUTH and SAML,
> and I often respond by saying that OAUTH as a "consent-giving" protocol
> (as opposed to an "authentication" protocol).

I think OAuth is a protocol for issuing combined authentication and
authorization tokens in one step, but like most "token" carriers, it really
doesn't specify how the token is interpreted. It gets used for pure
authentication as well as the more typical delegated authorization scenario.
Same goes for SAML at times. It's all in how you look at it.

> That is (using the OAUTH spec use-case), a user gives consent to RitzPhoto
> to download/print a JPEG file from the user's Flickr account.

Yes, but that consent takes the form of a token that the consumer uses to
authenticate itself to the service with some set of implied access rights.

> I'm thinking that all the steps in OAUTH can be expressed
> in SAML (right?)

Yes. OAuth "classically" assumes that the token issuer and the service are
the same thing, and SAML assumes they're probably different, which implies a
standard token format and the notion of formalized SubjectConfirmation to
communicate from the issuer to the service what the consumer has to do to
use the token.

Note that OAuth also includes a lot of orthogonal material on securing HTTP
messages that properly have nothing to do with the protocol pattern itself.
 
-- Scott