Subject: RE: [security-services] SAML deployments that use consent step?
Thomas Hardjono wrote on 2009-11-12:

> I often get questions about OAUTH and SAML,
> and I often respond by saying that OAUTH as a "consent-giving" protocol
> (as opposed to an "authentication" protocol).

I think OAuth is a protocol for issuing combined authentication and authorization tokens in one step, but like most "token" carriers, it really doesn't specify how the token is interpreted. It gets used for pure authentication as well as the more typical delegated authorization scenario. Same goes for SAML at times. It's all in how you look at it.

> That is (using the OAUTH spec use-case), a user gives consent to RitzPhoto
> to download/print a JPEG file from the user's Flickr account.

Yes, but that consent takes the form of a token that the consumer uses to authenticate itself to the service with some set of implied access rights.

> I'm thinking that all the steps in OAUTH can be expressed
> in SAML (right?)

Yes. OAuth "classically" assumes that the token issuer and the service are the same thing, and SAML assumes they're probably different, which implies a standard token format and the notion of formalized SubjectConfirmation to communicate from the issuer to the service what the consumer has to do to use the token.

Note that OAuth also includes a lot of orthogonal material on securing HTTP messages that properly have nothing to do with the protocol pattern itself.

-- Scott
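The SubjectConfirmation mechanism Scott refers to is what lets a SAML service (distinct from the issuer) decide whether the party presenting a token is allowed to use it. The following is an added example, not code from the thread or from any OASIS artifact: a small Python checker for the two common confirmation methods, bearer (anyone holding the assertion may use it, so the service must check the intended recipient and the validity window) and holder-of-key (the presenter must also have proven possession of the key the issuer named). The assertions, the recipient URL, and the `presented_key` string are constructed for illustration; a real deployment would compare the key from the TLS client certificate or message signature, and would verify the assertion's XML signature before any of this.

```python
"""Added example (not from the mailing-list thread): evaluate a SAML 2.0
SubjectConfirmation at the service side.

Bearer confirmation means the token itself is the credential, so Recipient
and NotOnOrAfter/NotBefore are the only things standing between a replayed
or misdirected assertion and acceptance. Holder-of-key adds a proof of
possession: the presenter must have demonstrated the key named in
ds:KeyInfo. All sample data below is constructed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2009-11-12T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_subject_confirmation(assertion_xml, recipient, now, presented_key=None):
    """Return (accepted, detail). `recipient` is this service's own endpoint;
    `presented_key` is a constructed stand-in for whatever key the presenter
    proved possession of (compared as a plain string here)."""
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not confirmations:
        return False, "no SubjectConfirmation"
    for sc in confirmations:
        method = sc.get("Method")
        data = sc.find("saml:SubjectConfirmationData", NS)
        if method not in (BEARER, HOLDER_OF_KEY) or data is None:
            continue  # unsupported or unrestricted; try the next one
        # Both methods: the assertion must be meant for us and still valid.
        if data.get("Recipient") != recipient:
            continue
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            continue
        not_before = data.get("NotBefore")
        if not_before and now < _parse_time(not_before):
            continue
        if method == HOLDER_OF_KEY:
            # Holder-of-key: the named key must match the one the presenter proved.
            key_name = data.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
            if key_name is None or key_name != presented_key:
                continue
        return True, method
    return False, "no SubjectConfirmation satisfied"


# Constructed sample assertions (unsigned, for illustration only).
RECIPIENT = "https://sp.example/acs"

BEARER_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2009-11-12T10:00:00Z">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example/acs"
          NotOnOrAfter="2009-11-12T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

HOK_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-2" Version="2.0" IssueInstant="2009-11-12T10:00:00Z">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData Recipient="https://sp.example/acs"
          NotOnOrAfter="2009-11-12T10:05:00Z">
        <ds:KeyInfo><ds:KeyName>consumer-cert-1</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    now = datetime(2009, 11, 12, 10, 1, tzinfo=timezone.utc)
    print("bearer, in window:", check_subject_confirmation(BEARER_ASSERTION, RECIPIENT, now))
    print("bearer, expired:", check_subject_confirmation(
        BEARER_ASSERTION, RECIPIENT, datetime(2009, 11, 12, 10, 6, tzinfo=timezone.utc)))
    print("holder-of-key, key proven:", check_subject_confirmation(
        HOK_ASSERTION, RECIPIENT, now, presented_key="consumer-cert-1"))
    print("holder-of-key, no proof:", check_subject_confirmation(HOK_ASSERTION, RECIPIENT, now))
```

The checker deliberately treats a missing `SubjectConfirmationData` or an unknown `Method` as "not satisfied" rather than as a pass, and it iterates over all confirmations because the SAML schema allows several; any one that the presenter can satisfy is enough. This is exactly the information an OAuth-style deployment, where issuer and service are the same process, never has to serialize.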