Inversoft CEO Brian Pontarelli reached out to us to provide his thoughts on OAuth vs SAML as a single sign-on (SSO) option for developers needing to implement an SSO solution. Inversoft’s Passport platform leverages OAuth to provide a user management system for registration, login and single sign-on.
ADM: Why do you feel OAuth surpasses SAML?
Pontarelli: The main advantage with OAuth is the reduced complexity and developer simplicity. SAML is XML based which is heavy, bloated and hard to read (even for the most experienced developers). OAuth solves this decoding nightmare and can authenticate users with ease. OAuth improves security by not exposing user credentials unnecessarily and has become the de facto standard for mobile applications.
ADM: What are your thoughts on the security layers behind SAML?
Pontarelli: SAML requires two levels of encryption and signing, one at the application layer and one at the transport layer (i.e. SSL and XML signing and encryption). This adds additional overhead and complexity, but little in the way of additional security.
ADM: What problems do you run into when using SAML for mobile?
Pontarelli: SAML is an HTTP-based protocol which makes supporting SAML in a mobile app tricky. You must work around SAML’s HTTP POST binding by writing custom code, implementing a proxy server or ignoring the specification’s recommendation altogether - a risky move. All of these solutions take time. The simplest and safest solution is to take a different approach entirely - OAuth.
While working with a customer to integrate CleanSpeak with their SSO backend, we were required to implement SAML 2.0 rather than OAuth. The customer also wanted to manage user roles and authorization in their backend systems rather than through CleanSpeak. After months of work and trial and error, we could not get the two systems integrated in a way that worked. We ripped out most of the integration and only used their SAML backend for login. Had we implemented OAuth instead, the project would have taken just a few days and achieved the same results.
ADM: From a management standpoint, what limitations do you see with SAML?
Pontarelli: While SAML provides SSO, it fails to provide user management features such as authorization, flexible user details and meta-data, active user reports, localization, discipline and reward capabilities or any type of moderation including username profanity filtering and approvals.
SAML dates back to 2002. Since then, there has been an undeniable shift towards cloud computing and mobile. SAML did not anticipate this change. Therefore, in order to use SAML with mobile clients, a complex and dated process is involved. Additionally, most providers have either never offered SAML support or removed it completely (e.g. LinkedIn and Twitter).
ADM: What are your recommendations for companies adding SSO in 2016?
Pontarelli: Use an off the shelf tool that provides OAuth for single sign-on. Using an OAuth provider will ensure that your applications and system are using the latest standards and have the most integration opportunities.
Read more: https://www.inversoft.com/products/user-management...