1. https://appdevelopermagazine.com/security
  2. https://appdevelopermagazine.com/oauth-vs-saml-for-developers-needing-to-implement-single-sign-on-(sso)/
2/22/2016 9:26:06 AM
OAuth vs SAML for Developers Needing to Implement Single Sign On (SSO)
/Single-Sign-on-SSO-Compare-App-Developer-Magazine_63v92w6e.jpg
App Developer Magazine

Security

OAuth vs SAML for Developers Needing to Implement Single Sign On (SSO)


Monday, February 22, 2016

Richard Harris Richard Harris


Inversoft CEO Brian Pontarelli reached out to us to provide his thoughts on OAuth vs SAML as a single sign on (SS0) option for developers needing to implement an SSO solution. Inversoft’s Passport platform leverages OAuth to provide a user management system for registration, login and single sign-on.

ADM: Why do you feel OAuth surpasses SAML?

Pontarelli: The main advantage with OAuth is the reduced complexity and developer simplicity. SAML is XML based which is heavy, bloated and hard to read (even for the most experienced developers). OAuth solves this decoding nightmare and can authenticate users with ease. OAuth improves security by not exposing user credentials unnecessarily and has become the defacto standard for mobile applications. 

ADM: What are you thoughts on the security layers behind SAML?

Pontarelli: SAML requires two levels of encryption and signing, one at the application layer and one at the transport layer (i.e. SSL and XML signing and encryption). This adds additional overhead and complexity, but little in the way of additional security.

ADM: What problems do you run into when using SAML for mobile?

Pontarelli: SAML is an HTTP-based protocol which makes supporting SAML in a mobile app tricky. You must work around SAML’s HTTP POST binding by writing custom code, implementing a proxy server or ignoring the specifications recommendation altogether - a risky move. All of these solutions take time. The simplest and safest solution is to take a different approach entirely - OAuth. 

While working with a customer to integrate CleanSpeak with their SSO backend, we were required to implement SAML 2.0 rather than OAuth. The customer also wanted to manage user roles and authorization in their backend systems rather than through CleanSpeak. After months of work and trial and error, we could not get the two systems integrated in a way that worked. We ripped out most of the integration and only used their SAML backend for login. Had we implemented OAuth instead, the project would have taken just a few days and achieved the same results.

ADM: From a management standpoint, what limitations do you see with SAML?
Brian Pontarelli

Pontarelli: While SAML provides SSO, it fails to provide user management features such as authorization, flexible user details and meta-data, active user reports, localization, discipline and reward capabilities or any type of moderation including username profanity filtering and approvals.

SAML dates back to 2002. Since then, there has been an undeniable shift towards cloud computing and mobile. SAML did not anticipate this change. Therefore, in order to use SAML with mobile clients, a complex and dated process is involved. Additionally, most providers have either never offered SAML support or removed it completely (i.e. LinkedIn and Twitter)

ADM: What are your recommendations for companies adding SSO in 2016?

Pontarelli: Use an off the shelf tool that provides OAuth for single sign-on. Using an OAuth provider will ensure that your applications and system are using the latest standards and have the most integration opportunities.


OAuth vs SAML for Developers Needing to Implement Single Sign On (SSO)




Read more: https://www.inversoft.com/products/user-management...




Subscribe to App Developer Magazine

Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.

MEMBERS GET ACCESS TO

  • - Exclusive content from leaders in the industry
  • - Q&A articles from industry leaders
  • - Tips and tricks from the most successful developers weekly
  • - Monthly issues, including all 90+ back-issues since 2012
  • - Event discounts and early-bird signups
  • - Gain insight from top achievers in the app store
  • - Learn what tools to use, what SDK's to use, and more

    Subscribe here



Stay Updated

Sign up for our newsletter for the headlines delivered to you

SuccessFull SignUp

Featured Stories


Enviromates new browser launches
Enviromates new browser launches Monday, July 6, 2026




AI Executive Order aims to balance security and innovation
AI Executive Order aims to balance security and innovation Monday, June 29, 2026


Top manufacturing trends for 2026
Top manufacturing trends for 2026 Tuesday, June 23, 2026


API scoring tool shows if your API is ready for AI
API scoring tool shows if your API is ready for AI Monday, June 22, 2026


Agentic AI Reality Check: The Million-Dollar Mistake Hiding Inside ERP
Agentic AI Reality Check: The Million-Dollar Mistake Hiding Inside ERP Friday, June 19, 2026


Influencer Debate AI Anthropic IPO Reveals Industry Concerns
Influencer Debate AI Anthropic IPO Reveals Industry Concerns Wednesday, June 17, 2026


Subscription apps are losing users faster than ever
Subscription apps are losing users faster than ever Tuesday, June 16, 2026


DomainTools announces real time threat feeds
DomainTools announces real time threat feeds Monday, June 15, 2026


Take It Down Act results in warning letters from FTC
Take It Down Act results in warning letters from FTC Friday, June 12, 2026


Nvidia valuation fears grow
Nvidia valuation fears grow Friday, June 12, 2026


Get More App News