OAuth vs SAML for Developers Needing to Implement Single Sign On (SSO)

Posted on Monday, February 22, 2016 by RICHARD HARRIS, Executive Editor

Inversoft CEO Brian Pontarelli reached out to us to provide his thoughts on OAuth vs SAML as a single sign-on (SSO) option for developers needing to implement an SSO solution. Inversoft’s Passport platform leverages OAuth to provide a user management system for registration, login and single sign-on.

ADM: Why do you feel OAuth surpasses SAML?

Pontarelli: The main advantage with OAuth is the reduced complexity and developer simplicity. SAML is XML-based, which is heavy, bloated and hard to read (even for the most experienced developers). OAuth solves this decoding nightmare and can authenticate users with ease. OAuth improves security by not exposing user credentials unnecessarily and has become the de facto standard for mobile applications.

ADM: What are your thoughts on the security layers behind SAML?

Pontarelli: SAML requires two levels of encryption and signing, one at the application layer and one at the transport layer (i.e. SSL and XML signing and encryption). This adds additional overhead and complexity, but little in the way of additional security.

ADM: What problems do you run into when using SAML for mobile?

Pontarelli: SAML is an HTTP-based protocol, which makes supporting SAML in a mobile app tricky. You must work around SAML’s HTTP POST binding by writing custom code, implementing a proxy server or ignoring the specification's recommendation altogether - a risky move. All of these solutions take time. The simplest and safest solution is to take a different approach entirely - OAuth.

While working with a customer to integrate CleanSpeak with their SSO backend, we were required to implement SAML 2.0 rather than OAuth. The customer also wanted to manage user roles and authorization in their backend systems rather than through CleanSpeak. After months of work and trial and error, we could not get the two systems integrated in a way that worked. We ripped out most of the integration and only used their SAML backend for login. Had we implemented OAuth instead, the project would have taken just a few days and achieved the same results.

ADM: From a management standpoint, what limitations do you see with SAML?

Pontarelli: While SAML provides SSO, it fails to provide user management features such as authorization, flexible user details and meta-data, active user reports, localization, discipline and reward capabilities or any type of moderation including username profanity filtering and approvals.

SAML dates back to 2002. Since then, there has been an undeniable shift towards cloud computing and mobile. SAML did not anticipate this change. Therefore, in order to use SAML with mobile clients, a complex and dated process is involved. Additionally, most providers have either never offered SAML support or removed it completely (i.e. LinkedIn and Twitter).

ADM: What are your recommendations for companies adding SSO in 2016?

Pontarelli: Use an off-the-shelf tool that provides OAuth for single sign-on. Using an OAuth provider will ensure that your applications and system are using the latest standards and have the most integration opportunities.

