How-to: OAuth and SAML – A Love Story for Valentine’s Day

Naturally, OAuth 2.0 is the shining star of the OAuth Toolkit (OTK), the prima donna that performs center stage in Layer7’s API security implementation. But waiting in the wings with a bouquet of slightly wilted flowers is an older standard who once shone just as brightly before all those mobile apps came along. His name is SAML.

SAML (Security Assertion Markup Language) is a set of open standards used with web browsers to provide single sign-on (SSO) authentication for Enterprise applications. His complex tap dance of authentication involves browser redirects, HTTP post, sometimes SOAP, and signed X.509 certificates. Still, SAML made it all look easy and seamless. One login, and the SAML assertion was used for subsequent authentication. The audience loved it.

Then the world changed. Mobile apps became prevalent, and SAML’s browser-based routine stumbled. All eyes turned to OAuth, a younger standard with her own graceful dance of authorization. While SSO and authentication itself wasn’t really her thing, she could still pull it off with class, and everyone agreed that REST instead of SOAP was really more elegant. Instead of a SAML assertion, she used an OAuth access token. Big deal, thought SAML, but the people ate it up.

Watching OAuth dance, SAML could have been bitter, but instead he fell in love. 

Now, OAuth had secretly admired SAML before she took the stage and was also in love. They exchanged gifts. OAuth accepted SAML’s assertion (wilted flowers) and in return, gave him a shiny OAuth access token to access her protected API endpoints. Romance bloomed.

If you use SAML authentication and SSO with your Enterprise apps, but also want to access OAuth protected resources, the Layer7 OTK can help. By default, SAML authentication with OAuth is turned off, but enabling it is simple. You provide the federated identity provider (FIP) details then activate custom policies that are pre-configured to support the SAML authentication workflow.

The entire process of enabling the exchange of the SAML assertion for the OAuth token, then using a test client to verify the workflow is clearly demonstrated in the accompanying video. Activating the interaction between OAuth and SAML is just another example of how flexible and powerful the policy-driven OTK can be. 

And how true love was eventually found between authentication and authorization.

blog written by Simon Crum

Recent Posts