How-to: OAuth and SAML – A Love Story for Valentine’s Day

Naturally, OAuth 2.0 is the shining star of the OAuth Toolkit (OTK), the prima donna that performs center stage in Layer7’s API security implementation. But waiting in the wings with a bouquet of slightly wilted flowers is an older standard who once shone just as brightly before all those mobile apps came along. His name is SAML.

SAML (Security Assertion Markup Language) is a set of open standards used with web browsers to provide single sign-on (SSO) authentication for Enterprise applications. His complex tap dance of authentication involves browser redirects, HTTP POST, sometimes SOAP, and digital signatures backed by X.509 certificates. Still, SAML made it all look easy and seamless. One login, and the SAML assertion was used for subsequent authentication. The audience loved it.

Then the world changed. Mobile apps became prevalent, and SAML’s browser-based routine stumbled. All eyes turned to OAuth, a younger standard with her own graceful dance of authorization. While SSO and authentication themselves weren’t really her thing, she could still pull them off with class, and everyone agreed that REST instead of SOAP was really more elegant. Instead of a SAML assertion, she used an OAuth access token. Big deal, thought SAML, but the people ate it up.

Watching OAuth dance, SAML could have been bitter, but instead he fell in love. 

Now, OAuth had secretly admired SAML before she took the stage and was also in love. They exchanged gifts. OAuth accepted SAML’s assertion (wilted flowers) and in return, gave him a shiny OAuth access token to access her protected API endpoints. Romance bloomed.

If you use SAML authentication and SSO with your Enterprise apps, but also want to access OAuth-protected resources, the Layer7 OTK can help. By default, SAML authentication with OAuth is turned off, but enabling it is simple. You provide the federated identity provider (FIP) details and then activate custom policies that are pre-configured to support the SAML authentication workflow.

The entire process of enabling the exchange of the SAML assertion for the OAuth token, then using a test client to verify the workflow is clearly demonstrated in the accompanying video. Activating the interaction between OAuth and SAML is just another example of how flexible and powerful the policy-driven OTK can be. 
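As an added illustration (not code from the post or from Layer7's OTK), this is what the assertion-for-token exchange looks like when expressed as the standard SAML 2.0 bearer grant (RFC 7522): the client packs the assertion into a token request, and the token endpoint must at minimum check the assertion's validity window and audience before handing back an access token. The assertion, issuer, token endpoint URL and client id are constructed placeholders, and signature verification against the FIP's certificate is left out.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOKEN_ENDPOINT = "https://gateway.example.com/oauth/token"  # constructed placeholder

# Constructed, unsigned sample assertion for illustration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-02-14T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-02-14T10:00:00Z" NotOnOrAfter="2024-02-14T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.example.com/oauth/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing 'Z'; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_conditions(assertion_xml, expected_audience, now):
    """Minimal checks a token endpoint must make before trusting a bearer
    assertion: validity window and audience. Signature verification against
    the FIP's certificate is required in practice but omitted here."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, "audience does not match this token endpoint"
    return True, "ok"

def build_saml_bearer_request(assertion_xml, client_id, scope):
    """Form body for the RFC 7522 SAML 2.0 bearer grant (base64url, no padding)."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": encoded,
        "client_id": client_id,
        "scope": scope,
    })
```

The body returned by `build_saml_bearer_request` is what gets POSTed to the token endpoint; an assertion that fails `check_conditions` should be rejected there rather than exchanged.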

And how true love was eventually found between authentication and authorization.

blog written by Simon Crum

Aric Day

Aric is based in Minneapolis, MN and has been managing Enterprise API programs for more than 10 years as both an operations sysadmin and an API security consultant designing API integration standards. He currently serves Layer7 North American core accounts within the central and western regions. In previous roles he has worked as an automation and API security consultant with both Accenture and Best Buy. Aric has an engineering degree from the University of Minnesota. He is active as a youth hockey coach in winter and enjoys getting outdoors during the brief MN summer months.