11‐ Authentication and Authorization

Prayag edited this page Nov 17, 2023 · 1 revision

SAML is a standard that allows identity providers and service providers (websites and apps) to exchange authentication and authorization data.

It is an alternative to OIDC, which can also be used to implement SSO.
SAML is complementary to OAuth – you can implement SAML with OAuth as the authorization layer. It is common to use OAuth with either OIDC or SAML.

OAuth + OIDC   (authorization + authentication)
OAuth + SAML   (authorization + authentication)

OAuth:

If you use OAuth to allow an app to access your Facebook account:

  • the app acts as the consumer (the OAuth client),
  • while Facebook is the service provider. Facebook issues tokens, which the app can then use to access your account data.

OAuth is an open-standard authorization framework for token-based authorization, and it is used very widely.

  • OAuth lets a provider such as Google or Facebook share an end-user's account details with a third-party service without revealing the user's account credentials to that third party.
  • It acts as a go-between on behalf of the end-user, giving the third-party service an access token that authorizes the sharing of specific account information.
  • The process of obtaining the token is known as the authorization flow.
  • Its main focus is secure authorization for a user who has already been authenticated, while reducing friction as much as possible to improve the user experience.

Third-party authentication:

OpenID Connect is suitable for private users. If you use OIDC, you can first authenticate your account in another application. One common use case is Gmail.

  • In this case, Google is your identity provider, and you can sign in to third-party applications via your Google account.
  • If the third-party app is compromised, Google still stores credential data safely, so hackers cannot access it.
  • OpenID Connect is a specification for Single Sign-On (SSO) and authentication.
  • The specification, which is supported by various cloud providers, including Microsoft and Google, is believed to provide a way for organizations to replace their on-premises identity and access management (IAM).
  • Its main focus is authenticating a user to ensure they really are who they say they are. OIDC uses the OAuth 2.0 specs to authorize access to resources on a target server.
  • The main difference between OIDC and OAuth 2.0 is that the token is provided as a JSON Web Token (JWT), meaning it is digitally signed, so the Relying Party can verify the token has not been tampered with.

Enterprise authentication

SAML is preferred for enterprise authentication. You can use SAML to allow internal users to log in to an organization’s network.

  • Once users have logged in, they don’t have to re-enter their credentials to gain access to any app in the protected network.
