Wednesday Feb 13, 2013

Standards Corner: Is OAuth the End of SAML? Or a New Opportunity?

Author: Phil Hunt

I mentioned in my year in review post that, rather than spell the end of SAML, OAuth2 might in fact greatly expand SAML's adoption. Why is that?

The OAuth2 Working Group is nearing completion on the OAuth2 SAML Bearer draft, which defines how SAML Bearer assertions can be used with OAuth2, essentially replacing less secure user-ids and passwords with more secure federated assertions.

Before I describe how this works, here is some quick terminology:
* Resource Service - A service offering access to resources, some or all of which may be "owned" or "controlled by" users known as "Resource Owners".
* Resource Owner - An end user who is authorizing delegated, scoped access by a client to resources offered by a Resource Service.
* Client - An application (e.g. mobile app, or web site) that wants to access resources on a Resource Service on behalf of a Resource Owner.
* Authorization Service - A service authorized to issue access tokens to Clients on behalf of a resource server.

While the resource service and the authorization service may be authenticated by means of a TLS domain-name certificate, both the client application and the end user often need to be authenticated as well. In "classic" OAuth, you can use simple user-ids and passwords for both. The SAML2 Bearer draft describes how federated SAML assertions can be used instead.

A typical scenario goes much like this.

1. Alice (resource owner) accesses a corporate travel booking application.
2. In order to log into the corporate travel application, Alice is redirected to her employer's Identity Provider to obtain a SAML Authentication Assertion.
3. Upon logging in to the Corporate Travel Application, Alice wishes to update her seat preferences with her selected airline. In order to do this, the corporate travel application goes to the authorization server for the airline. The travel application provides two SAML authentication assertions: 1) an assertion representing the identity of the client application, and 2) an assertion representing Alice. The scope requested is "readProfile seat".
4. Upon verifying the SAML assertions and the delegated authority requested, the authorization server issues an access token enabling the corporate travel application to act on behalf of Alice.
5. Upon receiving the access token, the corporate travel app is then able to access the frequent flyer account web resource by passing the token in the header of the HTTP request. The access token acts as a session token that encapsulates the fact that the travel app is acting for Alice with the scope "read & seat update".

This SAML Bearer flow is actually very similar to the classic OAuth 3-leg flow. However, instead of redirecting the user's browser to the authorization server in the first leg, the corporate travel app works with the user's IDP to obtain a delegation (or simple authentication) assertion directly from the IDP. Instead of swapping a code in the second leg, the client app now swaps a SAML Bearer assertion for the user.
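To make the second leg concrete, here is an added example (not code from the original post or from the draft itself) of the two halves of that swap: the checks an airline authorization server makes on Alice's bearer assertion before issuing a token, and the form body the travel app sends carrying both assertions. The IdP and airline URLs, the assertion contents and the client assertion are all constructed for illustration, and the XML signature is assumed to have been verified before these checks run.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SAML_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SAML_CLIENT_AUTH = "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"

# Constructed sample assertion for Alice; the IdP and airline URLs are hypothetical.
# A real assertion is also XML-signed; signature verification is assumed done already.
ALICE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2013-02-13T10:00:00Z">
  <saml:Issuer>https://idp.corp.example</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
  <saml:Conditions NotBefore="2013-02-13T09:58:00Z" NotOnOrAfter="2013-02-13T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://as.airline.example/token</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def validate_bearer_assertion(xml_text, trusted_issuers, token_endpoint, now):
    """Returns (subject, None) if the AS may swap it for a token, else (None, reason)."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        return None, "untrusted issuer"
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        return None, "not a bearer assertion"
    cond = root.find("saml:Conditions", NS)
    if cond is None or now >= parse_ts(cond.get("NotOnOrAfter", "1970-01-01T00:00:00Z")):
        return None, "assertion expired or carries no NotOnOrAfter"
    if now < parse_ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
        return None, "assertion not yet valid"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if token_endpoint not in audiences:  # stops replay of an assertion minted for another AS
        return None, "token endpoint is not an intended Audience"
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), None

def build_token_request(client_assertion, user_assertion, scope):
    """Form body the client POSTs to the token endpoint: one assertion authenticates
    the client, the other (the grant) represents the resource owner."""
    b64 = lambda s: base64.urlsafe_b64encode(s.encode()).rstrip(b"=").decode()
    return {"grant_type": SAML_GRANT, "assertion": b64(user_assertion),
            "client_assertion_type": SAML_CLIENT_AUTH,
            "client_assertion": b64(client_assertion), "scope": scope}
```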

OAuth2's ability to leverage different authentication systems makes it possible for SAML to enhance OAuth2 security, going a step further to eliminate the propagation of the dreaded user-ids and passwords in much the same way SAML did for classic federated web sign-on. Rather than making SAML redundant, OAuth2 has in fact increased SAML's utility.

About the Writer:
Phil Hunt joined Oracle as part of the November 2005 acquisition of OctetString Inc., where he headed software development for what is now Oracle Virtual Directory. Since joining Oracle, Phil works as CMTS in the Identity Standards group at Oracle, where he developed the Kantara Identity Governance Framework and provided significant input to JSR 351. Phil participates in several standards development organizations such as IETF and OASIS, working on federation, authorization (OAuth), and provisioning (SCIM) standards. Phil blogs at and has a Twitter handle of @independentid.

Previous Posts:
2012: No Time to REST for the Holidays
Standards Corner: A Look at OAuth2
A Look at OAuth2 - A Follow-Up to the Reader's Comments

Wednesday Jan 04, 2012

A Case Study in Building a Secure Cloud with Identity Management

Security is the number one barrier to cloud adoption. Organizations that move applications into the cloud have to bridge the security gap between the enterprise and the cloud by providing user administration, application authorization, authentication and compliance reporting to restore control and address regulatory mandates. 

Identity Management can bridge this security gap across various cloud deployment scenarios. With directory services, organizations can synchronize identities stored in multiple different places. 

With Access Management, enterprises can enable users to use a single login to securely access various applications, regardless of whether they are on-premise or in the cloud. Authorization policies can restrict access to sensitive information based on the roles and entitlements of users. Password policy management can be used to enforce strong password policies and comply with regulations.

With Identity Administration, enterprises can simplify the management of user and role lifecycles. Identity analytics can help address the challenges of complex regulations.

Adaptive Access solutions help detect and prevent fraud in real time. Adaptive Access solutions can be used to layer additional authentication security on top of existing authentication schemes for sensitive applications.

SaskTel has successfully overcome the cloud security barrier by utilizing Oracle Identity Management to restore control and governance in the cloud environment. Join us for a live webcast on Jan 25 to listen to how SaskTel accomplished this. In this webcast, SaskTel Chief Technology Officer Brian Baird will discuss how SaskTel created a foundation for cloud applications to secure user access and restore audit visibility to reduce the adoption barrier. We will also discuss the architecture needed for Identity Management in the cloud, and how organizations can get started.

Register here for this webcast.

Monday Oct 03, 2011

Identity Management at Oracle OpenWorld - Monday WrapUp

Oracle OpenWorld has officially kicked off in high gear. There were three highlights from today’s Identity Management activities: 

  • Identity Management Demos: If you haven’t already checked out the Identity Management demogrounds in Moscone South, don’t miss it. This year, the Oracle IDM product team has pulled out all the stops to bring together one of the most exciting sets of demos we have seen. The 9 Identity Management demos are all designed to prove why Oracle Identity Management is the most complete and most integrated solution in the world. Each demo validates several real-world use case scenarios that need an end-to-end solution. And this year, there is an added bonus: if you check out all 9 IDM demos, you can enter to win an Apple TV.
  • Identity Management Keynote: In his general session address, Amit Jasuja, VP of Oracle Identity Management and Security Products, discussed several key identity management trends and how innovation is the key driver behind Oracle’s Identity Management momentum. One of the key industry trends over the last couple of years has been the consumerization of IT and how it has fueled secular trends like cloud, social and mobile computing. Identity Management and security are now more important than ever, as workforces everywhere need anywhere, anytime access. Amit’s session showcased 3 demos: cloud-social-mobile integration, self-serve access, and privileged user access control.
  • Customer Successes: One of the best barometers of a product’s success is its customer adoption. This year Oracle is showcasing several case studies that underscore why Oracle Identity Management leads the industry. In Amit Jasuja’s keynote, the CISO of Toyota discussed how Toyota is using Oracle Identity Management to bring social networking straight to your automobile. Earlier in the day, we had ING and Kaiser discuss how they are winning with Oracle Identity Analytics. Later in the day, we had SaskTel talk about how they are leveraging Oracle Identity Management to deliver identity services in the cloud. During the next three days, you will get an opportunity to hear from several other customers who have realized the benefits of Oracle Identity Management.

For a complete listing of Identity Management demos and sessions at OpenWorld, see the Identity Management Focus On. 


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
