Great summary, Hubert. In addition, using the use case Tom provided, in 
OAuth the SP and IdP are the same entity. This is why a token format is 
not defined in OAuth. Since the SP and IdP are the same, they can use 
whatever token format they want as no other entity will ever need to 
consume the token.

It is also important to note that while OAuth is a delegated 
authorization protocol, in order to delegate authorization, 
authentication is required.

Thanks,
George

Hubert Le Van Gong wrote:
> One big difference is that SAML messages can carry various types
> of assertions (authentication, authorization...). In practice though,
> authorization is now handled by XACML so most SAML deployments
> (and I presume Shibboleth ones too) focus on authentication.
> This does bring up the main difference IMO which is that OAuth is
> a delegated authorization protocol when SAML is mostly about
> delegated authentication.
>
> Other differences would include (1) SAML defines both a set of protocols
> as well as a token format where OAuth only addresses the protocol part
> and (2) SAML is based on federation.
>
> HTH
> Hubert
>
>
> On Tue, Jan 20, 2009 at 12:52 AM, Tom Scavo <[email protected]> wrote:
>
>> On Mon, Jan 19, 2009 at 5:42 PM, Jack <[email protected]> wrote:
>>
>>> I am planning to start a project that will use token authorization and
>>> was wondering what the difference was between OAuth and Shibboleth. So
>>> far, the only thing I gather is that Shibboleth is used more in an
>>> educational environment while OAuth seems more commercial... am I
>>> missing something else here?
>>
>> Shibboleth is an implementation of the SAML Web Browser SSO Profile
>> [1].  The use case involves a SAML identity provider, a SAML service
>> provider, and a browser user.  The user, wishing to obtain access to a
>> protected resource at the service provider, first authenticates to the
>> identity provider (using a password, for instance) to obtain a SAML
>> assertion, which the browser transmits back to the service provider.
>> The service provider consumes the SAML assertion, which contains user
>> identity and other attributes that the service provider can use to
>> make an access control decision.
>>
>>> They seem to do very similar things, but
>>> what are the advantages/disadvantages of using one or the other?
>>
>> I only have a vague idea what OAuth is about, so I can't really
>> compare the two, sorry.
>>
>> Tom
>>
>> [1] http://wiki.oasis-open.org/security/Saml2TechOverview
>>

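A toy model of the SAML Web Browser SSO exchange Tom describes (IdP, SP, browser user), added here as an example; it is not code from the thread or from Shibboleth. Because the SP and IdP are separate parties, as Hubert and George point out, the SP must validate a token in an agreed format before trusting the attributes in it; the HMAC, keys, entity IDs, users and attributes below are constructed stand-ins for the XML signature and metadata a real deployment would use.

```python
# Added example: toy SAML Web Browser SSO flow (IdP -> browser -> SP).
# Real Shibboleth uses XML assertions with XML signatures; an HMAC over a
# JSON assertion stands in for the signature here. All keys, names and
# user data are constructed for the demo.
import hashlib, hmac, json, time

IDP_SIGNING_KEY = b"idp-signing-key-constructed-for-demo"          # assumption
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"                  # constructed
USERS = {"alice": ("correct horse", {"affiliation": "staff"})}     # constructed

def idp_authenticate_and_issue(user, password, audience, ttl=300, now=None):
    """IdP step: authenticate the user (password), then issue a signed assertion."""
    pw, attrs = USERS.get(user, (None, {}))
    if pw is None or not hmac.compare_digest(pw, password):
        return None
    now = time.time() if now is None else now
    body = {"subject": user, "audience": audience, "issued": now,
            "expires": now + ttl, "attributes": attrs}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"assertion": payload.decode(), "signature": sig}

def sp_consume(message, idp_key, now=None):
    """SP step: validate the relayed assertion before trusting any attribute."""
    payload = message["assertion"].encode()
    expected = hmac.new(idp_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["signature"]):
        return None, "bad signature"                 # tampered in transit
    body = json.loads(payload)
    if body["audience"] != SP_ENTITY_ID:
        return None, "assertion not intended for this SP"
    now = time.time() if now is None else now
    if not (body["issued"] <= now < body["expires"]):
        return None, "assertion expired or not yet valid"
    return body, "ok"

def sp_access_decision(body):
    """Access control decision from the attributes the IdP asserted."""
    return body["attributes"].get("affiliation") in ("staff", "faculty")

def browser_sso(user, password, now=None):
    """The browser relays the IdP's assertion to the SP unchanged."""
    msg = idp_authenticate_and_issue(user, password, SP_ENTITY_ID, now=now)
    if msg is None:
        return False, "authentication failed at IdP"
    body, reason = sp_consume(msg, IDP_SIGNING_KEY, now=now)
    if body is None:
        return False, reason
    return sp_access_decision(body), reason
```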