What is the difference between OpenID and SAML?


Question

What is the difference between OpenID and SAML?

Answer

Original OpenID 2.0 vs SAML

They are two different protocols of authentication and they differ at the technical level.

From a distance, differences start when users initiate the authentication. With OpenID, a user login is usually an HTTP address of the resource which is responsible for the authentication. On the other hand, SAML is based on an explicit trust between your site and the identity provider so it's rather uncommon to accept credentials from an unknown site.

OpenID identities are easy to get around the net. As a developer you could then just accept users coming from very different OpenID providers. On the other hand, a SAML provider usually has to be coded in advance and you federate your application with only selected identity providers. It is possible to narrow the list of accepted OpenID identity providers but I think this would be against the general OpenID concept.

With OpenID you accept identities coming from arbitrary servers. Someone claims to be http://someopenid.provider.com/john.smith. How are you going to match this with a user in your database? Somehow, for example by storing this information with a new account and recognizing it when the user visits your site again. Note that any other information about the user (including his name or email) cannot be trusted!

On the other hand, if there's an explicit trust between your application and the SAML Id Provider, you can get full information about the user including the name and email and this information can be trusted, just because of the trust relation. It means that you tend to believe that the Id Provider somehow validated all the information and you can trust it at the application level. If users come with SAML tokens issued by an unknown provider, your application just refuses the authentication.

(section added 07-2017, expanded 08-2018)

This answer dates from 2011, and at that time OpenID stood for OpenID 2.0. Later on, somewhere around 2012, OAuth2.0 was published, and in 2014, OpenID Connect (a more detailed timeline here).

To anyone reading this nowadays - OpenID Connect is not the same OpenID the original answer refers to, rather it's a set of extensions to OAuth2.0.

While this answer can shed some light from the conceptual viewpoint, a very concise version for someone coming with OAuth2.0 background is that OpenID Connect is in fact OAuth2.0 but it adds a standard way of querying the user info, after the access token is available.

Referring to the original question, the main difference between OpenID Connect (OAuth2.0) and SAML is how the trust relation is built between the application and the identity provider:

  • SAML builds the trust relation on a digital signature: SAML tokens issued by the identity provider are signed XMLs, and the application validates the signature itself and the certificate it presents. The user information is included in a SAML token, among other information.

  • OAuth2 builds the trust relation on a direct HTTPS call from the application to the identity. The request contains the access token (obtained by the application during the protocol flow) and the response contains the information about the user.

OpenID Connect further expands this to make it possible to obtain the identity without this extra step involving the call from the application to the identity provider. The idea is based on the fact that OpenID Connect providers in fact issue two tokens: the access_token, the very same one OAuth2.0 issues, and a new one, the id_token, which is a JWT token signed by the identity provider. The application can use the id_token to establish a local session, based on claims included in the JWT token, but the id_token cannot be used to further query other services; such calls to third-party services should still use the access_token. You can then think of OpenID Connect as a hybrid between SAML2 (signed token) and OAuth2 (access token), as OpenID Connect just involves both.
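As an added example (not part of the original answer, and not any provider's or library's code), the following Python sketch shows the application side of the trust model the answer describes: an id_token is accepted only if it was signed by an issuer the application explicitly federated with, was issued to this client, and is still valid; a token from an issuer the application never trusted is refused outright, whatever it claims about the user. It also shows the account-matching step from the OpenID 2.0 paragraph, keyed on the (iss, sub) pair. Everything here is constructed: the issuer URL, the client_id, the shared key and the tokens are made up for the example, and HS256 with a shared secret is used only so the code runs with the standard library (real OpenID Connect providers normally sign with RS256/ES256 and publish their public keys at a JWKS endpoint).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example data: the one issuer this application has explicitly
# federated with, and the key it obtained out of band. HS256 with a shared
# secret is an assumption made to keep the example dependency-free; real
# providers sign id_tokens with asymmetric keys published via JWKS.
TRUSTED_ISSUERS = {
    "https://idp.example.com": b"constructed-shared-secret-do-not-reuse",
}
CLIENT_ID = "my-app"  # hypothetical client_id registered at that issuer


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(issuer: str, key: bytes, claims: dict) -> str:
    """Stand-in for the identity provider: build and sign an id_token (JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iss=issuer)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_id_token(token: str, now=None) -> dict:
    """Application side: return the claims only if the token was signed by a
    provider we federated with and was issued to us; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))

    # The application, not the token, decides which algorithm is acceptable;
    # honouring whatever "alg" the token carries defeats the signature check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Like SAML federation: tokens from an issuer we never trusted are refused
    # before anything else is looked at.
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")

    # A valid signature is not enough: the token must be meant for this client
    # and still be inside its validity window.
    aud = payload.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def link_local_account(store: dict, claims: dict) -> dict:
    """Map the federated identity onto a local account. The (iss, sub) pair is
    the stable identifier; email is carried along only because the issuer was
    verified as trusted, which the OpenID 2.0 case could not assume."""
    key = (claims["iss"], claims["sub"])
    account = store.setdefault(key, {"email": claims.get("email"), "logins": 0})
    account["logins"] += 1
    return account


if __name__ == "__main__":
    now = time.time()
    issuer = "https://idp.example.com"
    token = mint_id_token(issuer, TRUSTED_ISSUERS[issuer],
                          {"sub": "john.smith", "aud": CLIENT_ID,
                           "exp": now + 300, "email": "john.smith@example.com"})
    accounts = {}
    print("linked:", link_local_account(accounts, verify_id_token(token)))
    rogue = mint_id_token("https://someopenid.provider.com", b"some-other-key",
                          {"sub": "john.smith", "aud": CLIENT_ID, "exp": now + 300})
    try:
        verify_id_token(rogue)
    except ValueError as err:
        print("rejected:", err)
```

The order of the checks is the point: issuer first (is this a party we federated with at all?), then the signature under that issuer's key, then audience and expiry. Only after all of them does the application treat the claims as trustworthy and create or recognise the local account, which is the "explicit trust" the answer contrasts with accepting an arbitrary OpenID 2.0 identifier.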
