SAML VS联合登录使用OAuth [英] SAML vs federated login with OAuth

问题描述

有什么用OAuth的SAML和联合登录的区别？哪种方案更有意义，如果一个公司希望使用第三方web应用程序，并且也点登录想要进入单，并成为认证权威？

What's the difference between SAML and federated login with OAuth? Which solution makes more sense, if a company wants to use a third-party webapp, and but also wants single sign-on and be the authentication authority?

推荐答案

他们解决不同的问题。

They solve different problems.

SAML 是已定义共享关于谁一个信息的一套标准用户，他有什么属性集是，给你一个方法可以授予/拒绝访问的东西，甚至请求验证。

SAML is a set of standards that have been defined to share information about who a user is, what his set of attributes are, and give you a way to grant/deny access to something or even request authentication.

的OAuth 更多的是委托给一些访问。你基本上是允许某人行为为你。其最常用的授予访问权限的API，可以做一些事情以您的名义。

OAuth is more about delegating access to something. You are basically allowing someone to "act" as you. Its most commonly used to grant access api's that can do something on your behalf.

他们是两个完全不同的事情。

They are two completely different things.

一些例子，可能会帮助了。

Some examples that might help out.

的OAuth想到一个叽叽喳喳的。比方说，你正在使用谷歌巴兹和Twitter，以及你想要写一个应用程序，以便能够保持两个同步。你基本上可以将应用和Twitter之间建立信任。你去链接应用叽叽喳喳第一次，你做的经典提示登录微博，然后将该确认框弹出，并询问你愿意授权访问«的程序名称»？一旦你点击是，信托已经成立，现在你的应用程序可以在Twitter上为你的行为。它可以读取您的文章，以及结交新朋友。

OAuth think of an twitter. Lets say you are using Google Buzz and Twitter, and you want to write an app to be able to keep the two synchronised. You basically can establish trust between your app and twitter. First time you go to link the app to twitter, you do the classic prompt to log into twitter, and then that confirmation box pops up and asks "Would you like to grant access to «your app name»?" once you click "yes", the trust has been established, and now your app can act as you on Twitter. It can read your posts, as well as make new ones.

SAML - 对于SAML觉得有些类型的两个不相关的会员系统之间的协议的。在我们的例子中，我们可以使用美国航空公司和赫兹。没有共享一套可以把你从一个网站到另一个凭据，但可以说赫兹希望提供一个交易美国航空公司。 （当然我知道这是一个极端的例子，但裸与我）。购买飞行后，他们会提供免费的汽车租赁及其主席成员。美国航空公司和赫兹将建立某种形式的信任，以及一些方法来识别用户。在我们的例子我们的联合号将是电子邮件地址，它会设置信任赫兹相信，美国航空公司身份提供商将提供一个令牌是准确的，并以安全的方式的一种方式。预定飞行美国航空公司身份提供者会生成令牌和填充他们如何认证的用户，以及属性有关我们的情况下，最重要的属性将是美国航空公司的他的状态水平的人后。一旦令牌已填充它通过某种类型的引用传递，或EN codeD的网址，一旦我们得到赫兹，它着眼于令牌，验证它，现在可以允许免费提供租车服务。

SAML - For SAML think of some type of "agreement" between two unrelated membership systems. In our case we can use US Airways and Hertz. There is no shared set of credentials that can take you from one site to another, but lets say Hertz wants to offer a "deal" to US Airways. (Granted I know this is an extreme example, but bare with me). After buying a flight, they will offer a free rental car to its Chairman members. US Airways and Hertz would setup some form of trust, and some way to identify the user. In our case our "federated id" would be the email address, and it would be a one way set of trust Hertz trusts that US Airways identity provider will deliver a token that is accurate and in a secure manner. After booking the flight US Airways identity provider would generate a token and populate how they have authenticated the user, as well as "attributes" about the person in our case the most important attribute would be his status level in US Airways. Once the token has been populated it passes it via some type of reference, or encoded in a url and once we get to Hertz, it looks at the token, validates it and now can allow for the free rental car.

本SAML例子的问题是它是唯一一个专门的用例出了许多。 SAML是一个标准，有一些可以实现几乎太多的方法。

The problem with this SAML example is it's only one specialized use case out of many. SAML is a standard and there are almost too many ways that you can implement it.

另外，如果你不介意那些授权护理，你几乎可以认为，通过SAML断言验证和 OpenID的。

Alternatively, if you dont care about authorization, you could almost argue that asserting authentication via SAML and OpenID.

这篇关于SAML VS联合登录使用OAuth的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！