
Friday, December 28, 2007

Technical Comparison: OpenID and SAML

"This document presents a technical comparison of the OpenID
Authentication protocol and the Security Assertion Markup Language
(SAML) Web Browser SSO Profile and the SAML framework itself. Topics
addressed include design centers, terminology, specification set
contents and scope, user identifier treatment, web single sign-on
profiles, trust, security, identity provider discovery mechanisms, key
agreement approaches, as well as message formats and protocol bindings.
An executive summary targeting various audiences, and presented from
the perspectives of end-users, implementors, and deployers, is provided.
We do not attempt to assign relative value between OpenID and SAML,
e.g., which is 'better'; rather, we attempt to present an objective
technical comparison... OpenID 1.X and 2.0, and SAML 2.0's Web Browser
SSO Profile (and earlier versions thereof), offer functionality quite
similar to each other. Obvious differentiators to a protocol designer
are the message encodings, security mechanisms, and overall profile
flows. Other differentiators include the layout and scope of the
specification, trust and security aspects, OP/IDP discovery mechanisms,
user-visible features such as identifier treatment, key agreement
provisions, and security assertion schema and features..."
