217 - OAuth vs. SAML vs. OpenID Connect - Michael Schwartz
OAuth, SAML and OpenID Connect are the most important identity federation protocols in use today. Yet many security architects struggle to express the differences between them. Front-channel, back-channel, assertion, JWT, claims, attributes, IDP, SP, OP, RP--there is a lot of jargon, and some of it seems to overlap. This compare / contrast session will help you understand the differences!

Many application security experts are making important decisions about which identity federation protocol to use for single sign-on for their next-generation application platform. There has been a lot of innovation in the area of identity federation in the last few years, and it's hard to keep up. It's really helpful if security architects can be presented with a summary of what's the same (or just renamed), what's different, and what's new. No assumptions will be made about previous expertise. Each protocol will be given a summary introduction, with references to the parts of the standard that are most commonly used and an indication of which parts are esoteric.

The security level of an application depends on the protocol and the features used. SAML, OpenID Connect and OAuth offer several profiles, enabling the implementation of both high and low assurance trust frameworks. This topic will also be addressed to help clarify which solutions are best suited for which requirements.


