An open Single Sign On (SSO) solution for the web, a problem also addressed by OpenID.
Questions tagged [saml]
142 questions
32
votes
1 answer
What are the differences between JSON Web Tokens, SAML and OAuth 2?
What are the differences between JSON Web Tokens, SAML and OAuth 2. Please provide some pointers and high level overview of their functions.
Specifically, why would one use SAML over JSON Web Tokens or viceversa? Does one need to have OAuth 2 to use…
Jadiel de Armas
- 421
- 1
- 4
- 3
18
votes
1 answer
What is the purpose of AudienceRestriction in SAML 2.0?
Having read through the core specification for SAML 2.0 section 2.5.1.4 (page 23) I still cannot fully understand the purpose of the AudienceRestriction tag and what problem it is attempting to rectify.
My, probably incorrect, interpretation of the…
Christoffer
- 1,030
- 1
- 6
- 14
16
votes
4 answers
How is SAML solving the cross domain single sign-on problem?
Let's say I have two websites that live on separate domains, and their service providers both talk to the same identity provider on a third domain. I log into the first website and authenticate, and now I decide to visit the second website. The…
user3127
15
votes
4 answers
How do the STS token formats compare to each other SAML vs SWT vs JWT?
I'm configuring an Azure ACS STS and would like to know if there is any impact on security based on the following token formats or how they are used. The answers to this questions should apply to other STSs such as CA Siteminder, Ping Identity,…
makerofthings7
- 50,090
- 54
- 250
- 536
13
votes
1 answer
SAML, and forcing a re-authentication
I have a use case forced upon me by industry regulation. I wish it wasn't there, but it is.
A user logs in to my service, navigates around, etc. The user can perform many actions, but one of the actions requires (by industry regulation) that the…
Alan C.
- 245
- 2
- 6
13
votes
1 answer
SAML and kerberos what to use where
I came across SAML and kerberos, both are used to establish identity using assertions (tickets) so is there an overlap in their use ?
Can somebody highlight their differences and point which technology is a better fit where.
thanks
update to add…
mzzzzb
- 269
- 1
- 2
- 6
12
votes
1 answer
SAML 2.0 IdP metadata security
Identity Providers (IdP) often provide a metadata file that is used when setting up SAML. This file needs to be entered into a Service Provider (SP). Do we need to keep this metadata file private and secure? Or is the information within it all safe…
Ben McCann
- 319
- 2
- 10
12
votes
3 answers
SAML2 vs. OAuth - What are some reasonable relationships?
I have a service that allows SSO via SAML2. When SAML2 is used, we delegate the entire authentication process to the Identity Provider.
We are considering adding OAuth in order to support some mobile applications. (We don't want the user to have to…
brendanjerwin
- 255
- 2
- 7
12
votes
2 answers
Definition of "passive" and "active" authentication?
I came across the concepts of passive authentication and active authentication in my work related to SAML 2.0 single-sign-on integration. I tried very hard to find a clear, generic definition and a proper explanation on these two concepts but almost…
Chiranga Alwis
- 221
- 2
- 5
12
votes
2 answers
Where should a keystore (.jks) be stored in a repository
I've got a question about the best practice in storing a Keystore file (.jks) in source control. This Keystore is called by a stand-alone Java component that retrieves a private key for the purpose of signing SAML assertions.
For security purposes I…
rdChris
- 181
- 1
- 1
- 6
10
votes
3 answers
How to achieve seamless SSO without having the user to login again (SAML 2.0 & ADFS using OpenSSO)
We need to implement seamless SSO with ADFS SAML 2.0 using OpenSSO & we plan to go with IdP initiated GET binding. The user in client network will log in to ADFS with Windows credentials once every morning. Thereon, whenever he accesses our…
user36009
- 163
- 1
- 1
- 5
10
votes
4 answers
Does OpenID, SAML pose a threat to Tor's anonymity? How can I protect from a compromised .exit node?
This is a thought experiment on the interaction between Tor, OpenID and one (or more) compromised nodes in the secure path. I'm focused on how to use technology in a way that adds value to a secure cloud solution. I have no interest in using this…
makerofthings7
- 50,090
- 54
- 250
- 536
10
votes
2 answers
SAML 2.0 Multiple AuthnStatements
If I interpret the SAML 2.0-protocol correctly you can have multiple AuthnStatements. What is the purpose of this? I cannot see a use case of having multiple AuthnStatements really.
Robert
- 233
- 1
- 6
9
votes
0 answers
SolarWinds Orion SAML compromise mass cert update
SolarWinds Orion customers have suffered some network compromises according to news reports.
One report says, right at the end of the article, that SAML2.0 signing certificates may have been compromised.
From the point of view of a SAML service…
O. Jones
- 359
- 1
- 4
8
votes
1 answer
Why not use same certificate for webserver TLS and Signing in SAML?
I have read a bit about configuring shibboleth, and recommendations for SAML at internet2
I get the point that a certificate does not have to be signed when used for SAML, because actually only the key is needed.
However, I keep seeing people…
Jens Timmerman
- 252
- 1
- 9