Intro topic on the main federation protocols

  • SAML2
    • mature, stable XML-based protocol
    • example use cases
      • on premise based SSO to cloud based applications
      • supply chain / partner-led federation
      • education sector SSO
    • uses a "circle of trust" approach, which creates an operational boundary
    • "service providers" consume assertions from "identity providers"
    • metadata exchanges need to take place before usage
    • metadata would contain things like attribute mappings, certificates used for signing
    • main challenge around rolling certificates and management of entities

  • OAuth2
    • modern authorization protocol
    • based on REST/JSON, which lets mobile/SPA/web apps integrate easily
    • spec is quite open and not too prescriptive, which can lead to confusion at implementation time
    • different "flows" are used to receive tokens, the main one being the authorization code flow
    • bearer token response contains an access_token (short-lived) and a refresh_token (longer-lived)
    • refresh_token used to generate new access_tokens
    • access_tokens bound to scopes at issuance time
    • scopes used as permissions to gain access to resource servers
    • tokens can be stateful or stateless - movement towards stateless for large scale microservices/API projects
    • example use cases
      • "login with Facebook" (or any other social network provider) to 3rd party
      • sharing to "yourself" use case
      • mobile app integration
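The authorization code flow, scope binding at issuance, refresh tokens and a resource-server scope check, as an added example that is not part of the original notes; AuthServer and resource_server_allows are hypothetical names for a constructed in-memory model, not a real OAuth2 library:

```python
import secrets
import time

# Constructed, in-memory model of the OAuth2 authorization code flow (hypothetical
# names; not a real library). Tokens are stateful: the server keeps their state.
class AuthServer:
    def __init__(self, access_ttl=300, code_ttl=60):
        self.access_ttl, self.code_ttl = access_ttl, code_ttl
        self.codes = {}    # code -> (client_id, scopes, redirect_uri, expiry)
        self.tokens = {}   # access_token -> (scopes, expiry)
        self.refresh = {}  # refresh_token -> (client_id, scopes)

    def authorize(self, client_id, redirect_uri, scopes):
        """Front channel: after user consent, issue a short-lived one-time code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, tuple(scopes), redirect_uri, time.time() + self.code_ttl)
        return code

    def token(self, grant_type, client_id, code=None, redirect_uri=None, refresh_token=None):
        """Back channel: swap a code or refresh_token for a bearer token response."""
        if grant_type == "authorization_code":
            entry = self.codes.pop(code, None)  # one-time use: a replayed code fails
            if entry is None or entry[0] != client_id or entry[2] != redirect_uri \
                    or entry[3] < time.time():
                raise PermissionError("invalid_grant")
            scopes = entry[1]
        elif grant_type == "refresh_token":
            entry = self.refresh.pop(refresh_token, None)  # rotate: old refresh_token dies
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant")
            scopes = entry[1]
        else:
            raise PermissionError("unsupported_grant_type")
        access, new_refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = (scopes, time.time() + self.access_ttl)  # short lived
        self.refresh[new_refresh] = (client_id, scopes)  # scopes fixed at issuance
        return {"token_type": "Bearer", "access_token": access, "expires_in": self.access_ttl,
                "refresh_token": new_refresh, "scope": " ".join(scopes)}

    def introspect(self, access_token, now=None):
        """Return the token's scopes, or None if unknown or expired."""
        entry = self.tokens.get(access_token)
        if entry is None or entry[1] < (now if now is not None else time.time()):
            return None
        return set(entry[0])

def resource_server_allows(auth, access_token, required_scope, now=None):
    """Resource server: a bearer token only grants the scopes bound to it."""
    scopes = auth.introspect(access_token, now)
    return scopes is not None and required_scope in scopes
```

A client that never receives the wanted scope at consent time cannot gain it later by refreshing; it has to start a new authorization request.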

