Choosing the right Protocol
Saran Doniparthi
Solutions Architect | Polyglot Programmer | Crafting Scalable and Innovative Solutions
Authentication vs Authorization
Authentication is verifying your identity whereas authorization is verifying what you have access to.
Authentication is validating the login credentials before giving the user access to the system. When it comes to security, it’s recommended to use at least two authentication factors before granting the user access to anything. (2FA, MFA, digital & physical tokens, etc.).
Authorization occurs after authentication: it verifies your rights before granting you access to the required resources such as databases, files, repositories, etc. A practical example: once an employee’s login has been verified, check which floors he has access to.
SSO
It all started with organizations needing a way to centralize their authentication systems for better management and security. That’s where Single Sign On (SSO) came in. Single sign-on (SSO) is a centralized session and user authentication service in which one set of login credentials can be used to access multiple applications. It simplifies things: the service authenticates you once on one platform, enabling you to transparently log in to several internal services without having to log in and out each time.
For third-party app developers wanting to use internal APIs to integrate them with their products and solutions, this was clearly a challenge. Then came social networks and made things even more complicated: we currently have thousands of apps that support authentication through social networks like Facebook, Google, Twitter, LinkedIn, etc. The problem in these architectures is keeping things as simple as possible while increasing security at the same time. The solution? Federated identities.
Currently, the three major protocols for federated identity are: SAML, OAuth2 & OpenID Connect.
Identity Management: SAML vs. OAuth2 vs. OpenID Connect
Let us see each protocol in-depth
SAML
Security Assertion Markup Language (SAML) is an XML-based open standard used for single sign on (SSO) implementations. SAML 2.0 was released in 2005 and is the current version of the standard.
SAML is used for both authentication & authorization between two parties: a Service Provider (Office365, Salesforce, G Suite, etc.) & an Identity Provider (Okta, OneLogin, Ping Identity, etc.). The Service Provider (SP) agrees to trust the Identity Provider (IdP) in the authentication process. This is done through a SAML XML document, issued by the IdP and containing the user’s authentication and authorization information, which is then redirected to the service provider.
Let’s consider this example:
1. Identity Provider (IdP): Okta
2. Service Provider (SP): Salesforce application
3. User tries to log in to his company’s Salesforce application from Chrome.
4. Salesforce app responds by generating a SAML request.
5. Chrome redirects the user to an SSO URL; Okta parses the SAML request, authenticates the user (this could be via username and password, or two-factor authentication/MFA if the user is not on the company’s internal network; if the user is already authenticated on Okta, this step is skipped) and generates a SAML response.
6. Okta returns the encoded SAML response to Chrome.
7. Chrome forwards the SAML response to the Salesforce app.
8. If Salesforce’s verification of the response is successful, the user is logged in to the Salesforce application and granted access to all the various resources.
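Step 8 is where the service provider must decide whether to trust the response it just received. As an added example (not code from the original article), here is the set of checks a SP runs on a constructed, unsigned SAML Response like the one Okta would return in step 6; idp.example.com and sp.example.com stand in for Okta and Salesforce, and XML signature verification, which a real SP must also do, is assumed to have happened before this point.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal, unsigned SAML Response like the one the IdP returns in step 6,
# base64-encoded as it travels in the HTTP-POST binding. Every value is made up.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response ID="_r1" InResponseTo="_req42" Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""").decode()

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_saml_response(b64_response, issuer, audience, request_id, now):
    """SP-side checks behind step 8. Returns the NameID on success, raises ValueError otherwise.
    The XML signature is assumed to have been verified already; that check is not shown here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    # Tie the response to the request this SP issued in step 4, so unsolicited or replayed responses fail.
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # exactly one assertion, so there is no doubt which one is trusted
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    for el in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if el is None or el.text != issuer:
            raise ValueError("unexpected Issuer")
    cond = assertion.find("saml:Conditions", NS)
    t = _ts(now)
    if cond is None or not (_ts(cond.get("NotBefore")) <= t < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this service provider")
    return assertion.find("saml:Subject/saml:NameID", NS).text
```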
OAuth2
How can I allow an app to access my data without giving it my password? OAuth2 is an open standard for authorization: it lets applications grant other applications ‘delegated authorization’. Unlike frameworks that provide authentication, OAuth only authorizes devices, APIs and servers, using access tokens rather than credentials, and it works over HTTPS.
If you’ve seen one of the dialogs below, that’s what we’re talking about. This is an application asking if it can access data on your behalf. This is OAuth.
You can think of this like hotel key cards, but for apps. If you have a hotel key card, you can get access to your room. How do you get a hotel key card? You have to do an authentication process at the front desk to get it. After authenticating and obtaining the key card, you can access resources across the hotel.
OAuth defines four roles:
1. Resource Owner: Generally the user himself
2. Client: Application requesting access to a resource server
3. Resource Server: Server hosting protected data (for example Facebook hosting your profile and personal information)
4. Authorization Server: Server issuing the access token to the client. The client will then use this token to call the resource server.
Let’s consider this example:
1. Spotify wants to access your friends list from your Facebook account.
2. You are redirected by Spotify to the authorization server (Facebook in this case).
3. If you authorize access, the authorization server sends an authorization code to the client (Spotify) in the callback response.
4. Then, this code is exchanged for an access token between Facebook and Spotify.
5. Now Spotify is able to use this access token to query the resource server (Facebook) and retrieve your friends list.
One thing to note is that the user never sees the access token; it is stored in the session. The authorization server also sends other information such as the token lifetime and a refresh token.
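The five steps above, played out end to end as an added example that is not code from the original article: an in-memory stand-in for Facebook’s authorization and resource servers, and the Spotify-side client that starts the flow and handles the callback. Client names, URLs and the friends list are constructed; the `state` parameter and PKCE (`code_challenge`/`code_verifier`) are standard hardening of the authorization code flow added here, not something the article describes.

```python
import base64, hashlib, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class AuthorizationServer:
    """In-memory stand-in for Facebook's authorization server and resource server (constructed)."""
    def __init__(self):
        self.clients = {"spotify": "https://spotify.example/callback"}  # client_id -> registered redirect_uri
        self.codes, self.tokens = {}, {}
    def authorize(self, params, user="alice"):  # steps 2-3: user approves, code goes back to the callback
        if self.clients.get(params["client_id"]) != params["redirect_uri"]:
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = dict(params, user=user)
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})
    def token(self, code, client_id, code_verifier):  # step 4: back-channel code-for-token exchange
        grant = self.codes.pop(code, None)  # single use: a replayed code is rejected
        if grant is None or grant["client_id"] != client_id:
            raise ValueError("unknown, expired or already used code")
        if _b64url(hashlib.sha256(code_verifier.encode()).digest()) != grant["code_challenge"]:
            raise ValueError("PKCE verifier does not match the challenge sent in step 2")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"user": grant["user"], "scope": grant["scope"], "exp": time.time() + 3600}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32)}
    def friends(self, access_token):  # step 5: the resource server sees a token, never a password
        tok = self.tokens.get(access_token)
        if tok is None or tok["exp"] < time.time() or "user_friends" not in tok["scope"].split():
            raise PermissionError("missing, expired or under-scoped access token")
        return ["bob", "carol"]  # constructed friends list for user "alice"

def build_authorization_request(session):
    """Client (Spotify) side of step 2: keep state and the PKCE verifier in the server-side session."""
    session["state"], session["verifier"] = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    return {"response_type": "code", "client_id": "spotify", "scope": "user_friends",
            "redirect_uri": "https://spotify.example/callback", "state": session["state"],
            "code_challenge": _b64url(hashlib.sha256(session["verifier"].encode()).digest()),
            "code_challenge_method": "S256"}

def handle_callback(server, session, callback_url):
    """Client side of steps 3-4: check state (anti-CSRF), then trade the code for tokens kept in the session."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), session["state"]):
        raise ValueError("state mismatch: this callback was not started by our session")
    session["tokens"] = server.token(q["code"], "spotify", session["verifier"])
    return q["code"]  # returned only so a caller can show that replaying the code fails
```

The tokens never leave the client’s session dict, which is the point the note above makes: the user only ever sees the consent screen and the redirect.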
OpenID Connect
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol that extends OAuth2 and allows for ‘federated authentication’.
The OpenID Connect process flow is similar to the OAuth2 authorization flow, with the major difference being an ‘id_token’ that carries the user’s authentication.
Note that federated authentication is completely different from delegated authorization. Let’s take the Facebook and Spotify example again:
1. Federated authentication is logging in to Spotify using your Facebook credentials.
2. Delegated authorization is the ability of an external app to access resources. In this case, Spotify accessing your Facebook friends list to import it into Spotify.
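To make the difference concrete, here is an added example (not code from the original article) of the artefact that turns the OAuth2 flow into a login: the IdP mints an id_token, a signed JWT stating who authenticated, and the client verifies it before treating the user as logged in. The token is signed with HS256 keyed by a constructed client secret, which the OpenID Connect spec permits; most providers instead sign with RS256 and publish their keys, which changes the signature check but none of the claim checks shown here.

```python
import base64, hashlib, hmac, json

CLIENT_SECRET = b"constructed-client-secret"  # shared by the client (Spotify) and the IdP; made up

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(issuer, subject, client_id, nonce, now, key=CLIENT_SECRET):
    """IdP side: the extra artefact OpenID Connect adds to OAuth2, a signed statement of who logged in."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id, "nonce": nonce, "iat": now, "exp": now + 300}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def verify_id_token(token, issuer, client_id, nonce, now, key=CLIENT_SECRET):
    """Client side: checks to pass before treating the token as a login. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(c))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):  # token minted for some other client
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:  # binds the token to the login request this session started
        raise ValueError("nonce mismatch")
    return claims["sub"]
```

The access token from the OAuth2 example stays the key to the friends list (delegated authorization); only the id_token tells Spotify who the user is (federated authentication).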