Picking the right Single Sign On Protocol: WS-Fed, SAML2 or OpenID Connect - Anders Abel

The three big Single Sign On Protocols being used are WS-Federation, SAML2 and OpenID Connect. Others are Radius, NTLM, Kerberos and OAuth2. They are all efforts to give the users one single password to control access to multiple applications and resources. Picking the right protocol depends on platform and vendor support as well as support for different deployment scenarios. Mobile apps are first-class citizens in the OpenID Connect stack, but they were not even invented when SAML2 was created.

By putting the protocols side by side and comparing them we can see how some problems and concepts come back in different shapes. With each protocol generation, the protection of the users' secrets has become better and the number of supported scenarios has increased. And with each protocol generation there are fewer trusted elements in a solution. The current state of the art protocol, OpenID Connect, can be described as the solution where nobody trusts anyone but themselves. A user owning a resource can give granular access to an untrusted third-party application without the third-party application ever coming near the user's password.