zlacker

SAML has been around longer and handles AuthN and AuthZ

OAuth only does AuthZ. I've always found OAuth more complicated because you have to combine it with other technologies to get AuthN

>>kube-s+(OP)
For those like me who had never heard these abbreviations:

AuthN: Authentication (who you are) AuthZ: Authorization (what you are allowed to do)

>>kube-s+(OP)
OpenID Connect is the standardized AuthN process built on top of OAuth. It’s “on top of” but in practice it’s a simplification if OAuth for the specific purpose of AuttN

>>thinkh+P3
I know, I just personally find it to be a fragmented and confusing set of standards. And a lot of people say OAuth when they mean OpenID Connect, which doesn't help with the confusion... or they abbreviate OpenID Connect as "OpenID" which also means something else.

I've never had to clarify what someone is actually trying to accomplish when they want "SAML 2.0"

>>kube-s+95
You said "OAuth only does authz and must be combined with other technologies to get authn"; obviously, that's not true, in the sense that you can simply use OIDC --- a dialect of OAuth --- to get both.

Since OIDC is better than SAML, which is probably the scariest security standard on the Internet, I think it's worth being clear to people that OIDC/OAuth is viable.

The SAML authz story, for what it's worth, is pretty shady.

>>tptace+d7
For sure. I never said SAML was any good -- I said I found it to be simpler. :)

>>kube-s+F9
For developers, they're both just libraries. As protocols to implement, SAML is drastically harder.