Anders Abel

Sustainsys

Picking the right Single Sign On Protocol: WS-Fed, SAML2 or OpenID Connect

The three big Single Sign On Protocols being used are WS-Federation, SAML2 and OpenID Connect. Others are Radius, NTLM, Kerberos and OAuth2. They are all efforts to give the users one single password to control access to multiple applications and resources. Picking the right protocol depends on platform and vendor support as well as support for different deployment scenarios. Mobile apps are first-class citizens in the OpenID Connect stack, but they were not even invented when SAML2 was created.

By putting the protocols side by side and comparing them we can see how some problems and concepts are coming back in different shapes. For each protocol generation, the protection of the users’ secrets have become better and the number of supported scenarios have increased. And for each protocol generation there are less trusted elements in a solution. The current state of the art protocol, OpenID Connect, can be described as the solution where nobody trusts no one but themselves. A user owning a resource can give granular access to an untrusted third-party application without the third-party application ever coming near the user’s password.

Anders Abel

Anders Abel is an independent senior .NET developer in Stockholm. He has been programming since he was 9 and still thinks it’s tremendously fun. With experiences ranging from assembly and C on embedded systems for machine control to authentication solutions in web applications in modern .NET Anders is a relentless learner that always takes the chance to get to know more. He regularly shares his knowledge as a speaker, at Stack Overflow, on his blog Passion for Coding, is an active Open Source Maintainer and a Microsoft MVP.