SAML

https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth#saml

SAML is basically a session cookie in your browser that gives you access to webapps. It’s limited in the kinds of device profiles and scenarios you might want to do outside of a web browser.

When SAML 2.0 was launched in 2005, it made sense. However, a lot has changed since then. Now we have modern web and native application development platforms. There are Single Page Applications (SPAs) like Gmail/Google Inbox, Facebook, and Twitter. They have different behaviors than your traditional web application, because they make AJAX (background HTTP calls) to APIs. Mobile phones make API calls too, as do TVs, gaming consoles, and IoT devices. SAML SSO isn’t particularly good at any of this.

https://www.fortinet.com/resources/cyberglossary/oauth

The Security Assertion Markup Language (SAML) is another technology often discussed in the same context as OAuth. SAML is a protocol that allows an identity provider (IdP) to forward a user’s credentials to a service provider (SP) to perform both authentication and authorization for that user to access a service. SAML uses Extensible Markup Language (XML) to standardize communications between various systems.

Because open authorization only performs authorization, an SP would need an additional authentication layer, like OpenID, to perform authentication. SAML can provide single sign-on (SSO) functionality on its own.

SAML is older than the other framework protocols, and because it is more often used in enterprise applications, the developer community sought to create a more lightweight and consumer-facing framework, especially as consumers increasingly access sites and applications using different endpoints, both personal and corporate. OAuth uses the more lightweight JSON open standard file format, which also performs better on mobile, for encoding data.