Understanding the Differences Between WS-FED and SAML

This post looks at the differences between two authentication protocols commonly used for Single Sign-On (SSO), WS-Fed and SAML: an overview of how SSO works with each, followed by a step-by-step comparison of the authentication flows in SAML and WS-Fed.

Overview


SSO with SAML or WS-Fed works in much the same way; what differs is the shape of the messages that are sent and received. Here is a brief comparison of the two:

SAML (Security Assertion Markup Language):

  • The web application sends a SAML request to the identity provider.
  • After verifying the user’s identity, the identity provider returns a SAML response. Inside that SAML response is a SAML assertion.
  • The SAML assertion, the SAML response, or both can be configured to be signed.

WS-Federation (Web Services Federation):

  • The web application sends its request to the identity provider as query parameters that make up a Request Security Token (RST).
  • After verifying the user’s identity, the identity provider returns a Request Security Token Response (RSTR). Inside that RSTR is a SAML assertion.
  • RSTRs are always signed.

Authentication Steps in SAML vs WS-Fed

SAML authentication steps:

  1. A user visits the login page of a web application.
  2. The web application generates a SAML request and redirects the user to the SSO URL.
  3. The identity provider parses the SAML request and verifies the user’s identity against Active Directory or another user store.
  4. The identity provider generates a SAML assertion inside a SAML response and sends it all back to the web application.
  5. The web application receives the SAML response and logs the user in to the application.

WS-Fed authentication steps:

  1. A user visits the login page of a web application.
  2. The web application generates a Request Security Token (RST) and redirects the user to the SSO URL.
  3. The identity provider parses the RST and verifies the user’s identity against Active Directory or another user store.
  4. The identity provider generates a SAML assertion inside a Request Security Token Response (RSTR) and sends it all back to the web application.
  5. The web application receives the RSTR and logs the user in to the application.
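As an added example (not code from the original post), here are the two step-2 sign-in requests and the step-5 assertion lookup in Python, run against constructed sample responses. The endpoint URLs, realm and entity-ID values are placeholders, the IssueInstant is fixed for reproducibility, and the empty ds:Signature elements only stand in for real XML-DSig blocks.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Real namespace URIs for SAML 2.0, WS-Trust (the RSTR envelope) and XML-DSig.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "trust": "http://schemas.xmlsoap.org/ws/2005/02/trust", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def saml_redirect_request(sp_entity_id, acs_url, sso_url, relay_state):
    """SAML step 2: build an XML AuthnRequest, DEFLATE and base64 it into the
    SAMLRequest query parameter (HTTP-Redirect binding), then redirect to the SSO URL."""
    authn = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
             f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '  # fixed instant for the example
             f'AssertionConsumerServiceURL="{acs_url}">'
             f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    raw = deflater.compress(authn.encode()) + deflater.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                                      "RelayState": relay_state})

def wsfed_signin_request(realm, reply_url, sso_url, context):
    """WS-Fed step 2: no XML is built; the sign-in request is plain query parameters."""
    return sso_url + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": realm,
                                      "wreply": reply_url, "wctx": context})

def locate_assertion(xml_text):
    """Step 5 for both protocols: find the SAML assertion inside the returned document
    and report where XML-DSig signatures sit. This only detects signatures; verify them
    with an XML-DSig library before trusting the assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no SAML assertion")
    return {"container": root.tag.split("}")[-1], "assertion_id": assertion.get("ID"),
            "response_signed": root.find("ds:Signature", NS) is not None,
            "assertion_signed": assertion.find("ds:Signature", NS) is not None}

# Constructed sample responses (not captured from a real IdP), trimmed to the
# elements the lookup needs; the empty ds:Signature elements stand in for real ones.
SAMPLE_SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0"><ds:Signature/>
  <saml:Assertion ID="_a1" Version="2.0"><ds:Signature/></saml:Assertion>
</samlp:Response>"""
SAMPLE_RSTR = f"""<trust:RequestSecurityTokenResponse xmlns:trust="{NS['trust']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"><trust:RequestedSecurityToken>
  <saml:Assertion ID="_a2" Version="2.0"><ds:Signature/></saml:Assertion>
</trust:RequestedSecurityToken></trust:RequestSecurityTokenResponse>"""
```

The lookup shows the structural difference the post describes: a SAML Response may carry a signature at the response level, the assertion level, or both, whereas in WS-Fed the assertion sits inside the RSTR's RequestedSecurityToken element.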
