Overview
This page explains the differences between two authentication protocols commonly used for Single Sign-On (SSO), WS-Fed and SAML. It gives an overview of how SSO works with each protocol and then compares the authentication steps in SAML and WS-Fed.
SSO with SAML or WS-Fed works in a similar way, with the details of what is sent and received varying between the two protocols. Here is a brief comparison of the two:
SAML (Security Assertion Markup Language):
- The web application sends a SAML request to the identity provider.
- After verifying the user’s identity, the identity provider returns a SAML response. Inside that SAML response is a SAML assertion.
- You can choose to sign the SAML assertion, the SAML response, or both.
WS-Federation (Web Services Federation):
- The web application sends its request to the identity provider as query parameters that form a Request Security Token (RST).
- After verifying the user’s identity, the identity provider returns a Request Security Token Response (RSTR). Inside that RSTR is a SAML assertion.
- RSTRs are always signed.
Authentication Steps in SAML vs WS-Fed
SAML authentication steps:
- A user visits the login page of a web application.
- The web application generates a SAML request and redirects the user to the SSO URL.
- The identity provider parses the SAML request and verifies the user’s identity against Active Directory or another user store.
- The identity provider generates a SAML assertion in a SAML response, and sends it all back to the web application.
- The web application receives the SAML response, and logs the user in to the application.
WS-Fed authentication steps:
- A user visits the login page of a web application.
- The web application generates a Request Security Token (RST) and redirects the user to the SSO URL.
- The identity provider parses the RST and verifies the user’s identity against Active Directory or another user store.
- The identity provider generates a SAML assertion inside a Request Security Token Response (RSTR), and sends it all back to the web application.
- The web application receives the RSTR response, and logs the user in to the application.
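The redirect step of both flows above, as an added example that is not part of the original article: a SAML AuthnRequest sent over the HTTP-Redirect binding (deflated, base64-encoded, URL-encoded in `SAMLRequest`) next to a WS-Fed passive sign-in request, which is nothing more than the `wa`/`wtrealm`/`wreply`/`wctx` query parameters. The IdP endpoint, entity ID and ACS URL are constructed placeholders, and `decode_saml_request` is a helper added here so the encoded request can be inspected, for example when reviewing web-server logs.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints and identifiers (assumptions for this example).
IDP_SSO_URL = "https://idp.example.test/sso"
SP_ENTITY_ID = "https://app.example.test/metadata"
SP_ACS_URL = "https://app.example.test/acs"

def build_saml_redirect(relay_state="/dashboard"):
    """SAML HTTP-Redirect binding: the AuthnRequest XML travels deflated, base64-encoded
    and URL-encoded in the SAMLRequest parameter. Returns (url, request_id)."""
    req_id = "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{issued}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    raw = deflater.compress(authn_request.encode()) + deflater.flush()
    query = {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(query), req_id

def decode_saml_request(url):
    """Reverse the redirect encoding so the AuthnRequest XML can be inspected."""
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode()

def build_wsfed_redirect(context="/dashboard"):
    """WS-Fed passive sign-in: the request is plain query parameters, no XML in transit."""
    params = {
        "wa": "wsignin1.0",       # action: request a sign-in token
        "wtrealm": SP_ENTITY_ID,  # realm (relying party) the token is issued for
        "wreply": SP_ACS_URL,     # where the RSTR will be posted back
        "wctx": context,          # opaque round-trip state, like SAML RelayState
    }
    return IDP_SSO_URL + "?" + urlencode(params)

def parse_wsfed_request(url):
    """Return the query parameters of a sign-in redirect as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```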