Difference between JWT and SAML?
What are the main differences between JWT (JSON Web Token) and SAML? Please suggest an example of each with Spring Security. Thanks in advance.
Both SAML and JWT are security token formats that are not dependent on any programming language. SAML is the older format and is based on XML. It's used commonly in protocols like SAML-P, WS-Trust and WS-Federation (although not strictly required).
JWT (JSON Web Token) tokens are based on JSON and used in new authentication and authorization protocols like OpenID Connect and OAuth 2.0.
Both are used for exchanging authentication and authorization data between parties, but in different formats. SAML is a markup language (like XML) and JWT is JSON.
Security Assertion Markup Language (SAML, pronounced SAM-el) is an open standard for exchanging authentication and authorization data between security domains, i.e. an IdP (Identity Provider) and an SP (Service Provider).
- An IdP (Identity Provider): authenticates users and, if successful, provides Service Providers with an Authentication Assertion. Identity providers offer user authentication as a service.
- An SP (Service Provider): relies on the Identity Provider to authenticate users.
| Term in SAML | Term in OAuth | Description |
|---|---|---|
| Client | Client | Example: a web browser |
| Identity Provider (IdP) | Authorization Server | Server that owns the user identities and credentials |
| Service Provider (SP) | Resource Server | The protected application |
JSON Web Token (JWT, pronounced "jot") is an ID Token based on JSON that passes user information in a Header, Payload and Signature structure. https://jwt.io/
Note: Access Tokens (which aren't always JWTs) are used to inform an API that the bearer of the token has been authorized to access the API.
| Use case | Standard to use |
|---|---|
| Access to application from a portal | SAML |
| Centralized identity source | SAML |
| Enterprise SSO | SAML |
| Mobile use cases | OAuth (preferably with Bearer Tokens) |
| Permanent or temporary access to resources such as accounts, files | OAuth |
source