Is SASL the same as SSL?
No. SSL (today TLS) is a transport-layer protocol: it encrypts a connection, protects its integrity, and normally authenticates the server to the client with a certificate. SASL, the Simple Authentication and Security Layer (RFC 4422), is not a transport protocol at all. It is a framework that lets an application protocol such as SMTP, IMAP, LDAP or XMPP authenticate a client with pluggable mechanisms, so that each protocol does not have to define its own login scheme.
TLS by itself protects against eavesdropping on network traffic, session hijacking and tampering with data in transit, but says nothing about who the user is. SASL by itself authenticates the user but, unless the chosen mechanism negotiates a security layer (GSSAPI can, most others do not), leaves the session unencrypted; a PLAIN login over a bare TCP connection is exposed to passive attacks. That is why the two are usually combined: the client first protects the connection with TLS (on a dedicated port or via STARTTLS) and then runs SASL inside it.
Whatever the mechanism, a SASL exchange has the same shape. The server advertises the mechanisms it supports (for example PLAIN, SCRAM-SHA-256, GSSAPI, EXTERNAL). The client picks one and sends its name, optionally with an initial response. Server and client then exchange zero or more challenges and responses, which the application protocol carries as base64 strings. Finally the server reports success or failure.
Mechanisms differ in what they prove and how. PLAIN sends the password itself and is only acceptable inside TLS. SCRAM proves possession of the password through a salted challenge-response without ever transmitting it, and lets the client verify the server in return. GSSAPI wraps Kerberos. EXTERNAL relies on authentication already performed outside SASL, typically a TLS client certificate. To authenticate, the client sends the protocol's authentication command (AUTH in SMTP, AUTHENTICATE in IMAP) followed by the mechanism name and, where the protocol allows it, the initial response.
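The negotiation described above, as an added example that is not code from the original page: a Python model of an SMTP-style AUTH exchange. The server advertises its mechanisms, the client picks one, and the PLAIN initial response is built and checked. The credential store, the user alice and her password are constructed for the example. It also shows the caveat from the text: a captured AUTH PLAIN line hands the password to any passive observer, so the server refuses PLAIN until TLS is active.

```python
import base64
import hmac

# Constructed credential store for this example: the user "alice" and her
# password are hypothetical. A real server stores a password hash, not this.
USERS = {"alice": "correct horse battery staple"}

# Mechanisms this hypothetical server implements, strongest first.
SUPPORTED = ["SCRAM-SHA-256", "PLAIN"]


def advertise(tls_active):
    """Server side: the mechanism list the client sees (SMTP "250 AUTH ..." form).
    PLAIN is only offered once the connection is protected (RFC 4616)."""
    mechs = [m for m in SUPPORTED if m != "PLAIN" or tls_active]
    return "250 AUTH " + " ".join(mechs)


def choose(advertised, preference):
    """Client side: first mechanism in our preference order that the server
    offered, or None if there is no overlap."""
    offered = advertised.split()[2:]
    for mech in preference:
        if mech in offered:
            return mech
    return None


def plain_initial_response(authzid, authcid, password):
    """Client side: PLAIN's single message is authzid NUL authcid NUL passwd,
    base64-encoded for the wire (RFC 4616)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode()
    return base64.b64encode(raw).decode()


def plain_verify(initial_response, tls_active):
    """Server side: decode and check a PLAIN initial response.
    Returns (accepted, SMTP reply line)."""
    if not tls_active:
        return False, "538 Encryption required for requested authentication mechanism"
    try:
        decoded = base64.b64decode(initial_response, validate=True)
        parts = [p.decode() for p in decoded.split(b"\0")]
    except ValueError:  # bad base64 or bad UTF-8
        return False, "501 Cannot decode response"
    if len(parts) != 3:
        return False, "501 Malformed PLAIN response"
    authzid, authcid, password = parts
    expected = USERS.get(authcid, "")
    # Unknown users get the same reply as a wrong password; compare in constant time.
    if not expected or not hmac.compare_digest(password.encode(), expected.encode()):
        return False, "535 Authentication credentials invalid"
    # An empty authzid means "act as the authenticated identity".
    if authzid not in ("", authcid):
        return False, "535 Not authorized to act as " + authzid
    return True, "235 Authentication successful"


def passive_observer(captured_line):
    """What an eavesdropper on an unprotected connection learns from a captured
    "AUTH PLAIN <base64>" line: the password itself."""
    b64 = captured_line.split(" ", 2)[2]
    return base64.b64decode(b64).split(b"\0")[2].decode()


def run_exchange(tls_active):
    """Drive one client/server round trip and return the transcript lines."""
    transcript = []
    caps = advertise(tls_active)
    transcript.append("S: " + caps)
    mech = choose(caps, ["PLAIN", "SCRAM-SHA-256"])  # a client that prefers PLAIN
    if mech != "PLAIN":
        transcript.append(f"C: (continues with {mech})")
        return transcript
    ir = plain_initial_response("", "alice", USERS["alice"])
    transcript.append("C: AUTH PLAIN " + ir)
    accepted, reply = plain_verify(ir, tls_active)
    transcript.append("S: " + reply)
    return transcript
```

Run run_exchange(False) and run_exchange(True) side by side: without TLS the server never offers PLAIN and the client has to fall through to SCRAM; with TLS the PLAIN line is accepted, and passive_observer shows exactly why that line must never cross a bare TCP connection.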
What is SASL used for?
SASL is not new: it was first specified in RFC 2222 in 1997 and revised as RFC 4422 in 2006. It is what mail, directory and messaging servers use to log a client in.
To see what SASL is for, it helps to start with the general idea of authentication.
Authentication has two directions. My system wants proof that you are who you say you are, and your system may want proof that I am who I say I am. Each side has to be able to verify the other, and a false claim of identity must be rejected rather than silently accepted; a system that cannot tell the difference cannot detect an attack. In practice this requires two things:
An authenticated channel, so that the identity claim is verified. A cryptographically protected channel, so that the claim and the rest of the session cannot be read or altered on the way. SASL supplies the first. The second is the harder part and is usually left to TLS, which is why SASL is normally run inside it.
Almost every mechanism rests on a shared secret, and the secret has to be distributed out of band before any protocol runs. I pick a random string, hand it to you over a channel I trust (in person, or over the phone), and we both rely on you being the only person who knows it. From then on your system must accept a login only from someone who can demonstrate knowledge of that secret, must reject impersonation attempts it can detect, and must reject attempts to guess the secret, for example by rate-limiting or locking the account. SASL's job is the demonstration step: its mechanisms define how the client proves knowledge of the secret, from simply sending it (PLAIN) to a salted challenge-response that never puts it on the wire (SCRAM).
Here is what the bootstrap looks like in practice. I send you the message "Hello, Bob. Password: gjklmn" over the trusted channel. You then type gjklmn into your client, and the client's SASL mechanism uses it to authenticate to my server.
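The demonstration step described above, proving knowledge of the shared secret without sending it, as an added example that is not code from the original page: a minimal SCRAM-SHA-256 client and server in Python following RFC 5802 and RFC 7677. It goes one step beyond the text by also showing the mutual side: the server stores only salt, iteration count, StoredKey and ServerKey at enrolment (never the password), the client's proof is bound to both nonces, and the client checks the server's signature in return. Usernames and passwords are constructed; SASLprep normalisation and the escaping of "," and "=" in usernames are omitted.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 4096  # RFC 7677 minimum for SCRAM-SHA-256

def _h(data):
    return hashlib.sha256(data).digest()

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _attrs(message):
    # "k=v,k=v" -> dict, splitting on the first "=" only (base64 values may end in "=")
    return dict(kv.split("=", 1) for kv in message.split(","))

def enroll(password, salt=None):
    """Server side, at account creation: keep only what verification needs.
    The password itself is never stored. (SASLprep normalisation is omitted.)"""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": ITERATIONS,
            "stored_key": _h(client_key), "server_key": _hmac(salted, b"Server Key")}

class ScramClient:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.cnonce = base64.b64encode(os.urandom(18)).decode()

    def first(self):
        # GS2 header "n,," = no channel binding, no authzid. The bare part is
        # reused in AuthMessage. (Escaping of "," and "=" in usernames omitted.)
        self.bare = f"n={self.username},r={self.cnonce}"
        return "n,," + self.bare

    def final(self, server_first):
        a = _attrs(server_first)
        nonce, salt, iters = a["r"], base64.b64decode(a["s"]), int(a["i"])
        if not nonce.startswith(self.cnonce):
            raise ValueError("server nonce does not extend ours")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(), salt, iters)
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"
        auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage): the server can
        # unmask ClientKey only if it holds the matching StoredKey.
        proof = _xor(client_key, _hmac(_h(client_key), auth_message))
        self.expected_server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
        return f"{without_proof},p={base64.b64encode(proof).decode()}"

    def verify_server(self, server_final):
        """Mutual authentication: only a holder of ServerKey can produce the v= value."""
        return hmac.compare_digest(base64.b64decode(server_final[2:]),
                                   self.expected_server_sig)

class ScramServer:
    def __init__(self, accounts):
        self.accounts = accounts
        self.snonce = base64.b64encode(os.urandom(18)).decode()

    def first(self, client_first):
        self.client_bare = client_first[3:]  # strip the GS2 header "n,,"
        a = _attrs(self.client_bare)
        self.rec = self.accounts.get(a["n"])
        if self.rec is None:
            return None  # real servers answer with a fake salt to hide which users exist
        self.nonce = a["r"] + self.snonce
        salt_b64 = base64.b64encode(self.rec["salt"]).decode()
        self.server_first = f"r={self.nonce},s={salt_b64},i={self.rec['iterations']}"
        return self.server_first

    def final(self, client_final):
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != self.nonce:
            return None  # nonce mismatch: replayed or spliced message
        auth_message = f"{self.client_bare},{self.server_first},{without_proof}".encode()
        client_sig = _hmac(self.rec["stored_key"], auth_message)
        client_key = _xor(base64.b64decode(proof_b64), client_sig)
        if not hmac.compare_digest(_h(client_key), self.rec["stored_key"]):
            return None
        return "v=" + base64.b64encode(_hmac(self.rec["server_key"], auth_message)).decode()

def authenticate(username, password, accounts):
    """Run the whole exchange; return (server_accepted, client_verified_server)."""
    client, server = ScramClient(username, password), ScramServer(accounts)
    server_first = server.first(client.first())
    if server_first is None:
        return False, False
    server_final = server.final(client.final(server_first))
    if server_final is None:
        return False, False
    return True, client.verify_server(server_final)
```

Note what never crosses the wire: the password, SaltedPassword and ClientKey. A passive observer sees two nonces, a salt, an iteration count and a proof that is useless without the exact AuthMessage, and a compromised account database yields StoredKey and ServerKey but not the password, so it cannot be replayed against a different server.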
Which is better, SAML or OAuth?
I'm planning to create an API that will need authentication.
I've seen SAML, OAuth, and a few other protocols as well. I'm not sure which protocol would be best for my needs. I'm not sure if I need to look at the security implications of each protocol as well.
OAuth is good for public clients - it's about how the user authorizes the server (not really about the server). SAML is good for private clients - it's about how the server authenticates the client (not really about the client). But both are good for your use case.
It's an open standard and can be implemented in many ways. It's also used by Google, Facebook, Twitter, etc.
If you don't want to implement the whole thing yourself, you can use an existing implementation. You could use Spring's OAuth2 or Spring SAML providers for example.
If you're interested in more, here are some questions and answers about OAuth vs.
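What an API built on OAuth 2.0 actually has to do with the token it receives, as an added example (not code from the answer above, nor from Spring's OAuth2 or SAML modules): the resource-server check of an RFC 6750 bearer token. It assumes the access token is a JWT signed with HS256 under a key shared with the authorization server; that format and algorithm are assumptions for the example (production deployments more often use RS256 or ES256 with the issuer's published keys). The claims, key and clock value are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key):
    """Authorization-server side; used here only to build constructed sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def strip_signature(token):
    """What an attacker tries against a naive verifier: rewrite the header to
    alg "none" and drop the signature, keeping the original claims."""
    _, payload, _ = token.split(".")
    return f"{_b64url_encode(json.dumps({'alg': 'none'}).encode())}.{payload}."


def verify_bearer(authorization_header, key, audience, required_scope, now=None):
    """Resource-server side: accept the request only if the bearer token is a
    correctly signed, current JWT issued for this API with the needed scope.
    Returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "not a bearer token", None
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        # Pin the algorithm before looking at the signature. Never let the token's
        # own "alg" select the verifier: that is the "none" / key-confusion bug.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "unexpected alg", None
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return False, "bad signature", None
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return False, "malformed token", None
    if not isinstance(claims, dict):
        return False, "malformed token", None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired", None
    if now < claims.get("nbf", 0):
        return False, "not yet valid", None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience", None
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient scope", None
    return True, "ok", claims
```

The order of the checks is deliberate: algorithm first, then signature, and only then the claims, so nothing in an unauthenticated payload influences a decision. Whichever protocol is chosen, this is the part of an API that has to be right; with SAML the equivalent is validating the XML signature and assertion conditions, which is considerably harder to get right by hand.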