67

What are the main differences between JWT (JSON Web Token) and SAML?

Can you suggest any examples of these with Spring Security?

Jamsheer
  • (1) Have a look at this more in-depth comparison and explanation: http://security.stackexchange.com/questions/82587/json-web-tokens-vs-saml – Jørgen Tvedt Oct 24 '16 at 06:43

3 Answers

91

Both SAML and JWT are security token formats that are not dependent on any programming language. SAML is the older format and is based on XML. It's used commonly in protocols like SAML-P, WS-Trust and WS-Federation (although not strictly required).

JWT (JSON Web Token) tokens are based on JSON and used in new authentication and authorization protocols like OpenID Connect and OAuth 2.0.

MvdD
  • Would you please suggest any Spring sample implementation – Jamsheer Dec 08 '14 at 04:39
  • I can't recommend anything from experience as I'm not a Java developer. But have a look at slide 50 of this deck: http://www.slideshare.net/JAX_London/spring-day-identity-management-with-spring-security-dave-syer – MvdD Dec 08 '14 at 06:06
  • (59) The SAML spec encompasses a protocol as well as a token format; JWT is a token format only – Hans Z. Dec 23 '14 at 21:25
  • (1) I found this useful, even though it compares SAML2 with JWT: https://medium.com/@robert.broeckelmann/saml2-vs-jwt-a-comparison-254bafd98e6 – oislek Dec 20 '17 at 23:49
22

Both are used for authentication and authorization, and both are commonly used for Single Sign-On (SSO) solutions.

Security Assertion Markup Language (SAML, pronounced SAM-el) is an XML-based standard for exchanging authentication and authorization data between parties, i.e. an IdP (Identity Provider) and an SP (Service Provider).

  • An IdP (Identity Provider): authenticates users and, if successful, provides an Authentication Assertion to Service Providers. Identity providers offer user authentication as a service.
  • An SP (Service Provider): relies on the Identity Provider to authenticate users.
| Term in SAML            | Term in OAuth        | Description                                          |
|-------------------------|----------------------|------------------------------------------------------|
| Client                  | Client               | Example: a web browser                               |
| Identity Provider (IdP) | Authorization Server | Server that owns the user identities and credentials |
| Service Provider (SP)   | Resource Server      | The protected application                            |

JSON Web Token (JWT, pronounced "jot") is an ID token based on JSON that passes user information in a Header, Payload and Signature structure. https://jwt.io/

OpenID Connect (OIDC) is built on the OAuth 2.0 protocol and uses an additional JSON Web Token (JWT), called an ID token. This token is a compact and self-contained (i.e. a piece of data that is able to function independently) authentication mechanism that uses a JSON object to encode claims that are signed and encrypted. JWT can be used to authenticate clients, pass information between parties, or authenticate APIs.

Use case:

  • OIDC is specifically focused on user authentication and is widely used to enable user logins on consumer websites and mobile apps, for example Stack Overflow login with a Google account.

  • SAML is commonly used to help enterprise users sign in to multiple applications using a single login.

  • OIDC is a more modern, lightweight, and easier-to-use protocol compared to SAML, while SAML provides a more complete and complex solution for SSO and identity management in enterprise scenarios.

Premraj
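The Header.Payload.Signature structure described in the answer above, as an added example that is not part of the answer: a minimal HS256 JWT is built and then verified the way a resource server should verify it, pinning the algorithm, checking the HMAC in constant time, and only then trusting the issuer, audience and expiry claims. The secret, issuer and audience values are constructed for the example, and the fixed clock makes the run deterministic; a production deployment would use a library such as the one recommended by the Spring Security project and, typically, an asymmetric algorithm.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; not from any real deployment.
SECRET = b"example-shared-secret-not-for-production"
IDP = "https://idp.example"   # the issuer ("iss") the resource server trusts
SP = "https://app.example"    # the audience ("aud") this resource server is


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature signed with HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str,
               now: Optional[float] = None) -> dict:
    """Return the claims only if signature, issuer, audience and time checks pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, signature_b64 = parts

    # The verifier decides the algorithm; a token naming any other value
    # (including "none") is rejected before the signature is even looked at.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))

    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")

    # Claims are trusted only after the signature has been checked.
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or carries no exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def _rejected(token: str, now: float, audience: str = SP) -> bool:
    """True if verify_jwt refuses the token under the given clock/audience."""
    try:
        verify_jwt(token, SECRET, IDP, audience, now=now)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Round-trip a token and exercise the checks a resource server must make."""
    now = 1_700_000_000  # constructed fixed clock for a deterministic run
    claims = {"iss": IDP, "sub": "alice", "aud": SP, "iat": now, "exp": now + 300}
    token = create_jwt(claims, SECRET)
    results = {"subject": verify_jwt(token, SECRET, IDP, SP, now=now + 10)["sub"]}

    # Same signature, altered payload: the HMAC no longer matches.
    header_b64, _, signature_b64 = token.split(".")
    altered = b64url_encode(json.dumps(dict(claims, sub="mallory")).encode("utf-8"))
    results["tampered_rejected"] = _rejected(header_b64 + "." + altered + "." + signature_b64, now + 10)
    results["expired_rejected"] = _rejected(token, now + 301)
    results["wrong_audience_rejected"] = _rejected(token, now + 10, audience="https://other.example")
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point: the algorithm is fixed by the verifier, the signature is checked before any claim is read, and the audience check stops a token minted for one service from being replayed against another.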
10

In addition, SAML is a protocol and a token format while JWT is only a token format.

bvdb
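The SAML side of the comparison, as an added example that is not part of any answer here: the XML assertion an IdP hands to an SP, with the Issuer, Subject, Conditions and AttributeStatement elements the second answer refers to, and the checks the SP performs on it (issuer, validity window, audience restriction). The assertion, entity IDs and clock values are constructed for the example. It assumes the XML signature (XML-DSig, which the stdlib cannot verify) has already been validated against the IdP's certificate; that step is deliberately left to a dedicated library and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion for the example; the XML-DSig element is omitted and
# its verification is assumed to have happened before validate_assertion runs.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-15T10:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML uses UTC timestamps with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str, now: str) -> dict:
    """Apply the SP-side checks and return the identity data if they all pass."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")

    # Only assertions from the IdP configured for this SP are accepted.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError("unexpected issuer")

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        raise ValueError("assertion has no usable Conditions")
    current = parse_saml_time(now)
    if not (parse_saml_time(conditions.get("NotBefore")) <= current
            < parse_saml_time(conditions.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")

    # Audience restriction: the assertion must name this SP.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {"issuer": issuer, "name_id": name_id, "attributes": attributes}


def _rejected(now: str, audience: str = "https://sp.example/metadata") -> bool:
    """True if validate_assertion refuses the constructed assertion."""
    try:
        validate_assertion(ASSERTION_XML, "https://idp.example/metadata", audience, now)
    except ValueError:
        return True
    return False


def demo() -> dict:
    ok = validate_assertion(ASSERTION_XML, "https://idp.example/metadata",
                            "https://sp.example/metadata", "2024-01-15T10:01:00Z")
    return {
        "name_id": ok["name_id"],
        "attributes": ok["attributes"],
        "expired_rejected": _rejected("2024-01-15T10:05:00Z"),
        "wrong_audience_rejected": _rejected("2024-01-15T10:01:00Z", "https://other.example/metadata"),
    }


if __name__ == "__main__":
    print(demo())
```

Compared with the JWT case, note how much of the same information is carried: issuer, subject, validity window and audience all have direct counterparts, which is why the two formats can be compared at all; the difference is the XML envelope, the signature format, and the fact that SAML also specifies the protocol that moves the assertion between IdP and SP.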