IT:AD:SAML:HowTo:Understand/Comparison with other Protocols
Summary
- They are both similar but incompatible.
- SAMLP and WS-Federation are both standards.
- Both:
  * allow users that have already logged into one site to access another site without logging in again.
  * do this by allowing sites ([[IT/#RP/]]) to present proof that a site and a user are who they say they are.
  * support [[IT/#SSO/]], and both support metadata to exchange SSO information between parties.
- SAMLP is an older specification than WS-Federation.
  * Supported by many vendors.
- WS-Federation: championed by Microsoft Corporation, which has invested heavily in incorporating WS-Federation into its products.
  * MS is moving towards supporting SOAP.
- Differences:
  * They use different terminology.
  * SAML is an older protocol, with wider support beyond MS.
  * WS-Federation
In reality, most people only use the “passive” features that allow single sign-on between web sites.
For solving single sign-on problems, there is not much to separate them.
One may be easier to set up than the other depending on the environment, but either can meet your SSO needs.
So which should you choose? SAML is an older protocol and enjoys widespread support. Software-as-a-Service (SaaS) vendors are more likely to support it than WS-Federation.
On the other hand, if you are in a mostly Microsoft world, WS-Federation is more ubiquitous.
Microsoft’s Active Directory Federation Services (ADFS), which comes with Active Directory, supports both WS-Federation and SAML but is easier to configure for WS-Federation.
Microsoft’s Windows Identity Foundation (WIF) toolkits make it easy to enable home-grown ASP.NET applications for WS-Federation. WIF SAML support is currently in a community technology preview (CTP) release.
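The summary notes that both protocols exchange SSO information through metadata, and that an ADFS deployment can speak both. The following added example (not code from this page, ADFS or Microsoft) parses a federation metadata document with Python's standard library and reports which protocol endpoints it advertises and whether the document is signed; the namespace URIs are the published SAML 2.0 metadata, WS-Federation 1.2, WS-Addressing, XSI and XML-DSig namespaces, and the sample document, entity id and hostname are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace URIs: SAML 2.0 metadata, WS-Federation 1.2, WS-Addressing, XSI, XML-DSig.
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
FED = "{http://docs.oasis-open.org/wsfed/federation/200706}"
WSA = "{http://www.w3.org/2005/08/addressing}"
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"


def describe_idp_metadata(xml_text: str) -> dict:
    """Report which SSO protocols an IdP metadata document advertises and whether it is signed."""
    # Metadata fetched from an untrusted source should be parsed with defusedxml instead.
    root = ET.fromstring(xml_text)
    info = {
        "entity_id": root.get("entityID"),
        # Only an enveloped XML signature makes the keys and endpoints trustworthy
        # independent of the channel the document arrived over.
        "signed": root.find(DS + "Signature") is not None,
        "saml2_sso": {},        # SAML binding URI -> endpoint
        "wsfed_passive": None,  # WS-Federation passive-requestor URL
    }
    # SAML 2.0: IDPSSODescriptor lists one SingleSignOnService per binding.
    for idp in root.findall(MD + "IDPSSODescriptor"):
        if SAML2P in idp.get("protocolSupportEnumeration", ""):
            for sso in idp.findall(MD + "SingleSignOnService"):
                info["saml2_sso"][sso.get("Binding")] = sso.get("Location")
    # WS-Federation: a RoleDescriptor typed fed:SecurityTokenServiceType holds the
    # browser (passive) endpoint inside a WS-Addressing EndpointReference.
    for role in root.findall(MD + "RoleDescriptor"):
        if (role.get(XSI + "type", "").endswith("SecurityTokenServiceType")
                and FED[1:-1] in role.get("protocolSupportEnumeration", "")):
            addr = role.find(FED + "PassiveRequestorEndpoint/"
                             + WSA + "EndpointReference/" + WSA + "Address")
            if addr is not None and addr.text:
                info["wsfed_passive"] = addr.text.strip()
    return info


# Constructed sample (no real deployment): ADFS-style document advertising
# both protocols for one entity, with no signature present.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="http://sts.example.test/adfs/services/trust">
 <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
  <fed:PassiveRequestorEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
   <Address>https://sts.example.test/adfs/ls/</Address></EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor>
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sts.example.test/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sts.example.test/adfs/ls/"/>
 </IDPSSODescriptor></EntityDescriptor>"""
```

Run against a real FederationMetadata.xml, the `signed` flag and the two endpoint sets show at a glance which protocol a relying party can be configured for and whether the metadata can be trusted on its own.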