Difference between JWT and SAML?

送分小仙女 submitted on 2019-12-03 10:29:15

Question


What are the main differences between JWT (JSON Web Token) and SAML? Please suggest an example of each with Spring Security. Thanks in advance.


Answer 1:


Both SAML and JWT are security token formats that are not dependent on any programming language. SAML is the older format and is based on XML. It's used commonly in protocols like SAML-P, WS-Trust and WS-Federation (although not strictly required).

JWT (JSON Web Token) tokens are based on JSON and used in new authentication and authorization protocols like OpenID Connect and OAuth 2.0.




Answer 2:


Additional information: SAML is both a protocol and a token format, but JWT is only a token format.




Answer 3:


Both are used for exchanging authentication and authorization data between parties, but in different formats. SAML is a markup language (XML-based) and JWT is JSON.

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between security domains, i.e. an IdP (Identity Provider) and an SP (Service Provider).

  • An IdP (Identity Provider): authenticates users and, if successful, provides Service Providers with an Authentication Assertion. Identity providers offer user authentication as a service.
  • An SP (Service Provider): relies on the Identity Provider to authenticate users.

SAML in Auth0

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

JWT in Auth0

Use case:

The single most important use case that SAML addresses is web browser single sign-on (SSO, i.e. log in once, get a token, and not have to log in again to other services). Single sign-on is relatively easy to accomplish within a security domain (using cookies, for example), but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability. (For comparison, the more recent OpenID Connect protocol is an alternative approach to web browser SSO.) The ID Token, usually referred to as id_token in code samples, is a JSON Web Token (JWT) that contains user profile information.



Source: https://stackoverflow.com/questions/27314076/difference-between-jwt-and-saml
