Cupcake 17041's dashboard

SAML is about identity assertions, identity attributes and identifier federation. The SAML assertions are often used in web services calls as the mechanism to securely identify the identity in the transaction. OAuth is less about identity federation and more about a simple HTTP based identity web service invocation framework. If you were to equate OAuth to something in the SAML "sphere" it would be the Liberty ID-WSF 2.0 specification.

The value of the simple HTTP based framework is that it is much easier to integrate into AJAX and "widget" based applications. Trying to parse and manage SAML and SOAP based XML in Javascript, while not impossible, is not the normal developer programming model.

Finally, I believe that it is possible to combine both SAML and OAuth such that a relying party that supports OAuth for identity web services, and SAML for authentication and federation, could use SAML assertions and artifacts as the token and keys used in the OAuth protocol. [Note, I have not mapped this out in detail]

I'm not as technical as other folks, but I think, just looking at that Wikipedia page, it has to do with simplicity and with extracting best practices from existing delegated authentication/authorization protocols like BBAuth, FlickrAuth, AuthSub and others.

Perhaps a better question to ask is why the organizations behind those protocols didn't just adopt SAML 2 and instead develop their own nearly-identical protocols?

In any case, I'm sure there are more differences, so I'll ask around and get some other replies. Thanks!