Both [SAML][1] and [JWT][2] are security token formats that are not dependent on any programming language. SAML is the older format and is based on XML. It&#39;s used commonly in protocols like SAML-P, WS-Trust and WS-Federation (although not strictly required).

JWT (JSON Web Token) tokens are based on JSON and used in new authentication and authorization protocols like OpenID Connect and OAuth 2.0.


  [1]: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
  [2]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-31

Both are used for Exchanging Authentication and Authorization data between parties, but in different format. SAML is a Markup Language(like XML) and JWT is a JSON.


**S**ecurity **A**ssertion **M**arkup **L**anguage *(SAML,pronounced SAM-el)* is an open standard for exchanging authentication and authorization data between security domains, i.e. **IdP** (**Id**entity **P**rovider) and a **SP** (**S**ervice **P**rovider).

- An **IdP** (**Id**entity **P**rovider) : authenticates users and provides to Service Providers an Authentication Assertion if successful. Identity providers offer **User Authentication As A Service**.
- A **SP** (**S**ervice **P**rovider): relies on the Identity Provider to authenticate users. 
 

|      Term in SAML      |    Term in OAuth     |                     Description                      |
|------------------------|----------------------|------------------------------------------------------|
| Client                 | Client               | Example: A web browser                               |
| Identity Provider(IdP) | Authorization Server | Server that owns the user identities and credentials |
| Service Provider(SP)   | Resource Server      | The protected application                            |



---


**J**SON **W**eb **T**oken *(JWT, pronounced jot)* is a **ID Token** based on JSON to pass user information as Header, Payload and Signature structure. https://jwt.io/

Note: **Access Token**s (which aren&#39;t always JWTs) are used to inform an API that the bearer of the token has been authorized to access the API 




|                              Use case                              |           Standard to use            |
|--------------------------------------------------------------------|--------------------------------------|
| Access to application from a portal                                | SAML                                 |
| Centralized identity source                                        | SAML                                 |
| Enterprise SSO                                                     | SAML                                 |
| Mobile use cases                                                   | OAuth(preferably with Bearer Tokens) |
| Permanent or temporary access to resources such as accounts, files | OAuth                                |



[source][8]



  [3]: https://i.stack.imgur.com/TVDT1.png
  [7]: https://i.stack.imgur.com/LLZBC.png
  [8]: https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/

In addition, SAML is a protocol and a token format while JWT is only a token format.

I&#39;m looking to create this overlapping circles shape in CSS:

![Desired overlapping cicles shape][1]


  [1]: http://i.stack.imgur.com/TFlHf.png

Basically, just stacked circles. I&#39;ve looked around, and all solutions I see include using multiple div elements for this effect. However, can&#39;t this be done with a single div, using CSS3? I looked at how it could be easily done, and figured that, if all colours are the same, you&#39;d have a pill shape like this:

http://jsfiddle.net/5wytm0r4/

   

&lt;!-- begin snippet: js hide: false --&gt;

&lt;!-- language: lang-css --&gt;

     #circles {
       background-color: red;
       width: 130px;
       height: 100px;
       border-radius: 50px;
     }

&lt;!-- language: lang-html --&gt;

    &lt;div id=&quot;circles&quot;&gt;&lt;/div&gt;


&lt;!-- end snippet --&gt;

And then simply draw a couple of quarter moons in it, and you&#39;re done. However, I can&#39;t figure out how to draw these moon shapes in my capsule shaped div.

Overlapping circles in CSS with 1 div

I have S3 access only to a specific directory in an S3 bucket.

For example, with the `s3cmd` command if I try to list the whole bucket:

        $ s3cmd ls s3://bucket-name

I get an error: `Access to bucket &#39;my-bucket-url&#39; was denied`

But if I try access a specific directory in the bucket, I can see the contents:

        $ s3cmd ls s3://bucket-name/dir-in-bucket

Now I want to connect to the S3 bucket with python boto. Similary with:

        bucket = conn.get_bucket(&#39;bucket-name&#39;)

I get an error: `boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden`

But if I try:

        bucket = conn.get_bucket(&#39;bucket-name/dir-in-bucket&#39;)

The script stalls for about 10 seconds, and prints out an error afterwards. Bellow is the full trace. Any idea how to proceed with this?

Note question is about the boto version 2 module, not boto3.

	Traceback (most recent call last):
	  File &quot;test_s3.py&quot;, line 7, in &lt;module&gt;
		bucket = conn.get_bucket(&#39;bucket-name/dir-name&#39;)
	  File &quot;/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py&quot;, line 471, in get_bucket
		return self.head_bucket(bucket_name, headers=headers)
	  File &quot;/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py&quot;, line 490, in head_bucket
		response = self.make_request(&#39;HEAD&#39;, bucket_name, headers=headers)
	  File &quot;/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py&quot;, line 633, in make_request
		retry_handler=retry_handler
	  File &quot;/usr/local/lib/python2.7/dist-packages/boto/connection.py&quot;, line 1046, in make_request
		retry_handler=retry_handler)
	  File &quot;/usr/local/lib/python2.7/dist-packages/boto/connection.py&quot;, line 922, in _mexe
		request.body, request.headers)
	  File &quot;/usr/lib/python2.7/httplib.py&quot;, line 958, in request
		self._send_request(method, url, body, headers)
	  File &quot;/usr/lib/python2.7/httplib.py&quot;, line 992, in _send_request
		self.endheaders(body)
	  File &quot;/usr/lib/python2.7/httplib.py&quot;, line 954, in endheaders
		self._send_output(message_body)
	  File &quot;/usr/lib/python2.7/httplib.py&quot;, line 814, in _send_output
		self.send(msg)
	  File &quot;/usr/lib/python2.7/httplib.py&quot;, line 776, in send
		self.connect()
	  File &quot;/usr/lib/python2.7/httplib.py&quot;, line 1157, in connect
		self.timeout, self.source_address)
	  File &quot;/usr/lib/python2.7/socket.py&quot;, line 553, in create_connection
		for res in getaddrinfo(host, port, 0, SOCK_STREAM):
	socket.gaierror: [Errno -2] Name or service not known

Python boto, list contents of specific dir in bucket

What are the main difference between JWT (Json Web Token) and SAML? Please suggest me any example of these with spring security. Thanks in advance.

Difference between JWT and SAML?

<p>What are the main difference between JWT (Json Web Token) and SAML? Please suggest me any example of these with spring security. Thanks in advance.</p>


Before you put me down for asking too basic a question without doing any homework, I&#39;d like to say that I have been doing a lot of reading on these topics, but I&#39;m still confused.

My needs seem simple enough. At my company, we have a bunch of Ruby on Rails applications. I want to build an SSO authentication service which all those applications should use.

Trying to do some research on how to go about doing this, I read about `CAS`, `SAML` and `OAuth2`. (I know that the &quot;Auth&quot; in OAuth stands for authorization, and not authentication, but I read enough articles saying how OAuth can be used for authentication just fine - [this][1] is one of them.)

Could someone tell me in simple terms what these 3 are? Are they alternatives (competing)? Is it even right to be comparing them? 

And there are so many gems which all seem to be saying very similar stuff: 

* https://github.com/rubycas/rubycas-server and https://github.com/rubycas/rubycas-client
* https://github.com/nbudin/devise_cas_authenticatable
* https://github.com/onelogin/ruby-saml
* CASino and https://github.com/rbCAS/casino-activerecord_authenticator
* And I am sure there are hundreds of OAuth related gems.


I just want a separate Rails application which handles all the authentication for my other Rails apps. 

**Note:** I do not want to allow users to use their Google / Facebook accounts to login. Our users already have accounts on our site. I want them to be able to login using that account once and be able to access all our apps without signing in again. Signing out in any app should sign them out of all apps.

**UPDATE**

I have come across these two OAuth solutions: 

* http://dev.mikamai.com/post/110722727899/oauth2-on-rails
* http://blog.yorkxin.org/posts/2013/11/05/oauth2-tutorial-grape-api-doorkeeper-en/

They seem to be describing something very similar to what I want. But I haven&#39;t found any guide / blog post / tutorial showing how to do this with SAML / CAS.

Suggestions welcome.

**UPDATE 2**

More details about our use-case.

We do not have any existing SAML architecture in place. Primarily, it is going to be OUR users (registered directly on our website) who are going to be accessing all our applications. In the future, we may have third-party (partner) companies calling our APIs. We may also have users from these third-party (partner) companies (registered on their websites) accessing  our apps.

  [1]: http://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/

CAS vs. SAML vs. OAuth2

I am trying to understand SSO using SAML. I have come across the RelayState parameter and am very confused exactly why it comes first in SSO to send encoded URLs? What exactly does it mean?

Please read the following from [the Google Developer documentation](https://developers.google.com/google-apps/sso/saml_reference_implementation):

&gt; Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner&#39;s SSO service. The RelayState parameter containing the encoded URL of the Google application that the user is trying to reach is also embedded in the SSO URL. This RelayState parameter is meant to be an opaque identifier that is passed back without any modification or inspection

What is exactly RelayState parameter used in SSO (Ex. SAML)?

I&#39;ve been coding a RESTful service in Java. This is what I&#39;ve understood till now (correct me if i&#39;m wrong):

Token authorization is done using _JSON Web Tokens (JWT)_ which have three parts: the header, the payload, and the secret (shared between the client and the server). 

I understood this concept and stumbled over _JSON Web Signature (JWS)_ while reading about JWT.
 
JWS also is an encoded entity similar to JWT having a header, payload, and a shared secret.

**Question:** What is the difference between the two concepts, namely JWT and JWS? And if they are alike technically, then what&#39;s the difference in their *implementation*?

This is the first time I&#39;m working with token based auth, so it&#39;s possible I&#39;ve misunderstood the concept altogether.

P.S. I learned about JWS while browsing through the examples on [this website][1].


  [1]: http://connect2id.com/products/nimbus-jose-jwt

What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

I&#39;m building a mobile app and am using JWT for authentication.

It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.

 1. What does a refresh token look like? Is it a random string? Is that string encrypted? Is it another JWT?
 2. The refresh token would be stored in the database on the user model for access, correct? It seems like it should be encrypted in this case
 3. Would I sent the refresh token back after a user login, and then have the client access a separate route to retrieve an access-token?


JWT refresh token flow

I&#39;m working on implementing OAuth 2.0 JWT access_token in my authentication server. But, I&#39;m not clear on what the differences are between the JWT `aud` claim and the `client_id` HTTP header value. Are they the same? If not, can you explain the difference between the two?

My suspicion is that `aud` should refer to the resource server(s), and the `client_id` should refer to one of the client applications recognized by the authentication server (i.e. web app, or iOS app).  

In my current case, my resource server is also my web app client.  

JWT (Json Web Token) Audience &quot;aud&quot; versus Client_Id - What&#39;s the difference?

I would like to know the best practices to invalidate JWT without hitting db while changing password/logout. 

I have the idea below to handle above 2 cases by hitting the user database. 

1.Incase of password changes, I check for password(hashed) stored in the user db.

2.Incase of logout, I save last-logout time in user db, hence by comparing the token created time and logout time, I can able to invalidate this case.

But these 2 cases comes at the cost of hitting user db everytime when the user hits the api. Any best practise is appreciated.


**UPDATE:**
 I dont think we can able to invalidate JWT without hitting db. So I came up with a solution. I have posted my answer, if you have any concern, you are welcome.

Best practices to invalidate JWT while changing passwords and logout in node.js?

The [JWT spec][1] mentions a jti claim which allegedly can be used as a nonce to prevent replay attacks: 

&gt; The &quot;jti&quot; (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The &quot;jti&quot; claim can be used to prevent the JWT from being replayed. The &quot;jti&quot; value is a case-sensitive string. Use of this claim is OPTIONAL.

My question is, how would I go about implementing this? Do I need to store the previously used jtis and issue a new JWT with every request? If so, doesn&#39;t this defeat the purpose of JWTs? Why use a JWT instead of just storing a randomly-generated session ID in a database?

My REST API has a Mongo database and I&#39;m not opposed to adding a Redis instance. Is there a better authentication option than JWT? I mainly just don&#39;t want to store passwords on the client which eliminates HTTP authentication as an option, however, as I&#39;m getting deeper into this JWT stuff, I&#39;m starting to feel as if a custom token implementation or different standard might better suit my needs. Are there any node/express packages for token based authentication that supports token revocation and rotating tokens?

Would appreciate any advice.

[1]: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7

Content Type	Original Author	Original Content on Stackoverflow
Question	Jamsheer	View Question on Stackoverflow
Solution 1 - Saml	MvdD	View Answer on Stackoverflow
Solution 2 - Saml	Premraj	View Answer on Stackoverflow
Solution 3 - Saml	Jamsheer	View Answer on Stackoverflow

Difference between JWT and SAML?

Saml Problem Overview

Saml Solutions

Solution 1 - Saml

Solution 2 - Saml

Solution 3 - Saml

Python boto, list contents of specific dir in bucket

Overlapping circles in CSS with 1 div

Attributions

Term in SAML	Term in OAuth	Description
Client	Client	Example: A web browser
Identity Provider(IdP)	Authorization Server	Server that owns the user identities and credentials
Service Provider(SP)	Resource Server	The protected application

Use case	Standard to use
Access to application from a portal	SAML
Centralized identity source	SAML
Enterprise SSO	SAML
Mobile use cases	OAuth(preferably with Bearer Tokens)
Permanent or temporary access to resources such as accounts, files	OAuth