Proton
The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection

When you’re configuring your business network, you need to ensure only authorized employees can access the right tools. But how do you enforce this? There are two common ways: SAML (Security Assertion Markup Language) is used to help you log into your business network and applications with a single login and password, while OAuth (Open Authorization) can authorize third party apps to log in without using your password.

In this article, we’re going to explore two of the common protocols used to authorize and authenticate identities: SAML and OAuth. We’ll also explain which is the best option for your business, and how you can use it to secure your business data.

Protocols: authorization vs. authentication

To begin with, we need to understand authorization and authentication as concepts. When an employee logs into your business network, you need to verify that they are who they say they are and that they have been granted access to your network. To do this, you set up access management protocols. Employees must prove their identities (authentication) and that they’re permitted to access the network (authorization).

Authentication

Authentication works in a similar way to a key card or an access pass. Once an employee shows it, they have access to the network. They’ll need to show it any time they need to re-enter your network. To authenticate an identity, a common protocol is SAML. SAML authorization is commonly used for enterprise applications. Once an employee has verified their identity, they’ll have access to all of the apps and services within your business network and they can use the same single set of credentials to log in to them all. SAML is currently supported by Proton VPN(new window).

Authorization

Authorization grants an employee certain permissions your business network. It’s similar to having a specific level of clearance to perform actions that other employees don’t have the authority to perform. To grant authority within your business network, you can use OAuth. This is a protocol that grants access to a single app or service, generating an access token each time an employee logs in. SAML can also be used for authorization, but as OAuth tends to be more lightweight than SAML, it’s usually the protocol of choice.

What are the benefits of deploying SAML vs. OAuth?

SAML and OAuth can improve security and efficiency for your team. Both protocols allow workers to access multiple apps, services, and networks without relying on many different usernames and passwords. Single sign-on (SSO) is an authentication system which uses protocols including SAML and OAuth to allow workers to use a single set of credentials to access their business networks.

The benefits of using these protocols with SSO and moving away from multiple static passwords include:

  • Improved onboarding and provisioning
  • Reduced requests for password resets
  • Fewer successful phishing or brute force attacks on your network
  • Increased productivity thanks to a lack of login barriers between apps
  • A fully centralized access management system

SAML and OAuth are similar, but not quite the same. Let’s examine how both protocols work in more detail.

What is SAML?

SAML transfers data between an identity provider (IdP) and a service provider (such as a business app like (new window)Proton VPN). Think of it like a security guard at the door of your business network: It ensures everyone who tries to enter is invited to do so. Here’s how that process works in practice:

  • An employee attempts to log in to a business app
  • To verify their identity, the app generates a SAML request
  • The employee is redirected to the IdP which will either ask them to log in or verify that they’ve already logged in to their current session
  • The IdP sends a completed SAML response back to the business app, letting the app know the user’s identity has been verified and they should be granted access

What is OAuth?

OAuth allows employees to grant third-party apps or services access to their information on other apps or services without using a password or login. Instead, access tokens are generated on a per-use basis to grant access. Essentially, it’s a way of sharing authorization between apps without sharing any personal information. Here’s how tokens are generated:

  • An employee attempts to log in to a business app
  • The employee then grants permission to the app to use their data
  • The authorization server creates an access token which is sent to the API server
  • The API server then verifies the access token and the employee is granted access to the app

These tokens are shared between servers, granting access as the employee logs in to different apps. They only verify access on a per-session basis.

OAUTH vs. SAML for beginners: What’s the best choice?

When we think SAML vs. OAuth, you don’t actually have to choose between one and the other. OAuth and SAML are both useful protocols that make it easier to work efficiently. They’re open-standard frameworks which can be used by businesses of any size in any industry to improve their access management. But authorization and authentication are different tools. You can deploy both if you choose, but if you’re looking for a place to start we recommend SAML.

While helping employees move from app to app seamlessly is convenient, verifying their identity is essential. If your business network can guarantee that all visitors have permission to do so, you reduce your risks of being affected by a data breach. Although SAML can be more complicated to deploy, we’d argue that it’s worth investing your time for the security benefits.

SAML is usually used alongside SSO, which is a session user and authentication service. Deploying enterprise SSO using a password manager helps employees not only work faster but protect your business data. Storing valuable information in an end-to-end encrypted environment which is managed by an admin gives additional protection beyond identity management.

SSO will become available for Proton Pass for Business customers in January 2025. You’ll be able to benefit from all of the security, efficiency, and speed that SSO and SAML working together can bring using a password manager built to protect your business’s privacy. If you don’t have a Proton Pass for Business plan yet, subscribe today or try our Free plan to experience the convenience of a secure password manager.

Protect your passwords
Create a free account

Related articles

Proton Lifetime Fundraiser 7th edition
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.
A graphic interpretation of a block of how many gigabytes in a terabyte
Learn how many GB are in a TB and discover the best way to securely store and share your files — no matter their size.