Sunday, May 23, 2010

Final Showdown


We can clarify the differences between the SAML and AWS authentication schemes by building a table that lists the method, description, English description (what it really means), and then some benefits and drawbacks.


Spec Description

English Description




The holder of a specified key is considered to be the subject of the assertion by the asserting party

“Verify this signed blob to reconfirm the subject”

Strong authentication by the receiver  of the subject.

Additional per-message signature verification processing. Requires additional trust processing for the public key;


Indicates that no other information is available about the context of use of the assertion

“Just trust me”

Fast and simple, no additional signature processing; if you trust the sender no additional processing is required

No additional confirmation possible; may require out-of-band or additional authentication



The subject of the assertion is the bearer of the assertion, subject to some optional constraints

“I am the subject”

Fast and simple, no additional signature processing

No additional confirmation possible; may require additional out-of-band or additional authentication

Amazon HMAC Authenticator

You calculate a keyed-hash message authentication code (HMAC-SHA) signature using your Secret Access Key

“Look-up the password for a specific user account and generated a message authentication code for the received message”

 Fast and simple;

 Additional per-message HMAC processing; authenticators are not guaranteed to be unique per user-id;  Non-standard code development required


As you can see, the mechanisms are quite different, especially between the AWS HMAC and the SAML confirmation methods. It may be useful to remember that of all four mechanisms, holder-of-key is the strongest because it ties the subject back to a specific private key. However, comparing AWS to SAML confirmation methods is a little bit like comparing apples and oranges because the confirmation method itself is independent of the outer digital signature (in the case of a signed WS-Security message) or the inner digital signature (in the case of a signed SAML assertion) that adds extra integrity checking and non-repudiation to the SAML structure. In many cases, when confirmation methods like sender-vouches and bearer are used, this is in the context of a signed assertion, so even though we may not be able to reconfirm the subject explicitly, trusting the issuer itself is enough to guarantee the authenticity of the subject for some security models.


  1. Finally, someone who can explain this in plain english. thank you.

  2. Agreed ! Finally there is someone who explained everything very clearly in plain English. This is very informative post for me. You cleared my all confusion about each and every method. :-)
    digital signature certificate