Comparison
We can clarify the differences between the SAML subject confirmation methods and the AWS authentication scheme by building a table that lists each method, the specification's description of it, a plain-English description (what it really means), and its benefits and drawbacks.
| Method | Spec description | English description | Benefits | Drawbacks |
|---|---|---|---|---|
| urn:oasis:names:tc:SAML:2.0:cm:holder-of-key | The holder of a specified key is considered to be the subject of the assertion by the asserting party. | "Verify this signed blob to reconfirm the subject." | Strong authentication of the subject by the receiver. | Additional per-message signature verification processing; requires additional trust processing for the public key. |
| urn:oasis:names:tc:SAML:2.0:cm:sender-vouches | Indicates that no other information is available about the context of use of the assertion. | "Just trust me." | Fast and simple, no additional signature processing; if you trust the sender, no additional processing is required. | No additional confirmation possible; may require out-of-band or additional authentication. |
| urn:oasis:names:tc:SAML:2.0:cm:bearer | The subject of the assertion is the bearer of the assertion, subject to some optional constraints. | "I am the subject." | Fast and simple, no additional signature processing. | No additional confirmation possible; may require out-of-band or additional authentication. |
| Amazon HMAC authenticator | You calculate a keyed-hash message authentication code (HMAC-SHA) signature over the request using your Secret Access Key. | "Look up the secret for the given access key and generate a message authentication code over the received message." | Fast and simple. | Additional per-message HMAC processing; the authenticator itself is not bound to a user identity (the access key ID sent alongside it is what selects the secret); requires non-standard, vendor-specific signing code. |
As you can see, the mechanisms are quite different, especially between the AWS HMAC authenticator and the SAML confirmation methods. Of the four, holder-of-key is the strongest because it ties the subject back to a specific private key. However, comparing AWS to the SAML confirmation methods is a little bit like comparing apples and oranges, because a confirmation method is independent of the outer digital signature (in the case of a signed WS-Security message) or the inner digital signature (in the case of a signed SAML assertion) that adds integrity checking and non-repudiation to the SAML structure. In many cases, sender-vouches and bearer are used in the context of a signed assertion, so even though the subject cannot be explicitly reconfirmed, trusting the issuer itself is enough to guarantee the authenticity of the subject under some security models.
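To make the AWS row of the table concrete, here is an added example, written for this page rather than taken from the original article or from any AWS SDK, of the HMAC authenticator pattern with both sides of the exchange: the client canonicalises the request and signs it with its secret access key, and the server looks up the secret by the accompanying access key ID, recomputes the MAC and compares it in constant time. The credential store, the canonical-string layout and the `AWSAccessKeyId`/`Signature` parameter names are assumptions made for illustration, not a byte-for-byte reproduction of any AWS signature version; the key values are AWS's published documentation placeholders, not live credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credential store (hypothetical): access key ID -> secret access key.
# The values are AWS's documentation placeholder credentials, not real ones.
CREDENTIALS = {
    "AKIAIOSFODNN7EXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    """Canonicalise the request so client and server sign exactly the same bytes.

    Query parameters are sorted and percent-encoded, then joined with '&';
    the HTTP method, host and path are prepended, each on its own line.
    This layout is illustrative (assumed for the example), not AWS's exact format.
    """
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([method.upper(), host.lower(), path, canonical_query])


def sign(secret_access_key: str, message: str) -> str:
    """HMAC-SHA256 over the canonical string, base64-encoded for transport."""
    mac = hmac.new(
        secret_access_key.encode("utf-8"), message.encode("utf-8"), hashlib.sha256
    ).digest()
    return base64.b64encode(mac).decode("ascii")


def client_sign_request(access_key_id, secret_access_key, method, host, path, params):
    """Client side: return the query parameters with the key ID and Signature attached.

    The key ID is included in the signed parameters so the server can rebuild the
    identical canonical string; the MAC itself says nothing about who the caller is.
    """
    signed_params = dict(params, AWSAccessKeyId=access_key_id)
    signature = sign(secret_access_key, string_to_sign(method, host, path, signed_params))
    return dict(signed_params, Signature=signature)


def server_verify_request(method, host, path, params) -> bool:
    """Server side: select the secret by key ID, recompute the MAC, compare in constant time."""
    params = dict(params)
    presented = params.pop("Signature", None)
    secret = CREDENTIALS.get(params.get("AWSAccessKeyId"))
    if presented is None or secret is None:
        return False  # unsigned request or unknown key ID
    expected = sign(secret, string_to_sign(method, host, path, params))
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(expected, presented)


def demo():
    """Sign one constructed request, then verify it intact, tampered, and with an unknown key ID."""
    key_id = "AKIAIOSFODNN7EXAMPLE"
    base_params = {"Action": "ListQueues", "Timestamp": "2024-01-01T00:00:00Z"}
    req = client_sign_request(key_id, CREDENTIALS[key_id], "GET", "queue.example.com", "/", base_params)
    intact = server_verify_request("GET", "queue.example.com", "/", req)
    tampered = server_verify_request("GET", "queue.example.com", "/", dict(req, Action="DeleteQueue"))
    unknown = server_verify_request("GET", "queue.example.com", "/", dict(req, AWSAccessKeyId="AKIAUNKNOWN"))
    return intact, tampered, unknown


if __name__ == "__main__":
    print(demo())
```

The tampered and unknown-key cases fail because the server rebuilds the canonical string from what it actually received; any change to the method, host, path or parameters changes the MAC. Note that identity comes entirely from the key ID lookup, which is the drawback the table records: the HMAC proves possession of a secret, not which principal holds it.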