Thursday, May 13, 2010

Token Comments: SAML and AWS Authentication

We are now at a point where enterprises are beginning to use cloud-based services such as Amazon Web Services alongside more traditional WS-* services, and the confusion continues to grow around which tokens and token options are appropriate for a given security model. A common area of confusion concerns SAML and its different subject confirmation methods (bearer, holder-of-key, and sender-vouches) and how these compare with the security model used by Amazon Web Services, which is a hash-based message authentication code (HMAC) scheme: each request is signed with a shared secret rather than accompanied by a token. What is the difference between these security models? Which is more secure? How do the models differ in practice?

For those just getting started in this area, let's provide a short primer. SAML stands for Security Assertion Markup Language. It is an XML-based standard for conveying authentication and authorization information across security domains. Amazon Web Services (AWS) are cloud services such as storage (S3) and compute capacity (EC2) that are accessed over HTTP using either REST or SOAP protocols.
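As an added illustration (not code from the original post, and not Amazon's own implementation), the following Python reproduces the HMAC-based request signing used by the S3 REST API in this period: the client builds a canonical string from the HTTP verb, selected headers, the Date and the resource, computes an HMAC-SHA1 over it keyed with the secret access key, and sends the Base64 result in the Authorization header; the server recomputes the same value from the request it actually received. The function names, the constructed request, and the 15-minute clock-skew tolerance in verify() are this example's own choices; the credential strings follow the placeholder format AWS uses in its documentation and are not real keys.

```python
"""S3-style HMAC request signing (the AWS S3 REST authentication scheme),
written as a self-contained illustration rather than taken from any SDK.
Function names, the sample request and the skew window are assumptions
made for this example."""
import base64
import hashlib
import hmac
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed placeholder credentials in the format AWS uses for its own
# documentation examples; they are not real keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

MAX_SKEW = timedelta(minutes=15)  # assumed tolerance for the Date header


def string_to_sign(method, content_md5, content_type, date, amz_headers, resource):
    """Build the canonical string the HMAC is computed over.

    amz_headers: dict of x-amz-* headers (name -> value). They are lowercased,
    sorted and emitted as 'name:value\\n' so both sides agree on byte order.
    resource: the canonicalized resource, e.g. '/bucket/key'.
    """
    canonical_amz = "".join(
        f"{name.lower()}:{amz_headers[name].strip()}\n"
        for name in sorted(amz_headers, key=str.lower)
    )
    return "\n".join([method, content_md5, content_type, date,
                      canonical_amz + resource])


def sign(secret, to_sign):
    """HMAC-SHA1 over the canonical string, Base64-encoded for the header."""
    digest = hmac.new(secret.encode("utf-8"), to_sign.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(access_key, secret, **request):
    """Value of the 'Authorization' header: 'AWS <access key>:<signature>'."""
    return f"AWS {access_key}:{sign(secret, string_to_sign(**request))}"


def sent_at(request):
    """Parse the RFC 1123 Date header of a request into an aware datetime."""
    return parsedate_to_datetime(request["date"])


def verify(access_key, secret, header, now, **request):
    """Server-side check: recompute the signature from the request as received
    and compare in constant time; reject a stale Date so a captured request
    cannot be replayed indefinitely."""
    try:
        scheme, rest = header.split(" ", 1)
        key_id, presented = rest.split(":", 1)
    except ValueError:
        return False
    if scheme != "AWS" or key_id != access_key:
        return False
    try:
        when = sent_at(request)
    except (TypeError, ValueError):
        return False
    if abs(now - when) > MAX_SKEW:
        return False
    expected = sign(secret, string_to_sign(**request))
    return hmac.compare_digest(expected, presented)


# Constructed request: a GET for one object with no body, no Content-Type and
# no x-amz-* headers, so those canonical lines are empty.
REQUEST = dict(method="GET", content_md5="", content_type="",
               date="Tue, 27 Mar 2007 19:36:42 +0000",
               amz_headers={}, resource="/johnsmith/photos/puppy.jpg")


def run_checks():
    """Sign the sample request once, then present that header in four ways."""
    header = authorization_header(ACCESS_KEY, SECRET_KEY, **REQUEST)
    now = sent_at(REQUEST)
    other = dict(REQUEST, resource="/johnsmith/photos/kitten.jpg")
    return {
        "valid": verify(ACCESS_KEY, SECRET_KEY, header, now, **REQUEST),
        # Same header reused for a different object: the HMAC no longer matches.
        "tampered": verify(ACCESS_KEY, SECRET_KEY, header, now, **other),
        # Same header replayed an hour later: outside the skew window.
        "stale": verify(ACCESS_KEY, SECRET_KEY, header,
                        now + timedelta(hours=1), **REQUEST),
        # Malformed header: no scheme/key/signature structure to check.
        "malformed": verify(ACCESS_KEY, SECRET_KEY, "garbage", now, **REQUEST),
    }


if __name__ == "__main__":
    print(authorization_header(ACCESS_KEY, SECRET_KEY, **REQUEST))
    print(run_checks())
```

The contrast with a SAML bearer assertion is the point of the exercise: whoever holds a bearer assertion can present it to any relying party in its audience for as long as it is valid, whereas the HMAC signature above is bound to one verb, one resource and one Date, so a captured header is useless for a different object or after the skew window closes. In that respect the AWS scheme is closer in spirit to holder-of-key than to bearer, with the shared secret playing the role of the key.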

Going right to the source:

The practical point for an enterprise architect is that, as cloud computing continues to grow, a dynamic enterprise perimeter is created that extends beyond the datacenter. It is dynamic because outside services are added over time and may eventually be incorporated on demand. Business needs may require several types of tokens. Decisions must be made about which methods fit the security model and how to translate between one token and another when necessary.

Next: Exploring SAML
