Salesforce Certified Identity and Access Management Practice


Master the Salesforce Certified Identity and Access Management exam with our comprehensive quiz. Tackle multiple choice questions with hints and explanations. Prepare efficiently for your certification!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Why would Salesforce choose to combine OAuth and SAML for single sign-on?

  1. OAuth means users can connect to apps

  2. Apps now use web browsers to authenticate instead of code

  3. SAML authenticates users

  4. Authentication and Authorisation are separated, so SAML can be run instead of asking for a username and password

The correct answer is: Authentication and Authorisation are separated, so SAML can be run instead of asking for a username and password

The choice of combining OAuth and SAML for single sign-on is founded on the principle of effectively separating authentication from authorization. SAML (Security Assertion Markup Language) primarily deals with authentication, verifying the identity of users, while OAuth focuses on authorization, granting access to resources based on the permissions assigned.

In a typical single sign-on implementation, when a user logs in, SAML is responsible for providing the authentication token that confirms their identity. Subsequently, OAuth comes into play to manage what the authenticated user is permitted to do once logged in, thus enhancing the security and functionality of the system. This separation allows organizations to implement a more flexible and secure architecture where users do not need to repeatedly enter their credentials.

By having a system where SAML handles the authentication aspect independently of OAuth's authorization capabilities, Salesforce can provide a seamless user experience while maintaining security protocols. The other choices, while they have some relevance to the overall discussion, do not capture the core reason why combining these two protocols is beneficial in the context of single sign-on.