
Appendix B. Relationship of JWTs to SAML Assertions

SAML 2.0 [OASIS.saml-core-2.0-os] provides a standard way to represent security assertions, with greater expressiveness and more security options than JWTs support. SAML assertions are XML-based and are secured with XML Signature, which makes them relatively verbose and complex to process: XML Signature requires the XML to be canonicalized before it is signed or verified.

JWTs represent similar information compactly using JSON instead of XML. The compact serialization consists of base64url-encoded segments joined by periods, so a token contains only URL-safe characters and fits into space-constrained locations such as HTTP Authorization headers and URI query parameters without further escaping.

Like SAML assertions, JWTs can be signed and/or encrypted to protect their contents. JWTs use the JOSE (JSON Object Signing and Encryption) standards for this: JWS for integrity protection with HMACs or digital signatures, and JWE for confidentiality. SAML uses XML Signature and XML Encryption. Note that a JWT that is only signed carries its claims in the clear; anyone holding the token can read them, and only encryption with JWE keeps them confidential.
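The following added example, which is not part of this appendix or of any JOSE library, shows the compact JWS serialization described above: an HS256-signed JWT built from JSON segments with the standard library only, a verifier that pins the expected algorithm, compares the MAC in constant time and checks "exp", and the token placed in an Authorization header. The key, claims and timestamps are constructed for the demonstration, and `verification_outcome` is a helper of this example rather than a JOSE concept.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JOSE uses base64url without padding, so the result is URL-safe.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Restore the padding that the compact serialization strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) over a JSON claims set."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8")),
    ]
    # The MAC covers the ASCII bytes of "header.payload", not the decoded JSON.
    signing_input = ".".join(segments).encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(tag)])


def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """Return the claims if the token is a valid, unexpired HS256 JWS; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified
    # (this rejects "none" and key-confusion attempts with other algs).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # RFC 7519: the current time must be before "exp".
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def verification_outcome(token: str, key: bytes, now: int) -> str:
    """Helper for this example: 'ok' or the reason the verifier rejected the token."""
    try:
        verify_hs256(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def authorization_header(token: str) -> str:
    # The token is already header-safe: only A-Z, a-z, 0-9, '-', '_' and '.'.
    return "Bearer " + token


if __name__ == "__main__":
    key = b"constructed-example-secret-do-not-reuse"   # constructed for the demo
    claims = {"iss": "https://issuer.example", "sub": "alice", "exp": 2000}
    token = sign_hs256(claims, key)
    print(authorization_header(token))
    print("valid at t=1000:", verification_outcome(token, key, 1000))
    print("valid at t=2000:", verification_outcome(token, key, 2000))
    h, p, s = token.split(".")
    forged_header = b64url_encode(b'{"alg":"none"}')
    print("alg=none:", verification_outcome(f"{forged_header}.{p}.", key, 1000))
```

The verifier deliberately reads `alg` only to confirm it matches what the application expects; the key and algorithm come from the verifier's configuration, never from the token.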

While both JWTs and SAML assertions can represent identity and authorization information, they have different syntaxes and processing models, and a JWT is not a full replacement for a SAML assertion. JWTs are the better fit where compactness or ease of implementation matter; SAML remains appropriate where its richer assertion model and security options are needed. In either case the relying party must verify the signature and validate the claims (issuer, audience, expiry) before trusting the token.