Integrating highly critical applications with governance solutions allows you to manage your identity and security processes more efficiently and effectively. Identity management protocols enable the identity provider (the system that stores the digital identities) to send users’ credentials to the service provider for authentication and authorization before allowing the user the level of access that the system has assigned.
Identity management protocols vary based on what type of assets need to be authenticated (for example, web assets or operating systems). The market has a variety of standard identity management protocols. Here are eight of the most-common ones.
LDAP.
The Lightweight Directory Access Protocol, or LDAP, is a popular protocol for on-premise directories such as Microsoft’s Active Directory. One of the oldest identity management protocols established by the industry, LDAP stores and arranges data—such as user or device information— so it’s easy to search.
LDAP runs above the TCP/IP stack to search the directory contents and relay the authentication and authorization information. Legacy LDAP by itself is not a secure protocol because it’s based on plain text, and organizations have been moving to LDAPS, or LDAP over SSL. LDAPS enables the encryption of LDAP data in transit between server and client, preventing credential theft.
SAML.
Security Assertion Markup Language, or SAML, is an open-standard identity management protocol commonly used for single sign-on (SSO), which allows users to share the same credentials across different services and applications. SAML links users’ identities and attributes—which may be stored in different identity management systems—with SSO to provide a seamless user login experience.
SAML uses extensible markup language (XML) to communicate between the identity provider and the service provider (such as a SaaS application), and to assert the user authentication. This technology eliminates password use by relying on digital signatures instead. For the authentication process to work, both the service and the identity providers must use the same configurations.
SCIM.
System for Cross-domain Identity Management, or SCIM, is an open-standard protocol for cloud-based applications and services. It provides a common user schema to automate provisioning for apps such as Microsoft 365, G Suite, Slack, and Salesforce.
SCIM streamlines processes by synchronizing user data between applications. For example, when you onboard a new employee and create an Active Directory record, a SCIM connector can automatically provision the new user to your organization’s cloud services. Likewise, when the employee leaves the company, admins only need to terminate the user in the central directory to revoke access to all the SCIM-enabled apps.
OAuth.
OAuth is an open-standards identity management protocol that provides secure access for websites, mobile apps, and Internet of Things and other devices. It uses tokens that are encrypted in transit and eliminates the need to share credentials. OAuth 2.0, the latest release of OAuth, is a popular framework used by major social media platforms and consumer services, from Facebook and LinkedIn to Google, PayPal, and Netlix.
Typically, OAuth scenarios include unrelated services or websites and is primarily used to authorize the user. The framework doesn’t provide a mechanism that shows who the user actually is or how the user authenticated. Rather, users delegate an app to act on their behalf, with the token serving as the delegation method.
OpenID.
OpenID is an open-standard, decentralized authentication protocol that can be used across multiple websites and applications. Like with OAuth, users don’t need to log in and share credentials. OpenID-enabled websites, apps, and services delegate user authentication to OpenID providers, which include Google and Microsoft.
With the release of the OpenID Connect (which uses public-key encryption), OpenID became a widely adopted authentication layer for OAuth. Like SAML, OpenID Connect (OIDC) is widely used for SSO, but OIDC uses REST/JSON instead of XML. By using REST/JSON protocols, OIDC was designed to work with both native and mobile apps, whereas the primary use case for SAML is web-based apps.
XACML.
Another XML-based protocol, XACML stands for eXtensible Access Control Markup Language. It’s a structured language specific to identity and access management (IAM) solutions that use attribute-based access control (ABAC) or policy-based access control (PBAC)—which grants access rights by using policies made of attributes that work together.
The advantage of XACML is that it’s flexible and dynamic and allows for fine-grained controls that have complex authorization mechanisms. XACML is tightly intertwined with SAML architecture because it was originally designed to support the SAML basic authorization decision query protocol; however, XACML can be used for other access control and authorization systems that need finer, granular access controls.
RADIUS.
RADIUS, which stands for Remote Authentication Dial-In User Service, is a protocol for authenticating and authorizing remote and wireless network access. RADIUS runs on the application layer and can also be used for accounting and reporting network activity.
RADIUS uses a client (typically a network access server) to pass user information to a designated server (like a daemon process). When the server receives a connection request and authenticates the user, it returns configuration data for the client to deliver the service to the end-user. RADIUS supports a variety of authentication mechanisms. While it was originally indented for use cases such as point-to-point protocol (PPP) for dial-up and DSL internet providers, RADIUS has evolved and can be implemented for secure web forms using HTPPS, Wi-Fi controls, and VPN access.
Kerberos.
Another network authentication protocol, Kerberos uses symmetric-key cryptography to provide strong authentication for applications that use a client-server model (running on a client computer but making requests to a remote server). Developed by the Massachusetts Institute of Technology, Kerberos is an open-source protocol that authenticates service requests between trusted hosts across an untrusted network such as the internet.
Kerberos is the default authorization protocol in Microsoft Windows and has also been implemented in other operating systems such as Linux and Apple OS. It’s also popular for SSO, especially for large networks. For SSO processes, Kerberos can use different authentication methods, including passwords, NFC devices, and smart cards.
Wrapping up.
Regardless of what identity management protocols you implement, they often add complexity to your identity ecosystem. But you can simplify your identity governance and administration (IAG) by taking advantage of the connectors integrated into many of the IAM solutions.
Some integrations are available out of the box, while others are provided for standard protocols such as SCIM or Auth 2.0. The connectors make it easy to configure your protocols and save admins time. When you assess IAG and IAM solutions, consider what capabilities they offer to do the heavy lifting for you.
