A core, foundational element to understand about identity and access management (IAM) solutions is the authentication protocols they support.
Identity solutions often depend on industry-standard authentication protocols. Unfortunately, different types of IT resources generally support different authentication protocols.
Different Authentication Protocols Make Things Complicated
Organizations have a mixture of all of these types of resources, but their identity and access management solutions may support only one or a couple of these authentication protocols. That causes IT organizations to build a collection of solutions that ultimately comprise their entire IAM infrastructure.
Generally, this type of cobbled-together infrastructure gets the job done. But rarely does it work efficiently and securely, and in a way that requires minimal maintenance. And that should be your goal with an identity management architecture.
The best approach is to determine which authentication protocols are in use (or should be), find an identity management solution that supports those protocols, and then employ one single IAM solution that doesn't have to be modified just to reach bare minimum functionality.
So What Authentication Protocols Are You Using?
Below, we provide an overview of the major identity protocols in use today.
Native Authentication
Okay, so native authentication isn't exactly a protocol. In fact, it's just the opposite.
We include it on this list to emphasize the point that most devices have their own authentication mechanisms. While some devices can access LDAP, for example, the challenges to connect those devices to LDAP are significant.
Specifically, Windows and macOS devices are challenging to manage with third-party protocols. As a result, while there may not be a specific protocol, the APIs to create and manage users on Windows, Mac, and Linux® devices are critical for any identity management solution.
LDAP
One of the oldest and most durable authentication protocols, LDAP has been an industry standard since the mid-1990s. Lightweight Directory Access Protocol is often used for connecting to Linux devices, NAS devices / file servers, and more technical applications, as in DevOps environments. Many on-premises applications and storage devices still authenticate via LDAP.
LDAP is flexible and customizable, which is powerful, but it is notoriously difficult to configure and administer. In recent years, cloud-based and managed LDAP solutions have emerged to streamline LDAP's capabilities for organizations.
Use LDAP for: Linux devices, NAS devices/file servers, technical applications, on-prem applications.
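Because LDAP is so often the backend for technical applications that look users up before authenticating them, the common mistake in LDAP integrations is building a search filter or DN from user input without escaping. The following added example (written for this page, not code from any vendor or project mentioned) shows the escaping rules from RFC 4515 (search filters) and RFC 4514 (distinguished names) next to an unescaped builder; the base DN ou=People,dc=example,dc=com and the inetOrgPerson object class are assumed values for illustration.

```python
# RFC 4515 filter escaping and RFC 4514 DN escaping for user-supplied values.
# Added illustration; the base DN and object class are assumptions.

BASE_DN = "ou=People,dc=example,dc=com"  # assumed directory layout

# RFC 4515 section 3: these characters must be encoded as \XX inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    for ch in value:
        if ch in ',+"\\<>;':
            out.append("\\" + ch)      # specials get a leading backslash
        elif ch == "\x00":
            out.append("\\00")          # NUL is hex-escaped
        else:
            out.append(ch)
    escaped = "".join(out)
    # A leading '#' or space and a trailing space are also significant and must be escaped.
    if value[:1] in ("#", " "):
        escaped = "\\" + escaped
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_user_filter_unsafe(username: str) -> str:
    """The pattern to avoid: the username is interpolated into the filter verbatim."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"


def build_user_filter(username: str) -> str:
    """Hardened form: the username can only ever match as a literal uid value."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def build_user_dn(username: str) -> str:
    """Build the DN the application will bind as after locating the user."""
    return f"uid={escape_dn_value(username)},{BASE_DN}"


if __name__ == "__main__":
    for name in ("alice", "a*", "Smith, John"):
        print(build_user_filter_unsafe(name))
        print(build_user_filter(name))
        print(build_user_dn(name))
```

The usual integration flow is: bind with a low-privilege service account, search with `build_user_filter`, then bind again as the DN returned by the search using the user's password. Escaping matters at the first step because a wildcard or parenthesis in the input changes what the filter matches, not merely what it returns.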
Kerberos
Invented at MIT, Kerberos is used extensively under the hood by Microsoft as the authentication protocol for Windows and Windows-related systems.
The primary benefit in Windows networks is the ability to automatically sign in users to any resources connected to the domain. With the steady move to SaaS-based applications, Kerberos has become a less important authentication protocol, but it is still used widely by Microsoft for their on-prem domain controller.
Also, it's important to note that, with the changing IT landscape, many organizations have shifted away from an on-prem domain to the domainless enterprise architecture, relegating Kerberos to be somewhat less relevant than it was a decade or so ago.
Use Kerberos for: Windows systems, on-prem Microsoft applications / server infrastructure.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is an authentication protocol primarily used by networking solutions such as wireless networks, VPNs, and network infrastructure equipment. RADIUS servers generally connect back to a central directory service which contains user credentials. RADIUS was used mainly by ISPs and the like early on, but has since been repurposed to control Wi-Fi networks and VPNs.
As with LDAP, there are options for companies that would rather not deal with their own RADIUS servers. RADIUS-as-a-Service (RaaS) provides you with pre-built, pre-configured, scalable, redundant, and fully managed and maintained RADIUS servers.
Use RADIUS for: wireless networks, VPNs, network infrastructure equipment.
SAML
Security Assertion Markup Language (SAML) is the authentication protocol most often associated with single sign-on solutions for web applications. The open standard is employed widely by service providers (web application providers) and identity providers (web application SSO solutions).
SAML implementations are defined by an identity provider and a service provider. A service provider is, for example, a web application that a user wants to access. The service provider will request authentication from an identity provider, which is ultimately backed by a directory service. Historically, identity providers were merely proxies for the core directory service, but with platforms such as Directory-as-a-Service, those functions (IdP & SSO) are merging.
SAML has made great inroads into the web application sector, but is generally not relevant for devices and generally not used by internal applications due to the overhead to adopt it.
Use SAML for: web applications.
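The paragraph above describes the SAML exchange from the service provider's side: the SP hands the user to the identity provider and gets back an assertion vouching for them. The checks the SP must make on that assertion before creating a session are where most SAML mistakes live. The added example below (written for this page, not code from the original post or any SSO vendor) validates a constructed SAML 2.0 Response against the issuer, audience, recipient and time window; the entity IDs, ACS URL and assertion contents are all made-up sample values. It assumes the XML signature has already been verified by a proper XML-DSig library, since none of these checks mean anything on an unsigned or unverified document.

```python
# Service-provider-side validation of a SAML 2.0 Response. Added illustration;
# the identifiers below are constructed sample values, not real endpoints.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production to resist XML bombs/XXE

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

IDP_ENTITY_ID = "https://idp.example.com/metadata"   # assumed IdP entity ID
SP_ENTITY_ID = "https://sp.example.com/metadata"     # assumed SP entity ID
ACS_URL = "https://sp.example.com/acs"               # assumed Assertion Consumer Service URL

# Constructed sample Response; the Signature element is omitted because this code
# assumes signature verification already happened.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAML_NS['samlp']}" xmlns:saml="{SAML_NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(text: str) -> datetime:
    """Parse the UTC timestamps SAML uses (with or without fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML timestamp {text!r}")


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                       acs_url: str, now: datetime) -> str:
    """Check a (signature-verified) Response and return the asserted NameID."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", SAML_NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("Response was not addressed to this ACS URL")
    assertions = root.findall("saml:Assertion", SAML_NS)
    if len(assertions) != 1:           # refuse ambiguous multi-assertion responses
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:  # an assertion for another SP must not log anyone in here
        raise ValueError("assertion not intended for this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, acs_url):
            raise ValueError("SubjectConfirmationData Recipient mismatch")
        if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")):
            raise ValueError("subject confirmation expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise ValueError("Assertion has no NameID")
    return name_id


def try_validate(now_text: str, audience: str = SP_ENTITY_ID) -> str:
    """Run the sample Response through validation at a chosen time; report the outcome."""
    try:
        return validate_assertion(SAMPLE_RESPONSE, IDP_ENTITY_ID, audience, ACS_URL, parse_time(now_text))
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(try_validate("2024-01-01T12:01:00Z"))   # inside the window: returns the NameID
    print(try_validate("2024-01-01T12:06:00Z"))   # after NotOnOrAfter: rejected
```

Note the order of operations in a real SP: verify the signature first, then run these checks, then look up or provision the user named by the NameID in the directory that backs the IdP. Replay protection (remembering assertion IDs until they expire) and checking InResponseTo against the AuthnRequest the SP issued are the two further checks a production implementation adds.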
OpenID
Another authentication mechanism for web applications, OpenID has gained some adoption due to support from significant consumer-facing web applications such as Google® and Yahoo!. OpenID works similarly to SAML but is less complex to implement.