Identity and Access Management. Part 3: Protocols
In part 1 of this series we covered Authentication and Authorization.
In part 2 we covered Identity Federation, Authentication Brokers, and Identity Providers.
Now let's look at some of the common protocols that implement them.
Protocols
- Security Assertion Markup Language (SAML) — Introduced in 2001: SAML is an XML-based protocol for exchanging authentication and authorization data between an Identity Provider (IdP) and Service Providers (SPs). It enables SSO and federated identity management. SAML defines how assertions about user identities are generated, transmitted, and validated.
  Examples: Logging into a cloud-based service using credentials from an organization’s internal IdP.
  Tools: Open-source: Keycloak, Shibboleth. Paid: Okta, Azure Active Directory.
- OAuth 2.0 — Introduced in 2012: OAuth 2.0 is an industry-standard protocol for delegated authorization, allowing users to grant third-party applications limited access to their resources. It separates authorization from authentication, enabling secure and controlled access to protected resources.
  Examples: Authorizing a social media application to access a user’s profile information on another platform, such as Facebook.
  Tools: Open-source: Keycloak, Spring Security. Paid: Okta, Azure Active Directory.
- OpenID Connect — Introduced in 2014: OpenID Connect is an identity layer built on top of OAuth 2.0 that provides authentication. It adds an authentication layer to the OAuth 2.0 framework, allowing applications to verify the identity of the end user. OpenID Connect carries identity assertions in JSON Web Tokens (JWT), the ID token.
  Examples: Using OpenID Connect for user authentication in a web or mobile application.
  Tools: Open-source: Keycloak, Spring Security. Paid: Okta, Azure Active Directory.
- Lightweight Directory Access Protocol (LDAP) — Introduced in 1993: LDAP is a protocol for accessing and managing directory services. It is commonly used for centralized user authentication, directory services, and storing user attributes. LDAP allows applications to query and modify directory information.
  Examples: Using LDAP to authenticate users against a central directory server in an organization.
  Tools: Open-source: OpenLDAP, Apache Directory Server. Paid: Microsoft Active Directory (AD), IBM Security Directory Server.
- Kerberos — Introduced in the 1980s: Kerberos is a network authentication protocol that provides secure authentication for client-server applications. It uses tickets to authenticate users and encrypts communication between clients and servers, reducing the risk of credential interception or replay attacks.
  Examples: Authenticating users in a Windows Active Directory domain environment.
  Tools: Microsoft Active Directory (AD), MIT Kerberos.
These protocols have been widely adopted and provide standardized mechanisms for authentication and authorization in various scenarios. Organizations can choose the most suitable protocol based on their requirements, compatibility with existing systems, and the level of security and interoperability needed. Implementing these protocols often involves leveraging identity management platforms, such as Keycloak, Okta, or Azure Active Directory, which provide built-in support for these authentication and authorization protocols.
To get deeper into the topic, please follow the remaining parts of this series here.