What Is Delegated Authentication?

Using a single digital identity for multiple logins was always considered risky from a cybersecurity perspective in the early days of the internet. And it is indeed true because the architecture of the early internet didn’t permit federated or delegated authentication. This partly explains why digital identities were dispersed across multiple websites and applications in those days. 

For example, whenever you wanted to access a new application or website, you had to make up credentials that were later stored on that platform. However, logging with different credentials into various websites and applications one by one was inconvenient, time-consuming, and disrupted the workflow. 

Developers began to realize these authentication challenges as the web grew more complex and interconnected. Recently, we’ve witnessed the emergence of federated and delegated identity management solutions, most noticeably in what we often call single sign-on (SSO). 

In this post, we’ll explore what delegated authentication is, how it works, its advantages, and how the JumpCloud Directory Platform^® can help you implement it in your organization.

Delegated Authentication Explained

Delegated authentication links a user’s identity across multiple identity and access management (IAM) systems. The “delegation” aspect in delegated authentication simply means that your apps rely on another platform — aka an identity provider (IdP) — to verify the user’s login credentials. 

Delegated authentication builds on SSO techniques to provide an improved experience to users. Typically, it extends secure access beyond web applications by brokering established IAM policies and credentials from one IdP to services offered by an open directory.

The IdP can be, for example, a Lightweight Directory Access Protocol (LDAP) server or a cloud-based directory platform, such as JumpCloud. Delegated authentication allows users to have seamless and appropriate access to enterprise resources. The terms “delegated authentication” and “federated authentication” are sometimes used interchangeably, albeit with different meanings.

Both forms of authentication are vital IAM elements of robust cybersecurity defense strategies, and validate that login credentials are accurate. In both authentication forms, the application relies on external parties involving the IdP to authenticate users to a service provider (SP) based on a trust relationship that has already been configured. 

However, while federated authentication largely focuses on web-based applications, delegated authentication goes even further by extending SSO to all the network resources. To demonstrate the power of delegated authentication, let’s consider a protocol such as Remote Authentication Dial-In User Service (RADIUS). 

RADIUS is a network protocol commonly used for authenticating and authorizing users who want to connect to embedded routers, modems, software, and wireless apps. In the recent past, IT admins have largely relied on RADIUS servers to enable secure access to Wi-Fi or virtual private networks (VPNs), allowing them to provide remote and on-prem working environments to employees. 

However, this process has often been complex, involving installing and deploying RADIUS servers, configuring network policies, and managing server access. In such circumstances, a better approach to managing enterprise resources would be to use a dedicated cloud RADIUS service provider. 

However, such an approach would increase the complexities of managing identities and their passwords across the on-prem Azure Active Directory (AAD) environment and in the cloud RADIUS solution itself. A delegated authentication solution can resolve this challenge by allowing users to leverage their existing AAD credentials to access RADIUS resources. 

When used in an organization, delegated authentication eliminates the need for duplicate passwords, IAM practices, and network policies across multiple IdPs. It also helps reduce IT admin workloads, allowing them to focus on more productive tasks that promote the organization’s competitive advantages. 

How Delegated Authentication Works

Like federated authentication, delegated authentication allows an SP to accept a user’s login credentials or authentication token but pass the token to an external IdP for validation. For example, you can configure a service provider such as Salesforce to use an LDAP server for validating login credentials. 

This way, you can log into Salesforce directly with your LDAP credentials. The login experience would work behind the scenes like this:

1. You enter your existing credentials on the Salesforce login page.
2. Salesforce securely sends your credentials to the LDAP server to be verified. 
3. LDAP server validates your credentials, returning a true or false result. 
4. If the output is true, Salesforce allows you to access its resources. If false, Salesforce displays an error message indicating invalid credentials.

Delegated Authentication Benefits

A delegated authentication architecture provides numerous benefits over traditional authentication mechanisms. Some of these benefits include:

• Enhanced security. In non-delegated authentication platforms, a user has to log into individual apps with a different set of credentials. Each such login becomes a point of vulnerability, such as man-in-the-middle (MitM) attacks that hackers can exploit. Delegated authentication, on the other hand, reduces the number of logins which minimizes hacking risks. 
• Streamlined user experience. Users provide their login credentials only once to access multiple apps. This enhances user convenience and efficiency. 
• Single-point provisioning. Delegated authentication enables single-point provisioning, making it easier for IT admins to provide secure access to apps to users outside the on-prem enterprise perimeter.
• Cost savings. Companies don’t need to build up their own user identities or manage their own SSO solutions, thus minimizing costs.

Delegated Authentication Use Cases

Delegated authentication is appropriate for authenticating Wi-Fi Protected Access 2 (WPA2)-Enterprise and 802.1x-based applications, switches, and network appliances. When used for these kinds of applications, delegated authentication eliminates the need for physical RADIUS servers and the configurations required on the device endpoints. 

In addition, delegated authentication is useful — much like the federated authentication mechanisms — for apps that need enterprise resources in multiple network domains. Below are a few of these use cases:

• New users that need to be added to the network after a merger or acquisition
• External vendors that need to access the company’s resources
• Users that need to access enterprise resources with credentials from public organizations

Delegated Authentication With JumpCloud

IT admins can leverage JumpCloud’s open directory platform to streamline delegated authentication and consolidate the organization’s IAM requirements, including combining RADIUS services into a unified component. 

JumpCloud Cloud RADIUS — the platform’s extension feature for the RADIUS protocol — extends the company’s user identities to Wi-Fi, VPN, and other resources that support the RADIUS protocol. IT admins can use this feature to create a cloud RADIUS server without the hassles of on-prem physical servers and quickly roll out a service that securely authenticates users to VPNs, switches, and other network appliances. 

Learn more about why you should consider using JumpCloud’s hosted RADIUS.