Which Protocols Should Be Used for IAM?

Written by Zach DeMeyer on August 6, 2020

Share This Article

A core, foundational element to understand with identity and access management (IAM) solutions is protocols.

Identity solutions often depend on industry-standard authentication protocols. Unfortunately, different types of IT resources generally support different authentication protocols. 

Different Authentication Protocols Make Things Complicated

Organizations have a mixture of all of these types of resources, but their identity and access management solutions may only support only one or a couple of these authentication protocols. That causes IT organizations to build a collection of solutions that ultimately comprise their entire IAM infrastructure.

Generally, this type of cobbled together infrastructure gets the job done. But rarely does this work efficiently and securely, and in a way that requires minimal maintenance. And, that should be your goal with an identity management architecture.

The best approach is to determine which authentication protocols are in use (or should be), find an identity management solution that supports those protocols, and then employ one single IAM solution that doesn’t have to be modified just to reach bare minimum functionality.

So What Authentication Protocols Are You Using?

Below, we provide an overview of the major identity protocols in use today.

Native Authentication

Okay, so native authentication isn’t exactly a protocol. In fact, it’s just the opposite.

We include it on this list to emphasize the point that most devices have their own authentication mechanisms. While some devices can access LDAP, for example, the challenges to connect those devices to LDAP are significant.

Specifically, Windows and macOS devices are challenging to manage with third party protocols. As a result, while there may not be a specific protocol, the APIs to create and manage users on Windows, Mac, and Linux® devices are critical for any identity management solution.

LDAP

One of the oldest and most durable authentication protocols, LDAP has been an industry standard since the mid-1990s. Lightweight Directory Access Protocol is often used for connecting to Linux devices, NAS devices / file servers, and more technical applications, as in DevOps environments. Many on-premises applications and storage devices still authenticate to the LDAP protocol.

LDAP is flexible and customizable, which is powerful, but it is notoriously difficult to configure and administer. In recent years, cloud-based and managed LDAP solutions emerged to streamline LDAP’s capabilities for organizations.

Use LDAP for:  Linux devices, NAS devices/file servers, technical applications, on-prem applications.

Kerberos

Invented at MIT, Kerberos is used extensively under the hood by Microsoft as the authentication protocol for Windows and Windows-related systems.

The primary benefit in Windows networks is the ability to automatically sign-in users to any resources connected to the domain. With the steady move to SaaS-based applications, Kerberos has become a less important authentication protocol, but it is still used widely by Microsoft for their on-prem domain controller.

Also, it’s important to note that, with the changing IT landscape, many organizations have shifted away from an on-prem domain to the domainless enterprise architecture, relegating Kerberos to be somewhat less relevant than it was a decade or so ago.

Use Kerberos for:  Windows systems, on-prem Microsoft applications / server infrastructure

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is an authentication protocol primarily used by networking solutions such as wireless networks, VPNs, and network infrastructure equipment. RADIUS servers generally connect back to a central directory service which contains user credentials. RADIUS was primarily used by ISPs and the like early on, but has since been repurposed to control WiFi networks and VPNs.

As with LDAP, there are options for companies that would rather not deal with their own RADIUS servers. RADIUS-as-a-Service (RaaS) provides you with pre-built, pre-configured, scalable, redundant, and fully managed and maintained RADIUS servers.

Use RADIUS for:  wireless networks, VPNs, network infrastructure equipment.

SAML

Security Assertion Markup Language (SAML) is the authentication protocol most often associated with single sign-on solutions for web applications. The open standard is employed widely by service providers (web application providers) and identity providers (web application SSO solutions).

SAML implementations are defined by an identity provider and a service provider. A service provider is, for example, a web application that a user wants to access. The service provider will request authentication from an identity provider, which is ultimately backed by a directory service. Historically, identity providers were merely proxies for the core directory service, but with platforms such as Directory-as-a-Service, those functions (IdP & SSO) are merging.

SAML has made great inroads into the web application sector, but is generally not relevant for devices and generally not used by internal applications due to the overhead to adopt it.

Use SAML for: web applications.

OpenID

Another authentication mechanism for web applications, OpenID has gained some adoption due to support from significant consumer facing web applications such as Google® and Yahoo!. OpenID works similar to SAML but is less complex to implement. Using OpenID, a third party web application could allow users to log in to their services via a Google, Microsoft, Facebook, Twitter, or Yahoo ID, for example.

This authentication mechanism is used for consumer facing web applications, although it is starting to gain some traction in business scenarios due to the popularity of G Suite™ (formerly Google Apps for Work).

Use OpenID for: web applications.

JumpCloud

Securely connect to any resource using Google Workspace and JumpCloud.

OAuth

A similar protocol to OpenID, OAuth is used by major consumer Internet sites such as Google, Facebook, and Twitter to federate their identities to third party sites.

Use OAuth for:  web applications.

TACACS

Adopted extensively in the network infrastructure market, TACACS is a relatively simple authentication protocol. TACACS was first developed in the mid-1980s to manage authentication for the U.S. Department of Defense unclassified network.

The need behind this protocol was to allow users to jump between machines or network infrastructure without having to re-login.

Use TACACS for:  network infrastructure.

The Right Authentication Protocols for Your Identity Management Solution

As you can see, there are a variety of authentication protocols on the market (and many more that we didn’t list). While it seems that they may be consolidating, ultimately, new innovations in the IT sector end up creating new authentication standards (e.g. while not authentication protocols necessarily, Just-in-Time (JIT) and SCIM have emerged as methods for support provisioning / deprovisioning of users within web applications). A multiprotocol environment is likely a reality for most, if not all organizations.

Your identity management strategy needs to account for the fact that your diverse set of IT resources will involve a diverse set of authentication protocols. Your goal is to limit that from having many different components within your identity infrastructure to account for all of those different protocols.

So how do you accomplish that feat? Check out our newly released IT Guide to Identity Management. It’s an info-packed document completely available to you right now, one click away, and it offers an overview of the current IAM market, along with the biggest challenges and most effective solutions available today.

Interested in SaaS-Based Identity Management?

More and more companies are realizing that they don’t really want to master the mix of protocols in use today and would rather outsource identity management to a company that specializes in it. That’s exactly what we do at JumpCloud.

Get started today with a free 30 Day Trial.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.

Continue Learning with our Newsletter