
Which Protocols Should Be Used for IAM?




A core, foundational element to understand with identity and access management (IAM) solutions is protocols.

Identity solutions often depend on industry-standard authentication protocols. Unfortunately, different types of IT resources generally support different authentication protocols. 

Different Authentication Protocols Make Things Complicated

Organizations have a mixture of all of these types of resources, but their identity and access management solutions may support only one or a couple of these authentication protocols. That causes IT organizations to build a collection of solutions that ultimately comprises their entire IAM infrastructure.

Generally, this type of cobbled-together infrastructure gets the job done. But it rarely works efficiently and securely, or in a way that requires minimal maintenance. And that should be your goal with an identity management architecture.

The best approach is to determine which authentication protocols are in use (or should be), find an identity management solution that supports those protocols, and then employ one single IAM solution that doesn’t have to be modified just to reach bare minimum functionality.

So What Authentication Protocols Are You Using?

Below, we provide an overview of the major identity protocols in use today.

Native Authentication

Okay, so native authentication isn’t exactly a protocol. In fact, it’s just the opposite.

We include it on this list to emphasize the point that most devices have their own authentication mechanisms. While some devices can access LDAP, for example, the challenges to connect those devices to LDAP are significant.

Specifically, Windows® and macOS® devices are challenging to manage with third party protocols. As a result, while there may not be a specific protocol, the APIs to create and manage users on Windows, Mac, and Linux® devices are critical for any identity management solution.

LDAP

One of the oldest and most durable authentication protocols, LDAP has been an industry standard since the mid-1990s. Lightweight Directory Access Protocol is often used for connecting to Linux devices, NAS devices / file servers, and more technical applications, as in DevOps environments. Many on-premises applications and storage devices still authenticate using the LDAP protocol.

LDAP is flexible and customizable, which is powerful, but it is notoriously difficult to configure and administer. In recent years, LDAP-as-a-Service solutions emerged to streamline LDAP’s capabilities for organizations (see 5 Reasons to Leverage LDAP-as-a-Service).

Use LDAP for: Linux devices, NAS devices/file servers, technical applications, on-prem applications.

Kerberos

Invented at MIT, Kerberos is used extensively under the hood by Microsoft as the authentication protocol for Windows and Windows-related systems.

The primary benefit in Windows networks is the ability to automatically sign users in to any resource connected to the domain. With the steady move to SaaS-based applications, Kerberos has become a less important authentication protocol, but Microsoft still uses it widely for its on-prem domain controller. It's also important to note that, with the changing IT landscape, many organizations have shifted away from an on-prem domain to the domainless enterprise architecture, making Kerberos somewhat less relevant than it was a decade or so ago.

Use Kerberos for: Windows systems, on-prem Microsoft applications / server infrastructure.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is an authentication protocol primarily used by networking solutions such as wireless networks, VPNs, and network infrastructure equipment. RADIUS servers generally connect back to a central directory service which contains user credentials. RADIUS was primarily used by ISPs and the like early on, but has since been repurposed to control WiFi networks and VPNs.

As with LDAP, there are options for companies that would rather not deal with their own RADIUS servers. RADIUS-as-a-Service (RaaS) provides you with pre-built, pre-configured, scalable, redundant, and fully managed and maintained RADIUS servers.

Use RADIUS for: wireless networks, VPNs, network infrastructure equipment.

SAML

Security Assertion Markup Language (SAML) is the authentication protocol most often associated with single sign-on solutions for web applications. The open standard is employed widely by service providers (web application providers) and identity providers (web application SSO solutions).

SAML implementations are defined by an identity provider and a service provider. A service provider is, for example, a web application that a user wants to access. The service provider will request authentication from an identity provider, which is ultimately backed by a directory service. Historically, identity providers were merely proxies for the core directory service, but with platforms such as Directory-as-a-Service, those functions (IdP & SSO) are merging.

SAML has made great inroads into the web application sector, but is generally not relevant for devices and generally not used by internal applications due to the overhead to adopt it.

Use SAML for: web applications.

OpenID

Another authentication mechanism for web applications, OpenID has gained some adoption due to support from significant consumer-facing web applications such as Google® and Yahoo!. OpenID works similarly to SAML but is less complex to implement. Using OpenID, a third-party web application could allow users to log in to its services via a Google, Microsoft, Facebook, Twitter, or Yahoo ID, for example.

This authentication mechanism is used for consumer-facing web applications, although it is starting to gain some traction in business scenarios due to the popularity of G Suite™ (formerly Google Apps for Work).

Use OpenID for: web applications.

OAuth

A similar protocol to OpenID, OAuth is used by major consumer Internet sites such as Google, Facebook, and Twitter to federate their identities to third party sites.

Use OAuth for: web applications.

TACACS

Adopted extensively in the network infrastructure market, TACACS is a relatively simple authentication protocol. TACACS was first developed in the mid-1980s to manage authentication for the U.S. Department of Defense unclassified network.

The need behind this protocol was to allow users to jump between machines or network infrastructure without having to re-login.

Use TACACS for: network infrastructure.

The Right Authentication Protocols for Your Identity Management Solution

As you can see, there are a variety of authentication protocols on the market (and many more that we didn’t list). While it seems that they may be consolidating, ultimately, new innovations in the IT sector end up creating new authentication standards (e.g., while not necessarily authentication protocols, Just-in-Time (JIT) and SCIM have emerged as methods to support provisioning / deprovisioning of users within web applications). A multiprotocol environment is likely a reality for most, if not all, organizations.

Your identity management strategy needs to account for the fact that your diverse set of IT resources will involve a diverse set of authentication protocols. Your goal is to limit the number of different components your identity infrastructure needs in order to account for all of those different protocols.
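The approach described above (work out which protocols your resources need, then see which products cover them) can be run as a small script. This is an added example, not JumpCloud code: the inventory and the four product names are constructed, and the port numbers are the protocols' well-known defaults.

```python
from itertools import combinations

# Well-known server ports for the port-identifiable protocols in the article.
PORT_TO_PROTOCOL = {49: "TACACS", 88: "Kerberos", 389: "LDAP", 636: "LDAP",
                    1812: "RADIUS", 1813: "RADIUS"}
# SAML/OpenID/OAuth share HTTPS, so they are declared by name, not by port.
DECLARED = {"SAML", "OpenID", "OAuth", "Native"}

# Constructed sample inventory: "resource,auth port or declared protocol".
INVENTORY = """nas01,389
build-agent,636
dc01,88
wifi-controller,1812
core-switch,49
hr-portal,SAML
wiki,OpenID
laptop-fleet,Native"""

# Hypothetical products and the protocols each supports (constructed).
CANDIDATES = {
    "legacy-directory": {"LDAP", "Kerberos", "Native"},
    "web-sso": {"SAML", "OpenID", "OAuth"},
    "network-aaa": {"RADIUS", "TACACS"},
    "cloud-directory": {"LDAP", "RADIUS", "SAML", "OpenID", "Native"},
}

def protocols_in_use(inventory):
    """Return {protocol: [resources]}; unrecognised entries go under UNKNOWN."""
    needed = {}
    for line in inventory.strip().splitlines():
        name, auth = (field.strip() for field in line.split(","))
        if auth.isdigit():
            proto = PORT_TO_PROTOCOL.get(int(auth), "UNKNOWN")
        else:
            proto = auth if auth in DECLARED else "UNKNOWN"
        needed.setdefault(proto, []).append(name)
    return needed

def gaps(needed, supported):
    """Resources left unmanaged by a product (or a set of products)."""
    return sorted(r for p, rs in needed.items() if p not in supported for r in rs)

def smallest_stack(needed, candidates):
    """Fewest products whose combined protocols cover every resource, or None."""
    for size in range(1, len(candidates) + 1):
        for combo in combinations(sorted(candidates), size):
            union = set().union(*(candidates[c] for c in combo))
            if not gaps(needed, union):
                return list(combo)
    return None
```

On the sample data, `smallest_stack(protocols_in_use(INVENTORY), CANDIDATES)` returns three products because no single candidate covers every protocol, and `gaps()` names the resources each candidate would leave outside central identity management.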

So how do you accomplish that feat? Check out our newly released IT Guide to Identity Management. It’s an info-packed document completely available to you right now, one click away, and it offers an overview of the current IAM market, along with the biggest challenges and most effective solutions available today.

Interested in SaaS-Based Identity Management?

More and more companies are realizing that they don’t really want to master the mix of protocols in use today and would rather outsource identity management to a company that specializes in it. That’s exactly what we do at JumpCloud® through Directory-as-a-Service® (DaaS).

Learn more here or get started today with a free account for your first 10 users. We include 10 systems and 10 days of free premium 24×7 in-app chat support as well.

