Which Protocols Should Be Used for IAM?

By Greg Keller Posted June 20, 2016

A core, foundational element to understand with identity management solutions is protocols.

Identity solutions are often built on standard protocols. Unfortunately, different types of IT resources have decided to support different protocols. Devices support specific protocols, applications support another set (and different types of applications support different ones), and network devices support yet other protocols.

All these different protocols make things complicated

Organizations end up having a mixture of all of these types of resources, but their identity management solutions may only support only one or a couple of these protocols. That causes IT organizations to build a collection of solutions that ultimately comprise their entire identity management infrastructure.

Generally, these types of cobbled together infrastructures get the job done. But rarely do the work efficiently and securely, in way that requires minimal maintenance. And, that should be your goal in IAM.

The best approach is to determine which protocols are in use (or should be), find an identity management solution that supports those protocols, and then employ one single solution that doesn’t have to be modified just to reach bare minimum functionality.

So What Protocols Should You Be Using?

Below, we provide an overview of the major identity protocols in use today.

Native Authentication

Okay, so native authentication isn’t exactly a protocol. In fact, it’s just the opposite.

We’ve included it on this list to emphasize the point that most devices end up leveraging their own authentication mechanisms. While some devices can leverage LDAP, for example, the challenges to connect those devices to leverage those applications is significant.

Specifically, Windows and OS X devices are challenging to manage with third party protocols. As a result, while there may not be a specific protocol, the APIs to create and manage users on Windows, Mac, and Linux devices are critical for any identity management solution.


One of the oldest and most durable authentication protocols, LDAP has been an industry standard since the mid-1990s. Lightweight Directory Access Protocol has largely been used recently for connecting to Linux devices and for more technical applications. Many on-premises applications still leverage the LDAP protocol.

LDAP is flexible and customizable which is powerful, but it is notoriously difficult to configure and work with. In recent years, LDAP-as-a-Service solutions have emerged which streamline LDAP’s capabilities for organizations (see 5 Reasons to Leverage LDAP-as-a-Service).

Use LDAP for:  Linux devices, technical applications, on-premises applications.


Invented at MIT, Kerberos has been used extensively under the covers by Microsoft as the authentication protocol for Windows and Windows related systems.

The primary benefit in Windows networks has been the ability to automatically sign-in users to any resources connected to the domain. Although recently with the move to SaaS-based applications, Kerberos has become a less important authentication protocol, it is still used widely by Microsoft.

Use Kerberos for:  Windows systems, Microsoft applications / server infrastructure


Remote Authentication Dial-In User Service (RADIUS) is an authentication protocol primarily used by network services such as wireless networks, VPNs, and network infrastructure equipment. RADIUS servers generally connect back to a central directory service which contains user credentials. RADIUS was primarily used by ISPs and the like early on, but has since moved to be consumed by organizations to control wireless access.

As with LDAP, there are options for companies that would rather not deal with their own RADIUS servers. RADIUS-as-a-Service (RaaS) provides you with pre-built, pre-configured, scalable, and fully managed and maintained RADIUS servers.

Use RADIUS for:  wireless networks, VPNs, network infrastructure equipment.


Security Assertion Markup Language (SAML) is the authentication protocol most often associated with single sign-on solutions for web applications. The open standard has been leveraged widely by web application and web service providers.

SAML implementations are defined by an identity provider and a service provider. A service provider is, for example, a web application that a user wants to access. The service provider will request authentication from an identity provider, which can ultimately be backed by a directory service.

SAML has made great inroads into the web application sector, but is not leveraged for devices and generally not utilized by internal applications.

Use SAML for:  web applications.


Another authentication mechanism for web applications, OpenID has gained some adoption due to support from significant consumer facing web applications such as Google and Yahoo!. OpenID works similar to SAML but is less complex to implement. Using OpenID, a third party web application could allow users to log in to their services via a Google or Yahoo ID.

This authentication mechanism has largely been used for consumer facing web applications, although is starting to gain some traction in business scenarios due to the popularity of Google Apps for Work.

Use OpenID for: web applications.


A similar protocol to OpenID, OAuth is leveraged by major consumer Internet sites such as Google, Facebook, and Twitter to federate their identities to third party sites.

Use OAuth for:  web applications.



Used extensively in the network infrastructure market, TACACS is a relatively simple authentication protocol. TACACS was first developed in the mid-1980s to manage authentication for the U.S. Department of Defense unclassified network.

The need behind this protocol was to allow users to jump between machines or network infrastructure without having to relogin.

Use TACACS for:  network infrastructure.

The Right Protocols for Your Identity Management Solution

As you can see there are a variety of authentication protocols on the market. While it seems that they may be consolidating, ultimately, new innovations in the IT sector end up creating new authentication standards. A multiprotocol environment is likely a reality for most, if not all organizations.

Your identity management strategy needs to account for the fact that your diverse set of IT resources will leverage a diverse set of authentication protocols. Your goal is to limit that to cascading into having many different components with your identity infrastructure to account for all of those different protocols.

So how do you accomplish that feat? I recommend you check out our newly released IT Guide to Identity Management 2016. It’s an info-packed pdf that’s completely available to you right now, one click away, and it offers an overview of the current IAM market, along with the biggest  challenges and most effective solutions available today.

Interested in SaaS-Based Identity Management?

More and more companies are realizing that they don’t really want to master the plethora of protocols in use today and would rather outsource identity management to a company that specializes in it. That’s exactly what we do at JumpCloud through Directory-as-a-Service® (DaaS).

Learn more here or get started today with a free account for your first ten users.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.

Recent Posts