{"id":72473,"date":"2022-11-21T12:00:00","date_gmt":"2022-11-21T17:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=72473"},"modified":"2022-12-30T16:21:39","modified_gmt":"2022-12-30T21:21:39","slug":"what-is-delegated-authentication","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/what-is-delegated-authentication","title":{"rendered":"What Is Delegated Authentication?"},"content":{"rendered":"\n

In the early days of the internet, reusing a single digital identity across many logins was considered risky, and with reason: nothing in the architecture of the early web supported federated or delegated authentication, so every site had to hold its own copy of the user's secret. That partly explains why digital identities were dispersed across many websites and applications in those days. <\/p>\n\n\n\n

For example, each new application or website required you to make up credentials that were then stored on that platform. Logging into site after site with different credentials was inconvenient, time-consuming, and disruptive to the workflow, and it quietly encouraged password reuse. <\/p>\n\n\n\n

As the web grew more complex and interconnected, developers began to address these authentication challenges, and federated and delegated identity management emerged, most visibly as what we now call single sign-on (SSO)<\/a>. <\/p>\n\n\n\n

In this post, we\u2019ll explore what delegated authentication is, how it works, its advantages, and how the JumpCloud Directory Platform\u00ae<\/sup> can help you implement it in your organization.<\/p>\n\n\n\n

Delegated Authentication Explained<\/h2>\n\n\n\n

Delegated authentication links a user's identity across multiple identity and access management (IAM)<\/a> systems. The "delegation" is that your applications do not check passwords themselves; they rely on another platform, the identity provider (IdP), to verify the user's login credentials. <\/p>\n\n\n\n

Delegated authentication builds on SSO to give users a smoother experience. Typically it extends secure access beyond web applications by brokering the IAM policies and credentials already established in one IdP to the services offered by an open directory.<\/p>\n\n\n\n

The IdP can be, for example, a Lightweight Directory Access Protocol (LDAP)<\/a> server or a cloud-based directory platform such as JumpCloud. Delegated authentication gives users seamless, appropriately scoped access to enterprise resources. The terms "delegated authentication" and "federated authentication"<\/a> are sometimes used interchangeably, but they do not mean the same thing.<\/p>\n\n\n\n

Both are vital IAM elements of a robust cybersecurity defense strategy, and both confirm that the login credentials presented are valid. In both, the application relies on an external party, the IdP, to authenticate users to a service provider (SP) on the strength of a trust relationship configured in advance. <\/p>\n\n\n\n

However, while federated authentication (SAML, OpenID Connect) largely focuses on web-based applications, delegated authentication goes further by extending SSO to all network resources. To see why that matters, consider a protocol such as Remote Authentication Dial-In User Service (RADIUS)<\/a>. <\/p>\n\n\n\n

RADIUS is a network protocol for authenticating, authorizing, and accounting for (AAA) users who connect through network access devices such as Wi-Fi access points and controllers, VPN gateways, switches, and routers. IT admins have long relied on RADIUS servers to secure access to Wi-Fi and virtual private networks (VPNs), which is what lets them offer both remote and on-prem working environments to employees. <\/p>\n\n\n\n

However, running RADIUS yourself has often been complex: installing and deploying the servers, configuring network policies, and managing access to the servers themselves. A dedicated cloud RADIUS service provider is a simpler way to operate this part of the enterprise. <\/p>\n\n\n\n

Even so, a stand-alone cloud RADIUS service adds a second place where identities and passwords must be managed, alongside the directory the organization already runs, such as Azure Active Directory (AAD). A delegated authentication solution<\/a> resolves this by having the RADIUS service verify the user's existing AAD credentials, so users reach RADIUS-protected resources with the password they already have. <\/p>\n\n\n\n

When used across an organization, delegated authentication eliminates duplicate passwords, duplicate IAM practices, and duplicate network policies spread over multiple IdPs. It also reduces IT admin workload, freeing them for work that advances the organization rather than maintaining parallel credential stores. <\/p>\n\n\n\n
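To make the RADIUS delegation concrete, here is an added example (not JumpCloud code, and not the implementation of any particular RADIUS product) of the exchange between a network access server and a RADIUS server that owns no passwords. The server unhides the User-Password attribute as RFC 2865 specifies and hands the username and password to an identity provider callback; the callback here is a constructed in-memory directory standing in for LDAP or AAD. The shared secret, packet identifier, and directory contents are illustrative assumptions.<\/p>

```python
"""RADIUS Access-Request/Accept exchange (RFC 2865) with a server that holds no
passwords: it unhides User-Password and delegates the check to an IdP callback.
Added example, not JumpCloud code; the in-memory IdP is a constructed stand-in."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def _encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def _decode_attrs(data):
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drops padding; a password ending in NUL is not representable

def build_access_request(ident, username, password, secret):
    """NAS side (Wi-Fi controller, VPN gateway): hide the password and frame the request."""
    request_auth = os.urandom(16)
    attrs = _encode_attrs([(USER_NAME, username),
                           (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def handle_access_request(packet, secret, verify_with_idp):
    """RADIUS server side: parse, unhide, delegate the decision, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = _decode_attrs(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    # Delegation point: the verdict comes from the directory/IdP, not from this server.
    ok = verify_with_idp(attrs.get(USER_NAME, b"").decode("utf-8", "replace"), password)
    reply_attrs = _encode_attrs([(REPLY_MESSAGE, b"access granted" if ok else b"access denied")])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + request_auth + reply_attrs + secret).digest() + reply_attrs

def check_response(response, request, secret):
    """NAS side: verify the Response Authenticator before trusting the verdict."""
    if len(response) < 20 or response[1] != request[1]:
        raise ValueError("truncated response or identifier mismatch")
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(response_auth, expected):
        raise ValueError("bad Response Authenticator: spoofed reply or wrong shared secret")
    return response[0] == ACCESS_ACCEPT

# Constructed stand-in for the directory that actually owns the credentials (LDAP, AAD, ...).
_DIRECTORY = {"alice": b"correct horse battery staple"}

def demo_idp_verify(username, password):
    stored = _DIRECTORY.get(username)
    return stored is not None and hmac.compare_digest(stored, password)

def authenticate(username, password, secret=b"radius-shared-secret", ident=7):
    """Full round trip: NAS builds the request, server delegates, NAS checks the reply."""
    req = build_access_request(ident, username.encode(), password.encode(), secret)
    return check_response(handle_access_request(req, secret, demo_idp_verify), req, secret)
```

The point to notice is that the RADIUS server holds the shared secret but no user passwords; swapping `demo_idp_verify` for a call into the directory is all that delegation requires on the RADIUS side. The same structure is why the shared secret and the network path matter: the MD5-based hiding in RFC 2865 is weak by modern standards, so production deployments carry the user credential inside an EAP method (EAP-TLS or PEAP) and protect RADIUS traffic with IPsec or RadSec (RADIUS over TLS) whenever it leaves a trusted network.<\/p>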

How Delegated Authentication Works<\/h2>\n\n\n\n

In delegated authentication the SP accepts the user's credentials at its own login page but hands them to an external IdP for validation rather than checking them itself. This is the key difference from federated authentication, where the user authenticates at the IdP and the SP receives only a signed assertion or token and never sees the password: in a delegated flow the SP handles the password, so the SP and its channel to the IdP must be trusted and encrypted. For example, you can configure a service provider such as Salesforce to delegate password validation to an endpoint that checks credentials against an LDAP server. <\/p>\n\n\n\n

This way, you log into Salesforce with your LDAP credentials. Behind the scenes, the login works like this:<\/p>\n\n\n\n

    \n
  1. You enter your existing credentials on the Salesforce login page.<\/li>\n\n\n\n
  2. Salesforce sends your username and password over an encrypted (TLS) connection to the delegated authentication endpoint, which checks them against the LDAP server (typically by attempting an LDAP bind as that user). <\/li>\n\n\n\n
  3. The endpoint returns only a true or false result; no password or directory detail travels back to Salesforce. <\/li>\n\n\n\n
  4. If the result is true, Salesforce grants access to its resources and issues its own session. If false, Salesforce displays an error indicating invalid credentials.<\/li>\n<\/ol>\n\n\n\n
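The four steps above, as an added example that is not Salesforce's or JumpCloud's code: a delegated-authentication endpoint that a service provider calls with the credentials collected at its login page, backed by a constructed in-memory directory that stands in for the LDAP server. The class and function names, the caller allow-list, the PBKDF2 parameters, and the lockout thresholds are assumptions made for the example; Salesforce's real endpoint is a SOAP web service, but the contract shown here (credentials in, a bare boolean out) is the same.<\/p>

```python
"""Delegated-authentication endpoint behind a service provider's own login page,
modelled on the Salesforce flow above: the SP forwards the credentials it collected,
the IdP answers only true or false, and the SP keeps no password. Added example,
not Salesforce or JumpCloud code; the directory contents are constructed."""
import hashlib
import hmac
import os
import time


class DirectoryIdP:
    """Stand-in for the LDAP directory that owns the credentials and answers bind requests."""

    def __init__(self, max_failures=5, lockout_seconds=300):
        self._users = {}      # username -> (salt, PBKDF2 hash)
        self._failures = {}   # username -> (failure count, locked-until timestamp)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def bind(self, username, password, now=None):
        """Equivalent of an LDAP simple bind: True only for the right password on an unlocked account."""
        now = time.monotonic() if now is None else now
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return False
        record = self._users.get(username)
        # Run the KDF even for unknown users so response time does not reveal which names exist.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        digest = self._hash(password, salt)
        if record is not None and hmac.compare_digest(digest, expected):
            self._failures.pop(username, None)
            return True
        count += 1
        if count >= self.max_failures:
            locked_until = now + self.lockout_seconds
        self._failures[username] = (count, locked_until)
        return False


def delegated_auth_endpoint(idp, allowed_callers):
    """The callable the SP invokes; like Salesforce's delegated-authentication web
    service it takes a username and password and returns a bare boolean."""
    def authenticate(username, password, caller_ip):
        # Hypothetical hardening: only the SP's known egress addresses may ask.
        if caller_ip not in allowed_callers:
            return False
        return idp.bind(username, password)
    return authenticate


class ServiceProvider:
    """The SP (a CRM, say). It forwards the password once and never stores or logs it."""

    def __init__(self, endpoint, egress_ip):
        self._endpoint = endpoint
        self._egress_ip = egress_ip
        self.sessions = {}  # session token -> username

    def login(self, username, password):
        # Step 2: forward the credentials (over TLS in a real deployment).
        # Steps 3 and 4: act only on the boolean that comes back.
        if not self._endpoint(username, password, self._egress_ip):
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = username
        return token


def demo():
    idp = DirectoryIdP()
    idp.add_user("alice", "correct horse battery staple")
    sp = ServiceProvider(delegated_auth_endpoint(idp, {"203.0.113.10"}), "203.0.113.10")
    return sp, idp
```

Two design points matter more than the code itself. Brute-force throttling and lockout live at the IdP, because it is the one place that sees every attempt regardless of which SP forwarded it; and the SP keeps only a session token it minted itself, so a compromise of the SP's session store yields no directory password.<\/p>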

    Delegated Authentication Benefits<\/h2>\n\n\n\n

    A delegated authentication architecture provides numerous benefits over traditional authentication mechanisms. Some of these benefits include:<\/p>\n\n\n\n