Authentication Protocols: LDAP vs Kerberos vs OAuth2 vs SAML vs RADIUS

By Bernhard Mehl
June 11, 2018

Authentication of users towards applications is probably one of the biggest challenges the IT department is facing. There are a lot of different systems a user needs access to and that’s why the authentication protocols are typically open standards – we are introducing the five most commonly used ones. When reading questions about the “correct authentication protocol” on Stackoverflow like ”Could you help me determine which authentication protocol I should use for the following use case?” It becomes pretty clear that this can be an overwhelming topic.Tech republic and others have done a great job in summarizing the sheer chaos in providers and standards.

LDAP

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.

LDAP protocol
Source

5cf6e8428ea8d3a68f6c93e3
template-3
container

Kerberos

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

Kerberos authentication protocol
Source

Oauth 2

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean.

Oauth2
Source: Digital Ocean

SAML

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.

SAML authentication
Source

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.

RADIUS authentication protocol
Source

So which one to choose?

Most technology enabled organization interestingly use Google Apps for Business as directory and SSO. It also supports OAuth 2.0 and the Open ID connect endpoint which allows to build your own sign-in solution.

Relevant Links

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.

Access Control Experts
Useful Resources