Authentication Protocols: LDAP vs Kerberos vs OAuth2 vs SAML vs RADIUS
Authentication of users towards applications is probably one of the biggest challenges an IT department faces. There are many different systems a user needs access to, which is why authentication protocols are typically open standards; we introduce the five most commonly used ones. Reading questions on Stack Overflow about the "correct authentication protocol", such as "Could you help me determine which authentication protocol I should use for the following use case?", it becomes pretty clear that this can be an overwhelming topic. TechRepublic and others have done a great job of summarizing the sheer chaos in providers and standards.
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.
OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean.
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.
So which one to choose?
Interestingly, most technology-enabled organizations use Google Apps for Business as their directory and SSO. It also supports OAuth 2.0 and an OpenID Connect endpoint, which allows you to build your own sign-in solution.