Comprehensive Guide to IAM Protocols: From SAML to Kerberos
This blog post is complementary material of the IAM Crashcasts. The original episode can be found below.
In today's interconnected digital landscape, Identity and Access Management (IAM) plays a crucial role in securing our online interactions. This guide explores five key IAM protocols that form the backbone of modern authentication and authorization systems: SAML, OAuth 2.0, OpenID Connect, LDAP, and Kerberos.
Understanding IAM Protocols
IAM protocols are standardized methods for managing digital identities and controlling access to resources. They enable secure communication between different systems and services, ensuring that users can access the right resources with the appropriate permissions.
Cheatsheet
| Protocol | Type | Use Cases | Token/Ticket | Introduced | Key Players | Pros | Cons |
|---|---|---|---|---|---|---|---|
| SAML | Both | Enterprise SSO, Federated Identity | XML assertion | 2002 | Salesforce, AWS, Google Workspace | Strong security, Rich attribute exchange | Complex implementation, Primarily for web |
| OAuth 2.0 | Authorization | API access, Third-party authorization | Bearer token | 2012 | Google, Facebook, Twitter | Widely adopted, Flexible | Not for authentication, Potential misuse |
| OpenID Connect | Authentication | Consumer authentication, Mobile login | ID token (JWT) | 2014 | Google, Microsoft, Okta | Built on OAuth, Identity layer | Newer standard, Less enterprise adoption |
| LDAP | Both | Directory services, User authentication | None (uses bind operation) | 1993 | Microsoft AD, OpenLDAP | Lightweight, Widely supported | Less secure without proper configuration |
| Kerberos | Authentication | Network authentication, SSO | Ticket (TGT, ST) | 1988 | Microsoft AD, MIT | Strong security, Efficient | Complex setup, Primarily for on-premises |
SAML (Security Assertion Markup Language)
SAML is an XML-based protocol primarily used for Single Sign-On (SSO) in enterprise environments. It allows for the secure exchange of authentication and authorization data between an identity provider (IdP) and a service provider (SP).
Key features of SAML:
- XML-based assertions for identity information
- Support for federated identity management
- Strong security through digital signatures and encryption
Example SAML assertion:
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_123456789"
IssueInstant="2023-06-01T12:00:00Z"
Version="2.0">
<saml:Issuer><https://idp.example.com></saml:Issuer>
<ds:Signature>...</ds:Signature>
<saml:Subject>
<saml:NameID>john.doe@example.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
NotOnOrAfter="2023-06-01T12:10:00Z"
Recipient="<https://sp.example.com/acs>"/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- Additional assertion data -->
</saml:Assertion>
OAuth 2.0
OAuth 2.0 is an authorization framework that allows third-party applications to access resources on behalf of a user without exposing their credentials. It's widely used for API access and delegated authorization.
Key concepts in OAuth 2.0:
- Access tokens for resource access
- Refresh tokens for obtaining new access tokens
- Various grant types for different use cases (e.g., Authorization Code, Client Credentials)
Example OAuth 2.0 flow:
// OAuth 2.0 Authorization Code Flow (simplified)
const authorizationUrl = `${authorizationEndpoint}?response_type=code&client_id=${clientId}&redirect_uri=${redirectUri}&scope=${scope}`;
// After user authorization, exchange code for tokens
fetch(tokenEndpoint, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': 'Basic ' + btoa(`${clientId}:${clientSecret}`)
},
body: `grant_type=authorization_code&code=${code}&redirect_uri=${redirectUri}`
})
.then(response => response.json())
.then(data => {
const accessToken = data.access_token;
// Use accessToken for API requests
});
OpenID Connect
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. It extends OAuth's authorization capabilities to include authentication, providing a standardized way for clients to verify the identity of end-users.
Key features of OpenID Connect:
- ID tokens (JWTs) containing user identity information
- UserInfo endpoint for additional user details
- Discovery and dynamic registration capabilities
Example OpenID Connect authentication:
// OpenID Connect Authentication Request
const authorizationUrl = `${authorizationEndpoint}?response_type=code&client_id=${clientId}&redirect_uri=${redirectUri}&scope=openid profile email`;
// After receiving the ID token
function validateIdToken(idToken) {
const [header, payload, signature] = idToken.split('.');
const decodedPayload = JSON.parse(atob(payload));
// Verify token claims
if (decodedPayload.iss !== '<https://authorization-server.com>' ||
decodedPayload.aud !== clientId ||
decodedPayload.exp < Math.floor(Date.now() / 1000)) {
throw new Error('Invalid ID token');
}
// Use the validated claims
}
LDAP (Lightweight Directory Access Protocol)
LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network. It's commonly used for user authentication and as a central repository for user information in organizations.
Key concepts in LDAP:
- Directory structure (DN, DC, OU, CN)
- Bind operations for authentication
- Search operations for querying the directory
Example LDAP search operation:
import ldap
# Connect to LDAP server
conn = ldap.initialize(ldap_server)
conn.simple_bind_s(username, password)
# Perform search
base_dn = "ou=users,dc=example,dc=com"
search_filter = "(objectClass=person)"
attributes = ["cn", "mail"]
result = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, search_filter, attributes)
# Process results
for dn, entry in result:
print(f"DN: {dn}")
for attr, values in entry.items():
for value in values:
print(f"{attr}: {value.decode('utf-8')}")
Kerberos
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications using secret-key cryptography. It's widely used in Windows domains and some Unix/Linux environments.
Key components of Kerberos:
- Ticket Granting Ticket (TGT) for initial authentication
- Service Tickets for accessing specific services
- Key Distribution Center (KDC) for managing tickets and keys
Simplified Kerberos authentication flow:
def kerberos_auth(username, password, target_service):
# Get Ticket Granting Ticket
tgt = request_tgt(username, password)
# Get Service Ticket
service_ticket = request_service_ticket(tgt, target_service)
# Access the service
result = access_service(service_ticket, target_service)
return result
Choosing the Right Protocol
Selecting the appropriate IAM protocol depends on various factors:
- SAML: Ideal for enterprise SSO and federated identity scenarios
- OAuth 2.0: Best for API authorization and delegated access
- OpenID Connect: Suitable for modern web and mobile app authentication
- LDAP: Useful for directory services and legacy system integration
- Kerberos: Excellent for on-premises network authentication and SSO
Consider your specific use case, security requirements, and existing infrastructure when making a decision.
Conclusion
Understanding these IAM protocols is crucial for implementing robust security architectures. Each protocol has its strengths and ideal use cases, and many modern systems use a combination of these protocols to achieve comprehensive identity and access management.
As the digital landscape continues to evolve, staying informed about these protocols and their best practices is essential for security professionals and developers alike.