IAM Protocols and Standards

Core Protocols

  1. Security Assertion Markup Language (SAML):
    • An XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).
    • Enables single sign-on (SSO), allowing users to access multiple applications with a single login.
    • Commonly used in enterprise environments and for federated identity management.
  2. OpenID Connect (OIDC):
    • A simple identity layer built on top of the OAuth 2.0 authorization framework.
    • Provides a standardized way to verify user identity and obtain basic profile information.
    • Well-suited for web and mobile applications, enabling social logins and other identity-related features.
  3. OAuth 2.0:
    • An authorization framework that allows third-party applications to access user-held resources on another service.
    • Employs tokens to grant limited access without sharing user credentials directly.
    • Widely used for granting access to APIs, social media integrations, and other services.
  4. WS-Federation:
    • A Microsoft-specific protocol similar to SAML.
    • Often used in conjunction with Active Directory Federation Services (ADFS) for federated identity.
    • Primarily used in Windows-based environments.
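The OIDC and OAuth 2.0 entries above say that identity is conveyed in tokens without sharing credentials; what that means in practice is that the relying party must verify the token it receives before trusting any claim in it. The following is an added example, not code from the original page: it mints an ID token in JWT form and then validates it the way an OIDC relying party is required to (signature, issuer, audience, expiry, issue time and nonce). To stay standard-library only it signs with HS256 (HMAC-SHA256) and a shared secret; real providers normally use RS256/ES256 with public keys published via JWKS, where the signature step would be a public-key verify instead. The issuer URL, client id, secret and subject are constructed sample values.

```python
"""Mint and validate an OpenID Connect ID token (a JWT) with stdlib only.

Added example, not from the original page. HS256 is used so that it runs
offline; production IdPs usually sign with RS256/ES256 and publish keys via JWKS.
ISSUER, CLIENT_ID, SHARED_SECRET and the subject are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com"          # hypothetical IdP issuer URL
CLIENT_ID = "my-relying-party"              # hypothetical OAuth client id
SHARED_SECRET = b"constructed-demo-secret"  # hypothetical HS256 key
CLOCK_SKEW = 60                             # seconds of tolerated clock drift


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def mint_id_token(claims: dict) -> str:
    """IdP side: compact JWS serialisation header.payload.signature over `claims`."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(_compact_json(header)) + "." + _b64url_encode(_compact_json(claims))
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Relying-party side: verify the token and return its claims, or raise ValueError.

    Checks structure, algorithm, signature, iss, aud, exp, iat and nonce in turn;
    each is a check OIDC Core requires of the relying party."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own 'alg' choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    expected_sig = hmac.new(SHARED_SECRET, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    # Constant-time comparison so signature bytes do not leak through timing.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client (aud)")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("token issued in the future (iat)")
    # The nonce ties the token to the authentication request that started this login.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo():
    """Return (good_token_accepted, tampered_token_rejected) with a fixed clock."""
    issued = 1_700_000_000
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "exp": issued + 300, "iat": issued, "nonce": "n-0001"}
    token = mint_id_token(claims)
    accepted = validate_id_token(token, "n-0001", now=issued + 10)["sub"] == "user-123"

    # Change the subject in the payload without re-signing: must be rejected.
    h, p, s = token.split(".")
    forged = json.loads(_b64url_decode(p))
    forged["sub"] = "someone-else"
    tampered = h + "." + _b64url_encode(_compact_json(forged)) + "." + s
    try:
        validate_id_token(tampered, "n-0001", now=issued + 10)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The order of checks matters less than their completeness: a token with a valid signature from the right issuer is still unusable if it was minted for a different client (`aud`), has expired, or does not carry the nonce of the current login.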

Key Standards

  1. System for Cross-domain Identity Management (SCIM):
    • A standard for automating the exchange of user identity information between identity providers and service providers.
    • Simplifies user provisioning and deprovisioning, improving efficiency and reducing errors.
  2. eXtensible Access Control Markup Language (XACML):
    • A standard for expressing access control policies in a machine-readable format.
    • Allows for fine-grained, attribute-based access control (ABAC) policies.
    • Used in various industries for complex authorization scenarios.
  3. Security Token Service (STS):
    • A service that issues security tokens, such as SAML assertions or JSON Web Tokens (JWTs).
    • Plays a central role in federated identity and SSO architectures.
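The XACML entry above describes fine-grained, attribute-based policies but does not show how such a policy is evaluated. The following is an added example, not from the original page and not XACML's XML syntax: it models XACML's evaluation semantics in plain Python, with a request made of subject, resource, action and environment attributes, rules that have a target plus an optional condition and an effect, and a deny-overrides combining algorithm producing Permit, Deny or NotApplicable. The sample policy (clinicians, wards, restricted records) and all attribute names are constructed for illustration.

```python
"""Minimal ABAC policy evaluation in the style of XACML.

Added example, not from the original page. Models XACML's decision model
(target match, condition, effect, deny-overrides combining) in plain Python;
the sample policy and attribute names are constructed, not from any standard.
"""
from typing import Any, Callable, Dict, List, Optional

Request = Dict[str, Dict[str, Any]]          # {"subject": {...}, "resource": {...}, ...}
Condition = Callable[[Request], bool]

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


class Rule:
    def __init__(self, rule_id: str, effect: str, target: Dict[str, Dict[str, Any]],
                 condition: Optional[Condition] = None):
        self.rule_id = rule_id
        self.effect = effect
        self.target = target        # e.g. {"resource": {"type": "medical-record"}}
        self.condition = condition  # extra predicate evaluated only if the target matches

    def matches(self, req: Request) -> bool:
        """Target match: every attribute listed in the target must equal the request's
        value for that category; a list in the target means 'any of these'."""
        for category, attrs in self.target.items():
            for name, wanted in attrs.items():
                actual = req.get(category, {}).get(name)
                allowed = wanted if isinstance(wanted, list) else [wanted]
                if actual not in allowed:
                    return False
        return self.condition(req) if self.condition else True


def evaluate(policy: List[Rule], req: Request) -> str:
    """Deny-overrides: any applicable Deny wins; otherwise Permit if any rule permits;
    otherwise NotApplicable, which a policy enforcement point should treat as a deny."""
    decision = NOT_APPLICABLE
    for rule in policy:
        if not rule.matches(req):
            continue
        if rule.effect == DENY:
            return DENY
        decision = PERMIT
    return decision


# Constructed sample policy: nurses and physicians may read medical records of
# patients on their own ward during business hours; records flagged restricted
# may be read only by the treating physician.
def same_ward(req: Request) -> bool:
    return req["subject"].get("ward") == req["resource"].get("ward")


def business_hours(req: Request) -> bool:
    return 8 <= req.get("environment", {}).get("hour", -1) < 18


def treating_physician(req: Request) -> bool:
    return req["subject"].get("id") == req["resource"].get("treating_physician")


POLICY = [
    Rule("clinician-read-own-ward", PERMIT,
         {"subject": {"role": ["nurse", "physician"]},
          "resource": {"type": "medical-record"},
          "action": {"id": "read"}},
         condition=lambda r: same_ward(r) and business_hours(r)),
    Rule("restricted-records", DENY,
         {"resource": {"type": "medical-record", "restricted": True}},
         condition=lambda r: not treating_physician(r)),
]


def decide(subject: Dict[str, Any], resource: Dict[str, Any],
           action: Dict[str, Any], environment: Dict[str, Any]) -> str:
    """Evaluate POLICY against one access request and return the decision."""
    return evaluate(POLICY, {"subject": subject, "resource": resource,
                             "action": action, "environment": environment})


if __name__ == "__main__":
    print(decide({"id": "n-1", "role": "nurse", "ward": "A"},
                 {"type": "medical-record", "ward": "A"},
                 {"id": "read"}, {"hour": 10}))
```

Two points carry over from XACML proper: the combining algorithm, not rule order, decides conflicts (the Deny rule wins even though it is listed second), and an attribute missing from the request makes a target fail to match rather than match by default.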

Other Notable Protocols

  • Kerberos: A network authentication protocol that uses secret-key cryptography to authenticate service requests between hosts across an untrusted network.
  • Lightweight Directory Access Protocol (LDAP): A protocol used to access and maintain directory information services over an IP network.
  • RADIUS (Remote Authentication Dial-In User Service): A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users connecting and using a network service.