Identity Management Protocols

Published on 31 August 2024
Updated on 31 August 2024
3 min read
cyber

With the rise of heterogeneous, integrated systems such as the cloud, identity management has never been more important. Information security professionals know how sensitive identity data is, and questions such as "Where do the identities reside?", "How is user information exchanged?" and "What are the best practices for identity management?" come up constantly.

What is identity management?

Identity management is the practice of governing all the subjects in an information system: their authentication, their authorization (permissions) and accounting (audit). The practice has evolved from managing in-house access-control procedures to managing relationships with external identity providers.

This covers, among other things, identity federation and access delegation. Identity federation lets a service authenticate its users against the user database of another service, the identity provider, instead of maintaining its own credential store. The relying service keeps no password database at all and offloads that critical task to the provider.

Access delegation is authorizing an entity to act on behalf of a user, for a limited time and for a specific task. For example, you may allow an app to post on your Facebook wall on your behalf; that grant does not let it send friend requests or read or change your account settings.

What protocols are used in identity management?

There are two main standards for identity federation and access delegation, SAML and OAuth, plus OpenID Connect, which builds on OAuth.

SAML

SAML stands for Security Assertion Markup Language. It is an XML-based protocol for exchanging authentication and authorization information about a principal between an Identity Provider (IdP), which issues signed assertions, and a Service Provider (SP), which consumes them.

OAuth

OAuth stands for Open Authorization. It is an access delegation framework whereby a resource owner (e.g., a user of facebook.com) grants an application specific permissions (e.g., publish a post) on a resource server (e.g., facebook.com).

The OAuth client never handles the user's credentials: the user authenticates at the authorization server, which issues the client a short-lived access token scoped to the granted permissions. The token may be an opaque string or a structured JSON Web Token (JWT); a JWT is protected as a JWS (signed) or a JWE (encrypted), so JWT, JWS and JWE are token formats rather than three separate exchange methods. The client presents the access token to the resource server in the Authorization header as a Bearer token (RFC 6750), and the resource server validates it before serving the request.

OIDC

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. OAuth alone only authorizes; OIDC adds authentication, so the client learns who the user is and not only what it may do.

OIDC conveys the authenticated identity in an ID Token, a JWT carrying claims such as iss (issuer), sub (subject), aud (audience), exp (expiry) and a nonce binding the token to the login request. It is the JSON-based alternative to SAML: SAML exchanges XML assertions, OIDC exchanges JSON tokens.
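As an added example (not code from the original post), the following block covers both the OAuth access-token paragraph and the ID Token paragraph above: it mints an HS256-signed JWT with OIDC-style claims (iss, sub, aud, iat, exp) plus an OAuth scope, then plays the resource server that extracts the Bearer token from the Authorization header, verifies the signature with a pinned algorithm, checks issuer, audience and expiry, and enforces the scope of the delegated grant. Only the Python standard library is used; the shared secret, issuer, audience and scope names are assumptions for illustration.

```python
"""Mint and verify an HS256 JWT, then enforce it as an OAuth Bearer token (added example).

Assumptions: SHARED_SECRET, ISSUER, AUDIENCE and the scope names below are
invented for this illustration; a real deployment would typically use an
asymmetric key published by the authorization server (RS256/ES256).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SHARED_SECRET = b"example-hs256-secret-do-not-use-in-production"  # assumed
ISSUER = "https://idp.example.com"                                 # assumed
AUDIENCE = "https://api.example.com"                               # assumed


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scope: str, lifetime: int = 300, now: Optional[int] = None) -> str:
    """Authorization-server side: issue a compact JWS (header.claims.signature)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": AUDIENCE,
              "iat": now, "exp": now + lifetime, "scope": scope}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Dict:
    """Verify signature and standard claims; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (blocks alg=none and key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    # RFC 7519: the current time must be strictly before exp.
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def authorize_request(headers: Dict[str, str], required_scope: str,
                      now: Optional[int] = None) -> Tuple[int, str]:
    """Resource-server side: Bearer token present, valid, and carrying the scope."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:  # covers bad base64 and bad JSON too
        return 401, f"invalid token: {exc}"
    # Delegation is scoped: a token for posting must not allow anything else.
    if required_scope not in set(claims.get("scope", "").split()):
        return 403, "insufficient scope"
    return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    tok = mint_token("alice", "post:write profile")
    print(authorize_request({"Authorization": "Bearer " + tok}, "post:write"))
    print(authorize_request({"Authorization": "Bearer " + tok}, "friend:request"))
```

The two failure classes are deliberately distinct: a missing or invalid token yields 401, while a valid token that lacks the scope yields 403. The `alg` pin is the important line; libraries that honour the token's own `alg` header have repeatedly been tricked into accepting unsigned tokens.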

I want to implement SSO, which protocol should I use?

Here is a comparative view of the three standards:

Standard       | Format | Environment            | Function                                       | Purpose
SAML           | XML    | Enterprise / corporate | Authentication and authorization               | Exchange authentication and authorization information between an IdP and an SP
OAuth 2.0      | JSON   | APIs                   | Authorization only                             | Authorize a third-party application to perform specific actions on the user's behalf
OpenID Connect | JSON   | Mobile / web           | Authentication (on top of OAuth authorization) | Authenticate users with third-party credentials

So choose the standard that fits your use case. SAML dominates corporate SSO with enterprise applications, whereas OAuth 2.0 and OIDC dominate consumer web, mobile and API scenarios. Most identity providers speak both, so in practice the choice is usually dictated by what the applications you need to integrate support.
