Identity, authentication and authorization protocols

By , Contributor, CSO | DEC 5, 2019 3:00 AM PST

Whether you host your authentication system internally or externally, you need to select an authentication protocol carefully. The correct protocol for your use case will allow the overall system to operate securely with minimal effort and enable future expansion and compatibility with standards. In addition, if you want to make your users’ identities available to external services, it is important to consider how easy it is for these services to consume that data while keeping the process secure.

Authentication means identifying a user in some way that allows you to authorize access to resources. The protocols discussed here cover SAML 2.0, OpenID Connect (OIDC) and OAuth2. Note that OAuth2 is not an authentication protocol, but because of the popularity of its use in cases such as enabling users to sign in with a social provider such as Facebook or Amazon, it is included here.

Identity, authentication and authorization protocols

These three protocols overlap frequently in functionality:

  • Identity protocols supply information about a user — such as a persistent identifier, phone or email address — that may be used for long-term identification of that user to your system and hence for authenticating the user and authorizing access to resources. SAML and OIDC are the best-known examples.
  • Authentication protocols do not necessarily carry a personal identifier. For example, the Kerberos system is based on the exchange of transient anonymous keys that, in themselves, include no identification data.
  • Authorization protocols, such as OAuth2 and UMA, provide a means to acquire access-protected resources without requiring the resource owner to share credentials. Interactive user consent is an important aspect of these protocols. The OAuth2 protocol is often used, casually, for identity and authentication using user data, such as an identifier, returned in the OAuth2 process.

Because of their flexibility, identity protocols are increasingly used in government, enterprise and consumer areas, covering web, mobile app and desktop applications as a best-practice approach to authentication. All these protocols may be used for single sign-on (SSO) applications, bearing in mind the caveat with OAuth2.
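The distinction drawn above between an identity protocol and a bare OAuth2 flow comes down to what a relying party must check before it trusts an identifier. An OIDC ID token carries a persistent subject (`sub`) together with issuer, audience, expiry and nonce claims that bind the token to this provider, this client and this login; a relying party that skips those checks is back to the "casual" OAuth2 pattern of trusting whatever identifier comes back. The following Python is an added example, not code from the original article or from any OIDC provider: it mints a constructed HS256 ID token on the provider side and validates it on the relying-party side, rejecting a token issued for a different client, an expired token, a tampered payload and a nonce mismatch. The issuer URL, client_id, signing key and user identifiers are all constructed placeholders; real providers publish RS256/ES256 keys via JWKS, and HS256 is used here only so the example runs offline with no dependencies.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a shared HMAC key standing in for the provider's signing key,
# plus an assumed issuer URL and the client_id of our relying party.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://idp.example.test"
CLIENT_ID = "rp-web-app"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Provider side (constructed): sign the claim set as an HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now=None, key: bytes = SIGNING_KEY) -> dict:
    """Relying-party side: verify the signature and the OIDC claims before trusting `sub`.

    Order matters: the signature is checked first so that no claim is read from an
    unauthenticated payload, then issuer, audience, expiry and nonce are enforced.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, decides the algorithm
    expected_sig = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not issued for this client")  # blocks cross-client token substitution
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")  # ties the token to the login that requested it
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the validator over one good token and four constructed bad ones."""
    base = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
            "iat": now, "exp": now + 300, "nonce": "n-abc"}
    results = {}
    results["valid_sub"] = validate_id_token(mint_id_token(base), "n-abc", now)["sub"]

    def failure(token: str, nonce: str = "n-abc"):
        try:
            validate_id_token(token, nonce, now)
            return None
        except ValueError as e:
            return str(e)

    results["wrong_audience"] = failure(mint_id_token({**base, "aud": "other-app"}))
    results["expired"] = failure(mint_id_token({**base, "exp": now - 1}))
    # Tampered payload: swap the subject but keep the original signature.
    h, _, s = mint_id_token(base).split(".")
    forged_p = _b64url(json.dumps({**base, "sub": "admin"}).encode())
    results["tampered"] = failure(h + "." + forged_p + "." + s)
    results["nonce_replay"] = failure(mint_id_token(base), "n-other")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The audience check is the one that separates an identity protocol from the casual OAuth2 pattern: a token legitimately issued to another client is still correctly signed and unexpired, and only the `aud` claim tells this relying party that it was never meant for it.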



