Identity Management Protocols

Article's structure:

Introduction

What is identity management?

  • Identity federation
  • Access delegation

What protocols are used for identity management?

  • SAML
  • OAuth
  • OIDC

So you decided to implement Single Sign-On, which protocol should you use?

Conclusion


With the rise of heterogeneous, integrated systems such as the cloud, identity management has never been as important. Information security professionals are aware of the sensitivity of the data around identities. Questions such as "Where do the identities reside?", "How is user information exchanged?" and "What are the best practices for identity management?" are common.

What is identity management?

Identity management is the practice of governing all the subjects inside an information system, including their authentication, authorization (permissions) and accounting (audit). The practice has evolved from managing internal access-control procedures to managing relationships with external identity providers.

This includes both identity federation and access delegation, among others. Identity federation is the process by which a service authenticates users against the user database of another service (the identity provider) instead of maintaining its own credential store. The former service does not need to keep a list of users or their passwords, thereby offloading this critical task to the latter.

Access delegation is authorizing an entity to act on behalf of a user, for a limited time and for a specific task. For example, you may allow an app to access your Facebook wall and post on your behalf; it cannot send a friend request, nor read or modify the settings of your account.

What protocols are used in identity management?

There are two main standards for identity federation and access delegation: SAML and OAuth.

SAML

SAML stands for Security Assertion Markup Language and is an XML-based protocol used to exchange authentication and authorization information about a principal between a Service Provider (SP) and an Identity Provider (IdP). The IdP authenticates the user and issues a digitally signed XML assertion; the SP validates the signature and the assertion's conditions (audience, validity window) before granting access.

OAuth

OAuth stands for Open Authorization. It is an access delegation framework whereby a resource owner (e.g., a user of facebook.com) grants an application (the client) specific permissions, called scopes (e.g., publish a post), on a resource server (e.g., facebook.com). The grant is brokered by an authorization server.

The client never handles the user's credentials: the user authenticates to the authorization server, which issues the client a short-lived access token (and optionally a refresh token). Access tokens may be opaque strings or structured tokens; when they are structured they are typically JSON Web Tokens (JWT), which are signed as a JWS and, if confidentiality is needed, encrypted as a JWE. The client presents the access token to the resource server as a bearer token in the Authorization header (Authorization: Bearer <token>), and the resource server validates it before serving the request.

What about the famous OIDC?

OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. While OAuth only handles authorization, OpenID Connect adds authentication: the identity provider tells the application who the user is.

OIDC conveys this through an ID Token, a JSON Web Token (JWT) signed by the identity provider that carries claims such as the issuer (iss), the subject (sub, the user identifier), the audience (aud, the client ID) and the expiry (exp). The relying party must validate the signature and these claims before trusting the token. OIDC is an alternative to SAML: SAML uses XML-based payloads, while OIDC uses JSON.
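The two preceding sections, the bearer access token a resource server receives and the JWT-based ID Token an OIDC relying party must validate, share the same mechanics, so here is one added example covering both. It is not code from the article or from any identity provider: it mints and verifies an HS256-signed JWT with the Python standard library, pins the algorithm, checks issuer, audience, expiry and nonce, shows two forgeries the verifier must reject, and extracts a bearer token from an Authorization header. The shared secret, issuer URL, client ID and all claim values are constructed for the demo; real providers normally sign with RS256/ES256 keys published via JWKS, but the claim checks are identical.

```python
# Added example (not from the article): minimal JWS-signed JWT issuer/verifier,
# used the way an OIDC relying party checks an ID Token, plus the bearer-token
# extraction a resource server performs on the Authorization header.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: HS256 with a secret shared by issuer and verifier (demo only).
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://idp.example.test"   # constructed issuer URL
CLIENT_ID = "demo-client-id"           # constructed OAuth/OIDC client ID


class TokenError(Exception):
    """Raised when a token fails any validation step."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def mint_id_token(subject: str, nonce: str, now: Optional[int] = None, lifetime: int = 300) -> str:
    """What the identity provider issues after authenticating the user."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    return sign_jwt(claims)


def verify_id_token(token: str, expected_nonce: str, secret: bytes = SECRET,
                    now: Optional[int] = None) -> dict:
    """Relying-party checks: signature, issuer, audience, expiry, nonce."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise TokenError("token not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise TokenError("expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch (replay?)")
    return claims


def forge_claim(token: str, name: str, value) -> str:
    """Attacker's attempt: edit a claim but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims[name] = value
    return f"{header_b64}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


def alg_none_token(token: str) -> str:
    """Attacker's attempt: rewrite the header to alg=none and drop the signature."""
    _, payload_b64, _ = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."


def bearer_token_from_header(authorization: Optional[str]) -> Optional[str]:
    """Resource-server side (RFC 6750): pull the token out of 'Bearer <token>'."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock so the run is reproducible
    tok = mint_id_token("alice", nonce="n-123", now=t0)
    print("valid token for:", verify_id_token(tok, "n-123", now=t0 + 60)["sub"])
    for label, bad, now in [("forged sub", forge_claim(tok, "sub", "mallory"), t0 + 60),
                            ("alg none", alg_none_token(tok), t0 + 60),
                            ("expired", tok, t0 + 600)]:
        try:
            verify_id_token(bad, "n-123", now=now)
        except TokenError as err:
            print(f"{label}: rejected ({err})")
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is taken from the verifier's configuration rather than from the token, so a forged payload or an alg=none header is rejected before its contents can influence anything. The nonce check is what ties the ID Token to the login request that triggered it; without it a captured token can be replayed into another session.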

I want to implement SSO, which protocol should I use?

OAuth is just an authorization mechanism. So if you want to set up SSO, your choice will be either SAML or OIDC. Here is a comparative view of the three standards:

[Image: Identity management protocol comparison]

Depending on your use case, choose the appropriate standard by considering the environment, function, purpose and payload format. SAML is more commonly used in corporate environments (enterprise SSO between an organization and its SaaS vendors), whereas OAuth/OIDC dominate consumer-facing web and mobile applications on the internet.

Daniel Keets

Security Engineer, Mentor, Veteran

2 years ago

Nice write up Taoufik!
