Identity Management Protocols

Article's structure:

Introduction

What is identity management?

• Identity federation
• Access delegation

What protocols are used for identity management?

• SAML
• OAuth
• OIDC

So you decided to implement Single Sign-On, which protocol should you use?

Conclusion

With the rise of heterogenic integrated systems, such as the cloud, identity management has never been as important. Information security professionals are aware of the sensitivity of the data around identities. Questions such as Where do the identities reside ? How is user information exchanged ? What are the best practices for identity management? are common.

What is identity management?

Identity management is the practice of governing all the subjects inside an Information System, including their authentication, authorization (permissions), and accounting (audit). The practice evolves from managing internal procedures for access control to managing relations with external identity providers.

This includes both identity federation and access delegation, among others. Identity federation is the process of using third-party credentials database to authenticate users instead of maintaining multiple databases. It is the process by which a service can authenticate users by referring to the user database of another service. The former service doesn't need to maintain a list of users. Thereby offloading this critical task to the later.

Access delegation is authorizing an entity to act on behalf of a user for a certain time and to do a specific task. For example, you may allow an app to access your Facebook wall and post on your behalf. It cannot issue a friend request nor access or modify the settings of your account.

What protocols are used in Identity Management ?

There are two main standards for Identity federation and access delegation: ?SAML and OAuth.

SAML

SAML stands for Security Assertion Markup Language and is a XML-based protocol used to exchange authentication and authorization information about a Principal between a Service Provider (SP) and an Identity Provider (IdP)

OAuth

OAuth stands for Open Auhorization. It is an access delegation framework whereby a resource owner (i.e., user of facebook.com) grants access to an application with specific permission(s) (i.e., publish a post) on a resource server (i.e., facebook.com).

OAuth doesn't process user credentials. The authorization is done via temporary tokens for a limited time. There are three methods for securely exchanging the token: JWT, JWS and JWE. The resource server gets a request containing the access token in the Authorization header.

What about the famous OIDC?

OpenID Connect is an authentication framework built on top of OAuth. While OAuth only ensures authorization, OpenID Connect adds a layer for authentication.

OIDC uses JWT or JSON Web Tokens, also called Token IDs. It is a an alternative to SAML. SAML uses XML-based payloads, while OIDC uses JSON.

I want to implement SSO, which protocol should I use ?

OAuth is just an authorization mechanism. So if you desire to set up SSO, your choice will be either SAML or OIDC. Let's give you here a comparative view of the three standards:?

Depending on your use case, choose the appropriate standard by?referring?to the environment, function, purpose and format. SAML is more commonly used in corporate environments, whereas OAuth/OIDC are used on the internet.??