Core Protocols
- Security Assertion Markup Language (SAML):
  - An XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).
  - Enables single sign-on (SSO), allowing users to access multiple applications with a single login.
  - Commonly used in enterprise environments and for federated identity management.
- OpenID Connect (OIDC):
  - A simple identity layer built on top of the OAuth 2.0 authorization framework.
  - Provides a standardized way to verify user identity and obtain basic profile information.
  - Well-suited for web and mobile applications, enabling social logins and other identity-related features.
- OAuth 2.0:
  - An authorization framework that allows third-party applications to access user-held resources on another service.
  - Employs tokens to grant limited access without sharing user credentials directly.
  - Widely used for granting access to APIs, social media integrations, and other services.
- WS-Federation:
  - A Microsoft-specific protocol similar to SAML.
  - Often used in conjunction with Active Directory Federation Services (ADFS) for federated identity.
  - Primarily used in Windows-based environments.
Key Standards
- System for Cross-domain Identity Management (SCIM):
  - A standard for automating the exchange of user identity information between identity providers and service providers.
  - Simplifies user provisioning and deprovisioning, improving efficiency and reducing errors.
- eXtensible Access Control Markup Language (XACML):
  - A standard for expressing access control policies in a machine-readable format.
  - Allows for fine-grained, attribute-based access control (ABAC) policies.
  - Used in various industries for complex authorization scenarios.
- Security Token Service (STS):
  - A service that issues security tokens, such as SAML assertions or JSON Web Tokens (JWTs).
  - Plays a central role in federated identity and SSO architectures.
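The following is an added example, not part of the original notes, showing what an XACML-style attribute-based access control decision looks like in code. It mirrors XACML's building blocks (a request carrying subject, resource, action and environment attributes; rules with a Permit or Deny effect; a policy target; and a deny-overrides combining algorithm) but writes the policy as Python callables rather than XACML XML. The medical-record policy, attribute names and sample requests are constructed for illustration.

```python
"""Minimal XACML-style ABAC policy decision point (PDP).

Added example; policy, attribute names and requests are constructed, not from
any real deployment. Decisions follow XACML semantics: a rule whose condition
holds yields its effect, a policy combines its rules (deny-overrides here),
and a request no policy applies to is NotApplicable, which we treat as Deny.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, object]


@dataclass
class Rule:
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # evaluated over the whole request
    description: str = ""


@dataclass
class Policy:
    target: Callable[[Request], bool]  # which requests this policy covers at all
    rules: List[Rule]
    combining: str = "deny-overrides"


def make_request(subject: dict, resource: dict, action: str, environment: dict) -> Request:
    """Build a request in the four XACML attribute categories."""
    return {"subject": subject, "resource": resource,
            "action": action, "environment": environment}


def evaluate_policy(policy: Policy, request: Request) -> str:
    """Return Permit, Deny or NotApplicable for one policy."""
    if not policy.target(request):
        return "NotApplicable"
    effects = [rule.effect for rule in policy.rules if rule.condition(request)]
    if not effects:
        return "NotApplicable"
    if policy.combining == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if policy.combining == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unknown combining algorithm {policy.combining!r}")


def decide(policies: List[Policy], request: Request) -> str:
    """PDP entry point: deny-overrides across policies, default deny."""
    results = [evaluate_policy(p, request) for p in policies]
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "Deny"  # NotApplicable everywhere is never an implicit permit


# Constructed sample policy: who may read a medical record.
MEDICAL_RECORDS_POLICY = Policy(
    target=lambda req: req["resource"].get("type") == "medical-record",
    rules=[
        Rule("Permit",
             lambda req: req["action"] == "read"
             and req["subject"].get("role") == "physician"
             and req["subject"].get("department") == req["resource"].get("department"),
             "treating department may read"),
        Rule("Permit",
             lambda req: req["action"] == "read"
             and req["subject"].get("id") == req["resource"].get("patient_id"),
             "patients may read their own record"),
        Rule("Deny",
             lambda req: not req["environment"].get("mfa", False),
             "no access without MFA, regardless of other permits"),
    ],
)

POLICIES = [MEDICAL_RECORDS_POLICY]


if __name__ == "__main__":
    record = {"type": "medical-record", "department": "cardiology", "patient_id": "p-42"}
    doctor = {"id": "u-7", "role": "physician", "department": "cardiology"}
    print(decide(POLICIES, make_request(doctor, record, "read", {"mfa": True})))   # Permit
    print(decide(POLICIES, make_request(doctor, record, "read", {"mfa": False})))  # Deny
```

The deny rule demonstrates why the combining algorithm matters: with deny-overrides, a single environmental condition (no MFA) blocks access even when two permit rules match, which is the behaviour most fine-grained policies want.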
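As an added example (not part of the original notes), the block below shows both halves of the token exchange that OAuth 2.0, OIDC and an STS share: the token service issuing a signed JWT with issuer, subject, audience and expiry claims, and the relying party validating it before trusting the claims. It uses HS256 with a shared secret and only the Python standard library so it runs offline; real OIDC providers normally sign with RS256/ES256 keys published through a JWKS endpoint, but the claim checks (pinned algorithm, issuer, audience, expiry, nonce) are the same. The issuer, audience, secret and claim values are constructed.

```python
"""Issue and validate a JWT the way an STS / OIDC provider and its relying party do.

Added example. Assumes an HS256 secret shared between token service and relying
party (constructed below) instead of the asymmetric keys a production IdP uses.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, issuer: str, subject: str, audience: str,
                lifetime: int = 300, now: Optional[int] = None, **extra) -> str:
    """STS side: build header.payload.signature with a bounded lifetime."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, **extra}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, secret: bytes, expected_issuer: str,
                   expected_audience: str, now: Optional[int] = None,
                   expected_nonce: Optional[str] = None) -> dict:
    """Relying-party side: verify the signature, then the claims that bind the token to us."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token pick "none" or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != expected_audience and not (isinstance(aud, list) and expected_audience in aud):
        raise ValueError("token not intended for this audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")  # replay protection for OIDC ID tokens
    return claims


# Constructed values for the demonstration.
SECRET = b"shared-secret-for-demo-only"
ISSUER = "https://sts.example.test"
AUDIENCE = "portal-app"

if __name__ == "__main__":
    tok = issue_token(SECRET, ISSUER, "alice", AUDIENCE, nonce="n-123")
    print(validate_token(tok, SECRET, ISSUER, AUDIENCE, expected_nonce="n-123"))
```

The ordering inside `validate_token` is deliberate: the signature is checked before any claim is read, the accepted algorithm is fixed by the verifier rather than taken from the header, and audience and expiry are mandatory, so a token minted for one service cannot be replayed against another.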
Other Notable Protocols
- Kerberos: A network authentication protocol that uses secret-key cryptography to authenticate service requests between hosts across an untrusted network.
- Lightweight Directory Access Protocol (LDAP): A protocol used to access and maintain directory information services over an IP network.
- RADIUS (Remote Authentication Dial-In User Service): A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users connecting and using a network service.