Cloud Knowledge

Your Go-To Hub for Cloud Solutions & Insights

Advertisement
Azure Cloud

Complete Guide to Authentication Protocols: SAML, OAuth, OIDC, Kerberos, NTLM, and LDAP Explained

Shivam Tiwari 0
Complete Guide to Authentication Protocols_ SAML, OAuth, OIDC, Kerberos, NTLM, and LDAP Explained

This document provides a comprehensive explanation of key authentication and authorization protocols used across modern enterprise systems: SAML, OAuth, OpenID Connect (OIDC), Kerberos, NTLM, and LDAP. Each section includes a clear technical description and two detailed real-world examples highlighting practical use cases and implementation.

1. SAML (Security Assertion Markup Language)

Overview:

SAML is an XML-based open standard for exchanging authentication and authorization data between parties, especially between an identity provider (IdP) and a service provider (SP). It is most used to enable Single Sign-On (SSO) for enterprise web applications.

Key Features:
  • Federated identity standard
  • Uses XML assertions
  • Browser-based SSO
  • Reduces password fatigue and improves security
How It Works:
  1. The user attempts to access a service provider (SP).
  2. The SP redirects the user to the identity provider (IdP).
  3. The user authenticates with the IdP.
  4. The IdP sends a signed SAML assertion to the SP.
  5. The SP validates the assertion and grants access.
Example 1: Azure AD SSO to Salesforce
  • Use Case: A company uses Microsoft Entra ID (Azure AD) to manage employee identities. Employees use Salesforce for CRM.
  • Implementation:
    • Azure AD acts as the IdP.
    • Salesforce is configured as the SP.
    • Users log in once to Azure AD and can seamlessly access Salesforce.
  • Keywords: Azure SSO, Salesforce integration, federated identity, enterprise authentication
Example 2: Google Workspace SSO to Zoom
  • Use Case: An organization uses Google Workspace as their IdP and needs users to access Zoom.
  • Implementation:
    • Configure SAML-based SSO in Zoom.
    • Link Google Workspace as the IdP.
    • Users log in with their Google credentials to access Zoom.

Keywords: Google SAML, Zoom authentication, federated SSO

Working of Saml
Working of Saml

2. OAuth 2.0

Overview:

OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service. It does not authenticate the user directly but issues access tokens for scoped permissions.

Key Features:

  • Delegated access
  • Token-based authorization
  • Widely used in mobile and web APIs

How It Works:

  1. The user logs into a third-party application.
  2. The application requests authorization from the resource owner (user).
  3. The authorization server issues an access token.
  4. The application uses the token to access protected resources.

Example 1: Facebook Login for Spotify

  • Use Case: A user wants to log into Spotify using their Facebook account.
  • Implementation:
    • Spotify redirects to Facebook for authorization.
    • Facebook issues an OAuth access token.
    • Spotify uses the token to get basic user data.
  • Keywords: Facebook OAuth, delegated access, third-party login

Example 2: GitHub Access via Jenkins CI/CD

  • Use Case: Jenkins pipelines access GitHub repositories to pull code.
  • Implementation:
    • Jenkins uses OAuth to request access to GitHub.
    • GitHub issues a token with read/write repo scope.
    • Jenkins uses the token for automated operations.
  • Keywords: DevOps authentication, GitHub OAuth, CI/CD token
How Oauth Works
How Oauth Works

3. OpenID Connect (OIDC)

Overview:

OIDC is an authentication layer built on top of OAuth 2.0. It allows clients to verify the identity of the end-user and obtain basic profile information via ID tokens.

Key Features:
  • Identity layer on OAuth
  • Returns ID token and access token
  • JSON Web Tokens (JWT)
  • Used for login and identity management
How It Works:
  1. The client requests authentication via OIDC.
  2. The user authenticates with the identity provider.
  3. The provider issues an ID token and access token.
  4. The client uses the ID token to verify identity.
Example 1: Google Sign-In for Web Apps
  • Use Case: A web app allows users to log in using their Google account.
  • Implementation:
    • Uses OIDC to authenticate users.
    • Receives a signed ID token with user info.
    • Verifies and logs in the user.
  • Keywords: Google OIDC, identity token, federated login
Example 2: Azure AD OIDC for Custom Applications

  • Use Case: A company builds a custom app and wants to use Azure AD for identity.
  • Implementation:
    • App is registered in Azure AD.
    • Uses OIDC to authenticate users.
    • ID tokens contain roles, groups, and user details.
  • Keywords: Azure AD OIDC, enterprise identity, JWT login
How OIDC Works
How OIDC Works

4. Kerberos

Overview:

Kerberos is a network authentication protocol designed to provide secure identity verification using tickets. It is based on symmetric-key cryptography and requires a trusted third-party (KDC).

Key Features:
  • Ticket-based authentication
  • Mutual verification
  • Time-sensitive (replay protection)
  • Mostly used in Windows domain environments
How It Works:
  1. User logs in and requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC).
  2. User presents the TGT to get a Service Ticket for the application.
  3. The application verifies the Service Ticket and grants access.
Example 1: Windows Domain Login
  • Use Case: Employee logs into a Windows computer joined to an Active Directory domain.
  • Implementation:
    • Kerberos authenticates user via domain controller.
    • TGT is issued; later used to access file shares, printers, etc.
  • Keywords: Active Directory, Kerberos TGT, domain login
Example 2: Hadoop Cluster Authentication

  • Use Case: A secure big data environment uses Kerberos for authentication.
  • Implementation:
    • Kerberos is integrated with Hadoop services like HDFS, YARN.
    • Each service and user has a keytab file for authentication.
  • Keywords: Kerberos Hadoop, secure big data, enterprise cluster auth
How Kerberos Works
How Kerberos Works

5. NTLM (NT LAN Manager)

Overview:

NTLM is an older challenge-response authentication protocol used to authenticate users in Windows environments. It has largely been replaced by Kerberos but still exists in legacy systems.

Key Features:

  • Hash-based authentication
  • No ticketing system
  • Vulnerable to replay and relay attacks
  • Still supported in SMB and HTTP for legacy apps

How It Works:

  1. The client sends a negotiation message to the server.
  2. The server responds with a challenge.
  3. The client hashes the challenge with the user’s password hash.
  4. Server verifies the response.

Example 1: Legacy File Server Access

  • Use Case: Accessing a legacy SMB file share from a Windows machine.
  • Implementation:
    • Windows authenticates using NTLM.
    • Challenge-response process occurs over SMB.
  • Keywords: NTLM authentication, SMB share, legacy Windows login

Example 2: Intranet Website Authentication

  • Use Case: Internal corporate site uses NTLM for seamless browser authentication.
  • Implementation:
    • Internet Explorer or Edge auto-authenticates with NTLM.
    • User is logged in using domain credentials.

Keywords: NTLM intranet, IIS auth, integrated Windows auth

How NTLM Works
How NTLM Works

6. LDAP (Lightweight Directory Access Protocol)

Overview:

LDAP is a protocol used to query and modify directory services over an IP network. It is commonly used for user and group management and supports authentication via bind requests.

Key Features:

  • Hierarchical directory structure
  • Used for read/write of user data
  • Often paired with AD or OpenLDAP
  • Supports simple or SASL bind auth

How It Works:

  1. A client connects to the LDAP server.
  2. Authenticates using a bind operation (simple or secure).
  3. Performs queries like search, add, modify, delete.

Example 1: User Login via OpenLDAP

  • Use Case: Linux users authenticate against a central OpenLDAP server.
  • Implementation:
    • PAM modules are configured to use LDAP for auth.
    • Users log in using LDAP credentials.
  • Keywords: OpenLDAP, Linux authentication, centralized directory

Example 2: Application Role Lookup from Azure AD DS

  • Use Case: A legacy app needs to look up user group membership.
  • Implementation:
    • Azure Active Directory Domain Services (AD DS) exposes LDAP.
    • App queries groups via LDAP bind and search.
  • Keywords: Azure AD DS, LDAP bind, group membership lookup
How LDAP Works
How LDAP Works

Conclusion

Understanding authentication and authorization protocols like SAML, OAuth, OIDC, Kerberos, NTLM, and LDAP is crucial for designing secure, scalable, and user-friendly identity systems. Each protocol serves unique use cases—ranging from web SSO to internal Windows authentication—and should be selected based on security requirements, infrastructure compatibility, and user experience goals.

SAML vs OAuth, Kerberos authentication example, OIDC login flow, LDAP vs NTLM, Azure AD SSO, identity and access management protocols, OAuth in API security, enterprise authentication methods

Related Story

Leave a Reply

Your email address will not be published. Required fields are marked *