Sometimes confused with an authentication “standard,” an authentication protocol is a set of specific rules and procedures that all entities must agree to use before communicating. Each party must follow the protocol step by step so that the requesting entity can safely authenticate the receiving entity and vice versa. Many authentication protocols are available to enterprises today. This article highlights Kerberos, Lightweight Directory Access Protocol (LDAP), and WS-Trust.
Kerberos was built to support both authentication and authorization so that once a user is authenticated, they’re also authorized. Used for single sign-on (SSO) by many enterprises, the Kerberos protocol doesn’t send passwords over the network for authentication. Instead, it relies on strong secret-key cryptography: time-limited tickets, multiple distinct secret keys, and a trusted third-party service authenticate client-server applications and user identities.
Kerberos may be complicated on the back end, but it offers an almost frictionless experience on the front end. The user simply signs in to one device and is automatically authenticated to network resources and many third-party applications that they were previously authorized to use. Kerberos streamlines daily work so that employees can focus on the task at hand instead of continually signing in to the systems and resources they need.
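As an added illustration of the pattern described above (not code from the original article), here is a minimal Python model of the Kerberos flow: the KDC (Kerberos's third-party key distribution center) issues a time-limited ticket sealed under the service's key and a reply sealed under the client's key, both carrying a fresh session key, and the client's password is only ever used locally to derive a key. The sealing construction (HMAC-SHA256 keystream plus an HMAC tag), the principal names and the field names are this example's own stand-ins, not Kerberos's real encryption types or message formats.

```python
import hashlib, hmac, json, os

# Toy "enctype": HMAC-SHA256 keystream XOR plaintext, then an HMAC tag (encrypt-then-MAC).
# Real Kerberos uses AES enctypes; the protocol shape, not the cipher, is the point here.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"E" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"M" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"M" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(password, principal):
    # Derived independently by the KDC and by the client; the password itself never travels.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def kdc_issue(kdc_db, client, service, now, lifetime=3600):
    """The trusted third party: a ticket only the service can open, plus a reply
    only the client can open. Both carry the same fresh session key (hypothetical fields)."""
    session = os.urandom(32).hex()
    ticket = seal(kdc_db[service], {"client": client, "session": session,
                                    "start": now, "end": now + lifetime})
    reply = seal(kdc_db[client], {"service": service, "session": session, "end": now + lifetime})
    return ticket, reply

def client_request(reply, password, client, service, now):
    """Opening the reply proves the client knows its password; the returned
    authenticator proves it holds the session key right now."""
    creds = unseal(long_term_key(password, client), reply)
    if creds["service"] != service:
        raise ValueError("reply was issued for a different service")
    return seal(bytes.fromhex(creds["session"]), {"client": client, "time": now})

def service_verify(service_key, ticket, auth, now, skew=300):
    t = unseal(service_key, ticket)  # verified locally with the service's own key; no call to the KDC
    if not t["start"] <= now <= t["end"]:
        raise ValueError("ticket expired or not yet valid")
    a = unseal(bytes.fromhex(t["session"]), auth)
    if a["client"] != t["client"] or abs(a["time"] - now) > skew:
        raise ValueError("authenticator does not match ticket or is stale")
    return t["client"]
```

A wrong password fails at the client side (the reply cannot be opened), while an expired ticket, a stale authenticator or a wrong service key each fail at the service side without any round trip to the KDC.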
LDAP was originally created to provide secure authentication sessions for enterprise employees. It employs strong encoding rules that prevent users from creating weak passwords. An LDAP authentication session begins when a user (client) connects to an LDAP server that houses user data that was previously entered by administrators. Once connected, the two entities can exchange data.
LDAP is used in a network’s Active Directory to store data in a hierarchical fashion so users can quickly find the information they need. When a user queries an LDAP database for a specific object, LDAP walks down the directory tree to find the object the user requested. All permissions are contained in the separate domains of the hierarchy, so authentication can be allowed or denied at this stage without having to go back to the general network administrator.
The WS-Trust protocol is used to establish and manage trust relationships between two or more applications or devices. Organizations can use WS-Trust to define the basic message framework for secure machine-to-machine communication. WS-Trust can issue, renew, and validate security tokens. Specifically, the protocol uses a Security Token Service (STS) to perform operations on security tokens.
On the web service client side, WS-Trust allows the STS to convert a local security token into a standard Security Assertion Markup Language (SAML) security token, which contains the identity of the user. On the web service provider side, the STS validates those incoming security tokens and can also generate a new local token that other applications can consume. At its core, WS-Trust operates as a request-response message pair exchanged with the help of the STS.