Understanding Identity Protocols

OIDC, OAuth, SAML, Kerberos, RADIUS, and TACACS+ are protocols handling authentication and authorization. Each serves a niche, from web authentication (OIDC/OAuth) to network access (RADIUS/TACACS+) and cross-domain identity (SAML/Kerberos).

OAuth 2.0 is the industry-standard protocol for authorization. OpenID Connect (OIDC) is built atop OAuth 2.0, adding an identity layer for authentication. OIDC enables clients to verify user identity based on authentication performed by an authorization server.

Security Assertion Markup Language (SAML) is an XML-based framework for exchanging authentication and authorization data between parties, perfect for enterprise single sign-on (SSO). SAML can minimize password fatigue and IT overhead, improving security and user experience.

Kerberos protocol is named after the mythological three-headed dog guarding Hades' gates. It uses 'tickets' to avoid constant password sending over the network, providing a trusted third-party authentication service, often implemented in Windows Active Directory environments.

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol providing centralized Authentication, Authorization, and Accounting (AAA) management for users accessing a network service. RADIUS is widely used by ISPs and enterprises to manage access to networks and computing resources.

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol similar to RADIUS but offers more granular control over command authorization. Unlike RADIUS, which encrypts only passwords, TACACS+ encrypts the entire authentication process, enhancing security.