Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
Master Authentication Protocols: Kerberos, LDAP & WS-Trust
Identity Fundamentals
What is Identity and Access Management (IAM)?
Identity Providers and Service Providers
Centralized Identity Management
What is Centralized Identity Management?
How Does Centralized Identity Management Work?
Centralized Identity Standards
SAML
OAuth
OpenID Connect (OIDC)
Decentralized Identity Management
What is Decentralized Identity Management?
How Does Decentralized Identity Management Work?
How is Decentralized Identity Different?
Decentralized Identity Standards
Common Terms
Zero Trust Security
Orchestration
Authentication
Single-factor, Two-factor, and Multi-factor Authentication
Passwordless Authentication
FIDO (Fast Identity Online)
Risk-based Authentication
Certificate-based Authentication
Token-based Authentication
Single Sign-On (SSO)
Federated Identity Management
Continuous Authentication
CHAP Authentication
Authorization
Authorization Methods
User and Account Provisioning
Single Sign-on with a Directory
Dynamic Authorization
Protocols
LDAP
SCIM
WebAuthn
Kerberos
WS-Trust
What Is B2B Identity and Access Management (B2B IAM)
Agentic AI
Key IAM Considerations to Support Agentic AI
AI Agent Classes and Use Cases
IAM Best Practices for AI Agents
Reference Implementations and Patterns
Expand All | Collapse All

Authentication and Authorization Protocols



Sometimes confused with an authentication “standard,” an authentication protocol is a set of specific rules and procedures that all entities must agree to use before communicating. The protocol language must be followed step by step by each party so that the requesting entity can safely authenticate the receiving entity and vice versa. There are many authentication protocols available to enterprises today. This article highlights Kerberos, Lightweight Directory Application Protocol (LDAP), and WS-Trust.

 

Kerberos

 

Kerberos was built to support both authentication and authorization so that once a user is authenticated, they’re also authorized. Used for single-sign on (SSO) by many enterprises, the Kerberos protocol doesn’t send passwords over the network for authentication. Instead, it uses strong, time-limited secret-key cryptography, multiple secret keys, and a third-party service to authenticate client-server applications and user identities. 

 

Kerberos may be complicated on the backend, but it offers an almost frictionless experience on the front end. The user simply signs into one device and is automatically authenticated to access network resources and many third-party applications that they were previously authorized to use. Kerberos streamlines daily work so that employees can focus on the task at hand instead of continually signing into the systems and resources they need.

 

Lightweight Directory Access Protocol (LDAP)

 

LDAP was originally created to provide secure authentication sessions for enterprise employees. It employs strong encoding rules that prevent users from creating weak passwords. An LDAP authentication session begins when a user (client) connects to an LDAP server that houses user data that was previously entered by administrators. Once connected, the two entities can exchange data. 

 

LDAP is used in a network’s active directory to store data in a hierarchical fashion so users can find information they need quickly. When a user queries an LDAP database for a specific object, LDAP walks down the directory tree to find the object the user requested. All permissions are contained in the separate domains in the hierarchy, so authentication can be allowed or denied at this stage without having to go back to the general network administrator.

 

WS-Trust

 

The WS-Trust protocol is used to establish and manage trust relationships between two or more applications or devices. Organizations can use the WS-Trust protocol to define the basic messaging framework for secure machine-to-machine messaging. WS-Trust can issue, renew, and validate security tokens. Specifically, the protocol uses a Security Token Service (STS) to perform operations on security tokens. 

 

 

On the web service client side, WS-Trust allows STS to convert a local security token into a standard Security Assertion Markup Language (SAML) security token, which contains the identity of the user. On the web service provider side, the STS is used to validate those incoming security tokens and can also generate a new local token that can be consumed by other applications. The main role of WS-Trust is to function as a request-response message pair with the help of the STS. 

Start Today

Contact Sales

sales@pingidentity.com

See how Ping can help you deliver secure employee, partner, and customer experiences in a rapidly evolving digital world.