Which authentication protocols are commonly used in enterprise IAM?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

Which authentication protocols are commonly used in enterprise IAM?

Explanation:

In enterprise IAM, the aim is to securely identify users and grant appropriate access across many apps and systems, often with single sign-on and federated trust. The protocols that best support this are SAML, OAuth 2.0, OpenID Connect, and Kerberos.

SAML enables web-based single sign-on by exchanging authentication and authorization data between an identity provider and service providers. This lets users sign in once and access multiple applications without re-entering credentials, which is a cornerstone of enterprise IAM.

OAuth 2.0 provides a framework for delegated authorization. Instead of sharing passwords, applications obtain tokens that grant limited access to resources on behalf of a user, which is essential for secure API access and third-party integrations in enterprise environments.

OpenID Connect builds on OAuth 2.0 to add user authentication and identity information in a standardized way. It allows applications to verify who a user is and obtain profile details, enabling consistent login experiences across services.

Kerberos offers strong mutual authentication within a trusted domain, using tickets issued by a central Key Distribution Center. This is widely used in corporate networks, especially where Windows Active Directory or similar ecosystems are in play, for securely proving a user’s identity to services.

The other options aren’t primarily designed as authentication protocols for IAM in the same way: FTP, SMTP, and HTTP are foundational protocols for file transfer, email, and web traffic, not identity authentication. SOAP, REST, and XML-RPC are communication or API paradigms, not authentication mechanisms by themselves. RADIUS and TACACS+ cover network access and device management authentication, and SSH handles secure remote login, but they don’t represent the standard federation and identity frameworks that enterprise IAM typically relies on.
