CIAM isn't just OIDC and SAML
I thought this article about upcoming changes to NTLM, a major authentication protocol for Windows, was a good reminder about the sheer variety of CIAM protocols and solutions.
I’ve been a web developer for most of my career, so it is easy for me to overfocus on the two main modern players that are browser based: OIDC/OAuth and SAML.
But customers use other protocols too, like NTLM and Kerberos. This is often the case if the client your customers use is a desktop Windows application rather than a web browser. You can run Photoshop in the browser, and I just saw there’s an NTLM over HTTP spec, so maybe NTLM has a new lease on life!
Or, if you are in a B2B2E context (running a business with customers who have their own directories for employees) and sell to companies which have existed for a while, then you will run into LDAP/Active Directory. I talked with an employee of a company at Identiverse a few years ago whose entire business was virtualized LDAP directories. Their customers were companies who had made a large number of acquisitions and needed to rationalize their employee directories with minimal fuss.
If your customers are brand new companies, they may not use a standardized protocol at all; instead they might have a session based solution, either built into their application or using a third party provider.
Coming back to the article, I think it is also a reminder of how technologies change and evolve over time. Because of where I focus, I’ve seen that happen in the OAuth space. Things like PKCE, OAuth 2.1 and DPoP are all evolutions of that protocol to meet new needs or address security issues.
Even though the standard web authentication technologies have been around for a long time, they must change to address new threats and capabilities or be passed by.
Dan