DEV Community

TiltedLunar123

SAML logs you in, OAuth lets you in: the Security+ protocols people keep confusing

If you are studying for the SY0-701 Security+ exam, there is a cluster of protocols that shows up again and again: RADIUS, TACACS+, Kerberos, LDAP, SAML, OAuth, and OpenID Connect. They all touch logging in, so on a first read they blur together. The exam knows this, and it writes questions that hinge on the one difference you skipped over.

Here is how I keep them straight.

First, split the pile in two

These protocols do two different jobs:

  • Getting into a network or a device (the AAA family): RADIUS, TACACS+, Kerberos, LDAP.
  • Getting into web apps across organizations (federation): SAML, OAuth, OpenID Connect.

If a question is about a VPN concentrator, a wireless controller, or an admin logging into a switch, you are in AAA territory. If it mentions "log in with Google," a third-party web app, or single sign-on between companies, you are in federation territory. Just sorting the question into the right pile knocks out half the answer choices.

The AAA pile

RADIUS versus TACACS+ is the classic trap. Both handle authentication, authorization, and accounting, but they differ in ways the exam loves:

  • RADIUS runs over UDP and encrypts only the password in the request. It is the default for network access: Wi-Fi, VPN, and 802.1X.
  • TACACS+ runs over TCP and encrypts the entire payload. It also separates the three A's, which is why it is favored for administering network devices when you want per-command authorization.

A memory hook: TACACS+ is Cisco-born, uses TCP, and encrypts the Complete payload. If the stem stresses device administration or granular command control, it wants TACACS+.

Kerberos is about tickets, not passwords crossing the wire. A client authenticates once to a Key Distribution Center, receives a ticket-granting ticket, and uses tickets after that. Two tells on the exam: it provides mutual authentication, and it is time-sensitive. Clock skew breaks it, which is why you often see it tied to an NTP problem.

LDAP is the protocol for talking to the directory itself, the database of users and objects that the other protocols consult. If the answer is "the protocol used to look up objects in a directory," that is LDAP, and LDAPS is just the TLS-protected version.

The federation pile

This is where most people bleed points, because they treat authentication and authorization as the same word. They are not.

  • SAML answers "who are you?" It is the XML-based standard behind enterprise single sign-on. Picture an employee clicking a tile in their identity provider and landing in Salesforce already logged in.
  • OAuth answers "what are you allowed to do?" It is authorization, not login. It is the framework that lets one app reach your data in another app without you handing over your password. When an app asks to read your Google Drive files, that is OAuth issuing a scoped token.
  • OpenID Connect is the missing piece. It is a thin authentication layer built on top of OAuth, which is what actually makes "log in with Google" a real login. OAuth by itself was never designed to prove identity. OIDC adds that.

The one-liner I use: SAML logs you in for enterprise SSO, OAuth lets an app in on your behalf, and OIDC is OAuth that also logs you in.
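To make the OAuth-versus-OIDC line concrete, here is a small relying-party check I added for this post (it is not part of the original and not any vendor's code). A plain OAuth token response carries an access token and scopes, which answers "what may this app do"; the app may only treat someone as logged in once an OIDC ID token verifies. The secret, issuer, client ID and claims are constructed sample values, and it signs with HS256 so it runs offline (real providers normally publish RS256 keys).

```python
import base64, hashlib, hmac, json, time

# Constructed sample values standing in for a real identity provider and client.
SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example.test"
CLIENT_ID = "partner-portal"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the identity provider signing an ID token (HS256 for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, nonce: str, now=None, secret: bytes = SECRET,
                    issuer: str = ISSUER, client_id: str = CLIENT_ID):
    """Return the claims if this ID token proves identity to this client, else None."""
    try:
        parts = token.split(".")
        if len(parts) != 3 or json.loads(_unb64url(parts[0])).get("alg") != "HS256":
            return None  # malformed, or not the algorithm agreed with the provider
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64url(parts[2]), expected):
            return None  # not signed by our identity provider
        claims = json.loads(_unb64url(parts[1]))
    except ValueError:
        return None  # bad base64 or bad JSON
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        return None  # minted by another issuer, or for a different application
    if claims.get("nonce") != nonce or claims.get("exp", 0) <= now:
        return None  # replayed into another login session, or already expired
    return claims

def authenticated_user(token_response: dict, nonce: str, now=None):
    """Who just logged in? access_token + scope is authorization, not identity;
    only a verified OIDC id_token names a user."""
    id_token = token_response.get("id_token")
    if not id_token:
        return None
    claims = verify_id_token(id_token, nonce, now)
    return claims["sub"] if claims else None
```

The nonce is whatever the app generated when it started this login, so a token lifted from another session fails even when its signature is good.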

The question format to expect

The exam rarely asks "what is OAuth?" It hands you a scenario and makes you pick the protocol:

A user authenticates to a partner company's web application using their own company credentials, and no password is shared between the two organizations. Which technology enables this?

The phrases "web application," "across two organizations," and "no shared password" point straight at SAML. Change the scenario to "grant a third-party app permission to post on your behalf" and the same style of question now wants OAuth.

Train yourself to read for the verb. Prove identity means authentication, so think SAML, OIDC, or Kerberos. Grant access to a resource means authorization, so think OAuth. Log into a network or device means the AAA family.

How to actually drill this

Definitions do not survive exam pressure. Scenario reps do. Take each protocol and bury it in five or six question stems, then answer them until the jump from keyword to protocol is automatic. I built a bank of practice questions and short lessons around this kind of pattern drilling at SecPlus Mastery, and there is a free diagnostic at secplusmastery.com/diagnostic if you want to find which of these protocol families is your weak spot before you sink study hours into the rest.

Sort the question into a pile, read for the verb, and these seven acronyms stop being a wall you memorize and start being a decision you make.
