When comparing Kerberos to SAML, a common argument on StackOverflow sites and the rest of the Internet is that SAML is for Internet / cloud applications while Kerberos is for the enterprise LAN. There are several claims to support such an argument:
Kerberos requires the client and service to be domain joined.
However, from my understanding:
- Kerberos requires trust between the client and the KDC, as well as between the service and the KDC
- Domain-join is just one way to establish the trust in an AD environment. There should be other ways (e.g. manual configuration). The protocol does not mandate domain-join.
- On the other hand, to use SAML, the IdP and SP must be configured to trust each other as well.
Kerberos requires the client to have direct access to the KDC
However, from my understanding:
- It is true that, again, in an AD environment, the KDC (domain controller) is not usually exposed to the Internet.
- But generally it is safe to make a KDC publicly accessible (provided other security measures are in place) because Kerberos was designed to operate in untrusted networks.
Kerberos has a strict requirement on clock synchronization
However, from my understanding:
- Most machines have access to NTP / Internet if they need to sign into cloud apps
- The protocol is now able to handle clocks being out of sync
- SAML (TLS) has a requirement on the clock as well (although less strict)
In addition to those seemingly invalid arguments to me, there is software (e.g. ADFS) that acts as an adapter between Kerberos and SAML. So my question is, why don't we just use Kerberos for SSO into cloud apps (like Salesforce)? Why was SAML invented, and what problem with Kerberos does it address?
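As an added illustration of the clock-synchronization point raised above (example code, not from the question or any answer): a SAML SP-side check of a constructed `<Conditions>` element with a configurable skew allowance, beside a Kerberos-style authenticator freshness check. The 5-minute Kerberos limit is the common default; the sample timestamps and skew values are constructed assumptions.

```python
"""Clock-skew tolerance: SAML assertion Conditions vs. Kerberos authenticator.

Both protocols depend on the validator's clock; the difference is how much
skew each side is configured to tolerate. This is an added example, not
code from the original post.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an assertion valid for a five-minute window.
SAMPLE_CONDITIONS = (
    f'<saml:Conditions xmlns:saml="{SAML_NS}" '
    'NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>'
)

KERBEROS_MAX_SKEW_SECONDS = 300  # typical KDC/service default (5 minutes)


def parse_ts(value: str) -> datetime:
    """Parse a SAML xsd:dateTime in UTC (trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def saml_conditions_valid(xml_text: str, now: datetime, skew_seconds: int) -> bool:
    """SP-side check: is `now` (the validator's clock) inside the assertion
    window, widened by `skew_seconds` in both directions? NotOnOrAfter is
    exclusive, as in the SAML spec."""
    elem = ET.fromstring(xml_text)
    skew = timedelta(seconds=skew_seconds)
    not_before = parse_ts(elem.attrib["NotBefore"])
    not_on_or_after = parse_ts(elem.attrib["NotOnOrAfter"])
    return (not_before - skew) <= now < (not_on_or_after + skew)


def kerberos_authenticator_fresh(client_ts: datetime, service_now: datetime,
                                 max_skew_seconds: int = KERBEROS_MAX_SKEW_SECONDS) -> bool:
    """Service-side freshness check: the authenticator timestamp sent by the
    client must be within max_skew of the service clock, or the service
    rejects it (KRB_AP_ERR_SKEW)."""
    return abs(service_now - client_ts) <= timedelta(seconds=max_skew_seconds)
```

With zero skew the same one-minute clock drift that Kerberos tolerates causes a SAML assertion to be rejected just after its window, which is why SP implementations expose a skew setting.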