Last updated on March 10, 2025
RADIUS and SAML are popular protocols for exchanging authentication and authorization data between two or more parties. Consequently, both RADIUS and SAML are a good fit for data transfer during both Single-Factor Authentication (SFA) and Multi-Factor Authentication (MFA). But what’s the difference between these two protocols? Let’s take a look at RADIUS vs. SAML.
Preliminary Definitions
To understand RADIUS and SAML, you first have to understand what a protocol is.
A protocol is a set of defined rules describing how two or more entities can communicate by transmitting data.
In other words, a protocol outlines the steps and describes all the intricacies of data exchange between two or more parties.
When talking about RADIUS and SAML, it is hard not to mention the identity provider (IdP) and the service provider (SP), so it is important to understand what these two terms mean. But do not fret; we will make IdP and SP easy for you.
An identity provider (IdP) is a central database that contains user credentials.
A service provider (SP) is an application your users want to access.
Nowadays, federated identity management (FIM) is the norm. Each modern company has at least one identity provider to identify and verify users.
Examples of identity providers include:
- Active Directory
- OpenLDAP
- FreeIPA
- FreeRADIUS (which is a RADIUS server; not to be confused with the RADIUS protocol)
A service provider is just a fancy all-embracing name for any application or service you can think of; any cloud app or VPN your users sign in to and use.
Examples of service providers include:
- Dropbox
- Cisco ASA AnyConnect VPN
- Awingu
- And many more
RADIUS vs. SAML
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol for exchanging authentication, authorization, and accounting (AAA) data between an identity provider (IdP) and a service provider (SP).
Security Assertion Markup Language (SAML) is an XML-based open-standard protocol for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).
The preceding definitions may be hard to digest at first glance, so let’s get deeper into the differences between RADIUS and SAML protocols. Here’s a table outlining the differences:

| RADIUS | SAML |
| --- | --- |
| Open standard described in RFC 2865 | Open standard described in RFC 7522 |
| Uses UDP as the transport protocol | Uses HTTP or HTTPS as the transport protocol |
| Operates on ports 1812 and 1813 | Operates on ports 80 and 443 |
| Used during Authentication, Authorization, and Accounting | Used during Authentication and Authorization. No Accounting support. |
| Can only encrypt the password; does not encrypt other data such as username | Can encrypt all sent data |
| Mainly used for network access | Primarily used to enable Single Sign-On (SSO) |
| A request-response protocol based on Access-Request packets | A token-based protocol based on assertions |
| Weaker user experience due to the lack of SSO | Better and more consistent user experience thanks to SSO |
| Supported by Rublon | Supported by Rublon |
Operation
Both RADIUS and SAML are open standards described in RFC documents. The differences start with the transport protocol each one uses to carry data between the parties. RADIUS uses UDP and operates on ports 1812 and 1813. SAML, on the other hand, uses HTTP or HTTPS and operates on ports 80 and 443. You can use both protocols during authentication and authorization. RADIUS also supports accounting, while SAML does not.
Authentication
It is important to note that SAML does not perform authentication but only communicates the assertion data. SAML uses so-called assertions to establish trust between an identity provider and a service provider. Once trust is established, a user can sign in to one cloud application and then gain access to another cloud application via SSO without having to reenter their password. Nevertheless, performing authentication is up to the identity provider. As a result, you need to use SAML in tandem with the LDAP or RADIUS protocol to verify the user credentials against data in the identity provider. Cybersecurity experts highly recommend enabling MFA for SAML.
Encryption
An essential feature of SAML is that it can encrypt all sent data. In contrast, RADIUS only encrypts the password. You can encrypt all RADIUS packets with the RadSec protocol, but this is a different protocol that requires additional configuration. You can also implement a virtual private network (VPN) between the RADIUS server and RADIUS clients.
Use Cases
The main difference between RADIUS and SAML is that RADIUS is mainly used for network access, whereas SAML is chiefly employed for Single Sign-On (SSO) needs.
Technical Differences
Furthermore, RADIUS is a request-response protocol based on Access-Request packets for authentication and Accounting-Request packets for accounting. Conversely, SAML is a token-based protocol based on assertions. Without getting deeper into technical jargon, these two protocols are inherently different technologically.
User Experience
Relative to SAML, which ensures a good user experience thanks to Single Sign-On (SSO), RADIUS provides a weaker user experience because it is text-based. User experience is essential in Multi-Factor Authentication (MFA), where, when coupled with SSO, SAML outdoes RADIUS as the communication protocol.
Still, if you want to combine Single Sign-On (SSO) and an identity provider (IdP) like FreeRADIUS, you can achieve such a configuration using the Rublon Access Gateway. The Rublon Access Gateway allows you to use SAML in conjunction with RADIUS or LDAP protocol. The Rublon Access Gateway works with both LDAP servers (e.g., OpenLDAP, Active Directory) and RADIUS servers (e.g., FreeRADIUS), which means that it effectively supports all major identity providers.
You can use Rublon to add robust Multi-Factor Authentication (MFA) to services compatible with both RADIUS and SAML protocols to considerably improve your security posture.
RADIUS and SAML With MFA
You can use RADIUS or SAML as the protocol for information exchange between two parties during Single-Factor Authentication (SFA) and Multi-Factor Authentication (MFA). Since both the RADIUS and SAML protocols are data transfer protocols, you can combine them with almost any major IdP of your choice. Rublon supports both of these protocols during MFA.
SAML or RADIUS: Which One to Choose?
Both RADIUS and SAML come with their unique set of capabilities. In the end, the choice is yours and depends on what you need and what your service providers are compatible with. As a rule of thumb, RADIUS is usually a better fit for virtual private networks (VPNs), while SAML is better suited for cloud applications. You may end up using SAML and RADIUS protocols simultaneously, even in unison. If you decide to use just one of these, you may still be forced to use the other as well, especially if you have a lot of applications and services in your workforce.
All in all, unless you are a developer and have to choose between these two, it is best to use both RADIUS and SAML to cover all kinds of services and applications in your organization. Suppose you want to enable Multi-Factor Authentication (MFA) on a service that supports both RADIUS and SAML protocols. In that case, we recommend using SAML, which allows for Single Sign-On (SSO) and a streamlined user experience.
Rublon Adds MFA to Your RADIUS and SAML Compatible Applications
Rublon can secure almost all your applications and VPNs compatible with RADIUS and SAML protocols.
The Rublon Authentication Proxy is an on-premises RADIUS proxy server you can use to enable Multi-Factor Authentication (MFA) on any service that supports the RADIUS authentication protocol.
The Rublon Access Gateway is a web application that allows you to enable Multi-Factor Authentication (MFA) on any service that supports the SAML protocol. Users can access integrated applications using the SSO Portal, which employs the mechanics of Single Sign-On to make sign-ins faster and easier for your users.