Simple Authentication and Security Layer (SASL)
SASL (defined by RFC 2222) is a generic protocol framework that gives
connection-based protocols a means to use authentication mechanisms other than
simple authentication and SSL. Protocols such
as LDAP, POP, IMAP and SMTP each specify a SASL profile,
which describes how to encapsulate the SASL negotiation and SASL messages within
that protocol. Within the SASL framework, the individual authentication schemes
are referred to as mechanisms.
One of the supported mechanisms for SASL is GSS-API.
Kerberos is one of the standardized GSS-API mechanisms,
so protocols that use SASL for authentication also support Kerberos
authentication through the GSS-API.
To use the SASL specification, a protocol includes a command for identifying
a user to a server and for (optionally) negotiating protection of subsequent
protocol interactions. If such protection is negotiated, a security layer is
inserted between the protocol and the connection.
During the authentication protocol exchange, the mechanism performs authentication,
transmits an authorization identity (a userid) from the client to the server,
and then negotiates the use of a mechanism-specific security layer. The authorization
identity may differ from the identity in the client's authentication
credentials. This allows agents such as proxy servers to authenticate using
their own credentials while still requesting the access privileges of the
identity on whose behalf they are acting.
If the use of a security layer is negotiated, it is applied to all subsequent
data sent over the connection.
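The authentication identity versus authorization identity distinction described above, shown as an added example (not part of the original text) using the SASL PLAIN mechanism (RFC 4616), whose message carries both identities explicitly. The credential store, the proxy policy and the base64-wrapping profile are constructed assumptions; PLAIN itself negotiates no security layer, so only the identity handling is shown.

```python
import base64
import hashlib
import hmac

# Constructed credential store: authentication identity -> SHA-256 of password.
_USERS = {
    "alice": hashlib.sha256(b"alice-pw").hexdigest(),
    "proxy-svc": hashlib.sha256(b"proxy-pw").hexdigest(),
}
# Constructed proxy policy: which authenticated identities (authcid) may
# request the privileges of which authorization identities (authzid).
_PROXY_ALLOWED = {"proxy-svc": {"alice", "bob"}}


def parse_plain(message: bytes):
    """Split a SASL PLAIN message: [authzid] NUL authcid NUL passwd (RFC 4616)."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd are required")
    return authzid, authcid, passwd


def authenticate_plain(message: bytes):
    """Return the effective authorization identity, or None if authentication
    fails or the proxy policy does not permit the requested authzid."""
    try:
        authzid, authcid, passwd = parse_plain(message)
    except ValueError:
        return None
    expected = _USERS.get(authcid)
    if expected is None:
        return None
    presented = hashlib.sha256(passwd.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return None
    # An empty authzid means "act as the authenticated identity itself".
    if not authzid or authzid == authcid:
        return authcid
    # Proxy case: authenticated as authcid, asking for authzid's privileges.
    if authzid in _PROXY_ALLOWED.get(authcid, set()):
        return authzid
    return None


def handle_client_response(b64_response: str):
    """Profiles such as IMAP and SMTP carry the PLAIN message base64-encoded."""
    try:
        raw = base64.b64decode(b64_response, validate=True)
    except (ValueError, TypeError):
        return None
    return authenticate_plain(raw)
```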