Identity and authentication
An end user (either a human or another system) has an identifier (user
name) or a set of identifiers (titles, roles, alias) and proofs (password).
To authenticate, the user presents the identifier and proof to an application
when prompted to identify itself to the application. If the application
validates the identifier and proof, the user has successfully "authenticated"
and the identity is now an authenticated identity. When an application
implements business logic and enforces its own security policies, it needs to
keep its data and metadata in an identity data or metadata repository (file
system, database). On the Web, the end users no longer solely have application
client code on their own systems. They often access applications through a
browser, and the network locates the application through a URI (universal resource
identifier) that is supplied by the end user.
Single sign-on
When a user has multiple applications with different identifiers and
proofs, it sometimes becomes difficult to manage the identity data and metadata
to make the appropriate decisions. Single sign-on (SSO) is a term applied to
various techniques (human and automated) to reduce this complexity.
Solutions for SSO can be client-based or server- or service-based, and they
can be tightly coupled or loosely coupled to the applications. Web-based SSO
refers to browser-based solutions, and it typically includes cookies. In tightly
coupled client-based SSO, the responsibility is on the user to register and
synchronize multiple IDs and passwords that are maintained in multiple application
repositories. Some SSO relies on "identity mapping." Others provide "identity
propagation" or "identity assertions." New initiatives in Federated SSO enable
a user to register with a third party Identity Service Provider, which then
manages the user information, thus providing a loosely coupled alternative.
In enterprises, a backend SSO can include the enterprise acting as the Identity Service Provider (ISP).
A backend SSO includes a common repository for all applications, and each application
or server is reconfigured to not use a local repository. Backend SSO solutions
can also maintain multiple repositories for user information and use a management
process to force the synchronization of the identity data in multiple repositories.
When multiple identities are involved, there are often requirements to isolate
applications into realms that often correlate to administrative domains.
Digital identities
As people and businesses have become more dependent on computer technology,
there has been a proliferation of identity-related information. With the awareness
of identity theft, governments are legislating requirements for businesses to
protect the identity information for which they are serving as custodians.
There are two major strategies for managing digital identities:
- The first is user-centric. It relies on users actively
participating in identity protection by "registering" with third-party
providers, and then granting permission to providers that they trust to access
their identity data and metadata. The Liberty Alliance is a consortium that
has been leading this strategy, but there is also an open source effort underway
with the Higgins initiative in partnership with The Apache Foundation.
- The second is a business-centered model in which a business
provides identity management services to its customers, partners, and employees.
Businesses deal with different volumes of information than individuals do
and, therefore, have different scaling requirements. Businesses also need
to have their own systems for managing user access, based on business roles
and changing business conditions (that is, you might always be "My Name,"
but you might not always work for XYZ Company).
Authorization
As people and businesses have become more dependent on computer technology,
rules about who can access what resource have become codified. When designing
applications, the decision about who can access what information might depend
on business context information, or it might be external to the application
and handled by a separate set of middleware. Most products and computer systems
have implemented a set of "access control" mechanisms, but each one
usually keeps its own record of authorized user names mapped to resource names.
These are called access control lists.
Message protection
There are two basic types of protection:
- Integrity protection (proof that the message has not been
changed while in transit)
- Confidentiality (application of cryptography to ensure
that only authorized recipients can see the message)
When messages are sent over a protocol, each message can be digitally signed
or encrypted, or the network protocol can sign and encrypt all traffic between
the two entry points. When the protocol provides the protection, it is often
said to be point-to-point (that is, network endpoint to network
endpoint).
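The two scopes of integrity protection described above, modelled as an added example that is not from the original page: an HMAC stands in for a digital signature, and the "sender", "proxy" and "recipient" names, the keys and the signature-then-body framing are constructed for the demonstration. Point-to-point protection catches bytes altered on the wire but not a rewrite by an intermediary that is itself a hop endpoint; a message-level signature is checked by the final recipient and catches both.

```python
import hashlib
import hmac

# Constructed keys: the end-to-end key is known only to sender and recipient;
# each hop key is shared by the two endpoints of that network hop.
END_TO_END_KEY = b"constructed-sender-recipient-key"
HOP_KEYS = {
    ("sender", "proxy"): b"constructed-hop-key-1",
    ("proxy", "recipient"): b"constructed-hop-key-2",
}
SIG_LEN = 32  # HMAC-SHA256 stands in for a digital signature here


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def protect_hop(src, dst, payload):
    """Point-to-point: the transport authenticates the bytes on one hop."""
    return {"payload": payload, "hop_mac": mac(HOP_KEYS[(src, dst)], payload)}


def check_hop(src, dst, frame):
    return hmac.compare_digest(frame["hop_mac"], mac(HOP_KEYS[(src, dst)], frame["payload"]))


def relay(body, message_level, proxy_rewrite=None, wire_corruption=False):
    """Send body sender -> proxy -> recipient; True if the recipient accepts it.

    message_level: the sender also signs the body (end-to-end protection).
    proxy_rewrite: the intermediary, a legitimate hop endpoint, replaces the body.
    wire_corruption: bytes are altered on the wire between two hop endpoints.
    """
    sig = mac(END_TO_END_KEY, body) if message_level else b""
    frame = protect_hop("sender", "proxy", sig + body)  # constructed framing: sig || body
    if wire_corruption:
        frame = dict(frame, payload=frame["payload"] + b"!")
    if not check_hop("sender", "proxy", frame):  # proxy terminates hop 1
        return False
    payload = frame["payload"]
    if proxy_rewrite is not None:
        payload = payload[:len(sig)] + proxy_rewrite  # signature kept, body swapped
    frame = protect_hop("proxy", "recipient", payload)  # proxy starts hop 2
    if not check_hop("proxy", "recipient", frame):
        return False
    if not message_level:
        return True  # transport was intact on every hop; nothing else to check
    sig_rx, body_rx = frame["payload"][:SIG_LEN], frame["payload"][SIG_LEN:]
    return hmac.compare_digest(sig_rx, mac(END_TO_END_KEY, body_rx))
```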