Monday, July 05, 2004

Authentication Overview

Basic topics of interest:

  • Authentication
  • Single sign-on
  • Validation
  • Authorization

Authentication answers the question "Who are you?" The authentication process requires user credentials, typically a username and password. The credentials are passed to an authentication server and compared to credentials stored in a database or LDAP repository.

Single sign-on (SSO) alleviates the need to authenticate more than once. This may be accomplished by saving state (a session ID) in a client-side cookie, for example. The session ID is then associated with a username in a sessions table.

Single sign-on can occur at various levels:

  • Application
  • Server
  • Intranet
  • Extranet

We will concentrate on SSO at the intranet level, that is, across servers throughout a domain. (Later we will discuss SSO across domains.)

Validation is the process that protects web resources. When a protected resource is requested, the session ID is extracted from the cookie. If the session ID is valid (in the sessions table), the request is satisfied.

Authorization answers the question "Do you have access to this resource?" Authorization occurs in conjunction with validation. If the session ID is valid and the username associated with the session ID possesses the desired role (in a roles table), the request is satisfied.
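As an added example (not code from the original post), the login, validation and authorization flow described above, with in-memory dictionaries standing in for the credentials, sessions and roles tables; the cookie name `sid` and the sample users are assumptions:

```python
import secrets

# Constructed stand-ins for the auth database tables described in the post:
# credentials, sessions (session ID -> username) and roles (username -> roles).
# Passwords are kept in the clear only to keep the sample short; a real table
# would hold salted password hashes.
CREDENTIALS = {"alice": "correct horse", "bob": "hunter2"}
ROLES = {"alice": {"user", "admin"}, "bob": {"user"}}
SESSIONS = {}


def authenticate(username, password):
    """Login step: check the credentials and, on success, issue a session ID."""
    stored = CREDENTIALS.get(username)
    if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
        return None
    # The session ID is the bearer token for SSO, so it must be unguessable.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def session_from_cookie(cookie_header):
    """Extract the session ID from a raw Cookie header (assumed cookie name 'sid')."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


def validate(cookie_header):
    """Validation: return the username only if the session ID is in the sessions table."""
    session_id = session_from_cookie(cookie_header)
    if session_id is None:
        return None
    return SESSIONS.get(session_id)


def authorize(cookie_header, required_role):
    """Authorization: the session must be valid AND its user must hold the role."""
    username = validate(cookie_header)
    if username is None:
        return False
    return required_role in ROLES.get(username, set())
```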

The following system components are required to implement a simple authentication/SSO solution:

  • auth database
  • login page
  • auth controller
  • auth web service
  • XML template

We start by examining the database components necessary to support authentication and single sign-on.