Interface | Description
---|---
Authentication | Authentication represents an authentication credential, which contains a set of bytes and a format Type.
AuthenticationAcquisitionSession | This session acquires authentication credentials.
AuthenticationInput | An authentication condition interface.
AuthenticationProcessManager | The authentication process manager provides access to authentication sessions and provides interoperability tests for various aspects of this service.
AuthenticationProcessProfile | The AuthenticationProcessProfile describes the interoperability among authentication process services.
AuthenticationProcessProxyManager | The authentication process proxy manager provides access to authentication sessions and provides interoperability tests for various aspects of this service.
AuthenticationValidationSession | This session is the remote end of a transport link from the acquisition session and validates authentication credentials sent to it.
Challenge | The challenge data.
CircleOfTrustSession | This session examines the relationship between Agents and Trusts.
Trust | Trust represents the level of confidence in an authentication.
TrustList | Like all OsidLists, TrustList provides a means for accessing Trust elements sequentially, either one at a time or many at a time.
TrustLookupSession | This session provides methods for retrieving Trusts.
The Open Service Interface Definitions for the org.osid.authentication.process service.
The Authentication Process OSID conducts an authentication process.
The Authentication OSID helps an OSID Consumer acquire and validate authentication credentials without having to manage the details of a particular authentication environment. Authentication is generally a two-step process. A user wishing to authenticate acquires a set of credentials and transports those credentials to a remote peer. The remote peer then validates those credentials and determines the identity of the user represented. This process is reflected in the Authentication OSID with the definition of two OSID sessions:

AuthenticationAcquisitionSession: A session to acquire credentials from a user and serialize them for transport to a remote peer for authentication.

AuthenticationValidationSession: A session to receive and validate authentication credentials from a remote peer wishing to authenticate.

The transport of authentication credentials is the responsibility of the consumer of the Authentication OSID, as authentication generally supports an existing application protocol environment. Methods exist to extract and supply credentials at each end. An Authentication OSID Provider may support either or both sessions, and one or more credential formats. Methods also exist to support a challenge-response mechanism. Because the consumer carries the serialized credential between the two sessions, the validation side must treat what arrives as untrusted input: check the format Type it claims, parse it defensively, and establish identity only from a successful validation.
In the Authorization OSID, Authorizations may be managed for a set of Agents related to a Resource. The set of Agents may be filtered based on the level of confidence in the authentication mechanism. A Trust is a category of Agents produced from an authentication mechanism that represents a level of confidence on which to specify an Authorization.

Trusts are not explicitly managed in the Authentication Process OSID. They serve to facilitate the orchestration between an Authentication OSID Provider and an Authorization OSID Provider. An Authorization OSID Provider may query the CircleOfTrustSession to determine if an Agent it has received belongs to a Trust specified in one of its Authorizations. Since any validated Agent can be presented to the Authorization OSID Provider, this Trust check is what keeps a lower-assurance login from reaching a function that was granted only to a higher-assurance one.

For example, an Authorization may be created by specifying a Resource. The Resource may be an individual person or a group of employees. While employees might be authorized to read their company email using their GMail account, requisitions in the ERP system must be made using the company authentication system, and perhaps even a specific type of credential. An Authorization can be created for a set of employees but restricted to a Trust, where the Trust represents any Agent related to the set of employees that has authenticated in the desired fashion.

The multiplicity of Agents per Resource, as well as the alignment with an Authorization OSID Provider, is a consideration in the design of an Authentication OSID Provider. An Agent does not only identify the authentication principal as a singular entity; it may also convey something about the authentication style that was used, on which an Authorization can then be conditioned.
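The Trust-restricted Authorization described above, as an added example written for this page in Python. It is a model of the orchestration between an Authorization provider and a circle-of-trust lookup, not the OSID Java interfaces: the Trust names, the agent and group identifiers, the `CircleOfTrust` class standing in for CircleOfTrustSession and the `build_example_provider` helper are all assumptions constructed here for illustration.

```python
# Added example (Python model, not the OSID Java API): an Authorization
# provider that restricts a grant to Agents belonging to a given Trust.
# One Resource (a person) has several Agents, one per authentication
# mechanism; the Trust check decides which of them may exercise a function.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Trust:
    """A category of Agents produced by one authentication mechanism."""
    trust_id: str


@dataclass(frozen=True)
class Agent:
    """An authenticated principal; one Resource may have several Agents."""
    agent_id: str
    resource_id: str     # the person this agent identifies


@dataclass(frozen=True)
class Authorization:
    """Grant of function_id to a Resource (person or group), optionally
    restricted to Agents that belong to required_trust."""
    resource_id: str
    function_id: str
    required_trust: Optional[Trust] = None   # None: any authenticated Agent


class CircleOfTrust:
    """Stand-in for CircleOfTrustSession: which Trusts an Agent belongs to."""

    def __init__(self, memberships: Dict[str, Set[str]]):
        self._memberships = memberships      # agent_id -> trust ids

    def is_agent_in_trust(self, agent: Agent, trust: Trust) -> bool:
        return trust.trust_id in self._memberships.get(agent.agent_id, set())


class AuthorizationProvider:
    def __init__(self, authorizations: Iterable[Authorization],
                 circle: CircleOfTrust, groups: Dict[str, Set[str]]):
        self._authorizations = list(authorizations)
        self._circle = circle
        self._groups = groups                # group resource id -> member ids

    def _resources_for(self, agent: Agent) -> Set[str]:
        # The Resources an agent can claim: the person plus every group
        # containing that person.
        resources = {agent.resource_id}
        resources.update(g for g, members in self._groups.items()
                         if agent.resource_id in members)
        return resources

    def is_authorized(self, agent: Agent, function_id: str) -> bool:
        resources = self._resources_for(agent)
        for az in self._authorizations:
            if az.function_id != function_id or az.resource_id not in resources:
                continue
            if az.required_trust is None:
                return True
            if self._circle.is_agent_in_trust(agent, az.required_trust):
                return True
        # Default deny: no grant matched, or every matching grant demanded a
        # Trust that this agent's authentication mechanism does not confer.
        return False


# Constructed example: a GMail login is fine for reading company email, but
# ERP requisitions demand an Agent produced by the company Kerberos realm.
GOOGLE = Trust("google-oauth")
CORP_KRB5 = Trust("corp-kerberos")


def build_example_provider() -> AuthorizationProvider:
    circle = CircleOfTrust({
        "alice@gmail.com": {GOOGLE.trust_id},
        "alice@OSID.ORG": {CORP_KRB5.trust_id},
        "bob@gmail.com": {GOOGLE.trust_id},
    })
    authorizations = [
        Authorization("employees", "email.read"),                       # any Trust
        Authorization("employees", "erp.requisition.create", CORP_KRB5),
    ]
    return AuthorizationProvider(authorizations, circle,
                                 groups={"employees": {"alice", "bob"}})


if __name__ == "__main__":
    provider = build_example_provider()
    for agent in (Agent("alice@gmail.com", "alice"), Agent("alice@OSID.ORG", "alice")):
        print(agent.agent_id,
              provider.is_authorized(agent, "email.read"),
              provider.is_authorized(agent, "erp.requisition.create"))
```

The point the model makes concrete is that the Trust is evaluated against the Agent that actually authenticated, not against the person behind it: both of Alice's Agents resolve to the same Resource and therefore to the same group grant, but only the Kerberos-produced Agent passes the Trust restriction on the requisition function.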
Client side authentication:

    if (manager.supportsAuthenticationAcquisition()
            && manager.supportsAcquisitionInputType(krb5ServiceType)
            && manager.supportsCredentialType(serialKRB5Type)) {
        AuthenticationAcquisitionSession aas = manager.getAuthenticationAcquisitionSession();

        // specify input parameters (interface extension)
        KRB5Service kService = new KRB5Service();
        kService.setName("host");
        kService.setInstance("server.osid.org");
        kService.setRealm("OSID.ORG");

        // get Credential (interface type)
        Authentication auth = aas.getAuthentication(kService, krb5ServiceType);
        SerializedKRB5Ticket ticket = (SerializedKRB5Ticket) auth.getCredential(serialKRB5Type);
        send_data_to_peer(ticket); // app specific protocol
    }

Server side authentication:

    if (manager.supportsAuthenticationValidation()
            && manager.supportsCredentialType(serialSAML2Type)) {
        AuthenticationValidationSession avs = manager.getAuthenticationValidationSession();

        // saml2Token holds the credential bytes received from the peer
        // over the app specific protocol; validate through the session
        Authentication auth = avs.authenticate(saml2Token, serialSAML2Type);
        if (auth.isValid()) {
            Agent agent = auth.getAgent(); // identity established
        }
    }
Copyright © 2002-2004, 2007-2009 Massachusetts Institute of Technology. All Rights Reserved.
This Work is being provided by the copyright holder(s) subject to the following license. By obtaining, using and/or copying this Work, you agree that you have read, understand, and will comply with the following terms and conditions.
Permission to use, copy and distribute unmodified versions of this Work, for any purpose, without fee or royalty is hereby granted, provided that you include the above copyright notices and the terms of this license on ALL copies of the Work or portions thereof.
You may modify or create Derivatives of this Work only for your internal purposes. You shall not distribute or transfer any such Derivative of this Work to any location or to any third party. For the purposes of this license, "Derivative" shall mean any derivative of the Work as defined in the United States Copyright Act of 1976, such as a translation or modification.
This Work and the information contained herein is provided on an "AS IS" basis WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS IN THE WORK.
The export of software employing encryption technology may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting this Work.