The Authentication OSID manages authenticated entities.
Agent
The Authentication OSID defines an Agent to represent the identity of the
authenticated entity. An Agent may map to a specific authentication
principal, while some providers may elect to hide multiple authentication
principals behind a single Agent. Because principal identities tend not to
be durable and persistent, consumers should always persist the Agent Id
rather than the principal identity.
Resource Mapping
An Agent may be mapped to a Resource in the Resource OSID. A Resource may
map to multiple Agents, but an Agent may only map to a single Resource. In
the case of a person, that person may use a number of authentication
technologies, each with a different authentication identity. Decoupling the
authentication identity from the identity of the person provides a means of
integrating multiple services where different authentication identities
exist for the same person, which affects the handling of authorization.
Authorization
Authorization is a separate service. The Authorization OSID manages what
functions the Agent is authorized to perform and references the Agent Id.
The Authentication OSID is only responsible for identity management of the
Agent.
Each Agent of a Resource may be used to define a distinct security level of
assurance (although the paranoid may opt for defining a pseudo-resource for
each Agent). These levels of assurance can be linked to the Agent Type and
managed in the Authorization OSID. The Agent Type would then be an
indicator of authentication strength; although it may correlate to a
specific authentication technology, coupling it too tightly to a particular
technology may limit flexibility.
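The following is an added model of the relationships described in the
Resource Mapping and Authorization sections above. It is not OSID's own
API: the OSID names (Agent, Resource, Agent Type, Agent Id) are kept, but
the Directory and Authorizer classes, the ASSURANCE table keyed by Agent
Type, and the sample agents are constructed for this illustration. It
enforces that a Resource may own many Agents while an Agent maps to at most
one Resource, and it authorizes by Agent Id with a per-function minimum
assurance level derived from the Agent Type rather than from a particular
authentication technology.

```python
"""Model of Agent -> Resource mapping and assurance-level authorization.

Added example; not OSID code. Class names, the ASSURANCE table and the
sample data are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Assurance level per Agent Type (assumption: higher is stronger). Keys are
# technology-neutral type identifiers, so a provider can swap the underlying
# technology without rewriting authorization rules.
ASSURANCE = {
    "agent-type:password": 1,
    "agent-type:mfa": 2,
    "agent-type:hardware-key": 3,
}


@dataclass(frozen=True)
class Agent:
    id: str           # durable Agent Id; this is what consumers persist
    principal: str    # authentication principal; may change over time
    agent_type: str   # Agent Type, used as the assurance indicator


class Directory:
    """Holds Agents and the Agent -> Resource mapping.

    A Resource may own many Agents, but an Agent maps to at most one Resource.
    """

    def __init__(self):
        self.agents = {}        # agent id -> Agent
        self.resource_of = {}   # agent id -> resource id
        self.agents_of = {}     # resource id -> set of agent ids

    def add_agent(self, agent):
        if agent.id in self.agents:
            raise ValueError(f"duplicate agent id {agent.id}")
        if agent.agent_type not in ASSURANCE:
            raise ValueError(f"unknown agent type {agent.agent_type}")
        self.agents[agent.id] = agent

    def map_agent(self, agent_id, resource_id):
        if agent_id not in self.agents:
            raise KeyError(agent_id)
        existing = self.resource_of.get(agent_id)
        if existing is not None and existing != resource_id:
            # Enforces the one-Resource-per-Agent rule.
            raise ValueError(f"agent {agent_id} already mapped to {existing}")
        self.resource_of[agent_id] = resource_id
        self.agents_of.setdefault(resource_id, set()).add(agent_id)

    def resource_for(self, agent_id):
        return self.resource_of.get(agent_id)

    def agents_for(self, resource_id):
        return frozenset(self.agents_of.get(resource_id, ()))

    def assurance(self, agent_id):
        return ASSURANCE[self.agents[agent_id].agent_type]


class Authorizer:
    """Authorization kept separate from identity management.

    Grants are keyed by the Resource and function; the check resolves the
    Agent Id to its Resource and requires the Agent's assurance level to meet
    the function's minimum.
    """

    def __init__(self, directory):
        self.directory = directory
        self.grants = {}  # (resource id, function id) -> minimum assurance

    def grant(self, resource_id, function_id, min_assurance):
        self.grants[(resource_id, function_id)] = min_assurance

    def is_authorized(self, agent_id, function_id):
        d = self.directory
        if agent_id not in d.agents:
            return False
        resource_id = d.resource_for(agent_id)
        if resource_id is None:
            return False
        required = self.grants.get((resource_id, function_id))
        if required is None:
            return False
        return d.assurance(agent_id) >= required


def demo():
    """Constructed sample: one person with a password Agent and a hardware-key Agent."""
    d = Directory()
    d.add_agent(Agent("agent:alice-pw", "alice@example.org", "agent-type:password"))
    d.add_agent(Agent("agent:alice-hw", "urn:fido:abc123", "agent-type:hardware-key"))
    d.map_agent("agent:alice-pw", "resource:alice")
    d.map_agent("agent:alice-hw", "resource:alice")
    a = Authorizer(d)
    a.grant("resource:alice", "function:read-grades", 1)
    a.grant("resource:alice", "function:change-grades", 3)
    return {
        "read_pw": a.is_authorized("agent:alice-pw", "function:read-grades"),
        "change_pw": a.is_authorized("agent:alice-pw", "function:change-grades"),
        "change_hw": a.is_authorized("agent:alice-hw", "function:change-grades"),
    }


if __name__ == "__main__":
    print(demo())
```

Both of Alice's Agents resolve to the same Resource, so low-risk functions
are available from either, while the function requiring the higher assurance
level succeeds only from the hardware-key Agent. Revoking the password Agent
would not touch the Resource or its other Agents.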
Certain consumers may wish to be notified of changes
within the service. Authentication supports notifications
via an AgentNotificationSession.
// The receiver is declared before it is handed to the session.
AgentReceiver receiver = new AgentReceiver() {
    public void newAgent(Id agentId) { print("new agent"); }
    public void changedAgent(Id agentId) { print("updated agent"); }
    public void deletedAgent(Id agentId) { print("deleted agent"); }
};

if (manager.supportsAgentNotification()) {
    AgentNotificationSession ans = manager.getAgentNotificationSession(receiver);
    ans.registerForNewAgents();
    // Register separately for the other events the receiver handles.
    ans.registerForChangedAgents();
    ans.registerForDeletedAgents();
    hangAround();
}
Agency Cataloging
Agents are organized into federateable
Agency OsidCatalogs.
Sub Packages
The Authentication OSID includes an Authentication Key OSID for managing
private keys associated with an Agent and an Authentication Process OSID for
acquiring and validating authentication credentials. It also includes an
Authentication Batch OSID for managing Agents and Agencies in bulk.