OSID — Authentication Process Entities

Authentication Process

The Authentication Process OSID conducts an authentication process.

Authentication Process

The Authentication OSID helps an OSID Consumer acquire and validate authentication credentials without having to manage the details of a particular authentication environment. Authentication is generally a two step process. A user wishing to authenticate acquires a set of credentials and transports those credentials to a remote peer. The remote peer then validates those credentials and determines the identity of the user represented. This process is reflected in the Authentication OSID with the definition of two OSID sessions:

AuthenticationAcquisitionSession: A session to acquire credentials from a user and serialize them for transport to a remote peer for authentication.
AuthenticationValidationSession: A session to receive and validate authentication credentials from a remote peer wishing to authenticate.

The transport of authentication credentials is the responsibility of the consumer of the Authentication OSID as authentication generally supports an existing application protocol enviornment. Methods exist to extract and supply credentials at each end. An Authentication OSID Provider may support either or both sessions, and one or more credential formats. Methods also exist to support a challenge-response mechanism.

Circle of Trust

In the Authorization OSID, Authorizations may be managed for a set of Agents related to a Resource. The set of Agents may be filtered based on the level of confidence upon the authentication mechanism. A Trust is a category of Agents produced from an authentication mechanism that represent a level of confidence on which to specify an Authorization.

Trusts are not explicitly managed in the Authentication Process OSID. They serve to facilitate the orchestration between an Authentication OSID Provider and an Authorization OSID Provider. An Authorization OSID Provider may query the CircleOfTrustSession to determine if an Agent it has received belongs to a Trust specified in one of its Authorizations.

For example, an Authorization may be created by specifying a Resource. The Resource may be an individual person or a group of employees. While employees might be authorized to read their company email using their GMail account, requisitions in the ERP system must be made using the company authentication system and even perhaps a specific specific type of credential. An Authorization can be created for a set of employees based but restricted to a Trust where the Trust represents any Agent related to the set of employees that have authenticated in the desired fashion.

The multiplicity of Agents per Resource as aell as the alignment with an Authorization OSID Provider is a consideration in the design of an Authentication OSID Provider. It does only identify the authentication principal as a singular entity, but may also represent something about the authentication style that is used to perform an authorization.

Examples

Client side authentication:

if (manager.supportsAuthenticationAcquisition() &&
    manager.supportsAcquisitionInputType(krb5ServiceType) &&
    manager.supportsCredentialType(serialKRB5Type)) {
    AuthenticationAcquisitionSession aas = manager.getAuthenticationAcquisitionSession();

    // specify input parameters (interface extension)
    KRB5Service kService = new KRB5Service();
    kService.setName("host");
    kService.setInstance("server.osid.org");
    kService.setRealm("OSID.ORG");

    // get Credential (interface type)
    Authentication auth = aas.getAuthentication(kService, krb5ServiceType);
    SerializedKRB5Ticket ticket = (SerializedKRB5Ticket)        auth.getCredential(serialKRB5Type);
    send_data_to_peer(ticket); // app specific protocol
}

Server side authentication:

if (manager.supportsAuthenticationValidation() &&
    manager.supportsCredentialType(serialSAML2Type)) {
    AuthenticationValidationSession avs = manager.getAuthenticationValidationSession();

    Authentication auth = authenticate(SAML2Token, serialSAML2Type);

    if (auth.isValid()) {
        Agent agent = auth.getAgent(); // identity established
    }
}

Authentication

Osid Object

Authentication represents an authentication credential which contains set of bytes and a format Type. Once an Authentication is created from the AuthenticationValidationSession, the credential data can be extracted and sent to the remote peer for validation. The remote peer gets another Authentication object as a result of validating the serialized credential data.

An Authentication may or may not be valid. isValid() should be checked before acting upon the Agent identity to which the credential is mapped.

Inherited elements

Name	Syntax	Many	Description
Identifiable
`id`	id		the `Id`
Extensible
`recordTypes`	type	⋆	the record types available
Browsable
`properties`	Property	⋆	a list of properties
OsidObject
`displayName`	displaytext		the display name
`description`	displaytext		the description
`genusType`	type		the genus type of this object

Name	Syntax	Description
`agentId`	id	the `Agent Id`
`agent`	Agent	the `Agent`
`isValid`	boolean	`true` if this authentication credential is valid, `false` otherwise
`hasExpiration`	boolean	`true` if this authentication has an expiration, `false` otherwise
`expiration`	timestamp	the expiration date of this authentication credential
`hasCredential`	boolean	`true` if this authentication has a credential, `false` otherwise

Challenge

Osid Object

The challenge data.

Inherited elements

Name	Syntax	Many	Description
Identifiable
`id`	id		the `Id`
Extensible
`recordTypes`	type	⋆	the record types available
Browsable
`properties`	Property	⋆	a list of properties
OsidObject
`displayName`	displaytext		the display name
`description`	displaytext		the description
`genusType`	type		the genus type of this object

Trust

Osid Object

Trust represents the level of confidence in an authentication. An Authentication OSID Provider may issue different Agents based on the authentication mechanism. Trust is a grouping of Agent "types" that can be inferred as equivalent from an authorization point of view.

The relationship among Agents and Trust is not explicity managed but understood by an Authentication OSID Provider when orchestration to an Authorization OSID Provider is desired.

Inherited elements

Name	Syntax	Many	Description
Identifiable
`id`	id		the `Id`
Extensible
`recordTypes`	type	⋆	the record types available
Browsable
`properties`	Property	⋆	a list of properties
OsidObject
`displayName`	displaytext		the display name
`description`	displaytext		the description
`genusType`	type		the genus type of this object