OSID Specifications
authentication process package
Version 3.0.0
Release Candidate Preview
Title: Authentication Process Open Service Interface Definitions

The Authentication Process OSID conducts an authentication process.

Authentication Process

The Authentication OSID helps an OSID Consumer acquire and validate authentication credentials without having to manage the details of a particular authentication environment. Authentication is generally a two-step process. A user wishing to authenticate acquires a set of credentials and transports those credentials to a remote peer. The remote peer then validates those credentials and determines the identity of the user they represent. This process is reflected in the Authentication OSID with the definition of two OSID sessions:

  • AuthenticationAcquisitionSession: A session to acquire credentials from a user and serialize them for transport to a remote peer for authentication.
  • AuthenticationValidationSession: A session to receive and validate authentication credentials from a remote peer wishing to authenticate.

The transport of authentication credentials is the responsibility of the consumer of the Authentication OSID, as authentication generally supports an existing application protocol environment. Methods exist to extract and supply credentials at each end. An Authentication OSID Provider may support either or both sessions, and one or more credential formats. Methods also exist to support a challenge-response mechanism.

Circle of Trust

In the Authorization OSID, Authorizations may be managed for a set of Agents related to a Resource. The set of Agents may be filtered based on the level of confidence in the authentication mechanism. A Trust is a category of Agents produced from an authentication mechanism that represents a level of confidence on which to specify an Authorization.

Trusts are not explicitly managed in the Authentication Process OSID. They serve to facilitate the orchestration between an Authentication OSID Provider and an Authorization OSID Provider. An Authorization OSID Provider may query the CircleOfTrustSession to determine if an Agent it has received belongs to a Trust specified in one of its Authorizations.

For example, an Authorization may be created by specifying a Resource. The Resource may be an individual person or a group of employees. While employees might be authorized to read their company email using their GMail account, requisitions in the ERP system must be made using the company authentication system, and perhaps even a specific type of credential. An Authorization can be created for a set of employees but restricted to a Trust, where the Trust represents any Agent related to the set of employees that has authenticated in the desired fashion.

The multiplicity of Agents per Resource, as well as the alignment with an Authorization OSID Provider, is a consideration in the design of an Authentication OSID Provider. An Agent does not only identify the authentication principal as a singular entity, but may also represent something about the authentication style that is used to perform an authorization.


Client side authentication:

    // Check the provider's capabilities before asking for a session:
    // the acquisition session, the input type and the credential format
    // must all be supported.
    if (manager.supportsAuthenticationAcquisition() &&
        manager.supportsAcquisitionInputType(krb5ServiceType) &&
        manager.supportsCredentialType(serialKRB5Type)) {
        AuthenticationAcquisitionSession aas = manager.getAuthenticationAcquisitionSession();
        // specify input parameters (interface extension)
        KRB5Service kService = new KRB5Service();
        // get Credential (interface type)
        Authentication auth = aas.getAuthentication(kService, krb5ServiceType);
        SerializedKRB5Ticket ticket = (SerializedKRB5Ticket) auth.getCredential(serialKRB5Type);
        send_data_to_peer(ticket); // app specific protocol
    }

Server side authentication:

    // Only validate credential formats the provider declares support for.
    if (manager.supportsAuthenticationValidation() &&
        manager.supportsCredentialType(serialSAML2Type)) {
        AuthenticationValidationSession avs = manager.getAuthenticationValidationSession();
        // SAML2Token was received from the peer over the app specific protocol
        Authentication auth = avs.authenticate(SAML2Token, serialSAML2Type);
        if (auth.isValid()) {
            Agent agent = auth.getAgent(); // identity established
        }
    }
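The two snippets above show each half of the process in isolation. The following is an added, self-contained example (not code from the OSID specification or from any OSID Provider) that runs both halves end to end against one in-memory provider and then performs the Circle of Trust check described earlier: a capability check, credential acquisition on the client, serialization for transport, validation on the server, and finally a test of whether the validated Agent belongs to the Trust an Authorization requires. The classes `Type`, `Agent`, `Authentication` and `ToyAuthenticationProvider`, the credential type `opaque-token`, the Trust `trust:local-idp` and the method `isAgentInTrust` are all constructed stand-ins for this example; the real `org.osid.*` interfaces and the real CircleOfTrustSession method names differ.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Constructed stand-in for an OSID Type (not org.osid.type.Type).
final class Type {
    final String name;
    Type(String name) { this.name = name; }
    @Override public boolean equals(Object o) { return o instanceof Type && ((Type) o).name.equals(name); }
    @Override public int hashCode() { return name.hashCode(); }
}

// Constructed stand-in for an OSID Agent: the principal plus the Trust it was produced under.
final class Agent {
    final String id;
    final Type trust;
    Agent(String id, Type trust) { this.id = id; this.trust = trust; }
}

// Constructed stand-in for org.osid.authentication.process.Authentication.
interface Authentication {
    boolean isValid();
    Agent getAgent();
    Object getCredential(Type credentialType);
}

// One toy provider that supports both sessions and a single credential format.
final class ToyAuthenticationProvider {
    static final Type OPAQUE_TOKEN = new Type("opaque-token");    // constructed credential type
    static final Type LOCAL_IDP = new Type("trust:local-idp");    // constructed Trust category

    // Credentials this provider minted and can later validate (server-side state).
    private final Map<String, Agent> issued = new HashMap<>();

    boolean supportsCredentialType(Type t) { return OPAQUE_TOKEN.equals(t); }

    // Plays the role of AuthenticationAcquisitionSession.getAuthentication().
    Authentication acquire(String userId) {
        String token = UUID.randomUUID().toString();
        Agent agent = new Agent(userId, LOCAL_IDP);
        issued.put(token, agent);
        return result(true, agent, token);
    }

    // Plays the role of AuthenticationValidationSession.authenticate().
    Authentication validate(Object credential, Type credentialType) {
        // An unsupported format or unexpected object is never treated as an identity.
        if (!supportsCredentialType(credentialType) || !(credential instanceof String)) {
            return result(false, null, null);
        }
        Agent agent = issued.get((String) credential);
        return agent == null ? result(false, null, null) : result(true, agent, null);
    }

    // Plays the role of the CircleOfTrustSession query (method name is an assumption).
    boolean isAgentInTrust(Agent agent, Type trust) {
        return agent != null && trust.equals(agent.trust);
    }

    private static Authentication result(boolean valid, Agent agent, Object cred) {
        return new Authentication() {
            public boolean isValid() { return valid; }
            // Reading the Agent of a failed authentication is a programming error.
            public Agent getAgent() {
                if (!valid) throw new IllegalStateException("credential was not validated");
                return agent;
            }
            public Object getCredential(Type t) { return OPAQUE_TOKEN.equals(t) ? cred : null; }
        };
    }
}

public class AuthenticationProcessExample {
    public static void main(String[] args) {
        ToyAuthenticationProvider provider = new ToyAuthenticationProvider();

        // Client side: acquire a credential and serialize it for transport.
        Authentication clientAuth = provider.acquire("alice");
        Object wire = clientAuth.getCredential(ToyAuthenticationProvider.OPAQUE_TOKEN);
        // ... transport over the application's own protocol is the consumer's job ...

        // Server side: validate first, read the Agent only on success.
        Authentication serverAuth = provider.validate(wire, ToyAuthenticationProvider.OPAQUE_TOKEN);
        if (serverAuth.isValid()) {
            Agent agent = serverAuth.getAgent();
            // Authorization OSID Provider side: is this Agent inside the required Trust?
            boolean inTrust = provider.isAgentInTrust(agent, ToyAuthenticationProvider.LOCAL_IDP);
            System.out.println(agent.id + " authenticated; in required Trust: " + inTrust);
        }

        // A credential presented under a type the provider does not support is rejected
        // before its contents are examined at all.
        Authentication wrongType = provider.validate(wire, new Type("serial-krb5"));
        System.out.println("wrong credential type accepted? " + wrongType.isValid());
    }
}
```

Compile and run with `javac AuthenticationProcessExample.java && java AuthenticationProcessExample`. The point the toy makes concrete is the ordering the spec implies: the consumer checks `supportsCredentialType` and `isValid()` before ever calling `getAgent()`, and the Trust check is a separate question answered by the Authorization side from the Agent the Authentication side produced.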