Friday, April 27, 2012

What Is Authentication? Understanding Claims-Based Authentication

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten.

 
For this reason, Internet business and many other transactions require a more stringent authentication process. The use of digital certificates issued and verified by a Certificate Authority (CA) as part of a public key infrastructure is considered likely to become the standard way to perform authentication on the Internet.
Logically, authentication precedes authorization (although they may often seem to be combined).

In the Microsoft world, authentication is usually performed by Active Directory. I claim to be Sushant, and I prove this to Active Directory by providing my password. Other systems don’t trust me; they trust Active Directory. Active Directory gives those systems a bit of data that says “yes, I personally know this guy. He is really Sushant.”

Now, if everyone used the same Active Directory installation in the same environment, then that’s all we would need. Claims based authentication is not needed in a simple environment like that.
But in the real world, things are different. We face three big challenges:
  • Privacy regulations and other pieces of legislation are impacting what kind of information we are allowed to capture and store about users, so in some cases we can’t just demand that people give us all of their personal details.
  • Businesses want to interoperate with other businesses, and government organisations want to provide more integrated services to citizens. However, different organisations use different authentication systems (not everyone uses Active Directory, and even when they do, they have different instances), and businesses want to integrate in a secure, legally compliant manner.
Claims based authentication is designed to address the two challenges mentioned above.
Claims based authentication addresses privacy and other compliance concerns by requesting less specific, less personal information about people, and by trusting other parties or systems to do the “proof of identity” check.
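
The trust relationship described above, as an added example that is not from the original post: an issuer checks the password once and hands out a signed token carrying only a minimal claim, and the relying party decides from that claim without ever seeing the password or the birth date. The issuer URL, key, user record, audience names and the `over_18` claim are constructed for illustration, and HMAC with a shared key stands in for the certificate-based signature a real issuer would use.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. HMAC with a shared key is a stdlib stand-in for the
# certificate-based signature a real issuer would use.
ISSUER = "https://sts.example.test"
ISSUER_KEY = b"constructed-demo-key"

def _pw_hash(pw, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Personal details live only at the issuer, never at the relying party.
USERS = {"sushant": {"pw_hash": _pw_hash("correct horse"), "birth_year": 1985}}

def _sign(payload: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest().encode()

def issue_token(user, password, audience, now=None):
    """Issuer: prove identity once, then emit only the claim that was asked for."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], _pw_hash(password)):
        raise PermissionError("authentication failed")
    claims = {"iss": ISSUER, "aud": audience, "exp": now + 300,
              # year-granularity age check, enough for the illustration
              "over_18": time.gmtime(now).tm_year - rec["birth_year"] >= 18}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + _sign(payload)).decode()

def accept_token(token, audience, trusted_issuers=(ISSUER,), now=None):
    """Relying party: trust the issuer's signature, not the user's word."""
    now = time.time() if now is None else now
    payload, _, sig = token.encode().partition(b".")
    if not hmac.compare_digest(_sign(payload), sig):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("iss") not in trusted_issuers:
        raise PermissionError("untrusted issuer")
    if claims.get("aud") != audience:
        raise PermissionError("token issued for another relying party")
    if claims.get("exp", 0) < now:
        raise PermissionError("token expired")
    return claims

if __name__ == "__main__":
    token = issue_token("sushant", "correct horse", "shop.example.test")
    print(accept_token(token, "shop.example.test"))
```

The audience and expiry checks matter as much as the signature: without them, a token issued for one relying party could be replayed at another or reused indefinitely.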
