Authentication

The WebSSO uses an authentication manager that in turn uses one or more authentication methods to allow users to authenticate. Since most of the authentication methods require user interaction, the manager maintains the state the user is in during the authentication process, so that it can direct the user to the right method. The figure below illustrates the position of the authentication phase in the complete authentication process.

Methods

An authentication method forms the interface between the WebSSO and the authentication backend. The function and behavior of each method can vary greatly, but knowing the properties of each method is essential when compiling an authentication profile. Four properties should always be taken into account when forming the authentication profile:

  • Delegated (remote) authentication - Authentication methods do not necessarily have to access a local backend. Delegated authentication (or 'remote' authentication in A-Select vocabulary), which allows the user to authenticate at a different identity provider, is also possible. Of course, when a delegating method is chosen, the IdP that is delegated to is responsible for the chosen form of authentication, so none of the properties below apply in that case;
  • Identification - Methods may or may not require a user identifier (user name). The first method in an authentication profile should always be an identifying method, so the user can enter her identifier;
  • User interaction - Most of the methods require user interaction, for instance to allow a user to enter her user name and password. However, some methods can authenticate a user using attributes that are sent together with the initial request to the method, thereby requiring no further user interaction (e.g. PKI authentication). This property influences the user experience of the authentication profile;
  • Password involved - Methods that verify a user password share a common component that holds the actual backend communication module. Configuring such a method is slightly different from configuring a method that does not use the shared password authentication functionality.

Flow

Authentication flow is described in the figure below.

The first step of the authentication process is to verify the current status of the user. The SSO session, represented by a Ticket Granting Ticket (TGT) that the user sends as a cookie, is checked. If the user has an SSO session and it contains proof that at least the methods of the requested authentication profile have already been executed, the user is sent through to the next phase immediately. If no TGT is found or it is not sufficient, the user is sent to the authentication methods.

Each method has three possible outcomes, which the WebSSO uses to determine the next step. If the authentication method completed successfully, the next method (if present) is executed. If authentication fails, the user is notified with an error message; the error message can be displayed either by the WebSSO or by the relying party that initiated the authentication session. The third possible outcome is 'authentication in progress', indicating that the method could not yet authenticate the user because not all necessary information was available. In that case the method returns a reference to a user interaction screen, which the WebSSO uses to let the user enter the missing information. After the user interaction step has taken place, the newly gathered information is sent back to the method so that it can verify the authentication status.
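The flow described above, as an added illustration in Python (this is example code, not code from the OpenASelect project, which is written in Java): a small authentication manager first checks whether a TGT proves that the profile's methods have already run, and otherwise executes the profile's methods in order, handing control back to the user on 'in progress' and stopping on 'failed'. The method names, the Session and TGT structures, the screen references and the credential store are constructed for this example and are not OpenASelect's own.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Outcome(Enum):
    SUCCESS = "success"          # method done; run the next one (if any)
    FAILED = "failed"            # stop; an error message is shown to the user
    IN_PROGRESS = "in_progress"  # more input needed; show the referenced screen


@dataclass
class MethodResult:
    outcome: Outcome
    user_id: Optional[str] = None   # set by an identifying method on success
    screen: Optional[str] = None    # user interaction screen to show (IN_PROGRESS)
    error: Optional[str] = None     # message for the user (FAILED)


@dataclass
class TGT:
    """SSO session cookie contents (constructed): who the user is and which
    methods have already been executed for this session."""
    user_id: str
    completed_methods: Set[str]


@dataclass
class Session:
    """Per-request authentication state kept by the manager (constructed)."""
    profile: List[str]                                  # ordered method names
    attributes: Dict[str, str] = field(default_factory=dict)
    position: int = 0                                   # next method to execute
    user_id: Optional[str] = None
    completed: Set[str] = field(default_factory=set)


Method = Callable[[Session], MethodResult]

# Constructed credential store for the hypothetical "password" method below.
PASSWORDS = {"alice": "correct horse battery staple"}


def identifying_method(session: Session) -> MethodResult:
    """Identifying method: only collects the user identifier."""
    uid = session.attributes.get("user_id")
    if not uid:
        return MethodResult(Outcome.IN_PROGRESS, screen="enter_user_id")
    return MethodResult(Outcome.SUCCESS, user_id=uid)


def password_method(session: Session) -> MethodResult:
    """Password method: needs the identifier from an earlier method plus a password."""
    pw = session.attributes.get("password")
    if pw is None:
        return MethodResult(Outcome.IN_PROGRESS, screen="enter_password")
    expected = PASSWORDS.get(session.user_id or "", "")
    # constant-time comparison so a wrong guess does not leak the prefix length
    if not hmac.compare_digest(pw.encode(), expected.encode()):
        return MethodResult(Outcome.FAILED, error="invalid credentials")
    return MethodResult(Outcome.SUCCESS)


METHODS: Dict[str, Method] = {
    "identifying": identifying_method,
    "password": password_method,
}


def tgt_satisfies(tgt: Optional[TGT], profile: List[str]) -> bool:
    """True if the SSO session proves at least the profile's methods were executed."""
    return tgt is not None and set(profile) <= tgt.completed_methods


class AuthenticationManager:
    def __init__(self, methods: Dict[str, Method]):
        self.methods = methods

    def start(self, profile: List[str], tgt: Optional[TGT] = None) -> Session:
        """Step one of the flow: check the TGT before running any method."""
        session = Session(profile=list(profile))
        if tgt_satisfies(tgt, profile):
            session.user_id = tgt.user_id          # sufficient SSO session: skip all methods
            session.completed = set(profile)
            session.position = len(profile)
        return session

    def step(self, session: Session, new_attributes: Dict[str, str]) -> MethodResult:
        """Feed newly gathered input and run methods until one needs the user."""
        session.attributes.update(new_attributes)
        while session.position < len(session.profile):
            name = session.profile[session.position]
            result = self.methods[name](session)
            if result.outcome is Outcome.IN_PROGRESS:
                return result                      # WebSSO renders result.screen
            if result.outcome is Outcome.FAILED:
                return result                      # WebSSO or relying party shows the error
            if result.user_id:
                session.user_id = result.user_id
            session.completed.add(name)
            session.position += 1
        # every method of the profile has succeeded: proceed to the next phase
        return MethodResult(Outcome.SUCCESS, user_id=session.user_id)
```

A session that returned FAILED should be discarded rather than stepped again, since the rejected input stays in its attributes; a session that returned SUCCESS carries the set of completed methods from which a TGT can be issued.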

Example authentication methods

The OpenASelect package includes some of these authentication methods. Other methods will be available in the future.

Guest authentication

The most basic authentication method is the guest method. This method automatically assigns a configurable, collective user name (guest account) to all users that sign in. It can be used in combination with the IP pre-authorization method, to assign a collective UID to be used for a certain range of IP addresses. This method is also used for testing purposes, as it automatically assigns a user name to the authentication session. This method is part of the OpenASelect package.

Identifying

The identifying authentication method does not really authenticate, but allows the user to enter her user identifier. This method is used as the first method in a chain or for testing purposes. This method is part of the OpenASelect package.

JDBC

A Password method that allows a relational database, accessible via JDBC, to be used for authentication. The user name and password can be retrieved from the database in plain text or hashed form, so the method is useful when an existing backend is already present. This method is part of the OpenASelect package.

JNDI

The JNDI method is a Password method that allows verification by an LDAP backend. This method is part of the OpenASelect package.

RADIUS

The Remote Authentication Dial In User Service (RADIUS) method allows authentication by a RADIUS backend.

PKI

The PKI method authenticates the user by verifying certificates sent by the browser.

Remote A-Select

The remote A-Select method allows authentication to be delegated to another A-Select 1.5 or OpenASelect server. This method can be used in Federated Authentication. This method is part of the OpenASelect package.

DigiD

OpenASelect can be used to utilize the DigiD system for authentication. This is a common use of the A-Select 1.5 system.

Authentication method overview

An overview of the aforementioned properties for the standard authentication methods (a dash means the property does not apply, because authentication is delegated to the remote IdP):

Method           Remote  Identifying  User interaction  Password related
Guest            No      No           No                No
Identifying      No      Yes          Yes               No
JDBC             No      Yes          Yes               Yes
JNDI             No      Yes          Yes               Yes
RADIUS           No      Yes          Yes               Yes
PKI              No      Yes          No                No
Remote A-Select  Yes     -            -                 -
DigiD            Yes     -            -                 -
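As an added example (not part of the OpenASelect package), the following Python transcribes the overview table into a small profile checker that applies the property rules from the Methods section: it flags a profile whose first method is not identifying, and it derives whether a profile needs user interaction, involves the shared password component, or delegates to a remote IdP. The names check_profile and profile_summary, and the treatment of a delegating first method as acceptable (the remote IdP is responsible for identifying the user), are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MethodProperties:
    remote: bool                              # delegated to another identity provider
    identifying: Optional[bool] = None        # None: not applicable (remote method)
    user_interaction: Optional[bool] = None
    password_related: Optional[bool] = None


# Transcription of the overview table above; a dash in the table becomes None.
STANDARD_METHODS: Dict[str, MethodProperties] = {
    "Guest":           MethodProperties(False, False, False, False),
    "Identifying":     MethodProperties(False, True,  True,  False),
    "JDBC":            MethodProperties(False, True,  True,  True),
    "JNDI":            MethodProperties(False, True,  True,  True),
    "RADIUS":          MethodProperties(False, True,  True,  True),
    "PKI":             MethodProperties(False, True,  False, False),
    "Remote A-Select": MethodProperties(True),
    "DigiD":           MethodProperties(True),
}


def check_profile(profile: List[str],
                  table: Dict[str, MethodProperties] = STANDARD_METHODS) -> List[str]:
    """Return the problems found in an ordered authentication profile ([] means OK)."""
    if not profile:
        return ["profile contains no methods"]
    unknown = [name for name in profile if name not in table]
    if unknown:
        return [f"unknown method: {name}" for name in unknown]
    problems: List[str] = []
    first = table[profile[0]]
    # The first method should let the user supply an identifier, unless that step
    # is delegated (assumption: the remote IdP then identifies the user).
    if not first.remote and not first.identifying:
        problems.append(f"first method {profile[0]!r} is not identifying")
    return problems


def profile_summary(profile: List[str],
                    table: Dict[str, MethodProperties] = STANDARD_METHODS) -> Dict[str, bool]:
    """Properties of the profile as a whole, derived from its methods."""
    props = [table[name] for name in profile]
    return {
        # at least one delegating method: a remote IdP is responsible for that step
        "delegated": any(p.remote for p in props),
        # the user will be shown at least one interaction screen
        "user_interaction": any(p.user_interaction for p in props),
        # the shared password component has to be configured for at least one method
        "password_related": any(p.password_related for p in props),
    }
```

A profile such as ["PKI"] is reported as valid and as needing no user interaction, which matches the table: the method identifies the user from the certificate presented with the initial request.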