Security Model/Architecture
Identifiers
There are four identifiers associated with a user:
- the user's login name - what the user types into the login page, along with their password (step 1 above).
- the user's authentication-id - the id returned by the login service when it validates a ticket (step 3 above).
- the user's internal (Ambra) id - the id used to identify a user's account in Ambra.
- the user's display name - displayed on web-pages wherever a reference to a user is made.
A given user may have multiple login names and authentication-ids (for example if they have accounts with multiple login services); however, they will only have a single internal Ambra id and display name (two different internal ids are considered two different users).
While the user only sees the login and display names (1 and 4), the Ambra software only deals with the authentication-id and internal id (2 and 3).
When a user logs in they provide their login name. Next, when the user's ticket is verified, the login service returns the user's authentication-id, i.e. the login service maps login names to authentication-ids. The authentication-id may be the same as the user's login name (often the case), but need not be - this lets the login service allow a user to change their login name without any notification to, or update of, the Ambra accounts. This is useful, for example, when the user's email address is used as the login name.
After the authentication-id has been retrieved, it is mapped to the user's internal id (this functionality is provided by the UserAccountsInterceptor). This second mapping supports multiple login services and easy mobility among them; any number of authentication-ids may be mapped to a single internal id.
Additional Functions
The presumably common case is for a user's login name to be their email address, and in most cases the login service will verify that email address during registration. To avoid the user having to enter their email address a second time when setting up the Ambra account, and having to go through email address verification a second time, the login service may provide a mechanism to retrieve the user's login name. In the case where the authentication-id is the same as the login name, this is of course not needed.
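The two-stage mapping described in the Identifiers section (login name to authentication-id at the login service, authentication-id to internal id on the Ambra side), together with the optional login-name lookup from Additional Functions, as an added illustration. This is not Ambra code and not the real UserAccountsInterceptor or CAS; LoginService, UserAccounts, resolve_internal_id and the sample accounts are constructed stand-ins. It shows why Ambra keys its accounts on the authentication-id: a login-name change at the login service leaves the Ambra account untouched, a replayed ticket fails, and an authentication-id with no Ambra account resolves to nothing rather than to someone else's account.

```python
import secrets
from dataclasses import dataclass, field


class LoginService:
    """Constructed stand-in for the external login service (CAS-like).
    It owns login names and passwords, issues single-use tickets, and maps
    each login name to a stable authentication-id."""

    def __init__(self):
        self._accounts = {}  # login name -> (password, authentication-id)
        self._tickets = {}   # ticket -> authentication-id (single use)

    def register(self, login_name, password, auth_id=None):
        # Common case: the authentication-id equals the login name.
        self._accounts[login_name] = (password, auth_id or login_name)

    def login(self, login_name, password):
        """Step 1: user submits login name and password; a ticket is issued."""
        entry = self._accounts.get(login_name)
        if entry is None or not secrets.compare_digest(entry[0], password):
            return None
        ticket = "ST-" + secrets.token_hex(8)
        self._tickets[ticket] = entry[1]
        return ticket

    def validate(self, ticket):
        """Step 3: validate the ticket and return the authentication-id.
        pop() makes the ticket single-use, so a replay returns None."""
        return self._tickets.pop(ticket, None)

    def rename(self, old_login, new_login):
        """User changes their login name; the authentication-id is unchanged."""
        self._accounts[new_login] = self._accounts.pop(old_login)

    def login_name_for(self, auth_id):
        """Optional lookup from 'Additional Functions': recover the current
        login name (e.g. verified email) for an authentication-id."""
        for name, (_, aid) in self._accounts.items():
            if aid == auth_id:
                return name
        return None


@dataclass
class UserAccount:
    internal_id: int
    display_name: str
    auth_ids: set = field(default_factory=set)


class UserAccounts:
    """Ambra-side mapping authentication-id -> internal id (the role the page
    assigns to UserAccountsInterceptor; constructed stand-in)."""

    def __init__(self):
        self._by_auth_id = {}
        self._accounts = {}
        self._next_id = 1

    def create(self, auth_id, display_name):
        """Create a new internal account; a new internal id is a new user."""
        acct = UserAccount(self._next_id, display_name, {auth_id})
        self._next_id += 1
        self._accounts[acct.internal_id] = acct
        self._by_auth_id[auth_id] = acct.internal_id
        return acct.internal_id

    def link(self, auth_id, internal_id):
        """Attach another authentication-id (e.g. a second login service)
        to an existing internal id. Refuses to steal an id already linked."""
        if auth_id in self._by_auth_id or internal_id not in self._accounts:
            return False
        self._by_auth_id[auth_id] = internal_id
        self._accounts[internal_id].auth_ids.add(auth_id)
        return True

    def internal_id_for(self, auth_id):
        return self._by_auth_id.get(auth_id)


def resolve_internal_id(login_service, accounts, ticket):
    """Ticket -> authentication-id -> internal id. None means either an
    invalid/replayed ticket or a user who has no Ambra account yet."""
    auth_id = login_service.validate(ticket)
    if auth_id is None:
        return None
    return accounts.internal_id_for(auth_id)


if __name__ == "__main__":
    svc, accts = LoginService(), UserAccounts()
    svc.register("alice@example.org", "pw")               # constructed sample
    uid = accts.create("alice@example.org", "Alice")
    svc.rename("alice@example.org", "alice@new.example")   # no Ambra update
    ticket = svc.login("alice@new.example", "pw")
    print(resolve_internal_id(svc, accts, ticket) == uid)  # True
```

The lookup table on the Ambra side never contains login names: if it did, a login name that the login service later reassigns to a different person would silently inherit the old user's account. Keying on the authentication-id, and refusing to re-link an authentication-id that is already attached to another internal id, is what keeps two internal ids two distinct users.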
Attachments
- PLoS-CAS.png (101.5 kB) - added by pradeep on 05/04/06 17:39:51.
- PLoS-CAS.dia (4.6 kB) - Authentication Model (Dia source), added by pradeep on 05/04/06 18:00:17.
- CAS-Proxy-Authentication.png (50.8 kB) - CAS Proxy Authentication, added by pradeep on 05/11/06 13:07:44.
- CAS-Proxy-Authentication.dia (2.7 kB) - CAS Proxy Authentication, added by pradeep on 05/11/06 13:11:25.
- Ambra-CAS.png (32.7 kB) - Update the description for (3) to mention authentication-id, added by pradeep on 10/03/08 17:48:40.
- Ambra-CAS.dia (2.2 kB) - Updated dia source, added by pradeep on 10/03/08 17:51:41.