What is the Identity Management and Authentication Service?

The Identity Management and Authentication Service implements the Identity Management and the Authentication interfaces. The main purpose of the Authentication Interface is to verify the identity of a real-world user or service (or rather their profiles) by evaluating a set of given credentials. The current specification of the Identity Management Interface supports username/password credentials, but other types of credentials are possible. The Identity Management Interface covers the management of identities (create, update, delete) and the assignment of credentials to particular identities. Common synonyms for the Identity Management Interface are Authentication Provider (AP) and Identity Provider (IP).

Upon successful authentication, the service issues a SAML Token (session information) which carries the properties of a default LDAP user profile and the ID(s) of the authenticated identities. This session token is valid for a defined period of time and can be used to perform actions that require authenticated identities, for example an access-controlled service request.

The Authentication Interface

The Authentication Interface supports the verification of a previously issued SAML Token. Each service that relies on session information should have an Authorisation Service, a security-enabled service, or a Policy Enforcement Service validate the session information before performing any security-related action. In our context the session information can be transported either as an additional operation parameter or, when using the SOAP protocol, transparently in the SOAP header.
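The login/verify cycle described above, as an added illustration that is not part of this specification or its reference implementation: `login` issues session information with a validity window and `verify_session_information` checks it before a relying service acts on it. The token format is a simplified model (a JSON assertion with an HMAC over it) standing in for a signed SAML assertion; the key, issuer URI and 600-second validity period are constructed values, and the credential check itself is assumed to have happened before `login` is called.

```python
import hashlib
import hmac
import json
import time

# Constructed signing key for the example only; a real Authentication Service
# would sign the SAML assertion with its own key pair rather than an HMAC.
SERVICE_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 600  # assumed validity period of a session token
ISSUER_URI = "https://ap.example.org/auth"  # hypothetical service instance URI


def _canonical(payload: dict) -> bytes:
    # Stable serialisation so that signer and verifier hash identical bytes
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


def login(identity_ids: list, profile: dict, key: bytes = SERVICE_KEY,
          now: float = None, ttl: int = TOKEN_TTL_SECONDS) -> dict:
    """Stand-in for the login operation, called once the credentials have been
    evaluated: issue session information carrying the default profile and the
    authenticated identity IDs, valid for `ttl` seconds from `now`."""
    issued = time.time() if now is None else now
    assertion = {
        "issuer": ISSUER_URI,
        "identities": list(identity_ids),
        "profile": profile,
        "not_before": issued,
        "not_on_or_after": issued + ttl,
    }
    return {"assertion": assertion, "signature": _sign(assertion, key)}


def verify_session_information(token: dict, key: bytes = SERVICE_KEY,
                               now: float = None) -> tuple:
    """Stand-in for verifySessionInformation: returns (ok, reason)."""
    if not isinstance(token, dict) or "assertion" not in token or "signature" not in token:
        return False, "malformed"
    assertion = token["assertion"]
    expected = _sign(assertion, key)
    # Constant-time comparison so the signature check does not leak timing
    if not hmac.compare_digest(expected, str(token["signature"])):
        return False, "bad-signature"
    current = time.time() if now is None else now
    if current < assertion["not_before"]:
        return False, "not-yet-valid"
    if current >= assertion["not_on_or_after"]:
        return False, "expired"
    return True, "ok"


def access_controlled_request(token: dict, resource: str, now: float = None) -> str:
    """A relying, security-enabled service: validate the session information
    before performing any security-relevant action on `resource`."""
    ok, reason = verify_session_information(token, now=now)
    if not ok:
        return f"denied: {reason}"
    ids = ", ".join(token["assertion"]["identities"])
    return f"granted: {resource} for {ids}"


if __name__ == "__main__":
    token = login(["https://ap.example.org/auth#alice"], {"cn": "alice"}, now=1000.0)
    print(access_controlled_request(token, "/maps/restricted", now=1100.0))
    print(access_controlled_request(token, "/maps/restricted", now=2000.0))
```

The relying service never inspects the identity list before the signature and validity window have been checked; a token whose assertion was altered after issuance fails with `bad-signature`, and one presented after its validity period fails with `expired`.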

The Identity Management Interface

Identities are managed in instances of the Identity Management Interface and are uniquely identified by an ID which also contains the URI of the service instance. Multiple instances of Identity Management and Authentication Services may coexist in a network, and each organisation may maintain its own installation of the Identity Management and Authentication Service. Cross-organisational use and single sign-on are easily supported, since an identity represents only one identity of a (user) profile and one profile may refer to multiple identities, each registered at a different instance of the service.

The Identity Management and Authentication Service supports heterogeneous security infrastructures with disparate authentication mechanisms. Different instances of Identity Management and Authentication Services may implement different authentication methods and may also support different types of identities.

Interface Specification

The Identity Management and Authentication Service provides its functionality through the following interfaces and operations:

  • Authentication Interface
    • login
    • verifySessionInformation
  • Identity Management Interface
    • addIdentity
    • deleteIdentity
    • updateIdentity
    • addCredentials
    • updateCredentials
    • deleteCredentials
    • deactivateIdentity
    • activateIdentity
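The operations listed above, as an added example that is not the specification's own code: one `IdentityManagementService` object stands for one service instance and embeds its URI in every identity ID it issues, credentials are username/password pairs stored as salted PBKDF2 hashes, and a `Profile` links identities registered at different instances. Method names, the `/identities/<n>` ID layout and the organisation URIs are assumptions for the example; the `authenticate` method evaluates credentials and honours deactivation, which is the check the Authentication Interface's login operation would perform before issuing session information.

```python
import hashlib
import hmac
import os


class Identity:
    def __init__(self, identity_id: str, attributes: dict):
        self.id = identity_id
        self.attributes = dict(attributes)
        self.active = True
        self.credentials = {}  # username -> (salt, pbkdf2 hash)


class IdentityManagementService:
    """Stand-in for one instance of the Identity Management Interface."""

    def __init__(self, service_uri: str):
        self.service_uri = service_uri
        self._identities = {}      # identity ID -> Identity
        self._username_index = {}  # username -> identity ID (unique per instance)
        self._counter = 0

    # --- identity lifecycle (addIdentity, updateIdentity, deleteIdentity, ...) ---
    def add_identity(self, attributes: dict) -> str:
        self._counter += 1
        identity_id = f"{self.service_uri}/identities/{self._counter}"  # assumed ID layout
        self._identities[identity_id] = Identity(identity_id, attributes)
        return identity_id

    def update_identity(self, identity_id: str, attributes: dict) -> None:
        self._identities[identity_id].attributes.update(attributes)

    def delete_identity(self, identity_id: str) -> None:
        ident = self._identities.pop(identity_id)
        for username in ident.credentials:
            self._username_index.pop(username, None)

    def deactivate_identity(self, identity_id: str) -> None:
        self._identities[identity_id].active = False

    def activate_identity(self, identity_id: str) -> None:
        self._identities[identity_id].active = True

    # --- credentials (addCredentials, updateCredentials, deleteCredentials) ---
    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_credentials(self, identity_id: str, username: str, password: str) -> None:
        if username in self._username_index:
            raise ValueError(f"username already assigned: {username}")
        salt = os.urandom(16)
        self._identities[identity_id].credentials[username] = (salt, self._hash(password, salt))
        self._username_index[username] = identity_id

    def update_credentials(self, identity_id: str, username: str, new_password: str) -> None:
        ident = self._identities[identity_id]
        if username not in ident.credentials:
            raise KeyError(username)
        salt = os.urandom(16)  # fresh salt on every password change
        ident.credentials[username] = (salt, self._hash(new_password, salt))

    def delete_credentials(self, identity_id: str, username: str) -> None:
        del self._identities[identity_id].credentials[username]
        del self._username_index[username]

    # --- credential evaluation used by login ---
    def authenticate(self, username: str, password: str):
        """Return the identity ID if the credentials match and the identity is active."""
        identity_id = self._username_index.get(username)
        if identity_id is None:
            return None
        ident = self._identities[identity_id]
        salt, stored = ident.credentials[username]
        # Deactivated identities keep their credentials but cannot log in
        if ident.active and hmac.compare_digest(stored, self._hash(password, salt)):
            return ident.id
        return None


class Profile:
    """A real-world user's profile may refer to identities at several instances."""

    def __init__(self, name: str):
        self.name = name
        self.identity_ids = set()

    def link(self, identity_id: str) -> None:
        self.identity_ids.add(identity_id)

    def owns(self, identity_id: str) -> bool:
        return identity_id in self.identity_ids
```

Two instances with different service URIs can each register an identity for the same person; the IDs differ because each carries its instance URI, and the `Profile` is what ties them together for cross-organisational use.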