Thursday, 29 October 2015

Claim based Authentication Tutorial Part 1

Topics which we are going to cover:
1.) What is claims-based authentication
2.) Definitions of the basic terms
Nowadays, when we create an application that has a login page, we need to understand how it works. When a user logs in, an Identity is assigned to that session, and that Identity is maintained throughout the session until the user logs out or the session expires. So let's look at the current scenario.
This means every application with its own authentication mechanism first authenticates the user, gives the user an Identity, and only then lets the user access the application. So if we can somehow move the authentication part out of the application, that is very helpful: the same authentication service can then be used by several applications. I will explain it pictorially.

So the basic idea is this: some applications do the authentication and provide the Identity (these are called Identity Providers), and the other applications rely on that Identity. It is just like in our daily life.

The picture above explains it all.

Claim Based Authentication

Claims-based authentication follows the same mechanism. There are authentication providers (Identity Providers) that are used by various applications. Whenever a user tries to access an application, the application checks whether the user is already authenticated. If not, it forwards the user to the Identity Provider, which actually authenticates the user, gives the user a token, and forwards the user back to the application. The application verifies the token, and only then is the user allowed to access the application.
But this is not so easy in a web scenario. There are a few challenges:
– Who are the Identity Providers?
– What data does the relying party need, i.e. what data can be transferred from the Identity Provider, and in which form?
– If there are multiple Identity Providers, how does the application trust them?
Actually there are a number of Identity Providers nowadays, like Google, Facebook, Windows Live ID and many more, and we can also develop our own Identity Provider for on-premise applications. The same approach can be used in the cloud as well.
Now, if I am making an application and it uses some Identity Provider to authenticate users, then the application must understand the token format of that Identity Provider, and there must be a trust relationship between the application and the Identity Provider, so that the application can rely on the token sent by that Identity Provider. In practice that trust is a key: the application holds the Identity Provider's signing key (or a shared secret) and accepts only tokens that verify against it.

Basics of Claim based Authentication

Now let us discuss the basic things involved in it. These are mainly Identity, Tokens, Claims, Identity Provider or Security Token Service (STS), and RP (Relying Party). To move ahead we need to understand all of these, so let's discuss them one by one.

What is an Identity

You can say an Identity is a group of information that uniquely identifies something. Many other things also have an identity, like your own PC or your vehicle, but here we are talking about a person. So in this digital era, we can say a digital identity is a group of information that identifies a person.

Token and Claims

When this digital identity is passed over the wire, it is passed as a stream of bytes, and that is known as a token. A token contains a set of information about the user in the form of claims. A token can contain multiple claims, and every claim carries one specific piece of information (for example the user's name, e-mail address or role). The token is digitally signed by the issuer so that it can be verified at the receiving end, and a receiver must reject any token whose signature does not verify. Pictorially:

Sometimes the token is in the XML-based Security Assertion Markup Language (SAML) format, but applications now also use a simpler format called Simple Web Token (SWT) (today the JSON Web Token, JWT, is the most common compact format). So the benefit is that the token carries not just proof that the user was authenticated but also other information about the user that the application needs, and the application never has to handle the user's password itself.

Identity Provider and STS

The Identity Provider is the key to this technology: it actually authenticates the user, creates the token with the claims the application asked for, and digitally signs it before sending it. The part of the Identity Provider that issues tokens is called the Security Token Service (STS), and the two terms are often used interchangeably. So let's have a look at how the STS works.

RP (Relying Party)

Relying parties are the applications that use these Identity Providers for authentication. They just need to understand and verify the token and take all the data they need from the token itself. But before all this, the RP needs to build a trust relationship with the Identity Provider and tell it what data it needs for a user. Then, for every token it receives, it can verify the issuer's signature, check that the token was issued for it (the audience) and has not expired, and read the required data.
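As an added example (not code from the original post), here is the token side of the flow described above in Python: the STS issues a signed token carrying claims, and the RP verifies it before reading the claims. The token follows the Simple Web Token layout mentioned in the Token and Claims section: form-encoded name=value pairs with the reserved names Issuer, Audience and ExpiresOn, and an HMACSHA256 signature as the last pair. The shared key, the issuer and audience names, and the user's claims are constructed for this example; the STS's actual authentication of the user (password check, etc.) is assumed to have happened before the token is issued.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, unquote, urlencode

# Constructed for this example. In a real deployment the key is exchanged
# out of band when the RP and the STS set up their trust relationship.
SHARED_KEY = b"example-shared-key-replace-me"


class TokenError(Exception):
    """Raised by the relying party when a token must be rejected."""


def sts_issue_token(key, issuer, audience, claims, lifetime_seconds=300, now=None):
    """STS side: the user is assumed already authenticated; build and sign a
    Simple Web Token for the given audience.

    SWT layout: form-encoded name=value pairs. Issuer, Audience and
    ExpiresOn (seconds since the epoch) are reserved names; the signature
    HMACSHA256 is the last pair and covers every byte before it.
    """
    now = int(time.time()) if now is None else now
    pairs = [("Issuer", issuer), ("Audience", audience),
             ("ExpiresOn", str(now + lifetime_seconds))]
    pairs += list(claims.items())
    body = urlencode(pairs)
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    signature = base64.b64encode(mac).decode("ascii")
    return body + "&" + urlencode([("HMACSHA256", signature)])


def rp_verify_token(token, key, expected_issuer, expected_audience, now=None):
    """Relying-party side: verify the token and return its claims as a dict.

    Order matters: check the signature before trusting any field, then the
    issuer, then that the token was issued for this application, then expiry.
    """
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    cut = token.rfind(marker)
    if cut < 0:
        raise TokenError("token is not signed")
    body, sig_field = token[:cut], token[cut + len(marker):]
    try:
        presented = base64.b64decode(unquote(sig_field), validate=True)
    except ValueError:
        raise TokenError("malformed signature")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(presented, expected):
        raise TokenError("signature does not verify")
    claims = dict(parse_qsl(body, keep_blank_values=True))
    if claims.get("Issuer") != expected_issuer:
        raise TokenError("issuer is not trusted")
    if claims.get("Audience") != expected_audience:
        raise TokenError("token was issued for a different application")
    try:
        expires_on = int(claims.get("ExpiresOn", ""))
    except ValueError:
        raise TokenError("missing or malformed ExpiresOn")
    if expires_on <= now:
        raise TokenError("token has expired")
    return claims


def rp_accepts(token, key, expected_issuer, expected_audience, now=None):
    """Convenience wrapper: True if the RP would accept the token."""
    try:
        rp_verify_token(token, key, expected_issuer, expected_audience, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    sts = "https://sts.example"   # assumed issuer name
    app = "https://app.example"   # assumed relying party (audience)
    token = sts_issue_token(SHARED_KEY, sts, app,
                            {"name": "alice", "role": "admin"}, now=1000)
    print(token)
    print(rp_verify_token(token, SHARED_KEY, sts, app, now=1100))
    # Editing a claim breaks the signature, so the RP rejects the token.
    print(rp_accepts(token.replace("role=admin", "role=auditor"),
                     SHARED_KEY, sts, app, now=1100))
```

Note that the RP checks the Audience as well as the signature: a token the STS issued for one application must not be accepted by another application that trusts the same STS, otherwise a malicious relying party could replay tokens it received against its neighbours.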

Complete Scenario

Now you have all the basic information about claims-based authentication. Next, let us have a look at how these Identity Providers are used.
