Claims-Based Authentication for a Web-Based Enterprise

July, 2013
IDA document: D-5091
FFRDC: Systems and Analyses Center
Type: Documents
Division: Information Technology and Systems Division
Authors:
William R. Simpson, Coimbatore Chandersekaran
Authentication is the process of determining whether someone or something is, in fact, who or what they are declared to be. The authentication process uses credentials (claims) containing authentication information within one of many possible authentication protocols to establish the identities of the parties that wish to collaborate. Claims are representations that are provided by a trusted entity and can be verified and validated. Of the many authentication protocols, including self-attestation, username/password, and presentation of credentials, only the last can be treated as claims. This is a key aspect of our enterprise solution, in that all active entities (persons, machines, and services) are credentialed and the authentication is bilateral; that is, each entity makes a claim to the other entity in every communication session initiated. This paper describes authentication that primarily uses the TLS protocols, since these are the dominant protocols above the transport layer on the Internet. Other higher-layer protocols that use a Public Key Infrastructure credential for authentication, such as WS-Security, WS-Federation, and WS-Trust, integrate via middleware. This authentication is claims-based and is part of an enterprise-level security solution that has been piloted and is undergoing operational standup.