Client identities and credentials
The result of authentication is a client identity. WebSEAL requires the client identity to build a credential for the user. The authorization service uses this credential to permit or deny access to protected resources requested by the user.
- WebSEAL always builds an unauthenticated credential for unauthenticated users. An unauthenticated user can still participate in the secure domain because ACLs can contain rules that specifically govern unauthenticated users.
- When a user requests a protected object and is required to authenticate, WebSEAL first examines the user request for authentication data. Authentication data includes method-specific authentication information, such as passwords and certificates, that represent physical identity properties of the user.
- The result of successful authentication is a client identity. The client identity is a data structure that includes the user name and any extended attribute information that is to be added to the resulting credential.
- Verify Identity Access uses the client identity information to build a credential for that user. Verify Identity Access matches the client identity with a registered Verify Identity Access user and builds a credential appropriate to this user. This action is known as credentials acquisition.
The credential is a complex structure that includes the user name, any group memberships, and any special extended security attributes associated with the user's session. The credential describes the user in a specific context and is valid only for the lifetime of that session.
The authorization service uses this credential to permit or deny access to protected resources after evaluating the authorization policies governing each object.
Credential acquisition can succeed only if the user has an account defined in the Verify Identity Access user registry.
If credential acquisition fails (the user is not a member of the Verify Identity Access user registry), WebSEAL returns an error.
Credentials can be used by any Verify Identity Access service that requires information about the user. Credentials allow Verify Identity Access to securely perform a multitude of services such as authorization, auditing, and delegation.
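The following is an added, simplified model of the flow described above (authentication data, client identity, credential acquisition, authorization decision). It is not WebSEAL's or Verify Identity Access's own code or API; the password hashes, certificate-subject mapping, user registry, ACL entries and the subject labels "unauthenticated" and "any-other" are constructed sample data for illustration. It shows the three outcomes the text distinguishes: the unauthenticated credential being evaluated against an ACL, a registered user acquiring a credential with group memberships, and an authenticated identity that is absent from the registry failing credential acquisition with an error.

```python
"""Simplified model of: authentication data -> client identity -> credential
acquisition -> authorization. Added example code, not WebSEAL's implementation.
All registry, password, certificate and ACL data below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


class CredentialAcquisitionError(Exception):
    """Raised when a client identity has no matching account in the registry."""


@dataclass(frozen=True)
class ClientIdentity:
    """Output of successful authentication: user name plus extended attributes."""
    user_name: str
    extended_attrs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Credential:
    """Describes the user for one session: name, groups, attributes, session."""
    user_name: Optional[str]  # None marks the unauthenticated credential
    groups: frozenset
    extended_attrs: dict
    session_id: str


def _h(pw: str) -> str:  # hashing stub for the constructed password store
    return hashlib.sha256(pw.encode()).hexdigest()


# --- constructed sample data (hypothetical) ---
PASSWORD_HASHES = {"alice": _h("alice-pw"), "bob": _h("bob-pw")}
CERT_SUBJECT_MAP = {"CN=carol,O=Example": "carol"}  # certificate -> user name
USER_REGISTRY = {  # user -> group memberships; note that carol is absent
    "alice": frozenset({"staff", "finance"}),
    "bob": frozenset({"staff"}),
}
ACL = {  # object -> subject label -> permitted operations
    "/public": {"unauthenticated": {"r"}, "any-other": {"r"}},
    "/finance/report": {"group:finance": {"r", "w"}, "any-other": set()},
}


def authenticate(auth_data: dict) -> Optional[ClientIdentity]:
    """Examine method-specific authentication data; return a client identity or None."""
    method = auth_data.get("method")
    if method == "password":
        user, pw = auth_data.get("user", ""), auth_data.get("password", "")
        stored = PASSWORD_HASHES.get(user)
        if stored and hmac.compare_digest(stored, _h(pw)):
            return ClientIdentity(user, {"auth_method": "password"})
    elif method == "certificate":
        user = CERT_SUBJECT_MAP.get(auth_data.get("subject_dn", ""))
        if user:
            return ClientIdentity(user, {"auth_method": "certificate"})
    return None


def unauthenticated_credential(session_id: str) -> Credential:
    """An unauthenticated credential is always built for unauthenticated users."""
    return Credential(None, frozenset(), {}, session_id)


def acquire_credential(identity: ClientIdentity, session_id: str) -> Credential:
    """Match the client identity against the registry and build the credential."""
    groups = USER_REGISTRY.get(identity.user_name)
    if groups is None:
        raise CredentialAcquisitionError(f"{identity.user_name!r} not in user registry")
    return Credential(identity.user_name, groups, dict(identity.extended_attrs), session_id)


def is_permitted(cred: Credential, obj: str, perm: str) -> bool:
    """Authorization: evaluate the object's ACL entries against the credential."""
    entries = ACL.get(obj, {})
    if cred.user_name is None:  # only the unauthenticated entry applies
        return perm in entries.get("unauthenticated", set())
    if perm in entries.get(f"user:{cred.user_name}", set()):
        return True
    if any(perm in entries.get(f"group:{g}", set()) for g in cred.groups):
        return True
    return perm in entries.get("any-other", set())


def handle_request(auth_data: Optional[dict], obj: str, perm: str, session_id: str) -> str:
    """End-to-end handling of one request; returns the outcome as a short string."""
    if auth_data is None:
        cred = unauthenticated_credential(session_id)
    else:
        identity = authenticate(auth_data)
        if identity is None:
            return "authentication failed"
        try:
            cred = acquire_credential(identity, session_id)
        except CredentialAcquisitionError as err:
            return f"error: {err}"
    return "permitted" if is_permitted(cred, obj, perm) else "denied"


if __name__ == "__main__":
    print(handle_request(None, "/public", "r", "s1"))
    print(handle_request({"method": "password", "user": "alice", "password": "alice-pw"},
                         "/finance/report", "w", "s2"))
    print(handle_request({"method": "certificate", "subject_dn": "CN=carol,O=Example"},
                         "/public", "r", "s3"))
```

The certificate case is the one worth noting: authentication succeeds (a client identity is produced), but because "carol" has no account in the registry, credential acquisition fails and the request ends in an error rather than an authorization decision, which mirrors the distinction the text draws between authentication and credential acquisition.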