Client identities and credentials

The result of authentication is a client identity. WebSEAL requires the client identity to build a credential for the user. The authorization service uses this credential to permit or deny access to protected resources requested by the user. The following process flow explains the relationship between authentication, a client identity, and a credential:

  1. WebSEAL always builds an unauthenticated credential for unauthenticated users.

    An unauthenticated user can still participate in the secure domain because ACLs can contain rules that specifically govern unauthenticated users.

  2. When a user requests a protected object and is required to authenticate, WebSEAL first examines the user request for authentication data.

    Authentication data includes method-specific authentication information, such as passwords and certificates, that represent physical identity properties of the user.

  3. The result of successful authentication is a client identity.

    The client identity is a data structure that includes the user name and any extended attribute information that is to be added to the resulting credential.

  4. ISAM uses the client identity information to build a credential for that user.

    Security Verify Access matches the client identity with a registered Security Verify Access user and builds a credential appropriate to this user. This action is known as credential acquisition.

    The credential is a complex structure that includes the user name, any group memberships, and any special extended security attributes associated with the user's session. The credential describes the user in a specific context and is valid only for the lifetime of that session.

    The authorization service uses this credential to permit or deny access to protected resources after evaluating the authorization policies governing each object.

    Credential acquisition can succeed only if the user has an account defined in the ISAM user registry.

    If credential acquisition fails because the user is not defined in the ISAM user registry, WebSEAL returns an error.

Credentials can be used by any Security Verify Access service that requires information about the user. Credentials allow ISAM to securely perform a multitude of services such as authorization, auditing, and delegation.
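The flow described above, modelled as an added illustrative example (not WebSEAL or Security Verify Access code): a constructed user registry, password store and ACL stand in for the real ones, and the function names `authenticate`, `acquire_credential` and `is_permitted` are assumptions. It shows the unauthenticated credential, credential acquisition from the client identity, the failure when the user is missing from the registry, and an ACL rule that governs unauthenticated users.

```python
from dataclasses import dataclass, field
from typing import Optional
import hmac

# Constructed stand-ins for the user registry and a password store (assumption:
# the real registry is not modelled). "mallory" can authenticate but is not
# a registered user, so credential acquisition for her must fail.
REGISTRY = {"alice": {"groups": ["staff", "finance"]}, "bob": {"groups": ["staff"]}}
PASSWORDS = {"alice": "s3cret", "bob": "hunter2", "mallory": "x"}

@dataclass
class ClientIdentity:                 # step 3: result of successful authentication
    user_name: str
    extended_attrs: dict = field(default_factory=dict)

@dataclass
class Credential:                     # step 4: what the authorization service evaluates
    user_name: str
    groups: list
    extended_attrs: dict
    session_id: Optional[str] = None  # valid only for the lifetime of this session
    authenticated: bool = True

class CredentialAcquisitionError(Exception):
    """The client identity has no matching user in the registry."""

def authenticate(auth_data: dict) -> Optional[ClientIdentity]:
    """Step 2: check method-specific authentication data (here, a password)."""
    user, pw = auth_data.get("user", ""), auth_data.get("password", "")
    if user in PASSWORDS and hmac.compare_digest(PASSWORDS[user], pw):
        return ClientIdentity(user, {"auth_method": "password"})
    return None

def acquire_credential(identity: Optional[ClientIdentity], session_id: str) -> Credential:
    """Steps 1 and 4: unauthenticated credential, or a credential built from the registry."""
    if identity is None:
        return Credential("unauthenticated", [], {}, session_id, authenticated=False)
    entry = REGISTRY.get(identity.user_name)
    if entry is None:                 # authenticated, but not defined in the registry
        raise CredentialAcquisitionError(identity.user_name)
    return Credential(identity.user_name, list(entry["groups"]), dict(identity.extended_attrs), session_id)

# Constructed ACL: subjects are "unauthenticated", "any-authenticated", "group:<g>" or "user:<u>".
ACL = {"/public": {"unauthenticated": {"r"}, "any-authenticated": {"r"}},
       "/finance": {"group:finance": {"r", "w"}, "any-authenticated": {"r"}}}

def is_permitted(cred: Credential, obj: str, perm: str) -> bool:
    """Authorization decision: evaluate the object's ACL against the credential."""
    rules = ACL.get(obj, {})
    if not cred.authenticated:        # only the explicit unauthenticated rule applies
        return perm in rules.get("unauthenticated", set())
    subjects = ["any-authenticated", f"user:{cred.user_name}"] + [f"group:{g}" for g in cred.groups]
    return any(perm in rules.get(s, set()) for s in subjects)
```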

Parent topic: Authentication overview