Claims-Based Authentication for a Web-Based Enterprise

Technical Report | Accession Number: ADA607070

Abstract:

Authentication is the process of determining whether someone or something is, in fact, who or what they are declared to be. The authentication process uses credentials (claims containing authentication information) within one of many possible authentication protocols to establish the identities of the parties that wish to collaborate. Claims are representations that are provided by a trusted entity and can be verified and validated. Of the many authentication mechanisms, including self-attestation, username/password and presentation of credentials, only the last can be treated as claims. This is a key aspect of our enterprise solution, in that all active entities (persons, machines, and services) are credentialed and the authentication is bilateral, that is, each entity makes a claim to the other entity in every communication session initiated. This paper describes authentication that uses the TLS protocols primarily, since these are the dominant protocols above the transport layer on the Internet. Other higher-layer protocols, such as WS-Security, WS-Federation and WS-Trust, that use a Public Key Infrastructure credential for authentication integrate via middleware. This authentication is claims based and is a part of an enterprise-level security solution that has been piloted and is undergoing operational standup.
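The abstract's central point is that every session is authenticated in both directions with a PKI credential, so neither a bare assertion nor a password counts as a claim. The Go program below is an added illustration of what that bilateral check looks like at the TLS layer; it is not code from the report or its enterprise solution, and it uses only the Go standard library. A constructed root CA issues credentials to a service and a person; the service demands a verified client certificate (tls.RequireAndVerifyClientCert) and the client verifies the service against the same trust anchor. It then runs four sessions: both sides credentialed, a client presenting no certificate, a client whose certificate comes from a CA the service does not trust, and a server whose certificate comes from an untrusted CA. The CA names, "svc.example", "alice" and "mallory" are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // key generation and signing fail only on a broken system
	if err != nil {
		panic(err)
	}
	return v
}

// newCert stands in for the enterprise PKI: a self-signed root CA when parent is nil, otherwise a leaf valid for both server and client authentication.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	issuer, signer := tmpl, any(key) // self-signed unless a parent CA is supplied
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		issuer, signer = parent.Leaf, parent.PrivateKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Handshake runs one TLS session over loopback and reports both verdicts: the client CN the server authenticated (if any), the server's error and the client's.
func Handshake(server, client *tls.Config) (peerCN string, serverErr, clientErr error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", server))
	defer ln.Close()
	var peer *tls.Conn
	srv := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			peer = conn.(*tls.Conn)
			if err = peer.Handshake(); err == nil {
				peer.Write([]byte("ok")) // ack so the client can observe acceptance
			}
			conn.Close()
		}
		srv <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		// TLS 1.3 servers judge the client certificate after the client's handshake has completed, so one read is needed to surface a rejection alert here too.
		conn.SetDeadline(time.Now().Add(2 * time.Second))
		_, err = conn.Read(make([]byte, 2))
		conn.Close()
	}
	if serverErr = <-srv; serverErr == nil {
		peerCN = peer.ConnectionState().PeerCertificates[0].Subject.CommonName
	}
	return peerCN, serverErr, err
}

// Demo builds a constructed PKI and runs four sessions against a service that insists on bilateral authentication.
func Demo() map[string]string {
	ca, rogue := newCert("Enterprise Root CA", nil), newCert("Rogue CA", nil) // rogue is never trusted
	trust := x509.NewCertPool() // the one trust anchor every enterprise entity shares
	trust.AddCert(ca.Leaf)
	// RequireAndVerifyClientCert makes the session bilateral: the service refuses any peer without a claim it can verify.
	svc := &tls.Config{Certificates: []tls.Certificate{newCert("svc.example", &ca)}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	fake := &tls.Config{Certificates: []tls.Certificate{newCert("svc.example", &rogue)}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	client := func(certs ...tls.Certificate) *tls.Config { // the client verifies the service's claim the same way
		return &tls.Config{Certificates: certs, RootCAs: trust, ServerName: "svc.example"}
	}
	describe := func(cn string, sErr, cErr error) string {
		if sErr == nil && cErr == nil {
			return "accepted " + cn
		}
		return fmt.Sprintf("rejected (server: %v; client: %v)", sErr, cErr)
	}
	return map[string]string{
		"credentialed":     describe(Handshake(svc, client(newCert("alice", &ca)))),     // trusted claims in both directions
		"anonymous":        describe(Handshake(svc, client())),                          // the person presents no claim at all
		"untrusted-client": describe(Handshake(svc, client(newCert("mallory", &rogue)))), // claim issued by a CA the service does not trust
		"impostor-server":  describe(Handshake(fake, client(newCert("alice", &ca)))),    // the service's own claim is untrusted
	}
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run .`; only the "credentialed" session is accepted, and the server-side error for the others names what was missing (no certificate, or a certificate from an unknown authority). The abstract's distinction shows up directly in the two configs: ClientCAs and RootCAs pin which trusted entity's claims each side will accept, and there is no field in which a password or self-assertion could stand in for a credential. The report's middleware path for WS-Security, WS-Federation and WS-Trust, and its operational details such as certificate profiles and revocation, are outside this example.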

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:
Approved For Public Release
Distribution Statement:
Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR