Authentication and Authorization




The pasPortal web application is entirely dependent on a layered approach to authentication and authorization that includes a combination of role-based security, federated authentication, claims-based security, and advanced encryption.




Before accessing resources and content secured by the pasPortal security framework, a user must first undergo the authentication process to establish their identity. Essentially, authentication is the process of proving who you are - not what you can do. Authentication is performed using one of two methods.


In the first method, users authenticate against pasPortal using a registered email address and password, which are validated against a centrally maintained database of account definitions. The registered email address serves as the pasPortal user name. Passwords in pasPortal are protected with a combination of symmetric and asymmetric high-grade encryption keys to prevent theft or tampering. Account authentication details are combined with password complexity, password aging, and password history policies to ensure that even the strictest client authentication policies can be tailored and enforced. The primary benefits of this model are simplicity, ease of use, and no reliance on external resources. The limitation of this model is that customers must maintain security account information in pasPortal, possibly (and likely) in addition to local authentication repositories.


In the second method, authentication is delegated outside of the pasPortal security framework using what is known as Claims-Based Authentication. This option is a special form of authentication using what is known as Federated Single Sign On (SSO), in which an end-user authenticates against an identity provider other than pasPortal that is known to and trusted by pasPortal. SSO is not available to all customers and requires special configuration between pasPortal and client security environments. When enabled, SSO allows end-users to authenticate against an external identity provider (such as a local Active Directory implementation) and to have their identity information relayed to pasPortal via a Security Token Service (STS) of their choice (such as Active Directory Federation Services). The primary benefits of this model include the ability to authenticate to pasPortal without needing to enter explicit email and password information into the web browser and the ability to delegate user administration outside of the pasPortal environment to the customer's local security infrastructure. Limitations of this model are that end-users must have access to both the federated security environment and the pasPortal web application at the time of authentication, which may create problems for mobile users. Additionally, a lack of availability in the remote federation services will make pasPortal inaccessible to end-users. If your organization is interested in establishing an SSO authentication mechanism with pasPortal, please contact the pasPortal administration team.




In order to access resources and content secured by the pasPortal security framework, a user undergoes a process that digests role membership, assigned permissions, and permission inheritance to determine whether the actions the user wishes to take are permissible. Essentially, authorization is the process of determining what you are allowed to do - regardless of how you were authenticated. Authorization is managed by the pasPortal role-based security framework. The idea behind role-based security frameworks is that users are represented by accounts, and those accounts are assigned membership in roles to which permissions are assigned. pasPortal takes a somewhat novel and unique approach to role-based security. Unlike other authorization systems, many of which compute role membership at the moment of authentication, pasPortal recognizes that security changes can happen at any time, and as such security actions are authorized constantly - not just at logon. This makes it easy to test changes in security without forcing users to log off and on again. It also requires that administrators approach their security architectures holistically and plan roles properly, as permissions are not assigned to individual accounts.
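The difference between logon-time and per-action authorization is easiest to see when a role membership is revoked during a live session. The following is an added example, not pasPortal code: the class and function names, the sample account, and the role-to-parent inheritance model are all assumptions made for illustration.

```python
# Added illustration: hypothetical names and data model, not pasPortal's API.
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parent: "Role | None" = None  # assumption: a role inherits its parent's permissions

    def effective_permissions(self) -> set:
        perms, role, seen = set(), self, set()
        while role is not None and role.name not in seen:  # stop on inheritance cycles
            seen.add(role.name)
            perms |= role.permissions
            role = role.parent
        return perms


class RoleStore:
    """Permissions attach to roles only; accounts hold role memberships."""

    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.members = {}  # account -> set of role names

    def grant(self, account, role_name):
        self.members.setdefault(account, set()).add(role_name)

    def revoke(self, account, role_name):
        self.members.get(account, set()).discard(role_name)

    def permissions_for(self, account) -> set:
        names = self.members.get(account, set())
        return set().union(*(self.roles[n].effective_permissions() for n in names))


def authorize(store, account, permission) -> bool:
    """Per-action check: resolved against current memberships on every call."""
    return permission in store.permissions_for(account)


def demo():
    reader = Role("reader", {"doc.read"})
    store = RoleStore([reader, Role("editor", {"doc.write"}, parent=reader)])
    user = "alice@example.com"  # constructed sample account
    store.grant(user, "editor")
    snapshot = frozenset(store.permissions_for(user))  # logon-time model: frozen copy
    store.revoke(user, "editor")  # administrator change while the session is live
    return "doc.write" in snapshot, authorize(store, user, "doc.write")


if __name__ == "__main__":
    print(demo())  # (True, False): stale snapshot still allows, live check denies
```

The snapshot stands in for systems that compute role membership once at authentication; the revocation only reaches such a session at the next logon, while the per-action check reflects it immediately.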




Users authenticated via claims-based Single Sign On are subject to provisioning rules that transform claims into assignments to specific roles. For additional details on how to author provisioning claims, see the Role Manager module.


Copyright © 2023 pasUNITY, Inc.

