Summary¶

Authentication Open Service Interface Definitions authentication version 3.0.0

The Authentication OSID manages authenticated entities.

Agent

The Authentication OSID defines an Agent to represent the identity of the authenticated entity. An Agent may map to a specific authentication principal while some providers may elect to hide multiple authentication principals behind a single Agent. Because principal identities tend not to be durable and persistent, consumers should always persist the Id.

Resource Mapping

An Agent may be mapped to a Resource in the Resource OSID. A Resource may map to multiple Agents but an Agent may only map to a single Resource. In the case of a person, a person may be utilize a number of authentication technologies each with a different authentication identity. Decoupling the authentication identity from that of ther person is to provide a means of integrating multiple services where different authentication identities exist for a person that impact the handling of authorization.

Authorization

Authorization is a separate service. The Authorization OSID manages what functions the Agent is authorized to perform and references the Agent Id. The Authentication OSID is only responsible for identity management of the Agent.

Each Agent of a Resource may be used to define distinct security levels of assurance (although the paranoid may opt for defining a pseudo-resource for each Agent ). These security levels of assurance can be linked to the Agent Type and managed in the Authorization OSID. The Agent Type would be an indicator of the authentication strength and although it may correlate to a specific authentication technology, coupling it too tightly to a particular technology may limit flexibility.

Certain consumers may wish to be notified of changes within the service. Authentication supports notifications via an AgentNotificationSession.

if (manager.supportsAgentNotification()) {

AgentNotificationSession ans = manager.getAgentNotificationSession(receiver); ans.registerForNewAgents(); hangAround();

}

AgentReceiver receiver {

newAgent(Id agentId) { print(“new agent”); } changedAgent(Id agentId) { print(“updated agent”); } deletedAgent(Id agentId) { print(“deleted agent”); }

}

Agency Cataloging

Agents are organized into federateable Agency OsidCatalogs.

Sub Packages

The Authentication OSID includes an Authentication Key OSID for managing private keys associated with an Agent and an Authentication Process OSID for acquiring and validating authentication credentials. It slaos includes an Authentication Batch OSID for managing Agents and Agencies in bulk.