OpenWGA 7.10 - OpenWGA Concepts and Features


Authentication

Authentication describes the technique to determine the identity of a user in a secure way. It should be clearly distinguished from authorisation, which determines the rights that an already identified user has on the system resources. Authentication is mostly about secure user identification.

This is most of the time accomplished by a "shared secret" in the form of a user/password combination that only the user and the system know. This is also the method that OpenWGA uses in most situations. Another way of authentication, also supported by OpenWGA, is a client certificate owned by the user. It is based on a public/private key pair and establishes the user's identity in a less vulnerable way than a password, which might get "sniffed" rather easily.

Other authentication methods may be available through OpenWGA plugins. For example, the OpenWGA Enterprise Edition allows single sign-on authentication against a Microsoft Windows domain controller.

OpenWGA uses authentication on all interfaces that allow any access to contents and to the system's administration. The most important interface is of course content serving via HTTP for web browsers. OpenWGA supports all of the authentication methods described here on this interface, defaulting to username/password.

The authentication that OpenWGA uses to access a database is configured on its domain, where an authentication source is selected and configured. If no authentication source is configured on a domain, OpenWGA regards every user who tries to access databases under that domain as "anonymous".

The result of a successful authentication is validated user information, which may then be used in authorisation to determine what the user is actually allowed to do. This information consists mainly of:

  • A distinguished name, which is the primary user name and should be absolutely unique
  • Any number of user name aliases, which are also used to identify the user and which should still be unique but are not required to be
  • Any number of names of user groups, i.e. groups that the user is a member of.
Additionally, authentication may supply further information about the user, for example an email address or other custom attributes, but this depends on the concrete authentication module implementation.
