Sunday, November 27, 2005

How does authentication work in Entrust?

The process for user authentication for Entrust TruePass is as follows:
1. The user attempts to access a URL secured by Entrust TruePass.
2. The Resource Protection Service is initiated through the Session Validation Module. It verifies whether the user has been authenticated by checking for the presence of an Authentication cookie in the request.
3. If the user has not been authenticated, the Web server redirects the Web browser to the URL defined in the configuration data file for Entrust TruePass.
4. The Authentication page is downloaded to the Web browser. The page is secured with Secure Socket Layer (SSL) protocol and includes the Entrust TruePass applet and a Login button. SSL is a requirement for all URLs protected by Entrust TruePass.
5. The user completes the fields or chooses the digital ID to be used for that session on the Authentication page and clicks the Login button.
6. Depending on the deployment type, there are multiple possibilities:
Roaming Profile: The Entrust TruePass applet reads the username and password, creates a password token, and sends the token, the UID and a login request to the Entrust TruePass servlets. The token (T) is created from multiple iterations of a one-way hash function (SHA-1) over the username and password supplied by the user requesting the digital identity. If the hash of the user's name and password matches the corresponding data in the directory, the user has been identified and the retrieval service is initiated by Entrust TruePass.
Desktop Profile: The Entrust TruePass applet reads the username and password, creates a password token, and compares it to the included token in the profile. If the two match, then the Profile will be unlocked and made available to Entrust TruePass for use.
Microsoft Windows digital ID store: To confirm that the correct digital ID is used, the user must choose the identity to be used with Entrust TruePass for each session. The Entrust TruePass applet presents a dialog listing all digital IDs available in the current Windows session. The user chooses the appropriate digital ID, and Entrust TruePass then proceeds to log on.
Smart card user: As with the user that has a digital ID in the Microsoft Windows digital ID store, smart card users are prompted to choose a digital ID to log in with. Once chosen, the user will be required to enter the PIN that protects the smart card; successfully doing so will allow Entrust TruePass to access the digital ID and proceed with the logon.
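To make the Roaming and Desktop Profile steps concrete, here is an added illustration (not Entrust's code) of a password token derived by iterating SHA-1 over the username and password, then checked against the value held in the directory or profile. The iteration count, the way username and password are combined, and the encoding are assumptions, since the post only says "multiple iterations".

```python
import hashlib
import hmac

# Assumed parameter: the post says only "multiple iterations" of SHA-1; this
# count and the username/password layout below are illustrative choices.
ITERATIONS = 10000


def password_token(username: str, password: str, iterations: int = ITERATIONS) -> bytes:
    """Derive token T by repeatedly applying SHA-1 to the username and password.

    Round one hashes "username\\x00password"; every later round hashes the
    previous digest. Only T is sent to the servlets; the password itself is not.
    Because the derivation is deterministic for a given username and password,
    the token must only ever travel over the SSL connection the post requires.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha1(
        username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    ).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def verify_token(presented: bytes, stored: bytes) -> bool:
    """Compare the presented token with the one in the directory (roaming) or
    embedded in the profile (desktop) using a constant-time comparison."""
    return hmac.compare_digest(presented, stored)


# Constructed sample: the token a directory entry or desktop profile would
# hold for this user, produced at enrolment with the same derivation.
STORED_TOKEN = password_token("alice", "correct horse battery staple")


def login_attempt(username: str, password: str) -> bool:
    """Return True only if the freshly derived token matches the stored one."""
    return verify_token(password_token(username, password), STORED_TOKEN)


if __name__ == "__main__":
    print("alice, correct password:", login_attempt("alice", "correct horse battery staple"))
    print("alice, wrong password:  ", login_attempt("alice", "Tr0ub4dor&3"))
```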

For roaming users, if an additional factor of authentication is mandated, this data is verified after the user has been identified, but before the identity retrieval service is invoked. The retrieval service is invoked after the user identification service has completed the necessary steps to identify the user. The following describes the process of the retrieval service:
1. The Entrust TruePass servlets obtain the digital ID securely through the use of the SPEKE protocol.
2. The Entrust TruePass servlets decrypt the outer layer of the double-encrypted digital ID and send it to the Entrust TruePass applet. The digital ID is still protected by 128-bit encryption and the SSL connection.
3. The Entrust TruePass applet removes the final 128-bit layer of encryption and logs the user into the digital ID.

Once a user’s digital ID is available to Entrust TruePass, the secure session is established through the following steps:
1. A challenge-response mechanism confirms that a valid Entrust TruePass user is communicating with the Entrust TruePass server components.
2. Once the challenge-response activity has been completed, the Entrust TruePass servlets also initiate the User Management Service to facilitate revocation checking and user status. If the user has not been revoked, an Authentication session cookie is sent to the Entrust TruePass applet and stored in browser memory.
3. The User Management Service verifies whether the identity is in a key update transition period. If it requires updating, Entrust TruePass automatically manages this process in the standard, transparent Entrust manner (please refer to "User Management Service" for more details).
4. The Entrust TruePass applet redirects the Web browser to the URL the user initially attempted to access.
