
e-Authentication Models

There are two basic models for establishing an e-authentication system.

Direct Authentication

When both the user and service provider participate in a trust relationship that allows them to exchange and validate credentials, direct authentication can be performed. Direct authentication requires the presentation of credentials from the user, which are typically a username and password. The service provider uses these credentials to authenticate the request.

Brokered Authentication

In a situation where the user and the service provider do not share a direct trust relationship, a 'broker' can be used to perform authentication. The broker authenticates the client and then issues a security assertion that the service can use to authenticate the user.

Below is a table showing the comparison between the two models.

| Aspects | Direct Authentication | Brokered Authentication |
|---|---|---|
| Trust Relationship | Service provider establishes trust with the user directly. | Service provider trusts the broker, which performs authentication with the user. |
| Infrastructure Support | Direct authentication works with most infrastructures. | Brokered authentication requires an infrastructure that supports the use of security assertions. |
| Cross-domain Access | Requires authentication for every connection to a different service. | The same assertion could be used to access all services within an organization. |
| Usage Example | Direct username and password authentication. | PKI-based authentication which makes use of the verification service (i.e. OCSP) of the certification authority. Federation systems that depend on each other to authenticate their respective users and vouch for their access to services offered by other members of the federation. |
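
The brokered flow described above, as an added example that is not part of the original page: a broker checks the password and issues a signed assertion, and the service validates only that assertion. The function names, the shared HMAC key, the `org.example` audience and the user record are all constructed assumptions; real deployments usually use asymmetric signatures so services cannot mint assertions themselves.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: the broker/service trust key and the broker's user store.
BROKER_KEY = b"demo-broker-service-key"
# Demo only: a real credential store uses a salted, slow password hash.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _sign(payload: bytes) -> str:
    mac = hmac.new(BROKER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def broker_issue(username, password, audience, ttl=300, now=None):
    """Broker: authenticate the user, then issue a signed security assertion."""
    now = time.time() if now is None else now
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(username, ""), supplied):
        return None  # unknown user or wrong password: no assertion
    claims = {"sub": username, "aud": audience, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def service_verify(assertion, audience, now=None):
    """Service: never sees the password; it trusts only the broker's signature."""
    now = time.time() if now is None else now
    try:
        body, sig = assertion.split(".")
        payload = base64.urlsafe_b64decode(body)
        if not hmac.compare_digest(_sign(payload), sig):
            return None  # forged or altered assertion
        claims = json.loads(payload)
    except (ValueError, TypeError, AttributeError):
        return None  # malformed assertion
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None  # issued for another domain, or expired
    return claims["sub"]
```

Any service in the organization that holds the verification key and checks the same audience accepts the one assertion, which is the cross-domain property in the table; the expiry bounds how long a stolen assertion stays useful.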
 2007 | Important Notices 