
6 PKI Integrated systems

6.1 Account mapping

6.1.1 Some systems provide an environment for associating a certificate with a network account. The system can be configured to challenge the user for a certificate and log the user on using the user's account.

6.1.2 In this case, applications designed to trust the standard network logon are automatically PKI enabled.

6.1.3 This approach is also likely to integrate well with standard system audit trails.

6.2 Application lookup tables and rich application specific authorisation

6.2.1 Some environments give the developer access to the client certificate details, and the developer can then use these details in the application's own internal authorisation decisions.

6.2.2 This approach gives the developer great flexibility to apply different authorisation rules to the various parts of a system.

6.2.3 For systems that control access based on individuals (rather than, say, organisation membership), the application is likely to have internal lookup tables just like those discussed in section 5 above on Authentication Proxies.

6.2.4 Directory lookup could be used merely to determine the user's certificate DN when first creating the user and adding them to the lookup table.

6.3 Directory integration

6.3.1 As for 6.2 above, but rather than using internal lookup tables, the system could look up a directory to determine access.

6.3.2 This can be done in a variety of ways. The DN of the certificate could match the DN of the directory entry, or the DN of the certificate could be stored in another attribute in the directory.

6.3.3 In any case, after mapping to the directory, other directory attributes are used to determine access to the system.

6.3.4 The directory's security and availability are critical to the security and availability of S.E.E. PKI enabled applications that rely on it for authorisation.

6.3.5 Directory management tools can be used to manage access to the system, and if more than one system integrates with the directory, a user's access to multiple systems can be readily managed.
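The following example is added here to illustrate sections 6.2 and 6.3 together; it is not part of the S.E.E. guidance and not any product's code. It shows the one step both approaches share, canonicalising the certificate's subject DN so that lookups do not fail or falsely match on case and whitespace differences, and then uses that key first against an application-internal table (6.2) and then against a stand-in directory (6.3), where the entry is found either by its own DN or by a separate attribute holding the certificate DN (6.3.2) and access is derived from other attributes (6.3.3). The in-memory `DIRECTORY`, the attribute names `certificateDN`, `memberOf` and `accountStatus`, the group names and all DNs are constructed for the example.

```python
"""Added example (not from the S.E.E. guidance): mapping a client certificate's
subject DN to authorisation data via an application table (6.2) or a directory (6.3).
Assumptions: DNs are RFC 4514 strings; the directory is an in-memory dict standing in
for LDAP; attribute and group names are hypothetical."""
from __future__ import annotations
from typing import Optional


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on sep, leaving backslash-escaped separators (e.g. 'Smith\\, John') intact."""
    parts, buf, escaped = [], [], False
    for ch in s:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def canonical_dn(dn: str) -> str:
    """Canonical form used as a lookup key: attribute types lower-cased, values stripped
    of surrounding whitespace and case-folded (the caseIgnoreMatch behaviour a directory
    applies to most DirectoryString attributes). Malformed RDNs are rejected, not guessed."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


# 6.2: application-internal lookup table keyed by canonical DN (constructed entries).
APP_ACL = {
    canonical_dn("CN=Alice Example,OU=Finance,O=Example Agency,C=NZ"): {"reports:read", "reports:approve"},
    canonical_dn("CN=Bob Example,OU=IT,O=Example Agency,C=NZ"): {"reports:read"},
}


def app_permissions(cert_subject: str) -> frozenset[str]:
    """6.2 style: rights come from the application's own table; an unknown DN gets none."""
    return frozenset(APP_ACL.get(canonical_dn(cert_subject), ()))


# 6.3: stand-in directory. Keys are entry DNs; values are the entry's attributes.
DIRECTORY = {
    canonical_dn("uid=alice,ou=people,dc=example,dc=govt,dc=nz"): {
        "certificateDN": "CN=Alice Example,OU=Finance,O=Example Agency,C=NZ",  # 6.3.2, attribute match
        "memberOf": ["cn=finance-approvers,ou=groups,dc=example,dc=govt,dc=nz"],
        "accountStatus": "active",
    },
    canonical_dn("CN=Bob Example,OU=IT,O=Example Agency,C=NZ"): {  # 6.3.2, entry DN == certificate DN
        "memberOf": ["cn=it-staff,ou=groups,dc=example,dc=govt,dc=nz"],
        "accountStatus": "active",
    },
    canonical_dn("uid=carol,ou=people,dc=example,dc=govt,dc=nz"): {
        "certificateDN": "CN=Carol Example,OU=Finance,O=Example Agency,C=NZ",
        "memberOf": ["cn=finance-approvers,ou=groups,dc=example,dc=govt,dc=nz"],
        "accountStatus": "disabled",  # valid certificate, but the directory says no access
    },
}

# Rights attached to directory groups (constructed); this is the 6.3.3 "other attributes" step.
GROUP_RIGHTS = {
    "cn=finance-approvers,ou=groups,dc=example,dc=govt,dc=nz": {"reports:read", "reports:approve"},
    "cn=it-staff,ou=groups,dc=example,dc=govt,dc=nz": {"reports:read"},
}


def find_directory_entry(cert_subject: str) -> Optional[dict]:
    """Try an entry-DN match first, then the certificateDN attribute. A mapping that is
    absent or ambiguous (more than one entry claims the DN) fails closed."""
    wanted = canonical_dn(cert_subject)
    if wanted in DIRECTORY:
        return DIRECTORY[wanted]
    matches = [e for e in DIRECTORY.values()
               if "certificateDN" in e and canonical_dn(e["certificateDN"]) == wanted]
    return matches[0] if len(matches) == 1 else None


def directory_permissions(cert_subject: str) -> frozenset[str]:
    """6.3 style: access is decided by the entry's status and group memberships."""
    entry = find_directory_entry(cert_subject)
    if entry is None or entry.get("accountStatus") != "active":
        return frozenset()
    rights: set[str] = set()
    for group in entry.get("memberOf", []):
        rights |= GROUP_RIGHTS.get(canonical_dn(group), set())
    return frozenset(rights)
```

Two design points worth noting: an ambiguous certificate-to-entry mapping returns no entry rather than the first hit, because two directory entries claiming the same certificate DN is exactly the situation 6.3.4 warns about (a directory integrity problem becomes an authorisation problem), and the disabled-account case shows why 6.3.5 holds: revoking access in the directory takes effect without touching the application or the certificate.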

6.4 Ticket based systems (like Kerberos)

6.4.1 In this approach the user visits a specialised authentication system that performs certificate based authentication. Its tables are used to issue a "ticket" which may be delivered to the user's browser in the form of a cookie that is marked accessible to the target application. Control is transferred to the target application which reads the cookie, confirms the validity of the ticket and grants access. An example of such a system is Netegrity SiteMinder http://www.netegrity.com/products/index.cfm?leveltwo=SiteMinder.

6.4.2 This approach has many of the same advantages and issues as the directory approach, but may be more proprietary.
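As an added example of the ticket flow in 6.4.1 (not part of the S.E.E. guidance, and not SiteMinder's or Kerberos's own format), the block below shows the two halves of such a system: the authentication system issues a signed ticket after certificate-based authentication has succeeded, and the target application checks the ticket it receives in the cookie before granting access. The ticket binds the subject DN, the intended application and an expiry under an HMAC, and the verifier fails closed on a bad signature, wrong audience, expiry or malformed input. The shared key, the cookie name `see_ticket` and the claim names are assumptions constructed for the example.

```python
"""Added example (not from the S.E.E. guidance): a minimal signed "ticket" for a
ticket-based system (6.4.1) and the check the target application performs on it.
Assumptions: a key shared between the authentication system and the target
application; hypothetical cookie and claim names; no real product's wire format."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In practice this comes from configuration and is per application.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_ticket(subject_dn: str, audience: str, ttl_seconds: int = 300, now=None) -> str:
    """Authentication-system side: called only after the client certificate has been
    validated. The ticket names the subject, the target application and an expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject_dn, "aud": audience, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_ticket(ticket: str, expected_audience: str, now=None) -> Optional[dict]:
    """Target-application side: returns the claims only if the ticket is authentic,
    unexpired and issued for this application; otherwise None (fail closed)."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = ticket.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts or undecodable base64
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison of the tag
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("aud") != expected_audience:
        return None  # ticket was issued for a different application
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired or missing expiry
    return claims


def set_cookie_header(ticket: str, app_path: str) -> str:
    """The cookie 'marked accessible to the target application' (6.4.1): scoped by Path
    and restricted to TLS and to non-script access."""
    return f"Set-Cookie: see_ticket={ticket}; Path={app_path}; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    t = issue_ticket("CN=Alice Example,O=Example Agency,C=NZ", "reports-app")
    print(set_cookie_header(t, "/reports"))
    print(verify_ticket(t, "reports-app"))
```

The audience check is what keeps a ticket issued for one application from being replayed against another that trusts the same authentication system, and the short expiry bounds how long a captured cookie is useful; these are the properties a ticket format needs regardless of whether the product is proprietary, which is the trade-off 6.4.2 points at.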
