Federated Authentication

How Dispel performs federated authentication against Microsoft Active Directory and Okta

Written by Ethan S

Dispel follows the NIST SP 800-63C Digital Identity Guidelines: Federation and Assertions specification for federated authentication. Please visit the NIST SP 800-63C page for more details.

Dispel supports Active Directory and OIDC/OAuth2 identity providers.

Definitions

Credential Service Provider (CSP): A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use.

Identity Provider (IdP): The party that manages the subscriber’s primary authentication credentials and issues assertions derived from those credentials. This is commonly the CSP as discussed within this document suite.

Relying Party (RP): An entity that relies upon the subscriber’s authenticator(s) and credentials or a verifier’s assertion of a claimant’s identity, typically to process a transaction or grant access to information or a system.

Schemas

Front Channel

The system uses a front-channel communication schema between the RP and the IdP, which involves redirects through the subscriber. The subscriber authenticates to the IdP, and the result of that authentication event is asserted to the RP across the network. In this transaction the IdP acts as the verifier for the credential, as described in SP 800-63B. The IdP can also make attribute statements about the subscriber as part of this process.

Dynamic Registration

Dispel uses a dynamic registration model for federation. In the dynamic registration model, relationships between members of the federation are negotiated at the time of a transaction. This process allows IdPs and RPs to be connected without a connection first being established between them through manual registration.

As shown above, dynamic registration involves four steps:

  1. Discover. The RP goes to a well-known location at the IdP to find the IdP’s metadata.

  2. Validate. The RP and IdP determine each other’s validity. This can be accomplished through keying information, metadata, software statements, or other means.

  3. Register RP attributes. The RP sends its attributes to the IdP, and the IdP associates those attributes with the RP.

  4. Federation Protocol. The IdP and RP then communicate using a standard federation protocol.
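The four steps walked through for an OIDC/OAuth2 identity provider, as an added example that is not Dispel's code: the IdP metadata and the HTTP responses are constructed inline so it runs offline, and the issuer URL, endpoints and client naming are assumptions.

```python
import json
import secrets
from urllib.parse import urlencode

# Constructed IdP metadata, as served at <issuer>/.well-known/openid-configuration (assumed values).
ISSUER = "https://idp.example.test"
DISCOVERY = {"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks",
             "authorization_endpoint": ISSUER + "/authorize",
             "token_endpoint": ISSUER + "/token",
             "registration_endpoint": ISSUER + "/register",
             "id_token_signing_alg_values_supported": ["RS256"]}

def fake_http(method, url, body=None):
    """Offline stand-in for HTTP; knows only the two IdP endpoints used here."""
    if method == "GET" and url == ISSUER + "/.well-known/openid-configuration":
        return DISCOVERY
    if method == "POST" and url == DISCOVERY["registration_endpoint"]:
        return {"client_id": "rp-" + secrets.token_hex(4), **json.loads(body)}
    raise RuntimeError("unexpected request: " + url)

def validate(issuer, meta):
    """Step 2: reasons to reject the metadata (empty = OK); the issuer check binds the document to the URL asked."""
    problems = [] if meta.get("issuer") == issuer else ["issuer mismatch"]
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "registration_endpoint"):
        if not str(meta.get(key, "")).startswith("https://"):
            problems.append("missing or non-https " + key)
    if "RS256" not in meta.get("id_token_signing_alg_values_supported", []):
        problems.append("no acceptable id_token signing algorithm")
    return problems

def register(meta, redirect_uri, http=fake_http):
    """Step 3: send the RP's attributes (RFC 7591 style) and keep the issued client_id."""
    attrs = {"redirect_uris": [redirect_uri], "response_types": ["code"],
             "token_endpoint_auth_method": "client_secret_basic"}
    return http("POST", meta["registration_endpoint"], json.dumps(attrs))["client_id"]

def authorization_url(meta, client_id, redirect_uri, state):
    """Step 4: open the federation protocol (front-channel authorization code request)."""
    params = {"response_type": "code", "client_id": client_id, "scope": "openid",
              "redirect_uri": redirect_uri, "state": state}
    return meta["authorization_endpoint"] + "?" + urlencode(params)

def dynamic_registration(issuer, redirect_uri, http=fake_http):
    """All four steps in order; registration never happens if validation fails."""
    meta = http("GET", issuer.rstrip("/") + "/.well-known/openid-configuration")  # 1. Discover
    problems = validate(issuer, meta)                                               # 2. Validate
    if problems:
        raise ValueError("IdP metadata rejected: " + ", ".join(problems))
    client_id, state = register(meta, redirect_uri, http), secrets.token_urlsafe(16)  # 3. Register
    return client_id, state, authorization_url(meta, client_id, redirect_uri, state)  # 4. Protocol
```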

Role of Federation Authorities

When federation is used for authentication, Dispel defers to the federation authority to assist in making federation decisions and to establish the working relationship between parties. In this model, the federation authority generally conducts some level of vetting on each party in the federation to verify compliance with predetermined security and integrity standards. The level of vetting — if it occurs at all — is specific to the use cases and models employed within the federation, and is outside Dispel’s scope.

References

NIST Special Publication 800-63C Digital Identity Guidelines Federation and Assertions [https://pages.nist.gov/800-63-3/sp800-63c.html]
