User and Role Management

Learn about the user authentication and authorization process, LDAP (Lightweight Directory Access Protocol) authentication, and ADFS (Active Directory Federation Services).

VHQ user and role management helps you configure and maintain user authorization. This section describes the theory behind how authentication and authorization work in VHQ, and defines the process of identifying a user and then determining whether that user can take specific roles.

NOTE:
The token format is updated from SAML 1.0 to SAML 2.0.


VHQ Authentication with VHQ Authorization

Authentication is the process of identifying and verifying a user. Authentication information is extracted from the request and then checked to determine whether it is sufficient and correct. In VHQ, this is performed by the login modules. VHQ verifies the identity of a user who wants to use data, resources or applications in an external database table through Active Directory (AD) mode or Default VHQ mode, and it encrypts passwords during transmission to secure network authentication. If the authentication mode is Active Directory (supported by the customer), VHQ tries to authenticate the user using the VHQ common database; this authentication validates a VHQ support person logging in to a customer whose authentication mode is Active Directory. After authentication, the authorization process can allow or limit the levels of access and the actions permitted to the user. The VHQ authorization process determines whether a user is allowed to take action on specific areas within the system.

Authentication includes:

  • VHQ
  • AD (applicable for customer hosted services)
  • ADFS (Active Directory Federation Services)

EXAMPLE:
A user can be authorized to read, update or delete.

Authorization is permitting only certain users to access, process, or alter data, and applying varying limitations on user access or actions (Add/Modify/View/Execute/Delete).

Authorization includes:

  • VHQ
  • AD/ADFS

Authorization is managed using a series of entries in VHQ.
a. User: VHQ users access the system using their user accounts. The user account holds the details needed for accessing VHQ; a key purpose of an account is to provide the information for the authentication and login processes that allow the VHQ user to log in.
b. Groups: A group is a collection of users and/or other groups. A change in the permissions/privileges assigned to a group is automatically applied to all users in that group. All users are members of the group Everyone. In addition, users can belong to several other groups. Even if the group Everyone is deleted, all users remain part of the group because of the indirect relationship between users/groups and authorization.
c. Permissions: The VHQ user can add, modify, view, execute or delete.
d. Privileges: Privileges allow access to the functionality available within the application. Privileges are always granted or denied to principals rather than to users or groups. The link between users and groups and the authorization is indirect; there is always a principal associated with a user or group.
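As an added illustration of the entries above (not VHQ's own code), the following Python resolves a user's effective permissions through nested groups, the implicit Everyone group and principals. The membership data, the functional area names and the deny-overrides rule are constructed assumptions.

```python
PERMISSIONS = ("Add", "Modify", "View", "Execute", "Delete")
EVERYONE = "Everyone"
# Constructed membership: member -> groups it belongs to (members may be users or groups)
MEMBER_OF = {
    "alice": {"Operators"},
    "bob": {"Auditors"},
    "Operators": {"Staff"},  # nested group
}
# Every user and group has a principal; privileges are attached to principals, not directly
PRINCIPAL_OF = {"alice": "P-alice", "bob": "P-bob", EVERYONE: "P-everyone",
                "Operators": "P-operators", "Staff": "P-staff", "Auditors": "P-auditors"}
# Privileges: principal -> {(functional area, permission): granted?}; False is an explicit deny
PRIVILEGES = {
    "P-everyone": {("Devices", "View"): True},
    "P-staff": {("Devices", "Modify"): True},
    "P-operators": {("Devices", "Execute"): True, ("Devices", "Add"): True},
    "P-auditors": {("Devices", "Modify"): False},  # explicit deny for the whole group
    "P-bob": {("Devices", "Modify"): True},  # bob's own grant loses to the group deny (assumed rule)
}

def groups_of(user):
    """All groups the user belongs to, directly or via nested groups; Everyone is implicit."""
    seen, todo = set(), [user]
    while todo:
        member = todo.pop()
        for group in MEMBER_OF.get(member, ()):
            if group not in seen:  # guards against membership cycles
                seen.add(group)
                todo.append(group)
    seen.add(EVERYONE)  # membership holds even if the Everyone group entry were deleted
    return seen

def effective_permissions(user, area):
    """Permissions the user holds on an area: any grant wins unless some principal denies."""
    principals = [PRINCIPAL_OF[name] for name in [user, *groups_of(user)] if name in PRINCIPAL_OF]
    allowed = []
    for perm in PERMISSIONS:
        decisions = {PRIVILEGES.get(p, {}).get((area, perm)) for p in principals}
        if True in decisions and False not in decisions:
            allowed.append(perm)
    return allowed
```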


Customer Hosted AD Authentication with VHQ Authorization

The customer interacts with an AD server that stores user information centrally, eliminating the need for duplication, to authenticate users against Active Directory. After authentication, the VHQ STS (Security Token Service) allows the access control lists to be applied on the database. The VHQ STS authenticates the customer so that authorization can be enforced. The customer is redirected to the VHQ STS, which authenticates the client and issues a security token. Finally, the customer is redirected back to VHQ, where it presents the security token and the roles are mapped. The VHQ authorization process determines whether a user is allowed to take action on specific areas within the system.

EXAMPLE:
A user can be authorized to read, update or delete.



Customer Hosted AD Authentication with AD Authorization

The customer uses Microsoft Active Directory as an external identity source for resources such as users and groups. Authentication allows network access only to users and groups listed in AD. The users and groups are mapped to determine the authorization level. AD enables customers to retrieve information from its data store through the STS; the customer communicates with the STS using a predetermined set of messages. Users are authenticated by ADFS (Active Directory Federation Services), which validates the user and returns the information to the STS. The STS verifies that the user is configured as an AD user and maps the AD roles. The VHQ authorization process determines whether a user is allowed to take action on specific areas within the system.

EXAMPLE:
A user can be authorized to read, update or delete.

On successful verification, the STS returns a SAML (Security Assertion Markup Language) based authentication token designed for single sign-on. The data service validates the token and processes the API request.

NOTE:

  • When the authentication and authorization mode is AD and the isHierarchyaccessviaAdfs flag is set to True, the system considers the hierarchy assignment for the user.
  • When the authentication and authorization mode is AD and the isHierarchyaccessviaAdfs flag is set to False, the system does not consider the hierarchy assignment for the user.
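The AD/ADFS flow described above, as an added example (not VHQ or Verifone code): a constructed SAML 2.0 assertion as handed over by the STS is checked for its validity window and audience, the subject is confirmed as a configured AD user, AD role claims are mapped to VHQ roles, and the isHierarchyaccessviaAdfs flag decides whether the user's hierarchy assignment is applied. The audience URI, the role mapping, the AD user configuration and the premise that the assertion's signature was already verified upstream are all assumptions.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"  # standard ADFS role claim
VHQ_AUDIENCE = "https://vhq.example.com/"                                     # assumed audience URI
AD_TO_VHQ_ROLE = {"VHQ-Operators": "Operator", "VHQ-Admins": "Administrator"}  # assumed mapping
AD_USERS = {"alice@example.com": {"hierarchy": ["Region-East"]}}  # constructed VHQ-side AD user config

# Constructed assertion as the STS would hand it to VHQ (signature assumed verified upstream)
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://vhq.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>VHQ-Operators</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_assertion(xml_text, audience, now, hierarchy_via_adfs):
    """Check validity window and audience, confirm the AD user, map roles, apply the flag."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion was not issued for this service")
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if user not in AD_USERS:
        raise ValueError("user is not configured as an AD user in VHQ")
    roles = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_CLAIM:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text in AD_TO_VHQ_ROLE:  # unmapped AD groups grant nothing
                    roles.add(AD_TO_VHQ_ROLE[value.text])
    # isHierarchyaccessviaAdfs: only when True is the user's hierarchy assignment applied
    hierarchy = AD_USERS[user]["hierarchy"] if hierarchy_via_adfs else []
    return {"user": user, "roles": sorted(roles), "hierarchy": hierarchy}

def run_demo(hierarchy_via_adfs, now="2024-01-01T10:02:00Z", audience=VHQ_AUDIENCE):
    return validate_assertion(ASSERTION, audience, parse_time(now), hierarchy_via_adfs)
```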

Supporting LDAP Authentication in VHQ

VHQ supports the Verifone Hosted Setup, in which LDAP authenticates access to the hosted solution. During authentication, the certificate information is validated when the user exposes ADFS over the LDAP server.