Keystone

How it Works

In the diagram, a user (a person, application, machine, web service, etc.) provides credentials to the application. Once the credentials are provided, the application invokes a method on the instantiated application-side “auth component.”

The auth component provides an abstraction layer around the Keystone auth web service, with caching and persistence capabilities. The application passes the credentials collected from the principal to one of the simple API methods exposed by the auth component.

The auth component invokes a web service call over HTTPS to the Keystone authentication and authorization web service. The web service uses its Directory Abstraction Layer (DAL) to determine which directory to call for authentication.

Once authentication is done, the web service queries the Keystone metadata store, which contains authorization information about the user. In addition to static information about the user, Keystone has a sophisticated web-services-based rule engine that can process any rule at runtime. Once the web service has calculated the authorization metadata for the principal in the context of the application (and any other context), it returns an XML assertion to the calling application-side auth component. The assertion may be digitally signed, depending on property settings specified by the calling client.

[Diagram: the authentication and authorization flow described above]

The application-side auth component then caches the assertion in memory. The application can now query the auth component about 200,000+ times per second. Queries can be resource-specific, role-specific or use-case-specific. In addition, Keystone can extract directory attributes about the authenticated principal; the attribute values are also part of the assertion. The application-side auth component “knows” when to expire the cache, when to obtain a new assertion, and so on.

For applications requiring a disconnected mode, the auth component can persist the assertion to disk in encrypted form and can detect any attempt to tamper with the assertion on disk.
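The three behaviours described above (trusting only a signed assertion, caching it and refusing to answer once it expires, and sealing it for disk so that tampering is detected) can be illustrated with a small application-side auth component. The following Python is an added example written for this page; it is not code from the original page or from the Keystone product, and it does not use the product's API. The XML layout of the assertion, the use of HMAC-SHA256 as a stand-in for the service's digital signature, the HMAC-based counter-mode keystream standing in for a real authenticated cipher, the key values, and the sample credentials are all constructed assumptions.

```python
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET

# Constructed keys for this example; a deployment provisions them, never hard-codes them.
SERVICE_SIGNING_KEY = b"constructed-keystone-signing-key"
DISK_KEY = b"constructed-auth-component-disk-key"


def make_assertion(principal, roles, attributes, ttl_seconds, now):
    """XML assertion body as the web service might return it (constructed layout)."""
    root = ET.Element("Assertion", principal=principal, expires=str(now + ttl_seconds))
    for role in roles:
        ET.SubElement(root, "Role").text = role
    for name, value in attributes.items():
        ET.SubElement(root, "Attribute", name=name).text = value
    return ET.tostring(root, encoding="unicode")


def sign_assertion(body, key=SERVICE_SIGNING_KEY):
    """HMAC-SHA256 stands in for the service's digital signature (assumption)."""
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a stand-in for an authenticated cipher such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


class AuthComponent:
    """Constructed application-side auth component: verify, cache, expire, persist."""

    def __init__(self, signing_key=SERVICE_SIGNING_KEY, disk_key=DISK_KEY, clock=time.time):
        self._key, self._clock = signing_key, clock
        # Separate encryption and MAC keys derived from the one disk key.
        self._enc_key = hmac.new(disk_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(disk_key, b"mac", hashlib.sha256).digest()
        self._signed = self._root = None

    def _install(self, signed):
        # Verify the signature before anything in the assertion is trusted.
        body, _, tag = signed.rpartition("|")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("assertion signature does not verify")
        self._signed, self._root = signed, ET.fromstring(body)

    def authenticate(self, credentials, call_service):
        """call_service stands in for the HTTPS call to the Keystone web service."""
        self._install(call_service(credentials))

    def _current(self):
        # Deny by default: no assertion, or an expired one, answers no query.
        if self._root is None:
            raise PermissionError("not authenticated")
        if self._clock() >= float(self._root.get("expires")):
            self._signed = self._root = None  # expire the in-memory cache
            raise PermissionError("assertion expired; obtain a new one")
        return self._root

    def has_role(self, role):
        return any(r.text == role for r in self._current().findall("Role"))

    def get_attribute(self, name):
        hits = [a.text for a in self._current().findall("Attribute") if a.get("name") == name]
        return hits[0] if hits else None

    def seal_for_disk(self):
        """Encrypt-then-MAC the signed assertion for disconnected mode."""
        self._current()
        nonce, plaintext = os.urandom(16), self._signed.encode()
        ciphertext = _xor(plaintext, _keystream(self._enc_key, nonce, len(plaintext)))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def open_from_disk(self, blob):
        """Reject any modification of the stored blob before decrypting it."""
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("on-disk assertion has been tampered with")
        self._install(_xor(ciphertext, _keystream(self._enc_key, nonce, len(ciphertext))).decode())
```

Typical use is `authenticate(credentials, call_service)` once, then `has_role` and `get_attribute` against the in-memory copy; `seal_for_disk` returns the bytes to write for disconnected operation and `open_from_disk` refuses a blob whose MAC no longer matches, and, because the signed assertion is stored whole, re-verifies the service signature after decryption. The clock is injectable so that expiry can be exercised without waiting.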

Auth components easily provide single sign-on from any authentication source to Keystone. Alternatively, there are various overloaded methods for other types of authentication, such as user name and password, a SiteMinder or other Web SSO token, a Keystone token, an array of objects that can represent any authentication source, and various other methods that make obtaining authentication services straightforward and easy.