KBA-01631: Authentication and Authorization

Question:

What is the difference between Authentication and Authorization?

Answer:

Authentication is how someone’s identity is determined and verified. Single sign-on is when a predetermined identity is shared between applications.

Authorization is what determines if an identified user has permission to use the system (and in turn what features/capabilities they have been authorized to use).

Provider                         | Authentication | w/Single Sign On | Authorization                      | Comments
sfPMS                            | Yes            | n/a              | via Roles                          |
LDAP (on Prem Active Directory)  | Yes **         |                  | via Group and then via sfPMS roles | For Identities authenticated by AD, sfPMS password and expiration features are irrelevant.
Google                           | Yes            | Yes              | via sfPMS                          | The Google identity provides an email ID. If this ID is associated with an authorized sfPMS identity, then access is granted. The profile picture is enabled. Nothing else about the Google identity is used by sfPMS.
Microsoft Entra                  | Yes            | Yes              | via sfPMS                          | Entra provides an email ID. If this ID is associated with an authorized sfPMS identity, then access is granted. Nothing else about the Microsoft identity is used by sfPMS.

Active Directory (LDAP)

If enabled in ICTool, LDAP authentication is attempted whenever the login ID includes a backslash (\) or @.

LDAP authentication includes authorization for users to access your site. An LDAP authenticated identity is matched to an sfPMS identity by account name or email address. If no match is found, a new identity is created in sfPMS and granted the ‘Everyone’ and ‘LDAP Authorization’ roles.  The contact created in sfPMS will include the following attributes mapped from the LDAP DirectoryServices.AccountManagement.UserPrincipal:

  • SortName = AD.Surname
  • FamiliarName = AD.GivenName
  • UserName = AD.DisplayName
  • EmployeeID = AD.EmployeeId
  • Phone = AD.VoiceTelephoneNumber
  • EMail = AD.EmailAddress

An sfPMS administrator can add or update attributes and sfPMS roles for the new identity as appropriate.

On-premises LDAPS authentication does not provide a single sign-on experience, but it does centralize administration of accounts and credentials.

Google Authentication (OAuth)

Google authentication does NOT authorize users to access your site. Each Google authenticated identity is matched to an existing sfPMS identity for authorization based on the provided EMail ID.  See KBA-01618.

Users of Chromium and Android devices benefit from what many perceive as Single Sign On.

Google authentication using Spitfire’s supplied client ID requires Spitfire Client Services to add your Site URL to the list of our trusted URLs.  See KBA-01615.
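As an added illustration (not Spitfire code), the Python below models the two matching rules described in the LDAP and Google/OAuth sections: an AD-authenticated login is matched to an sfPMS identity by account name or email and, if unmatched, auto-created with the default roles and the listed attribute mapping, whereas a Google or Entra login is matched by email only and is otherwise denied. The in-memory directory, the dict standing in for the AD UserPrincipal, and the use of SamAccountName as the "account name" match key are assumptions.

```python
from dataclasses import dataclass, field

# Roles granted to an auto-created LDAP identity, as stated in the KBA.
LDAP_DEFAULT_ROLES = ("Everyone", "LDAP Authorization")

# Constructed sample AD principal (assumption: plain dict standing in for UserPrincipal).
SAMPLE_PRINCIPAL = {
    "SamAccountName": "jdoe", "Surname": "Doe", "GivenName": "Jane",
    "DisplayName": "Jane Doe", "EmployeeId": "E100",
    "VoiceTelephoneNumber": "555-0100", "EmailAddress": "jdoe@example.com",
}

@dataclass
class Identity:
    account: str
    email: str
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)

def is_ldap_login(login_id: str) -> bool:
    """LDAP authentication is attempted when the login ID contains '\\' or '@'."""
    return "\\" in login_id or "@" in login_id

def map_ad_attributes(principal: dict) -> dict:
    """sfPMS contact attributes mapped from the AD principal, per the KBA list."""
    return {"SortName": principal.get("Surname"),
            "FamiliarName": principal.get("GivenName"),
            "UserName": principal.get("DisplayName"),
            "EmployeeID": principal.get("EmployeeId"),
            "Phone": principal.get("VoiceTelephoneNumber"),
            "EMail": principal.get("EmailAddress")}

def find_identity(directory, account=None, email=None):
    """Case-insensitive match on account name or email; None if no match."""
    for ident in directory:
        if account and ident.account.lower() == account.lower():
            return ident
        if email and (ident.email or "").lower() == email.lower():
            return ident
    return None

def resolve_ldap(directory, principal):
    """AD-authenticated user: existing match, else a new identity with default roles."""
    ident = find_identity(directory, principal["SamAccountName"], principal["EmailAddress"])
    if ident is None:
        ident = Identity(principal["SamAccountName"], principal["EmailAddress"],
                         set(LDAP_DEFAULT_ROLES), map_ad_attributes(principal))
        directory.append(ident)  # auto-provisioned: every AD user gets an account
    return ident

def resolve_oauth(directory, email):
    """Google/Entra-authenticated user: only an existing email match is authorized."""
    return find_identity(directory, email=email)  # None means access is denied
```

Note that only the LDAP path creates accounts, so the AD group that is allowed to authenticate effectively decides who appears in sfPMS with the default roles.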


KBA-01631; Last updated: January 1, 2024 at 15:13 pm;
Keywords: none