KBA-01631: Authentication and Authorization


What is the difference between Authentication and Authorization?


Authentication is how someone’s identity is determined and verified. Single sign-on is when a predetermined identity is shared between applications.

Authorization is what determines if an identified user has permission to use the system (and in turn what features/capabilities they have been authorized to use).

Authentication w/Single Sign On Authorization Comments
sfPMS Yes n/a
Active Directory Yes ** via Group For Identities authenticated by AD, sfPMS password and expiration features are irrelevant.

** Single sign on requires IIS configuration and disables sfPMS authentication.

Google Yes Chrome & Andriod via sfPMS The Google identity is used as an alias for a specific, also Authenticated sfPMS Identity. Nothing about the Google identity is used by sfPMS.


Active Directory (LDAP)

If enabled in ICTool, LDAP authentication is attempted whenever the login ID includes a backslash (\) or @.

LDAP authentication includes authorization for users to access your site. An LDAP authenticated identity is matched to an sfPMS identity by account name or email address. If no match is found, a new identity is created in sfPMS and granted the ‘Everyone’ and ‘LDAP Authorization’ roles.  The contact created in sfPMS will include the following attributes mapped from the LDAP DirectoryServices.AccountManagement.UserPrincipal:

  • SortName = AD.Surname
  • FamiliarName = AD.GivenName
  • UserName = AD.DisplayName
  • EmployeeID = AD.EmployeeId
  • Phone = AD.VoiceTelephoneNumber
  • EMail = AD.EmailAddress

An sfPMS administrator can add or update attributes and sfPMS roles to the new identify as appropriate.

On-premise LDAPS authentication does not provide a single-sign on experience, but does centralize administration of accounts and credentials.

Google Authentication (OAuth)

Google authentication does NOT authorize users to access your site. Each Google authenticated identity is mapped (upon first use) to an existing sfPMS identity for authorization.  See KBA-01618.

Users of Chromium and Android devices benefit from what many perceive as Single Sign On.

Google authentication using Spitfire’s supplied client ID requires Spitfire Client Services to add your Site URL to the list of our trusted URLs.  See KBA-01615.

KBA-01631; Last updated: July 18, 2022 at 14:44 pm;
Keywords: none