# Authentication

## What is Authentication? <a href="#what-is-the-authentication" id="what-is-the-authentication"></a>

Authentication is the process in which a user's identity is validated or verified based on the credentials that the user provides when logging in to an application, service, computer or digital environment. This is important because it enables organizations to keep their networks secure by permitting only authenticated users (or processes) to access their protected resources, which may include computer systems, networks, databases, websites and other network-based applications or services.

#### Authentication vs Authorization (Access Control)

Once authenticated, a user or process is usually subjected to an authorization process as well, to determine whether the authenticated entity should be permitted access to a protected resource or system. A user can be authenticated but still be denied access to a resource if that user was not granted permission to access it.

The terms authentication and authorization are often used interchangeably; while they are usually implemented together, the two functions are distinct. Authentication is the process of validating the identity of a registered user before allowing access to a protected resource, whereas authorization is the process of validating that the authenticated user has been granted permission to access the requested resources. The process by which access to those resources is restricted to a certain set of users is called access control. Authentication always comes before authorization.

### Authentication Factors <a href="#authentication-factors" id="authentication-factors"></a>

An authentication factor represents some piece of data or attribute that can be used to authenticate a user requesting access to a system.

![](https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LEVE1v8OlinbM2tHaWZ%2F-LFTBolNW6VWP-_QahD2%2F-LFTE3240zNi7xjtAgQO%2FBlank%20Diagram%20-%20Page%201%20\(4\).png?alt=media\&token=838c4baa-b659-425c-b80c-72ca2ac6e537)

The three factors shown above are the knowledge factor (something the user knows), the possession factor (something the user has) and the inherence factor (something the user is). Additional factors have been proposed and put into use in recent years, with location serving in many cases as the fourth factor and time as the fifth.

## Use case  <a href="#use-case" id="use-case"></a>

Consider a client web portal that needs to identify and verify its users. The users are stored in a database.

### Solution without an Identity Provider <a href="#solution-without-an-identity-provider" id="solution-without-an-identity-provider"></a>

Here are the basic steps needed to implement the above scenario in the client application itself, without integrating any identity provider solution.

1. Implement the login input pages in the web application itself
2. Design the user database schema and prepare the databases
3. Implement the database connectivity for user authentication
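The following is an added example (not code from the original page) of steps 2 and 3 done in the application itself: a constructed in-memory SQLite user table and a verification routine that stores only salted PBKDF2 hashes, uses parameterised queries and compares digests in constant time. The schema, usernames and passwords are all constructed for the example.

```python
import hashlib, hmac, secrets, sqlite3

# Constructed in-memory user store standing in for the portal's database (step 2).
SCHEMA = """
CREATE TABLE users (
    username   TEXT PRIMARY KEY,
    salt       BLOB NOT NULL,
    pw_hash    BLOB NOT NULL,
    iterations INTEGER NOT NULL
)"""
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only a salted, iterated hash; the plaintext password never reaches the table."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (username, salt, pw_hash, ITERATIONS))
    conn.commit()

def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Step 3: verify the submitted credentials against the database."""
    row = conn.execute("SELECT salt, pw_hash, iterations FROM users WHERE username = ?",
                       (username,)).fetchone()  # parameterised: user input never reaches the SQL text
    if row is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    salt, stored_hash, iterations = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_hash)  # constant-time comparison
```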

<div align="left"><img src="https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LEVE1v8OlinbM2tHaWZ%2F-LFTBV9xnO9qygnuWqyU%2F-LFTB_0AY0bB_52nKwST%2Fsimple-diag.png?alt=media&#x26;token=8c77ab62-db6b-41e3-bf01-0387d7dc5c99" alt=""></div>

This is a very basic requirement in many applications, yet most developers still try to implement these key features within the client application itself.

The sequence diagram below shows how the communication happens in the above solution.

<div align="left"><img src="https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LEVE1v8OlinbM2tHaWZ%2F-LFLecceRYTtzSxjKEuQ%2F-LFLeqSYJqJm02kyGwNZ%2Fsimple-seq-is.png?alt=media&#x26;token=63fc7f04-b951-4eee-8089-c9fb20a4d918" alt=""></div>

In addition, there are many more concerns to take care of, which we will discuss in the next few chapters.

### Integration with WSO2 Identity Provider <a href="#integration-with-wso2-identity-provider" id="integration-with-wso2-identity-provider"></a>

In this solution the WSO2 Identity Server is the identity provider, and the service provider must trust it. The service provider delegates the identification and verification of the user to the identity provider.

There are several open standard security protocols for communication between the service provider and the identity provider.

* SAML (Security Assertion Markup Language)
* OpenID Connect (OAuth2)
* IWA (Integrated Windows Authentication) for Windows

For the identity provider to identify the service provider and its configuration, there must be a unique representation of the service provider registered in the identity provider.

<div align="left"><img src="https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LEVE1v8OlinbM2tHaWZ%2F-LFTBV9xnO9qygnuWqyU%2F-LFTBiU6jlPNStXujSqY%2Fsimple-diag-is.png?alt=media&#x26;token=022d4dcb-cf88-4e95-b0ef-59f6457206d6" alt=""></div>

As the diagram above shows, the service provider delegates identity validation and verification to the identity server and finally receives the identified user's information as the result.

Here is the sequence of the requests from the end user to the identity server.

<div align="left"><img src="https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LEVE1v8OlinbM2tHaWZ%2F-LFLecceRYTtzSxjKEuQ%2F-LFLezy_VkU0xSB0BZTC%2Fsimple-seq.png?alt=media&#x26;token=1ea79381-35e4-428b-bb6e-7e17a8c8fc7b" alt=""></div>
