DES is an encryption function, but the DES-based crypt is not DES: the internal function is altered by the salt, it is executed 25 times, and, more importantly, the roles of the key and the message are swapped. The end result is that the name "crypt" is improper (though traditional): this is no longer an encryption function; it should be called the "DES-based hash".
Anything that exists in the world, whatever its form (an abstract concept or a physical thing), and that has an identity (ID for short) to distinguish it from others is known as an entity. Simply put, every entity has an identity. For instance, users, computers, devices, applications, services, networks, etc., are entities because each has an identity that uniquely identifies it. An entity’s inherent characteristics are called attributes. An identity is an attribute, or a combination of attributes, that distinguishes an entity from others. An entity that can initiate or respond to actions is a security principal, while one that cannot is a resource. The active party that initiates actions is known as the subject, while the passive party that responds to the active party, or is accessed by the active party as a resource, is the object.
Entities or security principals have accounts stored in a directory (account database). An account is the technical means of representing an entity; the fields of an account in a directory represent an entity’s attributes. An ID provider is an entity that 1) holds and manages a directory, 2) responds to queries, 3) verifies a subject’s identity through authenticators, 4) issues tokens or tickets, and 5) provides assertions or claims to assure statements about entities are true. In Microsoft’s Active Directory, a directory can be divided into one or more physical partitions (schema, configuration, and domain partitions) or logical domains for performance or administrative purposes. The machine that holds the account database is a domain controller, and the service on the domain controller that manages the directory is called a directory service.
Authentication is based on the secrecy of authenticators and on trust in the tokens and tickets issued by the ID provider; it is the process by which an ID provider verifies an entity’s identity through one or more authenticators by searching accounts and comparing data against the directory. A subject in the authentication process is an entity that actively professes its identity to the ID provider; this act of a subject professing its identity is known as identification. However, it is also called identification when an ID provider searches the directory and locates the account that represents the entity. An authenticator is a secret used to prove an entity’s identity. There are three types of authenticators, also called authentication factors: something you know, something you have, and something you are.
Multi-factor authentication (MFA) refers to an authentication process that uses two or more authenticator types. The combination of a subject’s identity and its authenticators is collectively called a credential. Assertions or claims are statements about an entity that are always true, issued by the ID provider after verifying the entity’s identity. In SAML or OIDC, assertions or claims are attribute-value (key-value) pairs represented in XML or JSON, respectively. Tokens and tickets are the technical or physical means of conveying assertions or claims.
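An added example, not part of the original notes, that models the flow defined above in Python: an ID provider holding a constructed directory performs identification (locating the account), verifies two authenticator types (a PBKDF2 password hash for something you know and a TOTP code for something you have), and only then issues a signed token carrying claims as JSON key-value pairs. The account data, keys, claim names other than the standard OIDC `sub` and `iat`, and the simplified token format are assumptions for illustration, not a real SAML or OIDC token.

```python
import base64, hashlib, hmac, json, struct, time

def make_pwd_hash(password, salt, iterations=100_000):
    # Something you know is never stored in clear; the directory holds a PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

# Constructed directory: one account per entity, its fields are the entity's attributes.
SALT, TOTP_KEY, IDP_SIGNING_KEY = b"constructed-salt", b"constructed-totp-seed", b"constructed-idp-key"
DIRECTORY = {
    "alice": {"salt": SALT, "pwd_hash": make_pwd_hash("correct horse", SALT),
              "totp_key": TOTP_KEY, "department": "finance"},
}

def totp(key, t, step=30, digits=6):
    # RFC 6238 TOTP over HMAC-SHA1; the seed lives on the device (something you have).
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def authenticate(professed_id, password, otp, now=None):
    """ID provider side: identification, then MFA verification, then token issuance.
    Returns the token on success and None on any failure (no hint which factor failed)."""
    now = time.time() if now is None else now
    account = DIRECTORY.get(professed_id)  # identification: locate the account
    if account is None:
        return None
    # Factor 1, something you know: constant-time compare against the stored hash.
    know_ok = hmac.compare_digest(make_pwd_hash(password, account["salt"]), account["pwd_hash"])
    # Factor 2, something you have: accept the current or the previous 30 s step.
    have_ok = any(hmac.compare_digest(totp(account["totp_key"], now - d), otp) for d in (0, 30))
    if not (know_ok and have_ok):
        return None
    # Claims are issued only after verification; they are key-value pairs in JSON.
    claims = {"sub": professed_id, "department": account["department"],
              "factors": ["know", "have"], "iat": int(now)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig  # the token conveys the claims; the MAC is the basis for trusting them

def verify_token(token):
    # Relying party side: trust the claims only if the ID provider's MAC checks out.
    body, sig = token.split(".")
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body))
```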
Single Sign-On (SSO) is a system feature that allows a user to sign on once and access resources across various systems based on agreed-upon protocols and token or ticket formats. SAML and OIDC are commonly used protocols in a federation-based SSO. A federation is a collection of systems that share common protocols to facilitate the SSO feature.