May 8, 2013 Leave a comment
I’ve recently come across an analogy which perfectly sums up the use of ADFS and the requirement of certificates.
This kind of puts the whole process into context.
A woman, let’s call her Louise Smith, is offered the once-in-a-lifetime chance to buy a diamond for a great price. The seller, let’s call him Jonathan Jones, contacts Louise and, gives her his name, address, details of the gem registry entry for the diamond, and agrees on a price. She is a careful person by nature, so she makes enquiries. She confirms that the diamond is real, that it is worth the money, and that it really belongs to Jonathan Jones. Then she writes a cheque for the money and Jonathan Jones gives her the diamond.
A week later, the police call to collect the stolen diamond, because the seller wasn’t actually Jonathan Jones. It was all a question of identity. Adding amusement to injury, the police find that the actual buyer hasn’t lost anything either, because she wasn’t actually Louise Smith and was using a stolen chequebook.
The point being, is that all the permissions can exist to allow the participants to participate in a transaction, but if the identities are not verified, the security doesn’t have a firm base.
In this case we look at CA (Certificate Authorities) to issue certificates to organisations or individuals to ensure that ‘requests’ are who they say they are. This works much like a passport and the above analogy could have been prevented if each user had declared their passport to one another, however, this assumes a perfect world.
The CA’s basically ‘vouch’ for the subject for the usages agreed.
This is the basis for ADFS, creating trust and ensuring identity. A very complex subject that is difficult to visualise, so I’m hoping this short story helps!