PhenixID Data model

This article explains the data model used by PhenixID Server. As an administrator of the system, you need to understand the data model to be able to configure the system.

Overview

PhenixID Server keeps identity data used for authentication, CRUD operations and so on in RAM during runtime. This data is held in three kinds of objects that can be addressed in configuration:

  • REQUEST object
  • SESSION object
  • ITEM object

Request

• Object created to reflect the data passed from the RADIUS or HTTP client

• Request objects only exist until the response is sent to the requesting client

RADIUS example:

Session

• Created and updated by the authenticator

- Used in RADIUS scenarios to verify a one-time password

- Used in HTTP scenarios for WebSSO

RADIUS example:

Note: What RADIUS calls State is what we call Session.

When are session objects removed?

• The session times out (default 10 min).

• It is removed by the authenticator.

In RADIUS scenarios, when an Access-Accept or Access-Reject is sent to the client the authentication process is ended and the session object is removed.

Session handling


HTTP

- WebSSO – is the user already successfully authenticated?

 * Yes – do not prompt the user for login credentials; the user is allowed access to the application.

 * No – send the user to the appropriate authenticator and present the login page.

- Set the session to authenticated=true or false.


RADIUS

- The first authentication request carries username/password. A session is created and its identifier is also passed back to the client (the RADIUS State attribute).

- The session is used to map the second authentication request to the first.

The client comes back with the OTP and the session ID, so PAS knows which session to map the request against.
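The session handling described above for both the RADIUS two-step flow and the HTTP WebSSO check, as an added illustrative model in Python. This is not PhenixID's own code: the Request, Session and SessionStore classes, the constructed USERS directory, the password and the property names are all assumptions made for the example. It shows the session id travelling as the RADIUS State attribute, the session being removed on the final Access-Accept/Access-Reject, the 10-minute timeout, and the WebSSO decision on authenticated=true or false.

```python
import secrets
import time
from dataclasses import dataclass, field

# Page: a session times out after 10 minutes by default.
SESSION_TTL_SECONDS = 10 * 60


@dataclass
class Request:
    """REQUEST object: the attributes received from a RADIUS or HTTP client.
    It lives only until the response has been sent back."""
    attributes: dict


@dataclass
class Session:
    """SESSION object: created and updated by the authenticator."""
    session_id: str
    username: str
    created_at: float
    authenticated: bool = False
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory session table with the two removal rules from the page:
    timeout, or explicit removal by the authenticator."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so timeouts can be tested
        self._sessions = {}

    def create(self, username):
        session = Session(secrets.token_urlsafe(16), username, self._clock())
        self._sessions[session.session_id] = session
        return session

    def get(self, session_id):
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self._clock() - session.created_at > self._ttl:
            del self._sessions[session_id]   # timed out: drop it
            return None
        return session

    def remove(self, session_id):
        self._sessions.pop(session_id, None)

    def count(self):
        return len(self._sessions)


# Constructed user directory for the demo (hypothetical values, not from the page).
USERS = {"bclarke": {"password": "correct horse battery"}}


def radius_authenticate(store, request):
    """One RADIUS round-trip of the two-step flow described on the page.

    Returns (code, state). Without a State attribute the request is the
    username/password step: on success a session is created, an OTP is
    generated (standing in for one created by a valve) and the session id is
    handed back as State in an Access-Challenge. With a State attribute the
    request is the OTP step: State maps it onto the first session, and the
    final Access-Accept/Access-Reject removes the session.
    """
    attrs = request.attributes
    state = attrs.get("State")
    if state is None:
        user = USERS.get(attrs.get("User-Name"))
        if user is None or not secrets.compare_digest(user["password"], attrs.get("User-Password", "")):
            return "Access-Reject", None        # no session is ever created
        session = store.create(attrs["User-Name"])
        session.data["otp"] = f"{secrets.randbelow(10**6):06d}"
        return "Access-Challenge", session.session_id
    session = store.get(state)
    if session is None:
        return "Access-Reject", None            # unknown or timed-out session
    ok = secrets.compare_digest(session.data["otp"], attrs.get("User-Password", ""))
    store.remove(state)                          # final answer ends the authentication
    return ("Access-Accept" if ok else "Access-Reject"), None


def http_websso(store, session_id):
    """HTTP WebSSO decision: an authenticated session is let through, anything
    else is sent to the authenticator's login page."""
    session = store.get(session_id) if session_id else None
    if session is not None and session.authenticated:
        return "allow"
    return "redirect-to-authenticator"
```

The clock is injected into SessionStore so that the timeout rule can be exercised without waiting ten minutes; a real server would use wall-clock time. A wrong password in the first step never creates a session, so an attacker cannot accumulate half-open sessions with bad credentials, and an unknown or expired State in the second step is rejected without leaking which of the two it was.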

Item

ITEM objects are created within a pipe and are the PhenixID platform's native format for manipulating objects.

• For example:

- When a search for a user is executed by a valve within a pipe, an ITEM object is created for that user and populated with item properties. Which properties to collect is part of the valve configuration.

• How are properties added to an ITEM?

- During a search, e.g. an LDAP query: look up bclarke and fetch mobile, sn and givenName, for example.

- Added by another valve: an OTP is created and added to the ITEM, for example.

• Note: ITEM properties fetched or created in pipes are passed back to the authenticator, which updates the session object with the corresponding data.

E.g. an OTP is created in a valve; the authenticator then updates the session object.
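The pipe/valve/ITEM flow described in this section, as an added illustrative model in Python. It is not PhenixID's own code: the Item, Pipe, LdapSearchValve, OtpValve and Authenticator classes, the constructed DIRECTORY standing in for an LDAP server, and the attribute values are all assumptions made for the example. It shows an ITEM being created inside the pipe, a search valve collecting only the configured attributes (mobile, sn, givenName), an OTP valve adding a property, and the authenticator copying ITEM properties into the session object.

```python
import secrets

# Constructed directory standing in for an LDAP server (hypothetical entries, not from the page).
DIRECTORY = {
    "bclarke": {
        "uid": "bclarke",
        "givenName": "Bob",
        "sn": "Clarke",
        "mobile": "+46700000000",
        "mail": "bclarke@example.com",
    },
}


class Item:
    """ITEM object: the pipe's native container of properties about one entry."""

    def __init__(self):
        self.properties = {}

    def set(self, name, value):
        self.properties[name] = value

    def get(self, name, default=None):
        return self.properties.get(name, default)


class LdapSearchValve:
    """Looks up the requested user and copies only the configured attributes
    onto the ITEM; which attributes to collect is valve configuration."""

    def __init__(self, attributes):
        self.attributes = tuple(attributes)

    def run(self, request, item):
        entry = DIRECTORY.get(request["username"])
        if entry is None:
            raise LookupError(f"no entry for {request['username']!r}")
        for attr in self.attributes:
            if attr in entry:
                item.set(attr, entry[attr])
        return item


class OtpValve:
    """Creates a one-time password and adds it to the ITEM as a property."""

    def __init__(self, digits=6, property_name="otp", randbelow=secrets.randbelow):
        self.digits = digits
        self.property_name = property_name
        self.randbelow = randbelow     # injectable so the result can be tested

    def run(self, request, item):
        item.set(self.property_name, f"{self.randbelow(10 ** self.digits):0{self.digits}d}")
        return item


class Pipe:
    """Creates the ITEM and runs the valves over it in order."""

    def __init__(self, valves):
        self.valves = list(valves)

    def run(self, request):
        item = Item()                  # the ITEM is created within the pipe
        for valve in self.valves:
            item = valve.run(request, item)
        return item


class Authenticator:
    """Runs a pipe and copies the named ITEM properties into the SESSION object
    (a plain dict here)."""

    def __init__(self, pipe, session_properties):
        self.pipe = pipe
        self.session_properties = tuple(session_properties)

    def run(self, session, request):
        item = self.pipe.run(request)
        for name in self.session_properties:
            value = item.get(name)
            if value is not None:
                session[name] = value
        return item


def build_demo_authenticator(randbelow=secrets.randbelow):
    """Wires the scenario from the page: an LDAP search for mobile, sn and
    givenName, then an OTP valve; the authenticator pushes mobile and otp
    into the session."""
    pipe = Pipe([LdapSearchValve(["mobile", "sn", "givenName"]),
                 OtpValve(randbelow=randbelow)])
    return Authenticator(pipe, ["mobile", "otp"])
```

Two points of least privilege are visible in the model: the search valve only copies the attributes it was configured to collect, so an ITEM never carries directory data no valve asked for, and the authenticator only moves the listed properties into the session, so the generated OTP and the delivery number end up in the session while sn and givenName stay in the pipe.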