GateKeeper Identifier

Summary :

With GateKeeper, end-user authentication happens on an authentication portal that may operate on a different domain from the one of the web application that issued the authentication request.
The end-user identifier corresponds uniquely to an end-user account and must contain the information needed to resolve the URL at which the authentication portal operates.
The identifier also carries information that determines the type of credentials the end user is expected to provide for authentication with the portal.

Identifier structure :

explicit identifiers :

Explicit identifiers are valid email addresses structured as userid@[ct.]domain, where :

  • userid : the unique account identifier indexed by the authentication portal.
  • ct : an optional label in ['up', 'uo', 'upo'] selecting the type of credentials (defaults to 'up' when absent)
  • domain : a valid Internet domain such as site.com

credentials type :

The GateKeeper bar reacts to the presence of this optional label by showing the relevant input fields.
The possible values are :

  • up : (user, password); this is the default when ct is absent
  • uo : (user, one-time password)
  • upo : (user, password, one-time password)

url resolution :

The portal URL is http://gkauth.<domain>/<ct>/, where <domain> is the identifier's domain with the ct label (if any) removed :

  • userid@site.com --> http://gkauth.site.com/up/
  • userid@up.site.com --> http://gkauth.site.com/up/
  • userid@uo.site.com --> http://gkauth.site.com/uo/
  • userid@upo.site.com --> http://gkauth.site.com/upo/
  • userid@foo.site.net --> http://gkauth.foo.site.net/up/

Note that GateKeeper authentication does not rely on HTTPS for its security; the explicit portal URLs above are therefore resolved over plain http, whereas an implicit identifier (below) inherits the scheme of the page that issued the request.

implicit identifiers :

Implicit identifiers have no domain part. The portal location is derived from the URL of the page that issued the authentication request: the last path segment of that URL is replaced by gkauth/<ct>/, with ct defaulting to up.

url resolution :

Let's assume that the authentication request has been issued at : https://some.site.com/path/to/subdir/auth-requested

  • userid --> https://some.site.com/path/to/subdir/gkauth/up/
  • userid@uo --> https://some.site.com/path/to/subdir/gkauth/uo/
  • userid@upo --> https://some.site.com/path/to/subdir/gkauth/upo/

Validation of identifiers :

Parsing the identifier :

Take the identifier userid@ct.site.com.

When the end user enters a new value into the GateKeeper bar, the ct label, if present, is parsed and the GUI shows the input fields relevant to the selected credential type.

When the end user submits, the URL of the authentication portal is resolved. The GateKeeper extension then checks that the resolved portal domain is present in the list of trusted authentication portals carried by the authentication request.