Basic Authentication and Form based Authentication

What are Basic Authentication and Form Based Authentication? And Kerberos Single sign-on

Basic authentication and Form based authentication allow a user to authenticate to a server via a browser. Both mechanisms run over HTTP or HTTPS, with HTTPS being the secure channel. Basic authentication is formally defined in an RFC (there is no RFC for Form based authentication). Both mechanisms allow a remote user to authenticate to a server. However, Basic authentication does not use cookies, hence there is no concept of a session or of logging out a user. Form based authentication is implemented via HTML forms which have username and password fields for the user to fill in and send to the remote server for authentication. Form based authentication uses cookies for session management, so user logout can be controlled by the server.

Another popular browser based authentication is Kerberos Single Sign-on, which allows a user to log in to trusted websites seamlessly via single sign on. In order to enable or use Kerberos browser based authentication, Kerberos authentication must be enabled at the remote server, and the user on his client computer must already be authenticated to Active Directory via Kerberos with a valid Kerberos Ticket Granting Ticket (TGT). In addition, the browser on the user's client computer should be configured to support Kerberos authentication, i.e. Integrated Windows Authentication should be enabled in the Internet Explorer (IE) browser settings. (Note: both IE and Chrome support Kerberos SSO.)

With the IE browser, a user can authenticate to the remote web server seamlessly with single sign on, meaning the user will not be challenged to enter his credentials. The browser will negotiate and provide the required credentials using the user's Kerberos TGT, provided the user has already authenticated to Active Directory with a valid TGT and the browser settings have been configured/enabled.

Note: When implementing Kerberos based authentication in your network with the IE browser, you may also need to implement a fallback mechanism for users who do not use IE or who use a browser that does not support Kerberos. In that case Form based authentication can be used as the fallback mechanism.

Here is a reference which explains the difference between Basic and Form based authentication:

QUESTION
What is the difference between "basic authentication" and "form-based authentication"?
ANSWER
Basic authentication, or “basic auth”, is formally defined in the Hypertext Transfer Protocol standard, RFC 1954. When a client (your browser) connects to a web server, it sends a “WWW-Authenticate: Basic” message in the HTTP header. Shortly after that, it sends your login credentials to the server using a mild obfuscation technique called base64 encoding. When HTTPS is used, these credentials are protected, so it’s not considered insecure, which is why basic auth gained widespread use over the years. The biggest problem with basic auth has to do with logging off the server, as most browsers tend to cache sessions and have inconsistently dealt with the need to properly close and clear connection states (or sessions) so that another (different) user couldn’t log back in by refreshing the browser.
Form-based authentication is not formalized by any RFC. In essence, it is a programmatic method of authentication that developers create to mitigate the downside of basic auth. Most implementations of form-based authentication share the following characteristics:
1) They don’t use the formal HTTP authentication techniques (basic or digest).
2) They use the standard HTML form fields to pass the username and password values to the server.
3) The server validates the credentials and then creates a “session” that is tied to a unique key that is passed between the client and server on each http put and get request.
4) When the user clicks “log off” or the server logs the user off (for example after certain idle time), the server will invalidate the session key, which makes any subsequent communication between the client and server require re-validation (resubmission of login credentials via the form) in order to establish a new session key.
As with basic auth, form-based auth does not protect login credentials when connected over HTTP, therefore it is not more “secure” than basic auth in how it handles user credentials. It is however more secure when it comes to properly logging the user off after a certain period of inactivity or if the user no longer requires use of the system and decides to log out.
For details of basic auth and form-based auth in EFT Server, refer to End-User Log In to EFT Server.
-----------------------------------------------------------------------
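To make the contrast above concrete, here is an added example (not code from the original post or from EFT Server) in Python: the first part builds and decodes the Basic auth Authorization header to show that base64 is reversible encoding, not encryption, and the second part is a minimal server-side session store of the kind form-based authentication relies on, with the random session key, idle timeout and logout invalidation that Basic auth cannot offer. All function and class names are assumptions chosen for the illustration.

```python
import base64
import secrets

# Part 1: Basic auth. The browser sends "Authorization: Basic <base64(user:password)>"
# on every request. Base64 is an encoding, not encryption: anyone who can read the
# header (e.g. on plain HTTP) recovers the credentials, and because the server keeps
# no session state there is nothing it can invalidate to "log the user out".
def basic_auth_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_auth(header_value: str) -> tuple:
    """Recover (username, password) from a Basic credential; shows it is reversible."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

# Part 2: Form-based auth. After the HTML form posts a valid username/password, the
# server issues a random session key (returned to the browser as a cookie) and keeps
# the session state itself, so it can expire the session after idle time or on logout.
class SessionStore:
    def __init__(self, idle_timeout: float = 900.0):
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self._sessions = {}                       # session key -> {"user", "last_seen"}

    def login(self, username: str, now: float) -> str:
        key = secrets.token_urlsafe(32)           # unguessable 256-bit session key
        self._sessions[key] = {"user": username, "last_seen": now}
        return key

    def user_for(self, key: str, now: float):
        """Return the user of a live session, or None if unknown, expired or logged out."""
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[key]               # idle timeout: server-side invalidation
            return None
        sess["last_seen"] = now                   # activity extends the session
        return sess["user"]

    def logout(self, key: str) -> None:
        self._sessions.pop(key, None)             # later requests with this key are rejected
```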


Great post on the basics: http://fusionsecurity.blogspot.com/2011/04/oam-11g-single-sign-on-and-oam-11g.html
Identity propagation flow in OAM and OSB: http://fusionsecurity.blogspot.com/2010/03/identity-propagation-in-flow-involving.html
Google search used: (what is difference between basic authentication and form based authentication)
--------------------------
