SIMS ID - Concept of Identity for Single Sign On
Identity, Identity providers and SIMS ID Concepts
SSO enables a user to obtain a token from an identity provider, much as a traveller obtains a passport from a government; the token is then kept and presented to assert identity. Passports and identity tokens are very similar in concept, as the comparison below shows.
| | Passport | Identity Token |
|---|---|---|
| Manifestation | A physical passport with a biometric chip | A block of text containing the details of the token, e.g. a JWT (JSON Web Token) saved as a cookie |
| Issuer | Identity Service (Passport Office on behalf of a Government) | Identity Service (from a trusted provider) |
| Validity | 5-10 years (configurable) | Usually 1-60 minutes (configurable) |
| Revalidation | Can be checked against the issuing authority | Can be checked against the issuing authority (a signed token is verified against the issuer's key) |
| Entitlement (permissions) | None: it only proves that the holder is who they claim to be; each system that uses it decides what that person can do | None: it only proves that the holder is who they claim to be; each system that uses it decides what that person can do |
Hence identity tokens and passports are the same in principle.
Limitation of an Identity Token
The key point, however, is that a token identifying someone is not an indicator of what the holder (bearer) of that token can do. For example, I may hold a passport, but of itself it does not entitle me to take any particular flight. A permission check (does the holder have a valid ticket?) must follow within the consuming system before any action is allowed.
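The following is an added example, not SIMS ID code, that walks through both halves of the comparison above: an identity service mints a short-lived JWT that asserts identity only, and a consuming system first verifies the "passport" (signature, issuer, expiry) and then makes a separate entitlement check (the "ticket") before allowing an action. The issuer name, shared HS256 secret and flight manifest are all assumptions constructed for the example; a real issuer would sign with a private key and publish the verification key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed issuer identifier and a constructed HS256 shared secret so the
# example runs offline. Not a real SIMS ID endpoint or key.
ISSUER = "https://idp.example.test"
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, lifetime_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Identity service side: mint a short-lived JWT. It carries who the
    holder is (sub) but says nothing about what they may do."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "iat": now,
               "exp": now + lifetime_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Consuming system side: is the passport genuine and still valid?
    Raises ValueError on any failure and returns the claims on success."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: never let the token tell you how to verify it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


# Constructed entitlement data owned by the consuming system: the "tickets".
# The identity provider knows nothing about this table.
FLIGHT_MANIFEST = {"FL123": {"alice"}}


def may_board(token: str, flight: str, now: Optional[float] = None) -> bool:
    """Two distinct steps: identity (is the passport real and current?)
    then entitlement (does this person hold a ticket for this flight?)."""
    claims = verify_token(token, now=now)          # raises if not genuine
    return claims["sub"] in FLIGHT_MANIFEST.get(flight, set())


if __name__ == "__main__":
    t = issue_token("alice", lifetime_seconds=60, now=1_000_000)
    print("alice on FL123:", may_board(t, "FL123", now=1_000_030))
    print("alice on FL999:", may_board(t, "FL999", now=1_000_030))
```

Note that a valid token for a user who is not on the manifest is rejected at the entitlement step, not the identity step: the token did its job (proving who the bearer is) and the consuming system still said no. The expiry check is why the page recommends validity measured in minutes: once a bearer token is stolen it works until `exp`, and nothing in the token itself can shorten that.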