Let’s talk about one of the important tools in the enterprise, one that is used for a number of purposes, the main one being authentication. In fact, without understanding Active Directory (AD) you cannot really understand any aspect of authentication in an enterprise: more than 90 percent of the world uses AD for authentication in their enterprises. But do remember that authentication is not the only use of AD in an enterprise; there is much more. Let me break it down and simplify it for you.
Starting with a definition: AD (a Microsoft product) is a centralized, hierarchical database used to manage all the elements of a computer network, such as users, groups, printers, shared folders, etc. When I say elements, I mean the physical and logical entities that need to be managed. One method is to use Excel and start managing them by hand, which would be the worst way to do it for an organization with more than 10000 users; the other is to use a sophisticated software platform that can store, manage and control the elements mentioned above, one of those controls of course being authentication. For example, if an element such as a user needs to log in to an element such as a laptop, then there has to be a central database against which the user can be authenticated to complete the login.
Note: I have been calling these elements "elements", but in AD terminology they are called "Objects".
So if you have 10000 users in your organization, you definitely need a database to keep track of and manage these user accounts, and AD is the database where you create and manage them. By "manage" I mean creating user accounts, storing their passwords, managing their group memberships, managing their permissions to access assets across the enterprise, handling their everyday authentication and login to their laptops / desktops, their everyday login to the business applications, and controlling what internal users can do on their laptop / desktop using Group Policy.
It’s the centralized repository where you find all the employee user accounts, and it’s the central database used for authentication by all the business applications for internal users. I am deliberately emphasizing the word "internal" so that there is no confusion about customer accounts: customer accounts are not stored in the Active Directory database, although partner accounts can be.
The Active Directory database is not like a SQL Server or Oracle database; it’s a very lightweight database that is queried using a protocol called LDAP (Lightweight Directory Access Protocol).
This AD database is accessed continuously by all the internal business applications. In fact, any internal authentication done by any user, whether to access a shared folder, a printer, an internal application, an external AD-integrated SaaS application, or any network device, server or infrastructure application, depends on AD: anything and everything internal relies on AD for authentication and authorization.
Some of the different AD authentication scenarios are as follows:
LDAP integration
If it’s an internal on-premises application, then for authentication you will typically need a service account from AD along with the domain controller's IP address; the application connects to that address using the service account and then uses the directory to authenticate the application's login requests.
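As an added illustration of the LDAP scenario (this is example code written for this article, not part of the original post or of any Microsoft product), the block below shows the usual two-step pattern an on-premises application follows: bind to the directory with the service account, look up the user's distinguished name by sAMAccountName, then bind again as that user with the password they typed. The directory itself is an in-memory stand-in constructed for the example so that it runs offline; the account names, DNs and passwords are invented. A real deployment would use an LDAP client library (for instance ldap3) against the domain controller instead of FakeDirectory, but the escaping and the flow are the same.

```python
"""Two-step LDAP authentication against Active Directory, as an on-premises
application would do it: service-account bind, user lookup, user bind.

FakeDirectory is an in-memory stand-in constructed for this example.
"""

# RFC 4515 escaping for characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter, so that a
    login name is matched literally rather than interpreted as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Filter matching exactly one AD user object by sAMAccountName."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


class FakeDirectory:
    """Minimal stand-in for an LDAP connection (constructed for this example).

    Users are stored as {dn: (sAMAccountName, password)}; the search method
    only understands the filter shape produced by build_user_filter.
    """

    def __init__(self, users: dict, service_dn: str, service_password: str):
        self._users = users
        self._creds = {service_dn: service_password}
        self._creds.update({dn: pw for dn, (_, pw) in users.items()})

    def bind(self, dn: str, password: str) -> bool:
        # Simple bind: succeeds only when the DN exists and the password matches.
        return password != "" and self._creds.get(dn) == password

    def search(self, base_dn: str, search_filter: str) -> list:
        prefix = "(&(objectClass=user)(sAMAccountName="
        if not (search_filter.startswith(prefix) and search_filter.endswith("))")):
            return []
        wanted = search_filter[len(prefix):-2]
        # Compare the escaped stored name with the escaped query, i.e. literally.
        return [dn for dn, (sam, _) in self._users.items()
                if escape_filter_value(sam) == wanted and dn.endswith(base_dn)]


def authenticate_user(conn, base_dn, service_dn, service_password, username, password):
    """Return the user's DN on success, or None on any failure.

    An empty password is rejected up front: LDAP treats an empty password as an
    anonymous bind, which would 'succeed' without proving anything.
    """
    if not password:
        return None
    if not conn.bind(service_dn, service_password):
        return None                                   # service account misconfigured
    matches = conn.search(base_dn, build_user_filter(username))
    if len(matches) != 1:
        return None                                   # unknown or ambiguous user
    user_dn = matches[0]
    return user_dn if conn.bind(user_dn, password) else None


# Constructed sample directory (invented names and passwords).
BASE_DN = "DC=corp,DC=example"
SERVICE_DN = "CN=svc-webapp,OU=Service Accounts,DC=corp,DC=example"
SERVICE_PW = "service-account-secret"
ALICE_DN = "CN=Alice Smith,OU=Users,DC=corp,DC=example"
DIRECTORY = FakeDirectory(
    users={ALICE_DN: ("asmith", "Alice-Passw0rd")},
    service_dn=SERVICE_DN,
    service_password=SERVICE_PW,
)


def demo() -> dict:
    """Run the flow for a correct login, a wrong password, an empty password
    and a wildcard in the login field (which must not match anyone)."""
    args = (DIRECTORY, BASE_DN, SERVICE_DN, SERVICE_PW)
    return {
        "good": authenticate_user(*args, "asmith", "Alice-Passw0rd"),
        "wrong_password": authenticate_user(*args, "asmith", "nope"),
        "empty_password": authenticate_user(*args, "asmith", ""),
        "wildcard_login": authenticate_user(*args, "a*", "Alice-Passw0rd"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-15s -> %s" % (case, result))
```

Two points a practitioner should carry over to the real thing: connect over LDAPS (or StartTLS) so neither the service-account password nor the users' passwords cross the network in clear, and give the service account only the read access it needs for the lookup, since its credentials live in the application's configuration.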
ADFS integration for SAML-based tokens
If your application is hosted externally on some internet-based cloud and you want authentication to happen via your internal AD, then you can go for ADFS-based authentication: the cloud application should ideally enter into a federation with the on-premises AD via the ADFS servers.
OAuth 2.0 for Azure-based applications
If your application is hosted in your own tenant on a cloud such as Azure, AWS or Google, then authentication can happen via OAuth 2.0.
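To make the OAuth 2.0 scenario concrete, here is an added example (written for this article, not taken from the original post or from Microsoft's libraries) of the client side of the authorization-code flow with PKCE, as a web application in your own tenant would run it against the Microsoft identity platform. The endpoint paths under login.microsoftonline.com are the public v2.0 ones; the tenant id, client id, redirect URI and the callback URL it parses are constructed placeholders. The block covers the three pieces the application itself is responsible for: creating the code verifier/challenge and state, building the authorization request, and validating the redirect back before exchanging the code.

```python
"""Authorization-code flow with PKCE (RFC 7636) against the Microsoft identity
platform v2.0 endpoints. Tenant, client id and redirect URI are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier kept secret by the app until the token request."""
    return b64url(secrets.token_bytes(32))        # 43 chars, within the 43..128 range


def code_challenge(verifier: str) -> str:
    """S256 challenge sent with the authorization request: BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, verifier) -> str:
    """URL the browser is sent to; the challenge binds the later code exchange
    to this request so an intercepted code alone cannot be redeemed."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the app and return the authorization code.

    The state value was stored in the user's session when the request was
    built; a mismatch means the callback was not started by this session."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(qs.get("error_description", qs["error"])[0])
    received_state = qs.get("state", [""])[0]
    if not secrets.compare_digest(received_state, expected_state):
        raise PermissionError("state mismatch: callback does not belong to this session")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def token_request_body(client_id, redirect_uri, code, verifier) -> dict:
    """Form body for POST {AUTHORITY}/token. The server recomputes
    S256(verifier) and compares it with the challenge stored alongside the code."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def demo() -> dict:
    """Walk the flow with placeholder identifiers and a constructed callback."""
    tenant, client_id = "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111"
    redirect_uri = "https://app.example.internal/auth/callback"
    verifier, state = make_code_verifier(), b64url(secrets.token_bytes(16))
    url = build_authorize_url(tenant, client_id, redirect_uri,
                              ["openid", "profile", "User.Read"], state, verifier)
    # Constructed callback: what the identity platform would redirect to.
    callback = redirect_uri + "?" + urlencode({"code": "AUTH_CODE_PLACEHOLDER", "state": state})
    code = parse_callback(callback, state)
    return {"authorize_url": url, "token_body": token_request_body(client_id, redirect_uri, code, verifier)}


if __name__ == "__main__":
    out = demo()
    print(out["authorize_url"])
    print(out["token_body"]["code"])
```

The token response still has to be validated by the application (issuer, audience and signature of the token, checked against the tenant's published keys) before any identity in it is trusted; that step is where most OAuth 2.0 integrations go wrong, not in the request shown here.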