There are two basic models for establishing an e-authentication system.
When both the user and service provider participate in a trust relationship that allows them to exchange and validate credentials, direct authentication can be performed. Direct authentication requires the presentation of credentials from the user, which are typically a username and password. The service provider uses these credentials to authenticate the request.
In a situation where the user and the service provider do not share a direct trust relationship, a 'broker' can be used to perform authentication. The broker authenticates the client and then issues a security assertion that the service can use to authenticate the user.
Below is a table comparing the two models.

| Direct Authentication | Brokered Authentication |
|---|---|
| The service provider establishes trust with the user directly. | The service provider trusts the broker, which performs authentication with the user. |
| Works with most infrastructures. | Requires an infrastructure that supports the use of security assertions. |
| Requires authentication for every connection to a different service. | The same assertion can be used to access all services within an organization. |
| Examples: direct username and password authentication. | Examples: PKI-based authentication that makes use of the certification authority's verification service (e.g. OCSP); federation systems whose members depend on each other to authenticate their respective users and vouch for their access to services offered by other members of the federation. |
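The two models side by side, as an added example that is not part of the original page. The direct service holds a salted password hash and checks the presented password itself; the broker checks the password once and issues a signed assertion that any service trusting the broker accepts without ever seeing the password. The assertion format (`base64(claims).base64(hmac)`) and the use of an HMAC key shared between broker and services are simplifications assumed here; real brokers issue SAML or JWT assertions signed with an asymmetric key so that services hold only the broker's public key.

```python
"""Direct vs. brokered authentication (illustrative, constructed example).

Direct: the service stores a credential verifier and checks the password.
Brokered: a broker checks the password and issues a signed assertion;
services that trust the broker validate the assertion, not the password.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def make_verifier(password: str) -> dict:
    """Store a random salt plus a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


def check_password(verifier: dict, password: str) -> bool:
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), verifier["salt"], ITERATIONS)
    return hmac.compare_digest(digest, verifier["hash"])


class DirectService:
    """Model 1: every service keeps its own user store and checks credentials itself."""

    def __init__(self, users: dict):
        self.users = users                              # username -> verifier
        self._dummy = make_verifier(secrets.token_hex(8))  # for unknown users

    def authenticate(self, username: str, password: str) -> bool:
        verifier = self.users.get(username)
        if verifier is None:
            check_password(self._dummy, password)  # same cost, so timing leaks nothing
            return False
        return check_password(verifier, password)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Broker:
    """Model 2, issuer side: authenticates once, then vouches for the user."""

    def __init__(self, users: dict, signing_key: bytes, issuer: str):
        self.users, self.key, self.issuer = users, signing_key, issuer

    def issue_assertion(self, username: str, password: str, ttl: int = 300):
        verifier = self.users.get(username)
        if verifier is None or not check_password(verifier, password):
            return None
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": username, "iat": now,
                  "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)


class BrokeredService:
    """Model 2, relying side: holds no passwords, only the broker's key."""

    def __init__(self, broker_key: bytes, trusted_issuer: str, now=time.time):
        self.key, self.issuer, self.now = broker_key, trusted_issuer, now

    def authenticate(self, assertion: str):
        """Return the asserted username, or None if the assertion is rejected."""
        try:
            body_b64, sig_b64 = assertion.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered: reject before parsing
        claims = json.loads(body)
        if claims.get("iss") != self.issuer or claims.get("exp", 0) <= self.now():
            return None  # untrusted issuer or expired
        return claims["sub"]


if __name__ == "__main__":
    users = {"alice": make_verifier("correct horse")}
    print("direct:", DirectService(users).authenticate("alice", "correct horse"))
    key = secrets.token_bytes(32)
    token = Broker(users, key, "broker.example").issue_assertion("alice", "correct horse")
    for name in ("mail", "wiki"):  # one assertion, several services
        print(name, BrokeredService(key, "broker.example").authenticate(token))
```

The point the table makes is visible in the code: `DirectService` must see the password on every connection, whereas the two `BrokeredService` instances accept the same assertion and never handle the password at all. The cost is that every relying service needs the broker's verification key and a shared notion of issuer and expiry, which is the "infrastructure that supports security assertions" the table refers to.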