
This page is no longer being updated and the information may be out of date.

5.2 Identity Management - User Authentication in the Cloud

****WORKING DOCUMENT****


Actors: cloud-subscriber, cloud-subscriber-user, cloud-provider, identity-provider (optional)

Goals: The cloud-subscriber-users should be able to authenticate themselves using a standards-based protocol, such as SAML, OpenID or Kerberos, to gain access to the cloud application/service. Alternatively, the cloud-subscriber-user should be able to log in transparently to the cloud application/service once they have authenticated against any system that is part of a single-sign-on federation of systems.

Assumption: The cloud-subscriber-user's account has already been provisioned in the cloud; see use case Identity Management – User Account Provisioning. In the case of single-sign-on, prior trust relationships have been established (e.g., using trusted cryptographic keys) between the identity provider/authentication service and the cloud applications/services that share the federated identity attributes of authenticated users.

Success Scenario 1 (PaaS, SaaS): This scenario illustrates how a cloud-subscriber-user can authenticate against a cloud-based authentication service using the appropriate credentials to gain access to the cloud-based applications/services.

Steps: The cloud-subscriber-user provides his/her credentials (e.g., using password tokens or a smart card) to the cloud-provider's authentication service interface. The authentication service authenticates the request and issues an appropriate authentication token using a standards-based protocol (such as a SAML authentication assertion). The cloud-subscriber-user then accesses cloud-deployed applications/services using the authentication token until the authenticated session expires or the user explicitly logs out through the authentication service's logout interface.

Success Scenario 2 (PaaS, SaaS, Single-Sign-On): This scenario illustrates how a cloud-subscriber-user authenticates against an authentication service (an identity provider deployed either in the cloud or within the enterprise's IT infrastructure) and transparently gains access to cloud applications/services without presenting authentication credentials again, achieving single-sign-on.

Steps: The cloud-subscriber-user authenticates against the enterprise's authentication service/identity provider and obtains an authentication token (such as a digitally signed SAML authentication assertion); the cloud-subscriber-user accesses (through a Web browser) applications/services deployed in the cloud with the authentication token; the authentication subsystem provided by the cloud-provider transparently trusts the authentication token and obtains the federated identity attributes for access control decisions.

Failure Condition/Failure Handling: The trust relationship between the cloud-provider's services and the identity provider is not established.

Credit: Cloud Security Alliance's Guidance for Identity and Access Management, V2.1

Created November 2, 2010, Updated August 12, 2025