Background

    From CRM 7 there is one single, common database user, and passwords are no longer stored in a reversible form. The authentication system is plugin-based and open-ended. Reauthentication for web requests and identity transfer uses safe, password-free tickets. Industry-standard algorithms are used for encryption, hashing and signing, and everything is NetServer-based.

    Security

    The old system stored passwords using reversible encryption. This is inherently insecure (and obsolete), and code reflection makes it impossible to hide the method.
    Storing passwords in a reversible way is a no-no, but as long as you use username+password to reauthenticate (think of the old NetServer Secret), you have no choice. That is one reason why the changes are so pervasive and breaking: it all hangs together.
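To make the difference concrete, here is an added example (not code from CRM 7 or NetServer) contrasting the two storage models. The XOR "encryption" is a constructed toy standing in for any reversible scheme, not the method the old system used; the property it illustrates is that whoever holds the key, and with reflection that is anyone reading the assembly, gets every password back in clear text. The PBKDF2 side shows the non-reversible alternative: a salted, iterated hash that can only be verified, never undone.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Reversible storage (the problem) ------------------------------------
# Constructed toy: a fixed key XORed over the password. Any reversible scheme
# shares the defining weakness shown here: the stored value can be turned
# back into the password by anyone who has the key.
TOY_KEY = b"constructed-demo-key"


def reversible_store(password: str) -> bytes:
    pw = password.encode()
    return bytes(b ^ TOY_KEY[i % len(TOY_KEY)] for i, b in enumerate(pw))


def reversible_recover(stored: bytes) -> str:
    # The same operation runs backwards: the clear text is fully recoverable.
    return bytes(b ^ TOY_KEY[i % len(TOY_KEY)] for i, b in enumerate(stored)).decode()


# --- Non-reversible storage (the model CRM 7 moves to) --------------------
ITERATIONS = 200_000  # work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$iterations$salt_hex$digest_hex'. Nothing here can be undone."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = reversible_store("S3cret!")
    print("reversible store gives back:", reversible_recover(stored))
    record = hash_password("S3cret!")
    print("hash record:", record)
    print("verify correct:", verify_password("S3cret!", record))
    print("verify wrong:  ", verify_password("s3cret!", record))
```

Because each record carries its own salt and iteration count, two users with the same password get different records, and the work factor can be raised later without invalidating existing records.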

    Flexibility

    The world used to be simple: each system had its own user/password concept. No more; people expect and require integrations, policies, control, ...

    Integration

    Integration with Active Directory (Windows) is a feature of CRM 7, and we needed a way to implement it properly, in a first-class manner and not as a by-product of some ODBC setting.
    Federated security is not quite a reality yet. The "Geneva" framework project at Microsoft, also known as Windows Identity Foundation, is not yet released. We have been tracking it closely, and the concepts we use are in line with it.

    Principles

    Authentication and authorization are crucial, and separate, concepts

    Authentication is about identity - who you are

    We can delegate the identification of the user to anyone we trust to do so
    How we know who the user is does not matter (unless we had different levels of trust, as the Norwegian tax website does)

    Authorization is about what you can do, once we know who you are

    We cannot delegate authorization; that is our own domain

    The importance of keeping authentication, identity and authorization clearly apart in your mind cannot be over-emphasized. Mix them up and bad things will happen, such as unpleasant dependencies creeping into your system.
    One important characteristic of the new system is that it tries to separate these concepts completely.

    Authentication is a process that resolves credentials (evidence) into an identity, and nothing else
    Identity defines who you are, and nothing else
    Authorization derives from identity, and defines what you can do, whoever you are
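The three principles above, and the delegated identification and password-free reauthentication tickets described earlier, can be shown in a single small model. This is an added example, not NetServer code: the issuer names, keys, user ids and permission table are all constructed. Authentication turns evidence (here an HMAC-signed ticket from an issuer we trust) into an Identity and nothing else; authorization is a separate function that consults only our own permission table, so it does not matter which trusted party vouched for the user.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed: the authenticators we trust to identify users for us, keyed by
# issuer name. In a real deployment these are provisioned secrets, not literals.
TRUSTED_ISSUERS = {
    "crm-db-login": b"constructed-issuer-key-1",
    "ad-gateway": b"constructed-issuer-key-2",
}


@dataclass(frozen=True)
class Identity:
    """Who you are, and nothing else. The issuer is recorded, not used for rights."""
    user_id: str
    issuer: str


def _sign(issuer: str, payload: bytes) -> str:
    return hmac.new(TRUSTED_ISSUERS[issuer], payload, hashlib.sha256).hexdigest()


def issue_ticket(identity: Identity, ttl_seconds: int, now: Optional[float] = None) -> str:
    """A password-free reauthentication ticket: signed claims, no credential inside."""
    claims = {"sub": identity.user_id, "iss": identity.issuer,
              "exp": (now or time.time()) + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(identity.issuer, payload)}"


def authenticate(ticket: str, now: Optional[float] = None) -> Optional[Identity]:
    """Authentication: resolve evidence (the ticket) into an Identity, or None."""
    try:
        body, sig = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
        claims = json.loads(payload)
    except ValueError:  # bad base64, bad UTF-8, bad JSON, missing separator
        return None
    if not isinstance(claims, dict):
        return None
    issuer = claims.get("iss")
    if issuer not in TRUSTED_ISSUERS:
        return None  # we only delegate identification to parties we trust
    if not hmac.compare_digest(sig.encode(), _sign(issuer, payload).encode()):
        return None  # tampered claims or wrong key
    if (now or time.time()) > float(claims.get("exp", 0)):
        return None  # expired
    return Identity(user_id=str(claims.get("sub")), issuer=issuer)


# Authorization is our own domain: rights derive from identity, never from
# who identified the user. Constructed permission table.
PERMISSIONS = {"alice": {"read", "write"}, "bob": {"read"}}


def authorize(identity: Identity, action: str) -> bool:
    """Authorization: what this identity may do, whoever vouched for it."""
    return action in PERMISSIONS.get(identity.user_id, set())


if __name__ == "__main__":
    alice = Identity("alice", "crm-db-login")
    ticket = issue_ticket(alice, ttl_seconds=60)
    who = authenticate(ticket)
    print("authenticated as:", who)
    print("may write:", who is not None and authorize(who, "write"))
```

Note that a user identified by the AD gateway and the same user identified by the database login get the same rights: the issuer changes how we know who they are, not what they may do.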