Fish and Game Accounts by itself provides Authentication, not Authorization. When coupled with the IIS7 Integrated Pipeline or your application code, the Authorization piece is added.
Please define your terms Sir.
- Authentication: the process of verifying a claim made by a subject that it should be allowed to act on behalf of a given principal (person, computer, process, etc.). Verifying identity.
- Authorization: verifying that an authenticated subject has permission to perform certain operations or access specific resources. Granting access.
Ok, how do we Authenticate then?
First, we check whether the user exists in the Web Accounts store; if not, we check against the IDFG Active Directory. Because the Web Accounts store is consulted first, a Web account takes precedence over an Active Directory account with the same username.
If the user is found in Active Directory, their Active Directory groups and profile are copied across to the corresponding web groups on every login (synced). Because the copy happens at login, a change to a user's Active Directory groups shows up in their web groups the next time they log in.
Both Web and Active Directory users may also have Web-Only Group membership. All logged-in users, regardless of source, are in the "authenticated" Group. Users and anonymous visitors alike are in the "public" Group.
It's a little confusing at first blush, so here's a graphic explaining who can be a member of what:
Are you Authorized for this?
When a secured page or folder is accessed, IIS7 (and possibly your application) first tests whether the requesting user is in the allowed Group. That Group may be restricted to IDFG (Active Directory) users only, may be a Web Group containing a mix of IDFG and Web users, or the resource may be public.
If the user is not allowed to access the page and is not logged in, they are instructed to log in and try again.
If the user is logged in and still not allowed to access the page, they see a Request Access form. Once they submit it, they receive an email notification from Application Administration when access is granted or denied.
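The login flow above (Web Accounts first, then Active Directory, with AD groups re-copied on every login and everyone placed in "authenticated" and "public") and the three access-check outcomes (allowed, login required, request access) are modelled below as an added example. This is illustrative Python, not IDFG's code: the account stores, the group names other than "authenticated" and "public", and the function names are assumptions, and password checking is left to the caller.

```python
"""Model of the Fish and Game Accounts login and access-check flow.

Added illustration, not IDFG's code. Store contents and group names
(other than "authenticated" and "public") are constructed examples.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set

# Constructed sample stores (not real accounts).
WEB_ACCOUNTS = {
    "hunter42": {"profile": {"name": "Web Hunter"},
                 "web_groups": {"licensing-editors"}},
}
ACTIVE_DIRECTORY = {
    "jsmith": {"profile": {"name": "J. Smith"},
               "ad_groups": {"IDFG-Fisheries", "IDFG-Staff"}},
}
# Web-Only Group membership can be held by either kind of user.
WEB_ONLY_GROUPS: Dict[str, Set[str]] = {"jsmith": {"licensing-editors"}}
# Copy of a user's AD groups, overwritten on every login (the sync).
SYNCED_AD_GROUPS: Dict[str, Set[str]] = {}


@dataclass
class User:
    username: str
    source: str            # "web" or "ad"
    profile: dict
    groups: Set[str] = field(default_factory=set)


def authenticate(username: str) -> Optional[User]:
    """Resolve a login: Web Accounts first, then Active Directory.

    Returns None when the username is in neither store. The Web store wins
    when the same name exists in both, because it is checked first.
    """
    if username in WEB_ACCOUNTS:
        rec = WEB_ACCOUNTS[username]
        groups = set(rec["web_groups"]) | WEB_ONLY_GROUPS.get(username, set())
        user = User(username, "web", dict(rec["profile"]), groups)
    elif username in ACTIVE_DIRECTORY:
        rec = ACTIVE_DIRECTORY[username]
        # Sync: AD groups and profile are copied across at this login only;
        # later AD changes are not seen until the next login.
        SYNCED_AD_GROUPS[username] = set(rec["ad_groups"])
        groups = set(SYNCED_AD_GROUPS[username]) | WEB_ONLY_GROUPS.get(username, set())
        user = User(username, "ad", dict(rec["profile"]), groups)
    else:
        return None
    # Every logged-in user, whatever the source, is in both of these.
    user.groups.update({"authenticated", "public"})
    return user


class Decision(Enum):
    ALLOW = "allow"                    # user is in the allowed Group
    LOGIN_REQUIRED = "login"           # anonymous and the Group is not public
    REQUEST_ACCESS = "request-access"  # logged in but not in the Group


def effective_groups(user: Optional[User]) -> Set[str]:
    """Anonymous visitors are only in "public"; logged-in users use their groups."""
    return set(user.groups) if user is not None else {"public"}


def authorize(user: Optional[User], allowed_group: str) -> Decision:
    """Access check for a page or folder restricted to `allowed_group`."""
    if allowed_group in effective_groups(user):
        return Decision.ALLOW
    if user is None:
        return Decision.LOGIN_REQUIRED
    return Decision.REQUEST_ACCESS


if __name__ == "__main__":
    staff = authenticate("jsmith")
    print(authorize(None, "public"), authorize(None, "IDFG-Staff"))
    print(authorize(staff, "IDFG-Staff"), authorize(authenticate("hunter42"), "IDFG-Staff"))
```

Note how the sync works in the model: removing a group from the AD record does not change a user object that was built at an earlier login; only the next `authenticate` call picks the change up, which is the behaviour the "on every login" wording implies.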