KeyMaster Concepts

This page describes a number of key terms and concepts that will enable you to get a better understanding of how KeyMaster works.

Single sign-on

A single sign-on system may be a customer or third-party application and may be an existing part of the web site infrastructure. It typically runs under the control of the application server and allows end-users to sign on just once to the server. The system authenticates the user, for example via a name and password entered at the user’s workstation, or perhaps using more sophisticated technology such as a Smart Card. Successfully authenticated users can then access all the applications to which they have been given access rights, without needing to explicitly log in separately to each application. See here for more information on how KeyMaster operates alongside single sign-on systems when logging into Liberator.

Application server

The application server is customer-supplied and may already be implemented as part of an existing web site infrastructure. In the context of KeyMaster the application server is responsible for primary authentication of the end-user, for example through a login sequence requiring the user to supply a valid username and password. The components of the application server include the single sign-on system and the KeyMaster Signature Generator.

Signature generator

The Signature Generator runs under the control of the application server behind the single sign-on system. It creates a signed user credentials token; the token is digitally signed (encrypted) using the KeyMaster private key. A Liberator server can use this token to validate an end-user’s login to the server. Learn more about the Liberator authentication process using tokens by looking at the tokenauth module for use with KeyMaster.NET.

Key generator (pre-KeyMaster 6.2.0 only)

For older versions of KeyMaster (pre-6.2.0), the Key Generator is a Java application used to create an encryption key pair; one key is the private key and the other is the public key. KeyMaster uses the private key to sign the user credentials token that authenticates a user’s access to the Liberator. The public key is exported to the data provider’s Caplin Liberator for use during the authentication process. The KeyMaster Key Generator can be used to generate key pairs for use with the Java-based Signature Generator. Key pairs can also be generated using third-party tools, such as the OpenSSL key generation commands; this is necessary if the Signature Generator is implemented using KeyMaster.NET, or if KeyMaster is to be integrated with a secure key storage hardware module.
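The following shell script is an added example, not code from KeyMaster or Caplin, illustrating the key pair and signed token relationship described under Signature generator and Key generator: a key pair is created with OpenSSL, a token is signed with the private key, and a verifier holding only the public key accepts the original token and rejects an altered one. The key size, digest, file names and token layout are assumptions made for the illustration and are not KeyMaster's documented format.

```shell
#!/bin/sh
# Added illustration. RSA-2048, SHA-256, the file names and the token text
# are assumptions, not KeyMaster's actual key or token format.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Key generation: the private key stays with the signing side,
# the public key is the only part exported to the verifying server.
generate_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/private.pem" 2>/dev/null
    chmod 600 "$WORK/private.pem"
    openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"
}

# Signing side: sign the token text ($1), print the signature as base64.
sign_token() {
    printf '%s' "$1" > "$WORK/token.txt"
    openssl dgst -sha256 -sign "$WORK/private.pem" \
        -out "$WORK/sig.bin" "$WORK/token.txt"
    openssl base64 -A -in "$WORK/sig.bin"
}

# Verifying side: needs only public.pem. Returns 0 when the base64
# signature ($2) matches the token text ($1), non-zero otherwise.
verify_token() {
    printf '%s' "$1" > "$WORK/check.txt"
    printf '%s' "$2" | openssl base64 -d -A -out "$WORK/check.sig"
    openssl dgst -sha256 -verify "$WORK/public.pem" \
        -signature "$WORK/check.sig" "$WORK/check.txt" >/dev/null 2>&1
}

generate_keypair
TOKEN='user=alice;issued=2024-01-01T12:00:00Z'   # constructed sample token
SIG="$(sign_token "$TOKEN")"

verify_token "$TOKEN" "$SIG" && echo "original token: signature valid"
verify_token 'user=admin;issued=2024-01-01T12:00:00Z' "$SIG" \
    || echo "altered token: signature rejected"
```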
