A lot of organizations have heterogeneous systems that need security services, and many of these systems interact with users that have already declared who they are, for example, during the login phase of their workstation at the beginning of their working day.

This is the basis to introduce the concept of a Perimeter, where authentication is made once and then always trusted during the day. The same happens when you use your badge to enter into your company; you are trusted to be allowed into the buildings, with the need to expose the badge to express that you are an employee. In case of Perimeter Authentication, a token released by a third party is used to extract who the user is, by performing an Identity Assertion and not full authentication.

This means that when developing LoginModule interfaces for Identity Assertion providers, Credentials are used not to decide if the user is authenticated, but simply to populate the Subject with the Principals that can be found using the token.