Scope of the Single Sign-On Standard

The scope of the Single Sign-On Standard (code-named XSSO at present) is to define services in support of:

- the development of applications to provide a common, single end-user sign-on interface for an enterprise, and
- the development of applications for the co-ordinated management of multiple user account management information bases maintained by an enterprise.
Contents

- Functional Objectives
  - User Sign-on Interface
  - User Account Management Interface
- Non-Functional Objectives
- Security Objectives
- Out of Scope
Functional Objectives

User Sign-on Interface

The following functional objectives have been defined for the XSSO in support of a user sign-on interface:

- The interface shall be independent of the type of authentication information handled.
- Change of user-controlled authentication information shall be supported. This is interpreted as initially being restricted to change of user password, although the capability for future extension shall not be precluded.
- Support shall be provided for a caller to establish a default user profile. User selection from a set of available user profiles is not required to be supported, but shall not be precluded as a future extension.
- Support for the initiation of cleanup services on session termination, or sign-off, shall be provided.
- Provision of a service to enable a caller to notify the XSSO implementation of a change of user-controlled authentication information by an application other than the XSSO implementation is an optional requirement and may be supported.
- XSSO shall not predefine the timing of secondary sign-on operations.
  - Note: This means that XSSO shall not require that all sign-on operations are performed at the same time as the primary sign-on operation. Doing so would result in the creation of user sessions with all possible services even though those services may not actually be required by the user.
User Account Management Interface

The following functional objectives have been defined for the XSSO in support of a user account management interface:

- The creation, deletion, and modification of user accounts shall be supported.
- The setting of attributes for individual user accounts shall be supported. The attributes to be supported shall include as a minimum those necessary to support the XBSS.
Non-Functional Objectives

The non-functional objectives of the XSSO are:

- The XSSO shall be authentication technology independent. The interface shall not prescribe the use of a specific authentication technology, nor preclude the use of any appropriate authentication technology.
  - Note: Some authentication technologies, for example those based upon challenge-response mechanisms of which a user-held device is a component, may not be appropriate for use as part of secondary sign-on functions.
- XSSO shall be independent of platform or operating system. XSSO shall not preclude the integration of common desktops or common servers, including mainframes. There is no expectation that such desktops or servers shall be capable of integration within XSSO without modification.
Security Objectives

The security objectives to be met by an implementation of XSSO are:

- XSSO shall not adversely affect the resilience of the system within which it is deployed.
- XSSO shall not adversely impact the availability of any individual system service.
- XSSO shall not provide access by principals to User Account Information to which they would not be permitted access within the controlling security domain for that information.
- An XSSO implementation shall audit all security-relevant events which occur within the context of the XSSO.
- An XSSO implementation shall protect all security-relevant information supplied to or generated by the XSSO implementation such that other services may adequately trust the integrity and origin of all security information provided to them as part of a secondary sign-on operation.
- The XSSO shall provide protection to security-relevant information when exchanged between its own constituent components and between those components and other services.
Out of Scope

The following aspects are not considered to be within the current scope of XSSO:

- Support for single sign-on across enterprise system boundaries.
- User-initiated change of non-user-configured authentication information, for example magnetic badges, smartcards, etc.
- Selection of alternative user profiles on user sign-on.
- Configuration and management of alternative sets of user profiles.
- Maintenance of the integrity of the single sign-on user account information base with underlying individual service user account information bases when those underlying user account information bases are modified by means other than XSSO-provided functionality.
- Graphical and command line user interfaces to XSSO-based services. These are the province of applications written to utilise the XSSO.
© 1995-2018