Open Group Security Standards/Guides
Scope of a Single Sign-On Standard
The scope of a Single Sign-On Standard must be to define services in
support of:
- the development of applications to provide a common, single end-user
sign-on interface for an enterprise
- the development of applications for the co-ordinated management of
multiple user account management information bases maintained by an enterprise.
Functional Objectives
User Sign-on Interface
The following functional objectives are required in support of a user
sign-on interface:
- The interface shall be independent of the type of authentication
information handled.
- Change of user controlled authentication information shall be supported.
This is interpreted as initially being restricted to change of user password, although
the capability for future extension shall not be precluded.
- Support shall be provided for a caller to establish a default user
profile. User selection from a set of available user profiles is not required to be
supported but shall not be precluded as a future extension.
- The initiation of cleanup services on session termination (sign-off) shall be
supported.
- Provision of a service to enable a caller to notify the implementation of
a change of user controlled authentication information by an application other than the
implementation is an optional requirement and may be supported.
- It shall not predefine the timing of secondary sign-on operations.
Note: This means that it shall not require that all secondary sign-on operations are
performed at the same time as the primary sign-on operation. Such a requirement would result
in the creation of user sessions with all possible services even though those services may
not actually be required by the user.
User Account Management Interface
The following functional objectives are required in support of a user
account management interface:
- The creation, deletion, and modification of user accounts shall be
supported.
- The setting of attributes for individual user accounts shall be
supported. The attributes to be supported shall include as a minimum those necessary to
support the XBSS.
Non-Functional Objectives
The non-functional objectives required of single sign-on are:
- It should be authentication technology independent. The interface shall
not prescribe the use of a specific authentication technology, nor preclude the use of any
appropriate authentication technology.
- Note: Some authentication technologies, for example those based upon
challenge-response mechanisms of which a user-held device is a component, may not be
appropriate for use as part of secondary sign-on functions.
- It should be independent of platform or operating system. It should not
preclude the integration of common desktops or common servers, including mainframes. There
is no expectation that such desktops or servers shall be capable of integration with a
single sign-on facility without modification.
Security Objectives
The security objectives to be met by an implementation of single sign-on
are:
- It shall not adversely affect the resilience of the system within which
it is deployed.
- It shall not adversely impact the availability of any individual system
service.
- It shall not provide access by principals to User Account Information to
which they would not be permitted access within the controlling security domain for that
information.
- An implementation shall audit all security relevant events which occur
within its own context.
- An implementation shall protect all security relevant information
supplied to or generated by the implementation, such that other services may
adequately trust the integrity and origin of all security information provided to them as
part of a secondary sign-on operation.
- It shall provide protection to security relevant information when
exchanged between its own constituent components and between those components and other
services.
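The functional objectives above (an authentication-technology-independent sign-on interface, secondary sign-on deferred until a service is actually used, cleanup on sign-off) and the security objectives (auditing of security relevant events, no release of User Account Information outside its controlling security domain) can be modelled in a small coordinator. The following is an added illustration written for this page, not code from the Open Group standard or any product; every class, method and sample value (the user "alice", the services "mail" and "erp", the domains "corp" and "finance") is an assumption constructed for the example.

```python
"""Illustrative single sign-on coordinator (added example, not standard text).
All names, the in-memory stores and the sample data are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Protocol, Set, Tuple


class Authenticator(Protocol):
    """Primary authentication technology; the coordinator only calls verify(),
    so a password, token or other mechanism can be substituted."""
    def verify(self, user: str, credential: str) -> bool: ...


class PasswordAuthenticator:
    """One concrete technology: salted PBKDF2 verification with constant-time compare."""
    def __init__(self) -> None:
        self._store: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, derived key)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._store[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, credential: str) -> bool:
        if user not in self._store:
            return False
        salt, expected = self._store[user]
        return hmac.compare_digest(self._derive(credential, salt), expected)


@dataclass
class ServiceAccount:
    """User Account Information for one underlying service, owned by a security domain."""
    domain: str
    secret: str


@dataclass
class Session:
    coordinator: "SsoCoordinator"
    user: str
    open_services: List[str] = field(default_factory=list)

    def use(self, service: str) -> str:
        """Secondary sign-on is performed on first use, not at primary sign-on."""
        if service not in self.open_services:
            self.coordinator.secondary_sign_on(self.user, service)
            self.open_services.append(service)
        return f"{service}:{self.user}"  # stands in for the service's session handle

    def sign_off(self) -> List[str]:
        """Run cleanup for exactly the services that were opened, then audit sign-off."""
        cleaned = list(self.open_services)
        for service in cleaned:
            self.coordinator.audit("service_cleanup", self.user, service)
        self.open_services.clear()
        self.coordinator.audit("sign_off", self.user, "")
        return cleaned


class SsoCoordinator:
    def __init__(self, authenticator: Authenticator) -> None:
        self.authenticator = authenticator
        self.accounts: Dict[Tuple[str, str], ServiceAccount] = {}  # (user, service) -> account
        self.trail: List[Tuple[str, str, str]] = []  # (event, user, detail); the audit record

    def audit(self, event: str, user: str, detail: str) -> None:
        self.trail.append((event, user, detail))

    def sign_on(self, user: str, credential: str) -> Session:
        if not self.authenticator.verify(user, credential):
            self.audit("primary_sign_on_failed", user, "")
            raise PermissionError("primary sign-on rejected")
        self.audit("primary_sign_on", user, "")
        return Session(self, user)

    def secondary_sign_on(self, user: str, service: str) -> None:
        if (user, service) not in self.accounts:
            self.audit("secondary_sign_on_failed", user, service)
            raise KeyError(f"no account for {user} on {service}")
        self.audit("secondary_sign_on", user, service)

    def read_account(self, caller_domains: Set[str], user: str, service: str) -> ServiceAccount:
        """Release account information only to callers permitted in its controlling domain."""
        account = self.accounts[(user, service)]
        if account.domain not in caller_domains:
            self.audit("account_access_denied", user, service)
            raise PermissionError("caller not in controlling security domain")
        self.audit("account_access", user, service)
        return account


def demo() -> dict:
    """Constructed walk-through: nothing opens at primary sign-on, one service
    opens on use, sign-off cleans only that service, every step is audited."""
    auth = PasswordAuthenticator()
    auth.enrol("alice", "correct horse")  # constructed sample user
    sso = SsoCoordinator(auth)
    sso.accounts[("alice", "mail")] = ServiceAccount("corp", "mail-secret")
    sso.accounts[("alice", "erp")] = ServiceAccount("finance", "erp-secret")
    session = sso.sign_on("alice", "correct horse")
    opened_at_sign_on = list(session.open_services)
    session.use("mail")
    cleaned = session.sign_off()
    return {"opened_at_sign_on": opened_at_sign_on, "cleaned": cleaned,
            "events": [event for event, _, _ in sso.trail]}
```

The coordinator never sees the password itself beyond passing it to `verify()`, which is what keeps it independent of the authentication technology; the `erp` account is never touched because the user never asked for that service, which is the deferred secondary sign-on the note under the functional objectives calls for; and `read_account()` shows the domain check that stops a caller from reading account information it could not read in the controlling security domain, with the refusal itself landing in the audit trail.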
Out of Scope
The following aspects are not considered to be within the current scope
of single sign-on:
- Support for single sign-on across enterprise system boundaries.
- User initiated change of non-user configured authentication information,
for example magnetic badges, smartcards, etc.
- Selection of alternative user profiles on user sign-on.
- Configuration and management of alternative sets of user profiles.
- Maintenance of the integrity of the single sign-on user account
information base with underlying individual service user account information bases when
those underlying user account information bases are modified by means other than
functionality provided by single sign-on.
- Graphical and command line user interfaces to single sign-on based
services. These are the province of applications written to utilise the single sign-on
service.