Home · About · A-Z Index · Search · Contacts · Press · Register · Login

Security Forum


Return to Security home page
Current work:

- Managers Guides

- MGIS

- Data Privacy

- PKI

- Guide to PKI

- Identity Mgt

- Access Control

- Security Patterns

- Secure Messaging

Strategy/Roadmap

Useful links:

Security topics

Info sources

Liaisons

How we work

Open Group Security Standards/Guides

Scope of a Single Sign-On Standard

The scope of a Single Sign-On Standard must be to define services in support of:

  • the development of applications to provide a common, single end-user sign-on interface for an enterprise
  • the development of applications for the co-ordinated management of multiple user account management information bases maintained by an enterprise.

Functional Objectives

User Sign-on Interface

The following functional objectives are required in support of a user sign-on interface:

  • The interface shall be independent of the type of authentication information handled.
  • Change of user controlled authentication information shall be supported. This is interpreted as initially being restricted to change of user password although capability for future extension shall not be precluded.
  • Support shall be provided for a caller to establish a default user profile. User selection from a set of available user profiles is not required to be supported but shall not be precluded as a future extension.
  • Support for the initiation of cleanup services on session termination, or sign-off, shall be supported.
  • Provision of a service to enable a caller to notify the implementation of a change of user controlled authentication information by an application other than the implementation is an optional requirement and may be supported.
  • It shall not predefine the timing of secondary sign-on operations.
    Note: This means that it shall not require that all sign-on operations are performed at the same time as the primary sign-on operation. This would result in the creation of user sessions with all possible services even though those services may not actually be required by the user.

User Account Management Interface

The following functional objectives are required in support of a user account management interface:

  • The creation, deletion, and modification of user accounts shall be supported.
  • The setting of attributes for individual user accounts shall be supported. The attributes to be supported shall include as a minimum those necessary to support the XBSS.

Non-Functional Objectives

The non-functional objectives required of single sign-on are:

  • It should be authentication technology independent. The interface shall not prescribe the use of a specific authentication technology, nor preclude the use of any appropriate authentication technology.
    • Note: Some authentication technology, for example those based upon challenge-response mechanisms of which a user held device is a component may not be appropriate for use as part of secondary sign-on functions.
  • It should be independent of platform or operating system. It should not preclude the integration of common desktops or common servers, including mainframes. There is no expectation that such desktops or servers shall be capable of integration with a single sign-on facility without modification.

Security Objectives

The security objectives to be met by an implementation of single sign-on are:

  • It shall not adversely affect the resilience of the system within which it is deployed.
  • It shall not adversely impact the availability of any individual system service.
  • It shall not provide access by principals to User Account Information to which they would not be permitted access within the controlling security domain for that information.
  • An implementation shall audit all security relevant events which occur within its own context.
  • An implementation shall protect all security relevant information supplied to or generated by the  implementation, such that other services may adequately trust the integrity and origin of all security information provided to them as part of a secondary sign-on operation.
  • It shall provide protection to security relevant information when exchanged between its own constituent components and between those components and other services.

Out of Scope

The following aspects are not considered to be within the current scope of single sign-on:

  • Support for single sign-on across enterprise system boundaries.
  • User initiated change of non-user configured authentication information, for example magnetic badges, smartcards, etc.
  • Selection of alternative user profiles on user sign-on.
  • Configuration and management of alternative sets of user profiles.
  • Maintenance of the integrity of the single sign-on user account information base with underlying individual service user account information bases when those underlying user account information bases are modified by means other than functionality provided by single sign-on.
  • Graphical and command line user interfaces to single sign-on based services. These are the province of applications written to utilise the single sign-on service.

Home · Contacts · Legal · Copyright · Members · News
© The Open Group 1995-2012  Updated on Wednesday, 1 August 2001