XSSO Architecture

XSSO Single Sign-on Model

SSO Sign-on Model is a top-level view of the sign-on model. The model illustrates a combination of primary and secondary sign-on operations.

The initial user sign-on is performed by the primary sign-on application. Secondary sign-on operations are invoked when a user invokes an application that interfaces to services that require user authentication. These services are typically client-server applications requiring the communication of user authentication information to a further platform.

• Logon User Interface

  The user interacts with the sign-on service via an interface provided by the application providing the system entry service that establishes a user session on the workstation. This application invokes the primary authentication mechanism, and any necessary secondary authentication mechanisms via the XSSO Services.

• Primary Mechanism

  The primary mechanism is used to authenticate the user as part of the system entry service. If this authentication fails then the user is generally denied access to the workstation. The primary mechanism may need to interact with a remote authentication service target (Primary Sign-on Application Target) in order to perform user authentication.

• XSSO Sign-on Support Services

  Authentication mechanism independence is provided by the invocation of common XSSO sign-on services by the primary and secondary sign-on applications. The XSSO sign-on services support multiple components for implementing user authentication and session establishment whilst maintaining a common interface for the calling application.

• XSSO Service Cache

  The XSSO service cache provides temporary storage for sign-on information obtained or derived as part of the primary sign-on operation from which it can be retrieved for use in subsequent secondary sign-on operations during the current user session. The cache is cleared on termination of a user session.

• XSSO Management Information Base

  The XSSO sign-on service depends upon a set of sign-on service management information. This comprises configuration information for the XSSO sign-on service itself, for example which authentication mechanisms to use, together with the user account information required by those authentication mechanisms and the other supporting services.

• Secondary Sign-on Applications

  In addition to the primary sign-on, that essentially supports access to a user session on the workstation and applications executed within it, secondary sign-on operations to authenticate the user and establish sessions with other management domains are generally necessary within a distributed environment. These are supported by the XSSO services in a manner that is generally transparent to the end-user on whose behalf the secondary sign-on operations are undertaken. These secondary sign-ons may occur at the time of the primary sign-on or later as an application is invoked.

The XSSO services invoked by the Primary Sign-on Application are responsible for:

• Conducting the dialogue with the user. XSSO services need to acquire from the user all the information necessary to perform, or needed to derive the information necessary to perform, both the primary sign-on and any subsequent secondary sign-ons so that secondary sign-ons may be transparent to the end-user.

• Authenticating the user. This may include authentication to multiple authentication services at this time to support later secondary sign-on operations as determined by administrative policy.

• Authorizing the creation of a user session.

• Initializing the user session including establishing the session security context. The XSSO service shall not preclude auditing the creation of a user session.

• Caching the information necessary to support subsequent secondary sign-ons and supporting the retrieval of the cached information. The information to be cached includes any security tokens obtained as part of the authentication operations and may also include the original authentication information supplied by the user if that is required for secondary sign-on operations. Cache management may include the refreshing of secondary sign-on credentials.

• Supporting a session close down policy. This may include the invocation of configured services on user session termination including the forced termination of any residual processing initiated within the session. The XSSO service shall not preclude the auditing of session termination.

  Note:

  Deferred authentication - for example, batch processing, whether directly invoked or scheduled - is considered to comprise a separate session and is not within the scope of the current XSSO specification. This may be subject to an extension within a subsequent version of the specification.

The XSSO services invoked by a secondary sign-on application client and target service in effect comprise a Distributed XSSO Sign-on Service. The XSSO sign-on service invoked by the target service performs essentially the same functions as the XSSO services invoked by the Primary Sign-on Application. However, the user dialogue is replaced by an exchange of information with the application client. The XSSO sign-on services invoked by the application client are responsible for retrieving the information required for the exchange with the target service from the XSSO service cache created by the primary sign-on operation or from the Sign-on Service Management Information.

In addition, the XSSO sign-on services invoked by the application client and target service are responsible for protecting the sign-on information exchanged.

XSSO Account Management Model

The definition of the Account Management API is deferred to a future specification.