The initial user sign-on is performed by the primary sign-on application. Secondary sign-on operations are invoked when a user invokes an application that interfaces to services that require user authentication. These services are typically client-server applications requiring the communication of user authentication information to a further platform.
The user interacts with the sign-on service via an interface provided by the application providing the system entry service that establishes a user session on the workstation. This application invokes the primary authentication mechanism, and any necessary secondary authentication mechanisms via the XSSO Services.
The primary mechanism is used to authenticate the user as part of the system entry service. If this authentication fails then the user is generally denied access to the workstation. The primary mechanism may need to interact with a remote authentication service target (Primary Sign-on Application Target) in order to perform user authentication.
Authentication mechanism independence is provided by the invocation of common XSSO sign-on services by the primary and secondary sign-on applications. The XSSO sign-on services support multiple components for implementing user authentication and session establishment whilst maintaining a common interface for the calling application.
The XSSO service cache provides temporary storage for sign-on information obtained or derived as part of the primary sign-on operation from which it can be retrieved for use in subsequent secondary sign-on operations during the current user session. The cache is cleared on termination of a user session.
The XSSO sign-on service depends upon a set of sign-on service management information. This comprises configuration information for the XSSO sign-on service itself, for example which authentication mechanisms to use, together with the user account information required by those authentication mechanisms and the other supporting services.
In addition to the primary sign-on, that essentially supports access to a user session on the workstation and applications executed within it, secondary sign-on operations to authenticate the user and establish sessions with other management domains are generally necessary within a distributed environment. These are supported by the XSSO services in a manner that is generally transparent to the end-user on whose behalf the secondary sign-on operations are undertaken. These secondary sign-ons may occur at the time of the primary sign-on or later as an application is invoked.
The XSSO services invoked by the Primary Sign-on Application are responsible for:
The XSSO services invoked by a secondary sign-on application client and target service in effect comprise a Distributed XSSO Sign-on Service. The XSSO sign-on service invoked by the target service performs essentially the same functions as the XSSO services invoked by the Primary Sign-on Application. However, the user dialogue is replaced by an exchange of information with the application client. The XSSO sign-on services invoked by the application client are responsible for retrieving the information required for the exchange with the target service from the XSSO service cache created by the primary sign-on operation or from the Sign-on Service Management Information.
In addition, the XSSO sign-on services invoked by the application client and target service are responsible for protecting the sign-on information exchanged.
The definition of the Account Management API is deferred to a future specification.