2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
5 <refentry id="gsso-intro">
7 <refentrytitle>gSSO introduction</refentrytitle>
11 <title>What is gSSO?</title>
13 gSSO is a framework for centrally storing authentication credentials
14 and handling authentication on behalf of applications as requested by
15 them. It consists of a gSSO daemon that implements secure storage of
16 login credentials (for example usernames and passwords), plugins for
17 different authentication systems and a client library (libgsignond-glib)
18 for applications to communicate with this system.
21 By using this client library, an application can authenticate to a
22 (usually remote) service using an existing set of credentials, and manage
23 the credentials database as well (subject to access restrictions).
26 Some authentication methods require interaction with the user, for example
27 to request a username and password, or to show a webpage with which the
28 user is expected to interact. This functionality is provided by gSSO UI
29 component, and it's completely invisible from the applications' point
33 The client library (libgsignond-glib) interacts with gSSO daemon through
34 D-Bus. These D-Bus APIs should not be used directly as they are not documented, subject
35 to change and don't come with backwards compatibility guarantees.
39 <title>Terminology</title>
41 gSSO is built around a few key concepts which are explained below:
45 <systemitem>Authentication service</systemitem>: the top level
46 object representing the gSSO service. It can be used to query
47 existing identities, available
48 authentication menthods and their mechanisms. Authentication
49 service is represented in the client library by
50 <link linkend="SignonAuthService">SignonAuthService objects</link>.
55 <systemitem>Identity</systemitem>: This is a local object representing a record in the
56 credentials DB. It contains information about the username and password (the
57 latter is write-only), plus some metadata such as a descriptive caption, access
58 control list, reference count, and other metadata. Identities are identified by
59 numeric identity IDs and represented in the client library by <link linkend="SignonIdentity">
60 SignonIdentity</link> objects.
65 <systemitem>Security context</systemitem>: The information that is used by gSSO daemon
66 to make access control decisions when applications try to access identities
67 for reading, writing, or starting authentication sessions. Security contexts
68 consist of two strings: the system context which identifies the application process,
69 and application context which identifies what the application process is doing. Security
70 contexts are represented in the client library by <link linkend="SignonSecurityContext">
71 SignonSecurityContext</link> objects.
76 <systemitem>Authentication method</systemitem>: the SSO daemon supports different
77 authentication methods, each implemented by a plugin. Well known examples of
78 authentication methods include <ulink url="http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer">SASL</ulink>,
79 or <ulink url="http://en.wikipedia.org/wiki/Oauth">OAuth</ulink>. Authentication methods
80 might support different authentication mechanisms, which are method-specific variants of authentication process.
85 <systemitem>Authentication session</systemitem>: the process of performing the authentication.
86 It is represented in the client library by <link linkend="SignonAuthSession">SignonAuthSession objects</link>.
87 Authentication sessions are started from existing identites.