gSSO is a framework for centrally storing authentication credentials and handling authentication on behalf of applications as requested by them. It consists of a gSSO daemon that implements secure storage of login credentials (for example usernames and passwords), plugins for different authentication systems and a client library (libgsignond-glib) for applications to communicate with this system.
By using this client library, an application can authenticate to a (usually remote) service using an existing set of credentials, and manage the credentials database as well (subject to access restrictions).
Some authentication methods require interaction with the user, for example to request a username and password, or to show a web page with which the user is expected to interact. This functionality is provided by the gSSO UI component, and it is completely invisible from the application's point of view.
The client library (libgsignond-glib) interacts with the gSSO daemon through D-Bus. These D-Bus APIs should not be used directly: they are not documented, are subject to change, and come with no backwards-compatibility guarantees.
gSSO is built around a few key concepts, which are explained below:
Authentication service
: the top-level object representing the gSSO service. It can be used to query existing identities and the available authentication methods and their mechanisms. The authentication service is represented in the client library by SignonAuthService objects.
Identity
: a local object representing a record in the credentials DB. It contains the username and password (the latter is write-only), plus metadata such as a descriptive caption, an access control list, and a reference count. Identities are identified by numeric identity IDs and are represented in the client library by SignonIdentity objects.
Security context
: the information that the gSSO daemon uses to make access control decisions when applications try to access identities for reading, writing, or starting authentication sessions. A security context consists of two strings: the system context, which identifies the application process, and the application context, which identifies what the application process is doing. Security contexts are represented in the client library by SignonSecurityContext objects.
Authentication method
: the gSSO daemon supports different authentication methods, each implemented by a plugin. Well-known examples of authentication methods include SASL and OAuth. An authentication method may support several authentication mechanisms, which are method-specific variants of the authentication process.
Authentication session
: the process of performing the authentication. It is represented in the client library by SignonAuthSession objects. Authentication sessions are started from existing identities.