What is gSSO?

gSSO is a framework for centrally storing authentication credentials and handling authentication on behalf of applications as requested by them. It consists of a gSSO daemon that implements secure storage of login credentials (for example usernames and passwords), plugins for different authentication systems and a client library (libgsignond-glib) for applications to communicate with this system.

By using this client library, an application can authenticate to a (usually remote) service using an existing set of credentials, and manage the credentials database as well (subject to access restrictions).

Some authentication methods require interaction with the user, for example to request a username and password, or to show a webpage with which the user is expected to interact. This functionality is provided by the gSSO UI component and is completely invisible from the applications' point of view.

The client library (libgsignond-glib) interacts with the gSSO daemon through D-Bus. These D-Bus APIs should not be used directly: they are not documented, are subject to change and come with no backwards-compatibility guarantees.

Terminology

gSSO is built around a few key concepts which are explained below:

  • Authentication service: the top-level object representing the gSSO service. It can be used to query existing identities, available authentication methods and their mechanisms. The authentication service is represented in the client library by SignonAuthService objects.

  • Identity: a local object representing a record in the credentials DB. It contains the username and password (the latter is write-only), plus metadata such as a descriptive caption, an access control list and a reference count. Identities are identified by numeric identity IDs and are represented in the client library by SignonIdentity objects.

  • Security context: the information used by the gSSO daemon to make access control decisions when applications try to access identities for reading, writing, or starting authentication sessions. A security context consists of two strings: the system context, which identifies the application process, and the application context, which identifies what the application process is doing. Security contexts are represented in the client library by SignonSecurityContext objects.

  • Authentication method: the gSSO daemon supports different authentication methods, each implemented by a plugin. Well-known examples of authentication methods include SASL and OAuth. An authentication method may support several authentication mechanisms, which are method-specific variants of the authentication process.

  • Authentication session: the process of performing the authentication. It is represented in the client library by SignonAuthSession objects. Authentication sessions are started from existing identities.