gSSO is a middleware component sitting at the lower layers of the stack, interfacing with platform security features and the network. Its system components are described in this chapter.
signon-glib provides a glib-based client API for applications. Objects are cached locally, and remote objects are created on demand.
Three major classes are used to represent the object model:
- AuthService class represents the highest-level service view towards the service daemon.
- Identity class represents a credential object on the service daemon side, either a stored item or a non-stored temporary one.
- AuthSession class represents an authentication session. A session is an instantiation of a plug-in object.
There are also three major data model classes:
- IdentityInfo is a model of a credential and its related metadata.
- SessionData is an extensible model of the data needed to perform an operation on an AuthSession.
- SecurityContext is a 2-tuple of a platform security identifier and an application context identifier.
signon-ui is a user interface dialog service for displaying the various authentication and authorization dialogs. The design and implementation of this component are usually product-family and form-factor dependent. The signon-ui interfaces use a separate, protected interface to gsignond.
gsignond is the central daemon providing a D-Bus service towards client applications. A glib-based plug-in API is provided for integrating new methods. Each plug-in is run as a separate process, and the plug-in API makes this completely transparent from the method implementation's point of view. An extension API is used to create suitable platform adaptations; each extension is intended to provide the adaptation for a certain platform/configuration.
gsignond-secret-storage provides a default database implementation for storing secrets. This implementation is based on the SQLite database.
gsignond-ac-manager is responsible for verifying the caller's access rights for the request, based on the platform security rule set. The base class implements a no-op access control manager. In addition, on Tizen, a SMACK-based access control manager is provided.
gsignond-storage-manager is responsible for managing the underlying storage for the gsignond-secret-storage database. The base class implements basic XDG-standard file system access. In addition, on Tizen, an ecryptfs-based encrypted storage file system is provided.
gsignond-plugin-digest implements RFC 2617 HTTP Digest authentication. All necessary digests are generated without exposing the credentials to the requesting application.
gsignond-plugin-sasl implements the RFC 4422 SASL authentication method and the most commonly used standard mechanisms.
gsignond-plugin-oauth implements both the RFC 5849 OAuth 1.0 and the RFC 6749 OAuth 2.0 methods. This plug-in, together with the framework, acts as the user agent described in those standards.
gsignond-plugin-x509 handles various operations and queries for X.509 certificates, as specified by RFC 5280 and RFC 6818. These operations are performed without exposing the related keys to the requesting application.