IntrepidSingleSignOnRequirements

Single Sign-on Requirements Session notes

This session is about the requirements and what we want to achieve.

Motivation

  • people use their computers in a more integrated way with online apps than before (google calendar, flickr, facebook, gmail, launchpad etc)

Idea

  • on login, be logged into your web apps automatically

Use cases

  • scott logs in to his desktop and is automatically logged in to launchpad
  • Yahoo Messenger and Flickr using the same account
  • Google Docs and Gmail using the same account
  • making login stuff available to multiple applications
  • local applications: apport, hwtest, online-backup
  • in a corporate or educational network your credentials are stored, and your access rights are managed, on a central server (that is the server-world definition of SSO)

An example of a similar experience is the flickr export in f-spot.

Requirements

  • the client side SSO should be able to get credentials from a local storage or from over the network (corporate LDAP server, for example)
  • avoid requiring a Web browser for login, if possible
    • disorienting - requires handling and closing the browser window
    • not as accessible
  • provide means to protect against spoofing in cases where the authentication page URL changes dynamically
  • handle the "forgot password" and "have no account" cases
  • we need to support the "username/password" and OAuth case
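The spoofing requirement above (the login page URL may change dynamically) is easiest to meet by checking the origin rather than the full URL: the path and query may vary, but the scheme and host must match an allowlist exactly. The following is an added example, not code from the session or from any Ubuntu component; the host allowlist is a constructed assumption, and the function would sit in the client-side SSO agent before it opens or submits to any login page.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts that are allowed to serve the login page.
# In a real client this would come from the SSO agent's configuration.
TRUSTED_LOGIN_HOSTS = frozenset({"login.launchpad.net", "launchpad.net"})


def is_trusted_login_url(url, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return True only if `url` is an https URL on the default port whose
    host is exactly one of the trusted hosts.

    The path and query string are deliberately ignored, so a login page
    whose URL changes per request still passes, while look-alike hosts,
    userinfo tricks ("launchpad.net@evil.example"), plain http and
    non-standard ports are rejected."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname          # drops userinfo and port, lowercases
    if host is None or port not in (None, 443):
        return False
    return host in trusted_hosts


if __name__ == "__main__":
    for sample in (
        "https://launchpad.net/+login?return=/foo",      # ok, path may vary
        "https://LAUNCHPAD.NET/+openid",                 # ok, host is case-insensitive
        "http://launchpad.net/+login",                   # rejected: not https
        "https://launchpad.net.evil.example/+login",     # rejected: look-alike host
        "https://launchpad.net@evil.example/+login",     # rejected: userinfo trick
        "https://launchpad.net:8443/+login",             # rejected: odd port
    ):
        print(f"{is_trusted_login_url(sample)!s:5} {sample}")
```

Comparing the host exactly, rather than with a suffix match, is what defeats the `launchpad.net.evil.example` case; if subdomains are ever needed they should be listed explicitly.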

Additional applications that are not web services but we still want to support:

  • imap/pop3
  • jabber
  • nxclient
  • smbfs
  • java applets (?)

It should be possible to store the credentials on LP so that they can be retrieved when the user logs into a new computer, encrypted with the user's LP password. Storing them on LP should be optional, and we should provide a mechanism for other means of transport (like exporting them to a USB stick and importing them on the new machine). What about passwordless accounts?

OAuth

  • A possible protocol to use is OAuth, which gives out authentication tokens that are less valuable than user passwords. The tokens are then stored in the gnome-keyring (and/or kwallet)
  • when launchpad.net gives out OAuth tokens, other sites then need to verify against launchpad.net that the token is valid
  • supports some access control to limit what the token can do
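The three OAuth bullets describe one flow: the password is exchanged once for an opaque token, the token (not the password) goes into the keyring, relying applications verify the token against launchpad.net, and the token carries only limited rights. The following is an added example that models that flow with both sides in one file; it is not Launchpad's code and it does not implement OAuth 1.0's request signing, only the token issue/verify/revoke life cycle. The `Issuer`, `Keyring` and `RelyingApp` classes and the "read"/"write" scope names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000


class Issuer:
    """Stands in for launchpad.net: keeps password hashes and issued tokens.
    Constructed model, not Launchpad's implementation."""

    def __init__(self, token_lifetime=3600):
        self._users = {}    # username -> (salt, pbkdf2 digest)
        self._tokens = {}   # token -> {"user", "scopes", "expires", "revoked"}
        self.token_lifetime = token_lifetime

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def _check_password(self, username, password):
        if username not in self._users:
            return False
        salt, digest = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def issue_token(self, username, password, scopes, now=None):
        """Exchange the password once for an opaque, scoped, expiring token."""
        if not self._check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)    # unguessable, carries no user data
        self._tokens[token] = {
            "user": username,
            "scopes": frozenset(scopes),
            "expires": (time.time() if now is None else now) + self.token_lifetime,
            "revoked": False,
        }
        return token

    def verify_token(self, token, required_scope, now=None):
        """Called by a relying site or app: the username if the token is live
        and carries the requested scope, otherwise None."""
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"]:
            return None
        if (time.time() if now is None else now) >= rec["expires"]:
            return None
        if required_scope not in rec["scopes"]:
            return None
        return rec["user"]

    def revoke(self, token):
        """Revoking a token never touches the password."""
        if token in self._tokens:
            self._tokens[token]["revoked"] = True


class Keyring(dict):
    """Stands in for gnome-keyring/kwallet: service name -> stored token."""


class RelyingApp:
    """A local app (apport, hwtest, ...) or another site: it only ever
    holds the token and asks the issuer whether it is good for a scope."""

    def __init__(self, service, issuer, keyring):
        self.service, self.issuer, self.keyring = service, issuer, keyring

    def act(self, scope, now=None):
        token = self.keyring.get(self.service)
        return None if token is None else self.issuer.verify_token(token, scope, now)


def demo():
    """Walk the flow and return a dict of the properties the session wants."""
    issuer = Issuer(token_lifetime=3600)
    issuer.register("scott", "correct horse")      # constructed credentials
    keyring = Keyring()
    t0 = 1_000_000.0                                # fixed clock for the demo
    # Account manager logs in once and stores only a read-scoped token.
    token = issuer.issue_token("scott", "correct horse", {"read"}, now=t0)
    keyring["launchpad"] = token
    app = RelyingApp("launchpad", issuer, keyring)
    results = {
        "bad_password_rejected": issuer.issue_token("scott", "wrong", {"read"}, now=t0) is None,
        "read_allowed": app.act("read", now=t0 + 10) == "scott",
        "write_denied": app.act("write", now=t0 + 10) is None,
        "expired_denied": app.act("read", now=t0 + 7200) is None,
        "password_not_in_keyring": "correct horse" not in keyring.values(),
    }
    issuer.revoke(token)
    results["revoked_denied"] = app.act("read", now=t0 + 10) is None
    results["password_survives_revocation"] = (
        issuer.issue_token("scott", "correct horse", {"read"}, now=t0) is not None)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The "less valuable than the password" claim rests on exactly the checks in `verify_token`: a leaked token is bound to a scope, expires, and can be revoked without the user changing anything else, none of which is true of a leaked password.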

OpenID

  • purely for web browsers

misc

  • add account manager application
  • do not optimize for the case of multiple ubuntu.net accounts, but focus on the single default account

User stories

  • Jamie starts up her new Ubuntu installation, and starts Evolution. The Evolution Setup Assistant appears and asks her for her e-mail address, but she doesn't have one.
  • Ladislav uses an Ubuntu.net account on his home computer. He has now installed Ubuntu on his laptop, and wants to use the same Ubuntu.net account.
  • Alice has a new install and fires up pidgin. It comes up with a first-start page that offers to create a new ubuntu.net account, use an existing ubuntu.net account, or use an existing other account

DestopTeam/IntrepidSingleSignOnRequirements (last edited 2008-08-06 16:24:12 by localhost)