1. Single Sign On/Federation via AD FS/WIF/SAML
Software Requirements Specification
Group Id: F1202FBFA8 (MC110403218)
Supervisor Name: Sarfraz Ahmad Awan (sawan@vu.edu.pk)
2. Revision History
Date Version Description Author
11/2/1012 1.0 Initial Draft for all the basic MC110403218
elements of SRS document
11/5/2012 1.1 Added scope for project and MC110403218
Refined use cases.
11/5/2012 1.2 Labeled as version 1.2 send to MC110403218
Sarfraz Ahmad Awan as
assignment no 1
3. Contents
1 Overview ............................................................................................................................ 4
1.1 Introduction ................................................................................................................. 4
1.2 Competitor solution ..................................................................................................... 4
1.3 Implementation technologies ...................................................................................... 4
2 Scope .................................................................................................................................. 5
2.1 Architecture Scope Options ........................................................................................ 5
2.1.1 Implementation via Federation Server for SSO ................................................... 5
2.1.2 Development of STS Service for SSO ................................................................. 5
2.1.3 Identity Providers to cover for SSO ..................................................................... 5
2.1.4 Service Providers to cover for SSO ..................................................................... 5
2.1.5 OS scope for SSO ................................................................................................ 5
2.1.6 SAML Implementation Scope ............................................................................. 5
3 Software Requirement ....................................................................................................... 5
3.1 Functional Software Requirement ............................................................................... 5
3.1.1 Transparent SSO .................................................................................................. 5
3.1.2 Source and destination ......................................................................................... 6
3.1.3 Administrator Console ......................................................................................... 6
3.2 Non-Functional Software Requirement ...................................................................... 6
3.2.1 Performance Requirements .................................................................................. 6
3.2.2 Security Requirements ......................................................................................... 6
4 User Case Diagram ............................................................................................................ 6
5 Use case Explanation ......................................................................................................... 7
5.1 Use Case Id 00001....................................................................................................... 7
5.2 Use Case Id 00002....................................................................................................... 8
5.3 Use Case Id 00003....................................................................................................... 9
4. 1 Overview
1.1 Introduction
Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for
a user to enter the same id and password to logon to multiple applications within an
enterprise. As passwords are the least secure authentication mechanism, single sign on has
now become known as reduced sign on (RSO) since more than one type of authentication
mechanism is used according to enterprise risk models.
1.2 Competitor solution
For details, please visit:
http://en.wikipedia.org/wiki/List_of_single_sign-on_implementations
1.3 Implementation technologies
Microsoft .Net Framework / C#
WIF http://en.wikipedia.org/wiki/Windows_Identity_Foundation
SAML http://en.wikipedia.org/wiki/SAML_2.0
WS-Trust http://en.wikipedia.org/wiki/WS-Trust
5. WS-Security http://en.wikipedia.org/wiki/WS-Security
2 Scope
2.1 Architecture Scope Options
2.1.1 Implementation via Federation Server for SSO
Federation server can be implemented to handle federation mechanism for SSO.
It would be best laid architecture. But can be out of scope for current course. A POC will be
done to make sure that the current scope is properly under stood.
Scope can be dependent on design phase of the project.
2.1.2 Development of STS Service for SSO
AD FS will act as STS Service. Scope for AD FS can be dependent on design phase of the
project.
2.1.3 Identity Providers to cover for SSO
Currently Active directory is primary scope as Identity provider.
2.1.4 Service Providers to cover for SSO
ASP .Net business applications like HR application will act as service provider for current
implementation.
2.1.5 OS scope for SSO
Current project will only cover Windows Server 2012 as testing and development
environment for Server operating system.
Current project will only cover Windows 8 as testing and development environment for client
operation system.
2.1.6 SAML Implementation Scope
Windows Identity Foundation have SAML 2.0 implementation as extension as explained in
http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=360
88
This will be current scope of SAML 2.0 implementation.
3 Software Requirement
3.1 Functional Software Requirement
3.1.1 Transparent SSO
For end user there should not be any visual indicator that user is moving from one application
to another. Means for end user it should be transparent SSO.
6. 3.1.2 Source and destination
Source and destination Provider should be configurable.
3.1.3 Administrator Console
There should not be any hard coding for entities evolved in solution like Identity provider or
Service Provider.
STS Service should not be hard coded; there must an interface to change URL for STS
Service.
Service accounts for solution must be configurable via UI interface.
3.2 Non-Functional Software Requirement
3.2.1 Performance Requirements
SSO must be performed with no delays. Robust redirection should be provided from source
to destination.
3.2.2 Security Requirements
The security requirements to be met by an implementation of SSO are:
SSO shall not adversely affect the resilience of the system within which it is deployed.
SSO shall not adversely impact the availability of any individual system service.
An SSO implementation shall audit all security relevant events which occur within the context of the
XSSO.
An SSO implementation shall protect all security relevant information supplied to or generated by the
XSSO implementation such that other services may adequately trust the integrity and origin of all
security information provided to them as part of a secondary sign-on operation.
The SSO shall provide protection to security relevant information when exchanged between its own
constituent components and between those components and other services.
4 User Case Diagram
7. Single Sign On/Federation via AD FS/WIF/SAML
Configure Source «uses»
«extends» Provider
«uses»
Provide System Provide Service
Configuration Account Info
Configure SSO
* Provider «uses»
*
«extends»
* Configure
Destination Provider
SSO Admin
*
* «uses»
* Configure Identity
* Privder Test Provider
*
STS Service
«uses» Passing Token from Source «uses»
Perform action for Notification for
Provider to Destination
SSO Provider change
Provider
*
*
SSO End User
5 Use case Explanation
Explanation for only primary use cases (Those mainly used by actors) is written below.
5.1 Use Case Id 00001
Use Case Title Configure SSO Provider
Abbreviated Title C_SSO_Provider
Use Case Id 00001
Requirement Id 3.1.2 , 3.1.3
Description:
It is administrative task and will be performed by SSO Admin
Pre Conditions: Solution is properly installed. STS Service is already installed.
Task Sequence Exceptions
1. Open MMC for SSO
2. Identify the Source or destination - type of provider to configure.
3. Provide configuration like URL or other related info. Some provider might
not have URL
4. Provide Service account info for configuration like user name and Some provider might
password give anonymous
8. access.
.
Post Conditions: Provider is tested and returns positive response to SSO admin.
Unresolved issues:
Authority: Shahzad Sarwar
Modification history: Initial Draft
Author: Shahzad Sarwar
Description: Needs review by Course Supervisor : Sarfraz Ahmad Awan
5.2 Use Case Id 00002
Use Case Title Configure Identity Privder
Abbreviated Title C_I_Privder
Use Case Id 00002
Requirement Id 3.1.2 , 3.1.3
Description:
It is administrative task and will be performed by SSO Admin
Pre Conditions:
Solution is properly installed.
STS Service is already installed.
Identify Provider is reachable.
Task Sequence Exceptions
1. Open MMC for SSO
2. Provide Identity configuration like URL , domain name or other related Some provider might
info. not have URL or
domain name
3. Provide configuration like URL or other related info. Some provider might
not have URL
Post Conditions: Identity Provider is tested and returns positive response to SSO admin.
Unresolved issues:
Authority: Shahzad Sarwar
Modification history: Initial Draft
Author: Shahzad Sarwar
9. Description: Needs review by Course Supervisor : Sarfraz Ahmad Awan
5.3 Use Case Id 00003
Use Case Title Perform action for SSO
Abbreviated Title P_A_F_SSO
Use Case Id 00003
Requirement Id 3.1.1
Description:
User will be redirected from source application to source application.
Pre Conditions:
Solution is properly installed.
STS Service is already installed.
Identify Provider is configured.
Source Provider is configured.
Destination Provider is configured.
Task Sequence Exceptions
1. Open application for source.
2. Open application for destination.
3. Perform redirection action, that will redirect from source to destination.
Post Conditions: Transparent redirection is performed from source to destination.
Unresolved issues:
Authority: Shahzad Sarwar
Modification history: Initial Draft
Author: Shahzad Sarwar
Description: Needs review by Course Supervisor : Sarfraz Ahmad Awan