Srs sso-version-1.2-stable version

Single Sign On/Federation via AD FS/WIF/SAML Software Requirements Group Id: F1202FBFA8 (MC110403218) Supervisor Name: Sarfraz Ahmad Awan ([email protected])


Single Sign On/Federation via AD FS/WIF/SAML Software Requirements Specification


Revision History

Date | Version | Description | Author
11/2/1012 | 1.0 | Initial Draft for all the basic elements of SRS document | MC110403218
11/5/2012 | 1.1 | Added scope for project and refined use cases. | MC110403218
11/5/2012 | 1.2 | Labeled as version 1.2, sent to Sarfraz Ahmad Awan as assignment no 1 | MC110403218

Contents

1 Overview
1.1 Introduction
1.2 Competitor solution
1.3 Implementation technologies
2 Scope
2.1 Architecture Scope Options
2.1.1 Implementation via Federation Server for SSO
2.1.2 Development of STS Service for SSO
2.1.3 Identity Providers to cover for SSO
2.1.4 Service Providers to cover for SSO
2.1.5 OS scope for SSO
2.1.6 SAML Implementation Scope
3 Software Requirement
3.1 Functional Software Requirement
3.1.1 Transparent SSO
3.1.2 Source and destination
3.1.3 Administrator Console
3.2 Non-Functional Software Requirement
3.2.1 Performance Requirements
3.2.2 Security Requirements
4 Use Case Diagram
5 Use case Explanation
5.1 Use Case Id 00001
5.2 Use Case Id 00002
5.3 Use Case Id 00003


1 Overview

1.1 Introduction

Single Sign On (SSO), also known as Enterprise Single Sign On or "ESSO", is the ability for a user to enter the same id and password to log on to multiple applications within an enterprise. As passwords are the least secure authentication mechanism, single sign on has now become known as reduced sign on (RSO), since more than one type of authentication mechanism is used according to enterprise risk models.

1.2 Competitor solution

For details, please visit: http://en.wikipedia.org/wiki/List_of_single_sign-on_implementations

1.3 Implementation technologies

Microsoft .Net Framework / C#

WIF http://en.wikipedia.org/wiki/Windows_Identity_Foundation

SAML http://en.wikipedia.org/wiki/SAML_2.0

WS-Trust http://en.wikipedia.org/wiki/WS-Trust

WS-Security http://en.wikipedia.org/wiki/WS-Security

2 Scope

2.1 Architecture Scope Options

2.1.1 Implementation via Federation Server for SSO

A federation server can be implemented to handle the federation mechanism for SSO. This would be the best-laid architecture, but it can be out of scope for the current course. A POC will be done to make sure that the current scope is properly understood. Scope can be dependent on the design phase of the project.

2.1.2 Development of STS Service for SSO

AD FS will act as the STS Service. Scope for AD FS can be dependent on the design phase of the project.

2.1.3 Identity Providers to cover for SSO

Currently, Active Directory is the primary scope as Identity Provider.

2.1.4 Service Providers to cover for SSO

ASP.NET business applications, such as an HR application, will act as the service provider for the current implementation.

2.1.5 OS scope for SSO

The current project will only cover Windows Server 2012 as the testing and development environment for the server operating system.

The current project will only cover Windows 8 as the testing and development environment for the client operating system.

2.1.6 SAML Implementation Scope

Windows Identity Foundation has a SAML 2.0 implementation as an extension, as explained in

http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088

This will be the current scope of the SAML 2.0 implementation.

3 Software Requirement

3.1 Functional Software Requirement

3.1.1 Transparent SSO

For the end user there should not be any visual indicator that the user is moving from one application to another. That is, for the end user it should be transparent SSO.

3.1.2 Source and destination

Source and destination Provider should be configurable.

3.1.3 Administrator Console

There should not be any hard coding for entities involved in the solution, like Identity Provider or Service Provider.

STS Service should not be hard coded; there must be an interface to change the URL for the STS Service.

Service accounts for the solution must be configurable via a UI interface.

3.2 Non-Functional Software Requirement

3.2.1 Performance Requirements

SSO must be performed with no delays. Robust redirection should be provided from source to destination.

3.2.2 Security Requirements

The security requirements to be met by an implementation of SSO are:

SSO shall not adversely affect the resilience of the system within which it is deployed.

SSO shall not adversely impact the availability of any individual system service.

An SSO implementation shall audit all security relevant events which occur within the context of the XSSO.

An SSO implementation shall protect all security relevant information supplied to or generated by the XSSO implementation such that other services may adequately trust the integrity and origin of all security information provided to them as part of a secondary sign-on operation.

The SSO shall provide protection to security relevant information when exchanged between its own constituent components and between those components and other services.

4 Use Case Diagram

5 Use case Explanation

Explanations are written below only for the primary use cases (those mainly used by actors).

5.1 Use Case Id 00001

Use Case Title: Configure SSO Provider

Abbreviated Title: C_SSO_Provider

Use Case Id: 00001

Requirement Id: 3.1.2, 3.1.3

Description:

It is an administrative task and will be performed by the SSO Admin.

Pre Conditions:

Solution is properly installed.

STS Service is already installed.

Task Sequence (with Exceptions):

1. Open MMC for SSO.

2. Identify the Source or destination - type of provider to configure.

3. Provide configuration like URL or other related info. Exception: Some providers might not have a URL.

4. Provide Service account info for configuration like user name and password. Exception: Some providers might give anonymous access.

Post Conditions: Provider is tested and returns positive response to SSO admin.

Unresolved issues:

Authority: Shahzad Sarwar

Modification history: Initial Draft

Author: Shahzad Sarwar

Description: Needs review by Course Supervisor : Sarfraz Ahmad Awan

5.2 Use Case Id 00002

Use Case Title: Configure Identity Provider

Abbreviated Title: C_I_Privder

Use Case Id: 00002

Requirement Id: 3.1.2, 3.1.3

Description:

It is an administrative task and will be performed by the SSO Admin.

Pre Conditions:

Solution is properly installed.

STS Service is already installed.

Identity Provider is reachable.

Task Sequence (with Exceptions):

1. Open MMC for SSO.

2. Provide Identity configuration like URL, domain name or other related info. Exception: Some providers might not have a URL or domain name.

3. Provide configuration like URL or other related info. Exception: Some providers might not have a URL.

Post Conditions: Identity Provider is tested and returns positive response to SSO admin.

Unresolved issues:

Authority: Shahzad Sarwar

Modification history: Initial Draft


Author: Shahzad Sarwar

Description: Needs review by Course Supervisor : Sarfraz Ahmad Awan

5.3 Use Case Id 00003

Use Case Title: Perform action for SSO

Abbreviated Title: P_A_F_SSO

Use Case Id: 00003

Requirement Id: 3.1.1

Description:

User will be redirected from source application to destination application.

Pre Conditions:

Solution is properly installed.

STS Service is already installed.

Identity Provider is configured.

Source Provider is configured.

Destination Provider is configured.

Task Sequence (with Exceptions):

1. Open application for source.

2. Open application for destination.

3. Perform redirection action that will redirect from source to destination.

Post Conditions: Transparent redirection is performed from source to destination.

Unresolved issues:

Authority: Shahzad Sarwar

Modification history: Initial Draft

Author: Shahzad Sarwar

Description: Needs review by Course Supervisor : Sarfraz Ahmad Awan
