1.3 How SecretStore Works

SecretStore 3.4.1 is supported on eDirectory 8.8.4 and 8.8.5 running on AIX*, SUSE® Linux Enterprise Server (SLES) 32-bit and 64-bit, Solaris* 32-bit and 64-bit, and Windows Server* 32-bit and 64-bit.

The SecretStore service is installed on servers as a component of eDirectory. SecretStore runs on top of eDirectory and NICI, and the SecretStore transport plug-ins run on top of SecretStore.

Figure 1-1 Platforms that Support SecretStore

The following figure illustrates the server NCP and LDAP protocol stacks on a server platform:

Figure 1-2 SecretStore, eDirectory and NICI, and Plug-ins

The following figure illustrates the client NCP and LDAP protocol stacks on a client workstation:

Figure 1-3 Client NCP and LDAP Protocol Stacks

NOTE: SecretStore plug-ins include client APIs, NCP, and an LDAP extension.

The following figure illustrates the SecretStore client and server architecture:

Figure 1-4 SecretStore Client and Server Architecture

The following figure illustrates client software running on a Windows workstation:

Figure 1-5 SecretStore Components on a Windows Workstation

The following steps illustrate how SecretStore works:

  1. A user logs in to eDirectory by using a password or other login credential.

  2. A successful login allows the user's secrets to be downloaded (when necessary) from SecretStore to the workstation.

  3. The user accesses a client-based, Web-based, or host-based application. The SecretStore connection recognizes the application and responds with the appropriate username and password from SecretStore.

    If the connection does not find matching credentials, the application consuming the SecretStore client SDK prompts the user to add the application. The credentials the user supplies are stored in SecretStore with the WriteSecret API.

    On later launches of the application, the application calls the SecretStore client API, which in turn contacts the SecretStore server, fetches the stored credentials with the ReadSecret API, and supplies them to the application.

1.3.1 Single Sign-On Authentication Process

This section describes the single sign-on authentication process and shows how an enabled application interfaces with SecretStore, reads and writes secrets, and authenticates the user.

Authentication without SecretStore

For purposes of comparison, the following figure illustrates how a user might authenticate to a network application that isn’t enabled for single sign-on.

Figure 1-6 Successful Authentication Before Single Sign-On

  1. The user runs a network application.

  2. The application calls the authentication module.

  3. The module prompts the user to log in. The user submits credentials (for example, a user ID or smart card) and secrets (for example, a password or PIN), then authenticates.

  4. The authentication module notifies the application that access has been granted.

  5. The user starts interacting with the application.

Initial Authentication to a SecretStore-Enabled Application

The following figure illustrates the first-time authentication to an application that has been enabled for single sign-on with SecretStore.

Figure 1-7 First-Time Authentication to Single Sign-On Enabled Application

  1. The user runs an enabled network application.

  2. The application calls the authentication module.

  3. The module prompts the user to log in. The user submits credentials (for example, a user ID or Smart Card) and secrets (for example, a password or PIN), then authenticates.

  4. The authentication module updates Novell SecretStore with the user's verified authentication information.

  5. The authentication module notifies the application that access has been granted.

  6. The user starts interacting with the application.

Subsequent Authentication to a SecretStore-Enabled Application

The following figure illustrates the processes involved in subsequent user authentication to a single sign-on-enabled application using SecretStore.

Figure 1-8 Subsequent User Authentication to a Single Sign-On Enabled Application

  1. The user runs a single sign-on-enabled network application.

  2. The application calls the authentication module.

  3. The authentication module calls Novell SecretStore to retrieve the user's authentication secrets.

  4. Novell SecretStore returns the user's authentication secrets (identification, secrets, etc.) to the authentication module, and the user is authenticated.

  5. The authentication module notifies the application that access has been granted.

  6. The user starts interacting with the application.
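The following model ties together the workflow steps in Section 1.3 and the first-time and subsequent authentication processes above (Figures 1-7 and 1-8). It is an added example written for this page, not Novell SDK code: the SecretStoreModel class, the read_secret/write_secret methods standing in for the ReadSecret and WriteSecret APIs, the user DN, the secret ID "app:webmail", and the application's back-end account table are all constructed for illustration. The point it demonstrates is the decision logic of an enabled application's authentication module: secrets are unavailable until the user has logged in to eDirectory, the first run prompts the user and stores only credentials that the application has verified, and every later run is satisfied from SecretStore without a prompt.

```python
"""Model of the SecretStore single sign-on flow (illustrative, not the Novell API)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


class NotAuthenticated(Exception):
    """Raised when a secret is requested without a prior eDirectory login."""


class SecretNotFound(KeyError):
    """Raised when ReadSecret finds no entry under the requested secret ID."""


@dataclass
class DirectoryUser:
    dn: str                         # eDirectory distinguished name (constructed)
    edir_password: str              # eDirectory login credential (constructed)
    # secret_id -> (application username, application password)
    secrets: Dict[str, Tuple[str, str]] = field(default_factory=dict)


class SecretStoreModel:
    """Stand-in for the SecretStore service: per-user secrets, released only after login."""

    def __init__(self, users):
        self._users = {u.dn: u for u in users}
        self._sessions = set()      # DNs that completed an eDirectory login (step 1)

    def login(self, dn: str, password: str) -> bool:
        user = self._users.get(dn)
        if user is None or user.edir_password != password:
            return False
        self._sessions.add(dn)
        return True

    def _require_login(self, dn: str) -> DirectoryUser:
        if dn not in self._sessions:
            raise NotAuthenticated(dn)
        return self._users[dn]

    def read_secret(self, dn: str, secret_id: str) -> Tuple[str, str]:
        """Model of the ReadSecret API (Figure 1-8, steps 3 and 4)."""
        user = self._require_login(dn)
        try:
            return user.secrets[secret_id]
        except KeyError:
            raise SecretNotFound(secret_id) from None

    def write_secret(self, dn: str, secret_id: str, username: str, password: str) -> None:
        """Model of the WriteSecret API (Figure 1-7, step 4)."""
        user = self._require_login(dn)
        user.secrets[secret_id] = (username, password)


@dataclass
class AuthResult:
    granted: bool
    path: str                       # "first-time", "subsequent" or "denied"


def authenticate(store: SecretStoreModel, dn: str, secret_id: str,
                 verify: Callable[[str, str], bool],
                 prompt: Callable[[], Tuple[str, str]]) -> AuthResult:
    """Authentication module of an SSO-enabled application.

    verify(username, password) is the application's own credential check;
    prompt() asks the user for credentials and is only reached on the first run.
    """
    try:
        username, password = store.read_secret(dn, secret_id)   # subsequent run
        path = "subsequent"
    except SecretNotFound:
        username, password = prompt()                           # first run: Figure 1-7, step 3
        path = "first-time"
    if not verify(username, password):
        return AuthResult(False, "denied")                      # never store unverified secrets
    if path == "first-time":
        store.write_secret(dn, secret_id, username, password)   # Figure 1-7, step 4
    return AuthResult(True, path)


def demo() -> Tuple[bool, str, str, int]:
    """Run the three flows and return (gated_before_login, first_path, second_path, prompt_count)."""
    alice = DirectoryUser("cn=alice,o=example", "eDir-pw")      # constructed user
    store = SecretStoreModel([alice])
    app_accounts = {"alice.mail": "mail-pw"}                    # constructed back-end account table
    verify = lambda u, p: app_accounts.get(u) == p
    prompts = []

    def prompt() -> Tuple[str, str]:
        prompts.append(1)
        return ("alice.mail", "mail-pw")

    try:                                                        # no eDirectory login yet
        authenticate(store, alice.dn, "app:webmail", verify, prompt)
        gated = False
    except NotAuthenticated:
        gated = True
    store.login(alice.dn, "eDir-pw")                            # Section 1.3, step 1
    first = authenticate(store, alice.dn, "app:webmail", verify, prompt)
    second = authenticate(store, alice.dn, "app:webmail", verify, prompt)
    return gated, first.path, second.path, len(prompts)


if __name__ == "__main__":
    print(demo())
```

The write happens only after the application has verified the credentials, matching step 4 of Figure 1-7 ("verified authentication information"); storing a rejected password would make every later single sign-on attempt fail silently. The gating on an eDirectory session models step 2 of Section 1.3, where secrets are released to the workstation only after a successful login.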