ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

SSO as an alternate authentication method #542

Open PayPalAustralia opened 1 year ago

PayPalAustralia commented 1 year ago

Description

PayPal Australia Pty Limited (PayPal) is a limited Authorised Deposit-Taking Institution with authority to provide purchase payment facilities. Its primary business is as a digital wallet provider that allows buyers and sellers to send and receive payments online. PayPal customers are able to store balance in their PayPal account and withdraw those funds to a linked bank account, pay for goods and services or make person to person transactions within PayPal’s closed network using their PayPal account. There are three (3) types of accounts offered by PayPal: a Personal Account, a Premier Account (no longer available to new customers) and a Business Account.

When it comes to authentication, globally PayPal’s large enterprise business customers typically have their own Identity Provider (IdP) and related Single Sign On (SSO) based authentication. Some of these enterprises have integrated their IdP with the PayPal security ecosystem to authenticate users, and this is how their staff log into PayPal as authorised. To this end, they do not have individual user credentials (e.g. login and password) specific to our platform. 

The current CDR authentication model does not consider this online account authentication scenario. The authentication model for CDR with One-Time-Password (OTP) assumes that all online users of a data holder have individual user credentials with the said data holder, which is not necessarily the case for large enterprises.

Area Affected

Specific standards/APIs: CDR Authentication Standards

Change Proposed

Change Requested: PayPal requests that the Data Standards Body revises the CDR Authentication Standards to allow an authentication method other than OTP. Specifically, we request that Single Sign On (SSO) be added as an alternate authentication method.

nils-work commented 1 year ago

For reference, another alternative to OTP was suggested in issue #405

dpostnikov commented 1 year ago

Authentication level and factors used.

> PayPal requests that the Data Standards Body revises the CDR Authentication Standards to allow an authentication method other than OTP.

This suggestion makes perfect sense and is being considered in issue #405 as @nils-work mentioned.

Selection of the IDP to perform authentication.

> Specifically, we request that Single Sign On (SSO) be added as an alternate authentication method.

I'd argue this is not required because it's up to a Data Holder what IDP they utilise to authenticate their customers (their own, shared, federated / SSO, the same IDP they use to authenticate 3rd parties or a separate one, etc.). You might be able to do it now, especially once #405 is resolved.