SSO as an alternate authentication method #542

Open
PayPalAustralia opened this issue Sep 12, 2022 · 2 comments
Labels
Security Change or question related to the information security profile

Comments

PayPalAustralia commented Sep 12, 2022

Description

PayPal Australia Pty Limited (PayPal) is a limited Authorised Deposit-Taking Institution with authority to provide purchase payment facilities. Its primary business is as a digital wallet provider that allows buyers and sellers to send and receive payments online. PayPal customers are able to store balance in their PayPal account and withdraw those funds to a linked bank account, pay for goods and services or make person to person transactions within PayPal’s closed network using their PayPal account. There are three (3) types of accounts offered by PayPal: a Personal Account, a Premier Account (no longer available to new customers) and a Business Account.

When it comes to authentication, globally PayPal’s large enterprise business customers typically have their own Identity Provider (IdP) and related Single Sign On (SSO) based authentication. Some of these enterprises have integrated their IdP with the PayPal security ecosystem to authenticate users, and this is how their staff log into PayPal as authorised. To this end, they do not have individual user credentials (e.g. login and password) specific to our platform. 

The current CDR authentication model does not consider this online account authentication scenario. The authentication model for CDR with One-Time-Password (OTP) assumes that all online users of a data holder have individual user credentials with the data holder, which is not necessarily the case for large enterprises.

Area Affected

Specific standards/APIs: CDR Authentication Standards

Change Proposed

Change Requested: PayPal requests that the Data Standards Body revises the CDR Authentication Standards to allow an authentication method other than OTP. Specifically, we request that Single Sign On (SSO) be added as an alternate authentication method.

Member

nils-work commented Sep 13, 2022

For reference, another alternative to OTP was suggested in issue #405.

@dpostnikov

Authentication level and factors used.
PayPal requests that the Data Standards Body revises the CDR Authentication Standards to allow an authentication method other than OTP.
This suggestion makes perfect sense and is being considered in issue #405 as @nils-work mentioned.

Selection of the IDP to perform authentication
Specifically, we request that Single Sign On (SSO) be added as an alternate authentication method.
I'd argue this is not required because it's up to a Data Holder what IDP they utilise to authenticate their customers (their own, shared, federated / SSO, the same IDP they use to authenticate 3rd parties or a separate one, etc.). You might be able to do it now, especially once #405 is resolved.

@nils-work nils-work added the Security Change or question related to the information security profile label Feb 3, 2023
Projects
Status: Full Backlog

4 participants