Design and Implementation of a Web Single Sign-On System Based on Identity Federation
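Abstract
Single sign-on is a very important network security technology. As the number of enterprise internal application systems grows substantially and Internet web applications come into wide use, how to implement a matching single sign-on system has become a hot topic.
This thesis analyzes the current state of single sign-on technology, introduces several of the main single sign-on systems in use today, and on that basis presents a single sign-on system based on identity federation. The system uses the identity federation protocol proposed by the Liberty Alliance and the SourceID.NET toolkit from Ping Identity, is underpinned by SAML, an XML-based framework for exchanging security information, and, with the help of key technologies such as web applications, implements single sign-on, identity federation, name registration, identity federation termination, and global single logout.
After introducing the system architecture and the system's main functions, the thesis describes in detail the overall framework design and the relationships among the modules, and describes the main database design and interface design.
The system is a single sign-on system suited to web applications and is easy to implement in both new and existing applications. The thesis closes with some ideas for further improvement.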
Single sign-on (SSO) is very important. With the large-scale growth of intranet business applications and Internet web applications, how to implement an SSO system has become a hot topic.
This paper analyzes the status quo of SSO technology and introduces some of the main SSO systems. Based on this study, the paper proposes an identity federation-based SSO system. The solution is based on the Liberty Identity Federation Framework (ID-FF) from the Liberty Alliance and the SourceID.NET toolkit from Ping Identity. Supported by key technologies such as SAML and web technology, the solution implements single sign-on, federation, name registration, federation termination, single logout, and other features.
After introducing the main functions and framework of the system, the paper details the design of the framework and the relationships among the modules. It also describes the design of the database structure and interfaces, and then gives an analysis of the system.
As a software solution, this system is very practical for new and existing web applications. Finally, the paper presents some ideas for further improvement.
