Excerpt from the thesis
With the rapid development of Internet technology, most enterprises and large organizations have begun to store and share their business data in the cloud, so that anyone who wants to access that data must first authenticate to one of the sites that hold it. The basic philosophy of single sign-on is to provide unrestricted access with a single login. Because web services involve the coordination of many sites belonging to different domains, this raises the problems of cross-domain coordinated identification and secure message transport. Based on an analysis of the security requirements of current web services, the basic philosophy of single sign-on, and the single sign-on technologies in common use, this dissertation shows that issues such as the lack of uniform standards, over-complicated flows, the inability to operate across domains and security deficiencies, to name but a few, are beyond the capability of current single sign-on systems, even though such systems can provide users with joint identification across many sites within a single domain. Present single sign-on services, when applied appropriately, provide a simple and convenient authentication service to a number of organizations; on the other hand, they have led to an increase in the number of service providers, which brought a good deal of setbacks: users feel burdened by having to log in to every service provider's website with their credentials. It has also put engineers in turmoil configuring, deploying and supporting the system for every user with internal resources, resulting in inconvenience, insecurity and mistrust on the part of the users.

Shibboleth provides a federated single sign-on and attribute exchange framework. It allows sites to make informed authorization decisions for individual access to protected online resources. A user is authenticated by his own organization, which passes the minimal identity information necessary to the service provider to enable an authorization decision.

In this thesis, I recommend a single sign-on approach based on Shibboleth authentication. The login method in Shibboleth is modified so that the identity authentication provided by the SSO servers is used only to determine whether the user is permitted to log in to the system when the user tries to visit the Service Provider, while the user's role is still verified by the Service Provider. The Security Assertion Markup Language (SAML) is used to exchange user security information between an identity provider and a service provider; it is flexible and allows customer data to be transmitted safely to the external service provider. First, our project proposes an integrated Shibboleth infrastructure based on SAML SSO that delivers a production-level service for accessing the organizations under the federation in a user-friendly manner. Second, I propose a simple and convenient authentication method for identity roaming, which enables a user to sign up at one website and extend the connectivity service to a location different from the home location where the user was registered and authenticated. Third, this thesis also elaborates an architecture by which users are authenticated by the Service Provider access management federation to acquire low-assurance credentials to access resources on the identity agent. In this project, the user logs in to identity agent resources via the identity provider portal using their local institution's authentication system. In other words, the user signs in once and accesses many secure resources through the mechanism of trust, and his credentials remain safe and saved, which reduces the burden of daily authentication prompts.
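The exchange the abstract describes (the identity provider authenticates the user and passes only the minimal attributes needed, the service provider checks the assertion and still decides the user's role itself) can be sketched as a small Python model. This is an added example, not code from the thesis or from Shibboleth: it stands in for SAML's XML signature with an HMAC over a JSON assertion, and the entity IDs, signing key, principals and role table are all constructed for the demonstration.

```python
"""Simplified model of a Shibboleth/SAML-style SSO exchange (constructed example).

IdP side: issue a short-lived, signed assertion with minimal attributes.
SP side: verify signature, issuer, audience, validity window and replay,
then decide the role from the SP's own table, not from the IdP.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. In real Shibboleth the IdP signs with an RSA key and
# the SP trusts the matching certificate from federation metadata.
IDP_SIGNING_KEY = b"constructed-demo-idp-key"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"  # constructed
SP_ENTITY_ID = "https://sp.example.org/shibboleth"        # constructed
ASSERTION_LIFETIME = 300  # seconds the assertion stays valid


def _canonical(assertion):
    """Deterministic serialization so both sides sign/verify the same bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload):
    """HMAC-SHA256 stand-in for the XMLDSig signature on a SAML assertion."""
    return hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def idp_issue_assertion(principal, attributes, audience, now=None):
    """IdP: after local authentication (assumed done), issue a signed assertion
    scoped to one SP and carrying only the attributes that SP needs."""
    now = time.time() if now is None else now
    assertion = {
        "id": "_" + secrets.token_hex(16),      # unique ID, used for replay detection
        "issuer": IDP_ENTITY_ID,
        "audience": audience,                    # the SP this assertion is for
        "subject": principal,
        "not_before": now,
        "not_on_or_after": now + ASSERTION_LIFETIME,
        "attributes": attributes,                # minimal identity information
    }
    return {"assertion": assertion, "signature": _sign(_canonical(assertion))}


class ServiceProvider:
    """SP: accepts the IdP's login decision, keeps authorization local."""

    def __init__(self, entity_id, trusted_issuer, role_table):
        self.entity_id = entity_id
        self.trusted_issuer = trusted_issuer
        self.role_table = role_table      # principal -> set of roles, owned by the SP
        self._seen_ids = set()            # assertion IDs already consumed

    def validate(self, token, now=None):
        """Return (ok, reason). Every check must pass before login is allowed."""
        assertion = token.get("assertion", {})
        signature = token.get("signature", "")
        if not hmac.compare_digest(signature, _sign(_canonical(assertion))):
            return False, "bad signature"
        if assertion.get("issuer") != self.trusted_issuer:
            return False, "untrusted issuer"
        if assertion.get("audience") != self.entity_id:
            return False, "wrong audience"
        now = time.time() if now is None else now
        if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
            return False, "expired or not yet valid"
        if assertion["id"] in self._seen_ids:
            return False, "replayed assertion"
        self._seen_ids.add(assertion["id"])
        return True, "ok"

    def authorize(self, token, required_role, now=None):
        """Login decision comes from the IdP assertion; role comes from the SP."""
        ok, reason = self.validate(token, now)
        if not ok:
            return False, reason
        principal = token["assertion"]["subject"]
        if required_role not in self.role_table.get(principal, set()):
            return False, "role not granted by SP"
        return True, "ok"


if __name__ == "__main__":
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ENTITY_ID, {"alice@example.edu": {"staff"}})
    token = idp_issue_assertion("alice@example.edu", {"affiliation": "staff"}, SP_ENTITY_ID)
    print(sp.authorize(token, "staff"))   # (True, 'ok')
    print(sp.authorize(token, "staff"))   # (False, 'replayed assertion')
```

The order of checks matters: the signature is verified before any field is trusted, the audience check stops an assertion issued for one SP from being presented to another, and the replay set is only updated after the time window passes, so an expired assertion never occupies the set. The role lookup deliberately ignores the attributes the IdP sent, matching the abstract's point that the SSO server decides only whether login is permitted while the Service Provider verifies the role.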