Unified user authentication and single sign-on solution

---
This paper takes the multimedia database system of a news organization as an example and proposes establishing an enterprise user authentication center that provides unified user management, unified authentication under configurable security policies, and single sign-on, solving the problem of repeated logins that users face when working with several application systems at the same time.

With the rapid development of information and network technology, enterprises run more and more application systems. In the media industry, for example, common systems include editing, typesetting, printing, advertising management, finance, office automation, decision support, customer relationship management and website publishing systems. Because these systems are independent of one another, a user must log in with a separate identity for each application before using it, and so must remember a user name and password for every system, which is a considerable burden. As the number of systems grows, so does the likelihood of mistakes, and the more credentials there are in circulation the more opportunities there are for them to be intercepted or abused, so overall security drops. Concepts such as unified user authentication and single sign-on emerged in response to this situation and are increasingly applied in enterprise application systems.

Fundamentals of Unified User Management

Generally, each application system has its own user-information management function, and the format, naming and storage of user information vary from system to system. When a user needs several application systems, that user's information has to be kept synchronized across all of them, which adds complexity to the systems and cost to their management.

For example, if user X needs both system A and system B, X must be created in both, and whenever X's information changes in one system the change must be propagated to the other. If X uses ten application systems, a change made in any one of them must be propagated to the other nine. If a failure occurs partway through synchronization, data integrity must still be guaranteed, so the synchronization procedure can become very complicated.

The fundamental solution to the synchronization problem is a unified user management system (UUMS). The UUMS stores the user information of all application systems in one place, and every user-related operation of an application system goes through the UUMS, while authorization and similar operations remain with each application system: unified storage, distributed authorization. A UUMS should provide the following basic functions:

1. User information is named and stored uniformly, and the user ID is globally unique. User ID is like an ID card, distinguishing and identifying different individuals.

2. UUMS provides each application system with a list of user attributes, such as name, telephone, address, email and other attributes, and each application system can select some or all of the attributes required by the system.

3. Requests for adding, modifying, deleting and querying basic user information by the application system are handled by UUMS.

4. The application system retains user management functions, such as user grouping, user authorization and other functions.

5. The UUMS should have a complete log function to record the operations of each application system on the UUMS in detail.

Unified user authentication builds on the UUMS and gives every application system one way of authenticating users and one authentication policy for deciding whether a claimed identity is legitimate. It should support the following authentication methods:

1. Anonymous authentication: the user is admitted without presenting any credential (appropriate only for resources that are public in any case).

2. Username/Password Authentication: This is the most basic authentication method.

3. PKI/CA digital certificate authentication: authenticate the user's identity by means of digital certificate.

4. IP address authentication: Users can only access the system from the specified IP address or IP address range.

5. Time period authentication: Users can only access the system within a specified time period.

6. Access-count authentication: the user's accesses are counted, and access is allowed only while the count stays within a configured range.

These authentication methods should be implemented as modules that the administrator can load and unload flexibly, so that new authentication modules can be added as requirements change.

An authentication policy is an authentication method built by combining basic methods with the logical operators AND, OR and NOT. The administrator adds, removes or combines methods to build the policy that a given requirement calls for. For example, suppose several members of a department share one account: they log in with the shared username and password, but access must be restricted to a particular IP address range (a compensating control, since a shared account by itself cannot tell its users apart). That policy is expressed as: username/password AND IP address authentication.
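As an added example, not code from the original article, the following Go program implements the pluggable authentication methods listed above and the AND/OR/NOT combination that turns them into a policy. The type and function names, the SHA-256 stand-in for a real password hash, and the constructed credentials, IP ranges and time window are all this example's own assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/netip"
	"time"
)

// AuthRequest carries everything an authentication module may inspect.
type AuthRequest struct {
	User, Password string
	ClientIP       netip.Addr
	At             time.Time
}

// Method is one pluggable authentication module; a policy is a Method built
// from other Methods with the AND / OR / NOT combinators below.
type Method func(r AuthRequest) bool

func And(ms ...Method) Method {
	return func(r AuthRequest) bool {
		for _, m := range ms {
			if !m(r) {
				return false
			}
		}
		return true
	}
}

func Or(ms ...Method) Method {
	return func(r AuthRequest) bool {
		for _, m := range ms {
			if m(r) {
				return true
			}
		}
		return false
	}
}

func Not(m Method) Method {
	return func(r AuthRequest) bool { return !m(r) }
}

// HashPassword stands in for a real password hash (bcrypt or argon2 in
// production); plain SHA-256 keeps the example dependency-free.
func HashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// PasswordMethod checks username/password against stored hashes with a
// constant-time comparison, so timing does not leak how close a guess was.
func PasswordMethod(hashes map[string][32]byte) Method {
	return func(r AuthRequest) bool {
		want, ok := hashes[r.User]
		got := HashPassword(r.Password)
		return ok && subtle.ConstantTimeCompare(want[:], got[:]) == 1
	}
}

// IPRangeMethod admits only clients inside one of the given prefixes.
func IPRangeMethod(prefixes ...netip.Prefix) Method {
	return func(r AuthRequest) bool {
		for _, p := range prefixes {
			if p.Contains(r.ClientIP) {
				return true
			}
		}
		return false
	}
}

// TimeWindowMethod admits requests whose hour lies in [fromHour, toHour).
func TimeWindowMethod(fromHour, toHour int) Method {
	return func(r AuthRequest) bool {
		h := r.At.Hour()
		return h >= fromHour && h < toHour
	}
}

// AccessCountMethod counts evaluations per user and refuses beyond limit.
func AccessCountMethod(limit int) Method {
	counts := map[string]int{}
	return func(r AuthRequest) bool {
		counts[r.User]++
		return counts[r.User] <= limit
	}
}

// SharedAccountPolicy is the article's example: username/password AND IP range.
func SharedAccountPolicy(hashes map[string][32]byte, office netip.Prefix) Method {
	return And(PasswordMethod(hashes), IPRangeMethod(office))
}

// Demo evaluates the shared-account policy on constructed requests and returns
// whether each is admitted: from inside the office, from outside, wrong password.
func Demo() (inside, outside, wrongPassword bool) {
	hashes := map[string][32]byte{"newsdesk": HashPassword("s3cret")}
	policy := SharedAccountPolicy(hashes, netip.MustParsePrefix("10.20.0.0/16"))
	ok := AuthRequest{User: "newsdesk", Password: "s3cret", ClientIP: netip.MustParseAddr("10.20.3.7"), At: time.Now()}
	far, bad := ok, ok
	far.ClientIP = netip.MustParseAddr("203.0.113.9")
	bad.Password = "guess"
	return policy(ok), policy(far), policy(bad)
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

Because every method is an ordinary function value, a policy loader could map an administrator's expression such as `password AND ip(10.20.0.0/16)` onto these combinators without touching the application systems. Two details the article leaves to the implementer are made explicit: the password check uses a constant-time comparison, and the IP check uses `net/netip` prefixes rather than string matching on the address.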

Although PKI/CA digital certificate authentication is less commonly used, it is very useful and is typically deployed where a high security level is required. PKI (Public Key Infrastructure) is a system that uses public key cryptography and digital certificates to protect the security of system information.

In a public key system, keys are generated in pairs; each pair consists of a public key, which is published, and a private key, which only its owner holds. A sender who encrypts information with the receiver's public key performs digital encryption, and only the receiver can decrypt it with the matching private key. A sender who signs information with its own private key produces a digital signature, which the receiver checks with the sender's public key (the signature is verified, not decrypted). Together, encryption and digital signatures give PKI its guarantees for data in transit: confidentiality (the data cannot be read by unauthorized parties), integrity (the data cannot be tampered with undetected) and non-repudiation (the signer cannot later deny having issued the data).

A digital certificate, sometimes called a digital ID, is a piece of data that binds a user's identity information to the user's public key, together with a digital signature from a certification authority. The authority's signature is what assures the authenticity of the certificate's contents.

A complete PKI system comprises an authoritative certification authority (CA), a registration authority (RA), a key management center (KMC), a certificate publication and query system, and a backup and recovery system. The CA is the core of the PKI and is responsible for issuing and revoking all digital certificates. The RA accepts and reviews users' applications for certificate issuance, revocation and recovery. The KMC generates, stores, manages, backs up and recovers encryption keys. The certificate publication and query system lets relying parties look up certificates and check whether a certificate is still valid, usually through the Online Certificate Status Protocol (OCSP), before they trust a user's signature. The backup and recovery system is responsible for backing up and restoring digital certificates, keys and system data.
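The following Go program, added here as an illustration and not part of the original article, plays both the CA and a relying party using the standard library's crypto/x509: it issues a client certificate under a self-signed root, signs a message with the user's private key, and verifies the signature only after the certificate has been validated against the trusted root. The CA name, the user "editor1", the validity periods and the message are constructed for the example; the revocation check that the OCSP server performs in the article's model is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with the private key matching its public key.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key pair and a certificate for it from tmpl.
// With ca == nil the certificate is self-signed (a root CA); otherwise the CA's
// private key signs it, which is the CA signature that makes it trustworthy.
func issue(tmpl *x509.Certificate, ca *Identity) (Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Identity{}, err
	}
	parent, signer := tmpl, key
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return Identity{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return Identity{Cert: cert, Key: key}, err
}

// SetupPKI plays the CA: it creates a root CA and issues a client certificate
// to the user "editor1". Names and validity periods are this example's own.
func SetupPKI() (ca, user Identity, err error) {
	now := time.Now()
	ca, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example News Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
	if err != nil {
		return
	}
	user, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "editor1"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, &ca)
	return
}

// Sign is the user's digital signature over msg: hash, then sign the digest.
func Sign(id Identity, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
}

// Verify is the relying party's check. The presented certificate must chain to
// the trusted root and be valid for client authentication; only then is the
// public key inside it used to verify the signature over msg.
func Verify(root, cert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match message")
	}
	return nil
}

func main() {
	ca, user, err := SetupPKI()
	if err != nil {
		panic(err)
	}
	msg := []byte("front page approved")
	sig, _ := Sign(user, msg)
	fmt.Println("genuine:", Verify(ca.Cert, user.Cert, msg, sig))
	fmt.Println("tampered:", Verify(ca.Cert, user.Cert, []byte("front page rejected"), sig))
}
```

The order inside `Verify` is the point: the chain check establishes whose public key this is, and only then is that key used to check the signature. A tampered message fails the second check; a certificate issued by a CA the relying party does not trust fails the first, even though its signature over the message is mathematically valid. Signing gives integrity and non-repudiation; for confidentiality one would additionally encrypt with the receiver's public key, which this program does not do.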

Single Sign-On

Single sign-on (SSO) is a technique that makes it convenient for users to reach multiple systems: the user signs in once and can then move freely among several systems without re-entering a username and password to prove identity. In essence, SSO is the passing or sharing of a security context, or credential, among multiple application systems. When the user logs in, the client software builds a security context from the user's credential (for example a username and password); the context holds the security information used to authenticate the user, and a system uses that context together with its security policy to decide whether the user may access a resource. Unfortunately the J2EE specification does not define the format of the security context, so a security context cannot be passed between J2EE products from different vendors.
 
Many products already support SSO, for example IBM's WebSphere and BEA's WebLogic, but they implement it differently: WebSphere records the authentication information in a cookie, while WebLogic shares it through the session. A cookie is a client-side mechanism whose contents are essentially a name, a value, an expiry time, a path and a domain; path and domain together define the cookie's scope. SSO can therefore be built on cookies, but all participating systems must share a domain. A session is a server-side mechanism: when a client first contacts the server, the server creates a unique session ID for it so that state is preserved across the whole interaction, and what that state contains is up to the application. Session-based SSO therefore cannot carry a login from one browser to another, but because the state lives on the server it can span domains, provided the session ID is handed along (for example in a redirect URL).

Is there a standard for implementing SSO? How can the exchange of information between products, and between the components of one product, be made more standard and more secure? To this end OASIS (the Organization for the Advancement of Structured Information Standards) proposed SAML (see the sidebar on SAML).

A user authentication center is what brings all of the functions and concepts above together into one whole, giving the enterprise a complete user authentication and single sign-on solution. A complete user authentication center should provide the following functions:

1. Unified user management: centralized management of user information, with standard interfaces.

2. Unified authentication: user authentication is centralized and uniform, supporting PKI, username/password, and both B/S (browser/server) and C/S (client/server) modes of authentication.

3. Single sign-on: supports single sign-on among multiple application systems in different domains.

The user authentication center thus provides unified authentication; how does it provide unified authorization? That is the province of privilege management, and the most widely applied approach there is PMI.

PMI (Privilege Management Infrastructure) aims to provide authorization management services to users and applications: it maps user identities to application privileges, and offers an authorization and access-control mechanism that matches real application processing patterns yet is independent of how any particular application system is developed and managed, which simplifies the development and maintenance of individual applications. PMI is the collection of components such as attribute certificates, attribute authorities and attribute certificate repositories, used to generate, manage, store, distribute and revoke privileges and certificates.

PMI is centered on resource management: access control over a resource is handed uniformly to an authorization authority, which means access control is exercised by the resource's owner. Compared with PKI, the main difference is that PKI proves who a user is, whereas PMI proves what privileges the user has and what the user may do; PMI can in turn rely on PKI for identity authentication.

A General Design Model for Single Sign-On

Figure 2 shows a general design model for unified user authentication and single sign-on. It consists of the following products:

1. PKI system: includes the CA server, RA server, KMC and OCSP server.

2. AA management server: the Authentication and Authorization server, which gives system administrators management of user information, authentication and authorization.

3. UUMS module: provides the UUMS interface to each application system.

4. SSO: includes the SSO agent and the SSO server. The SSO agent is deployed on the server side of each application system; it intercepts the client's SSO requests and forwards them to the SSO server, and if a forwarded request is an OCSP request the SSO server passes it on to the OCSP server. In the C/S model the SSO agent is usually deployed on the client instead.

5. PMI: includes the PMI agent and the PMI server. The PMI agent is deployed on the server side of each application system; it intercepts the client's PMI requests and forwards them to the PMI server.

6. LDAP server: unified storage of user information, certificates and authorization information.

To determine whether a user is already logged in, the SSO server keeps a user session table recording login and logout times; by looking a session up in this table the SSO server knows the user's login status. The table is usually stored in a database. The AA system provides the management functions for recording, monitoring and revoking sessions. For stability and throughput, two or more instances of the SSO, PMI and OCSP services can be deployed to serve simultaneously.
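As an added example serving both the cookie/session discussion above and the session table of the design model (not code from the article or from any product it names), the following Go program models an SSO server with its session table, a login that sets the session cookie, and an SSO agent that fronts two application systems and consults the server on every request. The hostnames, the cookie name `SSO_SID` and the user names are constructed for the example, and the session table is an in-memory map standing in for the database the article describes.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

const ssoCookie = "SSO_SID" // cookie name is this example's own choice

// Session is one row of the SSO server's session table.
type Session struct {
	User              string
	LoginAt, LogoutAt time.Time // LogoutAt stays zero until the user logs out
}

// SSOServer owns the session table (a map here; a shared database in the article's model).
type SSOServer struct {
	sessions map[string]*Session
	maxAge   time.Duration
}

// Login is called after the user has passed authentication. It records the
// session under a fresh 128-bit random ID and returns the cookie carrying it;
// Domain and Path bound where the browser sends that cookie, which is why
// cookie-based SSO only spans hosts under one domain.
func (s *SSOServer) Login(user, domain string) *http.Cookie {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	sid := hex.EncodeToString(b)
	s.sessions[sid] = &Session{User: user, LoginAt: time.Now()}
	return &http.Cookie{Name: ssoCookie, Value: sid, Domain: domain, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

// Check answers the agent's question "is this session still logged in?".
func (s *SSOServer) Check(sid string) (user string, ok bool) {
	sess := s.sessions[sid]
	if sess == nil || !sess.LogoutAt.IsZero() || time.Since(sess.LoginAt) > s.maxAge {
		return "", false
	}
	return sess.User, true
}

// Logout records the logout time; since every agent consults the same table,
// one logout revokes access to all applications at once.
func (s *SSOServer) Logout(sid string) {
	if sess := s.sessions[sid]; sess != nil && sess.LogoutAt.IsZero() {
		sess.LogoutAt = time.Now()
	}
}

// Agent is the SSO agent in front of one application: it intercepts each
// request, extracts the session cookie and consults the SSO server first.
func Agent(sso *SSOServer, app http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(ssoCookie)
		if err != nil {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		user, ok := sso.Check(c.Value)
		if !ok {
			http.Error(w, "session invalid or expired", http.StatusUnauthorized)
			return
		}
		r.Header.Set("X-SSO-User", user) // verified identity, handed to the app
		app.ServeHTTP(w, r)
	})
}

// Probe sends one in-memory request carrying cookie c and returns the status code.
func Probe(app http.Handler, c *http.Cookie) int {
	req := httptest.NewRequest("GET", "https://editing.news.example/articles", nil)
	req.AddCookie(c)
	rec := httptest.NewRecorder()
	app.ServeHTTP(rec, req)
	return rec.Code
}

// Demo logs in once, visits two applications, then logs out, returning the
// status codes for: editing, typesetting, a forged ID, and both apps after logout.
func Demo() []int {
	sso := &SSOServer{sessions: map[string]*Session{}, maxAge: 8 * time.Hour}
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Header.Get("X-SSO-User"))
	})
	editing, typesetting := Agent(sso, app), Agent(sso, app)
	c := sso.Login("editor1", "news.example")
	forged := &http.Cookie{Name: ssoCookie, Value: "0000"}
	codes := []int{Probe(editing, c), Probe(typesetting, c), Probe(editing, forged)}
	sso.Logout(c.Value)
	return append(codes, Probe(editing, c), Probe(typesetting, c))
}

func main() {
	fmt.Println(Demo()) // [200 200 401 401 401]
}
```

Two properties of the article's model are visible here. The agent never trusts the cookie by itself: it asks the session table, so a logout recorded there locks the user out of every application immediately, and a forged session ID is rejected because it is not in the table. The cookie's Domain and Path attributes bound where the browser will send it, which is the cross-domain limit of cookie-based SSO; the server-side table, by contrast, can be consulted by agents in any domain, provided the session ID can be carried to them. A production server would additionally guard the table against concurrent handlers and keep it in the shared database the article calls for.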

Sidebar

SAML

SAML (Security Assertion Markup Language) is an XML-based framework used mainly to exchange authentication, authorization and attribute information among security systems, and one of its main goals is SSO. Under the SAML framework, whatever trust mechanism a user relies on, systems can integrate seamlessly with one another as long as they satisfy SAML's interface, message exchange definitions and process specifications. The complete SAML framework, with its message formats and protocols, lets the existing identity authentication mechanisms (PKI, Kerberos and passwords) and authorization mechanisms (attribute-certificate-based PMI, ACLs and Kerberos access control) interoperate across trust domains through a uniform interface, which eases the unified management of trust and authorization in distributed application systems.

SAML is not a new technology. More precisely, it is a language, an XML description, whose purpose is to let information produced by different security systems be exchanged. The SAML specification consists of the following parts:

1. Assertions and protocols: define the syntax and semantics of XML-format assertions and the request/response protocols. SAML has three main kinds of assertion: authentication assertions, attribute assertions and authorization decision assertions.

2. Bindings and profiles: the mapping of SAML request and response messages onto underlying communication protocols such as SOAP.

3. Conformance: sets a baseline that an implementation must meet before it can be called a conforming SAML implementation, which helps interoperability and compatibility.

4. Security and privacy considerations: the security risks in the SAML architecture, specifically how SAML addresses those risks and which risks it cannot resolve.

Note that SAML was not designed solely for SSO, but it does provide a workable framework for standardizing SSO.
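The following Go program, an added example rather than text from the sidebar, builds a SAML 2.0 assertion carrying the three statement kinds named above (authentication, attribute and authorization decision) with encoding/xml, and then applies the checks a service provider must perform on receipt: trusted issuer, intended audience, validity window and single use. The issuer and audience URLs, the subject and the attribute values are constructed for the example; the XML signature that binds an assertion to its issuer is deliberately left out.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion models the subset of a SAML 2.0 assertion used here (names follow the core schema).
type Assertion struct {
	XMLName      xml.Name      `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID           string        `xml:"ID,attr"`
	IssueInstant time.Time     `xml:"IssueInstant,attr"`
	Issuer       string        `xml:"Issuer"`
	Subject      string        `xml:"Subject>NameID"`
	Conditions   Conditions    `xml:"Conditions"`
	AuthnClass   string        `xml:"AuthnStatement>AuthnContext>AuthnContextClassRef"`
	Attributes   []Attribute   `xml:"AttributeStatement>Attribute"`
	Authz        AuthzDecision `xml:"AuthzDecisionStatement"`
}

type Conditions struct {
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	Audience     string    `xml:"AudienceRestriction>Audience"`
}

type Attribute struct {
	Name  string `xml:"Name,attr"`
	Value string `xml:"AttributeValue"`
}

type AuthzDecision struct {
	Resource string `xml:"Resource,attr"`
	Decision string `xml:"Decision,attr"`
	Action   string `xml:"Action"`
}

// Issue is the identity provider's side: after authenticating user it emits an
// assertion with all three statement kinds, bound to one audience and a short window.
func Issue(issuer, user, audience, id string, now time.Time) Assertion {
	return Assertion{
		ID: id, IssueInstant: now, Issuer: issuer, Subject: user,
		Conditions: Conditions{NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute), Audience: audience},
		AuthnClass: "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
		Attributes: []Attribute{{Name: "department", Value: "newsdesk"}, {Name: "mail", Value: "editor1@news.example"}},
		Authz:      AuthzDecision{Resource: audience + "/layouts", Decision: "Permit", Action: "Read"},
	}
}

// Validator is the service provider's side; seen holds consumed assertion IDs.
type Validator struct {
	TrustedIssuer, Audience string
	seen                    map[string]bool
}

func NewValidator(issuer, audience string) *Validator {
	return &Validator{TrustedIssuer: issuer, Audience: audience, seen: map[string]bool{}}
}

// Validate parses an assertion and applies the checks a service provider must make
// before trusting it. Verifying the XML-Signature that binds it to the issuer is omitted.
func (v *Validator) Validate(doc []byte, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return nil, err
	}
	switch {
	case a.Issuer != v.TrustedIssuer:
		return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
	case a.Conditions.Audience != v.Audience:
		return nil, fmt.Errorf("assertion is addressed to %q, not to us", a.Conditions.Audience)
	case now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter):
		return nil, fmt.Errorf("assertion presented outside its validity window")
	case v.seen[a.ID]:
		return nil, fmt.Errorf("assertion %s already consumed (replay)", a.ID)
	}
	v.seen[a.ID] = true
	return &a, nil
}

// Demo issues one assertion, serialises it, and has the service provider accept it
// once, then reject a replay, a stale presentation and the wrong audience.
func Demo() (accepted *Assertion, replay, stale, wrongAudience error) {
	const idp, sp = "https://sso.news.example", "https://typesetting.news.example"
	now := time.Date(2005, 9, 19, 10, 0, 0, 0, time.UTC)
	doc, _ := xml.MarshalIndent(Issue(idp, "editor1", sp, "_7f3a9c", now), "", "  ") // cannot fail for these plain structs
	v := NewValidator(idp, sp)
	accepted, _ = v.Validate(doc, now) // first presentation: accepted
	_, replay = v.Validate(doc, now)
	_, stale = NewValidator(idp, sp).Validate(doc, now.Add(time.Hour))
	_, wrongAudience = NewValidator(idp, "https://ads.news.example").Validate(doc, now)
	return accepted, replay, stale, wrongAudience
}

func main() {
	a, replay, stale, wrong := Demo()
	fmt.Println(a.Subject, a.Authz.Decision, replay, stale, wrong)
}
```

The checks in `Validate` are the ones the security considerations (item 4 above) exist for: without the audience restriction an assertion meant for one system could be replayed to another; without the validity window and the single-use record a captured assertion would stay usable indefinitely. In a real deployment the XML-Signature check comes before all of them, since until the issuer's signature has been verified none of the other fields can be trusted.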


---

(计算机世界报, 19 September 2005, issue 36, pages C14 and C15)
