UUMS and SSO

Taking the database system of a multimedia news organization as an example, this article proposes building an enterprise user authentication center that provides unified user management, security-policy-based login, authentication and single sign-on, and so solves the repeated-login problem users run into when they use several applications at once.

With the rapid development of information and network technology, enterprises run more and more internal applications. In the media industry, for example, common systems include editing, typesetting, printing, advertising management, finance, office automation, decision support, customer relationship management and web publishing. Because these systems are independent of one another, a user must log in to each application separately before using it, and must therefore remember a user name and password for every system, which is a considerable burden. As the number of systems grows, the likelihood of mistakes grows, the likelihood of unlawful interception and sabotage grows, and security falls accordingly. It is for this situation that the concepts of unified user authentication and single sign-on arose, and they are now applied to enterprise application systems.

Basic principles of unified user management

In general, each application manages user information in its own format, with its own naming and storage conventions. When a user needs several applications, their user information has to be synchronized between them, and that synchronization increases both the complexity of the systems and the cost of managing them.

For example, if user X needs to use both system A and system B, an account for X must be created in each system, and whenever X's information changes in one of them it must be synchronized to the other. If X uses 10 applications, a change made in any one system must be synchronized to the other nine. The synchronization program must also guarantee data integrity when a synchronization fails unexpectedly, so it can become very complex.

The fundamental way to solve the synchronization problem is to establish a unified user management system (UUMS). UUMS stores the user information of all application systems in one place; every user-related operation of an application goes through UUMS, while other operations, such as authorization, are completed by the application itself: unified storage, distributed authorization. UUMS should have the following basic functions:

1. User information is named according to a common specification and stored centrally, and every user ID is globally unique, so that, like an ID card number, it identifies and distinguishes individual people.

2. UUMS provides each application system with a list of user attributes, such as name, phone number, address and e-mail; each application can select some or all of the attributes it requires.

3. Requests from application systems to add, modify, delete or query a user's basic information are all handled by UUMS.

4. Application systems retain their own user management functions, such as user groups and user authorization.

5. UUMS must keep sound logs, recording in detail the operations that application systems perform on it.
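The five functions above, as an added example written for this article rather than code from the original page: a minimal in-memory UUMS registry in which user IDs are globally unique, each application subscribes to a subset of a shared attribute catalogue, all add/modify/query/delete operations go through the registry, and every operation is logged. The class name, the attribute catalogue and the two application names in `demo()` are assumptions made for the illustration.

```python
"""Minimal UUMS registry illustrating the five basic functions listed above.
Added example for this article, not code from the original page; the class and
attribute names are assumptions made for the illustration."""
import uuid
from datetime import datetime, timezone

# Attribute list the UUMS offers to application systems (function 2).
ATTRIBUTE_CATALOGUE = ("name", "phone", "address", "email")


class UUMS:
    def __init__(self):
        self.users = {}          # global user ID -> full attribute record (function 1)
        self.subscriptions = {}  # application -> attributes it selected (function 2)
        self.audit_log = []      # (timestamp, app, operation, user ID) rows (function 5)

    def _log(self, app, operation, global_id):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, app, operation, global_id))

    @staticmethod
    def _require_known(attributes):
        unknown = set(attributes) - set(ATTRIBUTE_CATALOGUE)
        if unknown:
            raise ValueError(f"attributes not in catalogue: {sorted(unknown)}")

    def register_app(self, app, attributes):
        """An application selects some or all of the catalogue attributes."""
        self._require_known(attributes)
        self.subscriptions[app] = tuple(attributes)

    def add_user(self, app, **attributes):
        """Create a user; the ID is globally unique, like an ID-card number (function 1)."""
        self._require_known(attributes)
        global_id = uuid.uuid4().hex
        self.users[global_id] = {k: attributes.get(k) for k in ATTRIBUTE_CATALOGUE}
        self._log(app, "add", global_id)
        return global_id

    def modify_user(self, app, global_id, **changes):
        """A change is made once, centrally, so no per-system synchronization is needed (function 3)."""
        self._require_known(changes)
        self.users[global_id].update(changes)
        self._log(app, "modify", global_id)

    def query_user(self, app, global_id):
        """Return only the attributes the calling application subscribed to."""
        record = self.users[global_id]
        self._log(app, "query", global_id)
        return {k: record[k] for k in self.subscriptions[app]}

    def delete_user(self, app, global_id):
        del self.users[global_id]
        self._log(app, "delete", global_id)


def demo():
    """Two applications (constructed names) share one user through the UUMS."""
    uums = UUMS()
    uums.register_app("editing", ["name", "email"])
    uums.register_app("finance", ["name", "phone", "address"])
    uid = uums.add_user("editing", name="Zhang San", email="zs@example.com")
    # Finance updates the phone number once; both applications now read the same record.
    uums.modify_user("finance", uid, phone="010-00000000")
    return uums.query_user("editing", uid), uums.query_user("finance", uid), uums.audit_log
```

Each application sees only the attributes it subscribed to, and the audit log records which application performed which operation on which user ID, which is what function 5 asks for and what an investigator needs when a record is changed unexpectedly.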

UUMS is the basis of unified user authentication, which provides unified authentication and authorization policies for all applications in order to verify that a user is legitimate. Unified user authentication should support the following authentication methods:

1. Anonymous authentication: the user needs no authentication at all and can log in anonymously.

2. Username/password authentication: the most basic means of authentication.

3. PKI/CA digital certificate authentication: the user is authenticated by a digital certificate.

4. IP address authentication: the user may access the system only from a specified IP address or range of IP addresses.

5. Time authentication: the user may access the system only within a specified time period.

6. Access count authentication: the total number of times the user accesses the system must stay within a specified range.

The authentication methods above should be designed as modules that the administrator can load and unload flexibly, and new authentication modules should be easy to add as users require them.

An authentication policy is either a single authentication method or a logical combination of several methods. Administrators can add, delete or combine methods to build policies that meet the authentication requirements. For example, if a group of people share one user account and log in with its user name and password, access should additionally be limited to a certain range of IP addresses. That policy can be expressed as: username/password "and" IP address authentication.
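The modular methods and the "and"/"or"/"not" combination described above, as an added example written for this article (not the page's own code): each authentication method is a small module with a `check(request)` method, combinators build a policy from modules, and `shared_account_policy()` is the article's own example of username/password combined with an IP range. The module names, the request fields, the sample user store and the `10.0.0.0/8` range are assumptions; the PKI/CA module is left out because it needs a certificate library.

```python
"""Pluggable authentication modules and a policy combinator, added as an example
for this article (not the page's own code). Module names, request fields and the
sample user store are assumptions made for the illustration."""
import hashlib
import hmac
import ipaddress
import os
from collections import Counter
from datetime import datetime, time


def make_request(user=None, password=None, ip="127.0.0.1", when="2024-01-01T10:00:00"):
    """A login attempt as the authentication server would see it (constructed fields)."""
    return {"user": user, "password": password, "ip": ip, "when": datetime.fromisoformat(when)}


def make_password_record(password, iterations=200_000):
    """Salted PBKDF2 record for the sample user store; never store the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


class Anonymous:                      # method 1
    def check(self, request):
        return True


class Password:                       # method 2
    def __init__(self, store):
        self.store = store            # user name -> (salt, digest, iterations)

    def check(self, request):
        record = self.store.get(request["user"])
        if record is None or request["password"] is None:
            return False
        salt, digest, iterations = record
        candidate = hashlib.pbkdf2_hmac("sha256", request["password"].encode(), salt, iterations)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison


class IpRange:                        # method 4
    def __init__(self, networks):
        self.networks = [ipaddress.ip_network(n) for n in networks]

    def check(self, request):
        address = ipaddress.ip_address(request["ip"])
        return any(address in net for net in self.networks)


class TimeWindow:                     # method 5
    def __init__(self, start, end):
        self.start, self.end = time.fromisoformat(start), time.fromisoformat(end)

    def check(self, request):
        return self.start <= request["when"].time() <= self.end


class AccessCount:                    # method 6
    def __init__(self, limit):
        self.limit, self.counts = limit, Counter()

    def check(self, request):
        if self.counts[request["user"]] >= self.limit:
            return False
        self.counts[request["user"]] += 1
        return True


class And:
    """Every module must pass; evaluation stops at the first failure."""
    def __init__(self, *modules):
        self.modules = modules

    def check(self, request):
        return all(m.check(request) for m in self.modules)


class Or:
    def __init__(self, *modules):
        self.modules = modules

    def check(self, request):
        return any(m.check(request) for m in self.modules)


class Not:
    def __init__(self, module):
        self.module = module

    def check(self, request):
        return not self.module.check(request)


def shared_account_policy(store):
    """The article's example: username/password AND IP address, for a shared account."""
    return And(Password(store), IpRange(["10.0.0.0/8"]))
```

Because a policy is just a tree of objects with the same `check` interface, an administrator (or a configuration file) can compose new policies without touching the modules, which is the loadable/unloadable design the text asks for. Note that `AccessCount` counts attempts that reach it, so place it after the modules that must pass first.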

PKI/CA digital certificate authentication is not common, but it is useful and is usually employed in environments that require a higher level of security. PKI (Public Key Infrastructure) is a public key system that uses public key theory and digital certificates to secure information systems.

In a public key cryptosystem, keys are generated in pairs; each pair consists of a public key, which is made available to everyone, and a private key, which is kept by its owner alone. When a sender encrypts information with the recipient's public key, this is called digital encryption, and the recipient decrypts it with their own private key; when a sender processes information with their own private key, this is called a digital signature, and the recipient verifies (decrypts) it with the sender's public key. PKI uses digital encryption and digital signatures to ensure the confidentiality of data in transit (it cannot be read by unauthorized parties), its integrity (it cannot be tampered with) and its validity (the sender cannot deny having issued it).

A digital certificate, sometimes called a digital ID, is a piece of data containing the user's identity information: it binds the user's information to their public key by means of a digital signature mechanism, and that signature mechanism guarantees the authenticity of the certificate's contents.

The system should have a complete PKI: a Certificate Authority (CA), a Registration Authority (RA), a Key Management Center (KMC), a certificate status query system, and a backup and recovery system. The CA is the core of the PKI and is responsible for issuing and revoking all digital certificates; the RA accepts and reviews users' requests for certificate issuance, revocation and recovery; the KMC is responsible for generating, storing, managing, backing up and recovering encryption keys; the certificate status query system usually uses OCSP (Online Certificate Status Protocol) to answer queries about a user's certificate, which is how the validity of a user's signature is verified; and the backup and recovery system backs up and restores digital certificates, keys and system data.

Single sign-on

Single sign-on (SSO) is a technology that gives users convenient access to multiple systems: a user logs in once and can then move freely between systems without repeatedly entering a user name and password to prove their identity. In essence, SSO is the transfer of a security context or credential between multiple applications, or its sharing among them. When a user logs in, the client software uses the user's credentials (for example user name and password) to establish a security context for the user; the security context holds the security information that verifies the user, and the system uses this context together with its security policy to decide whether the user may access system resources. Unfortunately, the J2EE specification does not define the format of the security context, so a security context cannot be passed between J2EE products from different vendors.
 
Many products support SSO, such as IBM's WebSphere and BEA's WebLogic, but each implements it differently: WebSphere records authentication information in a cookie, while WebLogic shares authentication information through the session. A cookie is a client-side mechanism; it stores a name, a value, an expiration time, a path and a domain, and the domain and path together define the cookie's scope, so SSO implemented with cookies requires all the systems to share the same domain. A session is a server-side mechanism: when a client accesses the server, the server creates a unique session ID for that client, so state is kept throughout the interaction, and the information exchanged can be defined by the application itself. SSO implemented in session mode therefore cannot provide single sign-on across multiple browsers, but it can cross domains.

Is there a standard for implementing SSO? How can information be exchanged between products from different vendors, and between an organization's internal products, in a more standardized and more secure way? For this purpose OASIS (Organization for the Advancement of Structured Information Standards) proposed SAML as a solution (see the SAML entry under "Links").

A user authentication center brings all of the functions and concepts above together into one whole, providing a complete user authentication and single sign-on solution. A complete user authentication center should have the following functions:

1. Unified user management: centralized management of user information, with a standard interface.

2. Unified authentication: centralized user authentication supporting multiple authentication methods (PKI, username/password and so on) in both B/S and C/S modes.

3. Single sign-on: single sign-on across the different systems within a group of applications.

The user authentication center provides unified authentication; how, then, does it provide unified authorization? That is the task of authorization management, and the most widely used approach is PMI.

The goal of PMI (Privilege Management Infrastructure) is to provide authorization management services to users and applications: it supplies the mapping from user identity to authorization and a practical processing model for specific application systems, so that authorization and access control mechanisms are developed and managed independently of the applications, which simplifies their development and maintenance. PMI consists of attribute certificates (Attribute Certificate), attribute authorities (Attribute Authority), an attribute certificate repository and so on, and implements the generation, management, storage, distribution and revocation of privileges and their certificates.

PMI takes resource management as its core: access to resources is controlled uniformly by the authorizing institution, that is, by the owner of the resource. Compared with PKI, the main difference is that PKI proves who the user is, whereas PMI proves what the user is permitted to do; PMI can build on the authentication that PKI provides.

A universal design model for single sign-on

Figure 2 shows a universal design model for unified user authentication and single sign-on, made up of the following products:

1. PKI system: including the CA server, RA server, KMC and OCSP server.

2. AA management server: the authentication (Authentication) and authorization (Authorization) server, which gives system administrators management of user information, authentication and authorization.

3. UUMS module: provides the UUMS interface to application systems.

4. SSO: including the SSO server and the SSO agent. The SSO agent is deployed on the server side of each application system and is responsible for intercepting SSO requests from clients and forwarding them to the SSO server; if the forwarded request is an OCSP request, the SSO server forwards it on to the OCSP server. In C/S mode the SSO agent is usually deployed on the client.

5. PMI: including the PMI agent and the PMI server. The PMI agent is deployed on the server side of each application system and is responsible for intercepting PMI requests from clients and forwarding them to the PMI server.

6. LDAP server: unified storage of user information, certificates and authorization information.

To determine whether a user has already logged in, the SSO server needs to keep a user session table recording each user's login and logout times; by looking up the session table the SSO server knows the user's login status. The table is usually stored in a database. The AA system provides management functions for sessions, such as recording, monitoring and revocation. To ensure stability and efficiency, two or more instances of SSO, PMI and OCSP can be deployed and serve requests simultaneously.
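The session table and the agent-to-server check described above, as an added example written for this article (not the page's own code): `SessionTable` keeps one row per login with login time, logout time and last activity, `agent_intercept()` is the decision an SSO agent makes for each request it intercepts, and `revoke_user()` is the AA system's session revocation. The row layout, the 30-minute idle timeout, the request field name and the `clock()` reference time are assumptions made for the illustration; a real deployment would keep the table in a database shared by all SSO server instances.

```python
"""SSO server session table and agent check, added as an example for this
article (not the page's own code). Table layout, timeout and the agent
interface are assumptions made for the illustration."""
import secrets
from datetime import datetime, timedelta


def clock(minutes):
    """Constructed reference time: 09:00 on 2024-01-01 plus the given minutes."""
    return datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minutes)


class SessionTable:
    """One row per login: user, login time, logout time (None while active), last activity."""

    def __init__(self, idle_timeout=timedelta(minutes=30)):
        self.rows = {}                     # session ID -> row
        self.idle_timeout = idle_timeout

    def login(self, user, now):
        """Called after the authentication policy has passed; returns the session ID."""
        session_id = secrets.token_urlsafe(32)   # unpredictable, so it cannot be guessed
        self.rows[session_id] = {"user": user, "login": now, "logout": None, "last_seen": now}
        return session_id

    def is_logged_in(self, session_id, now):
        """The check an SSO agent asks the server to perform for each intercepted request."""
        row = self.rows.get(session_id)
        if row is None or row["logout"] is not None:
            return False
        if now - row["last_seen"] > self.idle_timeout:
            # Idle too long: record the expiry as the logout time and refuse.
            row["logout"] = row["last_seen"] + self.idle_timeout
            return False
        row["last_seen"] = now
        return True

    def logout(self, session_id, now):
        row = self.rows.get(session_id)
        if row is not None and row["logout"] is None:
            row["logout"] = now

    def revoke_user(self, user, now):
        """AA management function: end every active session of a user, e.g. when the account is disabled."""
        ended = 0
        for row in self.rows.values():
            if row["user"] == user and row["logout"] is None:
                row["logout"] = now
                ended += 1
        return ended

    def active_users(self):
        return sorted({row["user"] for row in self.rows.values() if row["logout"] is None})


def agent_intercept(table, request, now):
    """SSO agent on an application server: allow the request, or send the client to the SSO login."""
    session_id = request.get("sso_session")
    if session_id and table.is_logged_in(session_id, now):
        return "allow"
    return "redirect-to-sso-login"
```

Keeping the logout time (including an idle expiry) in the same row as the login time gives the AA system the monitoring view the text mentions, and it lets an operator answer "which sessions were active at time T" from the table alone.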

Links

SAML

SAML (Security Assertion Markup Language) is an XML-based framework used mainly to exchange authentication, authorization and attribute information between security systems, and one of its main goals is SSO. Under the SAML framework, whatever trust mechanism a user relies on, systems that satisfy SAML's interface, message exchange definitions and process specifications can integrate seamlessly with one another. SAML's complete framework, together with its message formats and protocols, lets the existing identity authentication mechanisms (PKI, Kerberos and passwords) and authorization mechanisms (attribute-certificate-based PMI, ACLs and Kerberos access control) interoperate across trust domains through a unified interface, which makes unified management of trust and authorization in distributed application systems easier.

SAML is not a new technology. More precisely, it is a language, an XML description, whose purpose is to allow information produced by different security systems to be exchanged. The SAML specification consists of the following parts:

1. Assertions and protocols: define the syntax and semantics of XML-format assertions and the request/response protocols. SAML has three main kinds of assertion: authentication assertions, attribute assertions and authorization decision assertions.

2. Bindings and profiles: the mapping of SAML request and response messages onto underlying communication protocols such as SOAP or SMTP.

3. Conformance specification: sets a baseline that an implementation must meet before it can be called a conformant implementation of the SAML standard, which helps improve interoperability and compatibility.

4. Security and privacy considerations: the security risks in the SAML architecture, specifically how SAML counters those risks and which risks it cannot resolve.

Note that SAML was not designed specifically for SSO, but it does provide a workable framework for standardizing SSO.
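The three kinds of assertion listed under "Assertions and protocols", as an added example written for this article (not the page's own code or any SAML library): `build_assertion()` is the identity-provider side, producing one SAML 2.0 assertion that carries an authentication statement, an attribute statement and an authorization decision statement, and `consume_assertion()` is the service-provider side, checking the validity window and extracting the three statements. The issuer, subject, attributes and resource are constructed values, and the assertion is unsigned; a real consumer must verify the issuer's XML signature before trusting anything in it, which is exactly the kind of risk the "Security and privacy considerations" part of the specification addresses.

```python
"""Build and consume a SAML 2.0 assertion carrying authentication, attribute and
authorization decision statements. Added example for this article, not the page's
own code; all identifiers are constructed and the assertion is unsigned."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML)


def tag(name):
    return f"{{{SAML}}}{name}"


def build_assertion(issuer, subject, attributes, resource, decision, issued_at):
    """Identity provider side: one assertion with all three statement kinds."""
    stamp = issued_at.strftime(TIME_FMT)
    a = ET.Element(tag("Assertion"), Version="2.0", ID="_" + secrets.token_hex(16), IssueInstant=stamp)
    ET.SubElement(a, tag("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, tag("Subject")), tag("NameID")).text = subject
    # Short validity window: a captured assertion is useless after five minutes.
    ET.SubElement(a, tag("Conditions"), NotBefore=stamp,
                  NotOnOrAfter=(issued_at + timedelta(minutes=5)).strftime(TIME_FMT))
    # 1. Authentication statement: how and when the subject was authenticated.
    authn = ET.SubElement(a, tag("AuthnStatement"), AuthnInstant=stamp)
    ET.SubElement(ET.SubElement(authn, tag("AuthnContext")), tag("AuthnContextClassRef")).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    # 2. Attribute statement: the user attributes the UUMS released for this application.
    attr_stmt = ET.SubElement(a, tag("AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(attr_stmt, tag("Attribute"), Name=name)
        ET.SubElement(attr, tag("AttributeValue")).text = value
    # 3. Authorization decision statement: may the subject perform an action on a resource?
    authz = ET.SubElement(a, tag("AuthzDecisionStatement"), Resource=resource, Decision=decision)
    ET.SubElement(authz, tag("Action"), Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc").text = "Read"
    return ET.tostring(a, encoding="unicode")


def consume_assertion(xml_text, now):
    """Service provider side: enforce the validity window, then extract the statements.
    Signature verification is deliberately out of scope here and must precede this in practice."""
    a = ET.fromstring(xml_text)
    cond = a.find(tag("Conditions"))
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        raise ValueError("assertion is outside its validity window")
    authn = a.find(tag("AuthnStatement"))
    authz = a.find(tag("AuthzDecisionStatement"))
    return {
        "issuer": a.findtext(tag("Issuer")),
        "subject": a.find(tag("Subject")).findtext(tag("NameID")),
        "authn_context": authn.find(tag("AuthnContext")).findtext(tag("AuthnContextClassRef")),
        "attributes": {x.get("Name"): x.findtext(tag("AttributeValue")) for x in a.iter(tag("Attribute"))},
        "authz": (authz.get("Resource"), authz.get("Decision"), authz.findtext(tag("Action"))),
    }


def demo(offset_minutes=1):
    """Round trip on constructed values: consume the assertion offset_minutes after issue."""
    issued = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    xml_text = build_assertion("https://idp.example.com", "zhangsan",
                               {"department": "editing", "email": "zs@example.com"},
                               "https://typesetting.example.com/layout", "Permit", issued)
    return consume_assertion(xml_text, issued + timedelta(minutes=offset_minutes))
```

The three statements map onto the three functions of the authentication center: the authentication statement is what the SSO server vouches for, the attribute statement carries UUMS data, and the authorization decision statement is the PMI answer, all in one XML document that any SAML-conformant application can consume.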


Origin www.cnblogs.com/1011cjk/p/11428003.html