Single sign-on technology: the Microsoft Passport single sign-on protocol and the Liberty Alliance specification

Source: Internet
Author: User
Tags: join, log, ticket, client, ssl, connection

Article description: a survey of single sign-on technology on the Internet.

With the spread of Internet applications, more and more people use services provided over the Internet. Most Web sites that provide services still identify users by user name and password, so users must enter a user name and password again and again. This form of authentication has obvious drawbacks: as a user's network identities multiply, the user has to remember several sets of user names and passwords, which is a burden on memory; and every additional entry of a user name and password is another opportunity for the password to be captured or cracked. Single sign-on technology emerged to change this situation.

The core idea of single sign-on is to connect the sites that provide services in some way, so that a user needs to log in only once, at an authentication site, to obtain a global login; when the user then visits other sites, no further login is needed and the user's identity can still be verified. With single sign-on, a user has to remember only one set of user name and password and enters it only once to log in to several sites, which lets users make more secure and efficient use of the various services on the Internet.

General model for single sign-on

The general single sign-on model has three parts: (1) the user, (2) the identity provider and (3) the service provider, as shown in Figure 1.

A user is an individual who uses the single sign-on service through a browser. An identity provider supplies authentication services to individuals in single sign-on; it acts as an authoritative organization. A service provider is an organization that provides a particular service to the user. The user registers an identity with the identity provider. To perform single sign-on, the user logs in to the identity provider, which authenticates the user and records the login; this login at the identity provider is usually called a global login. When a globally logged-in user accesses a service provider, that service provider first interacts directly with the identity provider to ask whether the user is globally logged in. If so, it allows the user to access its service; if not, it redirects the user to the identity provider to log in globally.

Specific single sign-on implementations differ in how the identity provider and service provider interact. For example, Microsoft Passport carries encrypted authentication information in the redirect message, whereas the Liberty Alliance single sign-on specification uses the Security Assertion Markup Language (SAML). The rest of this article introduces the two major single sign-on protocols of the moment, the Microsoft Passport single sign-on protocol and the Liberty Alliance specification, to explain single sign-on technology further.

I. Microsoft Passport single sign-on protocol

1.1 Microsoft Passport Services

Since we are about to discuss the Microsoft Passport single sign-on protocol, it is natural to introduce the Microsoft Passport service first. The terms and notices governing Passport use can be read at Microsoft's site, www.passport.com. Microsoft Passport is a Web service run by Microsoft that makes it easier for users to log on to Web sites and carry out e-commerce transactions. The Passport service is part of Microsoft's .NET strategy and gives users access to many Web sites through a single login. Microsoft claims that Passport is designed to make it easier, faster and safer for members to use the Internet and shop online, and it has been adopted by many well-known online stores, including 1-800-Flowers, Costco, OfficeMax and Victoria's Secret. Microsoft Passport is essentially a centrally managed single sign-on service controlled by Microsoft. Microsoft's Hotmail, Messenger and MSN Internet access services have joined the mechanism, and it currently has about 200 million accounts.

1.2 Microsoft Passport Single sign-on protocol

The Microsoft Passport service model has three principals: (1) the user, who uses a Web browser (and is assumed to have already registered for the Passport service); (2) the service provider, a Web site that provides a service to the user; and (3) the Passport login server. The Passport login server holds the user's authentication information and personal information, and a service provider can obtain the user's personal information from the Passport login server with the user's permission.

The Microsoft Passport single sign-on protocol proceeds as follows [1]. When a user accesses a service provider's Web site through a browser and the site needs to authenticate the user, the browser is redirected to the Passport login server. The Passport login server then presents a login page over an SSL connection; after the user logs in, the browser is redirected back to the service provider's Web site with the authentication information included in the redirect message. This authentication information is encrypted with the Triple DES algorithm under a key negotiated in advance between the Passport login server and the service provider's Web site. Once the service provider has verified the authenticity of the authentication information, the user is considered to have logged in successfully. The detailed flow is shown in Figure 2.

The Microsoft Passport single sign-on protocol uses the Kerberos authentication mechanism to carry out identity authentication. Kerberos is an authentication mechanism for open systems that provides trusted third-party services for network communication. In Kerberos, whenever a user (client) requests a service from a service program (server), the two sides first authenticate each other through Kerberos; the authentication rests on the trust that both the client and the server place in Kerberos. When requesting authentication, the client and the server can both be viewed as users of the Kerberos authentication service; to distinguish them from other services, Kerberos users are collectively called principals, and a principal can be either a user or a service. When a user logs on to a workstation, Kerberos authenticates the user, and the authenticated user can then obtain the appropriate services for the duration of the logon session. Kerberos depends neither on the terminal the user logs on from nor on the security mechanism of the service the user requests; it provides its own authentication server to perform user authentication [7]. Simply put, Kerberos authenticates users through centralized storage of security information and distributed "tickets". Specifically, the Microsoft Passport service authenticates a user in the following steps:

1. The user opens the client application or browser, opens the login interface and enters a user name and password.

2. The login action causes the client application or Web site to request a login credential, the ticket-granting ticket (TGT), from Microsoft Passport.

3. Microsoft Passport verifies the user name and password, issues the TGT and confirms that the login succeeded. The TGT is cached for a certain period, subject to certain security restrictions.

4. The client application or Web site submits the TGT to Microsoft Passport and requests a "session certificate" (the service ticket, in Kerberos terms).

5. Microsoft Passport uses the TGT to verify the client's identity and issues a "session certificate" for the requested Web service.

6. The client submits the session certificate to the requested Web service; once it is confirmed, the client begins exchanging information with the Web service, and all data is encrypted under the session certificate to ensure security.
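The six steps above and the redirect exchange of section 1.2 can be run end to end in a small model. The following is an added example, not code from the original article and not Microsoft's Passport implementation. It uses only the Python standard library, so the Triple DES encryption the article describes is replaced by HMAC-SHA256 "sealing" of the ticket (named as such in the code); the login server, the two sites, the user "alice", the keys and the URLs are all constructed for the example, and a mutable clock stands in for wall-clock time so the run is reproducible.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example: every user, site, key and URL below is made up for illustration.
# A mutable clock keeps the demo deterministic where a deployment would use time.time().
CLOCK = {"now": 1_700_000_000}


def seal(key, claims):
    """Bind claims to `key` with HMAC-SHA256. Stands in for Passport's Triple DES blob
    and for Kerberos' key-encrypted tickets: proves origin and integrity, hides nothing."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def unseal(key, token):
    """Reject tickets that were forged, tampered with or have expired."""
    body_b64, tag_b64 = token.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
        raise ValueError("ticket integrity check failed")
    claims = json.loads(body)
    if claims["exp"] <= CLOCK["now"]:
        raise ValueError("ticket expired")
    return claims


class LoginServer:
    """Passport login server: holds credentials, issues TGTs and session tickets."""

    def __init__(self):
        self.tgt_key = os.urandom(32)  # never leaves the login server
        self.users = {}                # name -> (salt, PBKDF2 hash)
        self.sp_keys = {}              # site id -> key negotiated with that site in advance

    def register_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def enroll_site(self, site_id):
        self.sp_keys[site_id] = os.urandom(32)
        return self.sp_keys[site_id]   # handed to the site once, out of band

    def login(self, name, password):
        """Steps 1-3: check the password and issue the TGT the client caches."""
        salt, digest = self.users.get(name, (None, None))
        if salt is None or not hmac.compare_digest(
                hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest):
            raise ValueError("bad credentials")
        return seal(self.tgt_key, {"typ": "tgt", "sub": name, "exp": CLOCK["now"] + 8 * 3600})

    def redirect_back(self, tgt, site_id, return_url):
        """Steps 4-5: swap the TGT for a short-lived ticket bound to one site and
        carry it back to that site in the redirect URL."""
        claims = unseal(self.tgt_key, tgt)
        ticket = seal(self.sp_keys[site_id], {"typ": "session", "sub": claims["sub"],
                                              "aud": site_id, "exp": CLOCK["now"] + 300})
        return return_url + "?" + urlencode({"ticket": ticket})


class ServiceProvider:
    """Step 6, from the site's side: validate the ticket with the shared key."""

    def __init__(self, site_id, key):
        self.site_id, self.key = site_id, key

    def accept_redirect(self, url):
        claims = unseal(self.key, parse_qs(urlsplit(url).query)["ticket"][0])
        if claims["typ"] != "session" or claims["aud"] != self.site_id:
            raise ValueError("ticket was not issued for this site")
        return claims["sub"]


def demo():
    ls = LoginServer()
    ls.register_user("alice", "correct horse battery staple")
    shop = ServiceProvider("shop.example", ls.enroll_site("shop.example"))
    mail = ServiceProvider("mail.example", ls.enroll_site("mail.example"))
    tgt = ls.login("alice", "correct horse battery staple")      # the only password entry
    shop_url = ls.redirect_back(tgt, "shop.example", "https://shop.example/sso")
    mail_url = ls.redirect_back(tgt, "mail.example", "https://mail.example/sso")
    result = {"shop_user": shop.accept_redirect(shop_url),
              "mail_user": mail.accept_redirect(mail_url)}       # second site, no second login

    def rejected(sp, url):
        try:
            sp.accept_redirect(url)
            return False
        except ValueError:
            return True

    result["cross_site_replay_rejected"] = rejected(mail, shop_url)  # sealed with shop's key
    CLOCK["now"] += 600                                               # 5-minute ticket is stale
    result["stale_ticket_rejected"] = rejected(shop, shop_url)
    return result
```

Running `demo()` shows the property the article is after: one password entry yields a TGT, and each further site is reached with a fresh site-bound ticket and no second login. The two negative cases are the checks a service provider must actually perform: a ticket sealed for another site fails under the wrong key, and a ticket presented after its lifetime fails the expiry check. One caveat for anyone reproducing the original design: Triple DES encryption alone gives confidentiality, not integrity, so a ticket protected only by encryption should also carry an authentication tag (or use an authenticated-encryption mode) before a site trusts the fields inside it.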

1.3 Microsoft Passport Summary

Although Microsoft Passport has been in service for many years, its security has been questioned. First, its centralized model is the most common criticism: because the core authentication server and the server holding users' personal information are all controlled by Microsoft, the technical details are not disclosed, and the design does not follow any published standard, people worry that users' personal data may leak. Second, the Passport system has repeatedly been compromised by individuals and hackers. All of this limits the further expansion of the Microsoft Passport service.

II. Liberty Alliance specification

2.1 Liberty Alliance

The Liberty Alliance is a consortium whose aim is to create an open, federated single sign-on identity solution usable from any device connected to the Internet, so that single sign-on authentication for Internet transactions is possible anytime and anywhere, and to establish the related standards. Membership is open to all commercial and non-commercial organizations. Its founding members include well-known companies from service providers, automotive manufacturing, financial services, travel, digital media, retail, telecommunications and technology. The Liberty Alliance currently consists of more than 170 members, including Sun, Nokia and American Express, who provide the technical specifications and business guidelines for cross-enterprise identity authentication services. Liberty itself does not produce applications; technology vendors such as Sun, Novell, PeopleSoft and HP develop compatible applications that support the Liberty standards. The Liberty Alliance specification allows different service providers to join a federated trust network [6].

The main objectives of the Liberty Alliance are the following three:

Enable individual consumers and business users to keep their personal information safely. On this basis, promote services that are free of any information monopoly and that can interoperate across multiple networks.

Develop an open standard for single sign-on, so that a user who has been authenticated at any one Web site can use the services of other sites without undergoing their authentication again.

Establish an open network authentication standard that every device connected to the Internet can use, so that terminals as varied as mobile phones, in-car equipment and credit cards can be securely authenticated.
