Single Sign-on technology: Microsoft Passport Single Sign-on protocol and Free Alliance specification.

Source: Internet
Author: User
Tags: ssl connection

As Internet applications have spread, more and more people use services provided over the Internet. Most websites that provide such services still identify users by username and password, so users must enter their usernames and passwords frequently. This form of authentication has an obvious drawback: as a user's online identities multiply, the user must remember many username and password pairs, which is a burden on memory, and every additional entry of a username and password raises the probability that the password is compromised. Single sign-on technology emerged to change this situation.

The core idea of single sign-on is to connect the websites that provide services in some way, so that the user needs to log in only once, at an authentication site, to obtain a global login; when the user then visits another site, no further login is needed and the user's identity can still be verified. With single sign-on the user remembers only one username and password and enters it only once to log in to many sites, which makes using services on the Internet both safer and more efficient.

General model for single sign-on

The general model of single sign-on has three parts: (1) the user, (2) the identity provider, and (3) the service provider, as shown in Figure 1.

A user is an individual who uses the single sign-on service through a browser. The identity provider supplies the authentication service in single sign-on and acts as the authority. A service provider is an organisation that offers a particular service to the user. The user registers an identity with the identity provider; for single sign-on the user logs in to the identity provider, is authenticated, and the identity provider records the login. A user's login at the identity provider is usually called a global login. Once the user has logged in globally and then visits a service provider, that service provider first interacts with the identity provider to ask whether the user is globally logged in; if so, it lets the user access its services, otherwise it redirects the user to the identity provider for a global login.

Specific single sign-on implementations differ in how the identity provider and the service provider interact. Microsoft Passport passes encrypted authentication information inside redirect messages, whereas the Liberty Alliance single sign-on specification exchanges Security Assertion Markup Language (SAML) messages. The rest of this article introduces the two major single sign-on protocols, the Microsoft Passport single sign-on protocol and the Liberty Alliance specification, to illustrate single sign-on technology further.

1. The Microsoft Passport single sign-on protocol

1.1 The Microsoft Passport service

Before the Passport single sign-on protocol, the Passport service itself deserves an introduction. Microsoft's site www.passport.com carries the terms of use and notices for Microsoft Passport. Microsoft Passport is a web service run by Microsoft that makes it easier for users to log on to websites and carry out e-commerce transactions. The Passport service is part of Microsoft's .NET strategy and gives users access to many sites with one login. Microsoft states that the purpose of Passport is to make using the Internet and shopping online easier, faster and safer for members, and it is supported by many well-known online stores, including 1-800-Flowers, Costco, OfficeMax and Victoria's Secret. The Passport service is essentially a centrally coordinated single sign-on service controlled by Microsoft. Microsoft's Hotmail, Messenger and ISP (MSN) services have joined it, with about 200 million accounts currently in use.

1.2 The Microsoft Passport single sign-on protocol

The Microsoft Passport service model has three principals: (1) the user, working in a web browser (assumed to have already registered with the Passport service), (2) the service provider (the website that offers a service to the user), and (3) the Passport login server. The Passport login server holds the user's authentication information and personal information; a service provider may obtain the user's personal information from the Passport login server, provided the user permits it.

The Microsoft Passport single sign-on protocol runs as follows [1]. When a user visits a service provider's website through a browser and the site needs to authenticate the user, the browser is redirected to the Passport login server. The Passport login server serves the user a login page over an SSL connection; after the user logs in, the browser is redirected back to the service provider's website, and the authentication information is carried in that redirect message. The authentication information is encrypted with the Triple DES algorithm, using a key negotiated in advance between the Passport login server and the service provider's website. Once the service provider's website has verified the authenticity of the authentication information, it treats the user as logged in. The flowchart is shown in Figure 2.

The Microsoft Passport single sign-on protocol uses a Kerberos-style authentication mechanism. Kerberos is an authentication mechanism for open systems that provides a trusted third-party service for network communication. Under Kerberos, every time a user (client) requests a service from a service program (server), the two first ask Kerberos to authenticate the other party; the authentication rests on both the client and the server trusting Kerberos. When requesting authentication, both the client and the server are treated as users of the Kerberos authentication service; to distinguish them from other services, a Kerberos user is called a principal, and a principal can be either a user or a service. When a user logs on to a workstation, Kerberos authenticates the user, and the authenticated user can then obtain the appropriate services for the whole logon session [7]. Kerberos does not depend on the endpoint the user logs on from, nor on the security mechanism of the requested service; it provides its own authentication server to carry out the user's authentication. Put simply, Kerberos authenticates users through centrally stored security information and distributed "tickets". Specifically, the Microsoft Passport service authenticates users in the following steps:

1. The user opens the client application or browser, opens the login page, and enters a username and password.

2. The login causes the client application or website to request a login credential, the ticket-granting ticket (TGT), from Microsoft Passport.

3. Microsoft Passport verifies the username and password and issues the TGT, confirming that the login succeeded. The TGT is cached for a limited period, subject to certain security constraints.

4. The client application or website submits the TGT to Microsoft Passport and requests a "session credential".

5. Microsoft Passport uses the TGT to verify that the client's identity is valid and, on confirmation, issues a "session credential" for the requested web service.

6. The client presents the session credential to the requested web service; once it is confirmed, the client begins exchanging information with the web service, and all data is encrypted under the "session credential" to ensure security.

1.3 Microsoft Passport Summary

Although Microsoft Passport has been in service for many years, its security has always been questioned. First, its centrally coordinated model is the most common objection: because the core authentication server and the server holding users' personal information are both controlled by Microsoft, the technical details are not public, and the design follows no open standard, people have worried about the leakage of users' personal data. Second, Microsoft's Passport system has been broken into repeatedly by individuals and hackers. All of this limits the further spread of the Microsoft Passport service.

2. The Liberty Alliance specification

2.1 The Liberty Alliance

The Liberty Alliance is an alliance set up to create an open, federated single sign-on identity solution that can be implemented on any device connected to the Internet; its goal is single sign-on authentication anytime, anywhere, for transactions over the Internet, and the establishment of the relevant standards. Membership is open to all commercial and non-commercial organisations. Its founding members are well-known companies in service delivery, automotive manufacturing, financial services, travel, digital media, retail, telecommunications and technology-related industries. The Liberty Alliance currently has more than 170 member vendors, including Sun, Nokia and American Express, and provides technical specifications and business guidance for cross-enterprise identity authentication services. Liberty itself does not produce applications; technology vendors such as Sun, Novell, PeopleSoft and HP develop compatible applications that support the Liberty standard. The Liberty Alliance specification allows different service providers to join a federated trust network [6].

The Liberty Alliance has three main objectives:

1. Enable individual consumers and business users to keep their personal information secure, and on that basis promote services that are not monopolised by one party, interoperate with one another, and span multiple networks.

2. Establish an open standard for single sign-on, so that a user, once authenticated at any one website, can use the services of other sites without being authenticated again.

3. Establish open standards for network authentication that every Internet-connected device can use, enabling secure authentication between many kinds of terminals, such as mobile phones, in-vehicle devices and credit cards.


2.2 The Liberty Alliance specification

On March 11, 2003 (local time) the Liberty Alliance announced the outline of its single sign-on architecture, the "Liberty Alliance Federated Network Identity Architecture", together with a roadmap for its development. The Liberty Alliance says it can remove many of the technical hurdles that hinder web authentication services.

The Liberty Alliance publishes the specifications that support this architecture in two phases. In the first phase, in July 2002, the Liberty Alliance announced the "Liberty Alliance Identity Federation Framework" (ID-FF) as a set of specifications for federated user management; it was revised in January 2003. ID-FF supports associating, or linking, the account information a user already holds at several parties, so that a single login lets the user enjoy the services of several businesses. In the second phase, during 2003, the Liberty Alliance extended ID-FF and published the "Identity Web Services Framework" (ID-WSF). ID-WSF summarises the key technologies needed to build web services based on mutual authentication; the Liberty Alliance holds that such web services serve specific purposes and protect personal privacy and system security when user information is shared. In addition, the Liberty Alliance provides an ID-WSF-based specification set, the "Liberty Alliance Identity Services Interface Specifications" (ID-SIS) [3], which lets businesses offer registration, contact address, calendar, location information and alert services in a standard way.

2.3 Protocols of the Liberty Alliance specification

The Liberty Alliance specification defines four protocols [2]:

1. Single sign-on and identity federation

2. Name registration

3. Federation termination notification

4. Single logout

Like Microsoft Passport, the Liberty Alliance protocols involve three principals:

1. Principals (similar to users in Microsoft Passport)

2. Service providers

3. Identity providers

A service provider, like a service provider in Microsoft Passport, is a website that offers a service to the user. An identity provider in the Liberty Alliance is a special service provider that offers identity authentication and access control over principal information to other principals. It corresponds to the Passport login server in Microsoft Passport, with one essential difference: the identity provider in the Liberty Alliance is not unique; there can be several independent identity providers, which is fundamentally different from Microsoft Passport's centralised single sign-on service.

Let us look more closely at the single sign-on and identity federation protocol, the most complex of the Liberty Alliance protocols. It relies heavily on the Security Assertion Markup Language (SAML), so we start with SAML. SAML is not a new technology: it is a language that provides a single XML description for exchanging information generated by different security systems. SAML works over standard industry transport protocols such as HTTP, SMTP and FTP, and with a wide variety of XML message exchange frameworks such as SOAP and BizTalk. One of its most prominent benefits is that it lets users carry security credentials across the Internet. SAML works as follows [5]:

1. The user submits credentials to the authentication authority.

2. The authentication authority asserts the user's credentials and generates an authentication statement and one or more attribute statements (for example the user's profile information). The user immediately receives the authentication and identity token asserted in SAML.

3. The user attempts to access a protected resource using this SAML token (the authentication statement).

4. The user's request for the protected resource is intercepted by the PEP (policy enforcement point), which submits the user's SAML token (the authentication statement) to the attribute authority.

5. The attribute authority, or PDP (policy decision point), produces a decision according to its own policy rules. If the user is authorised to access the protected resource, an attribute statement is generated and attached to the SAML token (the authentication statement). The user's SAML token can then be presented to a trusted business partner in single sign-on fashion.
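The five-step SAML flow above, as an added Python example that is not code from this article or from the Liberty Alliance: an issuer builds an assertion using SAML 2.0 element names (Issuer, Subject/NameID, Conditions with an AudienceRestriction, AuthnStatement, AttributeStatement), the service provider's PEP checks integrity, issuer, audience and validity window before trusting it, and a small PDP policy then decides on the requested resource. The issuer and audience names, the policy table, the key, the use of epoch seconds instead of xs:dateTime, and the HMAC standing in for an XML-DSig signature are all assumptions made for this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Real SAML 2.0 assertion namespace; the element names below follow SAML 2.0.
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

# Constructed values for this example. Real SAML protects an assertion with an
# XML-DSig signature under the issuer's private key; the HMAC used here stands
# in for that signature so the example runs offline.
ISSUER_KEY = b"constructed-assertion-signing-key"
TRUSTED_ISSUER = "https://idp.example/"   # assumed identity provider name
AUDIENCE = "https://sp1.example/"         # assumed service provider name
# Constructed PDP policy: resource -> (attribute name, required value) or None.
POLICY = {"/payroll": ("role", "staff"), "/public": None}


def _el(parent: ET.Element, name: str, text: Optional[str] = None, **attrs: str) -> ET.Element:
    """Append a SAML-namespaced child element."""
    e = ET.SubElement(parent, f"{{{SAML}}}{name}", attrs)
    if text is not None:
        e.text = text
    return e


def issue_assertion(name_id: str, attrs: Dict[str, str], now: int,
                    lifetime: int = 300) -> Tuple[bytes, str]:
    """Step 2: the authentication authority asserts the user's identity and emits
    an authentication statement plus attribute statements. Times are epoch
    seconds here; real SAML uses xs:dateTime strings in UTC."""
    root = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_constructed-id-1", "Version": "2.0"})
    _el(root, "Issuer", TRUSTED_ISSUER)
    _el(_el(root, "Subject"), "NameID", name_id)
    cond = _el(root, "Conditions", NotBefore=str(now), NotOnOrAfter=str(now + lifetime))
    _el(_el(cond, "AudienceRestriction"), "Audience", AUDIENCE)
    _el(root, "AuthnStatement", AuthnInstant=str(now))
    stmt = _el(root, "AttributeStatement")
    for name, value in attrs.items():
        _el(_el(stmt, "Attribute", Name=name), "AttributeValue", value)
    xml = ET.tostring(root)
    return xml, hmac.new(ISSUER_KEY, xml, hashlib.sha256).hexdigest()


def validate_at_sp(xml: bytes, tag: str, now: int) -> Optional[Dict]:
    """Steps 3-4: the PEP checks the token before the PDP sees it. Returns the
    subject and attributes, or None when any check fails."""
    # Integrity first: do not parse XML whose signature has not been verified.
    expected = hmac.new(ISSUER_KEY, xml, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    root = ET.fromstring(xml)
    ns = {"saml": SAML}
    if root.findtext("saml:Issuer", namespaces=ns) != TRUSTED_ISSUER:
        return None
    cond = root.find("saml:Conditions", ns)
    if cond is None or not (int(cond.get("NotBefore")) <= now < int(cond.get("NotOnOrAfter"))):
        return None
    # Audience restriction: a token minted for another SP must not be accepted here.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", ns)]
    if AUDIENCE not in audiences:
        return None
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    attributes = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=ns)
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", ns)}
    return {"subject": subject, "attributes": attributes}


def pdp_decide(identity: Optional[Dict], resource: str) -> bool:
    """Step 5: the PDP grants access only when the policy's required attribute
    is present in the validated assertion; unknown resources are denied."""
    if identity is None or resource not in POLICY:
        return False
    rule = POLICY[resource]
    return rule is None or identity["attributes"].get(rule[0]) == rule[1]


if __name__ == "__main__":
    t0 = 1_000_000
    xml, tag = issue_assertion("alice", {"role": "staff"}, t0)
    ident = validate_at_sp(xml, tag, t0 + 10)
    print(ident, pdp_decide(ident, "/payroll"))
    print(validate_at_sp(xml, tag, t0 + 600))   # expired: None
```

The order of checks matters: the integrity tag is verified over the raw bytes before any XML is parsed, and the audience check is what stops an assertion issued for one service provider from being replayed at another.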

The Liberty Alliance single sign-on process is broadly the same as the Microsoft Passport process. The difference is that the identity provider in the Liberty Alliance does not pass the authentication message to the service provider inside a redirect; instead it exchanges SAML messages with the service provider. The process is shown in Figure 3.

2.4 Summary of the Liberty Alliance specification

Unlike Microsoft Passport, the Liberty Alliance specification is based on the OASIS industry standard. It is not a centralised single sign-on model but a comparatively even-handed one in which several independent identity providers can coexist within a circle of trust. The Liberty Alliance specification is still at the research stage, however, and its high complexity means that no deployed service comparable to Microsoft Passport has yet emerged.

3. A single sign-on system using a personal domain name as identity

Drawing on the study of the Microsoft Passport and Liberty Alliance single sign-on protocols above, the author designed and developed a single sign-on system that uses a personal domain name as the user's identity. The development environment was Linux 9 as the operating system, PHP5 as the scripting language and MySQL as the database.

The system has three parts: (a) the IDP server (the personal domain name authentication server), (b) the SP1 server (service provider 1) and (c) the SP2 server (service provider 2). The IDP plays the role of the login server in Passport and verifies user identity; SP1 and SP2 simulate two service providers.

As shown above, both Microsoft Passport and the Liberty Alliance set up a dedicated authentication server to guarantee that login accounts in their single sign-on systems are unique and trustworthy. The system designed here instead uses a personal domain name directly as the identity, so the uniqueness and trustworthiness of the login account are guaranteed by the personal domain name authentication server. A domain name is, as is well known, something like a house number on the Internet: a hierarchical string identifier used to identify and locate a computer on the Internet, corresponding to the computer's Internet Protocol (IP) address. In the same way, personal domain names issued to individuals are like identity cards on the Internet, unique and authoritative. Using a personal domain name as the login account of a single sign-on system therefore not only guarantees identity within the system but also lowers its development cost, which favours the adoption of single sign-on.

The system's single sign-on process is as follows. The user registers a personal domain name at the IDP as the login account, together with a password for single sign-on. The user can log in globally directly at the IDP, and SP1 and SP2 can also link to the IDP's login page for global login. After a global login the IDP sets a cookie containing encrypted information in the user's browser to indicate that the user is globally logged in. When a globally logged-in user then visits an SP, the SP automatically redirects the browser to the IDP to ask whether the user is globally logged in; the IDP checks the cookie in the user's browser to decide whether the user is logged in and redirects the browser back to the SP with the authentication information carried in the redirect message. The SP reads the authentication information to determine whether the user is globally logged in: if the check passes, the user is allowed to access its services; if not, the SP sends the user to its own login page. In addition, the IDP, SP1 and SP2 all offer a global logout function; when the user performs a global logout, the IDP clears the cookie in the user's browser.

The IDP and every SP use the same symmetric encryption algorithm and key to encrypt the authentication information. In addition, to protect the SP against replay attacks, each time the SP interacts with the IDP it generates a random number, encrypts it, and includes it in the redirect to the IDP. The IDP decrypts the random number, encrypts it together with the authentication information, and includes the result in the redirect back to the SP. The SP decrypts the message and first checks whether the random number is the one it has just generated; if not, the redirect is treated as a replay attack and discarded.
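The redirect exchange described in this section, including the SP's random number check, and Passport's equivalent of carrying protected authentication information in a redirect, as an added Python example that is not the author's PHP system: an IDP that keeps global login state server-side behind an opaque cookie, SPs that mint a fresh nonce for every check and accept each IDP token only once, and tokens that are rejected when tampered with, expired, or minted for a different SP. The shared key, token lifetime and domain names are constructed, and an HMAC-SHA256 integrity tag stands in for the symmetric cipher the page describes, since what the SP must be able to detect is tampering rather than disclosure.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed key. The page's design has the IDP and SP negotiate one symmetric
# key in advance; a real deployment would use one key per SP and rotate it.
SHARED_KEY = b"constructed-idp-sp-shared-key"
TOKEN_LIFETIME = 60   # seconds an IDP redirect token stays valid (assumed)


def seal(fields: Dict) -> str:
    """Wrap fields in an HMAC-SHA256-protected token. This stands in for the
    page's symmetric encryption: the SP needs to detect tampering, and nothing
    in the token is secret from the user's own browser."""
    payload = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def unseal(token: str) -> Optional[Dict]:
    """Return the fields if the tag verifies, otherwise None."""
    try:
        body, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        return None
    if not hmac.compare_digest(tag, hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()):
        return None
    return json.loads(payload)


class IDP:
    """Personal domain name authentication server."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # cookie value -> personal domain name

    def global_login(self, domain: str) -> str:
        # The cookie is an opaque random handle and the login state lives on the
        # IDP, so there is nothing in the browser to decrypt or forge.
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = domain
        return cookie

    def global_logout(self, cookie: str) -> None:
        self.sessions.pop(cookie, None)

    def handle_sp_redirect(self, cookie: Optional[str], sp_request: str) -> Optional[str]:
        """Answer an SP's 'is this user globally logged in?' redirect."""
        req = unseal(sp_request)
        if req is None or "nonce" not in req or "sp" not in req:
            return None                      # tampered or malformed SP request
        domain = self.sessions.get(cookie)
        if domain is None:
            return None                      # no global login: the SP shows its login page
        return seal({"sub": domain, "sp": req["sp"], "nonce": req["nonce"],
                     "exp": int(time.time()) + TOKEN_LIFETIME})


class SP:
    """Service provider (SP1 or SP2 on the page)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.pending: Dict[str, float] = {}  # outstanding nonces -> time issued

    def start_check(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = time.time()
        return seal({"sp": self.name, "nonce": nonce})

    def finish_check(self, idp_token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated domain name, or None if the redirect is rejected."""
        now = time.time() if now is None else now
        tok = unseal(idp_token)
        if tok is None or tok.get("sp") != self.name or tok.get("exp", 0) < now:
            return None                      # forged, minted for another SP, or stale
        # Replay check from the page: the nonce must be one this SP generated and
        # not yet consumed; pop() makes every IDP token single-use.
        if self.pending.pop(tok.get("nonce"), None) is None:
            return None
        return tok["sub"]


def demo():
    """Constructed walk-through: login, SP1 check, replay, cross-SP use, logout."""
    idp, sp1, sp2 = IDP(), SP("sp1.example"), SP("sp2.example")
    cookie = idp.global_login("alice.example")
    token = idp.handle_sp_redirect(cookie, sp1.start_check())
    first = sp1.finish_check(token)          # "alice.example"
    replay = sp1.finish_check(token)         # None: nonce already consumed
    cross = sp2.finish_check(token)          # None: minted for sp1
    idp.global_logout(cookie)
    after_logout = idp.handle_sp_redirect(cookie, sp2.start_check())  # None
    return first, replay, cross, after_logout


if __name__ == "__main__":
    print(demo())
```

Keeping the login state on the IDP and handing the browser only a random handle addresses the weakness the author notes below about the cookie's encryption: an attacker who reads the cookie learns nothing, and global logout takes effect immediately because the IDP simply forgets the handle. Binding the token to the SP name and an expiry time closes two further gaps that the nonce alone does not cover.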

See Figures 4 and 5 for the flowcharts.

The system achieves the basic single sign-on function. Authentication information between the IDP and the SPs is transmitted encrypted, as in Microsoft Passport. The system's functionality is narrow: it implements single sign-on but not identity federation or access control over the user's personal information. The system is basically secure: user login submissions go over HTTPS, and the interaction between the IDP and an SP uses the SP-generated random number to prevent replay attacks. Its weaknesses are that the encryption protecting the cookie is imperfect, the information exchanged between the IDP and the SPs is encrypted only with a simple symmetric algorithm, and the cipher and key must be negotiated by both parties in advance. The system is therefore not suitable for practical use.

Conclusion

With the rapid development of the Internet, web services of every kind have sprung up, and people's demand for single sign-on will only grow stronger. But is single sign-on feasible? This paper has analysed the two most mainstream single sign-on protocols today, the Microsoft Passport single sign-on protocol, whose technical details are not public, and the Liberty Alliance specification, which is still at the research stage, and combined that analysis with the author's implementation of a single sign-on system using a personal domain name as identity. The conclusion is that single sign-on technology is entirely feasible: as long as the security of the single sign-on system and the impartiality and authority of the authentication server are assured, single sign-on will be widely accepted and will give people a more convenient environment for Internet applications.

References

[1] David P. Kormann, Aviel D. Rubin. Risks of the Passport Single Sign On Protocol [EB/OL]. 2000.

[2] Susan Landau, Jeff Hodges. A Brief Introduction to Liberty [J/OL]. February 2003.

[3] Liberty Alliance Project. Liberty Alliance Phase 2 Final Specifications [EB/OL]. http://www.projectliberty.org/specs/, 2003.

[4] Ing. Radovan Seman. Internet Applications Security [M]. November 2002.

[5] ZDNet China (special contribution). SAML standard improves network security [J/OL]. July 1, 2003.

[6] ZDNet China (special contribution). In-depth analysis: "Liberty Alliance" or Microsoft Passport? [J/OL]. September 20, 2003.

[7] Jiang Wei. Kerberos: Authentication Service for Open Networks [D]. December 21, 1999.
