Xiaoxian
With the rapid development of information and network technology, enterprises run more and more internal application systems. In the media industry, for example, common systems include editorial systems, typesetting systems, printing systems, advertising management, finance, office automation, decision support, customer relationship management, and website publishing systems. Because these systems are independent of each other, a user must log on to each one with that system's own identity before using it, and so must remember a separate user name and password for every system. This is a burden on users, and as the number of systems grows the chance of mistakes grows with it, as does the exposure to credential interception and misuse, so overall security declines. In response, the concepts of unified user authentication and single sign-on (SSO) emerged and have since been applied widely to enterprise application systems.
Basic principles of unified user management
In general, each application system has its own user information management function, and the format, naming, and storage of user information vary from system to system. When a user needs several systems, the user information must be kept synchronized between them, which increases system complexity and management cost.
For example, if user X needs both system A and system B, X must be created in A and in B, and any change to X's information in one system must then be synchronized to the other. If X uses 10 systems, a change made in any one of them must be propagated to the other 9. If a failure occurs in the middle of a synchronization, data integrity must still be guaranteed, so the synchronization program can become very complicated.
The fundamental solution to user synchronization is to establish a unified user management system (UUMS). A UUMS stores the user information of all application systems in one place. Every operation an application system performs on users goes through the UUMS, while authorization and similar operations remain with the individual application systems: unified storage, distributed authorization. A UUMS should have the following basic functions:
1. Standardized naming of user information, unified storage, and a globally unique user ID. Like ***, the user ID distinguishes and identifies different individuals.
2. The UUMS provides each application system with a list of user attributes, such as name, phone number, address, and e-mail; each system selects some or all of the attributes it needs.
3. The UUMS handles requests to add, modify, delete, and query basic user information.
4. Each application system retains its own user management functions, such as user grouping and user authorization.
5. The UUMS should have complete logging, recording in detail the UUMS operations performed by each application system.
Unified user authentication is built on the UUMS. It provides all application systems with uniform authentication methods and policies for verifying the legitimacy of a user's identity. Unified user authentication should support the following methods:
1. Anonymous authentication: users log on anonymously without any credential check.
2. User name/password authentication: the most basic method.
3. PKI/CA digital certificate authentication: the user's identity is proven with a digital certificate.
4. IP address authentication: the user may access the system only from a specified IP address or address range.
5. Time period authentication: the user may access the system only within a specified time period.
6. Access count authentication: the number of the user's visits is accumulated and must stay within a set limit.
These authentication methods should be implemented as modules. An administrator can load and unload authentication modules flexibly and add new ones as user requirements change. Note that the IP address, time period, and access count checks do not by themselves prove who the user is; they are conditions that restrict when and from where an already identified user may log on, and in practice they are combined with a credential-based method.
An authentication policy is a combination of authentication methods joined by logical relationships such as AND, OR, and NOT. By adding, removing, or combining methods, an administrator can build policies that satisfy various requirements. For example, if several users in a group share one account and access the system with a user name and password, access should additionally be restricted to a specific IP address range. This policy can be expressed as "user name/password" AND "IP address authentication".
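The modular design and the AND/OR/NOT policy described above, written out as an added example (this is not code from the original article; the module names, the AuthContext fields, the user record layout and the sample subnet 10.1.2.0/24 are all assumptions made for illustration). Each authentication method is a small module, the combinators build a policy from them, and the article's shared-account policy is expressed as password AND IP range:

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict


@dataclass
class AuthContext:
    """A login attempt as seen by the server (all fields are constructed)."""
    username: str
    password: str
    client_ip: str
    now: datetime
    visit_count: int        # visits already recorded for this user
    user_record: Dict       # what the UUMS/AA server stores for the user


Method = Callable[[AuthContext], bool]


# --- individual authentication modules (each one can be loaded or unloaded) ---
def check_anonymous(ctx: AuthContext) -> bool:
    return True


def check_password(ctx: AuthContext) -> bool:
    rec = ctx.user_record
    digest = hashlib.pbkdf2_hmac("sha256", ctx.password.encode(), rec["salt"], 100_000)
    # constant-time comparison so a wrong password does not leak where it differs
    return hmac.compare_digest(digest, rec["pw_hash"])


def check_ip(ctx: AuthContext) -> bool:
    addr = ipaddress.ip_address(ctx.client_ip)
    return any(addr in ipaddress.ip_network(n) for n in ctx.user_record["allowed_nets"])


def check_time(ctx: AuthContext) -> bool:
    start, end = ctx.user_record["hours"]   # (time, time) within one day
    return start <= ctx.now.time() <= end


def check_count(ctx: AuthContext) -> bool:
    return ctx.visit_count < ctx.user_record["max_visits"]


# --- policy combinators: AND / OR / NOT over methods ---
def AND(*terms: Method) -> Method:
    # evaluate every term so the outcome does not reveal which one failed first
    return lambda ctx: all([t(ctx) for t in terms])


def OR(*terms: Method) -> Method:
    return lambda ctx: any([t(ctx) for t in terms])


def NOT(term: Method) -> Method:
    return lambda ctx: not term(ctx)


# module registry: an administrator loads/unloads entries here
MODULES: Dict[str, Method] = {
    "anonymous": check_anonymous,
    "password": check_password,
    "ip": check_ip,
    "time": check_time,
    "count": check_count,
}

# The article's example policy: shared group account, password AND source subnet.
SHARED_ACCOUNT_POLICY: Method = AND(MODULES["password"], MODULES["ip"])


def make_user_record(pw: str) -> Dict:
    """Constructed user record: salted PBKDF2 hash, allowed subnet, hours, visit cap."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000),
        "allowed_nets": ["10.1.2.0/24"],
        "hours": (time(8, 0), time(18, 0)),
        "max_visits": 100,
    }


def demo_context(pw: str, client_ip: str, hour: int, rec: Dict, visits: int = 3) -> AuthContext:
    """Build a login attempt at the given hour on a fixed, constructed date."""
    return AuthContext("editors", pw, client_ip, datetime(2024, 1, 8, hour, 30), visits, rec)


def authenticate(policy: Method, ctx: AuthContext) -> bool:
    return policy(ctx)


if __name__ == "__main__":
    rec = make_user_record("s3cret")
    print(authenticate(SHARED_ACCOUNT_POLICY, demo_context("s3cret", "10.1.2.7", 9, rec)))   # True
    print(authenticate(SHARED_ACCOUNT_POLICY, demo_context("s3cret", "192.0.2.9", 9, rec)))  # False
```

Because the combinators accept any callable, a new module (a certificate check, for instance) is added by registering one function; no policy code changes. The AND combinator deliberately evaluates every term rather than short-circuiting, so an attacker probing from a wrong subnet cannot tell from timing whether the password was right.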
PKI/CA digital certificate authentication is less common but useful, and is typically used in environments with high security requirements. A PKI (Public Key Infrastructure) is a system that uses public key cryptography and digital certificates to protect information.
In a public key system, keys are generated in pairs, each consisting of a public key and a private key. The public key is published; the private key is kept secret by its owner. When the sender encrypts a message with the recipient's public key, that is public key encryption, and only the recipient can decrypt it with its own private key. When the sender signs a message with its own private key, that is a digital signature, and anyone holding the sender's public key can verify it. Through encryption and digital signatures, PKI provides confidentiality (data cannot be read by unauthorized parties), integrity (data cannot be altered without detection) and non-repudiation (the signer cannot later deny having issued the data) for data in transit.
A digital certificate is sometimes called a digital ***. It is a piece of data containing the user's identity information, the user's public key, and the digital signature of the certification authority; that signature is what guarantees the authenticity of the certificate's contents.
A complete PKI system consists of a Certificate Authority (CA), a Registration Authority (RA), a Key Management Center (KMC), a certificate publishing and query system, and a backup and recovery system. The CA is the core of the PKI; it issues and revokes all digital certificates. The RA accepts and reviews users' certificate applications, including requests for revocation and recovery. The KMC generates, stores, manages, backs up, and recovers encryption keys. The certificate publishing and query system generally uses OCSP (Online Certificate Status Protocol) to answer queries about a certificate's status, and the backup and recovery system backs up and restores digital certificates, keys, and system data.
Single Sign-on
Single Sign-On (SSO) is a technology that lets a user access multiple systems after authenticating once: having logged on once, the user can move freely between systems without re-entering a user name and password to prove identity. The essence of SSO is the transfer or sharing of a security context (credential) among multiple application systems. When a user logs on, the client software establishes a security context for the user from the user's credentials (such as user name and password). The security context holds the security information used to verify the user, and the system combines it with its security policy to decide whether the user is permitted to access a resource. Unfortunately, the J2EE specification does not define the format of the security context, so a security context cannot be passed between J2EE products from different vendors.
Figure 1 SSO Principle
Many products support SSO, such as IBM WebSphere and BEA WebLogic, but their implementations differ: WebSphere carries authentication information in cookies, while WebLogic shares it through sessions. A cookie is a client-side mechanism holding a name, value, expiration time, path, and domain; the path and domain together define the cookie's scope. Cookies can therefore implement SSO, but only across applications under the same domain, since the browser only sends a cookie to hosts within the domain it was set for. A session is a server-side mechanism: when a client first contacts the server, the server creates a unique session ID for it so that state can be maintained across the whole interaction, and the application decides what information the session holds. Session-based SSO can therefore span domains, but it cannot span multiple browsers, because the session ID lives in a single browser.
Is there a standard for SSO, and how can products from different vendors exchange information in a standard, secure way? For this purpose, OASIS (Organization for the Advancement of Structured Information Standards) proposed SAML (see the link below for more on SAML).
In fact, a user authentication center combines all the functions and concepts above into one whole, giving an enterprise a complete user authentication and single sign-on solution. A complete user authentication center should provide:
1. Unified user management: centralized management of user information with standard interfaces.
2. Unified authentication: user authentication is centralized and uniform, supports multiple authentication methods such as PKI and user name/password, and serves both B/S (browser/server) and C/S (client/server) applications.
Figure 2 unified user authentication and single sign-on Design Model
3. Single sign-on: single sign-on across multiple application systems in different locations.
The user authentication center provides unified authentication; how does it provide unified authorization? That is the job of authorization management, of which PMI is the most widely applied form.
A PMI (Privilege Management Infrastructure) provides authorization management services to users and applications. It supplies the mapping from a user's identity to the application's authorizations, and provides authorization and access control mechanisms that match real application processing but are independent of the development and management of any particular application, which simplifies that application's development and maintenance. A PMI is a collection of components such as attribute certificates, attribute authorities, and an attribute certificate repository, used to generate, manage, store, distribute, and revoke privileges and attribute certificates.
PMI centers on resource management: access control for a resource is handled centrally by the authorization authority, that is, the resource owner controls access to the resource. Compared with PKI, the two main differences are that PKI proves who the user is, whereas PMI proves what privileges the user has and what the user may do; in addition, PMI can rely on PKI for identity authentication.
Universal Single Sign-On Design Model
Figure 2 shows a general design model for unified user authentication and single sign-on. It consists of the following products:
1. PKI system: CA server, RA server, KMC, and OCSP server.
2. AA management server: the authentication and authorization server, through which system administrators manage user information, authentication, and authorization.
3. UUMS module: provides UUMS interfaces to the application systems.
4. SSO: the SSO proxy and SSO server. The SSO proxy is deployed on the server of each application system; it intercepts SSO requests from the client and forwards them to the SSO server. Any OCSP requests (certificate status checks) are forwarded by the SSO server to the OCSP server. In C/S mode the SSO proxy is usually deployed on the client instead.
5. PMI: the PMI proxy and PMI server. The PMI proxy is deployed on the server of each application system; it intercepts PMI requests from the client and forwards them to the PMI server.
6. LDAP server: stores user information, certificates, and authorization information in one place.
To determine whether a user has already logged on, the SSO server keeps a user session table recording each user's logon and logout times; looking up this table tells the SSO server the user's logon status. The table is usually stored in a database, and the AA system provides session recording, monitoring, and revocation. For stability and throughput, two or more instances of the SSO, PMI, and OCSP services can be deployed and serve requests simultaneously.
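The cookie-based sharing of a security context discussed under "Single Sign-on" and the SSO server session table described just above, as one added example (this is not code from the article or from any of the products it names; the SSOServer and SSOProxy classes, the ticket format, the cookie name SSOTICKET and the domain .example.com are assumptions for illustration). The SSO server signs a ticket scoped to the cookie domain and records the logon in its session table; the SSO proxy on an application server checks the signature, expiry and domain scope locally, then asks the server's session table whether the session is still active, because a signature alone cannot express a logout or revocation:

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


class SSOServer:
    """Issues signed tickets and keeps the user session table (constructed example)."""

    def __init__(self, key: bytes, cookie_domain: str, ttl: int = 3600):
        self.key = key                        # held by the SSO server only
        self.cookie_domain = cookie_domain    # e.g. ".example.com": the cookie's scope
        self.ttl = ttl
        self.sessions: Dict[str, Dict] = {}   # session table: sid -> user, login/logout times

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def login(self, user_id: str, now: float) -> str:
        """Record the logon and return a ticket of the form base64(payload).hmac."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user_id, "login": now, "logout": None}
        payload = json.dumps(
            {"sid": sid, "user": user_id, "exp": now + self.ttl, "dom": self.cookie_domain},
            separators=(",", ":"),
        ).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def logout(self, sid: str, now: float) -> None:
        if sid in self.sessions:
            self.sessions[sid]["logout"] = now

    def is_active(self, sid: str) -> bool:
        """The question an SSO proxy forwards to the server: is the session still logged on?"""
        s = self.sessions.get(sid)
        return s is not None and s["logout"] is None

    def set_cookie_header(self, ticket: str) -> str:
        """Domain fixes the SSO scope; Secure and HttpOnly keep the ticket off the wire and away from scripts."""
        return (f"SSOTICKET={ticket}; Domain={self.cookie_domain}; Path=/; "
                f"Secure; HttpOnly; SameSite=Lax")


class SSOProxy:
    """Deployed beside an application server; validates the ticket before the app trusts it."""

    def __init__(self, server: SSOServer, app_host: str):
        self.server = server
        self.app_host = app_host

    def check(self, ticket: str, now: float) -> Optional[str]:
        """Return the user ID if the ticket is valid for this application, otherwise None."""
        try:
            b64, sig = ticket.split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
        except (ValueError, TypeError):
            return None
        # 1. authenticity and integrity: constant-time comparison of the HMAC
        if not hmac.compare_digest(sig, self.server._sign(payload)):
            return None
        claims = json.loads(payload)
        # 2. expiry
        if now >= claims["exp"]:
            return None
        # 3. cookie scope: this host must lie inside the domain the ticket was issued for
        if not self.app_host.endswith(claims["dom"]):
            return None
        # 4. liveness: only the session table knows about logout or revocation
        if not self.server.is_active(claims["sid"]):
            return None
        return claims["user"]


if __name__ == "__main__":
    server = SSOServer(secrets.token_bytes(32), ".example.com")
    ticket = server.login("alice", now=1_700_000_000.0)
    print(server.set_cookie_header(ticket))
    proxy = SSOProxy(server, "news.example.com")
    print(proxy.check(ticket, now=1_700_000_100.0))   # alice
```

In a real deployment the proxy would call the SSO server over the network for step 4 rather than holding a reference to it, and step 3 is only a defence in depth: the browser already refuses to send a cookie set for .example.com to a host in another domain, which is exactly why the cookie approach is limited to a single domain.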
Link
SAML
Security Assertion Markup Language (SAML) is an XML-based framework for exchanging authentication, authorization, and attribute information between security systems; one of its main objectives is SSO. Under SAML, whatever trust mechanism a party uses, parties can be integrated seamlessly as long as they follow the SAML interfaces, message definitions, and process specifications. The complete SAML framework and its message formats and protocols let existing authentication mechanisms (PKI, Kerberos, passwords) and authorization mechanisms (PMI, ACLs, attribute-certificate-based access control) interoperate across trust domains through one uniform interface, which makes unified management of trust and authorization for distributed application systems much easier.
SAML is not a new technology. Precisely speaking, it is a language, an XML description, that allows information generated by different security systems to be exchanged. The SAML specification consists of the following parts:
1. Assertions and protocols: define the XML syntax and semantics of assertions and of the request/response protocol. SAML has three main assertion types: authentication assertions, attribute assertions, and authorization decision assertions.
2. Bindings and profiles: the mappings of SAML request and response messages onto underlying communication protocols such as SOAP and HTTP.
3. Conformance: the baseline requirements an implementation must satisfy to claim conformance with the SAML standard, which improves interoperability and compatibility.
4. Security and privacy considerations: the security risks in the SAML architecture, specifically how SAML addresses them and which risks remain unsolved.
Note that SAML was not designed solely for SSO, but it provides a practical framework for standardizing SSO.
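The three assertion types, and the Conditions a relying party must check before acting on any of them, as an added example (this is not code from the article; the assertion below is constructed, uses the SAML 2.0 namespace as an assumption since the article does not name a version, and the issuer, subject, audience and attribute names are invented). The parser extracts the authentication statement, the attribute statement and the authorization decision statement only after the validity window and audience restriction pass:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed assertion carrying all three statement kinds. It is unsigned: a real
# assertion carries a ds:Signature (XML-DSig) that must be verified against the
# issuer's certificate before any of the checks below mean anything.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-08T09:00:00Z">
  <saml:Issuer>https://sso.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-08T09:00:00Z" NotOnOrAfter="2024-01-08T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://news.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-08T08:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>editors</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://news.example.com/publish" Decision="Permit">
    <saml:Action>Execute</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def when(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str, audience: str, now: datetime) -> Optional[Dict]:
    """Return the assertion's statements if its Conditions hold for this relying party, else None."""
    root = ET.fromstring(xml_text)           # expat does not fetch external entities by default
    if root.tag != f"{{{SAML}}}Assertion":
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None
    # validity window: NotBefore is inclusive, NotOnOrAfter is exclusive
    if not (when(cond.get("NotBefore")) <= now < when(cond.get("NotOnOrAfter"))):
        return None
    # audience restriction: an assertion issued for another application must be rejected
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return None
    authn = [s.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
             for s in root.findall("saml:AuthnStatement", NS)]
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    authz = {(d.get("Resource"), d.findtext("saml:Action", namespaces=NS)): d.get("Decision")
             for d in root.findall("saml:AuthzDecisionStatement", NS)}
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn": authn,          # authentication assertion(s): how the user was authenticated
        "attributes": attrs,     # attribute assertion: what the IdP says about the user
        "authz": authz,          # authorization decision assertion: what the user may do
    }


if __name__ == "__main__":
    result = parse_assertion(SAMPLE_ASSERTION, "https://news.example.com", when("2024-01-08T09:02:00Z"))
    print(result["subject"], result["authn"], result["attributes"], result["authz"])
```

The order of the checks matters: the audience test is what stops an assertion legitimately issued to one application from being replayed at another, and the time window bounds how long a captured assertion stays useful. Neither check substitutes for verifying the XML signature, which this example leaves out.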
This article is from the "fairy" blog; please keep this link when reposting: http://xian521.blog.51cto.com/9240575/1551076