Unified authentication System (III)


When programmers write code for one application to access other applications, user authentication is often a headache: 1) Ask the end user to log in frequently? Users are unlikely to accept that. 2) Build the user name and password into the code? Then the code must be maintained whenever the user or password changes, and in many cases programmers are not even allowed to see the user names and passwords.

How can this be solved? After discussion, we decided to develop a unified identity authentication service to handle the user authentication problem encountered in this kind of application integration. The service needs to meet the following features and objectives:

    1. Support the Web Services technology framework, so that Web services-based application integration (EAI/B2BI) across application systems can use this unified authentication service for authentication.
    2. Be easy to use and make the best use of existing systems' authentication modules and existing user and permission settings, protecting the existing investment, reducing the cost of re-creating user and permission settings, and avoiding large-scale modification of existing systems.
    3. Offer good extensibility and integration: not only support existing application systems and their existing user systems, but also serve as the identity authentication module when a new enterprise application is deployed or developed; that is, the new application need not bring its own user system, and can obtain equivalent functionality by integrating the service.
    4. Provide flexible and convenient usage patterns, so that users can freely use the unified authentication service in many ways.
Solution

Based on the objectives of this unified identity service and the initial functional definition, we design the service as follows:

Figure 1. Unified Identity Authentication Service

The service mainly requires three functions:

    1. User registration: the user registers an account with the Unified Authentication Service; the account can then be used in all applications that use the Unified Authentication Service.
    2. Account association: if the user already has an account in a related application system, with the corresponding permissions already set, the user can associate that application system account with their Unified Identity Authentication Service account, so that once the user logs in to the Unified Authentication Service they can automatically access the application system as that application user.
    3. User authentication: provide user authentication for application systems, taking two application methods into account:
      • The application system uses the Unified Identity Authentication Service as its user system: the user interacts with the application system and performs the login operation, and the application system forwards the user name/password provided by the user to the Unified Identity Authentication Service to verify whether the user is authorized.
      • The user first logs in to the Unified Authentication Service and obtains a permission token that can later be used to access other applications; when an application system receives the permission token, it interacts with the Unified Authentication Service to verify the legality of the access.

Based on the above, the entities that need to be considered in the unified identity authentication service can be represented as follows:

Figure 2. Data entity for unified identity Authentication Service

    1. User: a user of the Unified Identity Authentication Service;
    2. Account: an account in an application system, associated with a user of the Unified Identity Authentication Service; a user can associate multiple accounts;
    3. Application: an application system that uses the Unified Identity Authentication Service;
    4. Session: when a user logs on to the Unified Authentication Service, an active session is created and an authentication token for that session is obtained; within the session the user can access the various application systems using the session's authentication token.
User Registration

The process of user registration (including updating registration information) can be represented as follows. It consists of two processes: new user registration and updating of user registration information.

Figure 3. User Registration process

New User registration:

    1. The user sends a new user registration request to the Unified Authentication Service.
    2. The service queries the user registry and, if the user can register (without violating the constraint that IDs are unique), saves the user's information to the user registry.
    3. When the save is complete, the Unified Authentication Service responds to the user and the registration is complete.

User Update registration information:

    1. The user issues a user registration information update request to the unified Authentication Service.
    2. The service queries the user registry, and if the user information can be updated (with the ID present, the password provided is correct, and so on), the user's information will be updated in the user registry.
    3. When the save is complete, the unified Authentication Service responds to the user and the update is complete.
Account Association

The account association process can be represented as follows. The diagram contains only the action of registering a new account association; the related modification and deletion actions are omitted, and interested readers can work them out themselves.

Figure 4. User Association Process

To register a new account association:

    1. The user sends an account association registration request to the Unified Authentication Service, providing the identity of application system A and the user information that can be used in that application (user name and password, etc.).
    2. The service first asks application system A whether the user information is legitimate; if so, application system A responds to the service.
    3. If a legitimate response is received, the service saves the account association registration information to the user registry, after which the user will be able to use application system A after signing in to the Unified Identity Authentication Service.
    4. When the registry completes the save operation, the Unified Authentication Service responds to the user and the registration is complete.
Identity Authentication Component Mode

A basic application mode of the Unified Identity Authentication Service is to act as the authentication component of an application system; in this mode the application system holds the dominant position. In this case the application system itself has no user system of its own, so the account involved must be a Unified Identity Authentication Service user account.

Figure 5. Identity authentication Component Mode flow

The process is described as follows (only the normal flow is described):

    1. The user logs in to application system A with the user name and password registered with the Unified Authentication Service (or possibly other authorization information, such as a digital signature).
    2. Application system A forwards the user name and password, together with its own identity (application system A's identity), to the Unified Authentication Service and asks it to complete the logon operation.
    3. The Unified Authentication Service checks its application registry (a UDDI Registry; why UDDI is used is explained later) to see whether application system A is a registered user system of the Unified Authentication Service, and verifies the user name and password forwarded by application system A against the user registry.
    4. After verification is complete, the Unified Authentication Service responds to application system A and the login is completed.
    5. Application system A creates a system session (using its own mechanism) and returns its own permission token to the user, which the client can use for later access until the user logs out or the session times out.
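As an added illustration, not code from the article, here is the component-mode check (steps 2 to 4) in Python: application A hands the forwarded user name and password plus its own identity to the service, which consults an application registry and a user registry. Both registries are constructed in-memory dicts (the article uses a UDDI Registry for the former), and the new-user registration from the User Registration section is included so the user registry can be seeded.

```python
# Added example (not from the article): new-user registration (Figure 3) and the
# component-mode login check of Figure 5, steps 2-4: application A forwards the
# user's credentials with its own identity, and the service checks both the
# application registry and the user registry. All names and data are constructed.
import hashlib
import hmac
import os

# Application registry (a UDDI Registry in the article; a dict stands in here).
APP_REGISTRY = {"app-A": {"description": "constructed sample application"}}

# User registry. Passwords are kept only as salted PBKDF2 hashes, so a leaked
# registry does not hand out reusable credentials.
USER_REGISTRY = {}  # user_id -> (salt, hash)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register_user(user_id: str, password: str) -> bool:
    """Figure 3: refuse registration if the ID already exists (uniqueness constraint)."""
    if user_id in USER_REGISTRY:
        return False
    salt = os.urandom(16)
    USER_REGISTRY[user_id] = (salt, _hash(password, salt))
    return True

def authenticate_for_app(app_id: str, user_id: str, password: str) -> bool:
    """Component mode, step 3: login check requested by application `app_id`."""
    # Is the calling application a registered user system of the service?
    if app_id not in APP_REGISTRY:
        return False
    # Verify the forwarded user name/password against the user registry.
    entry = USER_REGISTRY.get(user_id)
    if entry is None:
        _hash(password, bytes(16))  # same work for unknown users: no timing hint
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(password, salt), stored)
```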
Unified Authentication Mode

The unified authentication mode is the usage mode centred on the Unified Identity Authentication Service itself. Once the user logs in to the Unified Authentication Service, all applications that support the service can be used.

Figure 6. Unified Authentication Mode Process

The process is described as follows (only the normal flow is described):

    1. The user logs in to the Unified Authentication Service with the user name and password registered there (or possibly other authorization information, such as a digital signature);
    2. The Unified Authentication Service creates a session and returns to the user the access authentication token associated with the session;
    3. The user uses this access authentication token to access an application system that supports the Unified Identity Authentication Service;
    4. The application system forwards the access authentication token to the Unified Identity Authentication Service to verify its validity;
    5. The Unified Identity Authentication Service confirms the validity of the access authentication token;
    6. The application system accepts the access and returns the access results. To improve access efficiency, the application may choose to return its own authentication token, allowing the user to continue accessing it later with that private token.

Regarding expiry of the access authentication token, there are two policies. In the first, the user declares that the access authentication token they hold is no longer valid, similar to a logoff operation. In the second, if the user does not use the authentication token for a period of time, it is automatically invalidated, similar to timeout processing.
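As an added example (not the article's own code), the unified authentication mode above with both expiry policies, together with the account association of Figure 4 so that an application with its own user system learns which local account the token maps to, in Python. The application registry is a plain set standing in for the UDDI Registry; the users, application names and timeout value are constructed.

```python
# Added example (not from the article): unified authentication mode (Figure 6) with
# both expiry policies described above (user logoff and idle timeout), plus account
# association (Figure 4) so that an application with its own user system learns
# which local account to act as. All names and values are constructed.
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

IDLE_TIMEOUT = 900  # seconds of inactivity after which a token expires

@dataclass
class UnifiedAuthService:
    apps: set                                  # application registry (UDDI in the article)
    clock: Callable[[], float] = time.time     # injectable so the timeout is testable
    sessions: dict = field(default_factory=dict)      # token -> [user_id, last_used]
    associations: dict = field(default_factory=dict)  # (user_id, app_id) -> app account

    def login(self, user_id: str) -> str:
        """Step 2: create a session and return an unguessable token. The user's
        credentials are assumed to have been verified before this call."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = [user_id, self.clock()]
        return token

    def associate_account(self, user_id: str, app_id: str, app_account: str) -> None:
        """Figure 4, step 3: record that user_id is `app_account` inside app_id."""
        self.associations[(user_id, app_id)] = app_account

    def validate(self, app_id: str, token: str) -> Optional[str]:
        """Steps 4-5: an application asks whether a token is valid. Returns the
        account the application should act as, or None if access is refused."""
        if app_id not in self.apps:
            return None                        # caller is not a registered application
        sess = self.sessions.get(token)
        if sess is None:
            return None                        # never issued, or already logged off
        user_id, last_used = sess
        now = self.clock()
        if now - last_used > IDLE_TIMEOUT:
            del self.sessions[token]           # idle-timeout expiry
            return None
        sess[1] = now                          # each use extends the idle window
        # Fall back to the unified user ID when no app-specific account is linked.
        return self.associations.get((user_id, app_id), user_id)

    def logoff(self, token: str) -> None:
        """User-initiated expiry: the token is invalid from now on."""
        self.sessions.pop(token, None)
```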

Trust Agent Mode

In an Internet application environment the importance of security and trust is obvious; for a commercial system, preventing illegal access and intrusion is one of the key issues it must consider, no less serious than loss of commercial data or compromise of the commercial system.

In trust agent mode, an organization can set up a unified authentication service for all of its application systems that need security and trust, and all access to these applications is mediated by the Unified Authentication Service.

Figure 7. Trust Agent Mode Process

The process is described as follows (only the normal flow is described):

    1. The user logs in to the Unified Authentication Service with the user name and password registered there (or possibly other authorization information, such as a digital signature);
    2. The Unified Authentication Service creates a session and returns to the user the access authentication token associated with the session;
    3. The user uses this access authentication token to access an application that supports the Unified Authentication Service, but does not send the request message directly to the application; instead it is sent to the Unified Authentication Service, with the final application system's ID identified in the message.
    4. The Unified Authentication Service looks up the application system's access entry point in the application registry (UDDI Registry; the service can cache it locally to reduce later interactions with the registry) and confirms that the application system does support the Unified Identity Authentication Service;
    5. The Unified Authentication Service forwards the request message to the specified application system; if the application uses its own user system, the message should contain the pre-defined associated user name and password.
    6. The application system returns the result of the request to the Unified Authentication Service, which finally returns the response message to the user, completing the call.

In this mode, all applications accept access requests only from the Unified Authentication Service, so the solution provider can concentrate its key security investment at the Unified Authentication Service end.

The above content is an excerpt from the linked article.

Reference Link: https://www.ibm.com/developerworks/cn/webservices/ws-casestudy/part4/
