
[1] Huang He, Shan Zhiguang, Huang Dongquan. Scalable single sign-on system [J]. Journal of Southeast University (English Edition), 2007, 23(3): 465-468. [doi:10.3969/j.issn.1003-7985.2007.03.034]

Scalable single sign-on system

Journal of Southeast University (English Edition) [ISSN: 1003-7985 / CN: 32-1325/N]

Volume:
23
Issue:
3 (2007)
Page:
465-468
Research Field:
Computer Science and Engineering
Publishing date:
2007-09-30

Info

Title:
Scalable single sign-on system
Author(s):
Huang He (1), Shan Zhiguang (2), Huang Dongquan (3)
(1) College of Software, Beihang University, Beijing 100083, China
(2) Department of Informatization Research, State Information Center, Beijing 100045, China
(3) Department of Foundation Courses, Xuzhou Air Force Academy, Xuzhou 221000, China
Keywords:
security systems; architecture; web service; single sign-on; identity federation
PACS:
TP393
DOI:
10.3969/j.issn.1003-7985.2007.03.034
Abstract:
To address the scalability and identity federation problems of the traditional single sign-on system, the proposed scheme divides the security system into separate security domains. Each security domain has its own security server and service providers, and trust relationships between domains support identity federation. The security server handles authentication and authorization inside its domain and provides identity federation for users of other domains. A security assertion markup language (SAML) assertion serves as the security token for authentication, authorization and identity federation. The single sign-on process is designed on top of the web service security framework and multiple security domains, and authorization is always performed locally, inside the service provider's security domain. Web service clients both inside and outside their own security domain can therefore access services in a simple, scalable, standard and secure way.
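As an added illustration (not code from the paper), the following models the multi-domain flow the abstract describes: each domain's security server authenticates its own users and federates assertions from trusted domains, while the service provider only authorizes locally issued assertions. HMAC-signed JSON stands in for a SAML assertion, a shared verification key stands in for the inter-domain trust relationship, and all domain names, keys and users are constructed.

```python
import hashlib, hmac, json

class SecurityServer:
    """Per-domain security server: authenticates local users, issues and federates assertions."""
    def __init__(self, domain, key, users):
        self.domain, self.key, self.users = domain, key, users  # users: constructed samples
        self.trusted = {}  # domain -> its key; sharing keys stands in for SAML's signature trust

    def issue(self, subject, home):
        claims = json.dumps({"issuer": self.domain, "subject": subject, "home": home}, sort_keys=True)
        mac = hmac.new(self.key, claims.encode(), hashlib.sha256).hexdigest()
        return {"claims": claims, "mac": mac}

    @staticmethod
    def valid(assertion, key):
        mac = hmac.new(key, assertion["claims"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, assertion["mac"])

    def authenticate(self, user, password):
        # Authentication inside the domain: returns a local assertion, or None.
        if self.users.get(user) != password:
            return None
        return self.issue(user, self.domain)

    def federate(self, assertion):
        # Identity federation: a valid assertion from a trusted domain is re-issued
        # as a local one, so the service provider's local authorization applies.
        c = json.loads(assertion["claims"])
        key = self.trusted.get(c["issuer"])
        if key is None or not self.valid(assertion, key):
            return None
        return self.issue(c["subject"], c["home"])

class ServiceProvider:
    def __init__(self, server, policy):
        self.server, self.policy = server, policy  # policy: service -> {"user@home"}

    def authorize(self, assertion, service):
        # Authorization is always local: only assertions issued by this provider's
        # own security server are accepted, whatever the user's home domain.
        if not SecurityServer.valid(assertion, self.server.key):
            return False
        c = json.loads(assertion["claims"])
        return f'{c["subject"]}@{c["home"]}' in self.policy.get(service, set())

def sso_access(home, remote, sp, user, password, service):
    # Client of `home` reaching a service in `remote`: authenticate, federate, authorize.
    a = home.authenticate(user, password)
    local = remote.federate(a) if a else None
    return bool(local) and sp.authorize(local, service)
```

An assertion from a domain the remote server does not trust, or one presented to the service provider without passing through the local security server, is rejected before any policy lookup.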


Memo:
Biography: Huang He (born 1970), male, PhD, lecturer, huanghe@buaa.edu.cn.
Last Update: 2007-09-20