一個開放的Web-Based Single Sign-On服務架構

Abstract

使用者認證〈Authentication〉與授權〈Authorization〉一向是電子商務與網路服務的重要課題。使用者認證、授權管理的複雜性，也隨著網站服務市場不斷成長，而成為網站服務系統管理者的重大負擔。由於缺乏一個普遍的資訊交換技術，各個網站服務間的使用者認證資訊無法相互交換，致使這些服務的使用者必須一再地輸入認證資訊。這不僅增加使用者的困擾，也讓網站服務系統安全蒙上一層陰影。單一登入服務〈Single Sign-On〉技術的發展目標，是為了解決使用者一再輸入認證資料的問題。許多著名的軟體、網路相關企業紛紛推出自己的單一登入服務套件。然而，由於種種因素，這些產品間仍無法互相交換使用者資訊。雖然SAML〈Security Assertion Mark-up Language〉能有效地解決這個問題，某些主要的軟體廠商卻仍未支援SAML。 此外，絕大多數的單一登入服務皆不具有權限控制機制。採用這些單一登入服務的系統管理者，必須另行找尋權限控制機制。在本研究中，將採用以腳色為基礎的權限控制機制〈Role-Based Access Control；RBAC〉，並依據RBAC的特殊性質搭配LDAP〈Lightweight Directory Access Protocol〉來作為相關資料的儲存裝置。 本研究將針對單一登入服務所面臨的問題，提出一個可解決這些問題的服務架構。在這個服務架構中，將透過一個專職對外聯繫的服務單位，來與其他的單一登入服務系統溝通，並將採取RBAC與LDAP的搭配，來提供良好的權限控制機制。 最後，本研究將根據此一架構實作一套範例網站來驗證這個服務架構的可行性。

User Authentication and Authorization are always important issues for electronic business and web services. With the prevalence of Web Services, these issues become even more complicated. Due to lacking of a standard information-sharing architecture, users have sign on again and again when surfing on webs. It is inconvenient to users, and causes security problems to sites providing services. The goal of Single Sign-On technique is to solve the problem that users have to repeat entering their authentication information. Recently there are several SSO products provided by those famous internet-related corporations. However, for some reasons these products still cannot exchange their user information between them. Although SAML〈Security Assertion Mark-up Language〉 is the solution for exchanging user information, it has not been supported by some of the major software companies. Besides, most of these SSO products do not provide access control mechanism so that system administrators have to find themselves one. In our research, with RBAC〈Role-Based Access Control〉 and LDAP〈Lightweight Directory Access Protocol〉, we provide a fine mechanism for access control. In this paper, we investigate several issues about SSO services and propose a scheme, which provides a new architecture to solve these problems. By using a service unit to communicate with other SSO services, this scheme could solve the problems mentioned before. A sample SSO Service kit will be implemented to demonstrate this scheme.