基於SAML架構達到多層式跨IDP之單一登入系統

Abstract

Web service的出現是為了讓使用者能夠迅速及時使用網路資源，它使用XML來傳輸資訊以適應各種開發環境。隨著電子商務的興起，為了解決資訊安全的問題，OASIS在2002年發展了一種以XML為基礎的語言SAML，可安全產生和交換使用者認證和授權資訊。SAML明確地定義了許多安全認證方式並以XML架構來加強之，這樣的優勢令許多網路廠商廣泛使用它來達到Web SSO的功能。 以目前SAML提供的SSO (Single Sign-On) 機制，是透過一個認證中心來管理使用者資訊，這個認證中心整合各種服務，使用者必須先到認證中心確認身分後，才能使用這些服務，只要在認證中心登入過一次，底下所屬的服務都無須再做登入動作即可使用。但若想使用不同IDP (identity provider) 底下的服務時，仍然要做多次登入動作認證身分。 為了提供使用者一個跨企業間的整合性服務，我們必須讓使用者在不同的認證中心底下仍可達到單一登入的功能，因此本論文以SAML1.1為基礎，提供了一種可跨IDP做聯合身分認證以達到SSO的系統。

The development of Web Service enables users rapidly to access network resources in time. As a result of the electronic commerce starting, Web service uses xml to transmit the information to be able to adapt each kind of development environment. In order to solve the information secure problem, the Security Assertion Markup Language (SAML) which is an XML-based framework has been developed by the OASIS (the Organization for the Advancement of Structured Information Standards) to describe and exchange authorization and authentication information between on-line business partners in 2002. SAML explicitly defines several safe confirmations ways and the security of xml architecture will be enhanced with these methods. The superiority causes SAML widely to be used to achieve Web SSO by the on-line commercial systems. At present SAML SSO mechanism is that there is an identity provider (IDP) which integrates several services managing users information. After logging in at IDP, the user can access these services. So long as a user has logged in at the authentication center, he does not need to authenticate again and then he directly can access these services at the same time. But a user has to login many times to provide valid credentials to use the services which are subordinate under different IDPs. In order to provide the users a enterprise-crossed and integrated service, we must enable the users also to achieve SSO under many identity providers, the thesis designs a SSO architecture to achieve identity federation cross-IDP using SAML 1.1.