
Research And Implementation Of The Platform Of Unified Authentication And Authorization In Education Information Network

Posted on: 2009-03-14 | Degree: Master | Type: Thesis
Country: China | Candidate: X Wang
GTID: 2178330338485526 | Subject: Computer technology
Abstract/Summary:

To integrate the many kinds of resources in the education information network, improve quality of service, and avoid redundant projects and information islands, this work constructs a platform of unified authentication and authorization for the education information network. The platform addresses duplicated identity management and repeated logins by means of unified identity management, SSO and unified privilege management, and it breaks the tight coupling between application systems and the authorization mechanism in order to guarantee high security, manageability, extensibility, agility and transparency. The main work is as follows:

1. Design and analysis of a series of authentication protocols. Through a study of authentication technology, and with the aim of meeting the actual authentication needs of the education information network, this paper designs a variety of authentication protocols, such as login with multiple authentication methods and access request handling, and then uses BAN logic to formally analyse their security.

2. Adoption of an improved RBAC authorization model. The design of the authorization subsystem is based on an improved RBAC model: users are granted roles, roles are allocated resources, the privilege types include public, private and inheritance, and mutually exclusive role sets are established for roles. Taking into account the roles that exist in practice, the subsystem adds the unit role and the administrator role.

3. Design of a unified authentication and authorization platform architecture that meets actual needs. Considering cost and the actual administrative relationships, the platform adopts a distributed structure. It treats the campus network as the trusted domain unit, and each trust domain has a single authentication server, a corresponding user management centre and a privilege management centre. The verification process is transparent to the browser through redirect technology, and very few changes are made to the Web server. The internal operating mechanism of the authentication system can be very flexible, and the platform provides a wealth of standard service interfaces.

4. Design and implementation of the authentication subsystem, the authorization subsystem and the platform Security Service Application Program Interface. The User Management Centre is designed as a multi-level tree management structure, and user identities are coded on an overall basis. The authentication server has a multi-threaded design, a cipher server supports cipher computing, and the authentication server provides a conversation cache and a log audit function. The client authentication plug-in can be embedded in the browser and integrates seamlessly with it, and ticket processing is carried out through resource generation technology and handles visit requests. Application server-side components obtain visitor information by calling the local user authentication API. The authorization subsystem implements the storage and encoding of roles and can handle operation methods, privilege types and privilege succession. The service interfaces include obtaining user login information, synchronization of user information, synchronization of authorization information, etc.
Keywords/Search Tags:Unified Authentication, Single Sign-On, User Management, Unified Authorization, Formal analysis of cryptographic protocol, Role Based Access Control, Security Service Application Program Interface