Research And Implementation Of Single Sign-On For Internet/Intranet

Posted on: 2007-10-02
Degree: Master
Type: Thesis
Country: China
Candidate: L Xue
GTID: 2178360182495032
Subject: Computer software and theory

Abstract/Summary:
As enterprises apply information technology more widely, they depend heavily on computers and information systems, and demand for them keeps growing. As an enterprise expands and its operations spread, its application systems become more varied. Employees have to sign on to each system separately, which reduces work efficiency. Furthermore, to log in to every system successfully, users tend to set simple passwords or reuse the same password, which creates information security problems. The single sign-on (SSO) system was proposed against this background. Its main goals are to administer the information so that users are admitted to the systems with a one-time logon, thereby guaranteeing the security of the systems and of users' information.

Most current SSO systems are based on PKI or Kerberos and need an intelligent client, called a fat client, to carry out their algorithms. However, more and more enterprise systems are web-based, which improves both convenience and work efficiency. In the web environment the client is usually a browser, called a thin client, which cannot carry out these algorithms. Moreover, HTTP is stateless. These characteristics are not compatible with the requirements of traditional SSO systems.

This thesis analyzes the characteristics of the Internet/Intranet, studies a number of authentication mechanisms, proposes a cookie-based single sign-on model for the web, and implements a system prototype. Convenience and security were fully considered during the design process. The system uses LDAP to manage user information and enterprise systems, HTTPS to secure data transmission, and XML as the data carrier. Each layer is independent of the others, which both ensures loose coupling and enhances the integration of the system. An old system can drop its own user login system and easily integrate into the SSO; a new system does not need a user login system and can use the SSO to complete user authentication and authorization.
Keywords/Search Tags: SSO, Kerberos, HTTP, HTTPS, Cookie