The Research And Realization Of WEB Single Sign-on System (WEB SSO) Based On SAML

Posted on: 2008-08-25
Degree: Master
Type: Thesis
Country: China
Candidate: X H Zhou
GTID: 2178360215982374
Subject: Detection Technology and Automation
Abstract/Summary:
Single Sign-On is a technology that makes it more convenient for end users to access federated sites. No matter how complicated the structure of the federated sites is, identity authentication among them is needed only once, when the end user logs on to one of the federated sites and is authorized to access it. End users do not need to enter their usernames and passwords repeatedly to prove their identities. Single Sign-On technology is still being researched and developed; deep research has been done, and various specifications and solutions have been put forward. Currently, these specifications and solutions are not perfect and are not well compatible with one another. Although all kinds of Single Sign-On solutions can provide joint identification among many sites in a single domain, they cannot implement joint identification between cross-domain sites. Single Sign-On systems face problems such as the lack of uniform standards, overly complicated flows, the inability to operate across domains, and security deficiencies, which are beyond the capability of current Single Sign-On systems. The paper makes a deep study and analysis of the existing Single Sign-On standards (the SAML specifications and the WS-* series of specifications) and of the various models and solutions of Single Sign-On systems. On that basis, and considering security and interoperability, the paper puts forward a Single Sign-On model based on the SAML specification. The SAML specification is now supported by most organizations.
The implementation of the Single Sign-On system based on the SAML specification provides joint identification within a single domain and across domains, and it also provides interoperability among heterogeneous Single Sign-On systems that follow the SAML specification. In developing and implementing the system, and in view of SAML's weakness in security, the author relies on the WS-* specification to ensure end-to-end secure transfer of SAML assertions and other sensitive messages, because the SAML specification is only a standard and there is no SDK (Software Development Kit) to support its implementation. The WS-* specification is a standard for ensuring end-to-end secure transfer of sensitive messages; it provides an SDK to support implementing that transfer, and it has been broadly used in the field of information security.
Keywords/Search Tags: SAML, Single Sign-On (SSO), WS-Security, WSE