
The Research And Design Of SSO System

Posted on: 2009-05-04
Degree: Master
Type: Thesis
Country: China
Candidate: X L Xu
GTID: 2178360245994629
Subject: Systems analysis and integration

Abstract/Summary:
Single Sign-on (SSO) lets a user log on and be authenticated once, then access every resource they are authorized for. In recent years, as informatization has advanced, the number of application systems within a corporation has also grown. To reach these different systems, users must enter the corresponding "user name and password" for each one, which is inconvenient and can create security problems for both users and systems. SSO was proposed to solve this problem.

Much research on SSO has been done both in China and abroad. Although Single Sign-on systems have not existed for long, there are already many products on the market, such as JITSSO, IBM WebSphere and Microsoft .Net Passport. However, many products only implement unified identity authentication for users; access control to resources is still mainly managed by each application system, and some have no control at all. These SSO systems may have spared users from entering a "username and password" repeatedly when accessing multiple application systems, but they do not provide a unified security platform for legitimate users.

This thesis starts by analysing the background and significance of SSO, explains its principle, discusses its development in China and abroad, and then studies the related techniques. On that basis, and aiming at the limitations of some existing SSO systems, a Single Sign-on system model based on PKI/PMI digital certificates is proposed. In this model, the PKC (Public Key Certificate) from the PKI is used to authenticate the user's identity, and the AC (Attribute Certificate) from the PMI is used to support RBAC (Role Based Access Control) and manage privileges to application resources. This fully demonstrates the integrated design of SSO with PKI/PMI.

The design covers the overall system design and the major functional modules, as follows:
(1) A Single Sign-on system model based on PKI/PMI digital certificates is designed, using the SSL mechanism and a Diffie-Hellman session key in the communication process.
(2) For the convenience of users and administrators, the architecture of an on-line digital certificate acceptance system is worked out. Digital certificates are stored in an LDAP certificate repository, and the user's own PKC is placed in a USB key.
(3) During identity authentication, the system adopts two-factor authentication combined with bidirectional authentication based on digital certificates, so that the authenticity of both the user and the server is guaranteed. The identity credential is designed as a ticket, using the Cookie technique combined with the Kerberos ticket mechanism; the ticket is encrypted and then stored in the user's browser. This is the key to realizing SSO.
(4) An application authorization module is designed which manages privileges to resources and creates an application access ticket; based on that ticket, the user can carry out the authorized operations on the resource.

This SSO system, which combines such advanced techniques as PKI, PMI and Cookies and exploits the properties of digital certificates, not only frees users from entering a "username and password" repeatedly when accessing multiple application systems, but also provides a more comprehensive security service, including unified identity authentication and unified privilege management. In addition, the system introduces encryption, signatures and other security mechanisms, so it has better security and can effectively prevent attacks and deception. Now that the demand for security services keeps growing, the system has wide applicability and is a good solution for realizing SSO.
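As an added illustration of items (3) and (4), and not code from the thesis: a minimal Python version of the SSO ticket that carries the roles taken from the user's AC, and the application-side RBAC check made against it. It assumes certificate authentication has already succeeded, stands in for the AC lookup and the RBAC policy with constructed tables, and, as a simplification, protects the ticket with an HMAC instead of the encryption the thesis describes.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (not from the thesis): the roles that the PMI's
# attribute certificate (AC) binds to each authenticated subject DN.
AC_ROLES = {
    "CN=alice,O=Example": ["finance_clerk"],
    "CN=bob,O=Example": ["auditor"],
}
# Application-side RBAC policy: role -> permitted operations (constructed).
ROLE_PERMISSIONS = {
    "finance_clerk": {"invoice:read", "invoice:write"},
    "auditor": {"invoice:read"},
}
# Key shared by the SSO server and the applications (assumed provisioned out of band).
TICKET_KEY = b"constructed-demo-key-not-for-production"
TICKET_LIFETIME = 600  # seconds a ticket stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _mac(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_ticket(subject_dn: str, now: int, key: bytes = TICKET_KEY) -> str:
    """SSO server side: build the ticket after certificate authentication succeeded."""
    # Roles come from the AC; the MAC stops the browser from altering any field.
    payload = {"sub": subject_dn, "roles": AC_ROLES.get(subject_dn, []),
               "iat": now, "exp": now + TICKET_LIFETIME}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_mac(body, key)}"


def verify_ticket(ticket: str, now: int, key: bytes = TICKET_KEY):
    """Return the payload, or None if the ticket is forged, altered or expired."""
    body, sep, tag = ticket.rpartition(".")
    if not sep or not hmac.compare_digest(_mac(body, key), tag):
        return None  # wrong key or tampered body: reject before parsing
    payload = json.loads(base64.urlsafe_b64decode(body))
    if not payload["iat"] <= now < payload["exp"]:
        return None  # expired, or issued in the future
    return payload


def authorize(ticket: str, operation: str, now: int) -> bool:
    """Application authorization module: grant if any ticket role permits the operation."""
    payload = verify_ticket(ticket, now)
    return payload is not None and any(
        operation in ROLE_PERMISSIONS.get(r, set()) for r in payload["roles"])
```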
Keywords/Search Tags: Single Sign-on (SSO), Digital Certificate, Identity Authentication, Privilege Management, Ticket