Research On Single Sign-on Model Of Web Services And Application In MAS

Posted on: 2010-03-18
Degree: Master
Type: Thesis
Country: China
Candidate: J X Li
GTID: 2178360278480726
Subject: Computer application technology
Abstract/Summary:
As Web services specifications and standards have developed, Web services have gradually shifted from theoretical research to practical application, and many systems are now integrated through Web services. However, to access these systems users need to repeatedly enter passwords or other credentials. For reasons of efficiency and safety, there is an urgent need to replace the traditional authentication method with a more efficient and secure one that simplifies access to Web services. Single sign-on (SSO) can solve these problems.

Mechanisms commonly used for secure communication (such as SSL, TLS and IPSec) protect data at the transport or network layer; they do not protect the SOAP message at the Web service application layer. The WS-Security specification provides security for Web services. It defines a SOAP header element that carries security-related data. WS-Security uses existing standards and specifications to achieve security, so it does not need to define a complete security solution itself. XML Encryption and XML Signature describe how XML messages are encrypted and signed; SAML tokens provide user authentication and authorization. WS-Security adds a framework on top of these existing specifications to embed the mechanisms into the SOAP message.

Existing single sign-on solutions are Microsoft's Passport, Kerberos and the SAML specification. Their main design goal is single sign-on. However, these schemes are based on Web site applications and can better adapt to the Web service environment.

On the basis of an in-depth study of the related technologies, this paper proposes a single sign-on model for Web services. The main idea of the model is as follows: with reference to the HTTP POST profile of the SAML specification (also known as the push-type profile), this paper designs a SAML token server. The server comprises an authentication module, an attribute query module, an identity/role database, a SAML token generator and a secure message channel. The token generator generates the SAML token and its signature, so that a Web service site can determine the validity of the token by verifying its signature. The secure message channel is built on the WS-Security specification; its main function is signing/encryption and decryption/authentication of SOAP messages, and it also provides encryption of the SAML token.

Finally, this paper implements a SAML token server and the Web services interface of the Chinese Mobile Agent Server (MAS), and, by deploying the SAML token server, applies the single sign-on model in MAS to achieve single sign-on.
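The push-style flow described in the abstract, as an added example that is not code from the thesis: a token server signs an assertion and places it in the WS-Security SOAP header, and the Web service accepts it only if the signature, audience and lifetime check out. Assumptions: HMAC-SHA256 stands in for XML Signature, the assertion layout is simplified rather than schema-valid SAML, and `DemoSignature`, `token-server.example`, the key and the function names are hypothetical.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import timedelta

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
KEY = b"constructed-demo-key"  # assumption: stands in for the server's signing key
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _mac(assertion):
    # MAC the canonical (C14N) form so prefix and attribute order cannot change it.
    c14n = ET.canonicalize(ET.tostring(assertion, encoding="unicode"),
                           rewrite_prefixes=True)
    tag = hmac.new(KEY, c14n.encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode()

def issue_request(user, role, audience, now, ttl=300):
    """Token server: build the assertion, sign it, push it in the SOAP header."""
    a = ET.Element(f"{{{SAML}}}Assertion", Issuer="token-server.example")
    ET.SubElement(a, f"{{{SAML}}}Conditions", Audience=audience,
                  NotBefore=now.strftime(FMT),
                  NotOnOrAfter=(now + timedelta(seconds=ttl)).strftime(FMT))
    ET.SubElement(a, f"{{{SAML}}}Subject").text = user
    ET.SubElement(a, f"{{{SAML}}}Attribute", Name="role").text = role
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    sec.append(a)
    ET.SubElement(sec, "DemoSignature").text = _mac(a)  # hypothetical element
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="unicode")

def verify_request(xml_text, audience, now):
    """Web service: return (user, role) only if MAC, audience and lifetime hold."""
    # Production code should parse untrusted XML with a hardened parser.
    sec = ET.fromstring(xml_text).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    a = sec.find(f"{{{SAML}}}Assertion") if sec is not None else None
    sig = sec.findtext("DemoSignature") if sec is not None else None
    if a is None or sig is None or not hmac.compare_digest(_mac(a).encode(), sig.encode()):
        return None
    cond = a.find(f"{{{SAML}}}Conditions")
    ts = now.strftime(FMT)  # fixed-width UTC strings compare chronologically
    if cond is None or cond.get("Audience") != audience:
        return None
    if not cond.get("NotBefore") <= ts < cond.get("NotOnOrAfter"):
        return None
    return a.findtext(f"{{{SAML}}}Subject"), a.findtext(f"{{{SAML}}}Attribute")
```

The service never trusts the role attribute on its own: any change to the assertion after issuance changes the canonical form and fails the MAC check.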
Keywords/Search Tags: Web services, WS-Security, Single Sign On, SAML