
Research And Design Of Single Sign-On System In Multiple Heterogeneous Application Environments

Posted on: 2011-12-17
Degree: Master
Type: Thesis
Country: China
Candidate: W Zheng
GTID: 2178360305494579
Subject: Electronic Science and Technology

Abstract/Summary:
Generally, every heterogeneous application has its own security system and authentication module. Because these modules are independent, access to each application requires a separate login. At the same time, applications in an enterprise are often supported by different companies, and software with different architectures is widespread. This situation makes unified management in the enterprise information integration system more difficult and motivates further research into a single sign-on model that gives heterogeneous applications unified authentication.

First, the thesis analyses the heterogeneous system architecture and the multi-certified structures of heterogeneous application systems, and summarizes the difficulties of single sign-on across heterogeneous applications. It then describes present single sign-on mechanisms, focusing on the CAS single sign-on system and explaining the principles and certification processes of that system. On this basis, it analyzes the security of the CAS system and the limitations the CAS system faces in the design of a single sign-on system for heterogeneous applications. Finally, it proposes an improved solution that is client-agent based and non-invasive.

In this design, user authentication information from the multiple applications is integrated into unified authentication information by using mapping technology, and unique authentication certificates for users are then generated. The authentication application interface is implemented as a web service in order to offer cross-platform support. The integration of heterogeneous application clients is the other important part of the design. By using the Windows messaging system and browser plug-in BHO technology, proxy login functions are achieved for programs of both C/S and B/S structure. LDAP is used to store user authentication information and application information, which facilitates role-based access control authorization, and Web Service is used to encapsulate the maintenance of user information, which improves system reusability.

Based on this improved solution, the architecture and the function modules of the single sign-on system are designed and implemented. These include the assistance module, which offers the proxy login function; the certification information management web service module; and the central management module, which offers the user interface for information maintenance.
Keywords/Search Tags:Single Sign On, LDAP, Web Service, Plug-in