
Research And Implementation Of A Single Sign-on Authentication Model Based On Web Service Design

Posted on: 2011-03-11
Degree: Master
Type: Thesis
Country: China
Candidate: T Y Chen
GTID: 2178360308469100
Subject: Software engineering

Abstract/Summary:
As network applications grow more complex, the negative effects of lacking a unified identity authentication system become increasingly obvious. Users who want to access several different application systems must register with each one, which wastes resources and increases the users' workload. Single sign-on technology lets users, once they log in, access the resources of various application systems on the Internet within their appropriate authority. The main direction of single sign-on research is the single sign-on model based on the Security Assertion Markup Language (SAML); however, SAML has no corresponding solution for its own security issues. Moreover, disadvantages of single sign-on systems such as deployment difficulty and limited extensibility restrict the development of single sign-on technology. In response to these problems, the main tasks of this thesis are as follows:

Firstly, to address the security problems of the SAML Browser/Artifact model, this thesis uses XML digital signature and XML encryption technology to sign and encrypt SAML messages, which ensures the integrity, privacy and non-repudiation of SAML messages and effectively solves the security issues of the SAML Browser/Artifact model. To address the complexity of PKI, this thesis proposes a key management layer that combines traditional PKI with the XML Key Management Specification (XKMS) to provide the key management service; the model shields the complicated PKI syntax and provides a web service for clients to call, which effectively solves the problem of PKI complexity.

Secondly, building on the improved SAML Browser/Artifact model, a secure single sign-on authentication model based on Web Service is designed. It uses a key management layer that combines traditional PKI with XKMS to provide the key management service. At the same time, the model applies XML digital signature technology and XML encryption technology to ensure the security of SAML information when it is sent. In addition, it manages users and network resources in a unified way through a Lightweight Directory Access Protocol (LDAP) directory service, uses Web Service to transmit SAML information, and develops a dedicated SAML client to exchange information between the certification center and the subsystems. The model implements unified management of users, unified identity authentication, unified management of keys, secure transmission of SAML information, and minimal changes to subsystems, which achieves the business objectives of single sign-on.

Finally, the thesis analyzes how to integrate and implement this single sign-on authentication model, which offers strong security, extensibility and ease of deployment, and analyzes its application effect on the unified communications platform.
Keywords/Search Tags: Single Sign-on, Web Service, Security Assertion Markup Language, Lightweight Directory Access Protocol, Unified Communications Platform