
Research On Identity Management And Access Control For Large Organizations

Posted on: 2013-04-15    Degree: Master    Type: Thesis
Country: China    Candidate: A Q Li    Full Text: PDF
GTID: 2268330422474301    Subject: Computer Science and Technology
Abstract/Summary:
As large organizations' information systems keep expanding, and the integration of large-scale systems begins to span regions, departments and business domains, building a secure and reliable identity management and access control system for an environment of multiple autonomous domains has become an important task in the construction of such systems. The goal of the identity management system is "unified identity management", that is, unified identity authentication and single sign-on. The access control system, in turn, aims at "cross-regional access control", that is, effective supervision of all cross-regional communication. Because service-oriented architecture and the network application model are spreading rapidly, unified identity management and cross-regional access control will certainly play an even larger role in the construction of large organizations' information systems. This thesis brings together the state of the art and the practical requirements of large organizations' information systems. Its main research effort concerns the system architecture, implementation method and application model of unified identity management and cross-regional access control technologies.

For unified identity management, the thesis first considers three types of system architecture, namely stand-alone, allied and centralized, together with three single sign-on models, namely agent, proxy and gateway. It then analyzes typical unified identity management techniques, including the SAML-based Liberty framework, the CAS protocol, which uses a centralized authentication method, and the user-centric OpenID protocol. Building on the Liberty framework, the thesis constrains how trust relationships between identity providers may be established, which yields a type of identity management alliance oriented towards large organizations.

In addition, aiming at the dual goals of unified identity management and single sign-on, the thesis on the one hand adopts the LDAP directory service to achieve hierarchical storage and centralized management of user authentication data, and on the other hand imposes unified control over user access at the network layer through a security authentication gateway, which allows single sign-on to serve B/S (browser/server) and C/S (client/server) applications simultaneously.

For cross-regional access control, the thesis first illustrates the collaboration patterns of "loosely coupled" and "federated" autonomous domains. It then analyzes several typical cross-regional access control techniques, including the XACML-based ABAC model, the IRBAC2000 model, which supports cross-regional role switching, and cross-domain authority mapping, which relies on authorized intermediaries. Borrowing from the federated model, the thesis proposes adding an "authority domain" to the original autonomous domains. The authority domain then serves as the center that carries out unified authorization management and access decision making for all cross-regional communication, forming an access control federation in a multi-autonomous-domain environment. For the concrete implementation, the thesis deploys service access proxies in authority domains, introduces the concept of the authority attribute, and achieves fine-grained global authorization and dynamic access decision making based on authority attributes.
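The authority-domain design summarized above can be sketched as a small policy decision model: autonomous domains keep their own local roles, the authority domain maps those roles onto shared authority attributes and evaluates one global policy over them, and a service access proxy hands every cross-domain request to that center. The following Python is an added illustration written for this page, not code from the thesis; the domain names, users, roles, resources, attribute mapping, policy rules and the AuthorityDomain and ServiceAccessProxy classes are all assumptions made for the example, and the sample data is constructed.

```python
"""Toy access-control federation with a central authority domain.
Added illustration, not the thesis's own code; every name below is an
assumption made for this example and all data is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Each autonomous domain keeps its own identities and local role vocabulary;
# the federation never consumes these directly, only their mapped attributes.
LOCAL_DIRECTORIES: Dict[str, Dict[str, dict]] = {
    "east": {"alice": {"local_role": "finance_clerk", "clearance": 2}},
    "west": {"bob": {"local_role": "auditor", "clearance": 3}},
}


@dataclass(frozen=True)
class Request:
    subject_domain: str
    subject: str
    resource_domain: str
    resource: str
    action: str
    hour: int  # environment attribute, used for dynamic decisions


def read_in_business_hours(subject: dict, resource: dict, q: Request) -> bool:
    """Permit reads to holders of fin:read whose clearance covers the
    resource's sensitivity, and only between 08:00 and 18:00."""
    return (q.action == "read"
            and "fin:read" in subject["authority"]
            and subject["clearance"] >= resource["sensitivity"]
            and 8 <= q.hour < 18)


def audit_any_time(subject: dict, resource: dict, q: Request) -> bool:
    """Permit audit actions to holders of fin:audit at any hour."""
    return q.action == "audit" and "fin:audit" in subject["authority"]


class AuthorityDomain:
    """Federation center: translates local roles into shared authority
    attributes and evaluates the single global policy against them."""

    def __init__(self) -> None:
        # (domain, local role) -> authority attributes. An unmapped role
        # yields no attributes and therefore matches no permit rule.
        self.attribute_map: Dict[tuple, Set[str]] = {
            ("east", "finance_clerk"): {"fin:read"},
            ("west", "auditor"): {"fin:read", "fin:audit"},
        }
        # Resource attributes published by the owning domains (constructed).
        self.resources: Dict[tuple, dict] = {
            ("west", "ledger"): {"sensitivity": 2},
            ("west", "payroll"): {"sensitivity": 3},
            ("east", "budget"): {"sensitivity": 1},
        }
        self.rules = [read_in_business_hours, audit_any_time]

    def resolve_subject(self, q: Request) -> Optional[dict]:
        """Look up a domain-local identity and attach its authority attributes."""
        local = LOCAL_DIRECTORIES.get(q.subject_domain, {}).get(q.subject)
        if local is None:
            return None
        authority = self.attribute_map.get((q.subject_domain, local["local_role"]), set())
        return {"authority": authority, "clearance": local["clearance"]}

    def decide(self, q: Request) -> str:
        subject = self.resolve_subject(q)
        resource = self.resources.get((q.resource_domain, q.resource))
        if subject is None or resource is None:
            return "deny"  # default deny for anything the federation cannot describe
        return "permit" if any(r(subject, resource, q) for r in self.rules) else "deny"


class ServiceAccessProxy:
    """Fronts a domain's services and hands every cross-domain request to the
    authority domain; intra-domain traffic stays under the domain's own local
    controls, which this example does not model."""

    def __init__(self, authority: AuthorityDomain) -> None:
        self.authority = authority

    def handle(self, q: Request) -> str:
        if q.subject_domain == q.resource_domain:
            return "local"
        return self.authority.decide(q)


def run_scenarios() -> Dict[str, str]:
    """Exercise the proxy with constructed cross-domain requests."""
    proxy = ServiceAccessProxy(AuthorityDomain())
    scenarios = {
        "clerk_reads_ledger_daytime": Request("east", "alice", "west", "ledger", "read", 10),
        "clerk_reads_ledger_night": Request("east", "alice", "west", "ledger", "read", 23),
        "clerk_reads_payroll_above_clearance": Request("east", "alice", "west", "payroll", "read", 10),
        "clerk_audits_without_attribute": Request("east", "alice", "west", "ledger", "audit", 10),
        "auditor_audits_budget_night": Request("west", "bob", "east", "budget", "audit", 3),
        "auditor_reads_budget_night": Request("west", "bob", "east", "budget", "read", 3),
        "unknown_subject": Request("north", "mallory", "west", "ledger", "read", 10),
        "unknown_resource": Request("east", "alice", "west", "vault", "read", 10),
        "intra_domain_not_proxied": Request("west", "bob", "west", "ledger", "read", 10),
    }
    return {name: proxy.handle(q) for name, q in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The two points worth noticing are that the policy is written once over authority attributes rather than over each domain's local roles, so adding a domain means adding mapping entries rather than rules, and that the decision is default deny: a subject, role or resource the authority domain cannot describe never reaches a permit rule.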
Keywords/Search Tags: Large organization, Identity management, Alliance, Access control, Federation, Authority Attribute