
A Study Of Cross-Realm Authentication Technology In Cloud Computing

Posted on: 2016-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: X Li
GTID: 2348330488973313
Subject: Communication and Information System

Abstract/Summary:
Cross-realm authentication technology is a typical application of authentication technology. With the fast development and large-scale deployment of cloud computing, profound changes have taken place in the traditional network architecture, which brings new security challenges. Given the diversity of identity providers, identity authentication credentials and issuing institutions in a cloud computing environment, a user is bound to cross multiple security realms when accessing resources. As a result, cross-realm authentication is a difficult problem in cloud security. Claim-based authentication (CBA) is a cross-realm authentication technology proposed by Microsoft. The open source technologies that can implement claims include Shibboleth, SAML and WS-Federation. Claim-based authentication has become an important means of solving cross-realm authentication in cloud computing. Addressing the question of how users in a Windows domain can access cloud computing resources across realms, this paper analyses the characteristics of three traditional cross-realm authentication models (the gateway-based, token-based and agent-based cross-realm authentication models), as well as claim-based cross-realm authentication, SSL, OpenStack back-end integration with AD, and so on. This paper gives a cross-realm authentication scheme. Based on the traditional gateway-based cross-realm authentication model and the idea of claims, the scheme uses the federated identity provider to replace the gateway in the gateway model, so that users in a Windows domain can access cloud resources without reauthentication.
The scheme uses the SAML protocol to exchange user identity information between different domains, which ensures the versatility and security of the system and realizes seamless, secure communication between different security domains. First, the paper analyses the characteristics of the three traditional cross-realm authentication models. Combined with the idea of claims, the paper gives a cross-realm authentication scheme divided into three parts (claim provider, federated identity provider and application service provider) and gives the design of the key components of the three modules. Second, the specific design of trust maintenance between the modules and of the security of the transmission channel is given. Finally, the feasibility of the scheme is verified on the popular cloud platform OpenStack. The paper has some theoretical and practical significance for solving cross-realm authentication issues and for encouraging enterprises and government to migrate their business to cloud platforms. The next step in the research will focus on improving the efficiency and load balancing of the cross-realm authentication system.
Keywords/Search Tags: Cloud Computing, Cross-realm Authentication, Claim, Federated Identity Provider, OpenStack