【作者】 黄朝；

【导师】 龙毅宏；

【作者基本信息】 武汉理工大学 ， 通信与信息系统， 2008， 硕士

【摘要】 信息技术的迅猛发展,特别是互联网技术的普及应用,使得电子政务、电子商务成为当今信息化发展最重要的领域之一。网络上的信息安全是电子政务、电子商务健康持续发展的重要保障。身份鉴别是证实一个声称的身份是否真实有效的过程,是实现网络安全的重要机制之一,是确保企业信息资源只能被合法用户访问的重要保障。跨域身份鉴别是在单域身份鉴别的基础上,实现多域系统之间的单点登录。Web服务的一个明显优势就是能够在异构环境下实现资源共享和互操作。但随之而来的安全问题,使许多企业首先把Web服务的应用限制在企业内部。导致用户在多个系统上需要拥有多个身份,带来了用户需要记忆多个身份信息、多次登录、密码过度繁殖、密码被非法截获的可能性增加、维护用户个人信息开销大等诸多问题。针对这些问题,用户对支持跨域用户身份管理系统的需求越来越大。身份联合技术提倡用户最好将鉴别信息分散到许多数据库,将一个用户的不同身份形成身份鉴别联合,解决了用户多次登录的麻烦,简化了身份的管理。本文首先分析了Web服务安全需求和身份鉴别的发展趋势,由此引出了课题研究的内容和意义。然后给出本文涉及到的一些基础知识,主要是Kerberos,PKI和安全断言标记语言。并在此基础上对一种分布式鉴别模型给予了详细的分析和论诉。深入研究了SAML安全声明标记语言,然后基于SAML开发实现了一个支持跨域的身份鉴别系统。更多还原

【Abstract】 With the rapid development of information technology, especially the widespread application of Internet technology, electronic government and electronic commerce have become the most important development field of information technology. It is important to guarantee information security in the network to electronic government and electronic commerce. Authentication is one of the most important mechanisms to implement network security by protecting our information from unauthorized accesses, which allows each party to a communication to be sure of the identity of the other. Cross-domain authentication is to implement Single Sign On mechanisms on more than one domain which is based on the single domain authentication.One of apparent merits about Web Service is that it could realize resource sharing and intercourse under heterogeneous environment. But the secure problem following this character makes many enterprises confine Web Service to their inner part. One user who needs to log on varied systems is required to present varied identities, which would lead to many problems such as too many identities needed to remember, log on system too many times, password multiply too much, the risk of passwords being stolen increase and too much work has to be done to maintain the user’s identify, etc. In order to solve these problems above, there is a growing requirement for identify management system supporting across domains. And identity federation advocates that users should scatter their verified information around multiple databases and form an identity verification federation in order to free the user of the trouble of logging too many times and simplify the identity management.Firstly this thesis analyzes the requirement of Web Service security and the developing trend of identity authentication, which lead to research content and sense for the federated identity authentication. Then some basic knowledge will be presented in this thesis, including Kerberos, PKI and SAML. Based on them, distributed model is put forward with detailed analysis and arguments. After that, deeply discussed the SAML, and then develop a real system which can realize the cross-domain identity authentication based SAML.更多还原