Transcript Document
Mehregan Mahdavi
Assistant Professor, Department of Computer Engineering, University of Guilan
[email protected]
• Introduction to Authentication
• Centralized Identity Management
• Single Sign On
• Federated Identity Management
• SAML
• Shibboleth
• Conclusion
• Authentication means verifying that a claimed attribute of an entity is genuine.
• It may be the verification of the identity of a person or of a program.
• Token-based
• Key card
• Bank card
• Smart Card
Based on this fundamental question: "What you have?"
• Biometric
Based on this fundamental question: "Who you are?"
• Knowledge-based
Based on this fundamental question: "What you know?"
• Textual
• Graphical
• There are different systems at institutions
E.g. Email, Finance, Student portal, etc.
• Currently, Identity Management is often fragmented (several
directories or databases)
[Diagram: fragmented identity management. Systems: Finance System, Student Portal, Web AuthN, Mail, Calendar, Password Management (Forgot password, Helpdesk, Printer service); directories: eDir, SunOne, Oracle, People Data System]
[Diagram: the same systems with passwords synchronized ("Sync Password" / "Sync") between the directories]
• Same Sign On (using a single Userid and Password in all systems)
• Key Ring
• Single Sign On
• Use a central directory for Authentication
• Authenticate users against this central directory
• Determine users' permissions based on the respective user's Credentials
Question: How will Single Sign On work across several organizations?
Using SAML (Security Assertion Markup Language)
• Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and
authorization data between security domains, that is, between an
identity provider (a producer of assertions) and a service provider (a
consumer of assertions).
• SAML is a product of the OASIS Security Services Technical
Committee.
• SAML assumes the principal (often a user) has enrolled with at
least one identity provider.
• This identity provider is expected to provide local
authentication services to the principal.
<saml:Assertion ...>
...
</saml:Assertion>
• SAML assertions are usually transferred from identity
providers to service providers.
• Assertions contain statements that service providers use to
make access-control decisions.
• Three types of statements are provided by SAML:
• Authentication statements
• Attribute statements
• Authorization decision statements
• Authentication statements assert to the service provider that
the principal did indeed authenticate with the identity
provider at a particular time using a particular method of
authentication.
• An attribute statement asserts that a subject is associated with
certain attributes. An attribute is simply a name-value pair.
Relying parties use attributes to make access-control decisions.
• An authorization decision statement asserts that a subject is
permitted to perform action A on resource R given evidence E.
The expressiveness of authorization decision statements in
SAML is intentionally limited. More-advanced use cases are
encouraged to use XACML instead.
• XACML is an Attribute Based Access Control (ABAC) system
• Attributes associated with a user or action or
resource are inputs into the decision of whether
a given user may access a given resource in a
particular way.
• Role-based access control (RBAC) can also be
implemented in XACML as a specialization of
ABAC.
• Shibboleth is an Internet2 Middleware Initiative project
• An architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on SAML
• Federated identity allows for information about users in one security domain to be provided to other organizations in a federation
• This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords.
• Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.
<bibliography>
<paper ID= "object-fusion">
<authors>
<author>Y. Papakonstantinou</author>
<author>S. Abiteboul</author>
<author>H. Garcia-Molina</author>
</authors>
<fullPaper source="fusion"/>
<title>Object Fusion in Mediator Systems</title>
<booktitle>VLDB 96</booktitle>
</paper>
</bibliography>
• Human-readable
• Machine-readable
• Standard format for data interchange
• Possible to validate
• Extensible
• can represent any data
• can add new tags for new data formats
• Well-Formed: Structure follows XML syntax rules
• Valid: Structure conforms to a DTD
• XML Document Type Definitions (DTDs)
• XML Schema
• defines structure and data types
• allows developers to build their own libraries of interchanged data types
• Centralized identity management can reduce many of the problems of maintaining multiple Usernames and Passwords
• A mechanism is needed for identity management in applications such as sharing digital data and the like
• SAML: a mechanism for identity management
• Shibboleth: an implementation of SAML