| Student | 王明國 Ming-guo Wang |
|---|---|
| Thesis title | 考量既有系統的可延伸性聯邦身分與存取管理框架 (FEDERACY: An Extensible Federated Identity and Access Management Framework Considering Legacy Systems) |
| Advisor | 查士朝 Shi-Cho Cha |
| Committee members | 莊裕澤 Yuh-Jzer Joung, 賴源正 Yuan-Cheng Lai, 羅乃維 Nai-Wei Lo |
| Degree | Master |
| Department | College of Management, Department of Information Management |
| Year of publication | 2008 |
| Academic year of graduation | 96 |
| Language | Chinese |
| Pages | 56 |
| Keywords (Chinese) | Single sign-on, Federated identity management, Identity and access management, Federated identity and access management, Federated database systems |
| Keywords (English) | FIAM, Single-Sign-On, FIM, FDBS |
| Statistics | Views: 234, Downloads: 2 |
Abstract (translated from Chinese): In recent years, many organizations have begun to build Identity and Access Management (IAM) or Federated Identity and Access Management (FIAM) systems to reduce the security risks and costs of using and managing different systems. However, the IAM solutions currently on the market usually adopt a Web-based architecture and require application systems to support the HTTP protocol; a system that does not support that interface may have to be rewritten. To address the difficulties organizations encounter when building IAM systems, we propose an extensible federated identity and access management framework that takes legacy systems into account. The framework adopts an agent-based architecture so that it can be integrated with legacy systems without modifying each individual system, thereby promoting the realization of IAM and FIAM systems.
Abstract (English): In recent years, many organizations have started to deploy Identity and Access Management (IAM) or Federated Identity and Access Management (FIAM) systems to reduce the cost and security risks of using and managing different systems. While deploying IAM or FIAM systems, organizations usually meet difficulties in integrating legacy systems into them. Current IAM solutions usually adopt a Web-based portal approach and require application systems to support a Web-based architecture or the HTTP protocol. In light of this, we propose an extensible FEDerated identity and access management framework considering LegACY systems (FEDERACY). Compared to current Web-based approaches, FEDERACY adopts an agent-based approach to provide a unified way for individuals to use heterogeneous legacy systems and for administrators to manage those systems without modifying them. By reducing the cost of integrating legacy systems into IAM systems, FEDERACY can contribute to the realization of IAM systems.