
Author: Ming-guo Wang (王明國)
Thesis Title: FEDERACY: An Extensible Federated Identity and Access Management Framework Considering Legacy Systems (考量既有系統的可延伸性聯邦身分與存取管理框架)
Advisor: Shi-Cho Cha (查士朝)
Committee: Yuh-Jzer Joung (莊裕澤), Yuan-Cheng Lai (賴源正), Nai-Wei Lo (羅乃維)
Degree: Master
Department: College of Management, Department of Information Management
Thesis Publication Year: 2008
Graduation Academic Year: 96 (ROC calendar)
Language: Chinese
Pages: 56
Keywords (Chinese, translated): Single Sign-On; Federated Identity Management; Identity and Access Management; Federated Identity and Access Management; Federated Database System
Keywords (in other languages): FIAM, Single-Sign-On, FIM, FDBS
Reference times: Clicks: 175, Downloads: 2
Abstract (Chinese, translated): In recent years, many organizations have begun to build Identity and Access Management (IAM) or Federated Identity and Access Management (FIAM) systems in order to reduce the security risks and costs of using and managing different systems. However, the IAM solutions currently on the market typically adopt a Web-based architecture and require applications to support the HTTP protocol; a system that does not support that interface may have to be rewritten. To address the difficulties organizations encounter when building IAM systems, we propose an extensible federated identity and access management framework that takes legacy systems into account. The framework adopts an agent-based architecture so that it can be integrated with existing systems without modifying each individual system, thereby facilitating the realization of IAM and FIAM systems.


Abstract (English): In recent years, many organizations have started to deploy Identity and Access Management (IAM) or Federated Identity and Access Management (FIAM) systems to reduce the cost and security risks of using and managing different systems. While deploying IAM or FIAM systems, organizations usually encounter difficulties in integrating legacy systems. Current IAM solutions usually adopt a Web-based portal approach and require application systems to support a Web-based architecture or the HTTP protocol. In light of this, we propose FEDERACY, an extensible FEDerated identity and access management framework considering LegACY systems. Compared to current Web-based approaches, FEDERACY adopts an agent-based approach to provide a unified way for individuals to use heterogeneous legacy systems and for administrators to manage those systems without modifying them. By reducing the cost of integrating legacy systems into IAM systems, FEDERACY can hopefully contribute to the realization of IAM systems.

Table of Contents (translated):
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Research Background and Motivation
  1.2 Research Objectives and Contributions
  1.3 Chapter Overview
Chapter 2 Literature Review
  2.1 Identity and Access Management Systems
  2.2 From Single Sign-On to Federated Identity and Access Management Systems
    2.2.1 Single Sign-On
    2.2.2 Standards Related to Federated Identity and Access Management Systems
    2.2.3 From Single Sign-On Systems to Federated Identity and Access Management Systems
  2.3 Cross-System Resource Access Control
Chapter 3 Current Approaches to Federated Identity Management and Their Potential Problems
Chapter 4 System Framework
  4.1 System Overview
  4.2 User Scenario
  4.3 Administrator Scenario
Chapter 5 Representing Authentication and Authorization for Heterogeneous Systems
  5.1 Concept Description
  5.2 Model
  5.3 Implementation Concept of the LDAP-based Approach
  5.4 LDAP-based Implementation Example
Chapter 6 Conclusion and Future Directions
References

Full text availability: This full text is not authorized to be published (Internet public).