Similar literature
Found 16 similar documents; search took 156 ms
1.
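Research on the Shibboleth Password System   Total citations: 1, self-citations: 0, citations by others: 1
How to access distributed resources securely while reducing the burden on resource providers of authenticating visitors has long been a stumbling block for the development of grid applications. Building on an analysis of existing solutions, this paper introduces the Shibboleth solution and describes the Shibboleth password system, including the Shibboleth components, the function of each component, and the Shibboleth workflow. It also analyzes the characteristics of Shibboleth and points out directions for further research.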

2.
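As resource sharing between universities becomes increasingly frequent, how to perform the necessary identity verification so that information can be accessed across universities is a major problem facing us. Shibboleth is an open-source project for SSO; the project is mainly applied to sharing Web resources within a campus and to federated authentication of user identities for application systems across campuses. This paper introduces the origin of Shibboleth and analyzes and studies its model, workflow and characteristics, aiming to give researchers a reference for grasping the development trends of the related technologies, and points out further research work.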

3.
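Taking unified identity authentication on the campus network as the research platform and remote single sign-on as the research object, this paper mainly studies the authentication mechanism of Shibboleth in the campus network. It outlines the characteristics of Shibboleth, analyzes the Shibboleth system architecture in depth, explains how Shibboleth works, and, using Shibboleth's advantages in campus network construction, designs a unified identity authentication solution for the campus network that achieves unified authentication of users across heterogeneous systems in different network domains and solves the problem of managing user authentication across domain organizations.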

4.
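Single sign-on based on federated authentication can authenticate users from different organizations, but the diversity of resources makes management difficult. To address this problem, the Shibboleth federated authentication approach is adopted, REST API interfaces for accessing multiple kinds of resources are standardized, and Shibboleth's attribute filtering policy is used to release authorization codes for accessing resources, achieving unified authentication for users from multiple organizations accessing a variety of complex resources. Taking an online experiment platform based on OpenEdX as an example, it is verified that, with Shibboleth used for unified user authentication, complex resources can be shared through the REST API interfaces and the release of authorization codes, and data exchange with other systems is implemented on OpenEdX in the form of an XBlock.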

5.
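This paper first briefly introduces the design of a unified authentication system, analyzes its shortcomings, shows why a single sign-on system is necessary, describes the design method of a single sign-on system, and uses Shibboleth to introduce the architecture and workflow of a single sign-on system.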

6.
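An Exploratory Analysis of Shibboleth Privacy Protection Methods Based on XACML and SAML   Total citations: 2, self-citations: 0, citations by others: 2
In federated authentication, Web service providers may require users to provide personal private information, and the Shibboleth architecture was proposed with a focus on protecting private information in federated authentication. This paper analyzes the differences between Shibboleth and P3P and the shortcomings of Shibboleth's current Attribute Release Policy (ARP), and proposes an ARP implementation based on XACML and SAML and its application in Shibboleth, thereby achieving "single sign-on" while protecting user privacy.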

7.
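Research on Campus Federated Identity Authentication Based on SAML   Total citations: 1, self-citations: 0, citations by others: 1
邱仕坦, 《福建电脑》 (Fujian Computer), 2009, 25(11): 90-91
To solve the problem of authenticating users between different universities and achieve secure resource sharing, this paper, based on the SAML specification and combined with single sign-on technology, refines and implements the Shibboleth model and proposes a new federated identity authentication mechanism. Tailored to the actual situation of universities, the mechanism extends the definition of SAML metadata and of the security information exchange between different resource systems, achieving federated identity authentication for secure mutual access to authorized resources.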

8.
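《物联网技术》 (Internet of Things Technologies), 2012, (10): 18-20
Through an analysis of the application value of smart tourism, this paper introduces the overall framework of a smart tourism application solution and several of its key points, analyzes the advantages in smart tourism of China Telecom as China's largest integrated information service provider, and finally introduces several typical application cases of China Telecom's smart tourism applications inside and outside Zhejiang Province.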

9.
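GIS-Based Telecommunication Transmission Resource Management System   Total citations: 8, self-citations: 1, citations by others: 8
Starting from an analysis of the characteristics of telecommunication transmission resources and drawing on a development example, this paper introduces a method of using GIS technology to manage telecommunication transmission resources, gives a fairly comprehensive account of the key technologies involved, and provides a solution for developing pipeline resource management systems.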

10.
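This article mainly studies the measurement and analysis of transmission delay in a network-based teleoperated robot system and a solution to data packet loss. It first outlines the composition and working principle of the system, then uses Visual C++ 6.0 to write network delay testing software and carries out a variety of experiments, and finally analyzes the experimental results and gives a solution to the packet loss problem; simulation experiments based on Matlab verify the effectiveness and reliability of the solution.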

11.
The library and publishing communities have used various imperfect solutions for the management of access to online resources, but now Shibboleth and an infrastructure based on it look set to become a global public domain standard that has been designed to meet all the requirements. This paper reviews the business issues of access management, briefly describes common mechanisms currently in use, and explains what Shibboleth is and how it works. Britain is one of several countries planning for and investing in Shibboleth for use by its national academic community by providing programme funding of over £7 million for technology development projects and infrastructure support. To conclude, the history of progress to date with this rapidly moving work is outlined.

12.
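This paper mainly introduces research on and practice of unified identity authentication in enterprise information systems. For some large enterprises, the information system is often composed of different business systems and is distributed in nature, and unified identity authentication is one of the keys to improving operating efficiency and ensuring security. Taking the tobacco industry information system as an example, a unified identity authentication system is built with Shibboleth, which can serve as a reference for the construction of related systems.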

13.
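Cross-University Unified Identity Authentication System Based on Shibboleth and SAML   Total citations: 1, self-citations: 0, citations by others: 1
Combining Shibboleth, a basic technology platform for cross-domain unified identity authentication, with SAML, a technical standard for cross-domain unified identity authentication, a cross-university unified identity authentication system is designed. The system provides "remote access, local authentication" for users, avoiding the tedium of remote authentication and simplifying the business process; the subsystems of the identity federation interact using the SAML standard, which effectively ensures the security of system communication, protects user privacy, and meets the needs of application management.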

14.
In this paper, we propose a role-based access control (RBAC) system for data resources in the Storage Resource Broker (SRB). The SRB is a Data Grid management system, which can integrate heterogeneous data resources of virtual organizations (VOs). The SRB stores the access control information of individual users in the Metadata Catalog (MCAT) database. However, because of the specific MCAT schema structure, this information can only be used by the SRB applications. If VOs also have many non-SRB applications, each with its own storage format for user access control information, it creates a scalability problem with regard to administration. To solve this problem, we developed a RBAC system with Shibboleth, which is an attribute authorization service currently being used in many Grid environments. Thus, the administration overhead is reduced because the role privileges of individual users are now managed by Shibboleth, not by MCAT or applications. In addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); and for distributed administration of those policies, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grain access control and allows privacy protection. Performance analysis shows that our system adds only a small overhead to the existing security infrastructure of the SRB.

15.
Authentication and authorization for Grids is a challenging security issue. In this paper, key issues for the establishment of Grid authentication and authorization infrastructures are discussed, and an overview of major Grid authentication and authorization technologies is presented. Related to this, recent developments in Grid authentication and authorization infrastructures suggest adoption of the Shibboleth technology which offers advantages in terms of usability, confidentiality, scalability and manageability. When combined with advanced authorization technologies, Shibboleth-based authentication and authorization infrastructures provide role-based, fine-grained authorization. We share our experience in constructing a Shibboleth-based authentication and authorization infrastructure and believe that such infrastructure provides a promising solution for the security of many application domains.

16.
This paper describes our experiences building and working with the reference implementation of myVocs (my Virtual Organization Collaboration System). myVocs provides a flexible environment for exploring new approaches to security, application development, and access control built from Internet services without a central identity repository. The myVocs framework enables virtual organization (VO) self‐management across unrelated security domains for multiple, unrelated VOs. By leveraging the emerging distributed identity management infrastructure, myVocs provides an accessible, secure collaborative environment using standards for federated identity management and open‐source software developed through the National Science Foundation Middleware Initiative. The Shibboleth software, an early implementation of the Organization for the Advancement of Structured Information Standards Security Assertion Markup Language standard for browser single sign‐on, provides the middleware needed to assert identity and attributes across domains so that access control decisions can be determined at each resource based on local policy. The eduPerson object class for lightweight directory access protocol (LDAP) provides standardized naming, format, and semantics for a global identifier. We have found that a Shibboleth deployment supporting VOs requires the addition of a new VO service component allowing VOs to manage their own membership and control access to their distributed resources. The myVocs system can be integrated with Grid authentication and authorization using GridShib. Copyright © 2008 John Wiley & Sons, Ltd.
