Unified identity management method for large organizations
Abstract: To solve the problems of unified identity management in the information systems of large organizations, a new identity management alliance for large organizations is proposed. It draws on the Liberty framework put forward by the Liberty Alliance and modifies both the structure of that framework and the way trust relationships are established among identity providers (IDPs). The new alliance is better suited than the Liberty framework to large organizations, which are distributed, autonomous, globally unified and coordinated. In physical structure, the alliance can be regarded as a tree of IDP nodes, in which each IDP node must establish trust relationships with its parent node and its child nodes, and only with them; this matches the tree-like hierarchy of large organizations in the real world. In the implementation, hierarchical storage of user authentication data is achieved with LDAP on the basis of the alliance's tree structure. In addition, a security authentication gateway controls user access at the network layer, which makes it possible to support single sign-on for both B/S and C/S application systems at the same time.

Source: Journal of National University of Defense Technology (EI, CAS, CSCD, Peking University Core), 2014, No. 3, pp. 122-128, 7 pages in total.

Funding: Supported by the National Natural Science Foundation of China (91118004).

Keywords: large organization; unified identity management; identity management alliance; identity provider (IDP); single sign-on