Internet安全协议与标准第6课.ppt

8/7/2003 Internet安全协议及标准 Internet安全协议与标准第13课 唐礼勇 博士 tly@ Single Sign-on概论 什么是Single Sign-on What does single sign-on (SSO) mean to you? Why Single Sign-onUser Perspective The Problem Too many credentials Which one for which app Multiple logons Why Single Sign-onIT Perspective The Problem Provisioning new accounts Password management Auditing user activity De-provisioning users Managing non-employee access Deploying Enterprise Applications The Challenges Multiple Platforms and Application Models Windows Server, multiple versions of UNIX, OS390, AS400 Legacy custom applications Web applications and services Network gateways (VPN, Wireless, Internet) Different Security Mechanisms Kerberos Basic Authentication X.509 Certificates Passport Proprietary (eg database lookups) Multiple Account Directories Active Directory LDAP Databases Application integrated Complexities with B2B and B2C Concerns about mixing partner customer accounts with employee accounts Privacy (outbound) as well as security (inbound) concerns Are external users their entitlements up to date? Day to day management issues (eg password reset) SSO技术 传统Single Sign-on 口令同步 身份鉴别平台 Web Logon Aggregators 传统SSO技术 - I Allows a User to Login Once, Using a Single Authentication Method to Gain Access to Multiple Hosts and / or Applications 可能同时提供访问控制/授权服务 Authorization policies restrict which applications or systems a user has access And what the user can and can’t do on these applications and systems 不是全新的概念 Kerberos and Kerberized RADIUS and Radiized 传统SSO技术 - II 如何工作-1 Authenticate Once To Access Many Login Credentials (ID And Authentication) Usually Stored Locally Transparently Presented to the System or Application When Needed 传统SSO技术 - III 如何工作-2 Single Credential for All Systems Kerberos Model Multiple Credentials Required for Most Heterogeneous Environments 传统SSO技术 - IV 如何工作-3 APIs And DLLs Write the SSO Authentication into Each Application or System (compare to: Radiized) Or Use Replacement DLLs