To address the scalability and identity federation problems of traditional single sign-on (SSO) systems, the proposed scheme divides the overall security system into separate security domains. Each security domain has its own security server and its own service providers, and trust relationships between domains support identity federation. The security server is responsible for authenticating and authorizing users inside its own domain, and it also provides identity federation for users coming from other domains. Security Assertion Markup Language (SAML) assertions serve as the security tokens for authentication, authorization, and identity federation. The single sign-on process is designed on top of the web services security framework and multiple security domains, and authorization is always enforced locally, inside the security domain of the service provider being accessed. As a result, web service clients both inside and outside a service's domain can access web services in a simple, scalable, standards-based and secure way.
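The cross-domain flow described in the abstract, as an added worked example that is not code from the paper: one security server per domain, an explicit trust relationship (domain B holds domain A's verification key), federation that exchanges a trusted foreign assertion for a locally issued one, and a service provider that authorizes only against assertions issued by its own domain's security server. SAML assertions with XML signatures are replaced here by HMAC-signed JSON claims so the example runs offline on the standard library; the domain names, keys, users and access policy are constructed for the example.

```python
import hashlib
import hmac
import json
import time


def _sign(key: bytes, claims: dict) -> str:
    """Stand-in for an XML signature: HMAC over a canonical JSON encoding of the claims."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class SecurityServer:
    """One security server per security domain: authenticates local users,
    issues assertions, and federates assertions from trusted foreign domains."""

    def __init__(self, domain, key, users, ttl=300):
        self.domain, self.key, self.users, self.ttl = domain, key, users, ttl
        self.trusted = {}  # foreign domain -> verification key (the trust relationship)

    def trust(self, other):
        self.trusted[other.domain] = other.key

    def _issue(self, subject, roles, now):
        claims = {"issuer": self.domain, "subject": subject,
                  "roles": sorted(roles), "not_after": now + self.ttl}
        return {"claims": claims, "signature": _sign(self.key, claims)}

    def authenticate(self, user, password, now=None):
        """Local authentication: returns an assertion for a valid user, else None."""
        now = time.time() if now is None else now
        entry = self.users.get(user)
        if entry is None or not hmac.compare_digest(entry["password"], password):
            return None
        return self._issue(f"{user}@{self.domain}", entry["roles"], now)

    def verify(self, assertion, now=None):
        """Accept an assertion signed by this server or by a trusted peer, if unexpired."""
        now = time.time() if now is None else now
        claims = assertion["claims"]
        key = self.key if claims["issuer"] == self.domain else self.trusted.get(claims["issuer"])
        if key is None:  # issuer is neither us nor a trusted domain
            return False
        if not hmac.compare_digest(_sign(key, claims), assertion["signature"]):
            return False
        return claims["not_after"] > now

    def federate(self, foreign, now=None):
        """Identity federation: exchange a trusted foreign assertion for a local one.
        Role mapping is local policy; here foreign roles are namespaced by issuer."""
        now = time.time() if now is None else now
        if foreign["claims"]["issuer"] == self.domain or not self.verify(foreign, now):
            return None
        c = foreign["claims"]
        return self._issue(c["subject"], {f"{c['issuer']}:{r}" for r in c["roles"]}, now)


class ServiceProvider:
    """A web service inside a domain. Authorization is always local: it honours
    only assertions issued by its own domain's security server."""

    def __init__(self, server, policy):
        self.server, self.policy = server, policy  # policy: resource -> roles allowed

    def access(self, assertion, resource, now=None):
        c = assertion["claims"]
        if c["issuer"] != self.server.domain:
            return (False, "foreign assertion: federate first")
        if not self.server.verify(assertion, now):
            return (False, "invalid or expired assertion")
        if not set(c["roles"]) & self.policy.get(resource, set()):
            return (False, "no role for resource")
        return (True, f"{c['subject']} -> {resource}")


def demo(now=1_000_000):
    # Constructed domains, keys and users for the example (not from the paper).
    a = SecurityServer("domain-a", b"key-a", {"alice": {"password": "pw-a", "roles": {"engineer"}}})
    b = SecurityServer("domain-b", b"key-b", {"bob": {"password": "pw-b", "roles": {"admin"}}})
    c = SecurityServer("domain-c", b"key-c", {"mallory": {"password": "pw-c", "roles": {"admin"}}})
    b.trust(a)  # B federates identities from A; C is not trusted
    sp_b = ServiceProvider(b, {"/reports": {"admin", "domain-a:engineer"}, "/config": {"admin"}})

    a_tok = a.authenticate("alice", "pw-a", now)
    fed = b.federate(a_tok, now)  # A's assertion exchanged for a domain-b assertion
    tampered = {"claims": dict(fed["claims"], roles=["admin"]), "signature": fed["signature"]}
    return {
        "bad_password": a.authenticate("alice", "wrong", now),
        "direct": sp_b.access(a_tok, "/reports", now),       # foreign token used directly
        "federated": fed,
        "reports": sp_b.access(fed, "/reports", now),        # allowed by local policy
        "config": sp_b.access(fed, "/config", now),          # role not mapped for /config
        "forged": sp_b.access(tampered, "/config", now),     # signature no longer matches
        "untrusted": b.federate(c.authenticate("mallory", "pw-c", now), now),
        "expired": sp_b.access(fed, "/reports", now + 3600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point the abstract makes is visible in `ServiceProvider.access`: a service provider never evaluates a foreign domain's assertion itself, so adding a new trusted domain only changes the security server's trust table and role mapping, not every service's authorization code.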