2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Recently I designed the integration of a new system with an existing system for a domestic × ×. One of the key pieces is login authentication, and understanding the existing system's non-standard interface brought some unexpected difficulties.
As an analogy, imagine the existing system is a power strip, and it requires the new system's plug to meet the following standard:
Three flat pins, each 18mm long, 9mm wide and 2mm thick; the centre point of each pin is 10mm from the centre of the circle; the top pin is oriented parallel to the line through the centre, and the lower two pins are oriented perpendicular, pointing toward the centre.
Is the above interface American standard, European standard, British standard, or Chinese standard?
"What? Neither? Um."
Examples like this are encountered all the time when integrating login authentication for enterprise applications. The overall situation in IT-developed countries is much better, because most implementations adopt the standards commonly used in the industry, so extending and integrating systems tends to meet fewer obstacles. Using common standard protocols and mature technologies, just like the standard plug above, brings security, versatility, scalability, maintainability and many other benefits that are beyond doubt. A home-grown IDM with its own protocols is reinventing the wheel.
So what is IDM? This article introduces some related concepts and protocols and helps readers understand its complexity.
What is IDM?
IDM (Identity Management), also known as IAM (Identity & Access Management), means identity and authentication management. Narrowly speaking, the system that manages login is the IDM system. More generally, in the field of computer security, IDM refers to the management of security and business rules that ensure the right people, at the right time, for the right reasons, access the right resources.
With the rise of SaaS services, the large and complex application systems of the past are gradually being replaced by many scattered small applications with simple functions. The popularity of applications on mobile devices has led to rapid growth in the number of new special-purpose applications, accelerating this trend. As the number of application systems grows, the needs for inter-system integration, security, single sign-on, access control and so on become more obvious, although these requirements have always existed.
An IDM system covers a lot of management content. This article focuses on the parts related to login authentication, which is also an important part of integrating and connecting system logins. Before introducing many complex technical concepts, I will use a non-technical scenario to help readers understand the concepts to be introduced.
Airport process
In the process of going to the airport to take an international flight, it goes something like this: get your passport, check-in, print your boarding pass, go through customs, go through security, wait for a flight, verify your boarding pass and board the plane. This is a multi-system authentication process.
System role
(The names of the system roles vary between protocol specifications. Here we first use the names from the SAML protocol.)
Identity provider (IDP, Identity Provider, or issuer): responsible for providing identity services. In the airport example above, the passport identity verification system is the IDP.
Service provider (SP, Service Provider, or target): responsible for providing the final service. In the example above, the plane is the SP; the user ultimately wants to board the plane.
Login protocol, authentication protocol, and token
Login protocol (Sign-in protocol): the order in which these things are done at the airport. You will not be able to board the plane if you do not complete these steps in this order.
Authentication Protocol (authentication protocol): a method of using a passport (instead of × × or other) to verify your identity.
Token (Token): boarding pass.
Interaction between systems: protocols and tokens
Cooperation between the systems and the user's client relies on a protocol, over which the token is transmitted. Here are several mainstream framework protocols:
SAML
SAML is the abbreviation of Security Assertion Markup Language. To be exact, one should say SAML protocol (SAML Protocol) or SAML token (SAML Token), since the name covers both.
In the SAML protocol, the system is described as follows:
What login protocol is used? SAML Protocol.
What authentication protocol is used? The specific authentication protocol is not stated here. For example, a common browser-based authentication method is Form (username and password) authentication.
What is the token type? SAML Token.
How are security and trust guaranteed? When the system is first set up, mutual trust must be established between SP and IDP. For example, the metadata containing the certificates is exchanged between IDP and SP through manual configuration.
SAML also supports Federation. For example, IDP forwards the request and proxies it to another trusted IDP. At such times, we call the system in this chain Federation Provider (FP).
WS-Federation
WS-*, WS-Security and WS-Trust are often mentioned when talking about WS-Federation (or WS-Fed). WS-Federation is a member of the WS-* family. WS-* was originally a set of specifications designed for SOAP-based Web Services. WS-Security is a security specification and an extension of SOAP. WS-Trust is an extension specification of WS-Security and describes the interaction between systems (the login protocol). WS-Federation describes the specification for proxying and passing identity, attributes and authentication between multiple security domains.
In WS-Trust's view, the world looks like this:
WS-Trust introduces the concept of the STS (Security Token Service), which plays a role similar to the IDP in the SAML system.
What login protocol is used? WS-Federation/WS-Trust.
What authentication protocol is used? Three examples of specific authentication protocols are given here: username/password, X.509 certificate, Kerberos.
What is the token type? Not specified here; the token type depends on the implementation. For example, a SAML Token can be used as the token in WS-Federation.
OAuth
In contrast to SAML, which includes configuration and attribute bindings and is used to implement a full single sign-on (SSO) and identity federation (Federation) solution, OAuth describes only an authorization framework, not an authentication protocol.
A typical OAuth scenario is that a user opens a web page or application, is redirected to another application (such as Facebook or WeChat), and is asked whether that application may release some information about the user.
The workflow of OAuth is as follows:
A sample URL for an OAuth request is as follows:
Https://nanw.vmwareidentity.asia/oauth3/authorize?response_type=code&client_id=3ab2a37f-4cfd-409c-937c-defd776f4dee&redirect_uri=https://robotypo.appspot.com&resource=robotypo.appspot.com
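The sample URL above is an authorization request (response_type, client_id, redirect_uri). As an added example (not code from the original article or from any product it names), the following shows the checks an authorization server should make on such a request before showing a consent page: each required parameter present exactly once, client_id registered, response_type allowed for that client, and redirect_uri an exact string match against the registration, so that an authorization code is never delivered to an unregistered location. The client registry is a constructed, hypothetical one seeded with the values from the sample URL.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed client registry (hypothetical); a real server loads this from its database.
# The client_id and redirect_uri are the values from the sample URL above.
REGISTERED_CLIENTS = {
    "3ab2a37f-4cfd-409c-937c-defd776f4dee": {
        "redirect_uris": ["https://robotypo.appspot.com"],
        "response_types": ["code"],
    },
}

SAMPLE_REQUEST = ("https://nanw.vmwareidentity.asia/oauth3/authorize?response_type=code"
                  "&client_id=3ab2a37f-4cfd-409c-937c-defd776f4dee"
                  "&redirect_uri=https://robotypo.appspot.com&resource=robotypo.appspot.com")


def validate_authorization_request(url, clients=REGISTERED_CLIENTS):
    """Return (True, parsed_params) on success or (False, reason) on rejection."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for name in ("response_type", "client_id", "redirect_uri"):
        values = query.get(name, [])
        if len(values) != 1:
            # Duplicated or missing parameters are ambiguous; reject rather than guess.
            return False, f"{name} must appear exactly once"
        params[name] = values[0]
    client = clients.get(params["client_id"])
    if client is None:
        return False, "unknown client_id"
    if params["response_type"] not in client["response_types"]:
        return False, "response_type not allowed for this client"
    if params["redirect_uri"] not in client["redirect_uris"]:
        # Exact string comparison only: no prefix, host or pattern matching.
        return False, "redirect_uri does not match registration"
    # 'resource' is optional; pass it through when present.
    params["resource"] = query.get("resource", [None])[0]
    return True, params
```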
Authentication
The previous section introduced some login protocols; here are some authentication protocols:
Password-based authentication: perhaps the oldest but still the most frequently used authentication method
RADIUS
Kerberos: the most common implementation of the Kerberos protocol is Microsoft's Active Directory. This blog post explains in plain language what Kerberos is: http://vmwareeuc.blog.51cto.com/8606576/1870674
NTLM
IDM mature products
Although there are so many mature, public and universal protocols and technologies, integration issues such as single sign-on (SSO), cross-domain federation (federation across security realms), access control and system scalability remain complex (the design cost is greater than the implementation cost). Fortunately, there are many mature products in the industry that can help solve this dilemma: VMware vIDM, Okta, Microsoft ADFS, Shibboleth, CAS, Ping Identity, OpenAM, Keycloak, etc.
About the author: Wang Nan, China EUC Solution Staff Engineer