Research on Identity Federation Interoperability of Identity Management Systems


Authors: Zhang Yan [1], Zhang Liwu [1] (Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190)

Affiliation: [1] Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

Source: Journal of Information Security Research (《信息安全研究》), 2019, No. 10, pp. 929-934 (6 pages)

Funding: Beijing Higher Education Institutions High-Level Talent Cross-Cultivation "Practical Training Program" (实培计划) project

Abstract: With the advent of the electronic authentication 2.0 era, the boundaries of identity management have kept evolving and are gradually being broken down; interconnecting identity management services through identity federation schemes has become the dominant mode for today's network applications, and a series of identity federation schemes and standards, including Security Assertion Markup Language (SAML), OpenID, OAuth and FIDO, have emerged. Most of the most visited websites and most widely used mobile apps in China provide identity federation services or allow users to log in with accounts from other applications. However, current identity federation implementations are each bound to a specific single federation scheme, and there is no interoperability reference between different federation schemes. To address this problem, this paper first analyzes existing identity federation schemes and standards and summarizes the different functions an identity management system can realize when performing identity federation operations as the system's identity federation interoperability capabilities; it then gives, for each capability, the functional and security requirements an identity management system must meet in order to realize it; and finally, taking the OpenID standard as an example, it shows how the proposed capability requirements apply in an actual identity federation process, verifying their usability.

Keywords: identity management; identity federation; interoperability; network security; authentication; authorization

CLC number: TP309 [Automation and Computer Technology / Computer System Architecture]
