‘Investigation and implementation of Shibboleth SSO authentication mechanism through a specific...


  • 7/22/2019 Investigation and implementation of Shibboleth SSO authentication mechanism through a specific scenario

    1/183

    COVENTRY UNIVERSITY

    Faculty of Engineering and Computing

    Investigation and implementation of Shibboleth SSO authentication mechanism through a specific scenario

    Author: Gilles Rubens Badouet
    MSc Network Computing

    SID: 3940347

    Email: gilles.badouet@gmail.com

    Supervisor: Dr. Rahat Iqbal

    Submitted in partial fulfilment of the requirements for the Degree of Master of Science Network Computing

    Academic Year: 2012/13


    Investigation and implementation of Shibboleth SSO authentication mechanism through a specific scenario 2012/2013

    Gilles Rubens Badouet| M08CDE Project| Coventry University| 2012-2013 Page 1 of 125

    Declaration of Originality

    This project is all my own work and has not been copied in part or in whole from any other source except where duly acknowledged. As such, all use of previously published work (from books, journals, magazines, internet, etc) has been acknowledged within the main report to an entry in the References list.

    I agree that an electronic copy of this report may be stored and used for the purposes of plagiarism prevention and detection.

    I understand that cheating and plagiarism constitute a breach of University Regulations and will be dealt with accordingly.

    Signed: Gilles Rubens Badouet Date: 23


    Abstract

    This work, titled Investigation and implementation of Shibboleth SSO mechanism through a case scenario, presents, discusses, describes and explains the major aspects and concepts of the Shibboleth protocol and provides two related prototype implementations of the protocol within a set of chosen tools and environments. The implementation relies on the project client's specifications and recommendations and therefore follows some imposed deployment infrastructures. The report first focuses on the research investigation into Shibboleth concepts, its relationship with similar mechanisms and its particularities as a Single Sign On mechanism, alongside its federation principles. It also emphasizes SAML (Security Assertion Mark-up Language), the protocol that Shibboleth implements and on which it relies. The second major part of this report describes step by step the installation, deployment and configuration of Shibboleth in working prototypes on Windows based Operating Systems.

    The primary prototype implementation is an initial deployment carried out within a self-defined ad-hoc environment, which helped to implement the second prototype. The second prototype, considered in this project as the real time prototype because it was conducted on the client premises, shares some steps with the primary implementation and is much more complete in terms of application integration and the Shibboleth log out mechanism. It also focuses more on the client specifications. The end of this real time prototype provides the integration strategy for the 247lib.com/247libDE application. A testing approach is then provided to demonstrate how successfully a sample of simple applications has been integrated into the implementation. The test illustrates, with a detailed description, the main use case scenario of authentication through the Shibboleth based single sign on mechanism. The appendix part of this report and the CD bound to the report include the configuration files of the project implementation, the testing data and other project details.

    Finally, the report discusses the risks and issues encountered throughout the project, alongside a critical appraisal and recommendations for future work.


    Document map and summary view


    Table of Contents

    Abstract
    Document map and summary view
    Table of Contents
    Figures list
    Acronyms and abbreviations list
    Additional Materials on the Accompanying CD
    Acknowledgements
    Chapter 1: Introduction
    1.1 Project definition and context
    1.2 Background to the Project
    1.3 Project Scope and Objectives
    1.3.1 Scope
    1.3.2 Objectives
    1.4 Report overview
    Chapter 2: Methodology
    2.1 Problem Identification
    2.2 Methodology approach and justification
    2.3 Overview of the Web SSO mechanism
    2.3.1 Overview
    2.3.2 Web SSO architecture
    2.3.3 SSO protocols
    2.3.4 SSO assets
    2.4 Major aspects of SAML protocol and SSO use case
    2.4.1 Definition and overview
    2.4.2 SAML basic use case
    2.4.3 SAML other use case scenarios
    Shibboleth architecture and components
    2.5.2 Overview of the web SSO steps with Shibboleth
    Introduction
    3.2 Web SSO protocols


    3.3 The use of SAML
    3.4 Application of Shibboleth
    3.5 Gap and contribution
    Chapter 4: Implementation requirements
    4.1 Requirements gathering procedure
    4.2 Requirements table
    Chapter 5: System analysis and design
    5.1 System overview
    5.2 Use case modelling diagram
    5.3 System architecture
    5.3.1 Primary prototype architecture
    5.3.2 Real time prototype architecture
    5.4 Human-Computer Interface
    Chapter 10
    8.4 Quality Management


    Chapter 9: Critical Appraisal
    9.1 Experience and knowledge gained
    9.2 Interesting and difficult aspects of the project
    9.3 Project outcomes
    Chapter 10: Conclusions
    10.1 Achievements
    10.2 Future Work
    Chapter 11: Student Reflections
    Bibliography and References
    Appendix A Project proposal and Specifications
    Appendix B Configuration files of the primary prototype implementation
    Appendix C Configuration files of the real time prototype implementation
    Appendix D Latest Implementation testing data and logs
    Appendix E Interim Progress Report and Meeting Record
    Appendix F Progress and discussions notes with the project client


    Figures list

    Figure 1: Methodology approach
    Figure 2: Simplified Web SSO architecture
    Figure 3: SAML Basic use case
    Figure 4: SAML structure
    Figure 5: Simplified example of a Subject, Assertion and Statement Structure
    Figure 7: IdP components structure
    Figure 8: SSO sequence diagram
    Figure 9: Shibboleth profile
    Figure 10: 247lib.com/247libDE existing interface
    Figure 11: requirements table
    Figure 12: System High-level context diagram
    Figure 13: System Use Case diagram
    Figure 14: Physical structure of the primary prototype
    Figure 15: Logical structure of the primary
    Figure 17: IIS 7 required services setting
    ...8: Installation of SP settings
    ...9: Configuration of JAVA_HOME variables
    Figure 41: IdP log out portal
    Figure 42: Risks assessment of the project management
    Figure 43: Primary prototype implementation issues and solutions
    Figure 44: Real time prototype implementation issues and solutions


    Acronyms and abbreviations list

    AD: Active Directory
    ADFS: Active Directory Federation Services
    ANS Ltd: Applied Network Solutions Limited
    CAA: Central Authentication Service
    CD: Compact Disk
    CN: Common Name
    CSR: Certificate Signing Request
    DC: Domain Component
    DN: Distinguished Name
    DNS: Domain Name System
    DS: Discovery Service
    FQHN: Full Qualified Hostname
    HTTP: Hypertext Transfer Protocol
    HTTPD: Hypertext Transfer Protocol Daemon
    HTTPS: Hypertext Transfer Protocol Secure
    IdP: Identity Provider
    IEEE: Institute of Electrical and Electronics Engineers
    IIS: Internet Information Services
    IP: Internet Protocol
    ISO: International Organisation for Standardization
    IT: Information Technology
    JAAS: Java Authentication and Authorization Service
    JISC: Joint Information Systems Committee
    LDAP: Lightweight Directory Access Protocol
    LDAPS: Lightweight Directory Access Protocol Secure
    LDIF: LDAP Data Interchange Format
    OASIS: Organization for the Advancement of Structured Information Standards
    OS: Operating System
    POST: Power-on self-test
    RPC: Remote Procedure Call
    SAML: Security Assertion Mark-up Language
    SIP: Session Initiation Protocol
    SLO: Single Log Out
    SN: Surname
    SOAP: Simple Object Access Protocol
    SP: Service Provider
    SSO: Single Sign On
    SSL: Secure Shell
    VoIP: Voice over Internet Protocol
    XML: Extensible Mark-up Language


    Additional Materials on the Accompanying CD

    Below is the list of materials on the accompanying CD provided to Coventry University as part of the project requirements and assessment. The items listed below are considered appendixes to this report; only the contents of the configuration files are included in the actual report.

    - Project proposal and specifications
    - Configuration files of the primary prototype implementation
    - Configuration files of the real time prototype implementation
    - Latest implementation testing data and logs
    - Interim Progress Report and Meeting Records
    - Progress and discussions notes with the project client


    Acknowledgements

    If I have seen farther it is by standing on the shoulders of giants (Newton,I, 1


    Chapter 1: Introduction

    1.1 Project definition and context

    The management of access to online resources has always been an issue for institutions and companies. For shared resources in particular, the crucial part of that issue lies in the security mechanisms and protocols used to access services and resources, above all when several organisations and institutions are federated, since there is strong and growing interest in resource sharing, interaction and collaboration within business and academic areas. Despite the enhancement of web services and other application types, users still face considerable issues in getting simple, quick and safe access to resources. The major question is how access to a variety of services and resources can be managed appropriately in an institution and within federated organisations without compromising the users' privacy and information security. Sometimes users also need to access services or applications through a single sign on mechanism, which is not always easy to implement, whether locally or externally (Erdos, M and Cantor, S, 2002).

    Shibboleth, the central point of this project, is one of the most wanted and requested middleware products used in World Wide Web infrastructures or environments to protect online resources from being accessed by illegitimate users. One of its major aspects is the implementation of the single sign on mechanism through a high level protocol called SAML (Security Assertion Mark-up Language). Because Shibboleth is an open source infrastructure platform, flexible and very powerful, it is becoming very popular and in demand across universities, colleges, research centres, banks, other business areas and more. In order to implement such an infrastructure, an organisation can either do so through a highly trained IT department or outsource the work to an IT services provider specialised in related projects. ANS (Applied Network Solutions) is an IT company that provides, among other things, web application solutions and deployment consultancy on innovative and integration infrastructure platforms within organisations, institutions and other companies. Its main service is library access management. However, ANS does not yet provide such a service through a single sign on mechanism such as Shibboleth for access to its library applications, nor does it deliver any expertise in Shibboleth implementation for customers needing Shibboleth. This project is about


    providing ANS with a strategy sketch for understanding and implementing Shibboleth on the basis of the specifications they provided.

    1.2 Background to the Project

    Rahul Deshmukh (n.d.) from Kansas State University stated that Shibboleth is a kind of linguistic password that identifies one as a member of a group. According to the history, two Semitic tribes, the Ephraimites and the Gileadites, have a great battle. The Gileadites defeat the Ephraimites, and set up a blockade to catch the fleeing Ephraimites. The Gileadite sentries ask each person to say the word shibboleth. The Ephraimites, who have no sh sound in their language, pronounced the word with an s and were thereby unmasked as the enemy and slaughtered. Thus, a person who violates a shibboleth can be rapidly identified as an outsider and immediately excluded from the group. In the English language the word Shibboleth means an arbitrary test or custom that distinguishes one group from another, or a word or slogan identifying with a particular group or party.

    Institutions, organisations and academia have been using various solutions to manage online shared resources since the earliest years in which resources and services started to be available online. Athens, Kerberos and others are among the solutions that present some alternatives. The question of a flexible, open, reliable and even free solution that properly deals with users' privacy and information security while providing a single sign on authentication mechanism within and across boundaries has always been raised. Now Shibboleth, a trademark of Internet 2 (a USA network consortium driven by members from education, industries, government and research communities around the world), is an infrastructure-based solution and an open standard designed to fulfil the above requirements. Shibboleth is emerging and moving fast in the form of an implementation of SAML, which is a security protocol from the Organization for the Advancement of Structured Information Standards (OASIS). Shibboleth implements the SAML protocol through a set of open software applications (John Paschoud 2004).

    ANS (Applied Network Solutions) is an IT Support company founded in 1990 that supplies IT business solutions, especially library management systems. ANS provides, among others, the following services: web applications, deployment


    consultancy on innovative and integration infrastructure platforms within organisations, MS Windows solutions, online library services and more (Applied Network Solutions, 2013).

    One of the major ANS products is 247lib.com/247libDE, a library management platform that provides a robust web browser based interface for access to its applications. Those applications are available for Universities, Government, Colleges, Corporate, Health Centres and many other institutions and include resources that allow the management of the following applications or services: Reports, Catalogue, Orders, Survey, Finance, Stock Items, Authorities, Borrowers, Circulation, Bookings, Periodicals and Enquiries. ANS does not yet provide access to those services via a single sign on mechanism in such a way that a third-party company that subscribes to many services is able to access them using a single username and a single password (Applied Network Solutions, 2013).

    Furthermore, ANS would also like to include in the variety of its services the consultancy and the outsourcing of single sign on mechanism implementation, notably through Shibboleth.

    1.3 Project Scope and Objectives

    1.3.1 Scope

    - Scope description

    It is very important to specify that the output of this project will be a working prototype built with appropriate tools. However, it is not directly intended for any commercial exploitation, since further parameters need to be taken into account when it comes to applying the product in a commercial integration. Of course ANS Ltd and any authorised user could make use of the project result and apply it to a real integration once they meet all the technical and non-technical conditions and requirements to do so.

    The features of this work cover all the major research aspects required to carry out the project.

    The paper also introduces further use of Shibboleth technology.


    Although the first part of this project, based on the Shibboleth investigation, covers all the major aspects and products used to fully deploy Shibboleth, the implementation part deals only with the products necessary for this project on the basis of the client specification. Those Shibboleth products include Service Provider and Identity Provider.

    - Project delimitation and exclusion

    This paper cannot afford to cover all the aspects of Shibboleth up to date, since Shibboleth itself is a very wide project that keeps moving over time. Instead the paper presents in depth the major concepts that Shibboleth uses and the way they work.

    The paper does not provide advanced concepts of the SAML protocol and other related technologies in general. Instead, it presents SAML as the protocol Shibboleth relies on.

    The report does not claim to solve all the issues related to other Shibboleth-based projects, but should be considered as a contribution to other works and to awareness of the single sign on mechanism based on Shibboleth.

    Although some steps of the implementation can be common to all operating system types, the essential operating system environment that this project addresses is Microsoft Windows based.

    This implementation is far from being the only process to follow if one wants to implement Shibboleth on Windows based operating systems, since there are many other techniques depending on the expertise level and other specifications.

    Although Apache Tomcat 6 is used in this implementation, the real tool to be considered as web server is IIS 7. Tomcat 6 is used just as a servlet container.

    People willing to use this Shibboleth implementation process will face some issues if they don't follow everything step by step, making sure that all the errors and problems from one step are solved before moving to the next step. Partial tests proving that the implementation is proceeding correctly are provided with the related success messages. Some issues can also be encountered if one uses tool versions other than those used in this project.

    All the concepts and terms used in this project are web-based.


    - Assumption

    This report assumes the following: anyone willing to exploit the content has a minimum understanding of networking and especially of web-based protocols such as HTTP, HTTPS, HTTPD, XML and SSL. The ANS web platform works properly, since the project does not deal with ANS web applications apart from showing how to get them (particularly 247lib.com/247libDE) communicating with the Shibboleth implementation, in other words their integration with Shibboleth. ANS web applications are ASP .Net platform based and therefore applying this project to other platforms may require various modifications depending on the level of compatibility.

    1.3.2 Objectives

    The aim of this project consists of two major parts. The first part aims to carry out a clear investigation by presenting a coherent description of the Shibboleth protocol as a single sign on mechanism that is currently in high demand for handling authentication to multiple web applications and services. The second part aims to lead and deliver an implementation strategy for Shibboleth through the ANS web applications platform 247lib.com/247libDE, which comprises sub-applications such as Survey, Finance, Stock items and so on. That implementation approach is driven by technical and practical experimentation via appropriate environment tools that will be presented throughout this paper. Thus an authorised user, via a web browser, will be authenticated and identified by Shibboleth before accessing a sample of defined web applications. The strategy of implementing the testing applications will be provided for the integration of 247lib.com/247libDE, including some particularities. Therefore, at the end of the implementation, a defined and authorised user should be able to access the testing applications through a single sign on mechanism, that is, without the need to provide access parameters for each application.

    1.4 Report overview

    This project first of all consists of investigating and describing the major Shibboleth concepts and its functioning architecture. The implementation strategy then follows, through a suitable experimentation environment. Due to the specifications of the project client, the implementation is mostly in a Windows-based environment. The main components and points that this project report covers are the following:


    - A research methodology
    - A literature review and related works
    - The requirements of the project implementation
    - The Implementation analysis and design
    - The prototype implementation
    - The implementation test
    - The project management
    - A critical Appraisal
    - Conclusions
    - Student reflections

    There are mainly three intended audiences for this document: general readers who want to have an idea of Shibboleth and the SAML protocol, technically-minded readers who would like to get a further idea about the implementation of the SAML protocol via Shibboleth, and finally people who want to understand in depth Shibboleth and one of the means of implementing its components on web servers. Accordingly, this content starts from a basic understanding of Shibboleth and proceeds to its implementation steps.


    Chapter 2: Methodology

    In order to come up with a solution to the objectives set in this project, the problem that the project description raises has to be identified, and an approach to the investigation and a resolution methodology have to be defined.

    2.1 Problem Identification

    Currently, there are several identity and access management mechanisms across the web. Most of them provide standard access mechanisms to shared resources and applications: standard because if a user needs to access a set of given applications, they have to provide their credentials each time. A minority of them provide a single sign on mechanism to access applications. Currently one of the most powerful and most demanded single sign on mechanisms, which is the object of this project, is Shibboleth. The company client of this project (ANS) is limited to a standard mechanism to permit their customers to access their applications. That means that, currently, a customer must always provide their credentials for each application they want to access; in other words, they cannot access several applications at the same time within the same session and with the same credentials (username/password). Moreover, some ANS customers such as universities and colleges are continuously requesting a Shibboleth implementation within their networks to allow Shibboleth-based authentication within their internal and external applications, but ANS does not yet have the Shibboleth expertise to provide such an implementation. In the context of federation within institutions and organisations in partnership, where Shibboleth is the authentication mechanism for access to shared resources, ANS also needs to adopt Shibboleth to extend their business.

    The fundamental question in this project is therefore to investigate and provide an appropriate analysis and description of Shibboleth, with emphasis on the context of the client specifications, to provide the client with a Shibboleth implementation strategy including the integration of example applications (in a working prototype), and to define an integration strategy for 247lib.com/247libDE.

    2.2 Methodology approach and justification

    As the conduct of this project goes from a general concept of web access management within shared resources to a specific scenario, that is, the use case, the investigation, application strategy and methods used in this work follow a user-defined methodology that aims first of all to conduct research on the project-related protocols and related works in order to further understand the project context, and then to provide an implementation in a working prototype, on the basis of the client recommendations and the project specifications.

    The reason for choosing the above methodology approach resides in the fact that this work is not entirely a research-defined project, nor a software or application development, nor a survey project. Instead, this project is about research and investigation around a protocol or technology (Shibboleth) and its application at a certain level within a defined environment. Therefore, the research, analysis and implementation methodology has to be specific and appropriate to the use case scenario. That means going from a general understanding of the single sign on mechanism, through Shibboleth and related technologies, to the implementation of what has been previously investigated and described.

    This methodology approach is to be achieved by examining the components below, which need to be discussed in order to understand how Shibboleth works, to analyse and understand the project specifications and requirements, and therefore to apply Shibboleth to the use case implementation. The diagram below illustrates that methodology approach, including the steps to be dealt with to complete this work.

    Figure 1: Methodology approach


    The Shibboleth protocol and the other technologies it relies on, which constitute the first step of this methodology, will be discussed first, in this current chapter. The literature review and related works, implementation requirements, system analysis and design, testing and management will be discussed in different chapters.

    Regarding the protocols investigation stage, the following components are to be developed:

    - Overview of the SSO mechanism
    - Major aspects of SAML protocol and SSO use case
    - Shibboleth as an implementation framework of SAML
    - Web application 247lib.com/247libDE

    2.3 Overview of the Web SSO mechanism

    2.3.1 Overview

    Actually, a lot of web applications in the same system or the same organisation still require users to register every time they want to use an individual application. The proliferation of web applications and services has led to the conclusion that it is impracticable and irrelevant to require users to remember several accounts (usernames and passwords) for all the applications they want to access. It has therefore become very difficult to manage credentials in such a web access management environment. Web single sign on (SSO) protocols allow users to make use of a single username and password to get access to several different applications or services.

    2.3.2 Web SSO architecture

    There are four main actors interacting in an SSO mechanism: the user, the SSO server or authentication server, the SSO agent or authentication agent, and the application(s). The figure below illustrates their architectural positions.


    Figure 2: Simplified Web SSO architecture

    The SSO server is the central entity in the SSO system since it stores centralized credentials and ensures the user authentication, the establishment of the link between the user and the other elements, and the propagation of the user identity towards applications.

    The mechanism starts when a user provides their authentication parameters to the SSO server. The server verifies those parameters and authenticates the user if the parameters match any stored credentials or certificates. When the user has been authenticated, the server maintains the user session by setting up an HTTP cookie on the user host. The cookie data are protected and are the way of identifying the user for any future server access.

    The user agent is generally integrated into the targeted application as a library or as an Apache or IIS module. The user agent verifies that the user is effectively authenticated, that is, authorised to access an application; otherwise, the user request is forwarded back to the SSO server. If the user has been authenticated, the agent verifies again the data source and transmits them to the targeted application and connects the user to the application.

    2.3.3 SSO protocols

    This section presents brief descriptions of some of the main protocols that implement the single sign on principle.


    - Kerberos Network Authentication Service: The Kerberos protocol, owned by the MIT (Massachusetts Institute of Technology), provides an authentication service in which every entity, whether a server or a client, is a user of the Kerberos service and trusts Kerberos' judgement of its peer party. Kerberos makes use of shared secret key encryption in which a user password is treated as the secret key (Sandhu, S, S, 2004).

    - SESAME: The Secure European System for Applications in a Multi-vendor Environment is quite similar to Kerberos in terms of design, but improves the concept of secret key protection and distribution (Sandhu, S, S, 2004).

    - OpenID SSO: This protocol provides a decentralized architecture that exploits the existing domain name server (DNS) service in a network. The assignment of user identifiers is based on their domain names. When a user tries to access a shared resource or application, they provide the OpenID that has been assigned to them according to their domain name. One of the most current implementations of the OpenID protocol is Microsoft identity management software (MIMS) (James, S, 2007).

    - SAML: Under the Organization for the Advancement of Structured Information Standards (OASIS), the Security Services Technical Committee (SSTC) developed SAML (Security Assertion Mark-up Language). SAML is a web security protocol based on the XML (Extensible Mark-up Language) architecture and implements many security mechanisms within web domains across the internet. One of its key aspects is user authentication and authorisation through techniques such as single sign on (James, S, 2007).

    The Security Assertion Mark-up Language protocol is the core protocol of this report, as one of its major implementations is Shibboleth, the central point of this project. SAML is described further in another section of this paper.

    2.3.4 SSO assets

    The implementation of SSO provides the following advantages to a company:

    - Time saving: A user can take about twenty seconds on average to log on to an application, and even longer if they make a mistake when typing account parameters and are required to re-type them. The higher the number of applications to access, the lower is the time saving in that case. By implementing single sign on, there is a real benefit in time saving even when there is a mistake while typing access parameters, which therefore greatly increases company productivity.

    - Administrative cost reduction: Fewer passwords to manage reduce the complexity of the administrators' task, since fewer requests to reset forgotten passwords will be received from users.

    - Security enhancement: The security policy is simpler to manage within and across organisations. Furthermore, all the applications guarantee the same level of security.

    - User adoption enhancement: As users do not need to provide different access credentials to access different resources, users more readily adopt applications that follow a standard basis.

    2.4 Major aspects of SAML protocol and SSO use case

    2.4.1 Definition and overview

    The Security Assertion Mark-up Language is an XML language that defines a standard framework and format for a high level of security in information exchange between web applications owned by partners in a business (OASIS, 2008).

    SAML does not aim to specify new cryptographic techniques or security models; rather, it focuses on and describes standard security technologies in industry through an XML-based format syntax, relying on web protocols such as HTTP, HTTPS, SSL and so on.

    Moreover, a business agreement defining the terms of a partnership must be made among the parties to set up a trusted environment before SAML is applied, since SAML itself does not automatically define a data format for safe information exchange or an authorisation policy; it is the security systems in charge of authentication, identification and authorisation that should define policies and formats within the organisations in partnership. So a really detailed definition of SAML must be based on use cases, even though there is a basic and common use case that illustrates a user getting access to protected resources (Netegrity, Inc, 2001).

    This section provides technical details of SAML, focusing on its latest version, SAML 2.0, a key aspect of understanding Shibboleth (which is one of its implementations) in the next section.


    2.4.2 SAML basic use case

    As stated above, SAML utilization varies according to use cases, and companies are free to define their own use cases based on their needs. However, the most common use case presents users attempting to access protected applications and services, as shown in figure 3 below.

    Figure 3: SAML Basic use case (diagram panels: Authentication, SAML, Authorisation)

    It is supposed that an end user, through their typical web browser, wants to access a protected resource that is an online application.

    a) The end user submits their credentials (which can be a username and password) to the Authentication Authority (any security or authentication application supporting SAML).

    b) The Authentication Authority confirms the user's access parameters based on their directory and produces an Authentication Assertion alongside one or many Attribute Assertions, which can be any other information about the user profile such as their function, their full name or their email address. The user can now be authenticated and identified by SAML assertions in a token.

    c) The user tries to get access to the resource using the SAML token.

    d) The Policy Enforcement Point (PEP) directly intercepts the user request to the resource and forwards the user SAML token, an Authentication Assertion, to the Attribute Authority (also any security application engine supporting SAML, or SAML-aware).

    e) According to its policies, the Attribute Authority, also called the Policy Decision Point, now decides whether the user can access the resource or not. If the decision is positive, an Attribute Assertion is generated and bound to the user token. Finally, that SAML token can be provided to trusted partners adhering to an SSO relationship (Netegrity, Inc, 2001).

    2.4.3 SAML other use case scenarios

    Other SAML use cases can include, among others, the following scenarios:

    - Sessioning, where a session is maintained while the end user navigates across the web applications and web sites that are within the SSO circle. In that case, the source web site deals with most of the security processes; notably, it acts as an authentication authority, a session authority, an attribute authority and a credentials collector. Destination websites act as Policy Enforcement Point (PEP) and Policy Decision Point (PDP) (Netegrity, Inc, 2001).

    - Authorization Service: Here, the resource protector and controller in terms of security is the PEP, which verifies the user authorisation when the user attempts to access a resource via a PDP (which acts as the authorisation service provider to the PEP). In this case, the security service is considered as an authentication authority, an attribute authority, a credentials collector and PDP. The backend application is considered as a PEP (Netegrity, Inc, 2001).

    - Business-To-Business Transaction: Within this scenario, business partners are involved in transactions based on XML documents. Each partner is authenticated against its own security system, or all the partners can agree to use the security services of a third-party engine which regulates the security in all transactions (Netegrity, Inc, 2001).

    2.4.4 SAML architecture

    This section describes the structure and the main components that constitute the SAML protocol and that contribute to the establishment, maintenance and release of secured information exchange between trusted organisations. Those components typically allow the exchange of authentication, authorisation, attributes, etc. across shared resources (OASIS, 2008).


    2.4.4.1 SAML structure

    SAML data and assertions are encoded in the form of an XML schema including basic information that defines and specifies an identifier used for the assertion, the date, time and name of the issuance, and the time slot or interval during which the assertion is valid. The submission of SAML assertions to authorisation and authentication decision points is done via a request and response protocol exchange that respects the following format: SAMLQuery and SAMLQueryResponse. Figure 4 below shows the basic structure of SAML (Netegrity, Inc, 2001).

    Figure 4: SAML structure

    Two other important concepts in SAML deployment:

    - Metadata allow SAML parties to communicate and share information. Parties recognize each other through metadata. For example, a Service Provider (SP) knows the profile of an Identity Provider (IdP) through its metadata, and vice versa. SAML metadata is often specified and defined by its own XML format content.

    - A SAML authentication context is used to carry information regarding the authentication strength that a user employs when authenticating against an Identity Provider.

    2.4.4.2 SAML components

    This part provides more details on the components, which present further information on the SAML structure and environment.

    - Profiles (combining protocols, assertions and bindings)
    - Bindings (how assertions are communicated over industry-standard transport and messaging frameworks)
    - Protocols (requests/responses pair for processing assertions)
    - Assertions (authentication and authorization (attribute) information)


    - Assertions: A SAML assertion helps parties to use statements to confirm security information concerning subjects. For example, an assertion in SAML can state that a subject is named GR Badouet, his ID is 3940347, his email address is badouetg@uni.coventry.ac.uk and he is a student in the department of Computing at Coventry University. Therefore, the key elements in an assertion are the subject and the statement content. Moreover, there are three types of statements defined by SAML that can be carried within an assertion: an authentication statement (generated by a party that has authenticated a user successfully; it describes the way used to authenticate the user, specifying the time at which the authentication was done); an attribute statement (containing specific attributes related to the subject, for instance that the user GR Badouet has a student status); and an authorisation decision statement (specifying what a subject is permitted to do, for instance whether GR Badouet is allowed to access the online library resource) (OASIS, 2008).

    - Protocols: They are used in SAML to define request and response actions. Those protocols include (OASIS, 2008):
        - Single Sign On.
        - Single Logout Protocol: specifies the mechanism of simultaneous logout for open sessions; it can be initiated by any party related to the active session, such as an IdP, an SP or even a user.
        - Assertion Query and Request Protocol: specifies a collection of queries through which SAML assertions can be obtained.
        - Artifact Resolution Protocol: defines a mechanism through which SAML messages may be passed using a value called an artifact; an artifact can be passed to a message via a SAML binding such as HTTP Redirect.
        - Authentication Request Protocol: provides a means through which a subject may request assertions comprising authentication and attribute statements.
        - Name Identifier Management Protocol: defines rules to change the value of the name format of identifiers; the request initiator can be either the identity provider or the service provider.
        - Name Identifier Mapping Protocol: defines mechanisms to programmatically map one SAML name identifier to another.

    - Bindings: In SAML, bindings are the elements that define and describe the ways SAML protocol messages are carried over transport protocols. SAML 2.0 defines the following bindings (OASIS, 2008):
        - HTTP Redirect Binding: specifies the way SAML protocol messages are carried through HTTP redirect messages.
        - HTTP POST Binding: provides how SAML protocol messages are carried inside a content of base .1
        - Reverse SOAP (PAOS) Binding: specifies a message exchange allowing an HTTP client to become a SOAP responder.
        - SAML URI Binding: specifies how to retrieve an existing assertion by resolving a uniform resource identifier.

    - Profiles: They determine how protocols, assertions and bindings are associated to yield more advanced interoperability in specific use case scenarios. SAML profiles provided by SAML 2.0 include (OASIS, 2008):
        - Enhanced Client and Proxy (ECP) Profile: a specific single sign on profile in which specific clients or proxies may use SOAP and the PAOS bindings.
        - Web Browser SSO Profile: specifies how entities in SAML make use of the authentication request protocol, SAML messages and assertions to complete SSO through typical web browsers.
        - Identity Provider Discovery Profile: specifies techniques for an SP to know about the IdPs that have previously been visited by a user.
        - Assertion Query/Request Profile: how entities in SAML make use of SAML query and request protocols to get assertions through a synchronous binding like SOAP.
        - Single Logout Profile: specifies how the Single Logout protocol is used with protocols such as HTTP POST, HTTP Redirect, SOAP and HTTP Artifact bindings.
        - Artifact Resolution Profile: how entities can make use of the Artifact Resolution Protocol through a synchronous binding to get a protocol message via an artifact.
        - Name Identifier Mapping Profile: specifies the means by which a Name Identifier Mapping Protocol utilizes synchronous bindings like SOAP.
        - Name Identifier Management Profile: specifies how a Name Identifier Management Protocol can be utilized with HTTP Redirect, SOAP, HTTP Artifact bindings and HTTP POST.

    2.4.5 SAML Components structures

    - Subject, Assertion and Statement Structure


    Figure 5 below shows the general structure of an assertion, a subject and a statement within a SAML/XML file fragment.

        <!-- Assertion header: version and time of issuance -->
        <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            Version="2.0"
            IssueInstant="2013-03T12:00:00Z">
          <!-- Issuer: the entity that produced the assertion -->
          <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
            http://idp.example.org
          ...
            badouetg@example.com
            </saml:NameID>
          </saml:Subject>
          <!-- Conditions: validity window of the assertion -->
          <saml:Conditions
              NotBefore="2013-03T12:00:00Z"
              NotOnOrAfter="2013-03T12:10:00Z">
          ...
          <saml:AuthnStatement
              AuthnInstant="2013-03T12:00:00Z" SessionIndex="

        <!-- Attribute statement: attributes asserted about the subject -->
        <saml:AttributeStatement>
          <saml:Attribute
              xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              Name="urn:oid:2.5.4.42"
          ...
          <saml:Attribute
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
              Name="LastName">
            <saml:AttributeValue
                xsi:type="xs:string">Doe</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute
              xmlns:smithco="http://www.smithco.com/smithco-schema.xsd"
              NameFormat="http://smithco.com/attr-formats"
              Name="CreditLimit">
            <saml:AttributeValue xsi:type="smithco:type">
              <smithco:amount currency="USD">500.00</smithco:amount>
            </saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>

    Figure 5
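The checks a relying party would run over an assertion shaped like the fragment above (issuer, subject, Conditions window, authentication and attribute statements), as an added example that is not part of the original report. The sample assertion, the function names (`check_assertion`, `only`, `parse_instant`), the trusted-issuer set and the 60-second clock-skew allowance are assumptions made for illustration; XML signature verification, which has to happen before these checks, is not shown.

```python
"""Relying-party checks on the parts of a SAML 2.0 assertion: issuer,
subject, Conditions validity window, authentication and attribute statements."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (placeholder values, not taken from the report).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                Version="2.0" ID="_constructed-example-id"
                IssueInstant="2013-03-01T12:00:00Z">
  <saml:Issuer>http://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-03-01T12:00:00Z"
                   NotOnOrAfter="2013-03-01T12:10:00Z"/>
  <saml:AuthnStatement AuthnInstant="2013-03-01T12:00:00Z"
                       SessionIndex="constructed-session-1"/>
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                    Name="LastName">
      <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class AssertionRejected(Exception):
    """An assertion failed one of the relying-party checks."""


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2013-03-01T12:00:00Z (optional fraction)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise AssertionRejected("unparseable instant: %r" % value)


def only(root, path):
    """Return the single element at path; reject missing or duplicated ones."""
    found = root.findall(path, NS)
    if len(found) != 1:
        raise AssertionRejected("expected exactly one %s, found %d" % (path, len(found)))
    return found[0]


def check_assertion(xml_text, trusted_issuers, now, skew=timedelta(seconds=60)):
    """Validate structure and validity window; return the asserted identity.

    Assumes the XML signature was already verified by a dedicated library.
    The stdlib parser keeps the example self-contained; for untrusted input
    use a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 assertion")

    issuer = (only(root, "saml:Issuer").text or "").strip()
    if issuer not in trusted_issuers:
        raise AssertionRejected("untrusted issuer: %r" % issuer)

    subject = (only(root, "saml:Subject/saml:NameID").text or "").strip()
    if not subject:
        raise AssertionRejected("empty subject NameID")

    # Conditions: the assertion is only usable inside its validity window.
    cond = only(root, "saml:Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_after is None:
        raise AssertionRejected("Conditions has no NotOnOrAfter")
    if not_before is not None and now + skew < parse_instant(not_before):
        raise AssertionRejected("assertion not yet valid")
    if now - skew >= parse_instant(not_after):
        raise AssertionRejected("assertion expired")

    authn = only(root, "saml:AuthnStatement")
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)

    return {"issuer": issuer, "subject": subject,
            "authn_instant": parse_instant(authn.get("AuthnInstant", "")),
            "session_index": authn.get("SessionIndex"),
            "attributes": attributes}


if __name__ == "__main__":
    at = datetime(2013, 3, 1, 12, 5, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE_ASSERTION, {"http://idp.example.org"}, at))
```

Rejecting duplicated `Issuer`, `Subject` or `Conditions` elements keeps the values that were checked identical to the values the application later consumes.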


    are defined and within each binding in SAML. Some recommendations regarding the security aspect and rules are as follows (Fengming, N, Feng, X, and Rongzhi Q, 2012):

    - To ensure the integrity and the confidentiality of exchanged messages, HTTP over SSL 3/TLS 1.0, also known as the HTTPS protocol, should be applied. The same protocol is recommended when a relying party needs an assertion from an asserting party, with the application of mutual authentication and through digital signatures (Fengming, N, Feng, X, and Rongzhi Q, 2012).

    - When delivering a response message comprising an assertion to a relying party through a standard web browser, it is compulsory that the message be digitally signed using an XML signature (Fengming, N, Feng, X, and Rongzhi Q, 2012).

    Privacy

    Basically, privacy refers to users' capability to control the way their data and information are used and shared between partners in a relationship. The SAML protocol is generally implemented with respect to such requirements whatever the scenario. SAML consists of a set of mechanisms supporting implementations that respect privacy specifications and requirements (OASIS, 2008).

    - SAML is designed to support the application of pseudonyms set up between a service provider and an identity provider. Pseudonyms ensure that only appropriate correlations between a service provider and an identity provider are enabled (OASIS, 2008).

    - SAML is designed to support one-time identifiers. Those identifiers guarantee that, whenever a given user gets access to a given service provider via a single sign on mechanism from an identity provider, that service provider might not be capable of identifying them as the same user that has visited it before (OASIS, 2008).

    - The authentication context mechanisms in SAML are defined to permit a user to get authenticated at an appropriate assurance level.

    - SAML permits a user to claim some operations to make sure that all the operations related to their profile data and information match the scope of the user's rights and policy (OASIS, 2008).


    2.4.7 SAML benefits

    SAML provides many detailed benefits; some of the most important of them are listed below:

    - Open solution: SAML has been defined to work properly with a variety of web protocols such as HTTP, HTTPS, FTP, SMTP, SOAP and more. In addition, SAML also supports many XML frameworks.

    - Single Sign On Across Sites: SAML allows users to navigate across different websites, web applications and web services within companies in a trusted relationship, with the guarantee of an advanced security and privacy level. The ability to access shared resources inside a partnership without having to provide credentials or other access parameters every time is a real asset.

    - Interoperability: SAML allows all types of e-businesses and service providers, whatever their size, to safely exchange data and information about resources and users, all without requiring companies to remove their existing security solution.

    - Standardization: The development of SAML, with the multitude of its features, allows industry to use a common and standard framework to provide authentication, authorisation and identification within policy-based security platforms.

    The next section concerns Shibboleth, one of the protocols or frameworks that implement the SAML protocol. This provides further understanding of how SAML really works. It will make it clearer how SAML components such as the SP (Service Provider) and IdP (Identity Provider) communicate with each other via the SAML/XML format.

    2.5 Shibboleth as an implementation framework of SAML

    Section 3 presented an overview of the single sign-on (SSO) mechanism by describing its general structure. Still in the same section, some protocols able to implement the SSO operation were also presented, focusing on one of the major protocols, which is SAML. As SAML is the protocol of most interest in this project, section 3.2 provided further details on the core structure and main components of SAML. This section (3.3) now introduces a framework that implements the SAML protocol at a certain level, which is the subject of this project. Some concepts already covered in the previous section may recur in this section because Shibboleth is almost all about SAML. Shibboleth is therefore described in the next sections, illustrating how it implements SAML over web servers. This chronological analysis helps to easily understand the project progress.

    2.5.1 Shibboleth architecture and components

    The major components of the Shibboleth architecture are the Identity Provider (IdP), the Service Provider (SP) and the Discovery Service (DS) (formerly called WAYF, Where Are You From). In addition to these components, two other actors take part in the web SSO system, notably the web browser and the resource. All those elements interact with each other in order to provide user identification, authentication and authorisation in a secure manner.

    2.5.1.1 Identity Provider

    The Shibboleth IdP is the component at the heart of the security procedures; its main function is to authenticate the user through an existing authentication system such as LDAP and to provide the single sign-on service in compliance with the SAML protocol and assertion specifications. The IdP consists of five components, namely the Authentication Authority, the Inter-site Transfer Service, the Artifact Resolution Service, the Single Sign-on Service and the Attribute Authority (Cantor, S, 2005). Figure 7 below summarizes the IdP structure and the communication between its components.

    Figure 7: IdP components structure

    [Diagram components: Artifact Resolution Service, Attribute Authority, Authentication Authority, Inter-site Transfer Service, Single Sign-on Service]

    The Authentication Authority consists of a SAML-based service that initiates authentication assertions for relying parties such as the Shibboleth Service Provider. Shibboleth itself does not determine the way the authentication of entities has to be performed. The Single Sign-on Service is the initial point of contact at the level of the IdP; at this level, it initiates the process of authentication and redirects the user towards the Inter-site Transfer Service, which is in charge of providing HTTP responses in accordance with the Browser/Artifact and Browser/POST profiles. The Inter-site Transfer Service, which is an HTTP service, interoperates with the Authentication Authority to provide the required authentication assertion (Sidawi, M,W, 2007).

    Assuming that the Browser/Artifact profile is used, the IdP provides an artifact to the service provider; the SP then forwards the artifact to the Artifact Resolution Service, which is a SAML protocol that helps the IdP to provide the authentication assertion to the service provider. Afterwards, the Attribute Authority generates attribute requests and attribute assertions to identify and authenticate any request it may receive (Sidawi, M,W, 2007).

    2.5.1.2 Service Provider

    A service provider is an application entity providing a web service or any type of web resource that should in principle be subject to authorisation, following a security concept provided by the SAML specifications. Subject to authorisation means that, before using a resource managed by the service provider, a user should already have valid authentication parameters (Cantor, S, 2005).

    A service provider should always have a unique identifier called entityID, or providerID in old Shibboleth specifications and products, that should be a URI (Uniform Resource Identifier) [RFC 239024 characters. The use of an HTTPS URL (Uniform Resource Locator) may be more recommended in the publication of metadata (Cantor, S, 2005). A Shibboleth SP consists of the following elements:

    - Assertion Consumer Service: Managed by the SP, the assertion consumer service is an HTTP resource and the SP endpoint of the SSO process. Its function is to process HTTP GET requests or Browser/POST profile submissions in order to set up a new security context for an entity. If this is successful, the assertion consumer service should then redirect the user's agent to a target resource hosted by the SP (Cantor, S, 2005).

    - Attribute Requester: Eventually implements a back-channel attribute exchange when the security context has been set up at the service provider (Cantor, S, 2005).

    - In addition, there is the target resource, which is the application or the service a user wants to access.

    2.5.1.3 Discovery Service / WAYF

    Formerly called WAYF (Where are you from), the discovery service (DS) is a very important component and function in Shibboleth when dealing with a use case scenario where there is more than one identity provider. In that case, the DS helps the SP to identify the IdP to which it should send the authentication request. Sometimes a single user can belong to several SPs and several IdPs.

    2.5.1.4 Web browser and target resource

    The web browser is the user-side application that initiates an HTTP request to the SP (when the user types the URL of the wanted web application) in order to access a protected resource.

    2.5.2 Overview of the web SSO steps with Shibboleth

    This part describes how Shibboleth works and how its components cooperate with each other to achieve the single sign-on process. According to Cantor, S (2005) and Shibboleth (2013), the following sequence illustrates the steps and interactions that occur within a typical Shibboleth-based single sign-on scenario. The main actors in that process are the components described above. This scenario assumes that a user wants to get access to a secured resource for the first time and does so successfully.

    1) HTTP request to SP: The user attempts, through an HTTP request, to access a protected resource hosted by the service provider. The resource manager checks whether the user has an active session or not. Once it notices that the user does not have an active session, the user request is sent to the Service Provider in order to begin the SSO operation.

    2) Authentication Request issued by Service Provider to Identity Provider: Once the SP has received the user request, an authentication request associated with the user request is prepared and redirected to the Identity Provider. It is worthwhile to note that the Service Provider application is usually deployed on the same server as the resource.

    Where there are many Identity Providers, the authentication request and the user request are first sent to the Discovery Service (DS)/WAYF as an intermediate step, so that the SP can determine and select the IdP to which the user belongs before everything is sent to the appropriate IdP. Shibboleth provides two services/applications to deal with this case: the Centralized Discovery Service and the Embedded Discovery Service. However, those responsible for Shibboleth strongly encourage service provider developers to use the second one, as it offers a better user experience.

    3) Identification and Authentication of the user by the IdP: When the request from the SP arrives at the IdP, it checks whether the user has an existing session or not. If that is the case, step 4 proceeds; if not, the user is prompted to provide their access parameters (e.g., a username and a password) and then proceeds to the next step (4).

    4) IdP issues Authentication Response to SP (<samlp:Response> or SAML Artifact(s)): As the user parameters were correct and the user has therefore been identified, the IdP generates a SAML response or one or more artifact message(s), considered as an authentication response, and sends it back with the user request to the service provider.

    5) Service Provider checks the response: When the user request and the authentication response from the identity provider reach the service provider, the authentication response undergoes validation and a user session is created by the SP, which also provides some important information, such as a user identifier, to be used by the protected resource. Afterwards, the user is directed to the target resource.


    3) explaining as below describing some important elements and features that also help Shibboleth to achieve the SSO mechanism and more about the way Shibboleth works.

    - User attributes: One great benefit of using Shibboleth is the advanced capacity of a Shibboleth SP to easily receive data from a Shibboleth IdP and vice versa. Without these data, also called user attributes, a user cannot be identified and authenticated. Attributes can be an email address, a phone number, information about a group to which the user belongs, their function in an organisation and so on.

    [Sequence diagram. Participants: User Agent, Service Provider, Identity Provider, Discovery Service. Steps: 1) HTTP request to SP; 2) Authentication Request issued by SP to IdP; 3) Identification and Authentication of the user by the IdP; 4) IdP issues Authentication Response to SP; 5)]

    - Shibboleth metadata: One may also ask how the IdP and SP communicate with each other over HTTP, how each entity knows the other's URLs, and more. This role is fulfilled by data about data, or data for data, called metadata. A metadata document describes in detail different aspects related to an IdP or an SP. The SP metadata file should be loaded in the IdP and the IdP metadata should be loaded in the SP properly to allow communication between them. An SP or IdP metadata document generally comprises message URLs, an entity ID as identifier, cryptographic information about message creation, and a human-readable name and description.

    - Federated Single Sign On with Shibboleth: The above SSO steps are quite similar to those of most SSO systems. However, some of those systems are defined to operate only when the SP and the IdP are within the same organisation. The SSO implementation through Shibboleth works regardless of whether the SP and the IdP are within the same network/organisation or not. This highly advantageous feature means Shibboleth is additionally defined as a federated SSO mechanism.

    - Shibboleth profiles: Generally, SAML profiles specify the components of interoperability, which means that if different products support a set of defined profiles, they can cooperate with each other at a certain given level. The Shibboleth profiles specification defines a set of functions that can be performed. For example, the Shibboleth IdP does not yet support Single Logout (out of scope of this project). Figure 9 below shows the profiles supported by the Shibboleth SP and IdP.

    SAML 1.1 Protocol

    Profile                          Identity Provider   Service Provider
    SSO Profile                      Yes                 Yes
    Shibboleth SSO Request Profile   Yes                 Yes
    Attribute Query                  Yes                 Yes
    Artifact Resolution              Yes                 Yes

    SAML 2.0 Protocol

    Profile                          Identity Provider   Service Provider
    SSO                              Yes                 Yes
    Attribute Query                  Yes                 Yes
    Artifact Resolution              Yes                 Yes
    Enhanced Client                  Yes                 Yes
    Single Logout                    No                  Yes
    Name ID management               No                  Yes
    WS-Federation Passive (ADFS)     No                  Yes
    US eAuth v1                      No                  Yes

    Figure 9: Shibboleth profiles

    - Shibboleth Bindings: Bindings define and describe the way messages are carried from a sender to a recipient. Examples of bindings include the POST binding, which determines how to format, name and send messages to a recipient through an HTTP POST request. The Redirect binding determines the way to send a message through the URL of an HTTP redirect request.
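The Redirect binding and step 2 of the SSO sequence, as an added Python example that is not part of the original thesis or of the Shibboleth code base: the SP packs a SAML 2.0 AuthnRequest into the redirect URL, and the IdP side decodes it and checks it against the SP metadata it has loaded. The endpoint URLs, the entity ID and the `SP_METADATA` dictionary are constructed sample values, and request signing is not covered.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
MAX_XML = 64 * 1024  # upper bound on the inflated request

# Constructed sample values (assumptions, not taken from the thesis).
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
# Stand-in for loaded SP metadata: entityID -> registered ACS URL.
SP_METADATA = {SP_ENTITY_ID: "https://sp.example.org/Shibboleth.sso/SAML2/POST"}


def build_authn_request(request_id, issue_instant, entity_id, acs_url):
    """SP side: the <samlp:AuthnRequest> prepared in step 2."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = entity_id
    return ET.tostring(req, encoding="utf-8")


def to_redirect_url(xml_bytes, relay_state):
    """Redirect binding: raw DEFLATE, then base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def parse_redirect_url(url, sp_metadata):
    """IdP side: decode the request and check it against the SP metadata."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if len(params.get("SAMLRequest", [])) != 1:
        raise ValueError("expected exactly one SAMLRequest parameter")
    try:
        raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
        inflater = zlib.decompressobj(-15)
        xml_bytes = inflater.decompress(raw, MAX_XML)  # cap the output size
    except zlib.error as exc:
        raise ValueError("SAMLRequest is not valid DEFLATE data") from exc
    if inflater.unconsumed_tail:
        raise ValueError("inflated request exceeds the size limit")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTDs are not allowed in SAML messages")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError("SAMLRequest is not well-formed XML") from exc
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("request was addressed to a different endpoint")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in sp_metadata:
        raise ValueError("issuer has no metadata loaded at this IdP")
    if root.get("AssertionConsumerServiceURL") != sp_metadata[issuer]:
        raise ValueError("ACS URL does not match the SP metadata")
    # The response is later sent to the ACS URL from metadata, not the request.
    return {"id": root.get("ID"), "issuer": issuer,
            "acs_url": sp_metadata[issuer],
            "relay_state": params.get("RelayState", [""])[0]}
```

The returned `id` is what the SP later expects in the response's `InResponseTo` attribute when it validates the response in step 5.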

    2.6 Web application 247lib.com/247libDE

    247Lib.com/247libDE is a library management application written in ASP .Net that provides an advanced and simple web-browser-based interface. The services provided by that web application are available for Universities, Government, Colleges, Corporate, Health Centres and many other institutions, and include resources allowing the management of the following applications or services, organised by modules: Reports, Catalogue, Orders, Survey, Finance, Stock Items, Authorities, Borrowers, Circulation, Bookings, Periodicals, Enquiries Online discussions and more (Applied Network Solutions, 2013).

    The main use case of 247libDE consists of securing access to the services listed above. For instance, a subscriber can address any library management or resource management task by simply using the modules they want through a friendly web-based configuration tool (Applied Network Solutions, 2013).

    The 247Lib.com/247libDE application may be hosted either at the customer premises or by any third party able to host web applications. Microsoft and HP have both endorsed 247lib.com with '247lib.com in a box' (meaning that a complete solution can be delivered to the customer in the cloud, including hardware, operating system and the 247Lib.com/247libDE application). In other words, the package gives a 'Microsoft Windows Embedded licence' and an HP server comprising the entire required performance configuration (Applied Network Solutions, 2013).

    As explained before, the technical goal of the project is to define a strategy for integrating 247Lib.com/247libDE with Shibboleth and therefore to allow a Shibboleth-based authentication mechanism. Figure 10 below is a screenshot of the web interface containing the resources that users may need to access through the SSO principle. The existing authentication solution allows users to provide different credentials and usernames every time they want to access different applications (Applied Network Solutions, 2013).

    Figure 10: 247lib.com/247libDE existing interface


    Chapter 3: Literature Review and related works

    3.1 Introduction

    Investigation and implementation of Shibboleth SSO authentication mechanism through a specific scenario

    The above project title states and summarizes a wide area of literature in the field of identity and access management systems in general, and particularly around the concept of the single sign-on implementation strategy within organisations and institutions. This chapter covers some major topics related to SSO, SAML and Shibboleth. It aims to give a better understanding of the concepts described in the previous chapter and to familiarise the reader with the main background of the topic that this whole paper deals with. It gives an overview of what has already been done by other authors in the area of the topic and presents what new the project will bring, hence the necessity of the project. The approach used is a combination of thematic and chronological structure; this is due to the wish to group and organise the sub-headings of this chapter from general (less related) to more directly related to the project topic. Therefore, the contents of this chapter comprise the analysis of the SAML protocol with regard to the single sign-on mechanism, the implementation of SAML through Shibboleth, and the application of Shibboleth within an organisation or/and across federated institutions.

    3.2 Web SSO protocols

    Several authors have provided descriptions of protocols supporting the single sign-on mechanism. Those authors raised the features that those protocols can supply to a system or a set of systems. According to many articles, how powerful a protocol is depends on its use and how well the user masters it.

    Fengming, N., Feng, X., and Rongzhi, Q (2012) made an analysis of the web SSO mechanism, describing it as a technique used to deal with the issue of password and account management when accessing different applications or services. They claimed that the standard SSO can no longer guarantee a high security level and performance in complex systems due to the mutation of applications and computational systems. They raised especially the problem of legacy in different systems that faces the traditional SSO, and presented the SAML protocol as the new solution to deal with it.

    Neuman, B,C., and Ts'o, T (1994) contended that the Kerberos-based single sign-on, consisting of electronic certificates supplied by centralised authentication systems and servers, is one of the most widely used SSO protocols due to the simplicity of its structure. However, its legacy components need to be well known and modified with regard to the implementation application. That argument was later supported by SHEN, Y., and Du, Q., (2012). However, Tiwari, P,B., and Joshi, S,R (2009) stated that the one-time password authentication method in Kerberos is only suitable for SSO mechanisms without the need for high performance requirements.

    Nishimura, T., and Sato, H (2008) tried to provide two sketches of solutions to deal with the issue of legacy in different systems, which are automatic account bindings, automatic application systems bindings and the LESSO model, which guarantees data security in transportation. However, those solutions are limited by web filter use, and the authentication efficiency is reduced.

    Another piece of research, carried out by the Organization for the Advancement of Structured Information Standards (OASIS, 2013), described another single sign-on mechanism based protocol (SAML) as an XML-based standard architecture providing switching authentication of data in several security domains. That description had earlier been supported and validated by many authors such as Hansen, S, M., Skriver, J., and Nielson, H, R (2005) through a common article on a s