| 摘要: | 隨著企業或政府機關資訊化的趨勢,資訊系統日益增加,對於企業或政府機關內部的許多資訊系統而言,由於系統建置的時間與平台不盡相同,因此每個資訊系統各自擁有認證模組與帳號角色資料庫。對於使用者而言,必須個別登入每個系統,方可使用該系統之功能。此外,若使用者於各個系統內之帳號或密碼不同,則需記憶多組帳號與密碼。上述兩點會造成使用者之不便。從系統管理層面而言,每個系統的授權規則皆儲存於各自的資料庫中,系統管理者必須各自維護每個系統之授權規則,其中包括:使用者-角色、角色-資源的對映關係。因此,分散於各系統的認證模組、授權模組、帳戶資料庫,將對使用者與管理者造成諸多不便。單一簽入服務 (Single Sign-On) 技術的發展目標,是為了解決使用者一再輸入認證資料的問題。加上現有之憑證載具(例如:IC智慧卡)Smart Card 的認證及加解密的功能,身份驗證與數位簽章,現有憑證媒介有:Smart Card、磁碟片、隨身碟等。 在企業或政府機關中推動單一簽入服務時,企業或政府機關會將推動專案所需經費列為考慮最重要因素之一,以憑證媒介而言隨身碟、Smart Card 都屬於高單價產品,大部份企業或政府機關往往因成本考量因素無法將單一簽入考慮在其中,其次使用者已經習慣使用帳號與密碼的登入方式,若要改變由智慧卡或憑證方式登入系統,使用者會抗拒因新系統的導入而心生恐懼,導致會排斥或拒絕使用它。本論文將針對個案描述資訊系統導入單一簽入機制之技術解決上述問題。運用目錄整合技術,將多個既有系統之帳號與群組資料整合至單一目錄服務資料庫。透過帳號對映與單一簽入之機制,使用者只需以憑證載具(例如:IC智慧卡)登入,即可存取後端各個資訊系統。個案中所建構之單一簽入系統,代替後端所有資訊系統進行認證之作業。 本論文之重點包括:既有系統帳號與角色資料之整合作業、認證作業資料、單一簽入系統與後端資訊系統之系統整合,最後將整個單一簽入資訊系統導入後所能產生的直接或間接效益來作各分析討論,並提出結論與建議。 With the trend of increasing use of information technology by enterprises and government agencies, the number of information systems within each organization has also increased because the time constructing the systems and their platforms are usually different. Each information system also generally has its own authentication and account number database. Under such circumstances, a user must login each system individually before using the systems. In addition, if a user's accounts or passwords are different across the systems, the user has to remember them all. These will cause great inconvenience to users. From system management, the mandate rule of each system is all stored in its own databases and the system administrator must maintain the mandate rule of each system. So, disperse in the authentication modules of the systems and account databases will cause a lot of inconvenience to users and the administrator. The goal of the Single Sign-On Services technology is to resolve the above issues. Smart Card authentication and encryption and decryption functions, authentication and digital signature, the existing media credentials are devices and technologies for the development of the Single Sign-On services. Because the prices of Flash and Smart Card are high, making most businesses or government agencies unwilling to consider the Single Sign-On service. Further, users have become accustomed to using the account and password login, making the users resist the new technology of authentication. This study describes a case of developing a Single Sign-On mechanism and check its capability in resolving the problem of multiple logins. The use of the directory integration technology is more than integrating all the account information into a single directory service database. Mapped through a single account to the Single Sign-On mechanism, a user only needs to set a certificate (for example, Smart Card) login and then access all the back-end information systems.. In sum, the focuses of this paper include authentication data, Single Sign-On system and back-end systems integration of information systems, and finally Single Sign-On information system that can be derived after being imported, directly or indirectly, for analyzing the effectiveness of of the technology. Discussions and recommendations for constructing such a system are provided.. |
