
Identity Management on a Shoestring

Authors: Ganesh Prasad, Umesh Rajbhandari. Translator: 马国耀. Published 29 March 2013.

About the authors

Ganesh Prasad has many years of experience as an architect in the Shared Services domain, and believes that his pedantry is in fact the expression of a long-term, enterprise-level perspective. He has caused a good deal of trouble for teams whose only concern is getting the job done (translator's note: without regard for quality).

Umesh Rajbhandari is a Java/Web developer who enjoys keeping up with the latest technologies. He has worked in Singapore and Nepal, and now lives in Sydney.


Read the original English text: Identity Management on a Shoestring

This book is intended for security and IT practitioners in end-user enterprises and organisations, in particular architects responsible for implementing an enterprise-wide Identity and Access Management (IAM) system. It is neither a conceptual treatment of identity (for that we recommend Kim Cameron's well-known Laws of Identity) nor a detailed technical manual for any particular product. It describes, drawing on the authors' experience, a disciplined and economical architectural approach to implementing IAM within an enterprise.

In early 2009 we built an IAM system for a large, well-known Australian financial services company using a non-traditional approach. Although the system has not yet reached its intended target state, we have achieved some important milestones, and we believe our experience offers valuable lessons for other companies considering a similar undertaking. There is little publicly available knowledge on the practice of identity management, so we are glad to contribute ours. Most of what we describe here we have actually implemented or verified. Some of it refers to designs we have prepared for our next set of requirements, and some reflects hindsight, that is, what the architecture should have looked like when viewed after implementation. We have distilled these insights into an architectural approach that we call LIMA.

Our background and experience are mainly in Java technology, so companies using Java may benefit most from our recommendations, but we firmly believe the general principles apply equally to other technology platforms. As with any such advice, readers should exercise caution. We offer no warranties or guarantees, express or implied. Readers must apply common sense and sound design judgement when building solutions on this approach.


Table of contents (English)

ACKNOWLEDGEMENTS

INTENDED AUDIENCE

COVER ILLUSTRATION

OVERVIEW – CHARACTERISTICS OF LIMA AT A GLANCE

INTRODUCTION

THE MODERN ENTERPRISE – A REALITY CHECK

SO YOU THINK YOU'RE GOING TO CHANGE THE WORLD

WHO'S YOUR SUGAR DADDY? FUNDING MODELS THAT WORK

FIRST THINGS FIRST – OBJECTIVES OF IDENTITY AND ACCESS MANAGEMENT

THE TROUBLE WITH BRAND-NAME PRODUCTS

MISCONCEPTIONS ABOUT SECURITY

AUDITORS, SECURITY AND WORDS OF WISDOM

INTRODUCING LIMA – A DIFFERENT ARCHITECTURE FOR IAM

LOOSE COUPLING – A FIRM FOUNDATION FOR IAM

SNEAK PREVIEW – WHAT A LIMA IMPLEMENTATION LOOKS LIKE

ACCESS MANAGEMENT, LIMA-STYLE

ACCESS MANAGEMENT CONCEPTS

HOW SINGLE SIGN-ON WORKS

THE BEST THINGS IN LIFE (AND IN IAM) ARE FREE

CENTRAL AUTHENTICATION SERVICE AND THE CAS PROTOCOL

SHIBBOLETH'S FEDERATED IDENTITY MODEL

CAS SERVER CONFIGURATION AND THE “TWO-LAYER PROTOCOL ARCHITECTURE”

ENHANCING ACCESS MANAGEMENT FUNCTIONALITY INCREMENTALLY

EXTENSION CASE STUDY 1: LAN SSO INTEGRATION WITH SPNEGO

EXTENSION CASE STUDY 2: TWO-FACTOR AUTHENTICATION WITH SMS ONE-TIME TOKENS

EXTENSION CASE STUDY 3: FEDERATED IDENTITY WITH SAML TOKENS

LIMITS TO THE TWO-LAYER PROTOCOL ARCHITECTURE

MISCELLANEOUS TOPICS IN ACCESS MANAGEMENT

PROTECTING NON-WEB APPLICATIONS

IMPLEMENTING “SINGLE SIGN-OUT”

IAM AND CLOUD COMPUTING

WHAT DO WE DO WITH ACTIVE DIRECTORY?

TAILORING COARSE-GRAINED ACCESS CONTROL

USING CAS TO CENTRALISE ENFORCEMENT OF AUTHORISATION RULES

USING A REVERSE-PROXY DEVICE AS A COMMON INTERCEPTOR

ACCESS MANAGEMENT FOR “PORTAL” APPLICATIONS

IDENTITY MANAGEMENT, LIMA-STYLE

IDENTITY MANAGEMENT CONCEPTS

SEPARATING CHURCH AND STATE – THE ROLES OF DIRECTORY AND DATABASE

DESIGNING THE IAM DIRECTORY

USER UUID – THE ONE RING TO RULE THEM ALL

DECOUPLING AUTHENTICATION, COARSE-GRAINED AND FINE-GRAINED AUTHORISATION REALMS

PERSON UUID – THE ULTIMATE IDENTITY REFERENCE

DATA REPLICATION AND MASTER DATA MANAGEMENT

DESIGNING THE IAM DATABASE

REST EASY WITH REST SERVICES

IAM REST SERVICE INTERFACE AT A GLANCE

AUTOMATED USER PROVISIONING – INVOCATION OF REST SERVICES

USER ADMINISTRATION

IAM, PROTECT THYSELF

PROVISIONING USERS TO DOWNSTREAM SYSTEMS

DESIGNING USER PROVISIONING MESSAGES

IMPLEMENTING LIMA

TRANSITIONING TO THE TARGET STATE

HARMONISING DATA

MANAGING SSO REALMS

MANUAL PROVISIONING

THE BAU OF IAM – A “COOKIE-CUTTER” IMPLEMENTATION

DEVELOPMENT TASKS

PROVISIONING TASKS

CONCLUSION

APPENDIX A – TYPICAL SECURITY REQUIREMENTS FROM AN IAM SYSTEM

APPENDIX B – MAPPING THE LIMA DESIGN TO THE OASIS MODEL OF IAM

APPENDIX C – SPECIAL CASE EXAMPLE 1 (MULTIPLEXING USER IDS)

APPENDIX D – SPECIAL CASE EXAMPLE 2 (RESETTING LAN PASSWORDS)

APPENDIX E – A SAMPLE PHASED ROLL-OUT PLAN
