| Graduate student | 陳麗美 Chen, Li-Mei |
|---|---|
| Thesis title | 電子資源的聯盟存取管理系統:Shibboleth在臺灣學術及高等教育界的應用探討 (Federated Access Management for Electronic Resources: A Study of the Application of the Shibboleth System in Research and Higher Education in Taiwan) |
| Advisor | 張迺貞 Chang, Nai-Cheng |
| Degree | Master |
| Department | Graduate Institute of Library and Information Studies |
| Year of publication | 2010 |
| Graduating academic year | 98 (ROC calendar) |
| Language | Chinese |
| Chinese keywords | Access management; authentication and authorization |
| English keywords | Shibboleth, Access Management, Authentication and Authorization |
| Thesis type | Academic thesis |
ABSTRACT (Chinese version, translated)
Taiwan's universities and academic institutions still seem to lack a good solution for convenient access to, and easy management of, the protected online resources they provide, whether purchased or built in-house: full-text electronic journals, electronic databases, e-books, digital teaching resources, research datasets, and the like. Current domestic practice takes five forms: 1. use within the campus IP range, which makes the resources unusable off campus; 2. IP restriction combined with a proxy server for off-campus use, which is technically demanding; 3. Virtual Private Network (VPN) connections, which require a separate login for each resource; 4. shared passwords, which leak easily and threaten the security of the resource; 5. separate user registration and passwords for each resource, which easily exposes user privacy and raises the risk of false identities.
To improve electronic resource access management, the Shibboleth access management system developed in the UK and the US has gradually been adopted by many developed countries. Shibboleth is a standards-based, open-source software package that provides a framework for web single sign-on (SSO) and attribute exchange within or across institutions. It lets websites use a single, institution-controlled identifier when individuals access protected online resources and make informed authorization decisions in a privacy-preserving manner, so that users can seamlessly reach internal and external resources. This reduces the present situation in which users of many resources across different domains are confined to one campus or must maintain multiple passwords, and it simplifies identity management and access permission for identity providers and service providers alike.
This study: 1. joined the Australian test-bed federation MAMS (Meta Access Management System), built an identity management system at the Institute of Earth Sciences, Academia Sinica, and invited the publisher Elsevier to act as resource provider, in order to test how the federation actually operates, understand its authentication and authorization mechanisms in a digital environment, and analyze its benefits; 2. examined the organization, technologies and policies of the federations in the UK, the US, Australia and Switzerland through their federation websites; 3. on the basis of these two, planned a federated access management system suited to Taiwan.
ABSTRACT
As of this writing, no academic institution or institution of higher learning in Taiwan has a demonstrable solution for managing access to the many diverse, usually proprietary electronic resources it provides to users. Such resources include the full texts of electronic journals and books, electronic databases, e-learning resources, and institutional databases the institutions build themselves, among many others. At present, five methods are used to control access to electronic resources in Taiwan. The first uses a typical IP address restriction. This method has its advantages; however, the restriction cannot meet users' growing need for off-campus access. Second, IP address restriction can be combined with a proxy server, an intermediate server through which off-campus users connect. This method is unfortunately technically challenging for users. Third is a virtual private network (VPN) method, which has yet to be fully evaluated. Fourth, a shared set of usernames and passwords may be distributed; this method is easily compromised and threatens the security of the resource host. Finally, users may register separately with each individual resource. Some users might not be willing to reveal their identities to the resource providers, and identity theft could occur this way.
To solve the electronic access problems mentioned above, Shibboleth was developed in the USA and the UK and has become an emerging solution for access management of electronic resources in a growing number of developed countries. The Shibboleth system is a standards-based, open-source software package for web single sign-on within or across organizational boundaries. It allows sites to make informed authorization decisions for individuals' access to protected online resources in a privacy-preserving manner.
To implement the Shibboleth system, this study joined a test-bed federation in Australia called MAMS (Meta Access Management System) and set up an identity provider (IdP) at Academia Sinica. At the same time a publisher, Elsevier, was invited to join MAMS as a resource provider. By joining the MAMS federation and deploying an IdP, the author tries to understand how a federated system is operated, how the authentication and authorization mechanism is used, and to what effect, as an evaluation of its efficiency and performance. The second main method of this study was to compare the organizational structures, technologies and policies adopted by four federations: InCommon (USA), the UK Federation, the Australian Federation, and SWITCHaai (Switzerland). The practical implementation and the comparison lead to a simulated federation system model for Taiwan, for future reference.
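As an added illustration (not part of the thesis or of any Shibboleth code), the following Python models the IdP/SP exchange the abstracts describe: one institutional login, a per-service pseudonymous identifier so the publisher never learns the campus username, and an authorization decision made only on a released affiliation attribute. The attribute names are assumed eduPerson names, the entity IDs and credentials are constructed, and an HMAC stands in for the SAML XML signature a real Shibboleth IdP would apply.

```python
import hashlib
import hmac
import json

# Constructed identity provider (IdP) state. The attribute names below are
# assumed eduPerson names; the thesis abstract does not list specific attributes.
IDP_SCOPE = "example.edu"
IDP_KEY = b"constructed-idp-signing-key"      # stand-in for the IdP's signing key
IDP_SALT = b"constructed-targeted-id-salt"
IDP_USERS = {
    "alice": {"password": "constructed-pw", "affiliation": "student"},
    "guest": {"password": "constructed-pw", "affiliation": "affiliate"},
}

def targeted_id(username: str, sp_entity_id: str) -> str:
    """Pseudonymous per-SP identifier: stable for one service provider, but
    different for every SP, so two publishers cannot link the same user."""
    material = IDP_SALT + username.encode() + b"|" + sp_entity_id.encode()
    return hashlib.sha256(material).hexdigest()[:32]

def idp_issue_assertion(username: str, password: str, sp_entity_id: str):
    """IdP side: authenticate the user once, then release only the
    attributes the SP needs, bound to that SP as the audience."""
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    payload = {
        "audience": sp_entity_id,
        "eduPersonTargetedID": targeted_id(username, sp_entity_id),
        "eduPersonScopedAffiliation": f"{user['affiliation']}@{IDP_SCOPE}",
    }
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def sp_authorize(assertion, sp_entity_id: str,
                 allowed=("member", "student", "staff", "faculty")) -> bool:
    """SP side: verify signature and audience, then decide on the scoped
    affiliation alone. The SP never sees a username or password."""
    if assertion is None:
        return False
    expected = hmac.new(IDP_KEY, assertion["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False            # tampered or forged assertion
    attrs = json.loads(assertion["body"])
    if attrs["audience"] != sp_entity_id:
        return False            # assertion issued for a different SP
    affiliation, _, scope = attrs["eduPersonScopedAffiliation"].partition("@")
    return scope == IDP_SCOPE and affiliation in allowed
```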