
Graduate student: 陳麗美
Chen, Li-Mei
Thesis title (Chinese): 電子資源的聯盟存取管理系統:Shibboleth在臺灣學術及高等教育界的應用探討
Thesis title (English): Federated Access Management for Electronic Resources: A Study of the Application of the Shibboleth System in Research and Higher Education in Taiwan
Advisor: 張迺貞
Chang, Nai-Cheng
Degree: 碩士
Master
Department: 圖書資訊學研究所
Graduate Institute of Library and Information Studies
Year of publication: 2010
Graduation academic year: 98 (ROC calendar, i.e. 2009-2010)
Language: Chinese
Pages: 102
Chinese keywords: 存取管理 (access management); 認證與授權 (authentication and authorization)
English keywords: Shibboleth, Access Management, Authentication and Authorization
Thesis type: Academic thesis
    Abstract (translated from the Chinese)
    Universities and academic institutions in Taiwan do not yet appear to have a good strategy for making their protected online resources, whether purchased or built in-house (full-text electronic journals, electronic databases, e-books, digital teaching materials, research datasets and so on), both convenient to access and easy to manage. The approaches currently in use are: (1) access only from within the campus IP range, so a resource becomes unusable as soon as the user leaves campus; (2) IP restriction combined with a proxy server for off-campus use, which demands technical skill of the user; (3) virtual private network (VPN) connections, which require a separate login for each resource; (4) shared passwords, which leak easily and so threaten the security of the resource; and (5) separate registration of a password with each resource, which exposes user privacy and raises the risk of false identities.
    To address these access management problems, the Shibboleth access management system developed in the United Kingdom and the United States has gradually been adopted in many developed countries. Shibboleth is a standards-based, open-source software package that provides a framework for web single sign-on (SSO) and attribute exchange within and across organizations. It lets a web site rely on a single, institution-controlled identification method when an individual accesses protected online resources, and make informed authorization decisions in a privacy-preserving manner, so that users reach internal and external resources seamlessly. This removes the present constraint of being confined to one campus, or of maintaining many passwords when using resources across different domains, and it simplifies identity management and access permission for identity providers and service providers alike.

    This study: (1) joined the Australian test-bed federation MAMS (Meta Access Management System), deployed an identity management system at the Institute of Earth Sciences, Academia Sinica, and invited the publisher Elsevier to take part as a resource provider, in order to test how a federation operates in practice, understand its authentication and authorization mechanisms in a digital environment, and analyze the resulting benefits; (2) examined the organization, technology and policy of the federations of the United Kingdom, the United States, Australia and Switzerland through their federation web sites; and (3) on the basis of the first two, planned a federated access management system suitable for Taiwan.

    ABSTRACT (English)
    As of this writing, no academic or higher-education institution in Taiwan has a demonstrated solution for access management of the many diverse and usually proprietary electronic resources it provides to users. Such resources include full-text electronic journals and books, electronic databases, e-learning resources and institutionally built databases, among many others. At present, five methods are used to access electronic resources in Taiwan. The first is a straightforward IP-address restriction. It has its advantages, but it cannot meet the growing need for off-campus access. The second is IP-address restriction combined with a proxy server, so that off-campus users reach the resource through an intermediate server; this is technically challenging for users. The third is a virtual private network (VPN), which has yet to be fully evaluated. The fourth is a set of shared usernames and passwords; this is easily compromised and threatens the security of the resource host. Finally, users may register individually with each resource; some users are unwilling to reveal their identities to resource providers, and identity theft becomes possible.
    To solve the access problems above, Shibboleth, developed in the U.S.A. and the U.K., has become an emerging solution for access management of electronic resources in a growing number of developed countries. Shibboleth is a standards-based, open-source software package for web single sign-on within or across organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.
    To put Shibboleth into practice, this study joined a test-bed federation in Australia, MAMS (Meta Access Management System), and set up an identity provider at Academia Sinica. At the same time the publisher Elsevier was invited to join MAMS as a resource provider. By joining the MAMS federation and deploying an IdP, the author set out to understand how a federated system operates, how its authentication and authorization mechanism works and to what effect, as an evaluation of its efficiency and performance. The second method of the study was to compare the organizational structures, technologies and policies adopted by four federations: InCommon (USA), the UK Federation, the Australian federation and SWITCHaai (Switzerland). The practical implementation and the comparison lead to a simulated federation model for Taiwan, for future reference.
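    The abstract describes the Shibboleth exchange only in outline: the home institution's identity provider (IdP) authenticates the user, releases a minimal set of attributes, and the publisher's service provider (SP) makes its access decision from those attributes without learning who the user is. The following is an added example written for this record, not code from the thesis and not Shibboleth's own implementation. It models that exchange in Python with every name constructed for illustration: the entity IDs, the scope example.edu, the two-user directory and the release policy are assumptions, and an HMAC key in the federation metadata stands in for the X.509 certificate and XML signature that a real federation distributes. It shows the SP-side checks a practitioner must not skip (issuer known to the federation, signature, audience, expiry, replay, and that the IdP may only assert affiliations in its own registered scope) and why eduPersonTargetedID lets two SPs serve the same user without being able to link their records.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed federation: one IdP (a university) and two SPs (publisher
# platforms). Every entity ID and the scope are made up for this example.
IDP_ENTITY_ID = "https://idp.example.edu/shibboleth"
IDP_SCOPE = "example.edu"
SP_ENTITY_ID = "https://sp.publisher-a.example/shibboleth"
OTHER_SP_ENTITY_ID = "https://sp.publisher-b.example/shibboleth"

# Federation metadata as an SP loads it: which IdPs exist, how to verify them,
# and which scopes each may assert. Real metadata carries X.509 certificates
# and <shibmd:Scope>; an HMAC key stands in for the certificate here.
FEDERATION_METADATA = {
    IDP_ENTITY_ID: {"key": secrets.token_bytes(32), "scopes": {IDP_SCOPE}},
}

# Constructed campus directory. Only the IdP reads it; SPs never see it.
DIRECTORY = {
    "lmchen": {"affiliation": ["member", "student"], "mail": "lmchen@example.edu"},
    "visitor": {"affiliation": ["affiliate"], "mail": "visitor@example.edu"},
}

# Attribute release policy: each SP gets only what it needs. Neither SP is
# given mail or the login name; publisher-b gets no affiliation at all.
RELEASE_POLICY = {
    SP_ENTITY_ID: {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    OTHER_SP_ENTITY_ID: {"eduPersonTargetedID"},
}

TARGETED_ID_SALT = secrets.token_bytes(16)  # IdP secret, never released


def sign_body(key, body):
    """Sign the canonical JSON of an assertion body (stands in for XML-DSig)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def targeted_id(principal, sp_entity_id):
    """Persistent per-SP pseudonym (eduPersonTargetedID): stable for one SP
    across sessions, different at every other SP, and not reversible to the
    login name without the IdP's salt."""
    msg = f"{principal}!{sp_entity_id}".encode()
    return hmac.new(TARGETED_ID_SALT, msg, hashlib.sha256).hexdigest()[:32]


def idp_issue_assertion(principal, sp_entity_id, now=None):
    """IdP side: after a local login, build and sign an assertion for one SP."""
    now = time.time() if now is None else now
    user = DIRECTORY[principal]
    released = RELEASE_POLICY.get(sp_entity_id, set())
    attrs = {}
    if "eduPersonScopedAffiliation" in released:
        attrs["eduPersonScopedAffiliation"] = [f"{a}@{IDP_SCOPE}" for a in user["affiliation"]]
    if "eduPersonTargetedID" in released:
        attrs["eduPersonTargetedID"] = targeted_id(principal, sp_entity_id)
    body = {
        "id": "_" + secrets.token_hex(16),  # unique per assertion, for replay detection
        "issuer": IDP_ENTITY_ID,
        "audience": sp_entity_id,           # AudienceRestriction: valid at this SP only
        "not_on_or_after": now + 300,       # five-minute validity window
        "attributes": attrs,
    }
    return {"body": body, "signature": sign_body(FEDERATION_METADATA[IDP_ENTITY_ID]["key"], body)}


class ServiceProvider:
    def __init__(self, entity_id, required_affiliation):
        self.entity_id = entity_id
        self.required_affiliation = required_affiliation
        self.seen_ids = set()

    def validate(self, assertion, now=None):
        """SP-side checks before any attribute is trusted.
        Returns (True, attributes) or (False, reason)."""
        now = time.time() if now is None else now
        body = assertion["body"]
        idp = FEDERATION_METADATA.get(body.get("issuer"))
        if idp is None:
            return False, "issuer not in federation metadata"
        if not hmac.compare_digest(sign_body(idp["key"], body), assertion["signature"]):
            return False, "bad signature"
        if body["audience"] != self.entity_id:
            return False, "assertion addressed to another SP"
        if now >= body["not_on_or_after"]:
            return False, "assertion expired"
        if body["id"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(body["id"])
        # Scope check: without it any member IdP could assert member@<other university>.
        for value in body["attributes"].get("eduPersonScopedAffiliation", []):
            scope = value.rsplit("@", 1)[-1]
            if scope not in idp["scopes"]:
                return False, f"IdP may not assert scope {scope}"
        return True, body["attributes"]

    def authorize(self, assertion, now=None):
        """Access decision from the scoped affiliation alone; no name is needed."""
        ok, result = self.validate(assertion, now)
        return ok and self.required_affiliation in result.get("eduPersonScopedAffiliation", [])
```

    The SP never sees the directory, the password or the mail attribute, which is the point the abstract makes about privacy; the shared-password and per-resource-registration methods it criticizes both hand the publisher exactly that data. The `now` parameter exists only so the expiry and replay paths can be exercised deterministically; in production the clock is the wall clock and the replay cache needs an eviction policy tied to the validity window.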

    Table of Contents
    Chapter 1  Introduction  1
        1.1  Research motivation and purpose  1
        1.2  Research questions  3
        1.3  Scope and limitations  4
        1.4  Expected contributions  5
        1.5  Definition of terms  6
    Chapter 2  Literature review  9
        2.1  Requirements analysis for electronic resource access management systems  9
        2.2  Development of Shibboleth  22
        2.3  Technical view of Shibboleth  32
    Chapter 3  Research method  35
        3.1  Research method and design  35
        3.2  Research procedure  42
    Chapter 4  Results and discussion  44
        4.1  Demonstration of the Shibboleth implementation  44
        4.2  Analysis of Shibboleth's advantages  66
        4.3  Authentication and authorization mechanisms of the federations  66
        4.4  Comparison of federations  70
    Chapter 5  Conclusions and recommendations  87
        5.1  Conclusions  87
        5.2  Recommendations  89
    References  97

    References
    Chinese-language sources
    Academia Sinica [中央研究院] (2010). Academia Sinica Library Services: Electronic Journals. Retrieved Dec. 23, 2009, from http://www.sinica.edu.tw/ /ejournal/ej1.htm
    Academia Sinica [中央研究院] (2010). Academia Sinica Library Services: Online Databases. Retrieved Dec. 23, 2009, from http://www.sinica.edu.tw/database/database1.html
    王梅玲 (2000). The challenges of electronic resources to information organization work in libraries. Shu Yuan [書苑], 45, 54-67.
    National Chiao Tung University Library [交大圖書館] (2010). NCTU Library announcement: using library resources off campus is super EZ with EZProxy. Retrieved Jan. 10, 2010, from http://blog.lib.nctu.edu.tw/index.php?op=ViewArticle&articleId=10992&blogId=14
    李相臣 et al. (2008). How to face the information security threats [如何避免資安危機]. Taipei: Science & Technology Policy Research and Information Center, 143 pp.
    林明宏 (2001). The information center of the 21st century: the digital library. Shu Yuan [書苑], 47, p. 40.
    林彥明 (2005). Using LDAP to integrate Apache web authentication. Retrieved Jan. 8, 2010, from http://linux.vbird.org/somepaper/20060111-ldap_and_apach_auth.pdf
    陳昭珍 (2000). Development trends of the electronic library in the 21st century. National Central Library Bulletin [國家圖書館館刊], p. 89.
    National Central Library, Library Guidance Division [國家圖書館輔導組] (2009). College and university libraries. In Library Yearbook of the Republic of China 2009 [中華民國九十八年圖書館年鑑], p. 134. Taipei: National Central Library.
    Taiwan e-Learning and Digital Archives Program [數位典藏與數位學習國家型科技計畫] (2009). Program overview. Retrieved Dec. 23, 2009, from http://teldap.tw/Introduction/introduction.php

    Western-language sources
    Athens (2010). Access & identity management. Retrieved Jan. 25, 2010, from http://www.athens.ac.uk/
    Australian Access Federation (2009). Australian Access Federation Inc. Constitution. Retrieved Jan. 10, 2010, from http://www.aaf.edu.au/wp-content/uploads/2009/11/AAF-Incorporated-Constitution-19-June-09.pdf
    Australian Government (1988). Australian Privacy Act 1988. Retrieved Jan. 2, 2010, from http://www.efa.org.au/Issues/Privacy/privacy.htm
    Australian Access Federation (2010). Australian Access Federation: providing trusted access to services, resources and people. Retrieved Jan. 12, 2010, from http://www.aaf.edu.au
    Carmody, S. (2001). Shibboleth overview and requirements. Retrieved Jan. 9, 2010, from http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html
    Chang, N. (2009). Federated access management for electronic resources: the Taiwan experience. In Proceedings of the 7th International CALIBER-2009, Pondicherry University, Puducherry, India, February 25-27, 2009, pp. 409-413.
    DAASI (2009). Authentication and authorization with Shibboleth. Retrieved Jan. 16, 2010, from http://www.daasi.de/info/shibboleth-e.html
    Davies, C., & Shreeve, M. (2007). Federated access management: international aspects. Curtis+Cartwright Consulting Ltd., pp. 1-96.
    de Vries, A. (2009, Nov. 27). E-mail communication with Ale de Vries, Senior Product Manager, Platform & Content, Elsevier.
    EPrints (2008). Open access and institutional repositories with EPrints. Retrieved Jan. 16, 2010, from http://www.eprints.org/
    FEIDE (2010). LDAP used in Feide. Retrieved Jan. 1, 2010, from http://docs.feide.no/guide-0002-1.0-en.html#txt-0055-schema
    Garibyan, M. (2007). Building a national federated access management infrastructure (the U.K. experience). ITE 2007 Conference, Yerevan, May 21-23, 2007.
    Gourley, D. (2003). Library portal roles in a Shibboleth federation. Washington Research Library Consortium, 8 pp. Retrieved Jan. 9, 2010, from http://shibboleth.internet2.edu/docs/gourley-shibboleth-library-portals-200310.html
    InCommon (2008). Foundations for federation: UCTrust builds its system-wide federation on top of InCommon. Retrieved June 25, 2008, from http://www.incommonfederation.org/docs/eg/InC_CaseStudy_UCTrust_2007.pdf
    InCommon (2008). InCommon makes sharing protected online resources easier. Retrieved Jan. 8, 2010, from http://www.incommonfederation.org/
    InCommon (2008). Federation: participant operational practices. Retrieved Jan. 23, 2010, from http://www.incommonfederation.org/docs/policies/incommonpop_20080208.html
    InCommon (2009). InCommon now serves 4 million on U.S. campuses. Retrieved Jan. 8, 2010, from https://spaces.internet2.edu
    Internet2 (2008). Shibboleth: a project of the Internet2 middleware initiative. Retrieved July 5, 2008, from http://shibboleth.internet2.edu/
    Internet2 (2010). InCommon. Retrieved Dec. 26, 2009, from http://www.incommon.org
    JANET (2010). The UK Access Management Federation for education and research. Retrieved Dec. 26, 2009, from http://www.ukfederation.org.uk/
    JISC (2008). Sherpa. Retrieved June 21, 2008, from http://www.sherpa.ac.uk/
    JISC (2005). ShibboLEAP. Retrieved June 20, 2008, from http://www.angel.ac.uk/ShibboLEAP/
    JISC (2006). Shibboleth: connecting people & resources briefing (version 2). Retrieved June 23, 2008, from http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx
    JISC (2008). Connecting people to resources: federated access management: JISC guide for institutions (version 3). Retrieved Jan. 16, 2010, from http://www.jisc.ac.uk/media/documents/publications/bpfaminstitutionsv3.pdf
    JISC (2008). U.K. federated access management. Retrieved Jan. 16, 2010, from http://www.jisc.ac.uk/federation
    Klingenstein, N. (2008). Shibboleth 2.0: finally. TERENA Networking Conference (TNC 2008), Bruges, Belgium, May 20, 2008. Retrieved June 15, 2008, from http://tnc2008.terena.org/core/getfile.php?file_id=401
    LSE (2007). Shibboleth at LSE. Retrieved June 24, 2008, from http://www.angel.ac.uk/ShibbolethAtLSE/index.html
    Lynch, C. (1998). A white paper on authentication and access management issues in cross-organizational use of networked information resources. Coalition for Networked Information. Retrieved June 20, 2008, from http://www.cni.org/projects/authentication/authentication-wp.html
    MACE-Dir working group (2005). The enterprise directory implementation roadmap, 33 pp. Retrieved Jan. 16, 2010, from http://www.nmi-edit.org/roadmap/dir-roadmap_200510/index-set.html
    McLean, N. (2000). Matching people and information resources: authentication, authorization and access management and experiences at Macquarie University, Sydney. Program, 34, 239-225.
    Macquarie University, Sydney (2008). MAMS: Meta Access Management System: testbed federation. Retrieved June 29, 2008, from http://www.federation.org.au/FedManager/jsp/index.jsp
    Novakov, I. (2008). Using LDAP with Shibboleth identity provider 2.x. CESNET technical report 12/2008. Retrieved Jan. 8, 2010, from http://www.cesnet.cz/doc/techzpravy/2008/ldap-with-shibboleth-idp-2/ldap-with-shibboleth-idp-2.pdf
    NSF Middleware Initiative (2006). The enterprise authentication implementation roadmap, 34 pp. Retrieved Jan. 17, 2010, from http://www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
    Smedinghoff, T. J. (2009). Federated identity management: balancing privacy rights, liability, risks, and the duty to authenticate. Retrieved Jan. 2, 2010, from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1471599
    SWITCH (2008). AAI service agreement. Retrieved Jan. 2, 2010, from https://www.switch.ch/aai/docs/AAI_Service_Agreement.pdf
    SWITCH (2004). AAI - authentication and authorization infrastructure: exhibit 3, AAI policy. Retrieved Jan. 12, 2010, from http://www.switch.ch/aai/
    SWITCH (2007). AAI attribute specification. Retrieved Jan. 2, 2010, from https://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf
    SWITCH (2009). SWITCH: serving Swiss universities. Retrieved Dec. 20, 2009, from http://www.switch.ch/aai/index.html
    SWITCH (2004). SWITCHaai federation and related organizations. Retrieved Jan. 26, 2010, from https://www.switch.ch/aai/docs/AAI_Org_Processes.pdf
    TERENA (2009). Federations. Retrieved Dec. 24, 2009, from https://refeds.terena.org/index.php/Federations
    UK Access Management Federation (2007). Rules of membership. Retrieved Jan. 2, 2010, from http://www.ukfederation.org.uk/library/uploads/Documents/rules-of-membership.pdf
    UK Access Management Federation (2008). Recommendations for use of personal data. Retrieved Jan. 15, 2010, from http://www.ukfederation.org.uk/library/uploads/Documents/recommendations-for-use-of-personal-data.pdf
    van Halm, J. (1999). The digital library as access management facilitator. Information Services & Use, 19, 299-303.
