Journal of the Korea Institute of Information and Communication Engineering (한국정보통신학회논문지)

The Korea Institute of Information and Commucation Engineering (한국정보통신학회)
권호 표지
DOI QR코드

DOI QR Code

Development of SAML Software for JAVA Web Applications in Korea

국내 자바 웹 응용을 위한 SAML 소프트웨어의 개발

  • Received : 2019.07.04
  • Accepted : 2019.07.25
  • Published : 2019.09.30
Download PDF
⟨ Previous Next ⟩

Abstract

Federated authentication is a user authentication and authorization infrastructure that spans multiple security domains. Many overseas Web applications have been adopting SAML-based federated authentication. However, in Korea, it is difficult to apply the authentication because of the high market share of a specific Web (application) server, which is hard to use open-source SAML software and the high adoption of Java-based standard framework which is not easy to integrate with SAML library. This paper proposes the SAML4J, which is developed in order to have Web applications easily and safely integrated with the Java-based framework. SAML4J has a developer-friendly advantage of using a session storage independent of the framework and processing Web SSO flows through simple API. We evaluate the functionality, performance, and security of the SAML4J to demonstrate the high feasibility of it.

연합인증은 다수의 보안도메인 간에 적용되는 사용자 인증 및 인가체계이다. 연구 및 교육 분야에서 활용되고 있는 다수의 국외 웹 응용서비스들은 표준화된 사용자 인증방식으로 SAML(Security Assertion Markup Language) 기반의 연합인증을 채택하고 있다. 하지만 국내는 공개 SAML 소프트웨어를 이용하기 힘든 특정 웹 서버나 웹 응용 서버의 시장 점유율이 높고 전자정부 표준프레임워크 기반의 Java 웹 응용이 많기 때문에 연합인증 기술을 적용하기 어려운 상황이다. 본 논문은 Java 기반의 웹 응용개발 환경에서 연합인증 기술을 쉽고 안전하게 활용케 할 목적으로 개발된 SAML4J 소프트웨어를 소개한다. SAML4J는 개발 프레임워크에 독립적인 세션 저장소를 지원하고 API를 통해 Web SSO 플로우를 처리케 함으로써 개발자 친화적인 장점이 있다. 네트워킹 테스트베드를 구성하고 개발한 소프트웨어의 기능과 성능, 확장성 및 보안성에 대해서 검증함으로써 SAML4J의 높은 활용가능성을 확인한다.

Keywords

References

  1. I. M. Khalil, A. Khreishah, and M. Azeem, "Cloud Computing Security: A Survey," Computers, vol.3, no.1, pp.1-35, 2014. https://doi.org/10.3390/computers3010001
  2. OneLogin. OneLogin 2014 State of SaaS Identity Management [Internet]. Available: https://resources.onelogin.com/WP-OneLogin-2014-SaaS-Identity-Management.pdf?path=wp-content/images/OneLogin_2014_SaaS_Identity_Management.pdf.
  3. S. Droz, C. Hassenstein, G. Heim, T. Meier, D. Monnard, and H. C. Tschudin, "Concept for an Electronic Academic Community in Switzerland and the creation of a Common Authentication and Authorization Infrastructure (AAI) for the Swiss Higher Education System," Inter-University Working Group, Oct., 2001.
  4. Metadata Explorer Tool [Internet]. Available: https://met.refeds.org/.
  5. eduGAIN [Internet]. Available: https://www.edugain.org/.
  6. Korean Access Federation [Internet]. Available: https://www.kafe.or.kr/.
  7. A. Costa, M. Pietro, B. Marilena, B. Ugo, K. Mel, P. Costantino, R. Simone, S. Eva, and V. Fabio, "An Innovative Science Gateway for the Cherenkov Telescope Array," Journal of Grid Computing, vol.13, no.4, pp.547-559, 2015. https://doi.org/10.1007/s10723-015-9330-2
  8. M. Linden, M. Prochazka, I. Lappalainen, D. Ducik, P. Vyskocil, M. Kuba, S. Silen, P. Belmann, A. Sczrba, S. Newhouse, L. Matyska, and T. Nyronen, "Common ELIXIR Service for Researcher Authentication and Authorisation," F1000Research 7, pp.1-15. Aug., 2018. https://doi.org/10.12688/f1000research.13428.1
  9. H. Short, A. Manzi, V. D. Notaris, O. Keeble, A. Kiryanov, H. Mikkonen, P. Tedesco, and R. Wartel, "x509-free Access to WLCG Resources," Journal of Physics: Conference Series, vol.898, no.8, pp.1-7, Oct., 2017.
  10. M. Brinn, "GENI Architecture Foundation," The GENI Book, Springer, Cham, p.101-116, 2016.
  11. Shibboleth Consortium [Internet]. Available: https://shibboleth.net/.
  12. simpleSAMLphp, [Internet]. Available: https://www.simplesamlphp.org/.
  13. K. Kim and K. Lee, "Visualization of Geo-spatial Data and Public Data Using Mobile Operating Environment in the eGovernment Standard Framework," Journal of Korea Spatial Information Society, vol.23, no.1, pp.9-17, Feb., 2015.
  14. J. Park, Ranked 1st in the WAS Market in 2017, Electronic Times Internet [Internet]. Available: https://news.v.daum.net/v/20180802140303883.
  15. C. Linhart, A. Klein, R. Heled, and S. Orrin, HTTP REQUEST SMUGGLING. (2005) [Internet]. Available: http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf.
  16. Shibboleth Wiki [Internet]. Available: https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes.
  17. OneLogin's SAML Java Toolkit [Internet]. Available: https://github.com/onelogin/java-saml.
  18. Danish Agency for Digitisation, "OIOSAML Web SSO Profile 3.0 'Release Candidate'," 2019.
  19. Spring Security SAML Extension [Internet]. Available: https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/.
  20. Ministry of the Interior and Safety, "Technical Specification of SSO Authentication Gateway," June 2018.
  21. SAML Entity Category [Internet]. Available: https://refeds.org/specifications.
  22. PyFF - A SAML Metadata Appliance [Internet]. Available: http://pyff.io/.
  23. C. Lorentzen, M. Fiedler, H. Johnson, J. Shaikh, and J. Ivar, "On User Perception of Web Login - a Study on QoE in the Context of Security," in Proceedings of the Australasian Telecommunication Networks and Applications Conference, Auckland, New Zealand, pp.84-89, 2010.
  24. J. Somorovsky, A. Mayer, J. Schwenk, M. Kampmann, and M. Jensen, "On Breaking SAML: Be Whoever You Want to Be," in Proceedings of the 21st USENIX Security Symposium, Bellevue, USA, Aug., 2012.
  25. N. Engelbertz, N. Erinola, D. Herring, J. Somorovsky, V. Mladenov, and J. Schwenk, "Security Analysis of eIDAS - The Cross-Country Authentication Scheme in Europe," in Proceedings of the 12th USENIX Workshop on Offensive Technologies, Baltimore, USA, 2018.
  26. M. Christian, M. Vladislav, G. Tim, and J. Schwenk, "Automatic Recognition, Processing and Attacking of Single Sign-on Protocols with BURP Suite," Open Identity Summit, 2015.
  27. H. Phong, How to use Brup Suite to Verify SAML Signature Wrapping Attack [Internet]. Available: https://blog.ritvn.com/testing/2018/02/16/burp-suite-saml-signature-wrapping-attack.html.