What is SSO?
If you already know, please skip this section!
The core meaning of SSO fits in one sentence: log in once, logged in everywhere; log out in one place, logged out everywhere. That is, across multiple applications that trust each other, a user only has to log in once to gain access to all of them.
Many people tend to confuse SSO with OAuth. Here's a quick explanation:
OAuth can also be summed up in one sentence: for a variety of reasons (laziness included), borrow someone else's login system instead of building your own.
Officially, it is an authorization protocol that lets a website's users grant third-party applications access to their resources on that site ... (many more words omitted here); you can look up the rest on Baidu yourself. The short version of the difference: OAuth is about delegated authorization (letting an app act on your data), while SSO is about authentication (one login shared by several applications). An SSO system can be built on top of OAuth, but the two are not the same thing.
SSO implementation
There are many ways to implement SSO, but they all share the same broad structure:
That is, all login verification and all storage of login state are handled by the SSO authorization centre (www.sso.com in the figure); the other sites talk to it either through a browser redirect (Response.Redirect) or through a server-side HTTP POST. Whichever transport is used, the client sites must be able to verify that what comes back really came from the SSO centre and was meant for them. Below are a few of the better-known implementations I found on Baidu; I will go through their advantages and disadvantages and then propose my own final solution.
Implementation method one: cookie + Response.Redirect
Emotionally speaking, this is my favourite approach; if it weren't for the few fatal shortcomings I describe below, I think it is the only one I would ever use. The best article on this for ASP.NET, on CodeProject (September 2010), "Single Sign On (SSO) for cross-domain ASP.NET applications", explains the approach perfectly and ships a running sample. Interested readers should read the original; it is very interesting. Here I only cover its core ideas.
First, the login flow:
Next, if I want to access some list page, the process is this:
The process looks complex, but the actual code is very simple. domain1.com, domain2.com and the other sites do no cookie or session handling of their own; they redirect every authentication-related operation to sso.com and then wait for sso.com to redirect back with the result. For the concrete code, see the same author's second article: "Single Sign On (SSO) for Cross-Domain ASP.NET Applications - Part II: The Implementation".
The principle and the code are both simple, but the drawbacks are obvious:
- Ajax login verification is not supported: an XMLHttpRequest cannot meaningfully follow a redirect to a login page on another domain, and handling that redirect in the background is quite complex. This is the fatal disadvantage of this approach.
- It only achieves single sign-on within one browser, because the client sites keep no state of their own and can only rely on sso.com's cookie. This drawback can be worked around by carrying a parameter in the URL, or by using a server-side cache instead of cookies.
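To make the redirect flow concrete, here is an added example (not the CodeProject article's code) that models both sides of approach one in Python, since the mechanism does not depend on ASP.NET: the client site holds no login state and bounces every authentication decision to the SSO centre, which answers with a signed, short-lived, audience-bound, single-use ticket. It also shows the two checks a practitioner would want on top of the basic flow: the returnUrl is validated against an allow-list (otherwise the SSO centre becomes an open redirector), and an Ajax request gets a 401 with the check URL instead of a 302. The host names, the shared key, the `/check` endpoint and the ticket format are all assumptions made for this example.

```python
"""Model of approach one: client sites keep no login state and redirect
every authentication decision to the SSO centre (www.sso.com), which
answers with a signed, short-lived, single-use ticket.
Host names, endpoint, key and ticket format are assumptions for this example."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SSO_HOST = "www.sso.com"                          # assumed authorization centre
SHARED_KEY = b"example-shared-key"                # assumed; provisioned out of band
TRUSTED_SITES = {"domain1.com", "domain2.com"}    # returnUrl allow-list
TICKET_TTL = 60                                   # seconds a ticket stays valid


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class SsoCenter:
    """www.sso.com: the only place that knows who is logged in."""

    def __init__(self):
        self.sessions = {}  # sso.com cookie value -> username

    def login(self, username):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def logout(self, cookie):
        self.sessions.pop(cookie, None)

    def handle_check(self, query, cookie, now=None):
        """Browser arrives at /check?returnUrl=... after a client-site redirect."""
        return_url = parse_qs(query).get("returnUrl", [""])[0]
        host = urlparse(return_url).hostname
        if host not in TRUSTED_SITES:
            return ("400", "untrusted returnUrl")   # blocks open redirect
        username = self.sessions.get(cookie)
        if username is None:                       # no sso.com cookie: show login
            return ("302", f"https://{SSO_HOST}/login?" + urlencode({"returnUrl": return_url}))
        payload = json.dumps({"sub": username, "aud": host,
                              "exp": (now or time.time()) + TICKET_TTL,
                              "nonce": secrets.token_hex(8)}).encode()
        sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
        ticket = b64(payload) + "." + b64(sig)
        sep = "&" if "?" in return_url else "?"
        return ("302", return_url + sep + urlencode({"ticket": ticket}))


class ClientSite:
    """domain1.com: verifies tickets and keeps no session store of its own."""

    def __init__(self, host):
        self.host = host
        self.seen_nonces = set()   # single-use enforcement (a cache with TTL in practice)

    def request(self, path, ajax=False, now=None):
        """Protected page hit: without a ticket, redirect (or 401 for Ajax)."""
        query = parse_qs(urlparse(path).query)
        if "ticket" not in query:
            check = f"https://{SSO_HOST}/check?" + urlencode(
                {"returnUrl": f"https://{self.host}{path}"})
            return ("401", check) if ajax else ("302", check)
        return self.verify_ticket(query["ticket"][0], now)

    def verify_ticket(self, ticket, now=None):
        try:
            p, s = ticket.split(".")
            payload, sig = unb64(p), unb64(s)
        except (ValueError, TypeError):
            return ("403", "malformed ticket")
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return ("403", "bad signature")
        claims = json.loads(payload)
        if claims["aud"] != self.host:
            return ("403", "ticket issued for another site")
        if claims["exp"] < (now or time.time()):
            return ("403", "ticket expired")
        if claims["nonce"] in self.seen_nonces:
            return ("403", "ticket replayed")
        self.seen_nonces.add(claims["nonce"])
        return ("200", claims["sub"])


if __name__ == "__main__":
    sso, site = SsoCenter(), ClientSite("domain1.com")
    _, check_url = site.request("/list")              # 302 to sso.com/check
    cookie = sso.login("alice")                       # user already logged in at sso.com
    _, back = sso.handle_check(urlparse(check_url).query, cookie)
    print(site.request(back[len("https://domain1.com"):]))   # ('200', 'alice')
```

Note that the ticket is bound to the requesting host (`aud`), so a ticket captured on one site cannot be presented to another, and the nonce set makes it single-use; in production the nonce set needs a TTL-bounded store, and the shared key should be per client site rather than global.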
Implementation method two: HttpClient background submission
The typical implementation of this approach is SmartSSO, written earlier by a member of the cnblogs community: http://www.cnblogs.com/smartbooks/p/3800849.html
As above, the core of his implementation can also be reduced to two diagrams.
Login:
Accessing some list page:
This implementation moves the interaction with sso.com entirely into the back end of domain1.com/domain2.com, via an HttpClient POST. To the front-end user, sso.com is completely invisible.
From the flowcharts you might think this is easier to implement than the first approach, but the opposite is true: you have to store state not only on sso.com, but also perform state checks and redirects on domain1.com and every other client site.
SmartSSO only provides something like a third-party login feature; it does not give the client site a login interface of its own.
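The following added example (not SmartSSO's code) models approach two in Python: the browser never sees sso.com, and every exchange is a server-to-server POST from the client site. Two things follow from that which the flowcharts hide: sso.com must authenticate which client site is calling (here an HMAC over the body and a timestamp with a per-site secret, so requests cannot be forged or replayed later), and each client site has to keep its own local session state and drop it when sso.com says the session is gone, which is what makes "log out in one place, logged out everywhere" work. The per-site keys, the `op` names and the sample credential are assumptions; how domain2.com obtains the session id in the first place is outside this example.

```python
"""Model of approach two: client sites talk to the SSO centre only through
authenticated server-side POSTs, and each site keeps local session state that
it discards as soon as the SSO centre reports the session as gone.
Per-site keys, request format and sample credentials are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

# assumed per-site secrets, provisioned out of band (never the same key for every site)
CLIENT_KEYS = {"domain1.com": b"key-for-domain1", "domain2.com": b"key-for-domain2"}
CLOCK_SKEW = 30   # seconds a signed request stays acceptable


def sign(key, body, ts):
    """HMAC over timestamp and body: authenticates the calling site and bounds replay."""
    return hmac.new(key, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()


class SsoCenter:
    def __init__(self):
        self.users = {"alice": "correct horse"}   # constructed sample credential store
        self.sessions = {}                        # sid -> {"user": ..., "sites": set()}

    def post(self, site, body, ts, sig, now=None):
        """Every server-to-server call is checked against the caller's key first."""
        key = CLIENT_KEYS.get(site)
        now = now or time.time()
        if key is None or abs(now - ts) > CLOCK_SKEW:
            return {"ok": False, "error": "unknown site or stale request"}
        if not hmac.compare_digest(sig, sign(key, body, ts)):
            return {"ok": False, "error": "bad signature"}
        req = json.loads(body)
        if req["op"] == "login":
            if self.users.get(req["user"]) != req["password"]:
                return {"ok": False, "error": "bad credentials"}
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {"user": req["user"], "sites": {site}}
            return {"ok": True, "sid": sid}
        if req["op"] == "validate":
            s = self.sessions.get(req["sid"])
            if s is None:
                return {"ok": False, "error": "no such session"}
            s["sites"].add(site)           # remember every site relying on this session
            return {"ok": True, "user": s["user"]}
        if req["op"] == "logout":
            s = self.sessions.pop(req["sid"], None)
            return {"ok": True, "sites": sorted(s["sites"]) if s else []}
        return {"ok": False, "error": "unknown op"}


class ClientSite:
    def __init__(self, host, sso):
        self.host, self.sso = host, sso
        self.local = {}   # local cookie -> sso sid: the per-site state approach two needs

    def _call(self, payload, now=None):
        ts = now or time.time()
        body = json.dumps(payload)
        return self.sso.post(self.host, body, ts, sign(CLIENT_KEYS[self.host], body, ts), now)

    def login(self, user, password):
        r = self._call({"op": "login", "user": user, "password": password})
        if not r["ok"]:
            return None
        cookie = secrets.token_urlsafe(16)
        self.local[cookie] = r["sid"]
        return cookie

    def attach(self, sid):
        """A site that did not perform the login adopts an existing SSO session."""
        if not self._call({"op": "validate", "sid": sid})["ok"]:
            return None
        cookie = secrets.token_urlsafe(16)
        self.local[cookie] = sid
        return cookie

    def access(self, cookie):
        """Per-request check: ask sso.com, and drop local state if it says no."""
        sid = self.local.get(cookie)
        if sid is None:
            return None
        r = self._call({"op": "validate", "sid": sid})
        if not r["ok"]:
            self.local.pop(cookie, None)
            return None
        return r["user"]

    def logout(self, cookie):
        """Returns the sites that were relying on the session just ended."""
        sid = self.local.pop(cookie, None)
        return self._call({"op": "logout", "sid": sid})["sites"] if sid else []
```

Validating on every request gives immediate global logout at the cost of one back-end call per page view; a real deployment would cache the validate result for a short TTL and accept that a logout takes up to that long to propagate to the other sites.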
How OpenAuth.Net does it
OpenAuth.Net (project overview and address: http://www.cnblogs.com/yubaolee/p/OpenAuth.html) version 1.2 combines the advantages of both approaches to achieve a more elegant and practical SSO.
Characteristics:
- For ordinary page navigation, a redirect is used for fast verification;
- For Ajax requests, a background POST is used;
- If a client site does not want to implement login itself, it can hand login, authorization and the related logic entirely to the SSO centre, which supplies the login page;
- Genuinely log in once, logged in everywhere; log out in one place, logged out everywhere.
Project address: https://git.oschina.net/yubaolee/OpenAuth.Net
Quick experience address: http://115.28.10.123:1312