Introduction to Single Sign-On (SSO)

Source: Internet
Author: User
Tags dnn
Reproduced from: http://blog.icxo.com/read.jsp? Aid = 30925.

-Supermgr


An organization only needs to authenticate a user once.
Authorized computers and systems do not need to ask for the user's password again.

Single Sign-On (SSO) reduces the probability of human and system errors.
This is very valuable, but it is hard to implement because of various practical difficulties.

Related Products:
HP Smart Security
It is mainly used in enterprise web systems and supports multiple types of identity authentication. The product installation fee is RMB1 and 684 RMB.

Passport authentication service provided by Microsoft
ASP.NET supports this service. For web development details, see
the classes whose names start with Passport in the System.Web.Security namespace.
If you want to use the Passport authentication service in your application, you need to download the .NET Passport SDK.
For more information, see .NET Passport single sign-in.

Centralized control portal system for enterprise applications
Meishangkmen Co., Ltd. mainly provides Web-based solutions for application resources.

Yale CAS server for Single Sign-On (SSO)
CAS (Central Authentication Service) is an open-source Java implementation of an SSO service developed by Yale University.


SSO implementation principle

1. Concept: SSO is a technique that lets users log on once and then use multiple SSO-enabled application systems.

(1) A single login point. Ideally a user can perform SSO through any application system, which is feasible for web-based systems. In the design of the whole system, this single login point is the only place where the user is authenticated. The login point passes an SSO token (for some C/S or B/S applications the user name and password may have to be passed instead) to the application system, and the application system uses the SSO token to authenticate the user. We call this single login point the SSO entry.

(2) SSO-enabled means that changes to the application system are unavoidable. Not every system can use SSO: only application systems that follow the SSO specification and call the SSO API gain the SSO function. Simply put, the existing application system must be modified to bypass its own user authentication module, use the SSO API provided by the system to verify the user, and then authorize the user's operations.

(3) A unified authentication and permission information store is required. Usually the authentication and authorization management module is implemented in an application-specific way: the system's authorization model and authentication logic are tightly coupled with the storage structure of the authorization information, the access control logic and the application's business logic. The drawbacks of this design are obvious: because authentication and authorization are tightly coupled with the application logic, these modules are hard to extend and maintain; designing and coding them requires a great deal of work, and they are hard to share and reuse between different application systems. This is also one of the reasons why more and more enterprise applications require SSO.

SSO requires unified authentication, with the permission information stored in a single database. In reality, however, some systems cannot use an external authentication and authorization information store. In that case authentication must be performed between the application system and the portal server, and the authorization data must be synchronized at the same time.
For details, see: Implementation of SSO in Nanjing Local Tax

In general, single sign-on has two modes:

The first is the DNN mode: the interfaces of the various subsystems are integrated into a container manager similar to DNN, so that after one login the user logon service is available in the other systems as well. In fact, this is a single web application.

The second is similar to Microsoft's Passport: after one login, you can switch between MSN, Hotmail or Spaces without logging in again. This mode is not a single web application; the login is controlled across multiple applications.
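The SSO entry, SSO token and SSO API described in points (1) and (2) above, and the Passport-style mode in which one login is accepted by several separate applications, can be illustrated with a small token scheme. The following Python code is an added example, not code from the original article or from any of the products it names: the SSO entry issues an HMAC-signed token that records the user, the applications it was issued for, the user's roles from the unified permission store, and an expiry; each SSO-enabled application replaces its own password check with a call to `verify_sso_token`, which rejects forged, expired or wrong-audience tokens. The secret, the application names and the user data are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed shared secret between the SSO entry and the SSO-enabled applications (assumption;
# a real deployment would use per-application keys or public-key signatures).
SSO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_sso_token(user: str, apps: List[str], roles: List[str], ttl: int,
                    now: Optional[int] = None) -> str:
    """SSO entry: the caller has already authenticated the user once; issue a token that
    names the applications (audience) allowed to accept it and carries the user's roles
    from the unified authentication and permission store."""
    now = int(time.time()) if now is None else now
    payload = {"sub": user, "aud": sorted(apps), "roles": sorted(roles),
               "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_sso_token(token: str, app: str, now: Optional[int] = None) -> Optional[dict]:
    """SSO API called by an application instead of its own password check.
    Returns the payload when the token is genuine, unexpired and issued for this
    application; returns None otherwise, and the application must then send the
    user to the SSO entry."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        given_sig = _unb64(sig)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected):
        return None  # signature mismatch: token was altered or not issued by the SSO entry
    try:
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    if payload.get("exp", 0) <= now:
        return None  # expired: user must log in again at the SSO entry
    if app not in payload.get("aud", []):
        return None  # token was not issued for this application
    return payload


def demo(now: int = 1_700_000_000) -> dict:
    """One login, several applications: shows which checks accept and which reject.
    The user, applications and roles are constructed sample data."""
    token = issue_sso_token("alice", ["crm", "mail"], ["staff"], ttl=600, now=now)

    # An altered copy: same signature, but the subject changed to another user.
    body, sig = token.split(".", 1)
    altered = json.loads(_unb64(body))
    altered["sub"] = "someone-else"
    altered_token = _b64(json.dumps(altered, separators=(",", ":"), sort_keys=True).encode()) + "." + sig

    crm = verify_sso_token(token, "crm", now=now)
    return {
        "crm": crm is not None,                                   # accepted
        "mail": verify_sso_token(token, "mail", now=now) is not None,  # same login, second app
        "hr": verify_sso_token(token, "hr", now=now) is not None,      # not in audience
        "expired": verify_sso_token(token, "crm", now=now + 601) is not None,
        "altered": verify_sso_token(altered_token, "crm", now=now) is not None,
        "garbage": verify_sso_token("not-a-token", "crm", now=now) is not None,
        "staff_role": crm is not None and "staff" in crm["roles"],     # authorization input
    }


if __name__ == "__main__":
    print(demo())
```

The audience list is what turns "one login" into a controlled grant rather than a blanket one: an application that is not SSO-enabled, or that was never listed, cannot accept the token even though the signature is valid, and the roles carried in the payload are the data the application uses to authorize the user's operations after authentication has been delegated to the SSO entry.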
