Home > Others

Pattern in SSO

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

There are too many parallel and Symmetric Branch options in the SSO scheme, just like the garden where the boghes side branches. After writing a compact SSO, follow the saml2.0 and openid specifications to record these forks:

  1. Is the process initiated from the identity Provider or consumer?

    The identity Provider, that is, the SSO server, also known as ID provider (IDP. The identity consumer, SSO client, is called SP in SAML.
    In the process of initiating the identity Provider, the user logs on to the SSO server. The SSO server displays a portal/menu with several URLs for each SSO client, ID information is added to each URL.
    In the process of initiating an identity consumer, the portal/menu is a normal URL without material (or even the user directly goes to the client's website), SSO
    The client finds that there is no user identity information in the local session, so it has to redirect to return to the SSO server, and finally the server jumps back with an expected URL.
    Apparently, the previous process was redirect twice, which is faster, but every URL in the portal/menu is deeply coupled with SSO sever, or, sometimes there is no such central portal.
  2. The identity information transmitted in the URL parameter is still a pointer.
    ?
    SSO server direction
    When the client jumps, the sender can put the identity information in the URL parameter for direct transmission, or you can carefully throw only one random string (SAML is called
    Artifact), the client takes this random string and then secretly asks the SSO server to obtain the complete identity information using the WebService/rest interface in the background.
    Obviously, the previous method is faster than the background query, but the latter method is not safe, the WebService/rest interface in the latter way can transmit a lot of information in any format.
  3. Whether full-text encryption or signature-only security measures
    ?
    Some people like full text (add one moreNonce
    ) Encryption has been growing for a long period of ciphertext, and our hearts are full of security. Some people also boldly transmit the content in plain text, and only add a signature at the end to prevent counterfeiting (the signature uses simple plaintext + key hashing, or the HMAC encryption hashing algorithm)
    In the former, users only see a long period of Mars, which does not give users a glimpse of anything, but the string is violent and encryption and decryption itself consumes a lot of CPU.
  4. Will the SSO client decrypt/compare the signature by itself?

    Generally, the SSO client decrypts or generates a signature based on the plain text for comparison, and verifies that the nonce is not used or has timed out.
    However, there may also be a very lazy client. Without such a complicated security encryption algorithm, you can directly send the received content to the SSO server using the WebService/rest interface in the background for help.

    The SSO is handwritten, And the identity Provider initiates the process. The encrypted identity information is transmitted in the URL parameter, which is decrypted by the SSO client. So, it is super simple...

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
factory pattern in net observer pattern in php pattern program in php observer pattern in net factory design pattern in php star pattern programs in php cas sso

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More