Single Sign-on certification Scheme ideas, to find a good idea to reply

The idea of unified user authentication scheme

Achieve the goal:

1. Achieve single sign-on, with a single sign-on account login, access to multiple authorized systems.

2. Try not to allow users to install the client, some technology such as CAS,SAML,P3P welcome reviews

There may be a login-free access method:
1, the current system interface to connect to other systems interface, (scene: Multi-system integration of a system)
2, the current system access to other systems of the Authenticated Service interface (scenario: access to the services of the authorized system)
3. Open the other system's page directly in the New Browser tab page. (Scenario: Access to other systems is free of login)

2. Enhanced security validation, using Cookie,token,session, and security token securitycard form

1, the cookie records the user's login information token,
2, the session can obtain the visitor's IP,
3. Security tokens are used to record unique credentials for single sign-on user access.
4, sensitive information (money, core content) or anti-malicious requests (such as theft) can be considered dynamic password and frequency of access to control (in the future if necessary)

3. Enhance user Experience

1. Login Profile Editor, add upload Avatar
2. User management, group management, role management, Rights Management interface Interactive modification more friendly
3. When the user accesses a system sub-page directly, if not logged in, it pops up and redirects to the specified sub-page after login.
4. For some special HTTP request error give friendly error.html hint, such as 404.500,302.

A problem exists:
1. Multiple systems may have more than one set of own user management, in addition to the possibility of third-party system access;
2. Multiple systems may share a set of user management;
3. What is the relationship between the single sign-on user and the system?


Solution:

1. For Issue 1: Establishment of UUM Certification center;
Provide the application system single sign-on role configuration registration, update, and logout interface (that is, the application system to join the operation of the Certification center);
Provide authorization to add, change, delete interface between application system;
A query interface that provides registration information for all registered systems;
Provide online single sign-on user's query, exit, login, etc.;
It is necessary to include the authorization period in the information of the interface.

2. For question 2:
Optimize the user Management module of application system, and support to distinguish the permissions of different domain names;
The unified user Management role is registered to the UUM Certification center, and the system authorizes each other;
It is recommended that the unified user management interface be open to users of a system for unified operation.


3. For question 3:
Application system has its own user management system, if you want to join a single sign-on group, you need to establish the following rules:
The application system to the authentication center to initiate the unit of the request for the role, that is, the user login alone needs to identify the role in the certification center;
Need to set up a single sign-on role, and then match the role of their system;
Application user management can authorize the single sign-on role to other systems, as well as to view information authorized by other systems;
Certification Center only role, can be applied to join the application system registration information Unified Management (separate processing), but the role of access is managed by each system replication.



4. Separate Login configuration:
1. Application submission XML format registered to the UUM Certification center, including information: System ID, role name (can be multiple), expiry time, etc., and can be modified.
2. The application system can assign a single sign-on role to the corresponding role of another system, which can be one-to-many, including necessary information such as expiry time.
3. The certification center can make some changes to some of the information submitted by the application system.

5. Single Sign-on access steps:


1. User access to a system, enter the user name, password;

2.A System login is successful,
Discovery is that the user role is a single sign-on role,
REDIRECT Uum Authentication Center login interface, and transfer parameters and a system callback path,
Uum Authentication parsing parameters, check whether the role expires, generate security tokens, and then redirect back to the application system;
This results in the connection between the application system and the authentication Center system.

3. User access to the B system home page, B system found not logged on its own server,
REDIRECT Uum Authentication Center login interface, and transfer parameters and B system callback path,
Uum authentication discovery is logged in, returns the user role corresponding information, and the security token is redirected to the B system,
B System Login succeeded.


6. Security Verification:

Single Sign-on certification Scheme ideas, to find a good idea to reply