Single Sign-On (SSO) Implementation (with source code) and single point sso

Source: Internet
Author: User

Basic concepts of SSO

SSO stands for Single Sign-On. It is used across multiple application systems: a user logs on once and can then access every mutually trusted application system. It includes a mechanism for mapping that one primary logon to the logons of the same user in the other applications. It is one of the most popular solutions for enterprise business integration. (This section is taken from Baidu Encyclopedia.)

This article introduces one way to implement SSO. The code is deliberately minimal; it exists only to verify that my idea works. Please fill in the details yourself!

Single Sign-on for second-level domain names

What is a second-level domain name? For example:

  • Site1.domain.com
  • Site2.domain.com

For single sign-on across second-level domain names, we can implement it easily by sharing a cookie. Simply put, when issuing the Forms authentication ticket we set the cookie's domain to the top-level domain name, for example:

    HttpCookie cookie = new HttpCookie(FormsAuthCookieName, encryptedTicket);
    cookie.Expires = rememberMe ? expirationDate : DateTime.MinValue;  // session cookie unless "remember me"
    cookie.HttpOnly = true;                                            // not readable from script
    cookie.Path = "/";
    cookie.Domain = "domain.com";                                      // shared by every *.domain.com site
    context.Response.Cookies.Set(cookie);

This method does not involve cross-origin requests. When the cookie's domain attribute is set to the top-level domain name, every second-level domain can read the cookie and use it for identity authentication; the cookie is then verified on the server side and the user is authenticated.

However, when the sites are cross-origin, for example:

  • Site1.com
  • Site2.com

the cookie cannot be shared, so the solution above no longer works. What should we do to implement cross-domain single sign-on? Read on.

Cross-origin Single Sign-on

I drew a simple flowchart about the design of cross-origin SSO:

First, I divide cross-domain SSO into two parts: the SSO-Server and the SSO-Client. There can be many SSO-Clients.

SSO-Server

The SSO-Server is mainly responsible for user login and logout, for assigning Tokens to SSO-Clients, and for verifying Tokens.

Login and logout use Forms authentication, which is documented in many places.

Allocate a Token to the SSO-Client

When the SSO-Client requests the SSO trust page, the SSO-Server checks whether the user is logged on. If not, the SSO-Server login page is displayed; if so, the Token allocation code runs. After allocation is complete, the TokenID is appended to returnUrl as a parameter and the browser is redirected to returnUrl. The allocation code is as follows:

    if (Domain.Security.SmartAuthenticate.LoginUser != null)
    {
        // Generate the Token and persist it in the server-side list
        Domain.SSO.Entity.SSOToken token = new Entity.SSOToken();
        token.User = new Entity.SSOUser();
        token.User.UserName = Domain.Security.SmartAuthenticate.LoginUser.UserName;
        token.LoginID = Session.SessionID;
        Domain.SSO.Entity.SSOToken.SSOTokenList.Add(token);
        // Append the Token to the return URL and redirect to the SSO-Client
        string spliter = returnUrl.Contains("?") ? "&" : "?";
        returnUrl = returnUrl + spliter + "token=" + token.ID;
        Response.Redirect(returnUrl);
    }

After Token allocation is complete, the browser is redirected to the SSO-Client page with the TokenID as a parameter, and the SSO-Client stores the Token value in its own cookie. On each subsequent request, the SSO-Client verifies the Token's validity by calling the SSO-Server service.

SSO-Server verification Token

I used a WebService to verify the Token.

First, define a Web Service in SSO-Server:

    [WebMethod]
    public Entity.SSOToken ValidateToken(string tokenID)
    {
        // Unknown or expired Token: nothing is returned to the SSO-Client
        if (!KeepToken(tokenID))
            return null;
        var token = Domain.SSO.Entity.SSOToken.SSOTokenList.Find(m => m.ID == tokenID);
        return token;
    }

    [WebMethod]
    public bool KeepToken(string tokenID)
    {
        var token = Domain.SSO.Entity.SSOToken.SSOTokenList.Find(m => m.ID == tokenID);
        if (token == null)
            return false;
        if (token.IsTimeOut())
            return false;
        // Refresh the last-authenticated time so the Token stays alive
        token.AuthTime = DateTime.Now;
        return true;
    }

ValidateToken verifies that the TokenID is valid. KeepToken refreshes the Token's authentication time so that an active Token does not expire.
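As an added example (not the post's own code), here is a server-side token store that keeps the ValidateToken/KeepToken contract from the allocation and verification sections above but adds the checks a practitioner would want: a random Token ID instead of a guessable one, an idle timeout, revocation on logout, and a returnUrl check against registered SSO-Client hosts before the redirect. The 20-minute limit and the host list are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
// Token issued by the SSO-Server; the ID is random, so it cannot be guessed or enumerated.
public sealed class SsoToken
{
    public string ID { get; }
    public string UserName { get; }
    public DateTime AuthTime { get; set; }
    public SsoToken(string userName)
    {
        var bytes = new byte[32];                         // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        ID = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        UserName = userName;
        AuthTime = DateTime.UtcNow;
    }
    public bool IsTimeOut(TimeSpan idle) => DateTime.UtcNow - AuthTime > idle;
}

public static class SsoTokenStore
{
    static readonly ConcurrentDictionary<string, SsoToken> Tokens = new ConcurrentDictionary<string, SsoToken>();
    static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);    // assumed idle limit
    static readonly string[] TrustedClientHosts = { "sso-client.com" }; // registered SSO-Clients (assumed)
    public static SsoToken Issue(string userName)
    {
        var token = new SsoToken(userName);
        Tokens[token.ID] = token;
        return token;
    }
    // Same contract as the post's KeepToken: false if unknown or idle too long, else refresh AuthTime.
    public static bool KeepToken(string tokenId)
    {
        SsoToken token;
        if (tokenId == null || !Tokens.TryGetValue(tokenId, out token)) return false;
        if (token.IsTimeOut(IdleTimeout)) { Tokens.TryRemove(tokenId, out token); return false; }
        token.AuthTime = DateTime.UtcNow;
        return true;
    }
    // Same contract as the post's ValidateToken: the token, or null when KeepToken rejects it.
    public static SsoToken ValidateToken(string tokenId) { SsoToken t; return KeepToken(tokenId) && Tokens.TryGetValue(tokenId, out t) ? t : null; }
    // Logout removes the token, so every SSO-Client's next ValidateToken call fails.
    public static void Revoke(string tokenId) { SsoToken t; Tokens.TryRemove(tokenId, out t); }
    // Only redirect the token to a registered SSO-Client host, never to an arbitrary returnUrl.
    public static bool IsTrustedReturnUrl(string returnUrl)
    {
        Uri uri;
        return Uri.TryCreate(returnUrl, UriKind.Absolute, out uri)
            && Array.IndexOf(TrustedClientHosts, uri.Host.ToLowerInvariant()) >= 0;
    }
}
```

The SSO-Server's allocation page would call IsTrustedReturnUrl(returnUrl) before Issue(...) and the redirect, and its logout page would call Revoke(tokenId).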

The SSO-Client verifies the Token by calling ValidateToken and obtains the current login user's information. Next, let's look at the SSO-Client implementation.

SSO-Client

The SSO-Client exists as a trusted system. It has no authentication system of its own and can only use the SSO-Server for user identity authentication.

When a user requests a protected resource on the SSO-Client, the SSO-Client first checks whether a TokenID is present. If it is, the SSO-Server WebService is called to verify that the TokenID is valid; if verification succeeds, an SSOToken instance is returned that contains the logged-on user's information. The code is as follows:

    if (!string.IsNullOrEmpty(tokenID))
    {
        // Ask the SSO-Server whether this Token is still valid
        AuthTokenService.AuthTokenServiceSoapClient client = new AuthTokenService.AuthTokenServiceSoapClient();
        var token = client.ValidateToken(tokenID);
        if (token != null)
        {
            // HTML-encode the user name before writing it into the page
            this.lblMessage.Text = "Login successful, Login User: " + Server.HtmlEncode(token.User.UserName)
                + " <a href='http://sso-server.com/logout.aspx?ReturnUrl="
                + Server.UrlEncode("http://sso-client.com") + "'>exit</a>";
        }
        else
        {
            // Invalid or expired Token: send the user back to the SSO-Server login page
            Response.Redirect("http://sso-server.com/sso.aspx?ReturnUrl="
                + Server.UrlEncode("http://sso-client.com/default.aspx"));
        }
    }
    else
    {
        // No Token at all: send the user to the SSO-Server login page
        Response.Redirect("http://sso-server.com/sso.aspx?ReturnUrl="
            + Server.UrlEncode("http://sso-client.com/default.aspx"));
    }

Source code

This article has presented my idea and its implementation. If you are interested, you can download my code: Demo.SSO

Source code deployment:

1. Create two sites in IIS for the SSO-Server and the SSO-Client, bound to the host names sso-server.com and sso-client.com.

2. Add two lines to the hosts file mapping sso-server.com and sso-client.com to 127.0.0.1, so that both names are reachable.

3. Open sso-client.com; the page redirects to the sso-server.com login page. Enter any username and password, then click Login.

That is all for this article. I hope it is helpful for your learning, and thank you for supporting this site.
