Single Sign-On SSO

Source: Internet
Author: User

1. What is Single Sign-On (SSO)

SSO is a unified authentication mechanism: a user who accesses the protected resources of several applications that trust the same authentication system needs to log on only once. After passing security verification in one application, the user can access the protected resources of the other applications without logging on again.

2. What problem does single sign-on solve?

A user needs to log on only once to reach every application in a group of mutually trusting systems, instead of logging on again at each one.

3. Technical Implementation Mechanism of Single Sign-On

As shown in the figure:

When a user accesses Application System 1 for the first time, the user has not yet logged on and is directed to the authentication system to log on. The authentication system verifies the identity based on the login information the user provides; if verification succeeds, it returns an authentication credential, the ticket, to the user. When the user then accesses another application, the ticket is carried along as the authentication credential. The receiving application system does not trust the ticket on its own: it sends the ticket to the authentication system, which checks whether the ticket is genuine and still valid. Once that check passes, the user can access Application System 2 and Application System 3 without logging on again.

From this we can see the technical points of an SSO implementation:

1) All application systems share one identity authentication system.

This unified authentication system is the core of SSO. Its main function is to compare the user's login information with the user information store and authenticate the login. After authentication succeeds, it generates a unified authentication mark, the ticket. It must also be able to verify a ticket presented later and determine whether it is still valid.

2) All application systems can identify and extract ticket information.

For SSO to let users log on only once, each application system must be able to recognize users who have already logged on. It must therefore be able to identify and extract the ticket from the request, and by communicating with the authentication system it can determine whether the current user is logged on, which completes the single sign-on function.

Workflow of a unified identity authentication mechanism, for example:

① The user requests access to a business system.

② The business system checks whether the request carries a valid token (or an existing authenticated session). If so, it reads the corresponding identity information and allows access. If there is no token, or the token is invalid, it redirects the user to the unified identity authentication platform, carrying the business system's address so that the user can be sent back after login; go to step ③. The platform should accept only the addresses of registered business systems as return targets, otherwise its login page becomes an open redirector.

③ On the page provided by the unified identity authentication platform, the user enters identity credentials and the platform authenticates them. If the credentials are valid, the platform generates a valid token for the user; go to step ④. If authentication fails, the user is prompted again until authentication succeeds or the user exits.

④ The user returns to the business system carrying the token obtained in step ③.

⑤ The business system extracts the token carried by the user and submits it to the authentication platform for a validity check and retrieval of the identity information.

⑥ If the token passes the validity check, the authentication platform returns the user identity information corresponding to the token to the business system, which writes the identity information and the valid token into its session state; the user can then perform operations on the business system under that identity. If the token fails the validity check, the user is redirected to the authentication platform again, i.e. back to step ③.

A valid token issued by the unified identity authentication platform lets the user roam between business systems.
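The exchange described in the six steps above, and the two technical points before it, as an added example that is not part of the original article. The page does not specify a ticket format, so this example assumes an HMAC-signed, time-limited ticket minted by the authentication platform; the class and host names (AuthPlatform, BusinessSystem, sso.example.test, app1.example.test) and the user store are hypothetical and constructed for the demonstration. Each business system keeps its own session, asks the platform to verify every ticket it receives, and only ever redirects to the platform's login page with its own registered return address.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode, urlparse

# Hypothetical login URL of the unified identity authentication platform.
SSO_LOGIN_URL = "https://sso.example.test/login"


def make_user_record(password: str) -> tuple:
    """Salted PBKDF2 record for the authentication platform's user store (constructed data)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthPlatform:
    """The unified identity authentication platform: issues and verifies tickets."""

    def __init__(self, users: dict, allowed_return_hosts: set, ttl: int = 300):
        self._key = secrets.token_bytes(32)    # HMAC key known only to the platform
        self._users = users                    # username -> (salt, pbkdf2 digest)
        self._allowed = allowed_return_hosts   # hosts of registered business systems
        self._ttl = ttl                        # ticket lifetime in seconds

    def validate_return_url(self, url: str) -> bool:
        """Step 2 caveat: only redirect back to registered business systems,
        otherwise the login page is an open redirector."""
        p = urlparse(url)
        return p.scheme == "https" and p.hostname in self._allowed

    def login(self, username: str, password: str, now: float = None):
        """Step 3: compare the credentials with the user store; on success mint a ticket."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        now = time.time() if now is None else now
        payload = {"sub": username, "iat": now, "exp": now + self._ttl,
                   "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify(self, ticket: str, now: float = None):
        """Steps 5-6: check signature and expiry; return the identity or None."""
        try:
            body, sig = ticket.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                        # forged or tampered ticket
        payload = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if now >= payload["exp"]:
            return None                        # expired ticket
        return {"username": payload["sub"], "jti": payload["jti"]}


class BusinessSystem:
    """One application system: trusts the platform, keeps its own session state."""

    def __init__(self, name: str, platform: AuthPlatform, return_url: str):
        self.name = name
        self.platform = platform
        self.return_url = return_url           # this system's registered address
        self.sessions = {}                     # session id -> identity information

    def _login_redirect(self) -> tuple:
        return "redirect", SSO_LOGIN_URL + "?" + urlencode({"return": self.return_url})

    def access(self, session_id: str, ticket: str = None, now: float = None) -> tuple:
        # Step 2: an existing session means this user already authenticated here.
        if session_id in self.sessions:
            return "ok", self.sessions[session_id]
        # No ticket presented: send the user to the platform with our return address.
        if ticket is None:
            return self._login_redirect()
        # Steps 4-5: the user came back with a ticket; the platform checks it, not us.
        identity = self.platform.verify(ticket, now)
        if identity is None:
            return self._login_redirect()      # step 6, failure branch: back to login
        # Step 6: bind the identity to this system's own session.
        self.sessions[session_id] = identity
        return "ok", identity
```

Roaming is visible in the last steps: the same ticket is accepted by a second business system without a new login, but only until its expiry, and each system's session lives on independently of the ticket. In a real deployment the platform would additionally keep the "jti" values it has revoked so that logout at the platform invalidates tickets before they expire.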

4. Advantages of Single Sign-On

1) Improved user efficiency.

Users do not need to remember multiple IDs and passwords, and fewer forgotten passwords means fewer requests to support staff.

2) Improved developer efficiency.

SSO gives developers a common authentication framework. If the SSO mechanism is independent of the applications, developers do not need to implement authentication themselves: once the program has been handed a username, they can assume authentication is complete.

3) Simplified management.

When an application joins the single sign-on scheme, the burden of managing user accounts is reduced. How much it is reduced depends on the application, because SSO handles only authentication; the application may still need to manage user attributes of its own, such as access privileges.

5. Disadvantages of Single Sign-On

1) Harder to refactor.

Because many systems are involved, any restructuring of the authentication system must stay compatible with all of them, which can take a long time.

2) Unattended desktop.

Because a single login grants access to every authorized application system, a logged-in desktop left unattended exposes all of those systems at once and may leak important information; the same applies if the ticket itself is stolen.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
