Single Sign-On solution based on SOA Service Mode


Summary

This document describes a single sign-on information integrated management platform built on standard SOA services, to solve user authentication, permission verification, session timeout and single-point logout between distributed systems. It embodies the business-oriented, coarse-grained and loosely coupled characteristics of SOA service development.

Keywords

SSO, SCA/SDO standard, SOA service, single sign-on, user authentication, permission verification, EOS6

Definition, acronyms

SSO: Single Sign-On

EOS: Primeton EOS 6.0, the component-oriented SOA platform from Primeton

1.1 Introduction

In distributed systems, how to implement single sign-on and permission verification is a common problem that many enterprises run into during informatization. Many solutions have been proposed: WebLogic and WebSphere provide container-level solutions, there are open-source solutions such as CAS (Central Authentication Service) from Yale University, and many enterprises have developed their own. These solutions all share a common weakness: user authentication and permission verification are not well integrated and are essentially separated. Single sign-on only solves the user authentication problem; permission verification is performed independently by each business application.

As SOA becomes the trend of the times, we have encapsulated user authentication and permission verification as SOA services and use these services in distributed systems to authenticate user identity and verify user permissions, which is a good solution for single sign-on authentication and permission verification. SOA-based single sign-on also has great advantages in supporting loose coupling, scalability and flexibility of systems. I had the honor of taking part in building a bank's information integrated management platform; using Primeton's component-oriented SOA development platform EOS, SOA services based on the SCA/SDO standards could easily be implemented to support single sign-on and permission verification for distributed systems.

1.2 System Framework

According to the plan, the information integrated management platform provides user authentication, permission verification and other services to all MIS business applications. User information and permission information are maintained centrally on the platform. The platform and the MIS business applications can be freely deployed on one or more hardware devices, each with its own independent database. The deployment diagram is as follows:

Figure: System deployment diagram

For users, the information integrated management platform and the business applications form a whole. The platform must support single sign-on: to access a business application from the client, the user must first log on to the information integrated management system. When the user then accesses a business application, the business application determines whether the user has access permission; if so, it executes the business logic and returns the result to the user.

Business application permission information is maintained in a unified manner on the information integrated management platform, which makes centralized management easy. Business applications perform permission verification based on the authorization information held by the platform.

Therefore, on the basis of unified user, organization and permission management, we need to implement a single sign-on mechanism and a permission verification mechanism between the information integrated management platform and the various MIS business applications.

1.3 Single Sign-on mechanism Principle

Single sign-on mainly solves three problems: single-point logon, session timeout and single-point logout. Following the SOA development method of the EOS platform, services are extracted from the business problem to solve it: a user authentication service provides single-point logon, and a logout service provides single-point logout. The user authentication service is provided by the information integrated management platform, and the logout service is provided by each MIS business application.

In single sign-on for distributed applications, session timeout handling is rather difficult. Once the authentication service is used to handle user authentication, this problem becomes very easy to handle.

Session timeout: if the session of the business application times out, the business application can simply call the platform's authentication service again to verify the user information. If the session on the information integrated management platform times out, the user has to log on again. When the authentication service is called again, the client obtains the user's unique identification number (TICKETID) and user ID from cookies and passes them to the authentication service, which determines whether the identification number is valid and matches the user ID, and thereby whether the verification succeeds.

1.3.1 User Authentication Process

Figure: Single sign-on schematic. Participants: User Client, Information Integrated Management System, Authentication Service. Steps: 1. Login; 2. User authentication; 3. Access business application; 4. Call the service and authenticate user information; 5. Return authentication results; 6. The application creates a session.

1. On the logon page of the information integrated management system, the user enters a user name and password.

2. The information integrated management system authenticates the user name and password. There are many authentication mechanisms, such as writing your own authentication program or using a standard method such as LDAP or a database. In most cases LDAP is used, because it has many unique advantages in handling user logon.

3. After authentication passes, the information integrated management platform creates a session for the user and generates the user's unique identifier, TICKETID. When the user accesses a business application for the first time, the platform passes the user's userID and TICKETID to the business application.

4. The business application intercepts the user's access request with the single sign-on proxy, the SSO Filter, and checks whether user information such as userID and TICKETID already exists in the business application's user session. If it does, this is not the user's first access to the business application and the request is forwarded on. If there is no user information in the session, the filter calls the authentication service of the information integrated management platform, sending the user's userID, the application code appCode, and the user's unique identification number TICKETID.

5. The authentication service of the information integrated management platform determines, based on userID and TICKETID, whether the user has been authenticated on the platform. If so, it returns the user's information, such as user role, user group, user title, user position and user organization, and the platform records the user's userID and appCode so that the user can later be logged out of that application. If the user has not been authenticated on the platform, the user is sent to the logon page to log on.

6. Having received the information that the user is authenticated, the business application creates and initializes a user session and stores the user information in it. On subsequent requests to the business application, the business application no longer needs to call the authentication service of the information integrated management platform.

To ensure system security, the userID and TICKETID transmitted between the information integrated management platform and the business applications are transmitted as ciphertext: the platform encrypts the information with a public key, and the business application, on receiving the ciphertext, uses the platform's public key to decrypt it and obtain the information. Note that a ciphertext any holder of the platform's public key can recover proves that it came from the platform but is not confidential; if the ticket must also be kept secret on the wire, the channel itself needs protection such as TLS.
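As an added illustration, not code from EOS or from the platform described here, the following Python models steps 1 to 6 together with the session timeout and single-point logout handling of section 1.3: a platform-side authentication service that issues and validates TICKETIDs and records appCodes for logout, and the business application's SSO Filter. The user directory, profile data and application code are constructed values.

```python
import hmac
import secrets

# Constructed stand-ins for the platform's LDAP/database user store.
DIRECTORY = {"alice": "s3cret"}
PROFILES = {"alice": {"role": "teller", "org": "branch-01"}}

class AuthenticationService:
    """Platform side: issues a TICKETID at logon (step 3), validates (userID, TICKETID, appCode) (step 5)."""
    def __init__(self):
        self.tickets = {}     # TICKETID -> userID, i.e. the platform session
        self.app_logins = {}  # userID -> appCodes recorded for single-point logout

    def login(self, user_id, password):
        expected = DIRECTORY.get(user_id, "")
        if not hmac.compare_digest(expected, password):
            return None
        ticket_id = secrets.token_urlsafe(32)  # unguessable, bound to this logon
        self.tickets[ticket_id] = user_id
        return ticket_id

    def authenticate(self, user_id, ticket_id, app_code):
        owner = self.tickets.get(ticket_id)
        if owner is None or not hmac.compare_digest(owner, user_id):
            return None  # platform session expired, or ticket belongs to another user
        self.app_logins.setdefault(user_id, set()).add(app_code)
        return dict(PROFILES[user_id])

    def logout(self, user_id, ticket_id):
        if self.tickets.get(ticket_id) != user_id:
            return set()
        del self.tickets[ticket_id]
        return self.app_logins.pop(user_id, set())  # apps whose logout service to call

class SSOFilter:
    """Business application side: the SSO Filter of step 4 and session creation of step 6."""
    def __init__(self, app_code, auth_service):
        self.app_code, self.auth = app_code, auth_service

    def handle(self, session, cookies):
        if "userID" in session:
            return "pass"  # not the first access: no call to the platform needed
        user_id, ticket_id = cookies.get("userID"), cookies.get("TICKETID")
        info = self.auth.authenticate(user_id, ticket_id, self.app_code) if user_id and ticket_id else None
        if info is None:
            return "redirect-to-login"  # platform session timed out or ticket invalid: log on again
        session.update({"userID": user_id, "TICKETID": ticket_id, **info})  # app session (step 6)
        return "pass"
```

A business-application session timeout is handled by calling `handle` with an empty session and the same cookies; a platform-side timeout or logout makes the same call redirect to the logon page.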
