Single Sign-On (SSO) Introduction

Source: Internet
Author: User

With the proliferation of business applications supported by IT systems, users and system administrators are faced with an increasingly complex set of interfaces through which to perform their job functions. Typically a user has to sign on to several systems, each presenting its own login dialogue, and each expecting a different user name and set of authentication information. System administrators have to manage user accounts in each of those systems separately, and still maintain a consistent security policy across all of them. The following describes the legacy approach, in which the user signs on to each system independently:



Figure 1: A user signs on to multiple systems (legacy approach)

Historically, a distributed system has been assembled from components that act as independent security domains. These components comprise individual platforms with their associated operating systems and applications.

These components act as independent domains in the sense that an end user has to identify and authenticate himself separately to each domain with which he wishes to interact. This scenario is illustrated in Figure 1. The end user initially interacts with a primary domain to establish a session with it. This is the primary domain sign-on, and it requires the end user to supply a set of credentials applicable to that domain, for example a user name and password. The primary domain session is typically represented by an operating system session shell running on the end user's workstation, within an environment that represents the end user (process attributes, environment variables, home directory and so on). From this primary domain session shell the user can invoke the services of the other domains, such as platforms or applications.

To invoke the services of a secondary domain, the end user must perform a secondary domain sign-on. This requires the end user to supply a further set of credentials applicable to that secondary domain, and to conduct a separate login dialogue with each secondary domain he needs to use. The secondary domain session is typically represented by an operating system shell or an application shell, again within an environment that represents the end user. From the management point of view, the legacy approach requires each domain to be administered independently, through multiple user account management interfaces. Considerations of both usability and security give rise to a need to coordinate, and where possible integrate, the user sign-on functions and user account management functions of the many different domains found in an enterprise. A service that provides such coordination and integration can deliver real cost benefits to an enterprise through:

A reduction in the time users spend signing on to individual domains, including a reduced chance of those sign-on operations failing.
Improved security, because a user has fewer sets of authentication information to handle and remember.
A reduction in the time taken, and improved response, when system administrators add or remove users or modify their access rights.
Improved security through the enhanced ability of system administrators to maintain the integrity of user account configuration, including the ability to inhibit or remove an individual user's access to all system resources in a coordinated and consistent manner.


Figure 2: A user signs on once to multiple systems (single sign-on approach)


Such a service has been termed single sign-on, after the end user's perception of its effect; however, the end-user and the management aspects of the service are equally important. The approach is illustrated in Figure 2. In the single sign-on model the system must collect from the user, as part of the primary sign-on, all the identification and credential information needed to authenticate the user to each secondary domain with which the user may potentially interact. Single sign-on services within the primary domain then use that information to authenticate the user to each secondary domain with which the user actually requests to interact.

The information supplied by the end user as part of the primary domain sign-on may be used to support secondary domain sign-on in several ways:

Directly: the information supplied by the user is passed to the secondary domain as part of the secondary sign-on.
Indirectly: the information supplied by the user is used to retrieve other identification and credential information stored in a single sign-on management information base. The retrieved information is then used as the basis for the secondary domain sign-on.
Immediately: a session with the secondary domain is established as part of the initial session establishment. This implies that application clients are invoked automatically, and communications established, at the time of the primary sign-on.
Temporarily stored or cached, and used when the end user actually requests the secondary domain's services.

From the management point of view, the single sign-on model provides a single user account management interface through which all the component domains can be managed in a coordinated and synchronised manner.

The significant security aspects of the single sign-on model are:

The secondary domains have to trust the primary domain to:

correctly assert the identity and authentication credentials of the end user;
protect the authentication credentials used to verify the end user's identity to the secondary domain from unauthorised use.

The authentication credentials have to be protected when transferred between the primary and secondary domains against interception or eavesdropping, which could otherwise lead to masquerade attacks (an attacker who captures the credentials presenting them as if he were the user).
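To make the "indirect" mode listed above and these two security requirements concrete, here is a small Python model. It is an added example, not code from the original document or from any single sign-on product. It assumes an in-memory user database and single sign-on management information base, a single HMAC key shared between the primary domain and the secondary domains, and a JSON assertion format; all of these are illustrative choices. The primary domain authenticates the user once, retrieves the identity the user holds in each secondary domain, and issues a signed, time-limited assertion. The secondary domain accepts that assertion in place of its own login dialogue, which is exactly the trust relationship described above, but it rejects assertions that were altered in transit, presented to the wrong domain, presented after expiry, or replayed after being intercepted.

```python
import hashlib
import hmac
import json
import secrets
import time


def _pw_hash(password, salt):
    """Salted PBKDF2 password hash for the primary domain's user database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000).hex()


# Constructed sample data (not from the document): one primary-domain user, and
# the identities the single sign-on management information base maps her to in
# two secondary domains (the "indirect" mode described above).
USER_DB = {"alice": {"salt": "a1", "hash": _pw_hash("correct horse", "a1")}}
SSO_MIB = {"alice": {"payroll": "alice.p", "mail": "amartin"}}


class PrimaryDomain:
    """Authenticates the user once and asserts her identity to secondary domains."""

    def __init__(self, trust_key):
        # Assumed: one HMAC key shared with the secondary domains. It is the
        # credential the primary domain must protect from unauthorised use.
        self.trust_key = trust_key
        self.sessions = {}

    def primary_sign_on(self, user, password):
        """Primary domain sign-on: returns a session token, or None on failure."""
        rec = USER_DB.get(user)
        if rec is None or not hmac.compare_digest(rec["hash"], _pw_hash(password, rec["salt"])):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def assert_identity(self, session, domain, ttl=60, now=None):
        """Look up the user's identity in `domain` and return a signed assertion."""
        user = self.sessions[session]
        now = time.time() if now is None else now
        body = {
            "sub": SSO_MIB[user][domain],   # identity as the secondary domain knows it
            "aud": domain,                  # binds the assertion to one secondary domain
            "iat": now,
            "exp": now + ttl,               # limits how long an intercepted copy is useful
            "nonce": secrets.token_hex(8),  # lets the secondary domain detect replay
        }
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.trust_key, raw, hashlib.sha256).hexdigest()
        return raw, tag


class SecondaryDomain:
    """Accepts the primary domain's assertion in place of its own login dialogue."""

    def __init__(self, name, trust_key):
        self.name = name
        self.trust_key = trust_key
        self.seen_nonces = set()

    def secondary_sign_on(self, raw, tag, now=None):
        """Return (identity, "ok") on success, or (None, reason) on rejection."""
        expected = hmac.new(self.trust_key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad signature"    # altered in transit, or not from the primary
        body = json.loads(raw)
        now = time.time() if now is None else now
        if body["aud"] != self.name:
            return None, "wrong audience"   # assertion minted for another domain
        if now > body["exp"]:
            return None, "expired"
        if body["nonce"] in self.seen_nonces:
            return None, "replay"           # intercepted assertion presented again
        self.seen_nonces.add(body["nonce"])
        return body["sub"], "ok"


def demo():
    """Run the flow once and exercise each rejection case; returns the outcomes."""
    key = secrets.token_bytes(32)
    primary = PrimaryDomain(key)
    payroll = SecondaryDomain("payroll", key)
    mail = SecondaryDomain("mail", key)

    session = primary.primary_sign_on("alice", "correct horse")
    raw, tag = primary.assert_identity(session, "payroll", now=1000)
    results = {
        "first": payroll.secondary_sign_on(raw, tag, now=1010),
        "replay": payroll.secondary_sign_on(raw, tag, now=1011),
        "wrong_domain": mail.secondary_sign_on(raw, tag, now=1010),
        "tampered": payroll.secondary_sign_on(raw.replace(b"alice.p", b"admin"), tag, now=1010),
    }
    raw2, tag2 = primary.assert_identity(session, "mail", ttl=30, now=1000)
    results["expired"] = mail.secondary_sign_on(raw2, tag2, now=1031)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} -> {outcome}")
```

demo() returns the outcome of each case: the first presentation succeeds as "alice.p", and the replayed, re-targeted, tampered and expired assertions are each refused with a reason. A real deployment would use a distinct key per secondary domain (or an asymmetric signature) and an encrypted transport in addition to the integrity tag, but the audience, expiry, nonce and signature checks shown here are what turn the requirement "trust the primary domain" into something the secondary domain can actually verify.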

(Please note: any reproduction of this document should credit the original translator, Rosen Jiang, and the source: Http://blog.csdn.net/rosen)
