1. Background
As a website grows, its application systems are usually built at different times. Because each focuses on its own functions, design approach and development technology, each ends up with its own user database and its own authentication scheme. Over time this produces a class of users who use several of the website's application systems but hold a separate account in each, with no notion of a single website-wide account: before entering any application system, the user has to log on with that system's own account. Users find this inconvenient and reasonably ask why, when they are using applications on the same website, they should have to authenticate separately to each one. This requirement is what is meant by "single sign-on" (SSO).
2. Analysis
To achieve single sign-on across multiple application systems that each have an independent user system, the following points need to be considered:
- The single sign-on scheme assumes that every application system uses the browser/server (B/S) model, so that HTTP redirects and browser cookies are available as the transport for the logon state.
- The user authentication mark must be unified across application systems: after the user logs on, a user token is obtained, and every application system recognizes this same token format.
- The user token must be protected cryptographically, so that it cannot be forged or tampered with in transit, and must carry a limited validity period.
- Because each application system keeps its own user database, one person may have different accounts in different systems. Anyone who wants to use several systems through single sign-on must therefore register a unified account and log on with it; that account is mapped to the user's existing account in each application system.
- Different application systems may live under different domains, so single sign-on must work across domains (a cookie set for one domain is not sent to another).
- Application systems already in production need to be adapted to support single sign-on, while systems still under development can build it in; in both cases the coupling to the single sign-on server should be loose.
- Since each application system is normally in a stable operating period, the single sign-on system should disturb its existing login and authentication code as little as possible, and each system's original login process should remain available.
- Some application server platforms offer single sign-on, but only for applications whose user authentication is designed to their specifications, which is hard to retrofit onto systems already in operation.
3. Design
The overall design of the system is described in the following subsections.
3.1 Single sign-on management application
First, a single sign-on management application is designed.
Here the user registers a single sign-on account, binds to it one existing account on each application system, and maintains the registration and binding information. During binding, the management application must verify with the application system that the account and password the user supplied really exist there; each application system exposes this check through a web service interface of the same shape, so the management application talks to every system in the same way. Binding must require the user to prove control of the original account (hence the password check), otherwise anyone who knows a username could attach someone else's account to their own single sign-on identity.
3.2 User single sign-on process
The single sign-on management application, together with a uniform standard for transmitting and recognizing tokens, then supports the following single sign-on process:
1. The user accesses the application system.
2. The application system finds that the user has not logged on to it and redirects the request to the single sign-on server. (An HTTP redirect sends the browser itself to the other server, so the flow works even when the application system and the single sign-on server are in different domains.)
3. The single sign-on server checks whether the user has already logged on to it. If not, the user is asked to log on, and the logon flag is stored as a cookie in the client browser.
4. Based on the result of step 3, the single sign-on server generates a user token for the target application system and redirects the browser back to it with the token in the response.
5. The application system receives the token in the unified format, validates it (its integrity, its validity period, and that it was issued for this system), derives the user's logon account on this system from it, marks the user as logged on locally, and returns the page the user originally requested.
If the user had already logged on to the single sign-on server before accessing the application system, steps 2 to 4 are transparent to the user: from the user's point of view, a request was sent to the application system and the page came back.
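The following Python block is an added example of the five-step exchange above; it is not code from the original article, whose implementation section is omitted. It assumes details the article leaves open: the token is a base64url-encoded JSON payload authenticated with HMAC-SHA256 under a secret shared between the single sign-on server and each application system (the article asks for the token to be "encrypted"; an authentication tag is what prevents forgery and tampering, and encryption can be layered on top if the mapped account name must be hidden in transit), the token travels in a `token` query parameter on the redirect back, and the binding table, account names, secrets and URLs are constructed sample data. The receiver checks the tag in constant time, rejects tokens issued for another application system, tokens outside their validity period, and tokens presented twice.

```python
"""Toy single sign-on token exchange for the five-step process above (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed binding table: SSO account -> {application system id: original account}.
BINDINGS = {"alice_sso": {"forum": "alice01", "shop": "a.smith"}}
# Constructed per-application shared secrets (assumption: one secret per application system).
APP_KEYS = {"forum": b"forum-shared-secret-0123456789abcdef",
            "shop": b"shop-shared-secret-fedcba9876543210"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SsoServer:
    """Single sign-on server: holds the bindings and mints short-lived, signed tokens."""
    def __init__(self, keys, ttl_seconds=60):
        self.keys = keys          # shared secret per application system
        self.ttl = ttl_seconds    # limited validity period

    def issue_token(self, sso_account, app_id, now=None):
        # Map the unified account to the user's original account on the target system.
        app_account = BINDINGS[sso_account][app_id]
        now = int(time.time() if now is None else now)
        payload = {
            "sub": app_account,      # account on the target application system
            "aud": app_id,           # only this application system may accept the token
            "iat": now,
            "exp": now + self.ttl,
            "nonce": b64url(secrets.token_bytes(8)),  # lets the receiver reject replays
        }
        body = b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        sig = hmac.new(self.keys[app_id], body.encode(), hashlib.sha256).digest()
        return body + "." + b64url(sig)

    def redirect_back(self, return_to, token):
        """Step 4: send the browser back to the page it asked for, carrying the token."""
        sep = "&" if urlparse(return_to).query else "?"
        return return_to + sep + urlencode({"token": token})

class AppSystem:
    """An application system that trusts the SSO server through a shared secret."""
    def __init__(self, app_id, key, sso_login_url):
        self.app_id = app_id
        self.key = key
        self.sso_login_url = sso_login_url
        self.seen_nonces = set()  # replay protection within the token lifetime

    def redirect_to_sso(self, requested_url):
        """Step 2: user not logged on here, so redirect to the SSO server (cross-domain is fine)."""
        return self.sso_login_url + "?" + urlencode({"app": self.app_id, "return_to": requested_url})

    def verify_token(self, token, now=None):
        """Step 5: return the local account if the token is genuine, current, for us and unused."""
        body, _, sig = token.partition(".")
        if not sig:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, b64url_decode(sig)):
                return None  # forged, tampered, or signed with another system's key
            payload = json.loads(b64url_decode(body))
        except ValueError:  # bad base64 or bad JSON
            return None
        now = int(time.time() if now is None else now)
        if payload.get("aud") != self.app_id:
            return None  # token minted for a different application system
        if not payload.get("iat", 0) <= now < payload.get("exp", 0):
            return None  # expired (or not yet valid)
        if payload.get("nonce") in self.seen_nonces:
            return None  # replayed token
        self.seen_nonces.add(payload["nonce"])
        return payload["sub"]

    def handle_redirect(self, url, now=None):
        token = parse_qs(urlparse(url).query).get("token", [None])[0]
        return self.verify_token(token, now) if token else None

def run_flow(now=1_700_000_000):
    """Steps 1-5 for a user already logged on to the SSO server; returns the forum account."""
    sso = SsoServer(APP_KEYS)
    forum = AppSystem("forum", APP_KEYS["forum"], "https://sso.example.test/login")
    requested = "https://forum.example.test/thread?id=42"            # step 1
    to_sso = forum.redirect_to_sso(requested)                         # step 2
    params = parse_qs(urlparse(to_sso).query)                         # step 3: SSO server reads app, return_to
    token = sso.issue_token("alice_sso", params["app"][0], now)       # step 4 (logon cookie assumed valid)
    back = sso.redirect_back(params["return_to"][0], token)
    return forum.handle_redirect(back, now)                           # step 5

if __name__ == "__main__":
    print(run_flow())
```

Calling `run_flow()` returns `alice01`, the forum account bound to the `alice_sso` account. The example deliberately skips one check a production single sign-on server needs: it redirects to whatever `return_to` the application system supplied, so the server should only accept return URLs registered for that application, otherwise it becomes an open redirect that leaks tokens to arbitrary hosts. Nonces are kept in memory per application system; with several application servers behind one hostname they would need a shared store, or the nonce check could be dropped in favour of a very short validity period.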
4. Implementation
(Omitted)
5. Summary
The user single sign-on system designed in this solution has the following properties:
- It provides single sign-on and website-wide access, which makes the site more convenient for users.
- Coupling between systems is low. Adapting an application system does not disturb its existing processes or structure, so the rollout across the whole system is safe and smooth.
- It unifies the standard by which application servers accept user authentication information from the single sign-on server, and the standard for securely encoding, transmitting and recognizing the token, giving future application systems a ready-made single sign-on framework.
- It consolidates user information that was previously scattered across the application systems, related in fact but hard to correlate, laying a foundation for further personalized user services.