SSO solution exploration (Web)

1: Scenario

A company has three sites. A.com, B .com, and c.com. A user is required to log on to a.com without having to log on to B .com or c.com again. A.com, B .com, and c.com are three different domain names.

The general process should be like this.

1: The user comes to a.com, enter the user name and password on the logon interface, and click the logon button.

2: The browser sends a request to the.com server. The request provides the user name and password.

3: Use the user name and password on the server to check whether the row of data exists in the database.

4: If a row of data exists, the user information (User ID) is returned and B .com and c.com are notified that the user has logged on, if no row of data exists, the system prompts the user to re-enter the user name and password or register a new user.

We can see that through the above four sections, we can achieve our most important goal of "full-site traffic ". If we agree with this statement, let's proceed.

Here we have a problem, that is"HowInform B .com and c.com that the user has logged on ".We can have two solutions: client solution and server solution.

2: Scenario Solutions

2.1: client Solution

This is the client solution because the initiator of the notification event is on the client. In general, we can do this as follows:

Let's take a look at the sequence diagram.

 

The figure is relatively simple and will not be drawn here.

This solution is basically like this. We have a separate loginserver, which is used to verify user information and obtain the list of all domain names. When you log on, use it to detect user information. If the detection succeeds, you can obtain the domain name used, finally, post the user information to each domain name under the domain name list (each domain name has the same logic to write the information into cookies ).

2.2 Server Solution

Here we will talk about how the server notifies you.

First look at the sequence diagram

 

Let's look at the deployment diagram.

 

The difference between this and the client solution is that the user's login information is stored on the server (such as cloginserver ), when a user logs on, the Central Authentication Service will distribute the authentication information to each sub-Authentication Service (if the sub-authentication service is physically not a machine, the Central Authentication Service will send the authentication information the primary and sub-authentication service is then distributed to the sub-Authentication Service ). The authentication service stores the information of users who have logged on to each domain name.

Note:

1: The logical units shown in the figure can be simply considered as a physical machine or a group of physical machines providing a certain service.

 

 

More detailed introduction (partial connection)

Http://blog.csdn.net/cityhunter172/archive/2005/12/31/567479.aspx

Http://www.cnblogs.com/luck0235/archive/2009/08/05/1539906.html

Http://crazysoul.javaeye.com/blog/23674