SSO stands for single sign-on. SSO is used across multiple application systems: a user needs to log on only once to access all of the mutually trusting application systems. It includes a mechanism for carrying the primary logon over to the other applications, so that the same user is logged on to them as well. It is one of the most popular solutions for enterprise business integration.
SSO Technology Implementation Mechanism
When a user accesses Application System 1 for the first time, the user is redirected to the authentication system to log on, because the user has not logged on yet. Based on the login information provided by the user, the authentication system performs identity verification; if verification succeeds, it returns a verification credential, the ticket, to the user. When the user accesses another application, the ticket is carried along as the authentication credential. After receiving the request, the application system sends the ticket to the authentication system, which checks whether the ticket is valid. Once the ticket passes verification, the user can access Application System 2 and Application System 3 without logging on again.
To implement SSO, the following functions are required:
1. All application systems share an Identity Authentication System.
A unified authentication system is one of the prerequisites for SSO. The main function of the authentication system is to compare the user's login information with the user information library in order to authenticate the login. After authentication succeeds, the authentication system should generate a unified authentication mark (the ticket) and return it to the user. In addition, the authentication system should verify tickets to determine whether they are valid.
2. All application systems can identify and extract ticket information
To implement the SSO function and allow users to log on only once, the application system must be able to recognize users who have already logged on. The application system should be able to identify and extract the ticket, and communicate with the authentication system to automatically determine whether the current user has logged on.
In addition:
1. A single user information database is not necessary. Many systems cannot store all user information centrally, and user information may be stored in different storage systems, as shown in the figure. In fact, as long as a unified authentication system generates and verifies the tickets, single sign-on can be achieved no matter where the user information is stored.
2. A unified authentication system does not mean that only a single authentication server is used.
To complete a higher-level single sign-on, authentication servers must exchange authentication information through a standard communication protocol. For example, when a user accesses Application System 1, Authentication Server 1 authenticates the user, who obtains the ticket generated by that server. When the user then accesses Application System 2, Authentication Server 2 can recognize that this ticket was generated by Authentication Server 1 and use a standard communication protocol between authentication servers (such as SAML) to exchange authentication information, so the SSO function is still completed.
Realization of Web-SSO
A user logs on at page 1, but each client request is a separate connection. When the user later accesses page 2, how does the browser tell the web server that this user has just logged on? The browser and the server have an agreement for this: cookie technology is used to maintain application state. A cookie is a string that the web server can set and the browser saves. When the browser accesses page 1, the web server sets a cookie and returns it together with page 1 to the browser. The browser saves the cookie and sends it along when it accesses page 2. When the web server receives the request, it can read the cookie value and, based on its content, determine and restore part of the user's state. Web-SSO can use cookies to hold the user's login information: the cookie in the browser carries the ticket mentioned above, which completes the SSO function.
To complete a simple SSO function, we need to build the following two parts:
1. A unified identity authentication service.
2. Modified web applications, so that each application performs identity verification through this unified authentication service.
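The following is an added example, not code from the original article, that models the two parts just listed together with the ticket and cookie mechanism described above: one authentication service that authenticates against a user library and issues and verifies tickets, two application systems that extract the ticket from the browser's cookie and delegate verification, and a simulated browser that carries the cookie across requests. The ticket format (`user:expiry:signature`, signed with an HMAC key that never leaves the authentication service), the cookie name `sso_ticket`, the ten-minute lifetime and the sample user store are all assumptions made for this example.

```python
"""Minimal ticket-based web SSO simulation (added example, not from the original page).

Assumed design: the authentication service issues an HMAC-signed ticket
"user:expiry:signature"; each application system extracts the ticket from the
browser's cookie and asks the authentication service to verify it.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample user library; in practice this can live in any backend store.
USER_DB = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

TICKET_TTL = 600  # assumed ticket lifetime in seconds


class AuthService:
    """The unified identity authentication system: checks login information
    against the user library, then issues and verifies tickets."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key stays inside this service

    def login(self, username, password):
        """Compare login info with the user library; return a ticket or None."""
        stored = USER_DB.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            return None
        payload = f"{username}:{int(time.time()) + TICKET_TTL}"
        return f"{payload}:{self._sign(payload)}"

    def verify(self, ticket, now=None):
        """Check the ticket's signature and expiry; return the username or None."""
        try:
            username, expiry, sig = ticket.rsplit(":", 2)
            expiry = int(expiry)
        except (AttributeError, ValueError):
            return None  # missing cookie or malformed ticket
        if not hmac.compare_digest(self._sign(f"{username}:{expiry}"), sig):
            return None  # tampered or issued by a service with another key
        now = time.time() if now is None else now
        if now >= expiry:
            return None  # expired: the user must log on again
        return username

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()


class AppSystem:
    """An application system: extracts the ticket cookie and delegates
    verification to the authentication service instead of checking it itself."""

    COOKIE = "sso_ticket"  # assumed cookie name

    def __init__(self, name, auth):
        self.name, self.auth = name, auth

    def handle(self, cookies):
        """Return (status, body) for a request that carries the browser's cookies."""
        user = self.auth.verify(cookies.get(self.COOKIE))
        if user is None:
            return 302, f"redirect to the authentication service from {self.name}"
        return 200, f"{self.name}: welcome {user}"


class Browser:
    """Simulated browser: stores cookies and sends them with every request."""

    def __init__(self):
        self.cookies = {}

    def login_via(self, auth, username, password):
        ticket = auth.login(username, password)
        if ticket is not None:
            self.cookies[AppSystem.COOKIE] = ticket
        return ticket is not None

    def get(self, app):
        return app.handle(self.cookies)


def sso_demo():
    """Walk through the flow: redirect, one login, access to both apps, rejected forgery."""
    auth = AuthService()
    app1, app2 = AppSystem("App1", auth), AppSystem("App2", auth)
    browser = Browser()
    before = browser.get(app1)[0]      # 302: no ticket yet
    assert browser.login_via(auth, "alice", "correct horse")
    after1 = browser.get(app1)[0]      # 200
    after2 = browser.get(app2)[0]      # 200 without a second logon
    forged = dict(browser.cookies)     # change the username, keep the old signature
    forged[AppSystem.COOKIE] = forged[AppSystem.COOKIE].replace("alice", "admin", 1)
    rejected = app2.handle(forged)[0]  # 302: signature no longer matches
    return before, after1, after2, rejected


if __name__ == "__main__":
    print(sso_demo())
```

Two design points worth noting: the application systems never see the signing key, so a compromised application cannot mint tickets on its own, and `verify` treats a missing cookie, a malformed ticket, a bad signature and an expired ticket identically by redirecting to the authentication service, so the user's existing ticket is re-checked on every request rather than trusted once.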