Introduction to single sign-on

 

Reproduced on:

Http://dotnet.blog.51cto.com/272325/51559

 

Single Sign-On (SSO) is part of identity management. SSO is a popular definition: SSO refers to the same user accessing protected resources in different applications of the same server. It only needs to log on once, that is, after the security verification in an application, when Accessing Protected Resources in other applications, you do not need to log on again for verification.

In current enterprise application environments, there are often many application systems, such as office automation (OA) systems, financial management systems, file management systems, and information query systems. These application systems serve the information construction of enterprises, and bring great benefits to enterprises. However, it is not convenient for users to use these application systems. Each time a user uses the system, the user name and password must be entered for authentication. Different application systems make different user accounts. The user must remember multiple user names and passwords at the same time. Especially for enterprises with a large number of application systems and a large number of users, this problem is particularly prominent. The cause of the problem is not a system development error, but a lack of overall planning and a unified User Login platform. SSO technology can solve these problems.

I. The main advantages of using SSO are:
(1) convenient for users
When you use the application system, you can log on to the application system at one time and use it multiple times. You do not need to enter the user name and password each time, or remember multiple user names and passwords. The Single Sign-On platform can improve the user experience in using the application system.
(2) convenient Administrator
The system administrator only needs to maintain a set of unified user accounts, which is convenient and simple. In contrast, the system administrator previously needed to manage many user accounts. Each application system has a set of user accounts, which not only bring inconvenience to management, but also prone to management vulnerabilities.
(3) simplified application system development
When developing a new application system, you can directly use the user authentication service of the Single Sign-On platform to simplify the development process. The Single Sign-On platform provides a unified authentication platform for single-point logon. Therefore, the application system does not need to develop user authentication programs.
II. The main technologies for implementing SSO are:
(1) based on cookies, pay attention to the following points: If the method of transferring sessionid between two domain names may be established in windows, problems may occur in UNIX & Linux; it can be implemented based on the database; more security considerations may be made. In addition, although cookies do not cross-domain, they can be used to implement cross-domain SSO.
(2) Broker-based (broker-based), such as Kerberos;
This technology features a centralized authentication and user account management server. The broker provides electronic identity access for further requests. The use of central databases reduces management costs and provides a public and independent "third-party" for authentication ". For example, Kerberos, sesame, and IBM kryptoknight (Credential library idea.
(3) Agent-based)
In this solution, there is a proxy that automatically authenticates user identities for different applications. This agent needs to be designed with different features. For example, it can use a password table or an encryption key to automatically remove the authentication burden from the user. The proxy is placed on the server and acts as a "Translation" between the server's authentication system and the client authentication method ". For example, ssh.
(4) token-based, such as SecurID, webid,
Currently widely used password authentication, such as FTP and email server logon authentication, is a simple and easy-to-use method to implement a single password for use in a variety of applications.
(5) gateway-based
Agent and broker-based, which is not described here.
(6) Based on the Security Assertion Markup Language (SAML), the emergence of SAML (Security Assertion Markup Language, Security Assertion Markup Language) greatly simplifies SSO, it is also approved by Oasis as the Implementation Standard of SSO. Opensaml, an open-source organization, implements the SAML specification. For more information, see http // www.opensaml.org.
Iii. Sun SSO Technology 
Sun SSO is an integral part of Sun Java System Access Manager.
Sun's new identity management products include Sun Java System Identity Manager, Sun Java System Directory Server Enterprise Edition, and Sun Java System Access Manager, the above three are components of Sun Java Identity Management Suite (Identity Management Suite, they form Java es with Sun Java application platform suite, Sun Java availability suite, Sun Java Communications suite, and Sun Java Web infrastructure suite. This series of innovative products provide end-to-end identity management and can interoperate with over 60 third-party resources and technologies. Integrated products can be downloaded from Sun's website and are generally provided through agent software, it is one of the most open and integrated identity management solutions in the industry.
Sun Java System Access Manager is an important component of Sun's new identity management product. Based on the J2EE architecture, Java Access Manager adopts standard APIs and has high scalability, with high reliability and availability, applications are deployed in the servlets container, supporting distributed deployment, easy deployment, and low TCO. Sun Java System Access Manager provides a scalable security model for all web-based applications by using centralized verification points, role-based access control, And sSo. It simplifies information exchange and transactions, while protecting the security of privacy and important identity information.
Iv. CAS Introduction 
CAS (Central Authentication Service) is a single sign-on (SSO) system developed by Yale University. It is widely used and has platform-independent, easy to understand, and supports proxy functions. CAS systems can be used in various universities, such as Yale University, University of California, University of Cambridge, and Hong Kong University of Science and Technology.
The acegi Security System of Spring framework supports CAS and provides easy-to-use solutions. Acegi security system is a security framework for Spring framework, which can be seamlessly integrated with popular web containers. It uses spring to provide security and authentication security services, including bean context, interceptor and interface-oriented programming. Therefore, the acegi security system can easily meet complex security requirements. Acegi security systems have been widely used at home and abroad and have a good community environment.
CAS design goals 
(1) provides single-point login infrastructure for multiple web applications, and provides single-point login for non-Web applications but Web Front-end functional services;
(2) simplify the process of user identity authentication for applications;
(3) user identity authentication is concentrated on a single web application, allowing users to simplify their password management to improve security. In addition, when the application needs to modify the business logic of identity authentication, you do not need to modify the code everywhere.
Implementation principle of CAS
CAS (Central Authentication Server) is designed as an independent web application. The implementation principle is very simple.

CAS creates a long random number (Ticket ). CAS associates the ticket with the successfully logged-on user and the service the user wants to access. For example, if the user peon redirects from service s and CAS creates a ticket T, this ticket T allows peon to access service S. This ticket is a one-time credential. It is only used for peon and only for service S, and can only be used once. It will expire immediately after use, that is, ticket passes verification, CAS immediately deletes the ticket, it cannot be used later. This ensures its security.
For St, when a st is retrieved, delete ticket (ticketid) is used to delete the one-time st. For TGT or PT, the reset timer (ticketid) to update the time of TGT or PT. Only the user name can be obtained from the St returned by the CAS server.
In addition, cas3.0 has been released, and the latest version is 3.03. We hope cas3.0 can provide us with new things while being backward compatible.

Sun SSO implementation principle
The core of SSO is unified user authentication. login and authentication requests are completed through the identity server and then distributed to the corresponding applications.
Sun SSO is an integral part of Java Access Manager. SSO is implemented based on cookies as follows:
(1) Policy Agent on web or Application Server intercepts resource requests and enforces access control;
(2) Client is issued SSO token containing information for session validation with session service.
(3) SSO token has no content-just a long random string used as a handle.
(4) Web-based applications use browser session cookies or URL rewriting to issue SSO token.
(5) Non Web applications use the sso api (Java/C) to obtain the SSO token to validate the users identity. Sun SSO applications 
The application mentioned here refers to the application of Sun Java System Access Manager. There are many examples of successful applications, including the applications of German Telecom and other companies. There are also a large number of colleges and universities in China, and there are also a considerable number of applications in other industries. Sun SSO Open Source 
Sun will release its network verification and Network Single Sign-On technology to give a new open source code plan "Open Web Single Sign-On" (Open SSO ). The opensso website is located at [url] https://opensso.dev.java.net/#/url#. This website provides an overview of opensso: This project is based on the code base of Sun Java (TM) System Access Manager product, a core identity infrastructure product offered by Sun Microsystems.
The first source code of the opensso program will be completed by the end of this year. The basic version will be released in March, and the complete version may wait until March. Sun adopts the same common development and distribution license as the Solaris operating system.