The previous section described where Microsoft Passport and traditional SSO fall short architecturally: both require the user name and password to be stored in one place. Nobody wants to hand its user database to someone else, so unless one party is overwhelmingly stronger than the other, neither Google nor Baidu will give way.
So how do we solve the problem of where user credentials are stored?
Consider the Schengen Agreement in Europe. It establishes a single visa policy: a foreigner holding a valid entry visa issued by any Schengen member state may enter the other member states, repeatedly, without applying for a separate visa from each. You therefore only need to obtain a visa from one Schengen country. SAML-based federated identity works like a Schengen visa. Within the federation, a SAML assertion issued by one member is trusted by the other members, and because an assertion can carry attribute and authorization-decision statements as well as an authentication statement, it can also be used to protect access to resources.
SAML stands for Security Assertion Markup Language. It is an OASIS standard for exchanging authentication and authorization data; the WS-Security SAML Token Profile defines how SAML assertions are carried inside WS-* messages.
The model has three parties: the asserting party (the identity provider), the relying party (the service provider) and the subject (the user). The subject presents the assertion issued by the asserting party to the relying party. The relying party verifies, from the signature and the asserting party's certificate, that the assertion was really signed by the asserting party and has not been altered.
For example, if Baidu space users want to use Google's protected Gmail, how can they establish a trust relationship?
I drew a sequence diagram in Visio, which I am not good at. Don't laugh.
Several key steps:
Step 5: After the user logs in to Baidu successfully, Baidu issues a SAML security token. Baidu hashes the assertion to a digest and signs that digest with its own private key; the signature is what proves the assertion was issued by Baidu.
Step 7: When Google's authentication centre receives the token the user brought from Baidu, it recomputes the digest of the assertion and verifies the signature over it with Baidu's public key, which Google obtained out of band when the federation was set up. If the signature verifies, the assertion was issued by Baidu and was not modified in transit, and Google can trust it. A careful relying party also checks that the assertion names it as the intended audience and is still within its validity window, so that a token captured elsewhere cannot simply be replayed.
(Of course, in this design Google's authentication centre and Gmail can be one and the same component, with no browser redirect between them. Google also does not need to keep a copy of the security token internally.)
Baidu's user credentials stay on Baidu, yet Google's protected resources can be accessed, so Baidu's and Google's users can live in harmony!
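The two steps above, carried out end to end, as an added example that is not part of the original post. It is a deliberately minimal stand-in for a SAML assertion, not a real SAML implementation: the element names, the issuer and audience strings (`baidu.com`, `gmail.google.com`) and the keys are all constructed here, and the signature is RSA PKCS#1 v1.5 over a SHA-256 digest of the raw assertion bytes rather than XML-DSig with canonicalization. The relying party keeps a table of trusted issuers and their public keys, verifies the signature, then enforces audience and expiry; the `main` shows a valid token, a tampered one, a replay at the wrong audience and an expired one.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion is a toy stand-in for a SAML assertion: who issued it, who it is
// about, which relying party may accept it, and when it stops being valid.
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	Issuer       string    `xml:"Issuer"`
	Subject      string    `xml:"Subject"`
	Audience     string    `xml:"Audience"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter"`
}

// Token is what the browser carries from the asserting party to the relying
// party: the assertion bytes plus the issuer's signature over their digest.
type Token struct {
	AssertionXML []byte
	Signature    []byte
}

// Issue is the asserting party's step (Step 5 above): hash the assertion and
// sign the digest with the issuer's private key.
func Issue(priv *rsa.PrivateKey, a Assertion) (Token, error) {
	body, err := xml.Marshal(a)
	if err != nil {
		return Token{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Token{}, err
	}
	return Token{AssertionXML: body, Signature: sig}, nil
}

// Verify is the relying party's step (Step 7 above). trusted maps issuer names
// to the public keys exchanged when the federation was set up. The signature
// is checked under the key registered for the stated issuer, never under a key
// carried in the token itself, and audience and expiry are enforced before the
// subject is believed.
func Verify(trusted map[string]*rsa.PublicKey, tok Token, audience string, now time.Time) (Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(tok.AssertionXML, &a); err != nil {
		return Assertion{}, err
	}
	pub, ok := trusted[a.Issuer]
	if !ok {
		return Assertion{}, errors.New("untrusted issuer: " + a.Issuer)
	}
	digest := sha256.Sum256(tok.AssertionXML)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], tok.Signature); err != nil {
		return Assertion{}, errors.New("signature does not verify under the issuer's key")
	}
	if a.Audience != audience {
		return Assertion{}, errors.New("assertion is not addressed to this relying party")
	}
	if !now.Before(a.NotOnOrAfter) {
		return Assertion{}, errors.New("assertion has expired")
	}
	return a, nil
}

func main() {
	// Constructed key and names; a real deployment loads the issuer's
	// certificate from federation metadata rather than generating it here.
	baiduKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	trusted := map[string]*rsa.PublicKey{"baidu.com": &baiduKey.PublicKey}
	now := time.Now().UTC()

	tok, _ := Issue(baiduKey, Assertion{Issuer: "baidu.com", Subject: "alice",
		Audience: "gmail.google.com", NotOnOrAfter: now.Add(5 * time.Minute)})
	a, err := Verify(trusted, tok, "gmail.google.com", now)
	fmt.Println("valid token:", a.Subject, err)

	// Tampering: change the subject after signing, so the digest no longer matches.
	forged := Token{AssertionXML: bytes.Replace(tok.AssertionXML, []byte("alice"), []byte("admin"), 1), Signature: tok.Signature}
	_, err = Verify(trusted, forged, "gmail.google.com", now)
	fmt.Println("tampered token:", err)

	// A genuine signature is still refused at the wrong relying party or after expiry.
	_, err = Verify(trusted, tok, "docs.google.com", now)
	fmt.Println("wrong audience:", err)
	_, err = Verify(trusted, tok, "gmail.google.com", now.Add(time.Hour))
	fmt.Println("expired:", err)
}
```

Because the signature covers the exact bytes that were signed, real SAML has to canonicalize the XML (XML-DSig with C14N) before hashing; that, and the habit of trusting a certificate embedded in the token instead of one pinned in metadata, is where most SAML verification bugs live, which is why `Verify` looks the key up by issuer name in its own table.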
Glossary:
Digest:
A hash of the data. The output is a fixed, much smaller number of bytes, and any change to the data changes the digest.
Signature:
The digest of the data, signed with your own private key. Anyone holding your public key can verify the signature, and a signature that verifies proves the data came from you and was not changed, because nobody else has your private key (as long as it has not been compromised).