In today's enterprise application environment there are usually many application systems, such as human resource management systems, office automation systems, financial management systems and file management systems. These systems support the informatization of the enterprise and bring it great benefits, but they are inconvenient for users. Each time a user opens a system, he/she must enter a user name and password for authentication, and because each application system keeps its own accounts, the user must remember several user names and passwords. For enterprises with many application systems and many users this problem is especially prominent. Its cause is not a development error in any one system, but the lack of overall planning and of a unified user login platform.
SSO (Single Sign-On) solves these problems. Single sign-on means that a user who accesses the protected resources of different applications on the same server needs to log on only once: when the user later accesses protected resources in the other applications, no further logon is required for verification.
The benefits of using SSO are as follows:
- Convenient for users. A user logs on to the application systems once and can then use them repeatedly, without entering a user name and password each time or remembering multiple user names and passwords. A single sign-on platform therefore improves the user's experience with the application systems.
- Convenient for administrators. The system administrator only needs to maintain one unified set of user accounts, which is simple and convenient. Previously the administrator had to manage many sets of accounts, one per application system, which was not only inconvenient but also prone to management gaps, such as accounts that are not disabled everywhere when a user leaves.
- Simplified application development. A new application system can use the user authentication service of the single sign-on platform directly, which simplifies development. Because the single sign-on platform provides a unified authentication service, application systems no longer need to implement their own user authentication program.
The single sign-on mechanism is relatively simple. The essence of single sign-on is the transfer or sharing of a security context or credential among multiple application systems.
As shown in the figure, when a user accesses Application System 1 for the first time, the user is redirected to the authentication system for logon because he/she has not yet logged on (1). The authentication system verifies the user's identity based on the login information the user provides. If authentication succeeds, it returns a credential, called a ticket, to the user (2). When the user then accesses the other applications (3, 5), the ticket is carried along as the credential for authentication. After an application system receives the request, it sends the ticket to the authentication system, which checks that the ticket is valid. Once the ticket has been verified, the user can access Application System 2 and Application System 3 without logging on again.
To implement SSO, the following functions are required:
- All application systems share one identity authentication system. A unified authentication system is a prerequisite for SSO. Its main function is to compare the login information submitted by the user with the user information store and so authenticate the login. After successful authentication, the authentication system generates a unified authentication mark (the ticket) and returns it to the user. In addition, the authentication system must be able to verify a ticket presented to it and determine whether it is still valid.
- All application systems can identify and extract the ticket. For users to log on only once, each application system must be able to recognize users who have already logged on. The application system should therefore be able to identify and extract the ticket from the request and, by communicating with the authentication system, automatically determine whether the current user has already logged on, which completes the single sign-on function.
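The flow described in the figure above and the two functions listed here can be shown end to end in a small in-process model. The following Python is an added example, not code from the original article: it assumes a constructed user store (one user, `alice`), an `AuthSystem` that issues opaque, server-side tickets with an expiry, and three `Application` objects that extract the ticket from a request's cookies and ask the authentication system whether it is valid. The HTTP statuses and the `sso_ticket` cookie name are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the user store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthSystem:
    """The shared identity authentication system: checks logins, issues and verifies tickets."""

    def __init__(self, ticket_ttl: float = 300.0):
        self._users: Dict[str, Tuple[bytes, bytes]] = {}       # username -> (salt, hash)
        self._tickets: Dict[str, Tuple[str, float]] = {}       # ticket -> (username, expiry)
        self._ttl = ticket_ttl

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Compare the login information with the user store; on success issue a ticket."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        # The ticket is an unguessable random value; everything it stands for
        # (user, expiry) is kept on the authentication system, so it cannot be forged
        # or altered by the client.
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (username, time.monotonic() + self._ttl)
        return ticket

    def verify(self, ticket: str) -> Optional[str]:
        """Return the username bound to a valid ticket, or None if unknown or expired."""
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        username, expiry = entry
        if time.monotonic() > expiry:
            del self._tickets[ticket]
            return None
        return username

    def logout(self, ticket: str) -> None:
        """Invalidate the ticket everywhere at once: one logout covers all applications."""
        self._tickets.pop(ticket, None)


class Application:
    """An application system that extracts the ticket and lets the auth system judge it."""

    def __init__(self, name: str, auth: AuthSystem):
        self.name = name
        self.auth = auth

    def handle(self, request: dict) -> dict:
        ticket = request.get("cookies", {}).get("sso_ticket")
        if ticket is None or self.auth.verify(ticket) is None:
            # No ticket, or a ticket the authentication system rejects: send to logon.
            return {"status": 302, "location": "/auth/login"}
        return {"status": 200, "body": f"{self.name}: hello {self.auth.verify(ticket)}"}


def demo() -> list:
    """Walk through the figure's steps and return the status of each application access."""
    auth = AuthSystem(ticket_ttl=300)
    auth.register("alice", "correct horse battery staple")   # constructed sample user
    app1, app2, app3 = (Application(n, auth) for n in ("app1", "app2", "app3"))
    statuses = []
    statuses.append(app1.handle({"cookies": {}})["status"])            # (1) not logged on -> redirect
    ticket = auth.login("alice", "correct horse battery staple")       # (2) ticket issued
    with_ticket = {"cookies": {"sso_ticket": ticket}}
    statuses.append(app1.handle(with_ticket)["status"])                # app1 accepts the ticket
    statuses.append(app2.handle(with_ticket)["status"])                # (3) app2, no second logon
    statuses.append(app3.handle(with_ticket)["status"])                # (5) app3, no second logon
    tampered = ticket[:-1] + ("A" if ticket[-1] != "A" else "B")
    statuses.append(app2.handle({"cookies": {"sso_ticket": tampered}})["status"])  # forged -> redirect
    auth.logout(ticket)
    statuses.append(app3.handle(with_ticket)["status"])                # after logout -> redirect
    return statuses


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the applications never inspect the ticket's contents themselves; they only extract it and defer the decision to the one authentication system, which is why a forged ticket and a logged-out ticket are both rejected by every application at once.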