Author: Seven Nights
Source: http://blog.chinaunix.net/space.php?uid=1760882&do=blog&id=93117
We all know that large portals such as NetEase and Sohu have the concept of a "passport". That passport system is the "single sign-on" (SSO) system discussed today. Its main feature is that many sites share one user centre: log in once and you are automatically logged in to all the others, and logging out once logs you out everywhere. For example, after logging in to the 126 mailbox and then going to 163.com, you are already shown as logged in. It is like building a skyscraper: laying a solid foundation is the key. So let's look at the importance of SSO.
Below I will briefly introduce some internationally renowned SSO solutions:
I. SAML
SAML's full English name is Security Assertion Markup Language. It was developed by Sun, BEA, IBM, RSA, AOL, Boeing and other large companies. Its technical specification is quite professional and well organised: several concepts are abstracted to describe the whole system clearly, the protocol is described with the popular XML Schema, and leading XML security technologies such as XML Signature and XML Encryption are used. At first glance it looks daunting. Figuratively speaking, SAML is like Java: every layer is divided very finely, and it is as long-winded as a foot-binding cloth. As a result SAML is widely used in the Java world and rarely used outside it. Sun's OpenSSO is an open-source SAML implementation; if you want to get to grips with OpenSSO, you need a profound skill set.
II. OpenID
Strictly speaking, OpenID is not SSO but only identity authentication. OpenID is very powerful and has many fans, such as Google, Yahoo and Facebook, all of whom want other people's systems to log in with their accounts. They wanted a simple web SSO specification, so they picked the grassroots network protocol OpenID. OpenID is also well named: as the name suggests, you know at once what it is. It has fans in China too, such as douban.com. OpenID is simple enough, but the protocol itself is not complete, and supplementary protocols may be needed to meet business requirements; Google, for example, uses OpenID + OAuth. At present Yahoo, Google, Windows Live and Facebook all claim to support OpenID, but the support of Yahoo and Google is in fact limited: only a few of Yahoo's partners can obtain its OpenID attributes, and Google only exposes the account attributes inside its Google Apps. User accounts are, after all, an Internet company's most valuable resource, so it is impossible for them to share their accounts fully. OpenID, as a so-called "open project", looks as if everyone is serving it, yet it seems nobody really serves it; no organisation truly helps others get to know it and use it.
III. OAuth
Like OpenID, OAuth does not strictly fall within the scope of SSO either; it is authorization that restricts what a user's identity may access. OAuth was jointly initiated by Blaine Cook, Chris Messina, Larry Halff and David Recordon to provide an open standard for authorizing API access. Version 1.0 of the OAuth specification was released on December 4, 2007. At present it has many applications on Weibo.
A typical OAuth application scenario:
In the past a user accumulated a lot of data on website A, the site that owns the resources. Now the user has found a new website B that is quite fun, but this new website B wants to use the user's data held on website A.
On website B, the user clicks a link and is redirected to website A, which owns the resources.
Website A prompts: do you want to share your resources with website B? Yes/No.
The user clicks Yes, and website A opens a temporary or permanent channel for website B, through which website B can fetch the information it needs.
So OAuth is more a mechanism for sharing a website's resources than one for sharing user data and logging users in across a whole site.
IV. CAS
CAS (Central Authentication Service) is an open-source project initiated by Yale University. According to statistics, about 8 out of every 10 Java projects that build web SSO with open-source software use CAS; it is the most widely used open-source single sign-on implementation in the Java world.
Some portal websites in China use a cookie-based SSO scheme. The browser requests authentication directly from the SSO server; if authentication succeeds, the server returns a piece of callback JavaScript, and the browser then implicitly visits each SSO client one by one through js src. Each SSO client uses P3P to plant a cookie for its own domain in the user's browser, which completes the whole SSO process.
This approach is obviously very simple, and easier than any of the open-source SSO projects just introduced. However, I think it has two main disadvantages: 1. when there are too many sub-sites, the number of callback interfaces grows with them, and with the sub-sites spread out it is hard to keep login efficiency from dropping too low; 2. when one sub-site's callback interface has a problem, the login process as a whole gets stuck (the execution time of the login program can be limited, but the callback interfaces of the sub-sites after the failed one then fail to be called).
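As an added example that is not part of the original post, the JS callback mode described above modelled in Python: the SSO server emits one script src per sub-site, and each sub-site verifies the signed callback before answering with a P3P compact policy header and its own cookie. The sub-site list, query parameter names, shared secret and P3P policy string are assumptions, not values from the page.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlsplit

# Constructed values: the real portal's callback parameters and sub-site list are not on the page.
SHARED_SECRET = "example-secret"     # assumed secret shared by the SSO server and every sub-site
SUB_SITES = ["bbs.aaa.com", "mail.aaa.com", "news.bbb.com"]

def sign(session_id, ts, host):
    """MD5 'signature' over session ID, timestamp, target host and the shared secret."""
    return hashlib.md5(f"{session_id}|{ts}|{host}|{SHARED_SECRET}".encode()).hexdigest()

def build_callback_js(session_id, now=None):
    """SSO server side: after login, return one <script src> per sub-site; the browser
    loads each URL implicitly, which is what the 'js src' callback in the text means."""
    ts = str(int(time.time() if now is None else now))
    tags = []
    for host in SUB_SITES:
        url = f"http://{host}/sso_callback?sid={session_id}&ts={ts}&sig={sign(session_id, ts, host)}"
        tags.append(f'<script src="{url}"></script>')
    return "\n".join(tags)

def parse_callback_url(url):
    """Split a callback URL into (host, query dict) as the sub-site would see it."""
    u = urlsplit(url)
    return u.hostname, dict(parse_qsl(u.query))

def handle_callback(host, query, now=None, max_age=60):
    """Sub-site side: verify the callback, then answer with a P3P compact policy header
    and the cookie for this domain. Returns (status, headers); the body is an empty script."""
    sid, ts, sig = query.get("sid", ""), query.get("ts", ""), query.get("sig", "")
    now = int(time.time() if now is None else now)
    # The signature is bound to this host and checked in constant time; the freshness
    # window keeps a captured callback URL from planting the cookie again later.
    if not hmac.compare_digest(sign(sid, ts, host), sig):
        return 403, {}
    if not ts.isdigit() or abs(now - int(ts)) > max_age:
        return 403, {}
    headers = {
        "Content-Type": "application/javascript",
        # P3P compact policy: IE's default privacy setting drops third-party cookies without it.
        "P3P": 'CP="CAO PSA OUR"',
        "Set-Cookie": f"sso_sid={sid}; Domain={host}; Path=/; HttpOnly",
    }
    return 200, headers
```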
The following is a general flowchart.
Loongsso is a complete open-source SSO solution launched in 2008. The project includes an SSO server and a session pool server.
Loongsso open source website http://www.loongsso.com
Document: http://www.loongsso.com/doc.html
Forum discussion: http://www.loongsso.com/bbs/
Loongsso author: Seven Nights (Li Jinxing)
Mail: lijinxing@gmail.com
Qq 1, 531020471
MSN: lijinxing20@hotmail.com
Loongsso 2.1
http://code.google.com/p/loongsso/downloads/detail?name=loongsso2.1.tar.bz2&can=2&q=
Loongsso for Discuz API
http://code.google.com/p/loongsso/downloads/detail?name‑discuz7.2.tar.bz2&can=2&q=
Loongsso 2.1 for phpwind API
http://code.google.com/p/loongsso/downloads/detail?name‑phpwind8.3.tar.bz2&can=2&q=
Loongsso server overview
1. Developed in C; runs stably and efficiently on Linux, FreeBSD and other *nix systems.
2. Uses a master-worker multi-process model together with the epoll and kqueue event mechanisms.
3. Uses MySQL as the user database, read and written through HandlerSocket, which ensures the security and stability of user data while improving read/write efficiency.
4. Uses a simple, easy-to-configure XML configuration file.
5. Interaction over HTTP with MD5 digital signatures, for convenient, secure and efficient data exchange.
6. Key registration names can be reserved.
7. Permission control for editing and deleting SSO clients.
Session pool server overview
1. Developed in C; runs stably and efficiently on Linux, FreeBSD and other *nix systems.
2. Uses a thread-pool model together with the epoll and kqueue event mechanisms.
3. Session data is persisted, and an efficient hashtable is used internally to store it.
4. Uses HAProxy as the ingress gateway; HAProxy's consistent-hash mode distributes requests across the session servers in the cluster.
Loongsso has two SSO working modes:
1. JS callback mode: JavaScript calls back each SSO client in turn, and the P3P protocol is used to plant the cookies across domains.
2. Unified cookie mode: the session ID is planted only in a cookie under the domain run by the SSO server; whenever an SSO client needs the session ID, it queries the loongsso server for it.
Summary
The advantages and disadvantages of the first mode were roughly covered above; in my view its drawbacks outweigh its benefits, and it cannot achieve single sign-on across dozens or hundreds of domains.
In the second mode there is no need to notify every SSO client one by one after login; each SSO client reads from the loongsso server when it needs to. This makes the best use of resources, so even thousands of SSO clients are no problem. Of course, the loongsso server can also run in a distributed way to support more requests.
Demo sites
http://sso2.weigame.com/discuz (Discuz forum)
http://sso3.dlapk.com/index.php?m=bbs (phpwind forum)
User name: demo123, password: 123456
Log in at either one and you will not need to log in again at the other.
1. The user's browser requests login.html from www.aaa.com.
2. The web server returns login.html.
3. The user posts the form directly to the SSO server.
4. The SSO server authenticates the user against the MySQL user library by user name.
5. After the database check succeeds, a session ID is generated and the session data is written to the session pool server.
6. The SSO server sets the session ID in a cookie under the SSO server's own domain.
7. The user visits www.bbb.com.
8. www.bbb.com returns the page to the user's browser, and the browser requests the session ID from the SSO server.
9. The SSO server returns the session ID to the user's browser.
10. www.aaa.com uses the session ID to query the session user data from the session pool server.
11. A cookie for www.aaa.com is generated from the session user data.
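As an added example (not loongsso's own code), the unified cookie flow above combined with the MD5-signed HTTP interaction from the server overview, modelled in Python. The cookie name loong_sid, the query parameter layout, the per-client secret, the password hash format and the SSO domain are all assumptions; a dict stands in for the session pool server, and the demo credentials are the ones given on the page.

```python
import hashlib
import hmac
import secrets
import time
# Constructed sample data: demo credentials from the page, one registered SSO client (assumed secret)
USERS = {"demo123": hashlib.sha256(b"123456").hexdigest()}   # hash format is assumed
CLIENT_SECRETS = {"www.bbb.com": "bbb-secret"}
SESSION_POOL = {}                                             # stands in for the session pool server
SSO_DOMAIN = "sso.example.com"

def sign(params, secret):
    """MD5 'signature' over the sorted parameters (except sig itself) plus the client's secret."""
    canon = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "sig")
    return hashlib.md5(f"{canon}&key={secret}".encode()).hexdigest()

def sso_login(username, password):
    """Steps 3-6: check the user library, create the session in the pool, set the SSO-domain cookie."""
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(username, ""), given):
        return None
    sid = secrets.token_hex(16)
    SESSION_POOL[sid] = {"user": username, "login_at": int(time.time())}
    return f"loong_sid={sid}; Domain={SSO_DOMAIN}; Path=/; HttpOnly"

def sso_query_sid(cookie_header):
    """Steps 8-9: the browser asks the SSO server for the session ID held in the SSO-domain cookie."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "loong_sid":
            return value
    return None

def pool_lookup(client, params):
    """Step 10 (pool side): serve session data only to a registered client with a valid, fresh signature."""
    secret = CLIENT_SECRETS.get(client)
    if secret is None or not hmac.compare_digest(sign(params, secret), params.get("sig", "")):
        return None
    ts = params.get("ts", "")
    if not ts.isdigit() or abs(int(time.time()) - int(ts)) > 60:   # reject replayed queries
        return None
    return SESSION_POOL.get(params.get("sid", ""))

def client_site_login(client, sid):
    """Steps 10-11 (client side): look the session up and issue this site's own cookie."""
    params = {"client": client, "sid": sid, "ts": str(int(time.time()))}
    params["sig"] = sign(params, CLIENT_SECRETS[client])
    data = pool_lookup(client, params)
    return None if data is None else f"user={data['user']}; Domain={client}; Path=/; HttpOnly"
```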