Principle and summary of SSO Single sign-on implementation

One, what is Single Sign-on SSO (sign-on)

SSO is a unified authentication and authorization mechanism that refers to the same user who accesses a protected resource in a different application in the same server and only needs to log in once, that is, after security authentication in one app and then access to protected resources in other apps, no re-login verification is required.

Second, single sign-on solves what problem

Addresses the need for users to log in once to gain access to all trusted applications without having to log in repeatedly.

For example, forum application in CSDN, blog application, download application module. We don't need to log in when we visit any of the sub-apps in Csdn and then visit another app site.

Third, in the company also through. NET, the development of SSO. I've seen a lot of SSO implementations on the Internet. Summarizes some development experiences in the actual project development. Let's look at the following flowchart:

I. The first time the user visits the site.

1. The first time the user visits >www.a.com, this time the site does not record the previous login cookie,

2. All > jumps to the login page when no user is logged in.

3. Users now enter the user name, password login, request SSO Login API, login success, in the Redis cache a key=sessioid,values=userinfo such a record, cache time can be configured. Response returns the login verification status, and user information.

4. The user logged in successfully, recorded the voucher, that is, the SessionID write cookie at the moment. Then jump to www.a.com

5. This time there is a cookie that will record the cookie, that is sessioid request SSO authentication token interface, because the login successfully recorded Key=sessionid, all can get to values= that is user information, Response return the user information.

6. Users now go to visit the www.B.com site, B site no cookie, here SessionID is still the current session of SessionID, all areas request SSO primary site authentication token interface, found that there key=sessionid, return the login status success, user information. Cookies are recorded under the B site token configuration.

This allows users to visit a site for the first time, from the first login, to the process of accessing other sites is gone.

Two. The user closes the browser in the middle, then opens the browser, accesses the B site:

1. Found that there is a cookie, the token credential, go to the SSO master, verify that there is a key=sessioid, get values to return the Userino to the user, return the user to any login status. This way the site visited before accessing the app is still logged in.

2. If the user is performing an access to the second application, then the login status of the Redis cache expires, and the authentication voucher fails to return. This time the second app jumps to the login status, walks the user login process, and the subsequent verification process.

Note that the expiration time of the cookie should be guaranteed to be consistent with the Redis expiration time and not expire after the expiration of the Redis cache, so that when the user accesses the first application site at this time, the cookie does not exist and the certificate is verified by SessionID. Found that this time is expired after the re-login, will be logged in the status of the cookie.

Three. Log out

Just clear the local cookie and call the SSO site interface to clear the status of the login cache to enable logout.

Four. Note:

In the actual project development will encounter various situations, such as sub-site and SSO primary site interface call parameter constraints, signature, encryption and so on. And the implementation of the pure HTML site SSO login interface, or pure. NET application Web site of the jump interface, these are to distinguish. Only after a detailed understanding of the principle of SSO to implement single sign-on can you achieve a multiplier effect.

工欲善其事 its prerequisite.

Principle and summary of SSO Single sign-on implementation