Problems and Solutions for Analysis of Single Sign-On (flowchart and data security)

Source: Internet
Author: User

In the previous article, [Original] Design and Implementation of the Single Sign-On (SSO) component, I gave a summary based on my own understanding: Analysis of Single Sign-On (flowchart and data security).

At that time I gave a personal analysis of the SSO process and received comments and help from many fellow bloggers. Unfortunately, none of them pointed out any problems in the flowchart I drew, perhaps because the diagram was not understood (I am not sure).

At that time I thought there was little wrong with the process and business logic. When I explained the SSO process and ideas to a friend I was rather proud of them, and he agreed with them too, but one of his questions has me stuck now.

His question was:

If user A passes authentication at the authentication center from one site of the federation (siteA), user A's uid then appears in the online list of the authentication center. If user A now opens another federation sub-site, siteB, how does siteB identify this user? By rights, user A should already be logged on at that federation site.

For this reason I am posting my understanding of the SSO flowchart once more, together with the three questions that trouble me.


SSO logon process (personal understanding):

First:
Check whether the site's session["uid"] exists. If the site's session state exists, the user is regarded as logged on.

Problem: Using a session to manage the session state of a sub-site effectively reduces the coupling between the sub-site and the federation site. However, when a sub-site's session expires the following situation can arise: the session at sub-site A has not expired, but the session at sub-site B has just expired, and the user has not logged out normally. How should the online list at the authentication center be maintained in that case: is the user still online or not?

Second:
If session["uid"] does not exist, check whether the parameter uid is present in the page. If it is, ask the authentication center whether that uid is in its online list; if it is, the user is treated as logged on. I do not know whether this understanding is correct.
If it is, the problem is as follows:
After user A logs on successfully, user B can learn the uid parameter from user A's page, and anyone who appends that value to the pages of other sub-sites would then also be treated as logged on. How can this problem be solved?

There is another problem, raised by my friend:
If user A passes authentication at the authentication center from one site of the federation, user A's uid appears in the online list of the authentication center. If user A then opens another federation sub-site, siteB, how does siteB identify this user? Sessions cannot be shared between different sites (so how does siteB know that it is user A who is logged on, and not user B?). By rights, user A should be logged on at that federation site.

My analysis:
1: The newly opened federation site certainly has no session, because sessions cannot be shared between sites.
2: The newly opened federation site certainly does not have the user's uid either.
At this point the site cannot determine whether the user has logged on at the authentication center.

The crux is how the federation site confirms the user's identity, that is, how it obtains and confirms the user's uid.

My proposed solution is as follows; I do not know whether it is feasible in practical use.


After user A logs on successfully at siteA, store the user's uid and IP address as cookies on the client. When the user opens a new federation sub-site (such as siteB), the procedure for judging the user's status changes accordingly. In general a user's IP address is unique within a given period of time, which should guarantee the correctness and uniqueness of the user's identity (that is my view; I do not know whether it is correct). The flowchart above should solve the three problems from the first figure in this article.

Because my learning is weak, I have never had a correct understanding of SSO. With my enthusiasm for SSO, I hope that through lively discussion with everyone here I can work out the best SSO solution.
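The following is an added example, not code from the original post, that models the checks discussed above: the page's step 2 (a bare uid parameter looked up in the authentication center's online list), which lets anyone who sees the uid value be treated as logged on, beside a hardened variant in which the authentication center issues a short-lived, site-bound, single-use ticket signed with an HMAC key. The signed ticket is a swapped-in technique, not the post's own cookie-plus-IP proposal; it does not bind to the client IP address. The class and function names, the signing key and the uids are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key held only by the authentication center (assumption, not from the post).
AUTH_CENTER_KEY = b"constructed-demo-signing-key"


def _b64e(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthCenter:
    """Models the post's authentication center: an online list of uids plus ticket issue/redeem."""

    def __init__(self, key=AUTH_CENTER_KEY, ttl=60):
        self.key = key
        self.ttl = ttl                 # ticket lifetime in seconds
        self.online = set()            # the post's "online list"
        self.used_nonces = set()       # tickets already redeemed (single use)

    def login(self, uid):
        self.online.add(uid)

    def logout(self, uid):
        self.online.discard(uid)

    def issue_ticket(self, uid, site, now=None):
        """Issue a ticket for uid that only `site` can redeem, valid for ttl seconds, once."""
        if uid not in self.online:
            return None
        now = int(time.time() if now is None else now)
        body = {"uid": uid, "site": site, "exp": now + self.ttl, "nonce": secrets.token_hex(8)}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, raw, hashlib.sha256).digest()
        return _b64e(raw) + "." + _b64e(sig)

    def redeem_ticket(self, ticket, site, now=None):
        """Return the uid if the ticket is authentic, unexpired, for this site, unused and online."""
        now = int(time.time() if now is None else now)
        try:
            raw_b64, sig_b64 = ticket.split(".")
            raw, sig = _b64d(raw_b64), _b64d(sig_b64)
        except (ValueError, binascii.Error):
            return None
        # Verify the signature before trusting anything inside the ticket.
        if not hmac.compare_digest(sig, hmac.new(self.key, raw, hashlib.sha256).digest()):
            return None
        body = json.loads(raw)
        if body.get("site") != site or body.get("exp", 0) < now:
            return None
        if body.get("nonce") in self.used_nonces:      # replayed ticket
            return None
        if body.get("uid") not in self.online:          # user logged out meanwhile
            return None
        self.used_nonces.add(body["nonce"])
        return body["uid"]


def weak_subsite_status(session, params, center):
    """Step 1 and step 2 exactly as the post describes: a bare uid in the page parameters
    that appears in the online list is accepted. Whoever holds the uid value passes."""
    if "uid" in session:
        return session["uid"]
    uid = params.get("uid")
    if uid is not None and uid in center.online:
        session["uid"] = uid
        return uid
    return None


def hardened_subsite_status(session, params, site, center, now=None):
    """Step 1 unchanged; step 2 accepts only a ticket the center signed for this site.
    With no session and no valid ticket the sub-site should redirect to the center for a new one."""
    if "uid" in session:
        return session["uid"]
    ticket = params.get("ticket")
    if ticket is None:
        return None
    uid = center.redeem_ticket(ticket, site, now)
    if uid is not None:
        session["uid"] = uid
    return uid


if __name__ == "__main__":
    center = AuthCenter()
    center.login("alice")
    print("weak, copied uid:", weak_subsite_status({}, {"uid": "alice"}, center))
    t = center.issue_ticket("alice", "siteB")
    print("hardened, fresh ticket:", hardened_subsite_status({}, {"ticket": t}, "siteB", center))
    print("hardened, replayed ticket:", hardened_subsite_status({}, {"ticket": t}, "siteB", center))
```

The hardened path also answers the first problem above: when siteB's own session has expired, the sub-site simply treats the user as unknown and sends them back to the authentication center, which consults its online list and issues a new ticket only if the user is still online; the sub-site never has to guess the state of the online list itself.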
