Simple analysis of single sign-on (SSO) implementation across different second-level domain names

Source: Internet
Author: User

A company with multiple product lines may have many subdomains. Take the domain xxx as an example, with a.xxx.com and b.xxx.com: com is the top-level domain, xxx is the second-level domain, and a and b are subdomains.

When a user has logged in to the system of product line a and then switches to product b, the user should not have to sign in again for b; that is a better user experience. This is where single sign-on (SSO) comes in.

The usual implementation is to add passport.xxx.com, a central service dedicated to handling login.

When the user first logs in under the xxx domain, say on product a, the user is redirected to passport to sign in. After a successful login, passport inserts the login information into its session service, generates a token that is linked to that login information in the session, and places the token in a cookie set on the .xxx.com domain.

When the user then visits product line b, b again redirects to passport. Passport checks whether the token from the cookie is present in the session service; if it is, the user is treated as already logged in and is redirected back to product line b.

There is another situation to handle: for example, the company acquires a product with a different second-level domain, say yyy.com. This is cross-domain, so passport cannot read the cookie directly. What then?

This can be done as follows. When the user first logs in at passport and the token is generated, passport uses JSONP to make a cross-domain request to yyy.com, so that the yyy.com service stores the token in a cookie under its own domain. When the user has logged in successfully on product a and then visits yyy.com, yyy.com likewise uses JSONP to request passport, passing along the token from the cookie under the yyy.com domain. Passport checks its session service and, if the token is found, returns the account information to yyy.com.

The above implementation is very easy, but of course it is also very rough. For example, if a user's cookie under one product line is stolen, whoever holds that token can use your account to browse every product line under xxx.

This calls for a more secure mechanism, in which each product line also generates its own token.
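As an added illustration of the per-product-line token mechanism just described (example code, not from the original article): the passport session service below keeps the SSO token to itself and hands each product line, including the cross-domain yyy.com, a token bound to that product line, so a cookie stolen from a.xxx.com is rejected at b.xxx.com. The host names and the in-memory dictionaries are assumptions made for the demonstration.

```python
import secrets


class PassportSessionService:
    """Constructed example of passport.xxx.com's session service.

    The SSO token is held by passport only; each product line (a.xxx.com,
    b.xxx.com, or the cross-domain yyy.com) gets its own token bound to
    that product line, so a cookie stolen from one product line cannot
    be replayed against another.
    """

    def __init__(self):
        self.sessions = {}        # sso_token -> user
        self.product_tokens = {}  # product_token -> (user, product, sso_token)

    def login(self, user):
        """Successful login at passport: create the SSO session."""
        sso_token = secrets.token_urlsafe(32)
        self.sessions[sso_token] = user
        return sso_token

    def issue_product_token(self, sso_token, product):
        """A product line redirects (or JSONP-requests) passport with the
        SSO token; passport answers with a token scoped to that product,
        or None when there is no live SSO session."""
        user = self.sessions.get(sso_token)
        if user is None:
            return None
        product_token = secrets.token_urlsafe(32)
        self.product_tokens[product_token] = (user, product, sso_token)
        return product_token

    def check_product_token(self, product_token, product):
        """Verify a product-line cookie. Returns the user, or None when the
        token is unknown or was issued for a different product line."""
        entry = self.product_tokens.get(product_token)
        if entry is None or entry[1] != product:
            return None
        return entry[0]

    def logout(self, sso_token):
        """Single logout: end the SSO session and revoke every product
        token that was issued from it."""
        if self.sessions.pop(sso_token, None) is None:
            return False
        self.product_tokens = {t: e for t, e in self.product_tokens.items()
                               if e[2] != sso_token}
        return True
```

A real deployment would back the two dictionaries with a shared store and add expiry; the binding of each token to one product line is the part that stops a stolen a.xxx.com cookie from being reused elsewhere.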
