Single Sign-On System (SSO) Detailed Design Instruction (Part 1)

1. Introduction
1.1 Writing Purpose
This requirement statement is prepared to ensure the feasibility and integrity of the Single Sign-On System (SSO system) and to implement the system as expected.
It also serves to improve communication with the planning and design staff.

1.2 Background
A. The group operates multiple independent websites (called member sites), each with its own authentication mechanism. This inevitably means that a user who wants to access a website as a member must register with, and be authenticated by, each website separately.
Even if the user registers with the same user name and password on every website, which avoids forgetting or confusing credentials, a user who accesses multiple member sites, or is redirected between member sites, within a short period must still log on to each site before accessing it as a member.
This is not only inconvenient for users, it also costs the member websites performance.

B. If all member websites support single sign-on, it not only improves the user experience but also genuinely reflects that the group's websites are sister sites.
This organic combination better reflects the company's philosophy of a big platform and big channels, and it also facilitates mutual promotion and publicity between member websites.

It is precisely because of these two points that developing a single sign-on system is necessary and urgent.

1.3 Definition
The Single Sign-On system provides a single logon portal for all member websites. At its core, the system is a set of variables that hold the authentication status and are shared across member websites. The SSO system consists of the authentication server (Passport server) and the member website servers.

Member: a user who has registered successfully through the Passport server and therefore holds a member identity.

Single login: a member must provide a user name and password the first time he/she accesses a member website. Once the member has been authenticated by the Passport server, he/she does not need to log on again to any member website within a certain period of time.

Cookie verification ticket: a variable containing the authentication status, generated by the Passport server. The ticket contains the user name, date of issue, expiration date, and other user data.

2. Task Overview
2.1 Goals
The SSO system is the unified Passport of the group. It is implemented in two phases. The first phase provides single sign-on for newly registered users.
In the second phase, the existing members of each member website are integrated into the single sign-on system.

The Passport server is the only entry point for identity verification for every member website, so its performance, scalability, stability, security, and maintenance cost must all be considered, with particular attention to the overall design needed for the second-phase development.

2.2 Features of end users
The end users are tens of thousands of netizens, so their computer skills vary widely. When developing the single sign-on system we strive for a friendly interface with simple, clear wording, so that the system can be used without any training.

3. Requirements
3.1 Requirement overview
1) Registration:

A. The member website redirects to the registration page of the Passport server, passing the return URL and the member website ID.

B. After the member is created on the Passport registration page, the member verification ticket is saved to the database and to a cookie in the domain of the Passport server. At the same time, a mapping relationship with the member is created in the Passport server's database.

C. Redirect to the member website and fill in the member's personal information.

D. Save the member's personal information, save the verification ticket passed in by the redirect to the local cookie, and create the Session status variable.

2) Logon:

A. The SSO system must integrate member websites seamlessly. Once a member has passed login verification at the authentication server (Passport server), the member does not need to log on again when accessing any other member website.

B. When a member logs on to the Passport server for the first time, the cookie verification ticket generated after the Passport server authenticates the identity is saved in a cookie in the Passport server's domain only; it is not written to the domain of every member website, because that would make the response too long and give the member an unfriendly browsing experience. At the same time, the cookie ticket sent to the member is saved in the Passport server's database, which makes it easier to extend the verification methods and to collect member behaviour statistics.

C. Once a member passes identity verification and successfully logs on to a member website (assumed to be website A), the Session and the cookie must both be used to record that the member is logged on.

D. In the same browser process, when the member jumps between pages of website A, website A only needs to load the logon box according to the status variable in the Session; it does not need to communicate with the Passport server to verify the member's identity.

E. The member has logged on to website A after verification. If the member jumps from website A, or re-opens the browser, to log on to another member website (assumed to be website B), both must communicate with the Passport server to verify the member's ticket. For this verification, however, the Passport server does not compare the ticket with the verification ticket saved in the database; it only checks that the cookie verification ticket in the Passport server's domain is valid.

F. Encryption and a digital signature can be applied to the cookie ticket to ensure the confidentiality, integrity, and non-repudiation of the cookie.

G. If the Passport server is down, the member can still log on to the member website directly.

Note: the highlighted items above are second-phase development functions.

3) Logout, change password, retrieve password, and redirect between member websites: see the corresponding module descriptions in the IPO charts.

3.2 Functional provisions

The SSO system includes the registration, logon, logout, password modification, password retrieval, member website redirection, and user management modules. The HIPO diagrams in this manual describe the organization of the system and the internal processing of each module. They consist of two parts: the hierarchy chart and the IPO charts. The hierarchy chart describes the structure of the entire system and the relationships between modules; an IPO chart describes the input (I), processing (P), and output (O) of a specific module.

A. System structure diagram

Figure 1: SSO system structure

B. Hierarchy chart

Figure 2: System hierarchy chart

C. IPO chart

Note: The Red highlighted part indicates the modified logic.

Module name: Member registration
User: Passport server and member websites

Input (I):
1. Redirect to the Passport server with the return URL and member website ID.
2. Enter the email address, password, and region (a verification code is not used at present).
3. Submit the registration information and send the registration request.
4. The registered user obtains the verification code from the email and uses it to activate the account. At this point the user becomes a legitimate member.
5. Personal member information (entered on the member website).

Processing (P):
1. Check in real time whether the email address is available and prompt accordingly ("available" here only means that the address conforms to the email address format and has not been registered; it does not mean that the mailbox actually exists).
2. Prompt the password security level in real time. The level is calculated from the length and the types of characters; the four levels are: too short, poor, good, and superior.
3. Populate the region drop-down box from the regional database, and use the member's IP address to pre-select the region automatically, so that within the allowable error range no manual selection is needed.
4. Create the new member:
(1) Verify the registration information submitted by the member. If it is valid, send the verification code used to activate the account to the member's email address.
(2) The member activates the account with the verification code. If activation succeeds, the member information and the member verification ticket are saved to the database (Passport server database) and the verification ticket is saved to the cookie. At the same time, the member website's Web service interface is called to save the generated passid to the member website database (creating the mapping relationship).
(3) Redirect to the member website.
(4) The member website receives the data and prompts the member to fill in his/her personal information, which is submitted to the member website server.
(5) Save the personal information and the received member verification information to the member website database and cookie, and save the member's verified status in the Session.
(6) Navigate to a page.

Output (O):
1. The Passport server saves the new member information and the member verification ticket to the database.
2. The member website Web service adds the member information to the member website database, uses the passid to establish the mapping relationship with the member on the Passport server, and returns a success or failure status.
3. The member's personal information is modified in the member website database.
4. The member verification ticket is saved to the cookie, and the member's verified status is saved in the Session.

Table 1: Member registration module


Module name: Member logon
User: Passport server and member websites

Input (I):
1. When the member logs on for the first time, enter the email address and password.
2. Submit the member information to the Passport service.

Note: Before loading the logon box, the member website first communicates with the Passport server to find out whether the member is logged on, and loads the logon box according to that status.

Processing (P):
1. If a page of member website A contains the logon box, <script src=meber_auth.aspx> is used in the <head> area to embed the .aspx file (a file on the member website) in the page header.
A. Check the status variable in the Session. If it is NULL, check the status variable in the cookie.
B. Communicate with the Web service on the Passport server, based on the status variables in the Session and cookie, to determine whether the member is logged on.
2. Load the logon box according to the member's logon status.
3. If the member is not logged on, display the logon box so the member can enter the email address and password.
4. The member submits the information to the Web service on the Passport server. After verification, the Passport server generates a cookie ticket and returns the logon status value and the cookie ticket to the member website. The member website stores the logon status variable and the cookie ticket.

Note: After a member successfully logs on to any member website, the member is logged on to all member websites.

Output (O):
1. Load the logon box according to the logon status.
2. Create the member verification ticket on the Passport server and save it to the database and cookie.
3. The Passport Web service returns the logon status value and the cookie verification ticket to the member website.
4. Save the member verification ticket to the cookie, and save the member's verified status in the Session.

Table 2: Member logon module


Module name: Member logout
User: Passport server and member websites

Input (I):
1. The member website redirects to the logout page of the Passport server with the return URL, member website ID, and verification ticket.

Processing (P):
1. On member website A, redirect to the Passport server. Passport receives the cookie verification ticket and verifies that the ticket is valid.
2. Modify the verification ticket in the database to make it invalid, and clear the verification ticket from the cookie.
3. Redirect to the member website, which clears the verification ticket from the cookie and the logon status variable from the Session.
4. Navigate to a page.

Output (O):
1. The verification ticket in the database is made invalid and the cookie is cleared.
2. Redirect to a member website.

Table 3: Member logout


Module name: Change password
User: Passport server and member websites

Input (I):
1. The member website redirects to the password modification page of the Passport server with the return URL and the verification cookie ticket.
2. The member enters the original password and the new password.
3. Submit the data.

Processing (P):
1. On member website A, redirect to the Passport server. Passport receives the cookie verification ticket and verifies that the ticket is valid.
2. Passport modifies the member's password.
3. Redirect to the member website with a status variable indicating whether the modification succeeded.
4. Navigate to a page.

Output (O):
1. The member's password is modified in the database.
2. Redirect to a member website.

Table 4: Change password


Module name: Password retrieval
User: Passport server and member websites

Input (I):
1. The member website redirects to the password retrieval page of the Passport server with the verification cookie ticket.
2. The member enters the email address.
3. Submit the data.
4. Activate the new password (the mailbox receives a URL for activating the password).

Processing (P):
1. On member website A, redirect to the Passport server. Passport receives the cookie verification ticket and verifies that the ticket is valid.
2. Passport generates a new password for the member and sends a URL for activating the password to the member's email address.
3. Activate the new password.
4. Log on with the new password.

Output (O):
1. A new password is generated for the member, but it is not yet activated.
2. The member is prompted to check the email and activate the new password, which can be used only after activation.

Table 5: Password retrieval


Module name: Jump between member websites
User: Passport server and member websites

Input (I) / Processing (P) / Output (O):
Member website A links to another member website B, which then handles the member through the logon module.

Table 6: Member website redirection


Module name: Ticket encryption/decryption and verification
User: Passport server

Input (I):
1. Member passid, ticket issue time, ticket validity time, and other member information.
2. Call the Web service method for verification:
A. Pass in the email address and password.
B. Pass in the cookie verification ticket.

Processing (P):
1. Receive the member website's request data (email address and password).
2. Generate the encrypted cookie verification ticket from the member passid, the ticket issue time, the ticket validity time, and other member information, and save it to the database and cookie.
3. Receive the cookie verification ticket, decrypt and verify it, and return the logon status value to the member website.

Output (O):
1. Generate an encrypted cookie ticket.
2. Return the member's logon status.

Table 7: Ticket encryption, decryption, and verification

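The ticket issue/verify flow of Table 7, the logout invalidation of Table 3, and the member-site check order of Table 2 (Session first, then cookie, then Passport), written as an added Python example that is not code from the original design or from any Passport implementation. The signing key, the ticket field names, the cookie name `passport_ticket` and the in-memory revocation set standing in for the Passport database are constructed assumptions; an HMAC signature provides the integrity check the design asks for, and confidentiality would additionally need an authenticated cipher, which is not shown.

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed demo signing key (assumption: the real key lives in protected Passport configuration).
SIGNING_KEY = b"passport-demo-key-do-not-use-in-production"
# Stands in for the "ticket invalid" flag in the Passport database that the logout module sets.
_revoked = set()

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_ticket(passid: str, site_id: str, ttl_seconds: int, now=None) -> str:
    """Passport side: sign the ticket fields (passid, issuing site, issue time, expiry, nonce)."""
    now = int(time.time() if now is None else now)
    claims = {"passid": passid, "site": site_id, "iat": now,
              "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    payload = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_ticket(ticket: str, now=None) -> tuple:
    """Passport side: (logged_on, reason, claims); signature first, then expiry, then revocation."""
    now = time.time() if now is None else now
    try:
        payload, sig = ticket.split(".", 1)
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return False, "bad-signature", None      # forged or tampered: never trust the payload
        claims = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    if now >= claims["exp"]:
        return False, "expired", claims
    if claims["jti"] in _revoked:
        return False, "revoked", claims
    return True, "ok", claims

def revoke_ticket(ticket: str) -> bool:
    """Logout module: mark a genuinely issued ticket invalid; unsigned or forged input is ignored."""
    _, _, claims = verify_ticket(ticket)
    if claims is None:
        return False
    _revoked.add(claims["jti"])
    return True

def member_site_logon_status(session: dict, cookies: dict, now=None) -> bool:
    """Member-site side: trust the Session flag; if it is NULL, fall back to the cookie ticket."""
    if session.get("logged_on") is not None:
        return bool(session["logged_on"])
    ticket = cookies.get("passport_ticket")       # constructed cookie name
    ok = ticket is not None and verify_ticket(ticket, now)[0]  # stands in for the Passport web-service call
    if ok:
        session["logged_on"] = True   # cached, so later page loads need no Passport round trip
    return ok
```

Note that the expiry check runs before the revocation lookup, so an expired ticket never costs a database round trip, while `revoke_ticket` still accepts an expired but genuinely signed ticket so that logout always clears the server-side record.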

This article is from the CSDN blog; when reproducing it, please indicate the source: http://blog.csdn.net/YongJava/archive/2008/09/30/2994089.aspx
