Single Sign-on and single sign-on differences?

Source: Internet
Author: User

1. Single Sign-on:

Single Sign-on is login after all of the domain name of the site can not login to include subdomains.

Single Sign-on is from one system after login, other places without login ...

Single Sign-on, or SSO, is one of the most popular solutions for enterprise business integration at the moment. The definition of SSO is that in multiple application systems, users can access all trusted applications with only one login. Large enterprises, generally have a lot of business support system to provide it with the corresponding management and IT servicesthe same as the mechanism of single sign-on, as shown, when the user first access to the application System 1, because not yet logged in, will be directed to the authentication system to log in (1), according to user-provided login information, authentication system for identity verification, if through validation, Should be returned to the user a certified credential--ticket (2); When the user accesses another application (3,5) will take this ticket, as the credentials of their own authentication, the application system to accept the request will ticket sent to the authentication system for validation, Check the legality of the ticket (4,6). If tested, the user can access application System 2 and application 3 without having to log in again. [focus on ticket, reference to China Telecom, focus on certification center]

As you can see from the above view, to implement SSO, you need the following key features:
    • All application systems share an identity authentication system.
      A unified authentication system is one of the prerequisites for SSO. The main function of the authentication system is to compare the user's login information with the user database, to authenticate the users, and after the successful authentication, the authentication system should generate a unified certification mark (ticket) and return it to the user. In addition, the certification system should be ticket to determine its effectiveness.
    • All application systems can identify and extract ticket information
      To enable SSO functionality so that users log on only once, the application must be able to identify the users who have already logged in. Application system should be able to identify and extract the ticket, through the communication with the authentication system, can automatically determine whether the current user has logged in, thus completing the single sign-on function.
    • A unified authentication system is not to say that only a single authentication server, as shown, the entire system can exist more than two authentication servers, these servers can even be different products. Authentication server through the standard communication protocol, mutual exchange of authentication information, you can complete a higher level of single sign-on. For example, when the user accesses the application System 1 o'clock, is authenticated by the first authentication server, obtains the ticket which this server produces. When he accesses the application System 4, authentication server 2 can recognize that this ticket is generated by the first server, through the authentication server between the standard communication protocol (such as SAML) to Exchange authentication information, still can complete the function of SSO.

2. Single Sign-on, single-account single IP login policy:

Use is Cache.Insert (key (username), value (user name), time (session). Timeout));

if (cache["key"]== user name)
Response.Write (already logged in)

I say a more general way, I've seen a lot of it.
In fact, you can use a application to store a table
Record Username,sessionid,time in table
Well, check this table before you get to the official landing.
The user exits, can remove the record according to this table, session timeout can remove the record according to SessionID

The server interrupted the application also had no ... This idea should be able to help you out.

Put it in the server cache. Log in again when judging the current user list There is no, if so, the description has been logged in.

If the landlord said a machine-number mechanism, then you can directly bind the user's first logon IP address, the user's IP address is bound in the database, each time you log in to determine whether the IP is correct. If the user is IP is automatically obtained, then bind the user's hardware string number.
To make QQ that form, you can add a field in the database to indicate whether the account is a login status.

With cache +session control, if the cache is present, do not allow another place to log in

Each login is automatically updated with a random password, that is, in the user table Usrid usrname usrpass usrranpass users to log the random password after each login Cookie or session (including user ID), and then each time you refresh the page with Usri D and Usrranpass to compare with the database. Exit if random password is different ... can also be set to a timed comparison.

WebForm? Log in when extracting a SessionID saved in the database Ajax and the server to keep in touch. To detect logon records on the server: When another user logs in, the SessionID of the database is replaced by the SessionID of the user who is currently logged in. That's when Ajax and server communication match the SessionID in the database when it's different ...

It is said that SessionID is the only ... Not really, just use a GUID to generate one ... I don't know if I'm wrong.

A loginsession table (sessionid,userid,ip,expiredate) in the system

After successful login, check the single sign-on policy, if you currently do not allow multiple places to log in, then empty the Loginsession current Uesrid records. At the same time, record the current session and return a Token{sessionid,userid} to the client.

Every time and the service side of the request, to loginsession to check the token, see if there is (kicked), whether expired (expiredate), whether the IP address is limited.

If OK, modify the expiredate, then delay 20 minutes, and so on.

The above approaches can be implemented to kick people, limit IP, login timeout issues

Single Sign-on and single sign-on differences?

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.