Specific Single Sign-On (SSO) Single Point login Implementation Scheme [reprinted]

How to implement Single Sign-On (SSO) Single Sign-on
We all know that large portals such as Netease And Sohu all have the concept of "pass". This pass system is the "single sign-on system" discussed today ". Its main feature is that multiple sites have one user center, and one point after logging on to other sites
Log on automatically and log out. For example, if we log on to the mailbox at 126 and go to 163.com, the logon status is displayed. My Implementation Scheme here is the traditional cookie scheme. Hope this article is intended for friends
Useful and I hope you can raise your shortcomings. Basic SSO functions: · all logon requests to all sites must be redirected to SSO, with the URL parameters you just requested included so that the system can return after logon. Like http://sso.a.com/login? Url = http://www. B .com, after logging on, We response a cookie and set its domain to a.com top-level domain so that any site in the same domain can directly access this cookie. Because Cookies cannot be cross-origin, we need to solve the cookie problem in different domains. The solution is to obtain the cookie information of a.com through the js api, and pass a B .com through the URL. We know that AJAX cannot be accessed across regions, but we can <SCRIPT> A cross-region JS (this is jsapi). Therefore, the SSO system needs to provide a callback parameter and output it as a piece of JS Code. SSO outputs the cookie to the caller and accepts the callback parameter var user = request. Cookies ["username"];
VaR callback = request. querystring ["Callback"];
If (user! = NULL)
Response. write (callback + "(" + User. tojson () + ")"); // tojson is an extension method that serializes an object to B .com in JSON format to obtain the cookie $. getscript ("http://sso.a.com/getcookie? Callback = setuser ");
Function setuser (data)
{
If (Data! = NULL)
{
VaR user = eval (data );
Alert ("hello" + User. username );
}
Setcookie (User); // write the obtained cookie locally
} In this way, we can use B .com to know whether the user is logged on. · To log out of each website, you must connect to sso.a.com/logoutto perform real-time injection and delete cookie. · Verify that all requests in B .com must access sso.a.com to verify whether the logon is still in progress. There are two ways to verify Logon: one is that the above mentioned jsapi is used to determine whether the cookie exists to determine whether other systems have logged out. The other is to verify whether the user has returned the cookie through WebService when the local cookie is saved. in the login status. The two methods have their own advantages and disadvantages. The first is that you do not need to know whether a local cookie exists. The second is to use WebService, but the added validation is rigorous. If we perform important data operations on B .com, we recommend that you use server-side checks to determine the logon status. If you determine from the cookie, you must ensure that the cookie cannot be forged, that is, you must encrypt the cookie, decryption. If the cookie through the WebService client also requires an unforged identifier, such as guid, but does not need to be encrypted, you only need
Match the username. However, the stress on WebService is much greater than that on cookie decryption. If the site is mostly accessed, the authentication request will
This causes great pressure. · Server Design: If SSO has other high-pressure jobs, it must be deployed on multiple machines. Multiple deployments have a session problem, so the user logon status on the server cannot set the session
Stored in inproc, not statusserver, but SQL Server. My solution is to put it in the distributed cache (memcached). Of course
In fact, it is not a session, but a normal cache list. Put username and guid in memcached to create a hash table, so that a user's
Logon status (consistent with guid and request) · authorized White List SSO exposes some WebService interfaces for the site, so it cannot be used by others, in this case, you need to verify whether the requested IP address is an authorized IP address)