Overview:
Single Sign On (SSO) is one of the most popular solutions for enterprise business integration.
SSO is defined in multiple application systems. Users only need to log on once to access all mutually trusted application systems.
SSO is a popular definition: SSO refers to the same user accessing protected resources in different applications of the same server. It only needs to log on once, that is, after the security verification in an application, when Accessing Protected Resources in other applications, you do not need to log on again for verification.
Why do I need single-point logon:
With the development of enterprises, the number of business systems is constantly increasing, but old systems cannot be easily replaced, which brings a lot of overhead. One is management overhead, and more systems need to be maintained. Data in many systems is redundant and repetitive. data inconsistency puts a lot of pressure on management.
Enterprise Application Integration (EAI ). Enterprise Application Integration can be performed at different levels: for example, "data centralization" at the data storage level and "General Data Exchange Platform" at the transmission level ", "Business Process Integration" on the application layer and "General Enterprise Portal" on the user interface. In fact, there is another layer of integration that becomes more and more important, that is, the integration of "Identity Authentication", that is, "Single Sign-On ".
When there is no single sign-on, the system integration is like this:
Single Sign-on mechanism:
When a user logs on to system A for the first time, the user is directed to the authentication system for logon;
The authentication system authenticates the user based on the login information provided by the user. If the verification succeeds, a ticket credential is returned to the user );
When you access system B again, the ticket is used as your authentication credential. System B will send the ticket to the authentication system for verification and check the legality of the ticket;
If the verification succeeds, you do not need to log on again to access system B.
Simple Single Sign-On should have the following content:
All application systems share an Identity Authentication System.
A unified authentication system is one of the prerequisites for SSO. The main function of the authentication system is to compare the user login information with the user information library to authenticate the user login. After the authentication is successful, the authentication system should generate a unified authentication mark (Ticket ), return to the user. In addition, the authentication system should verify ticket to determine its validity.
All application systems can identify and extract ticket information.
To implement the SSO function and allow users to log on only once, the application system must be able to identify users who have logged on. The application system should be able to identify and extract ticket. by communicating with the authentication system, the system can automatically determine whether the current user has logged on to the system to complete the single-point logon function.
Notes for Single Sign-on:
A single user information database is not necessary.
Many systems cannot store all user information in a centralized manner and should allow user information to be stored in different storage systems. In fact, as long as the unified authentication system and ticket are generated and verified, single-point logon can be achieved no matter where the user information is stored.
A unified authentication system does not mean that only a single authentication server is used.
The entire system can have more than two Authentication servers, which can even be different products. Authentication servers must exchange authentication information through standard communication protocols to complete high-level single-point logon. For example, when a user accesses Application System 1, the first authentication server authenticates and obtains the ticket generated by the server. When he accesses Application System 4, Authentication Server 2 can identify that this ticket is generated by the first server and pass the standard communication protocol (such as SAML) between Authentication servers) to exchange authentication information.
Advantages of Single Sign-on:
Convenient for users
When you use the application system, you can log on to the application system at one time and use it multiple times. You do not need to enter the user name and password each time, or remember multiple user names and passwords. The Single Sign-On platform can improve the user experience in using the application system.
Convenient Administrator
The system administrator only needs to maintain a set of unified user accounts, which is convenient and simple. In contrast, the system administrator previously needed to manage many user accounts. Each application system has a set of user accounts, which not only bring inconvenience to management, but also prone to management vulnerabilities.
Simplify Application System Development
When developing a new application system, you can directly use the user authentication service of the Single Sign-On platform to simplify the development process. The Single Sign-On platform provides a unified authentication platform for single-point logon. Therefore, the application system does not need to develop user authentication programs.
Single Sign-On classification:
Cross-subdomain Single Sign-on
Cross-subdomain single-point logon means that sites A, B, and P are located in the same domain. For example, Site A is the http://www.baidu.com, site B is the http://tieba.itcast.com, site P is the http://fangi.itcast.com.
Full cross-origin Single Sign-on
The so-called full cross-origin Single Sign-On means that sites A and B do not have a common parent domain, but they can still log on together. For example, Site A is a http://www.baidu.cn, site B is a http://www.sina.cn.
Single Sign-on:
Cookies-based implementation
Note the following: if the method for transferring sessionid between two domain names may be set up in windows, problems may occur in UNIX and Linux. You can implement it based on databases; more security considerations may be made. In addition, although cookies do not cross-domain, they can be used to implement cross-domain SSO.
Broker-based (broker-based)
The broker-based SSO system uses a centralized authentication and user account management server. The authentication server plays the role of the broker. Before a user accesses the application server, he/she performs active identity authentication from the broker and then carries the ticket license to the authorization server to obtain the service ticket. The user carries the service ticket to request the application server, the Application Server verifies the service bill and then provides the response service.
Agent-based (Agent-based)
An Identity Authentication Proxy exists in the proxy-based SSO system. When a user logs on to the server, the proxy program records the password and sends it to another integrated system, instead of logging on.
Token-based
Currently widely used password authentication, such as FTP and email server logon authentication, is a simple and easy-to-use method to implement a single password for use in a variety of applications.
Gateway-based
A gateway can be a firewall or a server dedicated for communication encryption. All servers requiring single-point logon are placed in the security network segment isolated by the gateway. The client obtains service authorization after passing authentication.
Implementation Based on Security Assertion Markup Language (SAML)
The emergence of SAML (Security Assertion Markup Language, Security Assertion Markup Language) greatly simplifies SSO and is approved by Oasis as the Implementation Standard of SSO. Opensaml, an open-source organization, implements the SAML specification. See the http://www.opensaml.org.
The demo source code will be uploaded later!
SSO Single Sign-On principle and demo