Single Sign-On (SSO) Implementation Principle

Introduction

  1. Single sign-on means that, across multiple application systems, a user logs in only once and can then access the protected resources of every application system that trusts the same authentication center. If the user logs out of any one application system, the protected resources of all of them become inaccessible again. Large sites such as Taobao and Tmall, or Sina Weibo and Sina Blog, use this technique to protect their resources.

Principle

  1. Sign in
    1. There is an independent authentication center. Only the authentication center accepts the user's username and password for authentication; the other systems provide no login entrance of their own and accept only indirect authorization from the authentication center. Indirect authorization is carried by a token: once the authentication center has verified the username and password, it creates an authorization token and passes it to the subsystem as a parameter on the following redirect. The subsystem verifies that token with the authentication center, and only then is the user authorized there and a local session created.
    2. Example:
      [Figure: The principle of single sign-on]
      The diagram is explained below:
      1. When the user has not yet logged in
        1. The user requests a protected resource of system 1. System 1 detects that the user is not logged in and redirects to the SSO authentication center. The authentication center also finds that the user is not logged in and redirects to its login page.
        2. The user submits credentials on the login page and the authentication center verifies them. If they are correct, the authentication center creates a global session with the user (when the global session expires, the user must log in again) and at the same time creates an authorization token, then proceeds to the next step. Otherwise the authentication center shows a prompt (the user information is incorrect), and when the user tries to log in again the credentials are verified again.
        3. The authentication center redirects the user back to the address originally requested (system 1), carrying the token. System 1 receives the token and asks the SSO authentication center whether it is valid; the authentication center checks the token and, if it is valid, registers system 1 under the user's global session. This verification step is what makes the scheme safe: a subsystem that merely trusted the token parameter in the URL could be driven with a forged one.
        4. System 1 uses the verified token to create a local session with the user (if the local session expires, system 1 redirects to the SSO authentication center, which finds that the user is already logged in and repeats step 3), and returns the protected resource.
      2. After the user has been authenticated by the authentication center
        The user requests a protected resource of system 2. System 2 finds that the user has no local session and redirects to the SSO authentication center. The authentication center finds that the user already has a global session and redirects back to system 2 with a token. System 2 receives the token, asks the SSO authentication center whether it is valid, the authentication center answers that it is valid and registers system 2, and system 2 uses the token to create a local session with the user and returns the protected resource.

      3. If the local session of system 1 still exists, a request by the user for a protected resource of system 1 is served directly; there is no need to go to the authentication center again.

    Invariants: if a local session exists, the global session must exist; if the global session exists, a local session may or may not exist; if the global session is destroyed, every local session must be destroyed.

  2. Single logout
    1. Logging out of one subsystem logs out the global session, and with it the sessions of all subsystems.
    2. Example:
      [Figure: Single logout principle]
      The user sends a logout request to system 1. System 1 looks up the token through the session id it established with the user and sends a logout request to the SSO authentication center. The authentication center verifies that the token is valid, destroys the global session, and removes the addresses of the systems registered under that token. It then sends a logout request to every registered system; each system destroys its local session on receiving the request, and finally the authentication center redirects the user to the login page.
  3. Overall description
    1. Single sign-on involves an SSO authentication center and multiple subsystems. The subsystems and the SSO authentication center need to communicate (exchanging tokens, verifying tokens, initiating logout requests, and so on). Each subsystem embeds an SSO client; the SSO authentication center is the server side.
    2. The communication between the authentication center and the clients can be implemented over HttpClient, web services, RPC, a RESTful API (plain URL calls are one form of this), etc.
    3. Client-side and server-side functions
      1. Client:
        1. Intercept requests from users who are not logged in to the subsystem and redirect them to the SSO authentication center
        2. Receive and store the token sent by the SSO authentication center
        3. Communicate with the server to verify the validity of the token
        4. Create a local session
        5. Intercept the user's logout request and forward a logout request to the SSO authentication center
        6. Receive logout requests sent by the SSO authentication center and destroy the local session
      2. Server:
        1. Verify the user's login information
        2. Create the global session
        3. Create the authorization token
        4. Communicate with the client to deliver the token
        5. Verify the validity of a client's token
        6. Register the subsystem
        7. Receive a client's logout request and log out all sessions
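As an added example (not code from the original article), here is a pure-Python simulation of the whole flow from the sign-in and single-logout sections, split along the client/server responsibilities listed just above: an AuthCenter class plays the SSO authentication center, a Subsystem class plays the SSO client embedded in each application system, and run_flow walks one browser through first login at system 1, transparent login at system 2, a token-replay attempt, and single logout from system 1. The class and function names, the user "alice" and her password, and the in-memory dictionaries standing in for HTTP redirects and server-to-server calls are all assumptions for illustration; no network, cookies or framework is involved. Two hardening choices go beyond what the article states and are marked in comments: redirect tokens are generated with the secrets module and are single-use and time-limited, and a subsystem never creates a local session without first verifying the token with the center.

```python
import secrets
import time


class AuthCenter:
    """SSO authentication center (server side of the overall description)."""

    def __init__(self, users, token_ttl=60):
        self.users = users            # username -> password; constructed demo data only
        self.global_sessions = {}     # global session id -> username
        self.tokens = {}              # token -> {"sid", "exp", "used_by"}
        self.registrations = {}       # global session id -> {subsystem name: local session id}
        self.subsystems = {}          # subsystem name -> Subsystem, for logout fan-out
        self.token_ttl = token_ttl    # seconds a redirect token stays exchangeable (assumption)

    def login(self, username, password):
        """Check credentials; on success create the global session and a token."""
        if self.users.get(username) != password:
            return None, None         # "user information is incorrect"
        sid = secrets.token_urlsafe(32)   # unguessable: it becomes the global session cookie
        self.global_sessions[sid] = username
        self.registrations[sid] = {}
        return sid, self._issue_token(sid)

    def authorize(self, sso_cookie):
        """Redirected from a subsystem: if already logged in, issue a token, no password asked."""
        return self._issue_token(sso_cookie) if sso_cookie in self.global_sessions else None

    def _issue_token(self, sid):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sid": sid, "exp": time.monotonic() + self.token_ttl, "used_by": None}
        return token

    def verify_token(self, token, subsystem_name, local_sid):
        """Accept a token once, unexpired, with a live global session; register the subsystem."""
        e = self.tokens.get(token)
        if (e is None or e["used_by"] or e["exp"] < time.monotonic()
                or e["sid"] not in self.global_sessions):
            return None
        e["used_by"] = subsystem_name                   # single-use: a replayed token is refused
        self.registrations[e["sid"]][subsystem_name] = local_sid
        return self.global_sessions[e["sid"]]           # the username

    def logout(self, token):
        """Single logout: kill the global session and every local session registered under it."""
        e = self.tokens.get(token)
        sid = e["sid"] if e else None
        if sid not in self.global_sessions:
            return False
        del self.global_sessions[sid]
        for name, local_sid in self.registrations.pop(sid, {}).items():
            self.subsystems[name].destroy_local_session(local_sid)
        self.tokens = {t: x for t, x in self.tokens.items() if x["sid"] != sid}  # no stragglers
        return True


class Subsystem:
    """SSO client (client side of the overall description) embedded in one application system."""

    def __init__(self, name, center):
        self.name, self.center, self.local_sessions = name, center, {}
        center.subsystems[name] = self    # the center must know whom to notify on logout

    def access(self, local_cookie):
        sess = self.local_sessions.get(local_cookie)
        return ("resource", sess["user"]) if sess else ("redirect", "sso-center")

    def callback(self, token):
        """Back from the center with a token: verify it with the center, then create a local session."""
        local_sid = secrets.token_urlsafe(32)
        user = self.center.verify_token(token, self.name, local_sid)   # never trust the URL alone
        if user is None:
            return None
        self.local_sessions[local_sid] = {"user": user, "token": token}
        return local_sid

    def logout(self, local_cookie):
        sess = self.local_sessions.get(local_cookie)
        return bool(sess) and self.center.logout(sess["token"])

    def destroy_local_session(self, local_sid):
        self.local_sessions.pop(local_sid, None)


def run_flow():
    center = AuthCenter({"alice": "correct-horse"})  # constructed demo credential
    sys1, sys2 = Subsystem("system1", center), Subsystem("system2", center)
    out = {"first_visit": sys1.access(None), "center_cold": center.authorize(None)}
    out["bad_password"] = center.login("alice", "wrong")
    sso_cookie, token = center.login("alice", "correct-horse")
    cookie1 = sys1.callback(token)                          # verify + local session at system 1
    out["sys1_in"] = sys1.access(cookie1)
    out["token_replay"] = sys2.callback(token)              # None: the token was already consumed
    cookie2 = sys2.callback(center.authorize(sso_cookie))   # fresh token, no password asked
    out["sys2_in"] = sys2.access(cookie2)
    out["logout"] = sys1.logout(cookie1)                    # single logout from system 1
    out["sys1_out"], out["sys2_out"] = sys1.access(cookie1), sys2.access(cookie2)
    out["center_out"] = center.authorize(sso_cookie)        # None: global session is gone
    return out
```

Running run_flow shows the three invariants in action: system 2 gets a resource without a second password prompt because the global session exists, the replayed token is refused even though the global session is alive, and after logout at system 1 both local sessions and the global session are gone, so every access falls back to a redirect.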

Referenced in this article: Single sign-on principle and simple implementation.
Some parts of this article may be wrong. If you find any mistakes, please let me know; I would be very grateful.
If you need to reprint, please add the source: http://www.cnblogs.com/zhuchenglin/p/8968530.html
