Several protocols and standards related to identity authentication

Single sign-on cannot be separated from user authentication (Authentication), and user authentication usually goes together with user authorization (Authorization). Below are some protocols and standards, and even a few products, that are frequently encountered in authentication and authorization. The latest version information will be recorded here as far as possible, and the notes will be improved over time. (20150916)

First, some background. Most existing products or websites simply keep user records in their own database and use them for login checks. That is not a standard practice, though, because every product's user table has a different structure. What counts as a standard is covered below.

  • SAML 2.0 Standard
  • It defines the login process and the format of the messages exchanged between different systems. There have been no updates for several years, and the standard exists in several versions, "Committee Specification" and "OASIS Standard", which appear to be discussed by a committee and eventually become a standard.
    Old official website (legacy only): http://saml.xml.org/
    New wiki address: https://wiki.oasis-open.org/security/FrontPage
    Document address: http://docs.oasis-open.org/security/saml/
    Shibboleth ( http://shibboleth.net/ ) is one of the most complete open source implementations of SAML, made up of several sub-products.
    SAML itself does not care where the user records live, and how the user is authenticated is a matter of configuration; an implementation such as Shibboleth takes care of the login itself.

  • OAuth 2.0
  • OAuth 1.0a is now rarely used; most websites use OAuth 2.0.
    OAuth is mainly about authorization. It is typically offered by websites with a large user base, such as Google, Facebook, QQ and Sina, and then consumed by smaller or partner websites. For example, "Login with QQ" often appears on non-QQ web pages: after the user clicks the button on the third-party site and logs in with QQ, QQ asks the user which pieces of information the third-party site may use. That is the authorization step, and usually only basic profile information is opened up to the third-party site. Strictly speaking, OAuth 2.0 by itself only grants the third-party site access to resources; treating "the user managed to obtain a token" as proof of who the user is goes beyond the spec, which is the gap OpenID Connect (below) fills.
    Official website address: http://oauth.net/2/
    RFC document address: http://tools.ietf.org/html/rfc6749

  • OpenID Connect
  • It has to be distinguished from the earlier versions of the name: there were OpenID 1.0 and 2.0 before, and the latest version is called OpenID Connect.
    OpenID Connect is built on top of OAuth 2.0. Oddly, its specification does not read like a small functional add-on; it seems to restate a large part of OAuth, which took me a while to understand, and I am not sure I have it right =. =:
    An OAuth 2.0 provider ultimately hands the third-party site an access token, with which the third-party site can fetch the provider's resources; that is the authorization purpose. On top of this, OpenID Connect defines an ID Token. Besides carrying a number of authentication-related "claims" in the ID Token (who was authenticated, by which issuer, for which client, and when), it also defines a standard way to fetch user information in a fixed format using the access token (the UserInfo endpoint). So OpenID Connect is primarily about supplying user identity information.
    Official website address: http://openid.net/connect/
    Video introduction of OpenID Connect (you will need to get past the firewall to watch it): http://www.youtube.com/watch?feature=player_embedded&v=Kb56GzQ2pSk
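    The whole flow described above, as an added example that is not from the original post or from any OpenID provider: the third-party site (relying party) builds the authorization request with a state and a nonce, checks the state on the callback, and validates the ID Token it gets back from the token exchange before trusting any claim in it; the provider side that mints an HS256-signed ID Token is simulated in the same file so everything runs offline. The issuer, client id, client secret, redirect URI, authorization code and all token values are assumptions made up for the example.

```python
"""OAuth 2.0 authorization-code flow with an OpenID Connect ID Token (added example)."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider (OP) and third-party site (RP) details: all assumptions.
ISSUER = "https://op.example.com"
CLIENT_ID = "third-party-site"
CLIENT_SECRET = b"client-secret-shared-out-of-band"  # doubles as the HS256 key
REDIRECT_URI = "https://rp.example.com/callback"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- Relying party (third-party site) side --------------------------------

def build_authorization_url(state: str, nonce: str) -> str:
    """Step 1: send the browser to the provider. 'scope=openid' is what turns a
    plain OAuth 2.0 authorization request into an OpenID Connect one."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,  # tied to the browser session; checked on the callback
        "nonce": nonce,  # echoed inside the ID Token; checked after the exchange
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def extract_code_from_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the provider sends the browser back with ?code=...&state=...
    Rejecting an unexpected state is what stops login CSRF."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]


def validate_id_token(id_token: str, expected_nonce: str, now: int) -> dict:
    """Step 4: verify signature, issuer, audience, expiry and nonce of the ID Token.
    The access token is opaque to the RP; the ID Token is what says who logged in."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


# ---- Provider side, simulated so the flow runs offline --------------------

def issue_id_token(subject: str, nonce: str, now: int) -> str:
    """Provider mints an HS256-signed ID Token (a JWT) with the required claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": nonce, "name": "Example User"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def exchange_code(code: str, nonce: str, now: int) -> dict:
    """Step 3 (simulated token endpoint): back-channel exchange of the code for tokens."""
    if code != "AUTHCODE1":  # the only code this toy provider ever issued
        raise ValueError("invalid_grant")
    return {"access_token": "opaque-access-token", "token_type": "Bearer",
            "id_token": issue_id_token("user-42", nonce, now)}


def run_flow(now: int = 1_600_000_000) -> dict:
    """Drive all four steps with constructed values; returns the verified claims."""
    state, nonce = "s-7f3a", "n-91bc"
    build_authorization_url(state, nonce)  # browser would be redirected here
    callback = f"{REDIRECT_URI}?code=AUTHCODE1&state={state}"  # constructed callback
    code = extract_code_from_callback(callback, state)
    tokens = exchange_code(code, nonce, now)
    return validate_id_token(tokens["id_token"], nonce, now + 60)


if __name__ == "__main__":
    print(run_flow())
```

    A real provider signs ID Tokens with an asymmetric key published at its JWKS endpoint rather than with the client secret; HS256 is used here only so the example has no external dependency. The order of checks is the point: signature first, then issuer, audience, expiry and nonce, and only then is anything in the token believed.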

  • Kerberos
  • I have not looked at it closely yet. It is a ticket-based network authentication protocol and seems to be used mainly for SSO of desktop applications (it is what Windows domain logon relies on). To be added.

  • LDAP
  • See Baidu Encyclopedia for a formal explanation. A simple way to understand it:
    First, LDAP is mainly used to store users and organizational structure.
    Second, LDAP stores data as a tree, unlike a database, which stores two-dimensional tables.
    Third, LDAP is only an abstraction, in the same way that "database" is: just as there are concrete databases such as MySQL and SQL Server, there are concrete LDAP products such as OpenLDAP, Active Directory and Sun Java System Directory Server. Just as you connect to a database from code, you can connect to an LDAP server from code (and, as with SQL, anything from user input that ends up in a search filter has to be escaped).
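    The two points above (a tree rather than a table, and talking to the directory from code) as an added example that is not from the original post or from any LDAP product. The directory contents are constructed for illustration and no server is contacted; a tiny in-memory evaluator stands in for the server's filter matching so the effect of escaping a user-supplied login name is visible.

```python
"""LDAP as a tree, and building a search filter from user input (added example)."""
import re

# Constructed sample directory. Keys are DNs written most-specific RDN first,
# the way LDAP does; the tree is implied by each DN's suffix.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=engineering,ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=engineering,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "cn": ["Alice Liu"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "cn": ["Bob Chen"]},
}


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs; commas escaped as '\\,' stay inside a value."""
    return [tuple(part.split("=", 1)) for part in re.split(r"(?<!\\),", dn)]


def ancestors(dn: str) -> list:
    """Walk from an entry up to the root: the chain of parents is the tree shape a table lacks."""
    parts = parse_dn(dn)
    return [",".join(f"{a}={v}" for a, v in parts[i:]) for i in range(len(parts))]


def children(base_dn: str) -> list:
    """Direct children of a node: entries with exactly one more RDN than the base."""
    base = parse_dn(base_dn)
    return sorted(dn for dn in DIRECTORY
                  if len(parse_dn(dn)) == len(base) + 1 and parse_dn(dn)[1:] == base)


# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str) -> str:
    """The filter an application sends to look up a login name; username is untrusted input."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search_subtree(base_dn: str, attr: str, filter_value: str) -> list:
    """Toy evaluator for one equality/presence filter over the subtree under base_dn,
    reading the value as a server would: a bare '*' is a presence test, anything else
    is compared literally after unescaping. So an escaped '\\2a' matches only a
    user literally named '*', while an unescaped '*' matches every entry."""
    base = parse_dn(base_dn)
    hits = []
    for dn, entry in DIRECTORY.items():
        parts = parse_dn(dn)
        if len(parts) < len(base) or parts[len(parts) - len(base):] != base:
            continue  # not under the search base
        values = entry.get(attr, [])
        if filter_value == "*":
            if values:
                hits.append(dn)
        elif _unescape(filter_value) in values:
            hits.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    print(ancestors("uid=alice,ou=engineering,ou=people,dc=example,dc=com"))
    print(build_login_filter("alice)(cn=*"))
    print(search_subtree("dc=example,dc=com", "uid", "*"))
    print(search_subtree("dc=example,dc=com", "uid", escape_filter_value("*")))
```

    With a real client library (python-ldap or ldap3, for instance) the same escaping rule applies before the filter string is handed to the search call; the in-memory evaluator only exists so the difference between the escaped and unescaped wildcard can be seen without a server.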

  • JAAS
  • To be added

  • SiteMinder
  • An SSO solution/product that adds the user's identity information to the HTTP request headers. On the application side this is usually handled in a filter on the request: if the headers are found to contain user information, the user is treated as verified (or the identity is recorded) without being asked to log in. The filter must therefore accept that header only on requests that really came through the SiteMinder agent or proxy; a request that reaches the application by any other path can carry a forged header.
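    The request filter described above, as an added example that is not from the original post or from CA/SiteMinder: the naive version treats any request carrying the identity header as logged in, the hardened version honours the header only when the request arrived from the agent's address and refuses it from anywhere else. The header name SM_USER, the agent address and the request contents are assumptions.

```python
"""Consuming an SSO identity header of the kind a SiteMinder agent injects (added example)."""
from typing import Dict, Optional

TRUSTED_AGENT_ADDRS = {"10.0.0.5"}  # assumption: address of the SSO agent / reverse proxy
IDENTITY_HEADER = "SM_USER"         # assumption: header name the agent sets


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since proxies and servers differ in casing."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def unsafe_user_from_request(headers: Dict[str, str]) -> Optional[str]:
    """Naive filter: whoever sends the header is logged in. Anyone who can reach the
    application without passing through the agent can name any user they like."""
    return _header(headers, IDENTITY_HEADER)


def user_from_request(headers: Dict[str, str], remote_addr: str) -> Optional[str]:
    """Hardened filter: honour the header only on the path the agent really uses, and
    refuse (rather than silently ignore) a request that carries it from elsewhere."""
    user = _header(headers, IDENTITY_HEADER)
    if remote_addr not in TRUSTED_AGENT_ADDRS:
        if user is not None:
            raise PermissionError("identity header from untrusted source")
        return None  # unauthenticated: the caller sends the user to the login page
    if not user or not user.isprintable():
        return None
    return user


if __name__ == "__main__":
    # Constructed requests: one via the agent, one straight from the internet.
    print(user_from_request({"SM_USER": "alice"}, "10.0.0.5"))
    print(unsafe_user_from_request({"sm_user": "admin"}))  # spoofed, yet accepted
    try:
        user_from_request({"sm_user": "admin"}, "203.0.113.9")
    except PermissionError as exc:
        print("rejected:", exc)
```

    In practice the address check is usually complemented by network rules that make the agent the only route to the application at all, and by stripping any client-supplied copy of the header at the proxy so that the value the application sees is always the agent's.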

  • WS Trust
  • To be added



Finally, add a Single Sign On Implementation List:
https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations

Most of this is my own understanding; if anything is off, go easy on me.


PS: Just as I was about to post, I saw a prompt that nearly made me wet myself. . ITeye really is a caring little padded jacket:

"Your article contains the sensitive keyword 'XXX', which is harmful information as stipulated by the relevant departments. In order to protect the safety of you and the ITeye website, we recommend that you do not publish this article. If the article is harmful, the relevant departments will ask us for your IP address."
