What is single sign-on, and how to implement single sign-on in PHP


Single sign-on (SSO), put simply, means that in an environment of many coexisting systems a user logs in once and does not have to log in to the other systems again: once logged in, the user is trusted by all the other systems. SSO is used very frequently on large sites.

Take a site like Alibaba: behind it are hundreds of subsystems, and a single user action or transaction may involve the cooperation of dozens of them. If every subsystem required its own user authentication, not only would users go mad, every subsystem would also have to repeat the same authentication and authorization logic. In the end, achieving single sign-on comes down to how the trust is generated and stored, and then how the other systems verify that the trust is valid. So it reduces to the following points:

1. storing the trust

2. verifying the trust

Once these two problems are solved, the effect described at the beginning is achieved and it can be called SSO. The simplest way to implement SSO is with a cookie; the process is as follows:

[Diagram of the cookie-based SSO flow; image not reproduced]

This stores the trust relationship in a cookie on the client. Although that makes the trust store easy to implement, it immediately raises two issues:

1. the cookie is not secure

2. it cannot provide login-free access across domains

The first issue is usually handled by encrypting the cookie; the second is a genuine limitation of the scheme. The idea of this scheme is really to keep the trust relationship on the client, and a cookie is not the only way to do that: Flash can be used instead, since Flash's Shared Object API provides storage.
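As an added example (not code from the original post), here is the cookie-based scheme with the first issue addressed: the trust relationship is stored in a cookie that is both encrypted and integrity-protected, so a subsystem that shares the key can read it but nobody can forge or alter it. The cookie name, the TTL, the shared parent domain `.example.com` and the config name `SSO_COOKIE_KEY` are assumptions; it needs PHP 7.3 or later with the sodium extension.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 7.3 with the
// sodium extension and a shared secret key (SSO_COOKIE_KEY below is a
// hypothetical config name) distributed to every subsystem out of band.
declare(strict_types=1);

const SSO_COOKIE_NAME = 'sso_trust';
const SSO_COOKIE_TTL  = 1800; // seconds; a short life limits replay of a stolen cookie

/** Login system: build the encrypted cookie value for a logged-in user. */
function sso_issue_cookie(string $key, string $userId, int $now): string
{
    // Identity plus issue time, so every subsystem can expire it independently.
    $payload = json_encode(['uid' => $userId, 'iat' => $now], JSON_THROW_ON_ERROR);
    // secretbox (XSalsa20-Poly1305) gives confidentiality and integrity in one call;
    // a tampered byte makes decryption fail rather than yield altered plaintext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($payload, $nonce, $key);
    // The nonce travels with the ciphertext; base64url keeps the value cookie-safe.
    return rtrim(strtr(base64_encode($nonce . $box), '+/', '-_'), '=');
}

/** Any subsystem: decrypt and validate; returns the user id, or null if not trusted. */
function sso_verify_cookie(string $key, string $cookie, int $now): ?string
{
    $b64 = strtr($cookie, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore base64 padding
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce   = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box     = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $payload = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($payload === false) {
        return null; // tampered, truncated, or encrypted under a different key
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['uid'], $data['iat'])) {
        return null;
    }
    if ($now - (int)$data['iat'] > SSO_COOKIE_TTL) {
        return null; // expired
    }
    return (string)$data['uid'];
}

// Demonstration with a constructed key; a deployment loads SSO_COOKIE_KEY from config.
$key   = sodium_crypto_secretbox_keygen();
$now   = time();
$value = sso_issue_cookie($key, 'user42', $now);

// Login system: set the cookie on the parent domain so sibling hosts receive it.
if (PHP_SAPI !== 'cli') {
    setcookie(SSO_COOKIE_NAME, $value, [
        'expires'  => $now + SSO_COOKIE_TTL,
        'domain'   => '.example.com', // hypothetical shared parent domain
        'secure'   => true,           // only over HTTPS
        'httponly' => true,           // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Subsystem: accept the user only if the cookie decrypts and is still fresh.
var_dump(sso_verify_cookie($key, $value, $now));                      // genuine cookie
var_dump(sso_verify_cookie($key, substr($value, 0, -4), $now));       // truncated or tampered
var_dump(sso_verify_cookie($key, $value, $now + SSO_COOKIE_TTL + 1)); // expired
```

The `domain` attribute is exactly where the second issue shows up: a cookie set for `.example.com` is sent to every host under that domain but never to a host under another domain, so this scheme cannot extend login-free access across domains no matter how the cookie is protected.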

In general, large-scale sites store the trust relationship on the server side; the process is as follows:

[Diagram of the server-side SSO flow; image not reproduced]

This scheme moves the trust relationship into a separate SSO system (let us call it that). Put simply, the storage moves from the client to the server, but several issues then need to be dealt with:

1. how to store a large volume of temporary trust data efficiently

2. how to prevent the information from being tampered with in transit

3. how the SSO system establishes trust with the login system and with the systems that are to be logged in without credentials

For the first problem, a distributed cache such as memcached is generally used: it provides a mechanism that scales with the amount of data and also provides efficient access.

For the second problem, a digital signature is generally used, either signing with a digital certificate or with something like md5. When the SSO system returns the login-free URL, it computes an md5 over the parameters that need to be verified and returns a token along with them. Finally, when the system that is to be logged in without credentials verifies the trust relationship, it passes this token to the SSO system, and by checking the token the SSO system can tell whether the information has been altered.

For the last problem, a whitelist can be used. Put simply, only systems on the whitelist may request that a trust relationship be produced, and likewise only systems on the whitelist may be logged in without credentials.
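As an added example (not code from the original post) covering the three issues above: a trust store behind a small set/get/delete class (an array-backed stand-in for memcached, constructed for the demo), a login-free URL whose parameters are bound by a keyed signature that the SSO system checks when the token comes back, and a whitelist consulted both when trust is produced and when it is consumed. The post describes an md5 over the parameters; this example uses HMAC-SHA256 with a secret held only by the SSO system, which is the keyed form of that check. The application ids `shop`, `pay` and `rogue`, the URL and the secret are all constructed. It needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 7.4.
// ArrayTrustStore is a constructed stand-in for the memcached cluster the post
// describes; set/get/delete correspond to Memcached::set/get/delete.
declare(strict_types=1);

const TRUST_TTL = 300; // seconds a minted trust relationship stays valid

final class ArrayTrustStore
{
    private array $items = [];
    private int $now;
    public function __construct(int $now) { $this->now = $now; }
    public function set(string $key, array $value, int $ttl): void
    {
        $this->items[$key] = [$this->now + $ttl, $value];
    }
    public function get(string $key): ?array
    {
        // Missing or past its TTL reads as "not found", as memcached would report.
        if (!isset($this->items[$key]) || $this->items[$key][0] < $this->now) {
            return null;
        }
        return $this->items[$key][1];
    }
    public function delete(string $key): void { unset($this->items[$key]); }
}

/** Hypothetical whitelist of application ids allowed to request or consume trust. */
function sso_is_whitelisted(array $whitelist, string $appId): bool
{
    return in_array($appId, $whitelist, true);
}

/** Step 1: a whitelisted login system asks SSO to record a trust relationship. */
function sso_create_trust(ArrayTrustStore $store, array $whitelist, string $fromApp, string $uid): ?string
{
    if (!sso_is_whitelisted($whitelist, $fromApp)) {
        return null; // systems off the whitelist cannot mint trust
    }
    $token = bin2hex(random_bytes(16)); // unguessable handle, resolved server-side
    $store->set($token, ['uid' => $uid, 'from' => $fromApp], TRUST_TTL);
    return $token;
}

/** The string the signature covers: every parameter the target system relies on. */
function sso_canonical(array $p): string
{
    return implode('|', [$p['token'], $p['uid'], $p['to'], (string)$p['ts']]);
}

/** Step 2: SSO builds the login-free URL. The post signs the parameters with md5;
 *  HMAC-SHA256 under a secret only SSO holds is the keyed form of that check. */
function sso_login_free_url(string $secret, string $base, string $token, string $uid, string $toApp, int $ts): string
{
    $p = ['token' => $token, 'uid' => $uid, 'to' => $toApp, 'ts' => $ts];
    $p['sig'] = hash_hmac('sha256', sso_canonical($p), $secret);
    return $base . '?' . http_build_query($p);
}

/** Step 3: the target system passes the parameters back; SSO decides whether to trust them. */
function sso_verify_login_free(ArrayTrustStore $store, array $whitelist, string $secret, array $p, int $now): ?string
{
    if (array_diff(['token', 'uid', 'to', 'ts', 'sig'], array_keys($p))) {
        return null; // a required parameter is missing
    }
    if (!sso_is_whitelisted($whitelist, (string)$p['to'])) {
        return null; // only whitelisted systems may be logged in without credentials
    }
    $expected = hash_hmac('sha256', sso_canonical($p), $secret);
    if (!hash_equals($expected, (string)$p['sig'])) {
        return null; // a parameter was altered in transit
    }
    if ($now - (int)$p['ts'] > TRUST_TTL) {
        return null; // stale URL
    }
    $trust = $store->get((string)$p['token']);
    if ($trust === null || $trust['uid'] !== (string)$p['uid']) {
        return null; // token unknown, expired, or bound to another user
    }
    $store->delete((string)$p['token']); // single use, so a replayed URL is refused
    return $trust['uid'];
}

// Demonstration with constructed values (application ids, URL and secret are made up).
$now       = time();
$secret    = 'constructed-shared-secret'; // a deployment loads a random key from config
$whitelist = ['shop', 'pay'];
$store     = new ArrayTrustStore($now);

var_dump(sso_create_trust($store, $whitelist, 'rogue', 'user42'));   // not whitelisted
$token = sso_create_trust($store, $whitelist, 'shop', 'user42');
$url   = sso_login_free_url($secret, 'https://sso.example.test/free', $token, 'user42', 'pay', $now);
parse_str((string)parse_url($url, PHP_URL_QUERY), $params);

$forged = $params;
$forged['uid'] = 'admin';
var_dump(sso_verify_login_free($store, $whitelist, $secret, $forged, $now)); // signature no longer matches
var_dump(sso_verify_login_free($store, $whitelist, $secret, $params, $now)); // genuine first use
var_dump(sso_verify_login_free($store, $whitelist, $secret, $params, $now)); // replay of the same URL
```

Two design choices go slightly beyond the post: the token is deleted on first successful use, so a login-free URL that leaks from a log or a browser history cannot be replayed, and the signature covers the timestamp and the target application id as well as the token and user id, so none of those can be swapped without invalidating the URL. Swapping the array-backed store for a memcached client changes nothing else in the flow.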


Source: www.cnblogs.com/a609251438/p/11945508.html