CAS single sign on
2022-07-26 14:45:00 【Xiang wants to】
Today the leader assigned me a task: build a CAS single sign-on setup for several systems. I frowned. Good heavens, yes, but I have never done it. I couldn't help clapping my hands in my heart.
Fortunately! I am a little fan of Duolong, the famous Alibaba "sweeper".
After getting a general understanding of the business requirements, I asked the leader for a day to analyze and implement it. Back at my desk, I started scratching my head.

Getting to know CAS
First, let's talk about CAS. CAS stands for Central Authentication Service. It is an enterprise-grade, multilingual single sign-on solution that aims to be a comprehensive platform for authentication and authorization needs.
CAS is an enterprise-class open-source project launched by Yale University that provides a reliable single sign-on solution for web application systems (it belongs to the Web SSO category).
The CAS protocol involves at least three parties: the client web browser, the web application requesting authentication, and the CAS server. It may also involve back-end services, such as a database server, which have no HTTP interface of their own but communicate with the web application.
This brings up a term: single sign-on (SSO). What is single sign-on?
In plain words: after logging in with one account, you can directly access the resources that account is entitled to in other systems without logging in again. Put bluntly, it lets lazy people log in once.

An SSO system mainly consists of three parts:
1. users (one or more)
2. web applications (one or more)
3. the SSO authentication center (exactly one)
The basic core principles of SSO are as follows:
1. All logins take place at the SSO authentication center.
2. The SSO authentication center tells each web application whether the current visitor is an authenticated user.
3. The SSO authentication center establishes a trust relationship with every web application: the center's judgment about the correctness of the user's identity is communicated to the web application by some means, and the web application must trust that judgment.
Advantages
1. Lower risk when accessing third-party sites ("federation"), because user passwords are not stored or managed externally.
2. Less password fatigue caused by different username and password combinations.
3. Less time spent re-entering passwords for the same identity.
4. Simpler administration. As part of normal maintenance, SSO-related tasks are performed transparently using the same tools as other administrative tasks.
5. Better administrative control. All network management information is stored in one repository, so each user has a single, authoritative list of rights and privileges. An administrator can change a user's permissions knowing that the result will propagate across the network.
6. Improved user productivity. Users are no longer bothered by multiple logins and do not need to remember multiple passwords to access network resources. This also helps help-desk staff, who have to handle fewer forgotten-password requests.
7. Better network security. Eliminating multiple passwords also removes a common source of security vulnerabilities: users writing their passwords down. Finally, because management information is consolidated, the administrator knows for certain that when a user's account is disabled, it is disabled everywhere.
8. Consolidation of heterogeneous networks. By joining different networks, administrative work can be consolidated, ensuring that management best practices and corporate security policies are always enforced.
SSO shares one centralized authenticator with all other applications and systems, and combines it with techniques that ensure users do not have to actively enter their credentials more than once.
CAS principle
Compared with logging in to a single system, SSO needs an independent authentication center. Only the authentication center accepts the user's username, password and other security information; the other systems offer no login entry of their own and are authorized only indirectly by the authentication center. Indirect authorization works through a token: the SSO authentication center verifies the username and password and creates an authorization token, and on the subsequent redirect the token is passed to each subsystem as a parameter. Once a subsystem has obtained the token it has been authorized and can use it to create a local session; from then on the local session behaves just like a single-system login. This process is the principle of single sign-on, explained with the figure below.

Here is a brief description of the figure above:
1. The user accesses a protected resource of system 1.
2. System 1 finds that the user is not logged in and redirects to the SSO authentication center, passing its own address as a parameter.
3. The SSO authentication center finds that the user is not logged in and guides the user to the login page.
4. The user enters a username and password and submits the login request.
5. The SSO authentication center verifies the user's information and creates a session between the user and the SSO authentication center, called the global session; at the same time it creates an authorization token.
6. The SSO authentication center redirects to the original request address (system 1), carrying the token.
7. System 1 obtains the token and asks the SSO authentication center to verify whether it is valid.
8. The SSO authentication center verifies the token, returns "valid", and registers system 1.
9. System 1 uses the token to create a session with the user, called the local session, and returns the protected resource.
10. The user accesses a protected resource of system 2.
11. System 2 finds that the user is not logged in and redirects to the SSO authentication center, passing its own address as a parameter.
12. The SSO authentication center finds that the user is already logged in, redirects back to system 2's address and attaches the token.
13. System 2 obtains the token and asks the SSO authentication center to verify whether it is valid.
14. The SSO authentication center verifies the token, returns "valid", and registers system 2.
15. System 2 uses the token to create a local session with the user and returns the protected resource.
After a successful login, the user has sessions with both the SSO authentication center and the subsystems. The session between the user and the SSO authentication center is called the global session, and the session between the user and each subsystem is called a local session. Once a local session has been established, the user's access to that subsystem's protected resources no longer goes through the SSO authentication center. The global session and the local sessions satisfy the following constraints:
1. If a local session exists, the global session must exist.
2. If the global session exists, a local session does not necessarily exist.
3. When the global session is destroyed, the local sessions must be destroyed.
The SSO authentication center keeps monitoring the state of the global session; once the global session is destroyed, the listener notifies all registered systems to log out.

Here is a brief description of the figure above:
1. The user sends a logout request to system 1.
2. System 1 looks up the token from the id of its session with the user and sends a logout request to the SSO authentication center.
3. The SSO authentication center verifies that the token is valid, destroys the global session, and at the same time retrieves the addresses of all systems registered with this token.
4. The SSO authentication center sends a logout request to every registered system.
5. Each registered system receives the logout request from the SSO authentication center and destroys its local session.
6. The SSO authentication center guides the user to the login page.
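The login, registration and logout flows described above, as an added Python model written for this post (not CAS's own code): the authentication center issues a short-lived, single-use token bound to the address of the system that asked for it, the subsystem validates the token over a back channel before creating its local session, and destroying the global session clears every registered local session. Direct method calls stand in for the HTTP redirects and logout requests, and the single-use and address-binding rules are assumptions modelled on how CAS service tickets behave.

```python
import secrets
import time

class SsoCenter:
    def __init__(self, users):
        self.users = users          # username -> password (constructed demo store)
        self.global_sessions = {}   # global session id -> username
        self.tokens = {}            # token -> (global session id, service, expiry)
        self.registered = {}        # global session id -> services registered under it
    def login(self, username, password):
        """Login steps 4-5: check credentials and create the global session."""
        if self.users.get(username) != password:
            return None
        sid = secrets.token_urlsafe(16)
        self.global_sessions[sid] = username
        self.registered[sid] = []
        return sid
    def issue_token(self, sid, service):
        """Login steps 6/12: a global session exists, redirect back with a fresh token."""
        if sid not in self.global_sessions:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (sid, service, time.time() + 60)  # short-lived (assumed)
        return token
    def validate(self, token, service):
        """Login steps 7-8: the subsystem asks whether the token is valid."""
        sid, bound, expiry = self.tokens.pop(token, (None, None, 0))  # single use (assumed)
        if sid not in self.global_sessions or bound != service or time.time() > expiry:
            return None
        self.registered[sid].append(service)  # register the system under this session
        return self.global_sessions[sid]
    def logout(self, sid, systems):
        """Logout steps 3-5: destroy the global session, then notify every registered system."""
        if self.global_sessions.pop(sid, None) is None:
            return []
        notified = self.registered.pop(sid)
        for service in notified:
            systems[service].local_sessions.clear()  # local session dies with the global one
        return notified

class Subsystem:
    def __init__(self, address):
        self.address, self.local_sessions = address, {}   # address doubles as token binding
    def access(self, center, token):
        """Login steps 7/9: verify the token over the back channel, then open a local session."""
        user = center.validate(token, self.address)
        if user is not None:
            self.local_sessions[user] = token
        return user
```

A token presented to a system other than the one it was issued for is rejected and consumed, so a leaked redirect parameter cannot be replayed against another subsystem.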
References:
Principle and implementation of single sign-on: https://en.wikipedia.org/wiki/Single_sign-on#Common_configurations
In follow-up posts we will cover the environment setup and the implementation of the server and the client.