SSO single sign on
2022-07-06 20:25:00 【Brother Youji】
1、What SSO is
SSO stands for Single Sign On. In an environment with multiple application systems, a user logs in once and can then access every application system that trusts that login. (Reference: SSO (Single Sign On), Baidu Encyclopedia.)
For example, after logging in to the Netease account center (the Netease mail account security center), the following sites are all in the logged-in state:
- Netease live https://v.163.com
- Netease blog https://blog.163.com
- Netease Huatian https://love.163.com
- Netease koala https://www.kaola.com
- NetEase Lofter http://www.lofter.com
2、Benefits of a single sign-on system
- User's perspective: log in once, use it everywhere. There is no need to remember multiple sets of user names and passwords, which is convenient.
- System administrator's perspective: only one unified account center has to be maintained, which is convenient.
- New system development perspective: a new system only needs to connect to the unified account center, which simplifies the development process and saves time.
3、Design objectives
This article mainly explores how to design and implement an SSO system.
The core functions that need to be implemented are:
- Single sign on
- Single sign out
- Support cross domain single sign on
- Support cross domain single sign out
II. SSO design and implementation
1、Core applications and dependencies
| Application / module / object | Description |
|---|---|
| Front-end site | The site that requires login |
| SSO site - login | Provides the login page |
| SSO site - logout | Provides the logout entry |
| SSO service - login | Provides the login service |
| SSO service - login status | Provides login status verification / login information query |
| SSO service - logout | Provides the service that logs the user out |
| Database | Stores user account information |
| Cache | Stores user login information, usually in Redis |
2、Storing and verifying the user's login status
The usual Web framework implementation of a Session is to generate a SessionId and store it in a browser Cookie, while the Session content is kept in server-side memory; ken.io described this earlier in the article on how Sessions work. This design borrows the same idea as a whole. After the user logs in successfully, an AuthToken is generated and handed to the client to keep: a browser stores it in a Cookie, a mobile App stores it in the App's local cache. This article focuses on SSO for Web sites. When the user browses a page that requires login, the client submits the AuthToken to the SSO service to validate the login status / fetch the user's login information.
For storing login information, Redis is recommended. A Redis cluster for login information guarantees high availability and scales linearly, and it also lets the SSO service itself be load balanced / scaled out.
| Object | Description |
|---|---|
| AuthToken | A UUID/GUID is sufficient. If the legitimacy of the AuthToken must be verifiable, it can be generated by encrypting UserName + timestamp, and the server verifies it after decryption |
| Login information | Usually UserId and UserName are cached |
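The verifiable AuthToken variant from the table above (UserName + timestamp) together with the Redis-backed login status check and logout, as an added Python example that is not ken.io's code: the key, the TTL and the in-memory dictionary standing in for Redis are constructed, and an HMAC signature is used where the page says "encrypt", since the point is that a forged or tampered token fails verification.

```python
import base64
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: key known only to the SSO service
TOKEN_TTL = 3600                             # assumption: seconds a token stays valid
login_cache = {}  # constructed stand-in for the Redis cluster: AuthToken -> login information

def make_auth_token(user_name, now=None):
    """AuthToken = UserName + timestamp, bound with an HMAC (used here in place of the
    page's 'encrypt') so the SSO service can later check the token's legitimacy."""
    ts = int(time.time()) if now is None else now
    payload = f"{user_name}|{ts}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{sig}".encode()).decode()

def parse_auth_token(token, now=None):
    """Return the UserName if signature and timestamp check out, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        user_name, ts, sig = raw.rsplit("|", 2)
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return None                       # malformed token
    expected = hmac.new(SERVER_SECRET, f"{user_name}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                       # forged or tampered token
    if (int(time.time()) if now is None else now) - issued > TOKEN_TTL:
        return None                       # expired token
    return user_name

def login(user_id, user_name):
    """SSO login service: issue the AuthToken and cache UserId/UserName under it."""
    token = make_auth_token(user_name)
    login_cache[token] = {"UserId": user_id, "UserName": user_name}
    return token                          # the client keeps this in its Cookie / App cache

def check_login_status(token):
    """SSO login-status service: validate the token, then look up the login information."""
    if parse_auth_token(token) is None:
        return None
    return login_cache.get(token)         # None once the user has logged out

def logout(token):
    """SSO logout service: clear the server-side login status (client drops its AuthToken)."""
    login_cache.pop(token, None)
```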
3、User login / login verification
- Sequence diagram: login
According to the diagram above, after the user logs in the AuthToken is saved in a Cookie with domain=test.com. The browser sets the Cookie's domain to .test.com, so whenever any web site under *.test.com is visited, the AuthToken is sent to the server side, which then completes the user status verification / fetches the user's login information through the SSO service.
- Sequence diagram: fetch login information / verify login status
4、User logout
What has to happen when a user logs out is simple:
- The server clears the login status from the cache (Redis)
- The client clears the stored AuthToken
- Sequence diagram: logout
5、Cross-domain login and logout
As mentioned earlier, the core idea is that the client stores the AuthToken and the server stores the login information in Redis. Since the client keeps the AuthToken in a Cookie, the problem to solve for cross-domain support is how to read and write that Cookie across domains.
Cookies cannot cross domains, for example
The core idea of the cross-domain solution is:
- After login completes, pass the AuthToken through a callback to the site outside the primary domain; that site stores the AuthToken in a Cookie of its own domain.
- After logout completes, call back the logout page of the non-primary-domain site, which expires the AuthToken in its own Cookie.
- Sequence diagram: cross-domain login (primary domain already logged in)
- Sequence diagram: cross-domain login (primary domain not logged in)
- Sequence diagram: cross-domain logout
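The cross-domain login and logout flows described above (both the "primary domain already logged in" and "not logged in" cases), as an added Python simulation that is not ken.io's code: the cookie scopes, the dictionary standing in for Redis and the sites other.example / shop.other2.example are constructed, and the callback and logout pages are modelled as direct function calls instead of HTTP redirects.

```python
import uuid
from urllib.parse import urlparse

PRIMARY_SCOPE = ".test.com"  # cookie domain shared by every *.test.com site (from the page)
cookies = {}                 # constructed stand-in for the browser cookie jar, keyed by scope
login_cache = {}             # constructed stand-in for Redis: AuthToken -> login information
registered_sites = set()     # non-primary-domain sites that received a token via callback

def cookie_scope(host):
    """Hosts under test.com share the .test.com cookie; any other host has its own scope."""
    return PRIMARY_SCOPE if ("." + host).endswith(PRIMARY_SCOPE) else host  # not nottest.com

def set_cookie(scope, token):
    cookies.setdefault(scope, {})["AuthToken"] = token

def expire_cookie(scope):
    cookies.get(scope, {}).pop("AuthToken", None)

def site_callback(host, token):
    """Callback page of a non-primary-domain site: store the AuthToken in its own cookie."""
    set_cookie(host, token)
    registered_sites.add(host)

def visit_sso(return_url, credentials=None):
    """SSO login entry: skip the login page when .test.com already has a valid AuthToken, else
    create one from (constructed) credentials. Returns the token, or None if login is needed."""
    token = cookies.get(PRIMARY_SCOPE, {}).get("AuthToken")
    if token not in login_cache:                    # primary domain not logged in
        if credentials is None:
            return None                             # show the login page
        user_id, user_name = credentials
        token = str(uuid.uuid4())                   # a UUID is enough for the AuthToken
        login_cache[token] = {"UserId": user_id, "UserName": user_name}
        set_cookie(PRIMARY_SCOPE, token)
    host = urlparse(return_url).hostname
    if cookie_scope(host) != PRIMARY_SCOPE:         # cross-domain: hand the token to the site
        site_callback(host, token)
    return token

def sso_logout(token):
    """Single sign-out: clear Redis, expire the primary cookie, call each site's logout page."""
    login_cache.pop(token, None)
    expire_cookie(PRIMARY_SCOPE)
    for host in list(registered_sites):
        expire_cookie(host)                         # the site's logout page expires its cookie

def is_logged_in(host):
    """What a front-end site sees: a cookie token the SSO status service still recognises."""
    token = cookies.get(cookie_scope(host), {}).get("AuthToken")
    return token is not None and token in login_cache
```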
III. Remarks
- About the scheme
This design is mainly meant to provide implementation ideas. If App user login is involved, signature verification for the App should be added when the SSO service is called; of course, if there is a wireless gateway in front, verifying the signature there is not a problem.
- About the sequence diagrams
The sequence diagrams do not cover every scenario; ken.io only drew the core / main scenarios, and some information that does not affect understanding of the ideas was left out.