当前位置:网站首页>SSO single sign on
SSO single sign on
2022-07-06 20:25:00 【Brother Youji】
1、SSO explain
SSO English full name Single Sign On, Single sign on .SSO In multiple application systems , Users only need to log in once to access all mutual trust application systems .SSO(Single Sign On)_ Baidu Encyclopedia
For example, visit the Netease account center ( Netease email account security center ) After login Visit the following sites are login status
- Netease live https://v.163.com
- Netease blog https://blog.163.com
- Netease Huatian https://love.163.com
- Netease koala https://www.kaola.com
- NetEase Lofter http://www.lofter.com
2、 Benefits of single sign on system
- User perspective : Users can log in once and use many times , No need to record multiple sets of user names and passwords , worry .
- System administrator Perspective : The administrator only needs to maintain a unified account center , convenient .
- New system development perspective : When developing a new system, you only need to directly connect to a unified account center , Simplify development process , To save time .
3、 Design objectives
This article is also mainly to explore how to design & Achieve one SSO System
Here are the core functions that need to be implemented :
- Single sign on
- Single sign out
- Support cross domain single sign on
- Support cross domain single sign out
Two 、SSO Design and implementation
1、 Core applications and dependencies
| application / modular / object | explain |
|---|---|
| Front desk site | The site you need to log in to |
| SSO Site - Sign in | Provide login page |
| SSO Site - Log out | Provides access to log off |
| SSO service - Sign in | Provide login service |
| SSO service - The login status | Provide login status verification / Login information query service |
| SSO service - Log out | Provides the user to log off the login service |
| database | Store user account information |
| cache | Store user login information , Usually use Redis |
2、 Storage and verification of user login status
common Web Framework for Session The implementation of is to generate a SessionId Store in browser Cookie in . And then Session Content is stored in server-side memory , This ken.io Before Session working principle It's also mentioned in . The whole idea is also used for reference . After the user logs in successfully , Generate AuthToken Give it to the client to save . If it's a browser , It's stored in Cookie in . If it's a cell phone App It's stored in App In the local cache . This paper is mainly based on Web Site SSO. When the user is browsing the page that needs to log in , The client will AuthToken Submit to SSO Service validation login status / Get user login information
For the storage of login information , The proposal USES Redis, Use Redis Cluster to store login information , It can guarantee high availability , It can be extended linearly . At the same time, we can also make SSO Services meet load balancing / Scalable requirements .
| object | explain |
|---|---|
| AuthToken | Use it directly UUID/GUID that will do , If there is validation AuthToken The need for legitimacy , Can be UserName+ Timestamp encryption generation , Verify the validity after decryption by the server |
| login information | Usually it's going to be UserId,UserName cached |
3、 The user login / Login verification
- Login sequence diagram
According to the picture above , After the user logs in AuthToken Save in Cookie in . domain=test.com The browser will domain Set to .test.com, This way to access all of *.test.com Of web Site , Will be AuthToken Take it to the server side . And then through SSO service , Complete the verification of user status / Access to user login information
- Access to login information / Login status verification
4、 The user to log out
What users have to do when they log out is simple :
- Server clear cache (Redis) Login status in
- The client clears the stored AuthToken
- Log out of the sequence diagram
5、 Cross domain login 、 Log out
As mentioned earlier , The core idea is client storage AuthToken, Server side through Redis Store login information . Since the client is going to AuthToken Stored in Cookie Medium . So the problem to be solved across domains , It's how to solve Cookie Cross domain read-write problem of .
Cookie It's not cross domain , Like me
The core idea of cross domain solution is :
- After the login is completed, through callback , take AuthToken Pass to a site other than the primary domain name , The site itself will AuthToken Stored in the current domain Cookie in .
- After the logout is completed, it can be called back , Call the logout page of a non primary domain name site , Complete set Cookie Medium AuthToken Expired operations .
- Cross domain login ( The primary domain name is already logged in )
Cross domain login ( The primary domain name is not logged in )
Cross domain logout 
3、 ... and 、 remarks
- About the plan
This design is more to provide implementation ideas . If it involves APP User login, etc , During a visit to SSO The service , Add to APP The signature verification of . Of course , If there is a wireless gateway , Verifying the signature is not a problem .
- About sequence diagrams
The sequence diagram doesn't contain all the scenarios ,ken.io Just the core / Main scene , In addition, for some information that does not affect the understanding of ideas, you can save .
边栏推荐
- Tencent architects first, 2022 Android interview written examination summary
- 【DSP】【第一篇】开始DSP学习
- Tencent T3 teaches you hand in hand. It's really delicious
- [cloud native and 5g] micro services support 5g core network
- How to select several hard coded SQL rows- How to select several hardcoded SQL rows?
- Enumeration gets values based on parameters
- [network planning] Chapter 3 data link layer (3) channel division medium access control
- Crawler (14) - scrape redis distributed crawler (1) | detailed explanation
- Quel genre de programmation les enfants apprennent - ils?
- [weekly pit] output triangle
猜你喜欢
"Penalty kick" games
02 基础入门-数据包拓展
(工作记录)2020年3月11日至2021年3月15日
案例 ①|主机安全建设:3个层级,11大能力的最佳实践
Tencent architects first, 2022 Android interview written examination summary
电子游戏的核心原理
Utilisation de l'écran OLED
【每周一坑】输出三角形
Continuous test (CT) practical experience sharing
Crawler (14) - scrape redis distributed crawler (1) | detailed explanation
随机推荐
Catch ball game 1
JVM_常见【面试题】
SQL injection 2
Leetcode question 283 Move zero
为什么新手在编程社区提问经常得不到回答,甚至还会被嘲讽?
5. Nano - Net in wireless body: Top 10 "is it possible?" Questions
Enumeration gets values based on parameters
Node. Js: express + MySQL realizes registration, login and identity authentication
【GET-4】
mod_ WSGI + pymssql path SQL server seat
Special topic of rotor position estimation of permanent magnet synchronous motor -- fundamental wave model and rotor position angle
Anaconda安装后Jupyter launch 没反应&网页打开运行没执行
Tencent architects first, 2022 Android interview written examination summary
Crawler (14) - scrape redis distributed crawler (1) | detailed explanation
Synchronization of data create trigger synchronization table for each site
Wechat applet common collection
[DSP] [Part 2] understand c6678 and create project
设计你的安全架构OKR
Linear distance between two points of cesium
Guangzhou's first data security summit will open in Baiyun District