Joke Collection Website - Blessing messages - Speaking of single sign-on
Speaking of single sign-on
In the early stages of enterprise development, enterprises use very few systems, usually one or two. Each system has its own login module, and operators log in with their own accounts every day, which is very convenient. However, with the development of enterprises, the number of systems used increases. Operators need to log in multiple times when operating different systems, and each system has a different account, which is very inconvenient for operators. So, I thought about whether I could log in to one system without logging in to other systems? This is what single sign-on solves.
The full English name of single sign-on is Single Sign On, and the abbreviation is SSO. Its explanation is: In multiple application systems, you only need to log in once to access other mutually trusted application systems.
As shown in the figure, there are 4 systems in the figure, namely Application1, Application2, Application3, and SSO. Application1, Application2, and Application3 do not have login modules, while SSO only has a login module and no other business modules. When Application1, Application2, and Application3 need to log in, they will jump to the SSO system. The SSO system completes the login, and other application systems will follow. Logged in. This fits perfectly with our definition of single sign-on (SSO).
Before talking about the technical implementation of single sign-on (SSO), let us first talk about the ordinary login authentication mechanism.
As shown in the picture above, we access an application in the browser (Browser). This application requires login. After we fill in the user name and password, we complete the login authentication. At this time, we mark the login status as yes (logged in) in the user's session, and write a cookie in the browser (Browser). This cookie is the unique identifier of the user. The next time we visit this application, this cookie will be included in the request. The server will find the corresponding session based on this cookie and use the session to determine whether the user is logged in. If no special configuration is made, the name of this cookie is jsessionid, and the value is unique on the server.
Generally, an enterprise only has one domain name, and different systems are distinguished through second-level domain names. For example, we have a domain name called: a.com, and two business systems: app1.a.com and app2.a.com. We want to do single sign-on (SSO) and need a login system called: sso.a.com.
As long as we log in at sso.a.com, app1.a.com and app2.a.com will also log in. Through the above login authentication mechanism, we can know that when logging in to sso.a.com, the login status is actually recorded in the session on the server side of sso.a.com, and at the same time in the sso on the browser side (Browser). Cookies are written under a.com. So how can we let app1.a.com and app2.a.com log in? There are two questions here:
So how do we solve these two problems? Regarding the first question, after sso login, you can set the cookie domain to the top domain, that is. a.com, so that all sub-domain systems can access the cookies of the top domain. When we set cookies, we can only set the top domain and our own domain, and cannot set other domains. For example: We cannot set cookies for the baidu.com domain in our own system.
The cookie problem is solved, let’s look at the session problem again.
We logged in to the sso system, and then visited app1 again. The cookie was also brought to the server of app1. How does the server of app1 find the Session corresponding to this cookie? Here we need to share the Sessions of the three systems, as shown in the figure. There are many solutions for sharing Session, such as: Spring-Session. This solves the second problem.
Single sign-on under the same domain has been implemented, but this is not a true single sign-on.
Single sign-on under the same domain makes clever use of the characteristics of the Cookie top domain. What if it is a different domain? Cookies are not shared between different domains. What should I do?
Here we are going to talk about the CAS process, which is the standard process for single sign-on.
The above picture is the standard process on the CAS official website. The specific process is as follows:
At this point, the cross-domain single sign-on is completed. When we access the app system in the future, the app will be logged in. Next, let’s look at the process of accessing the app2 system.
In this way, the app2 system does not need to go through the login process, it is already logged in. SSO, app and app2 are in different domains, and there is no problem if the sessions between them are not shared.
Some students asked me that after logging in to the SSO system, when jumping back to the original business system, I brought a parameter ST. The business system also needs to use ST to access SSO again for verification. I think this step is a bit redundant. He wants to return the user information to the original business system through the callback address after passing the SSO login authentication. The original business system directly sets the login status. This way the process is simple and the login is completed. Isn't it great?
In fact, this problem is very serious. If I do not log in during SSO, but type the callback address directly into the browser and bring fake user information, will the business system also consider me logged in? What's up? This is terrible.
All the processes of single sign-on (SSO) have been introduced, and the principles are clear to everyone. Summarize what single sign-on needs to do:
Refer to the article I wrote about JWT/TOKEN
- Previous article:Mobile GPRS is suspended, how to resume with SMS?
- Next article:Good morning and flirty words (selected 102 sentences)
- Related articles
- Why is there a page that has opened SMS notification?
- Does the lawyer's letter that sends text messages have legal effect?
- Ganzhou Nankang District No.1 People's Hospital Jiujia hpv Appointment Entrance 2022
- Zhaolian Finance sent a text message saying that it would apply to the local authorities for filing a case when it was overdue.
- Answer quickly, what SMS command can you use to check Unicom's traffic?
- How does Xiaomi 10 connect to the computer?
- Blessing information for patients
- What does it mean for the police to collect information from my mobile phone?
- Do you know that online Nike purchasing is true?
- How to modify the reserved mobile phone number in ABC? There is no K-treasure.