Principle of single sign on
1、 Single sign on concept
1. What is single sign on
Single sign on, SSO for short, is one of the popular solutions for enterprise business integration. SSO means that, across multiple application systems, a user logs in only once and can then access every application system that trusts that login.
2. Introduction of single sign on
Large enterprises generally run many business support systems that provide the corresponding management and IT services. For example, the financial system provides financial management, accounting and reporting services for finance staff; the personnel system provides maintenance services for the personnel department of the whole company; and various business systems provide different services for different lines of business within the company. The purpose of these systems is to let computers take over complex and tedious calculation work, replace manual labor, and improve the efficiency and quality of work. These systems are often built in different periods and run on different platforms; they may be developed by different vendors, using a variety of technologies and standards.
For example, a well-known IT company in China (name withheld) has more than 60 internal business systems, including two different versions of SAP ERP, 12 types and versions of database systems, 8 types and versions of operating systems, 3 firewall technologies, and dozens of incompatible protocols and standards. This situation is in fact very common. After running for several years, each system becomes an irreplaceable part of the enterprise IT architecture, as shown in the figure below.
Enterprise application integration can be carried out at different levels: for example, "data centralization" at the data storage level, a "general data exchange platform" at the transmission level, "business process integration" at the application level, and a "general enterprise portal" at the user interface level. One further level of integration is becoming more and more important: the integration of "identity authentication", that is, "single sign on". Generally speaking, each individual system has its own security system and identity authentication system, so before integration a separate login is required to enter each system. This not only makes management difficult, but also buries serious hidden dangers in security. The following statistics were published by some well-known survey companies:
Users spend an average of 16 minutes a day on authentication tasks (source: IDS).
Frequent IT users have an average of 21 passwords (source: NTA Monitor password survey).
49% of people write down their passwords, and 67% rarely change them.
An identity theft event occurs every 79 seconds (source: National Small Business Travel Assoc).
Global fraud losses are about 12B per year (source: Comm Fraud Control Assoc).
By 2007, the identity management market will double to $4.5B (source: IDS).
3. Benefits of single sign on
After "single sign on" integration, a user logs in once and can enter multiple systems without logging in again, which not only gives a better user experience but also reduces security risk and management overhead. Consider the following statistics:
Improved IT efficiency: for every 1,000 managed users, each user can save $70K; help desk calls can be reduced by at least one third; for a company with 10K employees, $75 per user can be saved each year, or $648K in total.
Productivity improvement: each new employee can save $1K, and each existing employee can save $350 (source: Giga).
ROI return: 7.5 to 13 months (source: Gartner).
In addition, "single sign on" is one of the needs of the SOA era. In a service-oriented architecture there is a great deal of communication between services and between programs, and security authentication between services is one of the difficulties of SOA applications. Establishing a "single sign on" system can therefore greatly simplify the security problems of SOA and improve the efficiency of cooperation between services.
2、 How single sign on works
1. A simple operating mechanism
The mechanism of single sign on is actually relatively simple. Compare it with a real example. A park has many independent scenic spots, and tourists can buy tickets separately at the gate of each one. For tourists who want to visit all of the spots this is very inconvenient: they have to queue at every gate to buy a ticket, and taking out their wallet each time is easy to lose track of and not very safe. So the vast majority of tourists buy a pass (also called a package ticket) at the park entrance and can then visit every scenic spot without buying tickets again; they only need to show the package ticket at the gate of each scenic spot to be allowed in.
The mechanism of single sign on is the same, as shown in the figure below
The authentication system verifies the user's identity according to the login information the user provides. If verification passes, it returns an authentication credential, the ticket (2), to the user.
When the user visits other applications (3, 5), the browser carries this ticket as the user's authentication credential. After receiving the request, the application system sends the ticket to the authentication system for validation, which checks the legitimacy of the ticket (4, 6).
If validation passes, the user can access application system 2 and application system 3 without logging in again.
2. A slightly more complex operating mechanism
As can be seen from the above view, the following main functions are required to implement SSO:
All application systems share one identity authentication system. A unified authentication system is one of the prerequisites of SSO. Its main function is to compare the user's login information with the user information base in order to authenticate the user; after successful authentication, the authentication system generates a unified authentication mark (the ticket) and returns it to the user. In addition, the authentication system must validate tickets and judge whether they are still valid.
All application systems can identify and extract ticket information. To realize SSO and let the user log in only once, each application system must be able to recognize an already logged-in user. The application system must therefore be able to identify and extract the ticket and, by communicating with the authentication system, automatically judge whether the current user has logged in, so as to complete the single sign on function.
The above function is only a very simple SSO architecture. In reality, SSO has a more complex structure. Two points need to be pointed out:
A single user information database is not necessary. In many systems it is not possible to store all user information centrally, so user information must be allowed to live in different stores. In fact, as long as the authentication system is unified and the generation and verification of tickets are unified, single sign on can be realized no matter where the user information is stored.
3、web-sso
With the rapid development of the Internet, web applications dominate most software application systems, so web-sso is the most popular form of SSO. Web-sso has its own characteristics and advantages, and is relatively simple and easy to implement. Many commercial and open source products implement web-sso. One worth mentioning is OpenSSO (https://opensso.dev.java.net), which provides an architecture guide and a service guide for realizing web-sso in Java, giving users a theoretical basis and an implementation method for building web-sso themselves.
Why is web-sso easier to implement? This is determined by the characteristics of web applications. As everyone knows, the web protocol (HTTP) is a stateless protocol. A web application consists of many web pages, each identified by a unique URL. The user enters the URL of a page in the browser's address bar, and the browser sends a request to the web server. As shown in the figure below, the browser sends two requests to the web server, asking for two pages, and the requests for these two pages use two separate HTTP connections. This is where the statelessness of the protocol shows: the browser and web server close the connection after the first request completes and establish a new connection for the second request. The web server does not distinguish which request comes from which client; it treats every request equally, as a separate connection. This is very different from the traditional client/server (C/S) structure, in which client and server establish a dedicated connection channel that stays open for a long time. It is precisely because of this stateless characteristic that each connection resource can be reused by other clients quickly, so that one web server can serve thousands of clients at the same time.
Web SSO can use cookies to save user login information: the ticket described above is stored in a browser cookie, and the two together complete the SSO function.
To complete a simple SSO function, two parts must cooperate: a unified identity authentication service, and the web applications, which are modified so that each one verifies identity through this unified authentication service.
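The ticket flow described in sections 2 and 3 (issue a ticket after login, carry it in a cookie, have each application validate it through the unified authentication system) as an added example in Python; this is not code from the original article or from OpenSSO. The HMAC ticket format, the AuthSystem and app_request names, and the user base are assumptions made for the example.

```python
import base64, binascii, hashlib, hmac, json, time


class AuthSystem:
    """Unified authentication system: checks credentials against the user
    base, issues tickets, and validates tickets on behalf of applications."""

    def __init__(self, secret: bytes, ttl: int = 3600):
        self._secret = secret  # signing key known only to the auth system
        self._ttl = ttl        # ticket lifetime in seconds
        # constructed user base: username -> password hash (a real system uses a
        # per-user salt; one fixed salt is used here only to keep the example short)
        self._users = {"alice": self._hash("s3cret")}

    @staticmethod
    def _hash(password: str) -> str:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"fixed-salt", 100_000).hex()

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def login(self, username: str, password: str, now=None):
        """Verify login info; on success return a ticket (step 2), otherwise None."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, self._hash(password)):
            return None
        now = int(time.time() if now is None else now)
        payload = json.dumps({"sub": username, "exp": now + self._ttl}).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def validate(self, ticket: str, now=None):
        """Check a ticket's signature and expiry (steps 4 and 6); return the user name or None."""
        try:
            body, sig = ticket.split(".", 1)
            payload = base64.urlsafe_b64decode(body)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):  # tampered or forged
            return None
        claims = json.loads(payload)
        if int(time.time() if now is None else now) >= claims["exp"]:  # expired
            return None
        return claims["sub"]


def app_request(auth: AuthSystem, cookies: dict, now=None) -> str:
    """An application system reads the ticket cookie and asks the auth system whether it is valid."""
    user = auth.validate(cookies.get("sso_ticket", ""), now=now)
    return "login required" if user is None else f"hello {user}"
```

Because only the authentication system holds the signing key, an application that receives a forged or expired ticket gets None back and falls through to a fresh login.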
ps
I saw this article on the Internet and thought it was well written, so I reposted it to keep a copy, in case I can't find it again. The original link: https://www.cnblogs.com/lexiaofei/p/7172214.html