Single sign-on (SSO) means that one login grants access to all of the related systems or websites. There are many technical ways to implement it, and the right choice depends on the scenario.
Scenarios
1. Only one domain name
There is only one system platform and one domain name, for example example.com.
Login process:
- On login, generate the session and set the session ID in a cookie for the current domain name.
Disadvantages:
- Limited to a single system platform.
2. Same second-level domain name
There are multiple system platforms, but they share the same second-level domain name, for example xxx.example.com and yyy.example.com, whose second-level domain name is example.com.
Login process:
- On login, generate the session and set the session ID in a cookie scoped to the second-level domain name (example.com).
- Every system under that second-level domain can read the cookie, so once the user has logged into one of them, the others require no further login.
Disadvantages:
- If the company has several second-level domain names, login-free access does not work between two different ones.
3. Different second-level domain names
The multiple system platforms have different second-level domain names, for example xxx.example.com, xxx.test.com and demo.com. Because the second-level domain names all differ, cookies cannot be read across them. There are many implementations; taking the CAS implementation as the example, an SSO Certification Authority service is needed to achieve single sign-on.
Login process:
- xxx.example.com: the user is not logged in, so the browser is redirected to the SSO service's unified login page, www.sso.com/login.
- The user enters the account and password; the SSO service creates a global session, sets the TGC in a cookie, appends the generated TGT as a parameter to the xxx.example.com URL, and redirects back to xxx.example.com.
- The xxx.example.com service uses the TGT parameter to obtain an ST (this extra step is mainly for security), then uses the ST to obtain the user information. The ST is one-time and becomes invalid after use. After verification, the service creates its own session and sets the session ID in its cookie.
- xxx.test.com: the service finds no cookie and redirects to the SSO service. The SSO service finds that the user is already logged in, generates a TGT parameter, adds it to the xxx.test.com URL and redirects back.
Logout process:
- Log off the current service's session, clear its cookie, and redirect to the SSO service's logout page.
- The SSO service logs off the global session and notifies the other services to destroy their sessions.
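The scenario-3 flow above as an added, runnable model (it is not CAS's code and not from the original article): an SSO server that holds global sessions (TGC), hands out TGTs, exchanges a TGT for a one-time ST, and notifies every service on global logout; two services with domain-scoped session cookies. The class and method names, the `"correct-horse"` password and the `cookies` dict standing in for the browser are all constructed for the example.

```python
import secrets

class SSOServer:
    # Added model of the SSO Certification Authority in scenario 3 (not CAS's own code).
    def __init__(self):
        self.global_sessions = {}  # TGC cookie value -> user
        self.tgts = {}             # TGT -> user (the article passes the TGT as a redirect parameter)
        self.sts = {}              # ST -> user, deleted on first validation (one-time)
        self.services = []         # services notified on global logout
    def _mint(self, store, user):
        ticket = secrets.token_urlsafe(16)  # unguessable ticket value
        store[ticket] = user
        return ticket

    def login(self, user, password):
        if password != "correct-horse":  # constructed check; real code verifies a password hash
            return None
        return self._mint(self.global_sessions, user)  # returned value is the TGC

    def issue_tgt(self, tgc):
        user = self.global_sessions.get(tgc)  # no global session: show the login page instead
        return None if user is None else self._mint(self.tgts, user)

    def issue_st(self, tgt):
        user = self.tgts.get(tgt)
        return None if user is None else self._mint(self.sts, user)

    def validate_st(self, st):
        return self.sts.pop(st, None)  # pop() makes a replayed ST fail

    def logout(self, tgc):
        self.global_sessions.pop(tgc, None)
        for svc in self.services:  # notify every service to destroy its local session
            svc.sessions.clear()
class Service:
    # One system platform, e.g. xxx.example.com, with its own domain-scoped session cookie.
    def __init__(self, domain, sso):
        self.domain, self.sso, self.sessions = domain, sso, {}
        sso.services.append(self)

    def request(self, cookies, tgt=None):
        # Returns the user, or "redirect:sso" when the browser must visit the SSO service first.
        user = self.sessions.get(cookies.get(self.domain))
        if user is None and tgt is not None:  # no local session: redeem the TGT for a one-time ST
            user = self.sso.validate_st(self.sso.issue_st(tgt))
            if user is not None:
                cookies[self.domain] = sid = secrets.token_urlsafe(16)
                self.sessions[sid] = user
        return user or "redirect:sso"
```

Walking a browser through both services shows the second service getting a TGT without a password prompt, a replayed ST being rejected, and both local sessions dying on global logout.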
The login page is not unified
Q: What if each system has its own login page and each system also has its own second-level domain name? A: Each system's service can call the SSO Certification Center to log in. After logging in, redirect to each of the different second-level domain names with the TGT parameter so that each of them can write its cookie. Logout likewise requires a redirect to each of these domain names. But if there are many second-level domain names, the user experience is very poor.