Single sign-on (SSO) is part of identity management. It is commonly defined as follows: the same user accesses protected resources in several mutually trusting applications and needs to log in only once. That is, once the user has passed authentication in one application, the user does not need to log in again to access protected resources in the other applications.
In today's enterprise environment there are usually many application systems: an office automation (OA) system, a financial management system, a document management system, an information query system, and so on. These systems support the enterprise's informatization and bring real benefits, but using them is inconvenient. Every time a user uses a system, he or she must enter a user name and password, and because each system keeps its own user accounts, the user has to remember several sets of user names and passwords at once. The problem is most acute in enterprises that have many application systems and many users. Its cause is not a mistake in the development of any one system but a lack of overall planning: there is no unified user login platform. SSO technology solves these problems.
The main benefits of SSO are as follows:
(1) Convenient for users
A user logs in once and can then use every application system. Users no longer need to enter a user name and password each time, nor remember multiple sets of user names and passwords. A single sign-on platform therefore improves the user experience of the application systems.
(2) Convenient for administrators
The system administrator maintains only one unified set of user accounts, which is simple and convenient. Previously, administrators had to manage one set of user accounts per application system. That was not only inconvenient but also prone to management gaps, such as an account that is disabled in one system but left active in another.
(3) Simplify application system development
When a new application system is developed, it can use the authentication service of the single sign-on platform directly, which simplifies development. The platform provides unified authentication and implements single sign-on (SSO), so the application does not need its own user authentication code.
2. SSO implementation technologies
(1) Cookie-based. Points to note: a browser sends a cookie only to the domain that set it, so a session ID cannot simply be shared between two domain names. For cross-domain SSO the session ID has to be handed from one domain to the other (typically through a redirect that carries a one-time parameter) and a cookie set on each domain, with the session state itself kept in a shared store such as a database. Because the cookie is the credential, its security needs more consideration than usual: it should be integrity-protected and time-limited, and sent only over HTTPS with the HttpOnly attribute. So although cookies themselves are not cross-domain, cross-domain SSO can still be built on them.
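The following is an added example (not code from the original page) of the cookie-based approach for the simple case where all applications share one parent domain: the SSO server issues an HMAC-signed, expiring cookie scoped to the parent domain, each application verifies it without a round trip, and a small helper shows the browser's domain rule that makes a separate handoff necessary for a different domain. The key, domain names and user name are invented for illustration.

```python
"""Cookie-based SSO: one signed, expiring session cookie shared by every application
under a parent domain. Added example, not code from the page; the key, domain
names and user name are invented for illustration."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SSO_KEY = b"example-sso-key-replace-in-production"   # assumed: shared by the SSO server and every app
COOKIE_DOMAIN = ".example.com"                        # cookie is sent to every *.example.com host

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(user, ttl=3600, now=None):
    """Cookie value = base64(payload) '.' base64(HMAC-SHA256(payload)); the MAC stops a
    user editing the 'sub' claim, the 'exp' claim bounds how long a stolen cookie works."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + ttl, "sid": secrets.token_hex(8)},
                         separators=(",", ":")).encode()
    tag = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def set_cookie_header(value):
    """Set-Cookie line the SSO server sends: Domain shares it across sub-domains, Secure keeps
    it off plaintext HTTP, HttpOnly keeps it away from page scripts."""
    return (f"Set-Cookie: sso_session={value}; Domain={COOKIE_DOMAIN}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")

def verify_cookie(value, now=None):
    """Each application calls this on every request: user name if authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = value.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time, checked before parsing
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["sub"]

def cookie_applies(cookie_domain, host):
    """Simplified browser rule: a Domain=.example.com cookie goes to example.com and its
    sub-domains, never to another registrable domain; this is why the cookie alone cannot
    carry SSO to app.example.org and a redirect-based handoff is needed there."""
    d = cookie_domain.lstrip(".")
    return host == d or host.endswith("." + d)
```

The payload is authenticated before it is parsed, so a cookie with a forged `sub` claim is rejected even though the attacker could read the format. If the session state must be shared across truly different domains, the same signed value can be carried once through a redirect parameter and then re-set as a cookie on the second domain.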
(2) Broker-based, such as Kerberos.
This technology features a central authentication and user account management server. After authenticating the user, the broker issues an electronic credential (a ticket) that is used for subsequent requests, so individual services never handle the user's password. The central database reduces administration cost and provides a neutral, independent "third party" for authentication. Examples include Kerberos, SESAME and IBM KryptoKnight (the credential library idea).
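As an added example (not code from the page or from any Kerberos implementation), the exchange below plays out the three Kerberos-style steps in one process: the client authenticates to the broker once (AS exchange), obtains a ticket for a service from the broker (TGS exchange), and presents it to the service (AP exchange). Each ticket is sealed under the key of the party that must read it, so the service ticket can only be opened with the service's own key. The principal names, keys and the toy stream cipher are illustrative; real Kerberos uses AES-based encryption types.

```python
"""Broker-based SSO in the Kerberos style: a central server (the KDC) holds every
principal's key and hands out tickets, so the client never learns a service's key and
the service never sees the user's password. Added example, not code from the page or
from any Kerberos implementation; principals, keys and the toy cipher are illustrative."""
import hashlib
import hmac
import json
import secrets

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption (XOR with SHA-256 keystream, then HMAC); real Kerberos uses AES."""
    nonce, pt = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check_auth(auth, ticket, now):
    # authenticator must name the ticket's user and be fresh (5-minute clock skew)
    if auth["user"] != ticket["user"] or abs(auth["ts"] - now) > 300:
        raise ValueError("authenticator mismatch or stale")

class KDC:
    """Authentication Server + Ticket-Granting Server over one central key database."""
    def __init__(self, keys):
        self.keys = keys                          # principal name -> long-term key
        self.tgs_key = secrets.token_bytes(32)    # key that protects TGTs

    def as_exchange(self, user, now):
        """AS-REQ/AS-REP: TGT sealed for the TGS, session key sealed for the user."""
        sk = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": now + 8 * 3600})
        return tgt, seal(self.keys[user], {"sk": sk})

    def tgs_exchange(self, tgt, auth, service, now):
        """TGS-REQ/TGS-REP: issue a ticket sealed with the *service's* key."""
        t = unseal(self.tgs_key, tgt)
        if t["exp"] <= now:
            raise ValueError("TGT expired")
        _check_auth(unseal(bytes.fromhex(t["sk"]), auth), t, now)
        ssk = secrets.token_bytes(32).hex()
        st = seal(self.keys[service], {"user": t["user"], "sk": ssk, "exp": now + 3600})
        return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk, "service": service})

class Client:
    def __init__(self, user, password):
        self.user, self.key = user, hashlib.sha256(password.encode()).digest()  # toy string-to-key

    def login(self, kdc, now):
        self.tgt, rep = kdc.as_exchange(self.user, now)
        self.sk = bytes.fromhex(unseal(self.key, rep)["sk"])   # wrong password -> ValueError

    def get_service_ticket(self, kdc, service, now):
        auth = seal(self.sk, {"user": self.user, "ts": now})
        st, rep = kdc.tgs_exchange(self.tgt, auth, service, now)
        ssk = bytes.fromhex(unseal(self.sk, rep)["sk"])
        return st, seal(ssk, {"user": self.user, "ts": now})   # AP-REQ: ticket + authenticator

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()

    def accept(self, st, auth, now):
        """AP-REQ handling: decrypt the ticket with our own key; check expiry, authenticator, replay."""
        t = unseal(self.key, st)
        if t["exp"] <= now:
            raise ValueError("service ticket expired")
        a = unseal(bytes.fromhex(t["sk"]), auth)
        _check_auth(a, t, now)
        if (a["user"], a["ts"]) in self.seen:                  # replay cache
            raise ValueError("replayed authenticator")
        self.seen.add((a["user"], a["ts"]))
        return t["user"]

def _rejected(fn):
    try: fn()
    except ValueError: return True
    return False

def run_demo(now=1_000_000):
    """One full login + service access, plus three failure cases; returns the outcomes."""
    fs_key = hashlib.sha256(b"fileserver-key").digest()
    kdc = KDC({"alice": hashlib.sha256(b"correct horse").digest(), "fileserver": fs_key})
    fileserver, mailserver = Service(fs_key), Service(secrets.token_bytes(32))
    alice = Client("alice", "correct horse")
    alice.login(kdc, now)
    st, auth = alice.get_service_ticket(kdc, "fileserver", now)
    return {
        "user": fileserver.accept(st, auth, now),
        "replay_rejected": _rejected(lambda: fileserver.accept(st, auth, now + 1)),
        "wrong_service_rejected": _rejected(lambda: mailserver.accept(st, auth, now)),
        "wrong_password_rejected": _rejected(lambda: Client("alice", "wrong").login(kdc, now)),
    }
```

Calling `run_demo()` performs the whole exchange. Note that the broker never checks the password itself: the AS reply is sealed under the user's key, so a wrong password simply fails to open it, and the per-service replay cache is what turns the time-limited authenticator into a one-shot proof.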
(3)Agent-based
In this solution an agent automatically authenticates the user to the different applications. The agent has to be designed with the appropriate functions; for example, it can use a password table or encryption keys to take the burden of authentication off the user. The agent sits on the server side and acts as a "translator" between the server's authentication system and the client's authentication methods. An example is ssh-agent, which holds a user's private keys and answers the authentication challenge for each new SSH connection.
(4) Token-based, such as SecurID and WebID.
The user holds a token that produces a one-time credential (a SecurID token, for example, generates a time-synchronous code), so a credential captured in transit cannot be reused. The ordinary password authentication still widely used for FTP and mail server logins is the simplest form of this idea, one credential reused across many applications, but it is easy to deploy precisely because the password is static and therefore lacks the token's protection.
(5) Gateway-based
A combination of the agent-based and broker-based approaches; not described further here.
(6) Based on the Security Assertion Markup Language (SAML). The emergence of SAML greatly simplified SSO, and it is approved by OASIS as a standard for implementing SSO. The open-source OpenSAML project implements the SAML specification and can be found at http://www.opensaml.org.
3. Sun SSO technology
Sun's SSO technology is an integral part of the Sun Java System Access Manager product.
Sun's identity management products include Sun Java System Identity Manager, Sun Java System Directory Server Enterprise Edition, and Sun Java System Access Manager.
These three form the Sun Java Identity Management Suite, which together with the Sun Java Application Platform Suite, Sun Java Availability Suite, Sun Java Communications Suite and Sun Java Web Infrastructure Suite makes up the Java Enterprise System (JavaES).
The suite provides end-to-end identity management and interoperates with more than 60 third-party resources and technologies. The integration components can be downloaded from Sun's web site and are typically delivered as agent software, which makes it one of the more integrated and open identity management solutions in the industry.
Among Sun's identity management products, Sun Java System Access Manager is an important part of the foundation. Access Manager is built on the J2EE architecture, uses standard APIs, and is scalable, reliable and highly available. Applications are deployed in servlet containers, can be distributed, are easy to deploy, and have a low total cost of ownership (TCO).
Sun Java System Access Manager provides a scalable security model for all Web-based applications through a centralized authentication point, role-based access control, and SSO. It simplifies information exchange and transactions while protecting privacy and the security of sensitive identity information.
4. CAS Introduction
Central Authentication Service (CAS) is a single sign-on (SSO) system developed at Yale University. It is widely used, platform-independent, easy to understand, and supports proxy authentication. CAS has been deployed at many universities, including Yale University, the University of California, the University of Cambridge and the Hong Kong University of Science and Technology.
The Spring Framework's Acegi security system supports CAS and provides an easy-to-use integration.
Acegi Security, a security framework for the Spring Framework, integrates seamlessly with the popular Web containers.
It provides authentication and security services in the Spring style, using bean contexts, interceptors and interface-oriented programming. As a result, Acegi can be adapted to complex security requirements with little effort.
Acegi is widely used in China and abroad and has an active community.
CAS design objectives
(1) Provide a single sign-on infrastructure for multiple Web applications, and extend single sign-on to non-Web applications that have a Web front end;
(2) Simplify the user authentication process;
(3) Centralize user authentication in a single Web application, so that users have fewer passwords to manage, which improves security, and so that when the authentication business logic has to change, the code does not have to be changed in every application.
CAS implementation principle
The Central Authentication Server (CAS) is designed as an independent Web application. Its principle is simple.
CAS creates a long random number, the ticket, and associates it with the successfully logged-in user and the service the user is accessing. For example, when user PEon is redirected to service S, CAS creates ticket T, which allows PEon to access service S.
The ticket is a one-time credential: it is valid only for PEon and service S, can be used once, and then expires immediately. Once the ticket has been validated, CAS deletes it so that it cannot be used again; this is what makes it safe to pass through the browser.
After an ST has been validated, deleteTicket(ticketId) removes the one-off ST; for a TGT or PT, resetTimer(ticketId) refreshes the ticket's timer instead. Only the user name can be obtained from an ST validated by the CAS server.
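The following is an added example, not CAS's own code, that models the ticket lifecycle described above: a ticket-granting ticket (TGT) is minted at login and referenced from the browser's cookie, each service gets a short-lived service ticket (ST) that is bound to that service URL and consumed on first validation, and a validated service can obtain a proxy-granting ticket (PGT) from which proxy tickets (PT) for back-end services are minted. The registry method names, ticket formats, timeouts and URLs are illustrative.

```python
"""CAS-style ticket lifecycle: a ticket-granting ticket (TGT) kept on the CAS server
and referenced from the browser's cookie, one-time service tickets (ST) bound to a
single service, and proxy tickets (PT) for a service acting on the user's behalf.
Added example, not CAS's own code; the registry method names, ticket formats,
timeouts and URLs are illustrative."""
import secrets

class Ticket:
    def __init__(self, tid, kind, user, ttl, now, service=None, parent=None):
        self.id, self.kind, self.user = tid, kind, user
        self.service, self.parent = service, parent     # parent: TGT/PGT this was minted from
        self.ttl, self.last_used = ttl, now

    def expired(self, now):
        return now - self.last_used > self.ttl

class TicketRegistry:
    """In-memory registry; CAS lets this be swapped for a shared/distributed store."""
    def __init__(self):
        self.tickets = {}

    def add_ticket(self, t):
        self.tickets[t.id] = t

    def get_ticket(self, tid):
        return self.tickets.get(tid)

    def delete_ticket(self, tid):
        self.tickets.pop(tid, None)

    def reset_timer(self, tid, now):      # sliding expiry for granting tickets
        self.tickets[tid].last_used = now

class CASServer:
    TGT_TTL, ST_TTL = 2 * 3600, 10        # seconds; an ST must be validated within seconds

    def __init__(self):
        self.registry = TicketRegistry()

    def _new_id(self, prefix):
        return f"{prefix}-{secrets.token_urlsafe(32)}"    # long, unguessable random value

    def login(self, user, now):
        """Primary authentication succeeded: mint a TGT; its id is what the CASTGC cookie holds."""
        tgt = Ticket(self._new_id("TGT"), "TGT", user, self.TGT_TTL, now)
        self.registry.add_ticket(tgt)
        return tgt.id

    def grant_service_ticket(self, granting_id, service, now, kind="ST"):
        """Browser shows its TGT cookie at /login?service=S (or a service shows a PGT):
        mint a one-time ticket for exactly that service, or None if the user must log in again."""
        g = self.registry.get_ticket(granting_id)
        if g is None or g.kind not in ("TGT", "PGT") or g.expired(now):
            self.registry.delete_ticket(granting_id)
            return None
        self.registry.reset_timer(granting_id, now)
        st = Ticket(self._new_id(kind), kind, g.user, self.ST_TTL, now, service=service, parent=g.id)
        self.registry.add_ticket(st)
        return st.id

    def grant_proxy_ticket(self, pgt_id, target_service, now):
        """A service holding a PGT asks for a PT to call target_service as the user."""
        return self.grant_service_ticket(pgt_id, target_service, now, kind="PT")

    def validate(self, ticket_id, service, now, proxy=False):
        """/serviceValidate: the service presents the ticket it received. The ticket is
        consumed on first use, whether or not validation succeeds, so it can never be
        replayed. Returns (user name, PGT id or None) on success, None on failure."""
        st = self.registry.get_ticket(ticket_id)
        self.registry.delete_ticket(ticket_id)
        if st is None or st.kind not in ("ST", "PT") or st.expired(now) or st.service != service:
            return None
        pgt_id = None
        if proxy:                          # service supplied a pgtUrl and wants to proxy
            pgt = Ticket(self._new_id("PGT"), "PGT", st.user, self.TGT_TTL, now, parent=st.parent)
            self.registry.add_ticket(pgt)
            pgt_id = pgt.id
        return st.user, pgt_id
```

Two details matter for security here: the ticket is deleted before its checks run, so a ticket minted for one service and presented by another is burned rather than left for a second attempt, and the TGT's timer is only reset when it is actually used, so an idle browser session still expires.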
In addition, CAS 3.0 has been released; the latest version at the time of writing is 3.03. Hopefully CAS 3.0 brings some new capabilities while remaining backward compatible.