SSO form authentication


Problem description


Dear page,

I read many articles of page about SSO for cross-domain. They are very helpful and very nice, but I have a question: when the site www.domain1.com uses the account user1 for logging in and the site www.domain2.com uses the account user2, what happens when we refresh the site www.domain3.com? When two cookies are created, which cookie does the site domain3.com get, and why? Can you explain this for me?

Thank you for reading,

Best regards,

Jimmy

Recommended answer

I think you might be missing a piece of the puzzle. I'm going to generalize a bit here because you can write a book on this (in fact, people have!).

A critical component to implementing single sign-on (SSO) is the need for an SSO provider. There are many implementations for this (OAuth, OpenID, Facebook to name a few) and your application(s) will interact with this provider to authenticate the user. The way you authenticate the user will greatly depend on how the provider is implemented. There are RFC standards for things like OAuth, but people don't always adhere to the rules. :)

Typically, you will get back some sort of security token that is proof the user is authenticated. Now, you need to store that token to validate the user on subsequent requests. Typically, this is stored on the client side in the form of a cookie. This is where it gets fun. Depending on the provider, either you are setting the cookie or the provider's website is setting the cookie. I believe the way Facebook does theirs is they set the cookie and they provide a piece of JavaScript or a web part that allows your web page to recognize they are logged in and authenticated. You may need to double check that one.

The last piece of the puzzle is you don't want the SSO cookie to expire before the SSO token expires. This allows them to reuse the token regardless of how often your site deploys or is refreshed and all session data is lost.

So in a nutshell, the provider you are working with will dictate the rules of engagement when implementing SSO and authenticating the users. Going back to your question on which cookie domain3.com will use: the cookie that comes from the SSO provider. Where and how this is set is determined by the provider. I've personally worked with Microsoft's Active Directory Federation Services (ADFS), which is their SSO solution. ADFS set the cookie for us and our application simply made a call to the ADFS server with the returned token to validate the token was still good.

My next suggestion would be to select an SSO provider and research how it works. You can also go to your favorite site for buying books and search "single sign on" and find a lot of supplemental material.
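To make the two points in the answer concrete (cookies are scoped to the site that set them, so domain3.com never receives domain1.com's or domain2.com's cookie, and a site's session cookie must not outlive the provider's token), here is an added toy model that is not part of the answer above and not any real provider's code. The token format, the shared signing key, the domain names and the `sso_session` cookie name are all assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

# Assumed: the provider signs tokens with this key; relying parties never hold it in
# practice and instead ask the provider (e.g. an ADFS endpoint) to validate a token.
SECRET = b"provider-signing-key-demo"

def issue_token(user: str, now: int, ttl: int) -> str:
    """Provider side: sign {user, exp} so its validity can be checked later."""
    body = base64.urlsafe_b64encode(json.dumps({"user": user, "exp": now + ttl}).encode())
    return body.decode() + "." + hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def validate_token(token: str, now: int):
    """Provider-side validation: return the claims, or None if the signature is
    wrong or the token has expired (the 'call the server to check' step)."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None

def session_cookie(domain: str, token: str, now: int, max_age: int) -> dict:
    """Relying party: set its own cookie, capped so it cannot outlive the token."""
    claims = validate_token(token, now)
    if claims is None:
        return {}
    lifetime = min(max_age, claims["exp"] - now)  # cookie expiry <= token expiry
    return {"domain": domain, "name": "sso_session", "value": token, "max_age": lifetime}

def cookies_sent_to(jar: list, host: str) -> list:
    """Browser rule: a cookie goes only to the domain that set it (or a subdomain)."""
    return [c for c in jar if host == c["domain"] or host.endswith("." + c["domain"])]

def demo(now: int = 1_700_000_000) -> dict:
    # Constructed scenario from the question: user1 on domain1, user2 on domain2,
    # tokens valid for 600 s, each site asking for a 3600 s cookie.
    jar = [c for c in (
        session_cookie("www.domain1.com", issue_token("user1", now, 600), now, 3600),
        session_cookie("www.domain2.com", issue_token("user2", now, 600), now, 3600),
    ) if c]
    return {"domain3_sees": cookies_sent_to(jar, "www.domain3.com"),
            "domain1_cookie_max_age": jar[0]["max_age"]}
```

Running `demo()` shows domain3.com receives no cookie from the other two sites, so it must obtain the user's identity from the provider itself, and the 3600 s cookie request is cut down to the token's remaining 600 s.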

