How does SSO (Single Sign On) work


Question

I'm trying to wrap my head around SSO. It's my understanding that SSO allows you to login once and get access to multiple apps (if you have rights). So, I log into App A. I establish a token. How does that token become available to App B so I do not have to login to App B again (assuming user has rights to A and B)? My Apps are AngularJs apps. I access .Net WebAPIs for data.

I can see if I login to App A and retrieve a token, then launch App B from App A by passing the token to App B. This way App B has the token and can send it to the server to make sure the user has access to B. However, if the user opens a browser directly and goes to App B, then how does their session get established with the existing token?

If the answer is there's session state on the back-end server, then how does session state match the user logged in to App A with the new request for App B?

Thanks.

Recommended answer

Well, there are certainly many ways to achieve it, and it can be tricky. I can give you one solution as an example:

Consider two apps on different subdomains:

The Fine Corinthian Turkey Shop (turkey.example.com)
Rent a Baboon (monkey.example.com)

These two web apps want to share sign-on, and arrange for a third hosted website for their single sign-on:

sso.example.com

So the flow is:

  1. Frank visits http://turkey.example.com/orders/12
  2. Turkey redirects to https://sso.example.com/login
  3. SSO presents the user with a login form, validates and issues a token
  4. The token is saved in a cookie on SSO.
  5. User is now validated on SSO, but needs to get the token back to Turkey.
  6. SSO stores a combination of (Guid, Token, Expiry) on the server, where Guid is a random guid and Expiry is something like 30 seconds.
  7. SSO sets a secure cookie on *.example.com containing the Guid
  8. SSO redirects back to http://turkey.example.com/orders/12
  9. Turkey can now retrieve the ticket from the cookie
  10. Turkey calls the SSO server and exchanges the ticket for the token.
  11. Turkey stores the token in the browser (typically a cookie)

Now let's imagine that Frank wants some nice juicy baboons to go with that turkey:

  1. Frank visits: http://monkey.example.com/order-in-bulk
  2. Monkey sees that Frank has no stored token and redirects to https://sso.example.com/login
  3. SSO sees that Frank is already logged in as he has a stored token.
  4. SSO stores a new (Guid, Token, Expiry) triple on the server
  5. The process is identical to the initial login the rest of the way
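To make the ticket exchange in the answer above concrete, here is an added simulation (not code from the answer or from any real SSO product) of the three parties: the browser's cookie jar, the hypothetical sso.example.com ticket store with its 30-second (Guid, Token, Expiry) entries, and an app that trades a ticket for the token. Tickets are single-use and expire; the second app visit reuses the SSO login without showing the form again.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

TICKET_TTL = 30  # seconds, matching "Expiry is something like 30 seconds" in the answer


@dataclass
class SsoServer:
    """Hypothetical sso.example.com: an SSO login cookie store plus a short-lived ticket store."""
    sessions: dict = field(default_factory=dict)  # SSO cookie value -> user token (steps 3-4)
    tickets: dict = field(default_factory=dict)   # guid -> (token, expiry) (step 6)

    def login(self, username: str) -> tuple[str, str]:
        """Step 3-4: credential check is stubbed; issue a token and an SSO-domain cookie."""
        token = f"token-for-{username}-{secrets.token_hex(4)}"
        sso_cookie = secrets.token_urlsafe(16)
        self.sessions[sso_cookie] = token
        return sso_cookie, token

    def issue_ticket(self, sso_cookie: str | None, now: float) -> str | None:
        """Step 6-7: for a browser logged in on SSO, mint a random guid ticket bound to the token."""
        token = self.sessions.get(sso_cookie)
        if token is None:
            return None
        guid = secrets.token_urlsafe(16)
        self.tickets[guid] = (token, now + TICKET_TTL)
        return guid

    def exchange_ticket(self, guid: str | None, now: float) -> str | None:
        """Step 10: the app trades the ticket for the token; single-use and rejected once expired."""
        entry = self.tickets.pop(guid, None)  # pop() consumes the ticket, so replay fails
        if entry is None:
            return None
        token, expiry = entry
        return token if now <= expiry else None


def visit(app: str, jar: dict, sso: SsoServer, now: float, user: str = "frank") -> str | None:
    """Steps 1-11 for one app visit. `jar` is the browser's cookie jar keyed by cookie domain."""
    if app in jar:                             # app already holds its own token cookie (step 11)
        return jar[app]
    sso_cookie = jar.get("sso.example.com")
    if sso_cookie not in sso.sessions:         # not logged in on SSO: show the login form
        sso_cookie, _ = sso.login(user)
        jar["sso.example.com"] = sso_cookie    # step 4
    jar["*.example.com"] = sso.issue_ticket(sso_cookie, now)    # step 7: guid cookie on *.example.com
    token = sso.exchange_ticket(jar.pop("*.example.com"), now)  # steps 9-10: app redeems the ticket
    if token is not None:
        jar[app] = token                       # step 11: app stores the token in its own cookie
    return token
```

Because the guid cookie is only a pointer into the server-side store, the app never has to trust the cookie value itself; the store decides whether the ticket is still valid and who it belongs to.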

