How to implement single sign on in .Net?


Problem description

What is the best solution to implement single sign on in a .net application? I have googled and found few solutions but I am not very convinced with those solutions.

User logs on website1 and then moves to website2. How will website2 know the user has logged in? I guess by passing some token in the URL which will be checked by website2 in the database for validity. That means I need to marshal all the URLs in website1 which take the user to website2?

Secondly, if the user continues to browse website2 for, say, 1 hour and then moves to website1. By that time the website1 session has timed out, so the user will see a login page, isn't it? But this behavior is wrong as per single sign on functionality.

Recommended answer

I think you're misunderstanding how single sign-on works.

Let's consider website1 and website2, which want to use single sign-on.

A login website is created at identityProvider. This is the only place where a logon screen appears.

When the user visits website1 and chooses to log in, website1 sends the user to the logon screen at identityProvider. The user logs onto identityProvider, which drops its own login cookie for its domain (and perhaps allows the user to save their authentication information so they're never prompted again). It then redirects the browser back to website1, including a token in the request which website1 cracks open, gets identity information from and performs its own login bits (dropping its own authentication cookie, which lasts for however long it wants).

Then the user visits website2 and selects logon. Website2 bounces the user to identityProvider, who already knows who the user is and, if the user has chosen to save their login information, silently authenticates and then redirects back to website2 with another token which website2 cracks open and then performs its own login bits.

There's a bunch of security around it, limiting tokens to particular websites, only allowing tokens to be sent to whitelisted web sites etc. etc.

So, to address your questions:

  1. User logs on website1 and then moves to website2. How will website2 know the user has logged in? It doesn't. website2 must first request authentication information from the single sign-on site.
  2. Does that mean I need to marshal all the URLs in website1 which lead to website2? No, unless you also set website1 up as an identity provider. Even then it's painful; if a token is needed, it's better to have website2 redirect back to the identity provider.
  3. Secondly, if the user continues to browse website2 for, say, 1 hour and then moves to website1. By that time the website1 session has timed out, so the user will see a login page, isn't it? - That depends on how you configure website1, and how long the authentication cookie lasts.
  4. But this behavior is wrong as per single sign-on functionality. No, it isn't. Single sign-on does not mean you get a floating token that is shared between sites. Every website that uses single sign-on still creates its own authentication cookie. What can happen is that if the user returns to website1, it detects the expired authentication cookie and sends the user to the single sign-on page again, where they are authenticated (silently) and a new token is pushed back to website1, which creates a new authentication cookie of its own.
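The flow the answer describes, as an added illustration that is not part of the original question or answer and is not .NET code: a language-neutral Python simulation in which one identity provider keeps the only logon screen, issues short-lived HMAC-signed tokens bound to a registered website and its whitelisted return URL, and each website cracks the token open and then drops its own cookie with a lifetime it chooses itself. The site names, URLs, credentials, the signing scheme (a per-website shared secret, standing in for the signed assertions a real WS-Federation, SAML or OpenID Connect deployment would use) and the simulated clock are all assumptions made for the example. `run_scenario()` replays the questioner's one-hour scenario and also shows what the checks refuse: a token minted for website2 presented to website1, and a return URL that is not on the whitelist.

```python
import hashlib
import hmac
import json
import secrets

class SsoError(Exception):
    pass

def rejected(action):
    # True if action() is refused by one of the SSO checks.
    try:
        action()
    except SsoError:
        return True
    return False

class IdentityProvider:
    """The only place a logon screen appears; issues short-lived, site-bound tokens."""

    def __init__(self, token_ttl=300, cookie_ttl=8 * 3600):
        self.token_ttl, self.cookie_ttl = token_ttl, cookie_ttl
        self.users = {"alice": "correct horse"}  # constructed credential store (assumption)
        self.clients = {}                        # client_id -> {"secret", "return_urls"}
        self.sessions = {}                       # IdP cookie value -> (user, expiry)

    def register_client(self, client_id, return_url):
        secret = secrets.token_bytes(32)         # one signing secret per website
        self.clients[client_id] = {"secret": secret, "return_urls": {return_url}}
        return secret

    def login(self, username, password, now):
        if self.users.get(username) != password:
            raise SsoError("bad credentials")
        cookie = secrets.token_urlsafe(16)       # the IdP's own cookie for its own domain
        self.sessions[cookie] = (username, now + self.cookie_ttl)
        return cookie

    def authorize(self, client_id, return_url, idp_cookie, now):
        """With a valid IdP cookie: silently authenticate and redirect back with a token.
        None means the logon screen would have to be shown."""
        client = self.clients.get(client_id)
        if client is None or return_url not in client["return_urls"]:
            raise SsoError("return URL is not whitelisted for this website")
        session = self.sessions.get(idp_cookie)
        if session is None or session[1] <= now:
            return None
        payload = {"sub": session[0], "aud": client_id, "exp": now + self.token_ttl}
        body = json.dumps(payload, sort_keys=True).encode().hex()
        sig = hmac.new(client["secret"], body.encode(), hashlib.sha256).hexdigest()
        return f"{return_url}?token={body}.{sig}"

class Website:
    """A relying website: cracks the token open, then drops its own cookie."""

    def __init__(self, client_id, return_url, cookie_ttl, idp):
        self.client_id, self.return_url, self.cookie_ttl = client_id, return_url, cookie_ttl
        self.idp, self.secret = idp, idp.register_client(client_id, return_url)
        self.cookie = None                       # (user, expiry) of this site's own cookie

    def logged_in_user(self, now):
        return self.cookie[0] if self.cookie and self.cookie[1] > now else None

    def handle_callback(self, redirect, now):
        body, sig = redirect.split("?token=", 1)[1].split(".", 1)
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise SsoError("token signature does not verify for this website")
        payload = json.loads(bytes.fromhex(body))
        if payload["aud"] != self.client_id or payload["exp"] <= now:
            raise SsoError("token is for another website or has expired")
        self.cookie = (payload["sub"], now + self.cookie_ttl)  # our own login bits
        return payload["sub"]

    def visit(self, idp_cookie, now):
        """User name if logged in (bouncing via the IdP when our cookie expired), else None."""
        user = self.logged_in_user(now)
        if user:
            return user
        redirect = self.idp.authorize(self.client_id, self.return_url, idp_cookie, now)
        return None if redirect is None else self.handle_callback(redirect, now)

def run_scenario():
    """Replays the questioner's scenario on a simulated clock (seconds)."""
    idp = IdentityProvider()
    site1 = Website("website1", "https://website1.example/sso", 30 * 60, idp)
    site2 = Website("website2", "https://website2.example/sso", 2 * 3600, idp)
    out = {"first_visit_prompts_logon": site1.visit(None, 0) is None}
    idp_cookie = idp.login("alice", "correct horse", 0)       # the only interactive logon
    out["site1_user"] = site1.visit(idp_cookie, 0)
    out["site2_silent_user"] = site2.visit(idp_cookie, 60)    # no logon screen shown
    later = 60 + 3600                                          # an hour browsing website2
    out["site1_cookie_expired"] = site1.logged_in_user(later) is None
    out["site1_after_hour"] = site1.visit(idp_cookie, later)  # silent re-auth, fresh cookie
    out["cross_site_token_rejected"] = rejected(lambda: site1.handle_callback(
        idp.authorize("website2", site2.return_url, idp_cookie, later), later))
    out["unregistered_return_url_rejected"] = rejected(lambda: idp.authorize(
        "website1", "https://not-registered.example/cb", idp_cookie, later))
    return out
```

Calling `run_scenario()` returns a dict in which website1's own 30-minute cookie has expired by the time the user comes back, yet the return visit still yields "alice" without a logon screen, because the identity provider's cookie is still valid and it silently issues a fresh token. Note that the websites never verify each other's tokens and never share a session; in a real .NET deployment these pieces are provided by the authentication middleware rather than by hand-written token code.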

