多个网站，单点登录的设计 [英] Multiple websites, Single sign-on design

问题描述

我有一个问题。客户端我最近做了一些工作的范围是不同的登录机制的网站。他正在慢慢迁移到单点登录机制为他的网站（全写在 asp.net MVC ）。

I have a question. A client I have been doing some work recently has a range of websites with different login mechanisms. He is looking to slowly migrate to a single sign-on mechanism for his websites (all written in asp.net mvc).

我在看我的选择这里，所以这里的要求清单：

I am looking at my options here, so here is a list of requirements:

1. 它是安全的（废话）


2. 它需要支持过和平常的名称上方，地址的东西额外的用户属性（如金钱或为用户学分）


3. 它为他提供便利的集中式用户管理web控制台（我的理解，这将是对任何设计方案我选择去顶级的小项目）


4. 它而不需要重新设计整个产品（我的理解，这取决于当前的产品实施），与现有的网站进行整合。


5. 它当他登记（为了他激活他的帐户）来处理电子邮件用户


6. 它处理激活的用户，当他点击激活我的邮件（我的理解是5和6需要某种形式的邮件模板系统来支持每个应用程序不同的电子邮件）
链接

我想建立一个库，窗体身份验证暴露所需的任何方法一起工作（如登录，注销，激活等和一个小RESTful服务，以实现从电子邮件激活，登记处理等。

I was thinking of creating a library working together with forms authentication that exposes whatever methods are required (e.g. login, logout, activate, etc. and a small restful service to implement activation from email, registration processing etc.

考虑到，事物的负载已经离开了，使这个问题简短扼要的帐户，这听起来像一个好的设计？

Taking into account that loads of things have been left out to make this question brief and to the point, does this sound like a good design?

不过，这看起来像一个非常普遍的问题，所以出现的arent任何现有的项目，我可以用？

But this looks like a very common problem so arent there any existing projects that I could use?

感谢您的阅读。

推荐答案

要实现基本的事情是，你不能鉴别使用跨多个域标准窗体身份验证的用户。例如，dev.google.com和www.google.com是不同的领域，如果一个用户登录到dev.google.com除非谷歌做一些特别的东西，使这个他不是自动登录到www.google.com。这是因为浏览器无法访问其他网站的cookie。

The basic thing to realize is that you can't authenticate a user using standard Forms Authentication across multiple domains. For example, dev.google.com and www.google.com are different domains and if a user signs into dev.google.com he isn't automatically signed into www.google.com unless Google does something special to enable this. This is because the browser can't access the cookies of another website.

要真正使工作跨域标志的唯一方法就是包括像在该网站检查，并设置用户的身份验证cookie中的URL的查询字符串的会话ID的密钥值。你或许可以在使用手动自定义的code的一个小一点做到通过您的网站。

The only way to really make the cross domain sign on work is to include a key value like a session ID in the query string of the URL that the website examines and sets the user's authentication cookie. You can probably do that manually through your site using a small bit of your own custom code.

例如： http://www.example.com/autoLogin.aspx?sessionid= 23232323

这种方法的危险是，虽然有人可以通过找出被用户使用的地址和检查会话ID欺骗用户会话。所以，你需要确保使用什么跨域认证用户的价值是时间sensative和动态。不要让用户的用户ID或用户名或类似的东西。

The danger of this approach though is that someone could spoof a user session by finding out the address that was used by the user and checking the session ID. So you need to make sure what the value used to authenticate the user across domains is time sensative and dynamic. Don't make it the user's user ID or username or something like that.

现在，如果网站是在同一个域，你可以给他们所有相同的machineKey，然后已经登录到一个网站，用户将不被注销时左右移动通过不同的网站在同一个域。

Now, if the sites are on the same domain you can give them all the same MachineKey and then a user already logged into one site won't be logged out when the move around through the different websites on the same domain.

这篇关于多个网站，单点登录的设计的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！