Shulou(Shulou.com)06/01 Report--

What is the principle of SSO login? I believe many inexperienced people don't know what to do about it. Therefore, this article summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Single Sign-on

SSO is a clich é topic, but some students may have a little knowledge of SSO. The SSO principle of the company is an attempt to provide you with a useful SSO principle in a simple and smooth form. According to my usual writing style, let's first talk about what is SSO and why we propose SSO.

SSO: in multiple systems, you only need to log in once to access other trusted applications, showing the actual scenario:

Enterprises deploy multiple website to form product suites or product matrices, while accounts are managed centrally.

Users can log in once and access web services under different domain names.

CAS

Today, we mainly talk about the implementation of SSO in different top domains, which leads to the principle of CAS. CAS official:

Https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html

Hand-drawn principle

The following figure describes the traditional authentication process elements and the authentication elements of the CAS protocol:

The CAS protocol is a simple and powerful ticket-based protocol developed specifically for CAS.

CAS Server is responsible for authenticating users and granting access to applications

CAS Clients protects the CAS project by retrieving the identity information of authorized users from CAS Server

Core concepts:

TGT (Ticket Granting Ticket), stored in CASTGC cookie, is responsible for the user's session in SSO

ST (Service ticket) is transmitted as a GET parameter in url to grant access to CASified applications to specific users on behalf of the CAS server.

Users visit website1 for the first time

① users need authentication to access website1,website1. Users are not currently logged in.

② website1 returns 302 redirect response to the client, and the client redirects to the SSO service page: www.sso-website.com?service= https://www.website1.com

# temporary jump. It is recommended to return 302 temporary redirection response by passing parameters false.

Context.Response.Redirect (ssoURL, false)

The user did not log in to the SSO system, so the SSO system will return to the login interface

③ users enter their account / password on the SSO landing page

If ④ is logged in successfully, SSO will write to cookie for sso [officially called CASTGT] on the client side and generate a 302 redirect response. The client will redirect to the original website1 address, and the request carries the ticket of SSO's successful authentication.

Http://www.website1.com?ticket=XXXX-OOOO-XXXX-OOOO

⑤ website1 receives the above redirection request, parses the ticket in QueryString, and makes a ticket verification to SSO; verification by writing the cookie for website1 of this site to the client

Step 5 above ⑥, the browser address will show: after the verification on this site, http://www.website1.com?ticket=XXXX-OOOO-XXXX-OOOO, will be redirected back to the business home page: www.website1.com.

Then the user accesses website2

① user accesses website2, and user is not authenticated in website2 domain; jump back to www.sso-website.com?service= https://www.website2.com

② SSO detects that the user has a Cookie for sso in the SSO domain and believes that the user has logged in, so he jumps back to website2. If so, the user will also carry the authentication ticket.

③ as above. If website2 receives a website2.com?ticket=XXXX-OOOO-XXXX-OOOO request, it will do SSO verification. If the verification is successful, it will be written to the Cookie for website2 of this site.

Focus on interpretation

Successful ① SSO authentication and written cookie for sso is the key to log in to other systems.

Why does ② website1 do SSO verification when it receives a redirect request initiated by SSO and parses the ticket=XXXX-OOOO-XXXX-OOOO?

Because the request with ticket received by website1 may be a forgery, it needs to be verified by SSO in website1.

The ③ standard CAS login process has three 302 client redirects, which are started twice by the website1 of the original site and once by SSO.

Is it theoretically possible for the process to be redirected by the server? If the watchman finds a loophole, he can reply in the comments section.

For ④ to log out of SSO, there are two things to do:

-initiate an api request to SSO to request SSO to delete the user's authentication cookie for sso under the SSO domain

-remove the cookie for website1 of this site

For each website of ⑤, at least the following sso configuration is required

"SsoOptions": {

"BaseAddress": "https://sso-cas.sso.com", / / Base address

"LoginPath": "/ login", / / sso login address

"LogoutPath": "/ api/logout", / / log out of the api address where sso logged in

"ValidateTGTPath": "/ api/validate", / / verify the api address of ticket

"UserInfoPath": "/ api/v2/userinfo" / / get the api address of the login user's information from sso

}, after reading the above, have you mastered the method of SSO login principle? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.