Single sign-on SSO means that in multiple application systems, users only need to log in once to access all mutually trusted application systems. It is one of the solutions for enterprise business integration. Its advantages: 1. Improve User efficiency; 2. Improve developer efficiency; 3. Simplify management.
#In the very early days of the company, a company might only have one Server, but gradually the number of Servers began to increase. Each Server must be registered and logged in, and when logging out, one must log out one by one. The user experience is very bad! You can imagine that going to Douban and logging into Douban FM, Douban Reading, Douban Movies, Douban Diary... it will really make people collapse. We want another login experience: a company's services only require one registration, one login when logging in, and one logout when logging out. How to do it?
One registration. It’s not difficult to register once. Think about it, is it just a matter of synchronizing user information between servers? Yes, but this description is not complete. We will explain it in detail later when we talk about user registration. In fact, the management of user information is the real difficulty of SSO. But as beginners, our difficulty lies in the technology to implement SSO! Let’s discuss the means of implementation first.
One login and one logout. Looking back at the story of ordinary shopping malls, what is the key thing to keep logged in? Recorder(session)? That kind of paper called a cookie? The ID written on the paper? It is the information recorded in the session and the ID. Cookies are not just a tool for recording IDs. The client holds the ID and the server holds the session, and both are used together to maintain the login status. The client needs to use the ID as a credential, and the server needs to use the session to verify the validity of the ID (the ID may have expired, it may be forged at all and the corresponding information cannot be found, the client corresponding to the ID has not yet performed login verification, etc. ). However, the session is unique to each server at the beginning. Douban FM has its own session, Douban Reading has its own session, and the cookie that records the ID cannot be cross-domain. Therefore, if we want to log in and log out once, we only need to find a way to let each server share the same session information so that the client can hold this ID under each domain name. Going further, as long as each server gets the same ID, there is a way to check the validity of the ID and get the user information corresponding to the ID, that is, it can check the ID;
Single sign-on implementation method
server side
Based on how the server group generates and verifies IDs, it is roughly divided into two types:
"Shared Cookie" This is For the method of sharing session mentioned above, I think it is better to call it "shared session". In essence, cookie is just a medium for storing session-id, and session-id can also be placed in the URL of each request. It is said that this method is unsafe, so I didn’t go into it in details. Can anyone recommend some relevant information? I will add it later. In fact, it is. After all, the session mechanism is one server for each session from the beginning. It is indeed a bit strange to take out the session and let all servers share it.
SSO-Token method Because the method of sharing session is not secure, we no longer use session-id as the identity identifier. We generate another identifier and name it SSO-Token (or Ticket). This identifier is unique to the entire server group, and all server groups can verify the token and obtain the information of the user behind the token. . What we are going to discuss is also this way, and the specific flow chart will be shown later.
Browser side
There is a very critical step in single sign-on. This step has nothing to do with the way of verifying the token on the server side. The earliest "shared session" method is still the current "token" " method, the identity identifier will face such a problem on the browser side: after the user successfully logs in and gets the token (or session-id), how can the browser store and share it to other domain names? The same domain name is very simple. Store the token in the cookie and set the cookie path to the top-level domain name so that all subdomains can read the token in the cookie. This is how to share cookies (this is called shared cookies, the one above should be called shared session). For example: Google, google.com is its top-level domain name, mail.google.com for email services and map.google.com for map services are both its subdomains. But what should we do when going cross-domain? Google also has a domain name, youtube.com, which provides video services.
Recommended tutorial: "PHP"
The above is the detailed content of What does single sign-on mean?. For more information, please follow other related articles on the PHP Chinese website!
如何使用PHP实现高效稳定的SSO单点登录Oct 15, 2023 pm 02:49 PM如何使用PHP实现高效稳定的SSO单点登录引言:随着互联网应用的普及,用户面临着大量的注册和登录过程。为了提高用户体验,并减少用户的注册和登录间隔,许多网站和应用开始采用单点登录(SingleSign-On,简称SSO)技术。本文将介绍如何使用PHP实现高效稳定的SSO单点登录,并提供具体的代码示例。一、SSO单点登录原理SSO单点登录是一种身份认证的解决
PHP中的OAuth:构建一个多平台SSO解决方案Jul 28, 2023 pm 09:38 PMPHP中的OAuth:构建一个多平台SSO解决方案随着互联网的快速发展,人们在多个平台中使用各种应用程序已成为常态。这就带来了一个问题:如何实现在不同平台间的单点登录(SSO)?OAuth(开放授权)成为了解决这个问题的优秀选择。OAuth是一个开放标准,允许用户在不共享他们的凭据的情况下,授权第三方应用程序访问他们的互联网资源。OAuth可以用来构建一个多
探讨PHP SSO单点登录的安全性与漏洞防范Oct 15, 2023 pm 02:36 PMPHPSSO单点登录的安全性与漏洞防范一、介绍随着互联网的发展,越来越多的网站实现了用户身份验证功能。但是,用户每次登录不同的网站都需要输入账号和密码,既不方便又容易遗忘。为了解决这个问题,单点登录(SingleSign-On,简称SSO)应运而生。SSO是一种解决多个网站用户身份认证的解决方案,用户只需要登录一次,即可在其他网站上实现无缝访问。二、PH
聊聊基于Node实现单点登录(SSO)的方法Dec 06, 2022 pm 07:49 PM什么是单点登录?原理是什么?怎么实现?下面本篇文章带大家了解一下单点登录,并聊聊使用Node实现单点登录SSO的方法,希望对大家有所帮助!
基于Swoole的SSO单点登录系统设计实践Jun 14, 2023 pm 04:08 PM随着互联网的高速发展,越来越多的网站和应用需要实现用户单点登录(SingleSign-On,SSO)功能,以提供更加便捷和安全的用户体验。在此背景下,基于Swoole的SSO单点登录系统逐渐成为了业界关注的热点。本文将为大家介绍如何设计实现一个基于Swoole的SSO单点登录系统。一、SSO单点登录系统设计思路SSO单点登录系统目的是实现用户在一个系统中登
Java JAASの最新のベストプラクティスFeb 23, 2024 pm 10:52 PM一、JAAS概述JavaJAAS(JavaAuthenticationandAuthorizationService)是一个用于多系统单点登录(SSO)集成、基于角色的访问控制(RBAC)和授权管理的框架。JAAS允许应用程序保护对数据或资源的访问,并定义访问控制机制。二、JAAS最新最佳实践1.使用JAAS进行身份验证JAAS提供两种主要的身份验证方法:基于令牌的身份验证:此方法使用令牌(例如,用户名和密码)来验证用户身份。基于认证的身份验证:此方法使用认证(例如,数字证书)来验证用户身份。2
PHP SSO单点登录在多系统集成中的实际应用案例Oct 15, 2023 am 11:45 AMPHPSSO单点登录在多系统集成中的实际应用案例引言:随着互联网的快速发展和用户需求的增长,越来越多的网站和应用程序需要实现用户单点登录(SSO)功能。PHP作为一种广泛应用的服务器端脚本语言,具有灵活、简单和易于集成的特点,成为了许多开发者选择的首选。本文将介绍一个基于PHP的单点登录解决方案,并通过实际案例来演示其在多系统集成中的应用。一、什么是单点登
深入理解PHP SSO单点登录的工作原理和技术机制Oct 15, 2023 am 09:19 AM深入理解PHPSSO单点登录的工作原理和技术机制随着互联网的快速发展,各种网站和应用的数量也日益增多。用户为了访问不同的网站和应用,需要分别注册不同的账号和密码,给用户带来了不便和烦恼。为了解决这个问题,单点登录(SingleSign-On,SSO)应运而生。SSO是一种授权认证系统,在用户登录成功后,可以实现用户在多个系统中的无缝访问。本文将深入理解P
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Dreamweaver Mac version
Visual web development tools
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
SublimeText3 Chinese version
Chinese version, very easy to use
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
