What is Single Sign-On?
Single sign-on (SSO) is one of the more popular enterprise business integration solutions. SSO means that, across multiple application systems, a user only needs to log in once to access every application system that trusts the same login.
- In the early days a company might have had only one server; gradually the number of servers grew. Registering and logging in on each server separately, and logging out of each one by one, is a bad user experience. Imagine having to log in separately to Douban FM, Douban Reading, Douban Movie and Douban Diary on Douban ... it drives people mad. We want a different login experience: the services under one enterprise need only one registration, one login, and one logout. How do we do it?
- Register once. Registering once is not hard in itself: as long as the servers synchronize user information? Yes, but that description is incomplete; I will explain it in detail later when discussing user registration. In fact, managing user information is the real difficulty of SSO. For beginners, though, the difficulty lies in the SSO technique itself, so let's discuss the means of implementation first.
- One login and one logout. Looking back at the story of the ordinary online mall, what is the key to staying logged in? The record keeper is the session, and the slip of paper the client carries is the cookie; the ID written on that paper is the key under which the session stores the information (cookies are not only a tool for carrying IDs, but that is the role they play here). The client holds the ID and the server holds the session, and together they keep the login state. The client presents the ID as its credential, and the server uses the session to verify that the ID is valid (the ID may have expired, may not exist at all, may have no corresponding data, or the client that presented it may not have completed login verification yet, and so on). But a session is at first private to each server: Douban FM has its own session, Douban Reading has its own session, and the cookie that carries the ID cannot cross domains. Therefore, to achieve one login and one logout, we need a way for every server to share one session's information, so that the client can hold this ID under each domain name. Then, as long as each server gets the same ID, it has a way to check the validity of the ID and obtain the user information corresponding to it; in other words, every server can check the ID [1]
- Typically, when a user accesses an application system for the first time, they are not yet logged in, so they are redirected to the login page (the central authentication system) to log in.
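The mechanism above (one global session held by a central authentication server, a per-domain cookie for each application, and every application checking the ID against the center) in runnable form. This is an added example, not code from the original post: the hosts, the in-memory stores and the `alice` user database are constructed assumptions, and the ticket exchange stands in for the redirects a browser would follow.

```python
"""Toy SSO: one central session, separate cookies per application domain.

Added example (not from the original post). Hosts, the user table and the
in-memory stores are assumptions; real systems use a shared DB/Redis and TLS.
"""
import secrets
import time

SSO_HOST = "sso.example.com"          # assumption: the authentication center
USERS = {"alice": "correct horse"}    # constructed user database


class Browser:
    """Cookies are kept per host: a cookie never crosses domains."""
    def __init__(self):
        self.cookies = {}             # host -> {name: value}

    def get(self, host, name):
        return self.cookies.get(host, {}).get(name)

    def set(self, host, name, value):
        self.cookies.setdefault(host, {})[name] = value

    def clear(self, host, name):
        self.cookies.get(host, {}).pop(name, None)


class AuthCenter:
    """Owns the global session and issues one-time, short-lived service tickets."""
    TICKET_TTL = 30                   # seconds a ticket stays redeemable

    def __init__(self):
        self.global_sessions = {}     # global session id -> username
        self.tickets = {}             # ticket -> (username, app_host, issued_at)
        self.apps = []                # applications to notify on single logout

    def register(self, app):
        self.apps.append(app)

    def login(self, browser, username, password):
        if USERS.get(username) != password:
            return False
        gsid = secrets.token_urlsafe(32)
        self.global_sessions[gsid] = username
        browser.set(SSO_HOST, "GSID", gsid)   # cookie only for the SSO domain
        return True

    def ticket_for(self, browser, app_host):
        """Browser arrives at the SSO with service=app_host; None means 'show login'."""
        user = self.global_sessions.get(browser.get(SSO_HOST, "GSID"))
        if user is None:
            return None
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = (user, app_host, time.time())
        return ticket

    def validate(self, ticket, app_host):
        """Server-to-server check by the app. The ticket is consumed on first use."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        user, bound_host, issued = entry
        if bound_host != app_host or time.time() - issued > self.TICKET_TTL:
            return None               # wrong service or expired: reject
        return user

    def logout(self, browser):
        """One logout: drop the global session and every app's local session."""
        self.global_sessions.pop(browser.get(SSO_HOST, "GSID"), None)
        browser.clear(SSO_HOST, "GSID")
        for app in self.apps:
            app.logout(browser)


class App:
    """One application system with its own local session and its own cookie."""
    def __init__(self, host, sso):
        self.host, self.sso = host, sso
        self.sessions = {}            # local session id -> username
        sso.register(self)

    def whoami(self, browser):
        return self.sessions.get(browser.get(self.host, "SID"))

    def visit(self, browser):
        """Local session if valid; otherwise go through the SSO and redeem a ticket."""
        user = self.whoami(browser)
        if user:
            return user
        ticket = self.sso.ticket_for(browser, self.host)
        if ticket is None:
            return None               # user must log in at the SSO first
        user = self.sso.validate(ticket, self.host)   # never trust the ticket unchecked
        if user is None:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        browser.set(self.host, "SID", sid)            # cookie scoped to this app's domain
        return user

    def logout(self, browser):
        # Server side is what matters: a stale SID cookie then points at nothing.
        self.sessions.pop(browser.get(self.host, "SID"), None)


def demo():
    sso = AuthCenter()
    fm, read = App("fm.example.com", sso), App("read.example.com", sso)
    b = Browser()
    before = fm.visit(b)                              # None: not logged in anywhere
    sso.login(b, "alice", "correct horse")            # one login
    fm_user, read_user = fm.visit(b), read.visit(b)   # both apps accept, no second login
    sso.logout(b)                                     # one logout
    return before, fm_user, read_user, (fm.whoami(b), read.whoami(b))


if __name__ == "__main__":
    print(demo())
```

The two points worth noting are that each application never trusts the ticket it received from the browser but asks the authentication center whether it is valid, bound to this service and still fresh, and that the ticket is deleted on first use, so a replayed or leaked ticket is worthless.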
Advantages of SSO
- 1) Improves user efficiency.
- Users are no longer troubled by multiple logins and do not need to remember multiple IDs and passwords. It also reduces how often users forget passwords and turn to support staff.
- 2) Improves developer efficiency.
- SSO gives developers a common authentication framework. If the SSO mechanism is independent, developers need not implement authentication themselves: once the SSO component has verified the login and attached the identity to the request, the application can treat the user as authenticated. The application must still make sure the identity really was asserted by the SSO system (for example by validating the ticket or token it received) rather than trusting a bare username supplied by the client.
- 3) Simplifies management.
- If the applications use a single sign-on protocol, the burden of managing user accounts is reduced. How much it is simplified depends on the application, because SSO only handles authentication; the application may still need to maintain its own user attributes (such as access privileges).
Disadvantages of SSO
- 1) Makes refactoring harder.
- Because many systems are involved, any rebuild must stay compatible with all of them, which can be time consuming.
- 2) Unattended desktops.
- Because a single login grants access to every authorized application system, an unattended logged-in session exposes all of them at once, which may lead to the leakage of important information.