
Architecture Interview Scenario Question: How to Implement Single Sign-On (SSO)

2024-07-12


Overview

Single Sign-On (SSO) is an authentication mechanism that lets a user log in once, with a single set of credentials, and then access every application or service they are authorized to use without authenticating again.

Cookie-based

A session cookie is set on the parent domain (a cookie whose Domain attribute is the main domain name), and every subdomain can read that cookie to identify the user.
This method works for SSO between subdomains of the same parent domain; it does not work across different primary domains.
Advantages: simple to implement; suitable for multiple subdomains under one parent domain.
Disadvantages: not usable across primary domains; less secure, since the shared cookie is exposed to man-in-the-middle and cross-site scripting (XSS) attacks.
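The parent-domain scheme in working form, as an added example that is not part of the original article: the login host issues an HMAC-signed cookie scoped to the parent domain with the attributes that blunt the two attacks named above (Secure against plaintext interception, HttpOnly against script theft), a subdomain application verifies it, and an RFC 6265 domain-match check shows why the cookie never reaches a different primary domain. The domain `example.com`, the cookie name and the signing key are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed values for the demo: the parent domain shared by every subdomain,
# and a signing key that in production would come from a secret store.
PARENT_DOMAIN = "example.com"
SECRET_KEY = b"demo-only-cookie-signing-key"
COOKIE_NAME = "sso_session"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64url(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def issue_session_cookie(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Build the Set-Cookie header the login host sends after a successful login.

    The cookie is scoped to the parent domain so every *.example.com host receives it,
    and its value is HMAC-signed so a subdomain can trust the user it names.
    """
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{exp}".encode()
    jar = SimpleCookie()
    jar[COOKIE_NAME] = _b64url(payload) + "." + _sign(payload)
    morsel = jar[COOKIE_NAME]
    morsel["domain"] = PARENT_DOMAIN  # shared across subdomains, the point of this scheme
    morsel["path"] = "/"
    morsel["max-age"] = ttl
    morsel["secure"] = True           # only sent over HTTPS: limits man-in-the-middle exposure
    morsel["httponly"] = True         # not readable from page scripts: limits theft via XSS
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def read_session_cookie(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """A subdomain application parses the Cookie request header and returns the user, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    try:
        body, sig = jar[COOKIE_NAME].value.split(".", 1)
        payload = _b64url_decode(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # forged or tampered value
    user, exp = payload.decode().rsplit("|", 1)
    if (time.time() if now is None else now) >= int(exp):
        return None  # expired
    return user


def cookie_domain_matches(request_host: str, cookie_domain: str = PARENT_DOMAIN) -> bool:
    """RFC 6265 domain matching: the browser attaches the cookie only to hosts that match,
    which is why this scheme stops at the boundary of the parent domain."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    header = issue_session_cookie("alice", ttl=60, now=1000)
    print(header)
    value = header.split(";")[0].split("=", 1)[1]
    print(read_session_cookie("sso_session=" + value, now=1030))   # alice
    print(cookie_domain_matches("app.example.com"), cookie_domain_matches("example.org"))
```

The signature is what lets a subdomain trust the cookie without a round trip to the login host; the expiry in the payload bounds how long a stolen cookie stays useful.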

Token-based (OAuth, JWT)

After the user authenticates with the identity provider, they receive a token (such as an OAuth Access Token or a JWT).
The token is stored on the client (in a cookie or LocalStorage) or on the server (in a session). When the user accesses another application, that application verifies the user's identity by validating the token.
This method works across domains and is more secure because the token can be encrypted.

Advantages: works across domains; the token can be encrypted for transmission, improving security; the token can be held by the client rather than in server-side state, reducing the load on the server.
Disadvantages: the token's lifetime and protection must be managed carefully to prevent leakage; an oversized JWT adds overhead to every request.
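To make the "validity period and security of the Token" concrete, here is an added example (not from the article) of minting and verifying an HS256 JWT with only the standard library: the verifier pins the algorithm, checks the signature, and rejects tokens issued by another party, issued for another application, or past their `exp`. The issuer name `https://sso.example.com` and the signing key are constructed for the demo; a real deployment would normally use a maintained JWT library and a key from a secret store.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed values: a shared HS256 key (from a secret store in production) and the
# issuer name of the assumed identity provider.
SIGNING_KEY = b"demo-only-hs256-key"
ISSUER = "https://sso.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject: str, audience: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Identity provider side: issue a short-lived token for one audience (application)."""
    issued_at = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": issued_at, "exp": issued_at + ttl}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, expected_audience: str, now: Optional[float] = None,
               leeway: int = 30) -> Optional[Dict[str, Any]]:
    """Application side: return the claims if the token is genuine, meant for us, and still valid."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the verifier decides how to check, never the token's own header.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None  # forged or altered
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_audience:
        return None  # issued by someone else, or for a different application
    exp = claims.get("exp")
    if not isinstance(exp, int) or (time.time() if now is None else now) > exp + leeway:
        return None  # expired: the validity period the text warns about
    return claims


if __name__ == "__main__":
    token = mint_jwt("alice", "app-a", ttl=900, now=1000)
    print(token)
    print(verify_jwt(token, "app-a", now=1500))   # claims dict
    print(verify_jwt(token, "app-a", now=1950))   # None, expired
```

Short lifetimes plus a refresh mechanism are the usual answer to the leakage concern: a leaked access token is only useful until `exp`, and the audience check stops a token issued for one application from being replayed against another.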

Centralized authentication services (CAS, SAML)

A centralized authentication service acts as the single login entry point, and every application relies on it for authentication.
After the user logs in at the CAS/SAML server, the server issues a Ticket (CAS) or an Assertion (SAML) and hands it to the application; the application then uses that Ticket or Assertion, in an exchange with the CAS/SAML server, to confirm the user's identity.
CAS and SAML are two widely used centralized authentication protocols.

Advantages: provides a standardized SSO solution that is easy to integrate and can serve many different applications and services.
Disadvantages: the central service can become a single point of failure; configuration and maintenance are more involved.
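The ticket exchange described above, as an added example that is not CAS's own code: the central server issues an opaque ticket bound to one service URL, the application presents it back over the back channel, and the server accepts it only once, only for the bound service, and only within a short lifetime. The service URLs and lifetimes are constructed for the demo.

```python
import secrets
import time
from typing import Dict, Optional, Tuple


class TicketServer:
    """The central login server. Constructed demo of the ticket half of a CAS-style flow,
    not the CAS reference implementation."""

    def __init__(self, ticket_ttl: int = 10):
        self.ticket_ttl = ticket_ttl
        # ticket -> (user, service the ticket was issued for, issue time)
        self._tickets: Dict[str, Tuple[str, str, float]] = {}

    def issue_ticket(self, user: str, service: str, now: Optional[float] = None) -> str:
        """Called after the user has logged in at the server; the ticket goes back to the
        browser, which presents it to `service` on the redirect."""
        ticket = "ST-" + secrets.token_urlsafe(24)  # unguessable and opaque, no user data inside
        self._tickets[ticket] = (user, service, time.time() if now is None else now)
        return ticket

    def validate(self, ticket: str, service: str, now: Optional[float] = None) -> Optional[str]:
        """Back-channel call from the application. Returns the user on success, else None.
        The ticket is removed on first use, whatever the outcome, so it cannot be replayed."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None  # unknown, or already consumed
        user, bound_service, issued_at = entry
        if service != bound_service:
            return None  # ticket was issued for a different application
        if (time.time() if now is None else now) - issued_at > self.ticket_ttl:
            return None  # stale ticket
        return user


class ServiceApp:
    """One application that relies on the server; it keeps only its own local session."""

    def __init__(self, service_url: str, server: TicketServer):
        self.service_url = service_url
        self.server = server
        self.sessions: Dict[str, str] = {}  # local session id -> user

    def login_callback(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Handle the redirect carrying ?ticket=...; returns a local session id or None."""
        user = self.server.validate(ticket, self.service_url, now)
        if user is None:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid


if __name__ == "__main__":
    server = TicketServer(ticket_ttl=10)
    app = ServiceApp("https://app-a.example.com/login", server)
    ticket = server.issue_ticket("alice", app.service_url, now=100)
    print(app.login_callback(ticket, now=102))  # a session id
    print(app.login_callback(ticket, now=103))  # None: the ticket was single-use
```

Because every application validates against the same server, that server is the single point of failure the text mentions; a ticket that is short-lived, single-use and service-bound is what keeps a leaked redirect URL from being worth much.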

Distributed Session

Use a shared session store (such as Redis or Memcached) that every application can reach.
After a user logs in to any one application, the session is written to the shared store, and the other applications determine the user's login state by reading that shared session.

Advantages: improves scalability and availability; session data can be shared across the cluster.
Disadvantages: adds a dependency on the shared storage system; a storage failure breaks the whole SSO flow.
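An added example (not from the article) of the shared-session pattern with an in-process dictionary standing in for Redis or Memcached: one application writes the session, another reads it, entries expire, and a logout in any application removes the shared entry so every application sees it. The application names and TTL are constructed.

```python
import secrets
import time
from typing import Any, Dict, Optional, Tuple


class SharedSessionStore:
    """Stand-in for Redis/Memcached: an in-process dict with per-key expiry (constructed demo).
    In production every application process talks to the same external store instead."""

    def __init__(self) -> None:
        self._data: Dict[str, Tuple[Dict[str, Any], float]] = {}

    def set(self, sid: str, session: Dict[str, Any], ttl: int, now: float) -> None:
        self._data[sid] = (session, now + ttl)

    def get(self, sid: str, now: float) -> Optional[Dict[str, Any]]:
        entry = self._data.get(sid)
        if entry is None:
            return None
        session, expires_at = entry
        if now >= expires_at:
            self._data.pop(sid, None)  # lazy expiry, like a TTL key disappearing
            return None
        return session

    def delete(self, sid: str) -> None:
        self._data.pop(sid, None)


class App:
    """One application in the cluster. It holds no session state of its own."""

    SESSION_TTL = 1800

    def __init__(self, name: str, store: SharedSessionStore) -> None:
        self.name = name
        self.store = store

    def login(self, user: str, now: Optional[float] = None) -> str:
        """Called after this app has verified the user's credentials; writes the session to the
        shared store. The returned id goes into the cookie: random and opaque, no user data."""
        sid = secrets.token_urlsafe(32)
        t = time.time() if now is None else now
        self.store.set(sid, {"user": user, "login_app": self.name, "login_at": t},
                       self.SESSION_TTL, t)
        return sid

    def current_user(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Any app resolves the cookie's session id against the same store."""
        session = self.store.get(sid, time.time() if now is None else now)
        return None if session is None else session["user"]

    def logout(self, sid: str) -> None:
        """Deleting the shared entry logs the user out of every application at once."""
        self.store.delete(sid)


if __name__ == "__main__":
    store = SharedSessionStore()
    app_a, app_b = App("app-a", store), App("app-b", store)
    sid = app_a.login("alice", now=0)
    print(app_b.current_user(sid, now=10))  # alice: logged in via app-a, visible to app-b
    app_b.logout(sid)
    print(app_a.current_user(sid, now=11))  # None: single logout
```

The cookie carries only the random id, so nothing about the user is exposed client-side, and if the store is unreachable no application can resolve a session, which is the dependency the text flags.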

Lightweight Directory Access Protocol (LDAP)

LDAP stores and serves user and group information over the network and can underpin SSO.
Applications verify a user's identity by querying the LDAP server, so no application has to maintain its own copy of user information.

Advantages: user information is easy to manage and query; well suited to large enterprise environments.
Disadvantages: configuration and maintenance are relatively complex; not suited to small or short-lived projects.
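When an application builds the LDAP query from a user-supplied login name, the two things that go wrong in practice are unescaped filter and DN values and empty-password binds. The following added example (not from the article, and independent of any particular LDAP client library) escapes per RFC 4515 and RFC 4514, builds the bind DN, and refuses an empty password. The directory base `ou=people,dc=example,dc=com` is constructed, and `simple_bind(dn, password)` is an assumed stand-in for the client library's bind call.

```python
from typing import Callable

# Constructed directory layout; a real deployment has its own base DN.
PEOPLE_BASE_DN = "ou=people,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    the characters * ( ) \\ and NUL, plus any non-ASCII byte, become \\xx hex escapes."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")   # leading/trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")   # leading '#' would otherwise start a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(uid: str) -> str:
    """Filter for looking up one person by login name; the uid cannot break out of its clause."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)


def build_bind_dn(uid: str) -> str:
    """DN the application binds as to check the user's password."""
    return "uid=%s,%s" % (escape_dn_value(uid), PEOPLE_BASE_DN)


def authenticate(simple_bind: Callable[[str, str], bool], uid: str, password: str) -> bool:
    """Verify a login by binding as the user's own DN.
    `simple_bind(dn, password) -> bool` stands for the client library's bind call (assumed)."""
    if not password:
        # An empty password is an unauthenticated bind (RFC 4513 section 5.1.2); many servers
        # accept it as anonymous, so it must never count as a successful login.
        return False
    return simple_bind(build_bind_dn(uid), password)


if __name__ == "__main__":
    print(build_user_filter("alice"))
    print(build_user_filter("*)(uid=*"))     # escaped, so it stays one uid assertion
    print(build_bind_dn("a,b"))
```

The escaping keeps an attacker-controlled login name from changing the shape of the filter or the DN, and the empty-password check closes the classic "anonymous bind counts as success" hole in LDAP login code.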

OAuth 2.0/OIDC

OAuth 2.0 is an authorization framework; OpenID Connect (OIDC) is an authentication layer built on top of it.
After the user logs in at the authorization server, the server issues tokens to client applications, which use them to access resource servers or to confirm the user's identity.

Advantages: standardized interfaces that third-party applications integrate with easily; supports several authorization grant types.
Disadvantages: many implementation details and security measures must be designed carefully; there is a risk of granting overly broad permissions.
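Two of the "implementation details" that matter most in the authorization code flow are the `state` parameter and PKCE, and the scope the client asks for is where "overly broad permissions" is decided. The following added example (not from the article) shows the client side building the authorization request, validating the callback, and preparing the token request, plus the check the authorization server performs on the PKCE verifier. The endpoint `https://sso.example.com/authorize`, the client id, redirect URI and allowed scope list are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration; the endpoint and ids are placeholders.
AUTHORIZE_ENDPOINT = "https://sso.example.com/authorize"
CLIENT_ID = "demo-web-app"
REDIRECT_URI = "https://app.example.com/callback"
ALLOWED_SCOPES = {"openid", "profile", "email"}  # the least this app needs; nothing broader


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def parse_query(url: str) -> Dict[str, str]:
    """First value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def begin_login(scopes: Iterable[str] = ("openid", "profile")) -> Tuple[Dict[str, str], str]:
    """Client side, step 1: build the authorization request.
    Returns (pending state to keep in the user's server-side session, URL to redirect to)."""
    requested = set(scopes)
    if not requested <= ALLOWED_SCOPES or "openid" not in requested:
        raise ValueError("scope set outside what this application is allowed to request")
    code_verifier = _b64url(secrets.token_bytes(32))  # PKCE (RFC 7636) verifier, kept secret
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode()).digest())
    pending = {
        "state": secrets.token_urlsafe(16),   # ties the callback to this browser session
        "nonce": secrets.token_urlsafe(16),   # must reappear in the ID token's nonce claim
        "code_verifier": code_verifier,
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(sorted(requested)),
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return pending, AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(pending: Dict[str, str], callback_url: str) -> Optional[Dict[str, str]]:
    """Client side, step 2: validate the redirect back and build the token request body."""
    query = parse_query(callback_url)
    state = query.get("state", "")
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        return None  # not a request we started: reject before touching the code
    if "error" in query or "code" not in query:
        return None
    return {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["code_verifier"],
    }


def pkce_challenge_matches(code_challenge: str, code_verifier: str) -> bool:
    """Authorization-server side: when the code is redeemed, the verifier must hash to the
    challenge stored with the code, so a code alone cannot be exchanged for tokens."""
    expected = _b64url(hashlib.sha256(code_verifier.encode()).digest())
    return hmac.compare_digest(expected.encode(), code_challenge.encode())


if __name__ == "__main__":
    pending, url = begin_login()
    print(url)
    callback = REDIRECT_URI + "?code=constructed-code-123&state=" + pending["state"]
    print(handle_callback(pending, callback))
```

After the token request succeeds, the client still has to validate the ID token (signature, issuer, audience, expiry and the `nonce` stored in `pending`) before treating the user as logged in; the scope guard at the top of `begin_login` is the cheapest place to keep the granted permissions narrow.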

Kerberos

Kerberos is a network authentication protocol that supports SSO and is particularly suited to internal enterprise networks.
It authenticates users and services with a ticket mechanism: after logging in once, the user receives tickets that grant access to other services on the network without entering a password again.

Advantages: strong security; suitable for large internal enterprise networks; supports multiple authentication mechanisms.
Disadvantages: complex configuration and high maintenance cost; confined to internal networks and not suited to Internet environments.