Single Sign-On
Suzhou Metalogic Information Technology Co.,Ltd   2018-09-04 17:59:56 Author:SystemMaster

SSO (single sign-on) is a unified authentication and authorization mechanism: after one active authentication in the network, a user can access every authorized network resource and application without logging in again. To achieve single sign-on in a complex application environment, several authentication integration mechanisms have been adopted; they can be summarized into three types.

Application Roaming Based on Authentication Platform

The unified identity authentication platform stores all identity information and the corresponding credential information, and provides authentication interfaces for different programming languages (Java, .NET, PHP). Once identity synchronization and the authentication interface are deployed, a business system can complete identity authentication through the unified identity authentication platform without storing credential information or implementing authentication itself. Figure 1 illustrates the process by which the business system completes authentication. Specifically:

① The user requests access to a business system.

② The business system checks whether its session state holds a valid token for the request. If it does, the business system reads the corresponding identity information and grants access. If there is no token, or the token is invalid, the user is redirected to the unified identity authentication platform, with the business system's address carried along, and the flow continues at step ③.

③ On the page provided by the unified identity authentication platform, the user enters the identity credentials. The platform validates them; if they are valid, it issues a valid token to the user and the flow continues at step ④. If they are invalid, authentication continues until it succeeds or the user exits.

④ The user accesses the business system again, carrying the token obtained in step ③.

⑤ The business system obtains the token carried by the user and submits it to the authentication platform for a validity check and identity information retrieval. If the token passes the validity check, the authentication platform returns the user identity information corresponding to the token to the business system; the business system writes the identity information and the valid token to its session state, and the user can perform the business system's operations under that identity. If the token fails the validity check, the business system redirects to the authentication platform again and the flow returns to step ③. A valid token obtained through the unified identity authentication platform thus enables application roaming between the various business systems.
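The five steps above, as an added example that is not part of the original article: a small in-memory model of the platform and two business systems, in which the business systems store no credentials and only keep identity plus token in their session state once the platform has vouched for the token. The URLs, user names, identity records, token lifetime and the PBKDF2 password storage are assumptions made for this example; the article does not specify them.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed for this example: the TTL, URLs, user names and identity records
# are assumptions, not values taken from the article.
TOKEN_TTL_SECONDS = 3600


@dataclass
class AuthPlatform:
    """Unified identity authentication platform: the only place that stores
    credentials, issues tokens and answers token-validity checks."""
    login_url: str = "https://sso.example.test/login"
    _credentials: dict = field(default_factory=dict)  # username -> (salt, pbkdf2 hash)
    _identities: dict = field(default_factory=dict)   # username -> identity record
    _tokens: dict = field(default_factory=dict)       # token -> (username, expiry)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, identity: dict) -> None:
        salt = secrets.token_bytes(16)
        self._credentials[username] = (salt, self._hash(salt, password))
        self._identities[username] = identity

    def authenticate(self, username: str, password: str, now: float):
        """Step 3: validate the credential typed on the platform's own page.
        Returns a fresh token on success, None otherwise."""
        record = self._credentials.get(username)
        if record is None:
            return None
        salt, stored = record
        if not secrets.compare_digest(stored, self._hash(salt, password)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def validate(self, token: str, now: float):
        """Step 5: validity check plus identity lookup for a token that a
        business system submits. Returns the identity record or None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._tokens[token]  # expired tokens are dropped, never honoured
            return None
        return dict(self._identities[username])


@dataclass
class BusinessSystem:
    """One business system. It stores no credentials; it keeps identity + token
    in session state only after the platform has vouched for the token."""
    name: str
    url: str
    platform: AuthPlatform
    _sessions: dict = field(default_factory=dict)  # session id -> {"identity", "token"}

    def handle_request(self, session_id=None, token=None, now: float = 0.0) -> dict:
        # Step 2: an existing session whose token the platform still accepts
        session = self._sessions.get(session_id)
        if session is not None:
            if self.platform.validate(session["token"], now) is not None:
                return {"status": "ok", "identity": session["identity"], "session_id": session_id}
            del self._sessions[session_id]  # token expired or revoked: the session ends
        # Steps 4 and 5: the user comes back carrying a token from the platform
        if token is not None:
            identity = self.platform.validate(token, now)
            if identity is not None:
                new_session_id = secrets.token_urlsafe(16)
                self._sessions[new_session_id] = {"identity": identity, "token": token}
                return {"status": "ok", "identity": identity, "session_id": new_session_id}
        # No usable token: redirect to the platform, carrying this system's address
        return {"status": "redirect", "location": f"{self.platform.login_url}?return_to={self.url}"}


def demo_roaming(now: float = 1_700_000_000.0) -> dict:
    """Walk the five steps once and show the same token roaming to a second system."""
    platform = AuthPlatform()
    platform.register("alice", "correct horse battery", {"uid": "alice", "dept": "IT"})
    crm = BusinessSystem("crm", "https://crm.example.test/", platform)
    hr = BusinessSystem("hr", "https://hr.example.test/", platform)
    first = crm.handle_request(now=now)                                   # steps 1-2: no token -> redirect
    token = platform.authenticate("alice", "correct horse battery", now)  # step 3
    second = crm.handle_request(token=token, now=now + 1)                 # steps 4-5: token accepted
    third = hr.handle_request(token=token, now=now + 2)                   # same token roams to hr
    return {"first": first["status"], "second": second["status"], "third": third["status"],
            "identity": second["identity"]}
```

The business system re-asks the platform about the session's token on every request; that is a design choice made here so that an expired or deleted token ends the session immediately, at the cost of one platform call per request.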

Protocol Login Mechanism Based on Shared Key

The protocol login mechanism based on a shared key is a common protocol authentication integration mode in information system construction: authentication between systems is accomplished by combining a shared key with other agreed information. It requires deploying different programs on both systems, but the original authentication module need not be modified. Figure 2 shows the general structure of the protocol login mechanism: the login jump program for each business system is deployed in the single entry system, and the corresponding verification program is deployed in the respective business system. The jump program submits the agreed protocol data to the business system's verification program via an HTTP GET or POST request. The verification program checks the validity of the data; if the check passes, it redirects into the business system, otherwise access is refused.

This mechanism generally requires that the entry system and the business system jointly agree on four parameters: user account (user), timestamp (time), verification code (verify), and shared key (key), and requires both systems to keep their clocks synchronized. When the entry system requests access to the business system through the jump program, it adds the three parameter values user, time, and verify to the URL and passes them to the business system. Among them, verify is the string obtained by concatenating the username, time, and key and hashing the result with MD5.

After the business system obtains the parameters, it compares its own server time with the received timestamp (time) and checks that the difference is within the allowed range. If it is, the business system hashes the received user, time, and its locally configured key with MD5 to obtain a string value and compares it with verify. If they match, the login is authenticated and the system is accessed as that user; otherwise the login fails.
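Both halves of the protocol above, as an added example that is not code from the article: the jump program that builds the URL with user, time and verify, and the verification program that checks the time window and recomputes verify over user, time and the locally held key. The shared key, URLs, the 300-second window, the optional replay set and the `verify_hmac` alternative are assumptions of this example. `verify_hmac` is included because MD5 over an undelimited concatenation is not a standard MAC construction: HMAC-SHA256 over a delimited message is the usual replacement, and a constant-time comparison avoids leaking the expected value through timing.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: the key, URL and skew window are assumptions,
# not values from the article.
SHARED_KEY = "example-shared-key-replace-me"
ALLOWED_SKEW_SECONDS = 300


def verify_md5(user: str, ts: str, key: str) -> str:
    """The article's agreed value: MD5 over username, time and key concatenated."""
    return hashlib.md5(f"{user}{ts}{key}".encode("utf-8")).hexdigest()


def verify_hmac(user: str, ts: str, key: str) -> str:
    """Hardened alternative (added here, not from the article): HMAC-SHA256 over a
    delimited message, so that user "ab" + time "1..." and user "a" + time "b1..."
    can no longer produce the same input."""
    msg = f"{user}\n{ts}".encode("utf-8")
    return hmac.new(key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def build_jump_url(base_url: str, user: str, now: int, key: str = SHARED_KEY,
                   digest=verify_md5) -> str:
    """Jump program on the entry system: append user, time and verify to the URL."""
    ts = str(int(now))
    params = {"user": user, "time": ts, "verify": digest(user, ts, key)}
    return f"{base_url}?{urlencode(params)}"


def verify_login_request(url: str, server_now: int, key: str = SHARED_KEY,
                         allowed_skew: int = ALLOWED_SKEW_SECONDS, digest=verify_md5,
                         seen=None):
    """Verification program on the business system.

    Returns (True, user) when the request is accepted, else (False, reason).
    `seen` is an optional set of verify values already accepted; when supplied,
    a request that repeats one inside the time window is rejected as a replay."""
    params = parse_qs(urlparse(url).query)
    try:
        user = params["user"][0]
        ts = params["time"][0]
        verify = params["verify"][0]
        ts_int = int(ts)
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameter"
    # 1. compare the server time with the received timestamp
    if abs(int(server_now) - ts_int) > allowed_skew:
        return False, "timestamp outside allowed window"
    # 2. recompute from the received user and time and the locally held key;
    #    the received time string is hashed as-is, exactly as the sender did
    expected = digest(user, ts, key)
    if not hmac.compare_digest(expected, verify):  # constant-time comparison
        return False, "verify mismatch"
    # 3. optional replay check within the window
    if seen is not None:
        if verify in seen:
            return False, "replayed request"
        seen.add(verify)
    return True, user
```

Without the `seen` set the scheme accepts the same URL as many times as it is presented during the allowed window, which is inherent in a timestamp-only design; keeping the accepted verify values for the length of the window closes that gap at the cost of a little state on the business system.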

Through this mechanism, one-way application roaming from a single point to multiple points can be achieved. The agreed protocol can also be extended with additional content and functions, for example specifying an application module parameter (module) of the business system so that the jump lands on a specific application module.

Simulation login based on self-configuration

The self-configured simulated login mechanism is designed for Web business systems that log in through a Form, and it requires no change to the original authentication module of the business system. It uses the business system account, password, and other information configured by the user to simulate the user's login through the business system's login page: in the background it submits the corresponding information directly to the business system's login verification module, thereby completing the user's login. Figure 3 describes the main architecture:

First, establish in the entry system a mapping table from entry system accounts to each business system account. This table generally needs to contain the following information:

1. Entry system account: stores the entry system's own account number.
2. Business system ID: identifies the different business systems.
3. Business system account: the business system account number corresponding to the entry system account.
4. Basic role in the business system: the role information stored in the business system.
5. Business system password: the business system's password information, stored encrypted.
Second, analyze the login page of the business system and its corresponding verification logic, and build a corresponding self-configuration program in the entry system, including a business account password configuration page, a business account password saving page, and a business account password modification page.

Comparing the three mechanisms

Each mechanism requires some data preparation first, followed by deployment of the corresponding programs, and each produces a different application roaming situation, so they suit the authentication integration of different systems; the specific analysis is shown in Table 1.

When analyzing the authentication integration mechanism during information system construction, application roaming based on an authentication platform should be considered first, then the protocol login mechanism based on a shared key, and finally the simulated login mechanism based on self-configuration.

Secondary authentication:

Okta's software allows customers' employees to easily access a single, secure account and log on to the various network services they need for their work, as well as network services for contractors, partners, and customers. One of Okta's main selling points is security. Companies use its software to let employees and others access corporate information remotely without leaking sensitive information. When an employee leaves the company, the company can also use Okta's software to quickly revoke the employee's access to the network services they previously used.

Mobile secondary authentication

1. Token
2. RSA
3. Microsoft Windows: certificate-based Microsoft Windows domain login