简体繁体 English

为单点登录设计用户表以跨子域使用

[英]Design users table for single sign in to use across sub domains

原文 2016-05-26 08:35:27 4 4 sql-server/ database-design/ architecture/ database-schema

We have a site which has sub domains like:我们有一个包含子域的站点，例如：

example.com - Main Site example.com - 主站点
food.example.com food.example.com
fashion.example.com时尚.example.com

And each domain and sub domain has a different database, like this:每个域和子域都有不同的数据库，如下所示：

exampleDB - Main DB with Users Table exampleDB - 带有用户表的主数据库
foodDB食物数据库
fashionDB时尚数据库

What have you tried?你尝试过什么？

Right now, for single sign in we have planned to redirect users in our Main Site for signing up.现在，对于单点登录，我们计划重定向主站点中的用户进行注册。
While order processing in sub domains get the UserID from main DB and store in respective sub domain's Orders table.子域中的订单处理从主数据库中获取 UserID 并存储在相应子域的 Orders 表中。
For reporting purposes we store the UserID without FK constraint in the Orders table since we have separate database.出于报告目的，我们将没有FK constraint的UserID存储在Orders表中，因为我们有单独的数据库。

I can see here that stack exchange sites have separate databases, but does it have separate users tables too?我可以在这里看到堆栈交换站点有单独的数据库，但它也有单独的用户表吗？

Does StackExchange Network profile is stored in a separate database? StackExchange 网络配置文件是否存储在单独的数据库中？

I can see from here that Every site's user table has AccountId of StackExchange Network profile.我可以从这里看到每个站点的用户表都有 StackExchange Network 配置文件的 AccountId。

An Example:一个例子：

Here is Nick Craver Network Profile with ID:7598这是 ID:7598 的 Nick Craver 网络配置文件
His profile in History Site has Account ID Linked with same ID:7598 check this query.他在历史站点中的个人资料的帐户 ID 与相同的 ID：7598 相关联，请检查此查询。

I can't see the Accounts table anywhere in data dumbs , So Were is AccountId stored?我在data中的任何地方都看不到Accounts表，那么AccountId是否已存储？ And how is SSO done in multiple sites using AccountId ?以及如何使用AccountId在多个站点中完成 SSO？

My Question: Do we need a single user table in Main DB or we have to create separate user tables for the sub domain's database and Link Main DB UserID but not FK constraint?我的问题：我们需要在主数据库中使用单个用户表，还是必须为子域的数据库和Link Main DB UserID创建单独的用户表，但不需要 FK 约束？ Which is the best design for a shopping site?哪个是购物网站的最佳设计？

Any help would be great.任何帮助都会很棒。

4 个解决方案

The UserID you mentioned is only identical in a specific Users table in a single DB.您提到的 UserID 仅在单个数据库中的特定用户表中相同。 It's actually not an identifier of any user in your domain.它实际上不是您域中任何用户的标识符。 To identify users across multiple databases, you will need a domain-level ID for every user.要识别多个数据库中的用户，您需要为每个用户提供域级 ID。 A simple way is to add one more property (column) named UID or something like that to User class (table), of Global Unique Id (GUID, see https://msdn.microsoft.com/en-us/library/system.guid(v=vs.110).aspx ) and use it as domain-level ID to identify users instead of UserId.一种简单的方法是向全局唯一 ID（GUID，请参阅https://msdn.microsoft.com/en-us/library/system ）的用户类（表）添加一个名为 UID 或类似名称的属性（列） .guid(v=vs.110).aspx ) 并将其用作域级 ID 来识别用户而不是 UserId。 This way you can freely store user information in multiple databases in your domain.通过这种方式，您可以自由地将用户信息存储在域中的多个数据库中。 So:所以：

You can hold only domain-level ID in every sub-domain's database and use that ID to query full user profiles from the main domain DB.您只能在每个子域的数据库中保存域级 ID，并使用该 ID 从主域数据库查询完整的用户配置文件。 Pros: costs less memory.优点：消耗更少的内存。 Trade-off: in a distributed system, it takes longer to query user information from sub-domain because the information residing in main DB.权衡：在分布式系统中，由于信息驻留在主数据库中，因此从子域查询用户信息需要更长的时间。
You can hold full user information in all DB, including main's and subs'.您可以在所有数据库中保存完整的用户信息，包括主数据库和子数据库。 Pro: faster queries.优点：更快的查询。 Cons: costs more memory and when a user information changes, you will have to synchronize it across all databases.缺点：消耗更多内存，当用户信息发生变化时，您必须在所有数据库中同步它。

1] You need to have separate user table in all three database because there is no referential integrity of foreign key.Here if any database goes down, then other domains will up and running.Trade-off is, database management needs more maintenance but performance will not hamper. 1]你需要在所有三个数据库中都有单独的用户表，因为外键没有参照完整性。这里如果任何一个数据库宕机，那么其他域将启动并运行。权衡是，数据库管理需要更多的维护但性能不会妨碍。

Alternatively you can produce following database plan.或者，您可以生成以下数据库计划。

1] Keep one database for all three domain(One main domain and two sub domain) 1] 为所有三个域保留一个数据库（一个主域和两个子域）

2] Create one user table having two status flag for food_order, fashion_order 2] 为 food_order、fashion_order 创建一个具有两个状态标志的用户表

3] Create order table for food and fashion separate 3] 分别为食品和时尚创建订单表

4] There are three possibility that user orders i)Food or ii)Fashion or iii)Food/Fashion both. 4] 用户订购 i)Food 或 ii)Fashion 或 iii)Food/Fashion 的三种可能性。

5] Keep update status flag as per order either Food or Fashion or Food/Fashion both. 5]根据订单保持更新状态标志食品或时尚或食品/时尚两者。

Here trade-off is that, if your database goes down, then your all three website goes down.So Keep very good disaster recovery model of database.这里的权衡是，如果你的数据库宕机了，那么你的三个网站都会宕机。所以要保持非常好的数据库灾难恢复模型。

Some options:一些选项：

Only store your users in the main DB.仅将您的用户存储在主数据库中。 Then ...那么...
- use an encrypted cookie to store all the user information you care about.使用加密的 cookie 来存储您关心的所有用户信息。 This cookie would be readable by all the other sub-domains.所有其他子域都可以读取此 cookie。
- OR only store the user_id in the cookie and use back channel communication over an API to get the users information from the main site.或者只将 user_id 存储在 cookie 中，并通过 API 使用反向通道通信从主站点获取用户信息。
- OR use one of the many existing fairly standard user information sharing protocols to get user information into the other sites, where you can then store it in the current session store.或者使用许多现有的相当标准的用户信息共享协议之一将用户信息获取到其他站点，然后您可以将其存储在当前会话存储中。 Some examples include CAS and OAuth.一些示例包括 CAS 和 OAuth。
Store your user information in all the DBs.将您的用户信息存储在所有数据库中。 You would typically get the information to the other DBs by using one of...您通常会使用以下方法之一将信息发送到其他数据库。
- regularly scheduled synchronization job定期调度的同步作业
- back channel communication when the user logs in用户登录时的反向信道通信
- one of the fairly standard user information sharing protocols (as above)相当标准的用户信息共享协议之一（如上）

With option 1, your main DB going down would impact all the other sites.使用选项 1，您的主数据库停机会影响所有其他站点。 With option 2, the non-main DBs are pretty much cached copies, and you need to deal with cache invalidation.使用选项 2，非主 DB 几乎是缓存副本，您需要处理缓存失效。

Which option you pick will mostly depend on your specific business needs.您选择哪个选项主要取决于您的特定业务需求。

I think how you started off in your question is your best bet.我认为你如何开始你的问题是你最好的选择。

Your best bet is to have one users table, and three configuration tables.最好的办法是拥有一张用户表和三张配置表。 The one users table will be linked to the SSO functionality, which will validate users, their overall profile and credentialing information.一个用户表将链接到 SSO 功能，该功能将验证用户、他们的整体配置文件和凭据信息。 Every service/website irrelevant of the domain which use the federated SSO validating the users cookies.使用联合 SSO 验证用户 cookie 的每个与域无关的服务/网站。 Ie pretend everything was the same, except you are using google web federation for SSO.即假装一切都一样，除了您使用谷歌网络联盟进行 SSO。 The data stored in google you don't really care about (except maybe there are field that you do, maybe user name, etc...) No matter which domain you are on, the first thing you do is make a call to SSO, and see if the user is already logged in, if they aren't direct them there, and when they are done, they will get a redirect back to your subdomain.存储在 google 中的数据你并不真正关心（除了可能有你做的字段，可能是用户名等......）无论你在哪个域上，你做的第一件事就是打电话给 SSO ，看看用户是否已经登录，如果他们没有将他们引导到那里，当他们完成后，他们将重定向回您的子域。

If they are logged in, then no redirect, but you get the jwt token, which would allow converting saved userIds (or UID) to actual information.如果他们已登录，则不会重定向，但您会获得 jwt 令牌，这将允许将保存的用户 ID（或 UID）转换为实际信息。

Say for instanced a logged in user buys something from fashion.example.com.比如说一个登录用户从 fashion.example.com 购买东西。 You could add a row to your orders table, which happens to have a column called "userId".您可以在您的订单表中添加一行，该行恰好有一个名为“userId”的列。 If that site wanted to publish on the front page "user X ordered Y", after getting the order from the table, you would call the SSO service to get back a jwt with the users information using the SSO token.如果该站点想在首页上发布“用户 X 订购了 Y”，在从表中获取订单后，您将调用 SSO 服务以使用 SSO 令牌获取包含用户信息的 jwt。 If for some reason you wanted to store configuration that is different by subdomain, then that subdomain would create its own "users" or "configuration" table, and the key would be linked to the UID in the SSO service.如果出于某种原因您想存储不同子域的配置，那么该子域将创建自己的“用户”或“配置”表，并且键将链接到 SSO 服务中的 UID。 Whether there is a unique PK is up to you (with a FX to the UID) or if the PK is the UID.是否有唯一的 PK 取决于您（带有 UID 的 FX）或者 PK 是否是 UID。

This let's you completely separate the the domains from each other.这让您可以将域彼此完全分开。 And let's your subdomain decide if they need a "users" table or not.让您的子域决定他们是否需要“用户”表。

You really have 4 domains, not 3, treat it as 1 SSO authentication domain and 3 sites.您确实有 4 个域，而不是 3 个，将其视为 1 个 SSO 身份验证域和 3 个站点。 The SSO will have the auth table, and each site domain may or may not have its own user table if it needs to. SSO 将有 auth 表，如果需要，每个站点域可能有也可能没有自己的用户表。 That user table would have an FK to the SSO table, without needing to enforce an FX constraint.该用户表将具有 SSO 表的 FK，无需强制执行 FX 约束。 (FK constraint, if somehow could be enforced would actually be bad, because you wouldn't want an SSO service, to have to know about the subdomains when a user's account should be deleted, the fact these are all different database is already awesome.) （FK 约束，如果可以以某种方式强制执行实际上会很糟糕，因为您不希望 SSO 服务在应该删除用户帐户时必须知道子域，事实上这些都是不同的数据库已经很棒了。 )

And because SSO/user management is really its own domain, that is exactly why there are SaaS solutions that support user management directly, for the explicit reason that this is actually complicated and reimplementing it should be avoided at all costs.并且因为 SSO/用户管理确实是它自己的领域，这就是为什么有直接支持用户管理的 SaaS 解决方案的原因，因为这实际上很复杂，并且应该不惜一切代价避免重新实现它。

TL;DR. TL;博士。 You really have 4 domains, not 3, treat it as 1 SSO authentication domain and 3 sites.您确实有 4 个域，而不是 3 个，将其视为 1 个 SSO 身份验证域和 3 个站点。 The SSO will have the auth table, and each site domain may or may not have its own user table if it needs to. SSO 将有 auth 表，如果需要，每个站点域可能有也可能没有自己的用户表。