适用于多产品的Google Single Sign On体系结构
[英]Google Single Sign On architecture for muliple products
问题描述
I have two products on individual Amazon cloud server with their own database including user management. 
我在单个Amazon云服务器上有两个产品,它们具有自己的数据库,包括用户管理。
Now, I am planning for making centralize user management(SSO), for example, 现在,我正在计划进行集中式用户管理(SSO),例如,
- AdminDb (user master goes here for all product) AdminDb(所有产品的用户母版都在这里)
- Product1Db 产品1Db
- Product2Db 产品2Db
I am not database expert, is it right way to do this? 我不是数据库专家,这是正确的方法吗? Is there any already SSO service available? 是否已有任何SSO服务可用?
How can I maintain transactions of any user in each product database, since user master in different server & database? 由于用户主服务器位于不同的服务器和数据库中,我如何维护每个产品数据库中任何用户的交易?
Kindly note, I have kind of similar architecture with Google having different domains. 请注意,我具有类似的架构,但Google具有不同的域。 Let me know if you need any other information. 让我知道您是否需要其他信息。
1 个解决方案
解决方案1
0 2017-10-07 11:42:05
I am not database expert, is it right way to do this?
You can use Amazon Cognito User Pools which is a fully managed user store and identity service you can use to authenticate users and optionally also to authorize (Using Cognito Users & Groups). 您可以使用Amazon Cognito用户池,这是一个完全托管的用户存储和身份服务,可用于对用户进行身份验证并可以选择进行授权(使用Cognito用户和组)。 You can either use Cognito Hosted UI or Build the login page by your own using AWS SDKs . 您可以使用Cognito托管UI或使用AWS开发工具包自行构建登录页面。
Note: The example is for NodeJS, for Java use the relevant methods from AWS JavaSDK . 注意:该示例适用于NodeJS,适用于Java,请使用AWS JavaSDK中的相关方法。
How can I maintain transactions of any user in each product database, since user master in different server & database?
In the identity service, you won't be storing business related information of the user (Which is typically stored in the product database). 在身份服务中,您将不会存储用户的业务相关信息(通常存储在产品数据库中)。 Therefore if you have any data to store in relation to the user for a product, use an identifier from the identity service(id or email or etc.) in individual application databases. 因此,如果您要存储与产品用户有关的任何数据,请在各个应用程序数据库中使用身份服务中的标识符(ID或电子邮件等)。
Having said that, you can still use your own application for authorization (Using the identity service eg AWS Cognito User Pools for authentication). 话虽如此,您仍然可以使用自己的应用程序进行授权(使用身份服务,例如AWS Cognito用户池进行身份验证)。 If so you can asynchronously replicate the user permissions to other product databases (Decentralized user permissions) so that, individual product can self sustain. 如果是这样,则可以将用户权限异步复制到其他产品数据库(分散的用户权限),以便单个产品可以自我维持。 You can use AWS SNS (Pub-Sub messaging for this). 您可以使用AWS SNS(为此提供Pub-Sub消息传递)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.