简体繁体 English

在没有Cookie的情况下跨多个域进行单一登录

[英]single sign on across many domain without cookies

原文 2011-02-16 07:36:59 1 2 asp.net/ authentication/ single-sign-on/ cookieless

im using visual studio 2008. 即时通讯使用Visual Studio 2008。

my requirement is to implement single sign on across many domains without using cookies. 我的要求是在不使用Cookie的情况下跨多个域实施单点登录。 is this possible? 这可能吗？

for example, i have 3 domains (hosted in 3 different systems). 例如，我有3个域（托管在3个不同的系统中）。 www.domain1.com www.domain2.com www.domain3.com www.domain1.com www.domain2.com www.domain3.com

and cookies are disabled. 和cookie被禁用。

i implemented single sign on with cookies, if the sites are hosted in single system then it is working. 我使用Cookie实施了单点登录，如果网站托管在单个系统中，则它可以正常工作。 but it doesnt work if cookies are disabled. 但是如果禁用了cookie，则无法使用。

i tried all made all possible google searches, but couldnt find anything useful. 我尝试了所有使所有可能的谷歌搜索，但找不到任何有用的。 please help ? 请帮忙？

2 个解决方案

I believe Microsoft have a trick to their single sign in that might work for this. 我相信Microsoft对其单一登录有一个窍门，可能可以解决此问题。 I am assuming rather than cookies you would set a session variable so the theory is (from memory) something like: 我假设要设置会话变量而不是cookie，所以理论是（从内存中）类似：

1 - You designate one domain as the point of authentication ie no matter where you sign in you make sure www.domain1.com has a session variable set to say that the user has been authenticated (I guess ideally you could just put the sign in page on this domain, but if not you could work around this by using http requests to setup initial sign in auth on domain1). 1-您将一个域指定为认证点，即无论您在何处登录，都要确保www.domain1.com的会话变量设置为表明用户已通过身份验证（我想理想情况下，您可以将其登录）该域上的页面，但如果没有，则可以使用http请求在domain1上设置初始登录身份验证来解决此问题。

2 - Then the trick is to have a common header in all you other domain (1,2,3,4) pages that first does a check to see whether a session variable is set on the respective domain and if not does a redirect to domain1, determines if the user is logged in - if so get the login details - redirect back to the domain you came from (passing the login details) and then setting up the login variable once you arrive back on the domain you started from. 2-然后，诀窍是在所有其他域（1,2,3,4）页面中具有一个公共标头，该页面首先进行检查以查看是否在相应域上设置了会话变量，如果没有，则重定向到domain1，确定用户是否已登录-如果是，则获取登录详细信息-重定向回您来自的域（传递登录详细信息），然后在回到起始域时设置登录变量。

We have a cross-domain authentication on a system that I work with - it is done with cookies and is a nightmare to work with - we looked at possible options for re-designing this and this is from memory the solution that seemed to be most common - mind you it was still cookie based I think but it should work with sessions too. 我们在使用的系统上进行了跨域身份验证-它是通过cookie完成的，并且是一个噩梦-我们研究了重新设计此方法的可能选项，这是从内存来看，似乎是最有效的解决方案常见-请注意，我认为它仍基于cookie，但它也应与会话配合使用。

You ought to look at Windows Identity Foundation and Active Directory Federation Services in this era. 您应该看看这个时代的Windows Identity Foundation和Active Directory联合 身份验证 服务。 It is based on the Identity Metasystem and Claims-based Identity model; 它基于身份元系统和基于声明的身份模型； making these types of identity/authentication and SSO scenarios easier. 使这些类型的身份/身份验证和SSO场景更容易。

A Guide to Claims–based Identity and Access Control 基于声明的身份和访问控制指南

In your case, all three of your sites will "outsource" authentication services to a trusted Security Token Service (STS). 就您而言，您的所有三个站点都将身份验证服务“外包”到受信任的安全令牌服务（STS）。 This STS can be ADFS if you are expose AD domain identities to the Internet, otherwise a custom WIF implementation. 如果您将AD域标识公开给Internet，则此STS可以是ADFS，否则可以是自定义WIF实现。 Your web sites redirect unauthenticated visitors to your STS, which hands them security tokens (usually in the form of SAML) which the web sites can accept as identity claims. 您的网站将未经身份验证的访问者重定向到您的STS，后者将向他们提供安全令牌（通常以SAML形式），这些令牌可以被网站接受为身份声明。