公司的企业SSO实施
[英]Enterprise SSO implementation for a company
问题描述
I've been trying to get my head around SSO in an enterprise environment and what solution best fits my companies problem. 
我一直在尝试在企业环境中解决SSO问题,哪种解决方案最适合我的公司问题。
We have several apps (mostly in .net but some in java) running on our domain.. a.mydomain.com, b.mydomain.com etc... 我们的网域上有数个应用程式(主要是.net,但有些是Java)。a.mydomain.com,b.mydomain.com等...
My problem lies in trying to figure out how to implement Single Sign On, because as far as i can see, the likes of OpenID and OpenAuth are used for facebook, twitter, linked in based SSO, ie consumer based SSO. 我的问题在于试图弄清楚如何实现单一登录,因为据我所知,OpenID和OpenAuth之类的东西用于基于SSO(即基于消费者的SSO)链接的facebook,twitter。
We want an internal SSO system setup but I cant find many enterprise examples of how to do this and what protocols/frameworks/servers to use. 我们需要一个内部SSO系统设置,但是我找不到许多企业示例来说明如何执行此操作以及要使用哪些协议/框架/服务器。
Can anyone give me an idea how and if OpenID/OpenAuth should be used for this case, and what the benefits and disadvantages are? 谁能给我一个想法,在这种情况下应如何使用OpenID / OpenAuth,以及有什么优点和缺点?
also, would token based SSO be a good idea for this? 同样,基于令牌的SSO会是一个好主意吗? considering all the apps wiill be on the same domain (SSL is setup). 考虑到所有应用程序都将位于同一域(已设置SSL)。
Finally, what about cookie based SSO, is this a good idea? 最后,基于cookie的SSO怎么样?
Thanks Neil 谢谢尼尔
2 个解决方案
解决方案1
1 已采纳 2013-01-30 11:14:57
As you mentioned that all your apps are in the same domain and you are looking for an internal SSO solution I would recommend going for a cookie based SSO service.Simply because 正如您提到的那样,所有应用程序都在同一个域中,并且您正在寻找内部SSO解决方案,因此建议您使用基于cookie的SSO服务。
- It will be easier to implement. 实施起来会更容易。 Just checking the cookies and giving the user access to an app. 只需检查Cookie并授予用户访问应用程序的权限。
- no XML message exchange between your different apps (no need to design a schema) 您的不同应用程序之间无需交换XML消息(无需设计架构)
- You don't need to hire any Web service experts. 您不需要雇用任何Web服务专家。 (As long as your developers know how to handle cookies) (只要您的开发人员知道如何处理Cookie)
- ultimately it will depend on your scalability requirements . 最终它将取决于您的可伸缩性要求 。
update: 更新:
Scalability: 可扩展性:
- In future you might expand you user-base across different geographic locations. 将来,您可能会在不同地理位置扩展用户基础。
- Your different applications might have different servers and the user database might become distributed. 您的不同应用程序可能具有不同的服务器,并且用户数据库可能变得分散。
- In such cases you will have to maintain an identity repository to give authentication as a service.(This is what is done by the authentication frameworks that you mentioned) 在这种情况下,您将必须维护身份存储库以将身份验证作为服务提供(这由您提到的身份验证框架完成)
Cookies: 饼干:
- Cookie handling is no rocket science. Cookie的处理不是火箭科学。 The browser automatically sends cookies to your server in the HTTP request and you just have to read it. 浏览器会在HTTP请求中自动将cookie发送到您的服务器,而您只需要阅读它即可。
- Create the cookie wen user logs in. Set the domain property to your root domain so that other sub-domains can access it. 创建cookie wen用户登录。将domain属性设置为您的根域,以便其他子域可以访问它。
- Check for cookie when user tries to log into an app. 用户尝试登录应用程序时检查cookie。 If cookie is present that means the user has already logged in. 如果存在cookie,则表示用户已经登录。
- Don't forget to delete them when user logs out. 用户注销时,请不要忘记删除它们。
解决方案2
0 2013-01-30 12:24:22
Active Directory Federation Services ( http://msdn.microsoft.com/en-us/library/bb897402.aspx ) is an enterprise solution. Active Directory联合身份验证服务( http://msdn.microsoft.com/en-us/library/bb897402.aspx )是一种企业解决方案。 I would not recommend writing your own token issuer as there are lots of risks involved, security and performance. 我不建议您编写自己的令牌发行者,因为其中涉及很多风险,安全性和性能。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.