
Architecture and Implementation of a Single Sign-On Solution


TOKEN data
• ct=1302192303
• bver=7
• wa=wsignin1.0
• ru=/%3Frru%3Dinbox%26wlexpid%3D80097F54CF934247916123482695F310%26wlrefapp%3D2
• pl=MBI
• da=(URL-encoded EncryptedData XML; long value omitted here)
• nonce=gGOWyChz45t49%2BfhhBsK5lPq/swIKn%2BZ
• hash=XvO2NYVpeXsR8cCa7TEv4JLzEVw%3D
Analysis using MSN as an example
Client login process
Live Messenger login process
https:///ppsecure/sha1auth.srf?lc=1033
https:///rru=inbox&wlexpid=80097F54CF93..........
Data transmitted when Live Messenger logs in to Hotmail
• POST https:///ppsecure/sha1auth.srf?lc=1033
• token=ct%3D1302192303%26bver%3D7%26wa%3Dwsignin1.0%26ru%3D/%253Frru%2
DA
<EncryptedData xmlns="/2001/04/xmlenc#" Id="BinaryDAToken0" Type="/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="/2001/04/xmlenc#tripledes-cbc" />
  <ds:KeyInfo xmlns:ds="/2000/09/xmldsig#">
    <ds:KeyName>/STS</ds:KeyName>
  </ds:KeyInfo>
Architecture and Implementation of a Single Sign-On Solution
@宝玉xp 2011.4
What is single sign-on?
Single sign-on
CLIENT -> WEB [GTALK -> GMAIL]
CLIENT -> WEB [MSN->HOTMAIL]
WEB -> WEB [GOOGLE READER -> GMAIL]
Definition of single sign-on
• Single Sign-On (SSO) is one part of identity management. A fairly plain definition of SSO is: SSO means that the same user who accesses protected resources in different applications on the same server only needs to log in once; that is, after passing the security check in one application, the user does not need to log in and be verified again when accessing protected resources in the other applications.


  <CipherData>
    <CipherValue>Adn+cqR1gmiTLVQGs8qXIcBFJ0QPGi7O+RbRjyoR0F2Iz94dGP8s9qoe3GdGFUt9/qguaX1ygP/ghA+7m6eyYgUjKr6ZLQXL3lvi/2+AiYeEdRp3dTFqifsjTdc6a0el3rxnayb5yHiP3YbSzknVcqayqszMLnZIIuUxrDVcHGuobAIqCHrWIwiApfYJCjbbnzXNr4GIqbueQkebpn7JU16bkCion1neNxSg58P7XLEqxzAce3ZUNZWoUDnT/6OtDCkuCmxewrn3sr5Ugh/FSoW+3KGledTk3brKOu8Uu7YNM5Y2k4K90Su8U3zXCyhJXkrVJCzRhJCvOCuWUs4DTEs9ocxKUSOICqaicIc6tTJYfyLlWHhOmsigGzVj2B8NOysbsr/V6KnLu2vgEWkYr0j/ZYYrAa1R0AuIep0i0hPHUTeOz7HAV5PzwciNA33YIgzyGn3ivmFFcjkxRwmesidmtXopLUSj+YIqUqXQ2p11vmQv9UJYCzWghtNS</CipherValue>
  </CipherData>
</EncryptedData>
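To make the token layout concrete, here is an added Python example (not code from the slides) that unwraps a sha1auth.srf POST body of the shape shown on the page: the outer token= parameter, the inner field list (ct, bver, wa, ru, pl, appid, da, nonce, hash), and the da EncryptedData XML. The clear-text field values are the ones from the TOKEN slide; the KeyName, the CipherValue, the full XML Encryption and XML Signature namespace URLs (the page shows them with hosts stripped) and the function name parse_sha1auth_body are assumptions.

```python
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"   # standard XML Encryption namespace
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"  # standard XML Signature namespace

# Constructed sample in the page's layout: the clear-text fields carry the values
# from the TOKEN slide; KeyName and CipherValue are placeholders, not the page's blob.
SAMPLE_DA = (
    f'<EncryptedData xmlns="{XMLENC}" Id="BinaryDAToken0" Type="{XMLENC}Element">'
    f'<EncryptionMethod Algorithm="{XMLENC}tripledes-cbc"/>'
    f'<ds:KeyInfo xmlns:ds="{XMLDSIG}"><ds:KeyName>PLACEHOLDER-STS-KEY</ds:KeyName></ds:KeyInfo>'
    "<CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedData>"
)
SAMPLE_FIELDS = {
    "ct": "1302192303", "bver": "7", "wa": "wsignin1.0",
    "ru": "/?rru=inbox&wlexpid=80097F54CF934247916123482695F310&wlrefapp=2",
    "pl": "MBI", "appid": "{7108E71A-9926-4FCB-BCC9-9A9D3F32E423}",
    "da": SAMPLE_DA,
    "nonce": "gGOWyChz45t49+fhhBsK5lPq/swIKn+Z",
    "hash": "XvO2NYVpeXsR8cCa7TEv4JLzEVw=",
}
# The POST body nests one URL-encoded query string inside another, as on the page:
# token=ct%3D1302192303%26bver%3D7..., with ru and da encoded a second time inside.
SAMPLE_BODY = urllib.parse.urlencode({"token": urllib.parse.urlencode(SAMPLE_FIELDS)})


def parse_sha1auth_body(body: str) -> dict:
    """Unwrap the token= parameter, decode each field once more, and inspect da."""
    outer = urllib.parse.parse_qs(body, strict_parsing=True)
    inner = urllib.parse.parse_qs(outer["token"][0], strict_parsing=True)
    fields = {k: v[0] for k, v in inner.items()}
    root = ET.fromstring(fields["da"])  # da is an xmlenc EncryptedData element
    method = root.find(f"{{{XMLENC}}}EncryptionMethod")
    key_name = root.find(f"{{{XMLDSIG}}}KeyInfo/{{{XMLDSIG}}}KeyName")
    cipher = root.find(f"{{{XMLENC}}}CipherData/{{{XMLENC}}}CipherValue")
    return {
        # ct is a Unix timestamp sent in the clear, so the token's age is visible to anyone
        "issued_at": dt.datetime.fromtimestamp(int(fields["ct"]), dt.timezone.utc),
        "return_url": fields["ru"],
        "appid": fields["appid"],
        "da_algorithm": method.get("Algorithm"),
        "da_key_name": key_name.text,
        "da_ciphertext_bytes": len(base64.b64decode(cipher.text)),
        "nonce_bytes": len(base64.b64decode(fields["nonce"])),
        "hash_bytes": len(base64.b64decode(fields["hash"])),  # 20 = SHA-1 digest size
    }
```

Only da is encrypted; ct, ru, appid and nonce travel in the clear, and the page's hash value decodes to 20 bytes, the SHA-1 digest size that the sha1auth.srf endpoint name suggests.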
• appid=%7B7108E71A-9926-4FCB-BCC9-9A9D3F32E423%7D
• da=%3CEncryptedData%20xmlns%3D%22/2001/04/xmlenc%23%22%20Id%3D%22BinaryDAToken0%22%20Type%3D%22http://www.w3.org/20
• service=mail
• =https%3A%2F%%2Fmail
Data transmitted when GTalk opens and logs in to Gmail
• GET https:///accounts/TokenAuth
• auth=(long opaque token value, omitted here)