Architecture and Implementation of a Single Sign-On Solution
@宝玉xp 2011.4
What is single sign-on?
Single sign-on
CLIENT -> WEB [GTALK -> GMAIL]
CLIENT -> WEB [MSN->HOTMAIL]
WEB -> WEB [GOOGLE READER -> GMAIL]
Definition of single sign-on
• Single sign-on (SSO) is one part of identity management. A fairly plain-language definition of SSO is: a user who accesses protected resources in different applications on the same server needs to log in only once; after passing the security check in one application, the user does not have to log in and be verified again when accessing protected resources in the other applications.
TOKEN data
• ct=1302192303
• bver=7
• wa=wsignin1.0
• ru=/%3Frru%3Dinbox%26wlexpid%3D80097F54CF934247916123482695F310%26wlrefapp%3D2
• pl=MBI
• POST https:///ppsecure/sha1auth.srf?lc=1036bver%3D7%26wa%3Dwsignin1.0%26ru%3D/%253Frru%2
• appid=%7B7108E71A-9926-4FCB-BCC9-9A9D3F32E423%7D
• da=%3CEncryptedData%20xmlns%3D%22/2001/04/xmlenc%23%22%20Id%3D%22BinaryDAToken0%22%20Type%3D%22http://www.w3.org/20
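As an added example (not from the original deck), a small Python decoder for the shape of the sha1auth.srf POST body listed above: it splits the top-level fields, decodes the second, nested query string carried in ru, and reads the XML-Encryption envelope in da. The sample body is constructed here; the tripledes-cbc algorithm identifier, the key name and the CipherValue are placeholders assumed for the example, not values taken from the capture.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: an EncryptedData element shaped like the "da" field in the
# capture. Algorithm, key name and CipherValue are placeholders chosen here, not
# values taken from the page.
SAMPLE_DA = (
    f'<EncryptedData xmlns="{XMLENC}" Id="BinaryDAToken0" Type="{XMLENC}Element">'
    f'<EncryptionMethod Algorithm="{XMLENC}tripledes-cbc"></EncryptionMethod>'
    f'<ds:KeyInfo xmlns:ds="{XMLDSIG}"><ds:KeyName>http://sts.example/STS</ds:KeyName>'
    '</ds:KeyInfo><CipherData><CipherValue>UExBQ0VIT0xERVI=</CipherValue>'
    '</CipherData></EncryptedData>'
)

# Constructed POST body using the field names from the capture; "ru" carries a
# second, nested query string exactly as the captured one does.
SAMPLE_BODY = urlencode({
    "ct": "1302192303", "bver": "7", "wa": "wsignin1.0",
    "ru": "/?rru=inbox&wlexpid=EXAMPLE-EXPID&wlrefapp=2",
    "pl": "MBI", "appid": "{EXAMPLE-APPID}", "da": SAMPLE_DA,
})


def decode_token(body: str) -> dict:
    """Split a sha1auth.srf-style POST body into its fields and decode the
    nested ones. Only the envelope is readable: the symmetric key named in
    KeyInfo lives at the STS, so a relying party cannot open CipherValue."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    # "ru" is a return URL whose own query string was URL-encoded a second time.
    ru_query = fields["ru"].partition("?")[2]
    fields["ru_params"] = {k: v[0] for k, v in parse_qs(ru_query).items()}
    # "da" is an XML-Encryption element; read what is visible without the key.
    root = ET.fromstring(fields["da"])
    method = root.find(f"{{{XMLENC}}}EncryptionMethod")
    key_name = root.find(f"{{{XMLDSIG}}}KeyInfo/{{{XMLDSIG}}}KeyName")
    fields["da_info"] = {
        "id": root.get("Id"),
        "type": root.get("Type").rsplit("#", 1)[1],
        "algorithm": method.get("Algorithm").rsplit("#", 1)[1],
        "key_name": key_name.text,
    }
    return fields


if __name__ == "__main__":
    for name, value in decode_token(SAMPLE_BODY).items():
        print(f"{name}: {value}")
```

Running the block against a real capture only reveals the envelope (token id, algorithm, key name); the payload stays opaque to anyone without the STS key.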
Analysis using MSN as an example
Client login process
LIVE MESSENGER login process
https:///ppsecure/sha1auth.srf?lc=1033
https:///rru=inbox&wlexpid=80097F54CF93..........
Data transmitted when LIVE MESSENGER logs in to HOTMAIL