Single Sign-On (SSO)
Single sign-on (SSO) is a service that lets users authenticate only once. Users sign in to the SSO service, which then passes that authentication on to each application as needed by sending it a digital authentication message.
It should not be confused with same-sign-on (directory server authentication), which is usually implemented with the Lightweight Directory Access Protocol (LDAP) and LDAP databases stored on (directory) servers.
Relationship
- SSO is a goal (several systems sharing one login)
- OAuth 2.0 is a means (an authorization protocol that can be used to implement SSO)
- For OAuth 2 to actually support login (authentication), it is usually combined with OpenID Connect (OIDC)
Practical example: Sign in with Google
When you use "Sign in with Google" to access another site (such as Notion or Trello), what actually happens is:
- The site is implemented with OAuth 2 + OpenID Connect.
- Google is the identity provider (IdP), responsible for authentication + authorization.
- Once the user has logged in to Google, they do not need to log in again to the other services (this is SSO in practice).
Ways to implement SSO
Security Assertion Markup Language (SAML)
SSO authentication messages commonly use a protocol called Security Assertion Markup Language (SAML). SAML is a standardized way of telling external applications that a user is who they claim to be.
A message authenticating a user is called a SAML “assertion.” Once an application receives a SAML assertion for a user, it does not need to authenticate that user itself, because it knows the SSO service has already done so.
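The checks an application (the SAML service provider) runs before it trusts an assertion are the security-relevant part of "it knows the SSO service has already done so". The example below is added here and is not code from the page or any SAML library: it parses a constructed SAML 2.0 assertion with the standard library and enforces issuer, validity window, audience, and one-time use of the assertion ID. The IdP and SP entity IDs, the user, and the timestamps are all constructed. A real service provider must additionally verify the XML signature (ds:Signature) against the IdP's certificate, which the standard library cannot do; that step is deliberately omitted here, not replaced.

```python
# Added example (not the page's or a library's code): service-provider checks on a
# SAML 2.0 assertion. Signature verification is out of scope for the stdlib and
# must be done with a proper XML-DSig library in a real deployment.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed parameters for the example (hypothetical entity IDs).
IDP_ENTITY_ID = "https://idp.example.com/metadata"
SP_ENTITY_ID = "https://app.example.com/saml/sp"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # inside the window
SAMPLE_LATE = datetime(2024, 1, 1, 12, 5, 0, tzinfo=timezone.utc)  # NotOnOrAfter reached

# Constructed sample assertion; no ds:Signature element (see note above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-id-1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now, seen_ids):
    """Return the subject NameID if the assertion is acceptable, else raise ValueError.

    seen_ids is a set of assertion IDs already consumed; it blocks replay of a
    still-valid assertion within its time window.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected issuer")
    conditions = root.find("saml:Conditions", namespaces=NS)
    if conditions is None:
        raise ValueError("missing Conditions")
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise ValueError("assertion ID already seen (replay)")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing Subject/NameID")
    seen_ids.add(assertion_id)  # only consume the ID once every check has passed
    return name_id


def validation_error(xml_text, expected_issuer, expected_audience, now, seen_ids):
    """Convenience wrapper: return the rejection reason, or None if accepted."""
    try:
        validate_assertion(xml_text, expected_issuer, expected_audience, now, seen_ids)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    consumed = set()
    print("accepted:", validate_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, SAMPLE_NOW, consumed))
    print("replay ->", validation_error(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, SAMPLE_NOW, consumed))
    print("late ->", validation_error(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, SAMPLE_LATE, set()))
```

The audience check is what stops an assertion issued for one application from being presented to another, and the ID set is what stops a captured assertion from being reused inside its few-minute window; both are cheap and are worth keeping even when a library handles the signature.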
OpenID Connect (OIDC)
OpenID Connect (OIDC) is another authentication protocol that is growing in use by SSO providers. OIDC functions similarly to SAML, but it formats data differently, among other distinctions; while SAML formats data via XML, OIDC uses JSON.
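In OIDC the JSON counterpart of the SAML assertion is the ID token, a signed JWT that the identity provider returns after the user logs in; this is also what a site using "Sign in with Google" (the practical example above) receives and must validate before treating the user as signed in. The example below is added here and is not the page's code or any IdP's SDK: it mints a constructed ID token and then runs the relying-party checks (pinned algorithm, signature, issuer, audience, expiry, nonce). It signs with HS256 so it needs only the standard library; public IdPs such as Google sign with RS256, for which a JOSE library does the RSA part, but the claim checks are the same. The issuer, client ID, secret, nonce, subject and timestamps are all constructed.

```python
# Added example (not the page's or an IdP's code): relying-party validation of an
# OpenID Connect ID token. HS256 is used so the example runs with the stdlib;
# the claim checks apply unchanged to RS256 tokens verified with a JOSE library.
import base64
import hashlib
import hmac
import json

# Constructed values shared by the demo "IdP" and the relying party.
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"
ISSUER = "https://idp.example.com"       # hypothetical issuer
CLIENT_ID = "example-relying-party"      # hypothetical client_id
NONCE = "n-constructed-0S6W"             # nonce the RP placed in its auth request
NOW = 1_700_000_000                      # fixed "current time" in unix seconds

SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "user-12345",                 # constructed subject identifier
    "aud": CLIENT_ID,
    "iat": NOW - 60,
    "exp": NOW + 300,
    "nonce": NONCE,
    "email": "alice@example.com",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """IdP side (demo only): build and HS256-sign an ID token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token, secret, expected_issuer, client_id, expected_nonce, now):
    """Relying-party side: return the claims if every check passes, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm we expect; never let the token's own 'alg' pick the check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def verification_error(token, secret=CLIENT_SECRET, issuer=ISSUER,
                       client_id=CLIENT_ID, nonce=NONCE, now=NOW):
    """Convenience wrapper: return the rejection reason, or None if accepted."""
    try:
        verify_id_token(token, secret, issuer, client_id, nonce, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    token = mint_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    print("accepted subject:", verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, NOW)["sub"])
    print("wrong audience ->", verification_error(token, client_id="other-client"))
```

The ordering matters: the signature is checked before any claim is read, and the expected algorithm is fixed by the relying party rather than taken from the token header, so an unsigned or differently signed token is rejected before its claims can influence anything. The nonce ties the token to the specific login request that asked for it, which is the OIDC equivalent of the assertion-ID replay check in SAML.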
Kerberos
Kerberos is a ticket-based authentication system that lets two or more parties mutually verify each other's identity over the network. It uses cryptography to protect the identification information exchanged between clients, servers, and the Key Distribution Center (KDC) from unauthorized access.