eSight V300R010C00SPC200, 300, and 500 Self-Service Integration Guide 11

Implementation Principle

SSO Implementation Principle

  1. Access service: An SSO client sends requests for accessing service resources in the application systems.
  2. Redirection and authentication: An SSO client redirects user requests to the SSO server.
  3. User authentication: The SSO server authenticates user identities.
  4. ST delivery: The SSO server generates a random ST.
  5. ST verification: The SSO server verifies validity of STs. The SSO client can access required service resources only after passing verification.
  6. User information transfer: The SSO server transfers user authentication results to SSO clients.
  7. Single sign-out: A user logs out once and is signed out of all application systems that were accessed through SSO.

SSO Access Processes

SSO supports the following access processes: first login-point access, second login-point access, first single-point access, second single-point access, and single sign-out.
  • Login point: the point that logs in to an application system for the first time.
  • Single point: the point that accesses an application system after logging in to another subsystem.
  • First login-point access: the process of accessing an application system for the first time and entering the login page.
  • Second login-point access: the process in which a login point accesses the application system again after the first access.
  • First single-point access: the process in which a login point accesses another application system for the first time.
  • Second single-point access: the process in which a single point accesses the application system again after the first access.
  • First login-point access

    When a user accesses System1 for the first time, the session contains no user context, and System1 encapsulates the request URL in the service parameter and redirects the request to the SSO server for authentication. The SSO server returns the login page to the user. The user enters the user name and password and submits them to the SSO server for authentication. After authentication succeeds, the SSO server generates a TGT, delivers the ST based on the TGT, and responds to the browser. The browser then sends the service parameter request with the ST to the SSO server for ST authentication. After ST authentication succeeds, the SSO server returns user information to the browser. The browser can set the user context in the session and TGC in the cookie.

    Figure 2-4 First login-point access
  • Second login-point access

    When the login point wants to access System1 again after first login-point access succeeds, System1 determines that the user context exists in the session and does not block the login-point access. The required service resources are directly displayed.

    Figure 2-5 Second login-point access
  • First single-point access

    The process is the same as that of first login-point access.

    Figure 2-6 First single-point access
  • Second single-point access

    The process is similar to that of second login-point access.

  • Single sign-out

    After a single point logs in, a global single sign-out filter records the ST and the session ID used to access the secured service resources in the ST and session mapping table. When a single point logs out of a subsystem, for example, System1, System1 clears its local session and sends the single sign-out request to the SSO server. When receiving this request, the SSO server deletes the TGT, clears the TGC in the browser cookie, and reads the ST and session mapping table. The SSO server deletes the ST and session. When the user then attempts to access any subsystem, the user must log in again.

    Figure 2-7 Single sign-out
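The seven-step principle and the access processes above can be exercised end to end in a small simulation. The following Python block is an added example written for this guide; it is not eSight code and not Huawei's SSO implementation. It models the SSO server (TGT issuance, ST delivery and one-time ST verification, the ST and session mapping table, single sign-out), two application systems (System1 and System2) and a browser holding the TGC cookie. The class names, the `example.invalid` service URLs and the credential store are all constructed placeholders. It goes slightly beyond the text by showing why ST verification must reject a replayed ST and an ST presented by a different service.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed credential store (placeholder user and password); a real SSO
# server would check against a directory with hashed passwords.
USERS = {"alice": "placeholder-password"}
ST_TTL_SECONDS = 10  # STs are short-lived and single use


@dataclass
class SSOServer:
    """Models the SSO server: authenticates users, issues TGTs/STs, signs out."""
    tgts: Dict[str, str] = field(default_factory=dict)                        # TGT -> user
    sts: Dict[str, Tuple[str, str, str, float]] = field(default_factory=dict)  # ST -> (user, service, TGT, issued)
    tgt_sts: Dict[str, List[str]] = field(default_factory=dict)               # TGT -> STs delivered on it
    st_sessions: Dict[str, Tuple[str, str]] = field(default_factory=dict)     # ST and session mapping table

    def authenticate(self, username: str, password: str) -> str:
        """Step 3: user authentication; on success a TGT is generated."""
        stored = USERS.get(username, "")
        if not stored or not secrets.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("authentication failed")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = username
        return tgt

    def issue_st(self, tgt: str, service: str) -> str:
        """Step 4: ST delivery; the ST is random and bound to one service URL."""
        user = self.tgts.get(tgt)
        if user is None:
            raise PermissionError("TGT invalid or signed out")
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (user, service, tgt, time.monotonic())
        self.tgt_sts.setdefault(tgt, []).append(st)
        return st

    def validate_st(self, st: str, service: str) -> str:
        """Step 5/6: verify the ST once, for the bound service, within its TTL."""
        entry = self.sts.pop(st, None)  # pop: a replayed ST is rejected
        if entry is None:
            raise PermissionError("ST unknown or already consumed")
        user, bound_service, _tgt, issued = entry
        if bound_service != service or time.monotonic() - issued > ST_TTL_SECONDS:
            raise PermissionError("ST not valid for this service")
        return user  # user information returned to the SSO client

    def record_session(self, st: str, system: str, session_id: str) -> None:
        """The global sign-out filter records ST -> (system, session) in the mapping table."""
        self.st_sessions[st] = (system, session_id)

    def single_sign_out(self, tgt: str) -> List[Tuple[str, str]]:
        """Delete the TGT and its STs; return the sessions every subsystem must clear."""
        self.tgts.pop(tgt, None)
        affected = []
        for st in self.tgt_sts.pop(tgt, []):
            self.sts.pop(st, None)
            session = self.st_sessions.pop(st, None)
            if session:
                affected.append(session)
        return affected


@dataclass
class Browser:
    cookies: Dict[str, str] = field(default_factory=dict)  # "TGC" and per-system session ids


@dataclass
class ApplicationSystem:
    """An SSO client (System1, System2): holds the user context in its session."""
    name: str
    server: SSOServer
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> user context

    def access(self, browser: Browser, credentials: Optional[Tuple[str, str]] = None) -> str:
        sid = browser.cookies.get(f"session:{self.name}")
        if sid in self.sessions:
            return self.sessions[sid]  # second access: user context exists, not blocked
        service = f"https://{self.name}.example.invalid/"  # the service parameter (constructed URL)
        tgc, st = browser.cookies.get("TGC"), None
        if tgc is not None:
            try:
                st = self.server.issue_st(tgc, service)  # single-point access: no password prompt
            except PermissionError:
                browser.cookies.pop("TGC", None)  # stale TGC after single sign-out
        if st is None:
            if credentials is None:
                raise PermissionError("login page returned: user must log in")
            tgc = self.server.authenticate(*credentials)
            browser.cookies["TGC"] = tgc
            st = self.server.issue_st(tgc, service)
        user = self.server.validate_st(st, service)
        sid = "SID-" + secrets.token_urlsafe(8)
        self.sessions[sid] = user
        browser.cookies[f"session:{self.name}"] = sid
        self.server.record_session(st, self.name, sid)
        return user

    def clear_session(self, sid: Optional[str]) -> None:
        self.sessions.pop(sid, None)


def single_sign_out(browser: Browser, origin: ApplicationSystem, systems: List[ApplicationSystem]) -> List[Tuple[str, str]]:
    """Origin clears its session, forwards sign-out; every mapped subsystem session is cleared."""
    origin.clear_session(browser.cookies.get(f"session:{origin.name}"))
    tgc = browser.cookies.pop("TGC", None)  # server clears the TGC cookie
    affected = origin.server.single_sign_out(tgc) if tgc else []
    by_name = {s.name: s for s in systems}
    for system, sid in affected:
        by_name[system].clear_session(sid)
    return affected


def run_demo() -> dict:
    server = SSOServer()
    sys1, sys2, browser = ApplicationSystem("system1", server), ApplicationSystem("system2", server), Browser()
    out = {"first_login": sys1.access(browser, ("alice", USERS["alice"]))}   # first login-point access
    out["second_login"] = sys1.access(browser)                               # second login-point access
    out["first_single"] = sys2.access(browser)                               # first single-point access
    out["sessions_before_signout"] = len(sys1.sessions) + len(sys2.sessions)
    out["signed_out"] = len(single_sign_out(browser, sys1, [sys1, sys2]))    # single sign-out from System1
    out["sessions_after_signout"] = len(sys1.sessions) + len(sys2.sessions)
    try:
        sys2.access(browser)
        out["relogin_required"] = False
    except PermissionError:
        out["relogin_required"] = True
    return out


def st_replay_rejected() -> bool:
    """A consumed ST, or an ST presented by another service, must fail verification."""
    server, svc = SSOServer(), "https://system1.example.invalid/"
    tgt = server.authenticate("alice", USERS["alice"])
    st = server.issue_st(tgt, svc)
    server.validate_st(st, svc)
    try:
        server.validate_st(st, svc)
        return False
    except PermissionError:
        pass
    try:
        server.validate_st(server.issue_st(tgt, svc), "https://system2.example.invalid/")
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(run_demo())
```

Running the block walks the four access processes and the sign-out in order: the first access to System1 prompts for credentials, the second is served from the session, the first access to System2 needs only the TGC and a fresh ST, and after single sign-out both subsystem sessions are gone and the next access raises because the login page is returned again. The `pop` in `validate_st` is the detail worth keeping in a real deployment: an ST that can be verified twice lets a captured ST be replayed to create a second session.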
Updated: 2019-12-13

Document ID: EDOC1100044386