OpenId : Is true SSO possible?

I have 3 web sites in my company and each has its own login page, but they authenticate against the same authentication store (let's say a custom DB). Recently, we thought of implementing SSO by having a centralized authentication website, and all these web sites will rely on this new authentication website for sign-in. Let me call the authenticating website the IP (Identity Provider) and the relying parties RP1, RP2, RP3.

I'm aware that this is fairly achievable using a SAML / WS-Fed based implementation (since all websites are ASP.NET based), and there are a lot of examples on the internet. My question is whether the same is achievable using OpenID or OAuth? There are some scenarios where I think it may not be possible.

Scenario 1:

After I sign in via SSO at RP1 and type the URL of RP2 in the browser, will RP2 know that I'm already authenticated and allow me to proceed, or will I be forced to log in again through the IP?

Scenario 2:

Assume that I have signed in and am able to navigate between RP1 & RP2. If I sign out of RP2 and navigate to RP1, will I be redirected to the login page? Is single logout achievable?

Please click here SSO Image

I appreciate your help.


OpenID Connect is an authentication protocol that supports "true" (whatever that means) SSO.

Read about it here: https://openid.net/connect/

Scenario 1: This is never how it works - RP2 will still need to make a round trip to the IP to get an identity token. But the user will not see a login screen and will sign in automatically.

Scenario 2: Single Sign-out is part of the protocol - yes.
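A minimal in-memory simulation of both scenarios, written as an added example rather than code from the question or the answer: the IP keeps one browser session and every RP still makes its own round trip to it, but the user is only prompted when no IP session exists, and logout from one RP ends the IP session and invalidates every RP session tied to it. The names `IdentityProvider`, `RelyingParty`, the plain-dict browser cookie jar and the direct `frontchannel_logout` call (standing in for the front-channel logout request a real IP would send to each RP) are assumptions of this example.

```python
import secrets

class IdentityProvider:
    """Centralized authentication site (IP); each RP still round-trips here for an ID token."""
    def __init__(self):
        self.sessions = {}  # IP session id -> user
        self.rps = []       # registered RPs, notified on logout

    def authorize(self, browser, rp, credentials=None):
        """Returns (id_token, prompted); a live IP session skips the login form (Scenario 1)."""
        user = self.sessions.get(browser.get("ip"))
        prompted = user is None
        if prompted:
            if credentials is None:
                return None, True        # render the IP login form
            user = credentials           # constructed: any username is accepted
            browser["ip"] = secrets.token_hex(8)
            self.sessions[browser["ip"]] = user
        return {"iss": "ip.example", "sub": user, "aud": rp.name, "sid": browser["ip"]}, prompted

    def end_session(self, browser):
        """Logout from any RP: end the IP session and notify every RP (Scenario 2)."""
        sid = browser.pop("ip", None)
        self.sessions.pop(sid, None)
        for rp in self.rps:
            rp.frontchannel_logout(browser, sid)

class RelyingParty:
    def __init__(self, name, ip):
        self.name, self.ip, self.sessions = name, ip, {}  # RP cookie -> (user, IP sid)
        ip.rps.append(self)

    def visit(self, browser, credentials=None):
        """Returns (user, prompted). A valid local session skips the IP round trip."""
        if local := self.sessions.get(browser.get(self.name)):
            return local[0], False
        token, prompted = self.ip.authorize(browser, self, credentials)
        if token is None:
            return None, True
        browser[self.name] = secrets.token_hex(8)
        self.sessions[browser[self.name]] = (token["sub"], token["sid"])
        return token["sub"], prompted

    def logout(self, browser):
        self.ip.end_session(browser)

    def frontchannel_logout(self, browser, sid):
        cookie = browser.get(self.name)  # drop only the session tied to this IP sid
        if cookie in self.sessions and self.sessions[cookie][1] == sid:
            del self.sessions[cookie], browser[self.name]
```

The `prompted` flag returned by `visit` is what distinguishes the first login at RP1 from the silent, round-trip-only sign-in at RP2.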
