Unified identity management platform IAM single sign-on process and third-party interface design scheme

#统一身份管理平台IAM

Many companies have multiple office systems,账号、密码、角色、Permissions, etc. need to be set separately and cannot be managed uniformly.

Unified identity authentication management systemIAM,I think there are the following three advantages：

1. Establish unified user management、Identity rationing and identity authentication systems,Realize dynamic synchronization of user identities and permissions.
2. Implement all office systems(应用)的单点登录(B/S架构)or password authentication login(C/S架构).
3. Strengthen information security early warning and auditing,提高系统可用性、Security and user portability.

即：One account can access multiple office systems within the enterprise,Covers multi-scenario control,支持部门,角色,Personnel dimension authorization.

#统一身份管理平台IAM单点登录流程图(B/S架构)

使用范围：需要实现单点登录,Use the login page of the unified identity management platform,and can sendhttpsThe requested third-party system,A brief summary of the following four steps：

1. authorize接口,请求用户授权,Jump to the third-party system after completion.
2. authorization_code接口,根据code获取授权Token.
3. getUserInfo接口,根据Token获取用户信息.
4. logout接口,注销登录.

This article will introduce the unified identity authentication platformIAMCommonly used single sign-on third-party interface design.

#1、请求用户授权,Jump to the third-party system after completion,网页设计

 Web interface description：

实际操作：

WEBWeb page login authorization interface(GET请求) 

Log in successfully and jump to the interface,携带参数code和state

#2、根据code获取TokenAuthorize third-party interface design

通过上文code即可以获取access_token和refresh_token,当access_token过期时,可以通过refresh_token重新获取新的access_token,保持登陆状态.

接口说明：

获取Token-POSTRequest interface sample code：

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.util.EntityUtils;
public class getToken {
    public static String getToken(String url){
        BasicHttpParams http = new BasicHttpParams();
        //设置请求超时1秒钟
        HttpConnectionParams.setConnectionTimeout(http,1000);
        //设置等待数据超时时间1秒钟
        HttpConnectionParams.setSoTimeout(http,1000);
        HttpClient client = new DefaultHttpClient(http);
        String jsonresult = "";
        try {
            //Http Post请求
            HttpPost post = new HttpPost(url);
            HttpResponse response = client.execute(post);
            //获取返回参数
            HttpEntity entity =response.getEntity();
            jsonresult = EntityUtils.toString(entity,"utf-8");
        }catch (Exception ex){
            ex.printStackTrace();
        }finally {
            client.getConnectionManager().shutdown();
        }
        return jsonresult;
    }
    public static void main(String[] args) {
        String url = "https://iam.xxxxx.com:8080/idp/oauth2/getToken?client_id=SE&grant_type=authorization_code&code=dc605a7a6389b0898f653b4895359071&client_secret=6f369937851b4669ad66b41257b9a902";
        //输出返回JSON字符串
        System.out.println(getToken(url));
    }
}

#3、根据TokenThird-party interface design for obtaining user information

通过上文获取的access_tokento access the user interface,获取用户信息,Implement this user in a third-party system(应用)password-free login on . 

接口说明： 

获取用户信息-GETRequest interface sample code：

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.util.EntityUtils;

public class getUserInfo {
    public static String getToken(String url){
        BasicHttpParams http = new BasicHttpParams();
        //设置请求超时1秒钟
        HttpConnectionParams.setConnectionTimeout(http,1000);
        //设置等待数据超时时间1秒钟
        HttpConnectionParams.setSoTimeout(http,1000);
        HttpClient client = new DefaultHttpClient(http);
        String jsonresult = "";
        try {
            //Http Get请求
            HttpGet get = new HttpGet(url);
            HttpResponse response = client.execute(get);
            //获取返回参数
            HttpEntity entity =response.getEntity();
            jsonresult = EntityUtils.toString(entity,"utf-8");
        }catch (Exception ex){
            ex.printStackTrace();
        }finally {
            client.getConnectionManager().shutdown();
        }
        return jsonresult;
    }
    public static void main(String[] args) {
        String url = "https://iam.xxxxx.com:8080/idp/oauth2/getUserInfo?access_token=xxxxx&client_id=xxxxx";
        //输出返回JSON字符串
        System.out.println(getToken(url));
    }
}

#4、Logout注销登录,Jump when done,网页设计 

Third-party application system requestsIAMThe certification authority is globally withdrawnURL,The authentication authority destroys the user's global session,and call the app to destroy the sessionURL,This address needs to call the recovery authorization interface to clear the currentoauthThe ability to ticket and destroy application-local sessions. 

流程图如下：

Web interface description：