Single Sign On Solutions for Java Applications – Java应用的单点登录解决方案

最后修改: 2022年 4月 14日

中文/混合/英文(键盘快捷键:t)

1. Overview

1.概述

Organization users with multiple applications often need to authenticate across multiple systems. As a result, the users must remember multiple accounts and passwords. Single Sign-On (SSO) technology is a solution to this problem. SSO provides a single login credential for a set of systems.

拥有多个应用程序的组织用户往往需要在多个系统中进行认证。因此,用户必须记住多个账户和密码。单点登录(SSO)技术是解决这个问题的一个办法。SSO为一组系统提供一个单一的登录凭证

In this tutorial, we’ll briefly explain what SSO is, and then we’ll look at seven different SSO solutions for Java applications.

在本教程中,我们将简要地解释什么是SSO,然后我们将看看Java应用程序的七个不同的SSO解决方案。

2. Single Sign-On

2.单点登录

Implementing an SSO solution can be performed using either of the two protocols:

实施SSO解决方案可以使用两种协议中的任何一种:

  • SAML 2.0
  • OpenID Connect

SAML 2.0 (Security Assertion Markup Language) simplifies user authentication. It allows users only to register and authenticate at the identity provider to access multiple services. It is based on XML. The OpenID Connect (OIDC) is the successor to SAML 2.0. Also, it is an extension to OAuth 2.0 protocol used for authentication. The OIDC is simpler to configure than SAML 2.0.

SAML 2.0(安全断言标记语言)简化了用户认证。它允许用户只在身份提供者处注册和认证,以访问多种服务。它是基于XML的。OpenID Connect(OIDC)是SAML 2.0的继承者。同时,它也是用于认证的OAuth 2.0协议的扩展。OIDC的配置比SAML 2.0更简单。

3. Keycloak

3.钥匙环

Keycloak is an open-source identity and access management (IAM) system. It provides features such as SSO, User Federation, Fine-Grained Authorization, Social Login, Two-Factor Authentication (2FA), and more. In addition, it supports OpenID Connect, OAuth 2.0, and SAML. It has good integration with third-party tools. For instance, it integrates really well with the Spring Boot application. The latest release can be found here. In addition, it provides a friendly admin console for administrators and developers to configure and manage Keycloak. The source code is available on GitHub.

Keycloak是一个开源的身份和访问管理(IAM)系统。它提供的功能包括SSO、用户联盟、细粒度授权、社交登录双因素认证(2FA)等。此外,它还支持OpenID Connect、OAuth 2.0和SAML。它与第三方工具有良好的整合。例如,它与Spring Boot应用程序的整合非常好。最新的版本可以在这里找到。此外,它还提供了一个友好的管理控制台,供管理员和开发人员配置和管理Keycloak。源代码可在GitHub上找到。

4. WSO2 Identity Server

4.WSO2身份服务器

WSO2 Identity Server is an open-source IAM system developed by WSO2. It offers SSO, 2FA, Identity Federation, Social Login, and more. It also supports almost all popular identity standards. Moreover, it comes up with an admin console and exposes APIs for integration with other applications. However, it is mainly written in Java, and the source code is available on GitHub.

WSO2 Identity Server是一个开源的IAM系统,由WSO2开发。它提供了SSO、2FA、身份联盟、社交登录等功能。它还支持几乎所有流行的身份标准。此外,它还提供了一个管理控制台,并公开了用于与其他应用程序集成的API。然而,它主要是用Java编写的,其源代码可在GitHub上获得。

5. Gluu

5. Gluu

Gluu is an open-source and cloud-native IAM solution with a variety of features for access management. It provides Strong Authentication, Mobile Authentication, 2FA, and Identity Brokering. Moreover, it also supports open web standards such as OpenID Connect, SAML 2.0, FIDO, and User-Managed Access. It is written in Python language. Also, the scripts to automate deployment and configuration of the Gluu Server is available on GitHub.

Gluu是一个开源的、云原生的IAM解决方案,具有访问管理的各种功能。它提供了强认证、移动认证、2FA和身份经纪服务。此外,它还支持开放的网络标准,如OpenID Connect、SAML 2.0、FIDO和用户管理访问。它是用Python语言编写的。此外,用于自动部署和配置Gluu服务器的脚本在GitHub上提供。

6. Apereo CAS

6.Apereo CAS

Apereo CAS is an open-source enterprise-grade SSO system. Also, it is part of the Central Authentication Service (CAS) project. Similar to previous solutions, it supports several protocols like SAML, OAuth 2.0, OpenID Connect, and more. Also, it can integrate with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle, and others. It is built on top of Spring Boot and Spring Cloud. The source code is available on GitHub.

Apereo CAS是一个开源的企业级SSO系统。同时,它也是中央认证服务(CAS)项目的一部分。与之前的解决方案类似,它支持多个协议,如SAML、OAuth 2.0、OpenID Connect等。另外,它可以与uPortal、BlueSocket、TikiWiki、Mule、Liferay、Moodle等集成。它建立在Spring Boot和Spring Cloud之上。源代码可在GitHub上获得。

7. Spring Security OAuth2

7.Spring Security OAuth2

We can use Spring Security OAuth project to implement the SSO solutions. It supports OAuth providers and OAuth consumers. In addition, we can implement 2FA functionality with a Soft Token and Spring Security.

我们可以使用Spring Security OAuth项目来实现SSO解决方案。它支持OAuth提供者和OAuth消费者。此外,我们可以通过软令牌和Spring Security实现2FA功能。

8. OpenAM

8.敞篷车

OpenAM is an open-access management solution that includes Authentication, Authorization, SSO, and Identity Provider. It supports Cross-Domain Single Sign On (CDSSO), SAML 2.0, OAuth 2.0, and OpenID Connect. The latest release and source code can be found here.

OpenAM是一个开放的访问管理解决方案,包括认证、授权、SSO和身份提供者。它支持跨域单点登录(CDSSO)、SAML 2.0、OAuth 2.0和OpenID Connect。最新的版本和源代码可以在这里找到。

9. Authelia

9.傲慢者

Authelia is an open-source authentication and authorization server that provides SSO and 2FA. It provides several hardware-based 2FA leveraging FIDO2 Webauthn compatible security keys. Moreover, it supports Time-based one-time passwords generated by apps like Google Authenticator. The Authelia server is written in the Go language, and its all source code is available on GitHub.

Authelia是一个开源的认证和授权服务器,提供SSO和2FA。它利用FIDO2Webauthn兼容的安全密钥,提供几种基于硬件的2FA。此外,它还支持由Google Authenticator等应用程序生成的基于时间的一次性密码。Authelia服务器是用Go语言编写的,其所有源代码都可以在GitHub上找到。

10. Conclusion

10.结语

Many organizations use the SSO today. In this article, we took a very high-level look at the SSO solutions in the Java ecosystem. Some of the solutions provide a complete IAM, and the others just the SSO server and authentication methods.

今天,许多组织都在使用SSO。在这篇文章中,我们对Java生态系统中的SSO解决方案做了一个非常高层次的考察。其中一些解决方案提供了完整的IAM,其他的只是SSO服务器和认证方法。