Complete Guide to Single Sign-On: Principles, Architecture, and Flow
This article explains Single Sign-On (SSO) fundamentals, detailing its three core components—CAS Server, CAS Client, and Browser—illustrating the overall architecture and walking through the complete authentication flow from accessing a service to ticket validation.
Single Sign-On (SSO) is the most common unified authentication solution on the Internet, in large enterprises, and in microservice architectures.
The core goal is that a user logs in once and can access multiple mutually trusted systems.
SSO Components
SSO typically contains three core components:
CAS Server: the central authentication server (login center) that receives login requests, validates usernames and passwords, generates and manages authentication tickets, and provides unified login results to business systems.
CAS Client: a client component deployed in each business system. It intercepts unauthenticated requests, redirects users to the CAS Server for login, and validates the tickets returned by the server.
Browser: the medium through which users interact with the system and the key carrier of information flow in the SSO process.
Overall Architecture
            ┌────────────────┐
            │    Browser     │
            └────────┬───────┘
                     │
                     ▼
 ┌───────────────────────────────────────┐
 │              CAS Server               │
 │ Authentication Center / Ticket Center │
 └───────────────────┬───────────────────┘
                     │
    ┌────────────────┼────────────────┐
    │                │                │
    ▼                ▼                ▼
OA System       CRM System       ERP System
(CAS Client)
SSO Process
Access Service: The user accesses a protected resource through a CAS Client.
Redirect Authentication: The Client detects that the user is not logged in and redirects to the CAS Server.
User Authentication: The user enters credentials on the CAS Server login page; the server verifies the identity.
Issue Ticket: After successful verification, the CAS Server generates a random Service Ticket (ST) and redirects back to the Client.
Validate Ticket: The Client presents the ST to the CAS Server; upon successful validation, the user is allowed to access the target service.
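An added example, not from the original article: a toy in-memory model of the User Authentication, Issue Ticket and Validate Ticket steps above. The class and method names, the sample user, the .example service URLs and the 10-second lifetime are assumptions. It goes slightly beyond the text by making each Service Ticket single-use, bound to the service it was issued for, and short-lived, which are the checks that keep a leaked ST from being replayed.

```python
import secrets
import time

TICKET_TTL = 10  # seconds an ST stays valid (assumed value for this example)


class CasServer:
    """Toy in-memory CAS Server: SSO sessions plus a Service Ticket store."""

    def __init__(self, users):
        self.users = users      # username -> password (constructed demo data;
                                # a real server stores password hashes)
        self.sessions = {}      # SSO session id -> username
        self.tickets = {}       # ST -> (username, service, expiry)

    def login(self, username, password):
        """User Authentication: verify credentials, open an SSO session."""
        stored = self.users.get(username)
        if stored is None or not secrets.compare_digest(
                stored.encode(), password.encode()):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def issue_ticket(self, sid, service, now=None):
        """Issue Ticket: random ST bound to one service and a short lifetime."""
        user = self.sessions.get(sid)
        if user is None:
            return None
        now = time.time() if now is None else now
        st = "ST-" + secrets.token_urlsafe(32)
        self.tickets[st] = (user, service, now + TICKET_TTL)
        return st

    def validate(self, st, service, now=None):
        """Validate Ticket: back-channel call made by the CAS Client."""
        now = time.time() if now is None else now
        entry = self.tickets.pop(st, None)  # pop: consumed on first attempt
        if entry is None:
            return None
        user, bound_service, expiry = entry
        if service != bound_service or now > expiry:
            return None
        return user
```

Because the SSO session survives ticket validation, a second business system can request its own ST without the user logging in again, while a replayed, expired, or cross-service ST returns no user.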
Architect Chen
Sharing over a decade of architecture experience from Baidu, Alibaba, and Tencent.
