<!-- Space: qifu -->
<!-- Parent: 后端技术&知识&规范 -->
<!-- Parent: 技术方案 -->
<!-- Parent: 基建 -->
<!-- Parent: 02-技术方案 -->
<!-- Title: 20241224-元盟全域SSO方案 -->

<!-- Macro: :anchor\((.*)\):
     Template: ac:anchor
     Anchor: ${1} -->
<!-- Macro: \!\[.*\]\((.+)\)\<\!\-\- width=(.*) \-\-\>
     Template: ac:image
     Url: ${1}
     Width: ${2} -->
<!-- Macro: \<\!\-\- :toc: \-\-\>
     Template: ac:toc
     Printable: 'false'
     MinLevel: 2
     MaxLevel: 4 -->
<!-- Include: 杂项/声明文件.md -->

<!-- :toc: -->
# 元盟 Company-wide SSO Solution

## I. Current Situation

### Business Background

The goal is to unify account login and reduce the fragmentation caused by each platform having its own account and password.

A unified SSO that logs users in through WeCom (企业微信) lets developers use every platform conveniently and reduces the fragmentation between platforms.

## II. Requirements

### Business Requirements

A unified SSO solution is needed so that a single account, or a WeCom account, can log in directly.

## III. Design Goals

### Features to Implement

- Log in to every platform through WeCom (企业微信)
- Platform list
  - Gitlab
  - Jenkins
  - Confluence
  - kubesphere
  - kibana
  - grafana
  - Skywalking
  - Nacos
  - Graylog
  - Yearning
  - Harbor
  - Nexus sonatype
  - 产研协同平台 (product/R&D collaboration platform)
## IV. Overall Design

### Overall Architecture



### Interaction Flow


## V. Detailed Design

### Functional Module Design

- 产研协同平台 (product/R&D collaboration platform)
  - Integrate with Keycloak to implement WeCom login
    - Option 1:
      - The 企赋 (Qifu) gateway integrates with Keycloak
      - 产研协同平台 integrates with the 企赋 gateway
    - Option 2:
      - 产研协同平台 integrates directly with Keycloak
- Jenkins SSO (verified)
  - Install the SAML plugin: it can be installed directly from the plugin marketplace
  - [Keycloak integration guide](https://github.com/jenkinsci/saml-plugin/blob/main/doc/CONFIGURE_KEYCLOAK.md)
- Gitlab SSO
  - [SAML](https://docs.gitlab.com/ee/integration/saml.html)
- Confluence SSO
  - [SAML](https://www.selinux.tech/architecture/cas/cas-gitlab)
- kubesphere SSO
  - [OIDC](https://blog.csdn.net/zpf17671624050/article/details/144296801)
- kibana SSO
  - [SAML](https://docs.authing.cn/v2/integration/)
- grafana SSO
  - [Configuration](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/)
  - [Configuration reference](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/)
- Skywalking SSO
  - [CAS](https://blog.csdn.net/qq_42536474/article/details/108669351)
- Nacos SSO
  - Not supported for now; a plugin could be developed
- Graylog
  - [Requires a plugin, and newer versions are not supported](https://community.graylog.org/t/single-sign-on-authentication-plugin/22804)
- Yearning SSO
  - [OIDC](https://github.com/cookieY/Yearning/pull/608)
- Harbor
  - [OIDC](https://docs.authing.cn/v2/integration/harbor/)
- Nexus sonatype SSO
  - [Nexus sonatype](https://help.sonatype.com/en/user-authentication.html)
  - [SAML](https://help.sonatype.com/en/saml.html)
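The following is an added example, not code from this design doc or from Keycloak. It illustrates Option 2 above (产研协同平台 integrating directly with Keycloak over OIDC): the relying party generates a per-login `state` and `nonce` when it builds the authorization request, and after the code exchange it must validate the ID token's claims (`iss`, `aud`/`azp`, `exp`, `iat`, `nonce`, `sub`) before trusting the login. The realm URL, client id, redirect URI and the sample claims are constructed placeholders, and JWT signature verification against the realm's JWKS is assumed to happen before these checks.

```python
"""Added example (not from the design doc): the claim checks an OIDC relying
party must perform on a Keycloak ID token, plus the state/nonce generation
that those checks rely on. All URLs, ids and sample claims are placeholders."""
import secrets
import time
import urllib.parse

# Assumed Keycloak realm and client; placeholder values, not real ones.
ISSUER = "https://keycloak.example.internal/realms/qifu"
CLIENT_ID = "product-rd-platform"
REDIRECT_URI = "https://platform.example.internal/oidc/callback"


def build_authorization_request(issuer=ISSUER, client_id=CLIENT_ID):
    """Build the Keycloak authorization-code request.

    Returns the URL plus the state and nonce the RP must store in the user's
    session: state ties the callback to this browser session (CSRF), nonce
    ties the ID token to this login attempt (replay)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    url = f"{issuer}/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)
    return {"url": url, "state": state, "nonce": nonce}


def validate_id_token_claims(claims, expected_nonce, now=None,
                             issuer=ISSUER, client_id=CLIENT_ID):
    """Return a list of failures (empty list means the claims are acceptable).

    These are the OIDC Core ID-token validation rules that still apply after
    the JWT signature has been verified against the realm JWKS."""
    now = time.time() if now is None else now
    problems = []
    # iss must be exactly the realm URL the RP was configured with.
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    # aud must contain this client; with several audiences azp must name it.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain client_id")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp != client_id")
    # exp must lie in the future; iat must not be implausibly far ahead.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60:
        problems.append("iat missing or in the future")
    # nonce must equal the one stored in the session for this login attempt.
    got_nonce = str(claims.get("nonce", "")).encode()
    if not secrets.compare_digest(got_nonce, expected_nonce.encode()):
        problems.append("nonce mismatch")
    # sub is the stable user identifier the platform should key accounts on.
    if not claims.get("sub"):
        problems.append("sub missing")
    return problems


# Constructed sample: what a decoded Keycloak ID token payload might look like.
SAMPLE_NOW = 1_735_000_000
SAMPLE_NONCE = "constructed-nonce-for-this-login"
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": [CLIENT_ID, "account"],
    "azp": CLIENT_ID,
    "exp": SAMPLE_NOW + 300,
    "iat": SAMPLE_NOW,
    "nonce": SAMPLE_NONCE,
    "sub": "f1e2d3c4-placeholder-user-id",
    "preferred_username": "dev.user",
}


def demo():
    """Run the checks on the sample claims and on a tampered copy."""
    ok = validate_id_token_claims(SAMPLE_CLAIMS, SAMPLE_NONCE, now=SAMPLE_NOW)
    tampered = dict(SAMPLE_CLAIMS, iss="https://other.example/realms/qifu")
    bad = validate_id_token_claims(tampered, SAMPLE_NONCE, now=SAMPLE_NOW)
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The same checks apply whichever of the two options is chosen; under Option 1 they simply run in the 企赋 gateway instead of in 产研协同平台, and the platform then trusts only the identity the gateway forwards to it.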

### Potential Risks

## VI. Effort and Schedule

### Development Time

### Integration Testing Time

### QA Hand-off Time

### Release Time

## VII. Design Review Comments

## VIII. References

- [Okta](https://www.okta.com/)
- [CAS single sign-on deployment](https://blog.csdn.net/xu_guo_jie/article/details/104209452)
- [Integration documentation reference](https://docs.authing.cn/v2/integration/?category=all&page=2)
- [CAS Server](https://github.com/apereo/cas)
- [CAS integration with LDAP](https://www.doc88.com/p-0774845211878.html)
- [CAS](https://zhuanlan.zhihu.com/p/610470663)
- [OIDC](https://zhuanlan.zhihu.com/p/539297736)
- [LDAP](https://zhuanlan.zhihu.com/p/608437013)
- [IAM single sign-on: CAS protocol analysis](https://zhuanlan.zhihu.com/p/627920220)
- [Keycloak](https://www.keycloak.org/)
- [Keycloak OIDC](https://www.keycloak.org/securing-apps/oidc-layers)
- [Keycloak default identity provider configuration](https://www.keycloak.org/docs/latest/server_admin/index.html#default_identity_provider)
- [Keycloak custom theme](https://springdoc.cn/spring-keycloak-custom-themes/)
- [Keycloak custom theme](https://blog.csdn.net/q1ngqingsky/article/details/123417611)