CN103873475A - Single sign-on system and method - Google Patents
Single sign-on system and method Download PDFInfo
- Publication number
- CN103873475A CN103873475A CN201410120344.6A CN201410120344A CN103873475A CN 103873475 A CN103873475 A CN 103873475A CN 201410120344 A CN201410120344 A CN 201410120344A CN 103873475 A CN103873475 A CN 103873475A
- Authority
- CN
- China
- Prior art keywords
- single sign
- client
- user profile
- user
- service end
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a single sign-on system and method. The single sign-on system comprises a client side, a server side and a verifying side. The client side provides single sign-on user information storage and submits a sign-on verifying request under the situation of single sign-on user information shortage. The server side is in communication connection with the client side, single sign-on user information storage is provided, the server side is used for carrying out verifying processing on client side identification AppID in the sign-on verifying request, after client side identification AppID verifying is passed, client side page information and generated/stored single sign-on user information are sent to the client side to be verified by the client side, and then single sign-on user information is generated. The verifying side is communication connection with the server side and provides a user sign-on function. According to the single sign-on system and method, safety is improved.
Description
Technical field
The present invention relates to a kind of login system and login method thereof, particularly relate to a kind of single sign-on system and single sign-on method thereof.
Background technology
The English full name Single of SSO Sign On, the meaning of Chinese is " single sign-on ".SSO is in multiple application systems, and user only need to log in the application system that once just can access all mutual trusts.It comprises can be mapped to current main logging in the mechanism logging in for same user in other application.It is one of solution of current popular business event integration.SSO single sign-on system is to adopt Cookie technology at present, records authentication information by Cookie, and shortcoming is that Cookie security performance is low.
Summary of the invention
Technical problem to be solved by this invention is to provide a kind of single sign-on system and single sign-on method thereof, the low technical problem of security performance that adopts Cookie technology to produce for solving existing single sign-on system.
The present invention solves above-mentioned technical problem by following technical proposals: a kind of single sign-on method of single sign-on system, in described single sign-on system, comprise client, service end, verifying end, described client and described verifying end all communicate to connect with described service end; Described single sign-on method comprises the following steps:
Step 1, access client page info, obtained in judgement by described client submitting to described service end the checking request that logs in under the situation of single sign-on user profile disappearance, described logging in checking request comprises customer terminal webpage information, described customer terminal webpage information comprises page URL and the client identification AppID of client-access, and each client has a unique client identification AppID;
Step 2, receives by described service end the customer terminal webpage information that described client sends, and to client identification, AppID verifies, if client identification AppID does not exist or extremely, returns to error message; If client identification AppID is correct, continue execution step three;
Step 3, judges whether to exist single sign-on user profile by described service end, if single sign-on user profile exists, returns to single sign-on user profile and customer terminal webpage information to described client, by described client executing step 6; If there is no single sign-on user profile, sends customer terminal webpage information to described verifying end;
Step 4, by described verifying end authentication of users logon information, if user's logon information mistake continues to log in; If user's logon information is correct, the user ID in user's logon information and customer terminal webpage information are sent to described service end, perform step five by described service end;
Step 5, receives by described service end the user ID UserID that described verifying end sends, and to user ID, UserID verifies; If user ID UserID authentication failed, returns to error message; If user ID UserID is verified, generate single sign-on user profile, and stored in described service end, then perform step three;
Step 6, the single sign-on user profile of described service end being returned by described client is verified; If single sign-on user profile authentication failed, returns to error message; If single sign-on user profile is verified, generate single sign-on user profile in described client.
Preferably, in described step 1, judge by described client whether single sign-on user profile exists, continue to process client flow process if single sign-on user profile exists; If single sign-on user profile does not exist, submit to described service end the checking request that logs in to.
Preferably, described single sign-on user profile comprises token Token and user ID UserID, and described token Token is the specific character string generating in the time logging in each time.
The present invention also provides a kind of single sign-on system, it is characterized in that, comprising:
Client, the storage of single sign-on user profile is provided and under the situation of single sign-on user profile disappearance, submits the checking request that logs in to, described logging in checking request comprises customer terminal webpage information, described customer terminal webpage information comprises page URL and the client identification AppID of client-access, and each client has a unique client identification AppID;
Service end, be connected with described client communication, the storage of single sign-on user profile be provided and verify processing and the single sign-on user profile of customer terminal webpage information and generation/storage is sent to described client after client identification AppID is verified and generate single sign-on user profile after for described client empirical tests for logging in the client identification AppID of checking request described in described client is submitted to;
Verifying end, with described server end communication connection, user is provided login function, the customer terminal webpage information sending over by the user ID UserID of user's logon information with by described service end after being verified is verified and logged in to the user's logon information providing for do not store single sign-on user profile in service end in the situation that and be sent to described service end and generate accordingly corresponding single sign-on user profile for described service end.
Preferably, the Cookie of described service end and the Cookie of client are Custom Encryption.
Preferably, described single sign-on user profile comprises token Token and user ID UserID, and described token Token is the specific character string generating in the time logging in each time.
Preferably, described single sign-on system is suitable for Web framework.
Positive progressive effect of the present invention is: single sign-on system of the present invention and single sign-on method thereof improve fail safe.
Brief description of the drawings
Fig. 1 is the theory diagram of single sign-on system of the present invention.
Fig. 2 is the flow chart of the single sign-on method of single sign-on system of the present invention.
Embodiment
Provide preferred embodiment of the present invention below in conjunction with accompanying drawing, to describe technical scheme of the present invention in detail.
Refer to Fig. 1, its theory diagram in one embodiment that is single sign-on system of the present invention.As shown in Figure 1, single sign-on system of the present invention comprises: client, service end, verifying end, described client and described verifying end all communicate to connect with described service end.
Client, the storage of single sign-on user profile is provided and under the situation of single sign-on user profile disappearance, submits the checking request that logs in to, described logging in checking request comprises customer terminal webpage information, described customer terminal webpage information comprises page URL and the client identification AppID of client-access, and each client has a unique client identification AppID;
Service end, be connected with described client communication, the storage of single sign-on user profile be provided and verify processing and the single sign-on user profile of customer terminal webpage information and generation/storage is sent to described client after client identification AppID is verified and generate single sign-on user profile after for described client empirical tests for logging in the client identification AppID of checking request described in described client is submitted to;
Verifying end, with described server end communication connection, user is provided login function, the customer terminal webpage information sending over by the user ID UserID of user's logon information with by described service end after being verified is verified and logged in to the user's logon information providing for do not store single sign-on user profile in service end in the situation that and be sent to described service end and generate accordingly corresponding single sign-on user profile for described service end.
Wherein, the Cookie of server Cookie and client can customize encryption (cryptographic algorithm is as follows).Single sign-on user profile comprises token Token and user ID UserID, and described token Token is the special string (generating character string as follows) generating in the time logging in each time.Single sign-on system of the present invention is suitable for Web framework.
Wherein, cryptographic algorithm is as follows:
Wherein, special string generates: token Token:Token is made up of System.Guid.NewGuid () .ToString (" N "), also can use MongoDB ObjectId generating algorithm to generate Token.User ID UserID is the unique sign of user id field.Special string is that token Token adds that user ID UserID encrypts userIdentity.Token+userIdentity.Identity again.
As shown in Figure 2, the single sign-on method of single sign-on system of the present invention, in described single sign-on system, comprises client, service end, verifying end, and described client and described verifying end all communicate to connect with described service end; Described single sign-on method comprises the following steps:
Step S101, access client page info, obtained in judgement by described client submitting to described service end the checking request that logs in under the situation of single sign-on user profile disappearance, described logging in checking request comprises customer terminal webpage information, described customer terminal webpage information comprises page URL and the client identification AppID of client-access, and each client has a unique client identification AppID; Specifically, step S101 judges by described client whether single sign-on user profile exists, and continues to process client flow process if single sign-on user profile exists; If single sign-on user profile does not exist, submit to described service end the checking request that logs in to.
Step S102, service end receives the customer terminal webpage information that client sends, and to client identification, AppID verifies, if client identification AppID does not exist or extremely, returns to error message; If client identification AppID is correct, continue execution step S103;
Step S103, service end judges whether to exist single sign-on user profile, if existed, returns to single sign-on user profile and customer terminal webpage information to client, client executing step S106; If there is no single sign-on user profile, sends customer terminal webpage information to verifying end;
Step S104, verifying end authentication of users logon information, if user's logon information mistake continues to log in; If user's logon information is correct, the user ID in user's logon information and customer terminal webpage information are sent to service end, service end execution step S105;
Step S105, service end receives the user ID UserID that verifying end sends, and to user ID, UserID verifies; If user ID UserID authentication failed, returns to error message; If user ID UserID is verified, generates single sign-on user profile, and in service end storage, then perform step S103;
Step S106, the single sign-on user profile that client is returned service end is verified; If single sign-on user profile authentication failed, returns to error message; If single sign-on user profile is verified, generate single sign-on user profile in client.
Wherein, single sign-on (SSO) user profile comprises token Token and user ID UserID, and token Token is the specific character string that at every turn logs in generation.
In sum, single sign-on system of the present invention and login method thereof, by multiple authentication, improve fail safe.
Those skilled in the art can carry out various remodeling and change to the present invention.Therefore, the present invention has covered various remodeling and the change in the scope that falls into appending claims and equivalent thereof.
Claims (7)
1. a single sign-on method for single sign-on system, in described single sign-on system, comprises client, service end, verifying end, and described client and described verifying end all communicate to connect with described service end; It is characterized in that, described single sign-on method comprises the following steps:
Step 1, access client page info, obtained in judgement by described client submitting to described service end the checking request that logs in under the situation of single sign-on user profile disappearance, described logging in checking request comprises customer terminal webpage information, described customer terminal webpage information comprises page URL and the client identification AppID of client-access, and each client has a unique client identification AppID;
Step 2, receives by described service end the customer terminal webpage information that described client sends, and to client identification, AppID verifies, if client identification AppID does not exist or extremely, returns to error message; If client identification AppID is correct, continue execution step three;
Step 3, judges whether to exist single sign-on user profile by described service end, if single sign-on user profile exists, returns to single sign-on user profile and customer terminal webpage information to described client, by described client executing step 6; If there is no single sign-on user profile, sends customer terminal webpage information to described verifying end;
Step 4, by described verifying end authentication of users logon information, if user's logon information mistake continues to log in; If user's logon information is correct, the user ID in user's logon information and customer terminal webpage information are sent to described service end, perform step five by described service end;
Step 5, receives by described service end the user ID UserID that described verifying end sends, and to user ID, UserID verifies; If user ID UserID authentication failed, returns to error message; If user ID UserID is verified, generate single sign-on user profile, and stored in described service end, then perform step three;
Step 6, the single sign-on user profile of described service end being returned by described client is verified; If single sign-on user profile authentication failed, returns to error message; If single sign-on user profile is verified, generate single sign-on user profile in described client.
2. the login method of single sign-on system as claimed in claim 1, is characterized in that, in described step 1, judges by described client whether single sign-on user profile exists; If single sign-on user profile exists, continue to process client flow process; If single sign-on user profile does not exist, submit to described service end the checking request that logs in to.
3. the login method of single sign-on system as claimed in claim 1, is characterized in that, described single sign-on user profile comprises token Token and user ID UserID, and described token Token is the specific character string generating in the time logging in each time.
4. a single sign-on system, is characterized in that, comprising:
Client, the storage of single sign-on user profile is provided and under the situation of single sign-on user profile disappearance, submits the checking request that logs in to, described logging in checking request comprises customer terminal webpage information, described customer terminal webpage information comprises page URL and the client identification AppID of client-access, and each client has a unique client identification AppID;
Service end, be connected with described client communication, the storage of single sign-on user profile be provided and verify processing and the single sign-on user profile of customer terminal webpage information and generation/storage is sent to described client after client identification AppID is verified and generate single sign-on user profile after for described client empirical tests for logging in the client identification AppID of checking request described in described client is submitted to;
Verifying end, with described server end communication connection, user is provided login function, the customer terminal webpage information sending over by the user ID UserID of user's logon information with by described service end after being verified is verified and logged in to the user's logon information providing for do not store single sign-on user profile in service end in the situation that and be sent to described service end and generate accordingly corresponding single sign-on user profile for described service end.
5. single sign-on system according to claim 4, is characterized in that, the Cookie of described service end and the Cookie of client are Custom Encryption.
6. single sign-on system according to claim 4, is characterized in that, described single sign-on user profile comprises token Token and user ID UserID, and described token Token is the specific character string generating in the time logging in each time.
7. single sign-on system according to claim 4, is characterized in that, described single sign-on system is suitable for Web framework.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410120344.6A CN103873475A (en) | 2014-03-27 | 2014-03-27 | Single sign-on system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410120344.6A CN103873475A (en) | 2014-03-27 | 2014-03-27 | Single sign-on system and method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103873475A true CN103873475A (en) | 2014-06-18 |
Family
ID=50911602
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410120344.6A Pending CN103873475A (en) | 2014-03-27 | 2014-03-27 | Single sign-on system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103873475A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104717228A (en) * | 2015-03-31 | 2015-06-17 | 北京羽乐创新科技有限公司 | Method and device for authorizing account number |
| WO2018064881A1 (en) * | 2016-10-09 | 2018-04-12 | 武汉斗鱼网络科技有限公司 | Method and system for saving user login state for use in ios client terminal |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060520A (en) * | 2006-04-21 | 2007-10-24 | 盛趣信息技术(上海)有限公司 | Token-based SSO authentication system |
| CN101651666A (en) * | 2008-08-14 | 2010-02-17 | 中兴通讯股份有限公司 | Method and device for identity authentication and single sign-on based on virtual private network |
| CN102857484A (en) * | 2011-07-01 | 2013-01-02 | 阿里巴巴集团控股有限公司 | Method, system and device for implementing single sign-on |
| US20130290719A1 (en) * | 2011-01-13 | 2013-10-31 | Infosys Limited | System and method for accessing integrated applications in a single sign-on enabled enterprise solution |
-
2014
- 2014-03-27 CN CN201410120344.6A patent/CN103873475A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060520A (en) * | 2006-04-21 | 2007-10-24 | 盛趣信息技术(上海)有限公司 | Token-based SSO authentication system |
| CN101651666A (en) * | 2008-08-14 | 2010-02-17 | 中兴通讯股份有限公司 | Method and device for identity authentication and single sign-on based on virtual private network |
| US20130290719A1 (en) * | 2011-01-13 | 2013-10-31 | Infosys Limited | System and method for accessing integrated applications in a single sign-on enabled enterprise solution |
| CN102857484A (en) * | 2011-07-01 | 2013-01-02 | 阿里巴巴集团控股有限公司 | Method, system and device for implementing single sign-on |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104717228A (en) * | 2015-03-31 | 2015-06-17 | 北京羽乐创新科技有限公司 | Method and device for authorizing account number |
| WO2018064881A1 (en) * | 2016-10-09 | 2018-04-12 | 武汉斗鱼网络科技有限公司 | Method and system for saving user login state for use in ios client terminal |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9992189B2 (en) | Generation and validation of derived credentials | |
| US10382426B2 (en) | Authentication context transfer for accessing computing resources via single sign-on with single use access tokens | |
| CN103475666B (en) | A kind of digital signature authentication method of Internet of Things resource | |
| US9083702B2 (en) | System and method for providing internal services to external enterprises | |
| US9083703B2 (en) | Mobile enterprise smartcard authentication | |
| CN103581108B (en) | Login authentication method, login authentication client, login authentication server and login authentication system | |
| US8959335B2 (en) | Secure password-based authentication for cloud computing services | |
| CN103514410A (en) | Dependable preservation and evidence collection system and method for electronic contract | |
| CN107809317A (en) | A kind of identity identifying method and system based on token digital signature | |
| CN103701919A (en) | Remote login method and system | |
| CN103973695A (en) | Signature algorithm for server validation | |
| US20170048225A1 (en) | Method, Apparatus, and System for Secure Authentication | |
| CN102420692A (en) | Safety authentication method and system of universal serial bus (USB) key of client terminal based on cloud computation | |
| CN105306423B (en) | Unified login method for distribution Web web station system | |
| Xie et al. | Cryptanalysis and security enhancement of a robust two‐factor authentication and key agreement protocol | |
| CN102946314A (en) | Client-side user identity authentication method based on browser plug-in | |
| CN103607284A (en) | Identity authentication method and equipment and server | |
| CN106936790A (en) | The method that client and server end carries out two-way authentication is realized based on digital certificate | |
| CN104038486A (en) | System and method for realizing user login identification based on identification type codes | |
| CN106161031B (en) | Server password generation method, server password verification method and server password verification device | |
| WO2015043787A1 (en) | Method and system for authenticating a user of a device | |
| CN104883351A (en) | Multiple-factor authentication method and device | |
| CN106796630A (en) | User authentication | |
| CN104283884A (en) | Verification code verification method | |
| CN103326856A (en) | Cloud storage data responsibility confirmation structure and method based on two-way digital signature |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20140618 |
|
| WD01 | Invention patent application deemed withdrawn after publication |