CN106452774B - Method and device for controlling access authority based on single sign-on protocol - Google Patents


Info

Publication number
CN106452774B
Authority
CN
China
Prior art keywords
user
authorization
verification
service system
access
Prior art date
Legal status
Active
Application number
CN201510484297.8A
Other languages
Chinese (zh)
Other versions
CN106452774A (en)
Inventor
陈勇
程怡
李阳光
张冬冬
孙海雷
陈亮
谷明启
刘鹏
陈定友
唐瑞东
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201510484297.8A
Publication of CN106452774A
Application granted
Publication of CN106452774B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the invention discloses a method and a device for controlling access authority based on a single sign-on protocol. The method comprises: receiving, from the client of a user who has logged in to a first business system, a verification request to access a second business system associated with the first business system; performing authorization verification on the access request based on a preset authorization rule for controlling access to the second business system, the authorization rule comprising at least one authorization data item, each consisting of a user characteristic and a set control condition on that characteristic; and sending a verification response including the result of the authorization verification to the user's client. On the basis of supporting single sign-on, the user's access to the associated business system can thus be further authorized according to a rule configured to the needs of that business system, so that accessing users are authorized in a targeted manner and the utilization rate of the business system is improved.

Description

Method and device for controlling access authority based on single sign-on protocol
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for controlling access authority based on a single sign-on protocol.
Background
With the continuous development of computer technology, the business scope of each merchant has grown wider and wider, and what was originally a single business has developed into several. How to control user access to business systems that are related to one another has therefore become an important concern.
A user's access to associated business systems can be controlled through a single sign-on protocol (for example, the CAS single sign-on protocol): the user logs in to one business system with his or her account information (for example, a username and password), and after a successful login can log in to another business system associated with it without entering the account information again.
The foregoing method of access control based on a single sign-on protocol has at least the following problem: once a user has successfully logged in to one business system with his or her account information, the user can log in to another business system without entering that information again, so a user logged in to the first business system can unconditionally access the second. If the other business system is meaningful only to users who satisfy a certain condition, the above process cannot achieve that goal; the targeting of the business system is poor and its load is increased.
Disclosure of Invention
The embodiment of the invention provides a method and a device for controlling access authority based on a single sign-on protocol which, on the basis of supporting single sign-on, additionally performs authorization verification on a user through an authorization rule set for access to a particular business system, so that accessing users are authorized in a targeted manner.
To achieve the above object, an embodiment of the present invention provides a method for controlling access rights based on a single sign-on protocol. The method comprises: receiving, from the client of a user who has logged in to a first business system, a verification request to access a second business system associated with the first business system; performing authorization verification on the access request based on a preset authorization rule for controlling access to the second business system, the authorization rule comprising at least one authorization data item, each consisting of a user characteristic and a set control condition on that characteristic; and sending a verification response including the result of the authorization verification to the user's client.
Optionally, performing authorization verification on the access request based on the preset authorization rule for controlling access to the second business system comprises: acquiring the user characteristic information of the user; if the user characteristic information conforms to the corresponding set control condition in the authorization rule, the result of the authorization verification is that verification passes; and if it does not, the result of the authorization verification is that verification fails.
Optionally, the method further comprises: receiving an authorization control setting request including an authorization data item for the second business system; and updating the authorization rule for controlling access to the second business system according to that authorization data item.
Optionally, the user characteristics may include user attribute characteristics and/or user behavior characteristics.
Optionally, the user characteristics include one or more of: the region where the user registered, the region where the user is currently located, the region of the user's work unit, the user's active login status, the industry in which the user works, the amount of the user's first top-up, the user's average daily consumption, and the user's integrity level.
Optionally, performing authorization verification on the access request based on the preset authorization rule for controlling access to the second business system further comprises: if the authorization rule for controlling access to the second business system does not include any authorization data item, the result of the authorization verification is that verification passes.
To achieve the above object, an embodiment of the present invention further provides an apparatus for controlling access rights based on a single sign-on protocol. The apparatus comprises: a verification request receiving module, for receiving, from the client of a user who has logged in to a first business system, a verification request to access a second business system associated with the first business system; an authorization verification module, for performing authorization verification on the access request based on a preset authorization rule for controlling access to the second business system, the authorization rule comprising at least one authorization data item, each consisting of a user characteristic and a set control condition on that characteristic; and a verification response sending module, for sending a verification response including the result of the authorization verification to the user's client.
Optionally, the authorization verification module comprises: a user characteristic obtaining unit, configured to obtain the user characteristic information of the user; and a verification result determining unit, configured to determine that the result of the authorization verification is that verification passes if the user characteristic information matches the corresponding set control condition in the authorization rule, and that verification fails if it does not.
Optionally, the apparatus further comprises: a setting request receiving module, for receiving an authorization control setting request including an authorization data item for the second business system; and an authorization rule updating module, for updating the authorization rule for controlling access to the second business system according to that authorization data item.
Optionally, the user characteristics may include user attribute characteristics and/or user behavior characteristics.
Optionally, the user characteristics include one or more of: the region where the user registered, the region where the user is currently located, the region of the user's work unit, the user's active login status, the industry in which the user works, the amount of the user's first top-up, the user's average daily consumption, and the user's integrity level.
Optionally, the authorization verification module is further configured to determine that the result of the authorization verification is that verification passes if the authorization rule for controlling access to the second business system does not include any authorization data item.
According to the method and apparatus for controlling access authority based on a single sign-on protocol provided by the embodiment of the invention, when a verification request is received for a user logged in to a first business system to access a second business system associated with it, the user's access to the second business system is controlled based on the preset authorization rule. On the basis of supporting single sign-on, access to the associated business system is thus further authorized according to a rule configured to that business system's requirements; accessing users are authorized in a targeted manner, and the utilization rate of the business system can be improved.
Drawings
FIG. 1 is a logic diagram of the information interaction for access right control based on a single sign-on protocol;
FIG. 2 is a flowchart of a method for controlling access rights based on a single sign-on protocol according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for controlling access rights based on a single sign-on protocol according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an apparatus for access right control based on a single sign-on protocol according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for access right control based on a single sign-on protocol according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an apparatus for access right control based on a single sign-on protocol according to an embodiment of the present invention.
Detailed Description
The basic inventive concept of the present invention is to provide an access right control scheme based on the CAS protocol: after a user logs in to a first service system, if the user needs to access a second service system associated with the first, the user's access is subjected to authorization verification through an authorization rule for controlling access to the second service system. On the basis of supporting single sign-on, the user's access to the associated service system is thus further authorized according to a rule configured to the needs of that service system, accessing users are authorized in a targeted manner, and the utilization rate of the service system can be improved.
In general, single sign-on protocols include several protocols, such as the CAS single sign-on protocol, the Passport single sign-on protocol and the X/Open Single Sign-on Service protocol. The embodiment of the present invention takes the CAS single sign-on protocol as the example for the detailed description of the scheme; other protocols may be handled by analogy with the CAS case and are not described again here. In a single sign-on system, a user logs in to one business system through his or her account information (for example, a username and password), and when the user then accesses another business system associated with it, the username and password need not be entered again. The corresponding process is shown in the information interaction logic diagram of FIG. 1.
Referring to FIG. 1, the single sign-on system may include a CAS authentication server, a plurality of service systems (so-called services) and a user client. The CAS authentication server stores the account information, such as username and password, of users registered with the single sign-on system, and authenticates the identity of a user logging in to an account of a service system. A service system may be a specific service, such as a game service or an information (or advertisement) promotion service. Each service system is configured with a CAS client, which handles user access requests to protected resources in that service system and, when the requester's identity must be authenticated, redirects the requester to the CAS authentication server. Any two of the service systems may be associated with each other, or a subset of them may be associated with each other and the remainder associated among themselves; the first and second service systems in FIG. 1 are associated with each other. When a user requests a resource from the first service system, the user's browser client accesses the first service system at the network address where the resource is located (interaction 1). On receiving the access request, if the CAS client in the first service system detects that the user is not currently logged in to the first service system, it sends a redirection message to the user's client (interaction 2); the redirection message may include the network address of the CAS authentication server and the network address of the first service system.
Based on the redirection message, the user's client sends an access request to the CAS authentication server (interaction 3). On receiving it, the CAS server checks whether the request carries the user's authentication credential; if it does not, or if the credential has expired, the server sends the login page to the user's client (interaction 4). The user enters account information in the login page and clicks the login button, and the client sends the entered account information to the CAS authentication server (interaction 5). The CAS authentication server authenticates the account information and, if it is correct, generates and stores a first identity authentication credential. It then sends the user's client a redirection message that includes the first authentication credential and the network address of the first service system (interaction 6). The user's client writes the first authentication credential into a cookie and sends it to the CAS client in the first service system (interaction 7); the CAS client passes it to the CAS authentication server for verification (interaction 8). If the CAS authentication server determines that the credential is valid, the user is allowed to log in to the first service system through his or her account, and the CAS client in the first service system sends a login-success notification to the user's client (interaction 9) together with the data of the requested resource.
It should be noted that the first authentication credential may be a one-time credential, used only once to process the successfully logged-in user and that user's request; after it has been used, the CAS authentication server may delete it or mark it invalid. In the CAS protocol as specified these are two distinct artifacts: the one-time credential presented to a service is the service ticket (ST), while the browser keeps a separate ticket-granting cookie (TGC) scoped to the CAS server's own domain, and it is the latter that lets the CAS server handle the later request of interaction 12 without a fresh login.
When the user, while in the first service system, browses to a target network address of a resource in the second service system and clicks it, the user's client sends an access request to the second service system (interaction 10). After the CAS client in the second service system detects that the user is not logged in to the second service system, it sends the user's client a redirection message including the network address of the second service system and the network address of the CAS authentication server (interaction 11). The user's client obtains the first authentication credential from the browser cookie and sends a verification request including it to the CAS authentication server (interaction 12). The CAS authentication server extracts the first identity authentication credential from the request and verifies it, and if verification passes generates and stores a second identity authentication credential. The CAS authentication server sends a redirection message including the second authentication credential to the user's client (interaction 13); the user's client sends the second authentication credential to the CAS client in the second service system (interaction 14), which verifies it through the CAS authentication server (interaction 15). If verification passes, the second service system sends a login-success notification to the user's client (interaction 16) together with the data of the requested resource.
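The ticket exchange described above, as an added example in Python that is not part of the patent text or of any CAS implementation: a minimal in-memory model of the CAS server's side of interactions 3 to 16. The class and function names, the in-memory ticket stores, the ticket lifetime and the sample account and service URLs are assumptions for illustration. It uses the standard CAS terms: the browser-held session credential is the ticket-granting ticket (TGT) and the credential handed to a service is a one-time service ticket (ST) bound to that service; the patent's "first" and "second identity authentication credential" correspond to the tickets issued in interactions 6 and 13.

```python
"""Minimal model of the CAS ticket exchange (interactions 3-16).

Added example, not code from the patent or from any CAS server. CasServer,
sso_visit, the in-memory ticket stores and TICKET_TTL_SECONDS are assumptions
made for illustration; a real deployment uses HTTPS, the CAS server's own
ticket registry and its /login and /serviceValidate endpoints.
"""
import secrets
import time

TICKET_TTL_SECONDS = 10.0  # assumed lifetime of a one-time service ticket


class CasServer:
    """Holds accounts, ticket-granting tickets (TGT) and one-time service tickets (ST)."""

    def __init__(self, accounts):
        # accounts: {username: password}; constructed sample data, plaintext for brevity only
        self._accounts = dict(accounts)
        self._tgts = {}  # TGT value -> username (the long-lived SSO session)
        self._sts = {}   # ST value -> (username, service, issued_at); removed on first use

    def login(self, username, password):
        """Interaction 5: check the account information; return a TGT or None."""
        if self._accounts.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._tgts[tgt] = username
        return tgt

    def grant_service_ticket(self, tgt, service):
        """Interactions 6/13: exchange a valid TGT for an ST bound to one service URL."""
        username = self._tgts.get(tgt)
        if username is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self._sts[st] = (username, service, time.monotonic())
        return st

    def validate(self, st, service):
        """Interactions 8/15: the service's CAS client asks which user the ST belongs to.

        The ticket is consumed on the first call whatever the outcome, so a replayed
        or mis-addressed ticket never yields a username.
        """
        record = self._sts.pop(st, None)
        if record is None:
            return None
        username, bound_service, issued_at = record
        if bound_service != service:
            return None  # issued for a different service: reject
        if time.monotonic() - issued_at > TICKET_TTL_SECONDS:
            return None  # stale ticket: reject
        return username


def sso_visit(server, browser_tgt, service):
    """Interactions 10-16 from the service's point of view: obtain an ST and validate it."""
    st = server.grant_service_ticket(browser_tgt, service)
    if st is None:
        return None  # no SSO session; the server would show the login page instead
    return server.validate(st, service)


def demo():
    """One login followed by two service visits without re-entering credentials."""
    cas = CasServer({"alice": "correct horse"})  # constructed sample account
    assert cas.login("alice", "wrong") is None
    tgt = cas.login("alice", "correct horse")                # interactions 4-6
    user1 = sso_visit(cas, tgt, "https://game.example/")     # first service system
    user2 = sso_visit(cas, tgt, "https://ads.example/")      # second, no new login
    return user1, user2


if __name__ == "__main__":
    print(demo())
```

The two checks in `validate` are the ones that matter in practice: a ticket that has already been consumed, or that was issued for a different service URL, must never resolve to a username, otherwise a ticket leaked through a referrer or a log line becomes reusable.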
The process shown in FIG. 1 is the one commonly used in a single sign-on protocol system. In the present invention this process is extended so that the users who may access each service system are further restricted: in the processing of interaction 12 in FIG. 1, authorization rules can be set for the different service systems to control users' authority to access the corresponding service system.
The following describes a method and an apparatus for performing access right control based on a single sign-on protocol according to an embodiment of the present invention in detail with reference to the accompanying drawings.
Example one
FIG. 2 is a flowchart of a method for controlling access rights based on a single sign-on protocol according to an embodiment of the present invention. The method is performed by a computer system comprising the apparatus shown in FIG. 4.
As shown in FIG. 2, in step S210, a verification request is received from the client of a user who has logged in to a first business system to access a second business system associated with the first business system.
The user's client may be the browser the user uses, or an application program of the relevant business system that the user accesses. The first and second business systems may be any two different business systems; for example, the first may be a game business system and the second an information promotion business system. Each is provided with a CAS client for handling users' access requests to that business system, which redirects to the CAS authentication server when the requester's identity must be authenticated.
Specifically, the user logs in to the first service system through account information; the corresponding processing follows FIG. 1 and is not repeated here. To increase the popularity and influence of a service, the network address of its service system may be placed in other service systems to promote it to users. For example, the first service system may be one commonly used and with many users, and the second a newly established one with few users; to promote the second service system, its network address may be placed in the first. When the user clicks the network address of the second service system within the first, the user's client sends an access request to the second service system. After detecting that the user is not logged in to the second service system, the CAS client in the second service system sends the user's client a redirection message including the network address of the second service system and the network address of the CAS authentication server. The user's client obtains from the browser cookie the first identity authentication credential used to log in to the first service system and sends a verification request including it to the CAS authentication server, which receives the request.
In step S220, authorization verification is performed on the access request based on a preset authorization rule for controlling access to the second business system, where the authorization rule includes at least one authorization data item, each consisting of a user characteristic and a set control condition on that characteristic.
An authorization rule is a rule for determining whether a user may access a particular business system. For example, the rule may be that the user has consumed for three consecutive months, with a consumption amount exceeding 100,000 yuan in each month; or that the industry in which the user works is the mechanical industry and the region where the user is currently located is city A (here, the industry in which the user works is an example of a "user characteristic", "mechanical industry" is an example of a "set control condition", and together they constitute an "authorization data item"; the later examples are analogous); or that the user has used his or her account in the last week and works in the catering industry. User characteristics may include attribute characteristics and/or behavior characteristics of the user: attribute characteristics may include the region where the user is currently located and the industry in which the user works, and behavior characteristics may include the user's consumption and login activity. The authorization rules of the different business systems may be set in the CAS authentication server so that they are managed centrally.
Specifically, different service systems may have different requirements for the users who may access them; for example, a service system may be open only to users in a specific region, or only to users at or above a predetermined integrity level. After receiving the verification request, the CAS authentication server extracts the first authentication credential and verifies it. If it is valid, the CAS authentication server determines that the user's identity is correct, acquires the authorization rule set in advance for the second service system and the user characteristic information of the user, and determines whether that information conforms to the authorization rule, thereby deciding whether authorization verification of the access request passes.
In step S230, a verification response including the result of the authorization verification is sent to the user's client.
Specifically, if the user characteristic information conforms to the authorization rule, authorization verification of the access request is determined to pass; the CAS authentication server then generates a second authentication credential and sends the client a verification response indicating that authorization verification passed and carrying the second authentication credential. Note that this verification response may be the redirection message of interaction 13 in FIG. 1. If the user characteristic information does not conform to the authorization rule, authorization verification of the access request is determined to fail, and the CAS authentication server sends the client a verification response denying the user access.
According to the method for controlling access authority based on a single sign-on protocol provided by the embodiment of the invention, when a verification request is received for a user logged in to a first service system to access a second service system associated with it, the user's access to the second service system is controlled based on the preset authorization rule. On the basis of supporting single sign-on, access to the associated service system is thus further authorized according to a rule configured to that service system's requirements; accessing users are authorized in a targeted manner, and the utilization rate of the service system is improved.
Example two
FIG. 3 is a flowchart of another embodiment of the method for controlling access rights based on a single sign-on protocol according to the present invention, which may be regarded as a more specific implementation of FIG. 2.
As shown in FIG. 3, in step S310, a verification request is received from the client of a user who has logged in to a first business system to access a second business system associated with the first business system.
The content of step S310 is the same as that of step S210 and is not repeated here.
In step S320, the user characteristic information of the user is acquired.
The user characteristic information may include one or more items, for example the region where the user is currently located and the user's integrity level.
Specifically, after receiving the verification request, the CAS authentication server extracts the first authentication credential and verifies it; if it is valid, the CAS authentication server determines that the user's identity is correct and looks up the user's characteristic information among the pre-stored user characteristic information.
In step S330, it is determined whether the user characteristic information conforms to the corresponding set control condition in the authorization rule set in advance for controlling access to the second service system.
The user characteristics may include one or more of: the region where the user registered, the region where the user is currently located, the region of the user's work unit, the user's active login status, the industry in which the user works, the amount of the user's first top-up, the user's average daily consumption, and the user's integrity level. The set control condition is the minimum condition that a user accessing the service system must satisfy, expressed as a value of the corresponding user characteristic; for example, the set control condition may be that the user's integrity level is level 5.
Specifically, the CAS authentication server obtains the authorization rule for controlling access to the second service system, extracts the user characteristics from the rule, looks up the matching items in the user's characteristic information, and compares each item found with the corresponding set control condition in the rule to determine whether it matches. If it matches, processing continues at step S340; if not, at step S350.
In step S340, if the user characteristic information matches the corresponding set control condition in the authorization rule preset for controlling access to the second service system, the result of the authorization verification is determined to be that verification passes, where the authorization rule includes at least one authorization data item consisting of a user characteristic and a set control condition.
In step S350, if the user characteristic information does not match the corresponding set control condition in the authorization rule, the result of the authorization verification is determined to be that verification fails.
The processing of steps S340 and S350 has been described under step S330 and is not repeated here.
In addition, the authorization rule may contain no authorization data item, or the CAS authentication server may hold no authorization rule for the second service system. In that case the processing may be: if the authorization rule for controlling access to the second business system does not include an authorization data item, the result of the authorization verification is verification passed.
Specifically, when the authorization rule contains no authorization data item, or the CAS authentication server holds no authorization rule for the second service system, the CAS authentication server first verifies the first identity authentication credential. Once it determines that the identity of the user corresponding to that credential is correct, it may determine that the authorization verification of the access request passes, generate the second identity authentication credential, and send a redirection message (i.e., the verification response) including the second identity authentication credential to the client of the user, so that the user may access the second service system. The corresponding processing may refer to the relevant content shown in fig. 1 and is not described again here.
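The credential exchange described above and in claim 1 (first credential verified, authorization performed, second credential issued, second business system validates it with the authentication server) is modelled below as an added example; it is not code from the patent or from any CAS implementation. The credential format (HMAC-SHA256 signed tokens), the field names `sub`, `aud`, `typ`, `exp` and `nonce`, the class and method names, and the 60-second lifetime are assumptions of the example. The authorization rule check itself is passed in as a predicate so that it is not repeated here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Set


class SingleSignOnServer:
    """Toy model of the single sign-on (CAS-style) authentication server.

    Credentials are HMAC-SHA256 signed tokens; the description fixes no credential
    format, so this is an assumption. The second identity authentication credential
    is bound to the second business system's identifier, short-lived, and accepted
    once, so a leaked or replayed credential cannot be redeemed at another system
    and a second credential cannot be exchanged for yet another one.
    """

    def __init__(self, key: bytes, authorize: Callable[[str, str], bool],
                 ttl_seconds: int = 60, now: Callable[[], float] = time.time) -> None:
        self._key = key
        self._authorize = authorize        # (user, service_id) -> bool; the rule check of steps S330-S350
        self._ttl = ttl_seconds
        self._now = now
        self._redeemed: Set[str] = set()   # nonces of second credentials already validated (prune by exp in practice)

    def _sign(self, payload: Dict[str, object]) -> str:
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def _verify(self, credential: str) -> Optional[Dict[str, object]]:
        """Return the payload if the tag is valid and the credential is unexpired, else None."""
        body, sep, tag = credential.partition(".")
        if not sep:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison of the tag
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] < self._now():
            return None
        return payload

    def issue_first_credential(self, user: str, first_service_id: str) -> str:
        """First identity authentication credential, issued once the user has logged in to the
        first business system (the login itself is out of scope here)."""
        return self._sign({"sub": user, "aud": first_service_id, "typ": "first",
                           "exp": self._now() + 3600, "nonce": secrets.token_hex(8)})

    def verify_request(self, first_credential: str, second_service_id: str) -> Dict[str, str]:
        """Verification request -> verification response (steps S310 to S360 / claim 1)."""
        payload = self._verify(first_credential)
        if payload is None or payload.get("typ") != "first":
            return {"result": "fail", "reason": "first identity authentication credential invalid"}
        user = str(payload["sub"])
        if not self._authorize(user, second_service_id):
            return {"result": "fail", "reason": "authorization verification failed"}
        second = self._sign({"sub": user, "aud": second_service_id, "typ": "second",
                             "exp": self._now() + self._ttl, "nonce": secrets.token_hex(8)})
        return {"result": "pass", "second_credential": second}

    def validate_second_credential(self, credential: str, requesting_service_id: str) -> Optional[str]:
        """Called by the second business system; returns the user name, or None to refuse the login."""
        payload = self._verify(credential)
        if payload is None or payload.get("typ") != "second":
            return None
        if payload.get("aud") != requesting_service_id:
            return None   # credential was issued for a different business system
        nonce = str(payload["nonce"])
        if nonce in self._redeemed:
            return None   # replay of an already redeemed credential
        self._redeemed.add(nonce)
        return str(payload["sub"])


if __name__ == "__main__":
    server = SingleSignOnServer(secrets.token_bytes(32), authorize=lambda user, sid: sid == "shop")
    first = server.issue_first_credential("alice", "portal")
    response = server.verify_request(first, "shop")
    print(response["result"], server.validate_second_credential(response["second_credential"], "shop"))
```

The three refusals in `validate_second_credential` (wrong business system, wrong credential type, repeated nonce) are the checks a reviewer would expect of whatever credential the second business system sends back to the authentication server; the description itself only states that the second system "requests the single sign-on authentication server to verify" it.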
In step S360, a verification response including a result of the authorization verification is transmitted to the client of the user.
The content of step S360 is the same as the content of step S230, and is not described herein again.
In addition, according to the preferred embodiment of the present invention, the authorization rule of the business system stored in the CAS authentication server may be updated to meet different requirements of the business system, and the corresponding processing may include the following contents of step one and step two.
In step one, an authorization control setting request including an authorization data item for the second business system is received.
Specifically, in order to meet the different requirements of service systems in different periods, the authorization rule of each service system may be modified and updated. To this end, an application program for updating authorization rules may be installed on a management terminal device, where the management terminal device is a terminal device that has the right to read and write the data stored in the CAS authentication server. When the authorization rule of a service system needs to be updated, the application program is started and the management terminal device displays an authorization control setting interface. In that interface, the identifier of the service system to be updated is entered, one or more user characteristics are selected, and a set control condition is configured for each selected user characteristic. After a confirmation key is clicked, the management terminal device obtains the identifier of the service system and the authorization data item formed by the selected user characteristics and their set control conditions, generates an authorization control setting request, and sends it to the CAS authentication server, which receives the authorization control setting request.
And in the second step, updating the authorization rule for controlling the access to the second business system according to the authorization data item.
Specifically, the CAS authentication server may extract the user characteristics in the authorization control setting request and then search the stored authorization rule to determine whether each user characteristic is already included in it. If so, the set control condition in the authorization control setting request replaces the set control condition corresponding to that user characteristic in the current authorization rule. For example, the authorization rules in the CAS authentication server may be stored in the form of a table, as shown in Table 1.
TABLE 1
User characteristic                      Set control condition
Integrity level of the user              Level 3
Industry in which the user works         Food and beverage
Average daily consumption of the user    200 yuan
Referring to Table 1, if the user characteristic in the authorization control setting request is the integrity level of the user and the corresponding set control condition is level 5, the CAS authentication server may change the set control condition for the user's integrity level in Table 1 from level 3 to level 5.
If the user characteristic is not yet included, the user characteristic and its set control condition are added to the current authorization rule. For example, if the user characteristic is the region in which the user is currently located and the corresponding set control condition is Changsha, Hunan, the CAS authentication server may add "region in which the user is currently located" with the condition "Changsha, Hunan" to Table 1 above. Thereafter, the CAS authentication server performs authorization verification of users accessing the corresponding service system with the updated authorization rule.
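The rule evaluation of steps S330 to S350 (including the pass-by-default case when no authorization data item exists) and the rule update of steps one and two against a Table 1 style rule store are shown together in the following added example. It is not code from the patent; the feature names (`integrity_level`, `industry`, `avg_daily_consumption`, `current_region`), the business system identifier `system_b`, the choice of which characteristics are compared as minimums rather than for equality, and the `from_management_terminal` flag standing in for authentication of the management terminal are assumptions of the example.

```python
from typing import Any, Dict, Tuple

# Graded / numeric user characteristics, for which the set control condition is a
# minimum the user must reach (the description calls the condition "a minimum
# condition"). Which characteristics are numeric is an assumption of this example;
# every other characteristic is compared for equality.
NUMERIC_FEATURES = {"integrity_level", "avg_daily_consumption", "first_recharge_amount"}

AuthorizationRule = Dict[str, Any]        # user characteristic -> set control condition
RuleStore = Dict[str, AuthorizationRule]  # business system identifier -> authorization rule

# Constructed rule reproducing Table 1 of the description.
TABLE_1: AuthorizationRule = {
    "integrity_level": 3,
    "industry": "food and beverage",
    "avg_daily_consumption": 200,
}


def matches(feature: str, user_value: Any, condition: Any) -> bool:
    """Compare one item of user characteristic information with its set control condition."""
    if feature in NUMERIC_FEATURES:
        return user_value >= condition
    return user_value == condition


def authorization_verification(rules: RuleStore, service_id: str,
                               user_info: Dict[str, Any]) -> Tuple[bool, str]:
    """Steps S330 to S350: returns (passed, reason) for the user's access to service_id.

    A business system with no authorization rule, or a rule with no authorization
    data item, passes. That is the description's own default; it is fail-open, so
    the reason string says so and a deployment should log such decisions.
    """
    rule = rules.get(service_id)
    if not rule:
        return True, "no authorization data item for this business system: pass (fail-open default)"
    for feature, condition in rule.items():
        if feature not in user_info:
            # Not specified by the description; this example fails closed when the
            # user's record lacks a characteristic the rule requires.
            return False, f"user characteristic {feature!r} missing from user information"
        if not matches(feature, user_info[feature], condition):
            return False, (f"{feature!r}={user_info[feature]!r} does not satisfy "
                           f"set control condition {condition!r}")
    return True, "all set control conditions satisfied"


def update_authorization_rule(rules: RuleStore, service_id: str, data_item: AuthorizationRule,
                              from_management_terminal: bool) -> AuthorizationRule:
    """Step two of the rule update: replace the set control condition of each user
    characteristic already in the rule, and add any characteristic not yet present.

    The description gives write access only to the management terminal device; the
    flag stands in for whatever authentication of that terminal the server performs
    (an assumption of this example). Without such a check any client could relax the rules.
    """
    if not from_management_terminal:
        raise PermissionError("authorization control setting request not from management terminal")
    rule = rules.setdefault(service_id, {})
    for feature, condition in data_item.items():
        rule[feature] = condition  # the same assignment covers "replace" and "add"
    return rule


if __name__ == "__main__":
    store: RuleStore = {"system_b": dict(TABLE_1)}
    alice = {"integrity_level": 4, "industry": "food and beverage", "avg_daily_consumption": 250}
    print(authorization_verification(store, "system_b", alice))
    # The management terminal raises the integrity requirement to level 5 and adds a region condition.
    update_authorization_rule(store, "system_b",
                              {"integrity_level": 5, "current_region": "Changsha, Hunan"}, True)
    print(authorization_verification(store, "system_b", alice))
```

Evaluation and update share one rule store so that a rule changed by the management terminal takes effect for the next verification request without any further step, which is the behaviour the description attributes to the CAS authentication server.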
According to the method for controlling access authority based on a single sign-on protocol provided by this embodiment of the invention, when a verification request is received from a user who has logged in to a first service system to access a second service system associated with it, the user's access to the second service system is controlled on the basis of a preset authorization rule. On top of the single sign-on mode, access to an associated service system is thus further authorized according to a rule configured for that service system's requirements, so that access is authorized in a targeted manner and the utilization rate of the service system is improved. Moreover, because the authorization rule can be updated, authorization of accessing users can be made more targeted still, further improving the utilization rate and the security of the service system.
EXAMPLE III
Based on the same technical concept, the embodiment of the invention also provides a device for controlling the access authority based on the single sign-on protocol. As shown in fig. 4, the apparatus includes an authentication request receiving module 410, an authorization authentication module 420, and an authentication response transmitting module 430.
The authentication request receiving module 410 is configured to receive, from a client of a user, an authentication request for accessing a second business system associated with a first business system by the user who has logged into the first business system.
The authorization verification module 420 is configured to perform authorization verification on the access request based on a preset authorization rule for controlling access to the second business system, where the authorization rule includes at least one user characteristic and an authorization data item of a set control condition thereof.
The verification response sending module 430 is configured to send a verification response including a result of the authorization verification to the client of the user.
Further, on the basis of the embodiment shown in fig. 4, the authorization verification module 420 shown in fig. 5 may include: a user characteristic obtaining unit 421, configured to obtain user characteristic information of the user; and a verification result determining unit 422, configured to determine that the result of the authorization verification is verification passed if the user characteristic information matches the corresponding set control condition in the authorization rule, and to determine that the result of the authorization verification is verification failed if the user characteristic information does not match the corresponding set control condition in the authorization rule.
Further, on the basis of the embodiment shown in fig. 5, the apparatus shown in fig. 6 may further include: a setting request receiving module 440, configured to receive an authority control setting request including an authorization data item for the second service system; and an authorization rule updating module 450, configured to update the authorization rule for controlling access to the second business system according to the authorization data item.
Further, the user characteristics may include user attribute characteristics and/or user behavior characteristics.
Further, the user characteristics include one or more of: the region in which the user registered, the region in which the user is currently located, the region of the user's work unit, the user's active-login history, the industry in which the user works, the amount of the user's first recharge, the user's average daily consumption amount, and the user's integrity level.
In addition, the authorization verification module 420 is further configured to determine that the result of the authorization verification is verification passed if the authorization rule for controlling access to the second business system does not include an authorization data item.
The device for controlling access authority based on a single sign-on protocol provided by this embodiment of the invention, on receiving a verification request from a user who has logged in to a first service system to access a second service system associated with it, controls the user's access to the second service system on the basis of a preset authorization rule. On top of the single sign-on mode, access to an associated service system is thus further authorized according to a rule configured for that service system's requirements, so that access is authorized in a targeted manner and the utilization rate of the service system is improved. Moreover, because the authorization rule can be updated, authorization of accessing users can be made more targeted still, further improving the utilization rate and the security of the service system.
It should be noted that, according to the implementation requirement, each step/component described in the present application can be divided into more steps/components, and two or more steps/components or partial operations of the steps/components can be combined into new steps/components to achieve the purpose of the present invention.
The above-described method according to the present invention can be implemented in hardware or firmware, or as software or computer code stored on a recording medium such as a CD-ROM, RAM, floppy disk, hard disk or magneto-optical disk, or as computer code originally stored on a remote recording medium or non-transitory machine-readable medium and downloaded over a network to a local recording medium, so that the method described herein can be executed from such a recording medium by a general-purpose computer, a dedicated processor, or programmable or dedicated hardware such as an ASIC or FPGA. It will be appreciated that the computer, processor, microprocessor controller or programmable hardware includes memory components (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the processing methods described herein. Further, when a general-purpose computer accesses code for implementing the processes shown herein, execution of the code transforms the general-purpose computer into a special-purpose computer for performing those processes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (12)

1. A method for controlling access authority based on single sign-on protocol, the method comprising:
a single sign-on authentication server receives, from a client of a user who has logged in to a first business system, a verification request for the user to access a second business system associated with the first business system, wherein the verification request comprises at least a first identity authentication credential for the first business system;
the single sign-on authentication server carries out authorization verification on the verification request based on a preset authorization rule for controlling access to the second business system, wherein the authorization rule comprises an authorization data item consisting of at least one user characteristic and a set control condition of the user characteristic;
the single sign-on authentication server sends a verification response comprising the result of the authorization verification to the client of the user, wherein if the result of the authorization verification is verification passed, a second identity authentication credential for the second business system is also generated and sent to the client of the user;
the second identity authentication credential is sent to the second business system through the client of the user;
the second business system requests the single sign-on authentication server to verify the second identity authentication credential;
and if the second identity authentication credential passes the verification, the second business system sends a notification message of successful login to the client of the user and sends the data of the resource requested by the user to the client of the user.
2. The method according to claim 1, wherein the processing of performing authorization verification on the verification request based on preset authorization rules for controlling access to the second business system comprises:
acquiring user characteristic information of the user;
if the user characteristic information matches the corresponding set control condition in the authorization rule, the result of the authorization verification is verification passed;
and if the user characteristic information does not match the corresponding set control condition in the authorization rule, the result of the authorization verification is verification failed.
3. The method of claim 2, further comprising:
receiving an authorization control setting request including an authorization data item for the second business system;
and updating the authorization rule for controlling the access to the second business system according to the authorization data item.
4. The method of claim 3, wherein the user characteristics comprise user attribute characteristics and/or user behavior characteristics.
5. The method of claim 4, wherein the user characteristics include one or more of: the region in which the user registered, the region in which the user is currently located, the region of the user's work unit, the user's active-login history, the industry in which the user works, the amount of the user's first recharge, the user's average daily consumption amount, and the user's integrity level.
6. The method according to any one of claims 1 to 5, wherein the processing of authorization verification of the verification request based on preset authorization rules for controlling access to the second business system further comprises:
if the authorization rule for controlling the access to the second business system does not include an authorization data item, the result of the authorization verification is verification passing.
7. A system for controlling access authority based on single sign-on protocol is characterized in that the system comprises a client of a user, a single sign-on authentication server, a first service system and a second service system:
the single sign-on authentication server is used for receiving, from a client of a user who has logged in to a first business system, a verification request for the user to access a second business system associated with the first business system, wherein the verification request comprises at least a first identity authentication credential for the first business system; for carrying out authorization verification on the verification request based on a preset authorization rule for controlling access to the second business system, wherein the authorization rule comprises an authorization data item consisting of at least one user characteristic and a set control condition thereof; for sending a verification response comprising the result of the authorization verification to the client of the user; and further for generating a second identity authentication credential for the second business system and sending it to the client of the user if the result of the authorization verification is determined to be verification passed;
the user's client is used for sending a verification request for accessing a second business system associated with the first business system to the single sign-on authentication server and sending the second identity authentication credential to the second business system;
the second service system is configured to request the single sign-on authentication server to verify the second identity authentication credential, and if the second identity authentication credential passes the verification, the second service system sends a notification message that the login is successful to the client of the user, and sends data of the resource requested by the user to the client of the user.
8. The system of claim 7, wherein the single sign-on authentication server comprises:
a user characteristic obtaining unit, configured to obtain user characteristic information of the user;
a verification result determining unit, configured to determine that the result of the authorization verification is verification passed if the user characteristic information matches the corresponding set control condition in the authorization rule;
the verification result determining unit being further configured to determine that the result of the authorization verification is verification failed if the user characteristic information does not match the corresponding set control condition in the authorization rule.
9. The system of claim 8, wherein the single sign-on authentication server further comprises:
a setting request receiving module for receiving an authority control setting request including an authorization data item for the second service system;
and the authorization rule updating module is used for updating the authorization rule for controlling the access to the second service system according to the authorization data item.
10. The system of claim 9, wherein the user characteristics comprise user attribute characteristics and/or user behavior characteristics.
11. The system of claim 10, wherein the user characteristics include one or more of: the region in which the user registered, the region in which the user is currently located, the region of the user's work unit, the user's active-login history, the industry in which the user works, the amount of the user's first recharge, the user's average daily consumption amount, and the user's integrity level.
12. The system according to any one of claims 7 to 11, wherein the single sign-on authentication server is further configured to:
and if the authorization rule for controlling the access to the second business system does not comprise an authorization data item, determining that the result of the authorization verification is verification passing.
CN201510484297.8A 2015-08-07 2015-08-07 Method and device for controlling access authority based on single sign-on protocol Active CN106452774B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510484297.8A CN106452774B (en) 2015-08-07 2015-08-07 Method and device for controlling access authority based on single sign-on protocol

Publications (2)

Publication Number Publication Date
CN106452774A CN106452774A (en) 2017-02-22
CN106452774B true CN106452774B (en) 2020-07-10

Family

ID=58092389

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510484297.8A Active CN106452774B (en) 2015-08-07 2015-08-07 Method and device for controlling access authority based on single sign-on protocol

Country Status (1)

Country Link
CN (1) CN106452774B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107277015A (en) * 2017-06-21 2017-10-20 北京易教阳光教育科技有限公司 Unifying user authentication management method, system, storage medium and server
CN108347423A (en) * 2017-07-25 2018-07-31 深圳壹账通智能科技有限公司 Enterprise portal manages system, method and storage medium
CN108881232B (en) * 2018-06-21 2019-07-02 北京海泰方圆科技股份有限公司 Sign-on access method, apparatus, storage medium and the processor of operation system
CN109753783B (en) * 2018-11-28 2020-09-08 北京友信科技有限公司 Single sign-on method and device based on machine learning and computer readable storage medium
CN110427747B (en) * 2019-06-20 2021-12-14 中国科学院信息工程研究所 Identity authentication method and device supporting service security mark
CN113055186B (en) * 2021-03-29 2023-04-07 中国建设银行股份有限公司 Cross-system service processing method, device and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101398771A (en) * 2008-11-18 2009-04-01 中国科学院软件研究所 Distributed system access control method based on component and access control system
CN101521660A (en) * 2008-02-27 2009-09-02 华为技术有限公司 Session initiation protocol registry method, certification and authorization method, system and equipment
CN101640687A (en) * 2009-08-31 2010-02-03 国家信息中心 Privilege management system and method
CN102694867A (en) * 2012-06-06 2012-09-26 江苏大学 Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture)
CN104270386A (en) * 2014-10-22 2015-01-07 中国建设银行股份有限公司 Cross-application-system user information integration method and identity information management server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant