CN110830512A - Multi-platform unified authentication system based on domain account - Google Patents


Info

Publication number
CN110830512A
Authority
CN
China
Prior art keywords
authentication system
unified authentication
user
application
account
Prior art date
Legal status
Pending
Application number
CN201911255967.3A
Other languages
Chinese (zh)
Inventor
汤芳剑
胡仟
王翔
Current Assignee
Bao Fu Network Technology (shanghai) Co Ltd
Original Assignee
Bao Fu Network Technology (shanghai) Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a domain-account-based multi-platform unified authentication system comprising seven business modules: a front-end login display module, a Server permission module, an ST verification module, a TGT/ST ticket management module, a redis cache management module, an LDAP data query module and a logout message distribution module. The system uses domain accounts to access the different platforms, so that one account logs in to all authorized systems: after logging in to one system, the user accessing the other systems is logged in automatically, and when one system logs out, the other systems log out together, giving better convenience and security.

Description

Multi-platform unified authentication system based on domain account
Technical Field
The invention relates to the technical field of computers, in particular to a domain account based multi-platform unified authentication system.
Background
In the daily business processing of enterprises, many business processing platforms are developed or introduced. Each system is closed, and each platform has its own account system and authentication mode. As the number of business systems grows, users need to remember accounts and passwords for many systems, so personal account management becomes cumbersome; and when a special situation arises and a specific account has to be disabled, every system must be operated on separately, which is a large workload.
The domain account based multi-platform unified authentication system (hereinafter "unified authentication system") solves the problem of account intercommunication across platforms by using domain accounts to access the different platforms. One account logs in to all authorized systems; after logging in to one system, accessing the other systems logs in automatically, and when one system logs out, the other systems log out as well, giving better convenience and security.
Disclosure of Invention
The invention aims to solve the problem of multi-platform account intercommunication and provides a domain account-based multi-platform unified authentication system.
In order to solve the technical problems, the invention adopts the technical scheme that:
the invention provides a multi-platform unified authentication system based on a domain account, which comprises seven service modules:
front-end login display module: responsible for receiving user operations and sending account verification requests;
Server permission module: responsible for preparing the name of the service to be accessed and its callback address, and for checking the validity of the access;
ST verification module: responsible for verifying whether the ST sent by the service system is legal;
TGT/ST ticket management module: the core module, responsible for generating, managing and dispatching TGT and ST tickets and managing their life cycles;
redis cache management module: caches TGT and ST ticket information;
LDAP (lightweight directory access protocol) data query module: obtains the LDAP domain account;
logout message distribution module: responsible for accepting and distributing logout messages.
Further, the unified authentication system has three preconditions:
precondition 1: a unified enterprise account is established;
precondition 2: business system accounts and domain accounts are sorted into a one-to-one correspondence, so that a business system account can be looked up in the business system from the domain account;
precondition 3: the service system is connected to the unified authentication system and provides three interfaces: ST acquisition, ST verification and logout notification.
Further, the login authentication process of the unified authentication system comprises:
a1, the user opens a browser to access application A;
a2, application A judges whether the user is logged in; if not, the user is redirected to the unified authentication system;
a3, the user enters account information on the unified authentication system, which sends an LDAP query, writes the TGC into a cookie and redirects back to the application A homepage;
b1, the user opens a browser to access application B;
b2, application B judges whether the user is logged in; if not, the user is redirected to the unified authentication system;
b3, the unified authentication system finds the user's credentials from the TGC in the browser cookie, and after successful authentication redirects to the application B homepage;
o1, the user opens a browser to access other systems;
o2, the other systems judge whether the user is logged in, and redirect to the unified authentication system if not;
o3, the unified authentication system finds the user's credentials from the TGC in the browser cookie, and after successful authentication redirects back to the homepages of the other systems.
Further, the logout authentication process of the unified authentication system is as follows:
a1, the user opens a browser to access application A, which is running normally;
a2, the user sends an exit request to application A; application A sends an exit message to the unified authentication system, which destroys the TGT information;
b1, the unified authentication system sends a logout message to application B;
o1, the unified authentication system sends logout messages to the other systems.
The invention also discloses a computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the multi-platform unified authentication system as claimed in claim 1.
The invention also discloses a device/terminal equipment, which is characterized by comprising a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor realizes the multi-platform unified authentication system according to claim 1 when executing the computer program.
The invention combines the advantages of domain controller account management and unified authentication, and aims to provide a simple, convenient and efficient enterprise-level account management scheme. Unified authentication provides single sign-on access to the systems within an enterprise, and the domain controller accounts provide validity verification of the accounts. The scheme has the following characteristics:
1. Convenient for users
When using the application systems, the user logs in once and uses them many times. The user does not need to enter a user name and password every time, and does not need to remember many sets of user names and passwords. The single sign-on platform improves the user's experience of the application systems.
2. Convenient for administrators
The system administrator only needs to maintain one set of unified user accounts, which is convenient and simple. Previously, system administrators had to manage many sets of user accounts: each application system had its own set, which was inconvenient to manage and prone to management loopholes.
3. Simplified application system development
When a new application system is developed, the user authentication service of the single sign-on platform can be used directly, which simplifies the development process. The single sign-on platform realizes single sign-on by providing one uniform authentication platform, so the application system does not need to develop its own user authentication program.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
FIG. 1 is a block diagram of the system of the present application;
FIG. 2 is a flowchart of the login service of the present application;
FIG. 3 is a logic sequence diagram of the login service of the present application;
FIG. 4 is a flowchart of the logout service of the present application;
FIG. 5 is a logic sequence diagram of the logout service of the present application;
FIG. 6 is a diagram of the underlying protocol of the present application.
Detailed Description
Example 1
The application provides a domain account-based multi-platform unified authentication system whose composition is shown in fig. 1. It accesses the domain controller accounts through the LDAP protocol, verifies the user account information and returns the authentication result; it interacts with external systems through three interfaces, so a service system can be connected with only a small amount of modification.
The application provides a multi-platform unified authentication system based on a domain account, which comprises seven service modules: a front-end login display module, a Server permission module, an ST verification module, a TGT/ST ticket management module, a redis cache management module, an LDAP data query module and a logout message distribution module.
The application provides a multi-platform unified authentication system based on a domain account, which has three preconditions: a unified enterprise account is established; business system accounts and domain accounts are sorted into a one-to-one correspondence, so that a business system account can be looked up in the business system from the domain account; and the service system is connected to the unified authentication system and provides three interfaces: ST acquisition, ST verification and logout notification.
The application provides a domain account-based multi-platform unified authentication system, in which the login authentication process is shown in fig. 2, the working logic sequence of the login service is shown in fig. 3, and the underlying protocol is shown in fig. 6. Specifically, applications A and B and the other systems are logged in to in sequence:
a1, the user opens a browser to access application A; the browser requests a service resource provided by the application system;
a2, application A judges whether the user is logged in; if not, the user is redirected to the unified authentication system, i.e. the service system redirects the user request to the server of the unified authentication system;
a3, the user enters account information on the unified authentication system, which sends an LDAP query, writes the TGC into a cookie and redirects back to the application A homepage; the user's identity is now authenticated;
b1, the user opens a browser to access application B;
b2, application B judges whether the user is logged in; if not, the user is redirected to the unified authentication system;
b3, the unified authentication system finds the user's credentials from the TGC in the browser cookie, and after successful authentication redirects to the application B homepage;
o1, the user opens a browser to access other systems;
o2, the other systems judge whether the user is logged in, and redirect to the unified authentication system if not;
o3, the unified authentication system finds the user's credentials from the TGC in the browser cookie, and after successful authentication redirects back to the homepages of the other systems.
The application provides a domain account-based multi-platform unified authentication system, in which the logout authentication flow is shown in fig. 4 and the working logic sequence of the logout service is shown in fig. 5. Specifically, applications A and B and the other systems are logged out in sequence:
a1, the user opens a browser to access application A, which is running normally;
a2, the user sends an exit request to application A; application A sends an exit message to the unified authentication system, which destroys the TGT information;
b1, the unified authentication system sends a logout message to application B;
o1, the unified authentication system sends logout messages to the other systems.
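As an added illustration (not code from the patent), the following Python model walks the login steps a1-a3 and b1-b3 and the logout fan-out described above: a server-side TGT keyed by the TGC cookie value, a service-bound, single-use ST that is only issued for a registered callback address, and logout messages distributed to every service the TGT was used for. The LDAP bind, the redis cache and the two registered applications are constructed stand-ins.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

ST_TTL_SECONDS = 10          # service tickets: short-lived and single-use
TGT_TTL_SECONDS = 8 * 3600   # ticket-granting ticket: one browser session


@dataclass
class TGT:
    user: str
    expires: float
    services: dict = field(default_factory=dict)  # service_id -> callback URL


class UnifiedAuthServer:
    def __init__(self, ldap_bind, registered_services):
        self._ldap_bind = ldap_bind            # LDAP data query module stand-in
        self._services = registered_services  # Server permission module data
        self._tgts, self._sts = {}, {}        # redis stand-in: TGC -> TGT, ST -> claims
        self.logout_messages = []             # what the distribution module sends out

    def login(self, username, password):
        """Step a3: verify the domain account, create a TGT and return the TGC."""
        if not self._ldap_bind(username, password):
            return None
        tgc = secrets.token_urlsafe(32)       # random, unguessable cookie value
        self._tgts[tgc] = TGT(username, time.time() + TGT_TTL_SECONDS)
        return tgc

    def _tgt_for(self, tgc):
        tgt = self._tgts.get(tgc)
        if tgt and tgt.expires < time.time():
            del self._tgts[tgc]               # expired TGT is destroyed, not reused
            return None
        return tgt

    def issue_st(self, tgc, service_id, callback_url):
        """Server permission check, then an ST bound to this service (steps a3/b3)."""
        tgt = self._tgt_for(tgc)
        if tgt is None:
            return None                        # no session: front end shows login page
        if self._services.get(service_id) != callback_url:
            return None                        # unknown service or unregistered callback
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (tgt.user, service_id, time.time() + ST_TTL_SECONDS)
        tgt.services[service_id] = callback_url  # remembered for single logout
        return st

    def validate_st(self, st, service_id):
        """ST verification module: one use, unexpired, bound to the calling service."""
        entry = self._sts.pop(st, None)        # pop: a second validation must fail
        if entry is None:
            return None
        user, bound_service, expires = entry
        if bound_service != service_id or expires < time.time():
            return None
        return user

    def logout(self, tgc):
        """Destroy the TGT and send a logout message to every service it logged into."""
        tgt = self._tgts.pop(tgc, None)
        if tgt is None:
            return []
        for sid, callback in tgt.services.items():
            self.logout_messages.append((sid, callback, tgt.user))
        return sorted(tgt.services)


def demo_ldap_bind(username, password):
    # Constructed stand-in for an LDAP simple bind against the domain controller.
    return username == "alice" and hmac.compare_digest(password, "correct-horse")


def demo_flow():
    """Runs a1-a3, b1-b3 and the logout fan-out; returns what each step observed."""
    apps = {"app-a": "https://a.example/sso/callback", "app-b": "https://b.example/sso/callback"}
    sso = UnifiedAuthServer(demo_ldap_bind, apps)
    tgc = sso.login("alice", "correct-horse")                     # a3: password once
    st_a = sso.issue_st(tgc, "app-a", apps["app-a"])
    user_a = sso.validate_st(st_a, "app-a")                       # app A validates ST
    replay = sso.validate_st(st_a, "app-a")                       # same ST again fails
    user_b = sso.validate_st(sso.issue_st(tgc, "app-b", apps["app-b"]), "app-b")  # b3
    bad_cb = sso.issue_st(tgc, "app-b", "https://other.example/cb")  # callback mismatch
    notified = sso.logout(tgc)                                    # a2, b1, o1 of logout
    return {"user_a": user_a, "replay": replay, "user_b": user_b, "bad_cb": bad_cb,
            "notified": notified, "after": sso.issue_st(tgc, "app-a", apps["app-a"])}
```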
The embodiments of the present invention have been described in detail, but the embodiments are merely examples, and the present invention is not limited to the embodiments described above. Any equivalent modifications and substitutions to those skilled in the art are also within the scope of the present invention. Accordingly, equivalent changes and modifications made without departing from the spirit and scope of the present invention should be covered by the present invention.

Claims (10)

1. A multi-platform unified authentication system based on domain accounts, characterized by comprising seven service modules:
front-end login display module: responsible for receiving user operations and sending account verification requests;
Server permission module: responsible for preparing the name of the service to be accessed and its callback address, and for checking the validity of the access;
ST verification module: responsible for verifying whether the ST sent by the service system is legal;
TGT/ST ticket management module: the core module, responsible for generating, managing and dispatching TGT and ST tickets and managing their life cycles;
redis cache management module: caches TGT and ST ticket information;
LDAP data query module: obtains the LDAP domain account;
logout message distribution module: responsible for accepting and distributing logout messages.
2. The multi-platform unified authentication system according to claim 1, wherein there are three preconditions:
precondition 1: a unified enterprise account is established;
precondition 2: business system accounts and domain accounts are sorted into a one-to-one correspondence, so that a business system account can be looked up in the business system from the domain account;
precondition 3: the service system is connected to the unified authentication system and provides three interfaces: ST acquisition, ST verification and logout notification.
3. The multi-platform unified authentication system according to claim 1, wherein the login authentication procedure is:
a1, the user opens a browser to access application A;
a2, application A judges whether the user is logged in; if not, the user is redirected to the unified authentication system;
a3, the user enters account information on the unified authentication system, which sends an LDAP query, writes the TGC into a cookie and redirects back to the application A homepage.
4. The multi-platform unified authentication system according to claim 1, wherein the login authentication procedure is:
b1, the user opens a browser to access application B;
b2, application B judges whether the user is logged in; if not, the user is redirected to the unified authentication system;
b3, the unified authentication system finds the user's credentials from the TGC in the browser cookie, and after successful authentication redirects to the application B homepage.
5. The multi-platform unified authentication system according to claim 1, wherein the login authentication procedure is:
o1, the user opens a browser to access other systems;
o2, the other systems judge whether the user is logged in, and redirect to the unified authentication system if not;
o3, the unified authentication system finds the user's credentials from the TGC in the browser cookie, and after successful authentication redirects back to the homepages of the other systems.
6. The multi-platform unified authentication system according to claim 1, wherein the logout authentication procedure is:
a1, the user opens a browser to access application A, which is running normally;
a2, the user sends an exit request to application A; application A sends an exit message to the unified authentication system, which destroys the TGT information.
7. The multi-platform unified authentication system according to claim 1, wherein the logout authentication procedure is:
b1, the unified authentication system sends a logout message to application B.
8. The multi-platform unified authentication system according to claim 1, wherein the logout authentication procedure is:
o1, the unified authentication system sends logout messages to the other systems.
9. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program which, when executed by a processor, implements the multi-platform unified authentication system of claim 1.
10. An apparatus/terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the multi-platform unified authentication system according to claim 1 when executing the computer program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911255967.3A CN110830512A (en) 2019-12-10 2019-12-10 Multi-platform unified authentication system based on domain account


Publications (1)

Publication Number Publication Date
CN110830512A true CN110830512A (en) 2020-02-21

Family

ID=69544290



Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051630A (en) * 2012-12-21 2013-04-17 微梦创科网络科技(中国)有限公司 Method, device and system for implementing authorization of third-party application based on open platform
CN104539615A (en) * 2014-12-29 2015-04-22 中国南方电网有限责任公司 Cascading authentication method based on CAS
CN107707570A (en) * 2017-11-13 2018-02-16 山东省农村信用社联合社 Cross-domain single logs in integrated approach and system
CN109815010A (en) * 2018-12-29 2019-05-28 深圳供电局有限公司 A kind of cloud platform unified identity authentication method and system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵晋: "基于JASIG-CAS的SSO系统的研究与实现", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111586054A (en) * 2020-05-09 2020-08-25 山东健康医疗大数据有限公司 Single sign-on implementation method based on Internet architecture
CN112019495A (en) * 2020-05-28 2020-12-01 北京航空航天大学 Dynamic mapping mechanism and data security control method for wide-area virtual data space account
CN112019495B (en) * 2020-05-28 2021-11-19 北京航空航天大学 Dynamic mapping mechanism and data security control method for wide-area virtual data space account
CN111984965A (en) * 2020-08-31 2020-11-24 成都安恒信息技术有限公司 Multi-source user management authentication system and method based on operation and maintenance audit system
CN113612865A (en) * 2021-07-29 2021-11-05 济南浪潮数据技术有限公司 Method, device and equipment for managing cloud platform LDAP domain account and readable medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200221