CN115484092A - Unified identity authentication method and device - Google Patents



Publication number
CN115484092A
Authority
CN
China
Prior art keywords
application system
identity authentication
domain
application
account information
Legal status
Pending
Application number
CN202211111606.3A
Other languages
Chinese (zh)
Inventor
范曾鹏
张嘉清
Current Assignee
Bank of China Ltd
Original Assignee
Bank of China Ltd
Priority date
Filing date
Publication date
Application filed by Bank of China Ltd
Priority to CN202211111606.3A
Publication of CN115484092A
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
              • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L 63/0281 Proxies

Abstract

The invention provides a unified identity authentication method and a unified identity authentication device, which relate to network security and comprise the following steps: the domain terminal accesses an application interface of an application system through a browser, the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects to an IWA reverse proxy; the IWA reverse proxy acquires domain account information of a domain terminal, determines a second identity authentication parameter by combining with the first identity authentication parameter, redirects the second identity authentication parameter to an application system, and returns the second identity authentication parameter to the browser; the browser accesses the MIM application service through the application system, acquires domain account information and logs in the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information; the application system acquires authentication identity information corresponding to the target login application system according to the application system account information, redirects the authentication identity information of the target login application system to the browser, and logs in the target application system.

Description

Unified identity authentication method and device
Technical Field
The invention relates to the technical field of network security, in particular to a unified identity authentication method and a unified identity authentication device.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
At present, each of a bank's application systems performs its own login authentication, mostly with a traditional user name and password. A user who accesses several systems in normal work therefore has to handle multiple IDs and multiple passwords, and because the password rotation policies and strength requirements differ between systems, the passwords are hard to remember and hard to manage.
Because the existing application systems each authenticate independently with different user names and passwords, users accumulate many passwords, security cannot be guaranteed, and several systems have to be logged into in the course of actual work.
A new solution that addresses these technical problems is therefore needed in the art.
Disclosure of Invention
The embodiment of the invention provides a unified identity authentication method, which realizes single sign-on of IWA authentication through IWA reverse proxy, and comprises the following steps:
the domain terminal accesses an application interface of an application system through a browser, the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects to an IWA reverse proxy;
the IWA reverse proxy acquires domain account information of the domain terminal according to the first identity authentication parameter, determines a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirects to an application system, and returns the second identity authentication parameter to the browser;
the browser attaches first identity authentication information and second identity authentication information, accesses the MIM application service through the application system, acquires domain account information and logs in the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information;
the application system determines that the application system acquires an authentication identity information interface according to the application system account information, and accesses the MIM application service through the authentication identity information interface acquired by the application system according to the first identity authentication parameter and the domain account information to acquire authentication identity information corresponding to the target login application system;
the application system redirects the authentication identity information of the target login application system to the browser to log in the target application system.
The embodiment of the present invention further provides a unified identity authentication apparatus, including:
the identity authentication judgment module is used for the domain terminal to access an application interface of the application system through the browser, and the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects the domain terminal to the IWA reverse proxy;
the domain account information acquisition module is used for the IWA reverse proxy to acquire domain account information of the domain terminal according to the first identity authentication parameter, determine a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirect the second identity authentication parameter to the application system and return the second identity authentication parameter to the browser;
the application system login module is used for attaching the first identity authentication information and the second identity authentication information to the browser, accessing the MIM application service through the application system, acquiring domain account information and logging in the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information;
the authentication identity information acquisition module is used for determining that the application system acquires an authentication identity information interface according to the application system account information by the application system, acquiring the authentication identity information interface through the application system to access the MIM application service according to the first identity authentication parameter and the domain account information, and acquiring the authentication identity information corresponding to the target login application system;
and the target application system login module is used for redirecting the authentication identity information of the target login application system to the browser by the application system and logging in the target application system.
The embodiment of the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the unified identity authentication method when executing the computer program.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the unified identity authentication method is implemented.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by a processor, the unified identity authentication method is implemented.
The embodiment of the invention provides a unified identity authentication method and a device, comprising the following steps: the domain terminal accesses an application interface of an application system through a browser, the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects to an IWA reverse proxy; the IWA reverse proxy acquires domain account information of the domain terminal according to the first identity authentication parameter, determines a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirects to an application system, and returns the second identity authentication parameter to the browser; the browser attaches first identity authentication information and second identity authentication information, accesses the MIM application service through the application system, acquires domain account information and logs in the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information; the application system determines that the application system acquires an authentication identity information interface according to the application system account information, and accesses the MIM application service through the authentication identity information interface acquired by the application system according to the first identity authentication parameter and the domain account information to acquire authentication identity information corresponding to the target login application system; the application system redirects the authentication identity information of the target login application system to the browser to log in the target application system. 
The embodiment of the invention realizes single sign-on for IWA authentication through an IWA reverse proxy. When accessing different applications, the user enters domain account information only once for identity authentication, and all application systems are integrated so that single sign-on is achieved. The embodiment mainly addresses the Windows domain environment: once the terminal user has logged into the Windows system with a domain account, domain account authentication is already complete when other application systems are used, so those systems no longer ask for a user name and password, and unified identity authentication is achieved. After a user of the domain terminal has logged into Windows with domain account information consisting of the domain user and password, the user can log into each accessed system without entering that system's password again; verification and login are performed automatically.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
fig. 1 is a schematic diagram of a unified identity authentication method according to an embodiment of the present invention.
Fig. 2 is an interaction diagram of a unified identity authentication method according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of an embodiment of a unified identity authentication method according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of an embodiment of a unified identity authentication method according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of a computer device for executing a unified identity authentication method implemented by the present invention.
Fig. 6 is a schematic diagram of a unified identity authentication apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
Fig. 1 is a schematic diagram of a unified identity authentication method according to an embodiment of the present invention, and as shown in fig. 1, an embodiment of the present invention provides a unified identity authentication method, where an IWA reverse proxy is used to implement single sign-on of IWA authentication, where the method includes:
step 101: the domain terminal accesses an application interface of an application system through a browser, the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects to an IWA reverse proxy;
step 102: the IWA reverse proxy acquires domain account information of the domain terminal according to the first identity authentication parameter, determines a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirects to an application system, and returns the second identity authentication parameter to the browser;
step 103: the browser attaches first identity authentication information and second identity authentication information, accesses the MIM application service through the application system, acquires domain account information and logs in the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information;
step 104: the application system determines that the application system acquires an authentication identity information interface according to the application system account information, and accesses the MIM application service through the authentication identity information interface acquired by the application system according to the first identity authentication parameter and the domain account information to acquire authentication identity information corresponding to the target login application system;
step 105: the application system redirects the authentication identity information of the target login application system to the browser to log in the target application system.
In the embodiment of the invention, the related professional vocabularies are as follows:
ADFS: Active Directory Federation Services (Active Directory federated identity authentication), Microsoft's local SSO solution; it supports user authentication for applications that are not compatible with Active Directory (AD) and Integrated Windows Authentication (IWA).
IWA: Integrated Windows Authentication, integrated identity authentication in a Windows domain environment.
IIS: Internet Information Services, the basic Internet services that Microsoft provides on Microsoft Windows. In this method IIS serves as the proxy service that performs IWA authentication and obtains domain account information.
MIM: Microsoft Identity Manager. Its main functions are: 1. integrating AD (Active Directory) with the human resources management system (eHR) and with the account system of each application system; 2. providing maintenance and query services for user information, for example maintaining the mapping between the unified eHR identity and each application system's self-built account.
Identity authentication: the process of determining whether a user is a valid user.
The embodiment of the invention uses IIS as the reverse proxy: IWA login is performed on IIS, and the IWA authentication result of the IIS reverse proxy server is returned to the accessing product, so that web applications on other platforms that do not support IWA login can achieve IWA login indirectly.
Implementing the unified identity authentication method based on the IIS reverse proxy server and IWA requires, first, that the basic domain user account and password provided by the infrastructure AD DS be verified and, second, that the application system obtain the domain account information of the terminal; the IWA reverse proxy mainly performs the authentication of domain user accounts. The MIM application service maintains the mapping between domain accounts and self-built accounts, is mainly relevant to systems that have self-built accounts, and stores domain account information, application system account information and the authentication identity information of each application system.
Fig. 2 is an interaction diagram of a unified identity authentication method according to an embodiment of the present invention, and as shown in fig. 2, when a unified identity authentication method according to an embodiment of the present invention is implemented, in an embodiment, the method includes:
the domain terminal accesses an application interface of an application system through a browser, the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects to an IWA reverse proxy. The first authentication parameter may be a SysID parameter; as described above, the SysID parameter may be carried in the redirect to the URL of the IWA reverse proxy, for example: url = proxyUrl?sysid=ABCD&returnUrl=http://www.abcd.com.cn, where: 1. proxyUrl is the access address of the IWA proxy service; 2. sysid is the system identifier of the application system; 3. returnUrl is the address/interface of the application system that the proxy service calls back after IWA authentication is completed.
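The redirect above is the hand-off on which the whole scheme rests, so here is an added example (not code from the patent or from Bank of China) of how an application system can build proxyUrl?sysid=...&returnUrl=... and how the proxy can validate what it receives before it sends a session id to the callback address. The proxy address, the second SysID and the allow-list registry are assumptions made for this example; SysID ABCD and host www.abcd.com.cn are the patent's own example values.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry of which callback hosts each application system (SysID) may
# use. "ABCD" / www.abcd.com.cn come from the patent's example; the second entry
# and the proxy address are assumptions for this example.
CALLBACK_ALLOWLIST = {
    "ABCD": {"www.abcd.com.cn"},
    "EFGH": {"efgh.bank.internal"},
}
PROXY_URL = "https://iwa-proxy.bank.internal/auth"  # assumed proxyUrl


def build_proxy_redirect(sysid: str, return_url: str, proxy_url: str = PROXY_URL) -> str:
    """Application-system side (step 101): build the redirect to the IWA reverse proxy.

    Produces the shape the patent gives, proxyUrl?sysid=...&returnUrl=..., with the
    return URL percent-encoded so that a query string of its own cannot inject extra
    parameters into the proxy request.
    """
    return f"{proxy_url}?{urlencode({'sysid': sysid, 'returnUrl': return_url})}"


def parse_proxy_request(url: str) -> tuple:
    """Proxy side: extract sysid and returnUrl from the incoming request and validate them.

    Raises ValueError for a missing or duplicated parameter, an unregistered SysID, a
    relative or non-http(s) returnUrl, or a callback host that is not registered for
    that SysID. Without the host check the proxy would redirect a freshly issued
    session id to whatever address the request named.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    sysids = query.get("sysid", [])
    returns = query.get("returnUrl", [])
    if len(sysids) != 1 or len(returns) != 1:
        raise ValueError("sysid and returnUrl must each appear exactly once")
    sysid, return_url = sysids[0], returns[0]
    if sysid not in CALLBACK_ALLOWLIST:
        raise ValueError(f"unregistered SysID {sysid!r}")
    parts = urlsplit(return_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("returnUrl must be an absolute http(s) URL")
    # urlsplit().hostname strips userinfo and port, so "host@other" resolves to "other"
    if parts.hostname not in CALLBACK_ALLOWLIST[sysid]:
        raise ValueError(f"callback host {parts.hostname!r} is not registered for {sysid!r}")
    return sysid, return_url


def is_valid_proxy_request(url: str) -> bool:
    """Boolean wrapper around parse_proxy_request for callers that only need a verdict."""
    try:
        parse_proxy_request(url)
    except ValueError:
        return False
    return True
```

The part worth keeping from this example is the per-SysID callback allow-list: the proxy is about to redirect an authenticated session id to returnUrl, so it should honour only addresses registered for that application system, and it should reject a request that carries the parameter twice rather than silently taking the first or last value.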
The IWA reverse proxy acquires domain account information of the domain terminal according to the first identity authentication parameter, determines a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirects to the application system, and returns the second identity authentication parameter to the browser. The second identity authentication parameter may be IWA_SessionID: a session ID issued by the IWA authentication service after the domain account information has been verified, which the application system subsequently uses to acquire the domain account, the application system account and associated information.
The browser attaches first identity authentication information and second identity authentication information, accesses the MIM application service through the application system, acquires domain account information and logs in the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information;
the application system determines, according to the application system account information, the interface through which it acquires authentication identity information, and accesses the MIM application service through that interface, according to the first identity authentication parameter and the domain account information, to acquire the authentication identity information corresponding to the target login application system; the authentication identity information may be Claim information;
the application system redirects the authentication identity information of the target login application system to the browser to log in the target application system.
In the embodiment of the invention, unified authentication is realized through the IWA reverse proxy, and the specific login process is as follows. First, the browser accesses the application interface; the application system checks the user's authentication state and, if identity verification is required, returns redirection information to the browser. The browser then requests the IWA reverse proxy service, carrying the SysID and the callback-address parameter; the IWA reverse proxy performs IWA authentication, obtains the domain account information of the terminal, generates an IWA_SessionID from the domain account and the SysID, and redirects back to the application interface. The browser attaches the IWA_SessionID and requests the application interface again; the application system requests the MIM application service interface with the IWA_SessionID and the SysID and obtains the domain account information corresponding to the domain user. If the user system of the accessed system is not the eHR system, the application system calls the MIM application interface with the SysID and the domain account information as parameters to exchange them for an application system account. An interface for the application system to obtain Claim information is also provided: the application system requests the MIM application server interface with the SysID and the domain account information and obtains the user's Claim information in the specified application system, such as user agency information. Each accessing product chooses which of these local interfaces to call according to its actual requirements, and performs its own subsequent processing on the received user information. With this embodiment, a user accessing different applications enters an ID and password only once for identity authentication.
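The login process just described, as an added Python simulation of the three parties (not code from the patent or its applicant). It assumes that the IWA negotiation has already produced the domain account, that the proxy and the MIM service share the session store, and that an IWA_SessionID is short-lived, redeemable once, and bound to the SysID it was issued for; the patent states none of these three properties, but a practitioner deploying such a proxy would want all of them. Account names, claim values and the 60-second lifetime are constructed for the example.

```python
import secrets
import time

# Constructed MIM data: (SysID, domain account) -> self-built application account, and
# (SysID, domain account) -> Claim information. Values are invented; the patent only
# describes the structure of these mappings.
MIM_APP_ACCOUNTS = {
    ("ABCD", "CORP\\zhang.san"): "zs0001",
}
MIM_CLAIMS = {
    ("ABCD", "CORP\\zhang.san"): {"agency": "Head Office Operations", "role": "teller"},
}
SESSION_TTL_SECONDS = 60  # assumed lifetime; the id travels through the browser, so keep it short


class IwaReverseProxy:
    """Stands in for the IIS reverse proxy (step 102). The IWA negotiation itself is
    not simulated: authenticate() receives the domain account the proxy would have
    established and issues an IWA_SessionID for it."""

    def __init__(self):
        self._sessions = {}  # IWA_SessionID -> (sysid, domain_account, expires_at)

    def authenticate(self, sysid, domain_account, now=None):
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # unguessable; never derived from the account
        self._sessions[session_id] = (sysid, domain_account, now + SESSION_TTL_SECONDS)
        return session_id

    def redeem(self, session_id, sysid, now=None):
        """Return the domain account bound to a session id, or None if the id is
        unknown, already redeemed, expired, or was issued for a different SysID."""
        now = time.time() if now is None else now
        entry = self._sessions.pop(session_id, None)  # single redemption (assumption)
        if entry is None:
            return None
        bound_sysid, domain_account, expires_at = entry
        if bound_sysid != sysid or now > expires_at:
            return None
        return domain_account


class MimService:
    """Stands in for the MIM application service. Here it resolves session ids through
    the proxy's store; how the real MIM and proxy share that state is not described."""

    def __init__(self, proxy):
        self._proxy = proxy

    def domain_account(self, session_id, sysid, now=None):
        return self._proxy.redeem(session_id, sysid, now)

    def app_account(self, sysid, domain_account):
        return MIM_APP_ACCOUNTS.get((sysid, domain_account))

    def claims(self, sysid, domain_account):
        return MIM_CLAIMS.get((sysid, domain_account), {})


class ApplicationSystem:
    """The accessing product. self_built=True models the non-eHR case, where the
    domain account must be exchanged for the system's own account."""

    def __init__(self, sysid, mim, self_built=True):
        self.sysid = sysid
        self._mim = mim
        self._self_built = self_built

    def handle_callback(self, session_id, now=None):
        """Steps 103-105: the browser returns with IWA_SessionID; resolve it to a
        logged-in user record, or None if any step fails (deny by default)."""
        domain_account = self._mim.domain_account(session_id, self.sysid, now)
        if domain_account is None:
            return None
        app_account = domain_account
        if self._self_built:
            app_account = self._mim.app_account(self.sysid, domain_account)
            if app_account is None:  # domain user has no account in this system
                return None
        return {
            "domain_account": domain_account,
            "app_account": app_account,
            "claims": self._mim.claims(self.sysid, domain_account),
        }


if __name__ == "__main__":
    proxy = IwaReverseProxy()
    app = ApplicationSystem("ABCD", MimService(proxy))
    sid = proxy.authenticate("ABCD", "CORP\\zhang.san")
    print(app.handle_callback(sid))
```

Binding the session id to the SysID matters because the id is minted for one application system's callback: a session issued for ABCD that is redeemable by EFGH would let any integrated system log a user into any other. Single redemption and a short lifetime limit what a session id that leaks from browser history or proxy logs is worth, and returning None when the domain user has no mapped account keeps a self-built system from falling back to the raw domain account.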
Fig. 3 is a schematic diagram of an embodiment of a unified identity authentication method according to an embodiment of the present invention, and as shown in fig. 3, when a unified identity authentication method according to an embodiment of the present invention is implemented specifically, in an embodiment, a domain terminal accesses an application interface of an application system through a browser, and the application system determines that the domain terminal needs to perform identity authentication, attaches a first identity authentication parameter, and redirects to an IWA reverse proxy, including:
step 301: the domain terminal requests to access an application interface of an application system through a browser;
step 302: the application system judges whether the domain terminal logs in or not according to the access request of the browser, if the domain terminal is judged not to log in, the domain terminal is required to perform identity authentication, redirected data is determined, and the redirected data is returned to the browser;
step 303: the browser carries the first identity authentication parameter according to the returned redirection data, and redirects to the IWA reverse proxy through an application interface URL used by IWA redirection.
In this embodiment, the domain terminal accesses the application interface from the browser; if the application system judges that identity verification is required, it attaches the SysID parameter and redirects to the IWA reverse proxy. The IWA reverse proxy performs IWA authentication, from which the domain account information of the terminal is obtained, generates an IWA_SessionID from the domain account and the SysID, and then redirects back to the application interface.
In a specific implementation of the unified identity authentication method provided in an embodiment of the present invention, the IWA reverse proxy acquiring domain account information of the domain terminal according to the first identity authentication parameter includes:
the IWA reverse proxy acquiring the domain account information of the domain terminal, according to the first identity authentication parameter, through the IWA authentication that it performs.
Fig. 4 is a schematic diagram of an embodiment of a unified identity authentication method according to an embodiment of the present invention, and as shown in fig. 4, when the unified identity authentication method according to the embodiment of the present invention is implemented specifically, in an embodiment, a browser attaches first identity authentication information and second identity authentication information, accesses an MIM application service through an application system, acquires domain account information, and logs in the application system, where the method includes:
step 401: the browser attaches first identity authentication information and second identity authentication information to access an application interface of an application system;
step 402: the application system requests an MIM application service interface according to the first identity authentication information and the second identity authentication information, accesses the MIM application service through the MIM application service interface, and acquires domain account information corresponding to a domain user;
step 403: the application system logs in the domain user in the application system according to the domain account information corresponding to the domain user.
In this embodiment, the browser attaches the IWA_SessionID and requests the application interface again; the application system requests the MIM application service interface with the IWA_SessionID and the SysID and acquires the domain account information corresponding to the domain user.
In a specific implementation of the unified identity authentication method provided in the embodiment of the present invention, in an embodiment, the accessing, by the application system, of the MIM application service according to the domain account information and the first identity authentication parameter to obtain the application system account information includes:
the application system requests the MIM application service interface with the domain account information and the first identity authentication parameter as conditions, accesses the MIM application service through the MIM application service interface, and acquires the application system account information corresponding to the logged-in domain user.
In this embodiment, the application system accesses the MIM application interface to exchange the domain account for the application system account, using the SysID and the domain account information as query conditions to obtain the application system account information corresponding to the logged-in domain user.
In this embodiment, the application system determines, according to the application system account information, the interface through which it obtains authentication identity information, and accesses the MIM application service through that interface according to the first identity authentication parameter and the domain account information to acquire the authentication identity information corresponding to the target login application system; the application system then redirects the authentication identity information of the target login application system to the browser to log in to the target application system.
Specifically, the application system is provided with an interface for obtaining Claim information: the application system requests the MIM application server interface with the SysID and the domain account information to obtain the user's Claim information in the specified application system. The application system then performs its own subsequent processing according to the returned Claim data and logs in to the target application system.
The following briefly describes the unified identity authentication method provided by the embodiment of the present invention with reference to a specific scenario,
in which the application system realizes single sign-on with IWA authentication through an IWA reverse proxy:
1. The domain terminal accesses the application interface from the browser. The application system judges that identity verification is needed, attaches a SysID parameter and redirects the domain terminal to the IWA reverse proxy. The IWA reverse proxy performs IWA authentication, obtains the domain account information of the terminal, generates an IWA_SessionID from the domain account and the SysID, and then redirects back to the application interface.
2. The browser attaches the IWA_SessionID and requests the application interface again; the application system requests the MIM application service interface with the IWA_SessionID and the SysID and acquires the domain account information corresponding to the domain user.
3. The application system then exchanges the domain account for the application system account by accessing the MIM application interface, obtaining the application system account information corresponding to the logged-in domain user with the SysID and the domain account information as conditions.
4. The application system is provided with an interface for obtaining Claim information: it requests the MIM application server interface with the SysID and the domain account information to obtain the user's Claim information in the specified application system.
5. The application system performs its subsequent processing according to the received Claim return data.
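The following is an added example, not code from the patent or its applicant: an in-process Python simulation of the five-step scenario above (it also covers steps 401-403 and the account-exchange and Claim steps described earlier). The class names MimService, IwaReverseProxy and AppSystem, the in-memory tables, the sample accounts and Claim data, and the token lifetime are all assumptions. The page does not say how the IWA_SessionID is generated or validated; the example assumes an unguessable random token that the proxy registers with the MIM service, bound to the SysID it was issued for, short-lived and consumed on first use, so that a token captured from one redirect cannot be replayed or presented to a different application system.

```python
"""Added example, not the patent's own code: an in-process simulation of the
IWA reverse-proxy single sign-on flow.  Class names, in-memory stores, sample
accounts and the token lifetime are assumptions made for the demonstration."""
import secrets
import time

SESSION_TTL_SECONDS = 60  # assumed lifetime of an IWA_SessionID


class MimService:
    """Stand-in for the MIM application service (assumed in-memory tables)."""

    def __init__(self):
        self._sessions = {}  # IWA_SessionID -> (domain account, SysID, expiry)
        # constructed sample data: (SysID, domain account) -> application account
        self._app_accounts = {("HR01", "CORP\\alice"): "alice.hr"}
        # constructed sample data: (SysID, domain account) -> Claim information
        self._claims = {("HR01", "CORP\\alice"): {"sub": "alice.hr", "roles": ["hr-viewer"]}}

    def register_session(self, domain_account, sys_id, now=None):
        """Step 1: the IWA reverse proxy records the session it generated."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # unguessable token (assumed format)
        self._sessions[session_id] = (domain_account, sys_id, now + SESSION_TTL_SECONDS)
        return session_id

    def domain_account_for(self, session_id, sys_id, now=None):
        """Step 2: exchange IWA_SessionID + SysID for the domain account.
        Assumed hardening: the token is consumed on first use, must match the
        SysID it was issued for, and must not have expired."""
        now = time.time() if now is None else now
        entry = self._sessions.pop(session_id, None)
        if entry is None:
            return None
        domain_account, bound_sys_id, expires_at = entry
        if bound_sys_id != sys_id or now > expires_at:
            return None
        return domain_account

    def app_account_for(self, sys_id, domain_account):
        """Step 3: map the domain account to the application-system account."""
        return self._app_accounts.get((sys_id, domain_account))

    def claims_for(self, sys_id, domain_account):
        """Step 4: Claim information of the user in the specified system."""
        return self._claims.get((sys_id, domain_account))


class IwaReverseProxy:
    """Stand-in for the IWA reverse proxy; the Kerberos/NTLM exchange is simulated."""

    def __init__(self, mim):
        self.mim = mim

    def handle(self, sys_id, iwa_domain_account):
        # iwa_domain_account stands for the identity IWA established for the terminal
        session_id = self.mim.register_session(iwa_domain_account, sys_id)
        return {"redirect": "/app", "SysID": sys_id, "IWA_SessionID": session_id}


class AppSystem:
    """Stand-in for one application system identified by its SysID."""

    def __init__(self, sys_id, mim):
        self.sys_id = sys_id
        self.mim = mim

    def handle(self, params):
        """Return a redirect to the IWA reverse proxy, an error, or the login result."""
        session_id = params.get("IWA_SessionID")
        if session_id is None:  # not logged in: step 1 redirect carrying SysID
            return {"redirect": "/iwa-proxy", "SysID": self.sys_id}
        domain_account = self.mim.domain_account_for(session_id, self.sys_id)
        if domain_account is None:
            return {"error": "invalid or expired IWA_SessionID"}
        app_account = self.mim.app_account_for(self.sys_id, domain_account)
        if app_account is None:
            return {"error": "no application account for domain user"}
        claims = self.mim.claims_for(self.sys_id, domain_account)
        return {"logged_in_as": app_account, "claims": claims}  # step 5 input


def run_sso(mim, proxy, app, iwa_domain_account):
    """Drive the browser side of the flow; return the final response and the params used."""
    first = app.handle({})  # browser requests the application interface
    assert first["redirect"] == "/iwa-proxy"
    back = proxy.handle(first["SysID"], iwa_domain_account)
    params = {"SysID": back["SysID"], "IWA_SessionID": back["IWA_SessionID"]}
    return app.handle(params), params  # browser re-requests with the IWA_SessionID


if __name__ == "__main__":
    mim = MimService()
    result, _ = run_sso(mim, IwaReverseProxy(mim), AppSystem("HR01", mim), "CORP\\alice")
    print(result)
```

The checks in domain_account_for are the part a defender cares about: because the application system trusts whatever domain account the MIM service returns for an IWA_SessionID, that token must not be reusable, transferable between SysIDs, or valid indefinitely; otherwise a token leaked from a redirect URL or a log becomes a reusable credential for the domain user.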
Fig. 5 is a schematic diagram of a computer device for executing the unified identity authentication method according to an embodiment of the present invention. As shown in Fig. 5, an embodiment of the present invention further provides a computer device 500, which includes a memory 510, a processor 520, and a computer program 530 stored in the memory and executable on the processor; when the processor executes the computer program, the unified identity authentication method is implemented.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the unified identity authentication method is implemented.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by a processor, the unified identity authentication method is implemented.
The embodiment of the invention also provides a unified identity authentication device, which is described in the following embodiment. Because the principle by which the device solves the problem is similar to that of the unified identity authentication method, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
Fig. 6 is a schematic diagram of a unified identity authentication device according to an embodiment of the present invention, and as shown in fig. 6, the embodiment of the present invention further provides a unified identity authentication device.
When the unified identity authentication device provided by the embodiment of the present invention is implemented specifically, in an embodiment, the unified identity authentication device includes:
an identity authentication judgment module 601, configured for the domain terminal to access an application interface of an application system through a browser, where the application system judges that the domain terminal needs to perform identity authentication, attaches a first identity authentication parameter, and redirects the domain terminal to an IWA reverse proxy;
a domain account information obtaining module 602, configured for the IWA reverse proxy to obtain domain account information of the domain terminal according to the first identity authentication parameter, determine a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirect to the application system, and return the second identity authentication parameter to the browser;
an application system login module 603, configured for the browser to attach the first identity authentication information and the second identity authentication information, access the MIM application service through the application system, obtain the domain account information, and log in to the application system; and for the application system to access the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information;
an authentication identity information acquisition module 604, configured for the application system to determine, according to the application system account information, the interface through which it obtains authentication identity information, and to access the MIM application service through that interface according to the first identity authentication parameter and the domain account information to acquire the authentication identity information corresponding to the target login application system;
and a target application system login module 605, configured for the application system to redirect the authentication identity information of the target login application system to the browser to log in to the target application system.
In an embodiment of the present invention, when the unified identity authentication apparatus is implemented specifically, the identity authentication determination module is specifically configured to:
the domain terminal requests to access an application interface of the application system through the browser;
the application system judges, according to the access request of the browser, whether the domain terminal has logged in; if it judges that the domain terminal has not logged in, the domain terminal is required to perform identity authentication, redirection data is determined, and the redirection data is returned to the browser;
the browser carries the first identity authentication parameter according to the returned redirection data and redirects to the IWA reverse proxy through the application interface URL used for IWA redirection.
In a specific implementation of the unified identity authentication apparatus provided in the embodiment of the present invention, in an embodiment, the domain account information obtaining module is specifically configured so that:
the IWA reverse proxy performs IWA authentication and thereby acquires the domain account information of the domain terminal according to the first identity authentication parameter.
In a specific embodiment of the unified identity authentication apparatus provided in the embodiment of the present invention, the application system login module is specifically configured to:
the browser attaches first identity authentication information and second identity authentication information to access an application interface of an application system;
the application system requests an MIM application service interface according to the first identity authentication information and the second identity authentication information, accesses the MIM application service through the MIM application service interface, and acquires domain account information corresponding to a domain user;
the application system logs in the domain user in the application system according to the domain account information corresponding to the domain user.
In a specific embodiment of the unified identity authentication apparatus provided in the embodiment of the present invention, the application system login module is further configured so that:
the application system requests the MIM application service interface with the domain account information and the first identity authentication parameter as conditions, accesses the MIM application service through the MIM application service interface, and acquires the application system account information corresponding to the logged-in domain user.
To sum up, the method and apparatus for unified identity authentication provided by the embodiments of the present invention include: the domain terminal accesses an application interface of an application system through a browser; the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects to an IWA reverse proxy; the IWA reverse proxy acquires domain account information of the domain terminal according to the first identity authentication parameter, determines a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirects to the application system, and returns the second identity authentication parameter to the browser; the browser attaches the first identity authentication information and the second identity authentication information, accesses the MIM application service through the application system, acquires the domain account information and logs in to the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information; the application system determines, according to the application system account information, the interface through which it obtains authentication identity information, and accesses the MIM application service through that interface according to the first identity authentication parameter and the domain account information to acquire the authentication identity information corresponding to the target login application system; and the application system redirects the authentication identity information of the target login application system to the browser to log in to the target application system.
The embodiment of the invention realizes single sign-on with IWA authentication through the IWA reverse proxy. When accessing different applications, a user enters domain account information only once for identity authentication, and all system applications are integrated to realize single sign-on. The embodiment mainly addresses the following problem in a Windows domain environment: once a terminal user has logged in to Windows with a domain account, domain account authentication is already complete when the user goes on to use other system applications, so those applications no longer require a user name and password, and unified identity authentication is achieved. After a user of the domain terminal has logged in to Windows with domain account information consisting of the domain user and password, the user can log in to the accessed system without entering that system's password again, so that automatic verification and login are realized.
According to the technical scheme, the acquisition, storage, use and processing of data comply with the relevant provisions of national laws and regulations, and all kinds of data relating to individuals, customers, groups and the like, such as personal identity data, operation data and behaviour data, are used with authorization.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail, and it should be understood that the above-mentioned embodiments are only examples of the present invention and should not be used to limit the scope of the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (13)

1. A unified identity authentication method is characterized by comprising the following steps:
the domain terminal accesses an application interface of an application system through a browser, the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects to an IWA reverse proxy;
the IWA reverse proxy acquires domain account information of the domain terminal according to the first identity authentication parameter, determines a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirects to an application system, and returns the second identity authentication parameter to the browser;
the browser attaches first identity authentication information and second identity authentication information, accesses the MIM application service through the application system, acquires domain account information and logs in the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information;
the application system determines, according to the application system account information, the interface through which it obtains authentication identity information, and accesses the MIM application service through that interface according to the first identity authentication parameter and the domain account information to acquire the authentication identity information corresponding to the target login application system;
the application system redirects the authentication identity information of the target login application system to the browser to log in the target application system.
2. The method of claim 1, wherein the domain terminal accesses an application interface of the application system through a browser, and the application system determines that the domain terminal needs to perform authentication, attaches a first authentication parameter, and redirects to the IWA reverse proxy, including:
the domain terminal requests to access an application interface of the application system through the browser;
the application system judges, according to the access request of the browser, whether the domain terminal has logged in; if it judges that the domain terminal has not logged in, the domain terminal is required to perform identity authentication, redirection data is determined, and the redirection data is returned to the browser;
the browser carries the first identity authentication parameter according to the returned redirection data and redirects to the IWA reverse proxy through the application interface URL used for IWA redirection.
3. The method of claim 1, wherein the IWA reverse proxy acquiring the domain account information of the domain terminal according to the first identity authentication parameter comprises:
the IWA reverse proxy performs IWA authentication and thereby acquires the domain account information of the domain terminal according to the first identity authentication parameter.
4. The method of claim 1, wherein the browser attaches first identity authentication information and second identity authentication information, accesses the MIM application service through the application system, obtains domain account information, and logs in to the application system, and the method comprises:
the browser attaches first identity authentication information and second identity authentication information to access an application interface of an application system;
the application system requests an MIM application service interface according to the first identity authentication information and the second identity authentication information, accesses the MIM application service through the MIM application service interface, and acquires domain account information corresponding to a domain user;
the application system logs in the domain user in the application system according to the domain account information corresponding to the domain user.
5. The method of claim 4, wherein the accessing, by the application system, the MIM application service according to the domain account information and the first identity authentication parameter, and obtaining the application system account information comprises:
the application system requests the MIM application service interface with the domain account information and the first identity authentication parameter as conditions, accesses the MIM application service through the MIM application service interface, and acquires the application system account information corresponding to the logged-in domain user.
6. A unified identity authentication device, comprising:
the identity authentication judgment module is used for the domain terminal to access an application interface of the application system through the browser, and the application system judges that the domain terminal needs identity authentication, attaches a first identity authentication parameter and redirects the domain terminal to the IWA reverse proxy;
the domain account information acquisition module is used for the IWA reverse proxy to acquire domain account information of the domain terminal according to the first identity authentication parameter, determine a second identity authentication parameter according to the first identity authentication parameter and the domain account information, redirect the second identity authentication parameter to the application system and return the second identity authentication parameter to the browser;
the application system login module is used for attaching the first identity authentication information and the second identity authentication information to the browser, accessing the MIM application service through the application system, acquiring domain account information and logging in the application system; the application system accesses the MIM application service according to the domain account information and the first identity authentication parameter to acquire application system account information;
the authentication identity information acquisition module is used for the application system to determine, according to the application system account information, the interface through which it obtains authentication identity information, and to access the MIM application service through that interface according to the first identity authentication parameter and the domain account information to acquire the authentication identity information corresponding to the target login application system;
and the target application system login module is used for redirecting the authentication identity information of the target login application system to the browser by the application system and logging in the target application system.
7. The apparatus of claim 6, wherein the identity authentication determination module is specifically configured to:
the domain terminal requests to access an application interface of the application system through the browser;
the application system judges, according to the access request of the browser, whether the domain terminal has logged in; if it judges that the domain terminal has not logged in, the domain terminal is required to perform identity authentication, redirection data is determined, and the redirection data is returned to the browser;
the browser carries the first identity authentication parameter according to the returned redirection data and redirects to the IWA reverse proxy through the application interface URL used for IWA redirection.
8. The apparatus of claim 6, wherein the domain account information obtaining module is specifically configured to:
the IWA reverse proxy performs IWA authentication and thereby acquires the domain account information of the domain terminal according to the first identity authentication parameter.
9. The apparatus of claim 6, wherein the application system login module is specifically configured so that:
the browser attaches first identity authentication information and second identity authentication information to access an application interface of an application system;
the application system requests an MIM application service interface according to the first identity authentication information and the second identity authentication information, accesses the MIM application service through the MIM application service interface, and acquires domain account information corresponding to a domain user;
the application system logs in the domain user in the application system according to the domain account information corresponding to the domain user.
10. The apparatus of claim 9, wherein the application system login module is further configured so that:
the application system requests the MIM application service interface with the domain account information and the first identity authentication parameter as conditions, accesses the MIM application service through the MIM application service interface, and acquires the application system account information corresponding to the logged-in domain user.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 5.
13. A computer program product, characterized in that the computer program product comprises a computer program which, when being executed by a processor, carries out the method of any one of claims 1 to 5.
CN202211111606.3A 2022-09-13 2022-09-13 Unified identity authentication method and device Pending CN115484092A (en)


Publications (1)

Publication Number Publication Date
CN115484092A true CN115484092A (en) 2022-12-16

Family

ID=84393135



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination