CN100534094C - System and method for network accession utilizing single clicking single pointing - Google Patents


Info

Publication number
CN100534094C
Authority
CN
China
Prior art keywords
user
network application
customer service
administrative center
cpa
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2005101108391A
Other languages
Chinese (zh)
Other versions
CN1933483A (en)
Inventor
王伟珣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wang Weixun
Original Assignee
Individual

Abstract

A user management and authentication system for network applications comprises a user terminal, a user ID/IP subsystem, a network application server CPa, the customer service management center to which CPa belongs, a national customer service management center, and the customer service management center to which the user belongs. Its distinguishing feature is that the user ID/IP subsystem opens an interface through which a trusted network application system or network application authentication system can verify user information.

Description

System and method for one-click single sign-on in network applications
Technical field
The invention belongs to the technical field of user management for network application systems. It relates specifically to a user authentication management system for network applications that uses a one-click single sign-on method to realize authentication, authorization and accounting (AAA).
Background technology
Various technologies for Internet access exist on today's Internet, such as telephone dial-up (using the PPP protocol) and broadband emulated dial-up (using the PPPoE protocol over Ethernet access). When a network operator provides Internet service, it must perform user login and carry out authentication, authorization and accounting (AAA). Most of the above access technologies use the RADIUS protocol for user login in order to realize AAA.
When a user uses different network application systems on the Internet, the user must authenticate separately to each one by entering a different user name and user password for each network application system, and must keep many sets of user names and passwords in mind at once. Even where the user name and password of several network application systems are identical, the user must still enter the user name and password repeatedly and be authenticated separately by each network application system. The single sign-on (Single Sign On, SSO) platform was proposed to solve this problem. An SSO platform simplifies the usage flow: the user logs in only once, entering a single unified user name and password, and can then use multiple application systems repeatedly. The simplest and most direct way to implement SSO is based on cookies: a session token (Session Token) is generated from the user name and session-related information and returned to the Web browser as a cookie. When the user later visits a different network application system, that application server reads the user name and other information from this cookie. The user name format that the network application single sign-on method expects is specified by each network application operator, and differs from one operator to another.
The drawback of existing single sign-on methods for network applications is that the application single sign-on method and the network login method are separate from each other, which makes the user authentication management (authentication, authorization, accounting) of the network operator and of the network application operator complicated and disorderly. The user still has to remember different user names, user passwords and login forms, and must log in at least twice, once to access the network and once to use the network application. The operation is complex, and on mobile devices and in mobile environments entering this information is inconvenient, particularly so.
Summary of the invention
The object of the present invention is to provide an efficient and simple user authentication management system and method in which, after the user has logged in to the network, a single click (1click) to start the network application software automatically performs the network application login and achieves single sign-on (Single Sign On).
To achieve this object, the solution adopted by the present invention is a system and method for one-click single sign-on in network applications. The system architecture comprises a user terminal, a user ID/IP subsystem, a network application server CPa, the customer service management center to which CPa belongs, a national customer service management center, and the customer service management center to which the user belongs. The user ID/IP subsystem is the subsystem or equipment in the network login system that records user identification information and the IP addresses allocated to users; it opens an interface that allows a trusted network application system or network application authentication system to verify user information. The network application server provides the various network application services to users. The customer service management center of CPa, the national customer service management center and the customer service management center of the user identify each user and each network application server of a given region according to a data organization structure defined by the LDAP protocol.
The one-click single sign-on method for network applications comprises the following steps:
a. The user clicks the network application software on the terminal device, which sends a network application login request to the network application server CPa of a network application service provider; the login request packet carries the IP address of the terminal device, i.e. the source address of the login request;
b. The network application server CPa appends the service identifier of this application service to the terminal device source address taken from the received login request packet, forming a customer service authentication request;
c. When the customer service management center to which CPa belongs receives this authentication request from the network application server CPa that it is configured to serve, it queries the user ID/IP subsystem for the user ID using the source address in the request;
d. The user ID/IP subsystem returns the user ID corresponding to this source address to the customer service management center of CPa;
e. The customer service management center of CPa judges from the region information in the user ID whether this user belongs to its own region; if so, it proceeds to step i; if not, it sends a request to confirm the user ID to the national customer service management center;
f. The national customer service management center forwards the user ID confirmation request to the customer service management center of the user's home region for confirmation;
g. The customer service management center of the user's home region returns the result of the user ID confirmation request to the national customer service management center;
h. The national customer service management center returns the result of the user ID confirmation request to the customer service management center of CPa;
i. If the user conforms with the service management rules, authorization and accounting begin, and a session token (Session Token) for customer service management, composed of the user ID and the service identifier, is generated and returned to the network application server CPa;
j. The network application server CPa returns this session token (Session Token) to the user terminal device, where it is used in the operation of the user's network application software;
k. When the user later clicks network application software on the terminal device to visit another network application, AAA (authentication, authorization, accounting) is carried out according to the user ID in the session token (Session Token) obtained for the previous application, thereby achieving single sign-on (Single Sign On).
Beneficial effects of the present invention: it is an efficient and simple user authentication management system and method for network applications that greatly reduces the complexity of user management and makes it convenient for operators to centralize authentication, authorization and accounting. At the same time, once the user has logged in to the network, a single click (1click) to start the network application software automatically performs the network application login and achieves single sign-on (Single Sign On), which is convenient for the user.
Description of drawings
Fig. 1 is a diagram of the data organization structure of the present invention;
Fig. 2 is a flow diagram of the method of the present invention;
Fig. 3 is a typical implementation diagram of the system and method of the present invention;
Fig. 4 is an implementation diagram of the present invention in a cellular mobile communication network;
Fig. 5 is an implementation diagram of the present invention in fixed Internet access;
Fig. 6 is an implementation diagram of the present invention in IPv6 and Mobile IPv6 networks.
In the figures: 1. user terminal; 2. user ID/IP subsystem; 3. network application server CPa; 4. customer service management center of CPa; 5. national customer service management center; 6. customer service management center of the user.
Embodiments
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 is a diagram of the data organization structure of the present invention. In Fig. 1, each user and each network application server is uniquely identified according to the LDAP protocol standard. For example, the identifier of a network application server is OU=CPa, OU=Game, DC=Sh, DC=ChinaMobile, DC=Com, DC=Cn, where the DC=Sh component encodes the region; the identifier of a user is CN=user a, OU=z, DC=Gd, DC=ChinaMobile, DC=Com, DC=Cn, where the DC=Gd component encodes the region. To unify the format of user login names, the present invention adopts the LDAP protocol data organization structure, so that users can uniformly log in to the network with a name of the form username@sh.chinamobile.com.cn.
As seen in Fig. 2 and Fig. 3, the system architecture comprises user terminal 1, user ID/IP subsystem 2, network application server CPa 3, customer service management center 4 of CPa, national customer service management center 5, and customer service management center 6 of the user. User ID/IP subsystem 2 is the subsystem or equipment in the network login system that records user identification information and the IP addresses allocated to users; it opens an interface that allows a trusted network application system or network application authentication system to verify user information. Network application server CPa 3 provides network application services to users. Customer service management center 4 of CPa, national customer service management center 5 and customer service management center 6 of the user are the equipment that manages each user and each network application server of a given region according to the LDAP protocol data organization structure.
The login method of the above one-click single sign-on system for network applications comprises the following steps:
a. The user clicks the network application software on the user terminal 1 device, which sends a network application login request to the network application server CPa 3 of a network application service provider; the login request packet carries the IP address of the terminal device, i.e. the source address of the login request;
b. Network application server CPa 3 appends the service identifier of this application service to the terminal 1 device source address taken from the received login request packet, forming a customer service authentication request;
c. When customer service management center 4 of CPa receives this authentication request from the network application server CPa 3 that it is configured to serve, it queries user ID/IP subsystem 2 for the user ID using the source address in the request;
d. User ID/IP subsystem 2 returns the user ID corresponding to this source address to customer service management center 4 of CPa;
e. Customer service management center 4 of CPa judges from the region information in the user ID whether this user belongs to its own region; if so, it proceeds to step i; if not, it sends a request to confirm the user ID to national customer service management center 5;
f. National customer service management center 5 forwards the user ID confirmation request to customer service management center 6 of the user's home region for confirmation;
g. Customer service management center 6 of the user's home region returns the result of the user ID confirmation request to national customer service management center 5;
h. National customer service management center 5 returns the result of the user ID confirmation request to customer service management center 4 of CPa;
i. If the user conforms with the service management rules, authorization and accounting begin, and a session token (Session Token) for customer service management, composed of the user ID and the service identifier, is generated and returned to network application server CPa 3;
j. Network application server CPa 3 returns this session token (Session Token) to the user terminal 1 device, where it is used in the operation of the user's network application software;
k. When the user later clicks network application software on the terminal (1) device to visit another network application, AAA (authentication, authorization, accounting) is carried out according to the user ID in the session token (Session Token) obtained for the previous application, thereby achieving single sign-on (Single Sign On).
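The login flow of steps a to k, the LDAP-style identifiers of Fig. 1 and the replaceable user ID/IP subsystem of the embodiments, simulated in Python as an added example that is not part of the patent. The class names, the IP addresses and DNs in the constructed lookup table, the `rules` map standing in for the service management rules, and the HMAC tag on the session token (the patent composes the token from the user ID and the service identifier only) are assumptions of this example.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional


def region_of(dn: str) -> str:
    """Home region is the first DC= component of the LDAP-style DN (Fig. 1)."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "DC":
            return value.strip()
    raise ValueError(f"no DC component in {dn!r}")


class SessionTokens:
    """Session token = user ID + service ID (step i). The HMAC tag is an
    assumption added here so that a forged or altered token fails step k."""
    def __init__(self, key: bytes) -> None:
        self.key = key

    def issue(self, user_dn: str, service_id: str) -> str:
        body = f"{user_dn}|{service_id}"
        return body + "|" + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def user_of(self, token: str) -> Optional[str]:
        body, _, tag = token.rpartition("|")
        want = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body.split("|")[0] if hmac.compare_digest(tag, want) else None


class NationalCentre:
    """Element 5: forwards a confirmation request to the user's home region (f-h)."""
    def __init__(self) -> None:
        self.regions: Dict[str, "RegionCentre"] = {}

    def confirm(self, user_dn: str) -> bool:
        home = self.regions.get(region_of(user_dn))
        return home is not None and home.confirm(user_dn)


class RegionCentre:
    """Customer service management centre of one region (elements 4 and 6)."""
    def __init__(self, region: str, id_ip: Callable[[str], Optional[str]], tokens: SessionTokens,
                 national: NationalCentre, rules: Dict[str, bool]) -> None:
        self.region, self.id_ip, self.tokens = region, id_ip, tokens  # id_ip: source IP -> DN
        self.national, self.rules = national, rules  # rules: DN -> allowed by management rules
        national.regions[region] = self

    def confirm(self, user_dn: str) -> bool:
        """Step g: only the home region answers for its own users."""
        return region_of(user_dn) == self.region and self.rules.get(user_dn, False)

    def check(self, user_dn: str) -> bool:
        """Step e: a local user is confirmed here, any other via the national centre."""
        local = region_of(user_dn) == self.region
        return self.confirm(user_dn) if local else self.national.confirm(user_dn)

    def authenticate(self, source_ip: str, service_id: str) -> Optional[str]:
        """Steps c-i: source address -> user ID -> confirmation -> session token."""
        user_dn = self.id_ip(source_ip)
        if user_dn is None or not self.check(user_dn):
            return None
        return self.tokens.issue(user_dn, service_id)  # authorisation and accounting start here


class CPa:
    """Network application server (element 3) for one service."""
    def __init__(self, service_id: str, centre: RegionCentre) -> None:
        self.service_id, self.centre = service_id, centre

    def login(self, source_ip: str) -> Optional[str]:
        """Steps a, b and j: the login request carries only the packet source address."""
        return self.centre.authenticate(source_ip, self.service_id)

    def access_with_token(self, token: str) -> Optional[str]:
        """Step k: a second service reuses the user ID carried in the session token."""
        user_dn = self.centre.tokens.user_of(token)
        return user_dn if user_dn is not None and self.centre.check(user_dn) else None


def build_demo():
    """Constructed deployment: two CPa servers in region Sh, one roaming user from Gd."""
    usera = "CN=usera,OU=z,DC=Sh,DC=ChinaMobile,DC=Com,DC=Cn"
    userb = "CN=userb,OU=z,DC=Gd,DC=ChinaMobile,DC=Com,DC=Cn"
    table = {"10.0.0.5": usera, "10.0.0.9": userb}  # constructed user ID/IP subsystem records
    tokens = SessionTokens(b"constructed demo key")
    national = NationalCentre()
    sh = RegionCentre("Sh", table.get, tokens, national, {usera: True})
    RegionCentre("Gd", lambda ip: None, tokens, national, {userb: True})
    return CPa("Game", sh), CPa("Video", sh), tokens
```

Because the whole scheme binds a user to a packet source address, the answer of the ID/IP subsystem is only as trustworthy as the access network that assigned the address, so its opened interface should be reachable only by the trusted centres the text names.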
Fig. 4 is embodiment 1, an implementation diagram of the present invention in a cellular mobile communication network.
In a cellular mobile communication network such as GSM/GPRS or 3G, the present invention is implemented in the GGSN (Gateway GPRS Support Node), which opens an interface allowing a trusted network application system or network application authentication system to look up the telephone number of the user terminal. That is, the GGSN takes the place of user ID/IP subsystem 2 in Fig. 2 or Fig. 3; apart from replacing user ID/IP subsystem 2 in steps c and d of the one-click single sign-on method with the GGSN, one-click single sign-on proceeds by the steps above.
Fig. 5 is embodiment 2, an implementation diagram of the present invention in fixed Internet access.
In fixed Internet access, the present invention is implemented by having the RADIUS server, the network access server (NAS) subsystem or the broadband remote access server (BRAS) subsystem open an interface that allows a trusted network application system or network application authentication system to verify the user ID with which the user logged in to the Internet. That is, RADIUS/NAS/BRAS takes the place of user ID/IP subsystem 2 in Fig. 2 or Fig. 3; apart from replacing user ID/IP subsystem 2 in steps c and d of the one-click single sign-on method with RADIUS/NAS/BRAS, one-click single sign-on proceeds by the steps above.
Fig. 6 is embodiment 3, an implementation diagram of the present invention in IPv6 and Mobile IPv6 networks.
In an IPv6 network, the IPv6 address of the terminal device is provided by the network access service provider. If an Internet access operator uses stateless autoconfiguration throughout, then whenever a terminal is activated the user name corresponding to its IPv6 address must be recorded, building a user name/IP address LDAP database. If stateful configuration is used, then the user is also authenticated, authorized and charged before the IPv6 DHCP server responsible for address assignment assigns an address, establishing an IPv6 AAA subsystem.
The home agent subsystem in a Mobile IPv6 network holds the identifiers of the users belonging to it together with the home address and care-of address of each mobile host.
The application of the method of the present invention in IPv6 and Mobile IPv6 networks is for the user name/IP address LDAP database, the IPv6 AAA subsystem or the home agent subsystem of the Mobile IPv6 network to open an interface that allows a trusted network application system or network application authentication system to verify the user ID with which the user logged in to IPv6 Internet access. That is, IPv6 AAA/User-IP LDAP/Home Agent takes the place of user ID/IP subsystem 2 in Fig. 2 or Fig. 3; apart from replacing user ID/IP subsystem 2 in steps c and d of the one-click single sign-on method with IPv6 AAA/User-IP LDAP/Home Agent, one-click single sign-on proceeds by the steps above.

Claims (1)

  1. A one-click single sign-on method for network applications, in which the system architecture comprises a user terminal (1), a user ID/IP subsystem (2), a network application server CPa (3), a customer service management center (4) of CPa, a national customer service management center (5) and a customer service management center (6) of the user; said user ID/IP subsystem (2) is the subsystem or equipment in the network login system that records user identification information and the IP addresses allocated to users, and it opens an interface that allows a trusted network application system or network application authentication system to verify user information; said customer service management center (4) of CPa, national customer service management center (5) and customer service management center (6) of the user are the equipment that manages each user and each network application server of a given region according to the LDAP protocol data organization structure; characterized in that said one-click single sign-on method comprises the following steps:
    a. The user clicks the network application software on the user terminal (1) device, which sends a network application login request to the network application server CPa (3) of a network application service provider; the login request packet carries the IP address of the terminal device, i.e. the source address of the login request;
    b. Network application server CPa (3) appends the service identifier of this application service to the user terminal (1) device source address taken from the received login request packet, forming a customer service authentication request;
    c. When customer service management center (4) of CPa receives this authentication request from the network application server CPa (3) that it is configured to serve, it queries user ID/IP subsystem (2) for the user ID using the source address in the request;
    d. User ID/IP subsystem (2) returns the user ID corresponding to this source address to customer service management center (4) of CPa;
    e. Customer service management center (4) of CPa judges from the region information in the user ID whether this user belongs to its own region; if so, it proceeds to step i; if not, it sends a request to confirm the user ID to national customer service management center (5);
    f. National customer service management center (5) forwards the user ID confirmation request to customer service management center (6) of the user's home region for confirmation;
    g. Customer service management center (6) of the user's home region returns the result of the user ID confirmation request to national customer service management center (5);
    h. National customer service management center (5) returns the result of the user ID confirmation request to customer service management center (4) of CPa;
    i. If the user conforms with the service management rules, authorization and accounting begin, and a session token for customer service management, composed of the user ID and the service identifier, is generated and returned to network application server CPa (3);
    j. Network application server CPa (3) returns this session token to the user terminal (1) device, where it is used in the operation of the user's network application software;
    k. When the user later clicks network application software on the user terminal (1) device to visit another network application, authentication, authorization and accounting are carried out according to the user ID in the session token obtained for the previous application, thereby achieving single sign-on.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101108391A CN100534094C (en) 2005-11-28 2005-11-28 System and method for network accession utilizing single clicking single pointing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005101108391A CN100534094C (en) 2005-11-28 2005-11-28 System and method for network accession utilizing single clicking single pointing

Publications (2)

Publication Number Publication Date
CN1933483A CN1933483A (en) 2007-03-21
CN100534094C true CN100534094C (en) 2009-08-26

Family

ID=37879099

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101108391A Expired - Fee Related CN100534094C (en) 2005-11-28 2005-11-28 System and method for network accession utilizing single clicking single pointing

Country Status (1)

Country Link
CN (1) CN100534094C (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710621B (en) * 2012-05-22 2016-06-08 中兴通讯股份有限公司 A kind of user authentication method and system
CN104283852B (en) * 2013-07-08 2019-01-25 中国电信股份有限公司 The single sign-on authentication method and system and client and server-side of mobile application
CN106656566B (en) * 2016-11-18 2020-06-05 上海斐讯数据通信技术有限公司 Third-party data source authentication network-accessing management method based on LDAP protocol
CN109542587A (en) * 2018-11-26 2019-03-29 郑州云海信息技术有限公司 A kind of virtual machine access method, device and computer equipment
CN110765445B (en) * 2019-10-08 2023-02-10 中国建设银行股份有限公司 Method and device for processing request

Also Published As

Publication number Publication date
CN1933483A (en) 2007-03-21

Similar Documents

Publication Publication Date Title
JP4195450B2 (en) Single sign-on method for packet radio network users roaming multi-country operator networks
CA2457368C (en) A server, system and method for providing access to a public network through an internal network of a multi-system operator
CN1534921B (en) Method of public authentication and authorization between independent networks
CA2530891C (en) Apparatus and method for a single sign-on authentication through a non-trusted access network
US7522907B2 (en) Generic wlan architecture
US6912567B1 (en) Broadband multi-service proxy server system and method of operation for internet services of user's choice
CN100438516C (en) Network connection system, network connection method, and switch used therefor
US20010028636A1 (en) Method and apparatus for mapping an IP address to an MSISDN number within a service network
US20070184819A1 (en) System, method and apparatus for federated single sign-on services
US20060248225A1 (en) System and Method for Providing Source Awareness in a Wireless Application Protocol Network Environment
US20030233329A1 (en) System and method for providing subscription content services to mobile devices
CN100525523C (en) Method for mobile terminal switching in packet network
US7173933B1 (en) System and method for providing source awareness in a network environment
CN100534094C (en) System and method for network accession utilizing single clicking single pointing
US20030060199A1 (en) Method and apparatus for managing a plurality of mobile nodes in a network
CN101013941A (en) Digital certificate authentication/management system and authentication/management method
US8656026B1 (en) Associating network address lease information with user data
US20050210288A1 (en) Method and apparatus for eliminating dual authentication for enterprise access via wireless LAN services
JP4567173B2 (en) Concentration / Connection System, Concentration / Connection Method and Concentration / Connection Device
CN103179544A (en) Mobile data international roaming user access method and network device
CN101009611A (en) A method for terminal access to different service networks
CN100484109C (en) Method of looking for attribution server/dialing up access server of using remote authentication
EP1269716B1 (en) Method and apparatus for managing a plurality of mobile nodes in a network
EP1356654B1 (en) System and method for assigning dynamic ip-addresses
CN113014550A (en) Access control and authentication method for IPoE IPv 4IPv6 in campus network of colleges and universities

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHANGHAI SUTENG INFORMATION SCIENCE CO., LTD.

Free format text: FORMER OWNER: WANG WEIWEI

Effective date: 20091002

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20091002

Address after: Room 1, building 66, Lane 401, Huayuan Road, Shanghai, Hongkou District

Patentee after: Shanghai Suteng Information Science & Technology Co., Ltd.

Address before: Room 137, No. 99, Lane 2503, Tam Tam Road, Shanghai, Putuo District

Patentee before: Wang Weixun

ASS Succession or assignment of patent right

Owner name: WANG WEIXUN

Free format text: FORMER OWNER: SHANGHAI SUTENG INFORMATION SCIENCE + TECHNOLOGY CO., LTD.

Effective date: 20150807

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150807

Address after: 200061 room 137, No. 99, Lane 2503, Tam Tam Road, Putuo District, Shanghai

Patentee after: Wang Weixun

Address before: 200081 room 1, building 66, Lane 401, Huayuan Road, Shanghai, Hongkou District

Patentee before: Shanghai Suteng Information Science & Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090826

Termination date: 20161128
