CN101075875B - Method and system for realizing single sign-on between portals/systems - Google Patents

Info

Publication number: CN101075875B
Application number: CN200710112108XA
Authority: CN (China)
Prior art keywords: portal, user, message, session, access
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN101075875A
Inventors: 吴树敏, 黄振华
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Events: application filed by China Telecom Corp Ltd; priority to CN200710112108XA; publication of CN101075875A; application granted; publication of CN101075875B; legal status active.
Abstract

The method comprises: a first portal authenticates the user and establishes a first session with the user; in the first portal, the user clicks the access link to a second portal; the first portal generates a first message comprising the user's identity authentication information and transmits it to the second portal; from the identity authentication information in the first message, the second portal determines that the user has been authenticated, establishes a second session with the user, and allows the user to access the second portal.

Description

Method and system for realizing single sign-on between portals/systems
Technical field
The present invention relates to login methods and systems for portals (Portal) of the Internet and the mobile Internet, and more specifically to a method and system for realizing single sign-on between different portals/systems, in which a user, once logged in to one portal/system, can access other portals/systems without logging in again.
Background technology
Single sign-on (SSO) technology is mainly used to realize "sign on once, roam the whole network": after a user logs in to a certain portal/system and clicks a link in it that leads to another system, the SSO interface redirects the user to that system without requiring the account and password to be entered and the login to be repeated. That is, as long as the user logs in once at a portal/system, the user can access every other associated, authorized system that implements SSO through that portal/system.
Two kinds of technology are mainly used to realize SSO at present: one uses automated login techniques to hide from the user the process of logging in to different systems; the other uses a protocol with SSO functionality. Whichever is adopted, one common step must be completed: the initial login.
The first prior-art approach uses automated login, that is, it hides the process of logging in to the target system from the user. When first using the target system, the user must enter a user name and password (or use some other authentication method); afterwards, when the user accesses other systems through this target system, the automation fills in the user name and password on the user's behalf by means of scripts, so that the user takes no part in the login process. This approach is fairly transparent to the target system and can complete the login to most target systems with client-side scripting languages (such as JavaScript or VBScript). However, writing the login scripts is rather complex, and certain requirements are placed on the client browser, for example that it support Cookies (text records created by the web server and stored locally on the client). In the mobile Internet, mobile-phone browsers currently differ in their support for Cookies, so most handsets cannot support Cookies completely. Moreover, because Cookie data is placed on the client and other programs local to the user terminal can read it, the security of this arrangement is poor.
The second approach uses a network protocol with SSO functionality. A typical example is the Kerberos protocol. With Kerberos, multiple target systems can be accessed by means of tickets (ticket-granting tickets): after the authentication server has authenticated the user, the server issues a ticket to the user, and the user can rely on that ticket to access every authorized system. This is the single sign-on technology most commonly adopted at present; Fig. 1 shows an example system that uses it.
The second approach also has drawbacks. It requires that the target system or target service be Kerberized, that is, that the system support the Kerberos protocol. This limits its application to closed systems (for example, applications on network equipment). For instance, many network devices do not currently support Kerberos authentication, and because Kerberos messages cannot traverse firewalls, these restrictions tend to confine the Kerberos protocol to the interior of an organization. Yet many portals/systems offer access to users on the public network, which necessarily involves firewalls. If an SSO protocol cannot traverse firewalls, the scope of its application is clearly limited.
A new technical solution is therefore needed to solve the above problems of the prior art.
Summary of the invention
To solve the above problems, the present invention provides a technology for single sign-on.
According to a first aspect of the invention, a method for realizing single sign-on between portals is provided, comprising the steps of: a first portal authenticates the user and establishes a first session with the user; the user clicks, in the first portal, an access link to a second portal; the first portal generates a first message comprising the user's identity authentication information and passes this first message to the second portal; and the second portal determines, from the identity authentication information in the first message, that the user has been authenticated, and establishes a second session with the user so as to allow the user to access the second portal.
In an embodiment of the first aspect, the method further comprises: if the user accesses the second portal before accessing the first portal, the second portal redirects the user to the first portal so that the first portal authenticates the user.
In another embodiment of the first aspect, the method further comprises: during the lifetime of the first session, the second portal sends session keep-alive messages to the first portal to keep the first session alive.
In another embodiment of the first aspect, the method further comprises: the first message is protected with the DES algorithm (encryption and decryption) and the MD5 algorithm (digest).
In another embodiment of the first aspect, the method further comprises: the first portal authenticates the user by user name and password.
In another embodiment of the first aspect, the method further comprises: the first portal authenticates the user by the user's MSISDN.
In another embodiment of the first aspect, the first message is in HTTP protocol format.
According to a second aspect of the invention, a system for realizing single sign-on between portals is provided, comprising: a first portal, configured to authenticate the user, establish a first session with the user's terminal, generate a first message comprising the user's identity authentication information, and pass this first message to a second portal; the second portal, configured to determine from the identity authentication information in the first message that the user has been authenticated, and to establish a second session with the user's terminal so as to allow the user to access the second portal; and the user terminal, configured to access the portals.
In an embodiment of the second aspect, the second portal is further configured, when the user accesses the second portal before accessing the first portal, to redirect the user to the first portal so that the first portal authenticates the user.
In another embodiment of the second aspect, the second portal is further configured to send session keep-alive messages to the first portal during the lifetime of the first session, so as to keep the first session alive.
In another embodiment of the second aspect, the first portal is configured to protect the first message with the DES algorithm and the MD5 algorithm, and the second portal is configured to verify and decrypt the first message with the same algorithms.
In another embodiment of the second aspect, the first portal is further configured to authenticate the user by user name and password.
In another embodiment of the second aspect, the first portal is further configured to authenticate the user by the user's MSISDN.
In another embodiment of the second aspect, the first message is in HTTP protocol format.
The technical solution of the present invention has wide applicability and differs from the prior art. In the present solution, after the user has been authenticated at a portal website, the authentication result is kept on the back end (for example, in the first portal), and the login to other portals is carried out by the first portal; in the prior art, by contrast, the Cookie or ticket is kept on the user terminal, and every login is performed directly from the terminal to the target system. Because all control logic runs on the back end, that is, the first portal performs the access authentication towards the other portals, the present solution places no special requirements on the user terminal and is applicable to both Internet and mobile Internet applications. Moreover, the SSO messages of the present invention use a well-known standard communication protocol, for example HTTP, so they can traverse firewalls and the invention can be used on the public network. The solution therefore enjoys a high degree of support from existing equipment.
In addition, by periodically sending session keep-alive information, the solution keeps the user's session in the first portal active while the user is accessing other portals; since the user's sessions in those other portals are active as well, the user can move freely between portals without repeated authentication.
In addition, the solution has high security: the user authentication information is kept on the back end of the system, and the transmitted messages are protected with cryptographic algorithms such as MD5 and DES (Data Encryption Standard), so that the user information is safeguarded.
Finally, because existing communication protocols and cryptographic algorithms are used, the solution can be realized wherever SSO messages can be transmitted, which makes its implementation simple.
Description of drawings
The present invention can be understood more clearly from the following detailed description taken with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of an exemplary single sign-on system according to the prior art.
Fig. 2 is the overall architecture of a system of several portals/systems according to the present invention.
Fig. 3 depicts the user session keep-alive process according to the present invention.
Fig. 4 is a flow chart of a single sign-on method according to an embodiment of the invention.
Fig. 5 is a flow chart of a single sign-on method according to another embodiment of the invention.
Detailed description
For simplicity and clarity, the elements in the drawings are not necessarily drawn to scale, and the same reference numerals denote the same elements in different drawings. Descriptions and details of well-known steps and elements are omitted so as not to obscure the invention unnecessarily.
Those of ordinary skill in the art will understand that the general description above and the detailed description below are given as examples and illustrations of the invention, not as limitations on it.
The technical solution of the present invention is described below by way of examples.
The SSO method according to the present invention is based on well-known international standard protocols. It uses the user sessions (Session) maintained by the portals/systems to realize single sign-on between different portals/systems and to keep the user in an active state across those portals/systems.
The single sign-on realized by the method is carried out entirely by the portals/systems and places no extra requirements on the user's client browser. The message format between portals/systems uses well-known international standard protocols, so the degree of equipment support is very high. Message contents are encrypted with existing, mature algorithms, which makes a system according to the invention easy to realize. The invention can also be applied in both the Internet and the mobile Internet, truly integrating Internet and mobile Internet services.
Fig. 2 shows the overall architecture of a system of several portals/systems according to the present invention; this architecture is used to build an SSO system according to the invention. As shown in Fig. 2, in one embodiment the system comprises a user terminal, portal A and portal B. The user terminal first accesses portal A and then accesses portal B through portal A. Only portal B is shown, for simplicity of illustration; those of ordinary skill in the art will appreciate that the system may also contain several other portals of the same kind as portal B, all of which the user terminal can access through portal A.
The network entities of the system and their functions are as follows.
Portal A: the portal system the user accesses first. It provides the identity authentication function for the user and produces the SSO messages. Other portal systems obtain the user's identity information from portal A, which is the authentication entry portal for every other portal/system in the network. In the Internet environment portal A provides a user login interface; in the mobile Internet environment portal A can provide an implicit back-end login. Portal A produces the SSO message from the user's UserID, encrypting the UserID with the DES algorithm so that the user information is not disclosed in transit. Portal A computes an MD5 digest over the system application fields of the whole SSO message before passing it to portal B, so that tampering with the user information in transit can be detected.
Portal B: another portal system that the user accesses through portal A. Portal B obtains the user's identity information from portal A through the SSO interface, so the user need not log in again and enjoys a single-sign-on, network-wide roaming experience. If the user accesses portal B first, portal B cannot obtain the user's identity information from portal A and instead calls portal A's login interface to let the user log in. Once portal B has obtained the SSO message from portal A, it computes the MD5 digest over the system application fields of the message to judge whether the data has been tampered with, and DES-decrypts the system application fields of the message to extract the data.
User terminal: the client the user uses to access the system. In the Internet case it is the browser on the user's computer; in the mobile Internet case it is the WAP browser on the user's handset. In the mobile Internet, the user terminal can carry the user's identity information.
Here UserID denotes the user's identity: in the Internet environment it is the registered account entered by the user by hand, and in the mobile Internet environment it is the Mobile Subscriber International ISDN Number (MSISDN) carried by the user terminal's browser. Session A is the session created for the user in portal A and indicates that the user has logged in to and is accessing portal A. Session B is the session created for the user in portal B and indicates that the user has logged in to and is accessing portal B.
The main flow of the method according to the invention is described below with reference to Fig. 2.
1. The user accesses portal/system A (hereinafter simply "portal A"). On receiving the access request, portal A authenticates the user and creates user session A.
2. The user accesses portal B by clicking the link to portal B in portal A. Portal A produces an SSO message containing the user's encrypted identity authentication information and passes it to portal B.
3. Portal B obtains the user's identity information from the SSO message. If it succeeds, it creates session B for the user in portal B. Alternatively, in one embodiment, if portal B cannot obtain the identity information, this indicates that the user has not yet logged in to portal A (for example, the user has accessed portal B without first logging in to portal A); in that case portal B prompts the user to log in through portal A.
4. Once session B exists in portal B, the user accesses portal B directly without logging in again.
5. While the user is accessing portal B, the back end of portal B periodically sends session keep-alive messages to portal A so that the lifetime of the user's session A in portal A is extended.
In summary, the method uses SSO messages and common cryptographic algorithms to associate the user's sessions in several systems and to manage the lifetime of the associated sessions, so that after logging in to one system the user can access the other authorized, associated systems without logging in again.
The technical solution of the present invention has the following advantages:
1. No special requirements or restrictions on the user terminal. All control logic is realized on the system back end: after the user is authenticated at the portal website (portal A), the authentication information is stored on the back end, that is, in portal A, and portal A performs the login to the other portals. In the prior art, by contrast, the Cookie or ticket is kept on the terminal, and every login goes directly from the terminal to the target system. The present technology therefore applies to Internet portals/service systems as well as to mobile Internet (WAP) portals/service systems.
2. SSO messages can be passed between several systems, so only one system needs to implement user authentication; the other systems need only obtain the user's SSO message. This lowers both the requirements on the systems and their cost.
3. SSO messages are transmitted between systems over HTTP, the widely adopted international standard protocol, which traverses firewalls well, so the solution can be applied to portals/systems that serve the public network.
4. SSO messages use the DES encryption algorithm and the MD5 digest technique, both widely used in communication systems; these algorithms have very strong security and mature application, which increases the security of the system data on the transmission path.
After receiving the user's HTTP request, portal A generates the SSO message from the user information. The parameters of the SSO message may be expressed in XML. An example of the parameter format is shown below:
<?xml version="1.0"?>
<SSOMessage version="1.0">
<SSOParas>
<SessionID>SessionA</SessionID>
<MSISDN>MSISDN</MSISDN>
<EchoURL>EchoURL</EchoURL>
<Timeout>Timeout</Timeout>
<TimeStamp>YYYYMMDDHHMMSS</TimeStamp>
<Authenticator>Authenticator</Authenticator>
</SSOParas>
</SSOMessage>
The message parameters are described as follows:
Table 1
Parameter name   Parameter type    Description
SessionID        Character string  The user's session A in portal A (value SessionA)
MSISDN           Character string  The phone number the user is using; it is DES-encrypted and then Base64-transcoded
EchoURL          Character string  The URL to which portal B sends user session keep-alive messages
Timeout          Character string  The time-out of session A in portal A, in seconds; the interval at which portal B sends Echo messages must be less than Timeout
TimeStamp        Character string  YYYYMMDDHHMMSS, the current time tag, 14 characters in all
Authenticator    Character string  MD5 digest over all the fields above, then Base64-transcoded
User session keep-alive
After session A and session B have been created for the user in portal A and portal B respectively, the sessions are subject to ageing: if the validity period of session A is T1 minutes, then after T1 minutes without further access by the user, session A ends automatically. To prevent the user's session A in portal A from ending while the user continues to access portal B, portal B must periodically send session keep-alive messages to portal A.
The target URL that portal B uses when asking portal A to keep the session alive is: http://EchoURL?SessionID=sessionid
Here EchoURL is the URL at which portal A receives session keep-alive messages; it is provided by portal A, and portal B sends the keep-alive messages to it. The parameter sessionid is SessionA.
The user session keep-alive process according to the invention is described below with reference to Fig. 3, assuming that session A and session B have been established in portal A and portal B respectively.
1) Portal B periodically sends a session keep-alive message to portal A; the sending interval must be shorter than T1 minutes. Portal B takes measures to protect the data in the message it sends, for example computing an MD5 digest over the message data so that modification in transit can be detected.
2) On receiving the keep-alive message, portal A first computes the MD5 digest over the message data and compares it with the digest that was sent, to check whether the data was modified in transit. If the check shows the data to be correct, portal A extends the user session SessionA named by the sessionid parameter in the request and then returns a response message to portal B.
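The keep-alive exchange just described, as an added example in Go that is not part of the patent: portal B builds the http://EchoURL?SessionID=SessionA request, and portal A's handler at EchoURL checks the MD5 digest, extends session A if it is still alive, and answers. The handler is driven in process with net/http/httptest, so nothing goes over the network. The Digest query parameter name, the session store, and the injectable clock are assumptions; the patent names the MD5 digest but does not say how it is carried or how portal A keeps its sessions.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

// sessionStore is portal A's table of session A expiry times, renewed on each
// valid keep-alive. The store and the injectable clock are assumptions; the
// patent does not say how portal A keeps sessions.
type sessionStore struct {
	mu      sync.Mutex
	timeout time.Duration // Timeout (T1) announced in the SSO message
	now     func() time.Time
	expiry  map[string]time.Time
}

func newSessionStore(timeout time.Duration, now func() time.Time) *sessionStore {
	return &sessionStore{timeout: timeout, now: now, expiry: map[string]time.Time{}}
}

func (s *sessionStore) create(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.expiry[id] = s.now().Add(s.timeout)
}

// extend renews session id if it exists and has not yet expired; an expired
// session is dropped, since session A ends automatically once T1 has passed.
func (s *sessionStore) extend(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.expiry[id]
	if !ok || !s.now().Before(exp) {
		delete(s.expiry, id)
		return false
	}
	s.expiry[id] = s.now().Add(s.timeout)
	return true
}

// digest is the MD5-then-Base64 value the patent uses to detect modification in transit.
func digest(data string) string {
	sum := md5.Sum([]byte(data))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// keepAliveURL is portal B's request, http://EchoURL?SessionID=SessionA; the Digest parameter name is assumed.
func keepAliveURL(echoURL, sessionID string) string {
	q := url.Values{"SessionID": {sessionID}, "Digest": {digest(sessionID)}}
	return echoURL + "?" + q.Encode()
}

// echoHandler is portal A's endpoint at EchoURL: verify the digest, then extend the session.
func echoHandler(store *sessionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id := r.URL.Query().Get("SessionID")
		if r.URL.Query().Get("Digest") != digest(id) {
			http.Error(w, "digest mismatch", http.StatusBadRequest)
			return
		}
		if !store.extend(id) {
			http.Error(w, "unknown or expired session", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "OK")
	}
}

// sendKeepAlive drives the handler in process (no network) and returns the HTTP status.
func sendKeepAlive(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

// simulate creates session A with Timeout T1, sends keep-alives every interval for total, and reports whether all succeeded.
func simulate(timeout, interval, total time.Duration) bool {
	clock := time.Date(2007, 5, 1, 0, 0, 0, 0, time.UTC)
	store := newSessionStore(timeout, func() time.Time { return clock })
	store.create("SessionA")
	h := echoHandler(store)
	for elapsed := interval; elapsed <= total; elapsed += interval {
		clock = clock.Add(interval)
		if sendKeepAlive(h, keepAliveURL("http://portal-a.example/echo", "SessionA")) != http.StatusOK {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("interval 20s < Timeout 30s:", simulate(30*time.Second, 20*time.Second, 5*time.Minute))
	fmt.Println("interval 30s = Timeout 30s:", simulate(30*time.Second, 30*time.Second, 5*time.Minute))
}
```

With a 20 s interval and a 30 s Timeout, session A stays alive for the whole run; with an interval equal to Timeout, the first keep-alive already finds the session expired, which is why Table 1 requires the interval to be strictly less than Timeout. As in the description, the digest is unkeyed: it detects corruption in transit, but any party that can alter SessionID can also recompute it, so it is not by itself an authentication of portal B.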
When the method of the invention is used in a real application system, two situations arise:
1. The user first logs in to portal A and then accesses other systems;
2. The user has not yet logged in to portal A and directly accesses another system.
These two situations are discussed below through exemplary embodiments with reference to Figs. 4 and 5. For simplicity of illustration, the system is assumed to contain two portals (portal A and portal B); those skilled in the art will understand that a system according to the invention is not limited to two portals but may contain as many portals as required.
Example 1: the user first logs in to portal A and then accesses other systems
In this exemplary embodiment the user accesses portal A first, session information is produced in portal A, and the user then accesses portal B; portal A lets portal B obtain the user's identity information by passing it the SSO message, thereby realizing single sign-on. The process is described below with reference to Fig. 4.
1) The user first accesses the portal A system. In the Internet application case the user logs in by entering a UserID and password by hand. In the mobile Internet application case portal A looks up the user's MSISDN in the header of the HTTP access request, uses it as the UserID, and logs the user in automatically on the back end.
2) Portal A calls the back-end data to check the legitimacy of the user's identity. If the authentication succeeds, user session SessionA is created in the portal A system.
3) If the user passes authentication and is a legitimate user, the corresponding page of the portal/system, for example the home page of portal A, is displayed on the user terminal.
4) The user clicks the link to portal B in the portal A page.
5) Portal A generates the SSOMessage message from the user's identity information.
Portal A first encrypts all the data, including the UserID and SessionA, with the DES encryption algorithm, then computes an MD5 digest over all the system application fields of the SSO message and places the digest in the SSO message as well.
6) Portal A passes the SSO message to portal B.
7) Portal B parses the SSOMessage message. Portal B first computes the MD5 digest over all the system application fields of the SSO message and compares the result with the digest carried in the message. If they match, the received data has not been tampered with; if they differ, the received data is erroneous or has been tampered with. Portal B then DES-decrypts the system application fields of the SSO message with the key (ShareKey) agreed in advance with portal A, obtaining the user's identity information. Portal B can thereby learn that the user has been authenticated by portal A, that is, that the user is a legitimate user, and creates session SessionB for the user.
8) Portal B returns an SSO response message to portal A containing the session SessionB created for the user in portal B.
9) As those skilled in the art will appreciate, returning the SSO response message may in some cases fail for some reason.
10) If returning the SSO response message fails, portal A returns the corresponding failure prompt page to the user.
11) Otherwise the SSO response message is returned successfully.
12) If the SSO response message is returned successfully, portal A initiates a page redirection.
13) Portal A redirects the user terminal's page to portal B and automatically initiates an access request for the portal B page.
14) Portal B returns the corresponding access page to the user terminal.
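The SSO message of Table 1 and its processing in steps 5 to 7 of Example 1 (the same steps recur as steps 9 to 11 of Example 2), as an added example in Go that is not part of the patent: portal A DES-encrypts the MSISDN under the shared key ShareKey and Base64-encodes it, computes the MD5 Authenticator over the other fields and Base64-encodes that, and marshals the XML; portal B recomputes the Authenticator, rejects a mismatch, and decrypts. The patent names DES but no mode, so DES-CBC with PKCS#7 padding and a fixed IV is assumed; the key bytes, the IV, the concatenation order of the digested fields, the sample MSISDN and the timestamp are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// SSOMessage and SSOParas mirror the XML parameter format of Table 1.
type SSOMessage struct {
	Paras SSOParas `xml:"SSOParas"`
}

type SSOParas struct {
	SessionID     string `xml:"SessionID"`
	MSISDN        string `xml:"MSISDN"`        // DES-encrypted, then Base64
	EchoURL       string `xml:"EchoURL"`
	Timeout       string `xml:"Timeout"`       // seconds
	TimeStamp     string `xml:"TimeStamp"`     // YYYYMMDDHHMMSS
	Authenticator string `xml:"Authenticator"` // MD5 over the fields above, then Base64
}

// shareKey is the 8-byte DES key agreed in advance by portal A and portal B. Key and IV
// values are constructed for this example; the patent names DES but no mode, so DES-CBC
// with PKCS#7 padding is assumed.
var shareKey = []byte("8bytekey")
var iv = []byte("initvect")
var desBlock, _ = des.NewCipher(shareKey) // cannot fail: shareKey is exactly 8 bytes

// desEncrypt: DES-CBC under ShareKey with PKCS#7 padding, then Base64 (Table 1, MSISDN).
func desEncrypt(plain []byte) string {
	n := des.BlockSize - len(plain)%des.BlockSize
	p := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(p))
	cipher.NewCBCEncrypter(desBlock, iv).CryptBlocks(out, p)
	return base64.StdEncoding.EncodeToString(out)
}

// desDecrypt reverses desEncrypt, rejecting malformed ciphertext or padding.
func desDecrypt(b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(desBlock, iv).CryptBlocks(out, ct)
	if n := int(out[len(out)-1]); n >= 1 && n <= des.BlockSize && n <= len(out) {
		return out[:len(out)-n], nil
	}
	return nil, errors.New("bad padding")
}

// authenticator is the MD5 over the preceding fields, Base64-transcoded. Concatenation
// in document order with no separator is an assumption; the patent does not fix it.
func authenticator(p SSOParas) string {
	sum := md5.Sum([]byte(p.SessionID + p.MSISDN + p.EchoURL + p.Timeout + p.TimeStamp))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// buildSSOMessage is portal A's step 5: encrypt the MSISDN, digest the fields, emit XML.
func buildSSOMessage(sessionID, msisdn, echoURL string, timeoutSec int, now time.Time) ([]byte, error) {
	p := SSOParas{SessionID: sessionID, MSISDN: desEncrypt([]byte(msisdn)), EchoURL: echoURL,
		Timeout: fmt.Sprint(timeoutSec), TimeStamp: now.Format("20060102150405")}
	p.Authenticator = authenticator(p)
	return xml.Marshal(SSOMessage{Paras: p})
}

// parseSSOMessage is portal B's step 7: recompute the digest, reject a mismatch, then
// decrypt the MSISDN with ShareKey. Returns SessionA and the clear-text MSISDN.
func parseSSOMessage(doc []byte) (string, string, error) {
	var m SSOMessage
	if err := xml.Unmarshal(doc, &m); err != nil {
		return "", "", err
	}
	if m.Paras.Authenticator != authenticator(m.Paras) {
		return "", "", errors.New("authenticator mismatch: data erroneous or tampered")
	}
	plain, err := desDecrypt(m.Paras.MSISDN)
	if err != nil {
		return "", "", err
	}
	return m.Paras.SessionID, string(plain), nil
}

func main() {
	doc, err := buildSSOMessage("SessionA", "8613800138000", "http://portal-a.example/echo", 1800, time.Date(2007, 5, 1, 12, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(doc))
	fmt.Println(parseSSOMessage(doc))
}
```

A change to any digested field (the test alters Timeout) is caught by the Authenticator check, and the MSISDN appears in the XML only in encrypted form. As in the description, the Authenticator is an unkeyed MD5 digest, so both the confidentiality of the MSISDN and portal B's assurance that the message came from portal A rest entirely on ShareKey being known only to the two portals.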
Example 2: the user did not login door A as yet, and directly visited other system
The user at first visits door B, if the user did not carry out login in advance, then door B notice door A allows the user login.Under internet environment, door A ejects login page at user terminal allows the user login.In addition, under the mobile Internet environment, door A can obtain UserID (user MSISDN) automatically and carry out the user on the backstage and login.Then, door A makes door B obtain subscriber identity information by transmitting SSO message, to realize single-sign-on.
Specifically describe described process below with reference to Fig. 5.
1) user directly visits door B system by user terminal.
2) door B judges whether the user logins.If included subscriber identity information among the door B, then this shows that the user by authentication, can proceed visit.
3) if do not have subscriber identity information in the door B system, then this shows that the user did not carry out login, need authenticate the user.So, door B with the user terminal page reorientation to door A login page.When being redirected with the access location of BackUrl representative of consumer at door B.
4) the door A login page of user capture through being redirected.
5) In the Internet environment, portal A returns a login page to the user terminal. In the mobile Internet environment, portal A does not need to display a login page: it can obtain the user's MSISDN directly from the HTTP request header and use it as the UserID.
6) In the Internet environment, the user enters the UserID and password manually to log in to portal A. In the mobile Internet environment, portal A can log the user in automatically in the background.
7) Portal A calls the back-end data to check the legitimacy of the user's identity. If authentication succeeds, a user session SessionA is created in portal A.
8) If portal A fails to authenticate the user, it returns an error page to the user terminal.
9) Portal A generates an SSOMessage from the user's identity information.
Portal A first encrypts all the data, including UserID and SessionA, with the DES algorithm, then computes an MD5 digest over all the system application fields of the SSO message and places the digest in the SSO message as well.
10) Portal A passes the SSO message to portal B.
11) Portal B parses the received SSOMessage. Portal B first computes an MD5 digest over all the system application fields of the SSO message and compares the result with the digest carried in the message. If the two agree, the received data has not been tampered with; if they differ, the received data is wrong or has been tampered with. Portal B then DES-decrypts the system application fields of the SSO message with the key agreed in advance with portal A (ShareKey) and so obtains the user's identity information. Portal B thereby learns that the user has been authenticated by portal A, that is, that the user is a legitimate user, and creates a session SessionB for the user.
12) Portal B returns an SSO response message to portal A; the response carries the session SessionB that was created for the user in portal B.
13) Portal A initiates a page redirection according to portal B's BackUrl parameter.
14) Portal A redirects the user terminal's page to portal B's BackUrl, so that the user's earlier access request for the portal B page can proceed.
15) Portal B returns the corresponding access page to the user terminal.
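Steps 9 and 11 as an added example in Go (not code from the patent): portal A builds the SSOMessage by DES-encrypting UserID and SessionA under the pre-shared ShareKey and adding an MD5 digest over the application fields; portal B recomputes and compares the digest, then decrypts. The two-field layout, DES-CFB with a random IV, the "|" separator and the sample key and values are assumptions; the digest as the page specifies it is unkeyed, so it catches corruption in transit but does not by itself prove the message came from portal A.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SSOMessage holds the system application fields portal A sends to portal B.
// The two-field layout, CFB mode and the "|" separator are assumptions for this example.
type SSOMessage struct {
	Cipher string // hex(IV || DES-CFB(UserID "|" SessionA)) under ShareKey
	Digest string // hex(MD5(Cipher)); unkeyed, so it catches corruption, not a deliberate rewrite
}

func digest(s string) string { sum := md5.Sum([]byte(s)); return hex.EncodeToString(sum[:]) }

// BuildSSOMessage is step 9: DES-encrypt UserID and SessionA with the 8-byte ShareKey, then add the MD5 digest.
func BuildSSOMessage(userID, sessionA string, shareKey []byte) (SSOMessage, error) {
	block, err := des.NewCipher(shareKey) // fails unless the key is exactly 8 bytes
	if err != nil { return SSOMessage{}, err }
	iv := make([]byte, des.BlockSize) // fresh random IV per message, sent in front of the ciphertext
	if _, err := rand.Read(iv); err != nil { return SSOMessage{}, err }
	pt := []byte(userID + "|" + sessionA)
	ct := make([]byte, len(pt))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, pt)
	c := hex.EncodeToString(append(iv, ct...))
	return SSOMessage{Cipher: c, Digest: digest(c)}, nil
}

// ParseSSOMessage is step 11: recompute and compare the digest, then decrypt with ShareKey.
func ParseSSOMessage(m SSOMessage, shareKey []byte) (userID, sessionA string, err error) {
	if digest(m.Cipher) != m.Digest { return "", "", errors.New("digest mismatch: data wrong or altered") }
	raw, err := hex.DecodeString(m.Cipher)
	if err != nil || len(raw) < des.BlockSize { return "", "", errors.New("malformed ciphertext") }
	block, err := des.NewCipher(shareKey)
	if err != nil { return "", "", err }
	pt := make([]byte, len(raw)-des.BlockSize)
	cipher.NewCFBDecrypter(block, raw[:des.BlockSize]).XORKeyStream(pt, raw[des.BlockSize:])
	parts := strings.SplitN(string(pt), "|", 2) // a wrong key yields garbage that normally lacks the separator
	if len(parts) != 2 { return "", "", errors.New("malformed plaintext: wrong key or altered data") }
	return parts[0], parts[1], nil
}

func main() {
	key := []byte("ShareKey") // constructed 8-byte DES key agreed in advance by the portals
	m, _ := BuildSSOMessage("13800000000", "SessionA-42", key)
	fmt.Println(ParseSSOMessage(m, key))
}
```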
The method and system of the present invention can be implemented in various ways, for example in software, hardware, firmware or any combination thereof. The order of the method steps above is given for illustration only; unless explicitly stated, the steps of the method of the present invention are not limited to the order specifically described above. In some embodiments the present invention may also be embodied as a program recorded on a recording medium, comprising machine-readable instructions for implementing the method according to the present invention.
Although specific embodiments of the present invention have been described in detail above by way of example, those of ordinary skill in the art will appreciate that the examples above are illustrative only and do not limit the present invention. Those of ordinary skill in the art will understand that modifications may be made to the embodiments above without departing from the spirit and scope of the present invention. The scope of the present invention is defined by the appended claims.

Claims (14)

1. A method for realizing single sign-on between portals, wherein a first portal is the authentication entry portal for all other portals in the network and provides identity authentication for users, the method comprising the steps of:
the first portal authenticating the user and establishing a first session with the user;
the user clicking an access link to a second portal in the first portal;
the first portal generating a first message containing the user's identity authentication information and passing the first message to the second portal; and
the second portal determining from the user's identity authentication information in the first message that the user has been authenticated, and returning a response message to the first portal;
the first portal initiating a page redirection, redirecting the user terminal's page to the second portal, and automatically initiating an access request to the second portal's page;
the second portal establishing a second session with the user to allow the user to access the second portal;
wherein, if the user accesses the second portal before accessing the first portal, the second portal redirects the user terminal's page to the first portal so that the first portal authenticates the user.
2. The method according to claim 1, further comprising, when the user accesses the second portal before accessing the first portal: the second portal judging whether the user is logged in; if the second portal already holds the user's identity authentication information, continuing the access; if the second portal does not hold the user's identity authentication information, the second portal redirecting the user terminal's page to the first portal so that the first portal authenticates the user.
3. The method according to claim 1, further comprising: during the lifetime of the first session, the second portal sending a session keep-alive message to the first portal to keep the first session alive.
4. The method according to claim 1, further comprising: using the DES algorithm and the MD5 algorithm to encrypt and decrypt the first message.
5. The method according to claim 1, further comprising: the first portal authenticating the user by username and password.
6. The method according to claim 1, further comprising: the first portal authenticating the user by the user's phone number.
7. The method according to claim 1, wherein the first message is in HTTP protocol format.
8. A system for realizing single sign-on between portals, comprising:
a first portal, which is the authentication entry portal for all other portals in the network and provides identity authentication for users, configured to authenticate the user, establish a first session with the user's user terminal, generate, after the user clicks an access link to a second portal in the first portal, a first message containing the user's identity authentication information and pass the first message to the second portal, and, after receiving the response message returned by the second portal, initiate a page redirection, redirect the user terminal's page to the second portal and automatically initiate an access request to the second portal's page;
a second portal, configured to return a response message to the first portal after determining from the user's identity authentication information in the first message that the user has been authenticated, and to establish a second session with the user's user terminal to allow the user to access the second portal; and, where the user accesses the second portal before accessing the first portal, to redirect the user terminal's page to the first portal so that the first portal authenticates the user; and
a user terminal, configured to access the portals.
9. The system according to claim 8, wherein the second portal is further configured, when the user accesses the second portal before accessing the first portal, to first judge whether the user is logged in; if the second portal already holds the user's identity authentication information, to continue the access; and if the second portal does not hold the user's identity authentication information, to redirect the user terminal's page to the first portal so that the first portal authenticates the user.
10. The system according to claim 8, wherein the second portal is further configured to send a session keep-alive message to the first portal so as to keep the first session alive during the lifetime of the first session.
11. The system according to claim 8, wherein the first portal is configured to encrypt the first message using the DES algorithm and the MD5 algorithm, and the second portal is configured to decrypt the first message using the DES algorithm and the MD5 algorithm.
12. The system according to claim 8, wherein the first portal is further configured to authenticate the user by username and password.
13. The system according to claim 8, wherein the first portal is further configured to authenticate the user by the user's phone number.
14. The system according to claim 8, wherein the first message is in HTTP protocol format.
CN200710112108XA 2007-06-14 2007-06-14 Method and system for realizing monopoint login between gate and system Active CN101075875B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200710112108XA CN101075875B (en) 2007-06-14 2007-06-14 Method and system for realizing monopoint login between gate and system

Publications (2)

Publication Number Publication Date
CN101075875A CN101075875A (en) 2007-11-21
CN101075875B true CN101075875B (en) 2011-08-31

Family

ID=38976709

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200710112108XA Active CN101075875B (en) 2007-06-14 2007-06-14 Method and system for realizing monopoint login between gate and system

Country Status (1)

Country Link
CN (1) CN101075875B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790272A (en) * 2017-02-16 2017-05-31 济南浪潮高新科技投资发展有限公司 A kind of system and method for single-sign-on, a kind of application server

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1547343A (en) * 2003-12-17 2004-11-17 上海市高级人民法院 A Single Sign On method based on digital certificate
CN1812403A (en) * 2005-01-28 2006-08-02 广东省电信有限公司科学技术研究院 Single-point logging method for realizing identification across management field

Also Published As

Publication number Publication date
CN101075875A (en) 2007-11-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code: Ref country code: HK; Ref legal event code: DE; Ref document number: 1113523; Country of ref document: HK
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code: Ref country code: HK; Ref legal event code: WD; Ref document number: 1113523; Country of ref document: HK