CN101277193A - Single sign-on and access system for an information portal based on a service-oriented authentication service agent - Google Patents
- Publication number: CN101277193A
- Authority: CN (China)
- Prior art keywords: user, service, application system, authentication service, certificate server
- Legal status: Pending
Abstract
The invention discloses a single sign-on and access system for an information portal based on a service-oriented authentication service agent. The system comprises: a service-oriented authentication service end (1) (called the certificate server below), an authentication service agent (2), an application system (3) and a user browser (4). The certificate server (1) consists of a certificate server data structure set (11), a certificate server atomic service set (12) and a certificate server assistant service set (13). The data structure set (11) carries the data exchanged while single sign-on is carried out; the atomic service set (12) completes single sign-on and access to the application system (3) by responding to call requests from the authentication service agent (2); the assistant service set (13) maintains the local user role mapping LURM and the global user identity information GUII used in single sign-on, and assists in completing single sign-on and access to the application system (3).
Description
Technical field
The present invention relates to a single sign-on and access system for an information portal, based on a service-oriented authentication service agent, that is suitable for information portal integration. In the IPC classification this single sign-on and access system belongs to the technical field of telecommunications.
Background technology
With the spread and growth of the World Wide Web (WWW), modern Web applications have become an indispensable platform for information exchange, and the information portal is the most important of them. An information portal is a Web application technology that integrates different application systems (Application System, AS) behind one unified entrance and offers users diverse, concentrated and efficient information services. It involves content management, data integration, single sign-on (Single Sign On, SSO) and other aspects; of these, single sign-on is the problem that must be solved first. The core idea of single sign-on is to establish an identity mapping between the information portal and the application systems, so that a user only needs to log in once at the portal's certificate server and, within the validity period of that login, can visit several application systems in the portal without logging in again.
At present, with the flourishing of portal applications, a number of commercial, mature SSO mechanisms have been released one after another. Microsoft's .NET Passport single sign-on service, for example, is a centralised logon server that stores users' logon information and personal information: a user logs in once on .NET Passport and can then visit any Passport partner site. But its core certificate server and user information server are monopolised by Microsoft, and its technical details neither follow a unified standard nor are open to the outside, so it cannot be promoted further. The Liberty Alliance's Liberty SSO mechanism has an authentication flow that depends on the Security Assertion Markup Language (SAML): the information portal and every AS integrated in it must be able to understand SAML-based authentication information, which makes the mechanism too complex and hard to apply. In summary, existing SSO mechanisms have the following defects:
(1) the programming interface is complex and openness is low, so an AS has to be reworked extensively during integration;
(2) portability is often poor for ASs built on different technologies;
(3) because of its own high complexity, an existing SSO mechanism cannot be integrated quickly when the ASs in the information portal change frequently.
On the other hand, the Service-Oriented Architecture (SOA) is an important architectural model that allows loosely coupled, coarse-grained application components to be deployed, composed and used in a distributed way according to demand. SOA is loosely coupled, reusable and standardised, and has been widely and effectively applied in many fields. Whether the defects of existing SSO mechanisms can be resolved with SOA thinking is therefore a very important question.
Summary of the invention
To resolve defects such as the complex integration and low openness of existing portal application systems, the present invention proposes a single sign-on and access system for an information portal based on a service-oriented authentication service agent that is simple in structure, loosely coupled, fast and flexible, general and lightweight. The single sign-on adopts data encapsulation and service encapsulation strategies and is highly open; by introducing a service agent, the authentication-related functions are separated from the application system, and the service agent controls the user's single sign-on and system access requests, which effectively reduces the complexity of application system integration and improves portal integration performance.
The single sign-on and access system for an information portal based on a service-oriented authentication service agent of the present invention comprises an application system (3), a user browser (4), a service-oriented certificate server (1) and an authentication service agent (2);
The certificate server (1) provides the single sign-on service. It consists of a certificate server data structure set (11), a certificate server atomic service set (12) and a certificate server assistant service set (13). The data structure set (11) carries the data exchanged while single sign-on is carried out; the atomic service set (12) responds to call requests from the authentication service agent (2) and thereby completes single sign-on and access to the application system (3); the assistant service set (13) (A) maintains the local user role mapping LURM and the global user identity information GUII used in the single sign-on of the certificate server (1), and (B) assists in completing single sign-on and access to the application system (3);
The authentication service agent (2) is service-oriented: by calling the single sign-on service provided by the certificate server (1), it lets the user log in with single sign-on through the user browser (4) and realises access to the application system (3).
The certificate server data structure set (11) is an eight-tuple D0 = {ASID, PRID, ARID, UIT, URT, UTS, GUII, LURM}, where ASID is the application system number, PRID the portal role number, ARID the application system role number, UIT the user identity token, URT the user role token, UTS the user token stub, GUII the global user identity information and LURM the local user role mapping.
The certificate server atomic service set (12) is a five-tuple S0 = {serviceUITF, serviceUITV, serviceUFPC, servicePMRF, serviceUITI}, where serviceUITF is the user identity token acquisition service, serviceUITV the user identity token verification service, serviceUFPC the user first-level authorization check service, servicePMRF the portal role mapping acquisition service and serviceUITI the identity token invalidation service.
The certificate server assistant service set (13) is a six-tuple A0 = {serviceUGIF, serviceUIS, servicePRF, serviceURMR, serviceASIQ, serviceASIR}, where serviceUGIF is the user global identity acquisition service, serviceUIS the user information synchronisation service, servicePRF the service that obtains the portal roles PRID for the application system ASID, serviceURMR the user role mapping registration service, serviceASIQ the authentication service call interface query service and serviceASIR the authentication service call interface registration service.
The design features of the single sign-on and access system for an information portal based on a service-oriented authentication service agent of the present invention are:
1. the certificate server 1 adopts data encapsulation and service encapsulation strategies, which makes the single sign-on and access system of the present invention highly open and its programming interface simple;
2. an authentication service agent 2 is introduced into the system, so that authentication is separated from the application system 3 and is completed by the authentication service agent 2 calling the atomic services in the certificate server 1, which reduces the integration complexity of the system of the present invention;
3. the single sign-on process runs in a request-access mode between the authentication service agent 2 and the certificate server 1, which helps the integration and updating of the application system 3;
4. single sign-on is encapsulated as several atomic service sets with low coupling between the services, so each atomic service can be upgraded and maintained independently;
5. the lightweight single sign-on service provided by the invention helps an information portal integrate quickly in a dynamic, loosely coupled environment.
Description of drawings
Fig. 1 is a schematic diagram of a user logging in through the authentication agent service of the present invention and accessing the application systems.
Fig. 2 is the structural block diagram of the certificate server of the present invention.
Fig. 3 is the flow chart of the certificate server of the present invention carrying out single sign-on.
In the figures: 1. certificate server; 11. certificate server data structure set; 12. certificate server atomic service set; 13. certificate server assistant service set; 2. authentication service agent; 3. application system.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
The present invention is a single sign-on and access system for an information portal based on a service-oriented authentication service agent, comprising a service-oriented certificate server 1, an authentication service agent 2 and an application system 3. The authentication service agent 2 is service-oriented: by calling the single sign-on service provided by the certificate server 1, it lets the user log in with single sign-on through the user browser 4 and realises access to the application system 3.
In the present invention, the application system 3 is an application system used on the Internet for management, analysis, information publishing and the like.
In the present invention, the authentication service agent 2 calls the single sign-on service of the certificate server 1 and acts as the bridge between the user and the application system 3. Because the certificate server 1 adopts data encapsulation and service encapsulation strategies, the openness of the user's single sign-on and access is higher; the single sign-on process runs in a request-access mode between the authentication service agent 2 and the certificate server 1, which helps the integration and updating of the application system 3 and truly realises loose coupling.
In the present invention, the certificate server 1 provides the single sign-on service. That service is designed as several atomic service sets with low coupling between the services, so each atomic service can be upgraded and maintained independently; this is what makes the certificate server 1 fast and flexible.
In the present invention (see Fig. 1), when a user logs in through the user browser 4, the authentication service agent 2 first enters the certificate server 1 and realises single sign-on by calling its atomic services; the user can then access the application system 3, which, depending on how it is set up, may have several scopes of authority, such as the A application system 31, the B application system 32, ..., the N application system 33.
In the present invention (see Fig. 2), the certificate server 1 consists of a certificate server data structure set 11, a certificate server atomic service set 12 and a certificate server assistant service set 13;
The certificate server data structure set 11 carries the data exchanged while single sign-on is carried out;
The certificate server atomic service set 12 responds to the call requests of the authentication service agent 2 and thereby completes single sign-on and access to the application system 3;
The certificate server assistant service set 13 (A) maintains the LURM and GUII used in single sign-on and (B) assists in completing single sign-on and access to the application system 3.
The certificate server data structure set 11 is an eight-tuple D0 = {ASID, PRID, ARID, UIT, URT, UTS, GUII, LURM}, where ASID is the application system number, PRID the portal role number, ARID the application system role number, UIT the user identity token, URT the user role token, UTS the user token stub, GUII the global user identity information and LURM the local user role mapping. In the present invention the certificate server data structure set 11 adopts the data encapsulation pattern, which helps single sign-on and access in the information portal and improves the openness of the system of the present invention.
ASID: the unique identifier within the information portal of the A application system 31, B application system 32, ..., N application system 33 in the application system 3; short name: application system number.
PRID: identifies a portal role; short name: portal role number.
ARID: the role number that identifies a role of an application system; it includes the application system number of the A application system 31, B application system 32, ..., N application system 33 in the information portal; short name: application system role number.
UIT: identifies whether a user is in the logged-in state. It is a 32-character random string generated on the basis of the current time in milliseconds, produced by the certificate server 1 after the user has been authenticated through the authentication service agent 2; short name: user identity token.
URT: describes the portal role information that a logged-in user possesses; it is the array of the portal role numbers PRID that the user holds, with the structure URT = {PRID_1, PRID_2, ..., PRID_n}; short name: user role token.
UTS: identifies the validity of the user identity token UIT and the user role token URT; it is generated and kept by the certificate server 1 after the user logs in, and has the form UTS = {user name, UIT, URT}; short name: user token stub.
GUII: identifies the user's identity information, in the form GUII = {user name, user login password}; short name: global user identity information.
LURM: maintains the mapping between portal role numbers PRID and application system role numbers ARID, in the form LURM = {PRID, ASID, ARID}; short name: local user role mapping.
The certificate server atomic service set 12 is a five-tuple S0 = {serviceUITF, serviceUITV, serviceUFPC, servicePMRF, serviceUITI}, where serviceUITF is the user identity token acquisition service, serviceUITV the user identity token verification service, serviceUFPC the user first-level authorization check service, servicePMRF the portal role mapping acquisition service and serviceUITI the identity token invalidation service.
serviceUITF: used to (A) authenticate the user's identity against the global user identity information GUII; (B) grant a user identity token UIT to a user who passes authentication; (C) produce a user token stub UTS for the user who has been granted a UIT, using automatic serial-number generation, and keep the UTS at the certificate server. In the present invention the GUII (user name and login password) entered by the user is verified, and the result decides whether a UIT is granted: if so, a UIT is granted and a UTS is generated and kept at the certificate server; if not, an invalid UIT is returned. Input: GUII; output: UIT. Short name: user identity token acquisition service.
serviceUITV: verifies the validity of the user identity token UIT held by the user. For the UIT held by the user, it checks the validity of the UIT against the user token stub UTS and returns the result of that traceback check. Input: UIT; output: Boolean verification result. Short name: user identity token verification service.
serviceUFPC: checks whether the user possesses the entry access right to the requested application system 3. It obtains the user role token URT from the UIT and the UTS and, together with the application system number ASID, checks whether the user has the entry access right to the requested application system 3. Input: UIT and ASID; output: Boolean check result. Short name: user first-level authorization check service.
servicePMRF: obtains the roles in the corresponding application system 3 that the user's portal roles map to. It obtains URT, GUII and LURM from the UIT and UTS held by the user, takes their product together with the ASID, and obtains the roles that the portal roles map to in that application system. Input: UIT and ASID; output: the array of internal role numbers of the corresponding application system, {ARID_1, ARID_2, ..., ARID_n}. Short name: portal role mapping acquisition service.
serviceUITI: marks the UIT currently held by the user as invalid. Based on the UIT currently held by the user, it invalidates URT, UTS and UIT. Input: UIT. Short name: identity token invalidation service.
The certificate server assistant service set 13 is a six-tuple A0 = {serviceUGIF, serviceUIS, servicePRF, serviceURMR, serviceASIQ, serviceASIR}, where serviceUGIF is the user global identity acquisition service, serviceUIS the user information synchronisation service, servicePRF the service that obtains the portal roles PRID for the application system ASID, serviceURMR the user role mapping registration service, serviceASIQ the authentication service call interface query service and serviceASIR the authentication service call interface registration service.
serviceUGIF: obtains the user's identity information in the portal. From the UIT and UTS held by the user it obtains the corresponding user name, and from the user name it obtains the GUII. Input: the UIT currently held by the user; output: the global user identity information GUII. Short name: user global identity acquisition service.
serviceUIS: takes out the global identity information GUII of all users who have access rights to a designated application system and saves it in that application system. Based on the ASID, it takes out and saves the GUII of the users who have the entry access right to that application system. Input: ASID. Short name: user information synchronisation service.
servicePRF: takes out the portal role information that has access rights to a designated application system. Based on the ASID, it takes out all the role information in the portal that has the entry access right to the application system with that ASID. Input: ASID; output: portal role information. Short name: application system portal role acquisition service.
serviceURMR: registers a mapping from a portal role to an application system role. From the designated ASID, ARID and portal role number PRID it registers or changes the user role mapping in LURM, that is, it maintains the LURM element of the certificate server data structure set 11. Input: ASID, ARID, PRID; output: Boolean execution result. Short name: user role mapping registration service.
serviceASIQ: queries a specific authentication service call interface. From a pre-agreed authentication service call interface index it takes out the corresponding authentication service call interface description. When an atomic service interface of the certificate server 1 that the authentication agent 2 calls has failed, the authentication agent 2 can call this service to regain the call interface of the atomic service provided by the certificate server 1. Input: authentication service call interface index; output: authentication service call interface description. Short name: authentication service call interface query service.
serviceASIR: registers or changes the authentication service call interface index. It registers the modified authentication service call interface description and number, and returns the result of the action. When an atomic service interface provided by the certificate server 1 has been modified, calling this service automatically registers and changes the modified atomic service interface. Input: the authentication service call interface description and number to be registered or changed; output: Boolean execution result. Short name: authentication service call interface registration service.
In the present invention (see Fig. 3), the steps a user performs through the user browser 4 to access the application system 3 with single sign-on are:
After system initialisation the information portal offers a single login entrance; the user enters the GUII (user name and password) at that login entrance and requests to log in, after which step 101 follows;
Step 101: the authentication service agent 2 intercepts the GUII request, calls serviceUITF and passes the GUII to the certificate server 1; execute step 102;
Step 102: the certificate server 1 executes the authentication service serviceUITF and verifies the GUII; if the GUII verification passes, it (A) generates UIT, URT and UTS, (B) keeps the URT and UTS, (C) sends the UIT to the authentication service agent 2, and step 103 is executed; if the GUII verification fails, it returns an invalid UIT to the authentication service agent 2;
Step 103: the authentication service agent 2 judges whether the returned UIT is valid; if not, it returns to the initial state; if yes, step 104 is executed;
Step 104: the user sends an access request to a designated application system through the user browser 4; execute step 105. In the present invention a designated application system means that the user sends the access request to the A application system 31 in the application system 3, or to the A application system 31 and B application system 32, or to the A application system 31, B application system 32, ..., N application system 33 (see Fig. 1). The access request names the designated application system by its number and can be written ASID_N, where N is the number of the designated application system. For example, if the user needs to visit the B application system 32 through the user browser 4, the access request sent is ASID_B or ASID_32. For brevity, the designated application system is replaced hereafter by the B application system 32.
Step 105: the authentication service agent 2 intercepts the access request, calls serviceUITV and passes the user's global identity token UIT to the certificate server 1; the certificate server 1 executes serviceUITV, verifies the validity of the UIT and returns the UIT to the authentication service agent 2; execute step 106;
Step 106: the authentication service agent 2 judges whether the UIT is valid; if not, it returns to the initial state; if yes, step 107 is executed;
Step 107: the authentication service agent 2 calls serviceUFPC and passes the serviceUFPC call to the certificate server 1; the certificate server 1 executes serviceUFPC, verifies whether the user has the right to access the B application system 32, and returns that access right to the authentication service agent 2; execute step 108;
Step 108: the authentication service agent 2 compares the access right from step 107 with a threshold value and outputs: (A) the user has the access right, execute step 109; (B) the user has no access right, execute step 111a. In the present invention a threshold value of "1" means the user has no access right and a threshold value of "0" means the user has the access right.
Step 109: the authentication service agent 2 judges whether the user's role numbers in the B application system 32, that is, the URT, are cached; if yes, step 110 is executed; if not, step 901 is executed;
Step 901: the authentication service agent 2 calls servicePMRF and sends the UIT and ASID_B to the certificate server 1; execute step 902;
Step 902: the certificate server 1 obtains the LURM from the certificate server data structure set 11, executes servicePMRF to obtain the role numbers in the B application system 32, and sends those role numbers to the authentication service agent 2; the authentication service agent 2 caches the received role numbers and then executes step 110;
Step 110: the authentication service agent 2 sends the cached role numbers to the B application system 32; execute step 111;
Step 111: the B application system 32 checks, according to the URT, whether the user has the authority for the operation requested on the B application system 32; if not, execute step 111a; if yes, execute step 114;
Step 112: the B application system 32 responds to the user's access request, so that the user achieves single sign-on to the B application system 32.
Step 113: the user is asked whether to log in to another application system in the application system 3; if "yes", execute step 104; if "no", execute step 114;
Step 114: the authentication service agent 2 calls serviceUITI and sends the user's global identity token UIT to the certificate server 1; the certificate server 1 executes the authentication service serviceUITI, invalidates the user identity token UIT and sends an invalidation confirmation to the authentication service agent 2.
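To make the data structure set D0, the atomic service set S0 and the step sequence above concrete, here is an added example in Python; it is not code from the patent or from any implementation of it. It models the certificate server 1 and the authentication service agent 2 as in-memory objects. The identifiers (UIT, URT, UTS, GUII, LURM, ASID, PRID, ARID) and the service names follow the patent; the sample users, portal roles and LURM rows are constructed; the UIT construction (a SHA-256 over the millisecond time plus fresh randomness, cut to 32 characters), the rule that the entry access right means "some portal role in the URT maps to this ASID in LURM", and the set intersection used as the "product" in servicePMRF are this example's assumptions. Transport, SSL and the threshold comparison of step 108 are left out.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

INVALID_UIT = ""  # assumed encoding of the "invalid UIT" that serviceUITF returns on failure


@dataclass
class UTS:
    """User token stub kept at the certificate server: {user name, UIT, URT}."""
    username: str
    uit: str
    urt: tuple  # URT = (PRID_1, ..., PRID_n)


class CertificateServer:
    """Certificate server 1: holds the D0 data and exposes the atomic service set S0."""

    def __init__(self, guii, portal_roles, lurm):
        self.guii = guii                  # GUII rows: user name -> login password (constructed)
        self.portal_roles = portal_roles  # user name -> tuple of PRID, the source of URT (assumed store)
        self.lurm = lurm                  # LURM rows: set of (PRID, ASID, ARID)
        self.stubs = {}                   # UIT -> UTS, created by serviceUITF

    def service_uitf(self, username, password):
        """serviceUITF: verify GUII; on success grant a UIT and keep a UTS, else return the invalid UIT."""
        if self.guii.get(username) != password:
            return INVALID_UIT
        ms = int(time.time() * 1000)  # UIT derived from the millisecond time plus randomness (assumed form)
        uit = hashlib.sha256(f"{ms}:{secrets.token_hex(16)}".encode()).hexdigest()[:32]
        self.stubs[uit] = UTS(username, uit, self.portal_roles.get(username, ()))
        return uit

    def service_uitv(self, uit):
        """serviceUITV: a UIT is valid while its stub still exists (traceback check against UTS)."""
        return uit != INVALID_UIT and uit in self.stubs

    def service_ufpc(self, uit, asid):
        """serviceUFPC: first-level check; entry right if a held portal role maps to this ASID (assumed rule)."""
        stub = self.stubs.get(uit)
        if stub is None:
            return False
        return any(prid in stub.urt and a == asid for (prid, a, _) in self.lurm)

    def service_pmrf(self, uit, asid):
        """servicePMRF: the URT 'multiplied' with the LURM rows for this ASID gives the internal ARIDs."""
        stub = self.stubs.get(uit)
        if stub is None:
            return []
        return sorted({arid for (prid, a, arid) in self.lurm if a == asid and prid in stub.urt})

    def service_uiti(self, uit):
        """serviceUITI: invalidate UIT, URT and UTS together by dropping the stub."""
        return self.stubs.pop(uit, None) is not None


class AuthServiceAgent:
    """Authentication service agent 2 running steps 101-114 of Fig. 3 for one browser session."""

    def __init__(self, server):
        self.server = server
        self.uit = INVALID_UIT
        self.role_cache = {}  # ASID -> cached ARID list (step 109)

    def login(self, username, password):
        """Steps 101-103: forward the GUII, keep the UIT only if it is valid."""
        self.uit = self.server.service_uitf(username, password)
        return self.uit != INVALID_UIT

    def access(self, asid):
        """Steps 104-110: return the role numbers handed to the AS, or None (initial state / step 111a)."""
        if not self.server.service_uitv(self.uit):        # steps 105-106
            return None
        if not self.server.service_ufpc(self.uit, asid):  # steps 107-108
            return None
        if asid not in self.role_cache:                   # step 109 -> steps 901-902
            self.role_cache[asid] = self.server.service_pmrf(self.uit, asid)
        return self.role_cache[asid]                      # step 110

    def logout(self):
        """Step 114: invalidate the UIT and forget everything cached for it."""
        ok = self.server.service_uiti(self.uit)
        self.uit, self.role_cache = INVALID_UIT, {}
        return ok


def build_demo():
    """Constructed sample portal: two users, three application systems, a partial LURM."""
    guii = {"alice": "alice-pw", "bob": "bob-pw"}
    portal_roles = {"alice": ("PR_STAFF", "PR_ADMIN"), "bob": ("PR_GUEST",)}  # PR_GUEST maps nowhere
    lurm = {("PR_STAFF", "AS_A", "A_USER"), ("PR_STAFF", "AS_B", "B_VIEWER"),
            ("PR_ADMIN", "AS_B", "B_EDITOR"), ("PR_ADMIN", "AS_N", "N_ADMIN")}
    server = CertificateServer(guii, portal_roles, lurm)
    return server, AuthServiceAgent(server)


if __name__ == "__main__":
    server, agent = build_demo()
    print(agent.login("alice", "alice-pw"), agent.access("AS_B"), agent.logout())
```

The sample user bob shows the permission gap the rights management section describes: he holds a portal role, but no LURM row maps it to any AS, so serviceUFPC denies entry until a mapping is registered. Because serviceUITV is answered from the server-side stub, a UIT that leaks after step 114 is useless; the page's D0 carries no expiry, though, so a deployment would want a validity period on the UTS to bound the lifetime of an unreleased token.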
The specific design ideas of each module in the single sign-on and access system for an information portal based on a service-oriented authentication service agent of the present invention are:
I. Authentication service design
The SSO service provided by the certificate server is the core of the whole mechanism. Its rights management, its security strategy and its division into atomic services are the key points of the SSO service design; the authentication service design is set out below from these three aspects.
1. Rights management strategy
Within an application system AS the assignment of user rights is extremely strict. When ASs are integrated, their differences in business logic and workflow are usually reflected most directly in the delineation of rights within the portal system. To reduce the difficulty of integrating ASs and the complexity of portal rights management, and to improve the flexibility and reusability of the system of the present invention, a rights management strategy based on a two-level authorization system and assisted by a role mapping management system has been designed.
Two-level authorization system: a single AS is regarded as one portal resource; the portal role is only responsible for granting the user the entry access right to the AS, while the user's rights inside the AS are assigned and managed by the AS itself. By adopting the two-level authorization system, the rights management strategy of the present invention avoids the portal interfering too much in the rights management of an AS. But under the two-level authorization system a newly added portal user has a permission gap period, that is, a time span in which the new user holds a portal role that grants the AS entry access right but does not yet hold a role inside the AS. The system of the present invention uses the role mapping management system to solve the permission gap problem.
Role mapping management system: mapping relations are established between the portal roles and the roles inside an AS. When the user accesses an AS, the product of the portal roles the user holds and the role mapping yields the corresponding roles inside the AS. Thus, as soon as a user has the entry access right to an AS, the user also has some role inside that AS, which makes up for the permission shortfall of the gap period that a newly added portal user has under the two-level authorization system.
Managing rights with this rights management strategy avoids, in the present system, modifications to the AS and the portal caused by rights problems, and at the same time guarantees that the user's rights are consistent between the portal and the subsystems.
2. Security strategy design
Since all information carried by the data structures of the system of the present invention is sensitive and the security requirements are high, the system security strategy, besides relying on the security framework of the specific implementation, also needs to implement the following two security strategies:
(1) Use the SSL (Secure Socket Layer) protocol to guarantee transmission security
The service agent embedded in the AS must present the SSL digital certificate issued by the authentication server when it invokes an authentication service (i.e. the connection is mutually authenticated); otherwise the call is regarded as illegal.
(2) Use asymmetric encryption to guarantee data-element-level security
The data structures transmitted during the interaction between the service agent and the authentication server are encrypted with a combination of the RSA asymmetric algorithm and the AES symmetric algorithm. The concrete steps are: (1) when the service agent sends a service invocation request, it generates an RSA key pair and attaches the public key to the request; (2) when the authentication server sends response data, it generates an AES symmetric key, first encrypts the response data with that AES key, then encrypts the AES key with the RSA public key supplied by the service agent, and sends the encrypted response data and the encrypted AES key to the service agent together; (3) the service agent first decrypts the AES key with its RSA private key, then decrypts the response data with the AES key.
The above security strategies effectively guarantee data security at the transmission level and at the data-element level. In practice they protect the information security of the system together with the security framework provided by the specific implementation.
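The three steps of strategy (2), written out in Go with only the standard library, as an added example that is not code from the patent. The text names only "RSA" and "AES"; the use of RSA-OAEP for key wrapping, AES-256-GCM for the response, a 2048-bit key, and the service name as associated data and OAEP label are assumptions made here, as are the type and function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Request is what the service agent sends: the atomic service it wants to call
// and the RSA public key generated for this one request (step 1 in the text).
type Request struct {
	Service string
	PubKey  *rsa.PublicKey
}

// Response is what the authentication server returns (step 2): the response data
// under a fresh AES key, plus that key wrapped with the agent's RSA public key.
// AES-GCM and RSA-OAEP are assumptions; the text names only "AES" and "RSA".
type Response struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewRequest is step 1 on the agent side: a fresh key pair per call, with the
// private half kept by the agent. (A 2048-bit key costs tens of milliseconds.)
func NewRequest(service string) (*Request, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Request{Service: service, PubKey: &priv.PublicKey}, priv, nil
}

// Respond is step 2 on the server side.
func Respond(req *Request, data []byte) (*Response, error) {
	aesKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The service name is authenticated as associated data and doubles as the OAEP
	// label, so a serviceUITF response cannot be replayed as a serviceUITV answer.
	label := []byte(req.Service)
	ct := gcm.Seal(nil, nonce, data, label)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.PubKey, aesKey, label)
	if err != nil {
		return nil, err
	}
	return &Response{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is step 3 on the agent side: unwrap the AES key, then decrypt the data.
func Open(priv *rsa.PrivateKey, service string, resp *Response) ([]byte, error) {
	label := []byte(service)
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, resp.WrappedKey, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap AES key: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	if len(resp.Nonce) != gcm.NonceSize() { // gcm.Open panics on a wrong-length nonce
		return nil, fmt.Errorf("bad nonce length %d", len(resp.Nonce))
	}
	data, err := gcm.Open(nil, resp.Nonce, resp.Ciphertext, label)
	if err != nil {
		return nil, fmt.Errorf("open response: %w", err)
	}
	return data, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	req, priv, _ := NewRequest("serviceUITF")
	resp, _ := Respond(req, []byte(`{"UIT":"demo-token"}`)) // constructed sample payload
	data, err := Open(priv, "serviceUITF", resp)
	fmt.Printf("agent decrypted %q (err=%v)\n", data, err)
	_, err = Open(priv, "serviceUITV", resp) // replayed under another service name
	fmt.Println("replay:", err)
}
```

Two caveats a practitioner should note about the scheme as the text describes it. The agent's per-request public key travels in the request with nothing to authenticate it, so the data-element-level protection stands or falls with the mutually authenticated SSL channel of strategy (1): an attacker who can sit on an unauthenticated connection simply substitutes a key pair of their own. And nothing in the response proves which server produced it; the agent learns that only from the channel. The example therefore treats strategy (2) as defence in depth behind strategy (1), not as a replacement for it.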
3. Atomic service division
With the aim of reducing the difficulty of portal integration and improving portal flexibility, and guided by SOA thinking, the system of the present invention decomposes single sign-on into a group of atomic services. This group of atomic services exposes a unified, general invocation interface for the authentication agent in the AS to call, thereby realizing the SSO function. To guarantee the atomicity and completeness of the atomic services, the division of the authentication flow of the present invention into atomic services must satisfy:
Uniqueness principle: an atomic service may contain only one request-response exchange between the authentication agent and the authentication server;
Completeness principle: an atomic service should be a complete function with respect to one call request from the authentication agent, and must not overlap in function with any other atomic service.
II. Design of the authentication agent of the present invention
In the system of the present invention, the AS calls the SSO services through the authentication agent. Since the authentication services designed according to SOA thinking possess a unified, general invocation interface, the work of the authentication agent is limited to converting the invocation interface of the authentication services into a form the AS can use directly, according to the specific implementation of that AS.
The abbreviations and full names used in the present invention, together with their meanings, are listed in the following table:
Abbreviation | Full name | Meaning
---|---|---
ASID | Application System ID | Application system number
PRID | Portal Role ID | Portal role number
ARID | Application Role ID | Application system role number
UIT | User Identity Token | User identity token
URT | User Role Token | User role token
UTS | User Token Stub | User token stub
GUII | Global User Identity Info | Global user identity information
LURM | Local User Role Mapping | Local user role mapping
serviceUITF | User Identity Token Fetching | User identity token fetching service
serviceUITV | User Identity Token Validation | User identity token validation service
serviceUFPC | User First Privilege Check | User first-level privilege check service
servicePMRF | Portal Mapping Role Fetching | Portal mapping role fetching service
serviceUITI | User Identity Token Invalidation | Identity token invalidation service
serviceUGIF | User Global Identity Fetching | User global identity fetching service
serviceUIS | User Information Synchronization | User information synchronization service
servicePRF | Portal Role Fetching | Portal role fetching service
serviceURMR | User Role Mapping Registration | User role mapping registration service
serviceASIQ | Authorization Service Interface Query | Authentication service interface query service
serviceASIR | Authorization Service Interface Registration | Authentication service interface registration service
Claims (7)
1. An information portal single sign-on and access system based on a service-oriented-architecture authentication service agent, comprising an application system (3) and a user browser (4), characterized in that it further comprises an authentication server (1) based on a service-oriented architecture and an authentication service agent (2);
the authentication server (1) provides the single sign-on services; it consists of an authentication server data structure set (11), an authentication server atomic service set (12) and an authentication server auxiliary service set (13). The authentication server data structure set (11) carries the data exchanged during the single sign-on process; the authentication server atomic service set (12) responds to call requests from the authentication service agent (2) and thereby completes single sign-on and access to the application system (3); the authentication server auxiliary service set (13) (A) maintains the local user role mapping LURM and the global user identity information GUII used by the authentication server (1) for single sign-on, and (B) assists in completing single sign-on and access to the application system (3);
the authentication service agent (2) is based on a service-oriented architecture and invokes the single sign-on services provided by the authentication server (1), so that a user can log in through the user browser (4) using single sign-on and gain access to the application system (3).
2. The information portal single sign-on and access system according to claim 1, characterized in that the application system (3) comprises application systems configured according to different rights scopes, namely application system A (31), application system B (32), ..., application system N (33).
3. The information portal single sign-on and access system according to claim 1, characterized in that the authentication server data structure set (11) is an eight-tuple D0 = {ASID, PRID, ARID, UIT, URT, UTS, GUII, LURM}, where ASID denotes the application system number, PRID the portal role number, ARID the application system role number, UIT the user identity token, URT the user role token, UTS the user token stub, GUII the global user identity information and LURM the local user role mapping.
4. The information portal single sign-on and access system according to claim 1, characterized in that the authentication server atomic service set (12) is a five-tuple S0 = {serviceUITF, serviceUITV, serviceUFPC, servicePMRF, serviceUITI}, where serviceUITF denotes the user identity token fetching service, serviceUITV the user identity token validation service, serviceUFPC the user first-level privilege check service, servicePMRF the portal mapping role fetching service and serviceUITI the identity token invalidation service.
5. The information portal single sign-on and access system according to claim 1, characterized in that the authentication server auxiliary service set (13) is a six-tuple A0 = {serviceUGIF, serviceUIS, servicePRF, serviceURMR, serviceASIQ, serviceASIR}, where serviceUGIF denotes the user global identity fetching service, serviceUIS the user information synchronization service, servicePRF the service that fetches the portal role PRID for the application system ASID, serviceURMR the user role mapping registration service, serviceASIQ the authentication service interface query service and serviceASIR the authentication service interface registration service.
6. The information portal single sign-on and access system according to claims 1 and 2, characterized in that the steps by which a user performs single sign-on and accesses the application system (3) through the user browser (4) are:
After system initialization, the information portal provides a single login entry; the user logs in by entering a GUII request at that login entry, and then step 101 follows;
Step 101: the authentication service agent (2) intercepts the GUII request, calls serviceUITF and passes the GUII to the authentication server (1); go to step 102;
Step 102: the authentication server (1) executes the authentication service serviceUITF and verifies the GUII. If the GUII verification passes, it (A) generates UIT, URT and UTS, (B) stores URT and UTS, and (C) sends the UIT to the authentication service agent (2); go to step 103. If the GUII verification fails, it returns an invalid UIT to the authentication service agent (2);
Step 103: the authentication service agent (2) judges whether the returned UIT is valid; if not, return to the initial state; if so, go to step 104;
Step 104: the user sends an access request to application system B (32) through the user browser (4); go to step 105;
Step 105: the authentication service agent (2) intercepts the access request, calls serviceUITV and passes the user's global identity token UIT to the authentication server (1); the authentication server (1) executes serviceUITV to verify the validity of the UIT and returns the UIT to the authentication service agent (2); go to step 106;
Step 106: the authentication service agent (2) judges whether the UIT is valid; if not, return to the initial state; if so, go to step 107;
Step 107: the authentication service agent (2) calls serviceUFPC and sends the call to the authentication server (1); the authentication server (1) executes serviceUFPC to verify whether the user has the right to access application system B (32), and returns this access right to the authentication service agent (2); go to step 108;
Step 108: the authentication service agent (2) compares the access right from step 107 with the threshold value and outputs: (A) the user has the access right, go to step 109; (B) the user has no access right, go to step 111a;
Step 111a: prompt the user that access is not permitted, then go to step 114;
Step 109: the authentication service agent (2) judges whether the user's role number in application system B (32), i.e. the URT, is cached; if so, go to step 110; if not, go to step 901;
Step 901: the authentication service agent (2) calls servicePMRF and sends the UIT and ASID_B to the authentication server (1); go to step 902;
Step 902: the authentication server (1) obtains the LURM from the authentication server data structure set (11), executes servicePMRF to obtain the role number in application system B (32), and sends that role number to the authentication service agent (2); the authentication service agent (2) caches the received role number and goes to step 110;
Step 110: the authentication service agent (2) sends the cached role number to application system B (32); go to step 111;
Step 111: application system B (32) checks, according to the URT, whether the user has the right to perform the operation requested of application system B (32); if not, go to step 111a; if so, go to step 112;
Step 111a: prompt the user that access is not permitted, then go to step 114;
Step 112: application system B (32) responds to the user's access request, so that the user has achieved single sign-on to application system B (32);
Step 113: ask whether the user wants to log in to another application system within the application system (3); if "yes", go to step 104; if "no", go to step 114;
Step 114: the authentication service agent (2) calls serviceUITI and sends the user's global identity token UIT to the authentication server (1); the authentication server (1) executes the authentication service serviceUITI, invalidates the user identity token UIT, and sends an invalidation confirmation to the authentication service agent (2).
7. The information portal single sign-on and access system according to claim 6, characterized in that the threshold values in step 108 are "1" and "0", where threshold "1" indicates that the user has no access right and threshold "0" indicates that the user has the access right.
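The procedure of claim 6, together with the two-level authentication and role-mapping strategy described earlier (the portal role only grants entry; the LURM supplies the application-internal role so a newly added portal user has no rights gap), as an added example in Go. This is not code from the patent: the names AuthServer, Access and NewDemo, the in-memory tables, the sample users alice and bob, the role names employee, guest and b-reader, the hex token format, and folding URT/UTS into one live-token table are all assumptions or constructed sample data. ServiceUFPC returns the threshold of claim 7 (0 = the user may enter, 1 = may not).

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identifiers from the eight-tuple D0, reduced to what the flow needs.
type ASID string // application system number
type PRID string // portal role number ("door role")
type ARID string // application-internal role number
type UIT string  // user identity token; "" plays the "invalid UIT" of step 102
type GUII struct{ User, Secret string }

// AuthServer implements the atomic service set S0 over in-memory tables (assumption:
// the URT and UTS kept in step 102(B) are folded into the live-token table).
type AuthServer struct {
	secrets map[string]string      // user -> secret (constructed demo data; a real store keeps a hash)
	roles   map[string]PRID        // user -> portal role
	entry   map[PRID]map[ASID]bool // portal role -> application systems it may enter
	lurm    map[ASID]map[PRID]ARID // LURM: application system -> portal role -> internal role
	live    map[UIT]PRID           // live tokens -> portal role of the holder
}

// ServiceUITF verifies the GUII and mints a UIT (steps 101-102).
func (s *AuthServer) ServiceUITF(g GUII) UIT {
	want, ok := s.secrets[g.User]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(g.Secret)) != 1 {
		return "" // invalid UIT: the agent returns to the initial state (step 103)
	}
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand is documented never to return an error
	t := UIT(hex.EncodeToString(b))
	s.live[t] = s.roles[g.User]
	return t
}

// ServiceUITV reports whether the UIT is live (step 105); ServiceUITI discards it (step 114).
func (s *AuthServer) ServiceUITV(t UIT) bool { _, ok := s.live[t]; return ok }
func (s *AuthServer) ServiceUITI(t UIT)      { delete(s.live, t) }

// ServiceUFPC is the first-level check; it returns the threshold of claim 7 (0 = may enter, 1 = may not).
func (s *AuthServer) ServiceUFPC(t UIT, as ASID) int {
	if prid, ok := s.live[t]; ok && s.entry[prid][as] {
		return 0
	}
	return 1
}

// ServicePMRF derives the application-internal role from portal role and LURM (steps 901-902).
func (s *AuthServer) ServicePMRF(t UIT, as ASID) (ARID, bool) {
	if prid, ok := s.live[t]; ok {
		arid, ok := s.lurm[as][prid]
		return arid, ok
	}
	return "", false
}

// Access is the agent side of steps 104-110, with the role cache of step 109 supplied by the
// caller; the UIT is re-validated on every request before the cache is consulted.
func Access(srv *AuthServer, t UIT, as ASID, cache map[ASID]ARID) (ARID, error) {
	if !srv.ServiceUITV(t) {
		return "", errors.New("UIT invalid")
	}
	if srv.ServiceUFPC(t, as) != 0 {
		return "", errors.New("no entry right for " + string(as)) // step 111a
	}
	if arid, ok := cache[as]; ok {
		return arid, nil
	}
	arid, ok := srv.ServicePMRF(t, as)
	if !ok {
		return "", errors.New("no LURM entry for " + string(as)) // the rights gap is still open
	}
	cache[as] = arid
	return arid, nil
}

// NewDemo builds constructed sample data: alice is a newly added portal "employee" with no
// account inside application system B; bob is a "guest" who may not enter B.
func NewDemo() *AuthServer {
	return &AuthServer{
		secrets: map[string]string{"alice": "alice-pass", "bob": "bob-pass"},
		roles:   map[string]PRID{"alice": "employee", "bob": "guest"},
		entry:   map[PRID]map[ASID]bool{"employee": {"B": true}},
		lurm:    map[ASID]map[PRID]ARID{"B": {"employee": "b-reader"}},
		live:    map[UIT]PRID{},
	}
}

func main() {
	srv, cache := NewDemo(), map[ASID]ARID{}
	t := srv.ServiceUITF(GUII{"alice", "alice-pass"}) // steps 101-103
	fmt.Println(Access(srv, t, "B", cache))            // b-reader <nil>
	srv.ServiceUITI(t)                                 // step 114
	fmt.Println(Access(srv, t, "B", cache))            // UIT invalid
}
```

What the example shows: alice enters B immediately and receives the internal role b-reader although B has no record of her, because servicePMRF derives it from her portal role and the LURM (the rights gap closed by the mapping); bob's first-level check returns threshold 1, so the agent stops at step 111a without touching the LURM; and once serviceUITI has discarded the token, the cached role for B is useless, because Access re-validates the UIT before looking at the cache. The ARID returned by Access is what step 110 hands to application system B; B still checks the requested operation against its own permissions in step 111, which is the second level of the two-level scheme and is ordinary per-application authorization outside this block.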
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101057529A CN101277193A (en) | 2008-05-05 | 2008-05-05 | One-point entry and access system based on authentication service acting information facing to service architecture |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101057529A CN101277193A (en) | 2008-05-05 | 2008-05-05 | One-point entry and access system based on authentication service acting information facing to service architecture |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101277193A true CN101277193A (en) | 2008-10-01 |
Family
ID=39996233
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008101057529A Pending CN101277193A (en) | 2008-05-05 | 2008-05-05 | One-point entry and access system based on authentication service acting information facing to service architecture |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101277193A (en) |
Cited By (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101958881A (en) * | 2009-07-17 | 2011-01-26 | 中国移动通信集团湖北有限公司 | Access control method, device and system for service group |
CN102306247A (en) * | 2011-08-17 | 2012-01-04 | 广州启生信息技术有限公司 | Network customer service and pass management system based on doctor on-line interaction |
CN102457376A (en) * | 2010-10-29 | 2012-05-16 | 中兴通讯股份有限公司 | Method and system for uniformly authenticating cloud computing services |
CN102739628A (en) * | 2011-04-14 | 2012-10-17 | 英业达股份有限公司 | System for application-side login and authentication, and method thereof |
WO2012139482A1 (en) * | 2011-04-15 | 2012-10-18 | 北京百度网讯科技有限公司 | Network encyclopedia user management system and method of accessing applications thereof |
CN102801808A (en) * | 2012-07-30 | 2012-11-28 | 武汉理工大学 | WebLogic-oriented Form identification single sign on integration method |
CN101645021B (en) * | 2009-06-18 | 2012-12-12 | 广东金宇恒科技有限公司 | Integrating method for multisystem single-spot logging under Java application server |
CN101764806B (en) * | 2009-12-31 | 2012-12-26 | 卓望数码技术(深圳)有限公司 | Single-point log-in method, system and log-in service platform |
CN103209168A (en) * | 2013-01-30 | 2013-07-17 | 广东欧珀移动通信有限公司 | Method and system for achieving single sign-on |
CN103227799A (en) * | 2013-05-13 | 2013-07-31 | 山东临沂烟草有限公司 | Implementing method of unified user management and single sign-on platform based on multiple application systems |
CN103595713A (en) * | 2013-11-08 | 2014-02-19 | 红云红河烟草(集团)有限责任公司 | Enterprise identity information unified management and authentication platform |
CN103617485A (en) * | 2013-11-15 | 2014-03-05 | 中国航空无线电电子研究所 | Uniform authority management and deployment system |
CN104396290A (en) * | 2012-07-02 | 2015-03-04 | Sk普兰尼特有限公司 | Single certificate service system and operational method thereof |
CN104506542A (en) * | 2014-12-29 | 2015-04-08 | 深圳中兴网信科技有限公司 | Security certification method and security certification system |
CN104821944A (en) * | 2015-04-28 | 2015-08-05 | 广东小天才科技有限公司 | Hybrid encryption network data security method and system |
CN105847220A (en) * | 2015-01-14 | 2016-08-10 | 北京神州泰岳软件股份有限公司 | Authentication method and system, and service platform |
CN106230850A (en) * | 2016-08-26 | 2016-12-14 | 芜湖创易科技有限公司 | A kind of unified identity authentication platform |
CN106878455A (en) * | 2017-03-16 | 2017-06-20 | 北京中电普华信息技术有限公司 | A kind of acquisition methods and server of the information on services based on internet |
CN107147496A (en) * | 2017-04-28 | 2017-09-08 | 广东网金控股股份有限公司 | Under a kind of service-oriented technological frame between different application unified authorization certification method |
CN107566473A (en) * | 2017-08-28 | 2018-01-09 | 南京南瑞继保电气有限公司 | A kind of electric power secondary system equipment check method |
CN108200099A (en) * | 2011-09-29 | 2018-06-22 | 甲骨文国际公司 | mobile application, identity relationship management |
CN109033803A (en) * | 2018-08-28 | 2018-12-18 | 南京南瑞信息通信科技有限公司 | A kind of movement based on portal APP is micro- to apply login management method |
CN109587148A (en) * | 2018-12-11 | 2019-04-05 | 上海宜延电子商务有限公司 | A kind of data calculate client, data calculation server and data computing system |
CN109905365A (en) * | 2019-01-14 | 2019-06-18 | 江苏第二师范学院(江苏省教育科学研究院) | It is a kind of can distributed deployment single-sign-on and authorization of service system and method |
CN110213223A (en) * | 2019-03-21 | 2019-09-06 | 腾讯科技(深圳)有限公司 | Business management method, device, system, computer equipment and storage medium |
CN110278179A (en) * | 2018-03-15 | 2019-09-24 | 阿里巴巴集团控股有限公司 | Single-point logging method, device and system and electronic equipment |
CN111143814A (en) * | 2019-12-30 | 2020-05-12 | 武汉佰钧成技术有限责任公司 | Single sign-on method, micro-service access platform and storage medium |
CN111240863A (en) * | 2020-01-10 | 2020-06-05 | 无锡华云数据技术服务有限公司 | Data communication method, device, micro front-end system and storage medium |
CN111355713A (en) * | 2020-02-20 | 2020-06-30 | 深信服科技股份有限公司 | Proxy access method, device, proxy gateway and readable storage medium |
US10813002B2 (en) | 2013-07-18 | 2020-10-20 | Convida Wireless, Llc | Capillary device charging |
CN112182522A (en) * | 2019-07-05 | 2021-01-05 | 北京地平线机器人技术研发有限公司 | Access control method and device |
CN112764725A (en) * | 2021-02-22 | 2021-05-07 | 浪潮云信息技术股份公司 | Method for realizing user synchronization based on JWT |
CN116405573A (en) * | 2023-06-07 | 2023-07-07 | 北京集度科技有限公司 | Service-oriented architecture based system, communication method and computer program product |
Cited By (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101645021B (en) * | 2009-06-18 | 2012-12-12 | 广东金宇恒科技有限公司 | Integrating method for multisystem single-spot logging under Java application server |
CN101958881A (en) * | 2009-07-17 | 2011-01-26 | 中国移动通信集团湖北有限公司 | Access control method, device and system for service group |
CN101958881B (en) * | 2009-07-17 | 2013-12-04 | 中国移动通信集团湖北有限公司 | Access control method, device and system for service group |
CN101764806B (en) * | 2009-12-31 | 2012-12-26 | 卓望数码技术(深圳)有限公司 | Single-point log-in method, system and log-in service platform |
CN102457376A (en) * | 2010-10-29 | 2012-05-16 | 中兴通讯股份有限公司 | Method and system for uniformly authenticating cloud computing services |
CN102457376B (en) * | 2010-10-29 | 2016-02-10 | 中兴通讯股份有限公司 | A kind of method and system of cloud computing service unified certification |
CN102739628A (en) * | 2011-04-14 | 2012-10-17 | 英业达股份有限公司 | System for application-side login and authentication, and method thereof |
WO2012139482A1 (en) * | 2011-04-15 | 2012-10-18 | 北京百度网讯科技有限公司 | Network encyclopedia user management system and method of accessing applications thereof |
CN102306247A (en) * | 2011-08-17 | 2012-01-04 | 广州启生信息技术有限公司 | Network customer service and pass management system based on doctor on-line interaction |
CN108200099B (en) * | 2011-09-29 | 2019-09-17 | 甲骨文国际公司 | mobile application, identity relationship management |
US10621329B2 (en) | 2011-09-29 | 2020-04-14 | Oracle International Corporation | Mobile application, resource management advice |
CN108200099A (en) * | 2011-09-29 | 2018-06-22 | 甲骨文国际公司 | mobile application, identity relationship management |
CN104396290A (en) * | 2012-07-02 | 2015-03-04 | Sk普兰尼特有限公司 | Single certificate service system and operational method thereof |
CN104396290B (en) * | 2012-07-02 | 2018-07-10 | Sk普兰尼特有限公司 | Single certificate service system and its operating method |
CN102801808A (en) * | 2012-07-30 | 2012-11-28 | 武汉理工大学 | WebLogic-oriented Form identification single sign on integration method |
CN102801808B (en) * | 2012-07-30 | 2014-11-05 | 武汉理工大学 | WebLogic-oriented Form identification single sign on integration method |
CN103209168A (en) * | 2013-01-30 | 2013-07-17 | 广东欧珀移动通信有限公司 | Method and system for achieving single sign-on |
CN103227799A (en) * | 2013-05-13 | 2013-07-31 | 山东临沂烟草有限公司 | Implementing method of unified user management and single sign-on platform based on multiple application systems |
US10813002B2 (en) | 2013-07-18 | 2020-10-20 | Convida Wireless, Llc | Capillary device charging |
US11736968B2 (en) | 2013-07-18 | 2023-08-22 | Interdigital Patent Holdings, Inc. | Capillary device charging |
CN103595713A (en) * | 2013-11-08 | 2014-02-19 | 红云红河烟草(集团)有限责任公司 | Enterprise identity information unified management and authentication platform |
CN103617485A (en) * | 2013-11-15 | 2014-03-05 | 中国航空无线电电子研究所 | Uniform authority management and deployment system |
CN104506542A (en) * | 2014-12-29 | 2015-04-08 | 深圳中兴网信科技有限公司 | Security certification method and security certification system |
CN105847220A (en) * | 2015-01-14 | 2016-08-10 | 北京神州泰岳软件股份有限公司 | Authentication method and system, and service platform |
CN104821944A (en) * | 2015-04-28 | 2015-08-05 | 广东小天才科技有限公司 | Hybrid encryption network data security method and system |
CN106230850A (en) * | 2016-08-26 | 2016-12-14 | 芜湖创易科技有限公司 | A kind of unified identity authentication platform |
CN106878455A (en) * | 2017-03-16 | 2017-06-20 | 北京中电普华信息技术有限公司 | A kind of acquisition methods and server of the information on services based on internet |
CN106878455B (en) * | 2017-03-16 | 2020-09-29 | 北京中电普华信息技术有限公司 | Internet-based service information acquisition method and server |
CN107147496A (en) * | 2017-04-28 | 2017-09-08 | 广东网金控股股份有限公司 | Under a kind of service-oriented technological frame between different application unified authorization certification method |
CN107566473A (en) * | 2017-08-28 | 2018-01-09 | 南京南瑞继保电气有限公司 | A kind of electric power secondary system equipment check method |
CN110278179B (en) * | 2018-03-15 | 2021-08-10 | 阿里巴巴集团控股有限公司 | Single sign-on method, device and system and electronic equipment |
CN110278179A (en) * | 2018-03-15 | 2019-09-24 | 阿里巴巴集团控股有限公司 | Single-point logging method, device and system and electronic equipment |
CN109033803A (en) * | 2018-08-28 | 2018-12-18 | 南京南瑞信息通信科技有限公司 | A kind of movement based on portal APP is micro- to apply login management method |
CN109587148A (en) * | 2018-12-11 | 2019-04-05 | 上海宜延电子商务有限公司 | A kind of data calculate client, data calculation server and data computing system |
CN109905365A (en) * | 2019-01-14 | 2019-06-18 | 江苏第二师范学院(江苏省教育科学研究院) | It is a kind of can distributed deployment single-sign-on and authorization of service system and method |
CN109905365B (en) * | 2019-01-14 | 2020-10-09 | 江苏第二师范学院(江苏省教育科学研究院) | Distributed deployed single sign-on and service authorization system and method |
CN110213223A (en) * | 2019-03-21 | 2019-09-06 | 腾讯科技(深圳)有限公司 | Business management method, device, system, computer equipment and storage medium |
CN110213223B (en) * | 2019-03-21 | 2022-03-01 | 腾讯科技(深圳)有限公司 | Service management method, device, system, computer equipment and storage medium |
CN112182522A (en) * | 2019-07-05 | 2021-01-05 | 北京地平线机器人技术研发有限公司 | Access control method and device |
CN111143814B (en) * | 2019-12-30 | 2022-06-21 | 武汉佰钧成技术有限责任公司 | Single sign-on method, micro-service access platform and storage medium |
CN111143814A (en) * | 2019-12-30 | 2020-05-12 | 武汉佰钧成技术有限责任公司 | Single sign-on method, micro-service access platform and storage medium |
CN111240863A (en) * | 2020-01-10 | 2020-06-05 | 无锡华云数据技术服务有限公司 | Data communication method, device, micro front-end system and storage medium |
CN111240863B (en) * | 2020-01-10 | 2024-02-06 | 无锡华云数据技术服务有限公司 | Data communication method, device, micro front-end system and storage medium |
CN111355713A (en) * | 2020-02-20 | 2020-06-30 | 深信服科技股份有限公司 | Proxy access method, device, proxy gateway and readable storage medium |
CN112764725A (en) * | 2021-02-22 | 2021-05-07 | 浪潮云信息技术股份公司 | Method for realizing user synchronization based on JWT |
CN116405573A (en) * | 2023-06-07 | 2023-07-07 | 北京集度科技有限公司 | Service-oriented architecture based system, communication method and computer program product |
CN116405573B (en) * | 2023-06-07 | 2023-08-15 | 北京集度科技有限公司 | Service-oriented architecture based system, communication method and computer program product |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101277193A (en) | One-point entry and access system based on authentication service acting information facing to service architecture | |
US9386015B2 (en) | Security model for industrial devices | |
US20170286653A1 (en) | Identity risk score generation and implementation | |
US9300653B1 (en) | Delivery of authentication information to a RESTful service using token validation scheme | |
US9391978B2 (en) | Multiple access authentication | |
Gopalakrishnan | Cloud computing identity management | |
US20180234464A1 (en) | Brokered authentication with risk sharing | |
CN102801808B (en) | WebLogic-oriented Form identification single sign on integration method | |
CN101242272B (en) | Realization method for cross-grid secure platform based on mobile agent and assertion | |
US8275985B1 (en) | Infrastructure to secure federated web services | |
CN105141580B (en) | A kind of resource access control method based on the domain AD | |
Guija et al. | Identity and access control for micro-services based 5G NFV platforms | |
CN108319827B (en) | API (application program interface) authority management system and method based on OSGI (open service gateway initiative) framework | |
CN107070894A (en) | A kind of software integrating method based on enterprise's cloud service platform | |
Kraft | Designing a distributed access control processor for network services on the web | |
Zhang et al. | A model of workflow-oriented attributed based access control | |
Nacer et al. | A distributed authentication model for composite Web services | |
US8543810B1 (en) | Deployment tool and method for managing security lifecycle of a federated web service | |
KR20090058536A (en) | Client-based pseudonyms | |
Emig et al. | Identity as a service–towards a service-oriented identity management architecture | |
CN110189440A (en) | A kind of smart lock monitoring equipment and its method based on block chain | |
Chen et al. | Design of web service single sign-on based on ticket and assertion | |
JP6037460B2 (en) | Service providing apparatus, program, and method | |
Gao et al. | An OAuth2. 0-based unified authentication system for secure services in the smart campus environment | |
CN109218329A (en) | A kind of method and system authenticated using NetData-Auth user authentication frame |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Open date: 2008-10-01