CN101277193A - Information portal single sign-on and access system based on a service-oriented authentication service agent - Google Patents


Info

Publication number: CN101277193A
Authority: CN (China)
Application number: CNA2008101057529A
Other languages: Chinese (zh)
Legal status: Pending
Prior art keywords: user, service, application system, authentication service, certificate server
Inventors: 蒲菊华, 罗辛, 张品, 熊璋, 李欢, 陈辉
Original assignee: Beihang University
Current assignee: Beihang University (Beijing University of Aeronautics and Astronautics)

Abstract

The invention discloses an information portal single sign-on (SSO) and access system based on a service-oriented authentication service agent. The system comprises an authentication server (1) based on service-oriented architecture, an authentication service agent (2), an application system (3) and a user browser (4). The authentication server (1) consists of an authentication server data structure set (11), an authentication server atomic service set (12) and an authentication server auxiliary service set (13). The data structure set (11) carries the data exchanged while single sign-on is executed; the atomic service set (12) completes single sign-on and access to the application system (3) by responding to call requests from the authentication service agent (2); the auxiliary service set (13) maintains the local user role mapping (LURM) and the global user identity information (GUII) used in single sign-on, and assists in completing single sign-on and access to the application system (3).

Description

Information portal single sign-on and access system based on a service-oriented authentication service agent
Technical field
The present invention relates to an information portal single sign-on and access system that is suited to information portal integration and is based on a service-oriented authentication service agent. In the IPC classification this system belongs to the technical field of telecommunications.
Background art
With the spread and development of the World Wide Web (WWW), modern Web applications have become an indispensable platform for exchanging information, and the information portal is the most important of them. The information portal is a Web application technology that integrates different application systems (Application System, AS) behind one unified entrance and provides users with diverse, centralized and efficient information services. It involves content management, data integration, single sign-on (Single Sign On, SSO) and other aspects, and single sign-on is the problem that must be solved first. The core idea of single sign-on is to establish an identity mapping between the information portal and the application systems: the user only needs to log in at the authentication server of the information portal, and within the validity period of that login can access the application systems in the portal without logging in again.
At present, as information portal applications flourish, a number of commercial, mature SSO mechanisms have been released one after another. Microsoft's .NET Passport single sign-on service is a centralized logon server that stores users' logon information and personal information; the user logs in once at .NET Passport and can then access the cooperating Passport websites. However, its core authentication server and user information server are monopolized by Microsoft, its technical details follow no unified standard and are not open, and it cannot be promoted further. The Liberty Alliance's Liberty SSO mechanism has an authentication flow that depends on the Security Assertion Markup Language (SAML); it requires both the information portal and the AS integrated in it to understand SAML-based authentication information, its complexity is too high, and it is difficult to use. In summary, existing SSO mechanisms have the following defects:
(1) the programming interfaces are complex and poorly open, and the AS must be reworked on a large scale during integration;
(2) portability is often poor for AS that adopt different technologies;
(3) because of their own high complexity, existing SSO mechanisms cannot quickly integrate the AS in an information portal when those AS change frequently.
On the other hand, service-oriented architecture (Service-Oriented Architecture, SOA) is an important architectural model that allows loosely coupled, coarse-grained application components to be deployed, combined and used in a distributed manner according to demand. SOA has the features of loose coupling, reusability and standardization, and has been applied widely and effectively in many fields. Therefore, solving the defects of existing SSO mechanisms by means of SOA ideas is a very important problem.
Summary of the invention
To solve defects such as the complex and poorly open integration of existing portal application systems, the present invention proposes an information portal single sign-on and access system based on a service-oriented authentication service agent that is simple in structure, loosely coupled, fast and flexible, highly general and lightweight. The single sign-on adopts data encapsulation and service encapsulation strategies and is highly open; by introducing a service agent, the functions related to authentication are separated from the application system, and the user's single sign-on and system access requests are controlled through the service agent, which effectively reduces the complexity of application system integration and improves portal integration performance.
The information portal single sign-on and access system based on a service-oriented authentication service agent of the present invention includes an application system (3), a user browser (4), an authentication server (1) based on service-oriented architecture, and an authentication service agent (2);
The authentication server (1) provides the single sign-on service. It consists of an authentication server data structure set (11), an authentication server atomic service set (12) and an authentication server auxiliary service set (13). The data structure set (11) carries the data exchanged while single sign-on is executed; the atomic service set (12) completes single sign-on and access to the application system (3) by responding to call requests from the authentication service agent (2); the auxiliary service set (13) (A) maintains the local user role mapping LURM and the global user identity information GUII used by the authentication server (1) for single sign-on, and (B) assists in completing single sign-on and access to the application system (3);
The authentication service agent (2) is based on service-oriented architecture; by calling the single sign-on service provided by the authentication server (1), it lets the user log in with the single sign-on service through the user browser (4) and access the application system (3).
The authentication server data structure set (11) is an eight-tuple D0 = {ASID, PRID, ARID, UIT, URT, UTS, GUII, LURM}, where ASID is the application system number, PRID the portal role number, ARID the application system role number, UIT the user identity token, URT the user role token, UTS the user token stub, GUII the global user identity information and LURM the local user role mapping.
The authentication server atomic service set (12) is a five-tuple S0 = {serviceUITF, serviceUITV, serviceUFPC, servicePMRF, serviceUITI}, where serviceUITF is the user identity token acquisition service, serviceUITV the user identity token verification service, serviceUFPC the user first-level permission check service, servicePMRF the portal mapped role acquisition service and serviceUITI the identity token invalidation service.
The authentication server auxiliary service set (13) is a six-tuple A0 = {serviceUGIF, serviceUIS, servicePRF, serviceURMR, serviceASIQ, serviceASIR}, where serviceUGIF is the user global identity acquisition service, serviceUIS the user information synchronization service, servicePRF the service that obtains the portal roles PRID for application system ASID, serviceURMR the user role mapping registration service, serviceASIQ the authentication service call interface query service and serviceASIR the authentication service call interface registration service.
The design features of the information portal single sign-on and access system based on a service-oriented authentication service agent of the present invention are:
1. the authentication server 1 adopts data encapsulation and service encapsulation strategies, so the information portal single sign-on and access system of the present invention is highly open and its programming interface is simple;
2. the information portal single sign-on and access system of the present invention introduces an authentication service agent 2, which separates authentication from the application system 3: authentication is completed by the authentication service agent 2 calling the atomic services in the authentication server 1, which reduces the integration complexity of the system of the present invention;
3. during single sign-on, the request-access mode between the authentication service agent 2 and the authentication server 1 helps the integration and updating of the application system 3;
4. single sign-on is encapsulated as several atomic service sets with low coupling between the services, so each atomic service can be upgraded and maintained independently;
5. the lightweight single sign-on service provided by the invention helps the information portal to integrate quickly in a dynamic, loosely coupled environment.
Description of drawings
Fig. 1 is a schematic diagram of a user logging in through the authentication agent service of the present invention and accessing the application system.
Fig. 2 is a structural block diagram of the authentication server of the present invention.
Fig. 3 is a flow chart of the authentication server of the present invention executing single sign-on.
In the figures: 1. authentication server; 11. authentication server data structure set; 12. authentication server atomic service set; 13. authentication server auxiliary service set; 2. authentication service agent; 3. application system.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
The present invention is an information portal single sign-on and access system based on a service-oriented authentication service agent, and includes an authentication server 1 based on service-oriented architecture, an authentication service agent 2 and an application system 3. The authentication service agent 2 is based on service-oriented architecture; by calling the single sign-on service provided by the authentication server 1, it lets the user log in with the single sign-on service through a user browser 4 and access the application system 3.
In the present invention, the application system 3 is an application system used on the Internet for management, analysis, publishing information and the like.
In the present invention, the authentication service agent 2 calls the single sign-on service of the authentication server 1 and acts as a bridge between the user and the application system 3. Because the authentication server 1 adopts data encapsulation and service encapsulation strategies, the user's single sign-on and access are highly open; during single sign-on, the request-access mode between the authentication service agent 2 and the authentication server 1 helps the integration and updating of the application system 3 and achieves true loose coupling.
In the present invention, the authentication server 1 provides the single sign-on service. The single sign-on service is designed as several atomic service sets with low coupling between the services, so each atomic service can be upgraded and maintained independently, which gives the authentication server 1 speed and flexibility.
In the present invention (see Fig. 1), when a user logs in through the user browser 4, the authentication service agent 2 first enters the authentication server 1 by calling the atomic services to achieve single sign-on; the user can then access the application system 3, which, depending on how it is set up, may comprise several scopes of authority, such as application system A 31, application system B 32, ..., application system N 33.
In the present invention (see Fig. 2), the authentication server 1 consists of the authentication server data structure set 11, the authentication server atomic service set 12 and the authentication server auxiliary service set 13;
The authentication server data structure set 11 carries the data exchanged while single sign-on is executed;
The authentication server atomic service set 12 completes single sign-on and access to the application system 3 by responding to call requests from the authentication service agent 2;
The authentication server auxiliary service set 13 (A) maintains the LURM and GUII used in single sign-on, and (B) assists in completing single sign-on and access to the application system 3.
The authentication server data structure set 11 is an eight-tuple D0 = {ASID, PRID, ARID, UIT, URT, UTS, GUII, LURM}, where ASID is the application system number, PRID the portal role number, ARID the application system role number, UIT the user identity token, URT the user role token, UTS the user token stub, GUII the global user identity information and LURM the local user role mapping. In the present invention, the data structure set 11 adopts a data encapsulation pattern, which helps information portal single sign-on and access and improves the openness of the system of the present invention.
ASID: the unique identifier within the information portal of application system A 31, application system B 32, ..., application system N 33 in the application system 3; short name: application system number.
PRID: identifies a portal role; short name: portal role number.
ARID: identifies a role number in an application system; this role number includes the application system number, within the information portal, of application system A 31, application system B 32, ..., application system N 33 in the application system 3; short name: application system role number.
UIT: identifies whether the user is in the logged-in state. It is a 32-character random string generated on the basis of the current time in milliseconds, and is generated by the authentication server 1 after the user has passed authentication through the authentication service agent 2; short name: user identity token.
URT: describes the portal role information a logged-in user possesses. It is an array of the portal role numbers PRID the user holds, with the structure URT = {PRID_1, PRID_2, ..., PRID_n}; short name: user role token.
UTS: used to verify the validity of the user identity token UIT and the user role token URT; it is generated and kept by the authentication server 1 after the user logs in, in the form UTS = {user name, UIT, URT}; short name: user token stub.
GUII: identifies the user's identity; its form is GUII = {user name, user login password}; short name: global user identity information.
LURM: maintains the mapping between portal role numbers PRID and application system role numbers ARID; its form is LURM = {PRID, ASID, ARID}; short name: local user role mapping.
The authentication server atomic service set 12 is a five-tuple S0 = {serviceUITF, serviceUITV, serviceUFPC, servicePMRF, serviceUITI}, where serviceUITF is the user identity token acquisition service, serviceUITV the user identity token verification service, serviceUFPC the user first-level permission check service, servicePMRF the portal mapped role acquisition service and serviceUITI the identity token invalidation service.
ServiceUITF: used (A) to authenticate the user's identity against the global user identity information GUII; (B) to grant a user identity token UIT to a user who passes authentication; (C) to produce a user token stub UTS for the user granted the UIT, using an automatic sequence-number generation mode, and to keep the UTS at the authentication server. In the present invention, the GUII entered by the user (user name and login password) is verified, and the verification result decides whether a UIT is granted: if verification passes, a UIT is granted and a UTS is generated and kept at the authentication server; if not, an invalid UIT is returned. The input of this service is GUII and its output is UIT. Short name: user identity token acquisition service.
ServiceUITV: verifies the validity of the UIT the user holds. For the UIT the user holds, the validity of the UIT is checked against the user token stub UTS and the check result is returned. Input: user identity token UIT; output: Boolean verification result. Short name: user identity token verification service.
ServiceUFPC: checks whether the user possesses the entry access right to the requested application system 3. It obtains the user role token URT from the user identity token UIT and the user token stub UTS and, together with the application system number ASID, checks whether the user has the entry access right to the requested application system 3. Input: user identity token UIT and application system number ASID; output: Boolean check result. Short name: user first-level permission check service.
ServicePMRF: obtains the roles in the corresponding application system 3 to which the portal roles map. From the UIT and UTS the user holds it obtains URT, GUII and LURM, and computes their product together with ASID to obtain the roles in this application system to which the portal roles map. Input: user identity token UIT and application system number ASID; output: the array of internal role numbers of the corresponding application system, {ARID_1, ARID_2, ..., ARID_n}. Short name: portal mapped role acquisition service.
ServiceUITI: marks the UIT currently held by the user as invalid. According to the UIT the user currently holds, it discards URT, UTS and UIT. Input: user identity token UIT. Short name: identity token invalidation service.
The authentication server auxiliary service set 13 is a six-tuple A0 = {serviceUGIF, serviceUIS, servicePRF, serviceURMR, serviceASIQ, serviceASIR}, where serviceUGIF is the user global identity acquisition service, serviceUIS the user information synchronization service, servicePRF the service that obtains the portal roles PRID for application system ASID, serviceURMR the user role mapping registration service, serviceASIQ the authentication service call interface query service and serviceASIR the authentication service call interface registration service.
ServiceUGIF: obtains the user's identity information in the portal. From the UIT and UTS the user holds it obtains the corresponding user name, and from the user name obtains GUII. Input: the UIT the user currently holds; output: global user identity information GUII. Short name: user global identity acquisition service.
ServiceUIS: retrieves the global identity information GUII of all users who possess access rights to the specified application system and saves it into that application system. According to ASID, it takes out and saves the GUII of the users who possess the entry access right to this application system. Input: application system number ASID. Short name: user information synchronization service.
ServicePRF: retrieves the portal role information that has access rights to the specified application system. According to ASID, it takes out all the role information in the portal that possesses the entry access right to the application system ASID. Input: application system number ASID; output: portal role information. Short name: application system portal role acquisition service.
ServiceURMR: registers the mapping from portal roles to application system roles. According to the specified ASID, ARID and portal role number PRID, it registers or changes the user role mapping LURM, i.e. it maintains the LURM element of the authentication server data structure set 11. Input: application system number ASID, ARID, PRID; output: Boolean execution result. Short name: user role mapping registration service.
ServiceASIQ: queries a specific authentication service call interface. Given a pre-agreed authentication service call interface index, it returns the description of the corresponding authentication service call interface. When the atomic service interface provided by the authentication server 1 fails while the authentication agent 2 is calling it, this service lets the authentication agent 2 regain the callable interface of the atomic service provided by the authentication server 1. Input: authentication service call interface index; output: authentication service call interface description. Short name: authentication service call interface query service.
ServiceASIR: registers or changes the authentication service call interface index. It registers the description and number of the authentication service call interface that has been modified and returns the result of the action. When an atomic service interface provided by the authentication server 1 has been modified, calling this service automatically registers and changes the modified atomic service interface. Input: the description and number of the authentication service call interface to be registered or changed; output: Boolean execution result. Short name: authentication service call interface registration service.
In the present invention (see Fig. 3), the steps by which the user performs single sign-on and accesses the application system 3 through the user browser 4 are:
After system initialization the information portal provides one login entrance; the user enters GUII (user name and password) at that login entrance and requests login, then step 101 follows;
Step 101: the authentication service agent 2 intercepts the GUII request, calls serviceUITF, passes the GUII to the authentication server 1, and step 102 follows;
Step 102: the authentication server 1 executes the authentication service serviceUITF and verifies the GUII. If the GUII passes verification, it (A) generates UIT, URT and UTS; (B) saves URT and UTS; (C) sends the UIT to the authentication service agent 2, and step 103 follows; if the GUII does not pass verification, it returns an invalid UIT to the authentication service agent 2;
Step 103: the authentication service agent 2 judges whether the returned UIT is valid; if not, return to the initial state; if so, step 104 follows;
Step 104: the user sends an access request to a specified application system through the user browser 4, and step 105 follows. In the present invention, a specified application system means that the user sends an access request to application system A 31 in the application system 3, or to application system A 31 and application system B 32, or to application system A 31, application system B 32, ..., application system N 33 (see Fig. 1). The access request designates the application system by its number, expressed as ASID_N, where N is the number of the specified application system. For example, if the user needs to access application system B 32 through the user browser 4, the access request sent is ASID_B or ASID_32. For brevity, application system B 32 stands for the specified application system hereinafter.
Step 105: the authentication service agent 2 intercepts the access request, calls serviceUITV, and passes the user's global identity token UIT to the authentication server 1; the authentication server 1 executes serviceUITV to verify the validity of the UIT and returns the UIT to the authentication service agent 2, and step 106 follows;
Step 106: the authentication service agent 2 judges whether the UIT is valid; if not, return to the initial state; if so, step 107 follows;
Step 107: the authentication service agent 2 calls serviceUFPC and sends it to the authentication server 1; the authentication server 1 executes serviceUFPC to verify whether the user has the right to access application system B 32, returns this access right to the authentication service agent 2, and step 108 follows;
Step 108: the authentication service agent 2 compares the access right from step 107 with a threshold and outputs (A) the user has the access right, step 109 follows; (B) the user has no access right, step 111a follows. In the present invention, a threshold of "1" means the user has no access right and a threshold of "0" means the user has the access right.
Step 111a: prompts the user that access is denied, and step 114 follows;
Step 109: the authentication service agent 2 judges whether the user's role numbers in application system B 32, i.e. the URT, are cached; if so, step 110 follows; if not, step 901 follows;
Step 901: the authentication service agent 2 calls servicePMRF and sends UIT and ASID_B to the authentication server 1, and step 902 follows;
Step 902: the authentication server 1 obtains LURM from the authentication server data structure set 11, executes servicePMRF to obtain the role numbers in application system B 32, and sends those role numbers to the authentication service agent 2; the authentication service agent 2 caches the received role numbers, and step 110 follows;
Step 110: the authentication service agent 2 sends the cached role numbers to application system B 32, and step 111 follows;
Step 111: application system B 32 checks, according to the URT, whether the user has the authority for the requested operation on application system B 32; if not, step 111a follows; if so, step 114 follows;
Step 111a: prompts the user that access is denied, and step 114 follows;
Step 112: application system B 32 responds to the user's access request, so the user achieves single sign-on to application system B 32.
Step 113: the user is asked whether to log in to another application system in the application system 3; if "yes", step 104 follows; if "no", step 114 follows;
Step 114: the authentication service agent 2 calls serviceUITI and sends the user's global identity token UIT to the authentication server 1; after the authentication server 1 executes the authentication service serviceUITI, the user identity token UIT is discarded and a discard confirmation is sent to the authentication service agent 2.
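The following Go program is an added example written for this page; it is not code from the patent or from Beihang University. It models the data structure set 11 (GUII, UTS, LURM and the UIT), the five atomic services of set 12 and the agent side of steps 101 to 110 and 114 above for one application system. The type and function names (AuthServer, AgentLogin, AgentAccess, NewDemoServer), the sample user, portal role and LURM row are all constructed for the example. Two points are design choices of the example rather than the patent's text: the UIT is drawn from a CSPRNG instead of the millisecond clock, because a clock-seeded token is guessable, and the password comparison is constant-time.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

type GUII struct{ UserName, Password string }         // GUII = {user name, login password}
type LURM struct{ PRID, ASID, ARID string }           // LURM = {PRID, ASID, ARID}
type UTS struct{ UserName, UIT string; URT []string } // UTS = {user name, UIT, URT}; URT holds the PRIDs

// AuthServer models the authentication server (1) with its data structure set 11 and atomic service set 12.
type AuthServer struct {
	passwords map[string]string   // user name -> password (constructed store; hash these in production)
	roles     map[string][]string // user name -> portal roles PRID
	lurm      []LURM
	stubs     map[string]UTS // UIT -> UTS; a UIT is valid while its stub exists
}

// ServiceUITF: verify GUII, grant a UIT and keep a UTS; "" is the invalid UIT.
func (s *AuthServer) ServiceUITF(g GUII) (string, error) {
	pw, ok := s.passwords[g.UserName]
	if !ok || subtle.ConstantTimeCompare([]byte(pw), []byte(g.Password)) != 1 {
		return "", nil
	}
	// 32-character token from a CSPRNG (the patent seeds it from the millisecond clock, which is guessable).
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	uit := hex.EncodeToString(b)
	s.stubs[uit] = UTS{g.UserName, uit, append([]string(nil), s.roles[g.UserName]...)}
	return uit, nil
}

func (s *AuthServer) ServiceUITV(uit string) bool { // check the UIT against the stored stubs
	_, ok := s.stubs[uit]
	return uit != "" && ok
}

// ServicePMRF: product of the user's URT with the LURM rows for asid, giving the ARIDs.
func (s *AuthServer) ServicePMRF(uit, asid string) []string {
	var arids []string
	for _, m := range s.lurm {
		for _, prid := range s.stubs[uit].URT {
			if m.ASID == asid && m.PRID == prid {
				arids = append(arids, m.ARID)
			}
		}
	}
	return arids
}

// ServiceUFPC: first-level (entry) check: at least one of the user's portal roles maps into asid.
func (s *AuthServer) ServiceUFPC(uit, asid string) bool { return len(s.ServicePMRF(uit, asid)) > 0 }
// ServiceUITI: discard UIT, URT and UTS (step 114).
func (s *AuthServer) ServiceUITI(uit string) { delete(s.stubs, uit) }

var ErrNoAccess = errors.New("no entry right to the requested application system")

// AgentLogin is the agent side of steps 101-103.
func AgentLogin(srv *AuthServer, g GUII) (string, error) {
	uit, err := srv.ServiceUITF(g)
	if err == nil && uit == "" {
		err = errors.New("invalid UIT: authentication failed")
	}
	return uit, err
}

// AgentAccess is the agent side of steps 105-110: validate the UIT, check entry, fetch the mapped roles (901-902).
func AgentAccess(srv *AuthServer, uit, asid string) ([]string, error) {
	if !srv.ServiceUITV(uit) {
		return nil, errors.New("invalid UIT")
	}
	if !srv.ServiceUFPC(uit, asid) {
		return nil, ErrNoAccess
	}
	return srv.ServicePMRF(uit, asid), nil
}

// NewDemoServer holds constructed sample data: one user with one portal role mapped into "ASID_B" only.
func NewDemoServer() *AuthServer {
	return &AuthServer{
		passwords: map[string]string{"alice": "s3cret"},
		roles:     map[string][]string{"alice": {"PRID_staff"}},
		lurm:      []LURM{{PRID: "PRID_staff", ASID: "ASID_B", ARID: "ARID_B_editor"}},
		stubs:     map[string]UTS{},
	}
}

func main() {
	srv := NewDemoServer()
	uit, _ := AgentLogin(srv, GUII{"alice", "s3cret"})
	roles, err := AgentAccess(srv, uit, "ASID_B")
	fmt.Println("roles in ASID_B:", roles, err)
}
```

With the sample data, the user reaches application system B with the mapped role ARID_B_editor, is refused entry to an unmapped application system at the serviceUFPC check, and once serviceUITI has discarded the stub the same UIT fails serviceUITV, which is the behaviour steps 105 to 111a and 114 describe.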
The specific design rationale of each module of the information portal single sign-on and access system based on a service-oriented authentication service agent of the present invention is as follows:
I. Authentication service design
The SSO service provided by the authentication server is the core of the whole mechanism. Rights management, the security strategy and the division into atomic services are the key points of the SSO service design. The authentication service design is set out below from these three aspects.
1. Rights management strategy
Rights are allocated very strictly within an application system AS. In the portal system, the differences between the integrated AS in business logic and workflow are usually reflected most directly in how rights are delineated. To reduce AS integration difficulty and portal rights management complexity, and to improve the flexibility and reusability of the system of the present invention, a rights management strategy is designed that is based on a two-level authorization system assisted by a role-mapping management system.
Two-level authorization system: a single AS is regarded as one portal resource; the portal role is only responsible for providing the user's entry access right to the AS, while the user's rights inside the AS are allocated and managed by the AS itself. By adopting two-level authorization, the rights management strategy of the system avoids excessive interference by the portal in the rights management of the AS. However, under two-level authorization a newly added portal user has a rights gap: a period during which the new user holds a portal role that provides the AS entry access right but does not yet possess an internal role of the AS. The system of the present invention adopts the role-mapping management system to solve this rights gap problem.
Role-mapping management system: mapping relations are established between portal roles and internal AS roles. When the user accesses an AS, the product of the portal roles the user holds and the role mapping yields the corresponding internal AS roles. Thus, once a user possesses the entry access right to an AS, the user also possesses certain internal roles of that AS, which remedies the rights gap of newly added portal users in the two-level authorization system.
Managing rights through this rights management strategy avoids modifications to the AS and the portal caused by rights problems, and at the same time guarantees the consistency of the user's rights between the portal and the subsystems.
2. Security strategy design
Since the information carried by the data structures in the system of the present invention is all sensitive information with high security requirements, the security strategy of the system, in addition to relying on the security framework of the specific implementation, also needs to implement the following two security strategies:
(1) Using the SSL (Secure Socket Layer) protocol to guarantee transmission security
The service agent embedded in an AS must present the SSL digital certificate issued by the authentication server when invoking an authentication service; otherwise the call is treated as illegitimate.
(2) Using asymmetric encryption to guarantee security at the data element level
The data structures transmitted during interaction between the service agent and the authentication server are encrypted using the RSA asymmetric algorithm combined with the AES symmetric algorithm. The concrete steps are: 1. when the service agent sends a service invocation request, it generates a pair of RSA asymmetric keys and attaches the public key to the request; 2. when the authentication server sends response data, it generates an AES symmetric key, first encrypts the response data with the AES key, then encrypts the AES key with the RSA public key supplied by the service agent, and sends the response data and the encrypted AES key to the service agent together; 3. the service agent first decrypts the AES key with its RSA private key, then decrypts the response data with the AES key.
The above security strategies effectively guarantee the data security of the mechanism at both the transmission level and the data element level. In practice they can, together with the security framework provided by the specific implementation of the mechanism, jointly protect the information security of the mechanism.
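As an added illustration (not code from the patent), the three-step hybrid scheme above written as a Go exchange between the service agent and the authentication server; the patent fixes neither the AES mode nor the RSA padding, so AES-256-GCM, RSA-OAEP and the `Envelope` layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the server's step-2 response: the response data encrypted under a
// fresh AES key, plus that key wrapped with the agent's RSA public key (assumed layout).
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP (SHA-256)
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // response data encrypted with AES-256-GCM
}

// AgentNewRequestKey is step 1: the service agent generates a fresh RSA key
// pair for each service invocation and attaches the public key to the request.
func AgentNewRequestKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ServerSealResponse is step 2 on the authentication server: encrypt the
// response with a new AES key, then encrypt that key with the agent's RSA key.
func ServerSealResponse(agentPub *rsa.PublicKey, response []byte) (*Envelope, error) {
	aesKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, response, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agentPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// AgentOpenResponse is step 3 on the service agent: unwrap the AES key with the
// RSA private key, then decrypt; the GCM tag check rejects a modified ciphertext.
func AgentOpenResponse(agentPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, agentPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip runs one agent/server exchange and returns what the agent recovers.
func RoundTrip(response []byte) ([]byte, error) {
	priv, err := AgentNewRequestKey()
	if err != nil {
		return nil, err
	}
	env, err := ServerSealResponse(&priv.PublicKey, response)
	if err != nil {
		return nil, err
	}
	return AgentOpenResponse(priv, env)
}

func main() {
	// Constructed sample response data, standing in for a UIT returned in step 102.
	got, err := RoundTrip([]byte(`{"UIT":"sample-token-0001"}`))
	fmt.Printf("agent recovered %q (err=%v)\n", got, err)
}
```

Because the public key travels unauthenticated inside the request, this step depends on the SSL certificate check of strategy (1) to tie that key to a legitimate agent; the GCM tag additionally makes a modified response fail at step 3 rather than decrypt to garbage.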
3. Division into atomic services
With the goals of reducing the difficulty of portal integration and improving portal flexibility, and guided by SOA thinking, the system of the present invention decomposes single sign-on into a group of atomic services. This group of atomic services exposes a unified, general invocation interface for the authentication agents in the ASs to call, thereby realising the SSO function. To guarantee the atomicity and completeness of the atomic services, the division of the system's authentication flow into atomic services must satisfy:
Unity principle: an atomic service may contain only one unique request communication between the authentication agent and the authentication server;
Completeness principle: an atomic service should be a complete function for one call request of the authentication agent, and must not overlap in function with any other atomic service.
Two. Design of the system authentication agent of the present invention
In the system of the present invention, an AS calls the SSO services through the authentication agent. Because the authentication service designed in the present invention along SOA lines has a unified, general invocation interface, the work of the authentication agent is limited to converting the invocation interface of the authentication service into a form that the AS can use directly, according to the specific implementation of the AS.
The abbreviations and full names of the terms used in the present invention, and their meanings, are listed in the following table:

| Abbreviation | Full name | Meaning |
| --- | --- | --- |
| ASID | Application System ID | Application system number |
| PRID | Portal Role ID | Portal role number |
| ARID | Application Role ID | Application system role number |
| UIT | User Identity Token | User identity token |
| URT | User Role Token | User role token |
| UTS | User Token Stub | User token stub |
| GUII | Global User Identity Info | Global user identity information |
| LURM | Local User Role Mapping | Local user role mapping |
| serviceUITF | User Identity Token Fetching | User identity token fetching service |
| serviceUITV | User Identity Token Validation | User identity token validation service |
| serviceUFPC | User First Privilege Check | User first-level privilege check service |
| servicePMRF | Portal Mapping Role Fetching | Portal mapping role fetching service |
| serviceUITI | User Identity Token Invalidation | Identity token invalidation service |
| serviceUGIF | User Global Identity Fetching | User global identity fetching service |
| serviceUIS | User Information Synchronization | User information synchronisation service |
| servicePRF | Portal Role Fetching | Portal role fetching service |
| serviceURMR | User Role Mapping Registration | User role mapping registration service |
| serviceASIQ | Authorization Service Interface Query | Authentication service invocation interface query service |
| serviceASIR | Authorization Service Interface Registration | Authentication service invocation interface registration service |

Claims (7)

1. An information portal single sign-on and access system based on a service-oriented-architecture authentication service agent, including an application system (3) and a user browser (4), characterised in that it also includes an authentication server (1) based on a service-oriented architecture and an authentication service agent (2);
The authentication server (1) is used to provide single sign-on services; it consists of an authentication server data structure set (11), an authentication server atomic service set (12) and an authentication server assistant service set (13). The authentication server data structure set (11) carries the data exchanged during the execution of single sign-on; the authentication server atomic service set (12), by responding to call requests from the authentication service agent (2), completes single sign-on and access to the application system (3); the authentication server assistant service set (13) is used (A) to maintain the local user role mapping LURM and the global user identity information GUII for single sign-on on the authentication server (1), and (B) to assist in completing single sign-on and access to the application system (3);
The authentication service agent (2) is based on a service-oriented architecture and, by invoking the single sign-on services provided by the authentication server (1), enables the user to log in with single sign-on through the user browser (4) and gain access to the application system (3).
2. The information portal single sign-on and access system according to claim 1, characterised in that the application system (3) includes application system A (31), application system B (32), ..., application system N (33), set up according to different rights scopes.
3. The information portal single sign-on and access system according to claim 1, characterised in that the authentication server data structure set (11) is an eight-tuple D0 = {ASID, PRID, ARID, UIT, URT, UTS, GUII, LURM}, where ASID represents the application system number, PRID represents the portal role number, ARID represents the application system role number, UIT represents the user identity token, URT represents the user role token, UTS represents the user token stub, GUII represents the global user identity information, and LURM represents the local user role mapping.
4. The information portal single sign-on and access system according to claim 1, characterised in that the authentication server atomic service set (12) is a five-tuple S0 = {serviceUITF, serviceUITV, serviceUFPC, servicePMRF, serviceUITI}, where serviceUITF represents the user identity token fetching service, serviceUITV represents the user identity token validation service, serviceUFPC represents the user first-level privilege check service, servicePMRF represents the portal mapping role fetching service, and serviceUITI represents the identity token invalidation service.
5. The information portal single sign-on and access system according to claim 1, characterised in that the authentication server assistant service set (13) is a six-tuple A0 = {serviceUGIF, serviceUIS, servicePRF, serviceURMR, serviceASIQ, serviceASIR}, where serviceUGIF represents the user global identity fetching service, serviceUIS represents the user information synchronisation service, servicePRF represents the service for fetching the portal role PRID for application system ASID, serviceURMR represents the user role mapping registration service, serviceASIQ represents the authentication service invocation interface query service, and serviceASIR represents the authentication service invocation interface registration service.
6. The information portal single sign-on and access system according to claims 1 and 2, characterised in that the steps by which a user accesses the application system (3) with single sign-on through the user browser (4) are:
After system initialisation, the information portal provides a single login entry; the user logs in by entering the GUII request at this login entry, and then step 101 is executed;
Step 101: the authentication service agent (2) intercepts the GUII request, calls serviceUITF, passes GUII to the authentication server (1), and step 102 is executed;
Step 102: the authentication server (1) executes the authentication service serviceUITF and verifies GUII; if the GUII verification passes, it (A) generates UIT, URT and UTS, (B) stores URT and UTS, and (C) sends UIT to the authentication service agent (2), and step 103 is executed; if the GUII verification fails, an invalid UIT is returned to the authentication service agent (2);
Step 103: the authentication service agent (2) judges whether the returned UIT is valid; if not, return to the initial state; if yes, execute step 104;
Step 104: the user sends an access request to application system B (32) through the user browser (4), and step 105 is executed;
Step 105: the authentication service agent (2) intercepts the access request, calls serviceUITV and passes the user's global identity token UIT to the authentication server (1); the authentication server (1) executes serviceUITV to verify the validity of the UIT and returns the UIT to the authentication service agent (2), and step 106 is executed;
Step 106: the authentication service agent (2) judges whether the UIT is valid; if not, return to the initial state; if yes, execute step 107;
Step 107: the authentication service agent (2) calls serviceUFPC and submits the call to the authentication server (1); the authentication server (1) executes serviceUFPC to verify whether the user has the right to access application system B (32), returns this access right to the authentication service agent (2), and step 108 is executed;
Step 108: after comparing the access right from step 107 with the threshold value, the authentication service agent (2) outputs: (A) the user has access rights, execute step 109; (B) the user has no access rights, execute step 111a;
Step 111a: used to prompt the user that access is not permitted, then execute step 114;
Step 109: the authentication service agent (2) judges whether the user's role number in application system B (32), i.e. the URT, is cached; if yes, execute step 110; if not, execute step 901;
Step 901: the authentication service agent (2) calls servicePMRF, sending UIT and the ASID of B to the authentication server (1), and step 902 is executed;
Step 902: the authentication server (1) obtains LURM from the authentication server data structure set (11), executes servicePMRF to obtain the role number in application system B (32), and sends that role number to the authentication service agent (2); the authentication service agent (2) caches the received role number and then executes step 110;
Step 110: the authentication service agent (2) sends the cached role number to application system B (32), and step 111 is executed;
Step 111: application system B (32) checks according to the URT whether the user has the right to perform the operation requested of application system B (32); if not, execute step 111a; if yes, execute step 114;
Step 111a: used to prompt the user that access is not permitted, then execute step 114;
Step 112: application system B (32) responds to the user's access request, so that the user achieves single sign-on to application system B (32);
Step 113: ask whether the user wants to log in to another application system among the application systems (3); if "yes", execute step 104; if "no", execute step 114;
Step 114: the authentication service agent (2) calls serviceUITI and sends the user's global identity token UIT to the authentication server (1); after the authentication server (1) executes the authentication service serviceUITI, the user identity token UIT is invalidated, and an invalidation confirmation is sent to the authentication service agent (2).
7. The information portal single sign-on and access system according to claim 6, characterised in that the threshold values in step 108 are "1" and "0", where a threshold value of "1" indicates that the user has no access rights and a threshold value of "0" indicates that the user has access rights.
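As an added example (not code from the patent), the following Go code models the rights management strategy of section 1 together with the agent-side steps 107 to 110 of claim 6 and the threshold values of claim 7: `ServiceUFPC` is the first-level entry check, `ServicePMRF` resolves the AS-internal role through LURM, and the agent caches the URT. The map layouts, the sample roles and the first-match tie-break are assumptions.

```go
package main

import "errors"

type (
	ASID string // application system number
	PRID string // portal role number
	ARID string // application system role number
)

// LURM is the local user role mapping: for each application system, which
// portal role maps to which AS-internal role (role-mapping management system).
type LURM map[ASID]map[PRID]ARID

// AuthServer models the authentication server. entry is the secondary authentication
// system (a portal role grants only entry access); lurm supplies the AS-internal role.
type AuthServer struct {
	entry map[PRID]map[ASID]bool
	lurm  LURM
}

// ServiceUFPC is the first-level privilege check. It returns the claim 7
// threshold value: 0 = user has access rights, 1 = user has no access rights.
func (s *AuthServer) ServiceUFPC(roles []PRID, as ASID) int {
	for _, r := range roles {
		if s.entry[r][as] {
			return 0
		}
	}
	return 1
}

// ServicePMRF derives the AS-internal role from the user's portal roles and
// LURM (step 902). The first mapped role wins; that tie-break is an assumption.
func (s *AuthServer) ServicePMRF(roles []PRID, as ASID) (ARID, error) {
	for _, r := range roles {
		if arid, ok := s.lurm[as][r]; ok {
			return arid, nil
		}
	}
	return "", errors.New("rights blank period: no LURM entry for " + string(as))
}

// Agent is the authentication service agent. urtCache holds the role number
// (URT) per user GUII and AS, which step 109 consults before calling servicePMRF.
type Agent struct {
	Server   *AuthServer
	urtCache map[string]ARID // key: user + "|" + ASID
	Lookups  int             // servicePMRF calls made, to show the cache working
}

func NewAgent(s *AuthServer) *Agent {
	return &Agent{Server: s, urtCache: map[string]ARID{}}
}

// Access runs steps 107 to 110 for one access request and returns the role
// number the agent would hand to the AS in step 110.
func (a *Agent) Access(user string, roles []PRID, as ASID) (ARID, error) {
	if a.Server.ServiceUFPC(roles, as) != 0 { // step 108: compare with threshold
		return "", errors.New("step 111a: no right to access " + string(as))
	}
	key := user + "|" + string(as)
	if arid, ok := a.urtCache[key]; ok { // step 109: URT already cached
		return arid, nil
	}
	a.Lookups++ // steps 901/902: fetch via servicePMRF, then cache
	arid, err := a.Server.ServicePMRF(roles, as)
	if err != nil {
		return "", err
	}
	a.urtCache[key] = arid
	return arid, nil
}

// SampleServer is a constructed configuration with two application systems. PR_GUEST
// has entry access to AS_B but no LURM mapping, so it stays in the rights blank period.
func SampleServer() *AuthServer {
	return &AuthServer{
		entry: map[PRID]map[ASID]bool{
			"PR_STAFF":   {"AS_B": true},
			"PR_MANAGER": {"AS_A": true, "AS_B": true},
			"PR_GUEST":   {"AS_B": true},
		},
		lurm: LURM{
			"AS_A": {"PR_MANAGER": "AR_A_ADMIN"},
			"AS_B": {"PR_STAFF": "AR_B_READER", "PR_MANAGER": "AR_B_EDITOR"},
		},
	}
}
```

A user holding only PR_STAFF gets AR_B_READER in AS_B from LURM on first access and from the URT cache afterwards, while a PR_GUEST user passes the entry check but is refused because no mapping exists.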
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNA2008101057529A (published as CN101277193A, en) | 2008-05-05 | 2008-05-05 | One-point entry and access system based on authentication service acting information facing to service architecture

Publications (1)

Publication Number | Publication Date
CN101277193A (en) | 2008-10-01

Family

ID=39996233

Country Status (1)

Country | Link
CN (1) | CN101277193A (en)

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101958881A (en) * 2009-07-17 2011-01-26 中国移动通信集团湖北有限公司 Access control method, device and system for service group
CN102306247A (en) * 2011-08-17 2012-01-04 广州启生信息技术有限公司 Network customer service and pass management system based on doctor on-line interaction
CN102457376A (en) * 2010-10-29 2012-05-16 中兴通讯股份有限公司 Method and system for uniformly authenticating cloud computing services
CN102739628A (en) * 2011-04-14 2012-10-17 英业达股份有限公司 System for application-side login and authentication, and method thereof
WO2012139482A1 (en) * 2011-04-15 2012-10-18 北京百度网讯科技有限公司 Network encyclopedia user management system and method of accessing applications thereof
CN102801808A (en) * 2012-07-30 2012-11-28 武汉理工大学 WebLogic-oriented Form identification single sign on integration method
CN101645021B (en) * 2009-06-18 2012-12-12 广东金宇恒科技有限公司 Integrating method for multisystem single-spot logging under Java application server
CN101764806B (en) * 2009-12-31 2012-12-26 卓望数码技术(深圳)有限公司 Single-point log-in method, system and log-in service platform
CN103209168A (en) * 2013-01-30 2013-07-17 广东欧珀移动通信有限公司 Method and system for achieving single sign-on
CN103227799A (en) * 2013-05-13 2013-07-31 山东临沂烟草有限公司 Implementing method of unified user management and single sign-on platform based on multiple application systems
CN103595713A (en) * 2013-11-08 2014-02-19 红云红河烟草(集团)有限责任公司 Enterprise identity information unified management and authentication platform
CN103617485A (en) * 2013-11-15 2014-03-05 中国航空无线电电子研究所 Uniform authority management and deployment system
CN104396290A (en) * 2012-07-02 2015-03-04 Sk普兰尼特有限公司 Single certificate service system and operational method thereof
CN104506542A (en) * 2014-12-29 2015-04-08 深圳中兴网信科技有限公司 Security certification method and security certification system
CN104821944A (en) * 2015-04-28 2015-08-05 广东小天才科技有限公司 Hybrid encryption network data security method and system
CN105847220A (en) * 2015-01-14 2016-08-10 北京神州泰岳软件股份有限公司 Authentication method and system, and service platform
CN106230850A (en) * 2016-08-26 2016-12-14 芜湖创易科技有限公司 A kind of unified identity authentication platform
CN106878455A (en) * 2017-03-16 2017-06-20 北京中电普华信息技术有限公司 A kind of acquisition methods and server of the information on services based on internet
CN107147496A (en) * 2017-04-28 2017-09-08 广东网金控股股份有限公司 Under a kind of service-oriented technological frame between different application unified authorization certification method
CN107566473A (en) * 2017-08-28 2018-01-09 南京南瑞继保电气有限公司 A kind of electric power secondary system equipment check method
CN108200099A (en) * 2011-09-29 2018-06-22 甲骨文国际公司 mobile application, identity relationship management
CN109033803A (en) * 2018-08-28 2018-12-18 南京南瑞信息通信科技有限公司 A kind of movement based on portal APP is micro- to apply login management method
CN109587148A (en) * 2018-12-11 2019-04-05 上海宜延电子商务有限公司 A kind of data calculate client, data calculation server and data computing system
CN109905365A (en) * 2019-01-14 2019-06-18 江苏第二师范学院(江苏省教育科学研究院) It is a kind of can distributed deployment single-sign-on and authorization of service system and method
CN110213223A (en) * 2019-03-21 2019-09-06 腾讯科技(深圳)有限公司 Business management method, device, system, computer equipment and storage medium
CN110278179A (en) * 2018-03-15 2019-09-24 阿里巴巴集团控股有限公司 Single-point logging method, device and system and electronic equipment
CN111143814A (en) * 2019-12-30 2020-05-12 武汉佰钧成技术有限责任公司 Single sign-on method, micro-service access platform and storage medium
CN111240863A (en) * 2020-01-10 2020-06-05 无锡华云数据技术服务有限公司 Data communication method, device, micro front-end system and storage medium
CN111355713A (en) * 2020-02-20 2020-06-30 深信服科技股份有限公司 Proxy access method, device, proxy gateway and readable storage medium
US10813002B2 (en) 2013-07-18 2020-10-20 Convida Wireless, Llc Capillary device charging
CN112182522A (en) * 2019-07-05 2021-01-05 北京地平线机器人技术研发有限公司 Access control method and device
CN112764725A (en) * 2021-02-22 2021-05-07 浪潮云信息技术股份公司 Method for realizing user synchronization based on JWT
CN116405573A (en) * 2023-06-07 2023-07-07 北京集度科技有限公司 Service-oriented architecture based system, communication method and computer program product



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081001