CN103414684A - Single sign-on method and system - Google Patents


Info

Publication number
CN103414684A
Authority
CN
China
Prior art keywords
bill
user
login
sign
tgt
Legal status
Pending
Application number
CN2013102216307A
Other languages
Chinese (zh)
Inventor
许勇
雷传锐
Current Assignee
South China University of Technology SCUT
Original Assignee
South China University of Technology SCUT

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a single sign-on method and system. In the method, when a B/S (browser/server) application client needs to log in, it requests an ST ticket from the single sign-on information maintainer through a browser plug-in and then requests fast login from the application server side; if no ST ticket information exists, it carries out a normal login and then synchronizes the login information to the single sign-on information maintainer through the browser plug-in. When a C/S (client/server) application client logs in, it requests an ST ticket from the single sign-on information maintainer and then requests fast login from the application server side; if no ST ticket information exists, it carries out a normal login and then responds to the single sign-on information maintainer. When a client requests the ST ticket of a target service from the single sign-on information maintainer, the ST ticket for the target service is generated for the client only if the TGT ticket weight of the currently logged-in user is not lower than the login weight of the target service; otherwise the permission is insufficient and fast login fails.

Description

Single sign-on method and system
Technical field
The present invention relates to the technical field of computer networks, and in particular to a single sign-on method and system.
Background technology
With the continuous progress of Internet technology and the growing attention enterprises pay to informatization, the information systems of modern enterprises are becoming ever more complete, and efficient information systems such as human resources management systems, payroll systems and e-mail systems are entering enterprises one after another. Because an employee deals with many such systems in daily work, logging in to each of them separately has become a burden. Single sign-on (SSO) technology arose to address this problem: it provides enterprise users with a unified authentication entry point to information resources, so that a user logs in only once and can then switch between different application systems without logging in again, according to configured rules, which improves the usability of the information systems.
CAS (Central Authentication Service) is an open-source project initiated by Yale University that aims to provide application systems with a reliable single sign-on method. The CAS single sign-on protocol is shown in Figure 1. CAS Server is an independently deployed Web application that provides user authentication and the issuing, maintenance and verification of tickets for the single sign-on system; it corresponds to the login-free server of the present invention.
CAS Client protects the restricted resources of an application system in the form of a filter; it is merged with and deployed together with the target application system. The CAS Client filter filters every HTTP request coming from the user's browser and assists CAS Server in completing the authentication process for the user.
Web Browser is the browser used by the user, who accesses the target service by entering the target service URL.
Its basic working principle is as follows: when the user accesses the target service, CAS Client intercepts the user's request and redirects the user to CAS Server for login verification. If the user has already logged in, the user's browser holds, in the form of a cookie, the TGT (ticket-granting ticket) issued by CAS Server, from which an ST (service ticket) for accessing the target service can be generated directly, so the login-free authorization is completed.
At present CAS is widely popular because of its security and stability, its simplicity and flexibility, its support for many mainstream client environments such as Java EE, PHP, .NET and Ruby, and its open source code.
However, long-term use has revealed the following defects in the CAS single sign-on scheme: 1) the CAS client only supports the Web environment of the B/S architecture and offers no help for desktop applications of the C/S architecture; 2) CAS single sign-on is only effective within the same browser and cannot be federated across multiple mainstream browsers; 3) CAS treats every integrated service alike and cannot control the login rights of each service at fine granularity.
Summary of the invention
In order to overcome the shortcomings and deficiencies of the prior art, the present invention provides a single sign-on method and system.
The present invention adopts the following technical scheme:
A single sign-on method comprises:
S1: an application client with the C/S architecture sends an ST ticket request to the single sign-on information maintainer through the single sign-on client API; the ST ticket request comprises the single sign-on federation domain and the identifier of the service to be logged in to, where the service identifier is the service ID of the application server side;
S2: the single sign-on information maintainer searches for logged-in user information in the corresponding login federation domain; if login information exists, it requests the login-free server to generate a legal ST ticket and session key according to the stored TGT ticket, user information and service identifier; if no logged-in user information exists, it responds to the application client, which carries out a normal login;
S3: the login-free server verifies the TGT ticket; if verification succeeds, it generates a legal ST ticket and session key and responds to the single sign-on information maintainer; otherwise it returns an error message and requires the user to carry out a normal login;
S4: the single sign-on information maintainer returns the response of the login-free server to the application client as the fast login response;
S5: the application client, through the single sign-on client API, sends a request carrying the ST ticket to the application server side for ST ticket verification; the application server side, through the single sign-on server API, requests the login-free server to verify the ST ticket; if the login-free server verifies it successfully, it returns the user information together with the session key as the response, and login is complete.
The normal login is specifically:
the application client provides a normal login page to the user; the user enters user credentials; the application client sends the user credentials and the identifier of the service to be logged in to to the single sign-on information maintainer and requests a proxy login; the single sign-on information maintainer sends the proxy login request to the login-free server;
the login-free server verifies the user's identity credentials; if verification succeeds, it generates a legal TGT ticket, ST ticket and session key and sends them to the single sign-on information maintainer; if verification fails, it returns an error message;
the single sign-on information maintainer stores the association between the user and the TGT ticket as the user's login information in the login federation domain.
Verifying the TGT ticket is specifically: the TGT ticket weight of the currently logged-in user is compared with the login weight of the target service; if the TGT ticket weight is greater than or equal to the login weight of the target service, the ST ticket for the target service is generated for the client and login is completed without entering user credentials; otherwise the permission is insufficient and the request fails.
A single sign-on method comprises:
S1: the user sends a resource access request to the Web server from an application client with the B/S architecture, and the request is intercepted by the Web service filter; the application client with the B/S architecture is specifically the user's browser;
S2: the Web service filter judges whether the resource access request carries an ST ticket; if so, it proceeds to S9 for verification of the ST ticket; otherwise it redirects to the login-free server for verification of the user's identity;
S3: the login-free server performs user identity verification, comprising: the login-free server checks whether the user's browser holds the cookie information of a TGT ticket; if so, it verifies the TGT ticket information, generates a legal ST ticket for the user, and proceeds to S2; otherwise it redirects the user's browser to the normal login page of the login-free server;
S4: on the normal login page, the browser sends an ST ticket request to the single sign-on information maintainer through the Web browser plug-in; the ST ticket request comprises the single sign-on federation domain and the identifier of the service to be logged in to;
S5: the single sign-on information maintainer searches for logged-in user information in the corresponding single sign-on federation domain; if it exists, it requests from the login-free server the ST ticket for logging in to the target service according to the existing TGT ticket, the logged-in user information list and the target service identifier; otherwise it responds to the Web browser plug-in that no such user information exists, and the user's browser must provide user credentials to request a normal login from the login-free server;
S6: the login-free server verifies the user's TGT ticket; if verification succeeds, it generates a legal ST ticket as the response, otherwise it returns an error message; the result is returned to the single sign-on information maintainer;
S7: the single sign-on information maintainer returns the ST ticket and user information responded by the login-free server to the Web browser plug-in as the fast login response, and a fast login list is shown on the login page;
S8: the user clicks fast login, and the resource access is carried out with the legal ST ticket; proceed to S2;
S9: the login-free server verifies the legitimacy of the ST ticket; if successful, it returns the user's user information; if it fails, the user is prompted about the error; the result is returned to the Web service filter;
S10: the Web service filter decides whether the user is allowed through according to the result from the login-free server.
Verifying the TGT ticket is specifically: the TGT ticket weight of the currently logged-in user is compared with the login weight of the target service; if the TGT ticket weight is greater than or equal to the login weight of the target service, the ST ticket for the target service is generated for the client and login is completed without entering user credentials; otherwise the permission is insufficient and the request fails.
The normal login is specifically:
the user enters user credentials in the browser to request a normal login from the login-free server;
the login-free server accepts the login request and verifies the identity information; if verification fails, it returns an error message; if verification succeeds, it sets the TGT ticket as a cookie in the user's browser and returns the ST ticket;
the Web browser plug-in synchronizes the user information and the issued TGT ticket to the single sign-on information maintainer;
the single sign-on information maintainer stores the association between the user and the TGT ticket as this user's login information in the single sign-on domain.
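To make the ticket flow of the two methods above concrete, here is an added Python model (not code from the patent) of the login-free server, the single sign-on information maintainer, the C/S client path and the Web service filter path, including the TGT-weight check; the user names, passwords, weights, service identifiers and federation domain names are constructed for illustration.

```python
import secrets
import hmac


class LoginFreeServer:
    """Issues and verifies TGT/ST tickets; models the patent's login-free server."""

    def __init__(self, users, services):
        self.users = users          # user name -> (password, TGT login weight); constructed
        self.services = services    # service identifier -> required login weight; constructed
        self.tgts = {}              # TGT -> (user name, weight)
        self.sts = {}               # ST -> (user name, service identifier)

    def login(self, user, password, service):
        """Normal login: verify credentials, issue a TGT, then try to issue an ST."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec[0], password):
            return None                         # verification failed: error message
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = (user, rec[1])
        return {"tgt": tgt, "st": self.issue_st(tgt, service)}

    def verify_tgt(self, tgt, service):
        """The weight check: TGT weight must be >= the target service's login weight."""
        if tgt not in self.tgts or service not in self.services:
            return False
        return self.tgts[tgt][1] >= self.services[service]

    def issue_st(self, tgt, service):
        """Generate an ST and session key for the target service, or None on failure."""
        if not self.verify_tgt(tgt, service):
            return None                         # insufficient permission: fast login fails
        st = "ST-" + secrets.token_hex(8)
        user = self.tgts[tgt][0]
        self.sts[st] = (user, service)
        return {"st": st, "session_key": secrets.token_hex(16), "user": user}

    def verify_st(self, st, service):
        """Single-use ST check on behalf of the application server side; returns the user name."""
        rec = self.sts.pop(st, None)
        return rec[0] if rec is not None and rec[1] == service else None


class SsoInfoMaintainer:
    """Client-side cache of (user, TGT) per single sign-on federation domain."""

    def __init__(self, server):
        self.server = server
        self.domains = {}           # federation domain -> {"user": ..., "tgt": ...}

    def request_st(self, domain, service):
        """S2/S5: look up login information; None means a normal login is required."""
        info = self.domains.get(domain)
        if info is None:
            return None
        return self.server.issue_st(info["tgt"], service)

    def proxy_login(self, domain, user, password, service):
        """C/S normal login forwarded to the login-free server; caches the TGT."""
        res = self.server.login(user, password, service)
        if res is None:
            return None
        self.domains[domain] = {"user": user, "tgt": res["tgt"]}
        return res["st"]

    def sync(self, domain, user, tgt):
        """B/S normal login: the browser plug-in synchronizes user and TGT."""
        self.domains[domain] = {"user": user, "tgt": tgt}


def cs_client_login(maint, domain, service, credentials=None):
    """C/S client: fast login via ST request, else normal login via proxy; returns the user."""
    res = maint.request_st(domain, service)
    if res is None and credentials is not None:
        res = maint.proxy_login(domain, credentials[0], credentials[1], service)
    if res is None:
        return None
    return maint.server.verify_st(res["st"], service)   # S5: server side verifies the ST


def web_filter(server, maint, domain, service, st=None, cookie_tgt=None):
    """Web service filter (S2/S3/S9/S10): verify an ST if present, else redirect."""
    if st is not None:
        user = server.verify_st(st, service)
        return ("allow", user) if user else ("redirect", "login page")
    if cookie_tgt is not None and server.verify_tgt(cookie_tgt, service):
        fresh = server.issue_st(cookie_tgt, service)     # S3: TGT cookie accepted
        return web_filter(server, maint, domain, service, st=fresh["st"])
    fast = maint.request_st(domain, service)            # S4/S5: plug-in asks the maintainer
    if fast is not None:
        return web_filter(server, maint, domain, service, st=fast["st"])
    return ("redirect", "normal login")
```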
A single sign-on system comprises an application client and an application server side, and further comprises:
a single sign-on information maintainer, running on the application client, for storing the user's login information, which comprises the user name, the single sign-on service domain logged in to and the user's TGT ticket; for receiving the user's ST ticket request and forwarding it to the login-free server; and for receiving the result of the login-free server's verification of the TGT ticket and returning it to the application client;
a login-free server, for verifying the TGT ticket, generating the corresponding ST ticket and session key and returning the result to the single sign-on information maintainer; for verifying ST ticket requests and returning the verification result as the response; and for verifying user credentials, generating legal TGT tickets and ST tickets and setting cookies, for user identity verification;
the application client comprises an application client with the C/S architecture or with the B/S architecture.
The application client is equipped with a Web browser plug-in, which is used for communication between the application client with the B/S architecture and the single sign-on information maintainer;
Further, the system also comprises a single sign-on client API, used by the application client with the C/S architecture to access the single sign-on information maintainer and the application server side;
and a single sign-on server API, used by the application server side with the C/S architecture to access the login-free server.
Further, the system also comprises a Web service filter, used for intercepting resource access requests to the Web server and verifying the ST ticket; it redirects to the login-free server, receives the result of the login-free server's verification of the ST ticket, and decides whether the user is allowed through.
Beneficial effects of the present invention:
The user's login information in a B/S application or a C/S application is synchronized to the single sign-on information maintainer; when the user next needs to log in, any client can request the login information from the single sign-on information maintainer, achieving fast login and thereby providing the user with a more complete service and a more convenient experience.
Description of the drawings
Fig. 1 is a schematic diagram of the prior-art CAS single sign-on protocol;
Fig. 2 is a structural diagram of the present invention;
Fig. 3 is the method flow chart of Embodiment 1 of the present invention;
Fig. 4 is the method flow chart of Embodiment 2 of the present invention;
Fig. 5 is the method flow chart of Embodiment 3 of the present invention;
Fig. 6 is the method flow chart of Embodiment 4 of the present invention.
Embodiments
The present invention is described in further detail below with reference to the embodiments and the drawings, but the embodiments of the present invention are not limited to these.
Embodiment
As shown in Figure 2, a single sign-on system comprises an application client and a single sign-on information maintainer located at the user's client, and an application server and a login-free server located on the network;
the application client comprises an application client with the C/S architecture or with the B/S architecture, and the application server comprises an application server with the C/S architecture or with the B/S architecture.
The single sign-on information maintainer runs on the application client and is used for storing the user's login information, which comprises the user name, the single sign-on service domain logged in to and the user's TGT ticket; for receiving the user's ST ticket request and forwarding it to the login-free server; and for receiving the result of the login-free server's verification of the TGT ticket and returning it to the application client;
the login-free server is used for verifying the TGT ticket and returning the result to the single sign-on information maintainer, and for verifying ST ticket requests and returning user information as the response.
For an application client with the C/S architecture, the system also comprises a single sign-on client API, used by the application client with the C/S architecture to access the single sign-on information maintainer and the application server side;
and a single sign-on server API, used by the application server side with the C/S architecture to access the login-free server.
For an application client with the B/S architecture, the system also comprises a Web browser plug-in, used for communication between the application client with the B/S architecture and the single sign-on information maintainer; and a Web service filter, used for intercepting resource access requests to the Web server and verifying the ST ticket; it redirects to the login-free server, receives the result of the login-free server's verification of the ST ticket, and decides whether the user is allowed through.
Embodiment 1
Figure 3 shows a user performing single sign-on for the first time at an application client with the C/S architecture; the specific steps are as follows:
S301: the application client with the C/S architecture sends an ST ticket request to the single sign-on information maintainer through the single sign-on client API; the ST ticket request comprises the single sign-on federation domain and the identifier of the service to be logged in to, where the service identifier is the service ID of the desktop application server side;
S302: the single sign-on information maintainer searches for logged-in user information in the corresponding login federation domain; if it exists, fast login is performed; if no logged-in user information exists, the flow proceeds to S303 and the user is required to carry out a normal login;
S303: the application client provides a login page to the user and requires the user to carry out a normal login;
S304: the user enters user credentials; the application client sends the user credentials and the identifier of the service to be logged in to to the single sign-on information maintainer and requests a proxy login; the single sign-on information maintainer sends the proxy login request to the login-free server; the user credentials may be a user name and password;
S305: the login-free server verifies whether the user's identity credentials are valid; if verification succeeds, the flow proceeds to S306, otherwise it proceeds to S303 and the user is required to log in again.
S306: the login-free server generates a legal TGT ticket, ST ticket and session key and sends them to the single sign-on information maintainer;
S307: the single sign-on information maintainer stores the association between the user and the TGT ticket as the user's login information in the login federation domain, and returns the legal ST ticket and session key to the application client for login;
S308: the application client carries the ST ticket and requests login from the application server side through the single sign-on client API; the application server side, through the single sign-on server API, requests the login-free server to verify the legitimacy of the ST ticket; if the login-free server verifies it successfully, it returns the user information together with the session key as the response. The purpose is to let each side confirm the other's identity and prove its own identity by means of the session key, completing the login; whether the client and the server side use this session key in their later communication is decided by each client and server side according to business needs.
Embodiment 2
As shown in Figure 4, a single sign-on method: this embodiment describes a user who has already logged in to the single sign-on system and whose application client logs in fast without entering user credentials, comprising:
S401: the application client with the C/S architecture sends an ST ticket request to the single sign-on information maintainer through the single sign-on client API; the ST ticket request comprises the single sign-on federation domain and the identifier of the service to be logged in to, where the service identifier is the service ID of the desktop application server side;
S402: the single sign-on information maintainer searches for the logged-in user name information in the corresponding login federation domain; if no login information exists, the flow proceeds to S403 and the user is required to carry out a normal login; if logged-in user information exists, the flow proceeds to S404;
S403: the application client provides a login page to the user and requires the user to carry out a normal login;
S404: the single sign-on information maintainer, according to the logged-in user information found, which mainly comprises the TGT ticket, user information and service identifier, requests the login-free server to generate a legal ST ticket and session key.
S405: the login-free server verifies whether the TGT ticket is legal; if so, the flow proceeds to S406; otherwise it returns an error message and the flow proceeds to S403, requiring the user to carry out a normal login;
S406: the login-free server generates a legal ST ticket and session key and sends them to the single sign-on information maintainer;
S407: the single sign-on information maintainer returns the response of the login-free server to the application client as the fast login response;
S408: the application client, through the single sign-on client API, sends a request carrying the ST ticket to the desktop application server side for ST ticket verification; the desktop application server side, through the single sign-on server API, requests the login-free server to verify the ST ticket; if the login-free server verifies it successfully, it returns the user information together with the session key as the response, and login is complete.
Embodiment 3
As shown in Figure 5, a single sign-on system comprises, at the user's client, a user browser equipped with the Web browser plug-in and the single sign-on information maintainer, and, deployed on the network, the Web service filter, the Web application server and the login-free server. This embodiment describes the single sign-on method for the case where the user accesses the Web service with a browser and needs to carry out a normal login.
The specific steps are as follows:
S501: the user sends a resource access request to the Web server from an application client with the B/S architecture, and the request is intercepted by the Web service filter; the application client with the B/S architecture is specifically the user's browser;
S502: the Web service filter judges whether the resource access request carries an ST ticket; if so, the flow proceeds to S512 for verification of the ST ticket; otherwise it redirects to the login-free server for verification of the user's identity, and the flow proceeds to S503;
S503: the login-free server performs user identity verification, comprising: the login-free server checks whether the user's browser holds the cookie information of a TGT ticket; if so, it verifies the TGT ticket information, generates a legal ST ticket for the user, and lets the user send a resource access request carrying the ST ticket to the Web server, proceeding to S502; otherwise it redirects the user to the normal login page, which is S504;
S504: on the normal login page, the browser sends an ST ticket request to the single sign-on information maintainer through the Web browser plug-in; the ST ticket request comprises the single sign-on federation domain and the identifier of the service to be logged in to, which is specifically the URL of the target Web service;
S505: the single sign-on information maintainer searches for logged-in user information in the corresponding single sign-on federation domain; if it exists, the flow proceeds to S506; otherwise it proceeds to S507;
S506: the single sign-on information maintainer requests from the login-free server the ST ticket list for logging in to the target service according to the existing TGT ticket, the logged-in user information list and the target service identifier, and lets the user's browser send a resource access request carrying the ST ticket to the Web server, proceeding to S502;
S507: the single sign-on information maintainer responds to the Web browser plug-in that no such user information exists; the user's browser must provide user credentials to request a normal login from the login-free server, and the user now carries out a normal login with the login-free server by entering the user credentials;
S508: the login-free server accepts the login request and verifies the identity information; if verification fails, the flow proceeds to S507; if it succeeds, the flow proceeds to S509;
S509: the login-free server sets the TGT ticket as a cookie in the user's browser and generates a legal ST ticket for the user's browser;
S510: the Web browser plug-in synchronizes the user information and the issued TGT ticket to the single sign-on information maintainer; the single sign-on information maintainer stores the association between the user and the TGT ticket as this user's login information in the single sign-on domain.
S511: the user's browser sends a resource access request carrying the ST ticket to the Web server; the request is intercepted by the Web service filter, and the flow proceeds to S502;
S512: the Web service filter requests the login-free server to verify the legitimacy of the ST ticket; if successful, the user's user information is returned and the flow proceeds to S513; otherwise the user is redirected to the normal login page and the flow proceeds to S504;
S513: the Web service filter allows the user's request through, and the user accesses the resource.
Embodiment 4
As shown in Figure 6, this embodiment describes the case where the user has previously logged in to the single sign-on system and again uses a browser to access the Web service without entering user credentials; the specific steps are as follows:
S601: the user sends a resource access request to the Web server from an application client with the B/S architecture, and the request is intercepted by the Web service filter; the application client with the B/S architecture is specifically the user's browser;
S602: the Web service filter judges whether the resource access request carries an ST ticket; if so, the flow proceeds to S612 for verification of the ST ticket; otherwise it redirects to the login-free server for verification of the user's identity, and the flow proceeds to S603;
S603: the login-free server performs user identity verification, comprising: the login-free server checks whether the user's browser holds the cookie information of a TGT ticket; if so, it verifies the TGT ticket information, generates a legal ST ticket for the user, and lets the user send a resource access request carrying the ST ticket to the Web server, proceeding to S602; otherwise it redirects the user to the normal login page, which is S604;
S604: on the normal login page, the browser sends an ST ticket request to the single sign-on information maintainer through the Web browser plug-in; the ST ticket request comprises the single sign-on federation domain and the identifier of the service to be logged in to, and the service identifier here is the URL of the target Web service;
S605: the single sign-on information maintainer searches for logged-in user information in the corresponding single sign-on federation domain; if none exists, the flow proceeds to S606; otherwise it proceeds to S607;
S606: the user's browser must provide user credentials to request a normal login from the login-free server;
S607: the single sign-on information maintainer requests from the login-free server the ST ticket list for logging in to the target service according to the existing TGT ticket, the logged-in user information list and the target service identifier;
S608: the login-free server verifies the user's TGT ticket; if TGT ticket verification succeeds, the flow proceeds to S609, otherwise it proceeds to S606;
S609: the login-free server generates a legal ST ticket and user information according to the TGT ticket information of the logged-in user and sends them to the single sign-on information maintainer as the response;
S610: the single sign-on information maintainer returns the ST ticket and user information responded by the login-free server to the Web browser plug-in as the fast login response, and a fast login list is shown on the login page;
S611: the user clicks fast login, and the browser sends a resource access request carrying the legal ST ticket to the Web server; the flow proceeds to S602;
S612: the Web service filter requests the login-free server to verify the legitimacy of the ST ticket; if successful, the user's user information is returned and the flow proceeds to S613; otherwise the user is redirected to the normal login page and the flow proceeds to S604;
S613: the Web service filter allows the user's request through, and the user accesses the resource.
Verifying the TGT ticket in the above method is specifically: the TGT ticket weight of the currently logged-in user is compared with the login weight of the target service; if the TGT ticket weight is greater than or equal to the login weight of the target service, the ST ticket for the target service is generated for the client and login is completed without entering user credentials; otherwise the permission is insufficient and the request fails.
The above embodiments are preferred embodiments of the present invention, but the embodiments of the present invention are not limited by them; any other change, modification, substitution, combination or simplification that does not depart from the spirit and principle of the present invention is an equivalent substitute and falls within the scope of protection of the present invention.

Claims (10)

1. A single sign-on method, characterized in that it comprises:
S1: An application client with a C/S architecture sends an ST ticket request to the single sign-on information maintainer through the single sign-on client API; the ST ticket request comprises the single sign-on federation domain and the service identifier to be logged in to, the service identifier being the service ID of the application server side;
S2: The single sign-on information maintainer looks up logged-in user information in the corresponding login federation domain; if login information exists, it requests a legal ST ticket and session key from the login-exempt server according to the stored TGT ticket, user information and service identifier; if no logged-in user information exists, it responds to the application client, which performs a common login;
S3: The login-exempt server verifies the TGT ticket; if verification succeeds, it generates a legal ST ticket and session key as the response to the single sign-on information maintainer, otherwise it returns an error message and requires the user to perform a common login;
S4: The single sign-on information maintainer returns the login-exempt server's response to the application client as a quick-login form;
S5: The application client, through the single sign-on client API, sends a request carrying the ST ticket to the application server side for ST ticket verification; the application server side requests verification of the ST ticket from the login-exempt server through the single sign-on server API; if the login-exempt server verifies it successfully, it returns the session key and user information as the response, and the login is completed.
2. The single sign-on method according to claim 1, characterized in that the common login specifically comprises:
The application client presents a common login page to the user; the user enters user credentials, and the user credentials and the service identifier to be logged in to are sent to the single sign-on information maintainer with a request for proxy login; the single sign-on information maintainer forwards the proxy login request to the login-exempt server;
The login-exempt server verifies the user identity credentials; if verification succeeds, it generates a legal TGT ticket, ST ticket and session key and sends them to the single sign-on information maintainer; if verification fails, it returns an error message;
The single sign-on information maintainer saves the association between the user and the TGT ticket as the user's login information in the login federation domain.
3. The single sign-on method according to claim 1, characterized in that verifying the TGT ticket specifically means: the weight of the current logged-in user's TGT ticket is compared with the login weight of the target service; if the TGT ticket weight is greater than or equal to the login weight of the target service, the client is given an ST ticket generated for the target service and the login is completed without the user entering credentials, otherwise permission is insufficient and the request fails.
4. A single sign-on method, characterized in that it comprises:
S1: A user sends a resource access request from an application client with a B/S architecture to a Web server; the request is intercepted by the Web service filter; the application client with a B/S architecture is specifically the user's browser;
S2: The Web service filter determines whether the resource access request carries an ST ticket; if so, the flow proceeds to S9 to verify the ST ticket, otherwise the request is redirected to the login-exempt server for user identity verification;
S3: The login-exempt server performs user identity verification, comprising: the login-exempt server checks whether the user's browser holds a TGT ticket cookie; if so, it verifies the TGT ticket information, generates a legal ST ticket for the user and the flow returns to S2; otherwise the user's browser is redirected to the login-exempt server's common login page;
S4: On the common login page, the browser sends an ST ticket request to the single sign-on information maintainer through the Web browser plug-in; the ST ticket request comprises the single sign-on federation domain and the service identifier to be logged in to;
S5: The single sign-on information maintainer looks up logged-in user information in the corresponding single sign-on federation domain; if it exists, it requests an ST ticket for logging in to the target service from the login-exempt server according to the existing TGT ticket, the logged-in user information list and the target service identifier; otherwise it responds to the Web browser plug-in that there is no information for this user, and the user's browser provides user credentials to request a common login from the login-exempt server;
S6: The login-exempt server verifies the user's TGT ticket; if verification succeeds, it generates a legal ST ticket as the response, otherwise it returns an error message; the result is returned to the single sign-on information maintainer;
S7: The single sign-on information maintainer returns the ST ticket and user information received from the login-exempt server to the Web browser plug-in as a quick-login form, and the quick-login form is shown on the login page;
S8: The user, by clicking quick login, sends a resource access request carrying the legal ST ticket to the Web server, and the flow returns to S2;
S9: The login-exempt server verifies the legitimacy of the ST ticket; if successful, it returns this user's user information; if it fails, the user is prompted with an error; the result is returned to the Web service filter;
S10: The Web service filter decides, according to the result from the login-exempt server, whether to allow the user through.
5. The single sign-on method according to claim 4, characterized in that verifying the TGT ticket specifically means: the weight of the current logged-in user's TGT ticket is compared with the login weight of the target service; if the TGT ticket weight is greater than or equal to the login weight of the target service, the client is given an ST ticket generated for the target service and the login is completed without the user entering credentials, otherwise permission is insufficient and the request fails.
6. The method according to claim 4, characterized in that the common login specifically comprises:
The user enters user credentials through the browser to request a common login from the login-exempt server;
The login-exempt server accepts the login request and verifies the identity information; if verification fails, it returns an error message; if verification succeeds, it sets the TGT ticket in the user's browser as a cookie and returns an ST ticket;
The Web browser plug-in synchronizes the user information and the issued TGT ticket to the single sign-on information maintainer;
The single sign-on information maintainer saves the association between the user and the TGT ticket as this user's single sign-on information in the single sign-on domain.
7. A single sign-on system comprising an application client and an application server side, characterized in that it further comprises:
A single sign-on information maintainer, running on the application client, for storing the user's login information, the login information comprising the user name, the single sign-on service domain logged in to and this user's TGT ticket; for receiving the user's ST ticket request and forwarding it to the login-exempt server; and for receiving the result of the login-exempt server's TGT ticket verification and responding to the application client;
A login-exempt server, for verifying the TGT ticket, generating the corresponding ST ticket and session key, and returning the result to the single sign-on information maintainer; for verifying ST ticket requests and returning the verification result as the response; and for verifying user credentials and generating legal TGT tickets and ST tickets;
The application client comprises an application client with a C/S architecture or with a B/S architecture.
8. The single sign-on system according to claim 7, characterized in that the application client is equipped with a Web browser plug-in, the Web browser plug-in being used for communication between an application client with a B/S architecture and the single sign-on information maintainer.
9. The single sign-on system according to claim 7, characterized in that it further comprises a single sign-on client API, for an application client with a C/S architecture to access the single sign-on information maintainer and the application server side;
and a single sign-on server API, for an application server side with a C/S architecture to access the login-exempt server.
10. The single sign-on system according to claim 7 or 8, characterized in that it further comprises a Web service filter, for intercepting Web server resource access requests and verifying the ST ticket; forwarding to the login-exempt server by redirection; responding with the result of the login-exempt server's ST verification; and deciding whether to allow the user through.
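As an added illustration (Python written for this page, not code from the patent or its authors), the following models the ticket exchange of claims 1 to 3: the maintainer looks up login information per federation domain, the login-exempt server compares the TGT weight with the target service's login weight before issuing an ST, and the application server side's ST verification treats the ST as single-use, service-bound and expiring. The service weight table, the ST lifetime and the HMAC session-key derivation are constructed assumptions; the page does not specify how weights are assigned or how tickets are encoded.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed assumption (not from the patent): the login weight each service ID requires.
SERVICE_LOGIN_WEIGHT = {"mail": 1, "hr-portal": 2, "finance": 3}

@dataclass
class TGT:  # ticket-granting ticket: the user and the weight earned at common login
    user: str
    weight: int
    domain: str  # single sign-on federation domain
    tgt_id: str = field(default_factory=lambda: "TGT-" + secrets.token_hex(8))

class LoginExemptServer:
    """Issues and verifies tickets (the patent's login-exempt server)."""
    def __init__(self, key, st_ttl=60.0):
        self._key = key        # assumed server secret used to derive session keys
        self._st_ttl = st_ttl  # assumed ST lifetime in seconds
        self._tgts = {}        # tgt_id -> TGT
        self._sts = {}         # st_id -> (user, service_id, expiry)

    def issue_tgt(self, user, weight, domain):
        """Stands in for a successful common login (claims 2/6); the credential check is omitted."""
        tgt = TGT(user, weight, domain)
        self._tgts[tgt.tgt_id] = tgt
        return tgt

    def request_st(self, tgt_id, service_id):
        """Verify TGT (claims 3/5): issue an ST only if TGT weight >= service login weight."""
        tgt = self._tgts.get(tgt_id)
        if tgt is None:
            return {"ok": False, "error": "invalid TGT"}
        required = SERVICE_LOGIN_WEIGHT.get(service_id)
        if required is None or tgt.weight < required:
            return {"ok": False, "error": "insufficient permission"}
        st_id = "ST-" + secrets.token_hex(8)
        self._sts[st_id] = (tgt.user, service_id, time.time() + self._st_ttl)
        session_key = hmac.new(self._key, (st_id + "|" + service_id).encode(), hashlib.sha256).hexdigest()
        return {"ok": True, "st": st_id, "session_key": session_key}

    def verify_st(self, st_id, service_id):
        """Application server side check (claim 1 S5): single-use, service-bound, expiring ST.
        A mismatched or expired ticket is still consumed."""
        record = self._sts.pop(st_id, None)
        if record is None:
            return None
        user, bound_service, expiry = record
        if bound_service != service_id or time.time() > expiry:
            return None
        return {"user": user}

class SSOInfoMaintainer:
    """Keeps the user -> TGT association per federation domain (last step of claims 2/6)."""
    def __init__(self, server):
        self._server = server
        self._logins = {}  # (domain, user) -> tgt_id

    def save_login(self, tgt):
        self._logins[(tgt.domain, tgt.user)] = tgt.tgt_id

    def request_st(self, domain, user, service_id):
        """Claim 1 S2: look up login information; without it the client does a common login."""
        tgt_id = self._logins.get((domain, user))
        if tgt_id is None:
            return {"ok": False, "error": "no login information; perform common login"}
        return self._server.request_st(tgt_id, service_id)
```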
CN2013102216307A 2013-06-05 2013-06-05 Single sign-on method and system Pending CN103414684A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013102216307A CN103414684A (en) 2013-06-05 2013-06-05 Single sign-on method and system

Publications (1)

Publication Number Publication Date
CN103414684A true CN103414684A (en) 2013-11-27

Family

ID=49607670

Country Status (1)

Country Link
CN (1) CN103414684A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286843A (en) * 2008-06-03 2008-10-15 江西省电力信息通讯有限公司 Single-point login method under point-to-point model
CN101399671A (en) * 2008-11-18 2009-04-01 中国科学院软件研究所 Cross-domain authentication method and system thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
雷传锐: "Design and implementation of a cross-platform secure single sign-on service based on CAS", China Master's Theses Full-text Database, Information Science and Technology series *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20131127