CN103716285A - Single sign on method, proxy server and single sign on system - Google Patents


Info

Publication number: CN103716285A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN201210376039.4A
Other languages: Chinese (zh)
Inventors: 刘彦, 刘康, 黄琛
Current assignee: Siemens AG
Original assignee: Siemens AG
Priority application: CN201210376039.4A
Related PCT application: PCT/EP2013/068986 (WO2014048769A1)
Publication: CN103716285A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Abstract

The invention discloses a single sign-on method. The method comprises: receiving a user's sign-on request sent by a client to an application system; analysing the communication protocol between the client and the application system and, from the received sign-on request, generating an authentication data packet and sending it to the application system; and receiving the authentication result returned by the application system and returning it to the client, where the authentication result is generated after the application system authenticates the received authentication data packet. The invention further discloses a proxy server and a single sign-on system for carrying out the method. The single sign-on method is suited to deployment in existing application systems, simple to realise and low in implementation cost.

Description

Single sign-on method, proxy server and system
Technical field
The present invention relates to the field of communications, and in particular to a single sign-on method, proxy server and system.
Background art
Different application systems may run on different hardware platforms and operating systems and use different authentication schemes. Under a single sign-on (SSO) mechanism the user logs in only once (entering one user name and password) and can then access every application system in the group of mutually trusting systems. This mechanism is one of the popular solutions for enterprise business integration.
Single sign-on methods fall broadly into two classes: ticket-based approaches and credential-vault approaches.
Ticket-based methods offer better security. They apply the Kerberos protocol, which is built on symmetric-key cryptography and lets different users exchange data securely over an insecure network. However, ticket-based methods usually require the application systems participating in SSO to be modified so that they can verify and decrypt tickets.
Credential-vault methods store the user's credentials (generally the user's name and password in each system) securely, for example in an encrypted database. The user logs in to all application systems by entering one user name and password; a client-side utility looks up the user's credential in the vault and simulates the user typing the user name and password into each system. Because credential-vault methods require no modification of the application systems, they are the more widely used.
Credential-vault methods are in most cases implemented by a client utility (also called a password manager), and this has a drawback:
the password manager must be deployed and configured on every user terminal, which increases the complexity of administration and maintenance.
Summary of the invention
In view of this, the object of the invention is to provide a single sign-on mechanism that can be deployed in existing application systems, is simple to realise and reduces implementation cost.
According to one embodiment of the invention, a single sign-on method comprises the following steps:
receiving a user's login request sent by a client to an application system;
analysing the communication protocol between the client and the application system and, from the received login request, generating an authentication data packet and sending it to the application system;
receiving the authentication result returned by the application system and returning it to the client, where the authentication result is generated after the application system authenticates the received authentication data packet.
According to one embodiment of the invention, a proxy server comprises:
a receiving module, for receiving the login request sent by the client to the application system and for receiving the authentication result returned by the application system, where the authentication result is generated after the application system authenticates the received authentication data packet;
a generating module, for analysing the communication protocol between the client and the application system and generating the authentication data packet from the received login request;
a sending module, for sending the authentication data packet to the application system and for returning the authentication result to the client.
According to one embodiment of the invention, a single sign-on system comprises:
a client, for sending a user's login request to an application system and receiving the authentication result returned by a proxy server;
the proxy server, for receiving the login request, analysing the communication protocol between the client and the application system, generating an authentication data packet from the received login request and sending it to the application system, receiving the authentication result returned by the application system, and returning the authentication result to the client;
the application system, for authenticating the received authentication data packet and returning the authentication result towards the client.
Brief description of the drawings
The above characteristics, technical features, advantages and embodiments of the invention are further described below, clearly and understandably, through the description of preferred embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a block diagram of the single sign-on system in an embodiment of the invention, with the credential vault located outside the proxy server;
Fig. 2 is the main flow chart of the single sign-on method in an embodiment of the invention;
Fig. 3 is the flow chart of the single sign-on method over the Telnet protocol in an embodiment of the invention;
Fig. 4A is the flow chart of the prior-art login method over the FTP protocol;
Fig. 4B is the flow chart of single sign-on over the FTP protocol in an embodiment of the invention;
Fig. 5A is the flow chart of the prior-art login method over the SSH-1 protocol;
Fig. 5B is the flow chart of single sign-on over the SSH-1 protocol in an embodiment of the invention.
Detailed description
To give a clearer understanding of the technical features, objects and effects of the invention, specific embodiments are now described with reference to the drawings, in which the same reference numeral denotes the same part. The proportions of the parts in the drawings are schematic only, chosen to show the relationships between the parts clearly, and do not represent the proportions of a real structure.
Fig. 1 is a block diagram of the single sign-on system in an embodiment of the invention. It mainly comprises a client 101, a proxy server 102 and an application system 103. The system may further comprise a credential vault 104; in Fig. 1 the credential vault 104 is located outside the proxy server 102.
The client 101 sends the user's login request to the application system 103. The proxy server 102 receives the login request, analyses the communication protocol between the client 101 and the application system 103, generates an authentication data packet from the received login request and sends it to the application system 103, receives the authentication result returned by the application system 103, and returns that authentication result to the client 101.
Before sending the login request, the client 101 may first complete a handshake with the application system 103 through the proxy server 102. The number of handshake exchanges depends on the specific protocol, and the handshake may be initiated either by the client 101 or by the application system 103. When the handshake ends the authentication process begins: the client 101 sends the login request with which the user logs in to the application system 103, and that request passes through, and is received by, the proxy server 102.
If the single sign-on system has a client/server (C/S) architecture, the client 101 of this embodiment may be the application system's own client; if it has a browser/server (B/S) architecture, the client 101 may be a browser. A person skilled in the art will understand that if the system uses another architecture, the client 101 may be adapted accordingly. Any client 101 that can interact with the application system 103 and send the user's login request is within the scope of the invention.
A single sign-on system may contain several clients 101: different users may send login requests to the application system 103 from different clients 101, and several users may send login requests to the application system 103 from one client 101. In either case, whether there are several clients 101 or several users sharing one client 101, they can all share one proxy server 102 with no additional equipment, which simplifies deployment and reduces its cost.
The proxy server 102 receives the login request, analyses the communication protocol between the client 101 and the application system 103, generates an authentication data packet from the received login request and sends it to the application system 103, receives the authentication result returned by the application system 103, and sends that authentication result to the client 101. When the proxy server 102 receives the login request of a user A, it looks up, by the user ID of user A, the credential information of user A for the application system 103 in the credential vault 104, generates from that credential information an authentication data packet for authenticating the user's identity, and sends the packet to the application system 103. If the credential vault 104 holds no credential information for user A, authentication is impossible and the proxy server 102 may return a message to the client 101 stating that it cannot authenticate.
In this embodiment the credential information may comprise the user's ID and password in the application system 103, or a ticket of the user for the application system 103, or other information.
The proxy server 102 may also receive an authentication response message sent by the application system 103. If a challenge-response authentication mechanism is used, this message carries challenge data, one implementation of which is a random number. The proxy server 102 receives the authentication response message carrying the random number from the application system 103 and analyses it; the details of the analysis differ from protocol to protocol.
Which protocol is in use is usually told apart by port number: HTTP (Hypertext Transfer Protocol) normally uses port 80, FTP (File Transfer Protocol) port 21, Telnet port 23, SSH (Secure Shell) port 22, SMTP (Simple Mail Transfer Protocol) port 25, and so on. The client 101 and the application system 103 may also agree on a port number of their own; where the proxy server 102 is deployed, it takes over the port that the client 101 and the application system 103 agreed on. Once the protocol has been identified by port, the proxy server 102 can analyse the messages exchanged between the client 101 and the application system 103 with its protocol state machine and supply the corresponding credential information to the application system 103 in place of the client 101. In practice the port is only a hint: nothing prevents a different protocol from being run on a port, so the proxy's state machine should also check the server's greeting or handshake against the protocol it expects before injecting credentials.
If the protocol analysis shows that response data must be generated from the random number, the proxy server 102 generates the response data and sends it to the application system 103.
When the proxy server 102 receives the authentication-success or authentication-failure message returned by the application system 103, it returns that authentication result to the client 101.
The whole authentication process can be transparent to the client 101 and the application system 103; neither the user nor the application system need be aware that the proxy server 102 exists.
The application system 103 authenticates the received authentication data packet and sends the authentication result to the proxy server 102. The authentication data packet sent by the proxy server 102 may contain the user ID and the credential information corresponding to that user. From the received packet the application system 103 generates an authentication response message; if a challenge-response mechanism is used, that message contains random information, which is one implementation of challenge data. Challenge-response is an authentication mechanism of the application system 103 that prevents replay of a captured response. It does not on its own protect a weak password: an attacker who captures a challenge and the corresponding response can still test password guesses against that pair offline.
The credential vault 104 may be located inside the proxy server 102 or be a storage device outside it. It stores the credential information with which each user logs in to each system, with each user's user ID stored against the corresponding credential information so that the proxy server 102 can look up the credential by user ID. The user ID may itself be the credential information or part of it; for example, the user ID may be the user name, and the proxy server 102 looks up the corresponding password by user name. In this embodiment the credential vault 104 may be password-protected or protected by other security measures to guarantee the security of the stored data. Since the vault holds reusable credentials for every user on every application system, and the proxy server 102 can read all of them, both are high-value targets: the vault contents should be encrypted at rest with keys held outside the vault store, and access to the proxy and the vault should be restricted and audited.
With the technical solution of this embodiment, only the one proxy server 102 has to be maintained and managed, and the clients 101 need not be reconfigured, which makes maintenance and management easier and saves cost. The proxy server 102 is independent of the client 101 and the application system 103, so it can serve client applications of different types and versions; and because it sits between the client 101 and the application system 103, neither the configuration nor the application environment of either needs to be modified, which makes deployment convenient.
To explain the idea of the invention better, the single sign-on method of this embodiment is described below by its flow.
Referring to Fig. 2, the main flow of the single sign-on method in this embodiment, carried out on the proxy server 102 side, is as follows:
Step 201: receive the user's login request sent by the client 101 to the application system 103.
Step 202: by protocol analysis, generate an authentication data packet from the received login request and send it to the application system 103.
Step 203: receive the authentication result returned by the application system 103 and return it to the client 101, where the authentication result is generated after the application system authenticates the received authentication data packet.
In an embodiment of the invention, suppose that the client 101 and the application system 103 share a negotiated secret function f. (From the application system's point of view f was negotiated with the client 101; in fact the proxy server 102 received the application system's messages and carried out the negotiation with it, so f is really negotiated between the proxy server 102 and the application system 103.) The challenge-response authentication then proceeds as follows: the application system 103 sends a random message m towards the client 101 as the challenge; the proxy server 102 receives m, computes a transformation r = f(m) of it and sends r to the application system 103 as the response. The application system 103 independently computes r and checks whether the r returned by the proxy server 102 is correct. If it is, the application system 103 returns an authentication-success message towards the client 101, which the proxy server 102 receives; if not, it returns an authentication-failure message, which the proxy server 102 likewise receives. In effect the application system 103 delivers the authentication result to the proxy server 102. For example, the proxy server 102 may use a one-way hash function to generate a byte string from the user name, the credential information and the random information, and send that string to the application system 103 as the response message; the application system 103 compares the received response with its own computation and returns authentication success towards the client 101 if they match, and authentication failure otherwise, the proxy server 102 receiving the result in each case. Alternatively the authentication process need not use challenge-response at all; another authentication mechanism may be chosen as required.
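The challenge-response exchange described above, as an added example that is not part of the patent: the application system issues a random challenge m, the proxy server answers with r = f(m) derived from the user's credential in the vault, and the application system recomputes r. The page only specifies "a one-way hash over user name, credential and random value"; this example chooses HMAC-SHA256 keyed by the credential as f, consumes each challenge once, and includes a replay attempt to show why single-use challenges matter. The class and function names, the vault and the account table are constructed for the example.

```python
"""Challenge-response login carried out by the proxy on the user's behalf (Fig. 2).
Added example; names, vault and accounts are constructed, not from the patent."""
import hashlib
import hmac
import os


def response(username: str, credential: bytes, challenge: bytes) -> bytes:
    """f(m): keyed one-way function. The patent only says 'one-way hash over user
    name, credential and random value'; HMAC keyed by the credential is this
    example's choice, and the NUL separator keeps name and challenge unambiguous."""
    return hmac.new(credential, username.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class ApplicationSystem:
    """Application system 103: issues challenges and verifies responses."""

    def __init__(self, accounts: dict):
        self.accounts = accounts      # username -> credential (constructed)
        self.pending = {}             # username -> outstanding challenge m

    def challenge(self, username: str) -> bytes:
        m = os.urandom(16)            # fresh random challenge per attempt
        self.pending[username] = m
        return m

    def verify(self, username: str, r: bytes) -> bool:
        m = self.pending.pop(username, None)   # single use: a replayed r cannot match
        if m is None or username not in self.accounts:
            return False
        expected = response(username, self.accounts[username], m)
        return hmac.compare_digest(expected, r)   # constant-time comparison


class ProxyServer:
    """Proxy server 102: answers the challenge from the credential vault 104."""

    def __init__(self, vault: dict):
        self.vault = vault            # user ID -> credential in the application system

    def answer(self, username: str, m: bytes):
        credential = self.vault.get(username)
        if credential is None:        # no credential in the vault: cannot authenticate
            return None
        return response(username, credential, m)


def login(app: ApplicationSystem, proxy: ProxyServer, username: str) -> bool:
    """One login: challenge from the app, response from the proxy, verdict from the app."""
    m = app.challenge(username)
    r = proxy.answer(username, m)
    return r is not None and app.verify(username, r)


def replay(app: ApplicationSystem, proxy: ProxyServer, username: str) -> bool:
    """Capture a valid response, then replay it against a fresh challenge."""
    m1 = app.challenge(username)
    captured = proxy.answer(username, m1)
    app.verify(username, captured)    # legitimate login consumes m1
    app.challenge(username)           # the server issues a new m2
    return app.verify(username, captured)   # the old r does not match m2


# Constructed sample data: the application system's accounts and the vault contents.
ACCOUNTS = {"alice": b"correct horse battery staple", "bob": b"hunter2"}
VAULT = {"alice": b"correct horse battery staple", "bob": b"stale-password"}

if __name__ == "__main__":
    app, proxy = ApplicationSystem(ACCOUNTS), ProxyServer(VAULT)
    print("alice:", login(app, proxy, "alice"))                 # True
    print("bob (stale vault entry):", login(app, proxy, "bob"))  # False
    print("replay of alice's response:", replay(app, proxy, "alice"))  # False
```

The single-use challenge is what defeats replay; the keyed hash and constant-time comparison are the two details a verifier on the application system must get right. Note that an observer who records one (m, r) pair can still try candidate passwords against it offline, which is the limit of what challenge-response gives a password-based credential.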
The single sign-on method of this embodiment is now described through example flows.
1. Example over the Telnet protocol
First, the prior-art login method over Telnet, in brief:
Step 1: the terminal sends a login request to the application system. Under Telnet the handshake is unrelated to user authentication and is omitted here.
Step 2: the application system responds to the terminal with a "login" prompt.
Step 3: the terminal user enters the user name.
Step 4: the application system generates a "password" prompt asking the terminal user to enter the password.
Step 5: the terminal enters the user password.
Step 6: the application system verifies the user's authentication information and responds to the terminal with a "welcome" message. Authentication is complete.
In this process several different terminals may need to authenticate, and a password manager may have to be configured on each of them, which increases the complexity of management and maintenance. Even where these terminals target the same server and work under the same protocol, they may run client applications of different types and versions, which makes the work harder still.
Referring to Fig. 3, the detailed flow of single sign-on over Telnet in this embodiment is:
Step 301: the client 101 sends the user's login request to the application system 103.
The client 101 in fact sends the login request to the application system 103 through the proxy server 102, which receives it. Different users may send login requests to the application system 103 from one client 101; each user has their own credential information, and these credentials, together with the corresponding user IDs, may be stored in the credential vault 104.
Step 302: the proxy server 102 forwards the login request unchanged.
Step 303: the application system 103 sends a "login" prompt towards the client 101; the proxy server 102 receives it. The "login" prompt asks the user to enter the user name.
Step 304: from the user ID in the received login request, the proxy server 102 looks up that user's credential information for the application system 103, such as user name and password, in the credential vault 104.
Step 305: the proxy server 102 generates a response packet from the user name and sends it to the application system 103.
Step 306: the application system 103 sends a "Password" prompt towards the client 101; the proxy server 102 receives it. The "Password" prompt asks the user to enter the password.
Step 307: the proxy server 102 generates a second response packet from the user password and sends it to the application system 103.
Step 308: the application system 103 authenticates the user information and returns the authentication result towards the client 101; the proxy server 102 receives it. On success the application system returns a "welcome" message; on failure it returns an authentication-failure message. Authentication ends.
Step 309: the proxy server 102 returns the received authentication result to the client 101.
Telnet carries the user name and password in cleartext, so the path between the proxy server 102 and the application system 103 must be protected by other means, such as a dedicated network segment; otherwise the credentials the proxy injects are exposed to anyone who can observe that traffic.
2. Example over the FTP protocol
Referring to Fig. 4A, the prior-art login method over FTP, in brief:
Step 1: the terminal sends a login request to the application system. Under FTP the handshake is unrelated to user authentication and is omitted here.
Step 2: the application system and the terminal negotiate.
Step 3: after negotiation the application system replies to the terminal with a response message, which may prompt the terminal to enter the user name.
Step 4: the terminal sends the user name to the application system.
Step 5: the application system replies with a response message, which may prompt the terminal to enter the password.
Step 6: the terminal enters the user password.
Step 7: the application system verifies the user's authentication information and responds to the terminal with a "welcome" message. Authentication is complete.
Referring to Fig. 4B, the detailed flow of single sign-on over FTP in this embodiment is:
Step 401: the client 101 sends the user's login request to the application system 103.
The client 101 in fact sends the login request through the proxy server 102, which forwards it unchanged. Different users may send login requests to the application system 103 from one client 101; each user has their own credential information, and these credentials, together with the corresponding user IDs, may be stored in the credential vault 104.
Step 402: the application system 103 negotiates with the client 101 through the proxy server 102.
Step 403: after negotiation the application system 103 replies towards the client 101 with a response message; the proxy server 102 receives it. The message may prompt the user to enter the user name; for example, the application system 103 sends a "login" prompt towards the client 101, which the proxy server 102 receives.
Step 404: from the user ID in the received login request, the proxy server 102 looks up that user's credential information for the application system 103, such as user name and password, in the credential vault 104.
Step 405: the proxy server 102 generates a response packet from the user name and sends it to the application system 103.
Step 406: the application system 103 replies towards the client 101 with a response message; the proxy server 102 receives it. The message may prompt the user to enter the password; for example, the application system 103 sends a "Password" prompt towards the client 101, which the proxy server 102 receives.
Step 407: the proxy server 102 generates a second response packet from the user password and sends it to the application system 103.
Step 408: the application system 103 authenticates the user information and returns the authentication result towards the client 101; the proxy server 102 receives it.
Step 409: the proxy server 102 returns the received authentication result to the client 101.
Authentication ends. In the FTP protocol itself (RFC 959) the user name is carried in a USER command and the password in a PASS command, and the server's "prompts" are three-digit reply codes rather than text; the response packets of steps 405 and 407 are those two commands. Like Telnet, FTP sends both in cleartext on the control connection, so the same protection of the path between the proxy server 102 and the application system 103 applies.
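The proxy's protocol state machine, as an added example serving the port-based protocol identification described with Fig. 1 and the Telnet (Fig. 3) and FTP (Fig. 4B) flows above; it is not the patent's code. The proxy selects a rule table by destination port, classifies each message from the application system, answers the user-name and password prompts from the credential vault, and reports the final result to the client, including the "cannot authenticate" case for a user with no vault entry. The vault, the accounts, the class names and the two simulated application systems are constructed for the example; the FTP side uses the real USER/PASS commands and 220/331/230/530 reply codes of RFC 959.

```python
"""Proxy-side single sign-on by protocol analysis (Figs. 3 and 4B, plus the port-based
protocol identification described with Fig. 1). Added example: vault, accounts, class
names and the two simulated application systems are constructed, not the patent's code."""
import re

# Credential vault 104 (constructed): user ID in the login request -> (user name,
# password) in the application system. A real vault must be encrypted and access
# controlled; a dict is used only so the example runs offline.
VAULT = {
    "alice": ("alice", "correct horse"),
    "bob": ("bsmith", "stale-password"),   # out-of-date entry: exercises the failure path
}

# Protocol state tables selected by destination port. Each rule is
# (pattern over the server's message, vault field to send, framing, final result).
PROTOCOLS = {
    23: [  # Telnet: free-text prompts, answers are bare lines
        (re.compile(r"login:\s*$"), "username", "{}\r\n", None),
        (re.compile(r"[Pp]assword:\s*$"), "password", "{}\r\n", None),
        (re.compile(r"[Ww]elcome"), None, None, "success"),
        (re.compile(r"incorrect"), None, None, "failure"),
    ],
    21: [  # FTP (RFC 959): three-digit reply codes drive USER / PASS
        (re.compile(r"^220 "), "username", "USER {}\r\n", None),
        (re.compile(r"^331 "), "password", "PASS {}\r\n", None),
        (re.compile(r"^230 "), None, None, "success"),
        (re.compile(r"^530 "), None, None, "failure"),
    ],
}

class SsoProxy:
    """Proxy server 102 for one login session; the protocol is chosen by port."""
    def __init__(self, port, vault=VAULT):
        self.rules, self.vault, self.creds = PROTOCOLS[port], vault, None

    def on_login_request(self, user_id):
        """Steps 301/304: resolve the user ID in the vault; error text if unknown."""
        if user_id not in self.vault:
            return "cannot authenticate: no credential for user"
        self.creds = dict(zip(("username", "password"), self.vault[user_id]))
        return None

    def on_server_message(self, msg):
        """Steps 303-308: answer a prompt from the vault or report the final result.
        Returns (packet for the application system, result for the client)."""
        for pattern, field, frame, result in self.rules:
            if pattern.search(msg):
                return (None, result) if result else (frame.format(self.creds[field]), None)
        return None, None   # not an authentication message

class TelnetApp:
    """Stand-in for application system 103 speaking Telnet login prompts."""
    def __init__(self, accounts):
        self.accounts, self.user = accounts, None
    def greet(self):
        return "login: "
    def receive(self, line):
        line = line.rstrip("\r\n")
        if self.user is None:
            self.user = line
            return "Password: "
        return "Welcome\r\n" if self.accounts.get(self.user) == line else "Login incorrect\r\n"

class FtpApp:
    """Stand-in for application system 103 speaking FTP USER/PASS."""
    def __init__(self, accounts):
        self.accounts, self.user = accounts, None
    def greet(self):
        return "220 Service ready\r\n"
    def receive(self, line):
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        if verb == "USER":
            self.user = arg
            return "331 Password required\r\n"
        ok = verb == "PASS" and self.accounts.get(self.user) == arg
        return "230 Login successful\r\n" if ok else "530 Login incorrect\r\n"

def run_login(port, user_id, app, max_rounds=8):
    """Drive one login through the proxy; returns what the client is finally told."""
    proxy = SsoProxy(port)
    err = proxy.on_login_request(user_id)
    if err:
        return err
    msg = app.greet()
    for _ in range(max_rounds):
        packet, result = proxy.on_server_message(msg)
        if result:
            return result
        if packet is None:          # unexpected message: stop rather than guess
            return "failure"
        msg = app.receive(packet)
    return "failure"

# Constructed accounts on the application system (bob's vault entry is stale).
ACCOUNTS = {"alice": "correct horse", "bsmith": "the-real-one"}

if __name__ == "__main__":
    for port, user, app in [(23, "alice", TelnetApp), (21, "alice", FtpApp),
                            (21, "bob", FtpApp), (23, "mallory", TelnetApp)]:
        print(port, user, run_login(port, user, app(ACCOUNTS)))
```

The rule table is the "protocol state machine" of the description: adding another line-oriented cleartext protocol means adding its prompts and reply codes, not changing the proxy. The bounded loop and the stop on an unrecognised message matter in practice, because a proxy that keeps answering prompts it does not understand would eventually type a password into something that is not a password prompt. An encrypted protocol such as SSH cannot be handled this way at all: the proxy would have to terminate the session and negotiate its own session key with the application system before it could see or inject anything.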
3. Example over the SSH-1 protocol
Referring to Fig. 5A, the prior-art login method over SSH-1, in brief:
Step 1: the terminal and the application negotiate the protocol version.
Step 2: the terminal and the application negotiate the algorithms.
Step 3: the terminal enters the user name.
Step 4: the application replies with a response message, which may prompt the terminal to enter the password.
Step 5: the terminal enters the user password.
Step 6: the application system verifies the user's authentication information and responds to the terminal with a "welcome" message. Authentication is complete.
Referring to Fig. 5B, the detailed flow of single sign-on over SSH-1 in this embodiment is:
Step 501: the client 101 negotiates the protocol version with the application 103 through the proxy server 102.
Step 502: the client 101 negotiates the algorithms with the application 103 through the proxy server 102.
Step 503: the proxy server 102 receives the response message the application 103 returns towards the client 101, which may indicate that the user name is expected. The original text labels this point of the exchange with the "SSH_CMSG_USER" message; in the SSH-1 protocol that name denotes the message the client sends to declare the user name, which in this embodiment the proxy server 102 sends on the client's behalf.
Step 504: the proxy server 102 generates a response packet from the user name and sends it to the application system 103.
Step 505: the proxy server 102 receives the response message the application system 103 replies towards the client 101, which may indicate that the password is expected. The original text labels this point with the "SSH_CMSG_PASSWORD" message; as with SSH_CMSG_USER, the password message in SSH-1 is sent by the client, here by the proxy server 102 in its place.
Step 506: the proxy server 102 generates a second response packet from the user password and sends it to the application system 103.
Step 507: the application system 103 authenticates the user information and returns the authentication result towards the client 101; the proxy server 102 receives it.
Step 508: the proxy server 102 returns the received authentication result to the client 101.
Authentication ends. Two points matter in practice for SSH. First, after the algorithm negotiation of step 502 the SSH session is encrypted under a key agreed between the two endpoints, so the proxy server 102 can only inject the user name and password if it is itself the endpoint that negotiated with the application system 103, that is, it terminates the client's SSH session and opens its own session to the application system; the client 101 then sees the proxy's host key rather than the application system's, and host-key checking on the client must be set up to accept it. Second, SSH-1 is obsolete and is disabled or removed in current SSH implementations; the flow above is kept as the patent describes it, and the same two-session arrangement would be needed for SSH-2.
According to embodiments of the invention, in proxy server 102, can comprise receiver module, generation module and sending module.
The logging request that receiver module sends to application system 103 for receiving client 101, and receive the authentication result that described application system 103 is returned.
Generation module, for by analyzing the communication protocol between described client and described application system, generates authentication data packet according to the logging request receiving.
In an embodiment of the present invention, generation module specifically can, for inquiring about the credential information of this user in described application system 103 according to the user ID in the logging request receiving in credential vault, generate authentication data packet according to this user's described credential information.
Sending module is used for sending described authentication data packet to described application system 103, and returns to described authentication result to described client 101.
In embodiments of the present invention, a proxy server 102 is placed between the client 101 and the application system 103. By means of protocol analysis, this proxy server 102 can obtain the corresponding credential information on behalf of the client 101, which solves the prior-art problem of having to deploy a client tool separately on each different client 101.
With a proxy server 102 added between the client 101 and the application system 103, the login process is completed through the information exchange between the proxy server 102 and the application system 103. No password manager needs to be configured on the client 101; only the single proxy server 102 needs to be maintained, which saves the steps and cost of maintenance and management. Since there is no password manager, there are also no restrictions imposed by client applications on a password manager, which makes the work easier. Authentication can be performed for different terminals without increasing the complexity of management and maintenance.
In the prior art, different users may log in to the target device through different types and versions of client programs. Although these password managers have the same target device and operate under the same protocol, the password manager must still be configured according to each type and version of client program, which increases the difficulty of the work. Moreover, most password managers support only client programs based on the Microsoft Windows platform (an operating system) and do not support Linux X-Windows (an operating system) or other types of client program. After adopting the method of the present invention, since no password manager needs to be installed on the client, there is naturally no need to configure a password manager for different client programs, which reduces the workload; nor is there any need to consider that a password manager does not support some type of client program, which also enhances versatility.
It should be noted that not every step and module in each of the above flows and device structure diagrams is necessary; some steps or modules may be omitted according to actual needs. The execution order of the steps is not fixed and may be adjusted as required. The module structures described in the above embodiments may be physical structures or logical structures; that is, some modules may be implemented by the same physical entity, some modules may be implemented separately by several physical entities, or modules may be implemented jointly by components in several independent devices.
In each of the above embodiments, a hardware unit may be implemented mechanically or electrically. For example, a hardware unit may comprise permanent dedicated circuitry or logic (such as a dedicated processor, FPGA or ASIC) to complete the corresponding operation. A hardware unit may also comprise programmable logic or circuitry (such as a general-purpose processor or other programmable processor) that is temporarily configured by software to complete the corresponding operation. The concrete implementation (mechanical, dedicated permanent circuitry, or temporarily configured circuitry) may be decided on the basis of cost and time considerations.
The present invention also provides a machine-readable medium storing instructions for causing a machine to carry out the single sign-on method described herein. Specifically, a system or device equipped with a storage medium may be provided, on which software program code realizing the function of any of the above embodiments is stored, and the computer (or CPU or MPU) of this system or device is made to read and execute the program code stored on the storage medium.
In this case, the program code read from the storage medium itself realizes the function of any of the above embodiments, so the program code and the storage medium storing it form part of the present invention.
Storage media embodiments for providing the program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code may be downloaded from a server computer over a communication network.
In addition, it should be noted that not only the program code read by the computer, but also the operating system running on the computer, acting on instructions based on the program code, may perform part or all of the actual operations, thereby realizing the function of any of the above embodiments.
In addition, it is understood that the program code read from the storage medium may be written into memory provided on an expansion board inserted in the computer, or into memory provided in an expansion unit connected to the computer; instructions based on the program code then cause a CPU or the like mounted on the expansion board or expansion unit to perform part or all of the actual operations, thereby realizing the function of any of the above embodiments.
The present invention has been shown and described in detail above with reference to the drawings and preferred embodiments; however, the invention is not limited to the embodiments disclosed, and other solutions that a person skilled in the art derives therefrom also fall within the scope of protection of the present invention.

Claims (11)

1. A single sign-on method, characterized in that it comprises the following steps:
receiving a login request of a user that a client sends to an application system;
generating an authentication data packet from the received login request by analyzing the communication protocol between the client and the application system, and sending it to the application system;
receiving an authentication result returned by the application system, and returning the received authentication result to the client; wherein the authentication result is generated by the application system after authenticating the received authentication data packet.
2. The method of claim 1, characterized in that the step of generating an authentication data packet from the received login request and sending it to the application system comprises: querying a credential vault, using the user ID in the received login request, for this user's credential information in the application system; generating the authentication data packet from this user's credential information; and sending it to the application system.
3. The method of claim 2, characterized in that the credential information comprises this user's user ID and user password in the application system; or the credential information comprises this user's ticket in the application system.
4. A proxy server, comprising:
a receiving module, for receiving the login request that a client sends to an application system, and for receiving the authentication result returned by the application system; wherein the authentication result is generated by the application system after authenticating the received authentication data packet;
a generation module, for generating the authentication data packet from the received login request by analyzing the communication protocol between the client and the application system;
a sending module, for sending the authentication data packet to the application system, and returning the authentication result to the client.
5. The proxy server of claim 4, characterized in that the generation module is specifically for querying a credential vault, using the user ID in the received login request, for this user's credential information in the application system, and generating the authentication data packet from this user's credential information.
6. The proxy server of claim 5, characterized in that the credential information comprises this user's user ID and user password in the application system; or the credential information comprises this user's ticket in the application system.
7. A single sign-on system, characterized in that it comprises:
a client, for sending a user's login request to an application system, and receiving the authentication result returned by a proxy server;
the proxy server, for receiving the login request, generating an authentication data packet from the received login request by analyzing the communication protocol between the client and the application system, sending it to the application system, receiving the authentication result returned by the application system, and returning the authentication result to the client;
the application system, for authenticating the received authentication data packet and returning the authentication result to the client.
8. The system of claim 7, characterized in that it further comprises a credential vault for storing user IDs in correspondence with their credential information;
the proxy server is further for querying the credential vault, using the user ID in the received login request, for this user's credential information in the application system, and generating the authentication data packet from this user's credential information.
9. The system of claim 8, characterized in that the credential information comprises this user's user ID and user password in the application system; or the credential information comprises this user's ticket in the application system.
10. The system of claim 7, characterized in that the application system is further for authenticating the received authentication data packet using a challenge-response mechanism.
11. The system of claim 10, characterized in that the application system is further for sending challenge data to the client, and comparing the received reply data with the reply data it generates itself; if the two are identical, the user passes authentication, otherwise authentication fails;
the proxy server is further for receiving the challenge data, generating reply data from the received challenge data, and sending it to the application system.
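The following Python model of claims 7 to 11 is an added example, not code from the patent: a credential vault keyed by the user ID in the login request, a proxy that answers the application system's challenge on the client's behalf, and an application system that checks the reply and consumes each challenge once. The reply function (HMAC-SHA256 over the challenge with the vaulted password), the data layouts and all credentials are constructed assumptions; the patent does not specify them.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: the vault maps the user ID seen in the login
# request to that user's credential in the application system (claim 8).
CREDENTIAL_VAULT = {
    "alice": {"app_user": "alice.app", "app_password": b"constructed-secret-1"},
}
# Accounts the application system itself knows (constructed).
APP_ACCOUNTS = {"alice.app": b"constructed-secret-1"}


class ApplicationSystem:
    """Authenticates the packet with a challenge-response mechanism (claims 10-11)."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}  # app_user -> outstanding challenge

    def challenge(self, app_user):
        # A fresh random challenge per login attempt, remembered for one check.
        nonce = secrets.token_bytes(16)
        self.pending[app_user] = nonce
        return nonce

    def authenticate(self, app_user, reply):
        nonce = self.pending.pop(app_user, None)  # consumed: a reused reply fails
        if nonce is None or app_user not in self.accounts:
            return "FAIL"
        expected = hmac.new(self.accounts[app_user], nonce, hashlib.sha256).digest()
        return "OK" if hmac.compare_digest(expected, reply) else "FAIL"


class ProxyServer:
    """Receiving, generation and sending modules of claims 4 to 6 in one object."""

    def __init__(self, vault, app):
        self.vault = vault
        self.app = app

    @staticmethod
    def reply_for(password, nonce):
        # Assumed reply function: HMAC-SHA256 of the challenge under the vault password.
        return hmac.new(password, nonce, hashlib.sha256).digest()

    def handle_login(self, login_request):
        # Receiving module: the login request the client addressed to the application system.
        cred = self.vault.get(login_request["user_id"])
        if cred is None:
            return "FAIL"  # no credential on file for this user ID
        # Generation module: take the challenge on the client's behalf and build the packet.
        nonce = self.app.challenge(cred["app_user"])
        packet = self.reply_for(cred["app_password"], nonce)
        # Sending module: forward the packet, then relay the result back to the client.
        return self.app.authenticate(cred["app_user"], packet)
```

The client never holds or sees the application password; only the proxy's vault does, which is the point of claims 2 and 8.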
CN201210376039.4A 2012-09-29 2012-09-29 Single sign on method, proxy server and single sign on system Pending CN103716285A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210376039.4A CN103716285A (en) 2012-09-29 2012-09-29 Single sign on method, proxy server and single sign on system
PCT/EP2013/068986 WO2014048769A1 (en) 2012-09-29 2013-09-13 Single sign-on method, proxy server and system

Publications (1)

Publication Number Publication Date
CN103716285A true CN103716285A (en) 2014-04-09

Family

ID=49223756

Country Status (2)

Country Link
CN (1) CN103716285A (en)
WO (1) WO2014048769A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506498A (en) * 2016-11-07 2017-03-15 安徽四创电子股份有限公司 A kind of inter-system data calls authorization and authentication method
CN107154936A (en) * 2017-04-27 2017-09-12 腾讯科技(深圳)有限公司 Login method, device and system
CN110177111A (en) * 2019-06-06 2019-08-27 北京芯盾时代科技有限公司 A kind of Information Authentication method, system and device
CN112749182A (en) * 2019-10-30 2021-05-04 深圳市傲冠软件股份有限公司 Method, audit terminal, device and storage medium for agent access to Oracle database
CN114285897A (en) * 2021-12-22 2022-04-05 杭州安恒信息技术股份有限公司 Application docking method, device, system, electronic equipment and readable storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9584515B2 (en) * 2014-04-30 2017-02-28 Citrix Systems, Inc. Enterprise system authentication and authorization via gateway
CN111314366B (en) * 2020-02-25 2022-07-08 广州致远电子有限公司 MQTT protocol-based secure login system and method
EP3996342A1 (en) * 2020-11-09 2022-05-11 Bull SAS Method and system for access to a remote application
CN112769826B (en) * 2021-01-08 2023-05-12 深信服科技股份有限公司 Information processing method, device, equipment and storage medium
CN114021094B (en) * 2021-11-29 2023-05-26 北京深盾科技股份有限公司 Remote server login method, electronic device and storage medium
CN114584353A (en) * 2022-02-23 2022-06-03 上海外服云信息技术有限公司 Single sign-on method for mobile terminal to access CAS

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805336A (en) * 2005-01-12 2006-07-19 北京航空航天大学 Single entering method and system facing ASP mode
CN101087192A (en) * 2006-06-06 2007-12-12 富士施乐株式会社 Controlling device, recording medium storing control program and communication system
CN101902329A (en) * 2009-05-31 2010-12-01 西门子(中国)有限公司 Method and device for single sign on
CN101938356A (en) * 2009-06-30 2011-01-05 西门子(中国)有限公司 Method and device used for certificating user identity
CN102111410A (en) * 2011-01-13 2011-06-29 中国科学院软件研究所 Agent-based single sign on (SSO) method and system
US20110265166A1 (en) * 2010-04-26 2011-10-27 Research In Motion Limited Integrated authentication

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6606663B1 (en) * 1998-09-29 2003-08-12 Openwave Systems Inc. Method and apparatus for caching credentials in proxy servers for wireless user agents
US8453225B2 (en) * 2009-12-23 2013-05-28 Citrix Systems, Inc. Systems and methods for intercepting and automatically filling in forms by the appliance for single-sign on

Also Published As

Publication number Publication date
WO2014048769A1 (en) 2014-04-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140409