CN104065616A - Single sign-on method and system - Google Patents


Publication number: CN104065616A
Authority: CN (China)
Prior art keywords: application, middleware, login, authentication server, authorization information
Legal status: Granted
Application number: CN201310089647.1A
Other languages: Chinese (zh)
Other versions: CN104065616B (en)
Inventor: 路晓明
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority to CN201310089647.1A
Publication of CN104065616A
Application granted
Publication of CN104065616B
Legal status: Active

Landscapes

  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a single sign-on method and system, intended to solve the problem that single sign-on schemes in the prior art require the client to be started in order to trigger opening a browser for single sign-on. The method comprises: a first application sends a login request containing automatic login authorization information to middleware installed in the user terminal; after receiving the login request, the middleware obtains a shared key agreed with the authentication server and, after verifying by means of the shared key and specified information that the automatic login authorization information is correct, obtains a login credential; the middleware provides the login credential to the first application; the first application sends the login credential to the application server. The login credential indicates that the user terminal has been successfully authenticated by the authentication server.

Description

Single sign-on method and system

Technical field

The invention relates to the field of data services, and in particular to a single sign-on method and system.

Background

"Single sign-on" is currently a very common form of service login on the Internet. It lets a user authenticate once and log in many times, so that the user does not have to enter a password repeatedly, which improves the experience of using services. For example, when a client accesses application server 1 for the first time, it has not yet logged in to any application server, so it is redirected to the authentication server to log in. The authentication server verifies the identity using the login information supplied by the client and, if verification succeeds, returns an authentication credential, a "ticket", to the client. When the client later accesses another application server, such as application server 2, it carries this ticket as proof that it has already been authenticated. On receiving an access request carrying a ticket, the other application server sends the ticket to the authentication server for verification, which checks the ticket's validity. If the check passes, the client can access application server 2 without logging in again.

Current single sign-on schemes are mostly aimed at Web applications: they rely on the browser's redirection mechanism and session management mechanism to keep the user's login state and pass it between different services. Such schemes have difficulty supporting single sign-on across clients and browsers. Specifically, the following two kinds of requirement are hard to meet with the above schemes provided by the prior art:

First requirement: after the user has logged in successfully with a client, opening a service page in the browser should log the user in automatically with the client's user identity;

Second requirement: after the user has logged in successfully with a browser, running a local client should log that client in automatically.

For the first requirement, an existing technique proposes the client-to-browser single sign-on scheme shown in Figure 1. Its implementation mainly comprises the following steps:

First, after receiving a login instruction entered by the user, the client logs in to the authentication server and obtains the authentication credential (for example the ticket described above) returned by the authentication server;

When the client detects an access instruction produced by the user clicking an application link offered by the client, it generates an identity credential from the authentication credential returned by the authentication server and constructs a URL containing that identity credential;

The client invokes the browser, so that the browser sends an access request to the application server using the generated URL containing the identity credential;

Then the application server asks the authentication server to verify the identity credential contained in the access request;

The authentication server verifies the identity credential and, once it has confirmed that the client has logged in successfully, returns the verification result to the application server;

Finally, according to the verification result, the application server sends the post-login page to the browser for display.

The flow shown in Figure 1 has two main defects:

1. The browser must be opened by the user starting the client; the user manually opening a browser to perform single sign-on is not supported;

2. It cannot meet the second requirement described above.

Summary of the invention

Embodiments of the invention provide a single sign-on method and system to solve the problems that the single sign-on schemes of the prior art require the client to be started in order to trigger opening a browser for single sign-on, and do not support the second requirement described above.

Embodiments of the invention adopt the following technical solutions:

A single sign-on method, comprising:

A first application installed in a user terminal obtains automatic login authorization information and sends a login request containing that information to middleware installed in the user terminal, where the automatic login authorization information is generated by the authentication server by computing a digest with a shared key and specified information; after receiving the login request, the middleware obtains the shared key agreed with the authentication server and, after verifying by means of the shared key and the specified information that the automatic login authorization information in the login request is correct, obtains a login credential, where the login credential indicates that the user terminal has been successfully authenticated by the authentication server; the middleware provides the login credential to the first application; and the first application sends the login credential to the application server.

A single sign-on system, comprising a first application and middleware installed in a user terminal, where:

the first application is configured to obtain automatic login authorization information, send a login request containing that information to the middleware, obtain the login credential provided by the middleware and send the login credential to the application server, where the automatic login authorization information is generated by the authentication server by computing a digest with a shared key and specified information;

the middleware is configured to, after receiving the login request, obtain the shared key agreed with the authentication server and, after verifying by means of the shared key and the specified information that the automatic login authorization information in the login request is correct, obtain a login credential and provide it to the first application, where the login credential indicates that the user terminal has been successfully authenticated by the authentication server.

The beneficial effects of the embodiments of the invention are as follows:

By providing middleware that can obtain the single sign-on authorization information that the authentication server issues to a successfully authenticated user terminal, the user terminal can complete single sign-on on the basis of that information regardless of whether it accesses the application server with a browser or with a client. This meets the second requirement described in the background, and solves the problems that the single sign-on schemes of the prior art require the client to be started in order to trigger opening a browser for single sign-on and do not support the second requirement described above.

Brief description of the drawings

Figure 1 shows the client-to-browser single sign-on scheme of the prior art;

Figure 2 is a schematic flowchart of a single sign-on method provided by an embodiment of the invention;

Figure 3 is a schematic diagram of the system structure used to implement Embodiment 1 and Embodiment 2;

Figure 4 is a schematic flowchart of the specific implementation of Embodiment 1;

Figure 5 is a schematic flowchart of the specific implementation of Embodiment 2.

Detailed description

To solve the problems that the single sign-on schemes of the prior art require the client to be started in order to trigger opening a browser for single sign-on, and do not support the second requirement described above, embodiments of the invention provide a new single sign-on scheme. The scheme provides middleware that can obtain the single sign-on authorization information the authentication server issues to a successfully authenticated user terminal, so that whether the user terminal accesses the application server with a browser or with a client, it can complete single sign-on on the basis of the information obtained by the middleware.

Embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the embodiments described here serve only to illustrate and explain the invention and do not limit it. Where there is no conflict, the embodiments and the features of the embodiments in this description may be combined with one another.

First, an embodiment of the invention provides a single sign-on method as shown in Figure 2. The method mainly comprises the following steps:

Step 21: the first application installed in the user terminal obtains automatic login authorization information;

Unlike the prior art, in the embodiments of the invention the first application must first obtain this automatic login authorization information before it accesses a server. The information is generally generated by the authentication server by computing a digest with the shared key and specified information. The first application may obtain it in, but not limited to, one of the following two ways:

Way 1: the first application reads automatic login authorization information that was placed in advance in the user terminal's storage. For example, the information may be stored in the terminal's storage when the terminal is configured at the factory.

Way 2: the first application sends a service request to the application server and receives the automatic login authorization information that the application server returns in response. The application server may obtain the information it returns as follows:

First, after receiving the service request, the application server sends an authentication request containing its own identifier to the authentication server;

Then the authentication server receives the authentication request and checks whether the application server identifier it contains is present in a pre-stored identifier set, which consists of the identifiers of the application servers that are allowed to be accessed;

Finally, if the check succeeds, the authentication server sends the automatic login authorization information to the application server, and the application server forwards it to the user terminal so that the first application obtains it.

The advantage of way 2 is that the first application can be restricted to accessing only the pre-configured application servers that are allowed to be accessed. Because those servers are usually verified, legitimate application servers, way 2 goes some way to preventing problems such as leakage of user information caused by the first application accessing an illegitimate application server, and so improves the legitimacy of the single sign-on scheme as a whole.

Step 22: the first application sends a login request containing the obtained automatic login authorization information to the middleware installed in the user terminal;

The middleware described here may be a software module installed in the user terminal, or a physical module implemented by a combination of hardware and software. Such a physical module may be located inside the user terminal or outside it; when it is outside, it can be connected to the user terminal and exchange information with it.

Step 23: after receiving the login request, the middleware obtains the shared key agreed with the authentication server;

One way for the middleware to obtain the shared key agreed with the authentication server is as follows:

First, the middleware obtains a middleware login credential sent by the authentication server; the authentication server sends this credential after verifying that the user verification information sent by a second application in the user terminal is correct;

Then the middleware sends the middleware login credential to the authentication server;

Finally, the middleware receives the shared key sent by the authentication server after it has verified that the middleware login credential is correct. Alternatively, after verifying the middleware login credential, the authentication server may send shared-key generation information to the middleware, and the middleware generates the shared key from that information.

Alternatively, the middleware may generate the shared key directly using a key generation algorithm agreed in advance with the authentication server.

Step 24: using the shared key obtained and the specified information described above, the middleware verifies whether the automatic login authorization information in the login request is correct; if it is correct, step 25 is performed, otherwise the flow may end;

Step 25: the middleware obtains a login credential;

The login credential indicates that the user terminal has been successfully authenticated by the authentication server.

For example, in one specific implementation of the method, both the middleware and the authentication server hold a shared key K and a counter C. After the middleware receives the first application's login request, it can use the counter to generate a random number R (the challenge value) and return it to the first application, which sends R to the authentication server. The authentication server computes a digest H1 from the shared key K and R and returns H1 to the first application as the automatic login authorization information; the first application passes H1 to the middleware. The middleware verifies H1 with K; if the verification succeeds, the middleware computes a digest H2 from the shared key K, the counter C and other information (see Embodiment 1 below for the details of this other information), and uses H2 as the login credential.

In addition, the login credential may also be issued by the authentication server to a user terminal that has been successfully authenticated, and stored in the user terminal.

Alternatively, the login credential may be generated by the middleware from single sign-on authorization information provided by the authentication server, where that information indicates that the user terminal has been successfully authenticated. In this case, if the middleware has already obtained and stored the single sign-on authorization information before it receives the login request from the first application, it can fetch the information directly from its own storage after receiving the login request and use it as the login credential. If the middleware has not yet obtained the information when the login request arrives, it can treat the login request as a trigger, send user verification information (usually a username and password) to the authentication server, and obtain the single sign-on authorization information that the authentication server provides after verifying that the user verification information is correct.

Step 26: the middleware provides the login credential to the first application;

Step 27: the first application sends the login credential to the application server, and the flow ends.

In the embodiments of the invention, the specified information used by the authentication server when generating the automatic login authorization information may be a challenge value sent by the first application. In that case, the method may further include the following two steps before step 21:

Step 1: after receiving a login identity request from the first application, the middleware generates a random challenge value;

Step 2: the middleware sends the first application an identity response containing the generated challenge value, so that the first application can send the challenge value to the authentication server.
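The following is an added example, not code from the patent, that models the exchange described above in steps 21 to 27, the two pre-steps that issue the challenge value, the allow-list check of way 2, and the K/C variant in which the authentication server returns H1 = digest(K, R, ...) and the middleware issues H2 = digest(K, C, ...). The patent fixes none of the primitives, so the following are assumptions: the keyed "digest" is HMAC-SHA256, the challenge R is 16 random bytes from a CSPRNG, the "other information" is a context string such as the page URL, the counter C is incremented once per credential, and the authentication server accepts a credential only if its C is larger than the last one it accepted (a replay check the text implies but does not spell out). All class, method and server names, and the user table, are constructed for illustration.

```python
# Added example (not from the patent): a runnable model of the exchange
# between first application, middleware and authentication server.
# Assumptions not fixed by the text: the keyed "digest" is HMAC-SHA256, the
# challenge R is 16 random bytes, the counter C is incremented per credential
# and the authentication server accepts a credential only if its C is larger
# than the last one it accepted (replay check). All names are illustrative.
import hashlib
import hmac
import secrets


def keyed_digest(key: bytes, *fields: str) -> str:
    """Digest over the listed fields under key K (HMAC-SHA256 by assumption)."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self, users: dict, allowed_app_servers):
        self.users = users                        # user_id -> password (constructed demo table)
        self.allowed = set(allowed_app_servers)   # identifier set of "way 2"
        self.user_keys = {}                       # user_id -> K (step 41)
        self.last_counter = {}                    # user_id -> last accepted C

    def login(self, user_id: str, password: str) -> bytes:
        """Step 41: verify the name/password sent by the second application, issue K."""
        # compare_digest on str needs ASCII; a real server would compare password hashes
        if not hmac.compare_digest(self.users.get(user_id, ""), password):
            raise PermissionError("user verification information incorrect")
        k = secrets.token_bytes(32)
        self.user_keys[user_id] = k
        self.last_counter[user_id] = 0
        return k

    def authorize(self, app_server_id: str, user_id: str, challenge: str, context: str) -> str:
        """Steps 47-48 plus the way-2 allow-list: H1 = digest(K, R, context)."""
        if app_server_id not in self.allowed:
            raise PermissionError(f"{app_server_id} is not an allowed application server")
        return keyed_digest(self.user_keys[user_id], "auth", challenge, context)

    def verify_credential(self, user_id: str, counter: int, context: str, h2: str) -> bool:
        """Step 412: check H2 = digest(K, C, context) and reject a reused C."""
        k = self.user_keys.get(user_id)
        if k is None or counter <= self.last_counter[user_id]:
            return False
        if not hmac.compare_digest(keyed_digest(k, "cred", str(counter), context), h2):
            return False
        self.last_counter[user_id] = counter
        return True


class Middleware:
    def __init__(self):
        self.user_id = None
        self.key = None          # K; "not logged in" while None (step 46)
        self.counter = 0         # C
        self.pending = {}        # outstanding challenge R -> context

    def store_key(self, user_id: str, k: bytes) -> None:
        self.user_id, self.key = user_id, k

    def identity_request(self, context: str):
        """Steps 45-46: None if not logged in, else (user_id, R)."""
        if self.key is None:
            return None
        challenge = secrets.token_hex(16)
        self.pending[challenge] = context
        return self.user_id, challenge

    def credential_request(self, challenge: str, h1: str):
        """Steps 24-25 / 410: verify H1 under K, then issue (C, H2)."""
        context = self.pending.pop(challenge, None)   # each R is usable once
        if context is None:
            return None
        if not hmac.compare_digest(keyed_digest(self.key, "auth", challenge, context), h1):
            return None
        self.counter += 1
        return self.counter, keyed_digest(self.key, "cred", str(self.counter), context)


def first_application_flow(app_server_id: str, mw: Middleware, auth: AuthServer, context: str):
    """Steps 21-27 as seen by the first application (browser or client)."""
    ident = mw.identity_request(context)
    if ident is None:
        return None                                   # terminal not logged in
    user_id, challenge = ident
    h1 = auth.authorize(app_server_id, user_id, challenge, context)
    return mw.credential_request(challenge, h1)


if __name__ == "__main__":
    auth = AuthServer({"alice": "correct horse"}, ["app1.example"])
    mw = Middleware()
    mw.store_key("alice", auth.login("alice", "correct horse"))
    counter, h2 = first_application_flow("app1.example", mw, auth, "https://app1.example/page")
    print(auth.verify_credential("alice", counter, "https://app1.example/page", h2))  # True
```

Two design points worth noting. The middleware records each challenge it issued and discards it after one use, so an H1 captured from one exchange cannot be replayed to obtain a second credential, and the authentication server only accepts a strictly increasing C, so an H2 cannot be presented twice. Both comparisons use `hmac.compare_digest` rather than `==` so that verification time does not depend on how many leading bytes of a forged digest happen to match.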

In the embodiments of the invention, the first application may be a browser or an application other than a browser. The difference from the prior art is that, with the scheme provided by the embodiments, whatever the type of application, when it wants to log in to an application server it sends the automatic login authorization information and a login request to the middleware in order to obtain a login credential. This meets the second requirement described in the background, and solves the problems that the single sign-on schemes of the prior art require the client to be started in order to trigger opening a browser for single sign-on and do not support the second requirement described above.

In the embodiments of the invention, the first application may be a browser and the second application a non-browser application, or the second application may be a browser and the first application a non-browser application. Specifically, when the second application is a browser and the first application is a non-browser client, the second requirement described in the background is met.

Two specific embodiments are used below to describe in detail how the scheme provided by the embodiments of the invention is applied in practice.

Embodiment 1

Embodiment 1 implements the client-to-browser single sign-on flow: after the user has logged in successfully on the client, opening a service page in the browser logs the user in automatically with the client's user identity.

The structure of the system used to implement Embodiment 1 is shown in Figure 3 and comprises a user terminal, an application server and an authentication server. The user terminal contains several applications, including a browser and non-browser applications; in Figure 3 the non-browser applications are labelled "client" and "Web application".

Based on the system shown in Figure 3, the implementation flow of Embodiment 1 is described below. It comprises the following steps, shown in Figure 4:

步骤41,用户终端成功通过认证服务器的认证后,获得认证服务器向用户终端返回的用户密钥K,并将K存储于设置于用户终端中的中间件中;Step 41, after the user terminal successfully passes the authentication of the authentication server, obtain the user key K returned by the authentication server to the user terminal, and store K in the middleware provided in the user terminal;

具体地,用户终端可以在接收到用户输入的客户端运行指令后,在显示屏上展示用户验证信息输入界面;然后,将用户输入的用户验证信息(一般包括用户名和密码)发送给认证服务器进行认证。在该用户验证信息通过认证服务器的校验而被确定为正确后,用户终端就可以获得认证服务器反馈的K。Specifically, the user terminal can display the user authentication information input interface on the display screen after receiving the client operation instruction input by the user; certified. After the user verification information is confirmed to be correct through the verification by the authentication server, the user terminal can obtain the K fed back by the authentication server.

步骤42,用户终端接收到用户输入到浏览器中的应用服务器访问指令后,向应用服务器发送访问请求;Step 42, the user terminal sends an access request to the application server after receiving the application server access instruction input by the user into the browser;

比如,用户终端在接收到用户输入到浏览器中的应用服务器域名后,根据该域名,向相应的应用服务器发送访问请求。For example, after receiving the domain name of the application server entered by the user into the browser, the user terminal sends an access request to the corresponding application server according to the domain name.

步骤43,应用服务器将浏览器重定向到认证服务器;Step 43, the application server redirects the browser to the authentication server;

步骤44,认证服务器向浏览器返回认证页面信息,其中:该认证页面信息中除包含显示在浏览器窗口中的内容外,还包含浏览器本地运行的脚本(如javascript脚本);Step 44, the authentication server returns authentication page information to the browser, wherein: the authentication page information includes not only the content displayed in the browser window, but also scripts (such as javascript scripts) run locally by the browser;

步骤45,浏览器通过调用该javascript脚本,触发向本地中间件监听端口发送登录身份请求;Step 45, the browser triggers sending a login identity request to the local middleware listening port by calling the javascript script;

步骤46,中间件判断用户终端是否已成功通过认证服务器的认证,如判断结果为时,则中间件向浏览器返回用户的身份标识响应(包含用户标识和挑战值),并继续执行步骤47,否则,中间件向浏览器返回用户终端未登录通知消息,并结束该单点登录流程;Step 46, the middleware judges whether the user terminal has successfully passed the authentication of the authentication server, if the judgment result is yes, the middleware returns the user's identity response (including the user identifier and challenge value) to the browser, and proceeds to step 47, Otherwise, the middleware returns a notification message that the user terminal is not logged in to the browser, and ends the single sign-on process;

一般地,中间件可以根据自身是否存储有认证服务器发送的K来判断用户终端是否已成功通过认证服务器的认证。Generally, the middleware can judge whether the user terminal has successfully passed the authentication of the authentication server according to whether it stores the K sent by the authentication server.

此外,上述挑战值可以但不限于是中间件生成的一个随机数。In addition, the above challenge value may be, but not limited to, a random number generated by the middleware.

可选的,中间件向浏览器返回的用户的身份标识响应中还可以包含一些附加信息(诸如浏览器发送给认证服务器的用户终端的系统时间、浏览器所访问页面的URL或一些固定字符串等)。Optionally, the user's identity response returned by the middleware to the browser may also contain some additional information (such as the system time of the user terminal sent by the browser to the authentication server, the URL of the page visited by the browser, or some fixed character strings wait).

步骤47,浏览器向认证服务器发送中间件返回的用户标识和挑战值,以请求自动登录授权;Step 47, the browser sends the user ID and challenge value returned by the middleware to the authentication server to request automatic login authorization;

步骤48,认证服务器从自身存储的用户标识与用户密钥的对应关系中,确定浏览器发送的用户标识对应的用户密钥K,并使用K对浏览器发送来的挑战值和其他一些附加信息(诸如浏览器发送给认证服务器的用户终端的系统时间、浏览器所访问页面的URL或一些固定字符串等)计算摘要,生成自动登录授权信息,并将生成的该自动登录授权信息返回给浏览器;Step 48: The authentication server determines the user key K corresponding to the user ID sent by the browser from the correspondence between the user ID and the user key stored in itself, and uses K to verify the challenge value and other additional information sent by the browser. (such as the system time of the user terminal sent by the browser to the authentication server, the URL of the page visited by the browser or some fixed strings, etc.) calculate the summary, generate automatic login authorization information, and return the generated automatic login authorization information to the browser device;

Step 49: the browser, by calling a JavaScript script, triggers an identity credential acquisition request to the middleware; the request carries the automatic login authorization information.

Step 410: the middleware uses its stored K to verify the correctness of the automatic login authorization information and, if it is correct, generates a login credential.

The generated login credential contains the single sign-on authorization information that the authentication server provided to the user terminal.

For example, since K is sent by the authentication server only to a successfully authenticated user terminal, K indicates that the user terminal may perform single sign-on, so K can be regarded as the single sign-on authorization information provided by the authentication server to the user terminal. Alternatively, the authentication server may, after successfully authenticating the user terminal, provide some other information as the single sign-on authorization information.

Step 411: the middleware returns the login credential to the browser.

Step 412: the browser sends the login credential to the authentication server; after verifying that the login credential is correct, the authentication server generates an identity credential and redirects the browser to the application server. When it is redirected to the application server, the browser sends the application server the identity credential that the authentication server provided to it.

Optionally, the authentication server may instead send the generated identity credential directly to the application server when it redirects the browser there.

Step 413: the application server queries the authentication server about the correctness of the identity credential it obtained.

Step 414: once the query confirms that the identity credential is correct, the application server returns to the browser the post-login page shown to a successfully logged-in user terminal.

Through the above steps, because the user terminal hosts a middleware that can obtain and store the single sign-on authorization information the authentication server provides to a successfully authenticated terminal, once the user has authenticated the terminal through the client, a later visit to the application server from the browser can complete single sign-on using the single sign-on authorization information stored in the middleware.
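The following is an added example, not code from the patent, of the challenge/response exchange of steps 46 to 410 with the middleware and the authentication server modelled as in-process objects. The middleware holds the per-user key K the authentication server delivered to it, and the authentication server holds the same K indexed by user identifier (step 48). HMAC-SHA256 stands in for the patent's unspecified "digest", and the additional information bound into it is the page URL and a timestamp, two of the options the page lists. The message formats, the 60-second challenge lifetime, the single-use rule for challenges and the shape of the login credential are assumptions, not something the page specifies.

```python
"""Added example (not from the patent): steps 46-410 of Embodiment 1.

Assumptions: HMAC-SHA256 as the digest, URL + timestamp as the additional
information, a 60-second challenge lifetime, one redemption per challenge,
and a login credential that proves possession of K instead of carrying K.
"""
import hashlib
import hmac
import os
import time

CHALLENGE_TTL = 60  # seconds a challenge stays redeemable (assumed)


def digest(key: bytes, *parts: bytes) -> bytes:
    """Keyed digest over length-prefixed parts, so fields cannot shift into one another."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(4, "big"))
        mac.update(p)
    return mac.digest()


class AuthServer:
    def __init__(self):
        self.keys = {}  # user identifier -> K (the mapping consulted in step 48)

    def register(self, user_id: str, K: bytes) -> None:
        self.keys[user_id] = K

    def auto_login_authorization(self, user_id, challenge, url, ts):
        """Step 48: digest over the challenge and additional information under the user's K."""
        K = self.keys.get(user_id)
        if K is None:
            return None
        return digest(K, challenge, url.encode(), str(ts).encode())


class Middleware:
    def __init__(self, user_id: str, K: bytes = None):
        self.user_id = user_id
        self.K = K         # None until the authentication server has delivered K
        self.pending = {}  # challenge -> (url, ts) issued and not yet redeemed

    def identity_response(self, url: str):
        """Step 46: refuse when not authenticated, otherwise issue a fresh random challenge."""
        if self.K is None:
            return None    # 'user terminal not logged in'
        challenge = os.urandom(16)
        ts = int(time.time())
        self.pending[challenge] = (url, ts)
        return {"user_id": self.user_id, "challenge": challenge, "url": url, "ts": ts}

    def verify_and_issue(self, challenge: bytes, authorization: bytes):
        """Step 410: check the authorization against K; every challenge is redeemable once."""
        if self.K is None or authorization is None:
            return None
        ctx = self.pending.pop(challenge, None)  # unknown or already-used challenge: reject
        if ctx is None:
            return None
        url, ts = ctx
        if time.time() - ts > CHALLENGE_TTL:
            return None
        expected = digest(self.K, challenge, url.encode(), str(ts).encode())
        if not hmac.compare_digest(expected, authorization):  # constant-time comparison
            return None
        # Login credential (assumed format): a MAC under K over the user identifier and a
        # fresh nonce. The page lets the credential carry the authorization information
        # itself; keeping K inside the middleware is this example's choice.
        nonce = os.urandom(16)
        return nonce + digest(self.K, b"login-credential", self.user_id.encode(), nonce)


def run_flow(url="https://app.example/page"):
    """Steps 46-410 end to end; returns (credential, whether a replayed challenge was accepted)."""
    K = os.urandom(32)
    server = AuthServer()
    server.register("alice", K)
    mw = Middleware("alice", K)
    resp = mw.identity_response(url)                                            # step 46
    auth = server.auto_login_authorization(resp["user_id"], resp["challenge"],
                                           resp["url"], resp["ts"])             # steps 47-48
    cred = mw.verify_and_issue(resp["challenge"], auth)                         # steps 49-410
    replay = mw.verify_and_issue(resp["challenge"], auth)                       # same challenge again
    return cred, replay is not None


if __name__ == "__main__":
    cred, replayed = run_flow()
    print("credential issued:", cred is not None, "| replay accepted:", replayed)
```

Two checks in this example go beyond what the page states but are what a practitioner would want at step 410: the challenge is consumed on first use, so a captured authorization value cannot be redeemed twice, and the URL is bound into the digest, so authorization obtained for one page cannot be replayed against another.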

Embodiment 2

The system for implementing Embodiment 2 is again the one shown in FIG. 3: a user terminal, an application server, and an authentication server.

Based on the system shown in FIG. 3, the implementation flow of Embodiment 2 is described in detail below. The flow comprises the following steps, shown in FIG. 5:

Step 51: the user terminal receives the user verification information the user enters into the browser and uses it to obtain authentication from the authentication server.

Step 52: the browser requests a middleware login credential from the authentication server.

In Embodiment 2, the browser may request the middleware login credential from the authentication server by sending a service request to the application server.

Step 53: the authentication server returns the middleware login credential to the browser.

If the browser requests the middleware login credential by sending a service request to the application server, then on receiving the service request the application server may send the authentication server an authentication request containing the application server's identifier.

On receiving the authentication request, the authentication server determines whether the application server identifier it contains is present in a pre-stored identifier set, namely the set of identifiers of application servers that are allowed to be accessed.

If it is, the authentication server sends automatic login authorization information to the application server; this automatic login authorization information may be generated by the authentication server by computing a digest over the specified information using the user key.

After receiving the automatic login authorization information from the authentication server, the application server sends it together with the middleware login credential to the user terminal, so that the first application obtains both the automatic login authorization information and the middleware login credential.

Step 54: the browser invokes the middleware through a local method and passes it the middleware login credential.

For example, when the middleware is installed on the user terminal it can register a local application protocol (such as sso://). When a browser page on the user terminal needs to invoke the middleware, it assembles a URL from the call parameter param (such as sso://param) and redirects the browser to that URL; the browser then locates the middleware process registered for that protocol (sso://) and launches it, thereby invoking the middleware.
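As an added example that is not part of the patent, the following shows both ends of the sso://param invocation of step 54: the browser side assembling the URL and the middleware side parsing it. The caveat a practitioner should keep in mind is that any web page the browser loads can navigate to a registered protocol handler, so the middleware must treat param as untrusted input: bound its size, accept only the expected token alphabet, and act on it only after the authentication server has validated the middleware login credential it carries (steps 55 and 56). The scheme name is the page's; the base64url encoding of the credential, the 16 to 512 character bound and the function names are assumptions.

```python
"""Added example (not from the patent): handling a sso://<param> invocation.

Assumptions: the credential travels as an unpadded base64url token, a token
is between 16 and 512 characters, and the authentication server's decision
(steps 55-56) is supplied as a callback.
"""
import base64
import re

SCHEME = "sso://"
MAX_PARAM_LEN = 512  # assumed upper bound on the parameter
_TOKEN_RE = re.compile(rf"^[A-Za-z0-9_-]{{16,{MAX_PARAM_LEN}}}$")


class InvalidInvocation(ValueError):
    """Raised for any URL the middleware will not act on."""


def build_invocation(credential: bytes) -> str:
    """Browser side of step 54: assemble sso://<param> from the middleware login credential."""
    return SCHEME + base64.urlsafe_b64encode(credential).decode().rstrip("=")


def parse_invocation(url: str) -> bytes:
    """Middleware side: return the credential bytes carried by a sso:// URL, or raise."""
    if not isinstance(url, str) or not url.startswith(SCHEME):
        raise InvalidInvocation("unexpected scheme")
    param = url[len(SCHEME):]
    # Only a bare base64url token is accepted: no path, query, whitespace or control
    # characters, and nothing longer than MAX_PARAM_LEN. Any page can reach this code.
    if not _TOKEN_RE.fullmatch(param):
        raise InvalidInvocation("malformed parameter")
    pad = "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(param + pad)


def handle_invocation(url: str, redeem) -> bool:
    """Entry point when the browser launches the middleware with a sso:// URL.

    `redeem(credential)` stands for steps 55-56: the authentication server
    verifies the middleware login credential. Nothing is stored or returned
    to the caller unless that verification succeeds.
    """
    try:
        credential = parse_invocation(url)
    except InvalidInvocation:
        return False
    return bool(redeem(credential))


if __name__ == "__main__":
    issued = bytes(range(24))  # constructed stand-in for a credential from step 53
    url = build_invocation(issued)
    print(url)
    print("accepted:", handle_invocation(url, lambda c: c == issued))
    print("rejected:", handle_invocation("sso://../x", lambda c: True))
```

Because the redemption decision is delegated to the authentication server, a page that fabricates a sso:// URL gains nothing unless it also holds a valid, unexpired middleware login credential for the user.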

Step 55: the middleware sends the authentication server an authentication request carrying the middleware login credential.

Step 56: the authentication server verifies the correctness of the middleware login credential.

Step 57: after verifying that the middleware login credential is correct, the authentication server returns an authentication response to the middleware, and the two parties negotiate a shared user key; this user key can serve as the single sign-on authorization information the authentication server provides to the successfully authenticated user terminal.

Step 58: after receiving a start instruction from the user, the client calls the middleware's credential acquisition interface to send the middleware a login request asking for a login credential.

If the browser has also obtained automatic login authorization information, it sends that automatic login authorization information to the middleware as well.

Step 59: the middleware locally computes a login credential from the user key and returns it to the client.

Optionally, if the middleware received automatic login authorization information from the browser, it first verifies that information against the user key and the specified information, and only then generates the login credential and returns it to the client.

Step 510: the client sends the application server an authentication request carrying the login credential returned by the middleware.

Generally, so that the authentication server can identify the user to whom the login credential belongs, the authentication request sent by the client may also carry a user identifier.

Step 511: the application server asks the authentication server to verify the login credential carried in the client's authentication request, and receives the notification the authentication server sends after verifying that the login credential is correct.

If the authentication request also carries a user identifier, the application server forwards that user identifier to the authentication server as well. On receiving the user identifier and login credential, the authentication server looks up the user key corresponding to the received user identifier in its pre-stored mapping from user identifiers to user keys and compares it with the user key parsed out of the login credential; if they match, the login credential is determined to be correct, otherwise it is determined to be incorrect.

Step 512: the application server returns information indicating successful login to the client.

Through the steps of Embodiment 2, once the user has authenticated the terminal through the browser, a later access to the application server from the client can complete single sign-on using the single sign-on authorization information stored in the middleware. This satisfies the second class of requirement mentioned in the background section, and so resolves the problems of prior-art single sign-on schemes, namely that single sign-on must be triggered by launching the client to open a browser, and that the second class of requirement is not supported.
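The following is an added example, not code from the patent, of the Embodiment 2 exchange of steps 52 to 57 and 59 to 511, with the authentication server, the middleware and the application server modelled as in-process objects. The middleware login credential is issued as a one-time, expiring token bound to the user authenticated in step 51; the allow-list check of the application server identifier is applied when the service request arrives; and the shared user key of step 57 is generated by the authentication server and delivered in the authentication response, one of the options the page allows. One departure from the text is stated plainly: the page has the authentication server compare a user key "parsed out of the login credential", whereas here the middleware proves possession of the shared key K with an HMAC-SHA256 tag over the user identifier and a fresh nonce, so K itself is never sent to the application server. Identifiers, lifetimes and message formats are assumptions.

```python
"""Added example (not from the patent): Embodiment 2, steps 52-57 and 59-511.

Assumptions: a 24-byte one-time middleware login credential valid for 120 s,
a server-generated 32-byte K, HMAC-SHA256 as the digest, and a login
credential of the form nonce(16) || tag(32) that is verified by recomputation.
"""
import hashlib
import hmac
import os
import time


def digest(key: bytes, *parts: bytes) -> bytes:
    """Keyed digest over length-prefixed parts."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(4, "big"))
        mac.update(p)
    return mac.digest()


class AuthServer:
    CRED_TTL = 120  # seconds a middleware login credential may be redeemed (assumed)

    def __init__(self, allowed_app_servers):
        self.allowed = set(allowed_app_servers)  # pre-stored identifier set of permitted application servers
        self.sessions = {}   # middleware login credential -> (user identifier, expiry)
        self.user_keys = {}  # user identifier -> K, filled at step 57

    def app_server_allowed(self, app_server_id: str) -> bool:
        return app_server_id in self.allowed

    def issue_middleware_credential(self, user_id: str) -> bytes:
        """Steps 52-53: after the browser has authenticated, hand out a one-time credential."""
        cred = os.urandom(24)
        self.sessions[cred] = (user_id, time.time() + self.CRED_TTL)
        return cred

    def authenticate_middleware(self, cred: bytes):
        """Steps 55-57: redeem the credential once; returns (user identifier, K) or None."""
        entry = self.sessions.pop(cred, None)  # single use, whatever the outcome
        if entry is None:
            return None
        user_id, expiry = entry
        if time.time() > expiry:
            return None
        K = os.urandom(32)  # shared user key; server-generated here (assumed)
        self.user_keys[user_id] = K
        return user_id, K

    def verify_login_credential(self, user_id: str, credential: bytes) -> bool:
        """Step 511: look up K by user identifier and recompute the tag."""
        K = self.user_keys.get(user_id)
        if K is None or len(credential) != 48:
            return False
        nonce, tag = credential[:16], credential[16:]
        return hmac.compare_digest(digest(K, b"login", user_id.encode(), nonce), tag)


class Middleware:
    def __init__(self):
        self.user_id = None
        self.K = None

    def login(self, server: AuthServer, cred: bytes) -> bool:
        """Steps 54-57 from the middleware's side; keeps K only on success."""
        result = server.authenticate_middleware(cred)
        if result is None:
            return False
        self.user_id, self.K = result
        return True

    def login_credential(self):
        """Step 59: tag under K over the user identifier and a fresh nonce."""
        if self.K is None:
            return None
        nonce = os.urandom(16)
        return nonce + digest(self.K, b"login", self.user_id.encode(), nonce)


class AppServer:
    def __init__(self, app_id: str, server: AuthServer):
        self.app_id = app_id
        self.server = server

    def service_request(self, user_id: str):
        """Steps 52-53 via the application server: only allow-listed servers are served."""
        if not self.server.app_server_allowed(self.app_id):
            return None
        return self.server.issue_middleware_credential(user_id)

    def authenticate_client(self, user_id: str, credential: bytes) -> bool:
        """Steps 510-511: forward the user identifier and credential for verification."""
        return self.server.verify_login_credential(user_id, credential)


if __name__ == "__main__":
    srv = AuthServer(["app-1"])
    app, mw = AppServer("app-1", srv), Middleware()
    cred = app.service_request("alice")
    print("middleware logged in:", mw.login(srv, cred))
    print("client accepted:", app.authenticate_client("alice", mw.login_credential()))
```

Each middleware login credential can be redeemed once and only until it expires, so a token leaked from the browser after step 53 is of no further use once the middleware has presented it; the login credential of step 59 is bound to the user identifier that the application server forwards at step 511, so a credential captured for one user does not verify for another.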

It is worth noting that the middleware of either Embodiment 1 or Embodiment 2 can itself be capable of sending user verification information to the authentication server and thereby obtaining the single sign-on authorization information the authentication server provides to a successfully authenticated terminal. Therefore, even if the middleware has not yet obtained single sign-on authorization information when the browser (or client) requests a login credential, the middleware can use that request message as a trigger to send user verification information to the authentication server, obtain the single sign-on authorization information, and on that basis provide a login credential to the browser (or client).

Based on the same inventive concept as the single sign-on method described above, an embodiment of the present invention further provides a single sign-on system, to resolve the problems of prior-art single sign-on schemes that single sign-on must be triggered by launching the client to open a browser and that the second class of requirement described above is not supported. The system mainly comprises a first application and a middleware, both located in a user terminal, whose functions are as follows:

The first application is configured to obtain automatic login authorization information, send the middleware a login request containing that information, obtain the login credential the middleware provides, and send the login credential to the application server; the automatic login authorization information is generated by the authentication server by computing a digest over specified information using a shared key.

The middleware is configured, on receiving the login request, to obtain the shared key agreed with the authentication server and, after verifying from the shared key and the specified information that the automatic login authorization information in the login request is correct, to obtain a login credential and provide it to the first application; the login credential indicates that the user terminal has been successfully authenticated by the authentication server.

Optionally, the first application may specifically be configured to:

read, from the storage space of the user terminal, automatic login authorization information pre-stored there; or

send a service request to the application server and obtain the automatic login authorization information the application server returns in response to the service request.

The process by which the application server returns automatic login authorization information in response to the service request specifically comprises:

on receiving the service request, the application server sends the authentication server an authentication request containing the application server's identifier;

the authentication server receives the authentication request and determines whether the application server identifier it contains is present in a pre-stored identifier set, namely the set of identifiers of application servers that are allowed to be accessed;

if it is, the authentication server sends automatic login authorization information to the application server;

the application server forwards the automatic login authorization information from the authentication server to the user terminal, so that the first application obtains it.

Optionally, the specified information the authentication server uses to generate the automatic login authorization information is a challenge value sent by the first application. In that case the middleware may further be configured, before the automatic login authorization information is obtained, to randomly generate the challenge value on receiving a login identity request from the first application and to send the first application an identity response containing the challenge value; the first application is then further configured to send the challenge value to the authentication server.

Optionally, the middleware provided by this embodiment may specifically be configured to obtain a middleware login credential sent by the authentication server, where the middleware login credential is sent after the authentication server has verified that the user verification information sent by a second application in the user terminal is correct; to send the middleware login credential to the authentication server; and either to receive the shared key the authentication server sends after verifying that the middleware login credential is correct, or to generate the shared key from the shared-key generation information the authentication server sends after that verification. Alternatively, the middleware may specifically be configured to generate the shared key according to a key generation algorithm agreed in advance with the authentication server.

Optionally, the first application may be a browser and the second application a non-browser application; or the second application may be a browser and the first application a non-browser application. Alternatively, both the first and the second application may be browsers, or both may be non-browser applications.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by that processor produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on it, producing a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they have grasped the basic inventive concept. The appended claims are therefore intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.

Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, provided these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to cover them as well.

Claims (12)

1.一种单点登录方法,其特征在于,包括:1. A single sign-on method, characterized in that, comprising: 设置于用户终端中的第一应用获得自动登录授权信息,并向设置于所述用户终端中的中间件发送包含所述自动登录授权信息的登录请求,其中:自动登录授权信息是由认证服务器使用共享密钥和指定信息执行计算摘要的操作而生成的;The first application set in the user terminal obtains the automatic login authorization information, and sends a login request containing the automatic login authorization information to the middleware set in the user terminal, wherein: the automatic login authorization information is used by the authentication server Generated by performing the operation of calculating the summary of the shared key and specified information; 所述中间件接收所述登录请求后,获得与认证服务器约定的所述共享密钥,并在根据所述共享密钥和所述指定信息,验证出所述登录请求中的自动登录授权信息正确后,获得登录凭证,其中:所述登录凭证用于表征所述用户终端已成功获得所述认证服务器的认证;After receiving the login request, the middleware obtains the shared key agreed with the authentication server, and verifies that the automatic login authorization information in the login request is correct according to the shared key and the specified information After that, the login credential is obtained, wherein: the login credential is used to indicate that the user terminal has successfully obtained the authentication of the authentication server; 所述中间件将登录凭证提供给第一应用;the middleware provides login credentials to the first application; 第一应用将登录凭证发送给应用服务器。The first application sends the login credentials to the application server. 2.如权利要求1所述的方法,其特征在于,第一应用获得自动登录授权信息,具体包括:2. 
The method according to claim 1, wherein the first application obtains the automatic login authorization information, which specifically includes: 第一应用从所述用户终端的存储空间中,读取预先设置于所述存储空间中的自动登录授权信息;或The first application reads the automatic login authorization information preset in the storage space from the storage space of the user terminal; or 第一应用向应用服务器发送业务请求;The first application sends a service request to the application server; 应用服务器在接收到该业务请求后,向认证服务器发送包含该应用服务器的标识的认证请求;After receiving the service request, the application server sends an authentication request containing the application server's identification to the authentication server; 认证服务器接收认证请求,并判断认证请求中包含的应用服务器的标识是否存在于预先存储的标识集合中;其中:该标识集合由允许被访问的应用服务器的标识构成;The authentication server receives the authentication request, and judges whether the identification of the application server included in the authentication request exists in the pre-stored identification set; wherein: the identification set is composed of the identifications of the application servers that are allowed to be accessed; 认证服务器在判断结果为是时,向应用服务器发送自动登录授权信息;The authentication server sends automatic login authorization information to the application server when the judgment result is yes; 应用服务器将认证服务器发送的自动登录授权信息转发给所述用户终端,以使第一应用获得自动登录授权信息。The application server forwards the automatic login authorization information sent by the authentication server to the user terminal, so that the first application obtains the automatic login authorization information. 3.如权利要求1所述的方法,其特征在于,认证服务器生成自动登录授权信息时所利用的所述指定信息为第一应用发送的挑战值;则3. 
The method according to claim 1, wherein the specified information used by the authentication server to generate the automatic login authorization information is the challenge value sent by the first application; 第一应用获得自动登录授权信息前,还包括:Before the first app obtains the automatic login authorization information, it also includes: 所述中间件在接收到第一应用发送的登录身份请求后,随机生成所述挑战值;The middleware randomly generates the challenge value after receiving the login identity request sent by the first application; 所述中间件向第一应用发送包含所述挑战值的身份标识响应,以使第一应用向认证服务器发送所述挑战值。The middleware sends an identity response containing the challenge value to the first application, so that the first application sends the challenge value to the authentication server. 4.如权利要求1所述的方法,其特征在于,所述中间件获得与认证服务器约定的所述共享密钥,具体包括:4. The method according to claim 1, wherein the middleware obtains the shared key agreed with the authentication server, specifically comprising: 所述中间件获得认证服务器发送的中间件登录凭证,其中:所述中间件登录凭证是认证服务器验证出由所述用户终端中的第二应用所发送的用户验证信息正确后发送的;The middleware obtains the middleware login credential sent by the authentication server, wherein: the middleware login credential is sent after the authentication server verifies that the user verification information sent by the second application in the user terminal is correct; 所述中间件将所述中间件登录凭证发送给认证服务器;并the middleware sends the middleware login credentials to an authentication server; and 接收认证服务器在验证出所述中间件登录凭证正确后发送的所述共享密钥;或根据认证证服务器在验证出所述中间件登录凭证正确后发送的共享密钥生成信息,生成所述共享密钥。receiving the shared key sent by the authentication server after verifying that the middleware login credentials are correct; or generating the shared key according to the shared key generation information sent by the authentication server after verifying that the middleware login credentials are correct key. 5.如权利要求4所述的方法,其特征在于,第一应用为浏览器,第二应用为非浏览器的其他应用;或5. 
The method according to claim 4, wherein the first application is a browser, and the second application is other applications other than browsers; or 第二应用为浏览器,第一应用为非浏览器的其他应用。The second application is a browser, and the first application is other applications other than the browser. 6.如权利要求1所述的方法,其特征在于,中间件获得与认证服务器约定的共享密钥,具体包括:6. The method according to claim 1, wherein the middleware obtains the shared key agreed with the authentication server, specifically comprising: 中间件根据预先与认证服务器约定的密钥生成算法,生成共享密钥。The middleware generates a shared key according to the key generation algorithm pre-agreed with the authentication server. 7.一种单点登录系统,其特征在于,包括设置于用户终端中的第一应用和中间件,其中:7. A single sign-on system, characterized in that it includes a first application and middleware disposed in a user terminal, wherein: 所述第一应用,用于获得自动登录授权信息;并向所述中间件发送包含所述自动登录授权信息的登录请求;以及获得所述中间件提供的登录凭证,并将登录凭证发送给应用服务器;其中:自动登录授权信息是由认证服务器使用共享密钥和指定信息执行计算摘要的操作而生成的;The first application is configured to obtain automatic login authorization information; and send a login request containing the automatic login authorization information to the middleware; and obtain a login credential provided by the middleware, and send the login credential to the application server; wherein: the automatic login authorization information is generated by the authentication server using the shared key and specified information to perform the operation of calculating the summary; 所述中间件,用于在接收到所述登录请求后,获得获得与认证服务器约定的所述共享密钥,并在根据所述共享密钥和所述指定信息,验证出所述登录请求中的自动登录授权信息正确后,获得登录凭证并提供给所述第一应用;其中:所述登录凭证用于表征所述用户终端已成功获得所述认证服务器的认证。The middleware is configured to obtain the shared key agreed with the authentication server after receiving the login request, and verify the login request according to the shared key and the specified information After the automatic login authorization information is correct, the login credential is obtained and provided to the first application; wherein: the login credential is used to indicate that the user terminal has successfully 
obtained the authentication of the authentication server.

8. The system according to claim 7, wherein the first application is specifically configured to: read, from the storage space of the user terminal, the automatic login authorization information preset in that storage space; or send a service request to the application server and obtain the automatic login authorization information that the application server returns in response to the service request; wherein the process by which the application server returns the automatic login authorization information in response to the service request specifically includes: after receiving the service request, the application server sends to the authentication server an authentication request containing the identity of that application server; the authentication server receives the authentication request and judges whether the identity of the application server contained in the authentication request exists in a pre-stored identity set, where the identity set consists of the identities of the application servers that are allowed to be accessed; when the judgment result is yes, the authentication server sends the automatic login authorization information to the application server; and the application server forwards the automatic login authorization information sent by the authentication server to the user terminal, so that the first application obtains the automatic login authorization information.

9. The system according to claim 7, wherein the designated information used by the authentication server when generating the automatic login authorization information is a challenge value sent by the first application; the middleware is further configured to: before obtaining the automatic login authorization information and after receiving a login identity request sent by the first application, randomly generate the challenge value and send to the first application an identity response containing the challenge value; and the first application is further configured to send the challenge value to the authentication server.

10. The system according to claim 7, wherein the middleware is specifically configured to: obtain a middleware login credential sent by the authentication server, where the middleware login credential is sent after the authentication server has verified that the user verification information sent by a second application in the user terminal is correct; send the middleware login credential to the authentication server; and receive the shared key sent by the authentication server after it has verified that the middleware login credential is correct, or generate the shared key from the shared key generation information sent by the authentication server after it has verified that the middleware login credential is correct.

11. The system according to claim 10, wherein the first application is a browser and the second application is an application other than a browser; or the second application is a browser and the first application is an application other than a browser.

12. The system according to claim 7, wherein the middleware is specifically configured to generate the shared key according to a key generation algorithm agreed in advance with the authentication server.
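The challenge/response exchange that claims 7 to 12 describe, as an added Python example that is not part of the patent or the applicant's code; HMAC-SHA256 as the authorization tag and as the pre-agreed key generation algorithm, the allowlist contents and the sample identifiers are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample allowlist of application-server identities (claim 8).
ALLOWED_APP_SERVERS = {"app-server-A"}

def derive_shared_key(middleware_credential: bytes, key_gen_info: bytes) -> bytes:
    # Assumption: the pre-agreed key generation algorithm (claims 10 and 12) is
    # HMAC-SHA256 of the key generation information under the middleware login
    # credential, which both the middleware and the authentication server hold.
    return hmac.new(middleware_credential, key_gen_info, hashlib.sha256).digest()

def auth_tag(shared_key: bytes, app_server_id: str, challenge: bytes) -> bytes:
    # Assumption: the automatic login authorization information is an HMAC-SHA256
    # tag over the challenge and the application-server identity (claim 9).
    msg = app_server_id.encode() + b"|" + challenge
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

class AuthServer:
    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key

    def authorize(self, app_server_id: str, challenge: bytes):
        # Claim 8: the application server's identity must be in the stored set.
        if app_server_id not in ALLOWED_APP_SERVERS:
            return None
        return auth_tag(self.shared_key, app_server_id, challenge)

class Middleware:
    def __init__(self, shared_key: bytes, login_credential: bytes):
        self.shared_key, self.login_credential = shared_key, login_credential
        self.pending = {}  # outstanding challenges, keyed by application server

    def identity_request(self, app_server_id: str) -> bytes:
        # Claim 9: a fresh random challenge for each login identity request.
        self.pending[app_server_id] = secrets.token_bytes(16)
        return self.pending[app_server_id]

    def login(self, app_server_id: str, auth_info: bytes):
        # Claim 7: verify against the shared key. The challenge is single-use,
        # so a captured tag cannot be replayed; the comparison is constant-time.
        challenge = self.pending.pop(app_server_id, None)
        if challenge is None or not hmac.compare_digest(
                auth_tag(self.shared_key, app_server_id, challenge), auth_info):
            return None
        return self.login_credential

def single_sign_on(mw: Middleware, auth: AuthServer, app_server_id: str):
    # The first application's side of the exchange (the patent routes the
    # challenge through the application server; here it is passed directly).
    challenge = mw.identity_request(app_server_id)
    auth_info = auth.authorize(app_server_id, challenge)
    return None if auth_info is None else mw.login(app_server_id, auth_info)
```

The returned value is the login credential the first application would then send to the application server; a server outside the allowlist, a wrong shared key, or a replayed tag all yield None.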
CN201310089647.1A 2013-03-20 2013-03-20 Single-point logging method and system Active CN104065616B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310089647.1A CN104065616B (en) 2013-03-20 2013-03-20 Single-point logging method and system

Publications (2)

Publication Number Publication Date
CN104065616A true CN104065616A (en) 2014-09-24
CN104065616B CN104065616B (en) 2017-06-20

Family

ID=51553149

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant