CN104065616A - Single sign-on method and system - Google Patents
Publication number: CN104065616A (application number CN201310089647.1A)
Authority: CN (China)
Prior art keywords: application, authentication, middleware, logging, server
Legal status: Granted
Landscapes: Information Transfer Between Computers (AREA); Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a single sign-on method and system, in order to solve the problem of the single sign-on scheme provided by the prior art that single sign-on can be carried out only when a client is started so as to trigger and open a browser. The method comprises the following steps: a first application sends a login request, which carries automatic login authorization information, to a middleware arranged in a user terminal; after receiving the login request, the middleware obtains a shared key agreed with an authentication server and, after verifying according to the shared key and specified information that the automatic login authorization information is correct, obtains a login credential; the middleware provides the login credential to the first application; and the first application sends the login credential to an application server. The login credential represents that the user terminal has successfully been authenticated by the authentication server.
Description
Technical field
The present invention relates to the field of data services, and in particular to a single sign-on method and system.
Background technology
"Single sign-on" is a very common form of service login on today's Internet: it allows a user to authenticate once and log in many times, so that the user need not repeatedly enter a password, which improves the user's experience of the service. For example, when a client accesses application server 1 for the first time, it has not yet logged in to any application server, so it is redirected to the authentication server to log in. The authentication server verifies the user's identity according to the login information the client provides and, if verification passes, returns to the client an authentication credential, a "ticket". When the client subsequently accesses another application server, for instance application server 2, it carries this ticket as proof that it has already passed authentication. On receiving an access request carrying the ticket, the other application server passes the ticket to the authentication server, which checks its validity; if the check passes, the client can access application server 2 without logging in again.
Current single sign-on schemes are mostly applied to the Web, and rely on the browser's redirection mechanism and session management mechanism to keep the user's login state and to pass it between different services. Such schemes have difficulty supporting single sign-on across a client and a browser. Specifically, the following two classes of requirement cannot be met by the schemes the prior art provides:
First class of requirement: after the user has logged in successfully using a client, a service page opened in the browser logs in automatically with the user identity of the client;
Second class of requirement: after the user has logged in successfully using a browser, a local client that the user then runs logs in automatically.
For the first class of requirement, the prior art proposes the single sign-on scheme from client to browser shown in Fig. 1. The implementation of this scheme mainly comprises the following steps:
First, after receiving the login instruction entered by the user, the client logs in successfully to the authentication server and obtains the authentication credential (the ticket described above) fed back by the authentication server;
After receiving the access instruction produced when the user clicks an application link the client provides, the client generates an identity credential according to the authentication credential fed back by the authentication server, and constructs a URL containing this identity credential;
By calling the browser, the client causes the browser to send an access request to the application server according to the generated URL containing the identity credential;
Then, the application server requests the authentication server to verify the identity credential contained in the access request;
The authentication server verifies the identity credential and, after confirming that the client has logged in successfully, feeds the verification result back to the application server;
Finally, according to this verification result, the application server sends the information of the post-login page to the browser for display.
The flow shown in Fig. 1 mainly has the following two defects:
1. The user must start the client in order to trigger opening the browser; single sign-on when the user opens the browser manually is not supported;
2. The second class of requirement described above cannot be met.
Summary of the invention
The embodiment of the present invention provides a single sign-on method and system, in order to solve the problems of the single sign-on scheme provided by the prior art that single sign-on can only be carried out by starting a client to trigger opening a browser, and that the second class of requirement described above is not supported.
The embodiment of the present invention adopts the following technical solution:
A single sign-on method, comprising:
A first application arranged in a user terminal obtains automatic login authorization information, and sends a login request containing the automatic login authorization information to a middleware arranged in the user terminal, wherein the automatic login authorization information is generated by an authentication server by performing a digest calculation using a shared key and specified information; after receiving the login request, the middleware obtains the shared key agreed with the authentication server and, after verifying according to the shared key and the specified information that the automatic login authorization information in the login request is correct, obtains a login credential, wherein the login credential represents that the user terminal has successfully been authenticated by the authentication server; the middleware provides the login credential to the first application; and the first application sends the login credential to an application server.
A single sign-on system, comprising a first application arranged in a user terminal and a middleware, wherein:
the first application is used to obtain automatic login authorization information; to send a login request containing the automatic login authorization information to the middleware; and to obtain the login credential provided by the middleware and send it to an application server; wherein the automatic login authorization information is generated by an authentication server by performing a digest calculation using a shared key and specified information;
the middleware is used, after receiving the login request, to obtain the shared key agreed with the authentication server and, after verifying according to the shared key and the specified information that the automatic login authorization information in the login request is correct, to obtain a login credential and provide it to the first application; wherein the login credential represents that the user terminal has successfully been authenticated by the authentication server.
The beneficial effect of the embodiment of the present invention is as follows:
By arranging a middleware that can obtain the single sign-on authorization information the authentication server provides to a successfully authenticated user terminal, the user terminal can successfully perform single sign-on according to the single sign-on authorization information obtained by the middleware, regardless of whether it accesses the application server with a browser or with a client. This meets the second class of requirement mentioned in the background section, and solves the problems of the single sign-on scheme provided by the prior art that single sign-on can only be carried out by starting a client to trigger opening a browser, and that the second class of requirement is not supported.
Description of the drawings
Fig. 1 shows the single sign-on scheme from client to browser in the prior art;
Fig. 2 is a schematic flow chart of a single sign-on method provided by the embodiment of the present invention;
Fig. 3 is a schematic diagram of the system configuration for realizing embodiment 1 and embodiment 2;
Fig. 4 is a schematic flow chart of the specific implementation of embodiment 1;
Fig. 5 is a schematic flow chart of the specific implementation of embodiment 2.
Detailed description
In order to solve the problems of the single sign-on scheme provided by the prior art that single sign-on can only be carried out by starting a client to trigger opening a browser, and that the second class of requirement described above is not supported, the embodiment of the present invention provides a novel single sign-on scheme. In this scheme, a middleware is arranged that can obtain the single sign-on authorization information the authentication server provides to a successfully authenticated user terminal, so that, regardless of whether the user terminal accesses the application server with a browser or with a client, it can successfully perform single sign-on according to the single sign-on authorization information obtained by the middleware.
Embodiments of the invention are described below with reference to the drawings. It should be understood that the embodiments described here serve only to describe and explain the present invention and do not limit it. Where they do not conflict, the embodiments and the features of the embodiments in this description may be combined with one another.
First, the embodiment of the present invention provides a single sign-on method as shown in Fig. 2. The method mainly comprises the following steps:
Step 21: a first application arranged in a user terminal obtains automatic login authorization information;
Unlike the prior art, in the embodiment of the present invention the first application must first obtain this automatic login authorization information when it wishes to access a server. The automatic login authorization information is generally generated by the authentication server by performing a digest calculation using a shared key and specified information. The first application can obtain the automatic login authorization information by, but not limited to, one of the following two modes:
Mode one: the first application reads, from the storage space of the user terminal, automatic login authorization information that was set in advance in that storage space. For example, the automatic login authorization information can be stored in the storage space of the user terminal when the user terminal is configured with its default settings.
Mode two: the first application sends a service request to the application server, and receives the automatic login authorization information the application server feeds back according to this service request. The specific process by which the application server feeds back the automatic login authorization information according to the service request can be as follows:
First, after receiving the service request, the application server sends to the authentication server an authentication request containing the identifier of the application server;
Then, the authentication server receives the authentication request and judges whether the application server identifier contained in it is present in a pre-stored identifier set, where this identifier set consists of the identifiers of the application servers that are permitted to be accessed;
Finally, if the judgment result is yes, the authentication server sends automatic login authorization information to the application server, and the application server forwards the automatic login authorization information sent by the authentication server to the user terminal, so that the first application obtains it.
The advantage of mode two is that the first application can be restricted to accessing only the application servers that are set in advance as permitted. Since the application servers set in advance as permitted are usually legitimate application servers that have been verified, mode two can to some extent avoid the first application accessing an illegitimate application server and the resulting problems such as leakage of user information, thereby improving the legitimacy of the whole single sign-on scheme.
Step 22: the first application sends a login request containing the obtained automatic login authorization information to a middleware arranged in the user terminal;
The middleware described here can be a software module arranged in the user terminal, or a physical module realized by a combination of software and hardware. Such a physical module can be arranged inside the user terminal or placed outside it; when placed outside, it can be connected to the user terminal to exchange information with it.
Step 23: after receiving the login request, the middleware obtains the shared key agreed with the authentication server;
One specific flow by which the middleware obtains the shared key agreed with the authentication server is as follows:
First, the middleware obtains a middleware login credential sent by the authentication server, where the middleware login credential is sent by the authentication server after it has verified as correct the user authentication information sent by a second application in the user terminal;
Then, the middleware sends the middleware login credential to the authentication server;
Finally, the middleware receives the shared key, which the authentication server sends after verifying that the middleware login credential is correct. Alternatively, after verifying that the middleware login credential is correct, the authentication server can send shared-key generation information to the middleware, and the middleware generates the shared key from this shared-key generation information.
Alternatively, the middleware can also generate the shared key directly according to a key generation algorithm agreed in advance with the authentication server.
Step 24: the middleware verifies, according to the obtained shared key and the specified information described above, whether the automatic login authorization information in the login request is correct; if the verification result is that the automatic login authorization information is correct, step 25 is executed, otherwise the flow can end;
Step 25: the middleware obtains a login credential;
This login credential represents that the user terminal has successfully been authenticated by the authentication server.
For example, in one concrete implementation of the method provided by the embodiment of the present invention, a shared key K and a counter C can both be set in the middleware and in the authentication server. After receiving the login request from the first application, the middleware can use the counter to generate a random number R (the challenge value) and return it to the first application, and the first application sends R to the authentication server. The authentication server calculates a digest H1 using the shared key K and R, and returns H1 to the first application as the automatic login authorization information; the first application passes H1 on to the middleware. The middleware verifies H1 using K; if H1 verifies correctly, the middleware calculates a digest H2 using the shared key K, C and other information (for the specific content of the other information see embodiment 1 below), and uses the generated H2 as the login credential.
In addition, the login credential can also be provided by the authentication server to a user terminal that has successfully been authenticated by it, and stored in the user terminal.
Alternatively, the login credential can be generated by the middleware according to single sign-on authorization information provided by the authentication server, where this single sign-on authorization information represents that the user terminal has successfully been authenticated by the authentication server. In this mode of obtaining the login credential, if the middleware has already obtained and stored the single sign-on authorization information before receiving the login request sent by the first application, then after receiving the login request it can read the single sign-on authorization information directly from its own storage space and use it as the login credential. If, when the login request arrives, the middleware has not yet obtained the single sign-on authorization information, it can take the login request as a trigger condition to send user authentication information (generally a username and password) to the authentication server, and obtain the single sign-on authorization information the authentication server provides after verifying that the user authentication information is correct.
Step 26: the middleware provides the login credential to the first application;
Step 27: the first application sends the login credential to the application server, and the flow ends.
In the embodiment of the present invention, the specified information the authentication server uses when generating the automatic login authorization information can be a challenge value sent by the first application. In this scenario, the method can further include the following two steps before step 21:
Step 1: after receiving a login identity request sent by the first application, the middleware randomly generates a challenge value;
Step 2: the middleware sends to the first application an identity identification response containing the generated challenge value, so that the first application sends the challenge value to the authentication server.
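The challenge/response exchange of steps 21 to 27 together with the two pre-steps above (and, equivalently, steps 45 to 413 of embodiment 1), simulated end to end as an added example; this is not code from the patent. It assumes HMAC-SHA256 as the "digest" operation, a 16-byte random challenge, and that H2 is computed over the counter C, the challenge and the application server identifier, none of which the patent fixes.

```python
import hashlib
import hmac
import secrets


def digest(key: bytes, *parts: bytes) -> bytes:
    """The patent's 'digest calculation'; HMAC-SHA256 is an assumption."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class AuthServer:
    """Authentication server: holds user key K and counter C per user."""

    def __init__(self):
        self.user_keys = {}   # user ID -> shared key K
        self.counters = {}    # user ID -> last accepted counter C
        self.passwords = {"alice": "correct-horse"}   # constructed sample user

    def authenticate_user(self, user_id, password):
        """Step 41: on correct user authentication, issue K to the terminal."""
        if self.passwords.get(user_id) != password:
            return None
        k = secrets.token_bytes(32)
        self.user_keys[user_id] = k
        self.counters[user_id] = 0
        return k

    def auto_login_authorization(self, user_id, challenge, extra):
        """Step 48: H1 = digest(K, challenge, additional info)."""
        k = self.user_keys.get(user_id)
        if k is None:
            return None
        return digest(k, b"auth", challenge, extra)

    def verify_login_credential(self, user_id, app_server_id, counter, h2):
        """Steps 412/413: recompute H2; the counter must increase (no replay)."""
        k = self.user_keys.get(user_id)
        if k is None or counter <= self.counters[user_id]:
            return False
        expected = digest(k, b"login", counter.to_bytes(8, "big"), app_server_id.encode())
        if not hmac.compare_digest(expected, h2):
            return False
        self.counters[user_id] = counter
        return True


class Middleware:
    """Middleware in the user terminal; K is stored only after step 41."""

    def __init__(self):
        self.user_id = None
        self.k = None
        self.counter = 0
        self.pending = {}   # outstanding challenge -> additional info

    def store_key(self, user_id, k):
        self.user_id, self.k = user_id, k

    def login_identity_request(self, extra):
        """Steps 1/46: refuse if not logged in, else return (user ID, challenge)."""
        if self.k is None:
            return None
        r = secrets.token_bytes(16)
        self.pending[r] = extra
        return self.user_id, r

    def obtain_credential(self, challenge, h1, app_server_id):
        """Steps 24/410: verify H1 with K, then H2 = digest(K, C, other info)."""
        extra = self.pending.pop(challenge, None)
        if extra is None or h1 is None:
            return None
        if not hmac.compare_digest(digest(self.k, b"auth", challenge, extra), h1):
            return None
        self.counter += 1
        h2 = digest(self.k, b"login", self.counter.to_bytes(8, "big"), app_server_id.encode())
        return self.counter, h2


def single_sign_on(auth, mw, app_server_id, extra=b"https://app.example/page"):
    """The first application (e.g. the browser) driving the exchange.
    Returns True when the application server's check at the auth server passes."""
    ident = mw.login_identity_request(extra)
    if ident is None:
        return False                                        # "not logged in"
    user_id, r = ident
    h1 = auth.auto_login_authorization(user_id, r, extra)   # steps 47/48
    cred = mw.obtain_credential(r, h1, app_server_id)       # steps 49/410
    if cred is None:
        return False
    counter, h2 = cred                                      # step 411
    # Steps 27/412: the application server hands the credential to the auth server.
    return auth.verify_login_credential(user_id, app_server_id, counter, h2)
```

Only the middleware holds K, so a browser page that merely reaches the local listening port cannot mint H2 itself, and a credential captured once is rejected on the second presentation because the counter did not advance.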
In the embodiment of the present invention, the first application can be a browser, or an application other than a browser. In contrast to the prior art, once the scheme provided by the embodiment of the present invention is adopted, an application of any type, when it wishes to log in to the application server, can send the automatic login authorization information and the login request to the middleware in order to obtain the login credential. This meets the second class of requirement mentioned in the background section and solves the problems of the single sign-on scheme provided by the prior art that single sign-on can only be carried out by starting a client to trigger opening a browser, and that the second class of requirement is not supported.
In the embodiment of the present invention, the first application can be a browser and the second application an application other than a browser, or the second application can be a browser and the first application an application other than a browser. In particular, when the second application is a browser and the first application is a non-browser client, the second class of requirement described in the background section can be met.
Two specific embodiments are taken as examples below to describe in detail how the scheme provided by the embodiment of the present invention is applied in practice.
Embodiment 1
Embodiment 1 realizes the single sign-on flow from client to browser: after the user has logged in successfully in the client, a service page opened in the browser logs in automatically with the user identity of the client.
The system configuration for realizing embodiment 1 is shown in Fig. 3 and comprises a user terminal, an application server and an authentication server. The user terminal contains a plurality of applications, including a browser and non-browser applications; in Fig. 3 the non-browser applications are represented by "client" and "Web application".
Based on the system shown in Fig. 3, the specific implementation flow of embodiment 1 is described below. As shown in Fig. 4, this flow comprises the following steps:
Step 41: after the user terminal has successfully passed the authentication of the authentication server, it obtains the user key K the authentication server returns to it, and stores K in the middleware arranged in the user terminal;
Specifically, after receiving the client run instruction entered by the user, the user terminal can display a user authentication information input interface on its screen, and then send the user authentication information entered by the user (generally comprising a username and password) to the authentication server for authentication. After the authentication server has verified this user authentication information as correct, the user terminal obtains the K fed back by the authentication server.
Step 42: after receiving the application server access instruction entered by the user in the browser, the user terminal sends an access request to the application server;
For example, after receiving the application server domain name entered by the user in the browser, the user terminal sends an access request to the corresponding application server according to that domain name.
Step 43: the application server redirects the browser to the authentication server;
Step 44: the authentication server returns authentication page information to the browser; besides the content displayed in the browser window, this authentication page information also contains a script (such as a JavaScript script) that the browser runs locally;
Step 45: by calling this JavaScript script, the browser is triggered to send a login identity request to the local listening port of the middleware;
Step 46: the middleware judges whether the user terminal has successfully passed the authentication of the authentication server. If so, the middleware returns a user identity identification response (containing the user ID and a challenge value) to the browser and continues with step 47; otherwise the middleware returns a "user terminal not logged in" notification message to the browser and this single sign-on flow ends;
Generally, the middleware can judge whether the user terminal has successfully passed the authentication of the authentication server by whether it has stored the K sent by the authentication server.
In addition, the challenge value can be, but is not limited to, a random number generated by the middleware.
Optionally, the user identity identification response the middleware returns to the browser can also contain some additional information (such as the system time of the user terminal that the browser sends to the authentication server, the URL of the page the browser is accessing, or some fixed character string).
Step 47: the browser sends the user ID and challenge value returned by the middleware to the authentication server to request automatic login authorization;
Step 48: from the correspondence between user IDs and user keys that it stores, the authentication server determines the user key K corresponding to the user ID sent by the browser, uses K to calculate a digest over the challenge value and some other additional information sent by the browser (such as the system time of the user terminal that the browser sends to the authentication server, the URL of the page the browser is accessing, or some fixed character string), thereby generating the automatic login authorization information, and returns the generated automatic login authorization information to the browser;
Step 49: by calling the JavaScript script, the browser is triggered to send an identity credential acquisition request carrying the automatic login authorization information to the middleware;
Step 410: the middleware verifies the correctness of the automatic login authorization information using the K it stores, and generates a login credential if it is correct;
The generated login credential contains the single sign-on authorization information the authentication server provided to the user terminal.
For example, since K is information the authentication server sent to the successfully authenticated user terminal, K can represent that the user terminal is able to perform single sign-on, and K can thus be regarded as the single sign-on authorization information the authentication server provides to the user terminal. Alternatively, after successfully authenticating the user terminal, the authentication server can also provide some other information as the single sign-on authorization information.
Step 411: the middleware returns the login credential to the browser;
Step 412: the browser sends the login credential to the authentication server; after verifying that the login credential is correct, the authentication server generates an identity credential and redirects the browser to the application server; when redirected to the application server, the browser sends to the application server the identity credential the authentication server provided to it;
Optionally, when redirecting the browser to the application server, the authentication server can also send the generated identity credential directly to the application server.
Step 413: the application server queries the authentication server about the correctness of the identity credential it obtained;
Step 414: after the query shows that the identity credential is correct, the application server returns to the browser the information of the post-login page to be displayed to the successfully logged-in user terminal.
Through the above steps, because a middleware is arranged in the user terminal that can obtain and store the single sign-on authorization information the authentication server provides to the successfully authenticated user terminal, after the user has successfully authenticated the user terminal using the client, any subsequent access to the application server using the browser can successfully perform single sign-on of the user terminal according to the single sign-on authorization information stored by the middleware.
Embodiment 2
The system configuration for realizing embodiment 2 is again as shown in Fig. 3 and comprises a user terminal, an application server and an authentication server.
Based on the system shown in Fig. 3, the specific implementation flow of embodiment 2 is described below. As shown in Fig. 5, this flow comprises the following steps:
Step 51: the user terminal receives the user authentication information the user enters in the browser, and uses this user authentication information to obtain authentication from the authentication server;
Step 52: the browser requests a middleware login credential from the authentication server;
In embodiment 2, the browser can request the middleware login credential from the authentication server by sending a service request to the application server.
Step 53: the authentication server returns the middleware login credential to the browser;
If the browser requests the middleware login credential by sending a service request to the application server, then after receiving this service request the application server can send to the authentication server an authentication request containing the identifier of the application server;
The authentication server receives this authentication request and judges whether the application server identifier contained in it is present in a pre-stored identifier set, where this identifier set consists of the identifiers of the application servers that are permitted to be accessed;
If the judgment result is yes, the authentication server sends automatic login authorization information to the application server, where this automatic login authorization information can be generated by the authentication server by performing a digest calculation using the user key and specified information;
After receiving the automatic login authorization information sent by the authentication server, the application server sends this automatic login authorization information together with the middleware login credential to the user terminal, so that the first application obtains the automatic login authorization information and the middleware credential.
Step 54: the browser calls the middleware through a local method call and sends the middleware login credential to the middleware;
For example, when the middleware is installed in the user terminal, it can register a local application protocol (such as sso://). When a browser page in the user terminal wants to call the middleware, it can assemble a URL according to the call parameter param (such as sso://param) and redirect the browser to this URL; according to the local application protocol (sso://), the browser finds the middleware process that registered this protocol and calls it, thereby realizing the call to the middleware.
Step 55: the middleware sends an authentication request carrying the middleware login credential to the authentication server;
Step 56: the authentication server checks the correctness of the middleware login credential;
Step 57: after checking that the middleware login credential is correct, the authentication server returns an authentication response to the middleware, and at the same time the two sides negotiate and generate a shared user key; this user key can serve as the single sign-on authorization information the authentication server provides to the successfully authenticated user terminal;
Step 58: after the client receives the start instruction entered by the user, it calls the credential acquisition interface of the middleware to send the middleware a login request requesting a login credential;
If the browser has also obtained automatic login authorization information, the browser also sends this automatic login authorization information to the middleware.
Step 59: the middleware locally calculates and generates the login credential according to the user key and returns it to the client;
Optionally, if the middleware has received the automatic login authorization information sent by the browser, the middleware can first verify according to the user key and the specified information that the automatic login authorization information is correct, and only then generate the login credential and return it to the client.
Step 510: the client sends an authentication request carrying the login credential returned by the middleware to the application server;
Generally, so that the authentication server can identify which user the login credential belongs to, the authentication request sent by the client can also carry the user ID.
Step 511: the application server requests the authentication server to verify the login credential carried in the authentication request sent by the client, and receives the notification message the authentication server sends after verifying that the login credential is correct;
Assuming the authentication request also carries the user ID, the application server can also send this user ID to the authentication server. After receiving the user ID and the login credential, the authentication server looks up the user key corresponding to the received user ID in the pre-stored correspondence between user IDs and user keys, and compares the user key found with the user key parsed from the login credential; if the comparison result is that they are consistent, it determines that the login credential is correct, otherwise it determines that the login credential is incorrect.
Step 512: the application server returns to the client information representing that login has succeeded.
Through the steps of embodiment 2, after the user has successfully authenticated the user terminal using the browser, any subsequent access to the application server using the client can successfully perform single sign-on of the user terminal according to the single sign-on authorization information stored by the middleware. This also meets the second class of requirement mentioned in the background section, and thus solves the problems of the single sign-on scheme provided by the prior art that single sign-on can only be carried out by starting a client to trigger opening a browser, and that the second class of requirement is not supported.
It should be noted that the middleware in both embodiment 1 and embodiment 2 can have the function of sending user authentication information to the authentication server in order to obtain the single sign-on authorization information the authentication server provides to the successfully authenticated user terminal. Therefore, even if the middleware has not yet obtained the single sign-on authorization information when the browser (or client) requests a login credential from it, the middleware can take the message the browser (or client) sends to request the login credential as a trigger condition, send the user authentication information to the authentication server, obtain the single sign-on authorization information the authentication server provides to the successfully authenticated user terminal, and provide the login credential to the browser (or client) based on this single sign-on authorization information.
Based on the same inventive concept as the single sign-on method described above, the embodiment of the present invention also provides a single sign-on system, to solve the problem that the single sign-on scheme provided by the prior art must trigger the opening of a browser by starting a client in order to perform single sign-on, and does not support the second type of requirement described above. This system mainly comprises a first application and middleware arranged in the user terminal, where the functions of the first application and the middleware are as follows:
The first application is configured to obtain automatic login authorization information; send a login request comprising the obtained automatic login authorization information to the middleware; and obtain the login credential provided by the middleware and send it to the application server; wherein the automatic login authorization information is generated by the authentication server by performing a digest computation using a shared key and specified information;
The middleware is configured to, after receiving the login request, obtain the shared key agreed with the authentication server, and, after verifying according to the shared key and the specified information that the automatic login authorization information in the login request is correct, obtain a login credential and provide it to the first application; wherein the login credential is used to indicate that the user terminal has successfully obtained authentication from the authentication server.
Optionally, the first application may specifically be configured to:
read, from the storage space of the user terminal, automatic login authorization information set in advance in that storage space; or
send a service request to the application server, and obtain the automatic login authorization information fed back by the application server in response to that service request.
Here the process by which the application server feeds back automatic login authorization information in response to the service request specifically comprises:
after receiving the service request, the application server sends to the authentication server an authentication request comprising the identifier of this application server;
the authentication server receives the authentication request and judges whether the application server identifier contained in it is present in a pre-stored identifier set, where the identifier set consists of the identifiers of the application servers that are allowed to be accessed;
when the judgment result is yes, the authentication server sends automatic login authorization information to the application server;
the application server forwards the automatic login authorization information sent by the authentication server to the user terminal, so that the first application obtains the automatic login authorization information.
Optionally, the specified information used by the authentication server when generating the automatic login authorization information is a challenge value sent by the first application. In such a scenario, the middleware may further be configured to: before the automatic login authorization information is obtained, randomly generate a challenge value after receiving a login identity request sent by the first application, and send an identity identification response comprising the challenge value to the first application; the first application is further configured to send the challenge value to the authentication server.
Optionally, the middleware provided by the embodiment of the present invention may specifically be configured to: obtain a middleware login credential sent by the authentication server, where the middleware login credential is sent by the authentication server after verifying that the user authentication information sent by a second application in the user terminal is correct; send the middleware login credential to the authentication server; and receive the shared key that the authentication server sends after verifying that the middleware login credential is correct, or generate the shared key according to shared-key generation information that the authentication server sends after verifying that the middleware login credential is correct. Alternatively, the middleware may specifically be configured to generate the shared key according to a key generation algorithm agreed in advance with the authentication server.
Optionally, the first application may be a browser and the second application another, non-browser application; or the second application may be a browser and the first application another, non-browser application. Alternatively, both the first application and the second application may be browsers, or both may be non-browser applications.
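Steps 55 to 512 of embodiment 2 and the system description above both describe one exchange: the authentication server digests a shared key together with specified information (a challenge drawn by the middleware), the middleware verifies that digest and issues a login credential derived from the user key, and the authentication server later checks that credential against the user key it stores for the user identifier. The following Python model is an added example, not the patent's own code. It assumes HMAC-SHA256 for the "digest computed over the shared key and specified information" (the patent names no algorithm), models the login credential as a nonce plus a keyed digest that the authentication server recomputes from the user key looked up by user identifier (standing in for "parsing the user key from the credential" in step 511), and simplifies the step 57 negotiation to the server drawing the key. The names AuthServer, Middleware, AppServer, run_flow, "alice" and "app-1" are invented for the example.

```python
import hashlib
import hmac
import secrets


# Assumption: the patent's "digest computed over the shared key and specified
# information" is modelled as HMAC-SHA256; the patent names no algorithm.
def digest(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class AuthServer:
    """Authentication server: holds the user-id -> user-key table (step 57)
    and the pre-stored set of application-server identifiers allowed to be accessed."""

    def __init__(self, allowed_app_servers):
        self.allowed = set(allowed_app_servers)
        self.user_keys = {}  # user identifier -> shared user key

    def negotiate_user_key(self, user_id: str) -> bytes:
        # Step 57, simplified (assumption): the server draws the user key and
        # returns it to the middleware over the already authenticated channel.
        key = secrets.token_bytes(32)
        self.user_keys[user_id] = key
        return key

    def issue_auto_login_auth(self, app_server_id: str, user_id: str, challenge: bytes):
        # Identifier-set check, then digest over shared key + specified information.
        if app_server_id not in self.allowed or user_id not in self.user_keys:
            return None
        return digest(self.user_keys[user_id], b"auto-login", challenge)

    def verify_login_credential(self, user_id: str, credential) -> bool:
        # Step 511: look up the user key by user identifier and recompute the digest.
        key = self.user_keys.get(user_id)
        if key is None or credential is None:
            return False
        nonce, mac = credential
        return hmac.compare_digest(mac, digest(key, b"login", user_id.encode(), nonce))


class Middleware:
    """Middleware in the user terminal holding the negotiated user key."""

    def __init__(self, user_id: str, user_key: bytes):
        self.user_id = user_id
        self.user_key = user_key
        self.pending = set()  # challenges issued but not yet consumed

    def login_identity_request(self) -> bytes:
        # Identity identification response: a fresh random challenge value.
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def handle_login_request(self, auto_login_auth, challenge: bytes):
        # Verify the authorization digest with the shared key and the challenge.
        if challenge not in self.pending or auto_login_auth is None:
            return None
        expected = digest(self.user_key, b"auto-login", challenge)
        if not hmac.compare_digest(auto_login_auth, expected):
            return None
        self.pending.discard(challenge)  # each challenge is accepted once
        return self.issue_login_credential()

    def issue_login_credential(self):
        # Step 59: credential computed locally from the user key.
        nonce = secrets.token_bytes(16)
        return nonce, digest(self.user_key, b"login", self.user_id.encode(), nonce)


class AppServer:
    def __init__(self, server_id: str, auth: AuthServer):
        self.server_id = server_id
        self.auth = auth

    def handle_service_request(self, user_id: str, challenge: bytes):
        # Forward the authentication server's authorization information to the terminal.
        return self.auth.issue_auto_login_auth(self.server_id, user_id, challenge)

    def handle_login(self, user_id: str, credential) -> bool:
        # Steps 510-512: ask the authentication server to verify the credential.
        return self.auth.verify_login_credential(user_id, credential)


def run_flow(user_id="alice", app_server_id="app-1", allowed=("app-1",)):
    """Run the first-application flow end to end and report each check's outcome."""
    auth = AuthServer(allowed)
    mw = Middleware(user_id, auth.negotiate_user_key(user_id))
    app = AppServer(app_server_id, auth)

    challenge = mw.login_identity_request()
    auto_auth = app.handle_service_request(user_id, challenge)
    credential = mw.handle_login_request(auto_auth, challenge)
    login_ok = app.handle_login(user_id, credential)

    # Failure cases: unlisted application server, replayed challenge,
    # forged authorization digest, tampered credential, wrong user identifier.
    rogue_auth = AppServer("app-rogue", auth).handle_service_request(user_id, mw.login_identity_request())
    replay = mw.handle_login_request(auto_auth, challenge)
    forged = mw.handle_login_request(bytes(32), mw.login_identity_request())
    tampered = (credential[0], bytes(32)) if credential else None
    return {
        "login_ok": login_ok,
        "rogue_app_gets_auth": rogue_auth is not None,
        "replay_gets_credential": replay is not None,
        "forged_gets_credential": forged is not None,
        "tampered_accepted": app.handle_login(user_id, tampered),
        "wrong_user_accepted": app.handle_login("bob", credential),
    }
```

Running run_flow() exercises the checks the design depends on: the identifier set stops an unlisted application server from obtaining authorization information, the challenge is consumed once so an authorization digest cannot be presented to the middleware twice, and a credential whose digest does not match the stored user key (or is presented under another user identifier) is rejected by the authentication server. The pre-stored table of user keys on the authentication server is the secret the whole scheme rests on, and the comparison in step 511 should be constant-time, as compare_digest is here.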
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus so as to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they have learned the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include these changes and modifications.
Claims (12)
1. A single sign-on method, characterized by comprising:
a first application arranged in a user terminal obtaining automatic login authorization information, and sending a login request comprising said automatic login authorization information to middleware arranged in said user terminal, wherein the automatic login authorization information is generated by an authentication server by performing a digest computation using a shared key and specified information;
said middleware, after receiving said login request, obtaining said shared key agreed with the authentication server, and, after verifying according to said shared key and said specified information that the automatic login authorization information in said login request is correct, obtaining a login credential, wherein said login credential is used to indicate that said user terminal has successfully obtained authentication from said authentication server;
said middleware providing the login credential to the first application;
the first application sending the login credential to an application server.
2. The method of claim 1, characterized in that the first application obtaining automatic login authorization information specifically comprises:
the first application reading, from the storage space of said user terminal, automatic login authorization information set in advance in said storage space; or
the first application sending a service request to the application server;
the application server, after receiving this service request, sending to the authentication server an authentication request comprising the identifier of this application server;
the authentication server receiving the authentication request and judging whether the application server identifier contained in the authentication request is present in a pre-stored identifier set, wherein the identifier set consists of the identifiers of the application servers allowed to be accessed;
when the judgment result is yes, the authentication server sending automatic login authorization information to the application server;
the application server forwarding the automatic login authorization information sent by the authentication server to said user terminal, so that the first application obtains the automatic login authorization information.
3. The method of claim 1, characterized in that said specified information used by the authentication server when generating the automatic login authorization information is a challenge value sent by the first application;
before the first application obtains the automatic login authorization information, the method further comprises:
said middleware, after receiving a login identity request sent by the first application, randomly generating said challenge value;
said middleware sending to the first application an identity identification response comprising said challenge value, so that the first application sends said challenge value to the authentication server.
4. The method of claim 1, characterized in that said middleware obtaining said shared key agreed with the authentication server specifically comprises:
said middleware obtaining a middleware login credential sent by the authentication server, wherein said middleware login credential is sent by the authentication server after verifying that user authentication information sent by a second application in said user terminal is correct;
said middleware sending said middleware login credential to the authentication server; and
receiving said shared key sent by the authentication server after verifying that said middleware login credential is correct; or generating said shared key according to shared-key generation information sent by the authentication server after verifying that said middleware login credential is correct.
5. The method of claim 4, characterized in that the first application is a browser and the second application is another, non-browser application; or
the second application is a browser and the first application is another, non-browser application.
6. The method of claim 1, characterized in that the middleware obtaining the shared key agreed with the authentication server specifically comprises:
the middleware generating the shared key according to a key generation algorithm agreed in advance with the authentication server.
7. A single sign-on system, characterized by comprising a first application and middleware arranged in a user terminal, wherein:
said first application is configured to obtain automatic login authorization information; send a login request comprising said automatic login authorization information to said middleware; and obtain the login credential provided by said middleware and send the login credential to an application server; wherein the automatic login authorization information is generated by an authentication server by performing a digest computation using a shared key and specified information;
said middleware is configured to, after receiving said login request, obtain said shared key agreed with the authentication server, and, after verifying according to said shared key and said specified information that the automatic login authorization information in said login request is correct, obtain a login credential and provide it to said first application; wherein said login credential is used to indicate that said user terminal has successfully obtained authentication from said authentication server.
8. The system of claim 7, characterized in that said first application is specifically configured to:
read, from the storage space of said user terminal, automatic login authorization information set in advance in said storage space; or
send a service request to the application server, and obtain the automatic login authorization information fed back by said application server in response to said service request;
wherein the process by which said application server feeds back automatic login authorization information in response to said service request specifically comprises:
the application server, after receiving said service request, sending to the authentication server an authentication request comprising the identifier of this application server; the authentication server receiving the authentication request and judging whether the application server identifier contained in the authentication request is present in a pre-stored identifier set, wherein the identifier set consists of the identifiers of the application servers allowed to be accessed; when the judgment result is yes, the authentication server sending automatic login authorization information to the application server; and the application server forwarding the automatic login authorization information sent by the authentication server to said user terminal, so that said first application obtains the automatic login authorization information.
9. The system of claim 7, characterized in that said specified information used by the authentication server when generating the automatic login authorization information is a challenge value sent by said first application;
said middleware is further configured to: before the automatic login authorization information is obtained, randomly generate said challenge value after receiving a login identity request sent by the first application, and send to said first application an identity identification response comprising said challenge value;
said first application is further configured to send said challenge value to the authentication server.
10. The system of claim 7, characterized in that said middleware is specifically configured to:
obtain a middleware login credential sent by the authentication server, wherein said middleware login credential is sent by the authentication server after verifying that user authentication information sent by a second application in said user terminal is correct;
send said middleware login credential to the authentication server; and
receive said shared key sent by the authentication server after verifying that said middleware login credential is correct; or generate said shared key according to shared-key generation information sent by the authentication server after verifying that said middleware login credential is correct.
11. The system of claim 10, characterized in that said first application is a browser and said second application is another, non-browser application; or
said second application is a browser and said first application is another, non-browser application.
12. The system of claim 7, characterized in that said middleware is specifically configured to generate the shared key according to a key generation algorithm agreed in advance with said authentication server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310089647.1A CN104065616B (en) | 2013-03-20 | 2013-03-20 | Single-point logging method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104065616A true CN104065616A (en) | 2014-09-24 |
CN104065616B CN104065616B (en) | 2017-06-20 |
Family ID: 51553149
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310089647.1A Active CN104065616B (en) | 2013-03-20 | 2013-03-20 | Single-point logging method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104065616B (en) |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104753927A (en) * | 2015-03-12 | 2015-07-01 | 杭州华三通信技术有限公司 | Unified verification method and device |
CN105790945A (en) * | 2014-12-22 | 2016-07-20 | 中国移动通信集团公司 | Authentication method, device and system for authenticating user unique identity |
CN105812138A (en) * | 2014-12-31 | 2016-07-27 | 华为技术有限公司 | Logging-in processing method, processing device, user terminal, and logging-in system |
CN106209726A (en) * | 2015-04-30 | 2016-12-07 | 中兴通讯股份有限公司 | A kind of Mobile solution single-point logging method and device |
CN106302606A (en) * | 2015-06-08 | 2017-01-04 | 中国移动通信集团湖南有限公司 | A kind of across application access method and device |
CN106982228A (en) * | 2017-05-08 | 2017-07-25 | 北京深思数盾科技股份有限公司 | One kind realizes identity authentication method and system |
CN107844712A (en) * | 2017-11-03 | 2018-03-27 | 北京天融信网络安全技术有限公司 | A kind of browser shares the method, apparatus and computer-readable medium of voucher |
CN107925572A (en) * | 2015-08-31 | 2018-04-17 | 维萨国际服务协会 | Secure binding of software applications to communication devices |
CN108737398A (en) * | 2018-05-09 | 2018-11-02 | 平安信托有限责任公司 | Processing method, device, computer equipment and the storage medium of trust system |
CN109246146A (en) * | 2018-11-01 | 2019-01-18 | 北京京航计算通讯研究所 | SAP ERP single-point logging method based on JAVA middleware intergration model |
CN109388937A (en) * | 2018-11-05 | 2019-02-26 | 用友网络科技股份有限公司 | A kind of single-point logging method and login system of multiple-factor authentication |
CN109492375A (en) * | 2018-11-01 | 2019-03-19 | 北京京航计算通讯研究所 | SAP ERP single-node login system based on JAVA middleware intergration model |
CN109815674A (en) * | 2018-12-28 | 2019-05-28 | 深圳竹云科技有限公司 | A method of login process is automated based on image recognition |
CN110032855A (en) * | 2019-02-28 | 2019-07-19 | 招银云创(深圳)信息技术有限公司 | Login method, device, computer equipment and the storage medium of application |
CN110287682A (en) * | 2019-07-01 | 2019-09-27 | 北京芯盾时代科技有限公司 | A kind of login method, apparatus and system |
CN110557259A (en) * | 2019-08-15 | 2019-12-10 | 中国人民银行数字货币研究所 | identity management method, device and system based on multiple identities |
CN110704130A (en) * | 2019-10-10 | 2020-01-17 | 深圳前海微众银行股份有限公司 | Data processing method and device |
CN110795720A (en) * | 2018-08-03 | 2020-02-14 | 北京京东尚科信息技术有限公司 | Information processing method, system, electronic device, and computer-readable medium |
CN111353142A (en) * | 2019-02-15 | 2020-06-30 | 鸿合科技股份有限公司 | User information sharing method and device and electronic equipment |
CN111771354A (en) * | 2017-11-28 | 2020-10-13 | 美国运通旅游有关服务公司 | Single sign-on scheme using blockchains |
CN111800378A (en) * | 2020-05-21 | 2020-10-20 | 视联动力信息技术股份有限公司 | Login authentication method, device, system and storage medium |
CN112804201A (en) * | 2020-12-30 | 2021-05-14 | 绿盟科技集团股份有限公司 | Method and device for acquiring equipment information |
CN112948802A (en) * | 2020-04-28 | 2021-06-11 | 深圳市明源云科技有限公司 | Single sign-on method, device, equipment and storage medium |
CN113572763A (en) * | 2021-07-22 | 2021-10-29 | 中国工商银行股份有限公司 | Data processing method and device, electronic equipment and storage medium |
CN113965380A (en) * | 2021-10-21 | 2022-01-21 | 上海高顿教育科技有限公司 | Single sign-on control method and device based on multiple background applications |
CN114584353A (en) * | 2022-02-23 | 2022-06-03 | 上海外服云信息技术有限公司 | Single sign-on method for mobile terminal to access CAS |
WO2024124924A1 (en) * | 2022-12-13 | 2024-06-20 | 支付宝(杭州)信息技术有限公司 | Key agreement method and apparatus for applet |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101510877A (en) * | 2009-02-25 | 2009-08-19 | 中国网络通信集团公司 | Single-point logging-on method and system, communication apparatus |
WO2009105988A1 (en) * | 2008-02-27 | 2009-09-03 | 华为技术有限公司 | Register method, authentication and authorization method, system and device for session initiation protocol |
CN102065141A (en) * | 2010-12-27 | 2011-05-18 | 广州欢网科技有限责任公司 | Method and system for realizing single sign-on of cross-application and browser |
CN102082666A (en) * | 2009-11-26 | 2011-06-01 | 中国移动通信集团公司 | Single login system and method and service management system as well as single login intermediate system |
Cited By (41)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105790945A (en) * | 2014-12-22 | 2016-07-20 | 中国移动通信集团公司 | Authentication method, device and system for authenticating user unique identity |
CN105790945B (en) * | 2014-12-22 | 2019-09-03 | 中国移动通信集团公司 | A kind of authentication method, device and system realizing user's unique identities and authenticating |
CN105812138A (en) * | 2014-12-31 | 2016-07-27 | 华为技术有限公司 | Logging-in processing method, processing device, user terminal, and logging-in system |
CN104753927A (en) * | 2015-03-12 | 2015-07-01 | 杭州华三通信技术有限公司 | Unified verification method and device |
CN106209726A (en) * | 2015-04-30 | 2016-12-07 | 中兴通讯股份有限公司 | A kind of Mobile solution single-point logging method and device |
CN106209726B (en) * | 2015-04-30 | 2020-06-05 | 中兴通讯股份有限公司 | Mobile application single sign-on method and device |
CN106302606A (en) * | 2015-06-08 | 2017-01-04 | 中国移动通信集团湖南有限公司 | A kind of across application access method and device |
CN106302606B (en) * | 2015-06-08 | 2019-11-29 | 中国移动通信集团湖南有限公司 | Across the application access method and device of one kind |
CN107925572B (en) * | 2015-08-31 | 2021-04-30 | 维萨国际服务协会 | Secure binding of software applications to communication devices |
CN107925572A (en) * | 2015-08-31 | 2018-04-17 | 维萨国际服务协会 | Secure binding of software applications to communication devices |
US10785287B2 (en) | 2015-08-31 | 2020-09-22 | Visa International Service Association | Secure binding of software application to a communication device |
CN106982228B (en) * | 2017-05-08 | 2018-10-09 | 北京深思数盾科技股份有限公司 | A kind of realization identity authentication method and system |
CN106982228A (en) * | 2017-05-08 | 2017-07-25 | 北京深思数盾科技股份有限公司 | One kind realizes identity authentication method and system |
CN107844712A (en) * | 2017-11-03 | 2018-03-27 | 北京天融信网络安全技术有限公司 | A kind of browser shares the method, apparatus and computer-readable medium of voucher |
US12099592B2 (en) | 2017-11-28 | 2024-09-24 | American Express Travel Related Services Company, Inc. | Single sign-on solution using blockchain |
CN111771354A (en) * | 2017-11-28 | 2020-10-13 | 美国运通旅游有关服务公司 | Single sign-on scheme using blockchains |
CN108737398B (en) * | 2018-05-09 | 2022-04-26 | 平安信托有限责任公司 | Processing method and device of trust system, computer equipment and storage medium |
CN108737398A (en) * | 2018-05-09 | 2018-11-02 | 平安信托有限责任公司 | Processing method, device, computer equipment and the storage medium of trust system |
CN110795720A (en) * | 2018-08-03 | 2020-02-14 | 北京京东尚科信息技术有限公司 | Information processing method, system, electronic device, and computer-readable medium |
CN109246146A (en) * | 2018-11-01 | 2019-01-18 | 北京京航计算通讯研究所 | SAP ERP single-point logging method based on JAVA middleware intergration model |
CN109492375B (en) * | 2018-11-01 | 2021-07-16 | 北京京航计算通讯研究所 | SAP ERP single sign-on system based on JAVA middleware integration mode |
CN109492375A (en) * | 2018-11-01 | 2019-03-19 | 北京京航计算通讯研究所 | SAP ERP single-node login system based on JAVA middleware intergration model |
CN109246146B (en) * | 2018-11-01 | 2020-10-13 | 北京京航计算通讯研究所 | SAP ERP single sign-on method based on JAVA middleware integration mode |
CN109388937A (en) * | 2018-11-05 | 2019-02-26 | 用友网络科技股份有限公司 | A kind of single-point logging method and login system of multiple-factor authentication |
CN109815674A (en) * | 2018-12-28 | 2019-05-28 | 深圳竹云科技有限公司 | A method of login process is automated based on image recognition |
CN111353142A (en) * | 2019-02-15 | 2020-06-30 | 鸿合科技股份有限公司 | User information sharing method and device and electronic equipment |
CN110032855A (en) * | 2019-02-28 | 2019-07-19 | 招银云创(深圳)信息技术有限公司 | Login method, device, computer equipment and the storage medium of application |
CN110287682A (en) * | 2019-07-01 | 2019-09-27 | 北京芯盾时代科技有限公司 | A kind of login method, apparatus and system |
CN110557259A (en) * | 2019-08-15 | 2019-12-10 | 中国人民银行数字货币研究所 | identity management method, device and system based on multiple identities |
CN110704130A (en) * | 2019-10-10 | 2020-01-17 | 深圳前海微众银行股份有限公司 | Data processing method and device |
CN112948802A (en) * | 2020-04-28 | 2021-06-11 | 深圳市明源云科技有限公司 | Single sign-on method, device, equipment and storage medium |
CN112948802B (en) * | 2020-04-28 | 2024-03-12 | 深圳市明源云科技有限公司 | Single sign-on method, device, equipment and storage medium |
CN111800378A (en) * | 2020-05-21 | 2020-10-20 | 视联动力信息技术股份有限公司 | Login authentication method, device, system and storage medium |
CN112804201B (en) * | 2020-12-30 | 2023-04-28 | 绿盟科技集团股份有限公司 | Method and device for acquiring equipment information |
CN112804201A (en) * | 2020-12-30 | 2021-05-14 | 绿盟科技集团股份有限公司 | Method and device for acquiring equipment information |
CN113572763A (en) * | 2021-07-22 | 2021-10-29 | 中国工商银行股份有限公司 | Data processing method and device, electronic equipment and storage medium |
CN113572763B (en) * | 2021-07-22 | 2022-10-14 | 中国工商银行股份有限公司 | Data processing method and device, electronic equipment and storage medium |
CN113965380A (en) * | 2021-10-21 | 2022-01-21 | 上海高顿教育科技有限公司 | Single sign-on control method and device based on multiple background applications |
CN113965380B (en) * | 2021-10-21 | 2024-10-15 | 上海高顿教育科技有限公司 | Single sign-on control method and device based on multiple background applications |
CN114584353A (en) * | 2022-02-23 | 2022-06-03 | 上海外服云信息技术有限公司 | Single sign-on method for mobile terminal to access CAS |
WO2024124924A1 (en) * | 2022-12-13 | 2024-06-20 | 支付宝(杭州)信息技术有限公司 | Key agreement method and apparatus for applet |
Also Published As
Publication number | Publication date |
---|---|
CN104065616B (en) | 2017-06-20 |
Similar Documents
Publication | Title |
---|---|
CN104065616A (en) | Single sign-on method and system |
US12063208B2 (en) | Single sign-on for unmanaged mobile devices |
EP3308525B1 (en) | Single sign-on for unmanaged mobile devices |
US9686267B2 (en) | Establishing and maintaining an improved single sign-on (SSO) facility |
US9641513B2 (en) | Methods and systems for controlling mobile terminal access to a third-party server |
CN103051630B (en) | Method, apparatus and system for realizing third-party application authorization based on an open platform |
CN111131242A (en) | Authority control method, device and system |
US20120174212A1 (en) | Connected account provider for multiple personal computers |
US9240991B2 (en) | Anti-phishing system for cross-domain web browser single sign-on |
CN105007280A (en) | Application sign-on method and device |
US9065818B2 (en) | Toggle between accounts |
CN111062023B (en) | Method and device for realizing single sign-on of multi-application system |
CN103609090A (en) | Method and device for identity login |
CN108632291A (en) | Third-party authorized login method and system |
JP6044299B2 (en) | Data reference system and application authentication method |
US20200153814A1 (en) | Method for authentication with identity providers |
WO2014048749A1 (en) | Inter-domain single sign-on |
CN106452738A (en) | Authentication method, device and system for logging in equipment |
CN113761509B (en) | iframe verification login method and device |
CN109218389A (en) | Method, apparatus, storage medium and electronic equipment for processing business requests |
CN111241523B (en) | Authentication processing method, device, equipment and storage medium |
CN105791249A (en) | Third-party application processing method, device and system |
CN114745156A (en) | Distributed single sign-on realization method and device, electronic equipment and storage medium |
CN105656856A (en) | Resource management method and device |
KR101627896B1 (en) | Authentication method by using certificate application and system thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |