CN105577667A - Multi-account one-key login and authentication mechanism - Google Patents


Publication number: CN105577667A
Application number: CN201510995538.5A
Authority: CN (China)
Language: Chinese (zh)
Inventor: 叶君玉
Assignee (original and current): Shanghai Zanyue Software Service Center
Priority date: 2015-12-28
Filing date: 2015-12-28
Publication date: 2016-05-11
Legal status (as listed, not a legal conclusion): Pending
Prior art keywords: user, identity, idmp, account, login

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 63/0815: Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations


Abstract

The invention discloses a multi-account one-key login and authentication mechanism in the technical field of unified login authentication for multi-account roles, and in particular a mechanism for multi-account one-key login access rights and for granting authenticated multi-account users rights to access database resources. In a distributed, multi-service network environment, a single authentication and login by the user yields valid identity credentials for every service in the system, so an administrator can apply security controls conveniently without modifying or interfering with user login. The embodiment introduces an identity federation server that realizes the joint mapping among a user's multiple identities and provides service providers (SPs) with functions to query and register bound user identities. Authentication moves from being completed independently by each site to centralized authentication, so that user resources scattered across the Internet can be shared by partner sites, providing the conditions and basis for the openness and cooperation of web services.

Description

Multi-account one-key login and authentication mechanism
Technical field
The present invention relates to the technical field of unified login authentication for multi-account roles, and in particular to a mechanism for multi-account one-key login access rights and for granting authenticated multi-account users rights to access database resources.
Background art
Unified login authentication for multi-account roles means, in short, that in a distributed, multi-service network environment a user is authenticated once and thereby obtains valid proof of identity for all services in the distributed system. With the development of information and network technology, ever more application services come online, and a user needs to sign in to many different application systems every day. As the number of systems grows, the user must repeatedly enter an ID and password in each of them, which is very inconvenient and increases the chance of mistakes. To avoid this, users tend to simplify their passwords, reuse one password across several systems, or keep a password "list"; all of these make it more likely that login information is illegitimately intercepted or compromised, and security drops accordingly. When these risks surface, administrators add new security measures, but those measures reduce the usability of the system and increase the complexity of system administration.
With the development of web service technology, the degree of service integration in web-based applications keeps rising: a single user service request may consist of a series of sub-services that are dynamically correlated and supplied by different service providers. Under the traditional login model the user must keep signing in to the corresponding sub-service systems as execution of the service progresses, which is inconvenient for the user and conflicts with the transparency that service integration requires. This gives rise to the requirement that a network user, authenticated once on initial access to the network, should gain seamless access to all authorized network resources, which is what unified login authentication for multi-account roles provides.
Benefits of implementing the multi-account one-key login and authentication mechanism: unified login authentication for multi-account roles is realized at the application layer of the system, so the system's access rights are managed simply, securely and efficiently; the burden and cost of login authentication for multi-account roles are reduced significantly; login authentication for multi-account roles better fits the service management norms of the application system; and the demands placed on system administrators, and with them the burden and cost of rights management, are reduced further.
Summary of the invention
To overcome the deficiencies of existing unified login authentication for multi-account roles, the invention provides a mechanism for multi-account one-key login access rights and for granting authenticated multi-account users rights to access database resources. Identity federation is introduced: mutual mapping relations are established between the several different accounts of the same user. An identity federation server (IDMP) is added to the mobile core network; it maintains the federation information linking a user's core-network identity with the user's SP identities. When the user accesses a service, the service asks the IDMP whether the user has already logged in to the core network or to another service; if so, the IDMP obtains the user's identity for this service through the identity mapping relation, and the login step of using the service is thereby completed.
The technical solution adopted to solve the technical problem is to propose a new functional entity, the identity federation server (IDMP). The IDMP is located in the mobile core network; it realizes the joint mapping between a user's multiple identities and provides SPs with functions to query and to register bound user identities. The IDMP is the hub of unified login authentication: SIP terminals and browsers are authenticated uniformly through the IDMP, the IDMP exchanges information with the GGSN and with web SPs, and a user need log in only once to use services across the whole network. Internally the IDMP is divided into two logical entities: the IDMP server (including a Portal) and a database. The IDMP server is responsible for unified login, unified query and identity federation; the Portal offers users a unified self-service login page through which they create and maintain their identity federation information or log in to other SPs. The database stores the users' identity federation information.
The beneficial effect of the invention is that, with the multi-account one-key login and authentication mechanism, a user in a distributed, multi-service network environment is authenticated once and obtains valid proof of identity for all services in the distributed system; under this condition the administrator can readily apply the desired security controls without modifying or interfering with user login. Against replay attacks and for transmission security, the multi-account one-key login and authentication mechanism adds a timestamp and an encryption mechanism to protect the system. Authentication changes from being completed independently by each site to centralized authentication, each service site adopts a unified user identity, and the whole process is transparent to the user, so the user resources originally held separately by individual sites scattered across the Internet can be shared by all cooperating sites, providing the conditions and basis for web services to move toward openness and cooperation.
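The patent only states that a timestamp and an "encryption mechanism" are added against replay and for transmission security; it names no algorithm. The following is an added example, not code from the patent, of one way to realize that protection for the login record the SP keeps in its cookie (user name, login time, validity period): the fields are bound with an HMAC-SHA256 under a key held only by the SP, and verification rejects a record that is tampered with, presented under another SP's name, or outside its validity window. The key, the JSON field names, base64url encoding and the fixed 1-hour validity are assumptions of the example. HMAC provides integrity, not confidentiality; a record that must also be unreadable to the client would additionally need an authenticated cipher.

```python
"""Timestamped, integrity-protected login record for the SP cookie.

Added example (not the patent's own code). Assumptions: HMAC-SHA256 with a
key only the SP holds, JSON field names chosen here, base64url encoding,
and a fixed validity of one hour ("for example 1 hour" in the text).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

VALIDITY_SECONDS = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_login_record(key: bytes, username: str, sp: str, now: int) -> str:
    """Return `payload.sig`; the payload carries user name, SP, login time and
    validity end, the signature an HMAC over the exact payload bytes."""
    payload = json.dumps(
        {"user": username, "sp": sp, "login_time": now,
         "valid_until": now + VALIDITY_SECONDS},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_login_record(key: bytes, record: str, sp: str, now: int) -> Tuple[Optional[str], str]:
    """Return (username, "ok") for an authentic record issued for this SP whose
    validity window contains `now`; otherwise (None, reason). The signature is
    checked before any field is trusted, with a constant-time comparison."""
    try:
        payload_b64, sig_b64 = record.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:  # missing separator or invalid base64 (binascii.Error)
        return None, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    fields = json.loads(payload)
    if fields.get("sp") != sp:
        return None, "issued for another SP"
    if not (fields["login_time"] <= now < fields["valid_until"]):
        return None, "expired or not yet valid"
    return fields["user"], "ok"


if __name__ == "__main__":
    k = b"example-sp-key"  # constructed key for the demo
    rec = issue_login_record(k, "alice", "sp-mail", int(time.time()))
    print(verify_login_record(k, rec, "sp-mail", int(time.time())))
```

The timestamp alone does not stop a record from being replayed inside its window; it bounds how long a captured record is useful, which is why the validity is kept short and the record is tied to one SP.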
Brief description of the drawings
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of multi-account initiation of identity federation in an example of the invention.
Fig. 2 is a multi-account single-sign-on flow chart of an example of the invention.
Fig. 3 is a general flow chart of the multi-account login process of an example of the invention.
Fig. 4 is a schematic diagram of the multi-account login process of an example of the invention.
Fig. 5 is a schematic flow diagram of multi-account logout in an example of the invention.
Embodiment
Fig. 4 illustrates the login process of the multi-account one-key login and authentication mechanism. For each arriving request from a user who is not yet logged in, the service makes the following judgements in turn: whether the user is accessing through a browser launched by a software terminal; whether the user is accessing over GPRS; whether the user has already logged in elsewhere. For each judgement, if it holds, the service queries the IDMP for the user's identity; otherwise it proceeds to the next judgement. If the IDMP query succeeds, the unified login flow ends, the service has the user's identity and provides service to the user. If the IDMP query fails, the user has not set up identity federation, and the service falls back to ordinary login, i.e. the user enters a user name and password, or logs in with a mobile phone number. If all three judgements fail, ordinary login is also used. The detailed process is as follows:
1. A user request arrives at the web SP. The SP first judges from the Cookie whether the user is logged in: the Cookie record of a logged-in user can hold the user's identity and login information, such as user name, login time and validity period. If there is no record in the Cookie, the SP checks whether the user has logged in to the IMS network through a software terminal, by checking whether the URL carries an IMPU; if it does, the SP queries the IDMP.
2. The SP sends the IMPU from the URL to the IDMP and asks for this user's identity at this SP. The IDMP looks up the identity federation record, obtains the user's identity information for this SP and returns the query result: on success, the user's user name at this SP; otherwise, query failure. If the request carries no IMPU, the SP checks whether the user is accessing over GPRS, by sending the IP address to the IDMP to query the user's identity. If the user is accessing over GPRS, the RADIUS server of the mobile core network holds the binding between the user's mobile phone number and IP address, and the IDMP can obtain the user's phone number by querying the RADIUS server with the user's IP address.
3. Once the IDMP has the user's phone number, it obtains the user's identity information at this SP from the identity federation record and returns the query result: on success, the user's user name at this SP; otherwise, query failure. If the user is not accessing over GPRS, the SP checks whether the user has logged in to another SP or to the Portal; this check relies on the unified login information that the Portal stores for the user in the Cookie.
4. When the Portal receives the redirect request, it reads the Cookie and judges whether the user has logged in to another SP or to the Portal. If so, the user's identity at this SP is obtained from the identity federation information, and the IDMP returns the query result: on success, the user's user name at this SP; otherwise, query failure.
5. If unified login succeeds, the SP stores the user's login information, including user name, login time and validity period, in the Cookie, with the Cookie's validity set to a fixed time, for example 1 hour. Otherwise the SP lets the user log in manually or with a mobile phone number.
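The five steps above, as an added example that is not the patent's own code. In-memory tables stand in for the IDMP's federation database and for the RADIUS server's IP-to-phone-number binding; the IMPU is assumed to arrive as an `impu` query parameter; the SP and Portal cookies are assumed to have been integrity-checked already and are passed in as dicts; the GPRS address pool is a fixed network chosen for the example, and the `register_binding` signature is mine. One check the patent leaves implicit is made explicit: an address is treated as GPRS access only when it lies in the operator's own pool and has a live RADIUS binding, because a subscriber lookup by IP address only means something for addresses the core network assigned. The fall-through follows the text: when a judgement holds but the IDMP query fails, the user has no identity federation and ordinary login is used; only a judgement that does not apply passes to the next one.

```python
"""Unified login cascade of the embodiment (steps 1-5).

Added example, not code from the patent. Assumptions: in-memory tables
stand in for the IDMP database and the RADIUS server; the IMPU arrives
as an `impu` query parameter; SP and Portal cookies are already
integrity-checked dicts; GPRS_POOL is an arbitrary example network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

GPRS_POOL = ipaddress.ip_network("10.64.0.0/16")  # assumption: operator's APN pool
COOKIE_VALIDITY = 3600                             # "for example 1 hour"


class RadiusAccounting:
    """Stand-in for the core-network RADIUS server (IP -> phone number binding)."""

    def __init__(self, bindings: dict[str, str]):
        self._bindings = dict(bindings)

    def phone_for_ip(self, ip: str) -> Optional[str]:
        return self._bindings.get(ip)


class IDMP:
    """Identity federation server: maps a core-network identity (IMPU) to the
    user name at each SP, and a phone number to the core-network identity."""

    def __init__(self, radius: RadiusAccounting):
        self._radius = radius
        self._federation: dict[str, dict[str, str]] = {}  # impu -> {sp: user}
        self._phone_to_impu: dict[str, str] = {}

    def register_binding(self, impu: str, phone: str, sp: str, sp_user: str) -> None:
        """Registration function offered to SPs and the Portal (assumed signature)."""
        self._federation.setdefault(impu, {})[sp] = sp_user
        self._phone_to_impu[phone] = impu

    def query_by_impu(self, impu: str, sp: str) -> Optional[str]:
        return self._federation.get(impu, {}).get(sp)

    def query_by_ip(self, ip: str, sp: str) -> tuple[bool, Optional[str]]:
        """Return (is_gprs_access, sp_user). Only a pool address with a live
        RADIUS binding counts as GPRS access; no other address is ever mapped
        to a subscriber."""
        if ipaddress.ip_address(ip) not in GPRS_POOL:
            return False, None
        phone = self._radius.phone_for_ip(ip)
        if phone is None:
            return False, None
        impu = self._phone_to_impu.get(phone)
        return True, (self.query_by_impu(impu, sp) if impu else None)

    def query_by_portal_session(self, portal_cookie: dict, sp: str) -> Optional[str]:
        """The Portal's unified login record carries the core identity (assumed field)."""
        return self.query_by_impu(portal_cookie.get("impu", ""), sp)


@dataclass
class Request:
    url: str
    client_ip: str
    sp_cookie: Optional[dict] = None      # verified SP login record, if any
    portal_cookie: Optional[dict] = None  # Portal's unified login record, if any


@dataclass
class LoginResult:
    method: str                 # cookie | impu | gprs | portal | manual
    username: Optional[str]
    set_cookie: Optional[dict] = None


def unified_login(req: Request, sp: str, idmp: IDMP, now: int) -> LoginResult:
    # Step 1: a valid SP cookie means the user is already logged in here.
    c = req.sp_cookie
    if c and c.get("sp") == sp and c["login_time"] <= now < c["valid_until"]:
        return LoginResult("cookie", c["user"])
    # Judgement 1: browser launched by a software terminal -> IMPU in the URL.
    impu = parse_qs(urlparse(req.url).query).get("impu", [None])[0]
    if impu:
        return _finish("impu", idmp.query_by_impu(impu, sp), sp, now)
    # Judgement 2: GPRS access -> phone number via RADIUS, then federation record.
    is_gprs, user = idmp.query_by_ip(req.client_ip, sp)
    if is_gprs:
        return _finish("gprs", user, sp, now)
    # Judgement 3: already logged in at the Portal or another SP.
    if req.portal_cookie:
        user = idmp.query_by_portal_session(req.portal_cookie, sp)
        return _finish("portal", user, sp, now)
    # All three judgements failed: ordinary login.
    return LoginResult("manual", None)


def _finish(method: str, user: Optional[str], sp: str, now: int) -> LoginResult:
    # A judgement held but the IDMP query failed: no identity federation, so
    # the SP falls back to user name/password or phone-number login (step 5).
    if user is None:
        return LoginResult("manual", None)
    cookie = {"user": user, "sp": sp, "login_time": now,
              "valid_until": now + COOKIE_VALIDITY}
    return LoginResult(method, user, cookie)
```

The returned `set_cookie` is the record the SP writes in step 5; a real deployment would sign it before sending it to the browser, since the cascade trusts whatever a verified cookie says.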

Claims (3)

1. A multi-account one-key login and authentication mechanism, characterized in that it is based on multi-account one-key login access rights and on a multi-account authentication mechanism that grants users rights to access database resources; in short, in a distributed, multi-service network environment, a user is authenticated once and obtains valid proof of identity for all services in the distributed system, and under this condition the administrator can readily apply the desired security controls without modifying or interfering with user login. Against replay attacks and for transmission security, the multi-account one-key login and authentication mechanism adds a timestamp and an encryption mechanism to protect the system.
2. The multi-account one-key login access rights according to claim 1, characterized in that identity federation is introduced, establishing mutual mapping relations between the several different identities of the same user. An identity federation server (IDMP) is added to the mobile core network, maintaining the federation information linking the user's core-network identity with the user's SP identities. When the user accesses a service, the service asks the IDMP whether the user has logged in to the core network or to another service; if so, the IDMP obtains the user's identity for this service through the identity mapping relation, thereby completing the login step of using the service.
3. The multi-account authentication mechanism granting users rights to access database resources according to claim 1, characterized in that a new functional entity, the identity federation server (IDMP), is proposed, which realizes the joint mapping between the user's multiple identities and provides SPs with functions to query and register bound user identities. The IDMP is the hub of unified login authentication: SIP terminals and browsers are authenticated uniformly through the IDMP, the IDMP exchanges information with the GGSN and with web SPs, and the user need log in only once to use services across the whole network. Internally the IDMP is divided into two logical entities: the IDMP server (including the Portal) and a database. The IDMP server realizes unified login, unified query and identity federation, and the database stores the users' identity federation information.

Priority application: CN201510995538.5A, priority date 2015-12-28, filing date 2015-12-28, "Multi-account one-key login and authentication mechanism"

Publication: CN105577667A (en), published 2016-05-11

Family ID: 55887324; one family application, CN201510995538.5A (Pending)

Country status: CN (1), CN105577667A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
CN108429732A * (priority 2018-01-23, published 2018-08-21), 平安普惠企业管理有限公司: A method and system for obtaining resources
CN108449361A * (priority 2018-04-25, published 2018-08-24), 苏州云坤信息科技有限公司: An application-gateway-based login-free identity authentication method
CN109388922A * (priority 2017-08-04, published 2019-02-26), 镇江雅迅软件有限责任公司: A user management and one-key login implementation method based on the RBAC model
CN109936565A * (priority 2019-01-28, published 2019-06-25), 平安科技(深圳)有限公司: Method, apparatus, computer device and storage medium for logging in to multiple service clusters

Patent Citations (4)

* Cited by examiner, † Cited by third party
KR20130140509A * (priority 2012-06-14, published 2013-12-24), (주)아이비즈소프트웨어: Methods and apparatus for integrated authentication for auto-login
CN104394141A * (priority 2014-11-21, published 2015-03-04), 南京邮电大学: Unified authentication method based on distributed file system
CN105162779A * (priority 2015-08-20, published 2015-12-16), 南威软件股份有限公司: Method for using uniform user authentication in multiple systems
CN105187401A * (priority 2015-08-13, published 2015-12-23), 浪潮(北京)电子信息产业有限公司: Method and system for unified login of multiple systems


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Liu Baoyi (刘宝义), "Design and prototype implementation of a unified login authentication scheme" (统一登录认证方案设计与原型实现), China Master's Theses Full-text Database, Information Science and Technology series *



Legal Events

Code Title
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160511