CN105592026A - Multi-network-segment multi-system single sign on method - Google Patents


Info

Publication number
CN105592026A
Authority
CN
China
Prior art keywords
cas
user
multisegment
multisystem
ticket
Prior art date
Legal status
Pending
Application number
CN201410645753.8A
Other languages
Chinese (zh)
Inventor
臧主峰
刘琳
李勤新
翟媛媛
陈勇
潘志敏
李明节
常青
李尹
李亚楼
田芳
Current Assignee
State Grid Corp of China SGCC
State Grid Zhejiang Electric Power Co Ltd
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
State Grid Corp of China SGCC
State Grid Zhejiang Electric Power Co Ltd
China Electric Power Research Institute Co Ltd CEPRI
Priority date
2014-11-14
Filing date
2014-11-14
Publication date
2016-05-18
Application filed by State Grid Corp of China SGCC, State Grid Zhejiang Electric Power Co Ltd, China Electric Power Research Institute Co Ltd CEPRI

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a multi-network-segment multi-system single sign on method. The method is realized based on CAS. The CAS comprises a CAS server and a CAS client. The method comprises the following steps: a user browser accessing the CAS client; redirectioning to the CAS server; performing user authentication; redirectioning to the CAS client and sending authentication parameters; confirming sign on success; and after the sign on success, redirectioning to a request address. The method can reduce the time consumed by a user in signing on different systems and reduces the possibility of sign on errors of the user; and while secure sign on is realized, the situation in which user authentication information of multiple systems is processed and preserved can also be avoided.

Description

A multi-network-segment multi-system single sign-on method
Technical field:
The present invention relates to a single sign-on method, and more specifically to a multi-network-segment multi-system single sign-on method.
Background technology:
Single sign-on (Single Sign On, SSO) refers to a process based on user/session authentication in which the user provides credentials only once (logs in only once) and can then access multiple applications. At present, single sign-on is mainly applied to multiple Web-based applications, realizing unified account authentication for multiple B/S (browser/server) architecture applications through the browser.
A single sign-on scheme effectively integrates existing business systems, solves the problem of unified user authentication across multiple business systems, realizes single sign-on and access control, and adopts appropriate security mechanisms to strengthen the security of the user identity authentication process. In some specific fields, for reasons of information security, the administered network may be divided into an internal network and an external network, or even into multiple network segments. For example, the multiple application systems of the national grid control centre serve user groups on different network segments, so unified login to multiple applications for different network segments needs to be realized.
Commercial SSO products generally suit customers with very high SSO requirements, but apart from their price, another major issue with commercial SSO software is that its support for the customer's own application systems may not be very complete; open-source SSO basically cannot meet the demand for unified login across intranet, extranet and multi-segment applications. Therefore a multi-network-segment multi-system single sign-on method is proposed to address the above problems.
Summary of the invention:
The object of the invention is to provide a multi-network-segment multi-system single sign-on method that reduces redundant system operations, reduces implementation and deployment difficulty, and saves hardware resource costs.
To achieve the above object, the present invention adopts the following technical solution: a multi-network-segment multi-system single sign-on method, realized based on CAS; the CAS comprises a CAS server and a CAS client; the method comprises the following steps:
(1) the user's browser accesses the CAS client;
(2) redirect to the CAS server;
(3) the user authenticates;
(4) redirect to the CAS client and send the authentication parameters;
(5) confirm that login succeeded;
(6) after successful login, redirect to the requested address.
In the multi-network-segment multi-system single sign-on method provided by the invention, step (1) accesses the CAS client by entering the CAS login interface; the login interface is entered by starting the application program.
In the multi-network-segment multi-system single sign-on method provided by the invention, the CAS login interface requires the user to enter a username and password.
In another preferred multi-network-segment multi-system single sign-on method provided by the invention, step (3) authenticates the obtained username and password against an authentication mechanism.
In a further preferred multi-network-segment multi-system single sign-on method provided by the invention, when the user has successfully logged in to CAS, the CAS sends a memory cookie back to the browser; the cookie is held in memory rather than stored persistently, and expires automatically as soon as the browser is closed.
In another preferred multi-network-segment multi-system single sign-on method provided by the invention, after the user authenticates successfully, the CAS server creates a randomly generated character string, the Ticket; the CAS links the ticket with the successfully logged-in user and the service of the user's application.
In another preferred multi-network-segment multi-system single sign-on method provided by the invention, the ticket is a one-time credential: it is used only once, by the successfully logged-in user and their service, and becomes invalid immediately after use.
In another preferred multi-network-segment multi-system single sign-on method provided by the invention, in step (4), when the CAS client turns from its application program to CAS, it can, according to the source of the client request, convert the subsystem address into the address URL of the corresponding network segment, submit that URL for authentication, and record the URL; when CAS redirects back, the ticket is passed as a parameter to the application program.
In another preferred multi-network-segment multi-system single sign-on method provided by the invention, step (5) confirms whether login succeeded by verifying the ticket; after the application program receives the ticket, it needs to verify it; the ticket is verified by passing it to a URL provided by the CAS server.
In another preferred multi-network-segment multi-system single sign-on method provided by the invention, after the CAS obtains the ticket, the CAS server judges it: if the ticket is judged valid, a mark is returned to the application program; the CAS then cancels the ticket and leaves a cookie on the client; other application programs then use this cookie to authenticate, and a username and password no longer need to be entered.
Compared with the closest prior art, the technical solution provided by the invention has the following advantages:
1. the invention reduces the time a user spends logging in to different systems and reduces the possibility of user login errors;
2. the invention avoids handling and storing the authentication information of multiple sets of system users while realizing secure login;
3. the invention reduces the time the system administrator spends adding users, deleting users and modifying user rights;
4. the invention increases security: the system administrator has better means of managing users; for example, a user's access rights to all system resources can be revoked by directly disabling or deleting that user;
5. the invention is non-invasive to each subsystem that requires unified authentication, and needs no extra programming;
6. the invention has good extensibility and supports multiple authentication mechanisms and encryption algorithms; through a custom certificate issued by the system, the ordinary transport protocol can be converted to the more secure https protocol.
Brief description of the drawings
Fig. 1 is the flow diagram of the method of the present invention.
Detailed description of the invention
The invention is described in further detail below with reference to an embodiment.
Embodiment 1:
As shown in Figure 1, the multi-network-segment multi-system single sign-on method of this embodiment is realized based on CAS; this single sign-on is divided into a "server side (CAS Server)" and a "client side (CAS Client)". The server side is the single sign-on server, and the client side is a class-library plug-in package. An application program that uses single sign-on needs to integrate the client class-library plug-in package into its own system. The single sign-on client package simply implements the authentication interface provided, replacing the authentication part of the original application's code.
When an application first needs to initiate authentication, the client class-library package embedded in the application intercepts the original application's login screen and forwards directly to the login page of the single sign-on server; after a correct username and password are entered, the user can enter the original application system, and the other subsystems can also be accessed directly from this client.
Security:
Software systems related to the power grid often require higher security. With the multi-network-segment multi-system single sign-on implementation, the user only needs to enter the correct username and password at the single sign-on server; the server side generates the user's unique login credential, the ticket; and the client browser, each subsystem and the authentication server verify and communicate by means of the ticket, without directly transmitting user-related information, so security is relatively high.
Principle: 1 cookie + N sessions
The single sign-on server creates an encrypted cookie on the client, which stores the user's login information for use by all sub-applications when they log in. If the user now wishes to enter another Web application, the single sign-on client integrated into that application will still first redirect to the CAS server. But now the CAS server no longer requires the user to enter a username and password; instead it first automatically finds the cookie and logs the user in according to the information stored in it. After successful verification, CAS redirects back to the user's application, and each application creates its own session through the client browser.
How CAS handles a login:
● When the application starts, it normally skips the original login interface and redirects the login to the CAS login interface (if the user prefers, they can also enter the CAS login interface manually, log in first, and then start the other applications).
● The CAS login interface handles the so-called "primary authentication". It requires the user to enter a username and password, just like an ordinary login interface.
● During primary authentication, CAS obtains the username and password and then authenticates through some authentication mechanism. Usually the authentication mechanism is LDAP (or some standard authentication method, such as LDAP or a database); in the collaborative platform, a custom encryption algorithm combined with a database is used for authentication.
● To allow later single sign-on, CAS sends a so-called "memory cookie" back to the browser. This cookie is held in memory rather than stored persistently: as soon as the browser is closed, it expires automatically. This cookie is called the "ticket-granting cookie" (TGC) and indicates that the user has logged in successfully.
● After successful authentication, the CAS server creates a very long, randomly generated character string called a "Ticket". CAS then links this ticket with the successfully logged-in user and the service. The ticket is a one-time credential: it can be used only once, by the user who logged in successfully and for that service. After use, it becomes invalid immediately.
● After primary authentication is complete, CAS redirects the user's browser back to the original application. When the CAS client turns from the application to CAS, it can, according to the source of the client request, convert the subsystem address into the address URL of the corresponding network segment, submit that URL for authentication, and record the URL, so CAS knows who is calling it. When CAS redirects, the ticket is passed back as a parameter.
● After receiving the ticket, the application needs to verify it. This is done by passing the ticket to a verification URL, which is also provided by the CAS server.
● After CAS has obtained the ticket through the verification path, it judges the ticket inside the server. If the ticket is judged valid, a mark is returned to the application.
● CAS then cancels the ticket and leaves a cookie on the client.
From then on, other applications use this cookie to authenticate, and a username and password no longer need to be entered.
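As an added illustration (not code from the patent or from the CAS project), the following Python simulation walks through the flow described above: one memory cookie (TGC) at the CAS server, a one-time ticket bound to the user and the service URL, verification through the server's validate path, and a separate session per application. The subsystem-to-segment URL mapping, the user names and the passwords are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

# Constructed mapping (hypothetical): subsystem name -> service URL on the
# network segment that serves it; the client submits and records this URL.
SEGMENT_URLS = {
    "oms": "https://10.1.0.5/oms/",          # intranet segment (constructed)
    "portal": "https://172.16.0.9/portal/",  # extranet segment (constructed)
}


@dataclass
class CasServer:
    """Server side: holds TGCs (memory cookies) and not-yet-used tickets."""
    users: dict                                  # username -> password (constructed)
    tgcs: dict = field(default_factory=dict)     # TGC value -> username
    tickets: dict = field(default_factory=dict)  # ticket -> (username, service)

    def login(self, username=None, password=None, tgc=None):
        """Primary authentication; a valid TGC skips the password prompt."""
        if tgc in self.tgcs:
            return tgc
        if username is None or self.users.get(username) != password:
            return None
        tgc = "TGC-" + secrets.token_urlsafe(32)  # long random string
        self.tgcs[tgc] = username
        return tgc

    def issue_ticket(self, tgc, service):
        """Bind a fresh one-time ticket to (logged-in user, service)."""
        ticket = "ST-" + secrets.token_urlsafe(32)
        self.tickets[ticket] = (self.tgcs[tgc], service)
        return ticket

    def validate(self, ticket, service):
        """The verification URL: consume the ticket and check the service."""
        entry = self.tickets.pop(ticket, None)    # cancelled on first use
        if entry is None:
            return None
        user, bound_service = entry
        if bound_service != service:              # issued for another service
            return None
        return user                               # the "mark" handed to the app


class CasClient:
    """Client plug-in embedded in one subsystem; owns that subsystem's sessions."""

    def __init__(self, subsystem, server):
        self.service = SEGMENT_URLS[subsystem]    # address mapped to its segment URL
        self.server = server
        self.sessions = {}                        # session cookie -> username

    def access(self, browser, username=None, password=None):
        """Steps (1)-(6): redirect to CAS, authenticate, ticket, verify, session."""
        tgc = self.server.login(username, password, browser.get("tgc"))
        if tgc is None:
            return None
        browser["tgc"] = tgc                      # memory cookie kept by the browser
        ticket = self.server.issue_ticket(tgc, self.service)
        user = self.server.validate(ticket, self.service)
        if user is None:
            return None
        session_id = "SESSION-" + secrets.token_urlsafe(16)
        self.sessions[session_id] = user          # one session per application
        browser[self.service] = session_id
        return user


def demo():
    """Constructed walk-through: one password prompt, then SSO across segments."""
    server = CasServer(users={"alice": "s3cret"})
    oms, portal = CasClient("oms", server), CasClient("portal", server)
    browser = {}                                    # one user's cookie jar
    first = oms.access(browser, "alice", "s3cret")  # prompted for password once
    second = portal.access(browser)                 # TGC reused, no password
    ticket = server.issue_ticket(browser["tgc"], oms.service)
    replay = (server.validate(ticket, portal.service),  # wrong service: rejected
              server.validate(ticket, oms.service))     # already consumed: rejected
    return first, second, replay
```

The two rejected validations in demo() show why the ticket must be bound to the recorded service URL and cancelled on first use: a ticket presented to a different subsystem, or presented twice, yields no mark.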
Finally, it should be noted that the above embodiment is only intended to illustrate the technical solution of the present invention and not to limit it. Although the invention has been described in detail with reference to the above embodiment, those of ordinary skill in the art should understand that the specific embodiments of the invention can still be modified or equivalently replaced, and any such modification or equivalent replacement that does not depart from the spirit and scope of the invention falls within the protection scope of the pending claims.

Claims (10)

1. A multi-network-segment multi-system single sign-on method, the method being realized based on CAS, the CAS comprising a CAS server and a CAS client, characterized in that the method comprises the following steps:
(1) the user's browser accesses the CAS client;
(2) redirect to the CAS server;
(3) the user authenticates;
(4) redirect to the CAS client and send the authentication parameters;
(5) confirm that login succeeded;
(6) after successful login, redirect to the requested address.
2. The multi-network-segment multi-system single sign-on method as claimed in claim 1, characterized in that step (1) accesses the CAS client by entering the CAS login interface; the login interface is entered by starting the application program.
3. The multi-network-segment multi-system single sign-on method as claimed in claim 2, characterized in that the CAS login interface requires the user to enter a username and password.
4. The multi-network-segment multi-system single sign-on method as claimed in claim 3, characterized in that step (3) authenticates the obtained username and password against an authentication mechanism.
5. The multi-network-segment multi-system single sign-on method as claimed in claim 4, characterized in that when the user has successfully logged in to CAS, the CAS sends a memory cookie back to the browser; the cookie is held in memory rather than stored persistently, and expires automatically as soon as the browser is closed.
6. The multi-network-segment multi-system single sign-on method as claimed in claim 5, characterized in that after the user authenticates successfully, the CAS server creates a randomly generated character string, the Ticket; the CAS links the ticket with the successfully logged-in user and the service of the user's application.
7. The multi-network-segment multi-system single sign-on method as claimed in claim 6, characterized in that the ticket is a one-time credential: it is used only once, by the successfully logged-in user and their service, and becomes invalid immediately after use.
8. The multi-network-segment multi-system single sign-on method as claimed in claim 7, characterized in that in step (4), when the CAS client turns from its application program to CAS, it can, according to the source of the client request, convert the subsystem address into the address URL of the corresponding network segment, submit that URL for authentication, and record the URL; when CAS redirects back, the ticket is passed as a parameter to the application program.
9. The multi-network-segment multi-system single sign-on method as claimed in claim 8, characterized in that step (5) confirms whether login succeeded by verifying the ticket; after the application program receives the ticket, it needs to verify it; the ticket is verified by passing it to a URL provided by the CAS server.
10. The multi-network-segment multi-system single sign-on method as claimed in claim 9, characterized in that after the CAS obtains the ticket, the CAS server judges it; if the ticket is judged valid, a mark is returned to the application program; the CAS then cancels the ticket and leaves a cookie on the client; other application programs can then use this cookie to authenticate, and a username and password no longer need to be entered.
CN201410645753.8A 2014-11-14 2014-11-14 Multi-network-segment multi-system single sign on method Pending CN105592026A (en)


Publications (1)

Publication Number Publication Date
CN105592026A true CN105592026A (en) 2016-05-18

Family

ID=55931244

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355527A (en) * 2008-08-15 2009-01-28 深圳市中兴移动通信有限公司 Method for implementing single-point LOG striding domain name
CN101631052A (en) * 2009-08-25 2010-01-20 杭州华三通信技术有限公司 Method and device for detecting number of access terminals
CN102571822A (en) * 2012-02-27 2012-07-11 杭州闪亮科技有限公司 Single sign-on system and implementation method thereof
CN103179134A (en) * 2013-04-19 2013-06-26 中国建设银行股份有限公司 Single sign on method and system based on Cookie and application server thereof
CN103188248A (en) * 2011-12-31 2013-07-03 卓望数码技术(深圳)有限公司 Identity authentication system and method based on single sign-on
CN103428191A (en) * 2012-05-18 2013-12-04 无锡指网生物识别科技有限公司 Single sign on method based on combination of CAS framework and fingerprint
US8713658B1 (en) * 2012-05-25 2014-04-29 Graphon Corporation System for and method of providing single sign-on (SSO) capability in an application publishing environment
US20140189839A1 (en) * 2012-12-31 2014-07-03 Michal Jezek Single sign-on methods and apparatus therefor

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111614672A (en) * 2017-05-26 2020-09-01 朱海燕 CAS basic verification method and CAS-based authority authentication device
CN107819610A (en) * 2017-10-23 2018-03-20 中国南方电网有限责任公司 A kind of integrated method of Regulation system single-point
CN112825516A (en) * 2019-11-21 2021-05-21 广州凡科互联网科技股份有限公司 Token-based multi-system unified login method
CN111654501A (en) * 2020-06-05 2020-09-11 山东汇贸电子口岸有限公司 Unified safe login method for electronic government affair safety supervision platform
CN111654501B (en) * 2020-06-05 2022-08-12 浪潮云信息技术股份公司 Unified safe login method for electronic government affair safety supervision platform
CN112104641A (en) * 2020-09-11 2020-12-18 中国联合网络通信集团有限公司 Login form conversion method and device, storage medium and electronic equipment
CN112104641B (en) * 2020-09-11 2022-07-29 中国联合网络通信集团有限公司 Login form conversion method and device, storage medium and electronic equipment
CN115459954A (en) * 2022-08-10 2022-12-09 国家电网有限公司客户服务中心 Authentication method of system and related equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160518