CN105897743A - Cross-domain single sign-on method and server - Google Patents


Info

Publication number
CN105897743A
Authority
CN
China
Prior art keywords
site
server
client
agent
token
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610362534.8A
Other languages
Chinese (zh)
Inventor
王玉林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nubia Technology Co Ltd
Original Assignee
Nubia Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network


Abstract

The invention discloses a cross-domain single sign-on method and a server. The method comprises the following steps: when a client is in the logged-in state of a first site and wants to log in to a second site, the server generates a session key of the second site and connects that session key to the user session, where the user session is the session between the server and the client that was established when the client logged in to the first site; the agent of the second site generates the same session key of the second site and requests user information from the server; the server returns the user information to the agent of the second site; and the agent of the second site redirects the client to the index page of the second site.

Description

Cross-domain single sign-on method and server
Technical Field
The present invention relates to the field of computers, and in particular, to a cross-domain single sign-on method and server.
Background
Single Sign-On (SSO) is a method in which a user only needs to log in once to access all mutually trusted application systems among a plurality of application systems. It includes a mechanism that maps this primary login to a login for the same user in the other applications. It is currently one of the more popular solutions for enterprise business integration.
The single sign-on mechanism is shown in fig. 3. When a user accesses application system 1 for the first time, the user is not yet logged in and is therefore guided to the authentication system to log in; the authentication system verifies the identity according to the login information provided by the user and, if verification passes, returns an authentication credential (a ticket) to the user. When the user then accesses another application, the ticket is presented as proof of authentication; after receiving the request, the application system sends the ticket to the authentication system, which verifies it and checks its validity. If the ticket is valid, the user can access application system 2 and application system 3 without logging in again.
Single sign-on mainly solves the following problems: one account shared by multiple sites, and one login to one application logging the user in to the other applications at the same time. Most single sign-on applications and protocols are very complex, and applications have their own relatively complete user management schemes, which makes them difficult to integrate. There is currently no effective solution for achieving cross-domain single sign-on using the principle of session connection.
Disclosure of Invention
In order to solve the technical problem, the invention provides a cross-domain single sign-on method and a server.
In order to achieve the purpose of the invention, the invention provides a cross-domain single sign-on method, which comprises the following steps:
when a client side is in a login state of a first site and wants to log in a second site, a server side generates a session key of the second site and connects the session key of the second site to a user session, wherein the user session is the user session between the server side and the client side, which is established when the client side logs in the first site;
the agent of the second site generates a session key of the second site and requests user information from the server;
and the server returns user information to the agent of the second site, and the agent of the second site redirects the client to the index page of the second site.
In one embodiment, before the client is in the login state of the first site, the server establishes the user session with the client, including:
the client acquires a first token, a first application identifier and a first application key from an agent of the first site and redirects the first token, the first application identifier and the first application key to the server;
and the server generates a session key of the first site based on the first token, the first application identifier and the first application key, and establishes the user session with the client.
In one embodiment, the client obtaining the first token, the first application identifier and the first application key from the agent of the first site includes:
the client sends an access request of a first site index page to an agent of the first site;
and the agent of the first site randomly generates the token, stores it in a cache (cookie) together with the locally stored first application identifier and first application key, and returns them to the client.
In an embodiment, before the server generates the session key of the second site, the method further includes: the client acquires a second token, a second application identifier and a second application key from an agent of the second site and redirects the second token, the second application identifier and the second application key to the server;
and the server generating the session key of the second site comprises: the server generates the session key of the second site based on the second token, the second application identifier and the second application key.
In one embodiment, before the agent of the second site generates the session key of the second site, the method further includes:
the server redirects the client back to the original Uniform Resource Locator (URL);
the client sends an access request for the index page of the second site to the agent of the second site;
and the agent of the second site generates the session key of the second site based on the second token, the second application identifier and the second application key.
In another aspect, a single sign-on server is provided, including:
the establishing module is used for establishing a user session with a client when the client logs in the first site;
the connection module is used for receiving the second token, the second application identifier and the second application key redirected by the client, generating a session key of the second site, and connecting the session key of the second site to the user session established by the establishment module;
and the user information processing module is used for directly returning the user information to the agent of the second site after receiving the user information request sent by the agent of the second site when detecting that the client is logged in.
In one embodiment, the connection module is further configured to redirect the client to the original URL after connecting the session key of the second site to the user session established by the establishing module.
In one embodiment, the server further comprises an authentication module, configured to receive a login request sent by the agent of the first site, perform user authentication according to the login information in the login request, and return a response of successful authentication to the agent of the first site when the authentication passes.
In an embodiment, the user information processing module is further configured to return a not-logged-in response to the agent of the first site or the agent of the second site when it detects that the client is not logged in.
There is also provided a proxy server for cross-domain single sign-on, comprising:
the user information request module is used for generating a session key of the second site according to the second token, the second application identifier and the second application key of the second site and sending a user information request to the server;
and the redirection module is used for redirecting the client to the index page of the second site according to the user information returned by the server.
According to the cross-domain single sign-on method and the server provided by the embodiment of the invention, the client establishes the user session with the server when logging in the site for the first time, and then can directly log in other sites by establishing the session key and connecting the user session, so that the cross-domain single sign-on is realized by utilizing the principle of session connection.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification; they illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention without limiting it.
Fig. 1 is a schematic diagram of a hardware structure of a mobile terminal implementing various embodiments of the present invention;
Fig. 2 is a diagram of a wireless communication system for the mobile terminal shown in Fig. 1;
Fig. 3 is a diagram illustrating a related-art single sign-on;
Fig. 4 is a flowchart illustrating a cross-domain single sign-on method according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of the client logging in to site 1 for the first time in the embodiment of the present invention;
Fig. 6 is a schematic flowchart of logging in to site 2 when the client is in the logged-in state of site 1 in the embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a single sign-on server for cross-domain single sign-on according to an embodiment of the present invention;
Fig. 8 is a block diagram of a cross-domain single sign-on proxy server according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a cross-domain single sign-on system according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of an example server structure according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
A mobile terminal implementing various embodiments of the present invention will now be described with reference to the accompanying drawings. In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for facilitating the explanation of the present invention, and have no specific meaning in themselves. Thus, "module" and "component" may be used in a mixture.
The mobile terminal may be implemented in various forms. For example, the terminal described in the present invention may include a mobile terminal such as a mobile phone, a smart phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a navigation device, and the like, and a stationary terminal such as a digital TV, a desktop computer, and the like. In the following, it is assumed that the terminal is a mobile terminal. However, it will be understood by those skilled in the art that the configuration according to the embodiment of the present invention can be applied to a fixed type terminal in addition to elements particularly used for moving purposes.
Fig. 1 is a schematic hardware configuration of a mobile terminal implementing various embodiments of the present invention.
The mobile terminal 100 may include a wireless communication unit 110, a user input unit 130, an output unit 150, a memory 160, a controller 180, and a power supply unit 190, etc. Fig. 1 illustrates a mobile terminal having various components, but it is to be understood that not all illustrated components are required to be implemented. More or fewer components may alternatively be implemented. Elements of the mobile terminal will be described in detail below.
The wireless communication unit 110 typically includes one or more components that allow radio communication between the mobile terminal 100 and a wireless communication system or network. For example, the wireless communication unit may include at least one of a broadcast receiving module 111, a mobile communication module 112, a wireless internet module 113, a short-range communication module 114, and a location information module 115.
The broadcast receiving module 111 receives a broadcast signal and/or broadcast associated information from an external broadcast management server via a broadcast channel. The broadcast channel may include a satellite channel and/or a terrestrial channel. The broadcast management server may be a server that generates and transmits a broadcast signal and/or broadcast associated information, or a server that receives a previously generated broadcast signal and/or broadcast associated information and transmits it to a terminal. The broadcast signal may include a TV broadcast signal, a radio broadcast signal, a data broadcast signal, and the like. Also, the broadcast signal may further include a broadcast signal combined with a TV or radio broadcast signal. The broadcast associated information may also be provided via a mobile communication network, in which case the broadcast associated information may be received by the mobile communication module 112. The broadcast signal may exist in various forms, for example in the form of an Electronic Program Guide (EPG) of Digital Multimedia Broadcasting (DMB), an Electronic Service Guide (ESG) of Digital Video Broadcasting-Handheld (DVB-H), and the like. The broadcast receiving module 111 may receive a signal broadcast by using various types of broadcasting systems. In particular, the broadcast receiving module 111 may receive digital broadcasting by using a digital broadcasting system such as Digital Multimedia Broadcasting-Terrestrial (DMB-T), Digital Multimedia Broadcasting-Satellite (DMB-S), Digital Video Broadcasting-Handheld (DVB-H), Media Forward Link Only (MediaFLO®), Integrated Services Digital Broadcasting-Terrestrial (ISDB-T), etc. The broadcast receiving module 111 may be constructed to be suitable for various broadcasting systems that provide broadcast signals, as well as the above-mentioned digital broadcasting systems.
The broadcast signal and/or broadcast associated information received via the broadcast receiving module 111 may be stored in the memory 160 (or other type of storage medium).
The mobile communication module 112 transmits and/or receives radio signals to and/or from at least one of a base station (e.g., access point, node B, etc.), an external terminal, and a server. Such radio signals may include voice call signals, video call signals, or various types of data transmitted and/or received according to text and/or multimedia messages.
The wireless internet module 113 supports wireless internet access of the mobile terminal. The module may be internally or externally coupled to the terminal. The wireless internet access technology to which the module relates may include WLAN (wireless LAN) (Wi-Fi), Wibro (wireless broadband), Wimax (worldwide interoperability for microwave access), HSDPA (high speed downlink packet access), and the like.
The short-range communication module 114 is a module for supporting short-range communication. Some examples of short-range communication technologies include Bluetooth™, Radio Frequency Identification (RFID), Infrared Data Association (IrDA), Ultra Wideband (UWB), ZigBee™, and so on.
The location information module 115 is a module for checking or acquiring location information of the mobile terminal. A typical example of the location information module is a GPS (global positioning system). According to the current technology, the GPS module 115 calculates distance information and accurate time information from three or more satellites and applies triangulation to the calculated information, thereby accurately calculating three-dimensional current location information according to longitude, latitude, and altitude. Currently, a method for calculating position and time information uses three satellites and corrects an error of the calculated position and time information by using another satellite. In addition, the GPS module 115 can calculate speed information by continuously calculating current position information in real time.
The user input unit 130 may generate key input data according to a command input by a user to control various operations of the mobile terminal. The user input unit 130 allows a user to input various types of information, and may include a keyboard, dome sheet, touch pad (e.g., a touch-sensitive member that detects changes in resistance, pressure, capacitance, and the like due to being touched), scroll wheel, joystick, and the like. In particular, when the touch pad is superimposed on the display unit 151 in the form of a layer, a touch screen may be formed.
The display unit 151 may display information processed in the mobile terminal 100. For example, when the mobile terminal 100 is in a phone call mode, the display unit 151 may display a User Interface (UI) or a Graphical User Interface (GUI) related to a call or other communication (e.g., text messaging, multimedia file downloading, etc.). When the mobile terminal 100 is in a video call mode or an image capturing mode, the display unit 151 may display a captured image and/or a received image, a UI or GUI showing a video or an image and related functions, and the like.
The memory 160 may store software programs and the like for processing and controlling operations performed by the controller 180, or may temporarily store data (e.g., a phonebook, messages, still images, videos, and the like) that has been or will be output. Also, the memory 160 may store data regarding various ways of vibration and audio signals output when a touch is applied to the touch screen.
The memory 160 may include at least one type of storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. Also, the mobile terminal 100 may cooperate with a network storage device that performs a storage function of the memory 160 through a network connection.
The controller 180 generally controls the overall operation of the mobile terminal. For example, the controller 180 performs control and processing related to voice calls, data communications, video calls, and the like. In addition, the controller 180 may include a multimedia module 1810 for reproducing (or playing back) multimedia data, and the multimedia module 1810 may be constructed within the controller 180 or may be constructed separately from the controller 180. The controller 180 may perform a pattern recognition process to recognize a handwriting input or a picture drawing input performed on the touch screen as a character or an image.
The power supply unit 190 receives external power or internal power and provides appropriate power required to operate various elements and components under the control of the controller 180.
The various embodiments described herein may be implemented in a computer-readable medium using, for example, computer software, hardware, or any combination thereof. For a hardware implementation, the embodiments described herein may be implemented using at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a processor, a controller, a microcontroller, a microprocessor, an electronic unit designed to perform the functions described herein, and in some cases, such embodiments may be implemented in the controller 180. For a software implementation, the implementation such as a process or a function may be implemented with a separate software module that allows performing at least one function or operation. The software codes may be implemented by software applications (or programs) written in any suitable programming language, which may be stored in the memory 160 and executed by the controller 180.
Up to this point, mobile terminals have been described in terms of their functionality. Hereinafter, a slide-type mobile terminal among various types of mobile terminals, such as a folder-type, bar-type, swing-type, slide-type mobile terminal, and the like, will be described as an example for the sake of brevity. Accordingly, the present invention can be applied to any type of mobile terminal, and is not limited to a slide type mobile terminal.
The mobile terminal 100 as shown in fig. 1 may be configured to operate with communication systems such as wired and wireless communication systems and satellite-based communication systems that transmit data via frames or packets.
A communication system in which a mobile terminal according to the present invention is operable will now be described with reference to fig. 2.
Such communication systems may use different air interfaces and/or physical layers. For example, the air interface used by the communication system includes, for example, Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), and Universal Mobile Telecommunications System (UMTS) (in particular, Long Term Evolution (LTE)), global system for mobile communications (GSM), and the like. By way of non-limiting example, the following description relates to a CDMA communication system, but such teachings are equally applicable to other types of systems.
Referring to fig. 2, the CDMA wireless communication system may include a plurality of mobile terminals 100, a plurality of Base Stations (BSs) 270, Base Station Controllers (BSCs) 275, and a Mobile Switching Center (MSC) 280. The MSC 280 is configured to interface with a Public Switched Telephone Network (PSTN) 290. The MSC 280 is also configured to interface with a BSC 275, which may be coupled to the base station 270 via a backhaul. The backhaul may be constructed according to any of several known interfaces including, for example, E1/T1, ATM, IP, PPP, Frame Relay, HDSL, ADSL, or xDSL. It will be understood that a system as shown in fig. 2 may include multiple BSCs 275.
Each BS 270 may serve one or more sectors (or regions), each sector covered by a multi-directional antenna or an antenna pointing in a particular direction radially away from the BS 270. Alternatively, each sector may be covered by two or more antennas for diversity reception. Each BS 270 may be configured to support multiple frequency allocations, with each frequency allocation having a particular frequency spectrum (e.g., 1.25 MHz, 5 MHz, etc.).
The intersection of a sector with a frequency allocation may be referred to as a CDMA channel. The BS 270 may also be referred to as a Base Transceiver Subsystem (BTS) or other equivalent terminology. In such a case, the term "base station" may be used to refer generically to a single BSC 275 and at least one BS 270. The base stations may also be referred to as "cells". Alternatively, each sector of a particular BS 270 may be referred to as a plurality of cell sites.
As shown in fig. 2, a Broadcast Transmitter (BT) 295 transmits a broadcast signal to the mobile terminals 100 operating within the system. A broadcast receiving module 111 as shown in fig. 1 is provided at the mobile terminal 100 to receive the broadcast signal transmitted by the BT 295. In fig. 2, several Global Positioning System (GPS) satellites 300 are shown. The satellites 300 assist in locating at least one of the plurality of mobile terminals 100.
In fig. 2, a plurality of satellites 300 are depicted, but it is understood that useful positioning information may be obtained with any number of satellites. The GPS module 115 as shown in fig. 1 is generally configured to cooperate with satellites 300 to obtain desired positioning information. Other techniques that can track the location of the mobile terminal may be used instead of or in addition to GPS tracking techniques. In addition, at least one GPS satellite 300 may selectively or additionally process satellite DMB transmission.
As a typical operation of the wireless communication system, the BS 270 receives reverse link signals from various mobile terminals 100. The mobile terminals 100 are generally engaged in conversations, messaging, and other types of communications. Each reverse link signal received by a particular base station 270 is processed within that BS 270. The obtained data is forwarded to the associated BSC 275. The BSC provides call resource allocation and mobility management functions including coordination of soft handoff procedures between BSs 270. The BSCs 275 also route the received data to the MSC 280, which provides additional routing services for interfacing with the PSTN 290. Similarly, the PSTN 290 interfaces with the MSC 280, the MSC interfaces with the BSCs 275, and the BSCs 275 accordingly control the BSs 270 to transmit forward link signals to the mobile terminals 100.
As shown in fig. 4, an embodiment of the present invention provides a cross-domain single sign-on method, which mainly includes:
step 401, when a client is in a login state of a first site and wants to log in a second site, a server generates a session key of the second site and connects the session key of the second site to a user session, where the user session is a user session between the server and the client, which is established when the client logs in the first site;
step 402, the agent of the second site generates the session key of the second site and requests user information from the server;
step 403, the server returns user information to the agent of the second site, and the agent of the second site redirects the client to the index page of the second site.
Before the client is in the login state of the first site, the method further comprises the following steps: the server establishes the user session with a client; the client acquires a first TOKEN _1, a first application identifier APPID _1 and a first application key APPKEY _1 from an agent of the first site and redirects the first TOKEN, the first application identifier APPID _1 and the first application key APPKEY _1 to the server; and the server generates a session key of the first site based on the TOKEN _1, the APPID _1 and the APPKEY _1, and establishes the user session with the client. Here, the client sends an access request of a first site index page to an agent of the first site; and the agent of the first site randomly generates the TOKEN _1, and stores the TOKEN _1 in a cache (Cookie) and returns the TOKEN _1 to the client.
Before the server generates the session key of the second station, the method further includes: the client acquires a second TOKEN _2, a second application identifier APPID _2 and a second application key APPKEY _2 from an agent of the second site and redirects the second TOKEN, the second application identifier APPID _2 and the second application key APPKEY _2 to the server; the server generates a session key of the second station, and the session key is: and the server generates a session key of the second station based on the TOKEN _2, the APPID _2 and the APPKEY _ 2. Here, the client sends an access request of a second site index page to an agent of the second site; and the proxy of the second site randomly generates the TOKEN _2, and stores the TOKEN _2 in a Cookie and returns the Cookie to the client.
Before the proxy of the second station generates the session key of the second station, the method further includes: the server side redirects the client side back to an original Uniform Resource Locator (URL); the client sends an access request of a second site index page to an agent of the second site; and the proxy of the second station generates the session key of the second station based on TOKEN _2, APPID _2 and APPKEY _ 2.
After the user session is established and before the client enters the logged-in state of the first site, the method further includes the following steps: the agent of the first site redirects the client to the login page of the first site; the client obtains the login information entered by the user and sends it to the agent of the first site; the agent of the first site sends a login request carrying the login information to the server; the server authenticates the user according to the login information in the login request and, when authentication passes, returns an authentication-success response to the agent of the first site; and the agent of the first site redirects the client to the index page of the first site, so that the user is logged in to the first site.
Here, before the agent of the first site redirects the client to the login page of the first site, the method further includes: the server redirects the client back to the original URL; the client sends an access request for the first site's index page to the agent of the first site; the agent of the first site generates the session key of the first site and requests user information from the server; and the server detects that the client is not logged in and returns a not-logged-in response to the agent of the first site.
In the embodiment of the invention, the client is the user's browser; the agent (proxy) is the server or other equipment of a website accessed by the user, and each website has a unique identifier APPID and a key APPKEY stored at its agent; the server is the single sign-on server, which stores and provides the user information required for sign-on.
The agent communicates with the single sign-on server on behalf of the client, so ideally the agent and the client would share one session. Because they are in different domains they cannot share a session, so in this embodiment the agent issues a TOKEN to the client and has the client deliver it to the server by redirect. The server derives a session key from TOKEN, APPID and APPKEY and uses it to connect the client; the agent, which also knows TOKEN, APPID and APPKEY, derives the same session key independently and uses it to proxy login/logout commands and to request user information from the server.
The process of the client logging in to site 1 for the first time is shown in fig. 5 and mainly includes the following steps:
step 501, the client accesses site 1 for the first time and sends an access request for the site 1 index page to agent 1 of site 1;
step 502, agent 1 receives the access request, randomly generates a TOKEN, stores the TOKEN in a Cookie and returns it to the client;
step 503, the client redirects to the server carrying the TOKEN, the encrypted application identifier (APPID) and the encrypted application key (APPKEY);
step 504, the single sign-on server generates a session key for connecting the client from the TOKEN and the decrypted APPID and APPKEY, and establishes a first user session with the client; for security, the session key contains a checksum, so that an attacker cannot reach session information by submitting a random session key;
step 505, the single sign-on server redirects the client back to the original Uniform Resource Locator (URL); from here on the client communicates with the agent just as it would without SSO;
step 506, the client sends an access request for the site 1 index page to agent 1 based on the original URL it was redirected to; the index page requires the visitor to be logged in;
step 507, agent 1 generates a session key from TOKEN, APPID and APPKEY; this session key corresponds to the first user session;
step 508, agent 1 sends a request for user information to the server;
step 509, the server detects that the visitor is not logged in and returns a not-logged-in response to agent 1;
step 510, agent 1 redirects the client to the login page;
step 511, the client displays the login page to the user, receives the login information entered on it, such as user name and password, and sends the login information to agent 1;
step 512, agent 1 sends a login request to the server, the login request carrying the user name, the password and the session key;
steps 513 and 514, the server authenticates the user according to the login request and, if authentication succeeds, sends an authentication-success response to agent 1;
step 515, agent 1 redirects the client to the index page of site 1.
Specifically, the client sends an access request for the site 1 index page to agent 1, agent 1 requests the user information from the server, the server returns the user information to agent 1, agent 1 returns the site 1 index page to the client, and the client shows the user that login authentication succeeded and then automatically jumps to the site 1 index page.
With the client in the logged-in state, the process of the user logging in to another site 2 is shown in fig. 6 and mainly includes:
step 601, the client accesses site 2 and sends an access request for the site 2 index page to agent 2 of site 2;
step 602, agent 2 receives the access request, randomly generates a TOKEN, stores the TOKEN in a Cookie and returns it to the client;
here, for security, the agent generally keeps the APPID and APPKEY on the agent side rather than in the Cookie;
step 603, the client redirects to the server carrying the TOKEN, the encrypted application identifier (APPID) and the encrypted application key (APPKEY);
step 604, the single sign-on server generates a new session key for agent 2 from the TOKEN and the decrypted APPID and APPKEY; the new session key differs from the session key of agent 1 but is connected to the first user session, that is, the new session key and the session key of agent 1 share the same user session;
step 605, the single sign-on server redirects the client back to the original URL;
step 606, the client sends an access request for the site 2 index page to agent 2;
step 607, agent 2 generates the new session key from TOKEN, APPID and APPKEY; it is identical to the session key generated by the server in step 604 and is connected to the first user session;
step 608, agent 2 sends a request for user information to the server, the request carrying the session key generated in step 607;
steps 609 and 610, the server detects that the client is logged in and returns the user information to agent 2;
specifically, the server finds the first user session connected to the session key carried in the request from agent 2 and, from that user session, detects that the corresponding client is logged in; that is, if user information for the client is found through the first user session, the server returns the user information directly to agent 2;
step 611, agent 2 redirects the client to the index page of site 2.
The above flow may further include the following steps:
step 612, the client sends a logout request to agent 2;
step 613, agent 2 forwards the logout request to the server;
step 614, the server returns a logout-success response to agent 2, closes the user session and destroys the session key;
step 615, agent 2 redirects the client to the landing page of site 2.
It should be noted that the flow in fig. 6 also checks whether a Cookie holding the agent's TOKEN exists. Each agent is in its own domain and has its own Cookies, so when the client first visits site 2 no Cookie for agent 2 is found; that is why, after the client requests the site 2 index page, agent 2 redirects the client to the server to connect to the user session.
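The exchange of figs. 5 and 6 and the logout steps 612 to 615, simulated end to end as an added example; this is not the patent's code. It models the page's three roles: a browser whose cookies are partitioned by domain, two agents that each hold their own APPID and APPKEY and derive the session key locally, and a single sign-on server that binds each derived key to one user session. Two things are assumptions because the text does not fix them: the derivation function (here HMAC-SHA256 keyed with APPKEY over TOKEN and APPID, with a short checksum tag appended as step 504 requires) and how the server recognises the returning browser at step 604 (here a cookie in the server's own domain, sso_sid). The example also deviates from steps 503 and 603 in one deliberate way: the browser carries only TOKEN and APPID and the server looks APPKEY up in its own registry, since both ends already hold APPKEY and nothing in the derivation requires it to transit the browser. The domains, the APPIDs and APPKEYs, and the user alice with password pw are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Assumed derivation: the patent fixes only that the key comes from TOKEN, APPID and
# APPKEY and carries a checksum (step 504). 32 hex chars keyed body + 8 hex chars tag.
def checksum(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()[:8]

def derive_session_key(token: str, appid: str, appkey: bytes) -> str:
    body = hmac.new(appkey, f"{token}|{appid}".encode(), hashlib.sha256).hexdigest()[:32]
    return body + checksum(body)

def well_formed(key: str) -> bool:
    return len(key) == 40 and hmac.compare_digest(checksum(key[:32]), key[32:])

def jar(browser: dict, domain: str) -> dict:
    """Browser cookies are per domain: agent 1's TOKEN cookie is invisible to agent 2."""
    return browser.setdefault(domain, {})

class SSOServer:
    DOMAIN = "sso.example"  # hypothetical domain of the single sign-on server

    def __init__(self, apps: dict, users: dict):
        self.apps, self.users = apps, users  # APPID -> APPKEY; username -> password (constructed)
        self.sessions = {}                   # sso_sid -> {"user": str | None, "keys": set()}
        self.by_key = {}                     # session key -> sso_sid

    def connect(self, browser: dict, token: str, appid: str) -> None:
        """Steps 503/504 and 603/604: derive the site's key, bind it to the browser's user session."""
        sso_jar = jar(browser, self.DOMAIN)
        sid = sso_jar.get("sso_sid")         # assumed: returning browser recognised by this cookie
        if sid not in self.sessions:
            sid = sso_jar["sso_sid"] = secrets.token_hex(16)
            self.sessions[sid] = {"user": None, "keys": set()}
        key = derive_session_key(token, appid, self.apps[appid])
        self.sessions[sid]["keys"].add(key)
        self.by_key[key] = sid

    def _session(self, key: str):
        if not well_formed(key) or key not in self.by_key:
            return None                      # random, malformed or destroyed keys reach no session
        return self.sessions[self.by_key[key]]

    def user_info(self, key: str) -> tuple:
        s = self._session(key)
        if s is None:
            return ("unknown_key", None)
        return ("ok", s["user"]) if s["user"] else ("not_logged_in", None)  # steps 609/610 vs 509

    def login(self, key: str, username: str, password: str) -> bool:
        s = self._session(key)               # steps 512-514
        if s is None or not hmac.compare_digest(self.users.get(username, ""), password):
            return False
        s["user"] = username
        return True

    def logout(self, key: str) -> bool:
        s = self._session(key)               # step 614: close the session, destroy all its keys
        if s is None:
            return False
        del self.sessions[self.by_key[key]]
        for k in s["keys"]:
            self.by_key.pop(k, None)
        return True

class Proxy:
    def __init__(self, domain: str, appid: str, appkey: bytes, sso: SSOServer):
        self.domain, self.appid, self.appkey, self.sso = domain, appid, appkey, sso

    def _key(self, browser: dict) -> str:    # steps 507 / 607: derived locally, never fetched
        return derive_session_key(jar(browser, self.domain)["TOKEN"], self.appid, self.appkey)

    def index(self, browser: dict) -> tuple:
        site_jar = jar(browser, self.domain)
        if "TOKEN" not in site_jar:                               # steps 502/503 and 602/603
            site_jar["TOKEN"] = secrets.token_hex(16)
            self.sso.connect(browser, site_jar["TOKEN"], self.appid)
        status, user = self.sso.user_info(self._key(browser))     # steps 508 / 608
        if status == "unknown_key":                               # stale TOKEN after a logout elsewhere
            del site_jar["TOKEN"]
            return self.index(browser)
        return ("index", user) if status == "ok" else ("login_page", None)

    def login(self, browser: dict, username: str, password: str) -> tuple:
        if not self.sso.login(self._key(browser), username, password):
            return ("login_page", None)
        return self.index(browser)                                # step 515

    def logout(self, browser: dict) -> tuple:                     # steps 612-615
        self.sso.logout(self._key(browser))
        jar(browser, self.domain).pop("TOKEN", None)
        return ("landing_page", None)

def run_demo() -> tuple:
    sso = SSOServer({"site1": b"key-one", "site2": b"key-two"}, {"alice": "pw"})
    site1 = Proxy("site1.example", "site1", b"key-one", sso)
    site2 = Proxy("site2.example", "site2", b"key-two", sso)
    browser = {}
    first = site1.index(browser)            # fig. 5: first visit ends at the login page
    after_login = site1.login(browser, "alice", "pw")
    second = site2.index(browser)           # fig. 6: new key, same user session, no password asked
    keys = len(sso.sessions[browser[SSOServer.DOMAIN]["sso_sid"]]["keys"])
    site2.logout(browser)
    after_logout = site1.index(browser)     # site 1's key died with the session; login needed again
    return first, after_login, second, keys, after_logout
```

Two practitioner points fall out of running it. The checksum in the session key only rejects malformed keys; what keeps a guessed key away from a session is that the key is derived under APPKEY and the server only honours keys it has itself registered in connect, so the checksum is a cheap pre-filter rather than the protection. And step 614 destroys the user session together with every session key attached to it, but the TOKEN cookies set by the other agents survive in the browser; without the unknown_key branch in Proxy.index, site 1 would keep presenting a dead key after a logout at site 2 and never re-connect.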
As shown in fig. 7, an embodiment of the present invention further provides a single sign-on server, including:
an establishing module 71, configured to establish a user session with a client when the client logs in the first site;
a connection module 72, configured to receive a second TOKEN _2, a second application identifier APPID _2, and a second application key APPKEY _2 redirected by the client, generate a session key of a second site, and connect the session key of the second site to the user session established by the establishment module;
and the user information processing module 73 is configured to return the user information directly to the agent of the second site, upon receiving a user information request from the agent of the second site, when it detects that the client is logged in.
The connection module 72 is further configured to redirect the client to an original uniform resource locator URL after connecting the session key of the second site to the user session established by the establishment module.
Wherein, the single sign-on server further comprises: and the authentication module 74 is configured to receive a login request sent by the agent of the first site, perform user authentication according to login information in the login request, and return a response of successful authentication to the agent of the first site when the authentication passes.
The user information processing module 73 is further configured to return a not-logged-in response to the agent of the first site or the agent of the second site when it detects that the client is not logged in.
As shown in fig. 8, an embodiment of the present invention further provides a proxy server for cross-domain single sign-on, including:
the user information request module 81 is configured to generate a session key of the second site according to the second TOKEN _2, the second application identifier APPID _2, and the second application key APPKEY _2 of the second site, and send a user information request to the server;
and the redirection module 82 is configured to redirect the client to the index page of the second site according to the user information returned by the server.
Wherein the proxy server further comprises: the TOKEN returning module 83 is configured to randomly generate a TOKEN, and store the TOKEN in a Cookie and return the TOKEN to the client.
The embodiment of the present invention further provides a client for cross-domain single sign-on, including an acquisition module for acquiring the TOKEN, the application identifier APPID and the application key APPKEY and redirecting to the server. The acquisition module is specifically configured to send an access request for an index page to an agent and to receive the Cookie returned by the agent, the Cookie carrying TOKEN, APPID and APPKEY. The client is specifically a browser, which may run on the mobile terminal shown in figs. 1 and 2 or on any other electronic device that supports a browser.
As shown in fig. 9, an embodiment of the present invention further provides a cross-domain single sign-on system, which includes the single sign-on server shown in fig. 7, the proxy server shown in fig. 8, and the client described above.
As shown in fig. 10, which is a schematic diagram illustrating a structure example of the server according to the embodiment of the present invention, the server may further include, in addition to the modules: an Input Output (IO) bus, a processor 40, a memory 41, a memory 42, and a communication device 43. Wherein,
the input/output (IO) bus is connected to other components (the processor 40, the memory 41, the memory 42, and the communication device 43) of the server to which the IO bus belongs, and provides a transmission line for the other components.
The processor 40 typically controls the overall operation of the server to which it belongs. For example, processor 40 performs computations, validation, etc. The processor 40 may be a Central Processing Unit (CPU).
The communication means 43, typically comprising one or more components, allows radio communication between the server to which it belongs and the wireless communication system or network.
The memory 41 stores processor 40 readable, processor executable software code containing instructions for controlling the processor 40 to perform the functions described herein (i.e., software performing functions). It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for cross-domain single sign-on, comprising:
when a client side is in a login state of a first site and wants to log in a second site, a server side generates a session key of the second site and connects the session key of the second site to a user session, wherein the user session is the user session between the server side and the client side, which is established when the client side logs in the first site;
the agent of the second site generates a session key of the second site and requests user information from the server;
and the server returns user information to the agent of the second site, and the agent of the second site redirects the client to the index page of the second site.
2. The method of claim 1, wherein the server establishes the user session with the client before the client is in a logged-on state at the first site, comprising:
the client acquires a first token, a first application identifier and a first application key from an agent of the first site and redirects the first token, the first application identifier and the first application key to the server;
and the server generates a session key of the first site based on the first token, the first application identifier and the first application key, and establishes the user session with the client.
3. The method of claim 1, wherein the client obtaining the first token, the first application identifier, and the first application key from a proxy at the first site comprises:
the client sends an access request of a first site index page to an agent of the first site;
and the agent of the first site randomly generates the token and stores the token, together with the locally stored first application identifier and first application key, in a cache to return to the client.
4. The method of claim 1,
before the server generates the session key of the second site, the method further includes: the client acquires a second token, a second application identifier and a second application key from an agent of the second site and redirects the second token, the second application identifier and the second application key to the server;
the server generates a session key of the second site, namely: the server generates the session key of the second site based on the second token, the second application identifier and the second application key.
5. The method of claim 4, wherein before the agent of the second site generates the session key of the second site, the method further comprises:
the server redirects the client back to the original Uniform Resource Locator (URL);
the client sends an access request of a second site index page to an agent of the second site;
the agent of the second site generates a session key for the second site based on the second token, the second application identifier, and the second application key.
6. A single sign-on server, comprising:
the establishing module is used for establishing a user session with a client when the client logs in the first site;
the connection module is used for receiving the second token, the second application identifier and the second application key redirected by the client, generating a session key of the second site, and connecting the session key of the second site to the user session established by the establishment module;
and the user information processing module is used for directly returning the user information to the agent of the second site after receiving the user information request sent by the agent of the second site when detecting that the client is logged in.
7. The single sign-on server of claim 6,
the connection module is further configured to redirect the client to an original uniform resource locator URL after connecting the session key of the second site to the user session established by the establishment module.
8. The single sign-on server of claim 6, further comprising:
and the authentication module is used for receiving a login request sent by the agent of the first site, performing user authentication according to login information in the login request, and returning a response of successful authentication to the agent of the first site when the authentication passes.
9. The single sign-on server of claim 10,
and the user information processing module is also used for returning a response of detecting no login to the agent of the first site or the agent of the second site when detecting no login.
10. A proxy server for cross-domain single sign-on, comprising:
the user information request module is used for generating a session key of the second site according to the second token, the second application identifier and the second application key of the second site and sending a user information request to the server;
and the redirection module is used for redirecting the client to the index page of the second site according to the user information returned by the server.
Application CN201610362534.8A, priority and filing date 2016-05-26, "Cross-domain single sign-on method and server", status Pending, published as CN105897743A (en)

Publications (1)

CN105897743A, publication date 2016-08-24

Legal Events

C06 / PB01: Publication (application publication date 2016-08-24)
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
RJ01: Rejection of invention patent application after publication