CN106161348B - Single sign-on method, system and terminal - Google Patents


Info

Publication number
CN106161348B
Authority
CN
China
Prior art keywords
single sign
information
terminal
request
sign
Legal status
Active
Application number
CN201510145659.0A
Other languages
Chinese (zh)
Other versions
CN106161348A (en)
Inventor
李睿
邓启周
王恩子
程克依
李锡杰
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201510145659.0A
Priority to PCT/CN2015/088306 (WO2016155220A1)
Publication of CN106161348A
Application granted
Publication of CN106161348B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The single sign-on method, the single sign-on system and the single sign-on terminal are applied in the field of communications. After a user starts an application program, the terminal acquires identification information of the current user and, according to that identification information, acquires the corresponding single sign-on information from a local secure storage area; when the single sign-on information is successfully acquired, the terminal verifies it; when the verification passes, the terminal allows the current user to log in to the application program. Compared with the prior art, the single sign-on information is kept in the secure storage area and the user's login password is not stored directly, which improves the security of the user's information; in addition, the single sign-on information is verified rather than accepted unconditionally, so that single sign-on cannot be performed arbitrarily at any time and place, which further improves its security. With this method, a secure and efficient single sign-on mode for applications is realized and the user experience is improved.

Description

Single sign-on method, system and terminal
Technical Field
The present invention relates to the field of communications, and in particular, to a method, a system, and a terminal for single sign-on.
Background
With the development of the mobile internet, many enterprises have a strong demand for mobility in applications such as OA, finance and customer relations. Single sign-on on mobile devices is a basic function of enterprise application mobility: after a user logs in to one application of an enterprise on a mobile device, another application of the same enterprise can be opened without entering the user ID and password again.
Patent No. 201210291230.9, entitled "Single sign-on method on a mobile device", stores user information in a trusted module; the trusted module also records the login state of the user and broadcasts it when the state changes. When a user logs in to an associated module, that module acquires the user information from the trusted module through a secure channel, and single sign-on is thereby achieved. Although that patent is directed at implementing single sign-on on a mobile device, the method depends on a trusted module that resides in some application, so other applications can only use single sign-on if the application carrying the trusted module is installed on the device. The trusted module records only the login and logout states, so other applications can single sign-on after a successful login no matter how much time has passed, which is unsafe. In addition, the trusted module records private information of the user, such as the user's password; keeping the user password on the mobile device in this way is very insecure. Improving the security of single sign-on has therefore become an urgent problem to be solved.
Disclosure of Invention
The invention provides a method, a system and a terminal for single sign-on, and aims to solve the problem of the poor security of conventional single sign-on.
In order to solve the above problem, the present invention provides a single sign-on method, which comprises:
the terminal acquires identification information of a current user after the user starts an application program, and acquires corresponding single sign-on information from a local secure storage area according to the identification information;
when the single sign-on information is successfully acquired, the terminal verifies the single sign-on information;
and when the verification is passed, the terminal allows the current user to log in the application program.
In an embodiment of the present invention, the verifying of the single sign-on information by the terminal includes: the terminal judges whether the application program is being initially loaded, and selects a corresponding single sign-on information verification mode for verification according to the judgment result.
In one embodiment of the invention, the single sign-on information comprises a security token; the terminal selects a corresponding single sign-on information verification mode for verification according to the judgment result, and the verification comprises the following steps:
when the judgment result is not an initial load, the terminal verifies whether the security token has expired;
and when the judgment result is the initial load, the terminal sends a security token verification request to the single-point authentication server, so that the single-point authentication server verifies the security token according to the security token verification request.
In one embodiment of the invention, the single sign-on information comprises a timestamp; the terminal verifying whether the security token is expired comprises: and verifying whether the security token is expired according to the timestamp.
In an embodiment of the present invention, when the acquisition fails or the verification fails, the terminal sends a single sign-on request to the single-point authentication server, so that the single-point authentication server performs verification according to the single sign-on request and generates single sign-on information; the terminal receives the single sign-on information returned by the single-point authentication server and stores it in the local secure storage area.
In one embodiment of the invention, when the obtaining fails, the single sign-on request includes enterprise identification information, application identification information, user identification information, a password, and terminal information.
In one embodiment of the invention, when the authentication fails, the single sign-on information includes a session key, and the single sign-on request includes the session key of the last single sign-on.
In order to solve the above problem, the present invention further provides a single sign-on method, including:
the terminal acquires identification information of a current user after the user starts an application program, and acquires corresponding single sign-on information from a local secure storage area according to the identification information;
when the single sign-on information is successfully acquired, the terminal verifies the single sign-on information;
when the acquisition fails, the terminal sends a single sign-on request to the single-point authentication server; the single sign-on request comprises enterprise identification information, application program identification information, user identification information, a password and terminal information; the single-point authentication server receives the single sign-on request, performs verification according to it, generates single sign-on information and sends the single sign-on information to the terminal; the terminal receives the single sign-on information returned by the single-point authentication server and stores it in the local secure storage area;
when the verification is passed, the terminal allows the current user to log in the application program;
when the verification fails, the terminal sends a single sign-on request to the single-point authentication server; the single sign-on request comprises the session key of the last single sign-on; the single-point authentication server receives the single sign-on request, performs verification according to it, generates single sign-on information and sends the single sign-on information to the terminal; and the terminal receives the single sign-on information returned by the single-point authentication server and stores it in the local secure storage area.
In order to solve the above problem, the present invention further provides a terminal, including an obtaining module, an authenticating module, and a single sign-on module:
the acquisition module is used for acquiring the identification information of the current user after the user starts the application program and acquiring the corresponding single sign-on information from the local safe storage area according to the identification information;
when the single sign-on information is successfully acquired, the verification module is used for verifying the single sign-on information;
and when the authentication is passed, the single sign-on module allows the current user to log in the application program.
In an embodiment of the present invention, the verification module is further configured to determine whether the application program is initially loaded, and select a corresponding single sign-on information verification manner for verification according to a determination result.
In one embodiment of the invention, the single sign-on information comprises a security token; the verification module is further to:
when the judgment result is not an initial load, the terminal verifies whether the security token has expired;
and when the judgment result is the initial load, the terminal sends a security token verification request to the single-point authentication server, so that the single-point authentication server verifies the security token according to the security token verification request.
In an embodiment of the present invention, the verification module is further configured to send a single sign-on request to a single authentication server when the obtaining fails or the verification fails, so that the single authentication server performs verification according to the single sign-on request and generates single sign-on information; and receiving the single sign-on information returned by the single point authentication server, and storing the single point sign-on information into a local safe storage area.
In order to solve the above problem, the present invention further provides a single sign-on system, which includes a terminal and a single authentication server:
the terminal is used for acquiring the identification information of the current user after the user starts the application program, and acquiring the corresponding single sign-on information from the local safe storage area according to the identification information;
when the single sign-on information is successfully acquired, the terminal is also used for verifying the single sign-on information;
when the acquisition fails, the terminal is also used for sending a single sign-on request to the single-point authentication server; the single sign-on request comprises enterprise identification information, application program identification information, user identification information, a password and terminal information; the single-point authentication server is used for receiving the single sign-on request, performing verification according to it, generating single sign-on information and sending the single sign-on information to the terminal; the terminal is also used for receiving the single sign-on information returned by the single-point authentication server and storing it in the local secure storage area;
when the verification is passed, the terminal is also used for allowing the current user to log in the application program;
when the verification fails, the terminal is also used for sending a single sign-on request to the single-point authentication server; the single sign-on request comprises the session key of the last single sign-on; the single-point authentication server is also used for receiving the single sign-on request, performing verification according to it, generating single sign-on information and sending the single sign-on information to the terminal; the terminal is also used for receiving the single sign-on information returned by the single-point authentication server and storing it in the local secure storage area.
The invention has the beneficial effects that:
according to the single sign-on method, the single sign-on system and the single sign-on terminal, after a user starts an application program the terminal acquires the identification information of the current user and, according to that identification information, acquires the corresponding single sign-on information from the local secure storage area; when the single sign-on information is successfully acquired, the terminal verifies it; when the verification passes, the terminal allows the current user to log in to the application program. Compared with the prior art, the single sign-on information is kept in the secure storage area and the user's login password is not stored directly, which improves the security of the user's information; in addition, the single sign-on information is verified rather than accepted unconditionally, so that single sign-on cannot be performed arbitrarily at any time and place, which further improves its security. With this method, a secure and efficient single sign-on mode for applications is realized and the user experience is improved.
Drawings
Fig. 1 is a schematic flowchart of a single sign-on method according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a single sign-on method according to a second embodiment of the present invention;
Fig. 3 is a flowchart illustrating a single sign-on method according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a terminal according to a third embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a single sign-on system according to a third embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Example one
The single sign-on method of the present embodiment, as shown in Fig. 1, includes the following steps:
step S101: the terminal acquires identification information of a current user after the user starts an application program, and acquires corresponding single sign-on information from a local secure storage area according to the identification information;
In this step, the terminal mainly refers to a mobile terminal, for example a mobile phone. The identification information of the user can be the user's ID or other common identification information. The single sign-on information is an authentication message for single sign-on, not the user's login password. The secure storage area is a storage area with a higher security factor, for example one for which authorization is required to view the stored data. For example, if an employee of a company, Zhang San, wants to log in to the company's OA through a mobile phone, Zhang San opens the OA client on the phone; the terminal obtains Zhang San's ID and, using that ID, obtains Zhang San's single sign-on information for the OA from the phone's secure storage area. It should be noted that the single sign-on information in the secure storage area may have been obtained from the single-point authentication server, or may have been stored from terminal input.
Step S102: when the single sign-on information is successfully acquired, the terminal verifies the single sign-on information;
In this step, after the terminal acquires the single sign-on information, it verifies that information instead of logging in directly, which improves the security of the single sign-on. Continuing the example of step S101, after the single sign-on information for Zhang San's OA login is acquired, it is verified first rather than being used directly to log in.
Step S103: when the authentication is passed, the terminal allows the current user to log in the application program.
In this step, continuing the example of step S102, once the verification of the single sign-on information for Zhang San's OA login passes, Zhang San is logged in to the OA and can perform the relevant operations in it.
Specifically, in step S102, the terminal's verification of the single sign-on information includes: the terminal judges whether the application program is being initially loaded, and selects the corresponding verification mode for the single sign-on information according to the judgment result. Specifically, the single sign-on information includes a security token; when the judgment result is not an initial load, the terminal verifies whether the security token has expired; when the judgment result is an initial load, the terminal sends a security token verification request to the single-point authentication server, so that the server verifies the security token according to that request. To judge whether the security token has expired, if the single sign-on information carries the timestamp of the security token, the terminal checks the timestamp: if the timestamp has expired the verification fails, otherwise it succeeds. In this way single sign-on cannot be performed at any arbitrary time but only within a certain authorization period, which further improves the security of the single sign-on and the user experience. If the application program is being initialized for the first time, it cannot yet be authorized locally, so the terminal must send a security token verification request to the single-point authentication server in order to judge whether the application program is legal; this protects the security of using the application, prevents an illegitimate application from being authorized to access, and protects the user's information.
In the above example of Zhang San, it is determined whether the OA is being initialized for the first time, i.e. initially loaded, when Zhang San logs in to the OA. If the OA is not being initially loaded, the terminal judges whether the security token in the single sign-on information is valid, that is, whether the timestamp of the security token has expired: if it has expired the verification fails and the single sign-on to the OA fails; if it has not expired the verification passes, the single sign-on to the OA succeeds, and Zhang San can perform the relevant operations in the OA. If the OA is being initially loaded, then even though a security token was acquired, it is verified by the single-point authentication server to see whether it allows single sign-on to the OA: the terminal sends a security token verification request to the single-point authentication server. If the server allows it, single sign-on to the OA proceeds; if the verification does not pass, login to the OA is not allowed.
Further, when the acquisition fails or the verification fails and the user still wants to perform single sign-on, the terminal sends a single sign-on request to the single-point authentication server, so that the server performs verification according to the request and generates single sign-on information; the terminal receives the single sign-on information returned by the server and stores it in the local secure storage area. Preferably, the single sign-on request is sent automatically. Specifically, when the acquisition fails, the single sign-on request includes enterprise identification information, application identification information, user identification information, a password, and terminal information. When the verification fails, the single sign-on information includes a session key, and the single sign-on request includes the session key of the last single sign-on. In the above example of Zhang San, when Zhang San performs the OA single sign-on and either no single sign-on information for Zhang San is found in the secure storage area, or it is found but its verification fails, and Zhang San still wants to use the OA: if there is no single sign-on information for Zhang San, a single sign-on request is sent to the single-point authentication server; the request includes data such as the enterprise ID of Zhang San's company, the application ID, Zhang San's ID, the password and the mobile phone information, and is sent to the single-point authentication server through a secure channel.
The single-point authentication server first verifies the legality of the enterprise and the application according to the enterprise ID and the application ID; secondly, it verifies the validity of Zhang San's identity according to Zhang San's ID and the password; it then associates the device information, the application ID and Zhang San's ID and generates a security token, a session key for the current authentication, and a timestamp. The timestamp is the maximum failure time of the single sign-on: when the single sign-on time of the application on the mobile device exceeds the timestamp, the single-point authentication server sets the application's security token on that mobile device to expired, and the application must re-initiate the single sign-on request. Once the terminal obtains the security token for Zhang San, Zhang San can log in to the OA, and Zhang San's single sign-on information is stored in the secure storage area of the mobile phone. If single sign-on information for Zhang San does exist but, for example, the security token has expired, a single sign-on request is again sent to the single-point authentication server; because some single sign-on information is already known at this point, it can be verified simply by the session key of the last single sign-on, and if that verification succeeds, Zhang San's single sign-on information is regenerated, which may include a new security token, timestamp and session key. Once the terminal obtains the new security token for Zhang San, Zhang San can log in to the OA, and the new single sign-on information is stored in the secure storage area of the mobile phone, ready for the next single sign-on.
Example two
The single sign-on method of the present embodiment mainly covers the first initialization procedure; as shown in Fig. 2, the method includes the following steps:
step S201: the terminal sends a single sign-on request to the single-point authentication server;
step S202: after the single-point authentication server authenticates successfully, it sends the corresponding single sign-on information to the terminal;
step S203: the terminal acquires the single sign-on information and stores it in the secure storage area;
step S204: after the application's single sign-on on the device succeeds, the single sign-on information is sent to the application server when the application server's service data is accessed;
step S205: the application server has the single-point authentication service verify the single sign-on information; when the verification succeeds, the terminal is allowed to access the related data.
Example three
The single sign-on method of the present embodiment, as shown in Fig. 3, includes the following steps:
step S301: the terminal application program is initialized or started, and acquires the current enterprise ID, the application program ID, user information and terminal information;
step S302: the terminal acquires a corresponding security token and a corresponding time stamp from the security storage area according to the user information; judging whether the corresponding security token is stored in the security storage area, and if so, entering the step S303; if not, the flow proceeds to step S309;
step S303: judging whether the application program is initially loaded or not; if not, go to step S304; if yes, go to step S306;
step S304: judging whether the security token is expired or not according to the timestamp; if yes, go to step S307; if not, go to step S305;
step S305: the security token passes verification; proceed to step S311;
step S306: initiating a security token verification request to the single-point authentication server, and if the verification is passed, entering step S305; if not, go to step S307;
step S307: the security token fails verification; proceed to step S308;
step S308: automatically initiating a single sign-on request to a single point authentication server, and entering step S310;
step S309: automatically initiating a single sign-on request to a single point authentication server, and entering step S310;
step S310: updating the user ID, the security token, the timestamp and the current session key in the local secure storage area, and entering step S311;
step S311: switching to the main page of the application after the single sign-on is successful;
step S312: initiating a service data request to a server of the application;
step S313: the application server initiates a security token verification request to the single-point authentication server;
step S314: after the verification is passed, the basic information of the user is obtained, and the user can access the application service data.
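The terminal-side flow of Fig. 3 (steps S301 to S311) together with the server-side checks of Example one (enterprise and application legality, user credentials, token with timestamp and session key, re-authentication by session key), as an added Python simulation that is not part of the patent. The secure storage area is modelled as a dictionary keyed by user ID; the token lifetime, the binding of a token to device and application, the single-use session key and all identifiers are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_LIFETIME = 3600   # seconds; assumed, the patent only speaks of "a certain authorization time"


class ManualClock:
    """Settable clock so that token expiry can be exercised without waiting."""
    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now


def pw_hash(password):
    """Only a digest of the password is kept in the server's user record."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class SsoInfo:
    """Single sign-on information as kept in the terminal's secure storage area."""
    user_id: str
    security_token: str
    timestamp: float     # expiry time of the token (its "maximum failure time")
    session_key: str     # used to re-authenticate once the token has expired


class AuthServer:
    """Stand-in for the single-point authentication server (constructed for this example)."""
    def __init__(self, clock, enterprises, apps, users):
        self.clock = clock
        self.enterprises, self.apps = set(enterprises), set(apps)
        self.users = {u: pw_hash(p) for u, p in users.items()}   # user ID -> password digest
        self.sessions = {}                                        # token -> (SsoInfo, app, device)

    def _issue(self, user_id, app_id, device):
        # Associate device, application and user; generate token, session key and timestamp.
        info = SsoInfo(user_id, secrets.token_hex(16),
                       self.clock() + TOKEN_LIFETIME, secrets.token_hex(16))
        self.sessions[info.security_token] = (info, app_id, device)
        return info

    def login(self, enterprise_id, app_id, user_id, password, device):
        """Full single sign-on request, sent when nothing was found in secure storage."""
        if enterprise_id not in self.enterprises or app_id not in self.apps:
            return None                         # enterprise or application not legal
        expected = self.users.get(user_id)
        if expected is None or password is None or \
                not hmac.compare_digest(expected, pw_hash(password)):
            return None                         # user identity not valid
        return self._issue(user_id, app_id, device)

    def refresh(self, user_id, app_id, device, last_session_key):
        """Single sign-on request that carries only the session key of the last sign-on."""
        for token, (info, app, dev) in list(self.sessions.items()):
            if (info.user_id, app, dev) == (user_id, app_id, device) and \
                    hmac.compare_digest(info.session_key, last_session_key):
                del self.sessions[token]        # assumption: the old session key is single-use
                return self._issue(user_id, app_id, device)
        return None

    def verify_token(self, token, app_id, device):
        """Security token verification request (initial load, or later from an app server)."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        info, app, dev = entry
        return (app, dev) == (app_id, device) and self.clock() < info.timestamp


class Terminal:
    """Terminal side of Fig. 3; the secure storage area is modelled as a dict keyed by user ID."""
    def __init__(self, clock, server, enterprise_id, app_id, device):
        self.clock, self.server = clock, server
        self.enterprise_id, self.app_id, self.device = enterprise_id, app_id, device
        self.secure_storage = {}
        self.initial_load = True                # application not yet initialised on this device

    def _store(self, info):
        if info is None:
            return False, "denied"
        self.secure_storage[info.user_id] = info          # S310: update token, timestamp, key
        self.initial_load = False
        return True, "S310"

    def start_app(self, user_id, password=None):
        """Runs steps S301-S311; returns (logged_in, step that concluded the flow)."""
        info = self.secure_storage.get(user_id)           # S302: look up by user ID
        if info is None:                                  # S309: full request with credentials
            return self._store(self.server.login(self.enterprise_id, self.app_id,
                                                 user_id, password, self.device))
        if self.initial_load:                             # S303 -> S306: ask the server
            ok = self.server.verify_token(info.security_token, self.app_id, self.device)
        else:                                             # S303 -> S304: check timestamp locally
            ok = self.clock() < info.timestamp
        if ok:
            self.initial_load = False                     # S305 -> S311: go to the main page
            return True, "S305"
        # S307 -> S308: re-authenticate with the last session key; the password is not needed
        return self._store(self.server.refresh(user_id, self.app_id,
                                               self.device, info.session_key))
```

Running the same terminal twice with an advanced clock exercises the expiry branch: the second start succeeds through the session key alone and the old token is no longer accepted by the server.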
Example four
The present embodiment provides a terminal 400, as shown in Fig. 4, including an obtaining module 401, a verification module 402, and a single sign-on module 403: the obtaining module 401 is configured to obtain identification information of the current user after the user starts an application program, and to obtain the corresponding single sign-on information from a local secure storage area according to the identification information; when the acquisition is successful, the verification module 402 is configured to verify the single sign-on information; when the verification passes, the single sign-on module 403 allows the current user to log in to the application.
Specifically, the verification module 402 is further configured to determine whether the application program is an initial load, and select a corresponding single sign-on information verification method for verification according to the determination result.
Specifically, the single sign-on information includes a security token; the verification module 402 is further configured to: when the judgment result is that the security token is not the initial load, the terminal 400 verifies whether the security token is expired; when the determination result is the initial load, the terminal 400 sends a security token verification request to the single-point authentication server, so that the single-point authentication server verifies the security token according to the security token verification request.
Specifically, the verification module 402 is further configured to send a single sign-on request to the single-point authentication server when the acquisition fails or the verification fails, so that the single-point authentication server performs verification according to the single sign-on request and generates single sign-on information; and to receive the single sign-on information returned by the single-point authentication server and store it in the local secure storage area.
The embodiment provides a single sign-on system, which includes a terminal 400 and a single-point authentication server 500: the terminal 400 is configured to obtain identification information of the current user after the user starts an application program, and to obtain the corresponding single sign-on information from a local secure storage area according to the identification information; when the acquisition is successful, the terminal 400 is further configured to verify the single sign-on information; when the acquisition fails, the terminal 400 is further configured to send a single sign-on request to the single-point authentication server 500; the single sign-on request includes enterprise identification information, application identification information, user identification information, a password, and terminal information; the single-point authentication server 500 is configured to receive the single sign-on request, perform verification according to it, generate single sign-on information and send the single sign-on information to the terminal 400; the terminal 400 is further configured to receive the single sign-on information returned by the single-point authentication server 500 and store it in the local secure storage area; when the verification passes, the terminal 400 is also used to allow the current user to log in to the application; when the verification fails, the terminal 400 is further configured to send a single sign-on request to the single-point authentication server 500; the single sign-on request comprises the session key of the last single sign-on; the single-point authentication server 500 is further configured to receive the single sign-on request, perform verification according to it, generate single sign-on information, and send the single sign-on information to the terminal 400; the terminal 400 is further configured to receive the single sign-on information returned by the single-point authentication server 500 and store it in the local secure storage area.
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, and the program may be stored in a computer readable storage medium, such as a read-only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
The above embodiments are merely to illustrate the technical solutions of the present invention and not to limit the present invention, and the present invention has been described in detail with reference to the preferred embodiments. It will be understood by those skilled in the art that various modifications and equivalent arrangements may be made without departing from the spirit and scope of the present invention and it should be understood that the present invention is to be covered by the appended claims.

Claims (13)

1. A method of single sign-on, comprising:
a terminal acquires identification information of a current user after the user starts an application program, and acquires corresponding single sign-on information from a local secure storage area according to the identification information, wherein the single sign-on information is generated by a single sign-on authentication server according to application program identification information, user identification information and terminal information in a single sign-on request;
when the single sign-on information is successfully acquired, the terminal verifies the single sign-on information;
and when the verification passes, the terminal allows the current user to log in to the application program.
2. The method of single sign-on of claim 1, wherein the terminal verifying the single sign-on information comprises: the terminal judges whether the application program is initially loaded, and selects a corresponding single sign-on information verification mode for verification according to the judgment result.
3. The method of single sign-on of claim 2, wherein the single sign-on information comprises a security token, and the terminal selecting a corresponding single sign-on information verification mode for verification according to the judgment result comprises:
when the judgment result is that the application program is not initially loaded, the terminal verifies whether the security token has expired;
and when the judgment result is that the application program is initially loaded, the terminal sends a security token verification request to the single sign-on authentication server, so that the single sign-on authentication server verifies the security token according to the security token verification request.
4. The method of single sign-on of claim 3, wherein the single sign-on information includes a timestamp, and the terminal verifying whether the security token has expired comprises: verifying whether the security token has expired according to the timestamp.
5. The single sign-on method according to any one of claims 1 to 4, wherein, when the acquisition fails or the verification fails, the terminal sends a single sign-on request to the single sign-on authentication server, so that the single sign-on authentication server performs verification according to the single sign-on request and generates single sign-on information; and the terminal receives the single sign-on information returned by the single sign-on authentication server and stores the single sign-on information in the local secure storage area.
6. The method of single sign-on of claim 5, wherein, when the acquisition fails, the single sign-on request includes enterprise identification information, application identification information, user identification information, a password, and terminal information.
7. The method of single sign-on of claim 5, wherein the single sign-on information includes a session key, and, when the verification fails, the single sign-on request includes the session key of the last single sign-on.
8. A method of single sign-on, comprising:
a terminal acquires identification information of a current user after the user starts an application program, and acquires corresponding single sign-on information from a local secure storage area according to the identification information, wherein the single sign-on information is generated by a single sign-on authentication server according to application program identification information, user identification information and terminal information in a single sign-on request;
when the single sign-on information is successfully acquired, the terminal verifies the single sign-on information;
when the acquisition fails, the terminal sends a single sign-on request to the single sign-on authentication server, the single sign-on request comprising enterprise identification information, application program identification information, user identification information, a password and terminal information; the single sign-on authentication server receives the single sign-on request, performs verification according to the single sign-on request, generates single sign-on information and sends the single sign-on information to the terminal; and the terminal receives the single sign-on information returned by the single sign-on authentication server and stores the single sign-on information in the local secure storage area;
when the verification passes, the terminal allows the current user to log in to the application program;
when the verification fails, the terminal sends a single sign-on request to the single sign-on authentication server, the single sign-on request comprising a session key of the last single sign-on; the single sign-on authentication server receives the single sign-on request, performs verification according to the single sign-on request, generates single sign-on information and sends the single sign-on information to the terminal; and the terminal receives the single sign-on information returned by the single sign-on authentication server and stores the single sign-on information in the local secure storage area.
9. A terminal, characterized by comprising an acquisition module, a verification module and a single sign-on module, wherein:
the acquisition module is configured to acquire identification information of a current user after the user starts an application program, and to acquire corresponding single sign-on information from a local secure storage area according to the identification information, wherein the single sign-on information is generated by a single sign-on authentication server according to application program identification information, user identification information and terminal information in a single sign-on request;
when the single sign-on information is successfully acquired, the verification module is configured to verify the single sign-on information;
and when the verification passes, the single sign-on module is configured to allow the current user to log in to the application program.
10. The terminal of claim 9, wherein the verification module is further configured to judge whether the application program is initially loaded, and to select a corresponding single sign-on information verification mode for verification according to the judgment result.
11. The terminal of claim 10, wherein the single sign-on information includes a security token, and the verification module is further configured to:
when the judgment result is that the application program is not initially loaded, verify whether the security token has expired;
and when the judgment result is that the application program is initially loaded, send a security token verification request to the single sign-on authentication server, so that the single sign-on authentication server verifies the security token according to the security token verification request.
12. The terminal according to any one of claims 9 to 11, wherein the verification module is further configured to send a single sign-on request to the single sign-on authentication server when the acquisition fails or the verification fails, so that the single sign-on authentication server performs verification according to the single sign-on request and generates single sign-on information; and to receive the single sign-on information returned by the single sign-on authentication server and store the single sign-on information in the local secure storage area.
13. A single sign-on system, characterized by comprising a terminal and a single sign-on authentication server, wherein:
the terminal is configured to acquire identification information of a current user after the user starts an application program, and to acquire corresponding single sign-on information from a local secure storage area according to the identification information, wherein the single sign-on information is generated by the single sign-on authentication server according to application program identification information, user identification information and terminal information in a single sign-on request;
when the single sign-on information is successfully acquired, the terminal is further configured to verify the single sign-on information;
when the acquisition fails, the terminal is further configured to send a single sign-on request to the single sign-on authentication server, the single sign-on request comprising enterprise identification information, application program identification information, user identification information, a password and terminal information; the single sign-on authentication server is configured to receive the single sign-on request, perform verification according to the single sign-on request, generate single sign-on information and send the single sign-on information to the terminal; and the terminal is further configured to receive the single sign-on information returned by the single sign-on authentication server and store the single sign-on information in the local secure storage area;
when the verification passes, the terminal is further configured to allow the current user to log in to the application program;
when the verification fails, the terminal is further configured to send a single sign-on request to the single sign-on authentication server, the single sign-on request comprising a session key of the last single sign-on; the single sign-on authentication server is further configured to receive the single sign-on request, perform verification according to the single sign-on request, generate single sign-on information and send the single sign-on information to the terminal; and the terminal is further configured to receive the single sign-on information returned by the single sign-on authentication server and store the single sign-on information in the local secure storage area.
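The terminal and server flow of claims 1 to 8 and the system of claim 13, as an added simulation that is not ZTE's implementation: the terminal looks up single sign-on information in its local secure storage area by user identification, asks the server to verify the security token on the initial load of an application and checks the timestamp locally on later loads, falls back to a full credential request when the lookup fails, and renews with the session key of the last single sign-on when verification fails. The HMAC-SHA256 token format, the 3600 s validity window, the single-use session key bound to user and terminal, and the dict standing in for the local secure storage area are assumptions.

```python
import hmac
import secrets
SERVER_KEY = secrets.token_bytes(32)  # assumed server-side HMAC key (ephemeral here)
TOKEN_TTL = 3600                      # assumed security-token validity window, seconds
USERS = {"alice": "correct horse"}    # constructed credential store (real ones store hashes)

def _token(binding, ts):
    # Security token: HMAC over (enterprise, app, user, terminal) and the issue timestamp.
    return hmac.new(SERVER_KEY, "|".join(binding + (str(ts),)).encode(), "sha256").hexdigest()

class AuthServer:
    def __init__(self):
        self.sessions = {}  # session key of the last SSO -> binding it was issued for

    def _issue(self, binding, now):
        key = secrets.token_hex(16)
        self.sessions[key] = binding
        return {"binding": binding, "timestamp": int(now), "session_key": key,
                "token": _token(binding, int(now))}

    def login(self, enterprise, app, user, password, terminal, now):  # full request, claim 6
        if not hmac.compare_digest(USERS.get(user, "").encode(), (password or "").encode()):
            return None
        return self._issue((enterprise, app, user, terminal), now)

    def renew(self, session_key, user, terminal, now):  # session key of the last SSO, claim 7
        bound = self.sessions.pop(session_key, None)  # single use: a replayed key is rejected
        if bound is None or bound[2:] != (user, terminal):
            return None
        return self._issue(bound, now)

    def verify_token(self, info, now):  # server-side check requested on initial load, claim 3
        return (hmac.compare_digest(_token(info["binding"], info["timestamp"]), info["token"])
                and now - info["timestamp"] < TOKEN_TTL)

class Terminal:
    def __init__(self, server, terminal_id):
        self.server, self.terminal_id = server, terminal_id
        self.secure_store = {}    # user identification -> SSO information (local secure storage)
        self.loaded_apps = set()  # application programs already loaded once on this terminal

    def start_app(self, enterprise, app, user, password, now):
        info = self.secure_store.get(user)
        if info is None:  # acquisition failed: send the full credential request
            info = self.server.login(enterprise, app, user, password, self.terminal_id, now)
            if info is None:
                return "denied"
            self.secure_store[user] = info
        initial = app not in self.loaded_apps
        self.loaded_apps.add(app)
        # Initial load: the server verifies the token (claim 3); later loads: local expiry check (claim 4).
        ok = self.server.verify_token(info, now) if initial else now - info["timestamp"] < TOKEN_TTL
        if ok:
            return "logged_in"
        fresh = self.server.renew(info["session_key"], user, self.terminal_id, now)
        if fresh is None:  # renewal rejected: discard the stale information
            del self.secure_store[user]
            return "denied"
        self.secure_store[user] = fresh  # new SSO information stored for the next start
        return "renewed"
```

Because the session key is consumed on use and bound to the issuing terminal, a copy of the stored information replayed from another terminal is rejected at the renewal step rather than silently re-issued.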

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510145659.0A CN106161348B (en) 2015-03-30 2015-03-30 Single sign-on method, system and terminal
PCT/CN2015/088306 WO2016155220A1 (en) 2015-03-30 2015-08-27 Single sign-on method, system and terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510145659.0A CN106161348B (en) 2015-03-30 2015-03-30 Single sign-on method, system and terminal

Publications (2)

Publication Number Publication Date
CN106161348A CN106161348A (en) 2016-11-23
CN106161348B true CN106161348B (en) 2020-12-22

Family

ID=57003963

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510145659.0A Active CN106161348B (en) 2015-03-30 2015-03-30 Single sign-on method, system and terminal

Country Status (2)

Country Link
CN (1) CN106161348B (en)
WO (1) WO2016155220A1 (en)


Also Published As

Publication number Publication date
WO2016155220A1 (en) 2016-10-06
CN106161348A (en) 2016-11-23


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant