CN106790272A - System and method for single sign-on, and application server - Google Patents


Info

Publication number: CN106790272A
Authority: CN (China)
Prior art keywords: request, sign, destination address, certified, target spoke
Legal status: Pending (assumed by Google Patents, not a legal conclusion)
Application number: CN201710084124.6A
Other languages: Chinese (zh)
Inventor: 彭晓迪
Current assignee: Jinan Inspur Hi Tech Investment and Development Co Ltd
Original assignee: Jinan Inspur Hi Tech Investment and Development Co Ltd
Application filed by Jinan Inspur Hi Tech Investment and Development Co Ltd
Priority to CN201710084124.6A
Publication of CN106790272A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a system and method for single sign-on, and an application server. The system includes a portal system and an application server. The portal system verifies the identity information entered by a user; when the user passes verification, it receives the user's request to access any target application system on the application server, sends a token request and the target address of the target application system to the application server, receives the target token returned by the application server, generates a single-sign-on request from the target token and the target address, and sends the single-sign-on request to the application server. The application server receives the token request and the target address, generates the target token, saves the target token and the target address, sends the target token to the portal system, receives the single-sign-on request, verifies it against the saved target token and target address and, when the request passes verification, allows the user to access the target application system. With the invention a user can log in to different application systems more conveniently.

Description

System and method for single sign-on, and application server
Technical field
The present invention relates to the field of computer technology, and in particular to a system and method for single sign-on and to an application server.
Background technology
With the rapid development of science and technology, the same user may need to use multiple application systems. An enterprise, for example, usually runs several application systems internally.
In the prior art, to log in to these application systems the user must enter the authentication information of each application system, such as its user name and password, before being signed in to it. For example, enterprise A runs application system 1, application system 2 and application system 3. To log in to application system 1 the user must enter the user name and password for application system 1; to log in to application system 2, the user name and password for application system 2; and to log in to application system 3, the user name and password for application system 3.
As the above shows, in the prior art a user who logs in to different application systems must enter different authentication information for each of them, which makes the operation cumbersome.
Content of the invention
Embodiments of the invention provide a system and method for single sign-on, and an application server, so that different application systems can be logged in to more conveniently.
In a first aspect, an embodiment of the invention provides a single sign-on system, including:
a portal system and an application server, where the application server includes at least one application system;
the portal system verifies the identity information entered by the user; when the user passes verification, it receives the user's request to access any target application system among the at least one application system, sends a token request and the target address of the target application system to the application server, receives the target token sent by the application server, generates a single-sign-on request from the target token and the target address, and sends the single-sign-on request to the application server;
the application server receives the token request and the target address, generates the target token, saves the target token and the target address, sends the target token to the portal system, receives the single-sign-on request, verifies the single-sign-on request against the saved target token and target address and, when the single-sign-on request passes verification, allows the user to access the target application system.
Further, the single-sign-on request includes a token to be verified and an address to be verified;
the portal system generates the single-sign-on request using the target token as the token to be verified and the target address as the address to be verified;
the application server judges whether the single-sign-on request satisfies the condition that the token to be verified in the request is identical to the saved target token and the address to be verified in the request is identical to the saved target address; if so, it allows the user to access the target application system, otherwise it does not allow the user to access the target application system.
Further, after receiving the single-sign-on request and before judging whether the token to be verified and the address to be verified in the request are identical to the saved target token and target address, the application server judges whether the interval between the current time and the time the target token was issued is greater than or equal to a preset first time length; if so, it ends the current process, otherwise it performs the judgement described above.
Further, the system also includes a user client;
the application server, when the single-sign-on request passes verification, sends a single-sign-on indication to the portal system; when it receives a login request sent by the user client, it verifies the login request against the saved target token and target address and, when the login request passes verification, allows the user to access the target application system through the user client;
the portal system, when it receives the single-sign-on indication, sends the target token and the target address to the user client;
the user client receives the target token and the target address, generates the login request from the target token and the target address, and sends the login request to the application server.
Further, the application server also detects in real time whether the time for which the target token has been saved is greater than or equal to a preset second time length and, if so, removes the target token.
Further, the information exchanged between the portal system and the application server is encrypted ciphertext.
Further, the application server is an ERP server.
In a second aspect, an embodiment of the invention provides a single sign-on method applied to an application server that includes at least one application system; the method includes:
receiving an externally sent token request and the target address of any target application system among the at least one application system;
generating a target token;
saving the target token and the target address;
returning the target token to the outside, so that the outside generates a single-sign-on request from the target token and the target address;
receiving the single-sign-on request sent from the outside;
verifying the single-sign-on request against the saved target token and target address and, when the single-sign-on request passes verification, allowing access to the target application system.
Further, the single-sign-on request includes a token to be verified and an address to be verified;
verifying the single-sign-on request against the saved target token and target address, and allowing access to the target application system when the request passes verification, includes:
judging whether the single-sign-on request satisfies the condition that the token to be verified in the request is identical to the saved target token and the address to be verified in the request is identical to the saved target address; if so, allowing access to the target application system, otherwise not allowing access to the target application system.
Further, after receiving the single-sign-on request and before judging whether the token to be verified and the address to be verified in the request are identical to the saved target token and target address, the method also includes:
judging whether the interval between the current time and the time the target token was issued is greater than or equal to the preset first time length; if so, not allowing access to the target application system and ending the current process, otherwise performing the judgement described above.
In a third aspect, an embodiment of the invention provides an application server, including:
at least one application system;
a first receiving unit, for receiving an externally sent token request and the target address of any target application system among the at least one application system;
a generating unit, for generating the target token corresponding to the token request;
a storage unit, for saving the target token and the target address;
a sending unit, for returning the target token to the outside, so that the outside generates a single-sign-on request from the target token and the target address;
a second receiving unit, for receiving the single-sign-on request sent from the outside;
a verification unit, for verifying the single-sign-on request against the saved target token and target address and, when the single-sign-on request passes verification, allowing access to the target application system.
Further, the single-sign-on request includes a token to be verified and an address to be verified;
the verification unit judges whether the single-sign-on request satisfies the condition that the token to be verified in the request is identical to the saved target token and the address to be verified in the request is identical to the saved target address; if so, it allows access to the target application system, otherwise it does not allow access to the target application system.
Further, before that judgement the verification unit also judges whether the interval between the current time and the time the target token was issued is greater than or equal to the preset first time length; if so, it does not allow access to the target application system and ends the current process, otherwise it performs the judgement described above.
In the embodiments of the invention, once a user has passed identity verification at the portal system, the user can access every application system on the application server through the portal system. When accessing each application system the user does not have to enter identity information again: verification is performed automatically between the portal system and the application server, and once it passes the user is logged in to the application system directly. Users therefore log in to different application systems more conveniently.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed to describe them are introduced briefly below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a single sign-on system provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of another single sign-on system provided by an embodiment of the invention;
Fig. 3 is a flow chart of a single sign-on method provided by an embodiment of the invention;
Fig. 4 is a flow chart of another single sign-on method provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of an application server provided by an embodiment of the invention.
Specific embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution is described clearly and completely below with reference to the drawings. The embodiments described are some, not all, of the embodiments of the invention; every other embodiment that a person of ordinary skill in the art obtains from them without creative effort falls within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a single sign-on system that includes:
a portal system 101 and an application server 102, where the application server includes at least one application system;
the portal system 101 verifies the identity information entered by the user; when the user passes verification, it receives the user's request to access any target application system among the at least one application system, sends a token request and the target address of the target application system to the application server, receives the target token sent by the application server, generates a single-sign-on request from the target token and the target address, and sends the single-sign-on request to the application server;
the application server 102 receives the token request and the target address, generates the target token, saves the target token and the target address, sends the target token to the portal system, receives the single-sign-on request, verifies the single-sign-on request against the saved target token and target address and, when the single-sign-on request passes verification, allows the user to access the target application system.
In the embodiments of the invention, once a user has passed identity verification at the portal system, the user can access every application system on the application server through the portal system. When accessing each application system the user does not have to enter identity information again: verification is performed automatically between the portal system and the application server, and once it passes the user is logged in to the application system directly. Users therefore log in to different application systems more conveniently.
In an embodiment of the invention, the single-sign-on request includes a token to be verified and an address to be verified;
the portal system generates the single-sign-on request using the target token as the token to be verified and the target address as the address to be verified;
the application server judges whether the single-sign-on request satisfies the condition that the token to be verified in the request is identical to the saved target token and the address to be verified in the request is identical to the saved target address; if so, it allows the user to access the target application system, otherwise it does not allow the user to access the target application system.
In the embodiments of the invention, the token to be verified and the address to be verified in the single-sign-on request sent by the portal system may be tampered with in transit, so for security they must be verified again: only when the token to be verified and the address to be verified in the received single-sign-on request are respectively equal to the previously saved target token and target address does the single-sign-on request pass verification and the user is allowed to access the target application system on the application server.
In an embodiment of the invention, after receiving the single-sign-on request and before judging whether the token to be verified and the address to be verified in the request are identical to the saved target token and target address, the application server also judges whether the interval between the current time and the time the target token was issued is greater than or equal to a preset first time length; if so, it ends the current process, otherwise it performs the judgement described above.
In the embodiments of the invention, a validity period is set for each target token; a target token that has been kept longer than its validity period is an invalid token, and an application system cannot be accessed with an invalid token. The first time length is the validity period of the target token and may be, for example, 6 hours. If the target token has been held longer than the first time length, no further verification is needed and the user corresponding to that target token is directly refused access to the target application system.
Based on the single sign-on system shown in Fig. 1, in an embodiment of the invention, as shown in Fig. 2, the system also includes a user client 201;
the application server, when the single-sign-on request passes verification, sends a single-sign-on indication to the portal system; when it receives a login request sent by the user client, it verifies the login request against the saved target token and target address and, when the login request passes verification, allows the user to access the target application system through the user client;
the portal system, when it receives the single-sign-on indication, sends the target token and the target address to the user client;
the user client 201 receives the target token and the target address, generates the login request from the target token and the target address, and sends the login request to the application server.
In the embodiments of the invention the system is provided with a user client; the application systems on the application server exchange data with the user client and respond to its requests. To prevent the login request sent by the user client from being tampered with in transit, the application server must verify the login request and allow access only when it passes verification, which ensures the security of the application server and of each application system.
In an embodiment of the invention, the application server also detects in real time whether the time for which the target token has been saved is greater than or equal to a preset second time length and, if so, removes the target token.
In the embodiments of the invention the application server cleans up invalid tokens periodically, which saves storage space and reduces operation and maintenance cost.
In an embodiment of the invention, the information exchanged between the portal system and the application server is encrypted ciphertext.
In the embodiments of the invention the interaction between the portal system and the application server is encrypted, which ensures the security of the interaction. Specifically, a symmetric encryption algorithm can be used, or MD5 can be used (MD5 is a one-way hash, so it yields a fingerprint of the data rather than recoverable ciphertext).
Specifically, the portal system encrypts the token to be verified and the address to be verified in the single-sign-on request and sends the encrypted single-sign-on request to the application server.
In an embodiment of the invention, the application server is an ERP (Enterprise Resource Planning) server.
In the embodiments of the invention, identity verification uses the ERP server's own authentication method: there is no need to build a separate authentication server, to initialise basic user information such as user names and authentication methods again, or to develop a new authentication method, which greatly reduces operation and maintenance cost and the workload of developing an authentication method.
In an embodiment of the invention, after the single-sign-on request passes verification and the user is allowed to access the target application system, the method also includes clearing the target token.
In the embodiments of the invention the same target token is allowed to log in only once and cannot be reused, which prevents an illegitimate user from logging in to an application system with a target token that has already been used and ensures the security of each application system.
In an embodiment of the invention, a token request page can be set up in the portal system. Through this page the portal system, when it sends the token request, also sends a callback address to the application server with the request for the target token, so that the application server returns the target token via the callback address. A single sign-on page can also be set up in the portal system, on which the user can request access to any application system by clicking its single sign-on link. When the portal system receives the user's click on a single sign-on link and the user is not currently logged in, it prompts the user to enter identity information and verifies the identity information entered.
In an embodiment of the invention, a database can be set up on the application server, and the application server saves the target address and the target token in the database. In addition, the target address can be passed through MD5 and the resulting value saved in the database; that value can then be used to determine whether an address to be verified has been tampered with.
In an embodiment of the invention, the single-sign-on request can also include single sign-on parameters, from which the target application system can parse the data to be returned and the operation to be performed.
In an embodiment of the invention, the portal system can start the user client through an OCX (OLE Control Extension) component when it receives the single-sign-on indication.
The single sign-on system provided by the embodiments of the invention can prevent replay attacks, including replay of the single sign-on link, effectively prevents malicious or fraudulent access to the application server, and protects the security of authentication. By encrypting the link information it prevents valid user authentication information from being obtained from the link and so avoids leaking user information. Through the token cleanup mechanism it provides a sound and effective cleanup scheme that periodically clears invalid tokens and prevents the database from storing large numbers of invalid token records. Authentication by the application server itself greatly simplifies the cost of system integration.
In the embodiments of the invention, using the application server that hosts the application systems as the authentication server removes the tedious steps of building a separate authentication server, the tedious work of initialising user information again, and the work of developing a new authentication method.
In the embodiments of the invention, single sign-on access is controlled by the token mechanism, which protects single sign-on access against replay attacks; encryption further ensures that link information is not leaked; the secondary development workload is greatly reduced; access is secure and reliable, operation and maintenance cost is reduced, and the system can be brought online quickly.
In the embodiments of the invention, no authentication server needs to be built and no new authentication method developed; the system is secure and does not leak basic user information.
As shown in Fig. 3, an embodiment of the invention provides a single sign-on method applied to an application server that includes at least one application system; the method includes:
Step 301: receiving an externally sent token request and the target address of any target application system among the at least one application system;
Step 302: generating a target token;
Step 303: saving the target token and the target address;
Step 304: returning the target token to the outside, so that the outside generates a single-sign-on request from the target token and the target address;
Step 305: receiving the single-sign-on request sent from the outside;
Step 306: verifying the single-sign-on request against the saved target token and target address and, when the single-sign-on request passes verification, allowing access to the target application system.
In an embodiment of the invention, the single-sign-on request includes a token to be verified and an address to be verified;
verifying the single-sign-on request against the saved target token and target address, and allowing access to the target application system when the request passes verification, includes:
judging whether the single-sign-on request satisfies the condition that the token to be verified in the request is identical to the saved target token and the address to be verified in the request is identical to the saved target address; if so, allowing access to the target application system, otherwise not allowing access to the target application system.
In an embodiment of the invention, after receiving the single-sign-on request and before judging whether the token to be verified and the address to be verified in the request are identical to the saved target token and target address, the method also includes:
judging whether the interval between the current time and the time the target token was issued is greater than or equal to the preset first time length; if so, not allowing access to the target application system and ending the current process, otherwise performing the judgement described above.
As shown in Figure 4, an embodiment of the invention provides a single sign-on method applied to an application server, where the application server includes at least one application system. The method includes:
Step 401: receiving a request to apply for a token sent from outside, together with the destination address of any target application system among the at least one application system of the application server.
For example, the application server includes application system A, application system B and application system C. When an external user needs to access application system A, the address of application system A is sent to the application server; this address is the destination address.
Step 402: generating a target token.
The target token can be generated randomly at the application server end. The target token is only used to log in to application system A, and for safety the target token can generally be used to log in only once.
Step 403: saving the target token and the destination address.
A database can be set up on the application server, and the target token and the destination address are saved in the database. The database may also save the ciphertext obtained by encrypting the destination address; this ciphertext can be used to verify the address to be authenticated.
Step 404: returning the target token to the outside, so that the outside generates a single sign-on request according to the target token and the destination address. The single sign-on request includes a token to be authenticated and an address to be authenticated.
When the outside generates the single sign-on request, it typically uses the target token as the token to be authenticated and the destination address as the address to be authenticated.
Step 405: receiving the single sign-on request sent from the outside.
Step 406: judging whether the time interval between the current time and the issue time of the target token is greater than or equal to a preset first time length; if so, performing step 407; otherwise, performing step 408.
The first time length is the validity period of the target token. If the target token is used outside the validity period, it cannot be used to log in to the target application system; within the validity period, the subsequent verification continues.
Step 407: not allowing access to the target application system, and terminating the current process.
For example, if the target token is used outside the validity period, it cannot be used to log in to application system A.
Step 408: judging whether the single sign-on request satisfies the following condition: the token to be authenticated in the single sign-on request is identical to the saved target token, and the address to be authenticated in the single sign-on request is identical to the saved destination address; if so, performing step 409; otherwise, performing step 410.
Although the token to be authenticated in the single sign-on request is identical to the target token, and the address to be authenticated is identical to the destination address, at the moment the single sign-on request is generated, the single sign-on request may be tampered with during transmission. Therefore, to ensure the safety of single sign-on, the single sign-on request must be verified, so that an illegal user is prevented from accessing the target application system.
Step 409: allowing access to the target application system.
After this step, the method may further include removing the target token. This prevents the target token from being reused, so that even if the target token has been illegally obtained, it cannot be used for an illegal login to the application system, which ensures the safety of single sign-on.
Step 410: not allowing access to the target application system.
An embodiment of the invention provides an application server, including:
at least one application system;
a first receiving unit, for receiving a request to apply for a token sent from outside and the destination address of any target application system among the at least one application system;
a generation unit, for generating the target token corresponding to the request to apply for a token;
a storage unit, for saving the target token and the destination address;
a transmitting unit, for returning the target token to the outside, so that the outside generates a single sign-on request according to the target token and the destination address;
a second receiving unit, for receiving the single sign-on request sent from the outside;
an authentication unit, for verifying the single sign-on request according to the saved target token and the saved destination address, and allowing the user to access the target application system when the single sign-on request passes verification.
As shown in Figure 5, an embodiment of the invention provides an application server, including:
three application systems 500;
a first receiving unit 501, for receiving a request to apply for a token sent from outside and the destination address of any target application system among the three application systems;
a generation unit 502, for generating the target token corresponding to the request to apply for a token;
a storage unit 503, for saving the target token and the destination address;
a transmitting unit 504, for returning the target token to the outside, so that the outside generates a single sign-on request according to the target token and the destination address;
a second receiving unit 505, for receiving the single sign-on request sent from the outside;
an authentication unit 506, for verifying the single sign-on request according to the saved target token and the saved destination address, and allowing the user to access the target application system when the single sign-on request passes verification.
In an embodiment of the present invention, the single sign-on request includes a token to be authenticated and an address to be authenticated;
the authentication unit is used for judging whether the single sign-on request satisfies the following condition: the token to be authenticated in the single sign-on request is identical to the saved target token, and the address to be authenticated in the single sign-on request is identical to the saved destination address; if so, allowing the user to access the target application system; otherwise, not allowing the user to access the target application system.
In an embodiment of the present invention, the authentication unit is further used for, before judging whether the single sign-on request satisfies the condition that the token to be authenticated is identical to the saved target token and the address to be authenticated is identical to the saved destination address, judging whether the time interval between the current time and the issue time of the target token is greater than or equal to a preset first time length; if so, terminating the current process; otherwise, performing the judgment of whether the single sign-on request satisfies the condition that the token to be authenticated is identical to the saved target token and the address to be authenticated is identical to the saved destination address.
The information exchange between the units of the above device, its execution process and similar details are based on the same concept as the method embodiments of the invention; for the specific content, refer to the description of the method embodiments, which is not repeated here.
Each embodiment of the invention has at least the following advantages:
1. In the embodiments of the present invention, after the user passes identity verification by the portal system, the user can access each application system on the application server. When accessing each application system, the user does not need to input identity information again; identity is verified automatically between the portal system and the application server, and after passing verification the user can log in directly to each application system, so the user logs in to different application systems more conveniently.
2. In the embodiments of the present invention, identity verification uses a self-authentication mode of the application server. There is no need to build a new authentication server, and no need to initialize the user's basic information (user name, authentication mode and so on) again, so no new authentication mode has to be developed, which greatly reduces the operation and maintenance cost as well as the workload of developing an authentication mode.
3. The single sign-on system provided in the embodiments of the present invention can prevent replay attacks, in particular replay attacks on the single sign-on link, thereby effectively preventing malicious or fraudulent access to the application server and preventing the security of authentication from being broken. By encrypting the link information, effective user authentication information cannot be obtained from the link, which avoids leakage of user information. A token cleanup mechanism provides a sound and effective way of periodically cleaning invalid tokens, preventing the database from storing a large amount of invalid token information. Authentication is performed by the application server itself, which greatly simplifies the cost of system integration.
It should be noted that herein, such as first and second etc relational terms are used merely to an entity Or operation makes a distinction with another entity or operation, and not necessarily require or imply these entities or exist between operating Any this actual relation or order.And, term " including ", "comprising" or its any other variant be intended to it is non- It is exclusive to include, so that process, method, article or equipment including a series of key elements not only include those key elements, But also other key elements including being not expressly set out, or also include by this process, method, article or equipment are solid Some key elements.In the absence of more restrictions, the key element limited by sentence " including a 〃 ", does not arrange Except also there is other identical factor in the process including the key element, method, article or equipment.
One of ordinary skill in the art will appreciate that:Realizing all or part of step of above method embodiment can pass through Programmed instruction related hardware is completed, and foregoing program can be stored in the storage medium of embodied on computer readable, the program Upon execution, the step of including above method embodiment is performed;And foregoing storage medium includes:ROM, RAM, magnetic disc or light Disk etc. is various can be with the medium of store program codes.
It is last it should be noted that:Presently preferred embodiments of the present invention is the foregoing is only, skill of the invention is merely to illustrate Art scheme, is not intended to limit the scope of the present invention.All any modifications made within the spirit and principles in the present invention, Equivalent, improvement etc., are all contained in protection scope of the present invention.

Claims (10)

1. A single sign-on system, characterised in that it includes:
a portal system and an application server, wherein the application server includes at least one application system;
the portal system is used for verifying identity information input by a user; when the user passes verification, receiving a request input by the user to access any target application system among the at least one application system; sending a request to apply for a token and the destination address of the target application system to the application server; receiving the target token sent by the application server; generating a single sign-on request according to the target token and the destination address; and sending the single sign-on request to the application server;
the application server is used for receiving the request to apply for a token and the destination address, generating the target token, saving the target token and the destination address, sending the target token to the portal system, receiving the single sign-on request, verifying the single sign-on request according to the saved target token and the saved destination address, and, when the single sign-on request passes verification, allowing the user to access the target application system.
2. The system according to claim 1, characterised in that
the single sign-on request includes a token to be authenticated and an address to be authenticated;
the portal system is used for generating the single sign-on request by using the target token as the token to be authenticated and the destination address as the address to be authenticated;
the application server is used for judging whether the single sign-on request satisfies the following condition: the token to be authenticated in the single sign-on request is identical to the saved target token, and the address to be authenticated in the single sign-on request is identical to the saved destination address; if so, allowing the user to access the target application system; otherwise, not allowing the user to access the target application system.
3. The system according to claim 2, characterised in that
the application server is further used for, after receiving the single sign-on request and before judging whether the single sign-on request satisfies the condition that the token to be authenticated is identical to the saved target token and the address to be authenticated is identical to the saved destination address, judging whether the time interval between the current time and the issue time of the target token is greater than or equal to a preset first time length; if so, terminating the current process; otherwise, performing the judgment of whether the single sign-on request satisfies the condition that the token to be authenticated is identical to the saved target token and the address to be authenticated is identical to the saved destination address.
4. The system according to any one of claims 1 to 3, characterised in that
it further includes a user client;
the application server is further used for, when the single sign-on request passes verification, sending a single sign-on instruction to the portal system, and, when a login request sent by the user client is received, verifying the login request according to the saved target token and the saved destination address, and, when the login request passes verification, allowing the user to access the target application system through the user client;
the portal system is used for, when the single sign-on instruction is received, sending the target token and the destination address to the user client;
the user client is used for receiving the target token and the destination address, generating the login request according to the target token and the destination address, and sending the login request to the application server;
and/or,
the application server is further used for detecting in real time whether the time span for which the target token has been saved is greater than or equal to a preset second time length, and if so, removing the target token;
and/or,
the interaction information between the portal system and the application server is ciphertext after encryption;
and/or,
the application server is an ERP server.
5. A single sign-on method, characterised in that it is applied to an application server, the application server includes at least one application system, and the method includes:
receiving a request to apply for a token sent from outside, together with the destination address of any target application system among the at least one application system;
generating a target token;
saving the target token and the destination address;
returning the target token to the outside, so that the outside generates a single sign-on request according to the target token and the destination address;
receiving the single sign-on request sent from the outside;
verifying the single sign-on request according to the saved target token and the saved destination address, and allowing access to the target application system when the single sign-on request passes verification.
6. The method according to claim 5, characterised in that
the single sign-on request includes a token to be authenticated and an address to be authenticated;
verifying the single sign-on request according to the saved target token and the saved destination address, and allowing access to the target application system when the single sign-on request passes verification, includes:
judging whether the single sign-on request satisfies the following condition: the token to be authenticated in the single sign-on request is identical to the saved target token, and the address to be authenticated in the single sign-on request is identical to the saved destination address; if so, allowing access to the target application system; otherwise, not allowing access to the target application system.
7. The method according to claim 6, characterised in that
after receiving the single sign-on request, and before judging whether the single sign-on request satisfies the condition that the token to be authenticated is identical to the saved target token and the address to be authenticated is identical to the saved destination address, the method further includes:
judging whether the time interval between the current time and the issue time of the target token is greater than or equal to a preset first time length; if so, not allowing access to the target application system and terminating the current process; otherwise, performing the judgment of whether the single sign-on request satisfies the condition that the token to be authenticated is identical to the saved target token and the address to be authenticated is identical to the saved destination address.
8. An application server, characterised in that it includes:
at least one application system;
a first receiving unit, for receiving a request to apply for a token sent from outside and the destination address of any target application system among the at least one application system;
a generation unit, for generating the target token corresponding to the request to apply for a token;
a storage unit, for saving the target token and the destination address;
a transmitting unit, for returning the target token to the outside, so that the outside generates a single sign-on request according to the target token and the destination address;
a second receiving unit, for receiving the single sign-on request sent from the outside;
an authentication unit, for verifying the single sign-on request according to the saved target token and the saved destination address, and allowing access to the target application system when the single sign-on request passes verification.
9. The application server according to claim 8, characterised in that
the single sign-on request includes a token to be authenticated and an address to be authenticated;
the authentication unit is used for judging whether the single sign-on request satisfies the following condition: the token to be authenticated in the single sign-on request is identical to the saved target token, and the address to be authenticated in the single sign-on request is identical to the saved destination address; if so, allowing access to the target application system; otherwise, not allowing access to the target application system.
10. The application server according to claim 9, characterised in that
the authentication unit is further used for, before judging whether the single sign-on request satisfies the condition that the token to be authenticated is identical to the saved target token and the address to be authenticated is identical to the saved destination address, judging whether the time interval between the current time and the issue time of the target token is greater than or equal to a preset first time length; if so, not allowing access to the target application system and terminating the current process; otherwise, performing the judgment of whether the single sign-on request satisfies the condition that the token to be authenticated is identical to the saved target token and the address to be authenticated is identical to the saved destination address.
CN201710084124.6A 2017-02-16 2017-02-16 A kind of system and method for single-sign-on, a kind of application server Pending CN106790272A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710084124.6A CN106790272A (en) 2017-02-16 2017-02-16 A kind of system and method for single-sign-on, a kind of application server
Publications (1)

Publication Number Publication Date
CN106790272A true CN106790272A (en) 2017-05-31

Family

ID=58958065

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170531