CN108462706B - Single sign-on method and system - Google Patents
- Publication number: CN108462706B (application number CN201810183584.9A)
- Authority: CN (China)
- Prior art keywords: application system, user, web application, password, single sign
- Legal status: Active (the legal status is Google's assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention relates to a single sign-on method. When a user accesses a Web application system with a browser and must log in to that system, or requests access through a portal website to a Web application system that requires login, the Web application system or the portal website directs the user's browser to a single sign-on server. The single sign-on server checks whether the user requesting login to the Web application system has already completed identity authentication at the single sign-on server and, if not, authenticates the user. For an authenticated user, the single sign-on server uses the identification information of the Web application system to obtain, from the application-system account name and password repository, the user's account name and password for the Web application system to be logged in to, and then submits that account name and password to the Web application system through the browser, using the account name and password submission method agreed with the Web application system.
Description
Technical field
The invention belongs to the technical field of information security, and in particular to a single sign-on method and system for system login.
Background
Single sign-on (SSO) means that a user performs only one login (logon) operation, for example entering an account name and password only once, and can then access different application systems. (Strictly speaking, the Chinese term 单点登录, "single-point login", is an imprecise rendering of Single Sign On; a more accurate rendering would be 单次登录, "single login".)
Because single sign-on brings convenience to users, it is widely used. The techniques commonly used for single sign-on at present are as follows:
Adopting a single sign-on protocol, such as SAML (Security Assertion Markup Language), WS-Federation or Kerberos: different application systems implement single sign-on by supporting the protocol;
Adopting a single sign-on gateway: a security gateway is placed in front of multiple application systems, and a user can access the application systems behind the gateway only after completing the login operation at the gateway; when the user then accesses those application systems through the gateway, no further login is needed;
Adopting shared cookies: multiple Web application systems implement single sign-on by sharing a cookie that marks the user as having completed login (identity authentication).
For single sign-on based on a single sign-on protocol or a single sign-on gateway, the application system's original login logic or method is either modified or left unmodified. If it is left unmodified, password auto-fill is usually used: the single sign-on protocol component in the application system, or the single sign-on gateway, fills in the account name and password for logging in to the application system on the user's behalf. If the application system's original login logic or method is modified, the original logic or method is removed and no longer takes effect.
The current single sign-on techniques have the following problems:
(1) If a single sign-on protocol is adopted, a dedicated single sign-on protocol component must be implemented;
(2) If password auto-fill is used on top of a single sign-on protocol, the single sign-on system must actively obtain and store the user's account names and passwords for the different application systems, and is responsible for keeping the stored account passwords consistent (synchronized) with the user account passwords held in the application systems;
(3) If a single sign-on gateway is adopted, every request and response must pass through the gateway, which significantly affects the performance of access to the application systems;
(4) If shared cookies are adopted, the different Web application systems must share a common part of their domain name.
Summary of the invention
The purpose of the present invention is to propose a single sign-on technical solution that overcomes the deficiencies of the prior art.
To achieve this purpose, the technical solution proposed by the present invention is a single sign-on method, specifically as follows:
When a user uses a browser to request access to a Web application system, or to a controlled resource or function of the Web application system, and must log in (logon) to the Web application system to do so, or uses a browser to request access through a portal website to a Web application system that requires login, the Web application system or the portal website directs the user's browser to the single sign-on server through page code (for example by URL redirection, automatic POST, or an asynchronous transfer such as Ajax) to request login to the Web application system; the login request that the browser submits to the single sign-on server contains identification information for the Web application system the user wants to log in to (such as the Web application system's name, domain name or identifier);
The single sign-on server checks whether the user requesting login to the Web application system has already completed identity authentication (or login) at the single sign-on server; if not, it authenticates the user and then proceeds with the subsequent operations; if so, it proceeds directly with the subsequent operations;
The single sign-on server uses the identification information of the Web application system the user wants to log in to (together with the user's identity or account information at the single sign-on server) to obtain the user's account name and password for that Web application system from the application-system account name and password repository, and then submits them to the Web application system through the browser, using the account name and password submission method agreed with the Web application system (for example, by including the account name and password in the target URL of a URL redirection, by submitting them as form data through an automatic POST, or by submitting them through an asynchronous transfer such as Ajax);
The single sign-on server is a system that assists users in logging in to Web application systems; it maintains its own user account data, used to authenticate the users of the single sign-on server;
The application-system account name and password repository is a data storage system holding the user's account names and passwords for different Web application systems; it is either a data storage system that the single sign-on server can access directly (such as a database or files), or a data storage system (such as a small database or files) in the user's mobile terminal (such as a mobile phone, tablet or smart wearable device).
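The login flow just described, as an added example in Python; this is not the patent's code or any implementation by its author. It assumes an in-memory dict standing in for the application-system account name and password repository, a dict of SSO-authenticated users standing in for the single sign-on server's own session state, a per-application contract naming the login URL and which of the three "agreed submission methods" (URL redirection, automatic POST form, Ajax) the application expects, and constructed sample identifiers and credentials throughout. Two checks that the text leaves implicit are made explicit: the application identifier in the request must be one the server knows, so stored credentials are never handed to an arbitrary URL, and the request is refused until the user is authenticated at the single sign-on server.

```python
"""Added illustration of the SSO login flow (not the patent's own code).
All identifiers, URLs and credentials are constructed sample values."""
import html
import json
from urllib.parse import urlencode

# Constructed repository: (sso_user, app_id) -> (account_name, password)
REPOSITORY = {
    ("alice", "hr-portal"): ("alice.w", "Hr-Pass-2018"),
    ("alice", "wiki"): ("awang", "wiki-secret"),
}

# Constructed per-application login contract: where and how credentials go.
APP_CONTRACTS = {
    "hr-portal": {"login_url": "https://hr.example.test/login", "method": "auto_post"},
    "wiki": {"login_url": "https://wiki.example.test/api/login", "method": "ajax"},
    "legacy": {"login_url": "https://legacy.example.test/login", "method": "redirect"},
}


def lookup_credentials(repo, sso_user, app_id):
    """Repository lookup keyed by the SSO identity plus the app identifier."""
    return repo.get((sso_user, app_id))


def build_submission(app_id, account, password, extra=None):
    """Return what the SSO server hands the browser so that the browser
    submits the credentials to the Web application in the agreed way."""
    contract = APP_CONTRACTS[app_id]
    fields = {"username": account, "password": password}
    if extra:
        fields.update(extra)  # e.g. a decrypted random code the app expects back
    method = contract["method"]
    if method == "redirect":
        # Credentials travel in the query string and therefore land in browser
        # history, proxy/server logs and Referer headers. Listed because the
        # text names it as an agreed method; prefer auto_post where possible.
        return {"kind": "redirect",
                "location": contract["login_url"] + "?" + urlencode(fields)}
    if method == "auto_post":
        inputs = "".join(
            '<input type="hidden" name="%s" value="%s">'
            % (html.escape(k, quote=True), html.escape(v, quote=True))
            for k, v in fields.items())
        page = ('<form id="f" method="POST" action="%s">%s</form>'
                '<script>document.getElementById("f").submit()</script>'
                % (html.escape(contract["login_url"], quote=True), inputs))
        return {"kind": "html", "body": page}
    if method == "ajax":
        return {"kind": "ajax", "url": contract["login_url"],
                "body": json.dumps(fields)}
    raise ValueError("unknown submission method: " + method)


def handle_login_request(session, repo, sso_user, request):
    """One pass through the method: validate the app identifier, check SSO
    authentication, look up credentials, build the agreed submission.
    Returns a dict describing the browser's next step."""
    app_id = request.get("app_id")
    if app_id not in APP_CONTRACTS:
        return {"kind": "error", "reason": "unknown application"}
    if not session.get(sso_user):
        # Not yet authenticated at the SSO server: authenticate, then resume.
        return {"kind": "authenticate", "resume": request}
    creds = lookup_credentials(repo, sso_user, app_id)
    if creds is None:
        # Repository has no entry for this user/app: ask the user for it.
        return {"kind": "prompt_credentials", "app_id": app_id}
    account, password = creds
    return build_submission(app_id, account, password)


if __name__ == "__main__":
    print(handle_login_request({"alice": True}, REPOSITORY, "alice", {"app_id": "hr-portal"}))
```

The `extra` parameter is where an application-specific field such as the decrypted random code described later in the text would be appended to the submitted fields; the example leaves the decryption itself out.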
During the login process above, if the user account name and password that the single sign-on server submitted to the Web application system through the browser are incorrect, then:
The Web application system reports the error to the single sign-on server through the browser;
On receiving the error report, the single sign-on server asks the user to submit, through the browser, the account name and password for logging in to the Web application system;
After the user submits the account name and password through the browser, the single sign-on server, on the one hand, uses the submitted account name and password to update the user's account name and password in the application-system account name and password repository and, on the other hand, submits the submitted account name and password to the Web application system through the browser, using the account name and password submission method agreed with the Web application system.
The account name and password update described above covers the following situations:
Situation 1: the user's account name for the Web application system stored in the repository is the same as the account name submitted through the browser; the single sign-on server replaces the password stored in the repository with the password submitted through the browser;
Situation 2: the user's account name for the Web application system stored in the repository differs from the account name submitted through the browser; the single sign-on server deletes the user's stored account name and password for the Web application system from the repository and stores the submitted account name and password in their place.
For the single sign-on method above, if the login request that the browser (directed to the single sign-on server by the Web application system's page code) submits to the single sign-on server contains a random code (a random string or random number) encrypted by the Web application system (with a symmetric or asymmetric key), then the single sign-on server decrypts the random code and submits it (together with the user's account name and password for the Web application system) to the Web application system through the browser, in the manner agreed with the Web application system.
For the single sign-on method above, if the user's account name and password for the Web application system are stored in the user's mobile terminal (that is, the application-system account name and password repository is a data storage system in the user's mobile terminal), then the user connects the mobile terminal (a dedicated login-assistance program or app on it) to the single sign-on server, and the single sign-on server obtains the user's account name and password for the Web application system from the mobile terminal.
For the single sign-on method above, after the user's browser has been directed by the Web application system or the portal website (through page code) to the single sign-on server to request login to the Web application system, if the single sign-on server cannot obtain the user's account name and password for the Web application system from the repository (that is, the repository holds no account name and password of this user for this Web application system), then the single sign-on server asks the user to submit them through the browser; after the user does so, the single sign-on server, on the one hand, stores the submitted account name and password in the repository and, on the other hand, submits them to the Web application system through the browser, using the account name and password submission method agreed with the Web application system.
For the single sign-on method above, if the single sign-on server also serves as a portal website, then:
When the user accesses, with a browser, the single sign-on server acting as a portal website and clicks to request access to a Web application system that requires login, the single sign-on server checks whether the user requesting login has already completed identity authentication (or login) at the single sign-on server; if not, it authenticates the user and then proceeds with the subsequent operations; if so, it proceeds directly;
The single sign-on server uses the identification information of the Web application system the user wants to log in to (together with the user's identity or account information at the single sign-on server) to obtain the user's account name and password for that Web application system from the repository, and then submits them to the Web application system through the browser, using the account name and password submission method agreed with the Web application system.
A password update method for the single sign-on method above is as follows:
When the user, using a browser, updates the password of an account in a Web application system, the Web application system directs the user's browser to the single sign-on server through page code, requesting an update of the password of the user's account in the Web application system; the password update request that the browser submits to the single sign-on server contains identification information for the Web application system whose password the user wants to update (such as the Web application system's name, domain name or identifier);
The single sign-on server checks whether the user requesting the password update has already completed identity authentication (or login) at the single sign-on server; if not, it authenticates the user and then proceeds; if so, it proceeds directly;
The single sign-on server determines, from the identification information, which Web application system holds the account whose password is to be updated;
The single sign-on server asks the user to submit the updated password through the browser;
After receiving the updated password, the single sign-on server, on the one hand, uses it to update the password of the user's account for the Web application system in the repository and, on the other hand, submits the updated password to the Web application system through the browser, using the submission method for updated passwords agreed with the Web application system.
For the password update method above, if the user's account name and password for the Web application system are stored in the user's mobile terminal (that is, the repository is a data storage system in the mobile terminal), then while the user updates the password of the account, the user connects the mobile terminal (a dedicated login-assistance program or app on it) to the single sign-on server, and the single sign-on server uses the updated password submitted by the user to update the password of the user's Web application system account stored in the mobile terminal.
For the single sign-on method above, if the repository is a data storage system that the single sign-on server can access directly (such as a database or files) but the account data (including account name and password) of each user, or of some users, stored in it is encrypted with the corresponding user's key (a public key or a symmetric key), then whenever the single sign-on server needs to operate on a user's account data (for example, to obtain the user's account name and password for the Web application system to be logged in to, or to update them), the user connects the mobile terminal (a dedicated program or app on it) to the single sign-on server, the program or app on the mobile terminal decrypts the user's account data with the user's key (such as a private key or symmetric key), and the single sign-on server then operates on the decrypted account data (for example, obtaining or updating the user's account name and password for the Web application system).
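The repository bookkeeping that the single sign-on server performs when the user supplies credentials by hand, as an added Python example that is not the patent's code: it covers the reconciliation after a failed auto-login (situations 1 and 2 described earlier), the first-time case where the repository had no entry, and the password update method just described. Assumed for illustration: the repository is a dict keyed by `(sso_user, app_id)` holding `(account_name, password)`, and pending login attempts are tracked with a one-time token so that an error report arriving through the browser is honoured only for a login this server actually started and only once. All values are constructed samples.

```python
"""Added example of SSO repository reconciliation (not the patent's code).
Repository shape, token mechanism and sample values are assumptions."""
import secrets


def reconcile_credentials(repo, sso_user, app_id, submitted_account, submitted_password):
    """Update the repository from user-submitted credentials and report which
    rule applied: 'stored', 'password_replaced' or 'entry_replaced'."""
    key = (sso_user, app_id)
    existing = repo.get(key)
    if existing is None:
        # No entry yet: store what the user submitted (first-time enrolment).
        repo[key] = (submitted_account, submitted_password)
        return "stored"
    stored_account, _stored_password = existing
    if stored_account == submitted_account:
        # Situation 1: same account name, so only the password is replaced.
        repo[key] = (stored_account, submitted_password)
        return "password_replaced"
    # Situation 2: different account name; drop the old entry, keep the new one.
    del repo[key]
    repo[key] = (submitted_account, submitted_password)
    return "entry_replaced"


def begin_attempt(pending, sso_user, app_id):
    """Record that the browser was sent to app_id on behalf of sso_user and
    return the one-time token the application echoes back in an error report."""
    token = secrets.token_urlsafe(16)
    pending[token] = (sso_user, app_id)
    return token


def handle_error_report(pending, token):
    """Accept an error report only for an attempt this server started, and
    consume the token so a replayed report cannot re-open the credential
    prompt. Returns (sso_user, app_id) to prompt for, or None."""
    return pending.pop(token, None)


def update_password(repo, sso_user, app_id, new_password):
    """Password update method: replace the stored password of the existing
    entry and return the data the browser submits to the Web application.
    Returns None when there is no entry to update."""
    key = (sso_user, app_id)
    if key not in repo:
        return None
    account, _old_password = repo[key]
    repo[key] = (account, new_password)
    return {"username": account, "new_password": new_password}


if __name__ == "__main__":
    repo = {("alice", "wiki"): ("awang", "old-secret")}
    pending = {}
    token = begin_attempt(pending, "alice", "wiki")
    who = handle_error_report(pending, token)          # ('alice', 'wiki')
    print(who, reconcile_credentials(repo, *who, "awang", "new-secret"))
```

Because the repository is only ever written from what the user typed, it can hold a stale or wrong password until the next failed login triggers the prompt; the reconcile step is what keeps it converging with the application's own state.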
Compared with existing single sign-on techniques, the method of the present invention has the following advantages:
(1) The Web application system keeps its original account name and password login method; no dedicated single sign-on protocol component is needed, only a small change to the Web application system's login page and, if desired, a further small change to its account password update page (which is not required);
(2) The single sign-on system does not need to actively obtain and store the user's account names and passwords for the different Web application systems, and is not responsible for keeping stored passwords consistent (synchronized) with those held in the Web application systems; at most it passively stores and updates the user's account names and passwords for the different Web application systems, and it may not need to store them at all;
(3) There is no impact on the performance of the Web application systems.
In an implementation of the invention in which the user's account names and passwords for the Web application systems are stored in the user's mobile terminal, the single sign-on system does not even need to store them, which is more secure.
The price of the invention's simple implementation is, of course, that storing the user's account names and passwords for the different Web application systems in the repository requires manual intervention by the user; this is, however, one-off and occasional.
The single sign-on method above addresses the case where the Web application system authenticates the user's login directly with the password. The method can be extended to the case where the Web application system authenticates the login with a hash value of the password rather than the password itself, specifically as follows: the repository stores either the password corresponding to the user's account in the Web application system or the hash value of that password;
During the user's login to the Web application system, the extended single sign-on method differs from the original method as follows (two cases, depending on how the password is stored):
If the repository stores the password corresponding to the user's account in the Web application system, then during login the single sign-on server obtains the password from the repository and computes its hash value; it then submits the login authentication data formed from the user's account name and the password hash to the Web application system through the browser, using the login authentication data submission method agreed with the Web application system (for example, by including the account name and password hash in the target URL of a URL redirection, by submitting them as form data through an automatic POST, or by submitting them through an asynchronous transfer such as Ajax);
If the repository stores the hash value of the password corresponding to the user's account in the Web application system, then during login the single sign-on server obtains the password hash from the repository and submits the login authentication data formed from the user's account name and the password hash to the Web application system through the browser, using the login authentication data submission method agreed with the Web application system.
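The two storage cases of the extended method, as an added Python example that is not the patent's code. Assumptions: each repository entry records whether it holds the password or its hash, the hash function is SHA-256 over the UTF-8 password (the text fixes no algorithm; a deployment must use exactly the function the Web application verifies against), and the returned dict is the "login authentication data" handed to the browser for submission. The example also shows enrolment, so that a deployment can choose to keep only the hash and never hold the plaintext.

```python
"""Added example for the password-hash variant (not the patent's code).
Hash algorithm, entry layout and sample values are assumptions."""
import hashlib


def password_hash(password):
    """Assumed hash: SHA-256 hex digest of the UTF-8 encoded password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def enrol(repo, sso_user, app_id, account, password, store_hash=True):
    """Store the user's entry as (account, secret, kind). With store_hash=True
    the repository never holds the plaintext, only the digest the application
    accepts (case 2 above); with store_hash=False it holds the password (case 1)."""
    if store_hash:
        repo[(sso_user, app_id)] = (account, password_hash(password), "hash")
    else:
        repo[(sso_user, app_id)] = (account, password, "password")


def login_authentication_data(repo, sso_user, app_id):
    """Build the login authentication data for the browser to submit.
    Case 1 hashes the stored password now; case 2 forwards the stored hash.
    Returns None when the repository has no entry."""
    entry = repo.get((sso_user, app_id))
    if entry is None:
        return None
    account, secret, kind = entry
    if kind == "password":
        digest = password_hash(secret)
    elif kind == "hash":
        digest = secret
    else:
        raise ValueError("unknown entry kind: %s" % kind)
    return {"username": account, "password_hash": digest}


if __name__ == "__main__":
    repo = {}
    enrol(repo, "alice", "legacy", "alice.w", "Pa55word", store_hash=False)
    enrol(repo, "alice", "wiki", "awang", "Pa55word", store_hash=True)
    print(login_authentication_data(repo, "alice", "legacy"))
    print(login_authentication_data(repo, "alice", "wiki"))
```

Whichever form is stored, the value submitted to the application is the same and is by itself sufficient to log in, so the repository needs the same protection in both cases; what storing the hash buys is only that a plaintext password, which the user may reuse elsewhere, is never held by the single sign-on server.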
Description of drawings
Figure 1 is a flow chart of the method of the present invention.
Figure 2 is a schematic diagram of Embodiment 1 of the present invention.
Figure 3 is a schematic diagram of Embodiment 2 of the present invention.
Figure 4 is a schematic diagram of Embodiment 3 of the present invention.
Figure 5 is a schematic diagram of Embodiment 4 of the present invention.
Figure 6 is a schematic diagram of Embodiment 5 of the present invention.
Figure 7 is a schematic diagram of Embodiment 6 of the present invention.
Detailed description of the embodiments
Specific embodiments of the present invention are described below with reference to examples. The following examples describe only some of the possible embodiments of the present invention; they do not represent all possible embodiments and do not limit the scope of protection of the present invention.
Figure 1 is a flow chart of the method of the present invention. The single sign-on method of the present invention mainly comprises the following steps:
A user uses a browser to request access to a web application system, or to request access to a controlled resource or function of the web application system, which requires logging in to the web application system; or the user uses a browser to request, through a portal website, access to a web application system that can only be accessed after login;
The web application system or the portal website directs the user's browser to the single sign-on server by means of page code, requesting login to the web application system; the login request that the browser submits to the single sign-on server contains identification information of the web application system the user wants to log in to;
The single sign-on server checks whether the user requesting login to the web application system has already completed identity authentication at the single sign-on server; if not, it authenticates the user and proceeds to the subsequent operations once authentication is complete; if so, it proceeds directly to the subsequent operations;
According to the identification information of the web application system the user wants to log in to, the single sign-on server obtains the user's account name and password for that web application system from the application-system account name and password repository;
Through the browser, the single sign-on server submits the user's account name and password for the web application system to the web application system, using the account name and password submission method agreed with the web application system;
Here, the single sign-on server is a system that assists users in logging in to web application systems; the single sign-on server maintains its own user account data, which it uses to authenticate the users of the single sign-on server;
The application-system account name and password repository is a data storage system that holds the user's account names and passwords for the different web application systems; it is either a data storage system that the single sign-on server can access directly, or a data storage system in the user's mobile terminal.
Embodiment 1
The application scenario of this embodiment is shown in Figure 2. There are one or more web application systems; a single sign-on server that assists users in logging in to the web application systems and maintains an account database for authenticating users; and an application-system account name and password repository that stores the user's account names and passwords for the different web application systems. In this embodiment the repository is a data storage system (such as a database or a file) that the single sign-on server can access directly.
When a user uses a browser to request access to a web application system, or to a controlled resource or function of the web application system, and must log in to the web application system, the web application system directs the user's browser to the single sign-on server by means of page code (for example by URL redirection, by an automatically submitted POST form, or by an asynchronous transfer such as Ajax), requesting login to the web application system; the login request that the browser submits to the single sign-on server contains identification information of the web application system the user wants to log in to (such as the web application system's name, domain name or identifier);
The single sign-on server checks whether the user requesting login to the web application system has already completed identity authentication (login) at the single sign-on server; if not, it authenticates the user and proceeds to the subsequent operations once authentication is complete; if so, it proceeds directly to the subsequent operations;
According to the identification information of the web application system the user wants to log in to (together with the user's identity or account information at the single sign-on server), the single sign-on server obtains the user's account name and password for the web application system from the application-system account name and password repository, and then, through the browser, submits them to the web application system using the account name and password submission method agreed with the web application system (for example by including the account name and password in the target URL of a redirect, by submitting them as form data through an automatically submitted POST, or by submitting them through an asynchronous transfer such as Ajax).
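The hand-off in the method steps above and in Embodiment 1 (authentication check at the single sign-on server, look-up in a directly accessible repository, submission through the browser) as an added example in Python. This is not code from the patent: the application registry, the repository contents, the field names and the session dictionary are constructed assumptions. It renders the auto-POST variant and the redirect variant, and HTML-escapes every stored value before it is placed in the page.

```python
# Added example for the single sign-on hand-off of Embodiment 1 and the method
# steps. Not code from the patent; the registry, the repository contents and
# the field names are constructed assumptions.
import html
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class AppDescriptor:
    """How one web application system expects its account name and password."""
    app_id: str          # identification information sent in the login request
    login_url: str       # endpoint the application expects the credentials at
    user_field: str      # form or query field name for the account name
    password_field: str  # form or query field name for the password


# Web application systems known to the SSO server (constructed sample data).
APP_REGISTRY = {
    "crm": AppDescriptor("crm", "https://crm.example.test/login", "username", "password"),
    "wiki": AppDescriptor("wiki", "https://wiki.example.test/session", "user", "pass"),
}

# Application-system account name and password repository, directly accessible
# to the SSO server, keyed by (SSO user, app_id). Constructed sample data.
CREDENTIAL_STORE = {
    ("alice", "crm"): ("alice.w", "S3cret&<crm>"),
    ("alice", "wiki"): ("awong", 'p"w'),
}


class SsoError(Exception):
    pass


def resolve_credentials(sso_session, app_id):
    """Steps 3 and 4: require a completed SSO authentication, then look up the
    account for the requested application."""
    if not sso_session.get("authenticated"):
        raise SsoError("user has not completed identity authentication at the SSO server")
    app = APP_REGISTRY.get(app_id)
    if app is None:
        raise SsoError(f"unknown web application system: {app_id!r}")
    entry = CREDENTIAL_STORE.get((sso_session["user"], app_id))
    if entry is None:
        raise SsoError("no stored account for this user and application")
    return app, entry


def render_auto_post(app, account_name, password):
    """Step 5, auto-POST variant: a page the browser loads and submits on its own.
    Every value is HTML-escaped so a stored password cannot break out of the
    attribute and inject markup into the page the SSO server serves."""
    fields = {app.user_field: account_name, app.password_field: password}
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in fields.items()
    )
    return (
        '<!doctype html><html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(app.login_url, quote=True)}">'
        f'{inputs}<noscript><button type="submit">Continue</button></noscript>'
        "</form></body></html>"
    )


def build_redirect_url(app, account_name, password):
    """Step 5, redirect variant: credentials travel in the query string. The
    URL then appears in browser history, proxy and server logs and Referer
    headers, so the auto-POST form is preferable wherever the application
    accepts it."""
    parts = urlsplit(app.login_url)
    query = urlencode({app.user_field: account_name, app.password_field: password})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def sso_login(sso_session, app_id, method="post"):
    """Entry point for the login request the browser brings from the application."""
    app, (account_name, password) = resolve_credentials(sso_session, app_id)
    if method == "post":
        return render_auto_post(app, account_name, password)
    if method == "redirect":
        return build_redirect_url(app, account_name, password)
    raise SsoError(f"unsupported submission method: {method!r}")
```

`sso_login({"authenticated": True, "user": "alice"}, "crm")` returns the self-submitting page for the CRM application; the same call with `method="redirect"` returns the URL with the credentials percent-encoded in the query string. A session that has not completed authentication at the single sign-on server is refused before any look-up happens, which is the order the method prescribes.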
Embodiment 2
The application scenario of this embodiment is shown in Figure 3. There are one or more web application systems; a single sign-on server that assists users in logging in to the web application systems and maintains an account database for authenticating users; and the user's mobile terminal (such as a mobile phone, tablet or smart wearable device), which holds an application-system account name and password repository that stores the user's account names and passwords for the different web application systems.
When a user uses a browser to request access to a web application system, or to a controlled resource or function of the web application system, and must log in to the web application system, the web application system directs the user's browser to the single sign-on server by means of page code (for example by URL redirection, by an automatically submitted POST form, or by an asynchronous transfer such as Ajax), requesting login to the web application system; the login request that the browser submits to the single sign-on server contains identification information of the web application system the user wants to log in to (such as the web application system's name, domain name or identifier);
The single sign-on server checks whether the user requesting login to the web application system has already completed identity authentication (login) at the single sign-on server; if not, it authenticates the user and proceeds to the subsequent operations once authentication is complete; if so, it proceeds directly to the subsequent operations;
Beforehand, or at this point, the user uses the mobile terminal (a dedicated login-assistance program or app on it) to connect to the single sign-on server;
According to the identification information of the web application system the user wants to log in to, the single sign-on server obtains the user's account name and password for the web application system from the application-system account name and password repository in the mobile terminal, and then, through the browser, submits them to the web application system using the account name and password submission method agreed with the web application system (for example by including the account name and password in the target URL of a redirect, by submitting them as form data through an automatically submitted POST, or by submitting them through an asynchronous transfer such as Ajax).
Embodiment 3
The application scenario of this embodiment is shown in Figure 4. There are one or more web application systems; a portal website through which the user can click to access the different web application systems; a single sign-on server that assists users in logging in to the web application systems and maintains an account database for authenticating users; and an application-system account name and password repository that stores the user's account names and passwords for the different web application systems. In this embodiment the repository is a data storage system (such as a database or a file) that the single sign-on server can access directly.
When the user clicks in the portal website to request access to a web application system that can only be accessed after login, the portal website directs the user's browser to the single sign-on server by means of page code (for example by URL redirection, by an automatically submitted POST form, or by an asynchronous transfer such as Ajax), requesting login to the web application system; the login request that the browser submits to the single sign-on server contains identification information of the web application system the user wants to log in to (such as the web application system's name, domain name or identifier);
The single sign-on server checks whether the user requesting login to the web application system has already completed identity authentication (login) at the single sign-on server; if not, it authenticates the user and proceeds to the subsequent operations once authentication is complete; if so, it proceeds directly to the subsequent operations;
According to the identification information of the web application system the user wants to log in to (together with the user's identity or account information at the single sign-on server), the single sign-on server obtains the user's account name and password for the web application system from the application-system account name and password repository, and then, through the browser, submits them to the web application system using the account name and password submission method agreed with the web application system (for example by including the account name and password in the target URL of a redirect, by submitting them as form data through an automatically submitted POST, or by submitting them through an asynchronous transfer such as Ajax).
Embodiment 4
The application scenario of this embodiment is shown in Figure 5. There are one or more web application systems; a portal website through which the user can click to access the different web application systems; a single sign-on server that assists users in logging in to the web application systems and maintains an account database for authenticating users; and the user's mobile terminal (such as a mobile phone, tablet or smart wearable device), which holds an application-system account name and password repository that stores the user's account names and passwords for the different web application systems.
When the user clicks in the portal website to request access to a web application system that can only be accessed after login, the portal website directs the user's browser to the single sign-on server by means of page code (for example by URL redirection, by an automatically submitted POST form, or by an asynchronous transfer such as Ajax), requesting login to the web application system; the login request that the browser submits to the single sign-on server contains identification information of the web application system the user wants to log in to (such as the web application system's name, domain name or identifier);
The single sign-on server checks whether the user requesting login to the web application system has already completed identity authentication (login) at the single sign-on server; if not, it authenticates the user and proceeds to the subsequent operations once authentication is complete; if so, it proceeds directly to the subsequent operations;
Beforehand, or at this point, the user uses the mobile terminal (a dedicated login-assistance program or app on it) to connect to the single sign-on server;
According to the identification information of the web application system the user wants to log in to, the single sign-on server obtains the user's account name and password for the web application system from the application-system account name and password repository in the mobile terminal, and then, through the browser, submits them to the web application system using the account name and password submission method agreed with the web application system (for example by including the account name and password in the target URL of a redirect, by submitting them as form data through an automatically submitted POST, or by submitting them through an asynchronous transfer such as Ajax).
Embodiment 5
The application scenario of this embodiment is shown in Figure 6. There are one or more web application systems, and a single sign-on server that assists users in logging in to the web application systems and at the same time acts as a portal website, so that the user can click in the single sign-on server to access the different web application systems. The single sign-on server maintains an account database for authenticating users, and there is an application-system account name and password repository that stores the user's account names and passwords for the different web application systems; in this embodiment the repository is a data storage system (such as a database or a file) that the single sign-on server can access directly.
When the user, using a browser, visits the single sign-on server acting as a portal website and clicks to request access to a web application system that requires login, the single sign-on server checks whether the user requesting login to the web application system has already completed identity authentication (login) at the single sign-on server; if not, it authenticates the user and proceeds to the subsequent operations once authentication is complete; if so, it proceeds directly to the subsequent operations;
According to the identification information of the web application system the user wants to log in to (together with the user's identity or account information at the single sign-on server), the single sign-on server obtains the user's account name and password for the web application system from the application-system account name and password repository, and then, through the browser, submits them to the web application system using the account name and password submission method agreed with the web application system (for example by including the account name and password in the target URL of a redirect, by submitting them as form data through an automatically submitted POST, or by submitting them through an asynchronous transfer such as Ajax).
Embodiment 6
The application scenario of this embodiment is shown in Figure 7. There are one or more web application systems, and a single sign-on server that assists users in logging in to the web application systems and at the same time acts as a portal website, so that the user can click in the single sign-on server to access the different web application systems. The single sign-on server maintains an account database for authenticating users, and the user's mobile terminal (such as a mobile phone, tablet or smart wearable device) holds an application-system account name and password repository that stores the user's account names and passwords for the different web application systems.
When the user, using a browser, visits the single sign-on server acting as a portal website and clicks to request access to a web application system that requires login, the single sign-on server checks whether the user requesting login to the web application system has already completed identity authentication (login) at the single sign-on server; if not, it authenticates the user and proceeds to the subsequent operations once authentication is complete; if so, it proceeds directly to the subsequent operations;
Beforehand, or at this point, the user uses the mobile terminal (a dedicated login-assistance program or app on it) to connect to the single sign-on server;
According to the identification information of the web application system the user wants to log in to, the single sign-on server obtains the user's account name and password for the web application system from the application-system account name and password repository in the mobile terminal, and then, through the browser, submits them to the web application system using the account name and password submission method agreed with the web application system (for example by including the account name and password in the target URL of a redirect, by submitting them as form data through an automatically submitted POST, or by submitting them through an asynchronous transfer such as Ajax).
Embodiment 7
In this embodiment the application-system account name and password repository is a data storage system (such as a database or a file) that the single sign-on server can access directly, but the account data (including account names and passwords) of each, or of some, of the users stored in it is encrypted with the corresponding user's key (a public key or a symmetric key). When, in the course of the single sign-on method described above, the single sign-on server needs to operate on a user's account data (for example to obtain the user's account name and password for the web application system to be logged in to, or to update the user's account name and password for a web application system), the user uses the mobile terminal (a dedicated program or app on it) to connect to the single sign-on server; the program or app in the mobile terminal decrypts the user's account data with the user's key (such as the private key or the symmetric key), after which the single sign-on server operates on the decrypted account data (for example obtaining the user's account name and password for the web application system to be logged in to, or updating the user's account name and password for a web application system). Here the mobile terminal may return all of the decrypted account data to the single sign-on server for its use, or return only the part of the decrypted account data that the single sign-on server needs; if the operation the single sign-on server performs on the account data is an update, the mobile terminal encrypts the updated account data and returns it to the single sign-on server for storage.
Embodiment 7 can be implemented on the basis of Embodiments 2, 4 and 6.
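The division of roles in Embodiment 7, together with the mobile-terminal repository of Embodiments 2, 4 and 6, as an added example in Python; it is not the patent's code. The single sign-on server stores only ciphertext, the mobile terminal is the sole holder of the user's symmetric key, returns only the account the server asked for (the "only the data the server needs" option of the embodiment), and after an update hands back fresh ciphertext. The authenticated encryption used here (a SHA-256 counter keystream with HMAC-SHA-256, encrypt-then-MAC, with separate subkeys) is a standard-library stand-in for AES-GCM chosen so the example runs without third-party packages; the account data and key are constructed sample values.

```python
# Added example for Embodiment 7 (and the mobile-terminal repository of
# Embodiments 2, 4 and 6). Not code from the patent. The cipher is a stdlib
# stand-in for AES-GCM; the key and the account data are constructed samples.
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(user_key):
    """Separate encryption and MAC keys derived from the user's symmetric key."""
    enc = hashlib.sha256(b"enc|" + user_key).digest()
    mac = hashlib.sha256(b"mac|" + user_key).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: SHA-256(enc_key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(user_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(user_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(user_key, blob):
    """Verify the tag before decrypting; a tampered blob is rejected outright."""
    enc_key, mac_key = _subkeys(user_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("account data failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MobileTerminal:
    """The login-assistance app on the user's device: the only holder of the key."""

    def __init__(self, user_key):
        self._key = user_key

    def initial_blob(self, accounts):
        """Encrypt the user's accounts (app_id -> account) for the server to store."""
        return seal(self._key, json.dumps(accounts).encode("utf-8"))

    def disclose(self, blob, app_id):
        """Return only the account for app_id, never the whole decrypted vault."""
        accounts = json.loads(unseal(self._key, blob))
        if app_id not in accounts:
            raise KeyError(f"no account stored for {app_id!r}")
        return dict(accounts[app_id])

    def update(self, blob, app_id, account_name, password):
        """Decrypt, apply the update, and hand back fresh ciphertext for storage."""
        accounts = json.loads(unseal(self._key, blob))
        accounts[app_id] = {"account_name": account_name, "password": password}
        return seal(self._key, json.dumps(accounts).encode("utf-8"))


class SsoServer:
    """Holds the repository but never a key, so a dump of it yields only ciphertext."""

    def __init__(self):
        self.repository = {}  # SSO user -> encrypted account data

    def credentials_for(self, user, app_id, terminal):
        return terminal.disclose(self.repository[user], app_id)

    def update_credentials(self, user, app_id, terminal, account_name, password):
        self.repository[user] = terminal.update(
            self.repository[user], app_id, account_name, password
        )
```

The server-side repository never contains the plaintext password at any point, before or after an update, and a blob modified in the repository fails the integrity check on the terminal rather than decrypting to garbage. The point worth keeping in mind is that the server still sees the plaintext of whatever the terminal discloses, so the disclosure should be limited to the single application being logged in to, as the class above does.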
Embodiment 8
This embodiment can be implemented on the basis of any one of Embodiments 1 to 7; it differs from Embodiments 1 to 7 in the following:
When the user logs in to the web application system, the web application system does not authenticate the user directly with the password but with a hash of the password; in this case the application-system account name and password repository stores either the password of the account with which the user logs in to the web application system, or the hash of that password;
If the application-system account name and password repository stores the password of the account with which the user logs in to the web application system, then, while the user is logging in to the web application system, the single sign-on server obtains that password from the repository and computes its hash; the single sign-on server then, through the browser, submits the login authentication data formed from the user's account name in the web application system and the password hash to the web application system, using the login authentication data submission method agreed with the web application system (for example by including the login authentication data formed from the account name and password hash in the target URL of a redirect, by submitting it as form data through an automatically submitted POST, or by submitting it through an asynchronous transfer such as Ajax);
If the application-system account name and password repository stores the hash of the password for the account with which the user logs in to the web application system, then, while the user is logging in to the web application system, the single sign-on server obtains that password hash from the repository and then, through the browser, submits the login authentication data formed from the user's account name in the web application system and the password hash to the web application system, using the login authentication data submission method agreed with the web application system.
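Both storage variants of Embodiment 8, with the verifying side of the web application system, as an added example in Python; it is not the patent's code. The hash construction (SHA-256 over an assumed per-application salt and the password, hex-encoded) is an assumption standing in for whatever scheme the application actually agrees, and the account is constructed sample data.

```python
# Added example for Embodiment 8. Not code from the patent; the hash scheme and
# the per-application salt are assumptions, the account is sample data.
import hashlib
import hmac

APP_SALT = b"crm-login-v1"  # assumed constant agreed with the web application


def login_hash(password):
    """The password hash the web application expects in its login data."""
    return hashlib.sha256(APP_SALT + password.encode("utf-8")).hexdigest()


def login_data_from_password(account_name, password):
    """Repository holds the password: the SSO server hashes at login time."""
    return {"account": account_name, "pwhash": login_hash(password)}


def login_data_from_hash(account_name, stored_hash):
    """Repository holds the hash: the SSO server forwards it unchanged."""
    return {"account": account_name, "pwhash": stored_hash}


class WebApp:
    """The web application system, authenticating on the hash, not the password."""

    def __init__(self):
        self._users = {}

    def register(self, account_name, password):
        self._users[account_name] = login_hash(password)

    def authenticate(self, login_data):
        expected = self._users.get(login_data.get("account"))
        if expected is None:
            return False
        # Constant-time comparison so the check does not leak matching prefixes.
        return hmac.compare_digest(expected, login_data.get("pwhash", ""))
```

The two variants produce identical login authentication data, so the web application cannot tell which one the repository used. The consequence a practitioner should note: because the application accepts the hash itself, whoever reads the stored hash can form valid login data without ever knowing the password, so for that application the stored hash must be protected as carefully as the password would be.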
A corresponding single sign-on system can be built on the method of the present invention. The system comprises a single sign-on server and an application-system account name and password repository; specifically:
Single sign-on server: a system that assists users in logging in to web application systems; the single sign-on server maintains its own user account database, which it uses to authenticate the users of the single sign-on server;
Application-system account name and password repository: a data storage system that holds the user's account names and passwords for the different web application systems; the repository is either a data storage system that the single sign-on server can access directly (such as a database or a file), or a data storage system in the user's mobile terminal (such as a small database or a file);
When a user uses a browser to access a web application system, or to request access to a controlled resource or function of the web application system, and must log in to the web application system, or uses a browser to request, through a portal website, access to a web application system that can only be accessed after login, the single sign-on system assists the user in completing the login to the web application system according to the single sign-on method described above;
When the user uses a browser to update the password of an account in a web application system, the single sign-on system assists the user in completing the password update in the web application system according to the password update method described above.
Other specific technical implementations not described here are well known and self-evident to those skilled in the relevant art.
Claims (13)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810183584.9A CN108462706B (en) | 2018-03-06 | 2018-03-06 | Single sign-on method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108462706A CN108462706A (en) | 2018-08-28 |
CN108462706B true CN108462706B (en) | 2022-05-03 |
Family
ID=63217436
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810183584.9A Active CN108462706B (en) | 2018-03-06 | 2018-03-06 | Single sign-on method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108462706B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102624737A (en) * | 2012-03-27 | 2012-08-01 | 武汉理工大学 | Single sign-on integration method for Form identity authentication in single sign-on system |
CN103795731A (en) * | 2014-02-26 | 2014-05-14 | 北京京东尚科信息技术有限公司 | User account login method |
CN105281902A (en) * | 2015-12-03 | 2016-01-27 | 武汉理工大学 | Web system safety login method based on mobile terminal |
CN106888225A (en) * | 2017-04-28 | 2017-06-23 | 努比亚技术有限公司 | A kind of control method of single-sign-on application, mobile terminal and computer-readable medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104580074B (en) * | 2013-10-14 | 2018-08-24 | 阿里巴巴集团控股有限公司 | The login method of client application and its corresponding server |
CN104767621B (en) * | 2015-04-16 | 2018-04-10 | 深圳市高星文网络科技有限公司 | A kind of Mobile solution accesses the one-point safety authentication method of business data |
US10171447B2 (en) * | 2015-06-15 | 2019-01-01 | Airwatch Llc | Single sign-on for unmanaged mobile devices |
CN105978994B (en) * | 2016-06-22 | 2019-01-18 | 武汉理工大学 | A kind of login method of web oriented system |
-
2018
- 2018-03-06 CN CN201810183584.9A patent/CN108462706B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102624737A (en) * | 2012-03-27 | 2012-08-01 | 武汉理工大学 | Single sign-on integration method for Form identity authentication in single sign-on system |
CN103795731A (en) * | 2014-02-26 | 2014-05-14 | 北京京东尚科信息技术有限公司 | User account login method |
CN105281902A (en) * | 2015-12-03 | 2016-01-27 | 武汉理工大学 | Web system safety login method based on mobile terminal |
CN106888225A (en) * | 2017-04-28 | 2017-06-23 | 努比亚技术有限公司 | A kind of control method of single-sign-on application, mobile terminal and computer-readable medium |
Also Published As
Publication number | Publication date |
---|---|
CN108462706A (en) | 2018-08-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10541991B2 (en) | | Method for OAuth service through blockchain network, and terminal and server using the same |
US9787664B1 (en) | | Methods systems and articles of manufacture for implementing user access to remote resources |
CN102638454B (en) | | A plug-in single sign-on integration method for HTTP authentication protocol |
EP2984589B1 (en) | | System and method for mobile single sign-on integration |
US8799639B2 (en) | | Method and apparatus for converting authentication-tokens to facilitate interactions between applications |
US8196193B2 (en) | | Method for retrofitting password enabled computer software with a redirection user authentication method |
CN102624737B (en) | | Single sign-on integrated method for Form identity authentication in single login system |
US11366803B2 (en) | | Method for providing relational decentralized identifier service and blockchain node using the same |
US20170250984A1 (en) | | Authentication proxy agent |
CN106209726B (en) | | A mobile application single sign-on method and device |
US20150007299A1 (en) | | Mobile multifactor single-sign-on authentication |
JP2020057363A (en) | | Method and Program for Security Assertion Markup Language (SAML) Service Provider Initiated Single Sign-On |
KR102323522B1 (en) | | DID system that can be verified on a browser using credentials and its control method |
US20100077467A1 (en) | | Authentication service for seamless application operation |
CN115021991A (en) | | Single sign-on for unmanaged mobile devices |
CN104378376A (en) | | SOA-based single-point login method, authentication server and browser |
US20200322151A1 (en) | | Apparatus and methods for secure access to remote content |
JP2015535984A5 (en) | | |
ES2963837T3 (en) | | Service connection technique |
US10104526B2 (en) | | Method and apparatus for issuing a credential for an incident area network |
CN110519296A (en) | | A kind of single-sign-on of isomery web system and publish method |
CN102710621B (en) | | A kind of user authentication method and system |
KR102232763B1 (en) | | Single-sign-on method and system for multi-domain services |
CN114338078B (en) | | A CS client login method and device |
US11849041B2 (en) | | Secure exchange of session tokens for claims-based tokens in an extensible system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20221123. Address after: 518000 Room 201, Building A, 1 Front Bay Road, Shenzhen Qianhai Cooperation Zone, Shenzhen, Guangdong. Patentee after: Shenzhen Tianwei Chengxin Technology Co., Ltd. Address before: 430070 Hubei Province, Wuhan City, Hongshan District, Luoshi Road No. 122. Patentee before: Wuhan University of Technology |