CN108462706B - Single sign-on method and system - Google Patents
Publication number: CN108462706B (application CN201810183584.9A)
Authority: CN (China)
Prior art keywords: application system; user; web application; password; single sign-on
Legal status: Active
Classifications:
- H04L63/0815: Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords
- H04L67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes: Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computer Security & Cryptography; Computing Systems; General Engineering & Computer Science; Information Transfer Between Computers
Abstract
The invention relates to a single sign-on method. When a user accesses a Web application system with a browser and needs to log in to it, or requests through a portal website a Web application system that can be accessed only after logging in, the Web application system or the portal website guides the user's browser to a single sign-on server. The single sign-on server checks whether the user requesting to log in to the Web application system has already completed identity authentication at the single sign-on server and, if not, authenticates the user. For an authenticated user, the single sign-on server obtains the account name and password for the Web application system from the application system account name and password repository, using the identification information of the Web application system, and then submits that account name and password to the Web application system through the browser, in the submission mode agreed with the Web application system.
Description
Technical Field
The invention belongs to the technical field of information security, and in particular relates to a single sign-on method and a single sign-on system for logging in to application systems.
Background
Single Sign On (SSO) means that a user performs only one sign-on operation, e.g. enters an account name and password only once, and can then access different application systems (the usual Chinese term, literally "single-point login", is strictly speaking an inaccurate rendering of Single Sign On; "single-time login" would be more accurate).
Single sign-on is widely used because it brings convenience to users. Several commonly used techniques for single sign-on are as follows:
adopting a single sign-on protocol, such as SAML (Security Assertion Markup Language), WS-Federation or Kerberos: different application systems achieve single sign-on by supporting the same single sign-on protocol;
adopting a single sign-on gateway: a security gateway is placed in front of a number of application systems, and a user can reach the application systems behind the gateway only after completing the sign-on operation at the gateway; when the user then accesses an application system behind the gateway, no further login operation is needed;
adopting a shared Cookie: several Web application systems achieve single sign-on by sharing a Cookie that marks that the user has completed sign-on (identity authentication).
For single sign-on based on a single sign-on protocol or a single sign-on gateway, the original login logic or mode of the application system may or may not need to be modified. If the application system's original login logic or mode is left unmodified, a password substitution (form-fill) technique is usually adopted, that is, a single sign-on protocol component in the application system or the single sign-on gateway fills in the account name and password on the user's behalf to log in to the application system. If the original login logic or mode of the application system is modified, that original login logic or mode is removed and no longer functions.
The current single sign-on technology has the following problems:
(1) if a single sign-on protocol is adopted, a dedicated single sign-on protocol component has to be implemented;
(2) if the password substitution (form-fill) technique is used on top of a single sign-on protocol, the single sign-on system must actively acquire and store the users' account names and passwords for the different application systems, and is responsible for keeping the account passwords it stores consistent (synchronized) with the account passwords stored in the application systems;
(3) if a single sign-on gateway is adopted, all requests and responses must pass through the gateway, which noticeably affects the performance of accessing the application systems;
(4) with shared cookies, the different Web application systems must share a common part of their domain name.
Disclosure of Invention
The invention aims to provide a single sign-on technical scheme to overcome the defects of the prior art.
In order to realize the purpose of the invention, the technical scheme provided by the invention is as follows: a single sign-on method specifically comprises the following steps:
when a user uses a browser to request access to a Web application system, or to controlled resources or functions of the Web application system, and needs to log in (logon) at the Web application system, or uses the browser to request, through a portal website, a Web application system that can be accessed only after logging in, the Web application system or the portal website guides the user's browser to a single sign-on server through page code (such as URL redirection, an automatic POST, or an asynchronous transfer such as Ajax) and requests to log in to the Web application system; the login request the browser submits to the single sign-on server contains identification information of the Web application system to be logged in to (such as its name, domain name or identifier);
the single sign-on server checks whether the user requesting to log in to the Web application system has completed identity authentication (login) at the single sign-on server; if not, the user is authenticated and the subsequent operations are carried out after authentication completes; if so, the subsequent operations are carried out directly;
the single sign-on server obtains the user's account name and password for the Web application system from the application system account name and password repository, using the identification information of the Web application system (and the user's identity or account information at the single sign-on server), and then submits that account name and password to the Web application system through the browser in the submission mode agreed with the Web application system (for example, the account name and password are carried in the redirected URL of a URL redirection, submitted as Form data by an automatic POST, or submitted by an asynchronous transfer such as Ajax);
the single sign-on server is a system for assisting a user to log in a Web application system; the single sign-on server maintains own user account data for authenticating the identity of the user using the single sign-on server;
the application system account name and password repository is a data storage system for storing users' account names and passwords for the different Web application systems; it is either a data storage system (such as a database or a file) that the single sign-on server can access directly, or a data storage system (such as a small database or a file) in the user's mobile terminal (such as a mobile phone, tablet computer or smart wearable device).
In the login process, if the user account name and password submitted to the Web application system by the single sign-on server through the browser are incorrect, then:
the Web application system reports error information to the single sign-on server through the browser;
after receiving the error information, the single sign-on server requires a user to submit an account name and a password for logging in the Web application system through a browser;
after a user submits an account name and a password for logging in a Web application system through a browser, the single sign-on server updates the account name and the password of the user in an application system account name and password repository by using the account name and the password submitted by the user, and submits the account name and the password submitted by the user to the Web application system through the browser according to an account name and password submission mode appointed by the Web application system.
The above-mentioned updating of account name and password includes the following situations:
case 1: the account name stored for the user in the application system account name and password repository is the same as the account name the user submitted through the browser; the single sign-on server replaces the password stored in the repository with the password submitted through the browser;
case 2: the account name stored for the user in the application system account name and password repository differs from the account name the user submitted through the browser; the single sign-on server deletes the stored account name and password of the user for that Web application system and stores the account name and password submitted through the browser in the repository instead.
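The login flow above, including the error report and repository update when the stored password is wrong, as an added simulation that is not the patent's own code. The app identifier "crm", the URLs, the session-cookie handling and all accounts are constructed for this example; the submission mode shown is the automatic POST.

```python
"""Added simulation (not the patent's code) of the login flow: the Web application
guides the browser to the SSO server, the SSO server checks its own session, takes
the app credentials from the repository and returns an auto-POST form; a wrong
stored password triggers the error report, re-entry and repository update.
App id "crm", the URLs and all accounts are constructed for this example."""
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SSO_URL = "https://sso.example"      # assumed single sign-on server
APP_URL = "https://crm.example"      # assumed Web application system


class WebApp:  # keeps its original account-name/password login; only the login page changed
    def __init__(self, app_id, login_url):
        self.app_id, self.login_url = app_id, login_url
        self.accounts = {"alice.w": "Crm-Pa55"}             # constructed sample account

    def guide_to_sso(self):
        """Page code: redirect the browser to the SSO server with the app's identifier."""
        return f"{SSO_URL}/login?" + urlencode({"app": self.app_id})

    def login(self, form):
        """Unchanged login check; on failure, report the error to the SSO server via the browser."""
        stored = self.accounts.get(form.get("username", ""), "")
        if stored and hmac.compare_digest(stored, form.get("password", "")):
            return {"status": "ok", "user": form["username"]}
        return {"status": "error",
                "redirect": f"{SSO_URL}/login?" + urlencode({"app": self.app_id, "error": "1"})}


class Repository:  # application system account name and password repository (direct-access variant)
    def __init__(self):
        self._entries = {}          # (SSO user, app id) -> (account name, password)

    def get(self, sso_user, app_id):
        return self._entries.get((sso_user, app_id))

    def update(self, sso_user, app_id, name, password):
        # Case 1 (same name: replace password) and case 2 (different name: delete old,
        # store new) both leave one entry per (user, app), so one overwrite covers both.
        self._entries[(sso_user, app_id)] = (name, password)


class SSOServer:
    def __init__(self, repo, apps):
        self.repo, self.apps = repo, apps           # apps: registered app id -> WebApp
        self.users = {"alice": "Sso-Pa55"}          # the SSO server's own user account data
        self.sessions = {}                           # session cookie -> SSO user

    def authenticate(self, username, password):
        """The SSO server's own identity authentication; returns a session cookie or None."""
        stored = self.users.get(username, "")
        if not (stored and hmac.compare_digest(stored, password)):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def handle_login(self, url, cookie):
        q = parse_qs(urlparse(url).query)
        app_id = q.get("app", [""])[0]
        if app_id not in self.apps:                  # never post credentials to an unregistered app
            return {"action": "reject", "reason": "unknown app"}
        user = self.sessions.get(cookie)
        if user is None:
            return {"action": "authenticate_at_sso"}
        entry = self.repo.get(user, app_id)
        if entry is None or "error" in q:            # nothing stored, or the app rejected it
            return {"action": "ask_app_credentials", "app": app_id}
        return self._substitute(app_id, *entry)

    def submit_app_credentials(self, cookie, app_id, name, password):
        """The user typed the app's credentials at the SSO server: store, then forward."""
        self.repo.update(self.sessions[cookie], app_id, name, password)
        return self._substitute(app_id, name, password)

    def _substitute(self, app_id, name, password):
        """Password substitution: describe the auto-POST the browser will perform."""
        return {"action": "auto_post", "url": self.apps[app_id].login_url,
                "fields": {"username": name, "password": password}}


def render_auto_post(sub):
    """The auto-POST page; values are HTML-escaped so a stored password cannot inject markup."""
    inputs = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
                     for k, v in sub["fields"].items())
    return (f'<form id="f" method="POST" action="{html.escape(sub["url"])}">{inputs}</form>'
            '<script>document.getElementById("f").submit()</script>')


def run_flow():
    """Stale repository entry -> app error -> user re-enters -> repository updated -> login ok."""
    app, repo = WebApp("crm", APP_URL + "/login"), Repository()
    repo.update("alice", "crm", "alice.w", "old-password")       # stale entry, constructed
    sso = SSOServer(repo, {"crm": app})
    cookie = sso.authenticate("alice", "Sso-Pa55")
    trace = []
    step = sso.handle_login(app.guide_to_sso(), cookie)           # browser arrives at the SSO server
    trace.append(step["action"])
    result = app.login(step["fields"])                             # browser auto-POSTs the stale password
    trace.append(result["status"])
    step = sso.handle_login(result["redirect"], cookie)            # the app's error report reaches the SSO server
    trace.append(step["action"])
    step = sso.submit_app_credentials(cookie, "crm", "alice.w", "Crm-Pa55")
    trace.append(app.login(step["fields"])["status"])
    return trace, repo.get("alice", "crm")
```

Two checks worth keeping in a real deployment: the SSO server should only substitute credentials for Web application systems registered with it (otherwise an attacker-controlled `app` parameter could collect stored passwords), and of the three submission modes the description allows, carrying the account name and password in a redirected URL leaves them in browser history, proxy and server logs and Referer headers, so the automatic POST or an Ajax request is the safer choice.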
For the above single sign-on method, if the request that the Web application system's page code causes the browser to submit to the single sign-on server contains a random code (a random string or random number) encrypted by the Web application system (with a symmetric or asymmetric key), the single sign-on server decrypts it to obtain the random code and submits the decrypted random code (together with the user's account name and password for the Web application system) to the Web application system through the browser in the manner agreed with the Web application system.
For the above single sign-on method, if the user's account name and password for the Web application system are stored in the user's mobile terminal (i.e. the application system account name and password repository is a data storage system in the mobile terminal), the user connects the mobile terminal (running a dedicated auxiliary login program or app) to the single sign-on server, and the single sign-on server obtains the account name and password for the Web application system from the mobile terminal.
For the above single sign-on method, after the Web application system or the Web portal has guided the user's browser (through page code) to the single sign-on server to request login to the Web application system, if the single sign-on server cannot obtain the user's account name and password for the Web application system from the application system account name and password repository (i.e. no account name and password of the user for that Web application system are present in the repository), the single sign-on server asks the user to submit the account name and password for the Web application system through the browser; after the user submits them, the single sign-on server on the one hand stores the submitted account name and password in the application system account name and password repository and on the other hand submits them to the Web application system through the browser.
For the above single sign-on method, if the single sign-on server also serves as a web portal, then:
when a user accesses a single sign-on server which is simultaneously used as a portal website by using a browser and clicks to request to access a Web application system which can be accessed only by logging in, the single sign-on server checks whether the user requesting to log in the Web application system finishes identity authentication (or login) in the single sign-on server, if not, the user is subjected to identity authentication, and subsequent operation is carried out after the identity authentication is finished; if the operation is finished, performing subsequent operation;
the single sign-on server obtains the account name and the password of the user in the Web application system from an application system account name and password repository according to the identification information of the Web application system to be logged in by the user (and the identity or account information of the user in the single sign-on server), and then submits the account name and the password of the user in the Web application system to the Web application system through a browser according to the account name and the password submission mode appointed by the Web application system.
A password updating method for the above single sign-on method is as follows:
when a user uses a browser to update the password of an account in a Web application system, the Web application system guides the browser of the user to a single sign-on server through a page code to request for updating the password of the account of the user in the Web application system; the password updating request submitted to the single sign-on server by the browser contains identification information (such as name, domain name, identifier and the like of the Web application system) of the Web application system of which the password is to be updated by the user;
the single sign-on server checks whether the user requesting to update the password completes identity authentication (or login) in the single sign-on server, if not, the user is subjected to identity authentication, and subsequent operation is performed after the identity authentication is completed; if the operation is finished, performing subsequent operation;
the single sign-on server determines the Web application system where the account of the password to be updated is located according to the identification information of the Web application system of the password to be updated;
the single sign-on server requires a user to submit an updated password through a browser;
after receiving the updated password submitted by the user, the single sign-on server on the one hand replaces, in the application system account name and password repository, the password of the user's account in the Web application system with the updated password, and on the other hand submits the updated password to the Web application system through the browser in the submission mode for updated passwords agreed with the Web application system.
For the above password updating method, if the user's account name and password for the Web application system are stored in the user's mobile terminal (i.e. the application system account name and password repository is a data storage system in the mobile terminal), then during the update of the password of the user's account in the Web application system the user connects the mobile terminal (running the dedicated auxiliary login program or app) to the single sign-on server, and the single sign-on server updates the password of the user's account in the Web application system stored in the mobile terminal with the updated password submitted by the user.
For the above single sign-on method, if the application system account name and password repository is a data storage system (e.g. a database or file) that the single sign-on server can access directly, but the account data (account name and password) of each user, or of some users, stored in it is encrypted under the key of the corresponding user (a public key or a symmetric key), then whenever the single sign-on server needs to operate on a user's account data (e.g. to obtain the user's account name and password for the Web application system to be logged in to, or to update the user's account name and password for the Web application system), the user connects the mobile terminal (running a dedicated program or app) to the single sign-on server; the program or app in the mobile terminal decrypts the user's account data with the user's key (e.g. the private key or the symmetric key), and the single sign-on server then operates on the decrypted account data (e.g. obtains the account name and password for the Web application system to be logged in to, or updates the user's account name and password for the Web application system).
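An added example, not the patent's own code, covering two of the optional mechanisms above: the encrypted random code that the Web application system includes in the request and the single sign-on server must decrypt and return with the credentials, and the repository entry encrypted under a key that only the user's mobile terminal holds. Both use one authenticated cipher built from the Python standard library (an HMAC-SHA256 keystream with encrypt-then-MAC) as a stand-in for a real AEAD such as AES-GCM; the keys, names, the single-use rule and the 60-second validity window for the code are assumptions of this example, not requirements stated in the description.

```python
"""Added example (not the patent's code) for two optional mechanisms: (a) the Web
application puts an encrypted random code in the request that guides the browser to
the SSO server, and the SSO server must decrypt it and hand it back with the
credentials; (b) repository entries encrypted under a key held only by the user's
mobile terminal, which decrypts them on demand. The cipher is a stdlib stand-in
(HMAC-SHA256 keystream, encrypt-then-MAC); a deployment would use AES-GCM or
another real AEAD. Keys, names and the 60 s validity window are assumptions."""
import hashlib
import hmac
import json
import os
import secrets
import time


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """nonce || ciphertext || tag, with the tag computed over nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext rejected: bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class WebApp:
    """Issues an encrypted random code and only accepts a login that returns it."""

    def __init__(self, app_sso_key):
        self.key = app_sso_key                     # symmetric key shared with the SSO server
        self.accounts = {"alice.w": "Crm-Pa55"}    # constructed sample account
        self.pending = {}                          # plaintext code -> issue time

    def issue_code(self):
        code = secrets.token_hex(16)
        self.pending[code] = time.monotonic()
        return seal(self.key, code.encode()).hex()  # travels in the request to the SSO server

    def login(self, form, ttl=60):
        issued = self.pending.pop(form.get("code", ""), None)   # single use (assumed hardening)
        if issued is None or time.monotonic() - issued > ttl:  # unknown, replayed or expired
            return False
        stored = self.accounts.get(form.get("username", ""), "")
        return bool(stored) and hmac.compare_digest(stored, form.get("password", ""))


class MobileTerminal:
    """Holds the user's key; the SSO server never sees the repository entry in plaintext form."""

    def __init__(self, user_key):
        self.key = user_key

    def encrypt_entry(self, name, password):
        return seal(self.key, json.dumps([name, password]).encode())

    def decrypt_entry(self, blob):
        return tuple(json.loads(unseal(self.key, blob)))


class SSOServer:
    def __init__(self, app_sso_key):
        self.key = app_sso_key

    def build_submission(self, encrypted_code_hex, name, password):
        code = unseal(self.key, bytes.fromhex(encrypted_code_hex)).decode()
        return {"code": code, "username": name, "password": password}


def run_demo():
    app_key, user_key = os.urandom(32), os.urandom(32)
    app, sso, phone = WebApp(app_key), SSOServer(app_key), MobileTerminal(user_key)
    stored_blob = phone.encrypt_entry("alice.w", "Crm-Pa55")    # what the repository holds
    name, password = phone.decrypt_entry(stored_blob)            # decrypted on the terminal
    form = sso.build_submission(app.issue_code(), name, password)
    first = app.login(form)
    replay = app.login(form)                                     # same code presented again
    try:
        phone.decrypt_entry(stored_blob[:-1] + bytes([stored_blob[-1] ^ 1]))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"first": first, "replay": replay, "entry": (name, password),
            "tamper_detected": tamper_detected}
```

The random code lets the Web application system confirm that the credentials arrived through the single sign-on server that holds the key, and ties the submission to a request the application itself issued; without single use and an expiry, the same sealed code could be presented again with the same credentials, which is why the example adds both. The repository entry is authenticated as well as encrypted, so a modified entry is rejected rather than decrypted to garbage and submitted.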
Compared with the existing single sign-on technology, the method of the invention has the following advantages:
(1) the Web application system keeps its original account name and password login mode and does not need to implement a dedicated single sign-on protocol component; only a small change to its login page is needed, and, if required, a small change to its account password update page (that change is optional);
(2) the single sign-on system does not need to actively acquire and store users' account names and passwords for the different Web application systems, nor is it responsible for keeping the account passwords it stores consistent (synchronized) with those stored in the Web application systems; at most it passively stores and updates users' account names and passwords for the different Web application systems, and it may not need to store them at all;
(3) the performance of the Web application system is not affected at all.
In an implementation of the invention in which the user's account names and passwords for the Web application systems are stored in the user's mobile terminal, the single sign-on system does not even need to store them, which is safer.
The cost of this simple implementation is that saving the user's account names and passwords for the different Web application systems into the application system account name and password repository requires manual intervention by the user, but this is a one-time and occasional task.
The single sign-on method above addresses the case in which the Web application system authenticates the user directly with the password. It can be extended to the case in which the Web application system does not authenticate with the password itself but with a hash value of the password, as follows: the application system account name and password repository stores, for the account the user uses to log in to the Web application system, either the password itself or the hash value of the password;
in the process of logging in the Web application system by the user, the difference between the single sign-on method obtained by the expansion and the original method is as follows (the method is divided into two cases according to the storage mode of the password):
if the repository stores the password of the user's account in the Web application system, then during login the single sign-on server obtains that password from the repository, computes its hash value, and submits the login authentication data formed by the user's account name and the password hash value to the Web application system through the browser in the submission mode for login authentication data agreed with the Web application system (for example, the account name and password hash value are carried in the redirected URL of a URL redirection, submitted as Form data by an automatic POST, or submitted by an asynchronous transfer such as Ajax);
if the repository stores the hash value of the password of the user's account in the Web application system, then during login the single sign-on server obtains that hash value from the repository and submits the login authentication data formed by the user's account name and the password hash value to the Web application system through the browser in the submission mode for login authentication data agreed with the Web application system.
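The two repository storage modes of the hash-based extension, as an added example that is not the patent's own code. Unsalted SHA-256 as the application's hash scheme, the field names and the sample account are assumptions; both modes must yield the same login authentication data, which the Web application system compares with the hash it stores.

```python
"""Added example (not the patent's code) for the hash-based extension: the Web
application authenticates with a password hash, and the repository may hold either
the password or its hash. Unsalted SHA-256 and the field names are assumptions."""
import hashlib
import hmac


def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()    # assumed hash scheme of the app


def build_login_data(name, kind, value):
    """kind is "password" (hash it now) or "hash" (already the login authentication data)."""
    if kind == "password":
        value = pw_hash(value)
    elif kind != "hash":
        raise ValueError(f"unknown repository entry kind: {kind}")
    return {"username": name, "password_hash": value}


class HashCheckingApp:
    def __init__(self):
        self.accounts = {"alice.w": pw_hash("Crm-Pa55")}     # constructed sample account

    def login(self, data):
        stored = self.accounts.get(data.get("username", ""), "")
        return bool(stored) and hmac.compare_digest(stored, data.get("password_hash", ""))
```

Because the application accepts the hash value itself as the login authentication data, that hash is password-equivalent: anyone who obtains it, from the repository, from the submission in transit or from the application's own account table, can log in with it, so it needs the same protection as the password. An application that salts and stretches passwords on the server side cannot accept such data unless the single sign-on server also knows the salt and the stretching parameters.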
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Fig. 2 is a schematic diagram of embodiment 1 of the present invention.
Fig. 3 is a schematic diagram of embodiment 2 of the present invention.
Fig. 4 is a schematic diagram of embodiment 3 of the present invention.
FIG. 5 is a diagram of example 4 of the present invention.
Fig. 6 is a schematic diagram of embodiment 5 of the present invention.
Fig. 7 is a schematic diagram of embodiment 6 of the present invention.
Detailed Description
The following describes a specific embodiment of the present invention with reference to examples. The following examples merely illustrate a few possible embodiments of the present invention, and are not intended to represent all possible embodiments, and are not intended to limit the scope of the present invention.
Fig. 1 is a flowchart of the method of the present invention, and the single sign-on method of the present invention mainly includes the following steps:
a user uses a browser to request access to a Web application system, or to controlled resources or functions of the Web application system, and needs to log in to the Web application system, or uses the browser to request, through a portal website, a Web application system that can be accessed only after logging in;
the Web application system or the portal website guides the user's browser to the single sign-on server through page code to request login to the Web application system; the login request the browser submits to the single sign-on server contains identification information of the Web application system to be logged in to;
the single sign-on server checks whether the user requesting to log in the Web application system completes identity authentication in the single sign-on server, if not, the user is subjected to identity authentication, and subsequent operation is performed after the identity authentication is completed; if the operation is finished, performing subsequent operation;
the single sign-on server obtains the account name and the password of the user in the Web application system from an application system account name and password repository according to the identification information of the Web application system to be logged in by the user;
the single sign-on server submits the account name and the password of the user in the Web application system to the Web application system through a browser according to the account name and the password submission mode appointed by the Web application system;
the single sign-on server is a system for assisting a user to log in a Web application system; the single sign-on server maintains own user account data for authenticating the identity of the user using the single sign-on server;
the application system account name and password repository is a data storage system used for storing account names and passwords of users in different Web application systems; the application system account name and password repository is a data storage system directly accessible by the single sign-on server or a data storage system in the user mobile terminal.
Embodiment 1
The application scenario of this embodiment is shown in fig. 2, which includes one or more Web application systems, a single sign-on server for assisting a user in logging on the Web application system, the single sign-on server maintaining an account database for authenticating the user, and an application system account name and password repository for storing account names and passwords of users on different Web application systems, the application system account name and password repository being a data storage system (e.g., database, file) directly accessible by the single sign-on server.
When a user requests to access a Web application system or access controlled resources or functions of the Web application system by using a browser and needs to log in the Web application system, the Web application system guides the user browser to a single sign-on server through page codes (such as URL redirection, automatic POST and asynchronous transmission mode such as Ajax) and requests to log in the Web application system; the request submitted to the single sign-on server by the browser to log on the Web application system contains identification information (such as name, domain name, identifier and the like of the Web application system) of the Web application system to be logged on by the user;
the single sign-on server checks whether the user requesting to log on the Web application system finishes identity authentication (or login) in the single sign-on server, if not, the user is subjected to identity authentication, and subsequent operation is carried out after the identity authentication is finished; if the operation is finished, performing subsequent operation;
the single sign-on server obtains the account name and password of the user in the Web application system from the application system account name and password repository according to the identification information of the Web application system (and the identity or account information of the user in the single sign-on server), and then submits the account name and password of the user in the Web application system to the Web application system through a browser according to the account name and password submission mode appointed by the Web application system (for example, the account name and password are contained in the redirected URL through URL redirection, or the account name and password are submitted to the Web application system in the Form of Form data through an automatic POST mode, or the account name and password are submitted to the Web application system through an asynchronous transmission mode such as Ajax).
Embodiment 2
The application scenario of this embodiment is shown in fig. 3, which includes one or more Web application systems, a single sign-on server for assisting a user to log on the Web application system, the single sign-on server maintaining an account database for authenticating the user, and a mobile terminal (e.g., a mobile phone, a tablet computer, or an intelligent wearable device) of the user having an application system account name and password repository for storing account names and passwords of the user on different Web application systems.
When a user requests to access a Web application system or access controlled resources or functions of the Web application system by using a browser and needs to log in the Web application system, the Web application system guides the user browser to a single sign-on server through page codes (such as URL redirection, automatic POST and asynchronous transmission mode such as Ajax) and requests to log in the Web application system; the request submitted to the single sign-on server by the browser to log on the Web application system contains identification information (such as name, domain name, identifier and the like of the Web application system) of the Web application system to be logged on by the user;
the single sign-on server checks whether the user requesting to log on the Web application system finishes identity authentication (or login) in the single sign-on server, if not, the user is subjected to identity authentication, and subsequent operation is carried out after the identity authentication is finished; if the operation is finished, performing subsequent operation;
the user uses the mobile terminal (a special auxiliary login program or app) to connect with the single sign-on server in advance or at the moment;
the single sign-on server obtains the account name and the password of the user in the Web application system from an application system account name and password repository in the mobile terminal according to the identification information of the Web application system to be logged in by the user, and then submits the account name and the password of the user in the Web application system to the Web application system in an account name and password submitting mode appointed by the Web application system through a browser (for example, the account name and the password are contained in a redirected URL through URL redirection, or the account name and the password are submitted to the Web application system in a Form of Form data through an automatic POST mode, or the account name and the password are submitted to the Web application system through an asynchronous transmission mode such as Ajax).
Embodiment 3,
The application scenario of this embodiment is shown in fig. 4. It includes one or more Web application systems, a portal website, a single sign-on server for assisting the user in logging on to the Web application systems, an account database for authenticating the user, and an application system account name and password repository for storing the user's account names and passwords on different Web application systems, where the application system account name and password repository is a data storage system (e.g., a database or file) directly accessible by the single sign-on server.
When a user, on the portal website, clicks to request access to a Web application system that can only be accessed after logging in, the portal website guides the user's browser to the single sign-on server through page code (for example, URL redirection, automatic POST, or an asynchronous transmission mode such as Ajax) to request login to the Web application system; the login request submitted to the single sign-on server by the browser contains identification information (such as the name, domain name or identifier of the Web application system) of the Web application system the user is to log in to;
the single sign-on server checks whether the user requesting to log in to the Web application system has completed identity authentication (login) in the single sign-on server; if not, the user is subjected to identity authentication and the subsequent operation is carried out after the identity authentication is completed; if so, the subsequent operation is carried out directly;
the single sign-on server obtains the account name and password of the user in the Web application system from the application system account name and password repository according to the identification information of the Web application system (and the identity or account information of the user in the single sign-on server), and then submits the account name and password of the user in the Web application system to the Web application system through the browser in the account name and password submission mode agreed by the Web application system (for example, the account name and password are included in the redirected URL through URL redirection, or are submitted to the Web application system as form data through an automatic POST, or are submitted to the Web application system through an asynchronous transmission mode such as Ajax).
Embodiment 4,
The application scenario of this embodiment is shown in fig. 5. It includes one or more Web application systems, a portal website, a single sign-on server for assisting the user in logging on to the Web application systems, an account database for authenticating the user, and an application system account name and password repository for storing the user's account names and passwords on different Web application systems.
When a user, on the portal website, clicks to request access to a Web application system that can only be accessed after logging in, the portal website guides the user's browser to the single sign-on server through page code (for example, URL redirection, automatic POST, or an asynchronous transmission mode such as Ajax) to request login to the Web application system; the login request submitted to the single sign-on server by the browser contains identification information (such as the name, domain name or identifier of the Web application system) of the Web application system the user is to log in to;
the single sign-on server checks whether the user requesting to log in to the Web application system has completed identity authentication (login) in the single sign-on server; if not, the user is subjected to identity authentication and the subsequent operation is carried out after the identity authentication is completed; if so, the subsequent operation is carried out directly;
the user connects the mobile terminal (through a dedicated auxiliary login program or app on it) to the single sign-on server, either in advance or at this point;
the single sign-on server obtains the account name and password of the user in the Web application system from the application system account name and password repository in the mobile terminal according to the identification information of the Web application system the user is to log in to, and then submits the account name and password of the user in the Web application system to the Web application system through the browser in the account name and password submission mode agreed by the Web application system (for example, the account name and password are included in the redirected URL through URL redirection, or are submitted to the Web application system as form data through an automatic POST, or are submitted to the Web application system through an asynchronous transmission mode such as Ajax).
Embodiment 5,
The application scenario of this embodiment is shown in fig. 6. It includes one or more Web application systems and a single sign-on server for assisting the user in logging on to the Web application systems; the single sign-on server also serves as a portal website through which the user can click to access the different Web application systems, maintains an account database for authenticating the user, and has an application system account name and password repository for storing the user's account names and passwords on different Web application systems, where the application system account name and password repository is a data storage system (e.g., a database or file) directly accessible by the single sign-on server.
When a user uses a browser to access the single sign-on server serving as a portal website and clicks to request access to a Web application system that requires login, the single sign-on server checks whether the user requesting to log in to the Web application system has completed identity authentication (login) in the single sign-on server; if not, the user is subjected to identity authentication and the subsequent operation is carried out after the identity authentication is completed; if so, the subsequent operation is carried out directly;
the single sign-on server obtains the account name and password of the user in the Web application system from the application system account name and password repository according to the identification information of the Web application system (and the identity or account information of the user in the single sign-on server), and then submits the account name and password of the user in the Web application system to the Web application system through the browser in the account name and password submission mode agreed by the Web application system (for example, the account name and password are included in the redirected URL through URL redirection, or are submitted to the Web application system as form data through an automatic POST, or are submitted to the Web application system through an asynchronous transmission mode such as Ajax).
Embodiment 6,
The application scenario of this embodiment is shown in fig. 7. It includes one or more Web application systems and a single sign-on server for assisting the user in logging on to the Web application systems; the single sign-on server also serves as a portal website through which the user can click to access the different Web application systems and maintains an account database for authenticating the user, and the mobile terminal of the user (e.g., a mobile phone, a tablet computer, or a smart wearable device) holds an application system account name and password repository for storing the user's account names and passwords on different Web application systems.
When a user uses a browser to access the single sign-on server serving as a portal website and clicks to request access to a Web application system that requires login, the single sign-on server checks whether the user requesting to log in to the Web application system has completed identity authentication (login) in the single sign-on server; if not, the user is subjected to identity authentication and the subsequent operation is carried out after the identity authentication is completed; if so, the subsequent operation is carried out directly;
the user connects the mobile terminal (through a dedicated auxiliary login program or app on it) to the single sign-on server, either in advance or at this point;
the single sign-on server obtains the account name and password of the user in the Web application system from the application system account name and password repository in the mobile terminal according to the identification information of the Web application system the user is to log in to, and then submits the account name and password of the user in the Web application system to the Web application system through the browser in the account name and password submission mode agreed by the Web application system (for example, the account name and password are included in the redirected URL through URL redirection, or are submitted to the Web application system as form data through an automatic POST, or are submitted to the Web application system through an asynchronous transmission mode such as Ajax).
Embodiment 7,
In this embodiment, the application system account name and password repository is a data storage system (e.g., a database or file) directly accessible to the single sign-on server, but the account data (including account names and passwords) of each user stored in it is encrypted with that user's key (a public key or a symmetric key). When, in the course of user login by the foregoing single sign-on method, the single sign-on server needs to operate on a user's account data (for example, to obtain the user's account name and password in the Web application system to be logged in to, or to update the user's account name and password in a Web application system), the user connects the mobile terminal (through a dedicated program or app on it) to the single sign-on server; the program or app in the mobile terminal decrypts the user's account data with the user key (for example, the private key or the symmetric key), and the single sign-on server then operates on the decrypted account data (for example, obtains the user's account name and password in the Web application system to be logged in to, or updates the user's account name and password in the Web application system). Here, the mobile terminal may return all of the decrypted account data to the single sign-on server for its use, or may return only the part of the decrypted account data that the single sign-on server requires; if the single sign-on server's operation on the account data is an update, the mobile terminal encrypts the updated account data and returns it to the single sign-on server for storage.
Embodiment 7 can be implemented on the basis of embodiments 2, 4 and 6.
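As an added illustration of this embodiment (example code written for this page, not the patent's own implementation), the following Python models the split it describes: the single sign-on server holds only an encrypted blob of the user's account data, the mobile terminal's app holds the key, decrypts on request, hands back only the fields the server asked for, and re-encrypts after an update. The cipher is a stdlib-only stand-in for an authenticated cipher such as AES-GCM (an HMAC-SHA256 keystream with an encrypt-then-MAC tag); the class and function names, the JSON vault layout and the sample account are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Added example (not the patent's code): client-side-encrypted credential repository.
# Stand-in cipher (assumption): HMAC-SHA256 keystream XORed over the plaintext,
# plus an encrypt-then-MAC tag. A deployment would use AES-GCM from a vetted library.

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    # Separate keys for confidentiality and integrity, both derived from the user key.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt and authenticate: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag first, then decrypt; any modification of the blob is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("account data failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class MobileTerminal:
    """The user's auxiliary login app: the only party that holds the user key."""

    def __init__(self, user_key):
        self._key = user_key

    def reveal(self, blob, app_id, fields):
        vault = json.loads(unseal(self._key, blob))
        entry = vault.get(app_id)
        if entry is None:
            return None
        # Least disclosure: return only the fields the server needs for this operation.
        return {f: entry[f] for f in fields if f in entry}

    def reencrypt_with_update(self, blob, app_id, new_entry):
        vault = json.loads(unseal(self._key, blob))
        vault[app_id] = new_entry
        return seal(self._key, json.dumps(vault).encode())


class SsoServer:
    """Stores one opaque blob per user and never sees the key or the full vault."""

    def __init__(self):
        self._blobs = {}

    def store_blob(self, user, blob):
        self._blobs[user] = blob

    def credentials_for(self, user, terminal, app_id):
        return terminal.reveal(self._blobs[user], app_id, ("account", "password"))

    def update_credentials(self, user, terminal, app_id, account, password):
        self._blobs[user] = terminal.reencrypt_with_update(
            self._blobs[user], app_id, {"account": account, "password": password})


def demo():
    """Constructed sample run: enrol, fetch, update, fetch again, and detect tampering."""
    key = secrets.token_bytes(32)
    terminal = MobileTerminal(key)
    server = SsoServer()
    vault = {"crm.example.test": {"account": "alice.w", "password": "Correct-Horse-7", "note": "work"}}
    server.store_blob("alice", seal(key, json.dumps(vault).encode()))
    first = server.credentials_for("alice", terminal, "crm.example.test")
    server.update_credentials("alice", terminal, "crm.example.test", "alice.w", "New-Pass-8")
    second = server.credentials_for("alice", terminal, "crm.example.test")
    tampered = bytearray(server._blobs["alice"])
    tampered[NONCE_LEN] ^= 0x01          # flip one ciphertext bit
    try:
        unseal(key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"first": first, "second": second, "tamper_detected": tamper_detected}
```

The "note" field in the sample vault never reaches the server: `reveal` filters to the requested fields, which is the "return only the data required" option of the embodiment.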
Embodiment 8,
This embodiment can be implemented on the basis of any of Embodiments 1 to 7, and differs from them as follows:
when a user logs in to a Web application system, the Web application system does not authenticate the user with the password itself but with a hash value of the password; in this case the application system account name and password repository stores, for the account with which the user logs in to the Web application system, the account name together with either the password or the hash value of the password;
if the application system account name and password repository stores the password corresponding to the user's account in the Web application system, then during the user's login to the Web application system the single sign-on server obtains that password from the repository, generates its hash value, and submits login authentication data formed from the user's account name in the Web application system and the password hash value to the Web application system through the browser in the login authentication data submission mode agreed by the Web application system (for example, the login authentication data is included in the redirected URL through URL redirection, or is submitted to the Web application system as form data through an automatic POST, or is submitted to the Web application system through an asynchronous transmission mode such as Ajax);
if the application system account name and password repository stores the hash value of the password corresponding to the user's account in the Web application system, then during the user's login to the Web application system the single sign-on server obtains that hash value from the repository and submits login authentication data formed from the user's account name in the Web application system and the password hash value to the Web application system through the browser in the login authentication data submission mode agreed by the Web application system.
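The login flow shared by Embodiments 1 to 6 and the hash variant of Embodiment 8, as an added Python example that is not the patent's own code: the single sign-on server checks the session, looks up the repository entry for the requested Web application system, shapes it into password or password-hash login data, and renders the submission in whichever of the three agreed modes the application uses. The registry and repository layout, app identifiers, accounts and secrets are constructed sample data, and SHA-256 stands in for whatever hash the application actually agreed on.

```python
import hashlib
import html
import json
from urllib.parse import urlencode, urlsplit, urlunsplit

# Added example, not the patent's code. All ids, URLs, accounts and secrets are constructed.

# What the SSO server knows about each Web application system (assumed layout):
# login endpoint, agreed submission mode, and whether it authenticates with the
# password itself or with a password hash (Embodiment 8).
APP_REGISTRY = {
    "crm.example.test":  {"login_url": "https://crm.example.test/login",      "mode": "auto_post", "auth": "password"},
    "wiki.example.test": {"login_url": "https://wiki.example.test/do_login",  "mode": "redirect",  "auth": "password_hash"},
    "mail.example.test": {"login_url": "https://mail.example.test/api/login", "mode": "ajax",      "auth": "password"},
}


def password_hash(password):
    # Assumption: the hash the Web application system agreed on is plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


# Application system account name and password repository, keyed by SSO user then
# app id. "kind" records whether the stored secret is the password or its hash.
REPOSITORY = {
    "alice": {
        "crm.example.test":  {"account": "alice.w", "secret": "Correct-Horse-7", "kind": "password"},
        "wiki.example.test": {"account": "awang", "secret": password_hash("battery-staple"), "kind": "hash"},
        "mail.example.test": {"account": "alice@example.test", "secret": "s3cret", "kind": "password"},
    }
}


class NotAuthenticated(Exception):
    """The user must first complete identity authentication at the SSO server."""


class NoStoredCredentials(Exception):
    """Nothing usable in the repository; the server would now prompt the user (claim 6)."""


def build_login_data(entry, app):
    """Shape the stored credential into what this application authenticates with."""
    if app["auth"] == "password":
        if entry["kind"] != "password":
            raise NoStoredCredentials("application needs the password but only a hash is stored")
        return {"username": entry["account"], "password": entry["secret"]}
    # Hash-based login: reuse the stored hash, or hash the stored password now.
    digest = entry["secret"] if entry["kind"] == "hash" else password_hash(entry["secret"])
    return {"username": entry["account"], "password_hash": digest}


def render_submission(app, data):
    """Produce what the browser is sent, in the application's agreed submission mode."""
    mode = app["mode"]
    if mode == "redirect":
        # Values in a URL land in proxy and server logs and in Referer headers,
        # so of the three modes the patent lists this one exposes the most.
        parts = urlsplit(app["login_url"])
        return {"type": "redirect", "location": urlunsplit(parts._replace(query=urlencode(data)))}
    if mode == "auto_post":
        # Escape every value so a stored credential cannot break out of the form markup.
        inputs = "".join(
            '<input type="hidden" name="%s" value="%s">' % (html.escape(k, quote=True), html.escape(v, quote=True))
            for k, v in data.items())
        page = ('<form id="sso" method="POST" action="%s">%s</form>'
                '<script>document.getElementById("sso").submit();</script>'
                % (html.escape(app["login_url"], quote=True), inputs))
        return {"type": "auto_post", "html": page}
    if mode == "ajax":
        return {"type": "ajax", "url": app["login_url"], "body": json.dumps(data)}
    raise ValueError("unknown submission mode: %s" % mode)


def handle_login_request(session, app_id):
    """SSO server entry point for a browser arriving with a Web application system id."""
    if not session.get("authenticated"):
        raise NotAuthenticated("identity authentication at the SSO server comes first")
    app = APP_REGISTRY.get(app_id)
    if app is None:
        raise ValueError("unknown Web application system: %s" % app_id)
    entry = REPOSITORY.get(session["user"], {}).get(app_id)
    if entry is None:
        raise NoStoredCredentials(app_id)
    return render_submission(app, build_login_data(entry, app))


def login_outcome(session, app_id):
    """Return the submission type, or the name of the refusal that was raised."""
    try:
        return handle_login_request(session, app_id)["type"]
    except (NotAuthenticated, NoStoredCredentials, ValueError) as exc:
        return type(exc).__name__
```

Calling `handle_login_request({"user": "alice", "authenticated": True}, "wiki.example.test")` yields the redirect form of the hash-based login, while the same call for `crm.example.test` yields the auto-POST page; an unauthenticated session or an unknown application is refused before any repository lookup happens.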
Based on the method of the invention, a corresponding single sign-on system can be constructed. The system comprises a single sign-on server and an application system account name and password repository; specifically:
single sign-on server: a system for assisting a user in logging on to Web application systems; the single sign-on server maintains its own user account database, which is used for identity authentication of the users of the single sign-on server;
application system account name and password repository: a data storage system for storing the account names and passwords of users in different Web application systems; it is either a data storage system (such as a database or file) directly accessible by the single sign-on server, or a data storage system (such as a small database or file) in the user's mobile terminal;
when a user uses a browser to access a Web application system, or requests access to controlled resources or functions of the Web application system, and needs to log in to the Web application system, or uses the browser to request, through a portal website, access to a Web application system that can only be accessed after logging in, the single sign-on system assists the user in completing the login to the Web application system according to the single sign-on method;
when a user uses a browser to update the password of an account in a Web application system, the single sign-on system assists the user in completing the password update in the Web application system according to the password updating method.
Other specific technical implementations not described are well known to those skilled in the relevant art and will be apparent to those skilled in the relevant art.
Claims (13)
1. A single sign-on method is characterized in that:
when a user uses a browser to request access to a Web application system, or to request access to controlled resources or functions of the Web application system, and needs to log in to the Web application system, or uses the browser to request, through a portal website, access to a Web application system that can only be accessed after logging in, the Web application system or the portal website guides the user's browser to a single sign-on server through page code to request login to the Web application system; the login request submitted to the single sign-on server by the browser comprises identification information of the Web application system the user is to log in to;
the single sign-on server checks whether the user requesting to log in to the Web application system has completed identity authentication in the single sign-on server; if not, the user is subjected to identity authentication and the subsequent operation is performed after the identity authentication is completed; if so, the subsequent operation is performed directly;
the single sign-on server acquires the account name and password of the user in the Web application system from an application system account name and password repository according to the identification information of the Web application system the user is to log in to, and then submits the account name and password of the user in the Web application system to the Web application system through the browser in the account name and password submission mode agreed by the Web application system;
the single sign-on server is a system for assisting a user in logging in to a Web application system; the single sign-on server maintains its own user account data for authenticating the identity of the users using the single sign-on server;
the application system account name and password repository is a data storage system for storing the account names and passwords of users in different Web application systems; it is either a data storage system directly accessible by the single sign-on server or a data storage system in the user's mobile terminal; in the case where the application system account name and password repository is a data storage system directly accessible by the single sign-on server, the Web application system deploys no single sign-on protocol component and still performs login processing in its original account name and password login mode, and the user achieves single sign-on simply by using a browser to access the Web application system in the original way.
2. The single sign-on method of claim 1, wherein:
if the user account name and password submitted to the Web application system by the single sign-on server through the browser are incorrect, then:
the Web application system reports error information to the single sign-on server through the browser;
after receiving the error information, the single sign-on server requires a user to submit an account name and a password for logging in the Web application system through a browser;
after the user submits an account name and password for logging in to the Web application system through the browser, the single sign-on server updates the account name and password of the user in the application system account name and password repository with the account name and password submitted by the user, and submits the account name and password submitted by the user to the Web application system through the browser in the account name and password submission mode agreed by the Web application system.
3. The single sign-on method of claim 2, wherein the updating of the account name and password covers the following cases:
case 1: the account name of the user in the Web application system stored in the application system account name and password repository is the same as the account name submitted by the user through the browser; the single sign-on server replaces the original password stored in the application system account name and password repository with the password submitted by the user through the browser;
case 2: the account name of the user in the Web application system stored in the application system account name and password repository differs from the account name submitted by the user through the browser; the single sign-on server deletes the account name and password of the user in the Web application system stored in the application system account name and password repository and stores the account name and password submitted by the user through the browser in the application system account name and password repository.
4. The single sign-on method of claim 1, wherein:
if the login request for the Web application system that the browser, after being guided to the single sign-on server by the Web application system, submits to the single sign-on server contains a random code encrypted by the Web application system, the single sign-on server decrypts it to obtain the random code and submits the decrypted random code to the Web application system through the browser in the mode agreed by the Web application system.
5. The single sign-on method of claim 1, wherein:
if the account name and the password of the user in the Web application system are stored in the user mobile terminal, the user uses the mobile terminal to connect with the single sign-on server, and the single sign-on server obtains the account name and the password of the user logging in the Web application system from the user mobile terminal.
6. The single sign-on method of claim 1, wherein:
when the user's browser is guided to the single sign-on server by a Web application system or a portal website to request login to the Web application system, if the single sign-on server cannot obtain the account name and password of the user in the Web application system from the application system account name and password repository, the single sign-on server requires the user to submit the account name and password of the user in the Web application system through the browser; after the user submits them, the single sign-on server, on the one hand, stores the account name and password submitted by the user in the application system account name and password repository and, on the other hand, submits the account name and password submitted by the user to the Web application system through the browser in the account name and password submission mode agreed by the Web application system.
7. The single sign-on method of claim 1, wherein:
if the single sign-on server is also used as a portal website, then:
when a user uses a browser to access the single sign-on server that also serves as a portal website and clicks to request access to a Web application system that can only be accessed after logging in, the single sign-on server checks whether the user requesting to log in to the Web application system has completed identity authentication in the single sign-on server; if not, the user is subjected to identity authentication and the subsequent operation is carried out after the identity authentication is completed; if so, the subsequent operation is carried out directly;
the single sign-on server obtains the account name and password of the user in the Web application system from the application system account name and password repository according to the identification information of the Web application system the user is to log in to, and then submits the account name and password of the user in the Web application system to the Web application system through the browser in the account name and password submission mode agreed by the Web application system.
8. The single sign-on method of claim 1, wherein:
if the application system account name and password repository is a data storage system directly accessible by the single sign-on server but the account data of each user stored in it is encrypted with that user's key, then when the single sign-on server needs to operate on the account data of a user, the user connects the mobile terminal to the single sign-on server, the program or app in the mobile terminal decrypts the user's account data with the user key, and the single sign-on server then operates on the decrypted account data of the user.
9. A password updating method for the single sign-on method of claim 1, wherein:
when a user uses a browser to update the password of an account in a Web application system, the Web application system guides the browser of the user to a single sign-on server through a page code to request for updating the password of the account of the user in the Web application system; the password updating request submitted to the single sign-on server by the browser contains identification information of a Web application system of which the password is to be updated by a user;
the single sign-on server checks whether the user requesting to update the password has completed identity authentication in the single sign-on server; if not, the user is subjected to identity authentication and the subsequent operation is performed after the identity authentication is completed; if so, the subsequent operation is performed directly;
the single sign-on server determines the Web application system where the account of the password to be updated is located according to the identification information of the Web application system of the password to be updated;
the single sign-on server requires a user to submit an updated password through a browser;
after receiving the updated password submitted by the user, the single sign-on server, on the one hand, updates the password of the user's account in the Web application system stored in the application system account name and password repository with the updated password submitted by the user and, on the other hand, submits the updated password submitted by the user to the Web application system through the browser in the updated-password submission mode agreed by the Web application system.
10. The password updating method as claimed in claim 9, wherein:
if the account name and password of the user in the Web application system are stored in the user's mobile terminal, the user connects the mobile terminal to the single sign-on server during the update of the password of the user's account in the Web application system, and the single sign-on server updates the password of the user's account in the Web application system stored in the user's mobile terminal with the updated password submitted by the user.
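The repository bookkeeping of claims 2, 3, 6 and 9, as an added Python example that is not the patent's own code: a simulated Web application system answers login attempts with success or an error, and the repository stores a first-time submission (claim 6), applies the two update cases of claim 3 after an error report (claim 2), and carries a user-initiated password change through to the application (claim 9). The class and function names, the `ask_user` callback standing in for the browser prompt, and the sample accounts are assumptions.

```python
# Added example, not the patent's code. The simulated application, its accounts
# and every name below are constructed for illustration.


class WebApplicationSystem:
    """Stand-in for a Web application system with its own account table.
    login() returning False models the error report of claim 2."""

    def __init__(self, app_id, accounts):
        self.app_id = app_id
        self._accounts = dict(accounts)          # account name -> password (constructed)

    def login(self, account, password):
        return self._accounts.get(account) == password

    def change_password(self, account, new_password):
        if account not in self._accounts:
            return False
        self._accounts[account] = new_password
        return True


class CredentialRepository:
    """Application system account name and password repository keyed by (SSO user, app id).
    It holds passwords in the clear because the patent's flow replays them, which is
    exactly why such a store needs the protection of Embodiment 7 or equivalent."""

    def __init__(self):
        self._store = {}

    def lookup(self, user, app_id):
        return self._store.get((user, app_id))

    def save_user_submitted(self, user, app_id, account, password):
        """Claims 3 and 6: reconcile what the user typed with what is stored."""
        current = self._store.get((user, app_id))
        if current is None:
            self._store[(user, app_id)] = {"account": account, "password": password}
            return "stored_new"                          # claim 6: nothing was stored yet
        if current["account"] == account:
            current["password"] = password               # case 1: same account, new password
            return "password_replaced"
        del self._store[(user, app_id)]                  # case 2: different account name
        self._store[(user, app_id)] = {"account": account, "password": password}
        return "record_replaced"

    def update_password(self, user, app_id, new_password):
        """Claim 9: the user chose a new password; keep the repository in step."""
        current = self._store[(user, app_id)]
        current["password"] = new_password
        return dict(current)


def sso_login(repo, app, user, ask_user):
    """Claims 1, 2 and 6 end to end. ask_user() stands in for the single sign-on
    server prompting through the browser and returns (account, password)."""
    entry = repo.lookup(user, app.app_id)
    if entry is not None and app.login(entry["account"], entry["password"]):
        return {"result": "logged_in", "repo_action": "none"}
    # Nothing stored (claim 6) or the application reported an error (claim 2).
    account, password = ask_user()
    action = repo.save_user_submitted(user, app.app_id, account, password)
    ok = app.login(account, password)
    return {"result": "logged_in" if ok else "failed", "repo_action": action}


def sso_update_password(repo, app, user, new_password):
    """Claim 9: update the repository, then submit the new password to the application."""
    entry = repo.update_password(user, app.app_id, new_password)
    return app.change_password(entry["account"], new_password)


def demo():
    """Constructed run through claim 6, a normal login, claim 9, and both cases of claim 3."""
    app = WebApplicationSystem("crm.example.test", {"alice.w": "Correct-Horse-7"})
    repo = CredentialRepository()
    out = {}
    out["first_visit"] = sso_login(repo, app, "alice", lambda: ("alice.w", "Correct-Horse-7"))
    out["stored_ok"] = sso_login(repo, app, "alice", lambda: ("", ""))
    out["pw_change"] = sso_update_password(repo, app, "alice", "Chosen-8")
    out["after_change"] = sso_login(repo, app, "alice", lambda: ("", ""))
    app.change_password("alice.w", "Rotated-9")          # rotated outside the SSO flow
    out["case1"] = sso_login(repo, app, "alice", lambda: ("alice.w", "Rotated-9"))
    app.change_password("alice.w", "Rotated-10")
    out["case2"] = sso_login(repo, app, "alice", lambda: ("a.wang", "guess"))
    out["case2_account"] = repo.lookup("alice", "crm.example.test")["account"]
    return out
```

Case 2 in the demo shows a consequence worth noting: the repository is overwritten with whatever the user typed, so a wrong submission replaces a previously correct record. The claim's procedure does not condition the store on a successful login, and a deployment would want that check.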
11. A single sign-on method extended from the method of claim 1, characterized by:
when a user logs in the Web application system, the Web application system does not directly adopt a password to carry out login authentication on the user but adopts a password hash value to carry out login authentication on the user;
the application system account name and password repository stores either the password corresponding to the account with which the user logs in to the Web application system or the hash value of that password;
during the user's login to the Web application system, the extended single sign-on method differs from the original method as follows:
if the application system account name and password repository stores the password corresponding to the user's account for logging in to the Web application system, then during the user's login the single sign-on server obtains that password from the repository, generates its hash value, and submits login authentication data formed from the user's account name in the Web application system and the password hash value to the Web application system through the browser in the login authentication data submission mode agreed by the Web application system;
if the hash value of the password corresponding to the account of the user logging in the Web application system is stored in the account name and password repository of the application system, the single sign-on server obtains the hash value of the password of the account of the user in the Web application system from the account name and password repository of the application system in the process of logging in the Web application system by the user, and then the single sign-on server submits login authentication data formed by the account name and the password hash value of the user in the Web application system to the Web application system through a browser according to a login authentication data submission mode appointed by the Web application system.
12. A single sign-on system according to any one of claims 1 to 8 and 11, wherein: the single sign-on system comprises a single sign-on server and an application system account name and password repository, wherein:
single sign-on server: a system for assisting a user in logging on to a Web application system; the single sign-on server maintains a user account database of the single sign-on server and is used for carrying out identity authentication on a user using the single sign-on server;
application system account name and password repository: the data storage system is used for storing account names and passwords of users in different Web application systems; the application system account name and password repository is a data storage system which can be directly accessed by the single sign-on server or a data storage system in the user mobile terminal;
when a user uses a browser to access a Web application system, or requests access to controlled resources or functions of the Web application system, and needs to log in to the Web application system, or uses the browser to request, through a portal website, access to a Web application system that can only be accessed after logging in, the single sign-on system assists the user in completing the login to the Web application system according to the single sign-on method.
13. A single sign-on system according to claim 9 or 10, wherein the single sign-on system comprises a single sign-on server and an application system account name and password repository, wherein:
single sign-on server: a system that assists a user in logging in to a Web application system; the single sign-on server maintains its own user account database and uses it to authenticate the identity of users of the single sign-on server;
application system account name and password repository: a data storage system that stores the account names and passwords a user holds in different Web application systems; it is either a data storage system that the single sign-on server can access directly or a data storage system in the user's mobile terminal;
when a user, using a browser, accesses a Web application system, or requests access to a controlled resource or function of the Web application system and must therefore log in to it, or requests access through a portal website to a Web application system that can be reached by logging in there, the single sign-on system assists the user in completing the login to the Web application system according to the single sign-on method;
when a user uses a browser to update the password of their account in a Web application system, the single sign-on system assists the user in completing the password update in that Web application system according to the password update method.
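The following is an added, self-contained model of the system described in claims 11 to 13; it is example code written for this page, not code from the patent or its assignee. It simulates all parties in memory: an SSO server with its own user account database, an application account name and password repository, and two Web application systems, one whose login form takes the password and one that takes the password hash (the claim 11 case). Everything below is an assumption: the SSO server hashes its own users' passwords with scrypt, the Web applications hash with SHA-256, each application publishes its "submission mode" as a dict of form-field names, and the browser hop is represented by calling the application's form handler directly.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()   # app-side password hash (assumed: SHA-256)

def scrypt_kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)   # SSO user DB (assumed)

@dataclass
class WebApp:
    name: str
    submission_mode: dict   # field names the app publishes for its login / password-change forms
    accepts_hash: bool      # True: the login form carries H(password) instead of the password
    accounts: dict = field(default_factory=dict)   # account name -> sha256(password)

    def _matches(self, account: str, submitted: str) -> bool:
        stored = self.accounts.get(account)
        candidate = submitted if self.accepts_hash else sha256_hex(submitted)
        return stored is not None and hmac.compare_digest(stored.encode(), candidate.encode())

    def login(self, form: dict) -> bool:
        m = self.submission_mode
        return self._matches(form.get(m["user_field"], ""), form.get(m["secret_field"], ""))

    def change_password(self, form: dict) -> bool:
        if not self.login(form):          # the old credential must still verify
            return False
        m = self.submission_mode
        new = form.get(m["new_secret_field"], "")
        self.accounts[form[m["user_field"]]] = new if self.accepts_hash else sha256_hex(new)
        return True

@dataclass
class SSOServer:
    users: dict = field(default_factory=dict)       # SSO user -> (salt, scrypt hash)
    repository: dict = field(default_factory=dict)  # (SSO user, app name) -> (account, secret)
    sessions: dict = field(default_factory=dict)    # session token -> SSO user

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, scrypt_kdf(password, salt))

    def authenticate(self, user: str, password: str):
        """Identity authentication against the SSO server's own user account database."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec[1], scrypt_kdf(password, rec[0])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def store_credential(self, token: str, app: WebApp, account: str, password: str) -> None:
        # For a hash-accepting app the repository holds H(password). That hash is a
        # password-equivalent: whoever reads it can log in, so it needs the same protection.
        secret = sha256_hex(password) if app.accepts_hash else password
        self.repository[(self.sessions[token], app.name)] = (account, secret)

    def assist_login(self, token: str, app: WebApp) -> bool:
        user = self.sessions.get(token)
        if user is None:
            return False
        account, secret = self.repository[(user, app.name)]
        m = app.submission_mode   # build the form exactly as the app specifies it
        return app.login({m["user_field"]: account, m["secret_field"]: secret})

    def assist_password_update(self, token: str, app: WebApp, new_password: str) -> bool:
        user = self.sessions.get(token)
        if user is None:
            return False
        account, secret = self.repository[(user, app.name)]
        new_secret = sha256_hex(new_password) if app.accepts_hash else new_password
        m = app.submission_mode
        form = {m["user_field"]: account, m["secret_field"]: secret, m["new_secret_field"]: new_secret}
        if not app.change_password(form):
            return False
        self.repository[(user, app.name)] = (account, new_secret)   # keep the repository in sync
        return True

def demo() -> dict:
    crm = WebApp("crm", {"user_field": "uid", "secret_field": "pwd", "new_secret_field": "npwd"}, False)
    wiki = WebApp("wiki", {"user_field": "login", "secret_field": "digest", "new_secret_field": "ndigest"}, True)
    crm.accounts["alice.c"] = sha256_hex("crm-pass-1")      # constructed sample accounts
    wiki.accounts["alice"] = sha256_hex("wiki-pass-1")
    sso = SSOServer()
    sso.add_user("alice", "sso-master-pass")
    token = sso.authenticate("alice", "sso-master-pass")
    sso.store_credential(token, crm, "alice.c", "crm-pass-1")
    sso.store_credential(token, wiki, "alice", "wiki-pass-1")
    return {
        "crm_login": sso.assist_login(token, crm),
        "wiki_login_with_hash": sso.assist_login(token, wiki),
        "wiki_password_update": sso.assist_password_update(token, wiki, "wiki-pass-2"),
        "wiki_relogin_after_update": sso.assist_login(token, wiki),
        "old_wiki_hash_rejected": not wiki.login({"login": "alice", "digest": sha256_hex("wiki-pass-1")}),
        "forged_token_rejected": not sso.assist_login("forged", crm),
    }
```

Running `demo()` exercises the whole claimed flow: SSO-side authentication, a plaintext-password login to `crm`, a hash login to `wiki`, and a password update that the SSO server mirrors into the repository so the next assisted login still succeeds. The comment in `store_credential` is the caveat a reviewer would raise against claim 11: an application that accepts the stored hash directly turns that hash into a login credential, so the repository (whether on the SSO server or on the user's mobile terminal) must be protected exactly as if it held the password itself.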
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810183584.9A CN108462706B (en) | 2018-03-06 | 2018-03-06 | Single sign-on method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810183584.9A CN108462706B (en) | 2018-03-06 | 2018-03-06 | Single sign-on method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108462706A (en) | 2018-08-28 |
CN108462706B (en) | 2022-05-03 |
Family ID: 63217436
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810183584.9A Active CN108462706B (en) | 2018-03-06 | 2018-03-06 | Single sign-on method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108462706B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102624737A (en) * | 2012-03-27 | 2012-08-01 | 武汉理工大学 | Single sign-on integrated method for Form identity authentication in single login system |
CN103795731A (en) * | 2014-02-26 | 2014-05-14 | 北京京东尚科信息技术有限公司 | User account login method |
CN105281902A (en) * | 2015-12-03 | 2016-01-27 | 武汉理工大学 | Web system safety login method based on mobile terminal |
CN106888225A (en) * | 2017-04-28 | 2017-06-23 | 努比亚技术有限公司 | A kind of control method of single-sign-on application, mobile terminal and computer-readable medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104580074B (en) * | 2013-10-14 | 2018-08-24 | 阿里巴巴集团控股有限公司 | The login method of client application and its corresponding server |
CN104767621B (en) * | 2015-04-16 | 2018-04-10 | 深圳市高星文网络科技有限公司 | A kind of Mobile solution accesses the one-point safety authentication method of business data |
US10171447B2 (en) * | 2015-06-15 | 2019-01-01 | Airwatch Llc | Single sign-on for unmanaged mobile devices |
CN105978994B (en) * | 2016-06-22 | 2019-01-18 | 武汉理工大学 | A kind of login method of web oriented system |
Timeline
- 2018-03-06: CN application CN201810183584.9A filed; granted as CN108462706B (en), status Active
Also Published As
Publication number | Publication date |
---|---|
CN108462706A (en) | 2018-08-28 |
Similar Documents
Publication | Title |
---|---|
US11924214B2 (en) | Systems and methods for accessing cloud resources from a local development environment |
US20240333701A1 (en) | Secure authentication for accessing remote resources |
US10887313B2 (en) | Systems and methods for controlling sign-on to web applications |
US9787664B1 (en) | Methods, systems and articles of manufacture for implementing user access to remote resources |
US9935934B1 (en) | Token management |
US8196193B2 (en) | Method for retrofitting password enabled computer software with a redirection user authentication method |
US8898764B2 (en) | Authenticating user through web extension using token based authentication scheme |
CN103347002B (en) | Social login method, system and device |
EP3210107B1 (en) | Method and apparatus for facilitating the login of an account |
US20100077467A1 (en) | Authentication service for seamless application operation |
US9923990B2 (en) | User information widgets and methods for updating and retrieving user information |
CN104378376A (en) | SOA-based single-point login method, authentication server and browser |
CN105577835B (en) | Cross-platform single sign-on system based on cloud computing |
US9137094B1 (en) | Method for setting DNS records |
EP3488589B1 (en) | Login proxy for third-party applications |
US11153293B1 (en) | Identity information linking |
CN111770072B (en) | Method and device for accessing function page through single sign-on |
US10475018B1 (en) | Updating account data for multiple account providers |
CN109150862B (en) | Method and server for realizing token roaming |
CN108462706B (en) | Single sign-on method and system |
KR101636986B1 (en) | An integrated interface user authentication method |
US11106778B2 (en) | Toggle between accounts |
Choukse et al. | Implementing new-age authentication techniques using OpenID for security automation |
CN115664791A (en) | Associated application authentication access method based on dynamic certificate and application thereof |
Lakshmiraghavan | OAuth 2.0 using Live Connect API |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
TR01 | Transfer of patent right | Effective date of registration: 2022-11-23. Patentee after: Shenzhen Tianwei Chengxin Technology Co., Ltd., 518000 Room 201, Building A, 1 Front Bay Road, Shenzhen Qianhai Cooperation Zone, Shenzhen, Guangdong. Patentee before: Wuhan University of Technology, 430070 No. 122 Luoshi Road, Hongshan District, Wuhan, Hubei Province |