CN109450890B - Single sign-on method and device - Google Patents

Info

Publication number: CN109450890B
Authority: CN (China)
Prior art keywords: login, single sign, configuration, access application, cookie
Legal status: Active
Application number: CN201811301183.5A
Other languages: Chinese (zh)
Other versions: CN109450890A
Inventor: 曾胜鑫
Current Assignee: Jingdong Technology Holding Co Ltd
Original Assignee: Jingdong Technology Holding Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Abstract

The invention discloses a single sign-on method and a single sign-on device, and relates to the technical field of computers. One embodiment of the method comprises: acquiring the request configuration of an access application; processing the request configuration according to the group in which the access application is located to obtain a group configuration; and determining the success or failure of single sign-on based on the group configuration. This implementation can isolate the login state of access applications in different groups and support multiple data sources, thereby realizing single-point logout and single online, and it simplifies the configuration work of the access application.

Description

Single sign-on method and device
Technical Field
The invention relates to the technical field of computers, in particular to a single sign-on method and a single sign-on device.
Background
Single Sign On (SSO) is one of the currently popular solutions for enterprise business integration. SSO means that, across multiple applications, a user only needs to log in once to access all mutually trusted applications.
At present, single sign-on is implemented as follows: the browser requests the logged-in domain; the logged-in domain verifies that the login is valid and redirects a token to the not-yet-logged-in domain; that domain verifies that the token is valid and responds with cookie information, which is written into the browser. Existing single sign-on modes are mainly of the following two types:
In the first mode, the login token is redirected to the not-yet-logged-in domain, which then writes the cookie directly. Take two websites with the same user login information (website A and website B) as an example. When the user has logged in to website A and then visits website B, the front end of website B judges that the user is not logged in and initiates a request (a dynamic redirection link) that redirects the user to the login domain of website A. Because the user is logged in to website A, accessing the redirection link transmits the user's current login cookie to the server; the server judges that the login is valid, generates a login token and redirects to the login domain of website B; the server of website B verifies that the token is valid and writes the cookie for website B, completing the login.
In the second mode, the user accesses the master site, and after login completes, cookies are written for the other domains through JSONP requests so as to complete the cross-domain login of those domains. Take a master website (website D) with several sub-websites (D1, D2, …, Dn) as an example. After the user successfully logs in to website D, a cookie is written and a JSONP request is initiated that returns a list of domains for which cookies are to be written across domains. Because the user is logged in to website D, the requests to D1, D2, …, Dn carry the login information of website D in the corresponding cookie; the server authenticates the logged-in state, redirects the client to the login domains of D1, D2, …, Dn, verifies that a specific parameter (similar to a token) is valid, and instructs the browser through a response header to write the cookie. This indirectly achieves the effect that the domain of website D writes login cookies into websites D1, D2, …, Dn.
A cookie is a browser-server data interaction technology: it is stored in the browser and is commonly used to verify login credentials. JSONP is a technology that realizes cross-domain cookie reading and writing and data transmission by introducing cross-domain scripts. A token is an authentication identifier used for transmission between servers: the sender and receiver negotiate a token authentication mechanism in advance, and the receiver judges whether the received data is credible by authenticating the token. Domains are independently operated units in a Windows operating system (Windows) network; mutual access between domains requires a trust relationship to be established, which acts as a bridge connecting the domains. After a trust relationship is established between one domain and other domains, the two domains can manage each other as required, and device resources such as files and printers can be distributed across networks, so that network resources are shared and managed among different domains.
In the process of implementing the invention, the inventor found that at least the following problems exist in the prior art:
1. multiple data sources are not supported, so scenarios that require isolation of login states cannot be realized;
2. single-point logout and single online (one account keeping only one user online) cannot be realized;
3. deployment is complex: a newly accessed domain needs collaborative front-end and back-end deployment, and a separate login domain must be provided to offer the login service.
Disclosure of Invention
In view of this, embodiments of the present invention provide a single sign-on method and apparatus which can isolate the login states of access applications in different groups and support multiple data sources, thereby realizing single-point logout and single online, and which simplify the configuration work of the access application.
To achieve the above object, according to an aspect of an embodiment of the present invention, a method of single sign-on is provided.
The single sign-on method of the embodiment of the invention comprises the following steps: acquiring the request configuration of an access application; processing the request configuration according to the group in which the access application is located to obtain a group configuration; and determining the success or failure of single sign-on based on the group configuration.
Optionally, acquiring the request configuration of the access application comprises: when the access application is started, receiving the request configuration of the access application, wherein the request configuration comprises a group ID, a single-point logout identifier, an ignore link or a cookie validity period.
Optionally, processing the request configuration according to the group in which the access application is located to obtain the group configuration comprises: acquiring the group ID of the group in which the access application is located; acquiring the corresponding login configuration according to the group ID; and processing the request configuration based on the login configuration to obtain the group configuration, wherein the group configuration comprises a cookie name, a login identifier and a single-point logout identifier.
Optionally, determining the success or failure of single sign-on based on the group configuration comprises: when a user who is not logged in accesses the access application, acquiring the cookie based on the cookie name; verifying the cookie, the login identifier and the single-point logout identifier in the group configuration to determine the success or failure of single sign-on; and updating the cookie in the group configuration upon successful single sign-on or upon single-point logout.
Optionally, verifying the cookie, the login identifier and the single-point logout identifier in the group configuration to determine the success or failure of single sign-on comprises: verifying whether the cookie is in a login state; if so, the user is logged in; if not, redirecting the user to the login system for login authentication; if the authentication fails, single sign-on fails; if the authentication succeeds, judging whether the login is a cross-domain login; if not, single sign-on succeeds; if so, redirecting the login identifier to the access application to verify whether the login identifier is valid; if it is invalid, single sign-on fails; if it is valid, determining whether the access application requires single-point logout based on the single-point logout identifier; if not, the access application writes the cookie and single sign-on succeeds; if so, verifying whether the login identifier is consistent with the pre-stored identifier; if consistent, the access application writes the cookie and single sign-on succeeds; if not, single sign-on fails.
Optionally, the group configuration further includes configuration information, a login uniform resource locator and a logout uniform resource locator.
To achieve the above object, according to another aspect of the embodiments of the present invention, there is provided a single sign-on apparatus.
The single sign-on apparatus of the embodiment of the invention comprises: an acquisition module for acquiring the request configuration of an access application; a processing module for processing the request configuration according to the group in which the access application is located to obtain the group configuration; and a determination module for determining the success or failure of single sign-on based on the group configuration.
Optionally, the acquisition module is further configured to: when the access application is started, receive the request configuration of the access application, wherein the request configuration comprises a group ID, a single-point logout identifier, an ignore link or a cookie validity period.
Optionally, the processing module is further configured to: acquire the group ID of the group in which the access application is located; acquire the corresponding login configuration according to the group ID; and process the request configuration based on the login configuration to obtain the group configuration, wherein the group configuration comprises a cookie name, a login identifier and a single-point logout identifier.
Optionally, the determination module is further configured to: when a user who is not logged in accesses the access application, acquire the cookie based on the cookie name; and verify the cookie, the login identifier and the single-point logout identifier in the group configuration to determine the success or failure of single sign-on. The apparatus further comprises an update module for updating the cookie in the group configuration upon successful single sign-on or upon single-point logout.
Optionally, the determination module is further configured to: verify whether the cookie is in a login state; if so, the user is logged in; if not, redirect the user to the login system for login authentication; if the authentication fails, single sign-on fails; if the authentication succeeds, judge whether the login is a cross-domain login; if not, single sign-on succeeds; if so, redirect the login identifier to the access application to verify whether the login identifier is valid; if it is invalid, single sign-on fails; if it is valid, determine whether the access application requires single-point logout based on the single-point logout identifier; if not, the access application writes the cookie and single sign-on succeeds; if so, verify whether the login identifier is consistent with the pre-stored identifier; if consistent, the access application writes the cookie and single sign-on succeeds; if not, single sign-on fails.
Optionally, the group configuration further includes configuration information, a login uniform resource locator and a logout uniform resource locator.
To achieve the above object, according to another aspect of the embodiments of the present invention, there is provided an electronic device for single sign-on.
The electronic equipment for single sign-on of the embodiment of the invention comprises: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method of single sign-on in accordance with an embodiment of the present invention.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided a computer-readable storage medium.
A computer-readable storage medium of an embodiment of the present invention has stored thereon a computer program that, when executed by a processor, implements a method of single sign-on of an embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits. By adopting the technical means of acquiring the request configuration of the access application, processing the request configuration according to the group in which the access application is located to obtain the group configuration, and determining the success or failure of single sign-on based on the group configuration, the group configuration is obtained through the grouping of access applications, the login state of the access application is isolated, the access application can complete single sign-on based on the group configuration, and the configuration work of the access application is simplified. This overcomes the technical problems of the prior art: that multiple data sources are not supported and login-state isolation cannot be realized; that single-point logout and single online cannot be realized; and that deployment is complex, with a newly accessed domain needing collaborative front-end and back-end deployment and an independent login domain to offer the login service. The login state is thereby isolated, single-point logout and single online are realized, the single sign-on process does not involve front-end logic, and the technical effect of simplifying the configuration work of the access application is achieved.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main steps of a method of single sign-on according to an embodiment of the invention;
FIG. 2 is a schematic diagram of the initialization of the group configuration in a method of single sign-on according to an embodiment of the invention;
FIG. 3 is a flow chart of cross-domain login of a method of single sign-on according to an embodiment of the present invention;
FIG. 4 is a schematic view of a main flow of a single sign-on method according to a referential embodiment of the present invention;
FIG. 5 is a schematic diagram of the main modules of a single sign-on device according to an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 7 is a schematic block diagram of a computer system suitable for implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
It should be noted that the embodiments of the present invention and the technical features of the embodiments may be combined with each other without conflict.
In the prior art, when a domain is accessed, a specific sub-domain is needed to process cross-domain login: a cookie is written into the main domain, and all sub-domains share the login cookie through the cookie sharing mechanism, thus realizing single sign-on; meanwhile, in order to display user information on a page that is not logged in, a front-end script request is used to realize the cross-domain access.
When single sign-on is performed with the prior art, the following problems remain: scenarios with multiple data sources that require isolation of login states are not supported, that is, grouping is not supported; there is no good solution for single-point logout, although some systems with higher security requirements need one account to keep only one user online; and deployment is complex, requiring collaborative front-end and back-end deployment and a login domain name that writes the login cookie for the sub-domains to use when other domain names are accessed. Therefore, the embodiment of the invention provides a single sign-on method which can write the cookie directly by way of server redirection, thereby avoiding the need for a specific domain name to process cross-domain login. In addition, because there is no scenario in which a page that is not logged in displays user information, no front-end logic is involved. Front-end logic here refers to the execution logic of the cross-domain application being accessed, for example the front end of an interactive web application initiating a request to the login domain and performing the corresponding page rendering (displaying the user's login name and the like), or processing JSONP (realizing cross-domain cookie reading and writing and data transmission by introducing a cross-domain script), and so on.
Fig. 1 is a schematic diagram of the main steps of a single sign-on method according to an embodiment of the present invention.
As shown in fig. 1, the method for single sign-on in the embodiment of the present invention mainly includes the following steps:
Step S101: acquiring the request configuration of the access application.
In the embodiment of the invention, a domain to be connected to single sign-on is called an access application, and the domain that provides account/password login is called the login system. The single sign-on method of the embodiment mainly involves two aspects: initializing the group configuration, and the cross-domain login process. The request configuration of the access application is acquired first, and initial configuration of the access application can be carried out based on it; the request configuration may be uploaded to the login system by the access application, or the login system may obtain it from the access application.
In embodiments of the present invention, the request configuration may include a group ID, a single-point logout identifier, an ignore link or a cookie validity period. The group ID is the ID of the group in which the access application is located (for example, an identification number, account number, unique code or dedicated number of the group); an access application may be added to the corresponding group according to its service type or function. When the access application is started, the login system receives its request configuration.
Step S102: processing the request configuration according to the group in which the access application is located to obtain the group configuration.
After receiving the request configuration of the access application, the login system processes it according to the group in which the access application is located to obtain the group configuration, and the access application can complete its initial configuration based on the group configuration. Each group corresponds to a unique group configuration, and because the group configuration is obtained through the grouping of the access application, login-state isolation of access applications is realized.
In an embodiment of the invention, the group configuration may include a cookie name, a login link, a logout link and an encryption/decryption KEY. Step S102 may be implemented as follows: when a user who is not logged in accesses the access application, the access application redirects the user to the uniform resource identifier of the login system; the group ID of the group in which the access application is located is obtained from the uniform resource identifier; the corresponding login configuration is acquired according to the group ID; and the request configuration is processed based on the login configuration to obtain the group configuration.
A Uniform Resource Identifier (URI), which includes Uniform Resource Names (URN) and Uniform Resource Locators (URL), is a string used to identify the name of an internet resource, including HTML pages, XML documents, images, multimedia files and the like. The login system may obtain the group ID of the access application from the uniform resource identifier of the access application, thereby obtaining the login configuration corresponding to the access application, and then process the request configuration to obtain the group configuration. The request configuration may be processed according to certain rules; for example, if the access application has not configured ignore-link suffixes, the login system may set the ignore-link suffixes in the group configuration (e.g. .jpg, .png, etc.); or, if the cookie validity period passed by the access application to the login system is 1 year, the login system may consider it too long and shorten it to 30 days, etc. It should be noted that if the group ID in the request configuration is not set or is set illegally, the login configuration corresponding to the default group ID (e.g. an empty string) may be looked up.
In an embodiment of the present invention, the group configuration may further include configuration information, a login uniform resource locator and a logout uniform resource locator, the configuration information being the default configuration of the login domain of the access application, such as ".jpg", ".jpeg", ".png", ".gif", ".js", ".css", "/static", "/resources", "/logic", etc. The login system provides the configuration information to the access application, which reduces the configuration work of the access application and increases loading speed, thereby improving the user experience. The group configuration is returned to the access application, and the access application and the login system maintain the same group configuration so that both parties can conveniently obtain the login configuration.
Step S103: determining the success or failure of single sign-on based on the group configuration.
In order to ensure the information security of the user and give the user a good experience, during single sign-on it is determined whether single sign-on succeeds based on the group configuration obtained in steps S101 and S102.
In the embodiment of the present invention, step S103 may be implemented as follows: when a user who is not logged in accesses the access application, the cookie, the login identifier and the single-point logout identifier in the group configuration are verified to determine the success or failure of single sign-on; and the cookie in the group configuration is updated when single sign-on succeeds or single-point logout is performed.
When a user who is not logged in accesses the access application, whether the single sign-on is legitimate, or whether it meets the requirements of the group in which the access application is located, can be determined by verifying the cookie, the login identifier and the single-point logout identifier in the group configuration. In addition, maintenance of the login state and verification of the login identifier are realized through cookies, and the cookie is updated on every successful single sign-on or single-point logout, so that the access application can verify on each request whether the current login is valid according to its own configuration and require a new login when it is invalid, thereby achieving single-point logout and single online.
Specifically, the cookie, the login identifier and the single-point logout identifier in the group configuration may be verified according to the following procedure:
verifying whether the cookie is in a login state;
if so, the user is logged in;
if not, redirecting the user to the login system for login authentication;
if the authentication fails, single sign-on fails;
if the authentication succeeds, judging whether the login is a cross-domain login;
if not, single sign-on succeeds;
if so, redirecting the login identifier to the access application to verify whether the login identifier is valid;
if the login identifier is invalid, single sign-on fails;
if it is valid, determining whether the access application requires single-point logout based on the single-point logout identifier;
if not, the access application writes the cookie and single sign-on succeeds;
if so, verifying whether the login identifier is consistent with the pre-stored identifier;
if consistent, the access application writes the cookie and single sign-on succeeds;
if not, single sign-on fails.
The pre-stored identifier is the login identifier in the group configuration returned by the login system and stored locally by the access application. Maintenance of the login state and verification of the token redirected to the access application are realized by caching: the cached login identifier is updated on each successful login or logout, the access application verifies on each request whether the current login is valid according to its own configuration, and a new login is required when the current login is invalid, thereby achieving single-point logout and single online.
According to the single sign-on method provided by the embodiment of the invention, by adopting the technical means of acquiring the request configuration of the access application, processing the request configuration according to the group in which the access application is located to obtain the group configuration, and determining the success or failure of single sign-on based on the group configuration, the problems of the prior art are overcome: that multiple data sources are not supported and login-state isolation cannot be realized; that single-point logout and single online cannot be realized; and that deployment is complex, with a newly accessed domain needing collaborative front-end and back-end deployment and an independent login domain to offer the login service. The login states of access applications in different groups are isolated, multiple data sources are supported, single-point logout and single online are realized, the single sign-on process does not involve front-end logic, and the technical effect of simplifying the configuration work of the access application is achieved.
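The verification procedure above, written out as an added example (not code from the patent). It assumes a constructed login system that keeps one current login identifier per account and group, so the consistency check in the single-point logout branch is what rejects an identifier superseded by a later login or cleared by logout; class and field names, the USERS table and the token format are assumptions.

```python
"""The verification procedure of step S103 as a decision function (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SUCCESS = "single sign-on succeeded"
FAIL = "single sign-on failed"
USERS = {"alice": "correct-horse"}   # constructed account database of the login system


@dataclass
class LoginSystem:
    """Constructed login system: issues login identifiers, keeps only the latest per account."""
    issued: Set[str] = field(default_factory=set)                       # every identifier ever issued
    current: Dict[Tuple[str, str], str] = field(default_factory=dict)  # latest per (group, account)

    def authenticate(self, group: str, account: str, password: Optional[str]) -> Optional[str]:
        """Account/password login; on success issue a fresh login identifier."""
        if password is None or USERS.get(account) != password:
            return None
        token = secrets.token_hex(16)
        self.issued.add(token)
        self.current[(group, account)] = token   # replaces any earlier login: single online
        return token

    def logout(self, group: str, account: str) -> None:
        """Single-point logout: the cached current identifier for the account is cleared."""
        self.current.pop((group, account), None)

    def is_valid(self, token: str) -> bool:
        """Was this login identifier issued by the login system at all?"""
        return token in self.issued

    def is_current(self, group: str, account: str, token: str) -> bool:
        """Is this identifier the pre-stored (latest) one for the account in this group?"""
        stored = self.current.get((group, account))
        return stored is not None and hmac.compare_digest(stored, token)


@dataclass
class AccessApplication:
    group: str
    needs_single_logout: bool      # the single-point logout identifier of the group configuration
    cross_domain: bool = True      # True when not in the login system's main domain
    cookies: Dict[str, str] = field(default_factory=dict)  # cookie written per account (constructed)


def cookie_logged_in(app: AccessApplication, ls: LoginSystem, account: str, cookie: Optional[str]) -> bool:
    """Step 1: is the cookie in the login state for this application's group?"""
    if cookie is None or not ls.is_valid(cookie):
        return False
    # With single-point logout configured, only the latest identifier counts as logged in.
    return not app.needs_single_logout or ls.is_current(app.group, account, cookie)


def accept_redirected_login_id(app: AccessApplication, ls: LoginSystem, account: str, token: str) -> str:
    """Steps after the login identifier has been redirected to the access application."""
    if not ls.is_valid(token):
        return FAIL                      # login identifier invalid
    if app.needs_single_logout and not ls.is_current(app.group, account, token):
        return FAIL                      # inconsistent with the pre-stored identifier
    app.cookies[account] = token         # the access application writes the cookie
    return SUCCESS


def single_sign_on(app: AccessApplication, ls: LoginSystem, account: str,
                   cookie: Optional[str] = None, password: Optional[str] = None) -> str:
    """Walk the whole verification procedure for one access attempt."""
    if cookie_logged_in(app, ls, account, cookie):
        return SUCCESS                   # already logged in
    # Not logged in: redirect to the login system for account/password authentication.
    token = ls.authenticate(app.group, account, password)
    if token is None:
        return FAIL                      # authentication failed
    if not app.cross_domain:
        app.cookies[account] = token     # same main domain: the login cookie is shared directly
        return SUCCESS
    # Cross-domain login: the identifier is redirected to the access application and checked.
    return accept_redirected_login_id(app, ls, account, token)
```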
Fig. 2 is a schematic diagram of initializing the group configuration in the single sign-on method according to an embodiment of the present invention.
As shown in fig. 2, the main flow of initializing the group configuration includes:
step S201: when the access application starts, it calls an interface of the login system and passes its request configuration;
step S202: after receiving the request configuration of the access application, the login system processes it according to fixed rules:
the group ID of the group the access application belongs to is obtained from the uniform resource identifier of the access application; the login configuration corresponding to that group ID is acquired; and the request configuration is processed on the basis of the login configuration to obtain the group configuration;
the login system also applies some special handling to the group configuration of the access application. For example, if the access application has not configured ignored link suffixes (links that the single sign-on check lets through without a login check), the login system sets them in the group configuration; it limits the validity range of the cookie; it returns different cookies, login URLs and logout URLs for different group IDs; and it sets the redirect parameter name. The redirect parameter name concerns the link from the login system back to the access application the user was visiting before logging in at the login domain: if the access application and the login system do not share a parent domain, the login domain's cookie is not sent to the access application, so an encrypted string used to judge whether the user is logged in is passed to the access application as a URL parameter; the access application decides whether to write its own login cookie by verifying that the string is legitimate, and the name of the parameter carrying that string is the redirect parameter name;
step S203: the login system stores the group configuration;
step S204: the login system returns the group configuration to the access application:
if the group ID of the access application is not set or is set to an unregistered value, the login system returns the group configuration corresponding to the default group ID (for example, the empty string); this step may be performed at the same time as step S203;
step S205: the access application stores the group configuration.
It should be noted that the group configuration held by the access application and the one held by the login system are identical, which lets both parties look up the relevant information locally. Login-state isolation is realized through cookies, and the group configuration in use is identified during the single sign-on process through the URL: for example, if the group ID is 'groupId', the cookie name returned by the login system can be '${groupId}.CookieName', so that the login state of each group is isolated, and the URI for redirecting to login can be '/sso/${groupId}/login'; when the browser is redirected to log in, the group ID is parsed from the URI and the corresponding group configuration is obtained. In addition, the configuration corresponding to each group ID can be viewed and customized in the login system's management console, which can also list the hosts currently connected.
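The initialization of steps S201 to S205, written out as an added example for this page (it is not the patent's own code). The class names, the fields of the request and group configuration, and the per-group login configuration table are assumptions; the patent fixes only the naming patterns '${groupId}.CookieName' and '/sso/${groupId}/login' and the empty-string default group ID. The group ID is taken from the request configuration here, with the login system validating it against its registered groups and falling back to the default group when it is missing or unknown.

```python
"""Group-configuration initialisation (steps S201 to S205), added example.

Illustrative code written for this page, not the patent's implementation.
Class names, configuration fields and the LOGIN_CONFIGS table are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

DEFAULT_GROUP_ID = ""  # used when the request's group ID is unset or unregistered
_LOGIN_PATH = re.compile(r"^/sso/(?P<gid>[^/]*)/login$")


@dataclass
class RequestConfig:
    """What the access application sends at start-up (claim 2)."""
    uri: str                                 # URI of the access application
    group_id: Optional[str] = None           # may be missing or not registered
    single_logout: bool = False              # single sign-out flag
    ignored_suffixes: Tuple[str, ...] = ()   # link suffixes the SSO check ignores
    cookie_ttl_seconds: int = 1800           # cookie validity period


@dataclass
class GroupConfig:
    """What the login system returns and both sides store (claims 3 and 5)."""
    group_id: str
    cookie_name: str
    cookie_domain: str
    login_url: str
    logout_url: str
    redirect_param: str
    single_logout: bool
    ignored_suffixes: Tuple[str, ...]
    cookie_ttl_seconds: int


class LoginSystem:
    # Per-group login configuration kept by the login system (constructed data;
    # in the patent it is viewed and customised in the management console).
    LOGIN_CONFIGS = {
        DEFAULT_GROUP_ID: {"data_source": "default-users", "redirect_param": "ticket"},
        "mall": {"data_source": "mall-users", "redirect_param": "ticket"},
        "admin": {"data_source": "admin-users", "redirect_param": "adminTicket"},
    }
    DEFAULT_IGNORED = (".css", ".js", ".png", ".ico")

    def __init__(self) -> None:
        self.group_configs: Dict[str, GroupConfig] = {}  # host -> config (step S203)

    def register(self, req: RequestConfig) -> GroupConfig:
        """Step S202: turn a request configuration into the group configuration."""
        host = urlparse(req.uri).hostname or ""
        # Unset or unregistered group IDs fall back to the default group.
        gid = req.group_id if req.group_id in self.LOGIN_CONFIGS else DEFAULT_GROUP_ID
        login_cfg = self.LOGIN_CONFIGS[gid]
        cfg = GroupConfig(
            group_id=gid,
            cookie_name=f"{gid}.CookieName" if gid else "CookieName",  # '${groupId}.CookieName'
            cookie_domain=host,             # limit the cookie's validity range to the app host
            login_url=f"/sso/{gid}/login",  # '/sso/${groupId}/login'
            logout_url=f"/sso/{gid}/logout",
            redirect_param=login_cfg["redirect_param"],
            single_logout=req.single_logout,
            # Special handling: supply ignored suffixes when the app configured none.
            ignored_suffixes=req.ignored_suffixes or self.DEFAULT_IGNORED,
            cookie_ttl_seconds=req.cookie_ttl_seconds,
        )
        self.group_configs[host] = cfg   # step S203
        return cfg                       # step S204

    @staticmethod
    def group_id_from_login_path(path: str) -> Optional[str]:
        """Recover the group ID from the login URI when the browser is redirected."""
        m = _LOGIN_PATH.match(path)
        return m.group("gid") if m else None


class AccessApplication:
    def __init__(self, uri: str, group_id: Optional[str] = None, **kw) -> None:
        self.request_config = RequestConfig(uri=uri, group_id=group_id, **kw)
        self.group_config: Optional[GroupConfig] = None

    def start(self, login_system: LoginSystem) -> GroupConfig:
        """Steps S201 and S205: send the request configuration, store what comes back."""
        self.group_config = login_system.register(self.request_config)
        return self.group_config
```

Two applications in different groups end up with different cookie names and login URIs, which is what isolates their login states; an application that sends an unknown group ID silently lands in the default group, so the group ID an application registers with should be checked in the management console rather than assumed.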
Fig. 3 is a schematic flow chart of the cross-domain login of the single sign-on method according to an embodiment of the present invention.
As shown in fig. 3, the main flow of cross-domain login includes:
step S301: the login system verifies whether the cookie is in a logged-in state; if yes, the user is already logged in; otherwise the single sign-on fails and step S302 is executed:
when a user who is not logged in visits the access application, the login system checks whether the cookie whose name is given in the group configuration is in a logged-in state,
step S302: redirect to the login system:
if the login system determines that the user is not logged in, it displays a login page prompting the user to log in, selects the data source according to the group ID, verifies whether the user's login is legitimate, and then restarts the cross-domain login process. In addition, to hide information and prevent the link from being tampered with, the return link, a signature over the return link and other additional information can be encrypted and transmitted as a Base64-encoded string. Base64 is an encoding that represents binary data with 64 printable characters; by itself it provides neither confidentiality nor integrity, so the signature (and, where required, the encryption) is what protects the return link, and the receiving side must verify the signature before following the link;
step S303: the login system authenticates the user's cookie or account password; if authentication passes, step S304 is executed, otherwise step S302 is repeated:
if the login system finds that the corresponding cookie is already logged in, the user has logged in to another access application of the group but not yet to the current one;
step S304: the login system redirects the token (the login identifier) to the access application;
step S305: the access application remotely verifies with the login system whether the token is valid; if yes, step S306 is executed, otherwise step S302;
step S306: the access application judges whether single sign-out is required; if yes, step S307 is executed, otherwise step S308:
whether the access application requires single sign-out is determined from the single sign-out flag;
step S307: the access application verifies whether the token is consistent with the pre-stored identifier; if yes, step S308 is executed, otherwise step S302:
in general, to improve security, tokens are re-validated at a fixed frequency (for example every 30 seconds) and the check is combined with verification of the client IP address; in addition, a final redirect can be made so that the token passed in the URL is not left visible to the user (or in the browser history and referrer headers);
step S308: login succeeds:
the access application writes its cookie.
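The signed, Base64-encoded return link of step S302, as an added example for this page rather than the patent's code. The HMAC key shared by the login system and the access applications, the payload fields (returnUrl, groupId, ts), the lifetime and the allowed-host check are assumptions; the patent only says that the return link, its signature and extra information are encrypted and carried Base64-encoded. The example deliberately shows what Base64 does not do: a forged payload decodes fine and is rejected only because its signature no longer matches, and a correctly signed link is still refused when it points at a host that is not a registered access application, which is what stops the login system from acting as an open redirector.

```python
"""Signed, Base64-encoded return link for step S302 (added example).

Illustrative code for this page, not the patent's implementation. SHARED_KEY,
the payload fields, MAX_AGE_SECONDS and the allowed-host check are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional
from urllib.parse import urlparse

SHARED_KEY = b"demo-key-shared-by-login-system-and-apps"  # constructed for the example
MAX_AGE_SECONDS = 300  # assumed lifetime of a return link


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_return_link(return_url: str, group_id: str,
                       now: Optional[float] = None, key: bytes = SHARED_KEY) -> str:
    """Serialise the payload, sign it with HMAC-SHA256, Base64-encode both parts."""
    payload = {"returnUrl": return_url, "groupId": group_id,
               "ts": int(now if now is not None else time.time())}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(sig)


def decode_return_link(blob: str, allowed_hosts: Iterable[str],
                       now: Optional[float] = None, key: bytes = SHARED_KEY) -> dict:
    """Verify the signature before trusting anything in the payload; ValueError on rejection."""
    try:
        body_b64, sig_b64 = blob.split(".", 1)
        body, sig = _b64d(body_b64), _b64d(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed return link")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(body)  # safe to parse: the bytes are the ones we signed
    age = (now if now is not None else time.time()) - payload["ts"]
    if age > MAX_AGE_SECONDS:
        raise ValueError("expired return link")
    host = urlparse(payload["returnUrl"]).hostname
    if host not in set(allowed_hosts):
        raise ValueError("return host is not a registered access application")
    return payload


def reject_reason(blob: str, allowed_hosts: Iterable[str], now: Optional[float] = None) -> str:
    """Empty string if the link is accepted, otherwise the reason it was rejected."""
    try:
        decode_return_link(blob, allowed_hosts, now)
        return ""
    except ValueError as exc:
        return str(exc)


def tampered(blob: str, new_return_url: str) -> str:
    """Forge a different return URL but keep the original signature (what an attacker can do)."""
    body_b64, sig_b64 = blob.split(".", 1)
    payload = json.loads(_b64d(body_b64))
    payload["returnUrl"] = new_return_url
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + sig_b64
```

The constant-time comparison and the signature-before-parse order are the two details that matter: parsing an unsigned body first would expose the JSON parser to attacker-controlled input, and a plain `==` on the signature leaks timing.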
For the access application, the integration work consists only of including the provided interceptor and configuring its attributes as needed; no matching front-end deployment is required, so deployment is simple.
Fig. 4 is a schematic diagram of the main flow of a single sign-on method according to a reference embodiment of the present invention.
As shown in fig. 4, the single sign-on method according to the embodiment of the present invention may be implemented by the following process:
step S401: when the access application starts, it calls an interface of the login system and passes its request configuration;
step S402: the login system processes the request configuration to obtain the group configuration, and stores it;
step S403: the login system returns the group configuration to the access application;
step S404: the access application stores the group configuration;
step S405: when a user who is not logged in visits the access application, the login system verifies whether the cookie named in the group configuration is in a logged-in state;
step S406: if the user is logged in, the access application is notified to write the cookie, completing single sign-on; if not, the user's cookie or account password is authenticated, and when authentication passes the token is redirected to the access application; if authentication fails, the access application displays a login page prompting the user to log in;
step S407: the access application remotely verifies whether the token is valid;
step S408: if the token is valid, it is further judged whether the access application requires single sign-out;
step S409: if the access application does not require single sign-out, it writes the cookie and single sign-on is complete; if it does, the access application verifies whether the token is consistent with the pre-stored identifier: if they are consistent, it writes the cookie and single sign-on is complete; if not, the access application displays a login page prompting the user to log in.
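The cross-domain login flow of Fig. 3 (steps S301 to S308) and Fig. 4 (steps S405 to S409), with the single sign-out check and single-user online, as one added example for this page; it is not the patent's implementation. The class names, the session and token stores, the token lifetime, the host binding of tokens and the reading of the "pre-stored identifier" as the login identifier of the user's most recent login (so that a logout, or a newer login somewhere else, invalidates it) are assumptions; the 30-second re-validation interval is the one the text mentions. The return-link signing of step S302 and the final redirect that hides the token are left out to keep the flow readable.

```python
"""Cross-domain login with token redirect, single sign-out and single-user online
(steps S301 to S308 / S405 to S409), added example; not the patent's code.
Class names, stores, TOKEN_TTL_SECONDS and the 'newest login identifier' model
are assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 60    # assumed: how long a redirected token may be redeemed
RECHECK_SECONDS = 30      # fixed re-validation frequency mentioned in the text


@dataclass
class Token:
    user: str
    group_id: str
    app_host: str      # the access application the token was issued for
    login_id: str      # login identifier current at issue time
    issued: float


class LoginSystem:
    def __init__(self) -> None:
        # Constructed per-group data sources: group ID -> {user: password}.
        # (A real system stores password hashes; plain text keeps the example short.)
        self.data_sources = {"mall": {"alice": "pw-a"}, "admin": {"root": "pw-r"}}
        self.sessions: Dict[Tuple[str, str], str] = {}  # (group, login-domain cookie) -> user
        self.current: Dict[Tuple[str, str], str] = {}   # (group, user) -> newest login identifier
        self.tokens: Dict[str, Token] = {}

    def access(self, group_id: str, app_host: str, cookie: Optional[str] = None,
               username: Optional[str] = None, password: Optional[str] = None,
               now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """S301/S303: ('redirect', token) when logged in or authenticated, else ('login_page', None)."""
        now = time.time() if now is None else now
        user = self.sessions.get((group_id, cookie)) if cookie else None
        if user is None or (group_id, user) not in self.current:
            # S302/S303: check the account password against this group's data source.
            users = self.data_sources.get(group_id, {})
            if username is None or not secrets.compare_digest(users.get(username, ""), password or ""):
                return "login_page", None
            user = username
            self.sessions[(group_id, secrets.token_urlsafe(16))] = user
            # Single-user online: a new login supersedes any earlier login identifier.
            self.current[(group_id, user)] = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(24)
        self.tokens[token] = Token(user, group_id, app_host, self.current[(group_id, user)], now)
        return "redirect", token   # S304

    def verify_token(self, token: str, app_host: str, now: Optional[float] = None) -> Optional[Token]:
        """S305: single use, bound to the redeeming host, short-lived."""
        now = time.time() if now is None else now
        t = self.tokens.pop(token, None)   # consumed on any attempt, valid or not
        if t is None or t.app_host != app_host or now - t.issued > TOKEN_TTL_SECONDS:
            return None
        return t

    def is_current(self, group_id: str, user: str, login_id: str) -> bool:
        return self.current.get((group_id, user)) == login_id

    def logout(self, group_id: str, user: str) -> None:
        """Single sign-out: drop the login-domain session and the current identifier."""
        self.current.pop((group_id, user), None)
        self.sessions = {k: u for k, u in self.sessions.items() if not (k[0] == group_id and u == user)}

    def login_cookie_for(self, group_id: str, user: str) -> Optional[str]:
        """Helper for the example: the login-domain cookie value of a logged-in user."""
        return next((c for (g, c), u in self.sessions.items() if g == group_id and u == user), None)


class AccessApplication:
    def __init__(self, host: str, group_id: str, cookie_name: str,
                 single_logout: bool, login_system: LoginSystem) -> None:
        self.host, self.group_id, self.cookie_name = host, group_id, cookie_name
        self.single_logout, self.ls = single_logout, login_system
        self.sessions: Dict[str, Tuple[str, float]] = {}   # login identifier -> (user, last check)

    def complete_login(self, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """S305 to S308: (True, Set-Cookie value) or (False, reason to go back to S302)."""
        now = time.time() if now is None else now
        t = self.ls.verify_token(token, self.host, now)
        if t is None or t.group_id != self.group_id:
            return False, "invalid token"
        if self.single_logout and not self.ls.is_current(t.group_id, t.user, t.login_id):
            return False, "login identifier superseded"   # S307 mismatch
        self.sessions[t.login_id] = (t.user, now)
        # Domain limited to this host; Secure/HttpOnly/SameSite are the usual hardening.
        return True, f"{self.cookie_name}={t.login_id}; Domain={self.host}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def intercept(self, cookies: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
        """Interceptor on later requests: the user, or None if login is needed."""
        now = time.time() if now is None else now
        login_id = cookies.get(self.cookie_name, "")
        entry = self.sessions.get(login_id)
        if entry is None:
            return None
        user, last_check = entry
        if self.single_logout and now - last_check >= RECHECK_SECONDS:
            if not self.ls.is_current(self.group_id, user, login_id):
                del self.sessions[login_id]      # logged out or superseded elsewhere
                return None
            self.sessions[login_id] = (user, now)
        return user
```

Because re-validation happens at a fixed interval rather than on every request, an access application keeps honouring a cookie for up to that interval after the user has been logged out or superseded; the interval is therefore the upper bound on how long single sign-out takes to become effective, and it should be chosen with that in mind.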
To further explain the technical idea of the present invention, the technical solution of the embodiment is now described with reference to specific application scenarios.
As on e-commerce websites, a user browsing a shopping cart does not need username and password authentication, while accessing sensitive account information generally requires authenticating with username and password again. For applications, even when two access applications correspond to the same user system (that is, the same data source), there is a distinction between sensitive and non-sensitive ones; for example, a public information system and its background management system need their login states isolated, i.e. the management background requires logging in again.
When two user systems are integrated, single sign-on is needed but the data sources differ. In the traditional approach two login systems would have to be deployed, whereas with the grouping idea only one login system is deployed, the access applications of each user system are given their own group ID (whose login configuration points at that user system's data source), and the number of groups supported can be very large. In addition, offering single sign-on as a service to small external websites and the like can also be considered.
Fig. 5 is a schematic diagram of the main modules of a single sign-on apparatus according to an embodiment of the present invention.
As shown in fig. 5, the single sign-on apparatus 500 of the embodiment of the present invention includes: an obtaining module 501, a processing module 502 and a determining module 503.
Wherein:
the obtaining module 501 is configured to obtain the request configuration of an access application;
the processing module 502 is configured to process the request configuration according to the group the access application belongs to, so as to obtain the group configuration;
the determining module 503 is configured to determine success or failure of single sign-on based on the group configuration.
In this embodiment of the present invention, the obtaining module 501 is further configured to: when an access application starts, receive the request configuration of the access application, where the request configuration comprises a group ID, a single sign-out flag, ignored links, or a cookie validity period.
In this embodiment of the present invention, the processing module 502 is further configured to: acquire the group ID of the group the access application belongs to; acquire the corresponding login configuration according to the group ID; and process the request configuration based on the login configuration to obtain the group configuration, where the group configuration comprises a cookie name, a login identifier and a single sign-out flag.
In this embodiment of the present invention, the determining module 503 is further configured to: when a user who is not logged in visits the access application, obtain the cookie based on the cookie name; and verify the cookie, the login identifier and the single sign-out flag to determine success or failure of single sign-on. The apparatus 500 further comprises an update module (not shown) for updating the cookie in the group configuration when single sign-on succeeds or single sign-out is performed.
In this embodiment of the present invention, the determining module 503 is further configured to: verify whether the cookie is in a logged-in state; if yes, the user is logged in; if not, redirect the user to the login system for login authentication. If authentication succeeds, judge whether the login is a cross-domain login: if it is, redirect the login identifier to the access application, which verifies whether the login identifier is valid; if the login identifier is valid, determine from the single sign-out flag whether the access application requires single sign-out; if it does, verify whether the login identifier is consistent with the pre-stored identifier, and if they are consistent the access application writes the cookie and single sign-on succeeds, otherwise single sign-on fails; if single sign-out is not required, the access application writes the cookie and single sign-on succeeds; if the login identifier is invalid, single sign-on fails. If the login is not cross-domain, single sign-on succeeds. If authentication fails, single sign-on fails.
In addition, the group configuration further comprises configuration information, a login uniform resource locator and a logout uniform resource locator.
According to the single sign-on apparatus disclosed by this embodiment of the invention, the request configuration of the access application is obtained; the request configuration is processed according to the group the access application belongs to, giving the group configuration; and success or failure of single sign-on is decided on the basis of the group configuration. This overcomes the limitations of the prior art, which did not support multiple data sources, could not isolate login state, could not provide single sign-out or single-user online, and required complex deployment in which every new access domain needed coordinated front-end and back-end deployment and a separate login domain to provide the login service. The login states of access applications in different groups are isolated, multiple data sources are supported, single sign-out and single-user online are realized, the single sign-on process involves no front-end logic, and the configuration work of an access application is simplified.
Fig. 6 illustrates an exemplary system architecture 600 of a single sign-on method or single sign-on apparatus to which embodiments of the invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605. The network 604 serves to provide a medium for communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with the server 605 via the network 604 to receive or send messages or the like. Various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like, may be installed on the terminal devices 601, 602, and 603.
The terminal devices 601, 602, 603 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 605 may be a server that provides various services, such as a background management server that supports shopping websites browsed by users using the terminal devices 601, 602, and 603. The background management server may analyze and perform other processing on the received data such as the product information query request, and feed back a processing result (e.g., target push information and product information) to the terminal device.
It should be noted that the single sign-on method provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the single sign-on apparatus is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes an acquisition module, a processing module, and a determination module. The names of these modules do not in some cases form a limitation on the module itself, and for example, the acquiring module may also be described as a "module for acquiring a request configuration for accessing an application".
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments or may be separate and not incorporated into the apparatus. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to perform: step S101: obtaining the request configuration of an access application; step S102: processing the request configuration according to the group the access application belongs to, to obtain the group configuration; step S103: determining success or failure of single sign-on based on the group configuration.
According to the technical scheme of this embodiment of the invention, the request configuration of the access application is obtained; the request configuration is processed according to the group the access application belongs to, giving the group configuration; and success or failure of single sign-on is decided on the basis of the group configuration. This overcomes the limitations of the prior art, which did not support multiple data sources, could not isolate login state, could not provide single sign-out or single-user online, and required complex deployment in which every new access domain needed coordinated front-end and back-end deployment and a separate login domain to provide the login service. Login state is isolated, single sign-out and single-user online are realized, the single sign-on process involves no front-end logic, and the configuration work of an access application is simplified.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A single sign-on method, comprising:
when an access application starts, receiving the request configuration of the access application, a domain to be connected to single sign-on being called an access application;
a login system processing the request configuration according to the group the access application belongs to, to obtain a group configuration, each group corresponding to a unique group configuration, a domain providing account-password login being called the login system;
verifying the cookie, the login identifier and the single sign-out flag in the group configuration to determine success or failure of single sign-on, which comprises:
verifying whether the cookie is in a logged-in state;
if yes, the user is logged in;
if not, redirecting the user to the login system for login authentication;
if the authentication succeeds, judging whether the login is a cross-domain login;
if so, redirecting the login identifier to the access application to verify whether the login identifier is valid;
if the login identifier is valid, determining whether the access application requires single sign-out based on the single sign-out flag;
if so, verifying whether the login identifier is consistent with a pre-stored identifier;
if they are consistent, the access application writes the cookie and single sign-on succeeds;
if not, single sign-on fails;
if single sign-out is not required, the access application writes the cookie and single sign-on succeeds;
if the login identifier is invalid, single sign-on fails;
if the login is not cross-domain, single sign-on succeeds;
if the authentication fails, single sign-on fails.
2. The method of claim 1, wherein the request configuration comprises a group ID, a single sign-out flag, ignored links, or a cookie validity period.
3. The method of claim 1, wherein processing the request configuration according to the group the access application belongs to, to obtain the group configuration, comprises:
acquiring the group ID of the group the access application belongs to;
acquiring the corresponding login configuration according to the group ID;
processing the request configuration based on the login configuration to obtain the group configuration; wherein the group configuration comprises a cookie name, a login identifier and a single sign-out flag.
4. The method of claim 3, wherein determining success or failure of single sign-on based on the group configuration comprises:
when a user who is not logged in visits the access application, acquiring the cookie based on the cookie name;
verifying the cookie, the login identifier and the single sign-out flag to determine success or failure of single sign-on; and
updating the cookie in the group configuration upon a successful single sign-on or a single sign-out.
5. The method of claim 3, wherein the group configuration further comprises configuration information, a login uniform resource locator and a logout uniform resource locator.
6. A single sign-on apparatus, comprising:
an obtaining module, configured to receive the request configuration of an access application when the access application starts, a domain to be connected to single sign-on being called an access application;
a processing module, configured for the login system to process the request configuration according to the group the access application belongs to, to obtain a group configuration, each group corresponding to a unique group configuration, a domain providing account-password login being called the login system;
a determining module, configured to determine success or failure of single sign-on based on the group configuration;
the determining module being further configured to:
verify whether the cookie is in a logged-in state;
if yes, the user is logged in;
if not, redirect the user to the login system for login authentication;
if the authentication succeeds, judge whether the login is a cross-domain login;
if so, redirect the login identifier to the access application to verify whether the login identifier is valid;
if the login identifier is valid, determine whether the access application requires single sign-out based on the single sign-out flag;
if so, verify whether the login identifier is consistent with a pre-stored identifier;
if they are consistent, the access application writes the cookie and single sign-on succeeds;
if not, single sign-on fails;
if single sign-out is not required, the access application writes the cookie and single sign-on succeeds;
if the login identifier is invalid, single sign-on fails;
if the login is not cross-domain, single sign-on succeeds;
if the authentication fails, single sign-on fails.
7. The apparatus of claim 6, wherein the request configuration comprises a group ID, a single sign-out flag, ignored links, or a cookie validity period.
8. The apparatus of claim 6, wherein the processing module is further configured to:
acquire the group ID of the group the access application belongs to;
acquire the corresponding login configuration according to the group ID;
process the request configuration based on the login configuration to obtain the group configuration; wherein the group configuration comprises a cookie name, a login identifier and a single sign-out flag.
9. The apparatus of claim 8, wherein the determining module is further configured to:
when a user who is not logged in visits the access application, acquire the cookie based on the cookie name; verify the cookie, the login identifier and the single sign-out flag to determine success or failure of single sign-on; and
the apparatus further comprises:
an update module, configured to update the cookie in the group configuration upon a successful single sign-on or a single sign-out.
10. The apparatus of claim 8, wherein the group configuration further comprises configuration information, a login uniform resource locator and a logout uniform resource locator.
11. A single sign-on electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1 to 5.
12. A computer-readable medium on which a computer program is stored, which, when executed by a processor, carries out the method of any one of claims 1 to 5.
Application CN201811301183.5A, priority date 2018-11-02, filing date 2018-11-02: Single sign-on method and device (granted as CN109450890B, legal status Active).

Publications: CN109450890A, published 2019-03-08; CN109450890B (granted patent), published 2022-02-22.

CN111783044A (en) Method and device for sharing login state

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 101111 Room 221, 2nd Floor, Block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone

Applicant after: Jingdong Technology Holding Co.,Ltd.

Address before: 101111 Room 221, 2nd Floor, Block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone

Applicant before: Jingdong Digital Technology Holding Co.,Ltd.

Address after: 101111 Room 221, 2nd Floor, Block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone

Applicant after: Jingdong Digital Technology Holding Co.,Ltd.

Address before: 101111 Room 221, 2nd Floor, Block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone

Applicant before: JINGDONG DIGITAL TECHNOLOGY HOLDINGS Co.,Ltd.

Address after: 101111 Room 221, 2nd Floor, Block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone

Applicant after: JINGDONG DIGITAL TECHNOLOGY HOLDINGS Co.,Ltd.

Address before: 101111 Room 221, 2nd Floor, Block C, 18 Kechuang 11th Street, Beijing Economic and Technological Development Zone

Applicant before: BEIJING JINGDONG FINANCIAL TECHNOLOGY HOLDING Co.,Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant