CN110278179A - Single-point logging method, device and system and electronic equipment - Google Patents


Info

Publication number
CN110278179A
Authority
CN
China
Prior art keywords
token
sign
access request
user terminal
user
Prior art date
Legal status
Granted
Application number
CN201810215484.XA
Other languages
Chinese (zh)
Other versions
CN110278179B (en)
Inventor
丛邵鹏
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201810215484.XA
Publication of CN110278179A
Application granted
Publication of CN110278179B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Abstract

Embodiments of the invention provide a single sign-on method, apparatus, system and electronic device. The method comprises: while a user performs single sign-on through a user terminal, generating a token name that corresponds uniquely to the account center server; and writing the token name into the browser cache (cookie) of the user terminal, so that the single sign-on client deployed by the target application initiates login verification according to the token name. During single sign-on, the single sign-on proxy server generates a token name uniquely corresponding to the account center server, and login verification is then initiated to the account center server through the proxy server according to that token name. This masks the differences between account center servers, lets a single sign-on client work with any heterogeneous account center server, and allows the account center server of a system to be replaced without modifying the single sign-on client, reducing operating cost.

Description

Single sign-on method, apparatus, system and electronic device
Technical field
The present invention relates to the field of communication technology, and in particular to a single sign-on method, apparatus, system and electronic device.
Background art
Single sign-on is a popular solution for integrating business applications. Multiple applications authenticate against a unified account center and share login state: a user who logs in once can access all mutually trusting applications, and logging out at one place logs out everywhere.
In existing single sign-on schemes, multiple single sign-on clients verify account passwords against a unified account center. After one successful login, a user who then visits another single sign-on client does not enter the account password again; the current single sign-on client verifies directly with the unified account center.
While implementing the present invention, the inventor found at least the following problem in the prior art: because different account centers use different account formats, an existing single sign-on client can only be designed for a single account format and cannot work with multiple heterogeneous account centers. Replacing the account center of a single sign-on system therefore requires modifying every single sign-on client, which makes operating cost high.
Summary of the invention
Embodiments of the present invention provide a single sign-on method, apparatus, system and electronic device that overcome this defect of the prior art: a single sign-on client works with any heterogeneous account center, so the cost of replacing the account center is reduced.
To this end, an embodiment of the invention provides a single sign-on system comprising a user terminal, a single sign-on client, an account center server and a single sign-on proxy server. The single sign-on proxy server generates a token name while the user performs single sign-on through the user terminal, and writes the token name into the browser cache of the user terminal; the token name corresponds uniquely to the account center server. The single sign-on client, on receiving an access request from the user terminal, initiates login verification to the account center server according to the access request and the token name generated by the single sign-on proxy server. The account center server, on receiving an access request sent by the single sign-on proxy server, performs login verification for the user according to the access request and the token name generated by the single sign-on proxy server; the access request is produced by the user terminal when the user first logs into the system.
An embodiment of the invention also provides a single sign-on method comprising: while a user performs single sign-on through a user terminal, generating a token name that corresponds uniquely to the account center server; and writing the token name into the browser cache of the user terminal, so that the single sign-on client deployed by the target application initiates login verification according to the token name.
An embodiment of the invention also provides a single sign-on method comprising: while a user performs single sign-on through a user terminal, receiving an access request from the user terminal; and initiating login verification to the account center server according to the access request and a token name generated by the single sign-on proxy server, the token name corresponding uniquely to the account center server.
An embodiment of the invention also provides a single sign-on method comprising: while a user performs single sign-on through a user terminal, receiving an access request sent by the single sign-on proxy server, the access request having been produced by the user terminal when the user first logged into the system; and performing login verification for the user according to the access request and the token name generated by the single sign-on proxy server.
An embodiment of the invention also provides a single sign-on apparatus comprising: a token name generation module for generating, while a user performs single sign-on through a user terminal, a token name that corresponds uniquely to the account center server; and a token name writing module for writing the token name into the browser cache of the user terminal, so that the single sign-on client deployed by the target application initiates login verification according to the token name.
An embodiment of the invention also provides a single sign-on apparatus comprising: a first receiving module for receiving, while a user performs single sign-on through a user terminal, the access request of the user terminal; and a first verification module for initiating login verification to the account center server according to the access request and a token name generated by the single sign-on proxy server, the token name corresponding uniquely to the account center server.
An embodiment of the invention also provides a single sign-on apparatus comprising: a second receiving module for receiving, while a user performs single sign-on through a user terminal, an access request sent by the single sign-on proxy server, the access request having been produced by the user terminal when the user first logged into the system; and a second verification module for performing login verification for the user according to the access request and the token name generated by the single sign-on proxy server.
An embodiment of the invention also provides an electronic device comprising a memory for storing a program and a processor for running the program stored in the memory, so as to: while a user performs single sign-on through a user terminal, generate a token name that corresponds uniquely to the account center server; and write the token name into the browser cache of the user terminal, so that the single sign-on client deployed by the target application initiates login verification according to the token name.
An embodiment of the invention also provides an electronic device comprising a memory for storing a program and a processor for running the program stored in the memory, so as to: while a user performs single sign-on through a user terminal, receive the access request of the user terminal; and initiate login verification to the account center server according to the access request and the token name generated by the single sign-on proxy server, the token name corresponding uniquely to the account center server.
An embodiment of the invention also provides an electronic device comprising a memory for storing a program and a processor for running the program stored in the memory, so as to: while a user performs single sign-on through a user terminal, receive an access request sent by the single sign-on proxy server, the access request having been produced by the user terminal when the user first logged into the system; and perform login verification for the user according to the access request and the token name generated by the single sign-on proxy server.
In the single sign-on method, apparatus, system and electronic device provided by embodiments of the present invention, the single sign-on proxy server generates, during single sign-on, a token name uniquely corresponding to the account center server, and login verification is then initiated to the account center server through the proxy server according to that token name. This masks the differences between account center servers, lets the single sign-on client work with any heterogeneous account center server, and allows the account center server of the system to be replaced without modifying the single sign-on client, reducing operating cost.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered as limiting the application. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 is a block diagram of an embodiment of the single sign-on system provided by the invention;
Fig. 2 is a flow chart of one embodiment of the single sign-on method provided by the invention;
Fig. 3 is a flow chart of another embodiment of the single sign-on method provided by the invention;
Fig. 4 is a flow chart of yet another embodiment of the single sign-on method provided by the invention;
Fig. 5 is a flow chart of a further embodiment of the single sign-on method provided by the invention;
Fig. 6 is a flow chart of a specific embodiment of the single sign-on method provided by the invention;
Fig. 7 is a schematic structural diagram of one embodiment of the single sign-on apparatus provided by the invention;
Fig. 8 is a schematic structural diagram of another embodiment of the single sign-on apparatus provided by the invention;
Fig. 9 is a schematic structural diagram of yet another embodiment of the single sign-on apparatus provided by the invention;
Fig. 10 is a schematic structural diagram of one embodiment of the electronic device provided by the invention;
Fig. 11 is a schematic structural diagram of another embodiment of the electronic device provided by the invention;
Fig. 12 is a schematic structural diagram of yet another embodiment of the electronic device provided by the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention is understood more thoroughly and its scope is fully conveyed to those skilled in the art.
In the prior art, a Single Sign On (hereinafter: SSO) client is designed for one specific account center server. That is, at deployment time the SSO client is told the token name used by that account center server (e.g. token), so when it reads the browser cache (cookie) it reads the token content directly under that name (that is, token=xxxx). If the SSO client were instead made generic, not tied to any particular account center server and paired with an arbitrary account center server, it would have no way of knowing the token name of the account center server it is configured with. To address the inability of prior-art SSO clients to work with multiple heterogeneous account centers, this application provides a solution whose core principle is as follows. During single sign-on, when the SSO client initiates login verification (checking whether the user has logged into the account center server) to the account center server through an SSO proxy server, the SSO proxy server generates a token name (token_name) uniquely corresponding to the account center server (agreed between the SSO proxy and the account center server) and writes that token name into the cookie of the user terminal. The SSO client can then use the token name to obtain the token that the account center server generated when the user submitted the account and password, and initiate login verification to the account center server with that token. This overcomes the defect of the prior art: because the SSO proxy server generates the token name uniquely corresponding to the account center server, the SSO client is decoupled from the account center server, the differences between account center servers are masked, and the SSO client works with any heterogeneous account center (e.g. the Alibaba Cloud account center, the Taobao account center, etc.). When the account center of the system is replaced, the SSO client need not be modified, which reduces operating cost.
The above explains the technical principle of the embodiments of the present invention; the specific technical solution is described in detail below through several embodiments.
Embodiment one
Fig. 1 is a block diagram of an embodiment of the single sign-on system provided by the invention. As shown in Fig. 1, the single sign-on system comprises at least one user terminal, at least one SSO client, one account center server and one SSO proxy server. The SSO proxy server generates a token name while the user performs single sign-on through the user terminal and writes it into the browser cache (cookie) of the user terminal; the token name corresponds uniquely to the account center server. The SSO client, on receiving an access request from the user terminal, initiates login verification to the account center server according to the access request and the token name generated by the SSO proxy server. The account center server, on receiving an access request sent by the SSO proxy server, performs login verification for the user according to the access request and the token name generated by the SSO proxy server; the access request is produced by the user terminal when the user first logs into the system.
In this embodiment, when the user first logs into the system, the user terminal first sends an access request to the SSO client. The SSO client sends the access request to the SSO proxy server, which generates the token name uniquely corresponding to the account center server and forwards the access request to the account center server, so that the account center server performs login verification for the user according to the access request and the token name.
Further, after receiving the access request sent by the user terminal, the SSO client determines whether the user is in a logged-in state: for example, by checking whether its session object (session) holds user information matching the user and, if not, by checking whether the cookie carried in the access request contains a token name and/or a token. If neither can be read from the cookie, the user is not logged in. Therefore, when the access request carries no token and/or token name, the SSO client redirects the access request to the SSO proxy server through the user terminal (that is, by an HTTP redirect issued to the user terminal). On receiving the access request of the user terminal, the SSO proxy server generates the token name and redirects the access request through the user terminal to the account center server. The account center server interacts with the user terminal according to the access request, verifies the user's account, generates a token, writes the token into the cookie of the user terminal, and redirects the access request, now carrying the token and the token name, through the user terminal to the SSO client.
Further, if the SSO client can read a token from the received access request, the user has already logged into the account center server. Therefore, when the access request carries a token and a token name, the SSO client obtains the token name from the access request, reads the token according to the token name, and forwards the token through the SSO proxy server to the account center server for token verification.
In addition, the SSO proxy server forwards to the SSO client the user information returned by the account center server after successful token verification, and the SSO client stores the received user information in its session object. In embodiments of the invention the user information may include, without limitation, a unique ID identifying the user, a login name and similar identity data.
In the single sign-on system provided by this embodiment, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account center server; the token generated by the account center server after successful verification is stored under that name, so the SSO client can easily read the matching token using the token name generated by the SSO proxy server. This masks the differences between account center servers, lets the SSO client work with any heterogeneous account center server, and allows the account center server of the system to be replaced without modifying the SSO client, reducing operating cost.
Embodiment two
Fig. 2 is a flow chart of one embodiment of the single sign-on method provided by the invention; it may be executed by the SSO proxy server of the system described in the embodiment above. As shown in Fig. 2, the single sign-on method comprises the following steps:
S201: while the user performs single sign-on through the user terminal, generate a token name that corresponds uniquely to the account center server.
In this embodiment, the SSO client may be deployed for any application that needs to verify account legitimacy, typically the console of a functional product, and is accessed through the browser of the user terminal. When the user first logs into the system, the user terminal first sends an access request to the SSO client, the SSO client sends the access request to the SSO proxy server, and the SSO proxy server generates the token name (token_name) uniquely corresponding to the account center server.
S202: write the token name into the browser cache of the user terminal, so that the SSO client deployed by the target application initiates login verification according to the token name.
The SSO proxy server writes the token name into the browser cache (cookie) of the user terminal and forwards the access request to the account center server, so that the SSO client deployed by the target application (that is, the application to be accessed) initiates login verification for the user according to the token name.
In the single sign-on method provided by this embodiment, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account center server, and login verification is then initiated to the account center server through the proxy server according to that token name. This masks the differences between account center servers, lets the SSO client work with any heterogeneous account center server, and allows the account center server of the system to be replaced without modifying the SSO client, reducing operating cost.
Embodiment three
Fig. 3 is a flow chart of another embodiment of the single sign-on method provided by the invention. As shown in Fig. 3, on the basis of the embodiment of Fig. 2, the single sign-on method of this embodiment may comprise the following steps:
S301: on receiving the access request of the user terminal, generate the token name.
In this embodiment, after receiving the access request sent by the user terminal, the SSO client determines whether the user is in a logged-in state: for example, by checking whether its session object (session) holds user information matching the user and, if not, by checking whether the cookie carried in the access request contains a token name and/or a token. If neither can be read from the cookie, the user is not logged in. Therefore, when the access request carries no token and/or token name, the SSO client redirects the access request through the user terminal to the SSO proxy server. On receiving the access request of the user terminal, the SSO proxy server generates the token name and writes it into the cookie of the user terminal (token_name=aliyun_token).
S302: redirect the access request through the user terminal to the account center server; the access request is produced by the user terminal when the user first logs into the system.
At the same time, the SSO proxy server redirects the access request through the user terminal to the account center server. The account center server interacts with the user terminal according to the access request, verifies the user's account, generates a token and writes the token into the cookie of the user terminal (aliyun_token=xxxx). The account center server then redirects the access request carrying the token and the token name through the user terminal to the SSO client.
S303: forward the token that the SSO client read according to the token name to the account center server for token verification.
The SSO client obtains the token name from the access request, reads the token according to the token name, and sends the token it read to the SSO proxy server. The SSO proxy server forwards the token (aliyun_token=xxxx) to the account center server for token verification (that is, the account center server checks whether the token is consistent with the token it has stored for that user; if so, token verification succeeds).
S304: forward the user information of the user, returned by the account center server after successful token verification, to the SSO client.
After token verification succeeds, the account center server may return the user information of the user to the SSO proxy server, which then forwards it to the SSO client for storage.
Further, this embodiment can be applied to cross-domain single sign-on. When the SSO client and the account center server are not in the same domain (not under the same parent domain), the SSO client and the account center cannot share cookies. In that case the single sign-on method provided by this embodiment may further comprise:
S305: on receiving an access request carrying the token, convert the token into ticket information and redirect the access request carrying the ticket information through the user terminal to the SSO client.
S306: on receiving the ticket information, obtain the token according to the ticket information and send the token to the account center server for token verification.
In this embodiment, when the SSO client and the account center server are not in the same domain, after the account center server redirects the access request carrying the token and the token name through the user terminal to the SSO client, the SSO client cannot obtain the token from the cookie and therefore still determines that the user is not logged in. The SSO client then redirects the access request to the SSO proxy server; the parameters of the access request carry the return address of the SSO client, and the request carries the cookie in which the token (aliyun_token) is stored. On receiving the access request carrying the token, the SSO proxy server converts the token into ticket information (ticket) and redirects the ticket information through the user terminal to the SSO client. Specifically, the ticket is one-time ticket information that usually contains no data itself but is associated with the user information kept in the account center server; it is invalidated after a single use, has a very short validity period, and fails once expired. The SSO proxy server is set up in the same domain as the account center server, so it can obtain the token from the cookie and convert it into a ticket. In this embodiment a ticket sent through a Uniform Resource Locator (hereinafter: URL) is not subject to the cross-domain restriction, so cross-domain single sign-on is achieved. The SSO proxy server may also redirect the ticket information to the SSO client through the URL of the user terminal. After the SSO client obtains the ticket from the access request, it sends the ticket from its back end to the SSO proxy server. On receiving the ticket, the SSO proxy server calls an open interface of the account center server with the ticket to obtain the user's token, and then sends the token to the account center server for token verification.
In this embodiment the ticket may use an encryption mechanism similar to that of the token. The ticket may also be stored in a temporary table that is refreshed periodically, with timed-out tickets cleaned up and each ticket destroyed as soon as it has been read once.
In the single sign-on method provided by this embodiment, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account center server; the token generated by the account center server after successful verification is stored under that name, so the SSO client can easily read the matching token using the token name generated by the SSO proxy server. This masks the differences between account center servers, lets the SSO client work with any heterogeneous account center server, and allows the account center server of the system to be replaced without modifying the SSO client, reducing operating cost. In addition, converting the token into ticket information and transmitting it via URL achieves cross-domain single sign-on, further reducing operating cost.
Example IV
Fig. 4 is a flow chart of another embodiment of the single sign-on method provided by the present invention; the executing subject of this method may be the SSO client in the system described in the above embodiments. As shown in Fig. 4, the single sign-on method includes the following steps:
S401: during the process in which the user performs single sign-on through the user terminal, receive the access request of the user terminal.
S402: according to the access request and the token name generated by the SSO proxy server, initiate login verification to the account central server, the token name uniquely corresponding to the account central server.
Specifically, when the access request does not carry a token and/or a token name, the SSO client redirects the access request via the user terminal to the SSO proxy server, so that the SSO proxy server generates the token name and redirects the access request via the user terminal to the account central server.
When the access request carries a token and a token name, the SSO client obtains the token name from the access request and reads the token according to the token name. The token is generated by the account central server after it has successfully verified the user's account, and the token name is generated by the SSO proxy server. The SSO client then forwards the read token to the account central server via the SSO proxy server for token verification.
In embodiments of the present invention, after the SSO client receives the access request sent by the user terminal, it needs to judge whether the user is in a logged-in state. For example, it may judge by checking whether the session object (session) of the SSO client holds user information matching the user; if not, it further judges by checking whether the cookie carried in the access request contains a token name and/or a token; if these cannot be read from the cookie, the user is shown not to be logged in. Therefore, when the access request does not carry a token and/or a token name, the SSO client redirects the access request via the user terminal to the SSO proxy server. When the SSO proxy server receives the access request of the user terminal, it generates a token name and writes the token name into the cookie of the user terminal (token_name=aliyun_token).
When the access request carries a token and a token name, the SSO client obtains the token name from the access request, reads the token according to the token name, and sends the read token to the SSO proxy server. The SSO proxy server forwards the token (aliyun_token=xxxx) to the account central server for token verification (that is, the account central server judges whether the token is consistent with the token corresponding to the user that it has stored; if they are consistent, token verification succeeds).
S403: when the user information of the user forwarded by the SSO proxy server is received, store the user information in the session object.
In embodiments of the present invention, after the account central server succeeds in token verification, it may return the user information of the user to the SSO proxy server, which then forwards it to the SSO client, where it is stored in the session object (session). The session is a cache of the SSO client associated with the user terminal; when the browser of the user terminal is closed, the session becomes invalid.
Further, embodiments of the present invention may be applied to cross-domain single sign-on. When the SSO client and the account central server are not in the same domain (not under the same parent domain), the SSO client and the account center cannot share cookies. In this case, the single sign-on method provided by the embodiment of the present invention may further include:
S404: when the token carried in the access request cannot be read, redirect the access request via the user terminal to the SSO proxy server, so that the SSO proxy server converts the token into ticket information.
In embodiments of the present invention, when the SSO client and the account central server are not in the same domain, after the account central server redirects the access request carrying the token and the token name to the SSO client via the user terminal, the SSO client cannot read the token from the cookie and therefore still determines that the user is not logged in. At this point, the SSO client redirects the access request to the SSO proxy server; the parameters of the access request carry the return address of the SSO client, and the access request also carries the cookie in which the token (aliyun_token) is stored. When the SSO proxy server receives the access request carrying the token, it converts the token into ticket information (ticket) and redirects the ticket information via the user terminal to the SSO client. Specifically, the ticket is one-time ticket information: it usually contains no data itself but is associated with the user information kept in the account central server; it becomes invalid once consumed, its validity period is very short, and it becomes invalid once expired. The SSO proxy server is deployed in the same domain as the account central server, so it can obtain the token from the cookie and convert it into a ticket. In embodiments of the present invention, a ticket sent through a URL is not subject to cross-domain restrictions, so cross-domain single sign-on can be achieved.
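The ticket hand-off described for the cross-domain case (in the embodiment above that ends with the ticket being redeemed, and again in step S404 here) can be written out as a small ticket table kept by the SSO proxy server: a ticket is an unpredictable handle that is destroyed on first read and purged when it times out. The following is an added example, not code from the patent or from any system it describes; the names TicketStore and cross_domain_handoff, the 30-second lifetime, the return URL and the sample token values are constructed for the illustration, and the example keeps the ticket-to-token mapping in the proxy's own table rather than calling the account central server's open interface.

```python
"""Added example (not the patent's code): a one-time, short-lived ticket table
for the SSO proxy server's cross-domain hand-off.

Assumed names: TicketStore, cross_domain_handoff. Lifetime, URL and token
values are constructed for the example."""
import secrets
import time

TICKET_TTL_SECONDS = 30   # assumption: the page only says "very short"


class TicketStore:
    """Temporary table mapping a ticket to the token it was converted from.

    The ticket carries no data itself; it is only a handle to the token. It is
    destroyed on first read and removed by the periodic purge when expired.
    """

    def __init__(self, ttl=TICKET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable for deterministic testing
        self._table = {}             # ticket -> (token, expires_at)

    def issue(self, token):
        """Convert a token into a fresh unpredictable ticket (proxy side of S404)."""
        ticket = secrets.token_urlsafe(32)
        self._table[ticket] = (token, self._clock() + self._ttl)
        return ticket

    def consume(self, ticket):
        """Return the token for a ticket exactly once; None if unknown, used or expired."""
        entry = self._table.pop(ticket, None)   # pop: a single read destroys the ticket
        if entry is None:
            return None
        token, expires_at = entry
        if self._clock() > expires_at:
            return None
        return token

    def purge_expired(self):
        """Periodic refresh of the table: drop timed-out tickets, return the count."""
        now = self._clock()
        dead = [t for t, (_, exp) in self._table.items() if now > exp]
        for t in dead:
            del self._table[t]
        return len(dead)

    def __len__(self):
        return len(self._table)


def cross_domain_handoff(proxy_store, terminal_cookie, client_can_read_cookie):
    """Simulate S404. When the SSO client shares the account center's domain it
    reads the token directly; otherwise the proxy (which does share that domain)
    converts the cookie token into a ticket, passes it on in a URL, and the
    client's back end redeems the ticket with the proxy."""
    if client_can_read_cookie:
        return terminal_cookie["aliyun_token"]          # same-domain path, no ticket
    ticket = proxy_store.issue(terminal_cookie["aliyun_token"])
    redirect_url = f"https://client.example/sso/return?ticket={ticket}"  # constructed
    # The client's back end extracts the ticket from the URL and sends it to the proxy.
    received = redirect_url.rsplit("ticket=", 1)[1]
    return proxy_store.consume(received)
```

Because consume() pops the entry before checking expiry, an expired ticket is removed on the same read that rejects it, so a ticket can never be redeemed twice even if the purge has not run yet.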
In the embodiment of the present invention, the back-end interfaces used to verify the token or the ticket require authorized access, and authorization is based on a trusted identity credential of the SSO client. The identity credential consists of a pair of keys: a public key is carried in the request to indicate identity, and a secret key is used to sign the request, proving the authenticity of the identity. Further, a time-out timestamp may be carried in the request to prevent replay. In addition, private data such as the token, the ticket or the user information may be carried in the requests and responses of the back-end interface; there are two optional schemes for protecting this data: one is that the interface is provided over the Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) protocol, with the protocol guaranteeing the security of the transmission link; the other is that the private data is encrypted with the secret key held by the requesting party.
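The credential scheme just described (a public key identifier carried in the request, a secret key that signs it, and a timestamp that bounds replay) can be implemented with a keyed hash. The following is an added example, not code from the patent; the registry CLIENT_KEYS, the names sign_request and verify_request, the 60-second skew window and the canonical request format are assumptions made for the illustration. The replay marker set is an addition beyond the page, which only describes the timestamp check.

```python
"""Added example (not the patent's code): authorising a back-end interface call
with a key pair (public key id in the request, secret key signs it) plus a
time-out timestamp for replay resistance.

Assumed names: CLIENT_KEYS, sign_request, verify_request; skew window and body
format are assumptions."""
import hashlib
import hmac
import json
import time

# Constructed registry of SSO clients trusted by the proxy: public key id -> secret key.
CLIENT_KEYS = {"client-1-key-id": b"constructed-secret-for-client-1"}
MAX_SKEW_SECONDS = 60   # assumption: how far a request timestamp may drift from now


def _canonical(key_id, timestamp, body):
    """What the signature commits to; sorted-key JSON so both sides serialise alike."""
    return f"{key_id}\n{timestamp}\n{json.dumps(body, sort_keys=True)}".encode()


def sign_request(key_id, secret, body, now=None):
    """SSO client side: build the request sent to the proxy's verify interface."""
    timestamp = int(time.time() if now is None else now)
    sig = hmac.new(secret, _canonical(key_id, timestamp, body), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "timestamp": timestamp, "body": body, "signature": sig}


def verify_request(request, now=None, seen=None):
    """Proxy side. Returns (ok, reason). `seen` is an optional set of
    (key_id, timestamp, signature) tuples for rejecting exact replays that
    arrive inside the skew window."""
    secret = CLIENT_KEYS.get(request.get("key_id"))
    if secret is None:
        return False, "unknown key id"
    current = time.time() if now is None else now
    if abs(current - request["timestamp"]) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    expected = hmac.new(secret,
                        _canonical(request["key_id"], request["timestamp"], request["body"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["signature"]):
        return False, "bad signature"
    if seen is not None:
        marker = (request["key_id"], request["timestamp"], request["signature"])
        if marker in seen:
            return False, "replayed request"
        seen.add(marker)
    return True, "ok"
```

The timestamp is part of the signed string, so a client cannot refresh an old signature by editing the timestamp, and the proxy checks the window before doing the keyed-hash work so stale requests are cheap to reject.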
In the single sign-on method provided by the embodiment of the present invention, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name; and the SSO client reads the token easily according to the token name generated by the SSO proxy server. The differences between various account central servers are thus masked, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating costs. In addition, by converting the token into ticket information and transmitting it through a URL, cross-domain single sign-on can be achieved, further reducing operating costs.
Embodiment five
Fig. 5 is a flow chart of a further embodiment of the single sign-on method provided by the present invention; the executing subject of this method may be the account central server in the system described in the above embodiments. As shown in Fig. 5, the single sign-on method includes the following steps:
S501: during the process in which the user performs single sign-on through the user terminal, receive the access request sent by the SSO proxy server, the access request being generated by the user terminal when the user first logs into the system.
In embodiments of the present invention, when the user first logs into the system, the access request sent by the user terminal to the SSO client may be redirected by the SSO client via the user terminal to the SSO proxy server. The SSO proxy server generates a token name, writes the token name into the cookie of the user terminal (token_name=aliyun_token), and redirects the access request to the account central server. The account central server then performs login verification on the user according to the access request and the token name generated by the SSO proxy server. Specifically, this further includes the following steps:
S502: interact with the user terminal according to the access request to perform account verification on the user.
Specifically, in embodiments of the present invention, the account central server may return a login page to the user terminal, and the user submits the account and password to the account central server through the browser of the user terminal, thereby verifying the user's account.
S503: generate a token and write the token into the local cache of the user terminal.
After the account central server successfully verifies the user's account, it generates a token and writes it into the cookie of the user terminal. Specifically, the token may be written into the cookie of the user terminal through a Hypertext Transfer Protocol (HyperText Transfer Protocol; hereinafter HTTP) response message. The token generated by the account central server generally consists of information such as the unique ID of the user processed by cryptographic means; it can be used repeatedly and has a longer validity period.
In embodiments of the present invention, the token is stored in the cookie, and its content generally includes identity information of the logged-in user and the like. It is encrypted and decrypted by the account central server itself, and the SSO client does not need to understand its content. The validity period of the token is limited by the cookie time-out, which is set by the server side according to security requirements; at the shortest it may be set to session level, becoming invalid when the browser is closed. In addition, a timestamp may further be added to the token content to prevent the expiration date from being extended by illegally writing the cookie. Even if the token is hijacked, since the back-end interfaces require authorized access, the user information still cannot be obtained illegally.
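The point made in the last paragraph, that an issue timestamp inside the token makes a rewritten cookie lifetime useless, can be shown concretely. The following is an added example, not code from the patent. The page says the token is encrypted by the account central server; this example uses a keyed-hash (HMAC) authenticated encoding from the standard library instead, which is enough to demonstrate the timestamp check but does not hide the token content. The names mint_token, verify_token, set_cookie_header, ACCOUNT_CENTER_KEY and TOKEN_LIFETIME, and the eight-hour lifetime, are assumptions; the HttpOnly and Secure cookie attributes are standard attributes added as good practice and are not specified on the page.

```python
"""Added example (not the patent's code): an account-center token that carries
the user's identity plus an issue timestamp under a key only the account
center holds, so a cookie whose Max-Age was extended by rewriting it is still
rejected once the embedded timestamp is too old.

Assumptions: HMAC-authenticated encoding instead of the page's encryption;
names and lifetime are constructed."""
import base64
import hashlib
import hmac
import json
import time

ACCOUNT_CENTER_KEY = b"constructed-account-center-key"   # never shared with SSO clients
TOKEN_LIFETIME = 8 * 3600                                # assumption: a "longer" validity


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id, now=None):
    """Account center: after account verification, produce the cookie value."""
    payload = {"uid": user_id, "iat": int(time.time() if now is None else now)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(ACCOUNT_CENTER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token, now=None):
    """Account center: return the user id, or None if the token is forged or expired."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(ACCOUNT_CENTER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                      # tampered content or tag
    payload = json.loads(_unb64(body))
    current = time.time() if now is None else now
    # The embedded issue time bounds validity regardless of the cookie's own
    # expiry, so re-writing the cookie with a longer Max-Age gains nothing.
    if current - payload["iat"] > TOKEN_LIFETIME:
        return None
    return payload["uid"]


def set_cookie_header(token_name, token, max_age):
    """HTTP response header by which the account center writes the token (S503).
    HttpOnly and Secure are standard attributes added here as good practice."""
    return f"Set-Cookie: {token_name}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure"
```

The SSO client never needs to call verify_token; it only reads the cookie value under the token name and passes it on, which is exactly the opacity the paragraph describes.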
S504: redirect the access request via the user terminal to the SSO client, the access request carrying the token and the token name.
The account central server then redirects the access request carrying the token and the token name via the user terminal to the SSO client. The SSO client obtains the token name from the access request, reads the token according to the token name, and sends the read token to the SSO proxy server. The SSO proxy server forwards the token (aliyun_token=xxxx) to the account central server for token verification.
In the single sign-on method provided by the embodiment of the present invention, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name; and the SSO client reads the token easily according to the token name generated by the SSO proxy server. The differences between various account central servers are thus masked, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating costs.
Embodiment six
Fig. 6 is a flow chart of a specific embodiment of the single sign-on method provided by the present invention. As shown in Fig. 6, in the single sign-on system to which the embodiment of the present invention is applied there are one SSO proxy server, one account central server, two SSO clients (SSO client 1 and SSO client 2) and one user terminal. The single sign-on method includes the following steps:
S1: the user accesses the application (deployed in SSO client 1) for the first time through the browser of the user terminal;
S2: SSO client 1 determines that the user is not logged in and redirects the access request via the user terminal to the SSO proxy server; the parameters of the access request carry the return address of SSO client 1;
S3: the SSO proxy server generates a token name (token_name=aliyun_token) and writes the token name into the cookie of the user terminal;
S4: the SSO proxy server redirects the access request via the user terminal to the account central server; the parameters of the access request carry the return address of SSO client 1;
When the SSO proxy server redirects the access request via the user terminal to the account central server, it writes the generated token name into the cookie of the user terminal as the request passes through the user terminal; therefore steps S3 and S4 can essentially be regarded as one step, completed at the same time.
S5: the account central server returns a login page to the user terminal;
S6: the user terminal submits the account and password;
S7: the account central server performs account verification and, after the account verification succeeds, generates a token (aliyun_token=xxxx) and writes it into the cookie of the user terminal;
S8: the account central server redirects the access request via the user terminal to the return address of SSO client 1, the access request carrying the cookie of the user terminal;
When the account central server redirects the access request via the user terminal to the SSO client, it writes the generated token (aliyun_token=xxxx) into the cookie of the user terminal as the request passes through the user terminal; therefore steps S7 and S8 can essentially be regarded as one step, completed at the same time.
S9: SSO client 1 first obtains the token name from the cookie, then reads the token according to the token name (that is, aliyun_token=xxxx), and then sends aliyun_token from its back end to the SSO proxy server;
S10: the SSO proxy server sends aliyun_token to the account central server for token verification;
S11: the account central server performs token verification and, after the token verification succeeds, returns the user information to the SSO proxy server;
S12: the SSO proxy server returns the user information to SSO client 1, and SSO client 1 stores the user information in the session, completing the login.
In embodiments of the present invention, when the same user accesses SSO client 1 again through the user terminal, the following steps are executed:
S13: the user terminal sends an access request to SSO client 1, the access request carrying the user information of the user; SSO client 1 then verifies the user information, and since the user information of the user has already been stored in the session, there is no need to log in again.
In embodiments of the present invention, when the same user accesses SSO client 2 through the user terminal, the following steps are executed:
S14: the user terminal sends an access request to SSO client 2, the cookie in the access request carrying the token name and aliyun_token;
In embodiments of the present invention, SSO client 1 and SSO client 2 may be different background servers of the same application, or different applications of the same system.
S15: SSO client 2 first obtains the token name from the cookie, then reads aliyun_token from the cookie according to the token name, and then sends aliyun_token from its back end to the SSO proxy server.
S16: the SSO proxy server sends aliyun_token to the account central server for token verification;
S17: the account central server performs token verification and, after the token verification succeeds, returns the user information to the SSO proxy server;
S18: the SSO proxy server returns the user information to SSO client 2, and SSO client 2 stores the user information in the session, completing the login.
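Steps S1 to S18 above, together with the SSO client's login-state decision from Embodiment four (session first, then the token name and the token in the cookie), can be driven end to end in one process. The following is an added example, not code from the patent or from any system it describes: all four parties share a single dict standing in for the user terminal's cookie store, which is the same-domain case; the class names AccountCenter, SsoProxy and SsoClient, the constant TOKEN_NAME, the credential table and the session identifiers are constructed for the illustration. Nothing here models the cross-domain ticket path.

```python
"""Added example (not the patent's code): a same-domain simulation of S1 to S18
with one account center, one proxy, two SSO clients and one shared cookie store.

Names and the credential table are constructed for the example."""
import secrets

TOKEN_NAME = "aliyun_token"   # value the proxy writes under the cookie key token_name


class AccountCenter:
    """Holds accounts, mints tokens after a password check, verifies tokens."""

    def __init__(self, accounts):
        self._accounts = accounts          # constructed: user -> password
        self._tokens = {}                  # token -> user info

    def login(self, cookie, user, password):
        if self._accounts.get(user) != password:
            return False
        token = secrets.token_hex(16)
        self._tokens[token] = {"uid": user}
        cookie[cookie["token_name"]] = token   # S7/S8: token stored under the token name
        return True

    def verify_token(self, token):
        return self._tokens.get(token)         # None means token verification failed


class SsoProxy:
    """Generates the token name and relays token verification to the account center."""

    def __init__(self, account_center):
        self._ac = account_center

    def first_visit(self, cookie):
        cookie["token_name"] = TOKEN_NAME        # S3: written into the terminal cookie
        return "redirect:account_center"          # S4

    def verify(self, token):
        return self._ac.verify_token(token)       # S10/S11 and S16/S17


class SsoClient:
    """One application back end. Login state: session first, then the cookie."""

    def __init__(self, name, proxy):
        self.name = name
        self._proxy = proxy
        self.session = {}                         # session object, per SSO client

    def handle(self, cookie, session_id):
        user = self.session.get(session_id)
        if user:
            return "served", user                 # S13: user info already in session
        token_name = cookie.get("token_name")     # read the name, then the token by name
        token = cookie.get(token_name) if token_name else None
        if not token:
            return "redirect:proxy", None         # S2: not logged in
        user = self._proxy.verify(token)          # S9/S15: sent from the back end
        if user is None:
            return "redirect:proxy", None         # stale or forged token: start over
        self.session[session_id] = user           # S12/S18: store and complete login
        return "logged_in", user


def run_flow():
    """Drive S1 to S18 and return the outcome of each visit plus the final user."""
    ac = AccountCenter({"alice": "correct horse"})
    proxy = SsoProxy(ac)
    c1, c2 = SsoClient("client1", proxy), SsoClient("client2", proxy)
    cookie = {}                                   # the user terminal's cookie store
    s1 = c1.handle(cookie, "sess-c1")             # S1/S2: first visit, not logged in
    proxy.first_visit(cookie)                     # S3/S4: token name written
    ac.login(cookie, "alice", "correct horse")    # S5 to S8: password once, token written
    s2 = c1.handle(cookie, "sess-c1")             # S9 to S12
    s3 = c1.handle(cookie, "sess-c1")             # S13: served from session
    s4 = c2.handle(cookie, "sess-c2")             # S14 to S18: no password asked again
    return [s1[0], s2[0], s3[0], s4[0]], s4[1]
```

Client 2 never sees a password and never learns what the token means; it only needs the cookie key named by token_name, which is what lets the account center be swapped without touching the clients.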
In the single sign-on method provided by the embodiment of the present invention, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name; and the SSO client reads the token easily according to the token name generated by the SSO proxy server. The differences between various account central servers are thus masked, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating costs.
Embodiment seven
Fig. 7 is a structural schematic diagram of an embodiment of the single sign-on device provided by the present invention, which may be used to execute the method steps shown in Fig. 2 and Fig. 3. As shown in Fig. 7, the device may include a token name generation module 71 and a token name writing module 72.
The token name generation module 71 is used to generate a token name during the process in which the user performs single sign-on through the user terminal, the token name uniquely corresponding to the account central server; the token name writing module 72 is used to write the token name into the browser cache of the user terminal, so that the SSO client on which the target application is deployed initiates login verification according to the token name.
In embodiments of the present invention, when the user first logs into the system, the user terminal first sends an access request to the SSO client, the SSO client sends the access request to the SSO proxy server, and the token name generation module 71 then generates a token name uniquely corresponding to the account central server. The token name writing module 72 writes the token name into the browser cache (cookie) of the user terminal and forwards the access request to the account central server, so that the SSO client on which the accessed target application (that is, the application) is deployed initiates login verification for the user according to the token name.
Further, the token name generation module 71 may also be used to generate a token name when the access request of the user terminal is received and to redirect the access request via the user terminal to the account central server, the access request being generated by the user terminal when the user first logs into the system.
Further, the single sign-on device provided by the embodiment of the present invention may further include a first forwarding module 73. The first forwarding module 73 is used to forward the token read by the SSO client according to the token name to the account central server for token verification. The device may further include a second forwarding module 74. The second forwarding module 74 is used to forward the user information of the user, returned by the account central server after successful token verification, to the SSO client.
Still further, the single sign-on device provided by the embodiment of the present invention may further include a cross-domain processing module 75. The cross-domain processing module 75 is used, when an access request carrying a token is received, to convert the token into ticket information and to redirect the access request carrying the ticket information via the user terminal to the SSO client; and, when ticket information is received, to obtain the token according to the ticket information and send the token to the account central server for token verification. Specifically, the cross-domain processing module 75 may redirect the ticket information to the SSO client through the URL of the user terminal.
For the detailed functions of each module in the embodiment of the present invention, refer to the embodiments shown in Fig. 2 and Fig. 3 above; they are not repeated here.
In the single sign-on device provided by the embodiment of the present invention, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name; and the SSO client reads the token easily according to the token name generated by the SSO proxy server. The differences between various account central servers are thus masked, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating costs. In addition, by converting the token into ticket information and transmitting it through a URL, cross-domain single sign-on can be achieved, further reducing operating costs.
Embodiment eight
Fig. 8 is a structural schematic diagram of another embodiment of the single sign-on device provided by the present invention, which may be used to execute the method steps shown in Fig. 4. As shown in Fig. 8, the device may include a first receiving module 81 and a first verification module 82.
The first receiving module 81 is used to receive the access request of the user terminal during the process in which the user performs single sign-on through the user terminal; the first verification module 82 is used to initiate login verification to the account central server according to the access request and the token name generated by the SSO proxy server, the token name uniquely corresponding to the account central server.
In embodiments of the present invention, after the first receiving module 81 receives the access request sent by the user terminal, the first verification module 82 initiates login verification to the account central server according to the access request and the token name generated by the SSO proxy server.
Specifically, the first verification module 82 may also be used, when the access request does not carry a token and/or a token name, to redirect the access request via the user terminal to the SSO proxy server, so that the SSO proxy server generates the token name and redirects the access request via the user terminal to the account central server.
Further, the first verification module 82 may also be used, when the access request carries a token and a token name, to obtain the token name from the access request and read the token according to the token name, the token being generated by the account central server after successful account verification of the user, and the token name being generated by the SSO proxy server and uniquely corresponding to the account central server; and to forward the read token to the account central server via the SSO proxy server for token verification.
Further, the single sign-on device provided by the embodiment of the present invention may further include an information storage module 83. The information storage module 83 may be used to store the user information in the session object when the user information of the user forwarded by the SSO proxy server is received. The device may further include a sending module 84. The sending module 84 may be used, when the token carried in the access request cannot be read, to redirect the access request via the user terminal to the SSO proxy server, so that the SSO proxy server converts the token into ticket information.
For the detailed functions of each module in the embodiment of the present invention, refer to the embodiment shown in Fig. 4 above; they are not repeated here.
In the single sign-on device provided by the embodiment of the present invention, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name; and the SSO client reads the token easily according to the token name generated by the SSO proxy server. The differences between various account central servers are thus masked, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating costs. In addition, by converting the token into ticket information and transmitting it through a URL, cross-domain single sign-on can be achieved, further reducing operating costs.
Embodiment nine
Fig. 9 is a structural schematic diagram of another embodiment of the single sign-on device provided by the present invention, which may be used to execute the method steps shown in Fig. 5. As shown in Fig. 9, the device may include a second receiving module 91 and a second verification module 92.
The second receiving module 91 is used to receive the access request sent by the SSO proxy server during the process in which the user performs single sign-on through the user terminal, the access request being generated by the user terminal when the user first logs into the system; the second verification module 92 is used to perform login verification on the user according to the access request and the token name generated by the SSO proxy server.
In embodiments of the present invention, when the user first logs into the system, the user terminal sends an access request to the SSO client; after the second receiving module 91 receives the access request, the second verification module 92 performs login verification on the user according to the access request and the token name generated by the SSO proxy server. Specifically, the second verification module 92 may redirect the access request via the user terminal to the SSO proxy server. The SSO proxy server generates a token name, writes the token name into the cookie of the user terminal (token_name=aliyun_token), and redirects the access request to the account central server. The account central server then performs login verification on the user according to the access request and the token name generated by the SSO proxy server.
Further, the second verification module 92 may also be used to interact with the user terminal according to the access request to perform account verification on the user; to generate a token and write the token into the local cache of the user terminal; and to redirect the access request via the user terminal to the SSO client, the access request carrying the above token and token name.
Further, the second verification module 92 may also be used to write the token into the local cache of the user terminal through an HTTP response message.
For the detailed functions of each module in the embodiment of the present invention, refer to the embodiment shown in Fig. 5 above; they are not repeated here.
In the single sign-on device provided by the embodiment of the present invention, the SSO proxy server generates, during single sign-on, a token name uniquely corresponding to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name; and the SSO client reads the token easily according to the token name generated by the SSO proxy server. The differences between various account central servers are thus masked, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating costs.
Embodiment ten
The foregoing describes the internal functions and structure of each single sign-on device, which may be implemented as an electronic device. Fig. 10 is a structural schematic diagram of an embodiment of the electronic device provided by the present invention. As shown in Fig. 10, the electronic device includes a memory 11 and a processor 12.
The memory 11 is used to store a program. In addition to the above program, the memory 11 may also be configured to store various other data to support operations on the electronic device. Examples of such data include instructions of any application program or method operating on the electronic device, contact data, phone book data, messages, pictures, videos, and so on.
The memory 11 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
The processor 12 is coupled with the memory 11 and executes the program stored in the memory 11, so as to:
during the process in which the user performs single sign-on through the user terminal, generate a token name, the token name uniquely corresponding to the account central server; and write the token name into the browser cache of the user terminal, so that the SSO client on which the target application is deployed initiates login verification according to the token name.
Further, as shown in Fig. 1, the electronic device may further include other components such as a communication component 13, a power supply component 14, an audio component 15 and a display 16. Only some of the components are shown schematically in Fig. 10, which does not mean that the electronic device includes only the components shown in Fig. 10.
The communication component 13 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 13 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 13 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The power supply component 14 provides power to the various components of the electronic device. The power supply component 14 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the electronic device.
The audio component 15 is configured to output and/or input audio signals. For example, the audio component 15 includes a microphone (MIC), which is configured to receive external audio signals when the electronic device is in an operating mode such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in the memory 11 or sent via the communication component 13. In some embodiments, the audio component 15 further includes a loudspeaker for outputting audio signals.
The display 16 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, it may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action but also the duration and pressure associated with the touch or slide operation.
Embodiment eleven
The foregoing describes the internal functions and structure of each single sign-on device, which may be implemented as an electronic device. Fig. 11 is a structural schematic diagram of another embodiment of the electronic device provided by the present invention. As shown in Fig. 11, the electronic device includes a memory 21 and a processor 22.
The memory 21 is used to store a program. In addition to the above program, the memory 21 may also be configured to store various other data to support operations on the electronic device. Examples of such data include instructions of any application program or method operating on the electronic device, contact data, phone book data, messages, pictures, videos, and so on.
The memory 21 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
The processor 22 is coupled with the memory 21 and executes the program stored in the memory 21, so as to:
during the process in which the user performs single sign-on through the user terminal, receive the access request of the user terminal; and, according to the access request and the token name generated by the SSO proxy server, initiate login verification to the account central server, the token name uniquely corresponding to the account central server.
Further, as shown in Fig. 11, the electronic device may further include other components such as a communication component 23, a power supply component 24, an audio component 25 and a display 26. Only some of the components are shown schematically in Fig. 11, which does not mean that the electronic device includes only the components shown in Fig. 11.
The communication component 23 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 23 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 23 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The power supply component 24 provides power to the various components of the electronic device. The power supply component 24 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the electronic device.
The audio component 25 is configured to output and/or input audio signals. For example, the audio component 25 includes a microphone (MIC), which is configured to receive external audio signals when the electronic device is in an operating mode such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in the memory 21 or sent via the communication component 23. In some embodiments, the audio component 25 further includes a loudspeaker for outputting audio signals.
Display 26 includes screen, and screen may include liquid crystal display (LCD) and touch panel (TP).If screen Including touch panel, screen may be implemented as touch screen, to receive input signal from the user.Touch panel includes one Or multiple touch sensors are to sense the gesture on touch, slide, and touch panel.The touch sensor can be sensed not only The boundary of a touch or slide action, but also detect duration and pressure associated with the touch or slide operation.
Embodiment 12
The foregoing describes the internal functions and structure of each single sign-on device, which can be implemented as an electronic equipment. Figure 12 is a structural schematic diagram of an embodiment of the electronic equipment provided by the invention. As shown in Figure 12, the electronic equipment includes memory 31 and processor 32.
Memory 31 is used to store programs. In addition to the above programs, memory 31 is also configured to store various other data to support operation on the electronic equipment. Examples of such data include instructions for any application or method operating on the electronic equipment, contact data, phone book data, messages, pictures, video, and so on.
Memory 31 can be implemented by any kind of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
Processor 32 is coupled with memory 31 and executes the program stored in memory 31, in order to:
during the process of a user performing single sign-on through a user terminal, receive the access request sent by the SSO proxy server, the access request having been generated when the user first logs into the system through the user terminal; and, according to the access request and the token name generated by the SSO proxy server, perform login verification on the user.
Further, as shown in Figure 12, the electronic equipment may also include communication component 33, power supply module 34, audio component 35, display 36 and other components. Only some components are shown schematically in Figure 12; this does not mean that the electronic equipment includes only the components shown in Figure 12.
Communication component 33 is configured to facilitate wired or wireless communication between the electronic equipment and other equipment. The electronic equipment can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, communication component 33 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, communication component 33 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module can be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
Power supply module 34 provides power to the various components of the electronic equipment. Power supply module 34 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the electronic equipment.
Audio component 35 is configured to output and/or input audio signals. For example, audio component 35 includes a microphone (MIC); when the electronic equipment is in an operation mode such as call mode, recording mode or voice recognition mode, the microphone is configured to receive external audio signals. The received audio signals can be further stored in memory 31 or sent via communication component 33. In some embodiments, audio component 35 further includes a loudspeaker for outputting audio signals.
Display 36 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, it may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensor can sense not only the boundary of a touch or slide action but also the duration and pressure associated with the touch or slide operation.
Those of ordinary skill in the art will appreciate that all or part of the steps of each of the above method embodiments can be completed by program instructions controlling the relevant hardware. The aforementioned program can be stored in a computer-readable storage medium. When the program is executed, it performs the steps of each of the above method embodiments; the aforementioned storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that it is still possible to modify the technical solutions described in the foregoing embodiments, or to make equivalent replacements of some or all of the technical features; and these modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (24)

1. A single sign-on system, characterized in that it comprises: a user terminal, a single sign-on client, an account central server and a single sign-on proxy server,
the single sign-on proxy server being used to, during the process of a user performing single sign-on through the user terminal, generate a token name and write the token name to the browser cache of the user terminal, the token name uniquely corresponding to the account central server;
the single sign-on client being used to, when receiving an access request of the user terminal, initiate login verification to the account central server according to the access request and the token name generated by the single sign-on proxy server;
the account central server being used to, when receiving the access request sent by the single sign-on proxy server, perform login verification on the user according to the access request and the token name generated by the single sign-on proxy server, the access request having been generated when the user first logs into the system through the user terminal.
2. The single sign-on system according to claim 1, characterized in that
the single sign-on client is further used to, when the access request does not carry a token and/or a token name, forward the access request via the user terminal to the single sign-on proxy server;
the single sign-on proxy server is further used to, when receiving the access request of the user terminal, generate the token name and forward the access request via the user terminal to the account central server;
the account central server is further used to interact with the user terminal according to the access request in order to perform account verification on the user, generate a token, and write the token to the local cache of the user terminal; and to forward the access request via the user terminal to the single sign-on client, the access request carrying the token and the token name.
3. The single sign-on system according to claim 2, characterized in that
the single sign-on client is further used to, when the access request carries a token and a token name, obtain the token name from the access request and read the token according to the token name; and to forward the read token through the single sign-on proxy server to the account central server for token verification.
4. The single sign-on system according to claim 3, characterized in that
the single sign-on proxy server is further used to forward the user information of the user, returned by the account central server after successful token verification, to the single sign-on client;
the single sign-on client is further used to store the received user information in a session object.
5. A single sign-on method, characterized in that it comprises:
during the process of a user performing single sign-on through a user terminal, generating a token name, the token name uniquely corresponding to an account central server;
writing the token name to the browser cache of the user terminal, so that the single sign-on client deployed with the target application initiates login verification according to the token name.
6. The single sign-on method according to claim 5, characterized in that generating a token name during the process of the user performing single sign-on through the user terminal comprises:
when receiving an access request of the user terminal, generating the token name and forwarding the access request via the user terminal to the account central server, the access request having been generated when the user first logs into the system through the user terminal.
7. The single sign-on method according to claim 5, characterized in that it further comprises:
forwarding the token read by the single sign-on client according to the token name to the account central server for token verification.
8. The single sign-on method according to claim 5, characterized in that it further comprises:
forwarding the user information of the user, returned by the account central server after successful token verification, to the single sign-on client.
9. The single sign-on method according to any one of claims 5 to 8, characterized in that it further comprises:
when receiving an access request carrying a token, converting the token into ticket information, and forwarding the access request carrying the ticket information via the user terminal to the single sign-on client;
when receiving the ticket information, obtaining the token according to the ticket information, and sending the token to the account central server for token verification.
10. The single sign-on method according to claim 9, characterized in that forwarding the access request carrying the ticket information via the user terminal to the single sign-on client comprises:
sending the ticket information to the single sign-on client through the uniform resource locator of the user terminal.
11. A single sign-on method, characterized in that it comprises:
during the process of a user performing single sign-on through a user terminal, receiving an access request of the user terminal;
according to the access request and the token name generated by a single sign-on proxy server, initiating login verification to an account central server, the token name uniquely corresponding to the account central server.
12. The single sign-on method according to claim 11, characterized in that initiating login verification to the account central server according to the access request and the token name generated by the single sign-on proxy server comprises:
when the access request does not carry a token and/or a token name, forwarding the access request via the user terminal to the single sign-on proxy server, so that the single sign-on proxy server generates the token name and forwards the access request via the user terminal to the account central server.
13. The single sign-on method according to claim 11, characterized in that initiating login verification to the account central server according to the access request and the token name generated by the single sign-on proxy server comprises:
when the access request carries a token and a token name, obtaining the token name from the access request and reading the token according to the token name, the token having been generated by the account central server after successful account verification of the user, and the token name having been generated by the single sign-on proxy server and uniquely corresponding to the account central server;
forwarding the read token through the single sign-on proxy server to the account central server for token verification.
14. The single sign-on method according to claim 11, characterized in that it further comprises:
when receiving the user information of the user forwarded by the single sign-on proxy server, storing the user information in a session object.
15. The single sign-on method according to any one of claims 11 to 14, characterized in that it further comprises:
when the token carried in the access request cannot be read, forwarding the access request via the user terminal to the single sign-on proxy server, so that the single sign-on proxy server converts the token into ticket information.
16. A single sign-on method, characterized in that it comprises:
during the process of a user performing single sign-on through a user terminal, receiving an access request sent by a single sign-on proxy server, the access request having been generated when the user first logs into the system through the user terminal;
according to the access request and the token name generated by the single sign-on proxy server, performing login verification on the user.
17. The single sign-on method according to claim 16, characterized in that performing login verification on the user according to the access request and the token name generated by the single sign-on proxy server comprises:
interacting with the user terminal according to the access request to perform account verification on the user;
generating a token, and writing the token to the local cache of the user terminal;
forwarding the access request via the user terminal to the single sign-on client, the access request carrying the token and the token name.
18. The single sign-on method according to claim 17, characterized in that writing the token to the local cache of the user terminal comprises:
writing the token to the local cache of the user terminal by means of a hypertext transfer protocol response message.
19. A single sign-on device, characterized in that it comprises:
a token name generation module for generating a token name during the process of a user performing single sign-on through a user terminal, the token name uniquely corresponding to an account central server;
a token name writing module for writing the token name to the browser cache of the user terminal, so that the single sign-on client deployed with the target application initiates login verification according to the token name.
20. A single sign-on device, characterized in that it comprises:
a first receiving module for receiving an access request of a user terminal during the process of a user performing single sign-on through the user terminal;
a first verification module for initiating login verification to an account central server according to the access request and the token name generated by a single sign-on proxy server, the token name uniquely corresponding to the account central server.
21. A single sign-on device, characterized in that it comprises:
a second receiving module for receiving, during the process of a user performing single sign-on through a user terminal, an access request sent by a single sign-on proxy server, the access request having been generated when the user first logs into the system through the user terminal;
a second verification module for performing login verification on the user according to the access request and the token name generated by the single sign-on proxy server.
22. An electronic equipment, characterized in that it comprises:
a memory for storing a program;
a processor for running the program stored in the memory, in order to:
during the process of a user performing single sign-on through a user terminal, generate a token name, the token name uniquely corresponding to an account central server;
write the token name to the browser cache of the user terminal, so that the single sign-on client deployed with the target application initiates login verification according to the token name.
23. An electronic equipment, characterized in that it comprises:
a memory for storing a program;
a processor for running the program stored in the memory, in order to:
during the process of a user performing single sign-on through a user terminal, receive an access request of the user terminal;
according to the access request and the token name generated by a single sign-on proxy server, initiate login verification to an account central server, the token name uniquely corresponding to the account central server.
24. An electronic equipment, characterized in that it comprises:
a memory for storing a program;
a processor for running the program stored in the memory, in order to:
during the process of a user performing single sign-on through a user terminal, receive an access request sent by a single sign-on proxy server, the access request having been generated when the user first logs into the system through the user terminal;
according to the access request and the token name generated by the single sign-on proxy server, perform login verification on the user.
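The claims above describe one protocol with three server-side parties: the proxy generates a token name bound to the account central server and writes it to the browser cache (claims 1, 5, 6); the account central server verifies the account, issues the token and writes it through the HTTP response (claims 2, 17, 18); the client reads the token by its name from the redirected request and has it verified through the proxy (claims 3, 13); and when a client cannot read the token, the proxy converts it into single-use ticket information carried in the URL (claims 9, 10, 15). The following in-memory simulation is an added example and not the patent's or Alibaba's code. It assumes a shared cookie domain `sso.example` for the proxy and the account center, two application domains `a.app.example` and `b.app.example`, a 60-second ticket lifetime, a plaintext sample credential store, and a token-name scheme of `sso_token_<center id>`; HTTP redirects are modelled as the terminal re-sending the request to the named party.

```python
# Added example (not the patent's code): an in-memory simulation of the claimed SSO flow.
import secrets, time

SSO_DOMAIN = "sso.example"   # assumed: proxy and account center share one cookie domain

class UserTerminal:
    """Browser: a per-domain cache (cookie jar) that follows redirects (directed sending)."""
    def __init__(self, credentials):
        self.cache = {}                 # domain -> {name: value}
        self.credentials = credentials  # (user, password) the account center prompts for

    def write(self, domain, name, value):
        self.cache.setdefault(domain, {})[name] = value

    def send(self, party, path, params=None):
        request = {"path": path, "params": dict(params or {}),
                   "cookies": dict(self.cache.get(party.domain, {}))}
        response = party.handle(request, self)
        if "redirect" in response:      # the access request is forwarded via the terminal
            target, next_path, next_params = response["redirect"]
            return self.send(target, next_path, next_params)
        return response

class AccountCenter:
    """Account central server: account verification, token issue, token verification."""
    domain = SSO_DOMAIN
    def __init__(self):
        self.users = {"alice": "correct-horse"}  # constructed; real deployments store hashes
        self.tokens = {}                         # token -> user

    def handle(self, request, terminal):
        p = request["params"]
        user, password = terminal.credentials    # account verification via the terminal
        if not secrets.compare_digest(self.users.get(user, ""), password):
            return {"status": 401}
        token = secrets.token_urlsafe(32)        # 256-bit unguessable token
        self.tokens[token] = user
        terminal.write(self.domain, p["token_name"], token)   # Set-Cookie in the response
        return {"redirect": (p["client"], p["path"],         # back to the client, carrying
                             {"token_name": p["token_name"], p["token_name"]: token})}

    def verify_token(self, token):
        return {"user": self.tokens[token]} if token in self.tokens else None

class SsoProxy:
    """SSO proxy: generates the token name, issues tickets, forwards token verification."""
    domain = SSO_DOMAIN
    def __init__(self, account_center, center_id="center-1"):
        self.ac = account_center
        self.token_name = "sso_token_" + center_id   # one name per account center (assumed scheme)
        self.tickets = {}                            # ticket -> (token, expiry)

    def handle(self, request, terminal):
        p = request["params"]
        token = request["cookies"].get(self.token_name)
        if token is None:                            # first login: no token yet
            terminal.write(self.domain, "token_name", self.token_name)
            return {"redirect": (self.ac, "/login", {**p, "token_name": self.token_name})}
        # Token exists but the client (other domain) could not read it: convert to a ticket.
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (token, time.time() + 60)   # assumed 60 s ticket lifetime
        return {"redirect": (p["client"], p["path"], {"ticket": ticket})}

    def verify(self, token=None, ticket=None):  # server-to-server call from a client
        if ticket is not None:
            token, expiry = self.tickets.pop(ticket, (None, 0.0))   # single use
            if token is None or expiry < time.time():
                return None
        return self.ac.verify_token(token) if token else None

class SsoClient:
    """SSO client deployed with a target application; keeps user info in a session object."""
    def __init__(self, domain, proxy):
        self.domain, self.proxy = domain, proxy
        self.session = {}                            # stand-in for the session object

    def handle(self, request, terminal):
        p = request["params"]
        if "ticket" in p:                                      # ticket path
            info = self.proxy.verify(ticket=p["ticket"])
        elif "token_name" in p and p["token_name"] in p:       # token and token name carried
            info = self.proxy.verify(token=p[p["token_name"]]) # read the token by its name
        else:                                                  # nothing usable: go to the proxy
            return {"redirect": (self.proxy, "/sso", {"client": self, "path": request["path"]})}
        if info is None:
            return {"status": 401}
        self.session["user"] = info["user"]
        return {"status": 200, "user": info["user"], "path": request["path"]}

def run_demo(credentials=("alice", "correct-horse")):
    """Constructed scenario: first login at app A, then silent sign-on into app B by ticket."""
    terminal = UserTerminal(credentials)
    proxy = SsoProxy(AccountCenter())
    app_a, app_b = SsoClient("a.app.example", proxy), SsoClient("b.app.example", proxy)
    first = terminal.send(app_a, "/dashboard")
    second = terminal.send(app_b, "/reports")
    return first, second, proxy, terminal
```

`run_demo()` shows the two properties a reviewer of such a design checks: the second application never sees the credentials or the token itself (only a ticket that the proxy resolves server-side and discards after one use), and the token cookie stays scoped to the shared SSO domain, so an application domain cannot read it. With wrong credentials the account center answers 401 and no token or ticket is ever created.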

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810215484.XA CN110278179B (en) 2018-03-15 2018-03-15 Single sign-on method, device and system and electronic equipment

Publications (2)

Publication Number Publication Date
CN110278179A true CN110278179A (en) 2019-09-24
CN110278179B CN110278179B (en) 2021-08-10

Family

ID=67958103

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810215484.XA Active CN110278179B (en) 2018-03-15 2018-03-15 Single sign-on method, device and system and electronic equipment

Country Status (1)

Country Link
CN (1) CN110278179B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060041933A1 (en) * 2004-08-23 2006-02-23 International Business Machines Corporation Single sign-on (SSO) for non-SSO-compliant applications
CN101277193A (en) * 2008-05-05 2008-10-01 北京航空航天大学 One-point entry and access system based on authentication service acting information facing to service architecture
CN101626369A (en) * 2008-07-11 2010-01-13 中国移动通信集团公司 Method, device and system for single sign-on
CN101645021A (en) * 2009-06-18 2010-02-10 广东金宇恒科技有限公司 Integrating method for multisystem single-spot logging under Java application server
CN104378376A (en) * 2014-11-18 2015-02-25 深圳中兴网信科技有限公司 SOA-based single-point login method, authentication server and browser
CN105592035A (en) * 2015-04-03 2016-05-18 中国银联股份有限公司 Single sign on method used for multiple application systems
CN105897743A (en) * 2016-05-26 2016-08-24 努比亚技术有限公司 Cross-domain single sign-on method and server
CN105959267A (en) * 2016-04-25 2016-09-21 北京九州云腾科技有限公司 Primary token acquiring method of single sign on technology, single sign on method, and single sign on system
CN106131047A (en) * 2016-08-12 2016-11-16 乐视控股(北京)有限公司 Account login method and relevant device, account login system
CN106789930A (en) * 2016-11-28 2017-05-31 北京铭铭鑫软件有限公司 A kind of single-point logging method of (SuSE) Linux OS

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111062023A (en) * 2019-11-26 2020-04-24 深圳市思迪信息技术股份有限公司 Method and device for realizing single sign-on of multiple application systems
CN111062023B (en) * 2019-11-26 2024-04-30 深圳市思迪信息技术股份有限公司 Method and device for realizing single sign-on of multi-application system
CN111107063A (en) * 2019-12-04 2020-05-05 海南新软软件有限公司 Login method and device
CN111107063B (en) * 2019-12-04 2022-04-22 海南新软软件有限公司 Login method and device
CN111490974A (en) * 2020-03-20 2020-08-04 支付宝(杭州)信息技术有限公司 Cross-terminal registration method, client and registration server
CN111490974B (en) * 2020-03-20 2022-03-29 支付宝(杭州)信息技术有限公司 Cross-terminal registration method, client and registration server
CN111736830A (en) * 2020-06-17 2020-10-02 浙江申跃信息科技有限公司 Page integration method based on symbolic path analysis
CN112929378A (en) * 2021-02-19 2021-06-08 广东云智安信科技有限公司 Cross-domain single-point login service saving and acquiring method, system, device and medium
CN113347163A (en) * 2021-05-20 2021-09-03 远景智能国际私人投资有限公司 Single sign-on method, device, equipment and medium
CN114650142A (en) * 2022-02-25 2022-06-21 深圳市梦网科技发展有限公司 5G message identity authentication method, system and computer readable storage medium
CN114650142B (en) * 2022-02-25 2024-01-30 深圳市梦网科技发展有限公司 5G message identity authentication method, system and computer readable storage medium

Also Published As

Publication number Publication date
CN110278179B (en) 2021-08-10

Similar Documents

Publication Publication Date Title
US11283797B2 (en) Authenticating a user device associated with a user to communicate via a wireless network in a secure web-based environment
CN108901022B (en) Micro-service unified authentication method and gateway
CN110278179A (en) Single-point logging method, device and system and electronic equipment
US11297498B2 (en) Identity authentication
KR102624700B1 (en) Biometric identification and verification between IoT devices and applications
CN105007280B (en) A kind of application login method and device
US10326759B2 (en) Website authentication using an internet-connected device
US9608814B2 (en) System and method for centralized key distribution
CN109165500B (en) Single sign-on authentication system and method based on cross-domain technology
CN108011862A (en) The mandate of mirror image warehouse, access, management method and server and client side
US20050120214A1 (en) Systems and methods for enhancing security of communication over a public network
CN105144111A (en) Relay service for different WEB service architectures
CN101809585A (en) Password management
CN105556894A (en) Network connection automation
CN104054321A (en) Security management for cloud services
CN109768965A (en) A kind of login method of server, equipment and storage device
TW200810460A (en) Authentication of a principal in a federation
US20210014064A1 (en) Method and apparatus for managing user authentication in a blockchain network
CN107241339A (en) Auth method, device and storage medium
CN107464121A (en) Electronic account is reported the loss, solves extension, business management method, device and equipment
CN103220261A (en) Proxy method, device and system of open authentication application program interface
HUE026214T2 (en) A qualified electronic signature system, associated method and mobile phone device for a qualified electronic signature
Sabadello et al. Introduction to did auth
CN110493184A (en) The processing method of login page, device, electronic device in the client
JP4897503B2 (en) Account linking system, account linking method, linkage server device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant