CN110278179A - Single-point logging method, device and system and electronic equipment - Google Patents
- Publication number
- CN110278179A (application number CN201810215484.XA)
- Authority
- CN
- China
- Prior art keywords
- token
- sign
- access request
- user terminal
- user
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
Abstract
An embodiment of the invention provides a single sign-on method, device and system and electronic equipment. The method comprises: while a user performs single sign-on through a user terminal, generating a token name that uniquely corresponds to the account central server; and writing the token name to the browser cache of the user terminal, so that the single sign-on client deployed for the target application initiates login authentication according to that token name. In this embodiment, during single sign-on the single sign-on proxy server generates a token name that uniquely corresponds to the account central server, and login authentication is then initiated to the account central server through the proxy server according to that token name. This masks the differences between account central servers, so that the single sign-on client can work with any heterogeneous account central server; when the account central server of the system is replaced, the single sign-on client need not be modified, which reduces operating cost.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a single sign-on method, device and system and electronic equipment.
Background technique
Single sign-on is a popular current solution for enterprise application integration. Multiple applications rely on authentication by a unified account center login and share login state: a user only needs to log in once to access all mutually trusting applications, and logging out of one of them logs out of all of them.
In existing single sign-on schemes, multiple single sign-on clients verify the account and password through a unified account center. After one successful login, when the user accesses another single sign-on client no account or password needs to be entered again; the current single sign-on client verifies the user directly with the unified account center.
In implementing the present invention, the inventors found at least the following problem in the prior art: because different account centers use different account formats, an existing single sign-on client can only be designed for a single account format and cannot work with multiple heterogeneous account centers. If the account center of a single sign-on system is to be replaced, all single sign-on clients must be modified, and the operating cost is high.
Summary of the invention
An embodiment of the present invention provides a single sign-on method, device and system and electronic equipment to overcome the defect of the prior art: the single sign-on client is made compatible with any heterogeneous account center, which reduces the operating cost when the account center is replaced.
To achieve the above objective, an embodiment of the invention provides a single sign-on system comprising a user terminal, a single sign-on client, an account central server and a single sign-on proxy server. The single sign-on proxy server is configured to generate a token name while the user performs single sign-on through the user terminal and to write the token name to the browser cache of the user terminal, the token name uniquely corresponding to the account central server. The single sign-on client is configured, on receiving an access request from the user terminal, to initiate login authentication to the account central server according to the access request and the token name generated by the single sign-on proxy server. The account central server is configured, on receiving an access request sent by the single sign-on proxy server, to perform login authentication of the user according to the access request and the token name generated by the single sign-on proxy server, the access request having been generated by the user terminal when the user first logged in to the system.
An embodiment of the invention also provides a single sign-on method, comprising: while a user performs single sign-on through a user terminal, generating a token name that uniquely corresponds to the account central server; and writing the token name to the browser cache of the user terminal, so that the single sign-on client deployed for the target application initiates login authentication according to the token name.
An embodiment of the invention also provides a single sign-on method, comprising: while a user performs single sign-on through a user terminal, receiving the access request of the user terminal; and initiating login authentication to the account central server according to the access request and the token name generated by the single sign-on proxy server, the token name uniquely corresponding to the account central server.
An embodiment of the invention also provides a single sign-on method, comprising: while a user performs single sign-on through a user terminal, receiving the access request sent by the single sign-on proxy server, the access request having been generated by the user terminal when the user first logged in to the system; and performing login authentication of the user according to the access request and the token name generated by the single sign-on proxy server.
An embodiment of the invention also provides a single sign-on device, comprising: a token name generation module, configured to generate, while a user performs single sign-on through a user terminal, a token name that uniquely corresponds to the account central server; and a token name writing module, configured to write the token name to the browser cache of the user terminal, so that the single sign-on client deployed for the target application initiates login authentication according to the token name.
An embodiment of the invention also provides a single sign-on device, comprising: a first receiving module, configured to receive the access request of the user terminal while a user performs single sign-on through the user terminal; and a first authentication module, configured to initiate login authentication to the account central server according to the access request and the token name generated by the single sign-on proxy server, the token name uniquely corresponding to the account central server.
An embodiment of the invention also provides a single sign-on device, comprising: a second receiving module, configured to receive, while a user performs single sign-on through a user terminal, the access request sent by the single sign-on proxy server, the access request having been generated by the user terminal when the user first logged in to the system; and a second authentication module, configured to perform login authentication of the user according to the access request and the token name generated by the single sign-on proxy server.
An embodiment of the present invention also provides electronic equipment, comprising: a memory for storing a program; and a processor for running the program stored in the memory, so as to: while a user performs single sign-on through a user terminal, generate a token name that uniquely corresponds to the account central server; and write the token name to the browser cache of the user terminal, so that the single sign-on client deployed for the target application initiates login authentication according to the token name.
An embodiment of the present invention also provides electronic equipment, comprising: a memory for storing a program; and a processor for running the program stored in the memory, so as to: while a user performs single sign-on through a user terminal, receive the access request of the user terminal; and initiate login authentication to the account central server according to the access request and the token name generated by the single sign-on proxy server, the token name uniquely corresponding to the account central server.
An embodiment of the present invention also provides electronic equipment, comprising: a memory for storing a program; and a processor for running the program stored in the memory, so as to: while a user performs single sign-on through a user terminal, receive the access request sent by the single sign-on proxy server, the access request having been generated by the user terminal when the user first logged in to the system; and perform login authentication of the user according to the access request and the token name generated by the single sign-on proxy server.
In the single sign-on method, device and system and electronic equipment provided by embodiments of the present invention, during single sign-on the single sign-on proxy server generates a token name that uniquely corresponds to the account central server, and login authentication is then initiated to the account central server through the proxy server according to that token name. This masks the differences between account central servers and lets the single sign-on client work with any heterogeneous account central server; when the account central server of the system is replaced, the single sign-on client need not be modified, which reduces operating cost.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and so that the above and other objects, features and advantages of the present invention may be clearer and easier to understand, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered a limitation of the application. Throughout the drawings, the same reference numbers denote the same parts. In the drawings:
Fig. 1 is a system block diagram of an embodiment of the single sign-on system provided by the invention;
Fig. 2 is a flow chart of an embodiment of the single sign-on method provided by the invention;
Fig. 3 is a flow chart of another embodiment of the single sign-on method provided by the invention;
Fig. 4 is a flow chart of yet another embodiment of the single sign-on method provided by the invention;
Fig. 5 is a flow chart of a further embodiment of the single sign-on method provided by the invention;
Fig. 6 is a flow chart of a specific embodiment of the single sign-on method provided by the invention;
Fig. 7 is a schematic structural diagram of an embodiment of the single sign-on device provided by the invention;
Fig. 8 is a schematic structural diagram of another embodiment of the single sign-on device provided by the invention;
Fig. 9 is a schematic structural diagram of yet another embodiment of the single sign-on device provided by the invention;
Fig. 10 is a schematic structural diagram of an embodiment of the electronic equipment provided by the invention;
Fig. 11 is a schematic structural diagram of another embodiment of the electronic equipment provided by the invention;
Fig. 12 is a schematic structural diagram of yet another embodiment of the electronic equipment provided by the invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention may be understood more thoroughly and so that the scope of the disclosure is fully conveyed to those skilled in the art.
In the prior art, a single sign-on (Single Sign On; hereinafter: SSO) client is purpose-built for a specific account central server. That is, at system deployment time the SSO client is told the token name used by the account central server (e.g., token), so when it reads the browser cache (cookie) it directly reads the token content stored under that name (that is, token=xxxx). If the SSO client is instead designed to be generic, not tied to a particular account central server but paired with whichever account central server it is configured with, then the SSO client cannot know the token name of the account central server it is configured with. To address the defect that a prior-art single sign-on client cannot be compatible with multiple heterogeneous account centers, the application provides a solution whose basic principle is as follows. During single sign-on, when the SSO client initiates login authentication to the account central server through the SSO proxy server (verifying whether the user has logged in to the account central server), the SSO proxy server generates a token name (token_name) that uniquely corresponds to the account central server (agreed between the SSO proxy and the account central server) and writes that token name into the cookie of the user terminal. The SSO client can then use the token name to obtain the token (token) that the account central server generated when the user submitted the account and password, and further initiate login authentication to the account central server according to that token. The solution of the present invention overcomes the defect of the prior art: because the SSO proxy server generates a token name that uniquely corresponds to the account central server, the SSO client is decoupled from the account central server, the differences between account central servers are masked, and the SSO client can be paired with any heterogeneous account center (e.g., the Alibaba Cloud (Aliyun) account center, the Taobao account center, etc.); when the account center of the system is replaced, the SSO client need not be modified, which reduces operating cost.
The above explains the technical principle of the embodiments of the invention; the specific technical solutions of the embodiments are described in further detail below through several embodiments.
Embodiment one
Fig. 1 is a system block diagram of an embodiment of the single sign-on system provided by the invention. As shown in Fig. 1, the single sign-on system includes at least one user terminal, at least one SSO client, one account central server and one SSO proxy server. The SSO proxy server is configured to generate a token name while the user performs single sign-on through the user terminal and to write the token name to the browser cache (cookie) of the user terminal, the token name uniquely corresponding to the account central server. The SSO client is configured, on receiving an access request from the user terminal, to initiate login authentication to the account central server according to the access request and the token name generated by the SSO proxy server. The account central server is configured, on receiving an access request sent by the SSO proxy server, to perform login authentication of the user according to the access request and the token name generated by the SSO proxy server, the access request having been generated by the user terminal when the user first logged in to the system.
In embodiments of the invention, when the user first logs in to the system, the user terminal first sends an access request to the SSO client; the SSO client sends the access request to the SSO proxy server; the SSO proxy server then generates the token name that uniquely corresponds to the account central server and forwards the access request to the account central server, so that the account central server performs login authentication of the user according to the access request and the token name.
Further, after receiving the access request sent by the user terminal, the SSO client determines whether the user is in a logged-in state. For example, it may check whether its session object (session) holds user information matching the user; if not, it further checks whether the cookie carried in the access request contains a token name and/or a token, and if these cannot be read from the cookie, the user is not logged in. Therefore, when the access request carries no token and/or token name, the SSO client may also be configured to redirect the access request through the user terminal (that is, by an HTTP redirect of the user terminal) to the SSO proxy server. On receiving the access request of the user terminal, the SSO proxy server is further configured to generate the token name and to redirect the access request through the user terminal (that is, by a redirect) to the account central server. The account central server is further configured to interact with the user terminal according to the access request so as to perform account verification of the user, generate a token, write the token into the cookie of the user terminal, and redirect the access request carrying the token and the token name through the user terminal (that is, by a redirect) to the SSO client.
Further, if the SSO client can read a token from the received access request, the user has already logged in at the account central server. Therefore, when the access request carries a token and a token name, the SSO client may also be configured to obtain the token name from the access request, read the token according to the token name, and forward the token it read to the account central server through the SSO proxy server for token authentication.
In addition, the SSO proxy server may also be configured to forward to the SSO client the user information that the account central server returns after successful token authentication; the SSO client may then be configured to store the received user information in its session object. In embodiments of the invention the user information may include, but is not limited to, a unique ID identifying the user and a login name identifying the user.
In the single sign-on system provided by this embodiment of the invention, during single sign-on the SSO proxy server generates a token name that uniquely corresponds to the account central server; the token that the account central server generates after successful verification is stored under that token name, so the SSO client can read the corresponding token simply by using the token name generated by the SSO proxy server. This masks the differences between account central servers and lets the SSO client work with any heterogeneous account central server; when the account central server of the system is replaced, the SSO client need not be modified, which reduces operating cost.
Embodiment two
Fig. 2 is a flow chart of an embodiment of the single sign-on method provided by the invention; the method may be executed by the SSO proxy server in the system of the above embodiment. As shown in Fig. 2, the single sign-on method includes the following steps:
S201: while a user performs single sign-on through a user terminal, generate a token name that uniquely corresponds to the account central server.
In embodiments of the invention, the SSO client may be deployed with an application that needs to verify account legitimacy, typically the console of a functional product, which is accessed through the browser of the user terminal. When the user first logs in to the system, the user terminal first sends an access request to the SSO client; the SSO client sends the access request to the SSO proxy server, and the SSO proxy server then generates the token name (token_name) that uniquely corresponds to the account central server.
S202: write the token name to the browser cache of the user terminal, so that the SSO client deployed for the target application initiates login authentication according to that token name.
The SSO proxy server writes the token name to the browser cache (cookie) of the user terminal and forwards the access request to the account central server, so that the SSO client deployed for the target application (that is, the application to be accessed) initiates login authentication for the user according to that token name.
In the single sign-on method provided by this embodiment of the invention, during single sign-on the SSO proxy server generates a token name that uniquely corresponds to the account central server, and login authentication is then initiated to the account central server through the proxy server according to that token name. This masks the differences between account central servers and lets the SSO client work with any heterogeneous account central server; when the account central server of the system is replaced, the SSO client need not be modified, which reduces operating cost.
Embodiment three
Fig. 3 is a flow chart of another embodiment of the single sign-on method provided by the invention. As shown in Fig. 3, on the basis of the embodiment shown in Fig. 2, the single sign-on method provided by this embodiment may further include the following steps:
S301: generate the token name on receiving the access request of the user terminal.
In embodiments of the invention, after receiving the access request sent by the user terminal, the SSO client determines whether the user is in a logged-in state, for example by checking whether its session object (session) holds user information matching the user; if not, it further checks whether the cookie carried in the access request contains a token name and/or a token, and if these cannot be read from the cookie, the user is not logged in. Therefore, when the access request carries no token and/or token name, the SSO client redirects the access request through the user terminal to the SSO proxy server. On receiving the access request of the user terminal, the SSO proxy server generates the token name and writes it into the cookie of the user terminal (token_name=aliyun_token).
S302: redirect the access request through the user terminal to the account central server, the access request having been generated by the user terminal when the user first logged in to the system.
Meanwhile the access request is passed through user terminal directive sending (that is, redirection) into account by SSO proxy server
Central server.Account central server is interacted according to the access request with user terminal, carries out account verifying to the user,
Token is generated, and token is written to the cookie (aliyun_token=xxxx) of user terminal.Account central server will be taken
Access request with token and token name passes through user terminal directive sending (that is, redirection) to SSO client.
S303: forward the token that the SSO client read according to the token name to the account central server for token authentication.
The SSO client obtains the token name from the access request, reads the token according to the token name, and sends the token it read to the SSO proxy server. The SSO proxy server forwards the token (aliyun_token=xxxx) to the account central server for token authentication (that is, the account central server judges whether the token is consistent with the token it stores for the user; if they are consistent, token authentication succeeds).
S304: forward the user information of the user, returned by the account central server after successful token authentication, to the SSO client.
After token authentication succeeds, the account central server can return the user's information to the SSO proxy server, which then forwards it to the SSO client for storage.
Further, embodiments of the invention can be applied to cross-domain single sign-on. When the SSO client and the account central server are not in the same domain (not under the same parent domain), the SSO client and the account center cannot share cookies. In that case the single sign-on method provided by the embodiment may further include:
S305: on receiving an access request carrying the token, convert the token into ticket information, and redirect the access request carrying the ticket information through the user terminal to the SSO client.
S306: on receiving the ticket information, obtain the token according to the ticket information, and send the token to the account central server for token authentication.
In embodiments of the invention, when the SSO client and the account central server are not in the same domain, after the account central server has redirected the access request carrying the token and the token name through the user terminal (that is, by a redirect) to the SSO client, the SSO client cannot obtain the token from the cookie and therefore still determines that the user is not logged in. The SSO client then redirects the access request to the SSO proxy server; the parameters of the access request carry the return address of the SSO client, and the access request also carries the cookie in which the token (aliyun_token) is stored. When the SSO proxy server receives the access request carrying the token, it converts the token into ticket information (ticket) and redirects the ticket information through the user terminal to the SSO client. Specifically, the ticket is one-time ticket information: it usually contains no data itself but is associated with the user information kept in the account central server, it is invalidated after a single use, and its validity period is very short, so it expires quickly. The SSO proxy server is set up in the same domain as the account central server, so it can obtain the token from the cookie and convert it into a ticket. In embodiments of the invention the ticket is sent through a Uniform Resource Locator (hereinafter: URL), which is not subject to the cross-domain restriction, so cross-domain single sign-on can be achieved. In addition, the SSO proxy server may also redirect the ticket information to the SSO client through the URL of the user terminal. After the SSO client obtains the ticket from the access request, it sends the ticket from its back end to the SSO proxy server. On receiving the ticket, the SSO proxy server calls an open interface to obtain the user's token from the account central server using the ticket, and then sends the token to the account central server for token authentication.
In embodiments of the invention, the ticket may use an encryption mechanism similar to that of the token. In addition, the ticket may be stored in a temporary table that is refreshed periodically to clean up expired tickets, and a ticket is destroyed once it has been read.
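The ticket mechanism of S305/S306 (one-time, short-lived, held in a temporary table, destroyed on read, carried across domains in a URL rather than a cookie) as an added illustration; this is not code from the patent. The in-memory table, the HMAC tag on the ticket id (standing in for the "encryption mechanism similar to the token"), the injectable clock, the 60-second validity period and the sample token value are all assumptions made for the example.

```python
"""Cross-domain ticket exchange as described for S305/S306.
Added example, not the patent's code: the in-memory interim table, the HMAC tag,
the injectable clock, the TTL and the sample values are assumptions."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL_SECONDS = 60  # assumed "very short" validity period


class TicketStore:
    """Interim table kept by the SSO proxy server: ticket id -> (token, expiry).
    The ticket itself carries no user data; the token (and through it the user
    information at the account central server) stays server-side."""

    def __init__(self, secret: bytes, ttl: int = TICKET_TTL_SECONDS, clock=time.time):
        self.secret = secret
        self.ttl = ttl
        self.clock = clock      # injectable so expiry can be exercised deterministically
        self.table = {}

    def _tag(self, ticket_id: str) -> str:
        # Integrity tag so a guessed or tampered ticket is rejected before any table lookup.
        return hmac.new(self.secret, ticket_id.encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self, token: str) -> str:
        """Convert a token read from the same-domain cookie into a one-time ticket."""
        ticket_id = secrets.token_urlsafe(24)
        self.table[ticket_id] = (token, self.clock() + self.ttl)
        return f"{ticket_id}.{self._tag(ticket_id)}"

    def redeem(self, ticket: str):
        """Return the token for a valid ticket and destroy the ticket; None otherwise."""
        ticket_id, sep, tag = ticket.partition(".")
        if not sep or not hmac.compare_digest(tag, self._tag(ticket_id)):
            return None
        entry = self.table.pop(ticket_id, None)   # destroyed on first read, valid or not
        if entry is None:
            return None
        token, expires_at = entry
        return token if self.clock() <= expires_at else None

    def cleanup(self) -> int:
        """Periodic refresh: drop expired tickets; returns how many were removed."""
        now = self.clock()
        expired = [tid for tid, (_, exp) in self.table.items() if exp < now]
        for tid in expired:
            del self.table[tid]
        return len(expired)


def build_redirect(client_return_url: str, ticket: str) -> str:
    """The proxy redirects the user terminal to the SSO client's return address with the
    ticket in the URL, which is not subject to the cookie cross-domain restriction."""
    return f"{client_return_url}?{urlencode({'ticket': ticket})}"


def extract_ticket(url: str):
    """SSO client side: pull the ticket out of the incoming request URL."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def cross_domain_login(store: TicketStore, token_cookie: str, client_return_url: str):
    """Whole exchange: proxy issues a ticket -> redirect URL -> the client extracts the
    ticket and sends it from its back end to the proxy -> the proxy redeems it for the token."""
    redirect_url = build_redirect(client_return_url, store.issue(token_cookie))
    ticket = extract_ticket(redirect_url)        # happens on the client's own domain
    return store.redeem(ticket)                   # client back end -> proxy, one use only


if __name__ == "__main__":
    store = TicketStore(b"proxy-secret")
    print(cross_domain_login(store, "aliyun_token_sample", "https://app.example.test/sso/callback"))
```

Two properties worth checking in any real implementation are visible here: a ticket is removed from the table on its first redemption whether or not it is still valid, so a replayed ticket yields nothing, and the integrity tag is checked before the table is consulted, so a tampered ticket cannot consume (or probe for) someone else's entry.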
In the single sign-on method provided by this embodiment of the invention, during single sign-on the SSO proxy server generates a token name that uniquely corresponds to the account central server; the token that the account central server generates after successful verification is stored under that token name, so the SSO client can read the corresponding token simply by using the token name generated by the SSO proxy server. This masks the differences between account central servers and lets the SSO client work with any heterogeneous account central server; when the account central server of the system is replaced, the SSO client need not be modified, which reduces operating cost. In addition, by converting the token into ticket information and transmitting it by URL, cross-domain single sign-on is achieved, which further reduces operating cost.
Embodiment four
Fig. 4 is a flow chart of yet another embodiment of the single sign-on method provided by the invention; the method may be executed by the SSO client in the system of the above embodiments. As shown in Fig. 4, the single sign-on method includes the following steps:
S401: receive the access request of the user terminal while the user performs SSO through the user terminal.
S402: initiate login authentication to the account central server according to the access request and the token name generated by the SSO proxy server, the token name uniquely corresponding to the account central server.
Specifically, when the access request carries no token and/or token name, the SSO client redirects the access request through the user terminal to the SSO proxy server, so that the SSO proxy server generates the token name and redirects the access request through the user terminal to the account central server.
When the access request carries a token and a token name, the SSO client obtains the token name from the access request and reads the token according to the token name; the token was generated by the account central server after the user passed account verification, and the token name was generated by the SSO proxy server. The SSO client then forwards the token it read to the account central server through the SSO proxy server for token authentication.
In the embodiment of the present invention, after receiving the access request sent by the user terminal, the SSO client needs to determine whether the user is in a logged-in state. For example, it can check whether its session object (session) holds user information matching the user; if not, it further checks whether the cookie carried in the access request contains a token name and/or a token. If these cannot be read from the cookie, the user is determined not to be logged in. Therefore, when the access request carries no token and/or no token name, the SSO client redirects the access request through the user terminal to the SSO proxy server. On receiving the access request from the user terminal, the SSO proxy server generates a token name and writes it into the user terminal's cookie (token_name=aliyun_token).
When the access request carries a token and a token name, the SSO client obtains the token name from the access request, reads the token according to the token name, and sends the token it read to the SSO proxy server. The SSO proxy server forwards the token (aliyun_token=xxxx) to the account central server for token verification (that is, determining whether the token is consistent with the token for that user stored in the account central server; if they are consistent, token verification succeeds).
S403: when the user's user information forwarded by the SSO proxy server is received, storing the user information in the session object.
In the embodiment of the present invention, after token verification succeeds, the account central server can return the user's user information to the SSO proxy server, which forwards it on to the SSO client, where it is stored in the session object (session). The session is a cache in the SSO client associated with the user terminal; when the browser of the user terminal is closed, the session expires.
Further, the embodiment of the present invention is applicable to cross-domain single sign-on. When the SSO client and the account central server are not in the same domain (not under the same parent domain), the SSO client and the account center cannot share cookies. In that case, the single sign-on method provided by the embodiment of the present invention may further include:
S404: when the token carried in the access request cannot be read, redirecting the access request through the user terminal to the SSO proxy server, so that the SSO proxy server converts the token into ticket information.
In the embodiment of the present invention, when the SSO client and the account central server are not in the same domain, after the account central server redirects the access request carrying the token and the token name through the user terminal to the SSO client, the SSO client cannot read the token from the cookie and therefore still determines that the user is not logged in. At this point the SSO client redirects the access request to the SSO proxy server; the parameters of the access request carry the return address of the SSO client, and the access request carries the cookie holding the token (aliyun_token). When the SSO proxy server receives the access request carrying the token, it converts the token into ticket information (ticket) and redirects the ticket information through the user terminal to the SSO client. Specifically, a ticket is one-time ticket information: it usually contains no data itself but is associated with the user information kept in the account central server, it is invalidated after a single use, and its validity period is very short, so it expires when that period elapses. The SSO proxy server is set in the same domain as the account central server, so it can obtain the token from the cookie and convert it into a ticket. In the embodiment of the present invention, a ticket sent via URL is not subject to cross-domain restrictions, so cross-domain single sign-on can be achieved.
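The step S404 conversion described above, as an added example that is not code from the patent: the SSO proxy server reads the token through its token name, exchanges it for an opaque one-time ticket with a short lifetime, and the ticket travels in the redirect URL to the SSO client in another domain, which hands it back for verification. The account central server is reduced to a constructed token store; the class and function names, the ticket lifetime and the URL parameter name are assumptions.

```python
"""Added example, not code from the patent: the SSO proxy server converting a
cookie-bound token into a one-time, short-lived ticket that travels in the
redirect URL to an SSO client in another domain (step S404). The account
central server is reduced to a constructed token store; names, the ticket
lifetime and the URL parameter are assumptions."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL_SECONDS = 60  # "very short" validity period; the value is assumed

# Constructed stand-in for the account central server's token store: token -> user information
ACCOUNT_CENTER_TOKENS = {"tok-alice-0001": {"user_id": "alice"}}


def account_center_verify(token):
    """Token verification: succeeds only if the presented token equals a stored one."""
    return ACCOUNT_CENTER_TOKENS.get(token)


class SSOProxy:
    """SSO proxy server, in the same domain as the account center, so it can read its cookie."""

    def __init__(self):
        self.tickets = {}  # ticket -> (token, expiry); the ticket itself carries no data

    def issue_ticket(self, cookies, now=None):
        """Read the token via its token name and exchange it for an opaque one-time ticket."""
        token = cookies.get(cookies.get("token_name", ""))
        if token is None:
            return None
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(24)
        self.tickets[ticket] = (token, now + TICKET_TTL_SECONDS)
        return ticket

    def redeem_ticket(self, ticket, now=None):
        """Consume the ticket exactly once; unknown, reused or expired tickets fail."""
        now = time.time() if now is None else now
        entry = self.tickets.pop(ticket, None)  # pop: a second presentation finds nothing
        if entry is None:
            return None
        token, expiry = entry
        if now > expiry:
            return None
        return account_center_verify(token)


def redirect_url_with_ticket(return_address, ticket):
    """The ticket is appended to the SSO client's return address; a URL crosses domains freely."""
    return f"{return_address}?{urlencode({'ticket': ticket})}"


def ticket_from_url(url):
    """SSO client side: recover the ticket from the redirect URL it received."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def cross_domain_login(proxy, cookies, return_address, now=None):
    """S404 end to end: the SSO client cannot read the token cookie, so the proxy mints a
    ticket, redirects it through the user terminal, and the client redeems it."""
    ticket = proxy.issue_ticket(cookies, now)
    if ticket is None:
        return None
    url = redirect_url_with_ticket(return_address, ticket)
    return proxy.redeem_ticket(ticket_from_url(url), now)
```

The `pop` in `redeem_ticket` is what makes the ticket one-time; the expiry check bounds how long a ticket captured from a URL or log stays redeemable.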
In the embodiment of the present invention, the back-end interfaces used to verify tokens or tickets require authorized access, and authorization is based on trusted identity credentials of the SSO client. The identity credentials consist of a pair of keys: one public key is carried in the request to indicate identity, and the other, secret key is used to sign the request, proving that the identity is genuine. Further, the request may carry an expiry timestamp to prevent replay. In addition, the requests and responses of the back-end interfaces may carry private data such as tokens, tickets or user information; two optional schemes protect these data: one is to provide the interface over the Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) protocol, so that the protocol guarantees the security of the transmission link; the other is to encrypt the private data with a secret key held by the requesting party.
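The back-end interface authorization described above, as an added example that is not code from the patent: the SSO client carries a public key id in the request, signs the request with its secret key, and sets an expiry timestamp; the interface checks identity, signature and expiry, and a seen-signature set closes the replay window that the expiry alone leaves open. HMAC-SHA256, the header names and the key store are assumptions.

```python
"""Added example, not code from the patent: authorizing the back-end verification
interface with the credential pair described above. A public key id travels in
the request, the secret key signs it, and an expiry timestamp bounds replay;
a seen-signature set closes the remaining window. HMAC-SHA256, the header
names and the key store are assumptions."""
import hashlib
import hmac

# Constructed credential store held by the back-end interface: public key id -> secret key
CLIENT_KEYS = {"sso-client-1": b"constructed-secret-for-client-1"}
MAX_VALIDITY_SECONDS = 30  # how far ahead a request may set its expiry; assumed


def _string_to_sign(method, path, body, key_id, expires):
    # Bind the signature to method, path, body hash, identity and expiry.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, key_id, str(expires)]).encode()


def sign_request(method, path, body, key_id, secret, expires):
    """SSO client side: headers that show identity (key id) and prove it (signature)."""
    msg = _string_to_sign(method, path, body, key_id, expires)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Expires": str(expires), "X-Signature": sig}


def verify_request(method, path, body, headers, now, seen_signatures):
    """Back-end interface side: (True, key_id) on success, (False, reason) otherwise."""
    key_id = headers.get("X-Key-Id", "")
    secret = CLIENT_KEYS.get(key_id)
    if secret is None:
        return (False, "unknown key id")
    try:
        expires = int(headers.get("X-Expires", ""))
    except ValueError:
        return (False, "bad expiry")
    if now > expires:
        return (False, "expired")
    if expires - now > MAX_VALIDITY_SECONDS:
        return (False, "expiry too far ahead")
    expected = hmac.new(secret, _string_to_sign(method, path, body, key_id, expires),
                        hashlib.sha256).hexdigest()
    presented = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return (False, "bad signature")
    if presented in seen_signatures:  # same signed request presented again within its validity
        return (False, "replay")
    seen_signatures.add(presented)
    return (True, key_id)
```

Because the body hash is part of the signed string, a captured request cannot be re-used with a different token or ticket in its body.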
The single sign-on method provided in the embodiment of the present invention has the SSO proxy server generate, during single sign-on, a token name that corresponds uniquely to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name, and the SSO client reads the token according to the token name generated by the SSO proxy server. This masks the differences between account central servers, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating cost. In addition, by converting the token into ticket information and transmitting it via URL, cross-domain single sign-on can be achieved, further reducing operating cost.
Embodiment five
Fig. 5 is a flow chart of a further embodiment of the single sign-on method provided by the present invention; the executing subject of this method may be the account central server in the system described in the above embodiments. As shown in Fig. 5, the single sign-on method includes the following steps:
S501: during a user's single sign-on through a user terminal, receiving an access request sent by the SSO proxy server, where the access request was generated by the user terminal when the user first logged into the system.
In the embodiment of the present invention, when the user first logs into the system, the access request sent by the user terminal to the SSO client is redirected by the SSO client through the user terminal to the SSO proxy server. The SSO proxy server generates a token name, writes it into the user terminal's cookie (token_name=aliyun_token), and redirects the access request to the account central server. The account central server then performs login authentication for the user according to the access request and the token name generated by the SSO proxy server. Specifically, the method further includes the following steps:
S502: interacting with the user terminal according to the access request to perform account verification for the user.
Specifically, in the embodiment of the present invention, the account central server can return a login page to the user terminal, and the user submits an account and password to the account central server through the browser of the user terminal, so that the user's account is verified.
S503: generating a token and writing the token into the local cache of the user terminal.
After the account central server verifies the user's account successfully, it generates a token and writes it into the user terminal's cookie. Specifically, the token can be written into the user terminal's cookie through a Hypertext Transfer Protocol (HTTP) response message. The token generated by the account central server is generally information such as the user's unique ID processed by cryptographic means; it can be used repeatedly and has a longer validity period.
In the embodiment of the present invention, the token is stored in a cookie; its content generally includes identity information of the logged-in user and the like, it is encrypted and decrypted by the account central server itself, and the SSO client need not understand its content. The validity period of the token is limited by the cookie timeout, which is set by the server side according to security requirements; at the shortest it can be set to session level, so that it expires when the browser is closed. In addition, a timestamp can be added to the token content to prevent the expiry from being extended by illegally writing the cookie. Even if the token is hijacked, user information still cannot be obtained illegally, since the back-end interfaces require authorized access.
S504: redirecting the access request through the user terminal to the SSO client, the access request carrying the token and the token name.
Then, the account central server redirects the access request carrying the token and the token name through the user terminal to the SSO client. The SSO client obtains the token name from the access request, reads the token according to the token name, and sends the token it read to the SSO proxy server. The SSO proxy server forwards the token (aliyun_token=xxxx) to the account central server for token verification.
The single sign-on method provided in the embodiment of the present invention has the SSO proxy server generate, during single sign-on, a token name that corresponds uniquely to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name, and the SSO client reads the token according to the token name generated by the SSO proxy server. This masks the differences between account central servers, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating cost.
Embodiment six
Fig. 6 is a flow chart of a specific embodiment of the single sign-on method provided by the present invention. As shown in Fig. 6, the single sign-on system to which this embodiment of the present invention is applied has one SSO proxy server, one account central server, two SSO clients (SSO client 1 and SSO client 2) and one user terminal; the single sign-on method includes the following steps:
S1: the user accesses an application (deployed on SSO client 1) for the first time through the browser of the user terminal;
S2: SSO client 1 determines that the user is not logged in and redirects the access request through the user terminal to the SSO proxy server; the parameters of the access request carry the return address of SSO client 1;
S3: the SSO proxy server generates a token name (token_name=aliyun_token) and writes the token name into the cookie of the user terminal;
S4: the SSO proxy server redirects the access request through the user terminal to the account central server; the parameters of the access request carry the return address of SSO client 1;
When the SSO proxy server redirects the access request through the user terminal to the account central server, it writes the generated token name into the cookie of the user terminal as the request passes through the user terminal; therefore steps S3 and S4 can essentially be regarded as one step, completed at the same time.
S5: the account central server returns a login page to the user terminal;
S6: the user terminal submits the account and password;
S7: the account central server performs account verification; after the account is verified successfully, it generates a token (aliyun_token=xxxx) and writes it into the cookie of the user terminal;
S8: the account central server redirects the access request through the user terminal to the return address of SSO client 1; the access request carries the cookie of the user terminal;
When the account central server redirects the access request through the user terminal to the SSO client, it writes the generated token (aliyun_token=xxxx) into the cookie of the user terminal as the request passes through the user terminal; therefore steps S7 and S8 can essentially be regarded as one step, completed at the same time.
S9: SSO client 1 first obtains the token name from the cookie, then reads the token according to the token name (that is, aliyun_token=xxxx), and then sends aliyun_token from its back end to the SSO proxy server;
S10: the SSO proxy server sends aliyun_token to the account central server for token verification;
S11: the account central server performs token verification and, after token verification succeeds, returns the user information to the SSO proxy server;
S12: the SSO proxy server returns the user information to SSO client 1, and SSO client 1 stores the user information in the session, completing the login.
In the embodiment of the present invention, when the same user accesses SSO client 1 again through the user terminal, the following step is executed:
S13: the user terminal sends an access request to SSO client 1, the access request carrying the user's user information; SSO client 1 then verifies the user information, and since the user's user information is already stored in the session, no new login is required.
In the embodiment of the present invention, when the same user accesses SSO client 2 through the user terminal, the following steps are executed:
S14: the user terminal sends an access request to SSO client 2; the cookie in the access request carries the token name and aliyun_token;
In the embodiment of the present invention, SSO client 1 and SSO client 2 are different back-end servers of the same application, or may be different applications of the same system.
S15: SSO client 2 first obtains the token name from the cookie, then reads aliyun_token from the cookie according to the token name, and then sends aliyun_token from its back end to the SSO proxy server.
S16: the SSO proxy server sends aliyun_token to the account central server for token verification;
S17: the account central server performs token verification and, after token verification succeeds, returns the user information to the SSO proxy server;
S18: the SSO proxy server returns the user information to SSO client 2, and SSO client 2 stores the user information in the session, completing the login.
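Steps S1 to S18 above, together with the account-center-side steps S501 to S504, as an added simulation that is not code from the patent: the SSO client only reads the cookie named token_name and then the cookie that name points to, and hands that value to the SSO proxy server, so a second client logs the same user in without a password, and an account central server with a different token name can be substituted without touching the SSO client. Class and method names, and the account database, are assumptions.

```python
"""Added example, not code from the patent: a simulation of steps S1 to S18.
The SSO client never interprets the token; it reads the cookie named
token_name, reads the cookie that name points to, and hands that value to the
SSO proxy server, so replacing the account central server (a different token
name) needs no change in the SSO client. Class and method names are assumed."""
import secrets


class Browser:
    """User terminal: one cookie jar, shared because all parties are in the same domain."""

    def __init__(self):
        self.cookies = {}


class AccountCenter:
    """Account central server: verifies accounts, issues and verifies tokens."""

    def __init__(self, token_name, users):
        self.token_name = token_name  # "aliyun_token" in the patent text
        self.users = users            # constructed account database: account -> password
        self.tokens = {}              # issued token -> user information

    def login(self, browser, account, password):
        """S5 to S7: check the credentials, issue a token and write it into the cookie."""
        if self.users.get(account) != password:
            return False
        token = secrets.token_hex(16)  # opaque to the SSO client
        self.tokens[token] = {"account": account}
        browser.cookies[self.token_name] = token
        return True

    def verify_token(self, token):
        """S11 and S17: succeed only if the token matches one stored for a user."""
        return self.tokens.get(token)


class SSOProxy:
    """SSO proxy server: the only party that knows which account center is in use."""

    def __init__(self, account_center):
        self.ac = account_center

    def start_login(self, browser):
        """S3/S4: write the token name into the cookie before redirecting to the account center."""
        browser.cookies["token_name"] = self.ac.token_name

    def verify(self, token):
        """S10 and S16: forward the token to the account center for verification."""
        return self.ac.verify_token(token)


class SSOClient:
    """SSO client: holds a session per user terminal and knows no token format."""

    def __init__(self, proxy):
        self.proxy = proxy
        self.session = {}  # browser -> user information

    def read_token(self, browser):
        """S9/S15: token_name cookie first, then the cookie it names."""
        token_name = browser.cookies.get("token_name")
        return browser.cookies.get(token_name) if token_name else None

    def access(self, browser, credentials=None):
        """Outcome of one access request from the user terminal."""
        if browser in self.session:                     # S13: session already holds the user
            return ("session", self.session[browser])
        token = self.read_token(browser)
        if token is None:                               # S2: not logged in
            self.proxy.start_login(browser)             # S3/S4
            if credentials is None or not self.proxy.ac.login(browser, *credentials):
                return ("login_required", None)         # S5: login page shown
            token = self.read_token(browser)            # S8/S9: token now in the cookie
        info = self.proxy.verify(token)                 # S10 to S12 (or S16 to S18)
        if info is None:
            return ("login_required", None)
        self.session[browser] = info
        return ("login", info)


def run_flow(token_name="aliyun_token"):
    """Drive S1 to S18: first visit, login, repeat visit, second client without a password."""
    ac = AccountCenter(token_name, users={"alice": "correct-horse"})  # constructed data
    proxy = SSOProxy(ac)
    client1, client2 = SSOClient(proxy), SSOClient(proxy)
    browser = Browser()
    return [
        client1.access(browser)[0],                              # S1/S2: login page
        client1.access(browser, ("alice", "correct-horse"))[0],  # S3 to S12
        client1.access(browser)[0],                              # S13: served from session
        client2.access(browser)[0],                              # S14 to S18: no password needed
    ]
```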
The single sign-on method provided in the embodiment of the present invention has the SSO proxy server generate, during single sign-on, a token name that corresponds uniquely to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name, and the SSO client reads the token according to the token name generated by the SSO proxy server. This masks the differences between account central servers, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating cost.
Embodiment seven
Fig. 7 is a structural schematic diagram of an embodiment of the single sign-on apparatus provided by the present invention, which can be used to execute the method steps shown in Fig. 2 and Fig. 3. As shown in Fig. 7, the apparatus may include: a token name generation module 71 and a token name writing module 72.
The token name generation module 71 is used to generate a token name during a user's single sign-on through a user terminal, the token name corresponding uniquely to the account central server; the token name writing module 72 is used to write the token name into the browser cache of the user terminal, so that the SSO client on which the target application is deployed initiates login authentication according to the token name.
In the embodiment of the present invention, when the user first logs into the system, the user terminal first sends an access request to the SSO client, the SSO client sends the access request to the SSO proxy server, and the token name generation module 71 then generates a token name corresponding uniquely to the account central server. The token name writing module 72 writes the token name into the browser cache (cookie) of the user terminal and forwards the access request to the account central server, so that the SSO client on which the accessed target application (that is, the application) is deployed initiates login authentication for the user according to the token name.
Further, the token name generation module 71 can also be used to generate the token name when an access request from the user terminal is received and to redirect the access request through the user terminal to the account central server, the access request having been generated by the user terminal when the user first logged into the system.
Further, the single sign-on apparatus provided in the embodiment of the present invention may also include a first forwarding module 73. The first forwarding module 73 is used to forward the token read by the SSO client according to the token name to the account central server for token verification. The apparatus may also include a second forwarding module 74. The second forwarding module 74 is used to forward the user's user information, returned by the account central server after token verification succeeds, to the SSO client.
Still further, the single sign-on apparatus provided in the embodiment of the present invention may also include a cross-domain processing module 75. The cross-domain processing module 75 is used, when an access request carrying the token is received, to convert the token into ticket information and redirect the access request carrying the ticket information through the user terminal to the SSO client; and, when ticket information is received, to obtain the token according to the ticket information and send the token to the account central server for token verification. Specifically, the cross-domain processing module 75 can be used to redirect the ticket information to the SSO client through a URL of the user terminal.
The detailed functions of each module in the embodiment of the present invention are as in the embodiments shown in Fig. 2 and Fig. 3 above and are not repeated here.
The single sign-on apparatus provided in the embodiment of the present invention has the SSO proxy server generate, during single sign-on, a token name that corresponds uniquely to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name, and the SSO client reads the token according to the token name generated by the SSO proxy server. This masks the differences between account central servers, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating cost. In addition, by converting the token into ticket information and transmitting it via URL, cross-domain single sign-on can be achieved, further reducing operating cost.
Embodiment eight
Fig. 8 is a structural schematic diagram of another embodiment of the single sign-on apparatus provided by the present invention, which can be used to execute the method steps shown in Fig. 4. As shown in Fig. 8, the apparatus may include: a first receiving module 81 and a first authentication module 82.
The first receiving module 81 is used to receive an access request from the user terminal during a user's single sign-on through the user terminal; the first authentication module 82 is used to initiate login authentication to the account central server according to the access request and the token name generated by the SSO proxy server, the token name corresponding uniquely to the account central server.
In the embodiment of the present invention, after the first receiving module 81 receives the access request sent by the user terminal, the first authentication module 82 initiates login authentication to the account central server according to the access request and the token name generated by the SSO proxy server.
Specifically, the first authentication module 82 can also be used, when the access request carries no token and/or no token name, to redirect the access request through the user terminal to the SSO proxy server, so that the SSO proxy server generates a token name and redirects the access request through the user terminal to the account central server.
Further, the first authentication module 82 can also be used, when the access request carries a token and a token name, to obtain the token name from the access request and read the token according to the token name, where the token was generated by the account central server after the user's account was verified successfully, and the token name was generated by the SSO proxy server and corresponds uniquely to the account central server; the token read is forwarded through the SSO proxy server to the account central server for token verification.
Further, the single sign-on apparatus provided in the embodiment of the present invention may also include an information storage module 83. The information storage module 83 can be used to store the user's user information in the session object when the user information forwarded by the SSO proxy server is received. The apparatus may also include a sending module 84. The sending module 84 can be used, when the token carried in the access request cannot be read, to redirect the access request through the user terminal to the SSO proxy server, so that the SSO proxy server converts the token into ticket information.
The detailed functions of each module in the embodiment of the present invention are as in the embodiment shown in Fig. 4 above and are not repeated here.
The single sign-on apparatus provided in the embodiment of the present invention has the SSO proxy server generate, during single sign-on, a token name that corresponds uniquely to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name, and the SSO client reads the token according to the token name generated by the SSO proxy server. This masks the differences between account central servers, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating cost. In addition, by converting the token into ticket information and transmitting it via URL, cross-domain single sign-on can be achieved, further reducing operating cost.
Embodiment nine
Fig. 9 is a structural schematic diagram of another embodiment of the single sign-on apparatus provided by the present invention, which can be used to execute the method steps shown in Fig. 5. As shown in Fig. 9, the apparatus may include: a second receiving module 91 and a second authentication module 92.
The second receiving module 91 is used to receive the access request sent by the SSO proxy server during a user's single sign-on through a user terminal, the access request having been generated by the user terminal when the user first logged into the system; the second authentication module 92 is used to perform login authentication for the user according to the access request and the token name generated by the SSO proxy server.
In the embodiment of the present invention, when the user first logs into the system, the user terminal sends an access request to the SSO client; after the second receiving module 91 receives the access request, the second authentication module 92 performs login authentication for the user according to the access request and the token name generated by the SSO proxy server. Specifically, the second authentication module 92 can redirect the access request through the user terminal to the SSO proxy server. The SSO proxy server generates a token name, writes it into the user terminal's cookie (token_name=aliyun_token), and redirects the access request to the account central server. The account central server then performs login authentication for the user according to the access request and the token name generated by the SSO proxy server.
Further, the second authentication module 92 can also be used to interact with the user terminal according to the access request to perform account verification for the user; to generate a token and write it into the local cache of the user terminal; and to redirect the access request through the user terminal to the SSO client, the access request carrying the token and the token name.
Further, the second authentication module 92 can also be used to write the token into the local cache of the user terminal through an HTTP response message.
The detailed functions of each module in the embodiment of the present invention are as in the embodiment shown in Fig. 5 above and are not repeated here.
The single sign-on apparatus provided in the embodiment of the present invention has the SSO proxy server generate, during single sign-on, a token name that corresponds uniquely to the account central server; the token generated by the account central server after successful verification is stored under that uniquely corresponding token name, and the SSO client reads the token according to the token name generated by the SSO proxy server. This masks the differences between account central servers, so that the SSO client can be adapted to any heterogeneous account central server, and when the account central server of the system is replaced the SSO client needs no modification, which reduces operating cost.
Embodiment ten
The internal functions and structure of each single sign-on apparatus have been described above; the apparatus can be implemented as an electronic device. Fig. 10 is a structural schematic diagram of an embodiment of the electronic device provided by the present invention. As shown in Fig. 10, the electronic device includes a memory 11 and a processor 12.
The memory 11 is used to store a program. In addition to the above program, the memory 11 may also be configured to store various other data to support operations on the electronic device. Examples of such data include instructions of any application program or method operated on the electronic device, contact data, phonebook data, messages, pictures, videos and so on.
The memory 11 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor 12 is coupled with the memory 11 and executes the program stored in the memory 11 in order to: generate, during a user's single sign-on through a user terminal, a token name that corresponds uniquely to the account central server; and write the token name into the browser cache of the user terminal, so that the SSO client on which the target application is deployed initiates login authentication according to the token name.
Further, as shown in Fig. 10, the electronic device may also include: a communication component 13, a power supply component 14, an audio component 15, a display 16 and other components. Only some components are shown schematically in Fig. 10, which does not mean that the electronic device includes only the components shown in Fig. 10.
The communication component 13 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 13 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 13 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module can be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The power supply component 14 provides power to the various components of the electronic device. The power supply component 14 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the electronic device.
The audio component 15 is configured to output and/or input audio signals. For example, the audio component 15 includes a microphone (MIC); when the electronic device is in an operating mode such as a call mode, a recording mode or a voice recognition mode, the microphone is configured to receive external audio signals. The received audio signals can be further stored in the memory 11 or sent via the communication component 13. In some embodiments, the audio component 15 also includes a loudspeaker for outputting audio signals.
The display 16 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, it may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensor can sense not only the boundary of a touch or slide action but also the duration and pressure associated with the touch or slide operation.
Embodiment eleven
The internal functions and structure of each single sign-on apparatus have been described above; the apparatus can be implemented as an electronic device. Fig. 11 is a structural schematic diagram of another embodiment of the electronic device provided by the present invention. As shown in Fig. 11, the electronic device includes a memory 21 and a processor 22.
The memory 21 is used to store a program. In addition to the above program, the memory 21 may also be configured to store various other data to support operations on the electronic device. Examples of such data include instructions of any application program or method operated on the electronic device, contact data, phonebook data, messages, pictures, videos and so on.
The memory 21 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor 22 is coupled with the memory 21 and executes the program stored in the memory 21 in order to: receive, during a user's single sign-on through a user terminal, an access request from the user terminal; and initiate login authentication to the account central server according to the access request and the token name generated by the SSO proxy server, the token name corresponding uniquely to the account central server.
Further, as shown in Fig. 11, the electronic device may also include: a communication component 23, a power supply component 24, an audio component 25, a display 26 and other components. Only some components are shown schematically in Fig. 11, which does not mean that the electronic device includes only the components shown in Fig. 11.
The communication component 23 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 23 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 23 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module can be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
Power supply module 24 provides electric power for the various assemblies of electronic equipment.Power supply module 24 may include power management system
System, one or more power supplys and other with for electronic equipment generate, manage, and distribute the associated component of electric power.
Audio component 25 is configured as output and/or input audio signal.For example, audio component 25 includes a microphone
(MIC), when electronic equipment is in operation mode, when such as call mode, recording mode, and voice recognition mode, microphone is configured
To receive external audio signal.The received audio signal can be further stored in memory 21 or via communication component 23
It sends.In some embodiments, audio component 25 further includes a loudspeaker, is used for output audio signal.
Display 26 includes screen, and screen may include liquid crystal display (LCD) and touch panel (TP).If screen
Including touch panel, screen may be implemented as touch screen, to receive input signal from the user.Touch panel includes one
Or multiple touch sensors are to sense the gesture on touch, slide, and touch panel.The touch sensor can be sensed not only
The boundary of a touch or slide action, but also detect duration and pressure associated with the touch or slide operation.
Embodiment 12
The foregoing describes the internal functions and structure of each single sign-on device, which can be implemented as an electronic device. Figure 12 is a structural schematic diagram of an embodiment of the electronic device provided by the invention. As shown in Figure 12, the electronic device includes a memory 31 and a processor 32.
The memory 31 is used to store a program. In addition to the above program, the memory 31 may also be configured to store various other data to support operations on the electronic device. Examples of such data include instructions for any application or method operated on the electronic device, contact data, phonebook data, messages, pictures, video, and so on.
The memory 31 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor 32 is coupled to the memory 31 and executes the program stored in the memory 31, so as to: receive, while a user performs single sign-on through a user terminal, an access request sent by the SSO proxy server, the access request having been generated when the user first logs into the system through the user terminal; and perform login authentication of the user according to the access request and the token name generated by the SSO proxy server.
Further, as shown in Figure 12, the electronic device may also include a communication component 33, a power supply component 34, an audio component 35, a display 36 and other components. Figure 12 shows only some of the components schematically; this does not mean that the electronic device includes only the components shown in Figure 12.
The communication component 33 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 33 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 33 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The power supply component 34 provides power to the various components of the electronic device. The power supply component 34 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the electronic device.
The audio component 35 is configured to output and/or input audio signals. For example, the audio component 35 includes a microphone (MIC), which is configured to receive external audio signals when the electronic device is in an operating mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in the memory 31 or sent via the communication component 33. In some embodiments, the audio component 35 further includes a loudspeaker for outputting audio signals.
The display 36 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or swipe action, but also detect the duration and pressure associated with the touch or swipe operation.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the above method embodiments may be completed by hardware related to program instructions. The aforementioned program may be stored in a computer-readable storage medium. When the program is executed, it performs the steps of each method embodiment above; the aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements for some or all of the technical features; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (24)
1. A single sign-on system, characterized in that it comprises: a user terminal, a single sign-on client, an account central server and a single sign-on proxy server, wherein
the single sign-on proxy server is configured to, while a user performs single sign-on through the user terminal, generate a token name and write the token name into the browser cache of the user terminal, the token name corresponding uniquely to the account central server;
the single sign-on client is configured to, upon receiving an access request from the user terminal, initiate login authentication to the account central server according to the access request and the token name generated by the single sign-on proxy server;
the account central server is configured to, upon receiving the access request sent by the single sign-on proxy server, perform login authentication of the user according to the access request and the token name generated by the single sign-on proxy server, the access request having been generated when the user first logs into the system through the user terminal.
2. The single sign-on system according to claim 1, characterized in that
the single sign-on client is further configured to, when the access request carries no token and/or no token name, redirect the access request through the user terminal to the single sign-on proxy server;
the single sign-on proxy server is further configured to, upon receiving the access request from the user terminal, generate the token name and redirect the access request through the user terminal to the account central server;
the account central server is further configured to interact with the user terminal according to the access request, perform account verification of the user, generate a token, and write the token into the local cache of the user terminal; and to redirect the access request through the user terminal to the single sign-on client, the access request carrying the token and the token name.
3. The single sign-on system according to claim 2, characterized in that
the single sign-on client is further configured to, when the access request carries a token and a token name, obtain the token name from the access request and read the token according to the token name; and to forward the read token through the single sign-on proxy server to the account central server for token verification.
4. The single sign-on system according to claim 3, characterized in that
the single sign-on proxy server is further configured to forward to the single sign-on client the user information of the user returned by the account central server after successful token verification;
the single sign-on client is further configured to store the received user information in a session object.
5. A single sign-on method, characterized in that it comprises:
while a user performs single sign-on through a user terminal, generating a token name, the token name corresponding uniquely to an account central server;
writing the token name into the browser cache of the user terminal, so that the single sign-on client deployed by a target application initiates login authentication according to the token name.
6. The single sign-on method according to claim 5, characterized in that generating the token name while the user performs single sign-on through the user terminal comprises:
upon receiving an access request from the user terminal, generating the token name and redirecting the access request through the user terminal to the account central server, the access request having been generated when the user first logs into the system through the user terminal.
7. The single sign-on method according to claim 5, characterized in that it further comprises:
forwarding the token read by the single sign-on client according to the token name to the account central server for token verification.
8. The single sign-on method according to claim 5, characterized in that it further comprises:
forwarding to the single sign-on client the user information of the user returned by the account central server after successful token verification.
9. The single sign-on method according to any one of claims 5 to 8, characterized in that it further comprises:
upon receiving an access request carrying a token, converting the token into ticket information and redirecting the access request carrying the ticket information through the user terminal to the single sign-on client;
upon receiving the ticket information, obtaining the token according to the ticket information and sending the token to the account central server for token verification.
10. The single sign-on method according to claim 9, characterized in that redirecting the access request carrying the ticket information through the user terminal to the single sign-on client comprises:
redirecting the ticket information to the single sign-on client through the uniform resource locator of the user terminal.
11. A single sign-on method, characterized in that it comprises:
while a user performs single sign-on through a user terminal, receiving an access request from the user terminal;
initiating login authentication to an account central server according to the access request and the token name generated by a single sign-on proxy server, the token name corresponding uniquely to the account central server.
12. The single sign-on method according to claim 11, characterized in that initiating login authentication to the account central server according to the access request and the token name generated by the single sign-on proxy server comprises:
when the access request carries no token and/or no token name, redirecting the access request through the user terminal to the single sign-on proxy server, so that the single sign-on proxy server generates the token name and redirects the access request through the user terminal to the account central server.
13. The single sign-on method according to claim 11, characterized in that initiating login authentication to the account central server according to the access request and the token name generated by the single sign-on proxy server comprises:
when the access request carries a token and a token name, obtaining the token name from the access request and reading the token according to the token name, the token having been generated by the account central server after successful account verification of the user, and the token name having been generated by the single sign-on proxy server and corresponding uniquely to the account central server;
forwarding the read token through the single sign-on proxy server to the account central server for token verification.
14. The single sign-on method according to claim 11, characterized in that it further comprises:
upon receiving the user information of the user forwarded by the single sign-on proxy server, storing the user information in a session object.
15. The single sign-on method according to any one of claims 11 to 14, characterized in that it further comprises:
when the token carried in the access request cannot be read, redirecting the access request through the user terminal to the single sign-on proxy server, so that the single sign-on proxy server converts the token into ticket information.
16. A single sign-on method, characterized in that it comprises:
while a user performs single sign-on through a user terminal, receiving an access request sent by a single sign-on proxy server, the access request having been generated when the user first logs into the system through the user terminal;
performing login authentication of the user according to the access request and the token name generated by the single sign-on proxy server.
17. The single sign-on method according to claim 16, characterized in that performing login authentication of the user according to the access request and the token name generated by the single sign-on proxy server comprises:
interacting with the user terminal according to the access request and performing account verification of the user;
generating a token and writing the token into the local cache of the user terminal;
redirecting the access request through the user terminal to the single sign-on client, the access request carrying the token and the token name.
18. The single sign-on method according to claim 17, characterized in that writing the token into the local cache of the user terminal comprises:
writing the token into the local cache of the user terminal by means of a hypertext transfer protocol response message.
19. A single sign-on device, characterized in that it comprises:
a token name generation module, configured to generate a token name while a user performs single sign-on through a user terminal, the token name corresponding uniquely to an account central server;
a token name writing module, configured to write the token name into the browser cache of the user terminal, so that the single sign-on client deployed by a target application initiates login authentication according to the token name.
20. A single sign-on device, characterized in that it comprises:
a first receiving module, configured to receive an access request from a user terminal while a user performs single sign-on through the user terminal;
a first authentication module, configured to initiate login authentication to an account central server according to the access request and the token name generated by a single sign-on proxy server, the token name corresponding uniquely to the account central server.
21. A single sign-on device, characterized in that it comprises:
a second receiving module, configured to receive, while a user performs single sign-on through a user terminal, an access request sent by a single sign-on proxy server, the access request having been generated when the user first logs into the system through the user terminal;
a second authentication module, configured to perform login authentication of the user according to the access request and the token name generated by the single sign-on proxy server.
22. An electronic device, characterized in that it comprises:
a memory for storing a program;
a processor for running the program stored in the memory, so as to:
while a user performs single sign-on through a user terminal, generate a token name, the token name corresponding uniquely to an account central server;
write the token name into the browser cache of the user terminal, so that the single sign-on client deployed by a target application initiates login authentication according to the token name.
23. An electronic device, characterized in that it comprises:
a memory for storing a program;
a processor for running the program stored in the memory, so as to:
while a user performs single sign-on through a user terminal, receive an access request from the user terminal;
initiate login authentication to an account central server according to the access request and the token name generated by a single sign-on proxy server, the token name corresponding uniquely to the account central server.
24. An electronic device, characterized in that it comprises:
a memory for storing a program;
a processor for running the program stored in the memory, so as to:
while a user performs single sign-on through a user terminal, receive an access request sent by a single sign-on proxy server, the access request having been generated when the user first logs into the system through the user terminal;
perform login authentication of the user according to the access request and the token name generated by the single sign-on proxy server.
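The redirect flow of the claims above (the token name written into the browser cache and the redirect to the account central server of claims 1, 2 and 12; the token set by the HTTP response and read by name of claims 3, 13, 17 and 18; the one-time ticket carried in the URL when the token cannot be read, claims 9, 10 and 15; user information kept in the session, claims 4 and 14), as an added Python simulation that is not part of the patent. Host names, cookie domains, the token-name format, the in-memory ticket store and the browser's credentials tuple are all assumptions; reusing an already valid token for a second application goes slightly beyond what the claims state.

```python
import secrets

HOSTS = {}  # host name -> server object; stands in for DNS / Location resolution


class Browser:
    """User terminal: one cookie jar per cookie domain; it follows redirects, so every hop
    between servers passes 'through the user terminal' as the claims require."""
    def __init__(self, credentials):
        self.credentials, self.jar = credentials, {}  # credentials stand in for the login form

    def get(self, host, params=None, hops=0):
        if hops > 8:
            raise RuntimeError("redirect loop")
        server = HOSTS[host]
        resp = server.handle(dict(params or {}), dict(self.jar.get(server.domain, {})), self)
        if isinstance(resp, tuple):  # (next host, params, cookies written into the browser cache)
            next_host, next_params, set_cookies = resp
            self.jar.setdefault(server.domain, {}).update(set_cookies)
            return self.get(next_host, next_params, hops + 1)
        return resp


class AccountCenter:
    def __init__(self, host, domain, users):
        self.host, self.domain, self.users, self.tokens, self.logins = host, domain, users, {}, 0
        HOSTS[host] = self

    def handle(self, params, cookies, browser):
        name = params["token_name"]
        token = cookies.get(name)
        if token not in self.tokens:  # no valid token yet: claim 17, verify the account
            user, password = browser.credentials
            if not secrets.compare_digest(self.users.get(user, ""), password):
                raise PermissionError("account verification failed")
            token, self.logins = secrets.token_urlsafe(24), self.logins + 1
            self.tokens[token] = {"user": user}
        # Claim 18: the token reaches the browser cache in the HTTP response (a cookie under
        # the proxy-chosen token name); the redirect to the client carries only the name.
        return params["client"], {"token_name": name}, {name: token}

    def verify(self, token):
        return self.tokens.get(token)  # user information, or None


class SSOProxy:
    def __init__(self, host, domain, center):
        self.host, self.domain, self.center, self.tickets, self.tickets_issued = host, domain, center, {}, 0
        self.token_name = "sso_tok_" + secrets.token_hex(4)  # claim 1: one name per account center
        HOSTS[host] = self

    def handle(self, params, cookies, browser):
        if "token_name" in params:
            # Claims 9/15: the client could not read the token; the proxy shares the account
            # center's cookie domain, reads it and converts it into a one-time ticket in the URL.
            token = cookies.get(params["token_name"])
            if token is None:
                raise PermissionError("no token to convert")
            ticket = secrets.token_urlsafe(24)
            self.tickets[ticket] = token
            self.tickets_issued += 1
            return params["client"], {"ticket": ticket}, {}
        # Claim 2: generate the token name, cache it in the browser, redirect to the center.
        return self.center.host, {**params, "token_name": self.token_name}, {"token_name": self.token_name}

    def redeem(self, ticket):
        return self.tickets.pop(ticket, None)  # claim 9: ticket -> token, single use


class SSOClient:
    def __init__(self, host, domain, proxy):
        self.host, self.domain, self.proxy, self.session = host, domain, proxy, {}
        HOSTS[host] = self

    def handle(self, params, cookies, browser):
        if "ticket" in params:
            token = self.proxy.redeem(params["ticket"])
        elif "token_name" in params:
            token = cookies.get(params["token_name"])  # claims 3/13: read the token by its name
            if token is None:  # claim 15: unreadable (cross-domain cookie) -> ask the proxy for a ticket
                return self.proxy.host, {"client": self.host, **params}, {}
        else:  # claim 12: neither token nor token name -> start the login via the proxy
            return self.proxy.host, {"client": self.host}, {}
        info = self.proxy.center.verify(token) if token else None  # claims 3/4: verify via the proxy
        if info is None:
            raise PermissionError("token verification failed")
        self.session["user"] = info["user"]  # claims 4/14: user information kept in the session
        return "granted"


def demo(credentials=("alice", "s3cret")):
    center = AccountCenter("account.sso.example", "sso.example", {"alice": "s3cret"})
    proxy = SSOProxy("proxy.sso.example", "sso.example", center)
    same_site = SSOClient("portal.sso.example", "sso.example", proxy)    # can read the token cookie
    cross_site = SSOClient("app.other.example", "other.example", proxy)  # cannot; falls back to a ticket
    browser = Browser(credentials)
    results = (browser.get(same_site.host), browser.get(cross_site.host))
    return {"results": results, "users": (same_site.session.get("user"), cross_site.session.get("user")),
            "logins": center.logins, "tickets_issued": proxy.tickets_issued, "tickets_pending": len(proxy.tickets)}
```

The token itself never appears in the cross-domain client's URL; only the single-use ticket does, which is the property that makes the claim 9/10 fallback safer than passing the token in a query string.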
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810215484.XA CN110278179B (en) | 2018-03-15 | 2018-03-15 | Single sign-on method, device and system and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110278179A true CN110278179A (en) | 2019-09-24 |
CN110278179B CN110278179B (en) | 2021-08-10 |
Family
ID=67958103
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810215484.XA Active CN110278179B (en) | 2018-03-15 | 2018-03-15 | Single sign-on method, device and system and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110278179B (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060041933A1 (en) * | 2004-08-23 | 2006-02-23 | International Business Machines Corporation | Single sign-on (SSO) for non-SSO-compliant applications |
CN101277193A (en) * | 2008-05-05 | 2008-10-01 | 北京航空航天大学 | One-point entry and access system based on authentication service acting information facing to service architecture |
CN101626369A (en) * | 2008-07-11 | 2010-01-13 | 中国移动通信集团公司 | Method, device and system for single sign-on |
CN101645021A (en) * | 2009-06-18 | 2010-02-10 | 广东金宇恒科技有限公司 | Integrating method for multisystem single-spot logging under Java application server |
CN104378376A (en) * | 2014-11-18 | 2015-02-25 | 深圳中兴网信科技有限公司 | SOA-based single-point login method, authentication server and browser |
CN105592035A (en) * | 2015-04-03 | 2016-05-18 | 中国银联股份有限公司 | Single sign on method used for multiple application systems |
CN105897743A (en) * | 2016-05-26 | 2016-08-24 | 努比亚技术有限公司 | Cross-domain single sign-on method and server |
CN105959267A (en) * | 2016-04-25 | 2016-09-21 | 北京九州云腾科技有限公司 | Primary token acquiring method of single sign on technology, single sign on method, and single sign on system |
CN106131047A (en) * | 2016-08-12 | 2016-11-16 | 乐视控股(北京)有限公司 | Account login method and relevant device, account login system |
CN106789930A (en) * | 2016-11-28 | 2017-05-31 | 北京铭铭鑫软件有限公司 | A kind of single-point logging method of (SuSE) Linux OS |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111062023A (en) * | 2019-11-26 | 2020-04-24 | 深圳市思迪信息技术股份有限公司 | Method and device for realizing single sign-on of multiple application systems |
CN111062023B (en) * | 2019-11-26 | 2024-04-30 | 深圳市思迪信息技术股份有限公司 | Method and device for realizing single sign-on of multi-application system |
CN111107063A (en) * | 2019-12-04 | 2020-05-05 | 海南新软软件有限公司 | Login method and device |
CN111107063B (en) * | 2019-12-04 | 2022-04-22 | 海南新软软件有限公司 | Login method and device |
CN111490974A (en) * | 2020-03-20 | 2020-08-04 | 支付宝(杭州)信息技术有限公司 | Cross-terminal registration method, client and registration server |
CN111490974B (en) * | 2020-03-20 | 2022-03-29 | 支付宝(杭州)信息技术有限公司 | Cross-terminal registration method, client and registration server |
CN111736830A (en) * | 2020-06-17 | 2020-10-02 | 浙江申跃信息科技有限公司 | Page integration method based on symbolic path analysis |
CN112929378A (en) * | 2021-02-19 | 2021-06-08 | 广东云智安信科技有限公司 | Cross-domain single-point login service saving and acquiring method, system, device and medium |
CN113347163A (en) * | 2021-05-20 | 2021-09-03 | 远景智能国际私人投资有限公司 | Single sign-on method, device, equipment and medium |
CN114650142A (en) * | 2022-02-25 | 2022-06-21 | 深圳市梦网科技发展有限公司 | 5G message identity authentication method, system and computer readable storage medium |
CN114650142B (en) * | 2022-02-25 | 2024-01-30 | 深圳市梦网科技发展有限公司 | 5G message identity authentication method, system and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN110278179B (en) | 2021-08-10 |
Similar Documents
Publication | Title |
---|---|
US11283797B2 (en) | Authenticating a user device associated with a user to communicate via a wireless network in a secure web-based environment |
CN108901022B (en) | Micro-service unified authentication method and gateway |
CN110278179A (en) | Single-point logging method, device and system and electronic equipment |
US11297498B2 (en) | Identity authentication |
KR102624700B1 (en) | Biometric identification and verification between IoT devices and applications |
CN105007280B (en) | A kind of application login method and device |
US10326759B2 (en) | Website authentication using an internet-connected device |
US9608814B2 (en) | System and method for centralized key distribution |
CN109165500B (en) | Single sign-on authentication system and method based on cross-domain technology |
CN108011862A (en) | The mandate of mirror image warehouse, access, management method and server and client side |
US20050120214A1 (en) | Systems and methods for enhancing security of communication over a public network |
CN105144111A (en) | Relay service for different WEB service architectures |
CN101809585A (en) | Password management |
CN105556894A (en) | Network connection automation |
CN104054321A (en) | Security management for cloud services |
CN109768965A (en) | A kind of login method of server, equipment and storage device |
TW200810460A (en) | Authentication of a principal in a federation |
US20210014064A1 (en) | Method and apparatus for managing user authentication in a blockchain network |
CN107241339A (en) | Auth method, device and storage medium |
CN107464121A (en) | Electronic account is reported the loss, solves extension, business management method, device and equipment |
CN103220261A (en) | Proxy method, device and system of open authentication application program interface |
HUE026214T2 (en) | A qualified electronic signature system, associated method and mobile phone device for a qualified electronic signature |
Sabadello et al. | Introduction to did auth |
CN110493184A (en) | The processing method of login page, device, electronic device in the client |
JP4897503B2 (en) | Account linking system, account linking method, linkage server device |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
GR01 | Patent grant |