CN110365716A - A kind of implementation method of single-sign-on mode - Google Patents
Publication number: CN110365716A
Application number: CN201910799808.3A
Authority: CN (China)
Prior art keywords: bill, information, ticket, sign, platform
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
Abstract
The present invention provides an implementation method for a single sign-on (SSO) mode and belongs to the field of computer application technology. For a third party that submits application information, the system platform issues it an appcode and a signing certificate. The platform application end requests a temporary code from the platform server end and passes it to the application client. The application client digitally signs with the temporary code and the application identity and obtains a ticket from the SSO platform. The ticket state is checked to see whether it needs to be refreshed. User basic information and authentication information are obtained using the ticket. The security of user information is ensured to a high degree.
Description
Technical field
The present invention relates to computer application technology, and in particular to an implementation method for a single sign-on mode.
Background art
In the early stages of an enterprise's development, the enterprise uses very few systems, two or fewer; each system runs independently and has its own login module. As time passes and the number of systems the enterprise uses grows, the drawback that mutually independent systems cost time gradually becomes apparent, and SSO (Single Sign On, a single sign-on system) comes into being: it connects all the systems so that one login makes every related system browsable, with no need to log in repeatedly.
However, even with an SSO system, if we want one login to satisfy the requirement of login-free access at multiple points, it is still necessary to own an account that serves as the pass in order to browse the related web pages of other systems. For users who are pressed for time, registering yet another new account just to experience the convenience of single sign-on causes a needless waste of time and defeats the original intention of convenience; applying for an account is also tantamount to increasing the risk of information leakage, so that some users who are stricter about personal privacy protection hold back.
Summary of the invention
To solve the above technical problems, the present invention provides a technical method that realizes single sign-on through third-party application access. It both achieves the design concept of one login giving access to other interconnected systems and can be improved and innovated upon, and it lets users avoid the risk of information leakage without enduring a cumbersome registration flow.
The technical scheme of the invention is as follows:
An implementation method for a single sign-on mode: through login detection, login to the system platform and third-party application authorization, identity information is transmitted so that single sign-on is completed by means of the third party.
Further,
the platform application end requests a temporary code from the platform server end and passes it to the application client;
the application client digitally signs with the temporary code and the application identity and obtains a ticket from the SSO platform;
the ticket state is checked to determine whether it needs to be refreshed; user basic information and authentication information are obtained using the ticket.
Further,
the third-party application provides the corresponding information, and the system platform, according to the content the third party provides, issues a signing certificate and an authentication identifier.
The tickets include: the basic-information ticket accessTicket, the refresh ticket refreshTicket, and the authentication-information ticket realAuthTicket.
The returned content is: the return status identifier returnCode, the information description description, and the returned result result.
If the basic-information ticket accessTicket has expired, the refreshTicket parameter is transmitted to perform a ticket refresh operation and obtain the newest login ticket.
The return value includes: the result description description, the newest ticket result, and the return status identifier returnCode.
Further,
the application server end uses the basic-information ticket accessTicket, appcode and sign to obtain the user's basic information, where sign is generated from the signing certificate and the appCode identifier.
The application server end signs using the signature authentication utility class RsaUtils.java.
Further,
the third-party application obtains the user's real-name authentication information using realAuthTicket.
Encryption: the character field is first base64 encoded, and padding is then added in front of the resulting character string.
Decryption: the specific characters at the front are removed, and the remaining character string is then decrypted using the base64 algorithm.
The beneficial effects of the invention are as follows:
This method omits the cumbersome registration flow; the user only needs to log in to the third-party application and authorize, and account information can then be shared and the required resources accessed.
This method uses encrypted transmission when obtaining user basic information and authentication information from the SSO, which ensures the security of user information to a high degree.
Through the interaction and data transmission between the third-party application and the system platform, this method lets all content under the system platform be browsed using the third party's information.
Brief description of the drawings
Fig. 1 is a schematic workflow diagram of the invention;
Fig. 2 is a schematic diagram of the information a third party needs to provide.
Detailed description of the embodiments
To make the objects, technical scheme and advantages of the embodiments of the invention clearer, the technical scheme in the embodiments of the invention is described clearly and completely below with reference to the drawings in the embodiments of the invention. Clearly, the described embodiments are only some of the embodiments of the invention and not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative work fall within the protection scope of the invention.
In the single sign-on implementation method of the invention, for a third party that submits application information the system platform provides an appcode and a signing certificate, with which the application performs signature authentication when obtaining user information. When the application client obtains a ticket, it digitally signs with the temporary code and the application identity, and checks whether the ticket state needs to be refreshed. The user basic information and authentication information obtained are in encrypted form and must be decrypted, which guarantees security.
The invention is based on the single sign-on realization principle: through login detection, login to the system platform and third-party application authorization, identity information is transmitted so that single sign-on is completed by means of the third party. The flow is shown in Fig. 1.
A) Apply for platform access
The third-party application provides the corresponding information, and the system platform, according to the content the third party provides, issues a signing certificate and an authentication identifier.
An application that needs to access the platform must provide the content required by Fig. 2.
B) The application end obtains tickets
The third-party application server end uses the temporary code from the system platform server end and its own application identity to obtain the basic-information ticket, the refresh ticket and the authentication-information ticket.
The returned result is returnCode (return status identifier), description (information description) and result (returned result).
C) Check whether the ticket has expired and refresh it (refreshTicket)
If the accessTicket has expired, the refreshTicket parameter is transmitted to perform the ticket refresh operation and obtain the newest login ticket. The return value includes description (result description), result (newest ticket) and returnCode (return status identifier).
D) Obtain user basic information (certificate signature authentication)
The application server end uses accessTicket, appcode and sign to obtain the user's basic information, where sign is generated from the signing certificate and the appCode identifier by the signature authentication utility class. The application server end signs using the signature authentication utility class RsaUtils.java. Example: String sign = RsaUtil.sign(loginTicket + appCode);
(loginTicket: the content to be signed; appCode: the application code of each application, each corresponding to one signing certificate file *.P8)
E) Exchange for user authentication information (realAuthTicket encryption constraint)
The third-party application obtains the user's real-name authentication information using realAuthTicket.
i. Encryption: the character field is first base64 encoded, then a segment of specific characters is added in front of the resulting character string. For example:
"Li Ming" (李明) is base64 encoded to obtain "5p2O5piO"; "ch" is added at the head, finally giving "ch5p2O5piO".
ii. Decryption: the specific characters at the front are removed, then the remaining character string is decrypted using the base64 algorithm. For example:
the first 2 characters of the string "ch5p2O5piO" are removed, then the base64 algorithm decrypts it and the normal value is obtained.
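The ticket flow of steps B to E, as an added example written for this page and not the patent's own code (which is not published): a small Python model of the platform's ticket endpoint with the patent's {returnCode, description, result} response shape, the expiry-and-refresh check of step C, and the base64-plus-prefix encoding of step E with a decoder that rejects malformed input. Ticket formats, the 300-second lifetime, single-use refresh tickets and all class and function names are assumptions; base64 with a constant prefix is a reversible encoding with no secret, so confidentiality of the real-name data rests on the transport, not on this step.

```python
import base64
import binascii
import time

# Step E: base64 the field, then prepend the fixed marker ("ch" in the
# patent's own example). This is an encoding, not encryption: anyone holding
# the string can reverse it, so it gives no confidentiality on its own.
REAL_AUTH_PREFIX = "ch"


def encode_real_auth_field(value: str) -> str:
    """Patent's 'encryption': UTF-8 -> base64 -> prefix ('李明' -> 'ch5p2O5piO')."""
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return REAL_AUTH_PREFIX + b64


def decode_real_auth_field(token: str) -> str:
    """Patent's 'decryption', hardened: the text only says 'remove the first
    2 characters', so we check the prefix is really there and that the rest
    is valid base64 instead of silently decoding garbage."""
    if not token.startswith(REAL_AUTH_PREFIX):
        raise ValueError("realAuth field lacks the expected prefix")
    body = token[len(REAL_AUTH_PREFIX):]
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("realAuth field is not valid base64") from exc
    return raw.decode("utf-8")


# Steps B/C: a minimal model of the SSO platform's ticket endpoint. Ticket
# values, the lifetime and the single-use refresh are constructed for this
# example; the response shape {returnCode, description, result} is the patent's.
class TicketPlatform:
    ACCESS_TTL = 300  # seconds; constructed value, not from the patent

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._access = {}    # accessTicket -> expiry timestamp
        self._refresh = {}   # refreshTicket -> user id
        self._counter = 0

    def _new_ticket(self, kind: str) -> str:
        self._counter += 1
        return f"{kind}-{self._counter}"

    def issue(self, user_id: str) -> dict:
        """Step B: hand out the three tickets for an authenticated user."""
        access = self._new_ticket("access")
        refresh = self._new_ticket("refresh")
        self._access[access] = self._now() + self.ACCESS_TTL
        self._refresh[refresh] = user_id
        return {"returnCode": 0, "description": "ok",
                "result": {"accessTicket": access, "refreshTicket": refresh,
                           "realAuthTicket": self._new_ticket("realAuth")}}

    def access_ticket_expired(self, access: str) -> bool:
        """Step C check: unknown tickets count as expired."""
        expiry = self._access.get(access)
        return expiry is None or self._now() >= expiry

    def refresh(self, refresh_ticket: str) -> dict:
        """Step C: trade refreshTicket for fresh tickets; each refresh ticket
        is accepted once, so a replayed one is rejected with returnCode 1."""
        user_id = self._refresh.pop(refresh_ticket, None)
        if user_id is None:
            return {"returnCode": 1, "description": "invalid refreshTicket",
                    "result": None}
        return self.issue(user_id)
```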
The foregoing is merely a preferred embodiment of the invention, used only to illustrate the technical scheme of the invention and not intended to limit the protection scope of the invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the invention is included within the protection scope of the invention.
Claims (9)
1. An implementation method for a single sign-on mode, characterized in that: through login detection, login to the system platform and third-party application authorization, identity information is transmitted so that single sign-on is completed by means of the third party.
2. The method according to claim 1, wherein: the platform application end requests a temporary code from the platform server end and passes it to the application client; the application client digitally signs with the temporary code and the application identity and obtains a ticket from the SSO platform; the ticket state is checked to determine whether it needs to be refreshed; user basic information and authentication information are obtained using the ticket.
3. The method according to claim 2, characterized in that: the third-party application provides the corresponding information, and the system platform, according to the content the third party provides, issues a signing certificate and an authentication identifier.
4. The method according to claim 2, characterized in that: the tickets include the basic-information ticket accessTicket, the refresh ticket refreshTicket and the authentication-information ticket realAuthTicket; the returned content is the return status identifier returnCode, the information description description and the returned result result.
5. The method according to claim 4, characterized in that: if the basic-information ticket accessTicket has expired, the refreshTicket parameter is transmitted to perform a ticket refresh operation and obtain the newest login ticket; the return value includes the result description description, the newest ticket result and the return status identifier returnCode.
6. The method according to claim 5, characterized in that: the application server end uses the basic-information ticket accessTicket, appcode and sign to obtain the user's basic information, where sign is generated from the signing certificate and the appCode identifier.
7. The method according to claim 6, characterized in that: the application server end signs using the signature authentication utility class RsaUtils.java.
8. The method according to claim 1, wherein: the third-party application obtains the user's real-name authentication information using realAuthTicket.
9. The method according to claim 8, characterized in that: for encryption, the character field is first base64 encoded and padding is then added in front of the resulting character string; for decryption, the specific characters at the front are removed and the remaining character string is then decrypted using the base64 algorithm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910799808.3A CN110365716A (en) | 2019-08-28 | 2019-08-28 | A kind of implementation method of single-sign-on mode |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110365716A true CN110365716A (en) | 2019-10-22 |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112491881A (en) * | 2020-11-26 | 2021-03-12 | 中国人寿保险股份有限公司 | Cross-platform single sign-on method, system, electronic equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105897757A (en) * | 2016-06-12 | 2016-08-24 | 上海携程商务有限公司 | Authorization and authentication system and authorization and authentication method |
US20160285858A1 (en) * | 2015-03-27 | 2016-09-29 | Hong Li | Technologies for authentication and single-sign-on using device security assertions |
CN107294916A (en) * | 2016-03-31 | 2017-10-24 | 北京神州泰岳软件股份有限公司 | Single-point logging method, single-sign-on terminal and single-node login system |
CN107645474A (en) * | 2016-07-20 | 2018-01-30 | 腾讯科技(深圳)有限公司 | Log in the method for open platform and log in the device of open platform |
CN107786571A (en) * | 2017-11-07 | 2018-03-09 | 昆山云景商务服务有限公司 | A kind of method of user's unified certification |
CN110032842A (en) * | 2019-03-03 | 2019-07-19 | 北京立思辰安科技术有限公司 | The method for supporting single-sign-on and third party login simultaneously |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191022 |