CN110365716A - A kind of implementation method of single-sign-on mode - Google Patents


Info

Publication number
CN110365716A
Authority
CN
China
Prior art keywords
bill
information
ticket
sign
platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910799808.3A
Other languages
Chinese (zh)
Inventor
路以恒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Health And Medical Big Data Co Ltd
Original Assignee
Shandong Health And Medical Big Data Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Health And Medical Big Data Co Ltd
Priority to CN201910799808.3A
Publication of CN110365716A
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
              • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
                • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
              • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides an implementation method of a single-sign-on mode and belongs to the field of computer application technology. For a third party that submits application information, the system platform issues an appcode and a signing certificate. The platform application end requests an interim code from the platform server end and passes it to the application client. The application client digitally signs with the interim code and the application identity and obtains a ticket from the sso platform. The ticket state is checked to see whether it needs refreshing. The user's basic information and authentication information are then obtained with the ticket. This greatly ensures the security of the user information.

Description

A kind of implementation method of single-sign-on mode
Technical field
The present invention relates to computer application technology, and in particular to an implementation method of a single-sign-on mode.
Background technique
In the early stage of an enterprise, the systems it uses are few (two or fewer); each system runs independently and has its own login module. As time goes on and the number of systems an enterprise uses grows, the time-consuming drawback of systems being mutually independent gradually shows, and sso (Single Sign On) comes into being: it links the systems so that one login lets the user browse all related systems without logging in again.
However, even with an sso single sign-on system, if we want login-free access to multiple points from one login, the user still needs to hold an account that serves as the pass before browsing the pages of other systems. For users pressed for time, registering yet another new account in order to enjoy the convenience of single sign-on wastes time and runs counter to the original intention of convenience; moreover, applying for an account increases the risk of information leakage, which makes users who are strict about personal privacy hesitate.
Summary of the invention
To solve the above technical problems, the present invention provides a technical method that realizes single sign-on through third-party application access. It achieves the design concept of one login for access to all interconnected systems, can be improved and innovated upon, and lets the user avoid both the risk of information leakage and the tedium of a registration process.
The technical scheme is as follows:
An implementation method of a single-sign-on mode, which completes single sign-on through a third party by means of login detection, login to the system platform and third-party application authorization, and the transfer of identity information.
Further,
The platform application end requests an interim code from the platform server end and passes it to the application client;
The application client digitally signs with the interim code and the application identity and obtains a ticket from the sso platform;
Whether the ticket state needs refreshing is checked; the user's basic information and authentication information are obtained with the ticket.
Further,
The third-party application provides the corresponding information, and the system platform issues a signing certificate and an authentication identifier based on the content provided by the third party.
The ticket includes: the basic-information ticket accessTicket, the refresh ticket refreshTicket, and the authentication-information ticket realAuthTicket.
The returned content is: the return status identifier returnCode, the information description description, and the result result.
If the basic-information ticket accessTicket has expired, the refreshTicket parameter is sent to perform a ticket refresh operation, which obtains the newest login ticket.
The return value includes: the result description description, the newest ticket result, and the return status identifier returnCode.
Further,
The application server end uses the basic-information ticket accessTicket, appcode and sign to obtain the user's basic information, where sign is generated from the signing certificate and the appCode identifier.
The application server end signs with the signature authentication utility class RsaUtils.java.
Further,
The third-party application obtains the user's real-name authentication information with realAuthTicket.
Encryption: the field is first base64-encoded, then specific characters are prepended to the encoded string.
Decryption: the leading specific characters are removed, then the remaining string is decoded with the base64 algorithm.
The beneficial effects of the invention are as follows:
This method omits the cumbersome registration process: the user only needs to log into the third-party application and authorize, after which account information is shared and the required resources can be accessed.
This method transmits the user's basic information and authentication information to sso in encrypted form, which greatly ensures the security of the user information.
Through interaction and data transfer between the third-party application and the system platform, this method lets the user browse all content under the system platform using third-party information.
Detailed description of the invention
Fig. 1 is a schematic diagram of the workflow of the invention;
Fig. 2 is a schematic diagram of the information the third party needs to provide.
Specific embodiment
To make the objectives, technical scheme and advantages of the embodiments of the invention clearer, the technical scheme in the embodiments is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments obtained by those of ordinary skill in the art based on these embodiments without creative work fall within the scope of protection of the invention.
In the implementation method of single sign-on of the invention, for a third party that submits application information, the system platform provides an appcode and a signing certificate, which the application uses for signature authentication when obtaining user information. When the application client obtains a ticket, it digitally signs with the interim code and the application identity, and whether the ticket state needs refreshing is checked. The user's basic information and authentication information obtained with the ticket are in an encrypted state and must be decrypted, which guarantees security.
The invention is based on the realization principle of single sign-on: it completes single sign-on through a third party by means of login detection, login to the system platform and third-party application authorization, and the transfer of identity information. The flow is shown in Fig. 1.
A) Applying for platform access
The third-party application provides the corresponding information, and the system platform issues a signing certificate and an authentication identifier based on the content provided by the third party.
An application that needs to access the platform must provide the content required in Fig. 2.
B) The application end obtains a ticket
The third-party application server end uses the interim code from the system platform server end and its own application identity to obtain the basic-information ticket, the refresh ticket and the authentication-information ticket:
The result is returned as returnCode (return status identifier), description (information description) and result (the result).
C) Checking whether the ticket has expired and refreshing it (refreshTicket)
If the accessTicket has expired, the refreshTicket parameter is sent to perform a ticket refresh operation, which obtains the newest login ticket. The return value includes description (result description), result (newest ticket) and returnCode (return status identifier).
D) Obtaining the user's basic information (certificate signature authentication)
The application server end uses accessTicket, appcode and sign to obtain the user's basic information, where sign is generated from the signing certificate and the appCode identifier by the signature authentication utility class. The application server end signs with the signature authentication utility class RsaUtils.java. Example: String sign = RsaUtil.sign(loginTicket + appCode); (loginTicket: the content being signed; appCode: the application code of each application, each corresponding to one signing certificate file *.P8)
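The ticket flow of steps B to D, as an added illustrative example rather than the patent's own code: a minimal sso platform that issues a one-time interim code, exchanges it for the accessTicket/refreshTicket/realAuthTicket bundle in the returnCode/description/result shape, refreshes an expired accessTicket, and verifies sign over loginTicket + appCode before releasing user information. The SsoPlatform class, APP_KEYS, ACCESS_TTL and the HMAC used in place of the RSA certificate signature are assumptions of this example.

```python
"""Illustrative model of steps B-D; not the patent's own implementation."""
import hashlib
import hmac
import secrets
import time

# Hypothetical per-app credential from step A. The patent signs with an RSA
# certificate (RsaUtils.java); an HMAC key stands in so this runs on stdlib only.
APP_KEYS = {"app001": b"constructed-signing-secret"}
ACCESS_TTL = 2 * 60 * 60   # assumed accessTicket lifetime, in seconds


def make_sign(key: bytes, login_ticket: str, app_code: str) -> str:
    """sign = Sign(loginTicket + appCode), the shape of the patent's example."""
    msg = (login_ticket + app_code).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SsoPlatform:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.interim = {}         # interim code -> (appCode, expiry); one-time use
        self.access = {}          # accessTicket -> (userId, expiry)
        self.refresh = {}         # refreshTicket -> userId
        self.users = {"u42": {"name": "李明"}}   # constructed sample user

    def _reply(self, code, desc, result=None):
        # response shape named in the patent: returnCode, description, result
        return {"returnCode": code, "description": desc, "result": result}

    def _bundle(self, user_id):
        a, r, ra = (secrets.token_urlsafe(24) for _ in range(3))
        self.access[a] = (user_id, self.now() + ACCESS_TTL)
        self.refresh[r] = user_id
        return {"accessTicket": a, "refreshTicket": r, "realAuthTicket": ra}

    def _sign_ok(self, app_code, ticket, sign):
        key = APP_KEYS.get(app_code)
        return key is not None and hmac.compare_digest(
            sign, make_sign(key, ticket, app_code))

    def issue_interim_code(self, app_code):
        code = secrets.token_urlsafe(16)
        self.interim[code] = (app_code, self.now() + 60)   # short-lived
        return code

    def get_tickets(self, interim_code, app_code, sign, user_id):
        # user_id stands for the identity the platform bound at login (simplified)
        entry = self.interim.pop(interim_code, None)       # consume: replay fails
        if entry is None or entry[0] != app_code or entry[1] < self.now():
            return self._reply(1, "invalid or expired interim code")
        if not self._sign_ok(app_code, interim_code, sign):
            return self._reply(2, "bad signature")
        return self._reply(0, "ok", self._bundle(user_id))

    def refresh_ticket(self, refresh_ticket):
        user_id = self.refresh.pop(refresh_ticket, None)   # rotate on use
        if user_id is None:
            return self._reply(1, "unknown refreshTicket")
        return self._reply(0, "ok", self._bundle(user_id))

    def user_info(self, access_ticket, app_code, sign):
        entry = self.access.get(access_ticket)
        if entry is None or entry[1] < self.now():
            return self._reply(3, "accessTicket expired: call refresh")
        if not self._sign_ok(app_code, access_ticket, sign):
            return self._reply(2, "bad signature")
        return self._reply(0, "ok", self.users[entry[0]])
```

A real deployment would replace make_sign with RSA verification against the certificate issued at step A and keep the ticket tables in shared storage rather than in memory.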
E) Exchanging for the user's authentication information (realAuthTicket encryption convention)
The third-party application obtains the user's real-name authentication information with realAuthTicket.
i. Encryption: the field is first base64-encoded, then a segment of specific characters is prepended to the encoded string. For example:
"Li Ming" (李明) base64-encoded gives "5p2O5piO"; adding "ch" at the head finally gives "ch5p2O5piO".
ii. Decryption: the leading specific characters are removed, then the remaining string is decoded with the base64 algorithm. For example:
For the string "ch5p2O5piO", the first two characters are removed, then base64 decoding yields the normal value.
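The step E payload convention as an added example (not the patent's code), using the page's own "ch" marker and the Li Ming string as the worked case; wrap_real_auth and unwrap_real_auth are names assumed here.

```python
"""Step E payload handling: base64 plus a fixed leading marker, and its reverse."""
import base64
import binascii

MARKER = "ch"   # the "specific characters" prepended after base64 encoding


def wrap_real_auth(text: str) -> str:
    """The patent's 'encryption': UTF-8 -> base64 -> prepend the marker.
    This is an encoding, not encryption: anyone holding the string can reverse
    it without a key, so confidentiality rests on the transport, not this step."""
    return MARKER + base64.b64encode(text.encode("utf-8")).decode("ascii")


def unwrap_real_auth(payload: str) -> str:
    """The patent's 'decryption': drop the marker, strict base64-decode, UTF-8.
    Rejects payloads without the marker or with non-base64 characters rather
    than silently decoding garbage."""
    if not payload.startswith(MARKER):
        raise ValueError("real-auth payload lacks the expected marker")
    try:
        raw = base64.b64decode(payload[len(MARKER):], validate=True)
    except binascii.Error as exc:
        raise ValueError("real-auth payload is not valid base64") from exc
    return raw.decode("utf-8")
```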
The foregoing is only a preferred embodiment of the invention, intended only to illustrate the technical scheme of the invention and not to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention is included within its scope of protection.

Claims (9)

1. An implementation method of a single-sign-on mode, characterized in that
single sign-on is completed through a third party by means of login detection, login to the system platform and third-party application authorization, and the transfer of identity information.
2. The method according to claim 1, wherein
the platform application end requests an interim code from the platform server end and passes it to the application client;
the application client digitally signs with the interim code and the application identity and obtains a ticket from the sso platform;
whether the ticket state needs refreshing is checked; the user's basic information and authentication information are obtained with the ticket.
3. The method according to claim 2, characterized in that
the third-party application provides the corresponding information, and the system platform issues a signing certificate and an authentication identifier based on the content provided by the third party.
4. The method according to claim 2, characterized in that
the ticket includes: the basic-information ticket accessTicket, the refresh ticket refreshTicket, and the authentication-information ticket realAuthTicket;
the returned content is: the return status identifier returnCode, the information description description, and the result result.
5. The method according to claim 4, characterized in that
if the basic-information ticket accessTicket has expired, the refreshTicket parameter is sent to perform a ticket refresh operation, which obtains the newest login ticket;
the return value includes: the result description description, the newest ticket result, and the return status identifier returnCode.
6. The method according to claim 5, characterized in that
the application server end uses the basic-information ticket accessTicket, appcode and sign to obtain the user's basic information, where sign is generated from the signing certificate and the appCode identifier.
7. The method according to claim 6, characterized in that
the application server end signs with the signature authentication utility class RsaUtils.java.
8. The method according to claim 1, wherein
the third-party application obtains the user's real-name authentication information with realAuthTicket.
9. The method according to claim 8, characterized in that
encryption: the field is first base64-encoded, then specific characters are prepended to the encoded string;
decryption: the leading specific characters are removed, then the remaining string is decoded with the base64 algorithm.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910799808.3A CN110365716A (en) | 2019-08-28 | 2019-08-28 | A kind of implementation method of single-sign-on mode

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201910799808.3A CN110365716A (en) | 2019-08-28 | 2019-08-28 | A kind of implementation method of single-sign-on mode

Publications (1)

Publication Number | Publication Date
CN110365716A (en) | 2019-10-22

Family

ID=68225290

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201910799808.3A (Pending, CN110365716A, en) | A kind of implementation method of single-sign-on mode | 2019-08-28 | 2019-08-28

Country Status (1)

Country | Link
CN (1) | CN110365716A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112491881A (en) * | 2020-11-26 | 2021-03-12 | 中国人寿保险股份有限公司 | Cross-platform single sign-on method, system, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105897757A (en) * | 2016-06-12 | 2016-08-24 | 上海携程商务有限公司 | Authorization and authentication system and authorization and authentication method
US20160285858A1 (en) * | 2015-03-27 | 2016-09-29 | Hong Li | Technologies for authentication and single-sign-on using device security assertions
CN107294916A (en) * | 2016-03-31 | 2017-10-24 | 北京神州泰岳软件股份有限公司 | Single-point logging method, single-sign-on terminal and single-node login system
CN107645474A (en) * | 2016-07-20 | 2018-01-30 | 腾讯科技(深圳)有限公司 | Log in the method for open platform and log in the device of open platform
CN107786571A (en) * | 2017-11-07 | 2018-03-09 | 昆山云景商务服务有限公司 | A kind of method of user's unified certification
CN110032842A (en) * | 2019-03-03 | 2019-07-19 | 北京立思辰安科技术有限公司 | The method for supporting single-sign-on and third party login simultaneously

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20160285858A1 (en) * | 2015-03-27 | 2016-09-29 | Hong Li | Technologies for authentication and single-sign-on using device security assertions
CN107294916A (en) * | 2016-03-31 | 2017-10-24 | 北京神州泰岳软件股份有限公司 | Single-point logging method, single-sign-on terminal and single-node login system
CN105897757A (en) * | 2016-06-12 | 2016-08-24 | 上海携程商务有限公司 | Authorization and authentication system and authorization and authentication method
CN107645474A (en) * | 2016-07-20 | 2018-01-30 | 腾讯科技(深圳)有限公司 | Log in the method for open platform and log in the device of open platform
CN107786571A (en) * | 2017-11-07 | 2018-03-09 | 昆山云景商务服务有限公司 | A kind of method of user's unified certification
CN110032842A (en) * | 2019-03-03 | 2019-07-19 | 北京立思辰安科技术有限公司 | The method for supporting single-sign-on and third party login simultaneously

Similar Documents

Publication Publication Date Title
CN106961336B (en) A kind of key components trustship method and system based on SM2 algorithm
CN109274503A (en) Distributed collaboration endorsement method and distributed collaboration signature apparatus, soft shield system
JP4600851B2 (en) Establishing a secure context for communicating messages between computer systems
CN103973736B (en) A kind of method and device of data sharing
CN100580657C (en) Distributed single sign-on service
CN104917741B (en) A kind of plain text document public network secure transmission system based on USBKEY
CN102377788B (en) Single sign-on (SSO) system and single sign-on (SSO) method
CN101212293B (en) Identity authentication method and system
US20050154923A1 (en) Single use secure token appliance
CN102685110B (en) Universal method and system for user registration authentication based on fingerprint characteristics
CN107810617A (en) Secret certification and supply
CN102148819B (en) Information leakage-prevention collaborative office security system and method
KR20060100920A (en) Trusted third party authentication for web services
CN107465689A (en) The key management system and method for virtual credible platform module under cloud environment
CN106060078B (en) User information encryption method, register method and verification method applied to cloud platform
JP2004048679A (en) Session key security protocol
CN104394172A (en) Single sign-on device and method
CN103414559B (en) A kind of identity identifying method of based on class IBE system under cloud computing environment
CN109150821A (en) Data interactive method and system based on hypertext transfer protocol http
CN105827395A (en) Network user authentication method
CN108632035A (en) A kind of Oblivious Transfer system and method with access control
Weaver Secure sockets layer
CN102769623A (en) Two-factor authentication method based on digital certificate and biological identification information
CN102404337A (en) Data encryption method and device
CN109981287A (en) A kind of code signature method and its storage medium

Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191022