CN110519296B - Single sign-on and sign-off method of heterogeneous web system - Google Patents



Publication number: CN110519296B
Authority: CN (China)
Prior art keywords: application, slave, sign, user, master
Legal status: Active
Application number: CN201910874265.7A
Other languages: Chinese (zh)
Other versions: CN110519296A (en)
Inventors: 丁金龙, 钱诗住, 钱兆良
Current assignee: Focus Technology Co Ltd
Original assignee: Focus Technology Co Ltd
Application filed by Focus Technology Co Ltd
Priority to CN201910874265.7A
Publication of CN110519296A
Application granted
Publication of CN110519296B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
                • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                • H04L63/101 Access control lists [ACL]
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
                • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L67/10 Protocols in which an application is distributed across nodes in the network
                    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The invention discloses a single sign-on and sign-off method for a heterogeneous web system. In a heterogeneous web system environment, a master-slave application matching table and a sign-on/sign-off operation table are configured in a single sign-on authentication center; after the master application finishes signing on or off, the authentication center is asked for the slave application information and all sub-applications are actively notified to execute the sign-on or sign-off synchronously. The method comprises a single sign-on method and a single sign-off method. It avoids the sub-application having to request the authentication center to execute login when it logs in, and reduces the frequent interaction between the different heterogeneous systems and the SSO authentication center, thereby lowering the load on the SSO authentication center; it also solves the single sign-on problem of a multi-account web heterogeneous system with minimal code modification and without changing the original heterogeneous web systems.

Description

Single sign-on and sign-off method of heterogeneous web system
Technical Field
The invention belongs to the technical field of internet, and particularly relates to a single sign-on and sign-off method of a heterogeneous web system.
Background
As enterprises grow, they run more and more systems, so for the convenience of users the problem of accessing other mutually trusted application systems after logging in only once needs to be solved; single sign-on systems arose to meet this need. Single Sign On (SSO) means that, among a plurality of application systems, a user logs in once and can then access the other mutually trusted application systems. Most existing single sign-on implementations are for homogeneous systems, that is, the different systems share the same account system, and the process is as follows: login is integrated into an authentication system; when a user accesses application system 1 for the first time, the user is redirected to the authentication system to log in because the user is not yet logged in; the authentication system verifies the identity according to the login information provided by the user and, if verification passes, returns an authentication credential (a ticket) to the user; when the user accesses another application, the ticket is carried along as proof of the user's authentication, and after receiving the request the application system sends the ticket to the authentication system for verification to check its validity. If it is verified, the user can access application system 2 and application system 3 without logging in again.
However, this commonly adopted method is not a real synchronous login: system 2 and system 3 can only log in by requesting the account and password from the authentication system at the time of access, so every login requires a request to the authentication system, and the frequent requests undoubtedly raise the load on the authentication system; moreover, if single sign-on is to be performed across different account systems, the authentication system has to be configured for the login authentication of each kind of account, and every change to an account system brings heavy modification work.
A single sign-on method between heterogeneous systems has been proposed on the market: the patent 'a single sign-on method for heterogeneous WEB systems' exploits the ease with which a CAS client integrates WEB systems built on various technical frameworks, with the following steps. Step S1: the single sign-on client reads the ST information from the user's request URL; if the ST information is read successfully, step S5 is executed, otherwise step S2. Step S2: the single sign-on client reads the TGT information from the browser Cookie; if the TGT exists, step S4 is executed, otherwise step S3. Step S3: the single sign-on server verifies the user's identity authentication information and generates a TGT. Step S4: the single sign-on server authenticates the TGT and generates an ST. Step S5: the single sign-on server authenticates the ST and loads the page content. Although that patent improves on traditional CAS and addresses the high difficulty and poor stability of single sign-on in existing heterogeneous WEB systems, it cannot avoid the heterogeneous WEB applications requesting the authentication center on every sign-on access, so real synchronous sign-on is not achieved; and if that technique were applied to single sign-on across different account systems, the modification effort would also be considerable.
In summary, how to support an active single sign-on and sign-off method for a multi-account system without modifying the original heterogeneous web systems is currently a difficult problem worth researching.
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defects of the prior art by providing a single sign-on and sign-off method for a heterogeneous web system, in which: in a heterogeneous web system environment, a master-slave application matching table and a login/logout operation table are configured in a single sign-on authentication center; after the master application finishes login or logout, the single sign-on authentication center is asked for the slave application information, and each sub-application is actively notified to execute login or logout synchronously. This avoids the sub-application having to request the authentication center to execute login when it logs in, and reduces the frequent interaction between the different heterogeneous systems and the SSO authentication center, so that the load on the SSO authentication center is reduced; on the other hand, the single sign-on problem of a multi-account web heterogeneous system is solved with minimal code modification and without changing the original heterogeneous web systems.
To solve these technical problems, the invention provides a single sign-on and sign-off method for a heterogeneous web system in which, in a heterogeneous web system environment, a master-slave application matching table and a sign-on/sign-off operation table are configured in a single sign-on authentication center; after the master application finishes signing on or off, the single sign-on authentication center is asked for the slave application information and all sub-applications are actively notified to execute the sign-on or sign-off synchronously. The method comprises a single sign-on method and a single sign-off method: the single sign-on method is an active single sign-on method across different account systems, and the single sign-off method is an active single sign-off method across different account systems. The specific steps are as follows:
step 1: obtain the login account information of the same user in the different web applications, establish a per-application binding between the user's login accounts according to the defined single sign-on application group, and form a master-slave application matching table whose fields comprise: master application web address, master application login user name, master application user ID, slave application web address, slave application login user name, slave application user ID; the master-slave application matching table is stored in the single sign-on authentication center (abbreviated below as the SSO authentication center);
the master application is the application in which the user actively logs in or logs out; a slave application is associated with the master application and completes login together with it;
the SSO authentication center provides the single sign-on service and the sign-on authentication service for the master application and the slave applications; the synchronous login between the master application and the slave applications is identity-verified through the SSO authentication center;
according to the login account of the master application, all the other slave applications that are in the same single sign-on application group as the master application, together with their corresponding login accounts, are determined from the record values of the master-slave application matching table;
step 2: the user sends a request to access the master application through a browser; after the master application's backend server has responded to the request and completed the login, it requests the single sign-on service from the SSO authentication center; the slave applications, and the user's login account information in each of them, are found from the master-slave application matching table stored in the SSO authentication center; according to the slave application information obtained, the master application notifies each slave application to actively fetch the account information it needs to log in with from the SSO authentication center and to execute the login logic in its own account system. Specifically:
step 2-1: the master application parses the URL that the user requests to access; the URL request contains the master application web address and the user's login account, and once the URL request has been answered the login to the master application is completed by identity authentication in the master application's account system; after the master application has finished logging in, it packages the user information, master application information and access Cookie information and sends them to the SSO authentication center to request single sign-on authentication;
the user information comprises: the login user name of the logged-in user, the user ID number registered with the master application, and the user's IP address; the application information comprises: the master application web address;
the Cookie information is used to precisely locate the same request record;
step 2-2: the SSO authentication center scans the records of the master-slave application matching table according to the user information and master application information in the single sign-on authentication request, extracts by login user name and master application Web address the information of all slave applications participating in the single sign-on (slave application Web address, slave application user ID and login user name), and randomly generates a verification code (referred to as the Token code) with the MD5 algorithm for verifying the sign-on authentication of the slave applications;
step 2-3: an operation record is generated for each matched slave application and written to the single sign-on operation table, whose contents comprise the master application web address, master application login user name, slave application web address, slave application login user name, slave application user ID, Token code and Token state value; the Token state value indicates whether the Token code is still valid and takes the values '0' and '1': 0 means the Token code is normal, i.e. the slave application has not logged in yet; 1 means the Token code has expired, i.e. the slave application has executed the login; the Token state value defaults to '0' when the record is first generated;
step 2-4: the SSO authentication center obtains each slave application web address from the single sign-on operation table and assembles a message URL containing setCookieurl (the slave application web address) and token (the Token code), which it sends to the master application;
step 2-5: the master application receives the message and extracts the slave application web address and Token code from it;
step 2-6: since the master application and the slave applications have different domain names, the asynchronous login request message URL is written based on JSONP, its main content being of the form: com/logic/Token code, and is sent to each slave application to perform the access;
step 2-7: the slave application responds to the login request, extracts the Token code from the request message and sends it to the SSO authentication center; the SSO authentication center scans the single sign-on operation table by Token code to locate the single sign-on operation record; if the corresponding record is found, the SSO authentication center completes the single sign-on verification of the slave application and extracts the slave application user ID and user name, which it returns to the slave application; at the same time, the Token state value in the single sign-on operation table is updated to 1;
step 2-8: the slave application obtains the user ID and user name, retrieves the user's login account information from its backend database, and executes the slave application login by identity authentication in the slave application's account system;
step 3: when the user logs out of any web application in the single sign-on application group, the master application from which the user actively logged out sends a single sign-off request to the SSO authentication center; the SSO authentication center responds to the request and returns all the slave application web addresses; according to the slave application web addresses obtained, the master application notifies all slave applications to execute the logout logic.
The master application and the slave application belong to two independent application systems with different account systems, i.e. the login accounts and passwords of the master application and the slave application are not the same.
The single sign-off of step 3 specifically comprises:
step 301: after the master application has finished logging out, it requests single sign-off from the SSO authentication center; the SSO authentication center responds to the single sign-off request sent by the master application user and obtains, from the master-slave application matching table, all slave application web addresses bound to the master application;
step 302: the SSO authentication center packs all the slave application web addresses into a message and sends it to the master application;
step 303: an asynchronous logout request message is written based on JSONP, its content mainly being: com/logout; the master application sends the logout request message to each slave application, which executes the logout operation directly on receiving it.
If a new web application joins the single sign-on application group, then, without modifying the new application's original account system, the binding between the new application's login account and the login accounts of the other web applications is added to the master-slave application matching table in the SSO authentication center, establishing the match between the same user's login accounts in the different web applications;
if a web application withdraws from the single sign-on application group, the bindings between that application and the other web applications are simply deleted from the master-slave application matching table in the SSO authentication center.
The master application or slave application may also be a mobile APP. When the mobile APP is logged in, it obtains the login account information of the other logged-in web applications, establishes a binding between its own login account and theirs, and records the binding in the master-slave application matching table; because the login account is shared between the web version of an application and its mobile APP, the mobile APP login account recorded in the matching table is bound to the login accounts of the other applications' web versions and hence also to the account of its own web version; the web version is then notified to execute the login operation according to the single sign-on procedure between heterogeneous web applications described above.
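The following is an added example, not code from the patent or its assignee: an in-memory model of the SSO authentication center as described in steps 1 to 3 and 301 to 303, exercised with the AA.com / BB.com embodiment (steps S101 to S109 and S201 to S202). Class and function names (SsoCenter, single_sign_on, verify_slave_login, single_sign_off) are assumptions, the Token code is drawn from a CSPRNG rather than the MD5 routine the text names, and the check that a Token code is presented by the slave application it was issued for is an added one.

```python
# Added example, not the patent's own code: an in-memory model of the SSO
# authentication center of steps 1 to 3 / 301-303. Class and function names are
# assumptions; the patent describes only the two tables and the messages.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_NORMAL = "0"   # Token state 0: code valid, slave application not logged in yet
TOKEN_INVALID = "1"  # Token state 1: code consumed, slave application executed login


@dataclass
class Binding:
    """One row of the master-slave application matching table (step 1)."""
    master_url: str
    master_user: str
    master_uid: str
    slave_url: str
    slave_user: str
    slave_uid: str


@dataclass
class LoginOp:
    """One row of the single sign-on operation table (step 2-3)."""
    master_url: str
    master_user: str
    slave_url: str
    slave_user: str
    slave_uid: str
    token: str
    state: str = TOKEN_NORMAL


class SsoCenter:
    def __init__(self) -> None:
        self.matching_table: List[Binding] = []
        self.login_ops: Dict[str, LoginOp] = {}  # keyed by Token code

    def bind(self, row: Binding) -> None:
        """Joining the group only adds rows to the matching table."""
        self.matching_table.append(row)

    def unbind(self, app_url: str) -> None:
        """Leaving the group only deletes the application's bindings."""
        self.matching_table = [r for r in self.matching_table
                               if app_url not in (r.master_url, r.slave_url)]

    def slaves_of(self, master_url: str, master_user: str) -> List[Binding]:
        return [r for r in self.matching_table
                if r.master_url == master_url and r.master_user == master_user]

    def single_sign_on(self, master_url: str, master_user: str,
                       master_uid: str) -> List[Dict[str, str]]:
        """Steps 2-2 to 2-4: scan the matching table, record one Token code per
        slave application with state 0, return the (setCookieurl, token) messages."""
        messages = []
        for row in self.slaves_of(master_url, master_user):
            if row.master_uid != master_uid:
                continue
            # Patent: random code made with MD5; a CSPRNG is used here (assumption).
            token = secrets.token_hex(16)
            self.login_ops[token] = LoginOp(master_url, master_user, row.slave_url,
                                            row.slave_user, row.slave_uid, token)
            messages.append({"setCookieurl": row.slave_url, "token": token})
        return messages

    def verify_slave_login(self, slave_url: str,
                           token: str) -> Optional[Tuple[str, str]]:
        """Step 2-7: locate the record by Token code, return (user ID, user name)
        and set the state to 1 so a replayed Token code is refused. Requiring the
        record to belong to the calling slave URL is an added check."""
        op = self.login_ops.get(token)
        if op is None or op.state != TOKEN_NORMAL or op.slave_url != slave_url:
            return None
        op.state = TOKEN_INVALID
        return op.slave_uid, op.slave_user

    def single_sign_off(self, master_url: str, master_user: str) -> List[str]:
        """Steps 301-302: all slave web addresses bound to the master application."""
        return sorted({r.slave_url for r in self.slaves_of(master_url, master_user)})


def run_embodiment() -> dict:
    """Walks the AA.com / BB.com embodiment (steps S101-S109 and S201-S202)."""
    center = SsoCenter()
    center.bind(Binding("AA.com", "user_A1", "A-1", "BB.com", "user_B2", "B-2"))
    # S103/S104: AA.com has verified user W in account system a and asks the center.
    messages = center.single_sign_on("AA.com", "user_A1", "A-1")
    msg = messages[0]
    # S107/S108: AA.com forwards the Token code to BB.com, which presents it.
    first = center.verify_slave_login(msg["setCookieurl"], msg["token"])
    replay = center.verify_slave_login(msg["setCookieurl"], msg["token"])  # state is 1
    targets = center.single_sign_off("AA.com", "user_A1")  # S201/S202
    return {"messages": len(messages), "slave_identity": first, "replay": replay,
            "state_after": center.login_ops[msg["token"]].state,
            "logout_targets": targets}
```

The second verify_slave_login call returns None because the record's Token state is already 1, which is the replay protection step S108 relies on.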
The invention achieves the following beneficial effects:
(1) the invention establishes the account association between the heterogeneous web systems by building the master-slave application matching table in the SSO authentication center, so that when the master application requests the login service from the SSO authentication center the login account information of the associated slave applications can be obtained; single sign-on and sign-off across different account systems are thereby supported, the trouble of designing access entry points for each account system is avoided, and the amount of hand-written code is reduced;
(2) the SSO authentication center returns the relevant slave application information to the master application, and the master application actively notifies the slave applications to fetch their account information from the SSO authentication center and log in together with the master application; this markedly improves single sign-on efficiency and response speed, and reduces the high load on the SSO authentication center that frequent interaction between the different heterogeneous systems' logins and the center would otherwise cause.
Drawings
FIG. 1 is a flowchart illustrating a single sign-on process of a heterogeneous web system according to an embodiment of the present invention;
FIG. 2 is a flow chart of a single logout procedure of a heterogeneous web system according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a single sign-on between a mobile APP and a Web application in an embodiment of the present invention;
FIG. 4 is a simplified single sign-on architecture of a heterogeneous web system according to an embodiment of the present invention.
Detailed Description
The invention will be further described with reference to the drawings and the exemplary embodiments:
In the embodiment of the invention, AA.com is the master application and BB.com is the slave application; the login account information of user W in the AA system is: user ID: UA-1; user name: user 135; the login account information of user W in the BB system is: user ID: UB-2; user name: user 246.
As shown in FIG. 1, the single sign-on flow of the heterogeneous web system comprises the following specific steps:
step S101: bind the account correspondence between AA.com and BB.com in a master-slave application matching table whose contents comprise master application web address, master application login user name, master application user ID, slave application web address, slave application login user name and slave application user ID, as shown in Table 1 below; the master-slave application matching table is stored in the SSO authentication center and is used during single sign-on to find the slave applications that execute the login operation together with the master application;
TABLE 1 (master-slave application matching table for AA.com and BB.com; rendered as an image in the original)
step S102: user W sends a request URL to log in to AA.com through a browser; AA.com parses the request URL, extracts user W's login account information and verifies it in account system a, completing user W's login to AA.com;
step S103: AA.com obtains user W's user ID and user name from its backend database, packages them with the user IP, application name and Cookie information, and sends them to the SSO authentication center to request single sign-on authentication;
step S104: the SSO authentication center obtains from the master-slave application matching table, according to the user ID, user name and application name, the information of all slave applications corresponding to AA.com, including the slave application Web address and the user ID and user name registered by user W in the slave application; in this embodiment the matching information obtained is BB.com, B-2 and user_B2; it then randomly generates a verification code (hereinafter the Token code) with the MD5 algorithm, to be used to check the login authentication of BB.com;
step S105: AA.com, A-1, user_A1, BB.com, B-2, user_B2, the Token code and the Token state value are inserted into the single sign-on operation table; the Token state value indicates whether the Token code is still valid and takes the values '0' and '1': 0 means the Token code is normal, i.e. the slave application has not executed the login; 1 means the Token code has expired, i.e. the slave application has executed the login; the Token state value defaults to '0' when first generated;
step S106: the SSO authentication center obtains the web address of BB.com from the single sign-on operation table, assembles a message containing setCookieurl and the Token code, and sends it to the master application AA.com;
step S107: AA.com receives the message, extracts the web address and Token code of the slave application BB.com from it, and writes the asynchronous login request message based on JSONP, its main content being: logic.bb.com/logic/Token code, which notifies the slave application BB.com to perform the login;
step S108: BB.com extracts the Token code from the request message and sends it to the SSO authentication center; the SSO authentication center scans the single sign-on operation table by Token code, locates the corresponding single sign-on operation record, obtains the user ID (B-2) and user name (user_B2) for the slave application login and returns them to the slave application; at the same time it updates the Token state value of the located record to 1, marking the Token code invalid so that a malicious user cannot forge the same Token code to execute a login;
step S109: according to the user ID B-2 and user name user_B2, BB.com retrieves the user's login password from its backend database, sends the user name and password to account system b for verification, and completes the login once account system b has verified them;
when the user wants to log out of the master application, the master application sends a logout request to the SSO authentication center; the SSO authentication center responds and returns all the slave application web addresses; the master application logs out and sends a stop-access notification to all the other slave applications;
As shown in FIG. 2, the single sign-off flow of the heterogeneous web system comprises the following specific steps:
step S201: after the master application has finished logging out, it requests single sign-off from the SSO authentication center; the SSO authentication center responds to the single sign-off request sent by the master application user and obtains, from the master-slave application matching table, all slave application web addresses bound to the master application;
step S202: the SSO authentication center packs all the slave application web addresses into a message and sends it to the master application;
step S203: an asynchronous logout request message is written based on JSONP, its content mainly being: com/logout; the master application sends the logout request message to each slave application, which executes the logout operation directly on receiving it;
As shown in the flow chart of single sign-on between a mobile APP and a Web application in FIG. 3, in this embodiment the Web system CC has a Web version (abbreviated cc.com) and a mobile version (abbreviated mobile CC), and there is currently no binding between cc.com and bb.com. The single sign-on process is specifically:
step S301: the same user logs in separately to the master application and to the slave application APP: the account system of mobile CC responds to the login request and completes user W's login to mobile CC by verifying the account information; the account system of BB.com responds to the login request and completes user W's login to BB.com by verifying the account information;
step S302: obtain the account information of the master application and the slave application APP, and register their account binding in the SSO authentication center: BB.com opens an account information acquisition entry in the form of a two-dimensional code; mobile CC obtains BB.com's login account information by scanning the code, BB.com's login account information and mobile CC's login account information are recorded in the master-slave application matching table, the account binding between BB.com and CC.com is established, and it is configured in the SSO authentication center;
step S303: based on the account binding entered in the SSO authentication center, single sign-on between the slave application (such as cc.com) and the slave application APP (mobile CC) is completed according to the procedure of steps 203-209: BB.com obtains the website and Token code of cc.com from the SSO authentication center and remotely requests the cc.com login; according to the Token code, CC.com obtains user W's login account for CC.com from the SSO authentication center, and the login is completed after verification by CC.com's account system.
FIG. 4 shows a deployment diagram of the single sign-on system of the heterogeneous web system: it comprises the web system aa.com, the SSO authentication center and the web system bb.com, where aa.com and bb.com belong to one single sign-on application group and are web applications related to each other, but each has its own independent account system and login interface, such as account system a and account system b in the figure;
in the single sign-on environment, the application in which the user actively logs in or out is the master application; for example, if user W logs in to AA.com first, AA.com is the master application and the applications that complete the login together with AA.com are the slave applications, here BB.com; the single sign-on of the two web applications AA.com and BB.com must be verified by the SSO authentication center.
The single sign-on and sign-off method of a heterogeneous web system according to the invention thus achieves the two beneficial effects set out above: the master-slave application matching table in the SSO authentication center provides the account association between the heterogeneous web systems and supports single sign-on and sign-off across different account systems, and the master application's active notification of the slave applications improves single sign-on efficiency and response speed while reducing the load on the SSO authentication center.
The above embodiments do not limit the invention in any way; all other modifications and applications of the above embodiments made in equivalent ways fall within the scope of the invention.

Claims (4)

1. A single sign-on and sign-off method of a heterogeneous web system, characterized in that, in a heterogeneous web system environment, a master-slave application matching table and a sign-on/sign-off operation table are configured so that, after a master application completes sign-on or sign-off, it requests slave application information from a single sign-on authentication center and actively informs all slave applications to synchronously execute the sign-on or sign-off; the single sign-on and sign-off method comprises a single sign-on method and a single sign-off method; the single sign-on method is an active single sign-on method across different account systems, and the single sign-off method is an active single sign-off method across different account systems; the method comprises the following specific steps:
step 1: obtaining the login account information of the same user in different web applications, establishing an application-based user login account binding relationship according to a defined single sign-on application group, and forming a master-slave application matching table whose fields comprise: master application web address, master application login user name, master application user ID, slave application web address, slave application login user name and slave application user ID; the master-slave application matching table is stored in a single sign-on authentication center, referred to as the SSO authentication center for short; the master application is the application the user actively logs in to or out of; a slave application is associated with the master application and completes login together with it; the SSO authentication center provides single sign-on service and sign-on authentication service to the master and slave applications; synchronous login between the master application and the slave applications is identity-verified through the SSO authentication center; all other slave applications in the same single sign-on application group as the master application, together with their corresponding login accounts, are determined from the records of the master-slave application matching table according to the master application's login account;
step 2: a user sends a request to access the master application through a browser; after the master application's background server responds to the request and completes the login, it requests the single sign-on service from the SSO authentication center; the slave applications and the user's login account information in each slave application are found according to the master-slave application matching table stored in the SSO authentication center; according to the acquired slave application information, the master application informs each slave application to actively acquire the account information it needs to log in with from the SSO authentication center and to execute the login logic in its own account system, specifically:
step 2-1: the master application parses the URL the user requests; the URL request comprises the master application web address and the user login account; after the URL request is responded to, the master application login is completed through identity authentication in the master application's account system; after the master application has logged in, it packages the user information, master application information and access Cookie information and sends them to the SSO authentication center to request single sign-on authentication; the user information comprises the login user name, the user ID registered with the master application and the user IP address; the master application information comprises the master application web address; the Cookie information is used to precisely locate the same request record;
step 2-2: the SSO authentication center scans the master-slave application matching table records according to the user information and master application information in the single sign-on authentication request, extracts, by login user name and master application web address, the information of all slave applications participating in the single sign-on, including slave application web address, slave application user ID and login user name, and randomly generates a verification code using the MD5 algorithm; this verification code is referred to as the Token code for short and is used to verify the slave applications' sign-on authentication;
step 2-3: an operation record is generated for each matched slave application and written to the single sign-on operation table, whose contents comprise master application web address, master application login user name, slave application web address, slave application login user name, slave application user ID, Token code and Token state value; the Token state value identifies whether the Token code is still valid and takes the values "0" and "1": 0 means the Token code is valid, i.e. the slave application has not yet logged in; 1 means the Token code has expired, i.e. the slave application has executed the login; the Token state value defaults to "0" when first generated;
step 2-4: the SSO authentication center obtains each slave application web address from the single sign-on operation table, assembles a message URL carrying setCookieUrl (the slave application web address) and token (the Token code), and sends it to the master application;
step 2-5: the master application receives the message and extracts the slave application web address and Token code from it;
step 2-6: because the master application and the slave applications have different domain names, the asynchronous login request message URL is written based on JSONP; its main content is the slave application web address followed by the login path and the Token code, and it is sent to each slave application to perform the access;
step 2-7: the slave application responds to the login request, extracts the Token code from the request message and sends it to the SSO authentication center; the SSO authentication center scans the single sign-on operation table by Token code to locate the single sign-on operation record; if the corresponding record is located, the SSO authentication center completes the slave application's single sign-on verification, extracts the slave application user ID and user name and returns them to the slave application, and at the same time updates the Token state value of that record in the single sign-on operation table to 1;
step 2-8: the slave application obtains the user ID and user name, retrieves the user's login account information from its background database, and executes the slave application login through identity authentication in the slave application's account system;
step 3: when the user exits any web application in the single sign-on application group, the master application the user actively exits sends a single sign-off request to the SSO authentication center; the SSO authentication center responds to the request and returns all slave application web addresses; according to the acquired slave application web addresses, the master application informs all slave applications to execute their logout logic.
2. The single sign-on and sign-off method of a heterogeneous web system according to claim 1, wherein: the master application and the slave application belong to two independent application systems with different account systems, i.e. the login accounts and passwords of the master application and the slave application are not the same.
3. The single sign-on and sign-off method of a heterogeneous web system according to claim 2, wherein: the single sign-off step of step 3 specifically comprises:
step 301: after the master application completes logout, it requests single sign-off from the SSO authentication center; the SSO authentication center responds to the single sign-off request sent by the master application user and, based on the master-slave application matching table, acquires all slave application web addresses bound to the master application;
step 302: the SSO authentication center packs all the slave application web addresses into a message and sends it to the master application;
step 303: an asynchronous logout request message is written based on JSONP, whose content mainly consists of the slave application web address followed by the logout path; the master application sends the logout request message to each slave application, and the slave application performs the logout operation directly upon receiving the message.
4. The single sign-on and sign-off method of a heterogeneous web system according to claim 3, wherein: if a new web application joins the single sign-on application group, then, without modifying the new web application's original account system, the binding relationship between the new web application's login account and those of the other web applications is added to the master-slave application matching table in the SSO authentication center, establishing the matching of the same user's login accounts across the different web applications;
if a web application withdraws from the single sign-on application group, the binding relationship between that application and the other web applications is simply deleted from the master-slave application matching table in the SSO authentication center.
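The following is an added illustration, not code from the patent or from Focus Technology: an in-memory model of the SSO authentication center that walks through the matching table of claim 1 step 1, the Token issue and redemption of steps 2-2 to 2-7, the sign-off of claim 3 and the bind/unbind of claim 4. Field names follow the claims; the Token code is produced with `secrets.token_hex` instead of the MD5-derived code the claim names, and the check that the redeeming slave's web address matches the record is an added hardening step that the claim does not state. Sample users, IDs and web addresses are constructed.

```python
"""In-memory model of the SSO authentication center described in claims 1, 3
and 4 (added illustration, not the patent's own code).  Table field names
follow the claims; the Token code is produced with secrets.token_hex rather
than the MD5-derived code the claim names, and the slave-address check in
verify_slave_login is an added hardening step, not part of the claim."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the master-slave application matching table (claim 1, step 1)."""
    master_url: str
    master_user: str
    master_uid: int
    slave_url: str
    slave_user: str
    slave_uid: int


@dataclass
class LoginRecord:
    """One row of the single sign-on operation table (claim 1, step 2-3)."""
    master_url: str
    master_user: str
    slave_url: str
    slave_user: str
    slave_uid: int
    token: str
    state: int = 0  # 0 = Token unused, 1 = slave login already executed


class SsoCenter:
    def __init__(self) -> None:
        self.matching: list[Binding] = []             # master-slave application matching table
        self.operations: dict[str, LoginRecord] = {}  # single sign-on operation table, keyed by Token

    # claim 4: joining or leaving the group only touches the matching table
    def bind(self, b: Binding) -> None:
        self.matching.append(b)

    def unbind(self, master_url: str, slave_url: str) -> None:
        self.matching = [b for b in self.matching
                         if not (b.master_url == master_url and b.slave_url == slave_url)]

    def slaves_of(self, master_url: str, master_user: str) -> list[Binding]:
        """Step 2-2: bindings selected by master web address and login user name."""
        return [b for b in self.matching
                if b.master_url == master_url and b.master_user == master_user]

    def single_sign_on(self, master_url: str, master_user: str) -> list[dict]:
        """Steps 2-2 to 2-4: one fresh Token per slave, returned as
        {setCookieUrl, token} messages for the master to forward."""
        messages = []
        for b in self.slaves_of(master_url, master_user):
            token = secrets.token_hex(16)  # stands in for the claim's MD5-based code
            self.operations[token] = LoginRecord(
                master_url, master_user, b.slave_url, b.slave_user, b.slave_uid, token)
            messages.append({"setCookieUrl": b.slave_url, "token": token})
        return messages

    def verify_slave_login(self, slave_url: str, token: str):
        """Step 2-7: locate the record by Token, hand back (user ID, user name)
        once, then flip the state to 1 so the same Token cannot be replayed."""
        rec = self.operations.get(token)
        if rec is None or rec.state != 0:
            return None  # unknown or already-consumed Token
        if rec.slave_url != slave_url:
            return None  # added check: Token was issued for a different slave
        rec.state = 1
        return rec.slave_uid, rec.slave_user

    def single_sign_off(self, master_url: str, master_user: str) -> list[str]:
        """Steps 301-302: return every slave web address bound to the master and
        retire any still-unused Tokens issued for that master session."""
        for rec in self.operations.values():
            if rec.master_url == master_url and rec.master_user == master_user:
                rec.state = 1
        return sorted({b.slave_url for b in self.slaves_of(master_url, master_user)})


def demo() -> dict:
    """Walk user W (constructed sample data) through the Fig. 4 deployment:
    aa.com is the master, bb.com the slave, cc.com an unrelated site."""
    sso = SsoCenter()
    sso.bind(Binding("aa.com", "w_aa", 101, "bb.com", "w_bb", 202))
    msgs = sso.single_sign_on("aa.com", "w_aa")
    token = msgs[0]["token"]
    return {
        "slaves_notified": [m["setCookieUrl"] for m in msgs],          # ["bb.com"]
        "wrong_slave": sso.verify_slave_login("cc.com", token),         # None
        "first_use": sso.verify_slave_login("bb.com", token),           # (202, "w_bb")
        "replay": sso.verify_slave_login("bb.com", token),              # None
        "sign_off_targets": sso.single_sign_off("aa.com", "w_aa"),      # ["bb.com"]
    }


if __name__ == "__main__":
    print(demo())
```

Because step 2-7 locates the record by Token code alone, the Token is the only thing a slave presents to obtain a user's account, so the model treats the 0-to-1 state change as mandatory (a Token is accepted exactly once) and sign-off retires any Token that was issued but never redeemed; a deployment would additionally bound the Token's lifetime.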
CN201910874265.7A 2019-09-17 2019-09-17 Single sign-on and sign-off method of heterogeneous web system Active CN110519296B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910874265.7A CN110519296B (en) 2019-09-17 2019-09-17 Single sign-on and sign-off method of heterogeneous web system

Publications (2)

Publication Number Publication Date
CN110519296A CN110519296A (en) 2019-11-29
CN110519296B true CN110519296B (en) 2021-10-15

Family

ID=68631096

Country Status (1)

Country Link
CN (1) CN110519296B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant