CN110769001B - Cross-domain authentication method and cross-domain access method


Info

Publication number
CN110769001B
Authority
CN
China
Prior art keywords
domain
information
identification information
authentication
module
Prior art date
Legal status
Active
Application number
CN201911059537.4A
Other languages
Chinese (zh)
Other versions
CN110769001A (en)
Inventor
赵亚新
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN201911059537.4A
Publication of CN110769001A
Application granted
Publication of CN110769001B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

Embodiments of the invention provide a cross-domain authentication method and a cross-domain access method, applied to an authentication client. The cross-domain authentication method comprises: sending authentication request information to a first domain; connecting to the first domain according to first identification information of the first domain, where the first identification information is generated in the first domain based on the authentication request information; based on the association between the first domain and a second domain, sending the first identification information to the second domain through the first domain; and acquiring second identification information of the second domain and resource information of the second domain so that the authentication client can access the resource information of the second domain, where the second identification information is generated in the second domain based on at least the first identification information. With this cross-domain authentication method, cross-domain authentication is achieved simply by associating the different domains in advance, so the modification of the related systems' interfaces required in the prior art is unnecessary.

Description

Cross-domain authentication method and cross-domain access method
Technical Field
The invention belongs to the field of network security, and particularly relates to a cross-domain authentication method and a cross-domain access method.
Background
With the development of information technology, people rely on it ever more heavily: government offices, the military, public security, large enterprise groups and the like run hundreds of application systems, and to simplify management and operation a single sign-on system lets a user log in once and access the functions of many application systems, greatly improving working efficiency. However, with the explosive growth of data, the requirements on the depth and breadth of information keep rising, and the data of a single department or unit can no longer satisfy them, so information must be shared across units and organizations. Today, a unit that needs information from another unit has to request it by telephone, or carry the inquiry to the other unit and log in to its system on site. This is inefficient, procedurally complicated, and increasingly unable to meet the real-time requirements of information processing.
In view of this, there is a need to access the system information of other units in real time. But each unit's authentication system is built and managed independently, that is, each unit has its own isolated authentication domain, so applications require cross-domain authentication and cross-domain single sign-on access. For example, in the prior art the authentication systems are modified as follows: when a system A initiates an access request to a system B, system B authenticates the request through its own authentication server; on finding that the request comes from system A, system B's authentication server initiates an authentication request to system A's authentication server, and the access request from system A is allowed once that authentication passes. This achieves cross-domain access, but the related systems must be modified and adjusted together, so the lead time is long and the cost is high; and as more and more systems become associated, more of them need modification and integration becomes harder.
Disclosure of Invention
The invention provides a cross-domain authentication method and a cross-domain access method. With this cross-domain authentication method, cross-domain authentication is achieved simply by associating the different domains in advance (for example, by importing one system's root certificate into the other system's authentication server), so the modification of the related systems' interfaces required in the prior art is unnecessary. The invention thus removes the data mapping and interface calls that the traditional cross-domain access scheme requires between systems in different domains, simplifying the processing flow and reducing the complexity between systems during single sign-on cross-domain access, which favours rapid deployment and later maintenance of the systems.
In order to solve the above technical problem, an embodiment of the present invention provides the following technical solutions:
the invention provides a cross-domain authentication method, applied to an authentication client, which comprises the following steps:
sending authentication request information to a first domain;
connecting to the first domain according to the first identification information of the first domain; wherein the first identification information is generated in the first domain based on the authentication request information;
based on the association between the first domain and the second domain, sending first identification information to the second domain through the first domain;
acquiring second identification information of a second domain and resource information of the second domain so that the authentication client can access the resource information of the second domain; wherein the second identification information is generated in the second domain based on at least the first identification information.
Preferably, the sending of the authentication request information to the first domain includes,
sending personal information and a resource code of the user corresponding to the authentication client to the first domain.
Preferably, the first domain includes a first login module and a first authorization module, and the sending of the authentication request information to the first domain includes,
sending authentication request information to a first login module;
the first login module sends the authentication request information to the first authorization module.
Preferably, connecting to the first domain according to the first identification information of the first domain includes,
the first authorization module generates the first identification information based on the authentication request information;
and connecting with the first login module based on the first identification information.
Preferably, the sending the first identification information to the second domain through the first domain based on the association between the first domain and the second domain includes,
based on the root certificate of the first domain stored in the second domain, the first domain sends the first identification information to the second domain.
Preferably, the second domain includes a second login module and a second authentication module, and the first identification information is sent to the second domain through the first domain based on the association between the first domain and the second domain, including,
based on the second authentication module storing the root certificate of the first domain, the first login module sends the first identification information to the second login module.
Preferably, the second domain further comprises a second authorization module; the obtaining of the second identification information of the second domain and the resource information of the second domain to enable the authentication client to access the resource information of the second domain includes,
the second authentication module generates the second identification information based on the first identification information and the identity mapping information; the identity mapping information is the information obtained from the first identification information in the second domain through a mapping relation;
the second login module receives second identification information from the second authentication module and sends the second identification information to the second authorization module, and the second authorization module generates resource information based on the second identification information; the second login module receives the resource information;
the second login module sends the second identification information and the resource information to the first login module;
the authentication client receives the second identification information and the resource information from the first login module to complete authentication, so that the authentication client can access the resource information of the second domain.
Preferably, the second domain further comprises a mapping database, and before the second authentication module generates the second identification information based on the first identification information and the identity mapping information, the method further comprises,
the second login module parses the first identification information to obtain personal information of the user;
calling identity mapping information corresponding to the personal information of the user from the mapping database;
and the second login module sends the first identification information and the identity mapping information to the second authentication module.
Preferably, the second authentication module generates the second identification information based on the first identification information and the identity mapping information, including,
the second authentication module compares the root certificate stored in the second authentication module with the first identification information;
when the first identification information can be matched with the root certificate, the second authentication module generates the second identification information based on the first identification information and the identity mapping information.
A second aspect of the present invention provides a cross-domain access method applied to an authentication client, the method comprising,
performing cross-domain authentication on a second domain through a first domain based on any of the methods above, and after the authentication passes, accessing the resource information of the second domain.
Based on the disclosure of the above embodiments, it can be known that the embodiments of the present invention have the following beneficial effects:
with the cross-domain authentication method provided by the invention, cross-domain authentication is achieved simply by associating the different domains in advance (for example, by importing one system's root certificate into the other system's authentication server), so the modification of the related systems' interfaces required in the prior art is unnecessary. The invention thus removes the data mapping and interface calls that the traditional cross-domain access scheme requires between systems in different domains, simplifying the processing flow and reducing the complexity between systems during single sign-on cross-domain access, which favours rapid deployment and later maintenance of the systems.
Drawings
Fig. 1 is a schematic flowchart of a cross-domain authentication method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a cross-domain authentication apparatus according to an embodiment of the present invention;
Reference numerals: 1 first domain; 2 second domain; 3 authentication client; 4 first login module; 5 first authorization module; 6 second authorization module; 7 second login module; 8 second authentication module.
Detailed Description
The following detailed description of specific embodiments of the present invention is provided in connection with the accompanying drawings, which are not intended to limit the invention.
It will be understood that various modifications may be made to the embodiments disclosed herein. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Other modifications will occur to those skilled in the art within the scope and spirit of the disclosure.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the disclosure and, together with a general description of the disclosure given above, and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
These and other characteristics of the invention will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.
It should also be understood that, although the invention has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of the invention, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present disclosure will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present disclosure are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely examples of the disclosure, which may be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, to avoid obscuring the disclosure in unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present disclosure in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the disclosure.
The embodiments of the present invention will be described in detail below with reference to the accompanying drawings,
as shown in fig. 1-2, a first embodiment of the present invention provides a cross-domain authentication method applied to an authentication client 3, the method comprising,
sending authentication request information to the first domain 1;
connecting to the first domain 1 according to the first identification information of the first domain 1; wherein the first identification information is generated in the first domain 1 based on the authentication request information;
based on the association between the first domain 1 and the second domain 2, sending first identification information to the second domain 2 through the first domain 1;
acquiring second identification information of a second domain 2 and resource information of the second domain 2, so that the authentication client 3 can access the resource information of the second domain 2; wherein the second identification information is generated in the second domain 2 based on at least the first identification information.
In this embodiment, a user A may send authentication request information to the first domain 1 through the authentication client 3. The first domain 1 may be, for example, system A of the unit where user A works; that is, the authentication client 3 sends the authentication request information to system A. System A may generate first identification information based on the authentication request information. The first identification information identifies user A within system A, may include the unit where user A works and user A's personal information, and may be, for example, a token of system A. The authentication client 3 then connects to system A based on the first identification information. In this embodiment, a user who wants to access the resource information of another system across domains, for example resource information in the second domain 2, must first pass authentication in the first domain 1, that is, first prove that the user is an employee of the unit corresponding to the first domain 1; only then is the user qualified to access the second domain 2 through the first domain 1, based on the pre-established association between the first domain 1 and the second domain 2.
After passing authentication in the first domain 1 and connecting to it, the first identification information is sent to the second domain 2 through the first domain 1 based on the association between the two domains. Specifically, the second domain 2 may be system B of another unit, which user A accesses through system A of their own unit: after the connection to the first domain 1, the first identification information generated by the first domain 1 is sent to the second domain 2, and the second domain 2 then generates second identification information based on at least the first identification information. The second identification information is user A's identity information in system B, may include user A's unit and personal information as held in system B, and may be, for example, a token of system B. Finally, the authentication client 3 obtains the second identification information and the resource information of the second domain 2, so that it can access the resource information of the second domain 2.
With the cross-domain authentication method provided by the invention, cross-domain authentication is achieved simply by associating the different domains in advance (for example, by importing one system's root certificate into the other system's authentication server), so the modification of the related systems' interfaces required in the prior art is unnecessary. The invention thus removes the data mapping and interface calls that the traditional cross-domain access scheme requires between systems in different domains, simplifying the processing flow and reducing the complexity between systems during single sign-on cross-domain access, which favours rapid deployment and later maintenance of the systems.
In one embodiment provided by the present invention, the sending of the authentication request information to the first domain 1 includes,
personal information and resource codes of a user corresponding to the authentication client 3 are transmitted to the first domain 1.
In this embodiment, sending the authentication request information to the first domain 1 serves to authenticate the user to the first domain 1: after authentication, the user is proved to have the right to access the first domain 1, and then, through the pre-established association between the first domain 1 and the second domain 2, the second domain 2 can be accessed through the first domain 1, achieving cross-domain access. The authentication request information comprises the user's personal information, which may be the user's login name and password, and a resource code, which identifies the resource information that user A wants to access across domains.
As shown in fig. 2, in another embodiment provided by the present invention, the first domain 1 includes a first login module 4 and a first authorization module 5, and the sending of the authentication request information to the first domain 1 includes,
sending authentication request information to the first login module 4;
the first login module 4 sends the authentication request information to the first authorization module 5.
In this embodiment, the first login module 4 may be, for example, a first login server, the first authorization module 5 may be, for example, a first authorization server, and the specific process of the authentication client 3 sending the authentication request information to the first domain 1 is as follows: authentication request information is first sent by the authentication client 3 to the first login module 4 and then sent by the first login module 4 to the first authorization module 5.
In another embodiment provided by the present invention, connecting to the first domain 1 according to the first identification information of the first domain 1 includes,
the first authorization module 5 generates the first identification information based on the authentication request information;
and connecting with the first login module 4 based on the first identification information.
In this embodiment, after the first authorization module 5 receives the authentication request information from the first login module 4, the first authorization module 5 generates first identification information based on the authentication request information. This indicates that the authentication client 3 corresponding to user A has passed the authentication of the first domain 1, so the authentication client 3 can connect to the first login module 4 in the first domain 1 based on the first identification information.
In other embodiments provided by the present invention, the sending the first identification information to the second domain 2 through the first domain 1 based on the association between the first domain 1 and the second domain 2 includes,
based on the root certificate of the first domain 1 stored in the second domain 2, the first domain 1 sends the first identification information to the second domain 2.
In this embodiment, the association between the first domain 1 and the second domain 2 consists in storing the root certificate of the first domain 1 in the second domain 2 in advance; this establishes that, within the validity period of the root certificate, any access that comes from the first domain 1 is authorized to the resources of the second domain 2. When the first domain 1 sends the first identification information to the second domain 2, the second domain 2 can determine from it that the access comes from the unit corresponding to the first domain 1, because the first identification information contains the unit where the accessing user works; and because the root certificate of the first domain 1 is stored in the second domain 2, the authentication client 3 can pass the second domain 2's authentication when it accesses the second domain 2's resources through the first domain 1. If the second domain 2 has not stored the root certificate of the first domain 1 in advance, access coming from the first domain 1 cannot pass authentication, and the resource information in the second domain 2 cannot be accessed through the first domain 1.
As shown in fig. 2, in an embodiment provided by the present invention, the second domain 2 includes a second login module 7 and a second authentication module 8, and the sending of the first identification information to the second domain 2 through the first domain 1 based on the association between the first domain 1 and the second domain 2 includes,
based on the second authentication module 8 storing the root certificate of the first domain 1, the first login module 4 sends the first identification information to the second login module 7.
In this embodiment, the second login module 7 may be a second login server and the second authentication module 8 a second authentication server. The root certificate of the first domain 1 is stored in the second authentication module 8 of the second domain 2, so that when the second authentication module 8 receives the first identification information from the second login module 7, it can compare the unit information contained in the first identification information with the root certificates it stores. If none of the stored root certificates covers the unit represented by the first identification information, the access to the second domain 2 is rejected and the resource information in the second domain 2 cannot be accessed; if one of the stored root certificates covers that unit, the access to the second domain 2 passes and the resource information in the second domain 2 can be accessed.
Continuing to refer to fig. 2, in another embodiment provided by the present invention, the second domain 2 further comprises a second authorization module 6; the obtaining of the second identification information of the second domain 2 and the resource information of the second domain 2 to enable the authentication client 3 to access the resource information of the second domain 2 includes,
the second authentication module 8 generates the second identification information based on the first identification information and the identity mapping information; the identity mapping information is the information obtained from the first identification information in the second domain 2 through a mapping relation;
the second login module 7 receives second identification information from the second authentication module 8, and sends the second identification information to the second authorization module 6, and the second authorization module 6 generates resource information based on the second identification information; the second login module 7 receives the resource information;
the second login module 7 sends the second identification information and the resource information to the first login module 4;
the authentication client 3 receives the second identification information and the resource information from the first login module 4, and completes authentication, so that the authentication client 3 can access the resource information of the second domain 2.
In this embodiment, the second authorization module 6 may be a second authorization server. The second login module 7 may send the first identification information and the identity mapping information to the second authentication module 8, and the second authentication module 8 generates the second identification information based on both. The identity mapping information is the information obtained from the first identification information in the second domain 2 through a mapping relation. For example, the first identification information represents Zhang San from system A; after it is sent to the second login module 7, the second login module 7 obtains the name of Zhang San in the second domain 2 from the mapping relation. If the second domain 2 has no employee named Zhang San, the identity mapping information of Zhang San in the second domain 2 is simply Zhang San; if the second domain 2 already has an employee named Zhang San, the name used in the second domain 2 must be changed, for example to Li San.
When the first identification information received by the second authentication module 8 represents the personal information of Zhang San and the received identity mapping information is Zhang San, the second authentication module 8 judges that the two are the same and generates second identification information representing the personal information of Zhang San in the second domain 2; in this case the generated second identification information is the same as the first identification information.
When the first identification information received by the second authentication module 8 represents the personal information of Zhang San and the received identity mapping information is Li San, the second authentication module 8 judges that the two differ and generates second identification information representing the personal information of Zhang San in the second domain 2; in this case the generated second identification information differs from the first identification information.
After the second identification information is generated, the second authentication module 8 sends it to the second login module 7, which forwards it to the second authorization module 6. The second authorization module 6 decides the user's scope of authority based on the second identification information, that is, it generates resource information based on the second identification information. For example, in one specific embodiment the resource information of the second domain 2 includes an OA system, a human resources system, a financial system and a warehousing system; when the second authorization module 6 identifies from the second identification information that the user named Li San in the second domain 2 is accessing, it forms an authorization scope for that user, for example the human resources system and the warehousing system, so that only those two systems in the second domain 2 are accessible to the user. In the present invention different users have different authorization scopes: some users can access all resources in the second domain 2, others only part of them. The invention does not limit this, and different access authorization scopes can be set for different users according to actual requirements.
After the second authorization module 6 generates resource information based on the second identification information, the second login module 7 receives the resource information and sends the second identification information and the resource information to the first login module 4; the authentication client 3 receives the second identification information and the resource information from the first login module 4, and completes authentication, so that the authentication client 3 can access the resource information of the second domain 2.
In another embodiment provided by the present invention, the second domain 2 further comprises a mapping database, and before the second authentication module 8 generates the second identification information based on the first identification information and the identity mapping information, the method further comprises:
the second login module 7 analyzes the first identification information to obtain personal information of the user;
calling identity mapping information corresponding to the personal information of the user from the mapping database;
the second login module 7 sends the first identification information and the identity mapping information to the second authentication module 8.
In this embodiment, after receiving the first identification information, the second login module 7 first analyzes it to obtain the personal information of the user, for example a user named Zhang San. The second login module 7 then calls the identity mapping information corresponding to that personal information from the data pre-stored in the mapping database, for example the user named Li Si. The second login module 7 sends the first identification information and the identity mapping information to the second authentication module 8, and the second authentication module 8 generates the second identification information based on both.
In other embodiments provided by the present invention, the second authentication module 8 generates the second identification information based on the first identification information and the identity mapping information, including,
the second authentication module 8 compares the root certificate stored therein with the first identification information;
when the first identification information can be matched with the root certificate, the second authentication module 8 generates the second identification information based on the first identification information and the identity mapping information.
In this embodiment, a domain that wants to access resource information in the second domain 2 stores its root certificate in the second authentication module 8 of the second domain 2 in advance. In a specific embodiment, if the first domain 1 wants to access resource information in the second domain 2, the root certificate of the first domain 1 is stored in the second authentication module 8 in advance; if a third domain wants to access resource information in the second domain 2, the root certificate of the third domain is stored in the second authentication module 8 in advance; and so on. After receiving the first identification information, the second authentication module 8 compares the unit information represented by the first identification information with the root certificates stored therein. For example, the unit information represented by the first identification information is that of the first domain 1, and the root certificates of the first domain 1 and of the third domain are stored in the second authentication module 8; the comparison shows that a root certificate corresponding to the unit information represented by the first identification information is stored in the second authentication module 8, so the second authentication module 8 generates the second identification information based on the first identification information and the identity mapping information, which indicates that the authentication has passed.
For another example, the unit information represented by the first identification information is that of the first domain 1, while only the root certificates of the third domain and a fourth domain are stored in the second authentication module 8. The comparison shows that no root certificate corresponding to the unit information represented by the first identification information is stored in the second authentication module 8, so the second authentication module 8 does not generate the second identification information, which indicates that the authentication has failed.
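The processing on the second-domain side described above (root certificate check against the unit information, identity mapping lookup, generation of the second identification information, and derivation of the resource information) can be illustrated with the following Python sketch. This is an added example, not code from the patent or its assignee. Every data structure in it is constructed for illustration: the root certificate store holds only SHA-256 fingerprints as a stand-in for real X.509 roots, and "matching" the first identification information against a stored root certificate is modelled as a constant-time fingerprint comparison; a production implementation would instead verify a signature over the first identification information that chains to that root, since a bare fingerprint can be copied by anyone who has seen it. Two choices not fixed by the patent are also assumptions: the root certificate check runs before the mapping database is consulted, so an unrecognized domain never reaches the database, and a user with no mapping entry is rejected rather than passed through.

```python
"""Second-domain side of the cross-domain authentication flow.
Added illustration; all identifiers, data and the fingerprint-based
"root certificate" matching are constructed assumptions."""
import hashlib
import hmac

# Root certificates of the domains allowed to access the second domain,
# keyed by unit information. Each root is represented only by a fingerprint
# (constructed sample data).
ROOT_CERT_STORE = {
    "first_domain": hashlib.sha256(b"root certificate of the first domain").hexdigest(),
    "third_domain": hashlib.sha256(b"root certificate of the third domain").hexdigest(),
}

# Mapping database: (unit, personal information in the source domain)
# -> identity in the second domain (constructed sample data).
MAPPING_DB = {
    ("first_domain", "Zhang San"): "Li Si",
    ("first_domain", "Wang Wu"): "Wang Wu",   # same identity in both domains
}

# Authorization policy of the second authorization module, keyed by the
# identity in the second domain (constructed sample data).
ALL_RESOURCES = frozenset({"OA", "HR", "Finance", "Warehousing"})
AUTHZ_POLICY = {
    "Li Si": frozenset({"HR", "Warehousing"}),
    "Wang Wu": ALL_RESOURCES,
}


class AuthenticationFailed(Exception):
    """Raised whenever the second domain refuses to issue second identification information."""


def check_root_certificate(first_id_info: dict) -> None:
    """Second authentication module, step 1: the unit information in the first
    identification information must correspond to a stored root certificate.
    Matching is a constant-time fingerprint comparison here (assumption); a real
    system verifies a signature over first_id_info chaining to that root."""
    unit = first_id_info.get("unit")
    stored = ROOT_CERT_STORE.get(unit)
    if stored is None:
        raise AuthenticationFailed(f"no root certificate stored for unit {unit!r}")
    presented = str(first_id_info.get("root_cert_fingerprint", ""))
    if not hmac.compare_digest(stored, presented):
        raise AuthenticationFailed(f"root certificate mismatch for unit {unit!r}")


def lookup_identity_mapping(first_id_info: dict) -> str:
    """Second login module: parse the first identification information for the
    user's personal information and fetch the identity mapping from the mapping
    database. Fails closed when no mapping exists (assumption; the patent does
    not specify this case)."""
    key = (first_id_info.get("unit"), first_id_info.get("person"))
    try:
        return MAPPING_DB[key]
    except KeyError:
        raise AuthenticationFailed(f"no identity mapping for {key!r}") from None


def generate_second_id_info(first_id_info: dict, identity_mapping: str) -> dict:
    """Second authentication module, step 2: if the mapping equals the personal
    information, the second identification information is identical to the
    first; otherwise it represents the mapped identity in the second domain."""
    if identity_mapping == first_id_info["person"]:
        return dict(first_id_info)
    return {"unit": "second_domain", "person": identity_mapping,
            "mapped_from": (first_id_info["unit"], first_id_info["person"])}


def generate_resource_info(second_id_info: dict) -> list[str]:
    """Second authorization module: the authorization scope for this identity.
    An identity without a policy entry gets no resources (default deny)."""
    return sorted(AUTHZ_POLICY.get(second_id_info["person"], frozenset()))


def second_domain_authenticate(first_id_info: dict) -> dict:
    """What the second login module hands back to the first login module:
    the second identification information plus the resource information."""
    check_root_certificate(first_id_info)      # unknown domains never reach the mapping DB
    mapping = lookup_identity_mapping(first_id_info)
    second = generate_second_id_info(first_id_info, mapping)
    return {"second_identification_information": second,
            "resource_information": generate_resource_info(second)}


if __name__ == "__main__":
    # Constructed first identification information as the first domain would issue it.
    zhang_san = {"unit": "first_domain", "person": "Zhang San",
                 "root_cert_fingerprint": ROOT_CERT_STORE["first_domain"]}
    print(second_domain_authenticate(zhang_san))
```

Run as a script, the sample request for Zhang San yields second identification information for Li Si in the second domain with the resource information `['HR', 'Warehousing']`; a request whose unit has no stored root certificate, whose fingerprint does not match, or whose user has no mapping entry raises `AuthenticationFailed` before any resource information is produced.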
A second embodiment of the present invention provides a cross-domain access method, applied to an authentication client 3, the method including,
based on any method, cross-domain authentication is performed on the second domain 2 through the first domain 1, and after the authentication is passed, the resource information of the second domain 2 is accessed.
In another embodiment provided by the present invention, the second domain 2 further includes a resource module that stores the specific content of the resource information, where the resource information may be, for example, an OA system, a human resources system, a financial system and a warehousing system. After the authentication is passed, the first login module 4 establishes a session with the second login module 7, and the user A finally establishes a session with the resource module in the second domain 2 through the first login module 4 and the second login module 7, so as to access the specific resource content in the resource module.
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present invention, and such modifications and equivalents should also be considered as falling within the scope of the present invention.

Claims (7)

1. A cross-domain authentication method applied to an authentication client is characterized in that the method comprises the following steps,
sending authentication request information to a first domain; wherein
the first domain comprises a first login module and a first authorization module, and sends authentication request information to the first login module; the first login module sends the authentication request information to the first authorization module;
connecting to the first domain according to first identification information of the first domain; wherein the first identification information is generated in the first domain based on the authentication request information;
the second domain comprises a second login module and a second authentication module, and the first identification information is sent to the second domain through the first domain based on a root certificate of the first domain stored in the second domain; wherein
based on the second authentication module storing the root certificate of the first domain, the first login module sends first identification information to the second login module;
acquiring second identification information of a second domain and resource information of the second domain so that the authentication client can access the resource information of the second domain; wherein the second identification information is generated in the second domain based on at least the first identification information.
2. The method of claim 1, wherein sending authentication request information to the first domain comprises,
and sending personal information and a resource code of a user to a first domain, wherein the user corresponds to the authentication client.
3. The method of claim 1, wherein said connecting to the first domain based on the first identification information of the first domain comprises,
the first authorization module generates the first identification information based on the authentication request information;
and connecting with the first login module based on the first identification information.
4. The method of claim 1, wherein the second domain further comprises a second authorization module; the obtaining of the second identification information of the second domain and the resource information of the second domain to enable the authentication client to access the resource information of the second domain includes,
the second authentication module generates the second identification information based on the first identification information and the identity mapping information; the identity mapping information is information obtained by the first identification information in a second domain based on a mapping relation;
the second login module receives second identification information from the second authentication module and sends the second identification information to the second authorization module, and the second authorization module generates resource information based on the second identification information; the second login module receives the resource information;
the second login module sends the second identification information and the resource information to the first login module;
and the authentication client receives the second identification information and the resource information from the first login module to complete authentication so that the authentication client can access the resource information of the second domain.
5. The method of claim 4, wherein the second domain further comprises a mapping database, further comprising, prior to the second authentication module generating the second identification information based on the first identification information and identity mapping information,
the second login module analyzes the first identification information to obtain personal information of the user;
calling identity mapping information corresponding to the personal information of the user from the mapping database;
and the second login module sends the first identification information and the identity mapping information to the second authentication module.
6. The method of claim 4, wherein the second authentication module generates the second identification information based on the first identification information and identity mapping information, including,
the second authentication module compares the root certificate stored in the second authentication module with the first identification information;
when the first identification information can be matched with the root certificate, the second authentication module generates the second identification information based on the first identification information and the identity mapping information.
7. A cross-domain access method applied to an authentication client, the method comprising,
based on any one of the methods in claims 1-6, performing cross-domain authentication from a first domain to a second domain, and accessing resource information of the second domain after the authentication is passed.
CN201911059537.4A 2019-11-01 2019-11-01 Cross-domain authentication method and cross-domain access method Active CN110769001B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911059537.4A CN110769001B (en) 2019-11-01 2019-11-01 Cross-domain authentication method and cross-domain access method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911059537.4A CN110769001B (en) 2019-11-01 2019-11-01 Cross-domain authentication method and cross-domain access method

Publications (2)

Publication Number Publication Date
CN110769001A CN110769001A (en) 2020-02-07
CN110769001B true CN110769001B (en) 2022-05-17

Family

ID=69335202

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911059537.4A Active CN110769001B (en) 2019-11-01 2019-11-01 Cross-domain authentication method and cross-domain access method

Country Status (1)

Country Link
CN (1) CN110769001B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113395160B (en) * 2020-03-11 2022-11-01 大唐移动通信设备有限公司 Certificate management method and device, issuing entity, management entity and vehicle networking equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399671A (en) * 2008-11-18 2009-04-01 中国科学院软件研究所 Cross-domain authentication method and system thereof
CN106161361A (en) * 2015-04-03 2016-11-23 北京神州泰岳软件股份有限公司 The access method of a kind of cross-domain resource and device
CN106341428A (en) * 2016-11-21 2017-01-18 航天信息股份有限公司 Cross-domain access control method and system
CN106790209A (en) * 2017-01-03 2017-05-31 北京并行科技股份有限公司 A kind of login authentication method and system
CN109274694A (en) * 2018-11-14 2019-01-25 天津市国瑞数码安全系统股份有限公司 A kind of general cross-domain authentication method based on mark

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833445B (en) * 2018-07-31 2021-04-16 中国银联股份有限公司 Authentication method and device suitable for Internet of things system

Also Published As

Publication number Publication date
CN110769001A (en) 2020-02-07

Similar Documents

Publication Publication Date Title
CN110213246B (en) Wide-area multi-factor identity authentication system
US8955082B2 (en) Authenticating using cloud authentication
US10708276B2 (en) Authentication system and method
CN111931144B (en) Unified safe login authentication method and device for operating system and service application
US20160125416A1 (en) Authentication system
CA2557143C (en) Trust inheritance in network authentication
CN104767616B (en) A kind of information processing method, system and relevant device
EP1208522A1 (en) System, method and computer program product for allowing access to enterprise resources using biometric devices
JP2012517139A (en) Conversion of a static password system into two-factor authentication
EP1107089A1 (en) Strong authentication method using a telecommunications device
US7512967B2 (en) User authentication in a conversion system
CN104767617A (en) Message processing method, system and related device
CN108881309A (en) Access method and device for a big data platform, electronic equipment and readable storage medium
CN110545274A (en) Method, device and system for UMA service based on people and evidence integration
CN109784024A (en) One kind authenticating FIDO method and system based on the polyfactorial quick online identity of more authenticators
KR102308859B1 (en) Surrogate authentication service system and method based on biometric information
CN112383401B (en) User name generation method and system for providing identity authentication service
US6611916B1 (en) Method of authenticating membership for providing access to a secure environment by authenticating membership to an associated secure environment
CN110769001B (en) Cross-domain authentication method and cross-domain access method
CN105187417B (en) Authority acquiring method and apparatus
CN103428698A (en) Identity strong authentication method of mobile interconnection participants
Taufiq et al. Implementing One-Time Password Mutual Authentication Scheme on Sharing Renewed Finite Random Sub-Passwords Using Raspberry Pi as a Room Access Control to Prevent Replay Attack
CN110505199A (en) Email safe login method based on the asymmetric identity of lightweight
US7631344B2 (en) Distributed authentication framework stack
CN104038482B (en) The method and apparatus of multi-line routing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant