CN110826049A - Single sign-on implementation system based on intelligent enterprise portal - Google Patents

Info

Publication number: CN110826049A (application CN201911114504.5A; granted as CN110826049B)
Authority: CN (China)
Prior art keywords: verification, portal, module, security token, information
Legal status: Granted; Active (status as listed by Google Patents, not a legal conclusion)
Application number: CN201911114504.5A
Other languages: Chinese (zh)
Other versions: CN110826049B (en)
Inventors: 王波, 刘东宇, 孟祥超, 张羽, 王学勇, 杜贝娜, 王佳星, 潘云鹏
Current assignee: Beijing Jinghang Computing Communication Research Institute (as listed by Google Patents)
Original assignee: Beijing Jinghang Computing Communication Research Institute
Events: application filed by Beijing Jinghang Computing Communication Research Institute; priority to CN201911114504.5A; publication of CN110826049A; application granted; publication of CN110826049B

Classifications

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING)
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
            • G06F21/31 User authentication
                • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
                • G06F21/33 User authentication using certificates
        • G06F21/60 Protecting data
            • G06F21/602 Providing cryptographic facilities or services
            • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/2117 User registration
            • G06F2221/2151 Time stamp

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the technical field of the internet and relates in particular to a single sign-on implementation system based on an intelligent enterprise portal. The system applies a uniform authentication standard to application systems developed on a variety of technical frameworks, in particular realizes authentication of CS (client/server) framework systems, and has the advantages of little modification work on the application systems and a high degree of standardization. The system has no mandatory requirement for HTTPS or a domain name; the whole verification process of a BS (browser/server) system is carried out on the back-end server, and, compared with approaches that store the verification information in a cookie, the use of strong encryption and a complete authentication procedure effectively reduces the risk that the verification information is maliciously intercepted and tampered with. The system is used as a functional module of the intelligent enterprise portal system, combines with the portal's unified users and unified permissions, and effectively solves the problem of enterprise information silos.

Description

Single sign-on implementation system based on intelligent enterprise portal
Technical Field
The invention belongs to the technical field of the internet and relates in particular to a single sign-on implementation system based on an intelligent enterprise portal.
Background
In recent years, with the deepening application of systems such as OA, PDM and ERP, building an intelligent enterprise portal system that effectively integrates existing information resources and shares heterogeneous information has gradually become a focus of IT construction for enterprises at home and abroad. Abroad, portal systems have been included in the information planning of many multinational enterprises and large and medium-sized enterprises. In China, the construction of enterprise portal systems is most advanced in industries such as telecommunications, finance, petrochemicals, electric power, aerospace and the military. For example, the aerospace science and industry group has built an intelligent enterprise portal system that integrates application systems such as OA, mail and AVIDM; the integration of the enterprise portal is realized through cross-system single sign-on, unified user interfaces and the like, giving employees a unified working platform.
After a user logs in to the portal, a single identity verification lets the user seamlessly access all authorized network resources without entering the verification information of the other application systems again, which improves the user's working efficiency and reduces the probability of system errors.
Currently, the mainstream single sign-on methods use cookies as the credential medium, JSONP, or page redirection, and the single sign-on technologies and protocols derived from them, such as CAS and OAuth2, are widely applied in internet enterprises. In state-owned enterprises, however, informatization is built in stages over many years, and application systems constructed in different periods may differ in development technology and architecture: for example, a PDM system and an MRPII system developed in C#, an OA system developed on .NET, a website system developed in PHP, a financial system developed in Java and a retrieval system developed in Python, with both CS and BS architectures among them. CAS and OAuth2 require modifying and developing the client side of each application system, so for older technology they have poor compatibility, are unfriendly to integrate and entail a large modification workload; for a system with a CS framework they basically cannot be used for the modification at all. At the same time, the CAS authentication mechanism recommends the HTTPS protocol and domain-name access, requirements that many enterprises, especially military intranet environments, cannot meet. Although these requirements can be bypassed by other technical means during development, doing so introduces risk into the authentication process and reduces overall security.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is as follows: how, on the basis of building an intelligent enterprise portal system (hereinafter referred to as the portal system), to realize within the portal system a single sign-on method that fits the situation of informatization construction in state-owned enterprises, and thereby solve the problems of high transformation difficulty for application systems and risk in the authentication process.
(II) technical scheme
In order to solve the above technical problem, the present invention provides a single sign-on implementation system based on an intelligent enterprise portal, including: a portal system side component and an application system side component;
the portal system side component comprises: the system comprises an authentication module, a cache service module, a security token acquisition module, a comparison module, a decryption module, a verification module and a feedback module;
the authentication module includes: the system comprises a security token generation unit and an address calling and information sending unit;
the application system side component comprises: a registration application module and a callback module;
wherein:
the registration application module is used for sending registration information to the portal system and registering the application system to which the registration application module belongs; the registration information includes: the name of the application system, the unique identifier of the application system and the address of the single sign-on authentication interface;
the authentication module is used for actively initiating an authentication request to the application system according to the registration information of the application system when a user accesses the application system in the portal system, and performing handshake verification;
specifically: the security token generation unit generates a security token for the authentication request; the security token comprises session control information, the unique user identity identifier, the unique application system identifier, the server timestamp of the current request and a random number; the encryption module then encrypts this information and stores the random number and the security token in the cache service module as a key-value pair;
after the security token generating unit generates a security token, the address calling and information sending unit calls a single sign-on authentication interface address of the application system, starts a first handshake process, and sends a portal system calling request comprising the security token, a random number and a portal callback verification address to the application system;
the callback module is used for acquiring the security token, the random number and the portal system callback verification address after the application system receives the portal system call request, then calling the portal system callback verification address, forming verification information from the three parameters security token, random number and unique identifier of the application system, transmitting the verification information to the portal system and starting the second handshake process;
the security token acquisition module is used for acquiring a security token in the cache service module through a random number in a key-value pair mode after the portal system receives verification information returned by the application system;
under the conditions of stable service operation, smooth network communication, no malicious attack and the like, the security token can be obtained by the method, and the next verification step is executed;
if the security token cannot be acquired, indicating that the verification process is abnormal, and performing exception handling by the feedback module;
after the portal system acquires the security token, information verification is carried out;
the comparison module is used for comparing the security token acquired from the cache service module with the security token returned in the verification information sent back by the application system's callback;
if the two are inconsistent, the request may have been maliciously intercepted and tampered with, and the feedback module performs exception handling;
if the information comparison is consistent, the decryption module decrypts the security token, and then the verification module verifies the validity of the session control information, the unique user identity identifier, the unique application system identifier, the timestamp and the random number which are obtained after decryption;
if the validity verification passes all, starting a third handshake process;
if not, the verification information is invalid and the feedback module performs exception handling;
the feedback module is used for generating verification result success feedback information by the unique user identifier and the verification success identifier under the condition that the identity verification request passes and returning the verification result success feedback information to the application system;
the login module of the application system is used for logging the user in to the system after receiving the verification result success feedback information and the unique user identifier; the third handshake process then finishes, and the single sign-on process is complete;
the feedback module is also used for generating verification result failure feedback information from a failure identifier and the specific failure reason when exception handling is performed, and returning it to the application system; the single sign-on process then ends.
And the encryption module encrypts the session control information, the unique user identity identifier, the unique application system identifier, the timestamp of the current request server and the random number by adopting a symmetric encryption algorithm.
Aiming at the application system of the BS framework, the address calling and information sending unit writes the encrypted security token, the random number and the portal callback verification address into a message header of an HTTP (hyper text transport protocol) protocol through a client programming toolkit supporting the HTTP protocol, forms a portal system calling request and transmits the portal system calling request to the application system, so that the probability of interception and tampering by a malicious system is reduced.
For the application system of the CS framework, if the portal system uses the IE browser, the address calling and information sending unit calls the CS client through a script command via the component object model of the IE browser;
if the portal system uses the Firefox or Google browser, the address calling and information sending unit calls the CS client through a Netscape Plugin Application Programming Interface (NPAPI) plug-in; it then forms a portal system call request from the security token, the random number and the portal system callback verification address, and passes the request to the CS client as parameters.
After receiving a portal system call request, an application system of a BS framework acquires a security token, a random number and a portal system callback verification address in a message header of an HTTP protocol.
When the application system of the CS framework receives the portal request, the security token, the random number and the portal system callback verification address are obtained through the client and then transmitted to the server of the application system of the CS framework.
And the unique identifier of the application system when the callback module forms the verification information is consistent with the unique identifier of the application system in the registration information sent to the portal system by the registration application module.
The verification module performs validity verification on the session control information, the unique user identity identifier, the unique application system identifier, the timestamp and the random number which are obtained after decryption as follows:
(1) verifying whether the session control information is valid in the current portal system;
(2) verifying whether the unique identifier of the application system in the decrypted token is consistent with the unique identifier of the application system returned in the verification information of the application system's callback;
(3) verifying the difference between the timestamp and the current time of the portal system server; if this difference is greater than a preset authentication time threshold, the request is invalidated.
The authentication time threshold is 1500 ms.
And the feedback module feeds back information of successful verification results to the application system and deletes the security token data requested this time in the cache service module.
(III) advantageous effects
Compared with the prior art, the invention has the following beneficial effects:
(1) The system can apply a uniform authentication standard to application systems developed on a variety of technical frameworks, in particular realizes authentication of CS framework systems, and has the advantages of little modification work on the application systems and a high degree of standardization.
(2) The system has no mandatory requirement for HTTPS or a domain name; the whole verification process of the BS system is carried out on the back-end server, and, compared with approaches that store the verification information in a cookie, strong encryption and a complete authentication procedure effectively reduce the risk that the verification information is maliciously intercepted and tampered with.
(3) The system is used as a functional module of the intelligent enterprise portal system, combines with the portal's unified users and unified permissions, and effectively solves the problem of enterprise information silos.
In summary, compared with technologies such as CAS and OAuth2, the system is better suited to the requirements of integrating the various information systems of state-owned enterprises.
Drawings
Fig. 1 is a schematic diagram of the single sign-on authentication process.
Fig. 2 is a schematic diagram of the interaction between the portal and an application system.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
In order to solve the above technical problem, the present invention provides a single sign-on implementation system based on an intelligent enterprise portal, including: a portal system side component and an application system side component;
the portal system side component comprises: the system comprises an authentication module, a cache service module, a security token acquisition module, a comparison module, a decryption module, a verification module and a feedback module;
the authentication module includes: the system comprises a security token generation unit and an address calling and information sending unit;
the application system side component comprises: a registration application module and a callback module;
wherein:
the registration application module is used for sending registration information to the portal system and registering the application system to which the registration application module belongs; the registration information includes: the name of the application system, the unique identifier of the application system and the address of the single sign-on authentication interface;
the authentication module is used for actively initiating an authentication request to the application system according to the registration information of the application system when a user accesses the application system in the portal system, and performing handshake verification;
specifically: the security token generation unit generates a security token for the authentication request; the security token comprises session control information, the unique user identity identifier, the unique application system identifier, the server timestamp of the current request and a random number; the encryption module then encrypts this information and stores the random number and the security token in the cache service module as a key-value pair;
after the security token generating unit generates a security token, the address calling and information sending unit calls a single sign-on authentication interface address of the application system, starts a first handshake process, and sends a portal system calling request comprising the security token, a random number and a portal callback verification address to the application system;
the callback module is used for acquiring the security token, the random number and the portal system callback verification address after the application system receives the portal system call request, then calling the portal system callback verification address, forming verification information from the three parameters security token, random number and unique identifier of the application system, transmitting the verification information to the portal system and starting the second handshake process;
the security token acquisition module is used for acquiring a security token in the cache service module through a random number in a key-value pair mode after the portal system receives verification information returned by the application system;
under the conditions of stable service operation, smooth network communication, no malicious attack and the like, the security token can be obtained by the method, and the next verification step is executed;
if the security token cannot be acquired, indicating that the verification process is abnormal, and performing exception handling by the feedback module;
after the portal system acquires the security token, information verification is carried out;
the comparison module is used for comparing the security token acquired from the cache service module with the security token returned in the verification information sent back by the application system's callback;
if the two are inconsistent, the request may have been maliciously intercepted and tampered with, and the feedback module performs exception handling;
if the information comparison is consistent, the decryption module decrypts the security token, and then the verification module verifies the validity of the session control information, the unique user identity identifier, the unique application system identifier, the timestamp and the random number which are obtained after decryption;
if the validity verification passes all, starting a third handshake process;
if not, the verification information is invalid and the feedback module performs exception handling;
the feedback module is used for generating verification result success feedback information by the unique user identifier and the verification success identifier under the condition that the identity verification request passes and returning the verification result success feedback information to the application system;
the login module of the application system is used for logging the user in to the system after receiving the verification result success feedback information and the unique user identifier; the third handshake process then finishes, and the single sign-on process is complete;
the feedback module is also used for generating verification result failure feedback information from a failure identifier and the specific failure reason when exception handling is performed, and returning it to the application system; the single sign-on process then ends.
And the encryption module encrypts the session control information, the unique user identity identifier, the unique application system identifier, the timestamp of the current request server and the random number by adopting a symmetric encryption algorithm.
Aiming at the application system of the BS framework, the address calling and information sending unit writes the encrypted security token, the random number and the portal callback verification address into a message header of an HTTP (hyper text transport protocol) protocol through a client programming toolkit supporting the HTTP protocol, forms a portal system calling request and transmits the portal system calling request to the application system, so that the probability of interception and tampering by a malicious system is reduced.
For the application system of the CS framework, if the portal system uses the IE browser, the address calling and information sending unit calls the CS client through a script command via the component object model of the IE browser;
if the portal system uses the Firefox or Google browser, the address calling and information sending unit calls the CS client through a Netscape Plugin Application Programming Interface (NPAPI) plug-in; it then forms a portal system call request from the security token, the random number and the portal system callback verification address, and passes the request to the CS client as parameters.
After receiving a portal system call request, an application system of a BS framework acquires a security token, a random number and a portal system callback verification address in a message header of an HTTP protocol.
When the application system of the CS framework receives the portal request, the security token, the random number and the portal system callback verification address are obtained through the client and then transmitted to the server of the application system of the CS framework.
And the unique identifier of the application system when the callback module forms the verification information is consistent with the unique identifier of the application system in the registration information sent to the portal system by the registration application module.
The verification module performs validity verification on the session control information, the unique user identity identifier, the unique application system identifier, the timestamp and the random number which are obtained after decryption as follows:
(1) verifying whether the session control information is valid in the current portal system;
(2) verifying whether the unique identifier of the application system in the decrypted token is consistent with the unique identifier of the application system returned in the verification information of the application system's callback;
(3) verifying the difference between the timestamp and the current time of the portal system server; if this difference is greater than a preset authentication time threshold, the request is invalidated.
The authentication time threshold is 1500 ms.
And the feedback module feeds back information of successful verification results to the application system and deletes the security token data requested this time in the cache service module.
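The handshake laid out above (token generation and caching, the call request, the application's callback, then the lookup by random number, comparison, decryption and validity checks with the 1500 ms threshold) as an added Go example; this is not code from the patent. Assumed here, because the text does not fix them: AES-GCM as the symmetric mode, JSON as the token encoding, the callback path /portal/sso/verify, all type and function names, registration reduced to a known application id, and deleting the cache entry on every outcome rather than only on success.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"time"
)

// SecurityToken holds the five fields the patent lists for the security token.
type SecurityToken struct {
	Session   string `json:"session"`
	UserID    string `json:"user_id"`
	AppID     string `json:"app_id"`
	Timestamp int64  `json:"ts_ms"` // portal server time of the request, in ms
	Nonce     string `json:"nonce"` // the patent's "random number"
}

// Handshake messages: portal -> application (HTTP headers in the BS case), application -> portal callback address, portal -> application.
type CallRequest struct{ Token, Nonce, CallbackURL string }
type VerifyInfo struct{ Token, Nonce, AppID string }
type Feedback struct {
	OK             bool
	UserID, Reason string // Reason is the patent's "specific failure reason"
}

const authTimeThreshold = 1500 * time.Millisecond // the patent's threshold

// Portal is the portal-side component; cache is the patent's cache service module, now is an injectable clock.
type Portal struct {
	aead     cipher.AEAD
	sessions map[string]bool   // sessions currently valid in the portal
	cache    map[string]string // random number -> hex(iv || ciphertext || tag)
	now      func() time.Time
}

// NewPortal takes a 16/24/32-byte AES key; AES-GCM is an assumption, the patent only says "symmetric encryption (AES)".
func NewPortal(key []byte, now func() time.Time) (*Portal, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Portal{aead, map[string]bool{}, map[string]string{}, now}, nil
}

func (p *Portal) OpenSession(s string) { p.sessions[s] = true } // portal login itself is out of scope
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read does not fail on supported platforms
	return b
}

// Initiate is step 2: build, encrypt and cache the token, then form the call request for the application.
func (p *Portal) Initiate(session, userID, appID string) CallRequest {
	nonce := hex.EncodeToString(randBytes(16))
	plain, _ := json.Marshal(SecurityToken{session, userID, appID, p.now().UnixMilli(), nonce})
	iv := randBytes(p.aead.NonceSize())
	ct := hex.EncodeToString(p.aead.Seal(iv, iv, plain, nil))
	p.cache[nonce] = ct
	return CallRequest{ct, nonce, "/portal/sso/verify"} // callback path is a placeholder
}

// Verify handles the second handshake in the patent's order: look up by random number, compare, decrypt, validate, give feedback.
func (p *Portal) Verify(v VerifyInfo) Feedback {
	cached, ok := p.cache[v.Nonce]
	if !ok {
		return Feedback{Reason: "no cached token for nonce"}
	}
	delete(p.cache, v.Nonce) // patent: delete on success; deleting on every outcome (assumed) also denies retries
	if cached != v.Token {
		return Feedback{Reason: "token mismatch: request possibly tampered"}
	}
	raw, _ := hex.DecodeString(cached) // well-formed: the portal produced it
	var tok SecurityToken
	plain, err := p.aead.Open(nil, raw[:p.aead.NonceSize()], raw[p.aead.NonceSize():], nil)
	if err != nil || json.Unmarshal(plain, &tok) != nil {
		return Feedback{Reason: "token decryption failed"}
	}
	skew := p.now().Sub(time.UnixMilli(tok.Timestamp))
	switch { // the cache lookup already bound the random number to this token
	case !p.sessions[tok.Session]:
		return Feedback{Reason: "session not valid in portal"}
	case tok.AppID != v.AppID:
		return Feedback{Reason: "application id mismatch"}
	case skew > authTimeThreshold || skew < -authTimeThreshold:
		return Feedback{Reason: "request outside authentication time threshold"}
	}
	return Feedback{OK: true, UserID: tok.UserID}
}

// Application is the application-side callback module: it returns the token and random number with the unique identifier it registered under.
type Application struct{ ID string }

func (a Application) Callback(r CallRequest) VerifyInfo {
	return VerifyInfo{r.Token, r.Nonce, a.ID}
}
```

Calling Verify a second time with the same callback fails with "no cached token for nonce", because the entry keyed by the random number was consumed by the first call.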
In addition, the present invention also provides a method for implementing single sign-on based on an intelligent enterprise portal, as shown in fig. 1 and fig. 2, the method is implemented based on a single sign-on implementation system, and the single sign-on implementation system includes: a portal system side component and an application system side component;
the portal system side component comprises: the system comprises an authentication module, a cache service module, a security token acquisition module, a comparison module, a decryption module, a verification module and a feedback module;
the authentication module includes: the system comprises a security token generation unit and an address calling and information sending unit;
the application system side component comprises: a registration application module and a callback module;
the method comprises the following steps:
step 1: the registration application module sends registration information to a portal system and registers an application system to which the registration application module belongs;
the registration information includes: the name of the application system, the unique identifier of the application system and the address of the single sign-on authentication interface;
step 2: when a user accesses the application system in the portal system, the authentication module actively initiates an authentication request to the application system according to the registration information of the application system, and handshake verification is carried out;
the method specifically comprises the following steps:
step 21: the security token generation unit generates a security token for the authentication request; the security token comprises: session control information (session), a unique user identity identifier, a unique application system identifier, the server timestamp of the current request and a random number; the encryption module then encrypts this information with a symmetric encryption algorithm (AES) and stores the random number and the security token in the cache service module as a key-value pair;
step 22: after the security token generating unit generates a security token, the address calling and information sending unit calls a single sign-on authentication interface address of the application system, starts a first handshake process, and sends a portal system calling request comprising the security token, a random number and a portal callback verification address to the application system;
for an application system of the BS framework, the address calling and information sending unit writes the encrypted security token, the random number and the portal callback verification address into the message header of the HTTP (Hypertext Transfer Protocol) protocol through a client programming toolkit supporting the HTTP protocol, forming a portal system calling request that is transmitted to the application system, so as to reduce the probability of interception and tampering by a malicious system;
for an application system of the CS framework, if the portal system uses the IE browser, the address calling and information sending unit calls the CS client via a script command through a component object model (ActiveX control) of the IE browser; if the portal system uses a Firefox or Google browser, the address calling and information sending unit calls the CS client through a Netscape Plugin Application Programming Interface (NPAPI) plug-in; then the security token, the random number and the portal system callback verification address form a portal system calling request and are transmitted to the CS client as parameters;
step 3: when an application system of the BS framework receives a portal system call request, the security token, the random number and the portal system callback verification address are obtained from the message header of the HTTP protocol;
when the application system of the CS framework receives a portal request, the security token, the random number and the portal system callback verification address are obtained through a client and then transmitted to a server of the application system of the CS framework;
step 4: in the application system of the BS/CS framework, the callback module calls the portal system callback verification address, forms verification information from three parameters, namely the security token, the random number and the application system unique identifier (consistent with the registration in the portal system), and transmits the verification information to the portal system to start a second handshake process;
step 5: after the portal system receives the verification information returned by the application system, the security token acquisition module retrieves the security token from the cache service module using the random number as the key of the key-value pair;
under conditions of stable service operation, smooth network communication, no malicious attack and the like, the security token can be obtained in this way, and step 6 is executed for the next verification step;
if the security token cannot be obtained, the verification process is abnormal, and step 9 is executed for exception handling;
step 6: after the portal system acquires the security token, information verification is carried out;
the comparison module compares the security token acquired in the cache service module with the security token returned in the verification information recalled by the application system;
if the comparison is inconsistent, the request may have been maliciously intercepted and tampered with, and step 10 is entered for exception handling;
if the comparison is consistent, the decryption module decrypts the security token, and the verification module then verifies the validity of the session control information (session), the unique user identity, the unique application system identity, the timestamp and the random number obtained after decryption, in the following three respects:
step 61: verifying whether session control information (session) is valid in a current portal system;
step 62: verifying whether the unique identification of the application system is consistent with the unique identification of the application system returned from the verification information of the callback of the application system;
step 63: verifying the difference between the timestamp and the current time of the portal system server; if the difference is greater than a preset authentication time threshold (for example, 1500 ms), the request is determined to be invalid;
if the validity verification is passed, performing step 7, and starting a third handshake process;
if any item fails, the verification information is invalid, and step 9 is entered for exception handling;
step 7: reaching this step indicates that the identity authentication request has passed; the feedback module of the portal system generates verification result success feedback information from the unique user identifier and the verification success identifier, returns it to the application system, and deletes the security token data of this request from the cache service module;
step 8: the login module of the application system receives the verification result success feedback information and the unique user identifier and logs in to the system; the third handshake process is finished, and the single sign-on process is complete;
step 9: the feedback module generates verification result failure feedback information from the failure identifier for the failure in step 5 or step 6 together with the corresponding failure reason, and returns it to the application system; the single sign-on process ends.
In step 21, the encryption module encrypts the session control information, the unique user identity, the unique application system identity, the timestamp of the current request server and the random number using a symmetric encryption algorithm (AES).
In step 22, for the application system of the BS architecture, the address invoking and information sending unit writes the encrypted security token, the random number, and the portal callback verification address into a message header of the HTTP protocol through a client programming toolkit supporting the HTTP protocol, and forms a portal system invoking request and transmits the portal system invoking request to the application system, so as to reduce the probability of interception and tampering by a malicious system.
In step 22, for the CS-structured application system, if the portal system uses the IE browser, the address calling and information sending unit calls the CS client via a script command through a component object model (ActiveX control) of the IE browser;
if the portal system uses a Firefox or Google browser, the address calling and information sending unit calls the CS client through a Netscape Plugin Application Programming Interface (NPAPI) plug-in; the security token, the random number and the portal system callback verification address then form a portal system call request, which is transmitted to the CS client as parameters.
In step 3, after the application system of the BS architecture receives the portal system call request, the security token, the random number, and the portal system callback verification address are obtained in the message header of the HTTP protocol.
In step 3, when the application system of the CS architecture receives the portal request, the security token, the random number, and the portal system callback verification address are obtained through the client, and then the obtained security token, random number, and portal system callback verification address are transmitted to the server of the application system of the CS architecture.
The unique application system identifier in step 4 is kept consistent with the unique application system identifier registered in step 1.
In step 6, the verification module performs validity verification on the session control information (session), the unique user identity, the unique application system identity, the timestamp and the random number, which are obtained after decryption, as follows:
step 61: verifying whether session control information (session) is valid in a current portal system;
step 62: verifying whether the unique identification of the application system is consistent with the unique identification of the application system returned from the verification information of the callback of the application system;
step 63: verifying the difference between the timestamp and the current time of the portal system server; if the difference is greater than a preset authentication time threshold (for example, 1500 ms), the request is invalid.
In step 63, the authentication time threshold is 1500 ms.
In step 7, the verification result success feedback information is returned to the application system, and the security token data of this request in the cache service module is deleted.
Example 1
As shown in fig. 1 and fig. 2, the present embodiment includes the following steps:
step 1: the invention realizes the single sign-on method based on the portal system, and the portal system realizes the registration function of the application system. Taking the example of realizing single sign-on by a certain system, in the registration function of the application system, the name of the system, the unique system identifier and the single sign-on authentication interface address are registered. And the user enters the portal system, clicks the system menu in the portal system, starts to initiate an authentication request to the system and performs handshake verification.
Step 2: the portal background generates a security token: it concatenates the control information (session), the user name, the system unique identifier, the current server time and a random number as a string, encrypts the string with the AES symmetric encryption algorithm using a self-written encryption function EncryptAES(), and then puts the encrypted security token and the random number into the cache service as a key-value pair.
Step 3: the portal system writes three parameters, namely the security token, the random number and the portal system callback verification address, into the message header of the HTTP (Hypertext Transfer Protocol) using a client programming toolkit supporting HTTP (HttpClient technology), and transmits them to the single sign-on interface of the application system.
Step 4: in the single sign-on interface code logic of the application system, the parameters in the HTTP message header, such as the security token, the random number and the portal system callback verification address, are obtained from the request.
Step 5: the application system calls the portal system callback verification address using technologies such as CXF, Axis2 or RPC, and transmits the security token, the random number and the system unique identifier back to the portal system.
Step 6: after the portal system obtains the returned parameters, it uses the random number as the key to obtain the security token from the caching service.
Step 7: the portal performs the authentication process. If the security token returned by the application system is equal to the security token obtained from the cache service, validity verification is performed. AES decryption of the security token yields the control information (session), the user name, the unique system identifier, the timestamp and the random number. The following three validity verifications are carried out: 1. verify whether the control information (session) is valid in the current portal system; 2. verify whether the system unique identifier is consistent with the system unique identifier returned by the callback verification of the application system; 3. verify the server time parameter time by comparing it with the current server time nowTime, and judge whether the time difference (nowTime - time) is smaller than the set safety threshold. If the verification passes, the process proceeds to step 8.
Step 8: an authentication success message and the username are returned, and the Token value in Redis is deleted.
Step 9: the application system receives the returned success value and the unique user name identifier and logs in to the application system.
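The portal-side part of the handshake described in steps 21 to 9 above and again in Example 1 (token generation and caching, then cache lookup, token comparison, decryption, the three validity checks and single-use deletion), as an added Go example that is not code from the patent. Assumptions: AES-GCM as the AES mode, a "|"-joined field layout inside the token, an in-memory map standing in for the cache service, and the names Portal, NewPortal, Issue and Verify; the 1500 ms threshold is the page's own value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)

// AuthTimeThreshold is the step 63 threshold the page gives (1500 ms).
const AuthTimeThreshold = 1500 * time.Millisecond

// Portal models the portal-side components: the AES key, the cache service
// (random number -> encrypted security token, step 21) and the valid sessions.
type Portal struct {
	aead     cipher.AEAD
	cache    map[string][]byte // stands in for the cache service (Redis in Example 1)
	Sessions map[string]bool   // sessions currently valid in the portal (step 61)
	now      func() time.Time  // injectable clock so the timeout check is testable
}

// NewPortal takes a 16/24/32-byte AES key. AES-GCM is an assumption: the page
// says only "AES"; GCM also authenticates the ciphertext, so a modified token
// fails decryption instead of decrypting to garbage fields.
func NewPortal(key []byte, now func() time.Time) (*Portal, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Portal{aead: aead, cache: map[string][]byte{}, Sessions: map[string]bool{}, now: now}, nil
}

// Issue performs step 21: builds "session|user|app|timestampMillis|random",
// encrypts it and caches the token under the random number. The caller then
// sends token, random number and callback address to the application (step 22);
// the transport (HTTP header or CS client parameters) is out of scope here.
func (p *Portal) Issue(session, user, app string) (token []byte, random string, err error) {
	buf := make([]byte, 16+p.aead.NonceSize()) // random number || GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, "", err
	}
	random = hex.EncodeToString(buf[:16])
	nonce := buf[16:]
	plain := strings.Join([]string{session, user, app,
		strconv.FormatInt(p.now().UnixMilli(), 10), random}, "|")
	token = p.aead.Seal(append([]byte(nil), nonce...), nonce, []byte(plain), nil) // nonce || ciphertext
	p.cache[random] = token
	return token, random, nil
}

// Verify performs steps 5 to 7 and 9 on the callback parameters of step 4:
// cache lookup, token comparison, decryption, the three validity checks and
// one-time deletion of the token. It returns the unique user identifier.
func (p *Portal) Verify(token []byte, random, appID string) (string, error) {
	cached, ok := p.cache[random]
	if !ok {
		return "", errors.New("step 5: no security token cached for this random number")
	}
	if subtle.ConstantTimeCompare(cached, token) != 1 {
		return "", errors.New("step 6: returned token differs from cached token (possible tampering)")
	}
	ns := p.aead.NonceSize()
	plain, err := p.aead.Open(nil, token[:ns], token[ns:], nil)
	if err != nil {
		return "", errors.New("step 6: decryption failed")
	}
	f := strings.Split(string(plain), "|")
	if len(f) != 5 {
		return "", errors.New("step 6: malformed token")
	}
	session, user, app, tsStr, rnd := f[0], f[1], f[2], f[3], f[4]
	if !p.Sessions[session] {
		return "", errors.New("step 61: session is not valid in the portal")
	}
	if app != appID || rnd != random {
		return "", errors.New("step 62: application identifier or random number mismatch")
	}
	ts, err := strconv.ParseInt(tsStr, 10, 64)
	if err != nil || p.now().Sub(time.UnixMilli(ts)) > AuthTimeThreshold {
		return "", errors.New("step 63: timestamp missing or older than the authentication time threshold")
	}
	delete(p.cache, random) // step 7: the token is single-use; a replayed callback now fails at step 5
	return user, nil
}
```

Because step 7 deletes the cached token, a second callback carrying the same random number is rejected at step 5, which is what makes a replayed verification message harmless.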
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A single sign-on implementation system based on an intelligent enterprise portal, the single sign-on implementation system comprising: a portal system side component and an application system side component;
the portal system side component comprises: an authentication module, a cache service module, a security token acquisition module, a comparison module, a decryption module, a verification module and a feedback module;
the authentication module comprises: a security token generation unit and an address calling and information sending unit;
the application system side component comprises: a registration application module and a callback module;
wherein:
the registration application module is used for sending registration information to the portal system and registering the application system to which the registration application module belongs; the registration information includes: the name of the application system, the unique identifier of the application system and the address of the single sign-on authentication interface;
the authentication module is used for actively initiating an authentication request to the application system according to the registration information of the application system when a user accesses the application system in the portal system, and performing handshake verification;
specifically: the security token generation unit generates a security token for the authentication request; the security token comprises: session control information, a unique user identity identifier, a unique application system identifier, a timestamp of the current request server and a random number; the encryption module then encrypts the information and stores the random number and the security token in the cache service module as a key-value pair;
after the security token generating unit generates a security token, the address calling and information sending unit calls a single sign-on authentication interface address of the application system, starts a first handshake process, and sends a portal system calling request comprising the security token, a random number and a portal callback verification address to the application system;
the callback module is used for acquiring a security token, a random number and a portal system callback verification address after the application system receives a portal system calling request; the system is used for calling the portal system to call back the verification address, forming verification information by the three parameters of the security token, the random number and the unique identifier of the application system, transmitting the verification information to the portal system and starting a second handshake process;
the security token acquisition module is used for acquiring a security token in the cache service module through a random number in a key-value pair mode after the portal system receives verification information returned by the application system;
under the conditions of stable service operation, smooth network communication, no malicious attack and the like, the security token can be obtained by the method, and the next verification step is executed;
if the security token cannot be acquired, indicating that the verification process is abnormal, and performing exception handling by the feedback module;
after the portal system acquires the security token, information verification is carried out;
the comparison module is used for comparing the security token acquired in the cache service module with the security token returned in the verification information recalled by the application system;
if the comparison information is inconsistent, the request is possibly maliciously intercepted and tampered, and the feedback module performs exception processing;
if the information comparison is consistent, the decryption module decrypts the security token, and then the verification module verifies the validity of the session control information, the unique user identity identifier, the unique application system identifier, the timestamp and the random number which are obtained after decryption;
if the validity verification passes all, starting a third handshake process;
if not, indicating that the verification information is invalid, and carrying out exception handling by a feedback module;
the feedback module is used for generating verification result success feedback information by the unique user identifier and the verification success identifier under the condition that the identity verification request passes and returning the verification result success feedback information to the application system;
the login module of the application system is used for logging in the system after receiving the successful feedback information of the verification result and the unique user identifier; the third handshake process is finished, and the single sign-on process is finished;
the feedback module is also used, when exception handling is performed, for generating verification result failure feedback information from the failure identifier of the failed verification together with the corresponding failure reason, and returning the verification result failure feedback information to the application system; the single sign-on process ends.
2. The intelligent enterprise portal-based single sign-on enabling system of claim 1, wherein the encryption module encrypts the session control information, the unique user id, the unique application id, the timestamp of the currently requesting server, and the random number using a symmetric encryption algorithm.
3. The system of claim 1, wherein for the BS-based application system, the address invocation and information transmission unit writes the encrypted security token, random number, and portal callback verification address into a message header of the HTTP protocol via a client programming toolkit supporting the HTTP protocol, and forms a portal system invocation request to be transmitted to the application system, so as to reduce the possibility of being intercepted and tampered by a malicious system.
4. The system of claim 1, wherein for the CS-based application system, if the portal system uses an IE browser, the address calling and information sending unit calls the CS client via a script command through a component object model of the IE browser;
if the portal system uses a Firefox browser or a Google browser, the address calling and information sending unit calls the CS client through a Netscape Plugin Application Programming Interface plug-in; the security token, the random number and the portal system callback verification address then form a portal system call request, which is transmitted to the CS client as parameters.
5. The system of claim 3, wherein the security token, the random number, and the portal system callback authentication address are obtained in a message header of an HTTP protocol when the application system of the BS architecture receives the portal system call request.
6. The system of claim 4, wherein the CS framework application system receives the portal request, obtains the security token, the random number, and the portal system callback verification address through the client, and transmits the security token, the random number, and the portal system callback verification address to the server of the CS framework application system.
7. The system of claim 1, wherein the unique identifier of the application system used by the callback module when forming the verification information is kept consistent with the unique identifier of the application system in the registration information sent to the portal system by the registration application module.
8. The system for implementing single sign-on based on intelligent enterprise portal of claim 1, wherein the verification module performs validity verification on the session control information, the unique user identity, the unique application system identity, the timestamp and the random number obtained after decryption as follows:
(1) verifying whether the session control information is valid in the current portal system;
(2) verifying whether the unique identification of the application system is consistent with the unique identification of the application system returned from the verification information of the callback of the application system;
(3) verifying the difference between the timestamp and the current time of the portal system server, and if the difference is greater than a preset authentication time threshold, invalidating the request.
9. The intelligent enterprise portal-based single sign-on fulfillment system as claimed in claim 8 wherein said authentication time threshold is 1500 ms.
10. The system of claim 1, wherein the feedback module feeds back information of successful verification result to the application system and deletes the security token data requested this time in the cache service module.
CN201911114504.5A 2019-11-14 2019-11-14 Single sign-on implementation system based on intelligent enterprise portal Active CN110826049B (en)

Publications (2)

Publication Number Publication Date
CN110826049A (en) 2020-02-21
CN110826049B (en) 2022-02-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant