CN110944021A - Method and system for campus unified authentication and single sign-on - Google Patents

Info

Publication number: CN110944021A
Application number: CN201911411263.0A
Authority: CN (China)
Legal status: Withdrawn (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 汪忠国
Current assignee: Anhui Institute of Information Engineering
Original assignee: Anhui Institute of Information Engineering
Prior art keywords: authentication, single sign, campus, login information, authorization

Classifications

    • H04L63/0815: Network architectures or network communication protocols for network security; authentication of entities providing single-sign-on or federations
    • H04L63/0876: Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10: Network architectures or network communication protocols for network security; controlling access to devices or network resources
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • G06Q50/20: Information and communication technology specially adapted for administrative, commercial, financial, managerial or supervisory purposes; services; Education

Abstract

The embodiment of the invention provides a campus unified authentication and single sign-on method and a campus unified authentication and single sign-on system, wherein the campus unified authentication and single sign-on method comprises the following steps: acquiring user login information; performing first authentication on the user login information; authorizing the user under the condition that the first authentication is passed; and caching the user login information. The method solves the problems that in the prior art, students and teachers are required to memorize a large number of accounts and passwords for different website applications, the operation is very inconvenient, and the data security cannot be guaranteed.

Description

Method and system for campus unified authentication and single sign-on
Technical Field
The invention relates to the technical field of information security, in particular to a campus unified authentication and single sign-on method and system.
Background
With the rapid development of the information age, smart campus construction at colleges and universities is advancing continuously, and campus application systems are multiplying. Students and teachers are therefore required to remember a large number of accounts and passwords for different web applications, which is very inconvenient and leaves data security unguaranteed.
Therefore, the present invention provides a method and a system that authenticate through an open authorization scheme during use, ensure the data security of the system, and implement campus unified authentication and single sign-on.
Disclosure of Invention
In view of these technical problems, the invention aims to solve the problems of the prior art, in which students and teachers are required to memorize a large number of accounts and passwords for different web applications, operation is very inconvenient, and data security is not ensured, so that the method and the system can provide open-authorization-mode authentication during use, ensure the data security of the system, and realize campus unified authentication and single sign-on.
In order to achieve the above object, an embodiment of the present invention provides a campus unified authentication and single sign-on method, where the method includes:
acquiring user login information;
performing first authentication on the user login information;
authorizing the user under the condition that the first authentication is passed;
and caching the user login information.
Preferably, the authorization uses the OAUTH protocol.
Preferably, the authorization comprises the steps of:
the application program applies for a request token from the service provider, and the service provider returns the request token to the application program after passing the verification;
the application program uses the request token to redirect the browser to the service provider for login authentication and authorization;
exchanging the authorization token for an ATOK from a service provider;
and utilizing the ATOK as a token to access the protected resource.
Preferably, the first authentication employs a Central Authentication Service (CAS).
Preferably, caching the user login information comprises the following steps:
creating a text file;
storing the user login information in the text file; wherein
the text file is in an encrypted state.
The invention also provides a campus unified authentication and single sign-on system, which comprises:
the information acquisition module is used for acquiring user login information;
the authentication module is used for carrying out primary authentication on the user login information;
the authorization module is used for authorizing the user under the condition that the first authentication is passed;
and the cache module is used for caching the user login information which is successfully logged in.
Preferably, the authorization module uses the OAUTH protocol.
Preferably, the authentication module employs a Central Authentication Service (CAS).
Preferably, the user login information cached in the caching module is in an encrypted state.
The present invention also provides a machine-readable storage medium, on which a program is stored, the program being executed to perform the method for unified campus authentication and single sign-on according to any one of the above-mentioned methods.
Through the technical scheme, the campus unified authentication and single sign-on method provided by the invention has the beneficial effects that: the authentication of an open authorization mode can be provided, the data security of the system is guaranteed, and the single sign-on is realized; the method and the device solve the problems that in the prior art, students and teachers are required to remember a large number of accounts and passwords for different website applications, operation is very inconvenient, and data security cannot be guaranteed.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the embodiments of the invention without limiting the embodiments of the invention. In the drawings:
FIG. 1 is a flow chart of a method for unified campus authentication and single sign-on provided in a preferred embodiment of the present invention;
fig. 2 is a block diagram of a campus unified authentication and single sign-on system provided in a preferred embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating embodiments of the invention, are given by way of illustration and explanation only, not limitation.
Method embodiment
The invention provides a campus unified authentication and single sign-on method, which comprises the following steps:
acquiring user login information;
performing first authentication on the user login information;
authorizing the user under the condition that the first authentication is passed;
and caching the user login information.
In a preferred embodiment of the invention, the authorization uses the OAUTH protocol.
In a preferred embodiment of the invention, the authorization comprises the following steps:
the application program applies for a request token from the service provider, and the service provider returns the request token to the application program after passing the verification;
the application program uses the request token to redirect the browser to the service provider for login authentication and authorization;
exchanging the authorization token for an ATOK from a service provider;
and utilizing the ATOK as a token to access the protected resource.
In a preferred embodiment of the invention, the first authentication employs a Central Authentication Service (CAS).
In a preferred embodiment of the present invention, caching the user login information includes the following steps:
creating a text file;
storing the user login information in the text file; wherein
the text file is in an encrypted state.
The principle of the campus unified authentication and single sign-on method provided by the invention is specifically described as follows:
The Central Authentication Service (CAS) is an open source project initiated by Yale University to implement SSO, and provides a reliable authentication service for application systems. CAS involves three parties, namely the user, the CAS authentication center and the application system; from these three parts it is easy to see that CAS is well suited for introduction into the unified authentication platform of a smart campus.
First, CAS is divided into a server and a client. The server is the single sign-on server, and the clients are the various application programs.
An application program first needs to initiate the first authentication, and at login it transfers directly to the login interface of the single sign-on server. The user enters the student number and the password in the login interface of the single sign-on server.
The single sign-on server authenticates the student number and the password; after the authentication is passed, the single sign-on server and the application program carry out an authorization mechanism, namely the OAuth protocol described later.
After authorization is complete, CAS redirects the page back to the application, at which point the application successfully completes the login function. The single sign-on server then creates a Cookie on the client, which is encrypted and stores the information about the user's login.
When the user then enters another application system, the single sign-on client installed in that application still redirects to the CAS server. This time, however, the CAS server automatically finds the Cookie, logs the user in according to the information stored in the Cookie, and after the authentication succeeds redirects back to the application system, thereby realizing the idea of one login, access to all.
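An added Python model of the flow just described (not code from the patent or from the CAS project): the first application sends the user to the single sign-on server, the login cookie then lets a second application log in without a prompt, and each service ticket is bound to one service and consumed on validation. The student number, password and application URLs are constructed sample values, and the in-memory cookie jar stands in for the browser.

```python
import hashlib
import hmac
import secrets
import time

ST_TTL = 10          # service tickets are single-use and live only seconds
TGT_TTL = 8 * 3600   # the ticket behind the login cookie lives a working day

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample directory: student number -> (salt, password hash).
_SALT = secrets.token_bytes(16)
USERS = {"2019001": (_SALT, _hash_pw("correct horse", _SALT))}

class CasServer:
    """Single sign-on server: checks the password once, then issues
    per-application service tickets on the strength of the login cookie."""

    def __init__(self):
        self.tgts = {}  # cookie value -> (student number, expiry)
        self.sts = {}   # service ticket -> (student number, service URL, expiry)

    def authenticate(self, student_no, password):
        rec = USERS.get(student_no)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(_hash_pw(password, salt), expected)

    def login(self, cookies, service, credentials=None):
        """Returns ("login_page", None) when credentials are still needed,
        otherwise ("redirect", service_ticket) back to the application."""
        user = self._user_from_cookie(cookies)
        if user is None:
            if credentials is None or not self.authenticate(*credentials):
                return "login_page", None
            user = credentials[0]
            tgc = "TGC-" + secrets.token_urlsafe(32)
            self.tgts[tgc] = (user, time.time() + TGT_TTL)
            cookies["CASTGC"] = tgc   # the login cookie of the description
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (user, service, time.time() + ST_TTL)
        return "redirect", st

    def validate(self, st, service):
        """Back-channel check by the application; the ticket is consumed."""
        rec = self.sts.pop(st, None)
        if rec is None:
            return None
        user, bound_service, expiry = rec
        if bound_service != service or time.time() > expiry:
            return None
        return user

    def _user_from_cookie(self, cookies):
        rec = self.tgts.get(cookies.get("CASTGC"))
        if rec is None or time.time() > rec[1]:
            return None
        return rec[0]

class Application:
    """CAS client: an application that never handles the password itself."""

    def __init__(self, url, cas):
        self.url, self.cas = url, cas

    def visit(self, cookies, credentials=None):
        """Follows the redirects of one visit; returns the user or None."""
        outcome, st = self.cas.login(cookies, self.url, credentials)
        if outcome == "login_page":
            return None
        user = self.cas.validate(st, self.url)
        if user is not None:
            cookies[self.url] = "SESSION-" + secrets.token_urlsafe(16)
        return user

def demo():
    cas = CasServer()
    portal = Application("https://portal.example-campus.edu", cas)    # hypothetical
    library = Application("https://library.example-campus.edu", cas)  # hypothetical
    browser = {}                                  # the browser's cookie jar
    first = portal.visit(browser)                 # no cookie: login page shown
    wrong = portal.visit(browser, ("2019001", "wrong password"))
    after_login = portal.visit(browser, ("2019001", "correct horse"))
    second = library.visit(browser)               # cookie present: no prompt
    _, st = cas.login(browser, portal.url)
    wrong_service = cas.validate(st, library.url)  # ticket bound to the portal
    _, st = cas.login(browser, portal.url)
    cas.validate(st, portal.url)
    replay = cas.validate(st, portal.url)         # second use of the same ticket
    return dict(first=first, wrong=wrong, after_login=after_login,
                second=second, wrong_service=wrong_service, replay=replay)
```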
OAuth is an authorization framework that provides a secure, simple and open solution for authorizing access to user resources: it allows third-party applications or clients to obtain limited access to user account information on HTTP services. OAuth works by delegating user authentication to the service hosting the user account and authorizing a client to access that account. In conclusion, OAuth can provide the authorization process for smart campus applications.
The OAuth authorization procedure is as follows:
First, the application applies for a request token from the service provider, and the service provider returns the request token to the application after verification passes. This step is transparent to the user, as it concerns account security.
Second, the application uses the request token to redirect the browser to the service provider for login authentication and authorization. The service provider verifies the request token and displays the third party's data to the user, who chooses to approve or reject the authorization. If the user approves, an authorization token is issued and the user is directed back to the registered address of the current application. From the redirection at the start of this step until the user is guided back to the registered address, the application does not take part in the user identity verification and authorization process, which guarantees that the third party cannot obtain the user's real account password.
Third, the authorization token is exchanged for the ATOK (the access token) from the service provider. The third-party application initiates a request from its server and exchanges its own account number and password, together with the token of the previous step, for the ATOK. If the first two steps have the service provider authenticate the application and the user respectively, this step has the user and the service provider authenticate the third-party application once more, because the result of the second step reaches the third step through a redirect of the user's browser.
Fourth, the ATOK is used as a token to access the protected resource. Permissions are often of various types: the ATOK embodies the authorization credential of a particular user for a particular application, and specifically corresponds to the set of permissions the user granted when authorizing. Therefore, in this step, in addition to checking the validity of the ATOK, the service provider needs to determine whether the ATOK carries sufficient authority to perform the protected operation.
The unified authentication system adopts the OAuth 2.0 protocol to support authorization for third-party applications, with CAS acting as the OAuth Provider in the protocol to complete Ticket issuing and management. The OAuth implementation in CAS is described below from the application request and the implementation of the associated controller.
The CAS authentication service, as the server in OAuth, is mainly responsible for the following tasks: request processing, socket management and third-party application information management. The basic information of third-party applications is stored in a non-relational database and maintained by a client of the system; the OAuth-related operations in the CAS authentication service are implemented by means of Servlets, and the system realizes the whole protocol flow by intercepting an application request and calling the associated controller to perform the service operation related to the request; the authorization-related Ticket is implemented using the mechanism from single sign-on. The ID of the Service Ticket is used as the Authentication Code, and the ID of the Ticket Granting Ticket is used as the Access Token value; reusing the original structure directly reduces the coupling of the system.
In conclusion, the campus unified authentication and single sign-on method provided by the invention can provide authentication in an open authorization mode, ensure the data security of the system and realize single sign-on; the method and the device solve the problems that in the prior art, students and teachers are required to remember a large number of accounts and passwords for different website applications, operation is very inconvenient, and data security cannot be guaranteed.
Device embodiment
As shown in fig. 2, the present invention further provides a campus unified authentication and single sign-on system, which is characterized in that the system includes:
the information acquisition module 1 is used for acquiring user login information;
the authentication module 2 is used for carrying out primary authentication on the user login information;
the authorization module 3 is used for authorizing the user under the condition that the first authentication is passed;
and the cache module 4 is used for caching the user login information which is successfully logged in.
In a preferred embodiment of the invention, the authorization module 3 uses the OAUTH protocol.
In a preferred embodiment of the invention, the authentication module 2 employs a Central Authentication Service (CAS).
In a preferred embodiment of the present invention, the user login information cached in the caching module 4 is in an encrypted state.
In the above scheme, the structure and technology adopted in a specific implementation of the open authorization may differ according to the scenario of the third-party application, but the oauth2.0 authentication process is the same: every implementation needs to send the requests to the server in the order of the three requests described above to complete the authorization authentication process and obtain the required Access Token. In any case, the following attributes need to be configured in the application's configuration file:
clientID: the record ID of the third-party application registered in the database of the unified authentication system;
secret: the key value of the third-party application;
authority_url: the address the application system accesses to apply for the Authentication Code;
access_token_url: the request address at which the application system exchanges the code for the Access Token;
profile_url: the request address for user information.
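The four-step OAuth procedure and the application configuration attributes above, as an added Python simulation of the provider side that is not part of the patent or of the CAS project: it follows the description's CAS implementation (a Service Ticket id as the authorization code, a Ticket Granting Ticket id as the Access Token) and checks, at the last step, both token validity and sufficient authority. The client name, URLs, scope names and student number are constructed; the redirect URI and the client secret are assumed to be registered with the provider beforehand.

```python
import hmac
import secrets
import time

CODE_TTL = 60        # authorization codes are short-lived and single-use
TOKEN_TTL = 3600     # access tokens expire; the provider re-checks on every use

# Constructed registration of one third-party application in the provider's
# database (secret generated at random for this demo).
CLIENT_SECRET = secrets.token_urlsafe(32)
CLIENTS = {"campus-library": {
    "secret": CLIENT_SECRET,
    "redirect_uri": "https://library.example-campus.edu/oauth/callback",  # hypothetical
}}

# The attributes the description says the application must be configured
# with; the URLs are hypothetical.
APP_CONFIG = {
    "clientID": "campus-library",
    "secret": CLIENT_SECRET,
    "authority_url": "https://cas.example-campus.edu/oauth2.0/authorize",
    "access_token_url": "https://cas.example-campus.edu/oauth2.0/accessToken",
    "profile_url": "https://cas.example-campus.edu/oauth2.0/profile",
}

class OAuthProvider:
    """CAS as OAuth provider: a service-ticket id serves as the authorization
    code and a ticket-granting-ticket id as the access token."""

    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, user, scopes, expiry)
        self.tokens = {}  # token -> (client_id, user, scopes, expiry)

    def authorize(self, client_id, redirect_uri, scopes, user, approved):
        """Step 2: the logged-in user approves or rejects the requested scopes."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri or not approved:
            return None   # unknown client, unregistered redirect, or user refused
        code = "ST-" + secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, frozenset(scopes),
                            time.time() + CODE_TTL)
        return code

    def access_token(self, client_id, client_secret, code, redirect_uri):
        """Step 3: the application's server exchanges the code plus its own
        credentials for the access token (the ATOK of the description)."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return None
        rec = self.codes.pop(code, None)      # a code can be exchanged once
        if rec is None:
            return None
        c_id, c_redirect, user, scopes, expiry = rec
        if c_id != client_id or c_redirect != redirect_uri or time.time() > expiry:
            return None
        token = "TGT-" + secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, user, scopes, time.time() + TOKEN_TTL)
        return token

    def protected_resource(self, token, required_scope):
        """Step 4: check that the token is valid *and* carries enough authority."""
        rec = self.tokens.get(token)
        if rec is None or time.time() > rec[3]:
            return None
        _, user, scopes, _ = rec
        if required_scope not in scopes:
            return None
        return {"user": user, "scope": required_scope}

def demo():
    cas = OAuthProvider()
    cfg = APP_CONFIG
    cb = CLIENTS[cfg["clientID"]]["redirect_uri"]
    tampered = cas.authorize(cfg["clientID"], "https://other.example/cb",
                             ["profile"], "2019001", approved=True)
    code = cas.authorize(cfg["clientID"], cb, ["profile"], "2019001", approved=True)
    bad_secret = cas.access_token(cfg["clientID"], "guess", code, cb)
    token = cas.access_token(cfg["clientID"], cfg["secret"], code, cb)
    replay = cas.access_token(cfg["clientID"], cfg["secret"], code, cb)
    profile = cas.protected_resource(token, "profile")   # granted scope
    grades = cas.protected_resource(token, "grades")     # never granted
    return dict(tampered=tampered, bad_secret=bad_secret,
                token_issued=token is not None, replay=replay,
                profile=profile, grades=grades)
```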
Single sign-on is an important part of smart campus construction: students and teachers can use their student and staff numbers uniformly without memorizing a large number of accounts and passwords, and one login grants access to everything. After the improvement, authority management and the security of user information resources are also guaranteed. The smart campus single sign-on method based on the improved CAS mainly has the following advantages:
Openness: CAS and OAuth are open source projects that any software developer can use conveniently.
Security: the single sign-on of CAS ensures the security of user resources on the client side, and OAuth ensures the security of user resources on the server side.
Simplicity: CAS and OAuth are technically simple, easy to use, and very easy to understand.
An embodiment of the present invention further provides a machine-readable storage medium, on which a program is stored, where the program, when executed, implements the method for unified campus authentication and single sign-on described above.
Although the embodiments of the present invention have been described in detail with reference to the accompanying drawings, the embodiments of the present invention are not limited to the details of the above embodiments, and various simple modifications can be made to the technical solutions of the embodiments of the present invention within the technical idea of the embodiments of the present invention, and the simple modifications all belong to the protection scope of the embodiments of the present invention.
It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. In order to avoid unnecessary repetition, the embodiments of the present invention do not describe every possible combination.
Those skilled in the art will understand that all or part of the steps in the method according to the above embodiments may be implemented by a program, which is stored in a storage medium and includes several instructions to enable a single chip, a chip, or a processor (processor) to execute all or part of the steps in the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In addition, any combination of various different implementation manners of the embodiments of the present invention is also possible, and the embodiments of the present invention should be considered as disclosed in the embodiments of the present invention as long as the combination does not depart from the spirit of the embodiments of the present invention.

Claims (10)

1. A campus unified authentication and single sign-on method is characterized by comprising the following steps:
acquiring user login information;
performing first authentication on the user login information;
authorizing the user under the condition that the first authentication is passed;
and caching the user login information.
2. The method of unified campus authentication and single sign-on according to claim 1, wherein said authorization uses OAUTH protocol.
3. The method for campus unified authentication and single sign-on according to claim 2, wherein said authorization comprises the steps of:
the application program applies for a request token from the service provider, and the service provider returns the request token to the application program after passing the verification;
the application program uses the request token to redirect the browser to the service provider for login authentication and authorization;
exchanging the authorization token for an ATOK from a service provider;
and utilizing the ATOK as a token to access the protected resource.
4. The method of unified campus authentication and single sign-on according to claim 1, wherein the first authentication employs a Central Authentication Service (CAS).
5. The method of unified campus authentication and single sign-on according to claim 1, wherein said caching of said user login information comprises the steps of:
creating a text file;
storing the user login information in the text file; wherein
the text file is in an encrypted state.
6. A campus unified authentication and single sign-on system, the system comprising:
the information acquisition module is used for acquiring user login information;
the authentication module is used for carrying out primary authentication on the user login information;
the authorization module is used for authorizing the user under the condition that the first authentication is passed;
and the cache module is used for caching the user login information which is successfully logged in.
7. The system for campus unified authentication and single sign-on according to claim 6, wherein said authorization module uses the OAUTH protocol.
8. The system for campus unified authentication and single sign-on according to claim 6, wherein said authentication module employs a Central Authentication Service (CAS).
9. The system of claim 6, wherein the user login information cached in the caching module is encrypted.
10. A machine readable storage medium having stored thereon a program which when executed performs a method for campus unified authentication and single sign-on as claimed in any one of claims 1 to 5.

Application and publication

Application CN201911411263.0A, filed 2019-12-31 (priority date 2019-12-31): Method and system for campus unified authentication and single sign-on
Published as CN110944021A (en) on 2020-03-31; legal status: Withdrawn
Family ID: 69913872
Country status: CN (1) CN110944021A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112380522A (en) * 2020-11-11 2021-02-19 深圳供电局有限公司 Management system and method for integrated service mobile application
CN112540917A (en) * 2020-12-03 2021-03-23 北京航天云路有限公司 Automatic login method for realizing automatic test based on token authentication mechanism
CN112995219A (en) * 2021-05-06 2021-06-18 四川省明厚天信息技术股份有限公司 Single sign-on method, device, equipment and storage medium
CN112995219B (en) * 2021-05-06 2021-08-20 四川省明厚天信息技术股份有限公司 Single sign-on method, device, equipment and storage medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200331