CN111342964B - Single sign-on method, device and system - Google Patents


Info

Publication number
CN111342964B
Authority
CN
China
Prior art keywords
dynamic password
random string
unified authentication
authentication system
user information
Prior art date
Legal status
Active
Application number
CN202010414182.2A
Other languages
Chinese (zh)
Other versions
CN111342964A (en)
Inventor
张智
戴立伟
Current Assignee
Shenzhen Zhuyun Technology Co ltd
Original Assignee
Shenzhen Bamboocloud Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Bamboocloud Technology Co ltd
Priority to CN202010414182.2A
Publication of CN111342964A
Application granted
Publication of CN111342964B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention relates to the technical field of single sign-on and discloses a single sign-on method, device and system. The method comprises the following steps: when a random string generation request sent by a first application system is received, a first dynamic password and a user identifier are generated, where the random string generation request comprises user information and a root ticket generated from the user information; encrypting the user information and the user identifier with the first dynamic password to generate a random string; storing the user identifier and the root ticket in a database; sending the random string to the first application system; when the random string sent by a second application system is received, generating a second dynamic password and decrypting the random string with the second dynamic password to obtain the user information and the user identifier; acquiring the root ticket from the database according to the user identifier; and returning the user information and the root ticket to the second application system to complete single sign-on of the second application system. In this way, the embodiment of the invention can improve the security of single sign-on.

Description

Single sign-on method, device and system
Technical Field
The embodiment of the invention relates to the technical field of single sign-on, in particular to a single sign-on method, a single sign-on device and a single sign-on system.
Background
Single Sign-On (SSO) means that a user who logs in once can access all mutually trusted application systems among a plurality of application systems. For example, a Douban user does not need to register separately with the servers of Douban FM, Douban Books, Douban Movies, Douban Diary and so on; after registering with Douban once, all of these applications can be accessed.
The current single sign-on approach generally passes a ticket when one application jumps to another in order to share the ticket. Although the ticket is encrypted in transit, all applications share the same secret key, so the security is not high.
Disclosure of Invention
An object of the embodiments of the present invention is to provide a method, an apparatus, and a system for single sign-on, which can improve the security of single sign-on.
According to a first aspect of the embodiments of the present invention, there is provided a single sign-on method, including: the unified authentication system receives a random string generation request sent by a first application system and generates a first dynamic password and a user identifier, where the random string generation request comprises user information and a root ticket, and the root ticket is generated from the user information; the unified authentication system, according to the random string generation request, encrypts the user information and the user identifier with the first dynamic password to generate a random string; the unified authentication system stores the user identifier and the root ticket in a database in correspondence with each other; the unified authentication system sends the random string to the first application system so that the first application system sends the random string to a second application system; when the random string sent by the second application system is received, the unified authentication system generates a second dynamic password, and when the second dynamic password is the same as the first dynamic password, decrypts the random string with the second dynamic password to obtain the user information and the user identifier; the unified authentication system acquires the root ticket from the database according to the user identifier; and the unified authentication system returns the user information and the root ticket to the second application system to complete single sign-on of the second application system.
In an optional manner, the random string generation request includes second application jump information; before encrypting the user information and the user identifier with the first dynamic password according to the random string generation request to generate the random string, the method further includes: determining target information according to the second application jump information, and taking the target information as the user information.
In an optional manner, encrypting the user information and the user identifier with the first dynamic password to generate the random string specifically includes: encrypting the user information, the user identifier and the current encryption time with the first dynamic password to generate the random string.
In an optional manner, generating the first dynamic password specifically includes: acquiring the current encryption time; and generating the first dynamic password according to the current encryption time, a preset fixed key and a preset encryption algorithm.
Generating the second dynamic password specifically includes: acquiring the current decryption time; and generating the second dynamic password according to the current decryption time, the preset fixed key and the preset encryption algorithm. The preset encryption algorithm has the property that if the interval between the current encryption time and the current decryption time lies within a preset time interval range, the first dynamic password and the second dynamic password generated are the same.
In an optional manner, the preset fixed key is stored in the unified authentication system in split form.
In an optional manner, the user identifier is a unique identification code.
In an optional manner, before the unified authentication system receives the random string generation request sent by the first application system, the method further includes: encrypting login information including the user information with a root ticket key to generate the root ticket.
In an optional manner, before the unified authentication system returns the user information and the root ticket to the second application system, the method further includes: the unified authentication system verifies the root ticket with the root ticket key, and if the root ticket passes verification, returns the user information and the root ticket to the second application system.
According to a second aspect of the embodiments of the present invention, there is provided a single sign-on apparatus, including: a request receiving module, configured to receive, at the unified authentication system, a random string generation request sent by the first application system and to generate a first dynamic password and a user identifier, where the random string generation request includes the user information and the root ticket, and the root ticket is generated from the user information; an encryption module, configured to encrypt the user information and the user identifier with the first dynamic password according to the random string generation request, so as to generate a random string; a storage module, configured to store the user identifier and the root ticket in a database in correspondence with each other; a sending module, configured to send the random string to the first application system so that the first application system sends the random string to a second application system; a decryption module, configured to generate a second dynamic password when the random string sent by the second application system is received, and to decrypt the random string with the second dynamic password when the second dynamic password is the same as the first dynamic password, so as to obtain the user information and the user identifier; a root ticket acquisition module, configured to acquire the root ticket from the database according to the user identifier; and a root ticket sending module, configured to return the user information and the root ticket to the second application system so as to complete single sign-on of the second application system.
According to a third aspect of the embodiments of the present invention, there is provided a single sign-on system, including a unified authentication system, the unified authentication system including: a processor and a memory, the memory being configured to store at least one executable instruction, the processor executing the executable instruction when the unified authentication system is running, causing the processor to perform the operations of the single sign-on method as described above.
According to a fourth aspect of embodiments of the present invention, there is provided a computer-readable storage medium having stored therein at least one executable instruction for causing a processor to perform the steps according to the single sign-on method as described above.
In the embodiment of the invention, when a user logs in to a first application system through the unified authentication system, the unified authentication system generates a root ticket from login information including the user information. It then receives a random string generation request sent by the first application system, generates a first dynamic password and a user identifier, encrypts the user information and the user identifier with the first dynamic password to generate a random string, stores the user identifier and the root ticket in a database in correspondence with each other, and sends the random string to the first application system so that the first application system can pass it to a second application system. When the random string sent by the second application system is received, the unified authentication system generates a second dynamic password; when the second dynamic password is the same as the first dynamic password, it decrypts the random string with the second dynamic password to obtain the user information and the user identifier, acquires the root ticket from the database according to the user identifier, and returns the user information and the root ticket to the second application system to complete single sign-on of the second application system. In this way the root ticket is transmitted securely when an application jump occurs during single sign-on, so the security of single sign-on is improved.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and the embodiments of the present invention can be implemented according to the content of the description in order to make the technical means of the embodiments of the present invention more clearly understood, and the detailed description of the present invention is provided below in order to make the foregoing and other objects, features, and advantages of the embodiments of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic structural diagram illustrating a single sign-on system according to an embodiment of the present invention;
fig. 2 is a schematic flow chart illustrating a single sign-on method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart illustrating a single sign-on method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a single sign-on apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of the unified authentication system according to the embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The current single sign-on approach generally passes a ticket when one application jumps to another in order to share the ticket. Although the ticket is encrypted in transit, all applications share the same secret key, so the security is not high.
Based on this, embodiments of the present invention provide a single sign-on method, apparatus, and device, which can improve the security of single sign-on.
Specifically, the embodiments of the present invention will be further explained below with reference to the drawings.
It should be understood that the following examples are provided by way of illustration and are not intended to limit the invention in any way to the particular embodiment disclosed.
Fig. 1 shows a schematic structural diagram of a single sign-on system according to an embodiment of the present invention. As shown in fig. 1, the single sign-on system 10 includes: unified authentication system 11, first application system 12 and second application system 13. The first application system 12 and the second application system 13 communicate with the unified authentication system 11, respectively.
The unified authentication system 11 may be a unified login platform of an enterprise, where the enterprise has a plurality of accessible applications (e.g., a first application and a second application), the first application system 12 may be a background server of the first application, and the second application system 13 may be a background server of the second application. The user may log in to the first application through the unified authentication system 11, may log in to the second application through the unified authentication system 11, may jump from the first application to the second application, or may jump from the second application to the first application.
Fig. 2 is a flowchart illustrating a single sign-on method according to an embodiment of the present invention. The single sign-on method can be applied to the unified authentication system in fig. 1. As shown in fig. 2, the single sign-on method includes:
Step 210, the unified authentication system receives a random string generation request sent by the first application system and generates a first dynamic password and a user identifier, where the random string generation request includes user information and a root ticket.
The root ticket is generated from the user information. Before step 210, the method further comprises step 201: the unified authentication system generates a root ticket from login information that includes the user information. When a user logs in to the first application system through the unified authentication system, the unified authentication system acquires the login information including the user information, generates a root ticket from the login information, and returns the user information and the root ticket to the first application system.
The root ticket may be a JWT (JSON Web Token). A JWT is a signed string carrying user-related information: when a page request calls an interface that requires login, the request header carries the JWT string to the back-end service, the back-end checks the signature to make sure the information has not been tampered with, and if the check passes the request is treated as trusted and data is returned normally. In this embodiment, generating the root ticket from the login information including the user information may specifically be: the login information including the user information is encrypted with a root ticket key to generate the root ticket. The root ticket key may be preset for encrypting the login information.
The login information includes one or more kinds of information such as the user information and the login time. The user information may include a user account or user name. In some embodiments, the user information may also include a login password. When a user wants to access the first application, the user is redirected from the first application to the unified authentication system and logs in there; after the user enters the user information, the unified authentication system authenticates it, generates a root ticket from the login information such as the user information, and returns the root ticket to the first application system; the first application system sends the root ticket back to the unified authentication system for verification, and after verification passes, login to the first application is complete.
After generating the root ticket, the unified authentication system sends the root ticket and the user information to the first application system. The user information returned to the first application system for logging in to the first application may be recorded as the primary account. When the user has only one account, the user logs in to both the first application and the second application with the primary account; when the user has several accounts, the user may log in to the first application with the primary account and to the second application with a sub-account.
In step 210, when the user wishes to jump from the first application to the second application, the user triggers a jump request for the second application; after the first application system receives the jump request, it sends a random string generation request to the unified authentication system. The random string generation request includes the user information and the root ticket. When the unified authentication system receives the random string generation request, it verifies the root ticket contained in the request, and only after verification succeeds does it execute the step of generating the first dynamic password and the user identifier, so that nobody can perform the jump with a forged account.
Generating the first dynamic password and the user identifier may specifically include:
Step 211, obtaining the current encryption time.
The current encryption time refers to the time at which the unified authentication system generates the first dynamic password.
Step 212, generating the first dynamic password according to the current encryption time, the preset fixed key and the preset encryption algorithm.
The preset fixed key is configured in advance. To make it harder to find, it is stored in the unified authentication system in split form rather than as a single character string. For example, the preset fixed key is written into the code byte by byte; assuming the preset fixed key is 512 bytes long, it is written into the code as follows:
    char szInitKey[512];          /* definition */
    szInitKey[0] = (char)0x99;    /* assign value to byte 0 */
    szInitKey[1] = (char)0x01;    /* assign value to byte 1 */
    /* bytes 2 to 510 are assigned in the same way */
    szInitKey[511] = (char)0x02;  /* assign value to byte 511 */
The preset encryption algorithm may be the Time-based One-Time Password (TOTP) algorithm, which computes a one-time password from a shared key and the current time. In this embodiment, the first dynamic password is computed with the TOTP algorithm from the current encryption time and the preset fixed key. With TOTP, the dynamic password generated within one time step stays the same.
Step 213, generating a user identifier.
The user identifier is a universally unique identifier (UUID). It can be generated in Java with java.util.UUID. The user identifier and the root ticket correspond one to one, that is, each root ticket corresponds to exactly one user identifier.
Step 220, according to the random string generation request, the unified authentication system encrypts the user information and the user identifier with the first dynamic password to generate a random string.
The AES algorithm may be used to encrypt the user information and the user identifier with the first dynamic password. In other embodiments other algorithms may be used; this embodiment does not limit this.
In some embodiments, since there is still a small probability that the combination of user information and user identifier repeats, to ensure the uniqueness of the random string step 220 may instead be: encrypting the user information, the user identifier and the current encryption time with the first dynamic password to generate the random string.
In some embodiments, when the user has several accounts the user may use different accounts in different applications, and before step 220 the method may further include step 202: determining target information according to the second application jump information and using the target information as the user information.
In step 202, the target information determined by the unified authentication system is the user information used for logging in to the second application and may be recorded as a sub-account. For example, if the account the user uses in the first application is zhangsan and the account used in the second application is zhangsan1, the account for the jump-destination application must be determined before the jump.
The correspondence between each application and the user's accounts is stored in the unified authentication system. The second application jump information is information indicating a jump to the second application and may, for example, include identification information of the second application, so that the unified authentication system can look up the user information used in the second application (the target information) from the second application jump information and take it as the user information. For example, if the account the user uses in the first application is zhangsan (primary account) and the account used in the second application is zhangsan1 (sub-account), then when the unified authentication system learns that the jump destination is the second application, it looks up the account the user uses in the second application (the target information) from the stored correspondence between applications and user accounts and takes it as the user information, so the user information becomes zhangsan1.
Step 230, the unified authentication system stores the user identifier and the root ticket in the database in correspondence with each other.
Because the user identifier and the root ticket correspond one to one, the unified authentication system can store them as a pair. The database may be Redis; the unified authentication system may store random_sso:<uuid> as the key and the root ticket as the value in Redis.
Step 240, the unified authentication system sends the random string to the first application system so that the first application system sends the random string to the second application system.
After generating the random string, the unified authentication system sends it to the first application system, which passes it on to the second application system. The first application system may send the random string to the second application system directly, or it may be relayed through a third party.
Step 250, when the random string sent by the second application system is received, the unified authentication system generates a second dynamic password, and when the second dynamic password is the same as the first dynamic password, decrypts the random string with the second dynamic password to obtain the user information and the user identifier.
When the second application system receives the random string, it sends the random string to the unified authentication system to request the login information it needs.
Generating the second dynamic password may specifically include:
Step 251, obtaining the current decryption time.
The current decryption time refers to the time at which the unified authentication system generates the second dynamic password.
Step 252, generating the second dynamic password according to the current decryption time, the preset fixed key and the preset encryption algorithm.
The preset fixed key and preset encryption algorithm used to generate the second dynamic password are the same as those used to generate the first dynamic password. So in step 252 the second dynamic password is computed with the TOTP algorithm from the current decryption time and the preset fixed key. Because TOTP yields the same dynamic password throughout one time step, if the interval between the current encryption time and the current decryption time lies within the preset time interval range set by the preset encryption algorithm, the first and second dynamic passwords are the same; if the interval exceeds that range, they differ. Optionally, the preset time interval range set by the preset encryption algorithm may be 30 seconds.
After the second dynamic password is generated, the unified authentication system decrypts the random string with it; if the second dynamic password is the same as the first dynamic password, decryption yields the user information and the user identifier, and the unified authentication system thus obtains the user information and user identifier carried in the random string sent by the second application system. If the user has only a primary account, the decrypted user information contains the primary account; if the user has a primary account and a sub-account and logs in to the second application with the sub-account, the decrypted user information contains the sub-account.
Step 260, the unified authentication system acquires the root ticket from the database according to the user identifier.
When the unified authentication system has stored random_sso:<uuid> as the key and the root ticket as the value in Redis, then after obtaining the user identifier uuid it looks up the key random_sso:<uuid> in Redis; if the key exists, the root ticket is taken from the corresponding value.
Step 270, the unified authentication system returns the user information and the root ticket to the second application system to complete single sign-on of the second application system.
Before step 270 the method may further include: the unified authentication system verifies the root ticket with the root ticket key, and if the root ticket passes verification, step 270 is executed. Since the root ticket was generated by encrypting with the root ticket key, it can be verified with that key: if the information obtained by decrypting the root ticket with the root ticket key is the same as the information before encryption, the root ticket passes verification, and the unified authentication system returns the user information and the root ticket to the second application system.
In this embodiment, after the second application system obtains the user information and the root ticket returned by the unified authentication system, it generates a ticket of its own application from the user information and the root ticket, completing single sign-on.
The embodiment of the invention generates a root bill according to login information including user information when logging in a first application system through a unified authentication system, receives a random string generation request sent by the first application system, generates a first dynamic password and a user identification, encrypts the user information and the user identification through the first dynamic password to generate a random string, correspondingly stores the user identification and the root bill in a database, sends the random string to the first application system to enable the first application system to send the random string to a second application system, generates a second dynamic password when receiving the random string sent by the second application system, decrypts the random string through the second dynamic password to obtain the user information and the user identification when the second dynamic password is the same as the first dynamic password, obtains the root bill from the database according to the user identification, the user information and the root bill are returned to the second application system to complete single sign-on of the second application system, and the transmission safety of the root bill can be ensured when the application of the single sign-on skips, so that the safety of the single sign-on can be improved.
Fig. 3 is a flowchart illustrating a single sign-on method according to an embodiment of the present invention. The single sign-on method can be applied to the single sign-on system in fig. 1. As shown in fig. 3, the single sign-on method includes:
Step 301, the user enters a primary account and a password in the unified authentication system in order to log in to the first application through the unified authentication system.

For example, the primary account entered by the user in the unified authentication system is zhangsan.

Step 302, the unified authentication system obtains login information including the primary account, generates the root ticket from the login information, and returns the primary account and the root ticket to the first application system.

Step 303, the first application system sends the root ticket to the unified authentication system, which verifies it; once the root ticket passes verification, login to the first application is complete.

Step 304, when the user triggers a jump request for the second application, the first application system receives the jump request, builds a random string generation request from the second application jump information, the primary account and the root ticket contained in the jump request, and sends the random string generation request to the unified authentication system.

Step 305, when the unified authentication system receives the random string generation request from the first application system, it verifies the root ticket in the request; after verification succeeds, it determines target information according to the second application jump information and the primary account, and uses the target information as the user information.

For example, if the sub-account for the second application (the target information) selected among the sub-accounts associated with the primary account is zhangsan1, then zhangsan1 is used as the user information.

Step 306, the unified authentication system acquires the current encryption time and generates a first dynamic password according to the current encryption time, the preset fixed key and the preset encryption algorithm.

Step 307, the unified authentication system generates the user identifier and stores it in Redis with random_sso:uuid as the key and the root ticket as the value.

Step 308, the unified authentication system encrypts the user information, the user identifier and the current encryption time with the first dynamic password to generate a random string.

Step 309, the unified authentication system sends the random string to the first application system.

Step 310, the first application system passes the random string to the second application system, which sends it on to the unified authentication system.

Step 311, when the random string is received, the unified authentication system acquires the current decryption time and generates a second dynamic password according to the current decryption time, the preset fixed key and the preset encryption algorithm.

Step 312, when the second dynamic password is the same as the first dynamic password, the unified authentication system decrypts the random string sent by the second application system with the second dynamic password to obtain the user information and the user identifier.

Step 313, the unified authentication system looks up the key random_sso:uuid in Redis and, if the key exists, takes the root ticket from the corresponding value.

Step 314, the unified authentication system returns the user information and the root ticket to the second application system, which completes login to the second application according to the user information and the root ticket.
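The flow of steps 301 to 314 (and the same decryption, Redis lookup and root ticket verification described in steps 252 to 270 above) as an added, runnable Python example. This is editor-supplied code, not the patent's or the applicant's implementation, and every name in it (UnifiedAuthSystem, seal, unseal, run_demo, the "random_sso:" prefix reused from the text) is hypothetical. Assumptions beyond the text: a dict stands in for Redis; the "preset encryption algorithm" is modelled as HMAC-SHA256 over the RFC 6238 time counter, keeping the full 32-byte output as the dynamic password rather than truncating it to digits, because the value is used as an encryption key and never typed by a person; the random string and the root ticket are protected with an encrypt-then-MAC construction built from HMAC-SHA256 so the block has no third-party dependency (an AEAD such as AES-GCM is the production choice); the previous 30-second step is also accepted, which the text does not specify; and the Redis entry is deleted on first use, which the text also does not specify. With an authentication tag, the check "the second dynamic password is the same as the first" needs no stored copy of the first password: decryption either verifies or fails.

```python
# Added example, not the patent's own code; assumptions are marked "assumed".
import hashlib
import hmac
import json
import os
import struct
import time
import uuid
from typing import Optional

STEP_SECONDS = 30  # the "preset time interval range" named in the text


def dynamic_password(fixed_key: bytes, at: float, step_offset: int = 0) -> bytes:
    """TOTP-style value for the step containing `at` (RFC 6238 counter = floor(t / 30)).
    The full 32-byte HMAC output serves as the key; it is never truncated to digits."""
    counter = int(at) // STEP_SECONDS + step_offset
    return hmac.new(fixed_key, struct.pack(">Q", counter), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for an AEAD such as AES-GCM)
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. A wrong key fails the tag check."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class UnifiedAuthSystem:
    def __init__(self, fixed_key: bytes, root_ticket_key: bytes, now=time.time):
        self.fixed_key, self.root_ticket_key, self.now = fixed_key, root_ticket_key, now
        self.store = {}  # stand-in for Redis: "random_sso:<uuid>" -> root ticket

    def issue_root_ticket(self, login_info: dict) -> bytes:  # step 302 / claim 6
        return seal(self.root_ticket_key, json.dumps(login_info, sort_keys=True).encode())

    def verify_root_ticket(self, ticket: bytes) -> Optional[dict]:  # claim 7
        plain = unseal(self.root_ticket_key, ticket)
        return None if plain is None else json.loads(plain)

    def generate_random_string(self, root_ticket: bytes, user_info: str) -> bytes:  # steps 305-309
        if self.verify_root_ticket(root_ticket) is None:
            raise PermissionError("root ticket failed verification")
        enc_time = self.now()
        first_pw = dynamic_password(self.fixed_key, enc_time)
        user_id = str(uuid.uuid4())
        self.store["random_sso:" + user_id] = root_ticket
        payload = {"user": user_info, "uuid": user_id, "t": int(enc_time)}
        return seal(first_pw, json.dumps(payload).encode())

    def redeem_random_string(self, random_string: bytes) -> Optional[tuple]:  # steps 311-314
        dec_time = self.now()
        plain = None
        for offset in (0, -1):  # current step, then the previous one (assumed tolerance)
            plain = unseal(dynamic_password(self.fixed_key, dec_time, offset), random_string)
            if plain is not None:
                break
        if plain is None:
            return None  # second password differs from the first: expired or forged
        payload = json.loads(plain)
        root_ticket = self.store.pop("random_sso:" + payload["uuid"], None)  # one-time use (assumed)
        if root_ticket is None or self.verify_root_ticket(root_ticket) is None:
            return None
        return payload["user"], root_ticket


def run_demo() -> dict:
    """Drives the flow with a controllable clock; accounts are constructed sample data."""
    clock = [1000.0]
    uas = UnifiedAuthSystem(os.urandom(32), os.urandom(32), now=lambda: clock[0])
    root = uas.issue_root_ticket({"primary_account": "zhangsan"})
    rs = uas.generate_random_string(root, "zhangsan1")  # issued in step 33 (t = 990..1019)
    clock[0] = 1010.0
    ok = uas.redeem_random_string(rs)       # same step: ("zhangsan1", root)
    replay = uas.redeem_random_string(rs)   # entry already consumed: None
    clock[0] = 1019.0
    rs2 = uas.generate_random_string(root, "zhangsan1")
    clock[0] = 1021.0
    across_boundary = uas.redeem_random_string(rs2)  # next step, previous one accepted
    rs3 = uas.generate_random_string(root, "zhangsan1")
    clock[0] = 1100.0
    expired = uas.redeem_random_string(rs3)  # more than one step later: None
    rs4 = uas.generate_random_string(root, "zhangsan1")
    tampered = uas.redeem_random_string(rs4[:-1] + bytes([rs4[-1] ^ 1]))  # bad tag: None
    return {"ok": ok, "root": root, "replay": replay, "across_boundary": across_boundary,
            "expired": expired, "tampered": tampered}
```

run_demo() walks through the success case, a replay of the same random string, a string issued one second before a 30-second boundary, a string redeemed more than 30 seconds later, and a string whose tag has been altered; only the first and third return the user information together with the root ticket, which is what a second application system would receive in step 314.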
Fig. 4 is a schematic structural diagram of a single sign-on apparatus according to an embodiment of the present invention. As shown in fig. 4, the apparatus 400 includes: a request receiving module 410, an encryption module 420, a storage module 430, a sending module 440, a decryption module 450, a root ticket acquiring module 460 and a root ticket sending module 470.

The request receiving module 410 is configured for the unified authentication system to receive a random string generation request sent by the first application system and to generate a first dynamic password and a user identifier, where the random string generation request includes user information and a root ticket, and the root ticket is generated according to the user information. The encryption module 420 is configured to encrypt, according to the random string generation request, the user information and the user identifier with the first dynamic password to generate a random string. The storage module 430 is configured to store the user identifier and the root ticket correspondingly in a database. The sending module 440 is configured to send the random string to the first application system so that the first application system sends it to a second application system. The decryption module 450 is configured to generate a second dynamic password when the random string is received from the second application system and, when the second dynamic password is the same as the first dynamic password, to decrypt the random string with the second dynamic password to obtain the user information and the user identifier. The root ticket acquiring module 460 is configured to acquire the root ticket from the database according to the user identifier. The root ticket sending module 470 is configured to return the user information and the root ticket to the second application system so as to complete single sign-on of the second application system.
In an optional manner, the random string generation request includes second application jump information, and the encryption module 420 is further configured to determine target information according to the second application jump information and to use the target information as the user information.

In an optional manner, the encryption module 420 is specifically configured to encrypt the determined user information, the user identifier and the current encryption time with the first dynamic password to generate the random string.

In an optional manner, the encryption module 420 is further configured to acquire the current encryption time and generate the first dynamic password according to the current encryption time, a preset fixed key and a preset encryption algorithm, and the decryption module 450 is specifically configured to acquire the current decryption time and generate the second dynamic password according to the current decryption time, the same preset fixed key and the same preset encryption algorithm. The preset encryption algorithm has the property that, if the time interval between the current encryption time and the current decryption time lies within a preset time interval range, the generated first and second dynamic passwords are the same.

In an optional manner, the preset fixed key is stored in the unified authentication system in split form.
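One way to keep the preset fixed key split at rest, as an added example that is not part of the patent. The page does not name a splitting scheme, so XOR secret splitting is an assumption about what "split" means here, and split_key and join_key are hypothetical names:

```python
# Added example, not the patent's code: XOR secret splitting is assumed as the scheme.
import functools
import os
from typing import List


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, shares: int = 2) -> List[bytes]:
    """Return `shares` equal-length pieces whose XOR is `key`. Every piece but the last
    is uniformly random, so any proper subset carries no information about the key."""
    if shares < 2:
        raise ValueError("need at least two shares")
    random_parts = [os.urandom(len(key)) for _ in range(shares - 1)]
    return random_parts + [functools.reduce(_xor, random_parts, key)]


def join_key(parts: List[bytes]) -> bytes:
    """Recombine the pieces in memory only when the fixed key is needed, for example
    right before deriving a dynamic password, and discard the result afterwards."""
    return functools.reduce(_xor, parts)
```

Each piece can live in a different store (for example one in a configuration file and one in an environment variable or secrets manager, a deployment choice not taken from the page), so that reading any single store does not expose the fixed key; join_key is called only at the moment a dynamic password has to be derived.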
In an optional manner, the user identifier is a unique identification code (UUID).

In an optional manner, the apparatus further comprises a root ticket generation module, configured to encrypt login information including the user information with a root ticket key to generate the root ticket.

In an optional manner, the apparatus further comprises a verification module, configured to verify the root ticket according to the root ticket key and, if the root ticket passes verification, to execute the step in which the unified authentication system returns the user information and the root ticket to the second application system.
It should be noted that the single sign-on apparatus provided in the embodiments of the present invention is an apparatus capable of executing the single sign-on method, and all embodiments based on the single sign-on method are applicable to the apparatus and can achieve the same or similar beneficial effects.
An embodiment of the present invention provides a computer-readable storage medium, where at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to execute the single sign-on method in any of the above method embodiments.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a computer storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform a single sign-on method of any of the above method embodiments.
Fig. 5 is a schematic structural diagram of the unified authentication system according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the unified authentication system.
Wherein, unified authentication system includes: a processor and a memory. The memory is configured to store at least one executable instruction, and when the unified authentication system is running, the processor executes the executable instruction to cause the processor to perform the steps of the single sign-on method according to any of the above-mentioned method embodiments.
Optionally, as shown in fig. 5, the unified authentication system may include: a processor (processor)502, a Communications Interface 504, a memory 506, and a communication bus 508.
The processor 502, the communication interface 504 and the memory 506 communicate with one another over the communication bus 508. The communication interface 504 is used to communicate with network elements of the first application system, the second application system or other servers. The processor 502 executes the program 510 and can thereby perform the single sign-on method of any of the method embodiments above.

In particular, the program 510 may include program code comprising computer operating instructions.

The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the invention. The unified authentication system comprises one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.

The memory 506 stores the program 510. It may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A single sign-on method, comprising:
receiving, by a unified authentication system, a random string generation request sent by a first application system, and generating a first dynamic password and a user identifier, wherein the random string generation request comprises user information and a root ticket, and the root ticket is generated according to the user information;
encrypting, by the unified authentication system according to the random string generation request, the user information and the user identifier with the first dynamic password to generate a random string;
storing, by the unified authentication system, the user identifier and the root ticket correspondingly in a database;
sending, by the unified authentication system, the random string to the first application system so that the first application system sends the random string to a second application system;
when the random string sent by the second application system is received, generating, by the unified authentication system, a second dynamic password and, when the second dynamic password is the same as the first dynamic password, decrypting the random string with the second dynamic password to obtain the user information and the user identifier;
acquiring, by the unified authentication system, the root ticket from the database according to the user identifier; and
returning, by the unified authentication system, the user information and the root ticket to the second application system to complete single sign-on of the second application system.
2. The method of claim 1, wherein the random string generation request includes second application jump information;
and before encrypting, according to the random string generation request, the user information and the user identifier with the first dynamic password to generate the random string, the method further comprises:
determining target information according to the second application jump information, and using the target information as the user information.
3. The method of claim 2, wherein encrypting the user information and the user identifier with the first dynamic password to generate the random string comprises:
encrypting the user information, the user identifier and the current encryption time with the first dynamic password to generate the random string.
4. The method of claim 1, wherein generating the first dynamic password comprises:
acquiring a current encryption time; and
generating the first dynamic password according to the current encryption time, a preset fixed key and a preset encryption algorithm;
and generating the second dynamic password comprises:
acquiring a current decryption time; and
generating the second dynamic password according to the current decryption time, the preset fixed key and the preset encryption algorithm;
wherein the preset encryption algorithm is such that, if the time interval between the current encryption time and the current decryption time is within a preset time interval range, the generated first dynamic password and second dynamic password are the same.
5. The method of claim 4, wherein the preset fixed key is stored in the unified authentication system in split form.
6. The method of any one of claims 1 to 5, wherein before the unified authentication system receives the random string generation request sent by the first application system, the method further comprises:
encrypting login information including the user information with a root ticket key to generate the root ticket.
7. The method of claim 6, wherein before the unified authentication system returns the user information and the root ticket to the second application system, the method further comprises:
verifying, by the unified authentication system, the root ticket according to the root ticket key, and returning the user information and the root ticket to the second application system only if the root ticket passes verification.
8. A single sign-on apparatus, comprising:
a request receiving module, configured for a unified authentication system to receive a random string generation request sent by a first application system and to generate a first dynamic password and a user identifier, wherein the random string generation request comprises user information and a root ticket, and the root ticket is generated according to the user information;
an encryption module, configured for the unified authentication system to encrypt, according to the random string generation request, the user information and the user identifier with the first dynamic password to generate a random string;
a storage module, configured for the unified authentication system to store the user identifier and the root ticket correspondingly in a database;
a sending module, configured for the unified authentication system to send the random string to the first application system so that the first application system sends the random string to a second application system;
a decryption module, configured for the unified authentication system to generate a second dynamic password when the random string sent by the second application system is received and, when the second dynamic password is the same as the first dynamic password, to decrypt the random string with the second dynamic password to obtain the user information and the user identifier;
a root ticket acquiring module, configured for the unified authentication system to acquire the root ticket from the database according to the user identifier; and
a root ticket sending module, configured for the unified authentication system to return the user information and the root ticket to the second application system to complete single sign-on of the second application system.
9. A single sign-on system, characterized in that it comprises a unified authentication system;
the unified authentication system comprising a processor and a memory, the memory storing at least one executable instruction, and the processor executing the executable instruction when the unified authentication system is running so as to perform the operations of the single sign-on method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon at least one executable instruction for causing a processor to perform the steps of the single sign-on method of any one of claims 1 to 7.
Application CN202010414182.2A (priority date 2020-05-15, filing date 2020-05-15): Single sign-on method, device and system. Status: Active. Granted publication: CN111342964B (en).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202010414182.2A | 2020-05-15 | 2020-05-15 | Single sign-on method, device and system

Publications (2)

Publication Number | Publication Date
CN111342964A (en) | 2020-06-26
CN111342964B (en) | 2020-08-11

Family

ID=71186563

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010414182.2A Active CN111342964B (en) 2020-05-15 2020-05-15 Single sign-on method, device and system

Country Status (1)

Country Link
CN (1) CN111342964B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112182544A (en) * 2020-09-22 2021-01-05 深圳竹云科技有限公司 Single sign-on method, device, computing equipment and computer readable storage medium
CN115189975B (en) * 2022-09-14 2022-12-27 中化现代农业有限公司 Login method, login device, electronic equipment and storage medium
CN116049802B (en) * 2023-03-31 2023-07-18 深圳竹云科技股份有限公司 Application single sign-on method, system, computer equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101207482A (en) * 2007-12-13 2008-06-25 深圳市戴文科技有限公司 System and method for implementation of single login
CN106101160A (en) * 2016-08-26 2016-11-09 北京恒华伟业科技股份有限公司 A kind of system login method and device
CN106230594A (en) * 2016-07-22 2016-12-14 浪潮通用软件有限公司 A kind of method carrying out user authentication based on dynamic password
CN107294916A (en) * 2016-03-31 2017-10-24 北京神州泰岳软件股份有限公司 Single-point logging method, single-sign-on terminal and single-node login system
CN109040030A (en) * 2018-07-17 2018-12-18 北京奇安信科技有限公司 Single-point logging method and system
CN109587147A (en) * 2018-12-11 2019-04-05 咪咕文化科技有限公司 A kind of single-node login system, method, server and storage medium
US10541995B1 (en) * 2019-07-23 2020-01-21 Capital One Services, Llc First factor contactless card authentication system and method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105450413B (en) * 2014-08-19 2019-04-19 阿里巴巴集团控股有限公司 A kind of setting method of password, device and system
CN110493202B (en) * 2019-07-29 2021-11-02 深圳壹账通智能科技有限公司 Login token generation and verification method and device and server

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101207482A (en) * 2007-12-13 2008-06-25 深圳市戴文科技有限公司 System and method for implementation of single login
CN107294916A (en) * 2016-03-31 2017-10-24 北京神州泰岳软件股份有限公司 Single-point logging method, single-sign-on terminal and single-node login system
CN106230594A (en) * 2016-07-22 2016-12-14 浪潮通用软件有限公司 A method for user authentication based on dynamic password
CN106101160A (en) * 2016-08-26 2016-11-09 北京恒华伟业科技股份有限公司 A system login method and device
CN109040030A (en) * 2018-07-17 2018-12-18 北京奇安信科技有限公司 Single-point logging method and system
CN109587147A (en) * 2018-12-11 2019-04-05 咪咕文化科技有限公司 A single sign-on system, method, server and storage medium
US10541995B1 (en) * 2019-07-23 2020-01-21 Capital One Services, Llc First factor contactless card authentication system and method

Also Published As

Publication number Publication date
CN111342964A (en) 2020-06-26

Similar Documents

Publication Publication Date Title
CN109961292B (en) Block chain verification code application method, equipment and storage medium
CN108322469B (en) Information processing system, method and apparatus
US9288201B2 (en) Disconnected credential validation using pre-fetched service tickets
CN112019493B (en) Identity authentication method, identity authentication device, computer equipment and medium
CN111342964B (en) Single sign-on method, device and system
CN112491881B (en) Cross-platform single sign-on method, system, electronic equipment and storage medium
US20070127723A1 (en) Server pool Kerberos authentication scheme
CN112333198A (en) Secure cross-domain login method, system and server
US20160381001A1 (en) Method and apparatus for identity authentication between systems
CN111625829A (en) Application activation method and device based on trusted execution environment
US20180300507A1 (en) Method and server for authenticating and verifying file
CN112202705A (en) Digital signature verification generation and verification method and system
US8650405B1 (en) Authentication using dynamic, client information based PIN
US8977857B1 (en) System and method for granting access to protected information on a remote server
CN110535884B (en) Method, device and storage medium for cross-enterprise inter-system access control
KR102137122B1 (en) Security check method, device, terminal and server
CN112165382B (en) Software authorization method and device, authorization server side and terminal equipment
CN106992859B (en) Bastion machine private key management method and device
US20100241865A1 (en) One-Time Password System Capable of Defending Against Phishing Attacks
EP3552131A1 (en) Password security
CN116458117A (en) Secure digital signatures
CN110798322B (en) Operation request method, device, storage medium and processor
CN113505353A (en) Authentication method, device, equipment and storage medium
JP6081857B2 (en) Authentication system and authentication method
US8910260B2 (en) System and method for real time secure image based key generation using partial polygons assembled into a master composite image

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 518000 East, 3rd floor, incubation building, China Academy of science and technology, 009 Gaoxin South 1st Road, Nanshan District, Shenzhen City, Guangdong Province

Patentee after: Shenzhen Zhuyun Technology Co.,Ltd.

Address before: 518000 East, 3rd floor, incubation building, China Academy of science and technology, 009 Gaoxin South 1st Road, Nanshan District, Shenzhen City, Guangdong Province

Patentee before: SHENZHEN BAMBOOCLOUD TECHNOLOGY CO.,LTD.

CP02 Change in the address of a patent holder

Address after: 518000 4001, Block D, Building 1, Chuangzhi Yuncheng Lot 1, Liuxian Avenue, Xili Community, Xili Street, Nanshan District, Shenzhen, Guangdong

Patentee after: Shenzhen Zhuyun Technology Co.,Ltd.

Address before: 518000 East, 3rd floor, incubation building, China Academy of science and technology, 009 Gaoxin South 1st Road, Nanshan District, Shenzhen City, Guangdong Province

Patentee before: Shenzhen Zhuyun Technology Co.,Ltd.