CN111988275A - Single sign-on method, single sign-on server cluster and electronic equipment - Google Patents
Single sign-on method, single sign-on server cluster and electronic equipment Download PDFInfo
- Publication number
- CN111988275A CN111988275A CN202010680941.XA CN202010680941A CN111988275A CN 111988275 A CN111988275 A CN 111988275A CN 202010680941 A CN202010680941 A CN 202010680941A CN 111988275 A CN111988275 A CN 111988275A
- Authority
- CN
- China
- Prior art keywords
- user
- single sign
- token
- application
- temporary key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 34
- 230000009191 jumping Effects 0.000 claims abstract description 13
- 238000013475 authorization Methods 0.000 claims description 17
- 230000003993 interaction Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0637—Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The application provides a single sign-on method, a single sign-on server cluster and an electronic device, wherein the method comprises the following steps: receiving a user authentication request containing user information sent by a user; based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts user information according to a first preset encryption rule; if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in a plurality of single sign-on servers, sending a temporary key corresponding to the encrypted token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system to a user, receiving a login instruction sent by the user, jumping to a new label according to the login instruction, receiving an instruction of requesting to obtain the token from the temporary key, and determining whether the application systems needing to be logged in complete logging in.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a single sign-on method, a single sign-on server cluster, and an electronic device.
Background
At present, with the increasingly wide application based On networks and the increasingly abundant service types in different fields, it becomes more and more important to use a Single Sign On (SSO) system, for short, that is, a user can access all mutually trusted cross-domain application systems only by logging On once.
In the prior art, on one hand, a single sign-on server is used in the single sign-on system and method, the provided concurrency is limited, and under the condition of large concurrency, the data synchronization delay is large due to large data interaction amount. On the other hand, since the login is only required once, all authorized application systems can access, which may cause some important information to be leaked.
Disclosure of Invention
The present application aims to provide a single sign-on method, a single sign-on server cluster and an electronic device, so as to overcome the technical defects that the concurrency of a single sign-on server is limited and a greater security risk exists.
In a first aspect, an embodiment of the present application provides a single sign-on method, where the method includes: receiving a user authentication request containing user information sent by a user; based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid; if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in a plurality of single sign-on servers, and sending a temporary key corresponding to the encrypted token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system to the user, wherein the temporary key is used for caching the encrypted token with the user name as the key in a cache space for the user; and receiving a login instruction sent by a user, jumping to a new label according to the login instruction, receiving a temporary key request to acquire the instruction of the token, and determining whether the application systems needing to be logged in complete the login.
With reference to the first aspect, in a first possible implementation manner, after obtaining the token if the user information is valid, the method further includes: the expiration duration of the token is set.
With reference to the first aspect, in a second possible implementation manner, comparing the encrypted user information with the user identity information in the authentication authorization database to determine whether the user information is valid includes: and searching a trust certificate mapped by the user information in an authentication authorization database according to the encrypted user information, and sending an authentication success message to each single sign-on server in the multiple single sign-on servers, or else sending an authentication failure message to each single sign-on server in the multiple single sign-on servers.
With reference to the first aspect, in a third possible implementation manner, the second preset encryption rule in each single sign-on server of the multiple single sign-on servers is an AES-CBC algorithm.
With reference to the first aspect, in a fourth possible implementation manner, receiving a login instruction sent by a user, after jumping to a new tag according to the login instruction, receiving an instruction of a temporary key request to acquire a token, and determining whether a plurality of application systems that need to be logged in complete login includes: receiving a login instruction, wherein the login instruction comprises: the temporary key, the identifier corresponding to each application system and the access address corresponding to the new label, wherein the identifier corresponding to each application system is an application code of each application system; jumping to a page corresponding to the new label according to the access address corresponding to the new label in the login instruction; and receiving an instruction of a temporary key request for obtaining the token, and determining whether the multiple application systems needing to be logged in complete the login.
In a second aspect, an embodiment of the present application provides a single sign-on method, where the method includes: a user sends a user authentication request containing user information, and a temporary key corresponding to a token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system are obtained based on the user authentication request; displaying the application list to a user, clicking and determining a system name of an application system to be logged in by the user, and then generating a login instruction, wherein the login instruction comprises a temporary key, an identifier corresponding to each application system and an access address corresponding to a new label; and requesting the user to obtain the token by using the temporary key, and determining that the multiple application systems needing to be logged in complete the login if the user successfully obtains the token.
In a third aspect, an embodiment of the present application provides a single sign-on server cluster, where the single sign-on server cluster includes a plurality of single sign-on servers, and the single sign-on server cluster is configured to: receiving a user authentication request containing user information sent by a user; based on a user authentication request, each single sign-on server in a plurality of single sign-on servers encrypts user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid; if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in a plurality of single sign-on servers, and sending a temporary key corresponding to the encrypted token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system to the user, wherein the temporary key is used for caching the encrypted token with the user name as the key in a cache space for the user; and receiving a login instruction sent by a user, jumping to a new label according to the login instruction, receiving an instruction of a temporary key request for obtaining a token, and determining whether a plurality of application systems needing to be logged in complete the login.
In a fourth aspect, an embodiment of the present application provides an electronic device, where the electronic device includes: the first processing module is used for sending a user authentication request containing user information by a user, and acquiring a temporary key corresponding to the token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system based on the user authentication request; the second processing module is used for displaying the application list to the user, and the user clicks the system name of the application system needing to be logged in and generates a login instruction after determining the system name, wherein the login instruction comprises a temporary key, an identifier corresponding to each application system and an access address corresponding to a new label; and the third processing module is used for requesting the user to acquire the token by using the temporary key, and determining that the multiple application systems needing to be logged in complete the login if the user successfully acquires the token.
The invention has the beneficial effects that: according to the technical scheme provided by the embodiment of the invention, a single sign-on server cluster is introduced, and the feasibility of processing a large amount of concurrent data interaction based on a cluster technology is provided; and the user information in the user authentication request is encrypted based on the first preset encryption rule, and the token is encrypted based on the second preset encryption rule, so that malicious interception or attack is not easy to occur, and the safety of using the single sign-on method can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a single sign-on method according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another single sign-on method according to an embodiment of the present disclosure;
fig. 3 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
In an embodiment of the present application, the single sign-on method is applied to a single sign-on server cluster, where the single sign-on server cluster includes a plurality of single sign-on servers, and each single sign-on server in the plurality of single sign-on servers executes the following operations: receiving a user authentication request containing user information sent by a user; based on a user authentication request, each single sign-on server in a plurality of single sign-on servers encrypts user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid; if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in a plurality of single sign-on servers, and sending a temporary key corresponding to the encrypted token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system to the user, wherein the temporary key is used for caching the encrypted token with the user name as the key in a cache space for the user; and receiving a login instruction sent by a user, jumping to a new label according to the login instruction, receiving an instruction of a temporary key request for obtaining a token, and determining whether a plurality of application systems needing to be logged in complete the login.
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating a single sign-on method according to an embodiment of the present disclosure. The single sign-on method includes step S11, step S12, step S13, and step S14.
Step S11: receiving a user authentication request containing user information sent by a user;
step S12: based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid;
step 13, if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in a plurality of single sign-on servers, and sending a temporary key corresponding to the encrypted token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system to the user, wherein the temporary key caches the encrypted token with the user name as key in a cache space for the user;
step S14: and receiving a login instruction sent by a user, jumping to a new label according to the login instruction, receiving a temporary key request to acquire the instruction of the token, and determining whether the application systems needing to be logged in complete the login.
Step S11: and receiving a user authentication request which is sent by a user and contains user information.
The user sends a user authentication request carrying user information to the single sign-on server cluster, and the single sign-on server cluster receives the user authentication request. The user information may include a user account and a user login password.
Step S12: based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid.
The cluster of the single sign-on servers receives the user authentication request, and can firstly judge whether the current state of the user authentication request is 'first access', namely the user is not logged in for the target application system, in other words, the user accesses the target application system for the first time, if the judgment result is yes, each single sign-on server in the multiple single sign-on servers encrypts user information according to a first preset encryption rule, and compares the encrypted user information with the user identity information in the authentication authorization database to judge whether the user information is valid.
In detail, according to the encrypted user information, finding a trust certificate mapped by the user information in an authentication authorization database, and sending an authentication success message to each single sign-on server in the multiple single sign-on servers, otherwise, sending an authentication failure message to each single sign-on server in the multiple single sign-on servers. The login authentication can check whether the identity information of the target user carried by the access request is legal or not.
The user identity information table is one or more pre-established data tables and is used for storing the corresponding relation between a user account and a user login password, a user can send a registration request to the single sign-on server cluster through a client in advance, the registration request can comprise the user account and the user login password of the user, and after the user registration success is detected, the single sign-on server cluster can store the user name and the password of the user to the user registration table. Or, the single sign-on server cluster can directly obtain each user account and user sign-on password input by each user through the human-computer interaction interface, and store the corresponding relationship between each user account and each user sign-on password in the user identity information table. Only if the trust certificate mapped with the user information is found in the authentication authorization database, it can be shown that the user information is valid, so that the user information which is not authenticated cannot perform the related operations after step S13 and step S13, and the security of single sign-on is ensured.
And step 13, if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in the multiple single sign-on servers, and sending a temporary key corresponding to the encrypted token, an application list consisting of system names of multiple application systems and a webpage access address corresponding to each application system to the user, wherein the temporary key caches the encrypted token with the user name as the key in a cache space for the user.
When the user information is authenticated by the authentication authorization database, the user information is valid and can be trustworthy. When the user information is valid, a token is obtained. Because the application system authorized by the user can perform login-free operation when the token is taken, the token is encrypted by using the second preset encryption rule in each single sign-on server in the plurality of single sign-on servers, so that the security of the token is improved, and the whole single sign-on operation is safer.
In detail, after the token is obtained, the expiration time of one token is set, and after the token is generated, the token is valid within the expiration time and can be carried for authentication; if the time period from the generation of the token to the carrying of the token is longer than the expiration time period, the token will be invalid.
When the token is encrypted by using the second preset encryption rule in each single sign-on server of the multiple single sign-on servers, the second preset encryption rule may be an AES-CBC algorithm, and may also be an HMACSHA 256.
And caching the token and generating a temporary key. The cache mode may be a Redis cache or a Memcache cache, and in the embodiment of the present application, a Redis cache is adopted. And sending the temporary key corresponding to the encrypted token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system to the user. Skipping can be performed according to the webpage access address corresponding to each application system, and a new label page is entered.
Each application system may provide different business services. Each application system may be deployed in different application servers, or may be deployed in the same application server, and the deployment manner of the multiple application systems is not limited in the present invention.
Each application system in the multiple application systems may adopt a front-end and back-end separation architecture, and a data processing process of the application system adopting the architecture may be as follows: through the interaction between the front end and the client, the front end can acquire the data stored in the back end and return the acquired data to the client. Therefore, the front end and the rear end are clearly divided, the data decoupling of the application system is realized by the application, and the system performance is improved.
The user may establish a communication connection with multiple application systems through the client, for example, the user may log in and/or request service data from multiple application systems through the client, and the client may be a mobile phone, a tablet, a personal computer, or the like.
Step S14: and receiving a login instruction sent by a user, jumping to a new label according to the login instruction, receiving a temporary key request to acquire the instruction of the token, and determining whether the application systems needing to be logged in complete the login.
After receiving a temporary key corresponding to the encrypted token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system, which are sent by the single sign-on server cluster, the user generates a sign-on instruction and sends the login instruction to the single sign-on server cluster.
In detail, the login instruction includes: the temporary key, an identifier corresponding to each application system, and an access address corresponding to the new tag, wherein the identifier corresponding to each application system encodes an application of each application system. The single sign-on server cluster receives a sign-on instruction sent by a user, jumps to a new label according to the sign-on instruction, receives a temporary key request to acquire a token instruction, and determines whether a plurality of application systems needing to be logged in complete the login.
Referring to fig. 2, another single sign-on method provided in the embodiment of the present application includes: step S21, step S22, and step S23.
Step S21: a user sends a user authentication request containing user information, and a temporary key corresponding to a token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system are obtained based on the user authentication request;
step S22: displaying the application list to a user, clicking and determining a system name of an application system to be logged in by the user, and then generating a login instruction, wherein the login instruction comprises a temporary key, an identifier corresponding to each application system and an access address corresponding to a new label;
step S23: and requesting the user to obtain the token by using the temporary key, and determining that the multiple application systems needing to be logged in complete the login if the user successfully obtains the token.
Step S21: the user sends a user authentication request containing user information, and based on the user authentication request, a temporary key corresponding to the token, an application list composed of system names of a plurality of application systems, and a webpage access address corresponding to each application system are obtained.
In detail, a user sends a user authentication request containing user information to the single sign-on server cluster through a client, and the user information is authenticated through an authentication authorization database, and receives a temporary key corresponding to a token, an application list composed of system names of a plurality of application systems and a webpage access address corresponding to each application system, which are sent by the single sign-on server cluster.
Step S22: and displaying the application list to a user, clicking the system name of the application system needing to be logged in by the user, determining, and generating a login instruction, wherein the login instruction comprises a temporary key, an identifier corresponding to each application system and an access address corresponding to the new label.
In detail, the client may install a browser, and the browser may display a login page, which may provide a login button. The client receives an application list consisting of system names of a plurality of application systems and displays the application list to a user, the user can click the name of the application system needing to be logged in according to actual requirements, after the system name of at least one application system is clicked and determined, the user can add a temporary key and an identifier corresponding to each application system to an access address corresponding to a new label and then jump when the user clicks a determination button. The user clicks a login button, and the single sign-on server cluster can determine that a login instruction is detected after the login button is clicked.
Step S23: and requesting the user to obtain the token by using the temporary key, and determining that the multiple application systems needing to be logged in complete the login if the user successfully obtains the token.
If the login command generated by the client includes a temporary key, the temporary key may be used to request multiple application systems to obtain the token. And comparing the temporary key representing the token transmitted by the client with the token in the Redis cache, if the temporary key is the same as the token, releasing the temporary key, and if the temporary key is different from the token, rejecting the temporary key, namely, if the comparison result is the same, the multiple application systems finish login, and the multiple application systems fail to login.
As will be described in detail below, referring to fig. 3, the electronic device 100 includes:
the first processing module 110 is configured to send a user authentication request including user information by a user, and obtain a temporary key corresponding to the token, an application list composed of system names of multiple application systems, and a web access address corresponding to each application system based on the user authentication request;
the second processing module 120 is configured to display the application list to the user, and after the user clicks the system name of the application system to be logged in and determines that the system name is the same, generate a login instruction, where the login instruction includes a temporary key, an identifier corresponding to each application system, and an access address corresponding to a new tag;
the third processing module 130 is configured to request the user to obtain the token by using the temporary key, and determine that the multiple application systems that need to log in complete the login if the user successfully obtains the token.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the user equipment and the module described above may refer to corresponding processes in the foregoing method embodiments, and are not described herein again.
To sum up, the embodiment of the present application provides a single sign-on method, which includes: receiving a user authentication request containing user information sent by a user; based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid; if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in a plurality of single sign-on servers, and sending a temporary key corresponding to the encrypted token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system to the user, wherein the temporary key is used for caching the encrypted token with the user name as the key in a cache space for the user; and receiving a login instruction sent by a user, jumping to a new label according to the login instruction, receiving a temporary key request to acquire the instruction of the token, and determining whether the application systems needing to be logged in complete the login.
According to the technical scheme provided by the embodiment of the invention, a single sign-on server cluster is introduced, and the feasibility of processing a large amount of concurrent data interaction based on a cluster technology is provided; and the user information in the user authentication request is encrypted based on the first preset encryption rule, and the token is encrypted based on the second preset encryption rule, so that malicious interception or attack is not easy to occur, and the safety of using the single sign-on method can be improved.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (8)
1. A method of single sign-on, the method comprising:
receiving a user authentication request containing user information sent by a user;
based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts the user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid;
if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in a plurality of single sign-on servers, and sending a temporary key corresponding to the encrypted token, an application list composed of system names of a plurality of application systems and a webpage access address corresponding to each application system to the user, wherein the temporary key caches the encrypted token with the user name as key in a cache space for the user;
and receiving a login instruction sent by the user, jumping to a new label according to the login instruction, receiving an instruction of the temporary key request for obtaining the token, and determining whether the application systems needing to be logged in complete the login.
2. The single sign-on method of claim 1, wherein after obtaining the token if the user information is valid, the method further comprises:
and setting the expiration time of the token.
3. The single sign-on method of claim 1, wherein the comparing the encrypted user information with user identity information in an authentication and authorization database to determine whether the user information is valid comprises:
and searching a trust certificate mapped by the user information in the authentication authorization database according to the encrypted user information, and sending an authentication success message to each single sign-on server in the single sign-on servers, otherwise, sending an authentication failure message to each single sign-on server in the single sign-on servers.
4. The single sign-on method of claim 1, wherein the second predetermined encryption rule in each of the plurality of single sign-on servers is an AES-CBC algorithm.
5. The single sign-on method according to claim 1, wherein the receiving a login instruction sent by the user, after jumping to a new tag according to the login instruction, receiving an instruction of the temporary key requesting to obtain the token, and determining whether the multiple application systems that need to log on complete the login comprises:
receiving the login instruction, wherein the login instruction comprises: the temporary key, an identifier corresponding to each of the application systems, and an access address corresponding to a new tag, wherein the identifier corresponding to each of the application systems encodes an application code for each of the application systems;
jumping to a page corresponding to the new label according to the access address corresponding to the new label in the login instruction;
and receiving an instruction of the temporary key request for obtaining the token, and determining whether the application systems needing to be logged in complete the login.
6. A method of single sign-on, the method comprising:
a user sends a user authentication request containing user information, and a temporary key corresponding to a token, an application list composed of system names of a plurality of application systems and a webpage access address corresponding to each application system are obtained based on the user authentication request;
displaying the application list to the user, clicking a system name of the application system needing to be logged in by the user, determining the system name, and generating a login instruction, wherein the login instruction comprises the temporary key, an identifier corresponding to each application system and an access address corresponding to a new label;
and requesting the user to acquire the token by using the temporary key, and determining that the application systems needing to be logged in complete the login if the user successfully acquires the token.
7. A single sign-on server cluster comprising a plurality of single sign-on servers, the single sign-on server cluster configured to:
receiving a user authentication request containing user information sent by a user;
based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts the user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid;
if the user information is valid, obtaining a token, encrypting the token through a second preset encryption rule in each single sign-on server in a plurality of single sign-on servers, and sending a temporary key corresponding to the encrypted token, an application list composed of system names of a plurality of application systems and a webpage access address corresponding to each application system to the user, wherein the temporary key caches the encrypted token with the user name as key in a cache space for the user;
and receiving a login instruction sent by the user, jumping to a new label according to the login instruction, receiving an instruction of the temporary key request for obtaining the token, and determining whether the application systems needing to be logged in complete the login.
8. An electronic device, characterized in that the electronic device comprises:
the system comprises a first processing module, a second processing module and a third processing module, wherein the first processing module is used for sending a user authentication request containing user information by a user, and acquiring a temporary key corresponding to a token, an application list consisting of system names of a plurality of application systems and a webpage access address corresponding to each application system based on the user authentication request;
the second processing module is used for displaying the application list to the user, and the user clicks the system name of the application system needing to be logged in and generates a login instruction after determining the system name, wherein the login instruction comprises the temporary key, the identifier corresponding to each application system and the access address corresponding to the new label;
and the third processing module is used for requesting the user to acquire the token by using the temporary key, and determining that the application systems needing to be logged in complete the login if the user successfully acquires the token.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010680941.XA CN111988275A (en) | 2020-07-15 | 2020-07-15 | Single sign-on method, single sign-on server cluster and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010680941.XA CN111988275A (en) | 2020-07-15 | 2020-07-15 | Single sign-on method, single sign-on server cluster and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111988275A true CN111988275A (en) | 2020-11-24 |
Family
ID=73438674
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010680941.XA Pending CN111988275A (en) | 2020-07-15 | 2020-07-15 | Single sign-on method, single sign-on server cluster and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111988275A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112613022A (en) * | 2020-12-25 | 2021-04-06 | 航天信息股份有限公司 | Method and system for user single sign-on service system |
| CN112714166A (en) * | 2020-12-22 | 2021-04-27 | 新华三大数据技术有限公司 | Multi-cluster management method and device for distributed storage system |
| CN112769826A (en) * | 2021-01-08 | 2021-05-07 | 深信服科技股份有限公司 | Information processing method, device, equipment and storage medium |
| CN112887284A (en) * | 2021-01-14 | 2021-06-01 | 北京电解智科技有限公司 | Access authentication method and device |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102111410A (en) * | 2011-01-13 | 2011-06-29 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
| CN103188248A (en) * | 2011-12-31 | 2013-07-03 | 卓望数码技术(深圳)有限公司 | Identity authentication system and method based on single sign-on |
| CN103227799A (en) * | 2013-05-13 | 2013-07-31 | 山东临沂烟草有限公司 | Implementing method of unified user management and single sign-on platform based on multiple application systems |
| CN103634269A (en) * | 2012-08-21 | 2014-03-12 | 中国银联股份有限公司 | A single sign-on system and a method |
| US8713658B1 (en) * | 2012-05-25 | 2014-04-29 | Graphon Corporation | System for and method of providing single sign-on (SSO) capability in an application publishing environment |
-
2020
- 2020-07-15 CN CN202010680941.XA patent/CN111988275A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102111410A (en) * | 2011-01-13 | 2011-06-29 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
| CN103188248A (en) * | 2011-12-31 | 2013-07-03 | 卓望数码技术(深圳)有限公司 | Identity authentication system and method based on single sign-on |
| US8713658B1 (en) * | 2012-05-25 | 2014-04-29 | Graphon Corporation | System for and method of providing single sign-on (SSO) capability in an application publishing environment |
| US20140143847A1 (en) * | 2012-05-25 | 2014-05-22 | Graphon Corporation | System for and method of providing single sign-on (sso) capability in an application publishing environment |
| CN103634269A (en) * | 2012-08-21 | 2014-03-12 | 中国银联股份有限公司 | A single sign-on system and a method |
| CN103227799A (en) * | 2013-05-13 | 2013-07-31 | 山东临沂烟草有限公司 | Implementing method of unified user management and single sign-on platform based on multiple application systems |
Non-Patent Citations (1)
| Title |
|---|
| 梁志罡: "基于Web_service的混合架构单点登录的设计", 《计算机应用》 * |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112714166A (en) * | 2020-12-22 | 2021-04-27 | 新华三大数据技术有限公司 | Multi-cluster management method and device for distributed storage system |
| CN112714166B (en) * | 2020-12-22 | 2022-03-29 | 新华三大数据技术有限公司 | Multi-cluster management method and device for distributed storage system |
| CN112613022A (en) * | 2020-12-25 | 2021-04-06 | 航天信息股份有限公司 | Method and system for user single sign-on service system |
| CN112769826A (en) * | 2021-01-08 | 2021-05-07 | 深信服科技股份有限公司 | Information processing method, device, equipment and storage medium |
| CN112887284A (en) * | 2021-01-14 | 2021-06-01 | 北京电解智科技有限公司 | Access authentication method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9473568B2 (en) | Detecting code injections through cryptographic methods | |
| US10270758B2 (en) | Login method, server, and login system | |
| CN108322461B (en) | Method, system, device, equipment and medium for automatically logging in application program | |
| US8484480B2 (en) | Transmitting information using virtual input layout | |
| CN106330850B (en) | Security verification method based on biological characteristics, client and server | |
| US6629246B1 (en) | Single sign-on for a network system that includes multiple separately-controlled restricted access resources | |
| CN111988275A (en) | Single sign-on method, single sign-on server cluster and electronic equipment | |
| CN100544361C (en) | The method and apparatus that is used for managing session identifiers | |
| US5586260A (en) | Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms | |
| CN101997685B (en) | Single sign-on method, single sign-on system and associated equipment | |
| US8375425B2 (en) | Password expiration based on vulnerability detection | |
| CN108259502A (en) | For obtaining the identification method of interface access rights, server-side and storage medium | |
| KR20210095093A (en) | Method for providing authentification service by using decentralized identity and server using the same | |
| US20160044508A1 (en) | Method for providing application service | |
| US20090183246A1 (en) | Universal multi-factor authentication | |
| CN113742676B (en) | Login management method, login management device, login management server, login management system and storage medium | |
| CN103812651A (en) | Password authentication method, device and system | |
| CN101902329A (en) | Method and device for single sign on | |
| CN109726578B (en) | Dynamic two-dimensional code anti-counterfeiting solution | |
| CN112118238A (en) | Method, device, system, equipment and storage medium for authentication login | |
| KR102372503B1 (en) | Method for providing authentification service by using decentralized identity and server using the same | |
| CN112929388B (en) | Network identity cross-device application rapid authentication method and system, and user agent device | |
| KR101803535B1 (en) | Single Sign-On Service Authentication Method Using One-Time-Token | |
| US20100250607A1 (en) | Personal information management apparatus and personal information management method | |
| CN116032627A (en) | Unified authentication and authorization method and device based on micro-service architecture |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20201124 |
|
| RJ01 | Rejection of invention patent application after publication |