CN112039873A - Method for accessing business system by single sign-on - Google Patents


Info

Publication number: CN112039873A
Authority: CN (China)
Prior art keywords: user, party application, identity, application platform, authentication
Legal status: Pending
Application number: CN202010882861.2A
Other languages: Chinese (zh)
Inventors: 宋丽丽, 胡清, 李国涛, 张栋
Current assignee: Inspur Cloud Information Technology Co Ltd
Original assignee: Inspur Cloud Information Technology Co Ltd
Application filed by Inspur Cloud Information Technology Co Ltd
Priority to CN202010882861.2A
Publication of CN112039873A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Abstract

The invention discloses a method for accessing a business system by single sign-on, and relates to the technical field of single sign-on. In an enterprise with a plurality of independent business systems, each business system uses a different identity authentication system for login and logout, which is inefficient and cumbersome. The invention therefore provides a technical scheme based on a single sign-on protocol (SAML, OpenID or OAuth2): a plurality of business systems in the enterprise, serving as service providers (SP), are connected through Keycloak Identity Brokering with different third-party application platforms serving as identity providers (IDP), a trust relationship is established, and one-stop, out-of-the-box single sign-on authentication and authorized access are realized. This lowers the technical threshold and the time cost of integrating identity authentication among the business systems in the enterprise, and lets a user conveniently integrate the independent business systems.

Description

Method for accessing business system by single sign-on
Technical Field
The invention relates to the technical field of single sign-on, in particular to a method for accessing a business system by single sign-on.
Background
Whether on the Web or on mobile terminals, login with a mainstream third-party social account has become a standard feature: mainstream websites show a QQ or WeChat account login button, and when the third-party account is used to log in, the QQ or WeChat platform issues an identity credential for that account after login. The third-party application trusts and accepts the QQ or WeChat identity credential and can use that credential directly to log the user in through the third party's authentication. After the website is logged into with the QQ or WeChat account for the first time, the existing account is bound to it; the website thereby passes the identity authentication of the QQ platform, and the account login can be authorized accordingly through the authentication system.
For an information system environment inside an enterprise, a company may currently have many business systems, each of which may use a different identity authentication system. The systems are independent of one another, a company employee must be allocated an account in each independent system, and each system must be logged into and out of separately, which is inefficient and tedious.
Disclosure of Invention
Aiming at the requirements and the defects of the prior art, the invention provides a method for accessing a business system by single sign-on: single sign-on and single sign-off across a plurality of independent systems are realized through Keycloak Identity Brokering, any other third-party application platform can authenticate the identity of a user for the independent business system, and repeated sign-on and sign-off are avoided.
The invention discloses a method for accessing a business system by single sign-on, which adopts the following technical scheme to solve the technical problems:
a method for accessing a business system by single sign-on is based on a single sign-on protocol: a plurality of business systems in an enterprise, serving as service providers (SP), are connected through Keycloak Identity Brokering with different third-party application platforms serving as identity providers (IDP), a trust relationship is established, and one-stop, out-of-the-box single sign-on authentication and authorized access are achieved. Wherein:
Keycloak Identity Brokering represents the identity broker intermediary service;
SP: the Service Provider is responsible for providing resource services; some services in the distributed network use the IDP to authenticate users;
IDP: the Identity Provider manages user identity information and is responsible for providing the authentication service.
Optionally, a method for accessing a business system by single sign-on includes:
1) a user accesses an enterprise-internal business system that can be accessed only after logging in, and the business system is protected by Keycloak Identity Brokering;
2) the page jumps to the login page of Keycloak Identity Brokering;
3) the login page of Keycloak Identity Brokering offers login with a user name and password or with other methods;
4) based on the single sign-on protocol, the user can select one of the third-party application platforms to log in with;
5) Keycloak Identity Brokering initiates an authentication request to the third-party application platform selected by the user, and at the same time the page jumps to the selected third-party application platform;
6) the user enters the account information of the third-party application platform in the authentication page provided by the selected third-party application platform to complete identity authentication;
7) after successful authentication, the browser is redirected back to the login page of Keycloak Identity Brokering, and the response carries a token; the token allows Keycloak Identity Brokering to trust that authentication is complete, and Keycloak Identity Brokering can use the token to acquire the user information from the third-party application platform;
8) after the user completes the authentication operation in Keycloak Identity Brokering, the user is redirected to the business system they wanted to access in step 1);
9) the page of the business system acquires the token, and the user accesses the information they are authorized for, completing login to the enterprise-internal business system with the identity of the third-party application platform.
For the above implementation process, further optionally, before step 8) is performed, Keycloak Identity Brokering checks whether the user information obtained from the third-party application platform is valid;
when it is valid, it further checks whether the user already exists;
if the user exists, authentication is complete;
if not, Keycloak Identity Brokering creates a new user: it first attempts to obtain the fields required to create a new user by parsing the token obtained in step 7); when the information in those fields is complete, user creation finishes; if the information in the token is incomplete, it uses the token to send a request to the third-party application platform for the user information; if the user information obtained is still incomplete, the authentication page of the selected third-party application platform is shown to require the user to complete the information, and finally user creation finishes;
Keycloak Identity Brokering then returns to the user a token issued by itself, followed by step 8).
Optionally, the third-party application platform may be an instant messaging platform or a social platform, and the single sign-on protocol may be any one of SAML, OpenID and OAuth 2.
Preferably, the single sign-on protocol used is SAML 2.0, and an existing Keycloak Identity Brokering user is associated with the third-party application platform user that uses the SAML 2.0 protocol, either directly or by using the REST API.
Further preferably, the single sign-on protocol used is SAML 2.0, and the specific process of configuring the SAML 2.0 protocol on Keycloak Identity Brokering is as follows:
add a third-party application platform in the console of Keycloak Identity Brokering, and select the custom SAML V2.0 protocol;
set an alias for the third-party application platform that uniquely identifies it;
enable Hide on Login Page; once it is enabled, a 'kc_idp_hint' parameter is appended to the URL, and authentication is transferred automatically to the external IDP;
set the Authentication Flow, selecting "first broker login";
Single Sign-On Service URL: the address to which the authentication request is sent;
set the parameters HTTP-POST Binding Response, HTTP-POST Binding AuthnRequest and HTTP-POST Binding Logout to true.
Preferably, the single sign-on protocol used is OpenID Connect V1.0; an existing Keycloak Identity Brokering user is associated with the third-party application platform user that uses the OpenID Connect protocol, and at the same time the following are set:
the alias of the third-party application platform;
the user ID of the third-party application platform: associated with the User ID of the OpenID Connect third-party application platform;
the user name of the third-party application platform: associated with the User name of the OpenID Connect third-party application platform.
Further preferably, the single sign-on protocol used is OpenID Connect V1.0, and the specific process of configuring the OpenID Connect V1.0 protocol on Keycloak Identity Brokering is as follows:
add a third-party application platform in the console of Keycloak Identity Brokering, and select the custom OpenID Connect V1.0 protocol;
set an alias for the third-party application platform that uniquely identifies it;
set the Hide On Login Page parameter to 'ON'; once it is on, a 'kc_idp_hint' parameter is appended to the access URL, whose value identifies the third-party application platform, and authentication is transferred automatically to the external third-party application platform;
set the Authentication Flow, selecting "first broker login";
set the authorization address of the application system (Authorization URL);
set the Token URL, the address from which the token is acquired;
enable Disable User Info, and set the Client ID and Client Secret, which are the client registered in the third-party application platform and the secret set for that client.
Preferably, the single sign-on protocol used is OAuth2; in this case the existing Keycloak Identity Brokering user can delegate identity authentication to a semi-trusted party, namely the user's existing account at the third-party application platform;
the specific process of configuring the OAuth2 protocol on Keycloak Identity Brokering is as follows:
add a third-party application platform in the console of Keycloak Identity Brokering, and select that third-party application platform under the OAuth2 protocol;
set the values of Client ID and Client Secret, which are obtained from the OAuth App created at the selected third-party application platform; the Application Name, Homepage URL and Authorization callback URL are set in that OAuth App.
Compared with the prior art, the method for accessing a business system by single sign-on has the following beneficial effects:
based on a single sign-on protocol, the invention connects a plurality of business systems in an enterprise, serving as service providers (SP), with different third-party application platforms serving as identity providers (IDP) through Keycloak Identity Brokering, establishes a trust relationship, and realizes one-stop, out-of-the-box single sign-on authentication and authorized access. In particular, it solves the low efficiency and complexity of login and logout caused by a plurality of independent business systems in the enterprise each adopting a different identity authentication system, and avoids repeated login.
Drawings
FIG. 1 is a flow chart of an embodiment of the present invention.
Detailed Description
To make the technical scheme, the technical problems solved and the technical effects of the present invention clearer, the technical scheme of the present invention is described clearly and completely below with reference to specific embodiments.
It should be noted that:
Keycloak Identity Brokering represents the identity broker intermediary service;
SP: the Service Provider is responsible for providing resource services; some services in the distributed network use the IDP to authenticate users;
IDP: the Identity Provider manages user identity information and is responsible for providing the authentication service.
Example one:
this embodiment provides a method for accessing a business system through single sign-on which, based on a single sign-on protocol, connects a plurality of business systems in an enterprise serving as service providers (SP) with different third-party application platforms serving as identity providers (IDP) through Keycloak Identity Brokering, establishes a trust relationship, and realizes one-stop, out-of-the-box single sign-on authentication and authorized access.
In this embodiment, a mail system inside the enterprise is used as the service provider SP, a QQ platform is used as the IDP, and the QQ platform uses the SAML 2.0 protocol.
Referring to fig. 1, the method for accessing a business system by single sign-on in this embodiment includes:
1) Request Resource: a User accesses the mail system SP, which can be accessed only after logging in, and the mail system SP is protected by Keycloak Identity Brokering;
2) Authentication Request: the page of the mail system SP jumps to the login page of Keycloak Identity Brokering;
3) List of Identity Providers: the login page of Keycloak Identity Brokering offers login with a user name and password or with other methods;
4) Select Identity Provider: based on the SAML 2.0 single sign-on protocol, the User selects the QQ platform as the IDP to log in with;
5) Authentication Request: Keycloak Identity Brokering initiates an authentication request to the User's QQ platform, and at the same time the page jumps to the QQ platform;
6) Challenge Credentials/Consent: the User enters the account information of the QQ platform in the authentication page provided by the QQ platform to complete identity authentication;
7) Authentication Response: after successful authentication, the browser is redirected back to the login page of Keycloak Identity Brokering, and the response carries a token; the token allows Keycloak Identity Brokering to trust that authentication is complete, and Keycloak Identity Brokering can use the token to acquire the User information from the QQ platform;
8) Local Authentication/Identity Federation: Keycloak Identity Brokering checks whether the User information obtained from the QQ platform is valid;
if it is valid, it further checks whether the User already exists;
if the User exists, authentication is complete;
if not, Keycloak Identity Brokering creates a new User: it first attempts to parse the token acquired in step 7) to obtain the fields required to create a new User; when the information in those fields is complete, User creation finishes; if the information in the token is incomplete, it uses the token to send a request to the QQ platform for the User information; if the User information obtained is still incomplete, the authentication page of the QQ platform is shown to require the User to complete the information, and finally User creation finishes;
Keycloak Identity Brokering then returns to the User a token issued by itself, and step 9) is executed;
9) Authentication Response: after the User finishes the authentication operation in Keycloak Identity Brokering, the User is redirected to the mail system SP they wanted to access in step 1);
10) Allow Access to Requested Resource: the page of the mail system SP acquires the token, and the User accesses the information they are authorized for, completing login to the mail system SP with the identity of the QQ platform.
In this embodiment the single sign-on protocol is SAML 2.0. SAML 2 is the Security Assertion Markup Language, which can be used to authenticate and authorize users and to make assertions about user attributes; assertions are transmitted in XML format.
In this embodiment the single sign-on protocol is SAML 2.0, and when the mail system is connected to the QQ platform, the existing Keycloak Identity Brokering users are associated with the QQ platform, either directly or by using the REST API. In this process, the specific operation of configuring the SAML 2.0 protocol on Keycloak Identity Brokering is as follows:
add the QQ platform as a third-party application platform, i.e. the IDP, in the console of Keycloak Identity Brokering, and select the custom SAML V2.0 protocol;
enable Hide on Login Page; once it is enabled, a 'kc_idp_hint' parameter is appended to the URL, and authentication is transferred automatically to the external IDP;
set the Authentication Flow, selecting "first broker login";
Single Sign-On Service URL: the address to which the authentication request is sent, such as http://hostip:port/app/SAML2/POST/SSO;
set the parameters HTTP-POST Binding Response, HTTP-POST Binding AuthnRequest and HTTP-POST Binding Logout to true.
Example two:
this embodiment provides a method for accessing a business system through single sign-on which, based on a single sign-on protocol, connects a plurality of business systems in an enterprise serving as service providers (SP) with different third-party application platforms serving as identity providers (IDP) through Keycloak Identity Brokering, establishes a trust relationship, and realizes one-stop, out-of-the-box single sign-on authentication and authorized access.
In this embodiment, an internal mail system of the enterprise is used as the service provider SP, the social network GitHub is used as the IDP, and GitHub uses the OAuth2 protocol.
Referring to fig. 1, the method for accessing a business system by single sign-on in this embodiment includes:
1) Request Resource: a User accesses the mail system SP, which can be accessed only after logging in, and the mail system SP is protected by Keycloak Identity Brokering;
2) Authentication Request: the page of the mail system SP jumps to the login page of Keycloak Identity Brokering;
3) List of Identity Providers: the login page of Keycloak Identity Brokering offers login with a user name and password or with other methods;
4) Select Identity Provider: based on the OAuth2 single sign-on protocol, the User selects the social network GitHub as the IDP to log in with;
5) Authentication Request: Keycloak Identity Brokering initiates an authentication request to the User's GitHub, and at the same time the page jumps to GitHub;
6) Challenge Credentials/Consent: the User enters the GitHub account information in the authentication page provided by GitHub to complete identity authentication;
7) Authentication Response: after successful authentication, the browser is redirected back to the login page of Keycloak Identity Brokering, and the response carries a token; the token allows Keycloak Identity Brokering to trust that authentication is complete, and Keycloak Identity Brokering can use the token to acquire the User information from GitHub;
8) Local Authentication/Identity Federation: Keycloak Identity Brokering checks whether the User information obtained from GitHub is valid;
if it is valid, it further checks whether the User already exists;
if the User exists, authentication is complete;
if not, Keycloak Identity Brokering creates a new User: it first attempts to parse the token acquired in step 7) to obtain the fields required to create a new User; when the information in those fields is complete, User creation finishes; if the information in the token is incomplete, it uses the token to send a request to GitHub for the User information; if the User information obtained is still incomplete, the authentication page of GitHub is shown to require the User to complete the information, and finally User creation finishes;
Keycloak Identity Brokering then returns to the User a token issued by itself, and step 9) is executed;
9) Authentication Response: after the User finishes the authentication operation in Keycloak Identity Brokering, the User is redirected to the mail system they wanted to access in step 1);
10) Allow Access to Requested Resource: the page of the mail system SP acquires the token, and the User accesses the information they are authorized for, completing login to the mail system SP with the identity of GitHub.
In this embodiment the single sign-on protocol is OAuth2. The protocol allows the GitHub application to obtain an access token through a security token service and use that access token to access the API; in this case the Keycloak Identity Brokering user may delegate authentication to a semi-trusted party, namely the user's existing GitHub account.
In this embodiment the single sign-on protocol OAuth2 is used to connect the mail system with GitHub. In this process, the specific operation of configuring the OAuth2 protocol on Keycloak Identity Brokering is as follows:
add GitHub as a third-party application platform, i.e. the IDP, in the console of Keycloak Identity Brokering, and select the custom OAuth2 protocol; set the values of Client ID and Client Secret, which are obtained from the OAuth App created at GitHub; the Application Name, Homepage URL and Authorization callback URL are set in that OAuth App created at GitHub.
Example three:
this embodiment provides a method for accessing a business system through single sign-on which, based on a single sign-on protocol, connects a plurality of business systems in an enterprise serving as service providers (SP) with different third-party application platforms serving as identity providers (IDP) through Keycloak Identity Brokering, establishes a trust relationship, and realizes one-stop, out-of-the-box single sign-on authentication and authorized access.
In this embodiment, an internal mail system of the enterprise is used as the service provider SP, a WeChat platform is used as the IDP, and the WeChat platform uses the OpenID Connect V1.0 protocol.
Referring to fig. 1, the method for accessing a business system by single sign-on in this embodiment includes:
1) Request Resource: a User accesses the mail system SP, which can be accessed only after logging in, and the mail system SP is protected by Keycloak Identity Brokering;
2) Authentication Request: the page of the mail system SP jumps to the login page of Keycloak Identity Brokering;
3) List of Identity Providers: the login page of Keycloak Identity Brokering offers login with a user name and password or with other methods;
4) Select Identity Provider: based on the OpenID Connect V1.0 single sign-on protocol, the User selects the WeChat platform as the IDP to log in with;
5) Authentication Request: Keycloak Identity Brokering initiates an authentication request to the User's WeChat platform, and at the same time the page jumps to the WeChat platform;
6) Challenge Credentials/Consent: the User enters the account information of the WeChat platform in the authentication page provided by the WeChat platform to complete identity authentication;
7) Authentication Response: after successful authentication, the browser is redirected back to the login page of Keycloak Identity Brokering, and the response carries a token; the token allows Keycloak Identity Brokering to trust that authentication is complete, and Keycloak Identity Brokering can use the token to acquire the User information from the WeChat platform;
8) Local Authentication/Identity Federation: Keycloak Identity Brokering checks whether the User information obtained from the WeChat platform is valid;
if it is valid, it further checks whether the User already exists;
if the User exists, authentication is complete;
if not, Keycloak Identity Brokering creates a new User: it first attempts to parse the token acquired in step 7) to obtain the fields required to create a new User; when the information in those fields is complete, User creation finishes; if the information in the token is incomplete, it uses the token to send a request to the WeChat platform for the User information; if the User information obtained is still incomplete, the authentication page of the WeChat platform is shown to require the User to complete the information, and finally User creation finishes;
Keycloak Identity Brokering then returns to the User a token issued by itself, and step 9) is executed;
9) Authentication Response: after the User finishes the authentication operation in Keycloak Identity Brokering, the User is redirected to the mail system they wanted to access in step 1);
10) Allow Access to Requested Resource: the page of the mail system SP acquires the token, and the User accesses the information they are authorized for, completing login to the mail system SP with the identity of the WeChat platform.
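Step 8), Local Authentication/Identity Federation, is the same in the general disclosure and in all three examples (QQ, GitHub, WeChat), and it is where an external identity becomes a local account. The following is an added example written for this page, not Keycloak's code and not from the patent: a simulated broker that validates the platform's response, looks the user up by (platform alias, subject), fills missing profile fields from the platform's user-info endpoint, requires profile completion otherwise, and only then issues its own token for the business system. The required field names, the sample responses and the HMAC token format are constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from dataclasses import dataclass

# Assumed profile fields the broker needs before it can create a local user.
REQUIRED_FIELDS = ("username", "email", "firstName", "lastName")


@dataclass
class IdpResponse:
    """What the broker holds after step 7): the third-party platform's response."""
    idp_alias: str          # alias of the third-party platform, e.g. "qq"
    subject: str            # the user's identifier at that platform
    claims: dict            # profile attributes carried in the token/assertion
    signature_valid: bool   # outcome of signature/issuer/audience checks (assumed done upstream)
    expires_at: float       # assertion/token expiry, Unix time


class UpdateProfileRequired(Exception):
    """The broker must show the 'complete your profile' page for these fields."""
    def __init__(self, missing):
        super().__init__(f"missing fields: {missing}")
        self.missing = missing


class Broker:
    def __init__(self, signing_key: bytes, fetch_userinfo):
        self.signing_key = signing_key
        self.fetch_userinfo = fetch_userinfo   # callable(idp_alias, idp_token) -> dict
        self.users = {}                        # local user id -> profile
        self.links = {}                        # (idp_alias, subject) -> local user id

    def federate(self, resp: IdpResponse, idp_token: str) -> str:
        """Step 8): validate, find or create the local user, return the broker's own token."""
        if not resp.signature_valid or resp.expires_at <= time.time():
            raise PermissionError("response from the identity provider rejected")
        link = (resp.idp_alias, resp.subject)
        if link in self.links:                 # user already exists: authentication is complete
            return self.issue_token(self.links[link])
        # New user: take the required fields from the token first ...
        profile = {f: resp.claims.get(f) for f in REQUIRED_FIELDS}
        missing = [f for f in profile if not profile[f]]
        if missing:
            # ... then ask the platform's user-info endpoint with the token we were handed ...
            info = self.fetch_userinfo(resp.idp_alias, idp_token)
            for f in missing:
                profile[f] = info.get(f)
            missing = [f for f in profile if not profile[f]]
        if missing:
            # ... and finally make the user complete the profile before any account exists.
            raise UpdateProfileRequired(missing)
        uid = f"user-{len(self.users) + 1}"
        self.users[uid] = profile
        # The link is keyed by (platform, subject), never by e-mail alone, so a claim
        # from one platform cannot silently attach itself to another user's local account.
        self.links[link] = uid
        return self.issue_token(uid)

    def issue_token(self, uid: str, ttl: int = 300) -> str:
        """Token issued by the broker itself: this, not the platform's token, reaches the SP in step 9)."""
        payload = json.dumps({"sub": uid, "iss": "broker", "exp": int(time.time()) + ttl}).encode()
        body = urlsafe_b64encode(payload).rstrip(b"=")
        sig = urlsafe_b64encode(hmac.new(self.signing_key, body, hashlib.sha256).digest()).rstrip(b"=")
        return (body + b"." + sig).decode()

    def verify_token(self, token: str):
        """Returns the local user id if the token is ours and unexpired, else None."""
        body, sig = token.encode().split(b".")
        expected = urlsafe_b64encode(hmac.new(self.signing_key, body, hashlib.sha256).digest()).rstrip(b"=")
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        return claims["sub"] if claims["exp"] > time.time() else None


# Constructed sample data: the platform's user-info endpoint knows the e-mail the token lacked.
SAMPLE_USERINFO = {"qq-access-token": {"email": "alice@example.com"}, "gh-access-token": {}}


def run_demo():
    """Two logins for the same QQ subject create one local user; a GitHub login whose
    token and user-info both lack the name fields is sent to complete the profile."""
    broker = Broker(b"demo-signing-key", lambda alias, tok: SAMPLE_USERINFO.get(tok, {}))
    soon = time.time() + 60
    qq = IdpResponse("qq", "qq-1001", {"username": "alice", "firstName": "Alice", "lastName": "Li"}, True, soon)
    first = broker.verify_token(broker.federate(qq, "qq-access-token"))
    second = broker.verify_token(broker.federate(qq, "qq-access-token"))
    gh = IdpResponse("github", "gh-77", {"username": "bob", "email": "bob@example.com"}, True, soon)
    try:
        broker.federate(gh, "gh-access-token")
        missing = []
    except UpdateProfileRequired as e:
        missing = e.missing
    return first, second, len(broker.users), missing
```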
In this embodiment the single sign-on protocol is OpenID Connect V1.0. OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol; it is a higher-level protocol that extends and replaces OAuth2 while remaining compatible with OAuth 2. With OpenID Connect, the identity can be used for both authentication and authorization.
In this embodiment the single sign-on protocol is OpenID Connect V1.0, and when the mail system is connected to the WeChat platform, the existing Keycloak Identity Brokering User is associated with the WeChat platform User; at the same time the User ID of the WeChat platform is set, associated with the User ID of the OpenID Connect WeChat platform, and the User name of the WeChat platform is set, associated with the User name of the OpenID Connect WeChat platform. In this process, the specific operation of configuring the OpenID Connect V1.0 protocol on Keycloak Identity Brokering is as follows:
add the WeChat platform as a third-party application platform, i.e. the IDP, in the console of Keycloak Identity Brokering, and select the custom OpenID Connect V1.0 protocol;
set the Hide ON Login Page parameter to 'ON'; once it is on, a 'kc_idp_hint' parameter is appended to the access URL, whose value identifies the WeChat platform, and authentication is transferred automatically to the external IDP, namely the WeChat platform, for example http://ip:port/management/?kc_idp_hint=oid;
set the Authentication Flow, selecting "first broker login";
set the authorization address of the application system, Authorization URL: http://ip:port/app/oauth/authorize;
set the Token URL, the address from which the token is acquired: http://ip:port/app/oauth/token;
enable Disable User Info, and set the Client ID and Client Secret, which are the client registered on the WeChat platform and the secret set for that client.
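The console settings listed for the SAML 2.0 (QQ), OpenID Connect (WeChat) and OAuth2 (GitHub) providers map onto the identity-provider representation that Keycloak's Admin REST API accepts. As an added example, not from the patent and not Keycloak's own code, the following builds those representations, derives the broker callback that must be registered as the OAuth App's Authorization callback URL, shows how kc_idp_hint rides on the SP's login link when Hide on Login Page is enabled, and runs a few defender checks (https endpoints, non-empty client secret, the POST bindings, the first-login flow). Field names follow the representation as the author of this example understands it and may differ between Keycloak versions; all URLs and credentials are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse

FIRST_BROKER_LOGIN = "first broker login"   # the built-in first-login flow selected in the console


def broker_endpoint(base_url: str, realm: str, alias: str) -> str:
    """Callback the third-party platform redirects to for this alias; this is the value
    to register as the OAuth App's 'Authorization callback URL'."""
    return f"{base_url}/realms/{realm}/broker/{alias}/endpoint"


def saml_idp(alias: str, sso_url: str, hide_on_login: bool = True) -> dict:
    """SAML V2.0 provider with the settings listed for the QQ platform."""
    return {
        "alias": alias, "providerId": "saml", "enabled": True,
        "firstBrokerLoginFlowAlias": FIRST_BROKER_LOGIN,
        "config": {
            "singleSignOnServiceUrl": sso_url,        # Single Sign-On Service URL
            "postBindingResponse": "true",            # HTTP-POST Binding Response
            "postBindingAuthnRequest": "true",        # HTTP-POST Binding AuthnRequest
            "postBindingLogout": "true",              # HTTP-POST Binding Logout
            # Hide on Login Page (assumed config key; recent versions expose a top-level hideOnLogin)
            "hideOnLoginPage": str(hide_on_login).lower(),
        },
    }


def oidc_idp(alias, authorization_url, token_url, client_id, client_secret, hide_on_login=True) -> dict:
    """OpenID Connect V1.0 provider with the settings listed for the WeChat platform."""
    return {
        "alias": alias, "providerId": "oidc", "enabled": True,
        "firstBrokerLoginFlowAlias": FIRST_BROKER_LOGIN,
        "config": {
            "authorizationUrl": authorization_url,    # Authorization URL
            "tokenUrl": token_url,                    # Token URL
            "clientId": client_id, "clientSecret": client_secret,
            "disableUserInfo": "true",                # Disable User Info
            "hideOnLoginPage": str(hide_on_login).lower(),
        },
    }


def github_idp(client_id: str, client_secret: str) -> dict:
    """GitHub (OAuth2) provider: only the OAuth App's client credentials are configured here."""
    return {"alias": "github", "providerId": "github", "enabled": True,
            "firstBrokerLoginFlowAlias": FIRST_BROKER_LOGIN,
            "config": {"clientId": client_id, "clientSecret": client_secret}}


def login_url_with_hint(base_url, realm, client_id, redirect_uri, alias) -> str:
    """A hidden provider is reached through kc_idp_hint on the SP's login link, so the
    broker forwards straight to that external IDP instead of showing its provider list."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "scope": "openid", "kc_idp_hint": alias})
    return f"{base_url}/realms/{realm}/protocol/openid-connect/auth?{query}"


def review_idp(rep: dict) -> list:
    """Pre-flight checks a defender would run on a representation; returns findings."""
    findings = []
    cfg = rep.get("config", {})
    provider = rep.get("providerId")
    if not rep.get("alias"):
        findings.append("alias missing: kc_idp_hint and the broker endpoint depend on it")
    if rep.get("firstBrokerLoginFlowAlias") != FIRST_BROKER_LOGIN:
        findings.append("first-login flow is not 'first broker login': account linking may be skipped")
    for key in ("singleSignOnServiceUrl", "authorizationUrl", "tokenUrl"):
        url = cfg.get(key)
        if url and urlparse(url).scheme != "https":
            findings.append(f"{key} is not https: requests to it would cross the network in clear")
    if provider in ("oidc", "github") and not cfg.get("clientSecret"):
        findings.append("clientSecret empty: the broker cannot authenticate to the token endpoint")
    if provider == "saml":
        for key in ("postBindingResponse", "postBindingAuthnRequest", "postBindingLogout"):
            if cfg.get(key) != "true":
                findings.append(f"{key} should be true for the HTTP-POST bindings described")
    return findings
```

The page's own examples use plain http://ip:port endpoints; review_idp flags those so they are fixed before the provider goes live.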
In summary, the method for accessing a business system by single sign-on solves the low efficiency and complexity of login and logout caused by a plurality of independent business systems in an enterprise each adopting a different identity authentication system, and avoids repeated login.
Based on the above embodiments of the present invention, any improvements and modifications that those skilled in the art make to the present invention without departing from its principle fall within the protection scope of the present invention.

Claims (9)

1. A method for accessing a business system by single sign-on, characterized in that, based on a single sign-on protocol, a plurality of business systems in an enterprise acting as service providers (SP) are connected through Keycloak Identity Brokering to different third-party application platforms acting as identity providers (IDP), a trust relationship is established between them, and one-stop, out-of-the-box single sign-on authentication and authorized access are realized.
2. The method for accessing a business system by single sign-on according to claim 1, wherein the specific implementation process is as follows:
1) a user accesses an enterprise-internal business system that can only be accessed after logging in, and the business system is protected by Keycloak Identity Brokering;
2) the page jumps to the login page of Keycloak Identity Brokering;
3) the Keycloak Identity Brokering login page offers login with a user name and password or by other means;
4) based on the single sign-on protocol, the user can select one of the third-party application platforms to log in with;
5) Keycloak Identity Brokering sends an authentication request to the third-party application platform selected by the user, and at the same time the page jumps to the selected third-party application platform;
6) the user enters the account information of the third-party application platform on the authentication page provided by the selected third-party application platform to complete identity authentication;
7) after successful authentication, the user is redirected back to the Keycloak Identity Brokering login page and the response carries a token; the token lets Keycloak Identity Brokering trust that authentication has been completed, and Keycloak Identity Brokering can use the token to obtain the user information from the third-party application platform;
8) after the user has completed the authentication operation in Keycloak Identity Brokering, the user is redirected to the business system that the user wanted to access in step 1);
9) the page of the business system obtains the token, and the user accesses the information they are authorized for, completing login to the enterprise-internal business system with the identity from the third-party application platform.
3. The method of claim 2, wherein before step 8), Keycloak Identity Brokering checks that the user information obtained from the third-party application platform is valid;
when it is valid, it further checks whether the user already exists;
if the user exists, authentication is complete;
if not, Keycloak Identity Brokering creates a new user: it first tries to obtain the fields required for creating a new user by parsing the token obtained in step 7); when the information in those fields is complete, user creation finishes; if the information in the token is incomplete, it uses the token to send a request for user information to the third-party application platform; if the user information obtained is still incomplete, it pops up the authentication page of the selected third-party application platform and asks the user to complete the information, and finally user creation finishes;
Keycloak Identity Brokering then returns to the user a token it has issued itself, and step 8) follows.
4. The method of claim 1, wherein the third-party application platform can be an instant messaging platform or a social platform, and the single sign-on protocol can be any one of SAML, OpenID and OAuth 2.
5. The method of claim 4, wherein the single sign-on protocol is SAML 2.0, and an existing Keycloak Identity Brokering user is associated with a third-party application platform user for which the SAML 2.0 protocol is specified, or the existing Keycloak Identity Brokering user is associated with such a user through the REST API.
6. The method of claim 5, wherein the single sign-on protocol is SAML 2.0, and the specific process of configuring the SAML 2.0 protocol on Keycloak Identity Brokering includes:
adding a third-party application platform in the Keycloak Identity Brokering Console and selecting a custom SAML V2.0 protocol;
setting an alias for the third-party application platform to uniquely identify it;
after Hide on Login Page is switched on, a kc_idp_hint parameter is appended to the URL, and authentication is automatically redirected to the external IDP;
setting the Authentication Flow and selecting first broker login;
Single Sign-On Service URL: the address to which the authentication request is sent;
the HTTP-POST Binding Response, HTTP-POST Binding AuthnRequest and HTTP-POST Binding Logout parameters are set to true.
7. The method of claim 4, wherein the single sign-on protocol is OpenID Connect V1.0, an existing Keycloak Identity Brokering user is associated with a third-party application platform user for which the OpenID Connect protocol is specified, and the following are set for the third-party application platform user to access the business system through the OpenID Connect protocol:
an alias of the third-party application platform;
user ID of the third-party application platform: the user ID of the associated OpenID Connect third-party application platform user;
user name of the third-party application platform: the user name of the associated OpenID Connect third-party application platform user.
8. The method for accessing a business system by single sign-on according to claim 7, wherein the single sign-on protocol is OpenID Connect V1.0, and the specific process of configuring the OpenID Connect V1.0 protocol on Keycloak Identity Brokering is as follows:
adding a third-party application platform in the Keycloak Identity Brokering Console and selecting a custom OpenID Connect V1.0 protocol;
setting an alias for the third-party application platform to uniquely identify it;
switching Hide on Login Page to ON; once it is on, a kc_idp_hint parameter is appended to the access URL, whose value is the attribute value identifying the third-party application platform, so that authentication is automatically redirected to the external IDP;
setting the Authentication Flow and selecting first broker login;
setting the authorization address (Authorization URL) of the application system;
setting the token acquisition address (Token URL);
and switching on Disable User Info and setting the Client ID and Client Secret, which are the client registered on the third-party application platform and the secret set for that client.
9. The method of claim 4, wherein the single sign-on protocol is OAuth2, in which case an existing Keycloak Identity Brokering user can delegate authentication to an existing account on the third-party application platform, treated as a semi-trusted party;
the specific process of configuring the OAuth2 protocol on Keycloak Identity Brokering is as follows:
adding a third-party application platform in the Keycloak Identity Brokering Console and selecting that third-party application platform under the OAuth2 protocol;
the values of the Client ID and Client Secret are obtained from the OAuth App created on the selected third-party application platform, and the Application Name, Homepage URL and Authorization callback URL values are set in the OAuth App created on the selected third-party application platform.
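As an added example (not code from the patent or from Keycloak), the account-linking logic of claims 2 and 3 written as a stand-alone Python function: the brokered token is validated, an already linked user is simply authenticated, otherwise a new user is assembled from the token's claims, then from the platform's user-info endpoint, and finally the user is sent back to complete the profile. The user store keyed by (issuer, subject), the required fields username and email, and fetch_userinfo as a stand-in for the user-info call are assumptions.

```python
# Added example: the first-broker-login logic of claims 2-3, not code from the
# patent or from Keycloak. Assumed: users are keyed by (issuer, subject), a new
# local user needs username and email, fetch_userinfo stands in for the IdP's user-info call.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

REQUIRED_FIELDS = ("username", "email")
@dataclass
class BrokerResult:
    action: str  # "authenticated" | "created" | "profile_required" | "rejected"
    user: Optional[dict] = None
    missing: Tuple[str, ...] = ()

def first_broker_login(claims: dict, users: Dict[Tuple[str, str], dict],
                       fetch_userinfo: Callable[[dict], dict],
                       trusted_issuers: set, now: Optional[float] = None) -> BrokerResult:
    now = time.time() if now is None else now
    # 1. Validate the brokered token before trusting it: it must come from a
    #    configured third-party platform, name a subject, and not be expired.
    if claims.get("iss") not in trusted_issuers or not claims.get("sub"):
        return BrokerResult("rejected")
    if claims.get("exp", 0) <= now:  # a token without exp is treated as expired
        return BrokerResult("rejected")
    key = (claims["iss"], claims["sub"])
    # 2. Already linked: authentication is complete, nothing is created.
    if key in users:
        return BrokerResult("authenticated", users[key])
    # 3. New user: take the required fields from the token itself first...
    profile = {f: claims.get(f) for f in REQUIRED_FIELDS}
    missing = tuple(f for f in REQUIRED_FIELDS if not profile[f])
    # ...then ask the platform's user-info endpoint for whatever is absent...
    if missing:
        info = fetch_userinfo(claims)
        for f in missing:
            profile[f] = info.get(f)
        missing = tuple(f for f in REQUIRED_FIELDS if not profile[f])
    # ...and finally send the user back to complete the profile if still short.
    if missing:
        return BrokerResult("profile_required", profile, missing)
    users[key] = {"iss": key[0], "sub": key[1], **profile}
    return BrokerResult("created", users[key])

# Constructed sample data: two trusted platforms; the user-info endpoint knows the e-mail the u-42 token lacks.
TRUSTED = {"https://idp.example/wechat", "https://idp.example/oidc"}
USERINFO = {"u-42": {"email": "alice@example.com"}}

def fake_userinfo(claims: dict) -> dict:
    return USERINFO.get(claims["sub"], {})
```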
CN202010882861.2A 2020-08-28 2020-08-28 Method for accessing business system by single sign-on Pending CN112039873A (en)

Publications (1)

Publication Number Publication Date
CN112039873A true CN112039873A (en) 2020-12-04

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112685726A (en) * 2021-01-20 2021-04-20 浪潮云信息技术股份公司 Single-point authentication method based on KEYCLOAK
CN113395290A (en) * 2021-06-30 2021-09-14 成都卫士通信息产业股份有限公司 Mailbox login method and device, electronic equipment and readable storage medium
CN113505353A (en) * 2021-07-09 2021-10-15 绿盟科技集团股份有限公司 Authentication method, device, equipment and storage medium
CN114422258A (en) * 2022-01-25 2022-04-29 百安居信息技术(上海)有限公司 Single sign-on method, medium and electronic equipment based on multiple authentication protocols

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557406A (en) * 2019-10-08 2019-12-10 浪潮软件股份有限公司 Method for controlling system based on role authority
US20200106766A1 (en) * 2018-09-28 2020-04-02 Konica Minolta Laboratory U.S.A., Inc. Method and system for security assertion markup language (saml) service provider-initiated single sign-on

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
西西的一天: "The Full-Stack Path of an iOS Developer", 《简书》 *
陆志刚等: "A True Single Sign-On Framework Based on SAML", 《计算机系统应用》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20201204)