CN112182544A - Single sign-on method, device, computing equipment and computer readable storage medium - Google Patents


Publication number
CN112182544A
Authority
CN
China
Prior art keywords
application program
application
single sign
security level
enhanced authentication
Legal status
Pending
Application number
CN202011004427.0A
Other languages
Chinese (zh)
Inventor
唐斌
王泽峰
史晓婧
Current Assignee
Shenzhen Bamboocloud Technology Co ltd
Original Assignee
Shenzhen Bamboocloud Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets

Abstract

The embodiments of the invention relate to the technical field of single sign-on and disclose a single sign-on method, a single sign-on device, computing equipment and a computer readable storage medium. The method comprises the following steps: receiving a jump request, sent by a first application program, for jumping to a second application program, and sending enhanced authentication information to the first application program so that the first application program completes enhanced authentication; if the first application program finishes the enhanced authentication, returning a root ticket to the first application program so that the first application program obtains the same security level as the second application program; receiving, within a preset time, a jump request sent by the first application program for jumping to a third application program, wherein the security level of the third application program is equal to that of the second application program; and sending user login information to the third application program to complete the single sign-on of the user to the third application program. In this way, the embodiments of the invention can solve the problem that the single sign-on process is inconvenient.

Description

Single sign-on method, device, computing equipment and computer readable storage medium
Technical Field
The embodiment of the invention relates to the technical field of single sign-on, in particular to a single sign-on method, a single sign-on device, a computing device and a computer readable storage medium.
Background
Currently, single sign-on is a popular means of logging in. Single sign-on means that, after logging in to one application, a user can directly access the other applications associated with that application without having to log in repeatedly.
In the related art, a security level and an authentication validity period may be set for a downstream application. Generally, different security levels correspond to different authentication modes, and the higher the security level, the more complicated the authentication process. If the security level of the downstream application is higher than that of the current application, the downstream application can be logged in to only after the current application performs enhanced authentication, and the current application can then access the downstream application repeatedly within the validity period of the enhanced authentication; once the validity period of the enhanced authentication has passed, the current application must perform enhanced authentication again to access the downstream application. However, in the course of implementing the embodiments of the present invention, the inventors found that, when there are several downstream applications with the same security level, after the current application has completed enhanced authentication and performed single sign-on to one downstream application, enhanced authentication is still required to perform single sign-on to the other downstream applications, which seriously affects the user experience.
Disclosure of Invention
In view of the foregoing problems, embodiments of the present invention provide a single sign-on method, an apparatus, a computing device, and a computer-readable storage medium, which are used to solve the problem in the prior art that a single sign-on process is not convenient.
According to an aspect of the embodiments of the present invention, there is provided a single sign-on method, including:
sending enhanced authentication information to a first application program according to a jump request, sent by the first application program, for jumping to a second application program, so that the first application program completes enhanced authentication;
if the first application program finishes the enhanced authentication, returning a root ticket to the first application program so that the first application program obtains the same security level as the second application program;
receiving a jump request for jumping to a third application program sent by the first application program within a preset time, wherein the security level of the third application program is equal to that of the second application program;
and sending user login information to the third application program to complete the single sign-on of the user to the third application program.
In an alternative mode, the preset time is a validity period of the same security level acquired by the first application program as the second application program.
In an optional manner, before sending enhanced authentication information to the first application to cause the first application to complete enhanced authentication, the method includes:
acquiring the security level of the first application program and the security level of the second application program;
judging whether the security level of the first application program is lower than that of the second application program;
and if the security level of the first application program is lower than that of the second application program, executing the step of sending enhanced authentication information to the first application program so as to enable the first application program to complete enhanced authentication.
In an optional manner, before the sending of the user login information to the third application to complete the single sign-on of the user to the third application, the method includes:
sending a random string to the first application program according to the jump request for jumping to a third application program so that the first application program sends the random string to the third application program;
and receiving the random string sent by the third application program, and acquiring the user login information according to the random string sent by the third application program.
In an optional manner, before the sending the random string to the first application, the method further includes:
encrypting user login information and identification information of the third application program through a first dynamic password to generate a random string; the user login information comprises a user name, or the user login information comprises the user name and a user login state.
In an optional manner, the obtaining the user login information according to the random string sent by the third application includes:
decrypting the random string sent by the third application program through a second dynamic password, and acquiring the user login information according to the decrypted random string;
the second dynamic password is the same as the first dynamic password within a preset time interval and is different from the first dynamic password outside the preset time interval.
In an optional manner, the root ticket is a JSON Web Token.
According to another aspect of the embodiments of the present invention, there is provided a single sign-on apparatus, including:
an enhanced authentication information sending module, configured to send enhanced authentication information to the first application program according to a jump request, sent by the first application program, for jumping to a second application program, so that the first application program completes enhanced authentication;
a root ticket returning module, configured to return a root ticket to the first application program, if the first application program completes the enhanced authentication, so that the first application program obtains the same security level as the second application program;
a jump request receiving module, configured to receive, within a preset time, a jump request sent by the first application program for jumping to a third application program, wherein the security level of the third application program is equal to that of the second application program;
and a user login information sending module, configured to send user login information to the third application program so as to complete the single sign-on of the user to the third application program.
According to another aspect of embodiments of the present invention, there is provided a computing device including a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation of the single sign-on method.
According to another aspect of the embodiments of the present invention, there is provided a computer-readable storage medium having at least one executable instruction stored therein, which when executed on a single sign-on device/apparatus, causes the single sign-on device/apparatus to perform the operations of the single sign-on method described above.
According to the embodiments of the invention, enhanced authentication information is sent to a first application program according to a jump request, sent by the first application program, for jumping to a second application program, so that the first application program completes enhanced authentication; if the first application program completes the enhanced authentication, a root ticket is returned to the first application program so that the first application program obtains the same security level as the second application program. When a jump request sent by the first application program for jumping to any other application program with the same security level as the second application program is received within a preset time, user information can be sent to the target application program so as to complete single sign-on of the user to that application program, and in this process the first application program does not need to perform enhanced authentication again. Therefore, the embodiments of the invention share the authentication mode among application programs with the same security level, so that the single sign-on process remains secure while becoming convenient and fast.
The foregoing is only an overview of the technical solutions of the embodiments of the present invention. In order that the technical means of the embodiments may be understood more clearly, they can be implemented according to the content of this description; and in order that the foregoing and other objects, features and advantages of the embodiments may be more readily understood, a detailed description of the present invention is provided below.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flow chart illustrating a single sign-on method according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a single sign-on method according to another embodiment of the invention;
fig. 3 is a schematic structural diagram of a single sign-on apparatus according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a computing device provided in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein.
FIG. 1 illustrates a flow chart of an embodiment of the single sign-on method of the present invention, as performed by a computing device. In embodiments of the present invention, the memory space of the computing device has stored therein executable instructions that may cause the processor to perform a single sign-on method. As shown in fig. 1, the method comprises the steps of:
step 120: and sending enhanced authentication information to the first application program according to a jump request for jumping to a second application program, which is sent by the first application program, so that the first application program completes enhanced authentication.
The first application program and the second application program may be any application program. In one embodiment, the first application and the second application are associated by a unified authentication system, which may be, for example, a unified authentication platform of an enterprise, and the first application and the second application may be, for example, applications having an out-of-use functionality attribute within the enterprise. The method of the embodiment of the invention is executed by the unified authentication system. The first application program is provided with a hyperlink of the second application program, and when a user triggers the hyperlink of the second application program on the first application program, the first application program can send a jump request for jumping to the second application program to the unified authentication system. Generally, different applications have different security levels, and the different security levels correspond to different authentication methods. For example, some applications with lower security level can successfully log in through the authentication mode of account password, while some applications with higher security level can successfully log in through the authentication mode of face recognition or voice recognition. The enhanced authentication is login authentication which is required to be completed by an application program with a lower security level when the application program with the lower security level requests single login from an application program with a higher security level.
In an optional manner of the embodiment of the present invention, step 120 may further include the following steps:
step 121: and acquiring the security level of the first application program and the security level of the second application program according to a jump request for jumping to the second application program, which is sent by the first application program.
Wherein the jump request to jump to the second application may include the root ticket of the first application and the application ID of the second application. In one embodiment, the security level of the first application may be obtained according to a root ticket of the first application, and the security level of the second application may be obtained according to an application ID of the second application. The root bill of the first application program is generated according to the user login information, when the user logs in the first application program through the unified authentication system, the unified authentication system acquires the user login information, generates the root bill according to the user login information, and returns the user login information and the root bill to the first application program.
Step 122: and judging whether the security level of the first application program is smaller than that of the second application program.
The security level of the first application program and the security level of the second application program can be compared according to the obtained security level of the first application program and the obtained security level of the second application program, and whether the security level of the first application program is smaller than the security level of the second application program or not is judged according to a comparison result.
Step 123: and if the security level of the first application program is less than that of the second application program, sending enhanced authentication information to the first application program to enable the first application program to complete enhanced authentication.
And if the security level of the first application program is judged to be smaller than that of the second application program, sending enhanced authentication information to the first application program so as to enable the first application program to complete enhanced authentication. The enhanced authentication information is generated according to the authentication mode of the first application program and the authentication mode of the second application program. In one embodiment, if the authentication method of the first application is account password and the authentication method of the second application is account password and face recognition, the enhanced authentication information may be face recognition, for example. The first application program can prompt the user to perform identity authentication according to the content of the enhanced authentication information so as to complete the enhanced authentication process.
Step 140: and if the first application program finishes the enhanced authentication, returning a root bill to the first application program so that the first application program obtains the same security level as the second application program.
And if the first application program finishes the enhanced authentication, returning the root bill to the first application program. The root ticket returned to the first application is a new root ticket generated from the enhanced authentication completed by the first application. By returning a new root ticket to the first application, the first application may acquire the same security level as the second application. The first application program can realize single sign-on for the second application program through the returned new root bill.
In one embodiment, the root ticket is JSON Web Token. The JSON Web Token is an open standard based on JSON and can transfer statements among network application environments. The declaration of JSON Web Token is typically used to communicate authenticated user identity information between an identity provider and a service provider to facilitate retrieval of resources from a resource server. The JSON Web Token can be used for authentication directly or after being encrypted.
Step 160: and receiving a jump request for jumping to a third application program sent by the first application program within preset time, wherein the security level of the third application program is equal to that of the second application program.
The first application program can trigger jump to the third application program according to a user request, and send a jump request for jumping to the third application program. The security level of the third application is equal to the security level of the second application and greater than the security level of the first application.
In a preferred implementation manner of the embodiment of the present invention, the preset time is a validity period of the same security level obtained by the first application program as that of the second application program. The first application has the same security level as the second application within the validity period; outside the validity period, the security level of the first application is no longer equal to the security level of the second application, but is restored to the security level of the initial state of the first application.
Step 180: and sending user login information to the third application program to complete the single sign-on of the user to the third application program.
The user login information can be acquired according to a jump request sent by the first application program and jumped to the third application program, and the acquired user login information is sent to the third application program to complete single sign-on of the user to the third application program. The third application program can complete the single sign-on of the user to the third application program according to the received user sign-on information. Further, user login information and a root ticket may be sent to the third application program, so that the third application program may complete the single sign-on process according to the received user login information and the received root ticket.
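The flow of steps 120 to 180 above, modelled as an added example in Python (not code from the patent or its assignee): the root ticket is a hand-rolled HS256 JWT that carries both the initial level and a time-limited elevated level, so a jump to a second equal-level application within the preset time releases login information without repeating enhanced authentication, and the level reverts once the elevation lapses. The application registry, level-to-method mapping, signing key and validity periods are constructed assumptions, and the enhanced authentication itself (face recognition and the like) is taken as already verified by a back end outside this snippet.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample registry (not from the patent): app ID -> security level,
# and security level -> authentication methods that level requires.
APPS = {"app1": 1, "app2": 2, "app3": 2}
LEVEL_AUTH = {1: ["password"], 2: ["password", "face"]}

SECRET = b"demo-hs256-key-do-not-reuse"  # assumed key the unified auth system signs root tickets with
SESSION_VALIDITY = 8 * 3600               # assumed lifetime of the initial root ticket (seconds)
ELEVATION_VALIDITY = 300                  # assumed "preset time": how long the elevated level is valid


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_root_ticket(user: str, base_level: int, level: int, level_exp: int, exp: int) -> str:
    """Root ticket as a compact HS256 JWT. 'level' is the granted security level, valid until
    level_exp; after that the ticket falls back to base_level (the initial state)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "base_level": base_level, "level": level, "level_exp": level_exp, "exp": exp}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_root_ticket(ticket: str, now: int) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies and the ticket is unexpired, else None."""
    try:
        header, payload, sig = ticket.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def effective_level(claims: dict, now: int) -> int:
    """Granted level while the elevation is valid; the initial level once it lapses."""
    return claims["level"] if now < claims["level_exp"] else claims["base_level"]


class UnifiedAuth:
    """Minimal model of the unified authentication system; the clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self.clock = clock

    def login(self, user: str, app_id: str) -> str:
        now, level = int(self.clock()), APPS[app_id]
        return issue_root_ticket(user, level, level, now + SESSION_VALIDITY, now + SESSION_VALIDITY)

    def jump(self, ticket: str, target_app: str) -> dict:
        """Steps 120-180: a jump request carries the first app's root ticket and the target app ID."""
        now = int(self.clock())
        claims = verify_root_ticket(ticket, now)
        if claims is None:
            return {"status": "denied", "reason": "invalid or expired root ticket"}
        current, target = effective_level(claims, now), APPS[target_app]
        if current < target:
            # Steps 121-123: lower level -> send enhanced authentication information, i.e. the
            # methods the target level requires beyond those the current level already proved.
            missing = [m for m in LEVEL_AUTH[target] if m not in LEVEL_AUTH[current]]
            return {"status": "enhanced_auth_required", "methods": missing}
        # Step 180: equal level within the preset time -> release login info, no re-authentication.
        return {"status": "ok", "login_info": {"user": claims["sub"], "app": target_app}}

    def complete_enhanced_auth(self, ticket: str, target_app: str, verified: set) -> Optional[str]:
        """Step 140: after enhanced authentication, return a new root ticket granting the target's
        level for ELEVATION_VALIDITY seconds. 'verified' = methods the auth back end confirmed."""
        now = int(self.clock())
        claims = verify_root_ticket(ticket, now)
        if claims is None or not set(LEVEL_AUTH[APPS[target_app]]) <= verified:
            return None
        return issue_root_ticket(claims["sub"], claims["base_level"], APPS[target_app],
                                 now + ELEVATION_VALIDITY, claims["exp"])


def scenario(start: int = 1_700_000_000) -> list:
    """Walk the FIG. 1 flow with a fake clock; returns the status of each jump in order."""
    clock = [start]
    ua = UnifiedAuth(clock=lambda: clock[0])
    ticket = ua.login("alice", "app1")
    r1 = ua.jump(ticket, "app2")                  # level 1 < 2: enhanced auth required
    ticket = ua.complete_enhanced_auth(ticket, "app2", {"password", "face"})
    r2 = ua.jump(ticket, "app2")                  # elevated: single sign-on to app2
    r3 = ua.jump(ticket, "app3")                  # same level as app2, within preset time: no re-auth
    clock[0] = start + ELEVATION_VALIDITY + 1
    r4 = ua.jump(ticket, "app3")                  # elevation lapsed: level restored to 1, re-auth needed
    return [r["status"] for r in (r1, r2, r3, r4)]
```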
FIG. 2 illustrates a flow diagram of another embodiment of the single sign-on method of the present invention, as performed by a computing device. In embodiments of the present invention, the memory space of the computing device has stored therein executable instructions that may cause the processor to perform a single sign-on method. As shown in fig. 2, this embodiment differs from the above embodiment in that, before step 180 sends the user login information to the third application to complete the single sign-on of the user to the third application, the single sign-on method further includes:
Step 171: sending a random string to the first application program according to the jump request for jumping to the third application program, so that the first application program sends the random string to the third application program.
The random string may be generated according to the jump request for jumping to the third application program, sent by the first application program and received within the preset time, and the generated random string is sent to the first application program, so that the first application program forwards the random string to the third application program after receiving it. After the jump request for jumping to the third application program sent by the first application program is received, whether that jump request is legitimate can be judged, and only if it is judged to be legitimate is the step of sending the random string to the first application program executed; this prevents forged jump requests from being acted on and improves the security of the single sign-on process.
In a preferred implementation manner of the embodiment of the present invention, the user login information and the identification information of the third application program may be obtained according to a jump request for jumping to the third application program, which is sent by the first application program, and the user login information and the identification information of the third application program may be encrypted by the first dynamic password to generate a random string, and then the step of sending the random string to the first application program so that the first application program sends the random string to the third application program is executed. The user login information may include a user name, or the user login information may include a user name and a user login status.
Step 172: and receiving the random string sent by the third application program, and acquiring the user login information according to the random string sent by the third application program.
After receiving the random string sent by the first application program, the third application program sends the received random string to the unified authentication system so as to request the unified authentication system for user login information; after receiving the random string sent by the third application program, the unified authentication system can obtain the user login information according to the random string sent by the third application program. The unified authentication system can also judge whether the user login information requested by the third application program is legal or not according to the random string sent by the third application program, and if the user login information requested by the third application program is judged to be legal, the step 180 of sending the user login information to the third application program is executed, so that the safety of the single sign-on process is improved.
In a preferred implementation manner of the embodiment of the present invention, the random string sent by the third application program may be decrypted by the second dynamic password, and the user login information is obtained according to the decrypted random string. The second dynamic password may be the same as the first dynamic password so that the second dynamic password may successfully decrypt the random string sent by the third application. Furthermore, a preset time interval can be set, and within the preset time interval, the first dynamic password is the same as the second dynamic password, so that the unified authentication system can successfully decrypt the random string sent by the third application program; outside the preset time interval, the first dynamic password is different from the second dynamic password, so that the unified authentication system cannot decrypt the random string sent by the third application program. By setting the preset time interval, the time interval of the random string encryption and decryption can be limited within the range of the preset time interval, and the safety risk caused by overlong time interval of the random string encryption and decryption is prevented.
In the embodiment of the invention, according to a jump request for jumping to a third application program, user login information and identification information of the third application program can be encrypted through a first dynamic password to generate a random string, and then the random string is sent to the first application program so that the first application program sends the random string to the third application program; and after receiving the random string sent by the third application program, decrypting the random string sent by the third application program through the second dynamic password, and acquiring user login information according to the decrypted random string. Therefore, the first dynamic password and the second dynamic password are used for encrypting and decrypting the random string respectively, the safety of the transmission process of the random string can be ensured, and the safety of the single sign-on process is improved.
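The random-string exchange of steps 171 and 172, as an added example (not the patent's or the assignee's code): the dynamic password is derived per time window from a long-term key, so the first and second dynamic passwords agree only within the preset interval, and the third application's ID is encrypted into the string so a different application cannot redeem it. The master key, window length, and the HMAC-based stream cipher with encrypt-then-MAC are assumptions standing in for whatever cipher a deployment would use.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

MASTER_KEY = b"demo-master-key-do-not-reuse"  # assumed long-term key of the unified authentication system
WINDOW_SECONDS = 30                           # assumed preset time interval within which both passwords agree
NONCE_LEN, TAG_LEN = 16, 32


def dynamic_password(now: int) -> bytes:
    """Time-based dynamic password: HMAC of the window index, so every 'now' inside one
    WINDOW_SECONDS interval yields the same value and the next interval yields a different one."""
    window = now // WINDOW_SECONDS
    return hmac.new(MASTER_KEY, window.to_bytes(8, "big"), hashlib.sha256).digest()


def _subkeys(password: bytes):
    # Separate encryption and MAC keys derived from the dynamic password.
    enc_key = hmac.new(password, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(password, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (assumption; a deployment would use an AEAD such as AES-GCM).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_random_string(login_info: dict, third_app_id: str, now: int) -> str:
    """Step 171: encrypt the user login information and the third app's ID under the first
    dynamic password (encrypt-then-MAC); the result is the random string handed to the first app."""
    enc_key, mac_key = _subkeys(dynamic_password(now))
    plaintext = json.dumps({"login": login_info, "app": third_app_id}).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def open_random_string(random_string: str, requesting_app_id: str, now: int) -> Optional[dict]:
    """Step 172: decrypt with the second dynamic password. Returns the login information only if
    the tag verifies (same interval, untampered) and the string was issued for the requesting app."""
    try:
        blob = base64.urlsafe_b64decode(random_string)
    except ValueError:
        return None
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(dynamic_password(now))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # a different interval (password changed) or the string was altered in transit
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    try:
        obj = json.loads(plaintext)
    except ValueError:
        return None
    if obj.get("app") != requesting_app_id:
        return None  # request is not legitimate: the string was not issued for this application
    return obj.get("login")


def scenario(start: int = 1_700_000_000) -> list:
    """Constructed walk-through with a fixed clock; returns the three redemption results."""
    start -= start % WINDOW_SECONDS  # align to a window boundary so the three cases are unambiguous
    rs = make_random_string({"user": "alice", "state": "logged_in"}, "app3", start)
    return [
        open_random_string(rs, "app3", start + WINDOW_SECONDS - 1),  # same interval: login info released
        open_random_string(rs, "app2", start + 1),                   # wrong application: rejected
        open_random_string(rs, "app3", start + WINDOW_SECONDS),      # next interval: password differs, rejected
    ]
```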
Fig. 3 is a schematic structural diagram of an embodiment of the single sign-on apparatus of the present invention. As shown in fig. 3, the single sign-on apparatus 300 includes: an enhanced authentication information sending module 310, a root ticket returning module 320, a jump request receiving module 330 and a user login information sending module 340.
An enhanced authentication information sending module 310, configured to send enhanced authentication information to a first application program according to a jump request, sent by the first application program, for jumping to a second application program, so that the first application program completes enhanced authentication;
a root ticket returning module 320, configured to return a root ticket to the first application program to enable the first application program to obtain the same security level as the second application program if the first application program completes the enhanced authentication;
a jump request receiving module 330, configured to receive, within a preset time, a jump request sent by the first application program for jumping to a third application program, where the security level of the third application program is equal to the security level of the second application program;
the user login information sending module 340 is configured to send user login information to the third application program to complete single sign-on of the user to the third application program.
In an alternative manner, the preset time in the jump request receiving module 330 is the validity period of the security level, equal to that of the second application program, obtained by the first application program.
In an optional manner, the enhanced authentication information sending module 310 is configured to, before sending the enhanced authentication information to the first application program so that the first application program completes the enhanced authentication:
acquire the security level of the first application program and the security level of the second application program;
judge whether the security level of the first application program is lower than that of the second application program;
and, if the security level of the first application program is lower than that of the second application program, execute the step of sending the enhanced authentication information to the first application program so that the first application program completes the enhanced authentication.
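As an added worked example (not code from the patent or from the applicant), the following Python sketches the procedure above as a unified authentication system would run it: the security levels of the source and target application programs are compared, enhanced authentication is demanded when the source level is lower, and a JSON Web Token is issued as the root ticket whose expiry is the preset time; a later jump to another application program of the same level then passes on the ticket alone. The application identifiers and levels, the HS256 signing with a server-side secret, and the claim names (`sub`, `lvl`, `iat`, `exp`) are assumptions, as is every function name.

```python
# Added example (not from the patent): step-up single sign-on with a JWT root ticket.
# Assumptions not in the source: a security level table per application program,
# HS256 with a server-side secret for the root ticket, and the obtained level plus
# its validity period carried as JWT claims. All names here are hypothetical.
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class UnifiedAuthServer:
    """Unified authentication system deciding whether a jump needs enhanced authentication."""

    def __init__(self, secret: bytes, app_levels: dict, validity_seconds: int):
        self.secret = secret
        self.app_levels = app_levels      # application id -> security level (higher is stricter)
        self.validity = validity_seconds  # preset time: how long the obtained level stays valid

    def issue_root_ticket(self, user: str, level: int, now: int) -> str:
        """Root ticket returned once enhanced authentication succeeded: HS256 JWT carrying the obtained level."""
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"sub": user, "lvl": level, "iat": now, "exp": now + self.validity}
        signing_input = ".".join(
            _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
        )
        sig = hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"

    def verify_root_ticket(self, token: str, now: int):
        """Return the claims of a correctly signed, unexpired root ticket, else None."""
        try:
            h, p, s = token.split(".")
            sig = _b64url_decode(s)
        except ValueError:
            return None
        # Check the signature before trusting anything inside the token.
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        try:
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(p))
        except ValueError:
            return None
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            return None
        if header.get("alg") != "HS256":  # the token must not choose its own algorithm
            return None
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None  # validity period (the preset time) has elapsed
        return claims

    def effective_level(self, user: str, src_app: str, root_ticket, now: int) -> int:
        """Level the first application program holds now: its own level, raised by a valid root ticket."""
        level = self.app_levels[src_app]
        if root_ticket:
            claims = self.verify_root_ticket(root_ticket, now)
            if claims and claims.get("sub") == user:
                level = max(level, int(claims["lvl"]))
        return level

    def request_jump(self, user: str, src_app: str, dst_app: str, root_ticket, now: int) -> str:
        """'sso' if user login information may be sent to dst_app directly,
        'enhanced_auth_required' if src_app must first complete enhanced authentication."""
        if self.effective_level(user, src_app, root_ticket, now) >= self.app_levels[dst_app]:
            return "sso"
        return "enhanced_auth_required"

    def complete_enhanced_auth(self, user: str, dst_app: str, auth_succeeded: bool, now: int):
        """Outcome of the enhanced authentication the first application program ran: a root
        ticket at the target's level on success, None on failure."""
        if not auth_succeeded:
            return None
        return self.issue_root_ticket(user, self.app_levels[dst_app], now)
```

The ticket raises the first application program's effective level only while it is unexpired and only for the user it was issued to; a jump to a level higher than the ticket carries, or a jump after the preset time, falls back to enhanced authentication. The signature is checked before the claims are parsed, and the `alg` header is compared with the expected value so that a forged token cannot select a weaker algorithm.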
In an optional manner, the apparatus 300 further includes a login information obtaining module 350. The login information obtaining module 350 is configured to, before the user login information sending module 340 performs the step of sending the user login information to the third application program to complete the single sign-on of the user to the third application program:
send a random string to the first application program according to the jump request for jumping to the third application program, so that the first application program sends the random string to the third application program;
and receive the random string sent by the third application program, and acquire the user login information according to the random string sent by the third application program.
In an optional manner, the login information obtaining module 350 is configured to, before sending the random string to the first application program:
encrypt the user login information and the identification information of the third application program with a first dynamic password to generate the random string; the user login information comprises a user name, or comprises the user name and a user login state.
In an optional manner, the login information obtaining module 350 is configured to:
decrypt the random string sent by the third application program with a second dynamic password, and acquire the user login information from the decrypted random string; the second dynamic password is the same as the first dynamic password within a preset time interval and differs from it outside that interval, so a random string presented after the interval can no longer be decrypted.
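An added example (not code from the patent or from the applicant) of the random-string handoff described above, carried through both ends: the unified authentication system encrypts the login information together with the third application program's identifier under the first dynamic password, the first application program relays the string, and the third application program presents it back, where it is decrypted under the second dynamic password. The patent does not say how the dynamic passwords are generated or which cipher is used; here the dynamic password is derived from a shared secret and a 30-second time counter (TOTP-style), the cipher is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), and the login information is a JSON object. All of that, and every name below, is an assumption.

```python
# Added example (not from the patent): the random string that carries the user
# login information from the unified authentication system through the first
# application program to the third application program and back.
# Assumptions not in the source: the dynamic password is HMAC(secret, 30-second
# counter), the cipher is an HMAC-SHA256 keystream with an HMAC tag, and the
# login information is a JSON object. All names here are hypothetical.
import base64
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

WINDOW_SECONDS = 30       # preset time interval in which the two dynamic passwords coincide
NONCE_LEN, TAG_LEN = 16, 32


def dynamic_password(secret: bytes, now: int, window: int = WINDOW_SECONDS) -> bytes:
    """Dynamic password for the time window containing `now`; identical for every `now` in one window."""
    counter = int(now) // window
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()


def _keystream(password: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(password, nonce || block index) blocks, concatenated."""
    blocks = [
        hmac.new(password, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        for i in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def make_random_string(password: bytes, login_info: dict, third_app_id: str,
                       nonce: Optional[bytes] = None) -> str:
    """Encrypt the login information, bound to the third application program's identifier,
    with the first dynamic password. Output: base64url(nonce || ciphertext || tag)."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    plaintext = json.dumps({"login": login_info, "app": third_app_id}, separators=(",", ":")).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(password, nonce, len(plaintext))))
    tag = hmac.new(password, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def open_random_string(password: bytes, random_string: str, expected_app_id: str):
    """Decrypt with the second dynamic password. None if the tag fails (different time
    window or tampering) or the string was minted for another third application program."""
    try:
        raw = base64.urlsafe_b64decode(random_string)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected_tag = hmac.new(password, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(password, nonce, len(ciphertext))))
    obj = json.loads(plaintext)
    if obj.get("app") != expected_app_id:
        return None
    return obj["login"]


def handoff(secret: bytes, login_info: dict, third_app_id: str, t_issue: int, t_return: int):
    """Whole exchange: the server mints the string at t_issue (first dynamic password); the
    first application program relays it to the third application program, which presents it
    back at t_return (second dynamic password). Returns the recovered login information or None."""
    first_password = dynamic_password(secret, t_issue)
    random_string = make_random_string(first_password, login_info, third_app_id)
    # ... first application program -> third application program -> unified authentication system ...
    second_password = dynamic_password(secret, t_return)
    return open_random_string(second_password, random_string, third_app_id)
```

Binding the third application program's identifier into the encrypted payload means a string minted for one application program cannot be presented by another, and deriving the second dynamic password from the time of presentation means a string delayed past the preset time interval fails its tag check. A deployment may additionally accept the previous window so that a string minted just before a boundary is not rejected; that is a design choice the patent leaves open.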
In an alternative manner, the root ticket returned by the root ticket returning module 320 to the first application program is a JSON Web Token.
In the embodiment of the present invention, the enhanced authentication information sending module sends enhanced authentication information to the first application program according to a jump request, sent by the first application program, for jumping to the second application program, so that the first application program completes the enhanced authentication; the root ticket returning module returns the root ticket to the first application program after the first application program completes the enhanced authentication, so that the first application program obtains the same security level as the second application program; the jump request receiving module receives, within a preset time, a jump request sent by the first application program for jumping to a third application program whose security level is the same as that of the second application program; and the user login information sending module sends user login information to the third application program according to that jump request, so as to complete the single sign-on of the user to the third application program. Thus, once the first application program has obtained the same security level as the second application program, single sign-on to a third application program of that same security level can be completed without a further enhanced authentication, which keeps the single sign-on process secure while also making it simple and convenient.
Fig. 4 is a schematic structural diagram of an embodiment of a computing device according to the present invention; the specific embodiment of the present invention does not limit the concrete implementation of the computing device. For example, the computing device may be a server on which the unified authentication system is installed.
As shown in Fig. 4, the computing device may include a processor 402, a communication interface 404, a memory 406 and a communication bus 408.
The processor 402, the communication interface 404 and the memory 406 communicate with one another via the communication bus 408. The communication interface 404 is used to communicate with network elements of other devices, such as clients or other servers. The processor 402 is configured to execute the program 410, and may specifically perform the relevant steps of the single sign-on method embodiment described above.
In particular, the program 410 may include program code comprising computer-executable instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 406 is used to store the program 410. The memory 406 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may be specifically invoked by the processor 402 to cause the computing device to perform the following operations:
sending enhanced authentication information to a first application program according to a jump request, sent by the first application program, for jumping to a second application program, so that the first application program completes enhanced authentication;
if the first application program completes the enhanced authentication, returning a root ticket to the first application program so that the first application program obtains the same security level as the second application program;
receiving, within a preset time, a jump request sent by the first application program for jumping to a third application program, wherein the security level of the third application program is equal to that of the second application program;
and sending user login information to the third application program to complete the single sign-on of the user to the third application program.
In an alternative, the root ticket is a JSON Web Token.
In an alternative mode, the preset time is the validity period of the security level, equal to that of the second application program, that the first application program acquired.
In an alternative approach, before the computing device performs the operation of sending the enhanced authentication information to the first application program so that the first application program completes the enhanced authentication, the following operations are performed:
acquiring the security level of the first application program and the security level of the second application program;
judging whether the security level of the first application program is lower than that of the second application program;
and, if the security level of the first application program is lower than that of the second application program, executing the step of sending the enhanced authentication information to the first application program so that the first application program completes the enhanced authentication.
In an alternative, the program 410 is invoked by the processor 402 to cause the computing device, before performing the operation of sending the user login information to the third application program to complete the single sign-on of the user to the third application program, to perform the following operations:
sending a random string to the first application program according to the jump request for jumping to the third application program, so that the first application program sends the random string to the third application program;
and receiving the random string sent by the third application program, and acquiring the user login information according to the random string sent by the third application program.
In an alternative approach, the computing device performs the following operation before performing the operation of sending the random string to the first application program:
encrypting the user login information and the identification information of the third application program with a first dynamic password to generate the random string; the user login information comprises a user name, or comprises the user name and a user login state.
In an alternative, the program 410 may be specifically invoked by the processor 402 to cause the computing device to perform the following operation:
decrypting the random string sent by the third application program with a second dynamic password, and acquiring the user login information from the decrypted random string; the second dynamic password is the same as the first dynamic password within a preset time interval and differs from it outside that interval.
In embodiments of the present invention, a program stored in the memory of the computing device may be called by the processor to cause the computing device to perform the steps of the single sign-on method embodiments: sending enhanced authentication information to the first application program according to a jump request, sent by the first application program, for jumping to the second application program, so that the first application program completes enhanced authentication; if the first application program completes the enhanced authentication, returning a root ticket to the first application program so that the first application program obtains the same security level as the second application program; and, within a preset time, receiving a jump request sent by the first application program for jumping to a third application program with the same security level as the second application program, and sending user login information to the third application program according to that jump request, so as to complete the single sign-on of the user to the third application program. It can be seen that, by executing the relevant steps of the single sign-on method embodiment on the computing device, the single sign-on process satisfies both the security and the convenience of the sign-on process.
An embodiment of the present invention provides a computer-readable storage medium, where the storage medium stores at least one executable instruction, and when the executable instruction is executed on a single sign-on device/apparatus, the single sign-on device/apparatus executes a single sign-on method in any of the above method embodiments.
Embodiments of the present invention provide a computer program that can be invoked by a processor to enable a computing device to execute a single sign-on method in any of the above method embodiments.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising program instructions that, when run on a computer, cause the computer to perform a single sign-on method of any of the above method embodiments.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The words first, second, third, etc., do not indicate any ordering; they may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A method of single sign-on, the method comprising:
sending enhanced authentication information to a first application program according to a jump request sent by the first application program and jumping to a second application program so that the first application program completes enhanced authentication;
if the first application program completes the enhanced authentication, returning a root ticket to the first application program so that the first application program obtains the same security level as the second application program;
receiving a jump request for jumping to a third application program sent by the first application program within a preset time, wherein the security level of the third application program is equal to that of the second application program;
and sending user login information to the third application program to complete the single sign-on of the user to the third application program.
2. The method according to claim 1, wherein the preset time is a validity period of the same security level obtained by the first application as the second application.
3. The method of claim 1 or 2, wherein before sending enhanced authentication information to the first application to cause the first application to complete enhanced authentication, the method comprises:
acquiring the security level of the first application program and the security level of the second application program;
judging whether the security level of the first application program is lower than that of the second application program;
and if the security level of the first application program is less than that of the second application program, executing the step of sending enhanced authentication information to the first application program so as to enable the first application program to complete enhanced authentication.
4. The method according to claim 1 or 2, wherein before said sending user login information to said third application to complete single sign-on of said user to said third application, said method comprises:
sending a random string to the first application program according to the jump request for jumping to a third application program so that the first application program sends the random string to the third application program;
and receiving the random string sent by the third application program, and acquiring the user login information according to the random string sent by the third application program.
5. The method of claim 4, wherein prior to said sending a random string to the first application, the method further comprises:
encrypting user login information and identification information of the third application program through a first dynamic password to generate a random string; the user login information comprises a user name, or the user login information comprises the user name and a user login state.
6. The method of claim 5, wherein the obtaining the user login information according to the random string sent by the third application comprises:
decrypting the random string sent by the third application program through a second dynamic password, and acquiring the user login information according to the decrypted random string;
the second dynamic password is the same as the first dynamic password within a preset time interval and is different from the first dynamic password outside the preset time interval.
7. The method of claim 1, wherein the root ticket is JSON Web Token.
8. A single sign-on apparatus, the apparatus comprising:
an enhanced authentication information sending module, configured to send enhanced authentication information to a first application program according to a jump request, sent by the first application program, for jumping to a second application program, so that the first application program completes enhanced authentication;
a root ticket returning module, configured to return a root ticket to the first application program if the first application program completes the enhanced authentication, so that the first application program obtains the same security level as the second application program;
a jump request receiving module, configured to receive, within a preset time, a jump request sent by the first application program for jumping to a third application program, wherein the security level of the third application program is equal to that of the second application program;
and the user login information sending module is used for sending user login information to the third application program so as to complete the single sign-on of the user to the third application program.
9. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the operations of the single sign-on method of any one of claims 1-7.
10. A computer-readable storage medium having stored therein at least one executable instruction which, when run on a single sign-on device/apparatus, causes the single sign-on device/apparatus to perform the operations of the single sign-on method of any one of claims 1-7.
CN202011004427.0A 2020-09-22 2020-09-22 Single sign-on method, device, computing equipment and computer readable storage medium Pending CN112182544A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011004427.0A CN112182544A (en) 2020-09-22 2020-09-22 Single sign-on method, device, computing equipment and computer readable storage medium


Publications (1)

Publication Number Publication Date
CN112182544A true CN112182544A (en) 2021-01-05

Family

ID=73955827


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090292927A1 (en) * 2008-05-23 2009-11-26 Hsbc Technologies Inc. Methods and systems for single sign on with dynamic authentication levels
CN103501344A (en) * 2013-10-10 2014-01-08 从兴技术有限公司 Method and system for realizing single sign-on of plurality of applications
CN109388937A (en) * 2018-11-05 2019-02-26 用友网络科技股份有限公司 A kind of single-point logging method and login system of multiple-factor authentication
CN111342964A (en) * 2020-05-15 2020-06-26 深圳竹云科技有限公司 Single sign-on method, device and system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210105