CN112398799A - Single sign-on method, device and system - Google Patents


Info

Publication number
CN112398799A
Authority
CN
China
Prior art keywords
certificate
terminal equipment
verification
single sign
application server
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN201910764781.4A
Other languages
Chinese (zh)
Inventor
许建东
Current Assignee (as listed by Google Patents; may be inaccurate)
Beijing Gridsum Technology Co Ltd
Original Assignee
Beijing Gridsum Technology Co Ltd
Priority date (as listed by Google Patents; not a legal conclusion)
Filing date
Publication date
Application filed by Beijing Gridsum Technology Co Ltd
Priority to CN201910764781.4A
Priority to PCT/CN2020/097895 (WO2021031689A1)
Publication of CN112398799A

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/40 Network security protocols
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
                        • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F 21/31 User authentication
                            • G06F 21/33 User authentication using certificates
                            • G06F 21/41 User authentication where a single sign-on provides access to a plurality of computers
                    • G06F 21/60 Protecting data
                        • G06F 21/604 Tools and structures for managing or administering access control systems
                • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                        • G06F 2221/2133 Verifying human interaction, e.g., Captcha
                        • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

Embodiments of the invention provide a single sign-on method, device and system in the technical field of network security, used to improve the security of the data held by application servers in a single sign-on (SSO) system. The method comprises: receiving a login request sent by a terminal device, where the login request carries a certificate of the terminal device and requests a login credential for logging in to the SSO system; sending a first verification request to a blockchain network, where the first verification request asks the blockchain network to verify, against the verification information of the certificate, whether the certificate is valid; receiving a first verification response sent by the blockchain network; and, when the first verification response indicates that the certificate is valid, sending the login credential to the terminal device and writing the access authority corresponding to the login credential into the blockchain network according to the authority information of the terminal device. The embodiments are used to perform security verification on terminal devices that access application servers in the SSO system.

Description

Single sign-on method, device and system
Technical Field
The invention relates to the technical field of network security, in particular to a single sign-on method, a single sign-on device and a single sign-on system.
Background
An enterprise, company or organization often operates many application servers. To improve the efficiency of its users or employees and to simplify management, it generally deploys a Single Sign-On (SSO) system, through which a user who logs on once can access every application server that trusts the others.
As the ability and means of attackers to steal user credentials (e.g. account names and passwords) evolve, password-based login protection becomes increasingly unreliable. Moreover, once an attacker logs in to any application server in the SSO with a stolen credential, the attacker can obtain the data of every application server that trusts it, so the data of an application server in an SSO is less secure than that of a stand-alone application server. To protect that data, the prior art proposes replacing the username-and-password mechanism with a certificate-based user identification mechanism at authentication time. This is more secure than a simple username and password, but operating it is very challenging for small companies or organizations. In addition, even with a certificate-based mechanism, an attacker who forges a root certificate (or obtains control of a trusted one) can in turn forge user certificates, so the application servers in the SSO can still be accessed by the attacker and data can still leak.
Disclosure of Invention
In view of this, embodiments of the present invention provide a single sign-on method, apparatus, and system, which are used to improve the security of data of an application server in an SSO.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides a single sign-on method applied to an identity authentication server. The method includes:
receiving a login request sent by a terminal device, where the login request carries a certificate of the terminal device and requests a login credential for logging in to the single sign-on (SSO) system;
sending a first verification request to a blockchain network, where the first verification request asks the blockchain network to verify, against the verification information of the certificate, whether the certificate is valid;
receiving a first verification response sent by the blockchain network;
and, when the first verification response indicates that the certificate is valid, sending the login credential to the terminal device and writing the access authority corresponding to the login credential into the blockchain network according to the authority information of the terminal device.
As an optional implementation of this embodiment, before sending the first verification request to the blockchain network, the method further includes:
receiving a registration request sent by the terminal device, where the registration request carries user data;
generating the certificate according to the user data and the authority information;
and sending the certificate to the terminal device and writing the verification information of the certificate into the blockchain network.
As an optional implementation of this embodiment, after sending the certificate to the terminal device and writing the verification information of the certificate into the blockchain network, the method further includes deleting the certificate generated from the user data and the authority information, so that the identity authentication server keeps no copy of it.
As an optional implementation of this embodiment, the method further includes:
sending prompt information to the terminal device when the first verification response indicates that the certificate is invalid,
where the prompt information indicates that the certificate of the terminal device is invalid.
In a second aspect, an embodiment of the present invention provides a single sign-on method applied to a target application server in a single sign-on (SSO) system. The method includes:
receiving an access request sent by a terminal device, where the access request carries a login credential;
sending a second verification request to a blockchain network, where the second verification request asks the blockchain network to verify, according to the access authority corresponding to the login credential, whether the terminal device has the authority to access the target application server;
receiving a second verification response sent by the blockchain network;
and, when the second verification response indicates that the terminal device has the authority to access the target application server, allowing the terminal device to access it.
As an optional implementation of this embodiment, the method further includes:
refusing the terminal device access when the second verification response indicates that the terminal device does not have the authority to access the target application server.
In a third aspect, an embodiment of the present invention provides a single sign-on apparatus applied to an identity authentication server, including:
a receiving unit, configured to receive a login request sent by a terminal device, where the login request carries a certificate of the terminal device and requests a login credential for logging in to the single sign-on (SSO) system;
a sending unit, configured to send a first verification request to a blockchain network, where the first verification request asks the blockchain network to verify, against the verification information of the certificate, whether the certificate is valid;
the receiving unit being further configured to receive a first verification response sent by the blockchain network;
the sending unit being further configured to send the login credential to the terminal device when the first verification response indicates that the certificate is valid;
and a writing unit, configured to write the access authority corresponding to the login credential into the blockchain network according to the authority information of the terminal device when the first verification response indicates that the certificate is valid.
As an optional implementation of this embodiment, the single sign-on apparatus further includes a certificate generation unit, where:
the receiving unit is further configured to receive, before the sending unit sends the first verification request to the blockchain network, a registration request sent by the terminal device, the registration request carrying user data;
the certificate generation unit is configured to generate the certificate according to the user data and the authority information;
the sending unit is further configured to send the certificate to the terminal device;
and the writing unit is further configured to write the verification information of the certificate into the blockchain network.
As an optional implementation of this embodiment, the single sign-on apparatus further includes:
a deleting unit, configured to delete the certificate generated from the user data and the authority information after the sending unit has sent the certificate to the terminal device and the writing unit has written the verification information of the certificate into the blockchain network.
As an optional implementation of this embodiment, the sending unit is further configured to send prompt information to the terminal device when the first verification response indicates that the certificate is invalid,
where the prompt information indicates that the certificate of the terminal device is invalid.
In a fourth aspect, an embodiment of the present invention provides a single sign-on apparatus applied to an application server in a single sign-on (SSO) system, the single sign-on apparatus including:
a receiving unit, configured to receive an access request sent by a terminal device, where the access request carries a login credential;
a sending unit, configured to send a second verification request to a blockchain network, where the second verification request asks the blockchain network to verify, according to the access authority corresponding to the login credential, whether the terminal device has the authority to access the application server;
the receiving unit being further configured to receive a second verification response sent by the blockchain network;
and a processing unit, configured to allow the terminal device to access the application server when the second verification response indicates that the terminal device has the authority to access it.
As an optional implementation of this embodiment, the processing unit is further configured to refuse the terminal device access when the second verification response indicates that the terminal device does not have the authority to access the application server.
In a fifth aspect, an embodiment of the present invention provides an identity authentication server, including a memory for storing a computer program and a processor, where the processor is configured to execute the single sign-on method of the first aspect, or of any implementation of the first aspect, when the computer program is invoked.
In a sixth aspect, an embodiment of the present invention provides an application server, including a memory for storing a computer program and a processor, where the processor is configured to execute the single sign-on method of the second aspect, or of any implementation of the second aspect, when the computer program is invoked.
In a seventh aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the single sign-on method of the first aspect, the second aspect, or any implementation of either.
In an eighth aspect, an embodiment of the present invention provides a single sign-on system, including at least one of: the single sign-on apparatus of the third aspect or any implementation of it, the single sign-on apparatus of the fourth aspect or any implementation of it, the identity authentication server of the fifth aspect, and the application server of the sixth aspect.
In the single sign-on method provided by the embodiment, when the identity authentication server receives a login request from a terminal device, it first asks the blockchain network to verify whether the certificate is valid and sends the login credential to the terminal device only when the first verification response indicates that the certificate is valid. The validity of the terminal device's certificate is therefore checked through the blockchain network at the time the device logs in to the SSO, which improves the security of application-server data in the SSO on the side of identity authentication. In addition, when the first verification response indicates that the certificate is valid, the identity authentication server writes the access authority corresponding to the login credential into the blockchain network according to the authority information of the terminal device. When the terminal device, having logged in to the SSO with the login credential, wants to access a target application server in the SSO, the target application server sends the blockchain network a second verification request asking it to verify, according to the access authority corresponding to the login credential, whether the terminal device has the authority to access the target application server, and allows access only when the second verification response indicates that it does. Access to application servers in the SSO is therefore also controlled on the side of user authority. Since the embodiment improves the security of application-server data in the SSO from both identity authentication and user authority, it improves that security compared with the prior art.
Drawings
Fig. 1 is a schematic structural diagram of a single sign-on system according to an embodiment of the present invention;
Fig. 2 is an interaction flow diagram of a single sign-on method according to an embodiment of the present invention;
Fig. 3 is a structural diagram of a single sign-on apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic hardware structure diagram of an identity authentication server according to an embodiment of the present invention;
Fig. 5 is a structural diagram of a single sign-on apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a hardware structure of an application server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The term "and/or" herein merely describes an association between objects and means that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship; in a formula, the character "/" indicates division. The term "plurality" herein means two or more unless otherwise specified.
For the convenience of clearly describing the technical solutions of the embodiments of the present invention, in the embodiments of the present invention, the terms "first" and "second" are used to distinguish the same items or similar items with basically the same functions or actions, and those skilled in the art can understand that the terms "first" and "second" are not limited to the quantity and execution order.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as an example, illustration or description. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs; rather, these words are intended to present concepts in a concrete fashion. In the embodiments of the present invention, "a plurality" means two or more unless otherwise specified.
First, a system architecture applied by the single sign-on method provided by the embodiment of the present invention is explained below.
Referring to Fig. 1, a single sign-on system provided in an embodiment of the present invention includes: at least one terminal device (Fig. 1 shows one terminal device 11 by way of example), an SSO system 12 (Fig. 1 shows the SSO system 12 by way of example as including an application server 121, an application server 122, an application server 123, an application server 124 and an application server 125), an identity authentication server 13, and a blockchain network 14.
The terminal device 11 and the identity authentication server 13 may perform wired communication or wireless communication, and the terminal device 11 and each application server of the SSO system 12 may perform wired communication or wireless communication; each application server in the SSO system 12 can perform wired or wireless communication with the blockchain network 14, and the identity authentication server 13 can also perform wired or wireless communication with the blockchain network 14.
The terminal device 11 in the embodiment of the present invention may be a mobile phone, a tablet computer, a notebook computer, a Personal Computer (PC), an ultra-mobile personal computer (UMPC), a netbook, a Personal Digital Assistant (PDA), a smart watch, a smart bracelet, or the like, or may be other types of electronic devices, which is not limited in the embodiment of the present invention. In order to facilitate understanding of those skilled in the art, the terminal device 11 is illustrated as a PC in the drawings.
An embodiment of the present invention provides a single sign-on method, and referring to fig. 2, in the single sign-on method provided in the embodiment of the present invention, each device in the single sign-on system respectively executes the following steps:
and S11, the terminal equipment sends a login request to the identity authentication server.
Correspondingly, the identity authentication server receives a login request sent by the terminal equipment.
And the login request carries a certificate of the terminal equipment and is used for requesting to acquire a login certificate of the login SSO.
S12, the identity authentication server sends a first verification request to the blockchain network.
Correspondingly, the blockchain network receives a first verification request sent by the identity authentication server.
Wherein the first authentication request is used for requesting the blockchain network to authenticate whether the certificate is valid according to the verification of the certificate.
S13, the block chain network sends a first verification response to the identity authentication server.
Correspondingly, the identity authentication server receives a first verification response sent by the blockchain network.
Wherein the first authentication response is used to indicate that the certificate is valid or that the certificate is invalid.
When the first verification response indicates that the certificate is valid, the following steps S14 and S14 are performed.
S14, the identity authentication server sends the login credentials to the terminal equipment.
Correspondingly, the terminal equipment receives the login certificate sent by the identity authentication server.
And S15, the identity authentication server writes the access authority corresponding to the login certificate into the block chain network according to the authority information of the terminal equipment.
Correspondingly, the block chain network receives the access authority which is written by the identity authentication server and corresponds to the login certificate.
Optionally, the identity authentication server may obtain the authority information of the terminal device as follows: deploy a Lightweight Directory Access Protocol (LDAP) directory, store the data of the terminal device (including its authority information) in that directory, and read the authority information of the terminal device from the directory whenever it is needed.
Through steps S11 to S14, the identity authentication server completes the authentication of the terminal device. During that authentication the identity authentication server submits the terminal device's certificate to the blockchain network, receives the blockchain network's verification result, and decides according to that result whether to send the login credential. A forged user certificate, even one issued under a forged root certificate, has no verification information recorded in the blockchain network and is therefore rejected, so the embodiment can prevent an attacker from logging in with such a certificate and further improves the security of the data in the application servers of the SSO.
S16, the terminal device sends an access request to a target application server in the SSO.
Correspondingly, the target application server receives the access request sent by the terminal device.
The access request carries the login credential.
S17, the target application server sends a second verification request to the blockchain network.
Correspondingly, the blockchain network receives the second verification request sent by the target application server.
The second verification request asks the blockchain network to verify, according to the access authority corresponding to the login credential, whether the terminal device has the authority to access the target application server.
S18, the blockchain network sends a second verification response to the target application server.
Correspondingly, the target application server receives the second verification response sent by the blockchain network.
The second verification response indicates either that the terminal device has the authority to access the target application server or that it does not.
When the second verification response indicates that the terminal device has the authority to access the target application server, the following step S19 is performed.
S19, the target application server allows the terminal device to access it.
Through steps S15 to S19, the target application server completes the verification of the terminal device's access authority. During that verification the target application server sends the second verification request to the blockchain network and decides according to the second verification response whether to allow access. Because the access authority is read from the blockchain network rather than carried by the login credential itself, the embodiment can prevent an attacker from tampering with the terminal device's access authority and causing data leakage, and thus further improves the security of the data in the application servers of the SSO.
As an optional implementation manner of the embodiment of the present invention, before step S12 (in which the identity authentication server sends the first verification request to the blockchain network), the single sign-on method provided by the embodiment of the present invention further includes the following steps a to c.
Step a: the identity authentication server receives a registration request sent by the terminal device.
The registration request carries the user data.
For example, the user data may include the user's username, identification code and the like.
Step b: the identity authentication server generates the certificate according to the user data and the authority information.
It should be noted that the authority information may be obtained in either of the following ways: the identity authentication server configures it for the terminal device according to the user data; or the terminal device carries permission request information in the registration request, the identity authentication server verifies the permission request information carried in the registration request, and the permission request items that pass verification are used as the authority information.
When the terminal device carries permission request information in the registration request, the identity authentication server verifies that information and uses the items that pass verification as the authority information, so the permission request information carried in the registration request and the resulting authority information may be the same or different. For example, if the permission request information carried in the registration request sent by the terminal device includes access to application server A, application server B and application server C, the authority information used by the identity authentication server when generating the certificate may include the rights to access application servers A, B and C, or it may include the rights to access application servers A and B but not application server C.
Step c: the identity authentication server sends the certificate to the terminal device and writes the verification of the certificate into the blockchain network.
Correspondingly, the terminal device receives the certificate sent by the identity authentication server, and the blockchain network receives the written certificate verification.
Since the identity authentication server needs to write a verification of the certificate to the blockchain network, it first needs to generate that verification. The embodiment of the invention does not limit the algorithm used to generate the certificate verification.
According to the functions of the identity authentication server in the single sign-on method, the identity authentication server provided by the embodiment of the invention may be composed of the following modules:
Account management module, whose main functions include:
establishing an LDAP system to store user data;
establishing a user registration and review mechanism, allowing users to register online and reviewing them;
establishing a user management mechanism, allowing a user administrator to add, delete, modify and query users, and notifying users by e-mail or the like;
and establishing a user authority management mechanism, allowing an administrator to manage users' rights to access the related systems.
Certificate management module, whose main functions include:
generating the certificate from the user data;
computing the verification of the certificate and writing the verification into the blockchain network;
generating a unique link for the user to download the certificate and sending the unique link to the terminal device;
and establishing a certificate management mechanism, allowing an administrator to revoke and renew certificates.
Identity authentication module, whose main functions include:
when the terminal device requests to download the certificate via the unique link, sending the certificate to the terminal device;
when the terminal device sends a login request, parsing the certificate carried by the terminal device;
after filling the certificate information into a specified data structure, initiating a certificate verification request to the blockchain network;
after the certificate is successfully verified, obtaining the authority information from the LDAP system and then writing the access right into the blockchain network;
and after the certificate is successfully verified, returning the login credential to the terminal device.
As an optional implementation manner in the embodiment of the present invention, after the certificate is sent to the terminal device in step c, the single sign-on method provided in the embodiment of the present invention further includes:
the identity authentication server deletes the certificate generated according to the user data and the authority information.
Because the identity authentication server deletes the certificate generated according to the user data and the authority information after sending it to the terminal device, a network attacker who intrudes into the identity authentication server cannot obtain the terminal device's certificate from it, so this embodiment can further improve the data security of the application server in the SSO.
As an optional implementation manner in this embodiment of the present invention, when the first verification response indicates that the certificate is invalid, the single sign-on method provided in this embodiment of the present invention further includes:
the identity authentication server sends prompt information to the terminal device;
the prompt information is used to indicate that the certificate of the terminal device is invalid.
As an optional implementation manner in the embodiment of the present invention, when the second verification response indicates that the terminal device does not have the right to access the target application server, the single sign-on method provided in the embodiment of the present invention further includes:
the target application server denies the terminal device access.
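To make steps a to c, the identity authentication module's login handling, and the invalid-certificate and access-denied paths concrete, the following Python model is added here as an example; it is not code from the patent or from Beijing Gridsum Technology. It assumes an in-memory append-only record store as a stand-in for the blockchain network, SHA-256 over a canonical JSON encoding as the (unspecified) certificate verification algorithm, and a plain dictionary as the LDAP store; the class and function names (Ledger, IdentityAuthServer, ApplicationServer, certificate_verification, run_demo), the application server names and the sample user are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets


class Ledger:
    """Constructed stand-in for the blockchain network: append-only records
    keyed by (kind, id). Immutability is modelled by refusing overwrites."""

    def __init__(self):
        self._records = {}

    def write(self, key, value):
        if key in self._records:
            raise ValueError(f"record {key!r} already exists; ledger entries are immutable")
        self._records[key] = value

    def read(self, key):
        return self._records.get(key)


def certificate_verification(certificate):
    """The 'verification of the certificate' written in step c. The page leaves
    the algorithm open; this example uses SHA-256 over canonical JSON, so any
    change to the user, id code or rights yields a different digest."""
    canonical = json.dumps(certificate, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class IdentityAuthServer:
    def __init__(self, ledger):
        self.ledger = ledger
        self.ldap = {}          # username -> user data and granted rights (LDAP stand-in)
        self.certificates = {}  # transient copy of a certificate until it is sent, then deleted

    def register(self, user_data, requested_rights, approved_rights):
        """Steps a-c: receive the registration, derive the authority information,
        generate and send the certificate, commit its verification, delete the copy."""
        # Step b: only the requested items that pass review become authority information.
        rights = sorted(set(requested_rights) & set(approved_rights))
        username = user_data["username"]
        certificate = {
            "user": username,
            "id_code": user_data["id_code"],
            "rights": rights,
            "serial": secrets.token_hex(8),  # makes each issued certificate unique
        }
        self.ldap[username] = {"data": dict(user_data), "rights": rights}
        self.certificates[username] = certificate
        # Step c: the ledger holds only the verification, never the certificate itself.
        self.ledger.write(("cert", username), certificate_verification(certificate))
        return self.certificates.pop(username)  # "send" to the terminal, then delete the server copy

    def login(self, certificate):
        """Login: check the presented certificate against the ledger, then issue a
        login credential and bind the user's access right to it on the ledger."""
        username = certificate.get("user")
        expected = self.ledger.read(("cert", username))
        if expected is None or not hmac.compare_digest(expected, certificate_verification(certificate)):
            return None, "certificate invalid"  # the prompt information sent to the terminal
        credential = secrets.token_urlsafe(16)
        rights = self.ldap[username]["rights"]  # authority information fetched from LDAP
        self.ledger.write(("rights", credential), list(rights))
        return credential, "ok"


class ApplicationServer:
    def __init__(self, name, ledger):
        self.name = name
        self.ledger = ledger

    def handle_access(self, login_credential):
        """Second verification: the application server asks the ledger which rights
        are bound to the credential and allows access only if it is among them."""
        rights = self.ledger.read(("rights", login_credential))
        return "allowed" if rights is not None and self.name in rights else "denied"


def run_demo():
    ledger = Ledger()
    ias = IdentityAuthServer(ledger)
    app_a, app_c = ApplicationServer("app-A", ledger), ApplicationServer("app-C", ledger)
    # Constructed sample user: requests A, B and C; review approves only A and B.
    cert = ias.register({"username": "alice", "id_code": "ID-0001"},
                        requested_rights=["app-A", "app-B", "app-C"],
                        approved_rights=["app-A", "app-B"])
    credential, status = ias.login(cert)
    # A terminal that edits its own certificate to add app-C fails the first verification.
    tampered = dict(cert, rights=["app-A", "app-B", "app-C"])
    return {
        "granted_rights": cert["rights"],
        "login_status": status,
        "server_keeps_certificate": "alice" in ias.certificates,
        "access_app_a": app_a.handle_access(credential),
        "access_app_c": app_c.handle_access(credential),
        "tampered_login": ias.login(tampered)[1],
        "unknown_credential": app_a.handle_access("not-issued"),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The model shows the two properties the description relies on: the ledger commits only a digest, and the identity authentication server keeps no certificate after sending it, so a compromise of that server yields no certificates; and the application server never trusts rights claimed by the terminal, only the rights the identity authentication server bound to the credential on the ledger. The Ledger class is a dictionary, not a blockchain; a real deployment would also need credential expiry and revocation records, which the description does not specify.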
According to the above method, the terminal device and the like may be divided into functional modules. For example, each function may be assigned its own functional module, or two or more functions may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division of modules in the embodiment of the present application is schematic and is only one logical functional division; other divisions are possible in actual implementation.
In the case of using an integrated unit, fig. 3 shows a schematic structural diagram of a single sign-on apparatus applied to the identity authentication server in the above embodiment, where the single sign-on apparatus 300 includes:
a receiving unit 31, configured to receive a login request sent by a terminal device; the login request carries a certificate of the terminal device and is used for requesting a login credential for logging in to the single sign-on system (SSO);
a sending unit 32, configured to send a first verification request to a blockchain network, where the first verification request is used to request the blockchain network to verify whether the certificate is valid according to the verification of the certificate;
the receiving unit 31 is further configured to receive a first verification response sent by the blockchain network;
the sending unit 32 is further configured to send the login credential to the terminal device if the first verification response indicates that the certificate is valid;
a writing unit 33, configured to write, according to the authority information of the terminal device, the access right corresponding to the login credential to the blockchain network when the first verification response indicates that the certificate is valid.
Referring to fig. 3, as an alternative embodiment of the present invention, the single sign-on apparatus 300 further includes a certificate generation unit 34;
the receiving unit 31 is further configured to receive a registration request sent by the terminal device before the sending unit 32 sends the first verification request to the blockchain network, where the registration request carries user data;
the certificate generation unit 34 is configured to generate the certificate according to the user data and the authority information;
the sending unit 32 is further configured to send the certificate to the terminal device;
the writing unit 33 is further configured to write the verification of the certificate to the blockchain network.
Referring to fig. 3, as an alternative embodiment of the present invention, the single sign-on apparatus 300 further includes:
a deleting unit 35, configured to delete the certificate generated according to the user data and the authority information after the sending unit 32 sends the certificate to the terminal device and the writing unit 33 writes the verification of the certificate into the blockchain network.
As an optional implementation manner of the embodiment of the present invention, the sending unit 32 is further configured to send prompt information to the terminal device when the first verification response indicates that the certificate is invalid;
the prompt information is used to indicate that the certificate of the terminal device is invalid.
In the case of an integrated unit, fig. 4 shows a schematic structural diagram of a single sign-on apparatus applied to an application server in the SSO in the above embodiment, where the single sign-on apparatus 400 includes:
a receiving unit 41, configured to receive an access request sent by a terminal device, where the access request carries a login credential;
a sending unit 42, configured to send a second verification request to the blockchain network, where the second verification request is used to request the blockchain network to verify whether the terminal device has the right to access the application server according to the access right corresponding to the login credential;
the receiving unit 41 is further configured to receive a second verification response sent by the blockchain network;
a processing unit 43, configured to allow the terminal device to access the application server if the second verification response indicates that the terminal device has the right to access the application server.
As an optional implementation manner of the embodiment of the present invention, the processing unit 43 is further configured to deny the terminal device access when the second verification response indicates that the terminal device does not have the right to access the application server.
Since the single sign-on apparatus applied to the identity authentication server and the single sign-on apparatus applied to the application server provided by the embodiments of the present invention can execute the single sign-on method provided by the above embodiments, they achieve technical effects similar to those of the above embodiments, which are not described here again.
Based on the same inventive concept, the embodiment of the invention also provides an identity authentication server. Fig. 5 is a schematic structural diagram of an identity authentication server according to an embodiment of the present invention; as shown in fig. 5, the identity authentication server of this embodiment includes a memory 51 and a processor 52, the memory 51 being used to store a computer program and the processor 52 being configured, when the computer program is invoked, to execute the steps performed by the identity authentication server in the single sign-on method of the above method embodiments.
Based on the same inventive concept, the embodiment of the invention also provides an application server in the SSO. Fig. 6 is a schematic structural diagram of an application server according to an embodiment of the present invention; as shown in fig. 6, the application server of this embodiment includes a memory 61 and a processor 62, the memory 61 being used to store a computer program and the processor 62 being configured, when the computer program is invoked, to execute the steps performed by the application server in the single sign-on method of the above method embodiments.
The identity authentication server and the application server provided in this embodiment may execute the single sign-on method provided in the above method embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the single sign-on method described in the above method embodiment is implemented.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied in the medium.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer readable media include both permanent and non-permanent, removable and non-removable storage media. Storage media may implement information storage by any method or technology, and the information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A single sign-on method, applied to an identity authentication server, characterized by comprising the following steps:
receiving a login request sent by a terminal device; the login request carries a certificate of the terminal device and is used for requesting a login credential for logging in to the single sign-on system (SSO);
sending a first verification request to a blockchain network, wherein the first verification request is used for requesting the blockchain network to verify whether the certificate is valid according to the verification of the certificate;
receiving a first verification response sent by the blockchain network;
and, when the first verification response indicates that the certificate is valid, sending the login credential to the terminal device and writing the access right corresponding to the login credential into the blockchain network according to the authority information of the terminal device.
2. The method of claim 1, wherein, before sending the first verification request to the blockchain network, the method further comprises:
receiving a registration request sent by the terminal device, wherein the registration request carries user data;
generating the certificate according to the user data and the authority information;
and sending the certificate to the terminal device and writing the verification of the certificate into the blockchain network.
3. The method of claim 2, wherein, after sending the certificate to the terminal device and writing the verification of the certificate into the blockchain network, the method further comprises: deleting the certificate generated according to the user data and the authority information.
4. The method according to any one of claims 1-3, further comprising:
sending prompt information to the terminal device when the first verification response indicates that the certificate is invalid;
wherein the prompt information is used to indicate that the certificate of the terminal device is invalid.
5. A single sign-on method, applied to a target application server in a single sign-on system (SSO), characterized by comprising the following steps:
receiving an access request sent by a terminal device, wherein the access request carries a login credential;
sending a second verification request to a blockchain network, wherein the second verification request is used for requesting the blockchain network to verify whether the terminal device has the right to access the target application server according to the access right corresponding to the login credential;
receiving a second verification response sent by the blockchain network;
and, when the second verification response indicates that the terminal device has the right to access the target application server, allowing the terminal device to access.
6. The method of claim 5, further comprising:
denying the terminal device access when the second verification response indicates that the terminal device does not have the right to access the target application server.
7. A single sign-on apparatus, applied to an identity authentication server, characterized by comprising:
a receiving unit, configured to receive a login request sent by a terminal device; the login request carries a certificate of the terminal device and is used for requesting a login credential for logging in to the single sign-on system (SSO);
a sending unit, configured to send a first verification request to a blockchain network, where the first verification request is used to request the blockchain network to verify whether the certificate is valid according to the verification of the certificate;
the receiving unit is further configured to receive a first verification response sent by the blockchain network;
the sending unit is further configured to send the login credential to the terminal device when the first verification response indicates that the certificate is valid;
and a writing unit, configured to write the access right corresponding to the login credential into the blockchain network according to the authority information of the terminal device when the first verification response indicates that the certificate is valid.
8. A single sign-on apparatus, applied to an application server, characterized in that the application server is an application server in a single sign-on system (SSO), and the single sign-on apparatus comprises:
a receiving unit, configured to receive an access request sent by a terminal device, where the access request carries a login credential;
a sending unit, configured to send a second verification request to a blockchain network, where the second verification request is used to request the blockchain network to verify, according to the access right corresponding to the login credential, whether the terminal device has the right to access the application server;
the receiving unit is further configured to receive a second verification response sent by the blockchain network;
and a processing unit, configured to allow the terminal device to access the application server when the second verification response indicates that the terminal device has the right to access the application server.
9. An identity authentication server, comprising: a memory for storing a computer program, and a processor; the processor is configured to perform the single sign-on method of any of claims 1-5 when the computer program is invoked.
10. An application server, comprising: a memory for storing a computer program, and a processor; the processor is configured to perform the single sign-on method of claim 6 or 7 when the computer program is invoked.
11. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the single sign-on method of any one of claims 1 to 6.
12. A single sign-on system, comprising: at least one of the single sign-on apparatus of claim 7, the single sign-on apparatus of claim 8, the identity authentication server of claim 9, and the application server of claim 10.
CN201910764781.4A 2019-08-19 2019-08-19 Single sign-on method, device and system Pending CN112398799A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910764781.4A CN112398799A (en) 2019-08-19 2019-08-19 Single sign-on method, device and system
PCT/CN2020/097895 WO2021031689A1 (en) 2019-08-19 2020-06-24 Single sign-on method, device, and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910764781.4A CN112398799A (en) 2019-08-19 2019-08-19 Single sign-on method, device and system

Publications (1)

Publication Number Publication Date
CN112398799A true CN112398799A (en) 2021-02-23

Family

ID=74603399

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910764781.4A Pending CN112398799A (en) 2019-08-19 2019-08-19 Single sign-on method, device and system

Country Status (2)

Country Link
CN (1) CN112398799A (en)
WO (1) WO2021031689A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113420282A (en) * 2021-06-12 2021-09-21 济南浪潮数据技术有限公司 Cross-site single sign-on method and device
CN117544379A (en) * 2023-11-22 2024-02-09 北京京东方技术开发有限公司 User data transmission method and device, electronic equipment and storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115250186B (en) * 2021-04-12 2024-04-16 顺丰科技有限公司 Network connection authentication method, device, computer equipment and storage medium
CN113794716B (en) * 2021-09-14 2023-06-06 中钞信用卡产业发展有限公司杭州区块链技术研究院 Network access authentication method, device and equipment for terminal equipment and readable storage medium
CN114567509B (en) * 2022-03-18 2024-04-30 上海派拉软件股份有限公司 Web application access system and method
CN116028915B (en) * 2023-03-29 2023-08-04 江苏智云天工科技有限公司 Single-point authentication method, system and medium for user access

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108173850A (en) * 2017-12-28 2018-06-15 杭州趣链科技有限公司 Identity authentication system and identity authentication method based on a blockchain smart contract
US10102526B1 (en) * 2017-03-31 2018-10-16 Vijay K. Madisetti Method and system for blockchain-based combined identity, ownership, integrity and custody management
US20190163896A1 (en) * 2017-11-28 2019-05-30 American Express Travel Related Services Company, Inc. Single Sign-On Solution Using Blockchain
CN109936569A (en) * 2019-02-21 2019-06-25 领信智链(北京)科技有限公司 Decentralized digital identity login management system based on the Ethereum blockchain

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10628566B2 (en) * 2017-11-20 2020-04-21 International Business Machines Corporation Authentication using delegated identities
CN109639711A (en) * 2018-12-29 2019-04-16 成都康赛信息技术有限公司 Distributed CAS authentication method based on a private-chain session id
CN109889503B (en) * 2019-01-22 2022-02-22 平安科技(深圳)有限公司 Identity management method based on block chain, electronic device and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113420282A (en) * 2021-06-12 2021-09-21 济南浪潮数据技术有限公司 Cross-site single sign-on method and device
CN117544379A (en) * 2023-11-22 2024-02-09 北京京东方技术开发有限公司 User data transmission method and device, electronic equipment and storage medium
CN117544379B (en) * 2023-11-22 2024-06-07 北京京东方技术开发有限公司 User data transmission method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
WO2021031689A1 (en) 2021-02-25

Similar Documents

Publication Publication Date Title
CN110915183B (en) Block chain authentication via hard/soft token validation
EP3207661B1 (en) Identity infrastructure as a service
US9264232B2 (en) Cryptographic device that binds an additional authentication factor to multiple identities
CN112398799A (en) Single sign-on method, device and system
EP3061027B1 (en) Verifying the security of a remote server
Grosse et al. Authentication at scale
US8839395B2 (en) Single sign-on between applications
JP2022545627A (en) Decentralized data authentication
CN112491881A (en) Cross-platform single sign-on method, system, electronic equipment and storage medium
US20170104748A1 (en) System and method for managing network access with a certificate having soft expiration
Alnahari et al. Authentication of IoT device and IoT server using security key
Schwarz et al. Feido: Recoverable FIDO2 tokens using electronic ids
CN105379176B (en) System and method for verifying the request of SCEP certificate registration
CN109802927B (en) Security service providing method and device
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
US11570163B2 (en) User authentication system
US20180007039A1 (en) Virtual smart cards with audit capability
Ponnusamy et al. Two-factor human authentication for mobile applications
US11977620B2 (en) Attestation of application identity for inter-app communications
CN112822007B (en) User authentication method, device and equipment
Kyrillidis et al. A smart card web server in the web of things
Tamrakar et al. On rehoming the electronic id to TEEs
Schwarz et al. FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs (Extended Version)
Hammoudeh et al. Enhancing Security Using E-Authentication System
CN116629855A (en) Data access method, application information configuration method, related device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210223