CN112738021A - Single sign-on method, terminal, application server, authentication server and medium - Google Patents


Info

Publication number: CN112738021A
Authority: CN (China)
Prior art keywords: login, user terminal, application, target application, server
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202011413933.5A
Other languages: Chinese (zh)
Other versions: CN112738021B (en)
Inventors: 陈云化, 盖秋明
Current assignee: Hytera Communications Corp Ltd (as listed by Google Patents)
Original assignee: Hytera Communications Corp Ltd
Events: application filed by Hytera Communications Corp Ltd; priority to CN202011413933.5A; publication of CN112738021A; application granted; publication of CN112738021B; legal status: active

Classifications

    • H04L63/0815: Network architectures or network communication protocols for network security (H04L63/00); for authentication of entities (H04L63/08); providing single-sign-on or federations
    • G06F21/45: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F21/00); authentication, i.e. establishing the identity or authorisation of security principals (G06F21/30); structures or tools for the administration of authentication
    • H04L63/0876: Network architectures or network communication protocols for network security (H04L63/00); for authentication of entities (H04L63/08); based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The application discloses a single sign-on method, a terminal, an application server, an authentication server and a medium. The method comprises the following steps: sending a first login request for logging in to a target application to an application server, wherein the first login request carries a terminal unique identifier of the user terminal, so that the application server can verify with an authentication server, according to the first login request, whether other applications are logged in on the user terminal, the other applications having a binding relationship with the terminal unique identifier; receiving login information returned by the application server, the login information being sent by the application server after the authentication server returns the result of whether other applications are logged in on the user terminal; and completing the login of the target application based on the login information. In this way, single sign-on can be realized accurately.

Description

Single sign-on method, terminal, application server, authentication server and medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a single sign-on method, a user terminal, an application server, an authentication server, and a computer storage medium.
Background
Currently, in large enterprises, with the development of application systems and information technology, users are often required to switch from one application system to another. When logging in to each application system, the user is required to enter a user name and a password.
In the related art, Single Sign-On (SSO) is used to realize automatic login across different application systems. Single sign-on means that, among a plurality of application systems which trust each other, a user only needs to log in to one of them to access all the others. The user does not need to log in to each application system one by one, so the login process is simplified and login efficiency is improved.
Disclosure of Invention
In order to solve the above technical problem, the present application provides a single sign-on method. The method is applied to a user terminal and comprises the following steps: sending a first login request for logging in to a target application to an application server, wherein the first login request carries a terminal unique identifier of the user terminal, so that the application server can verify with an authentication server, according to the first login request, whether other applications are logged in on the user terminal, the other applications having a binding relationship with the terminal unique identifier; receiving login information returned by the application server, the login information being sent by the application server after the authentication server returns the result of whether other applications are logged in on the user terminal; and completing the login of the target application based on the login information.
In order to solve the above technical problem, the present application provides a single sign-on method. The method is applied to an application server and comprises the following steps: receiving a first login request for logging in to a target application, sent by a user terminal; the first login request carries a terminal unique identifier of the user terminal, and the terminal unique identifier is obtained by the user terminal through an auxiliary service installed on the user terminal; sending to an authentication server a first verification request for verifying whether other applications are logged in on the user terminal; the first verification request carries the terminal unique identifier, and the other applications have a binding relationship with the terminal unique identifier; receiving a first verification result, returned by the authentication server, indicating whether other applications are logged in on the user terminal; and sending login information to the user terminal based on the first verification result, so that the user terminal can complete the login of the target application based on the login information.
In order to solve the above technical problem, the present application provides a single sign-on method. The method is applied to an authentication server and comprises the following steps: receiving a first verification request, sent by an application server, for verifying whether other applications are logged in on a user terminal; the first login request and the first verification request carry a terminal unique identifier of the user terminal, the terminal unique identifier is obtained by the user terminal through an auxiliary service installed on the user terminal, and the other applications have a binding relationship with the terminal unique identifier; in response to the first verification request, querying whether other applications corresponding to the terminal unique identifier are logged in; if other applications corresponding to the terminal unique identifier are logged in, sending to the application server a first verification result that other applications are logged in on the user terminal, so that the application server, in response to the first verification result, creates a local session with the user terminal and sends the logged-in target application interface content to the user terminal, whereupon the user terminal completes the login of the target application; or, if no other application corresponding to the terminal unique identifier is logged in, sending to the application server a first verification result that no other application is logged in on the user terminal, so that the application server, in response to the first verification result, either sends the user terminal a first instruction redirecting it to the login interface of the authentication server or sends login interface content to the user terminal, and the user terminal completes the login of the target application based on that login interface or login interface content.
In order to solve the technical problem, the application provides a user terminal. The user terminal comprises a processor, a memory and a communication circuit, wherein the processor is coupled with the memory and the communication circuit and executes instructions during working so as to realize the single sign-on method by matching with the memory and the communication circuit.
In order to solve the technical problem, the application provides an application server. The application server comprises a processor, a memory and a communication circuit, wherein the processor is coupled with the memory and the communication circuit and executes instructions during working so as to realize the single sign-on method by matching with the memory and the communication circuit.
In order to solve the technical problem, the application provides an authentication server. The authentication server comprises a processor, a memory and a communication circuit, wherein the processor is coupled with the memory and the communication circuit and executes instructions during working so as to realize the single sign-on method by matching with the memory and the communication circuit.
To solve the above technical problem, the present application provides a computer storage medium. The computer storage medium stores a computer program that is executed to implement the steps of the single sign-on method as described above.
According to the method and the device, the user terminal sends the application server a first login request for logging in to the target application, and the first login request carries the terminal unique identifier of the user terminal. After receiving the first login request, the application server sends a verification request carrying the terminal unique identifier to the authentication server; after receiving the verification request, the authentication server queries, by the terminal unique identifier, whether other applications bound to that identifier are logged in, and if they are, the user terminal is allowed to log in to the target application. Because the terminal unique identifier is carried in the first login request, the target application corresponds uniquely to the terminal unique identifier, so the user terminal can perform single sign-on accurately, and the authentication server is not left unable to distinguish which user terminal a target application belongs to when several user terminals are on the same intranet. The risk caused by an abnormal login of the target application can therefore be reduced.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a single sign-on system provided herein;
FIG. 2 is a schematic view illustrating an interaction flow of a single sign-on process performed by the single sign-on system provided in the present application;
FIG. 3 is a schematic flow chart diagram illustrating a first embodiment of a single sign-on method provided herein;
FIG. 4 is a schematic flow chart diagram illustrating a second embodiment of a single sign-on method provided herein;
FIG. 5 is a schematic flow chart diagram illustrating a third embodiment of a single sign-on method provided herein;
fig. 6 is a schematic structural diagram of an embodiment of a user terminal provided in the present application;
FIG. 7 is a schematic structural diagram of an embodiment of an application server provided in the present application;
fig. 8 is a schematic structural diagram of an embodiment of an authentication server provided in the present application;
FIG. 9 is a schematic structural diagram of an embodiment of a computer storage medium provided in the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the single sign-on method, the user terminal, the application server, the authentication server, and the computer storage medium provided in the present application are further described in detail below with reference to the accompanying drawings and the detailed description.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic structural diagram of an embodiment of a single sign-on system provided in the present application; fig. 2 is a schematic view of an interaction flow of single sign-on by the single sign-on system provided in the present application.
The single sign-on system of the present embodiment includes a user terminal 11, an application server 12, and an authentication server 13.
The user terminal 11 may be a smart phone, a computer, a portable computer, or a wearable device. An auxiliary service and at least one application run on the user terminal 11. The application on the user terminal 11 obtains the terminal unique identifier of the user terminal 11 through the auxiliary service. Specifically, the application sends a request for the terminal unique identifier to the auxiliary service, and the auxiliary service returns the terminal unique identifier in response. The terminal unique identifier is obtained by processing a hardware unique identifier of the user terminal 11, for example by hashing or otherwise transforming a processor serial number, a hard disk serial number, a logical disk serial number, a network card serial number, and the like. When the user terminal 11 requests to log in to the target application, the user terminal 11 generates a first login request carrying the terminal unique identifier, an application identifier and so on, and sends the first login request to the application server 12.
After receiving the first login request, the application server 12 generates a first verification request asking whether the user terminal 11 has other applications logged in, and sends the first verification request to the authentication server 13. The first verification request carries the terminal unique identifier and the application identifier.
After receiving the first verification request, the authentication server 13 uses the terminal unique identifier to query whether another application bound to that identifier is already logged in. If other applications corresponding to the terminal unique identifier are logged in, it sends to the application server 12 a first verification result that other applications are logged in on the user terminal 11, and changes the login state of the target application to logged in; if no other application corresponding to the terminal unique identifier is logged in, it sends to the application server 12 a first verification result that no other application is logged in on the user terminal 11.
After receiving the first verification result returned by the authentication server 13, the application server 12 sends login information to the user terminal 11 according to the first verification result. Specifically, if the first verification result indicates that the user terminal 11 has other applications logged in, the application server 12 creates a local session with the user terminal 11, records the logged-in applications of the user terminal 11 in that local session, and sends the logged-in target application interface content to the user terminal 11; if the first verification result indicates that no other application is logged in on the user terminal 11, the user terminal must log in again using login data entered on a login interface.
The specific process by which the user terminal 11 logs in through the login interface depends on the type of the target application. If the target application has a Browser/Server (B/S) architecture, the application server 12 sends login interface content to the user terminal 11; if the target application has a Client/Server (C/S) architecture, the application server 12 generates a first instruction redirecting to the login interface of the authentication server 13 and sends that first instruction to the user terminal 11. The first instruction carries the address of the login interface of the authentication server 13.
And if the user terminal 11 receives the interface content after login returned by the application server 12, rendering the interface content after login to obtain a target application interface after login. And displaying the interface after login by using the display screen, and finishing the single sign-on of the target application at the moment.
If the user terminal 11 receives login interface content, it renders the login interface content and displays the login interface on the display screen. After receiving the login data entered by the user on the login interface, the user terminal 11 sends the login data to the application server 12, so that the application server 12 requests the authentication server 13 to verify whether the login data is correct. If the application server 12 receives from the authentication server 13 the result that the login data is correct, it sends the logged-in interface content to the user terminal 11, so that the user terminal 11 completes the login.
If the user terminal 11 receives an instruction redirecting to the login interface of the authentication server 13, it accesses the address of that login interface and displays the login interface of the authentication server 13 on the display screen. The user terminal 11 receives the login data entered by the user on the login interface and sends the login data to the authentication server 13. The authentication server 13 verifies the login data and, once the login data is verified to be correct, sends an authentication ticket to the user terminal 11, so that the user terminal completes the login based on the authentication ticket.
In this embodiment, the first login request carries the terminal unique identifier, so that the target application corresponds uniquely to the terminal unique identifier, the user terminal 11 can perform single sign-on accurately, and the authentication server 13 is not left unable to distinguish which user terminal 11 a target application belongs to when several user terminals 11 are on the same intranet. The risk caused by an abnormal login of the target application can therefore be reduced.
The specific login process for the single sign-on system will be described in detail in the following embodiments.
Referring to fig. 3, fig. 3 is a schematic flowchart illustrating a single sign-on method according to a first embodiment of the present application. The execution subject of the embodiment is a user terminal, and the embodiment includes the following steps:
S101: Sending a first login request for logging in to the target application to the application server, wherein the first login request carries the terminal unique identifier of the user terminal.
In this embodiment, at least one application is run in the user terminal. The application running on the user terminal can be an application of a B/S architecture or an application of a C/S architecture.
In some embodiments, the terminal unique identifier is obtained by an auxiliary service (Assistant Service) running on the user terminal. The auxiliary service can read parameters of the hardware of the user terminal, such as a processor serial number, a hard disk serial number, a logical disk serial number or a network card serial number, and generates the terminal unique identifier from those hardware parameters, so that the risk of an account being stolen through theft of the raw hardware parameters is reduced. In a specific embodiment, a hash algorithm is applied to the hardware parameters of the user terminal and the output value is used as the terminal unique identifier. Of course, the terminal unique identifier may also be computed with other algorithms, or a hardware parameter of the user terminal may be used directly as the terminal unique identifier; this application does not limit it.
The auxiliary service exposes a WebSocket service that only local applications on the user terminal can reach: it is bound to at least one default port on the loopback address, and applications running on the user terminal query the terminal unique identifier through that port. Before binding a port, the auxiliary service checks whether the port is already occupied by another program and, if so, tries the next default port. For example, if 127.0.0.1:8080 is occupied, it tries other default ports such as 127.0.0.1:9090 or 127.0.0.1:8989, until it finds one that is free and binds it. When a target application on the user terminal needs the terminal unique identifier, it sends an identifier acquisition request to the auxiliary service on each default port in turn until one of them returns the identifier. Since the identifier can thus be obtained only by local applications of the user terminal, the risk of account theft through a stolen terminal identifier is reduced and the security of single sign-on is improved; moreover the correspondence between the terminal unique identifier and the application on the user terminal is ensured, which reduces the chance that, when several user terminals are on the same local area network, the authentication server cannot identify the association between the terminal unique identifier and the target application and a login abnormality results.
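The two mechanisms just described, the hash-based derivation of the terminal unique identifier and the auxiliary service's search for a free default port, are shown below as an added example; it is not code from the patent or from Hytera. The port list, the parameter names, the optional per-deployment secret and the `origin_allowed` check are assumptions: a WebSocket service on 127.0.0.1 is reachable from any web page the user's browser opens, not only from local programs, so a practitioner would also have the service reject upgrade requests whose Origin header is not on an allowlist. That check is added here and is not described on the page.

```python
"""Added example: terminal unique identifier derivation and loopback port
selection for an auxiliary service of the kind described above.
Not the patent's own code; names, ports and the Origin check are assumptions."""
import hashlib
import hmac
import socket
from typing import Callable, Dict, FrozenSet, Iterable, Optional
from urllib.parse import urlparse

# Default loopback ports tried in order (the page names 8080, 9090 and 8989;
# the order is an assumption).
DEFAULT_PORTS = (8080, 9090, 8989)

# Constructed sample of the hardware parameters the page says are read.
SAMPLE_HARDWARE: Dict[str, str] = {
    "cpu_serial": "BFEBFBFF000906EA",
    "disk_serial": "S3YJNX0M123456",
    "logical_disk_serial": "1A2B-3C4D",
    "nic_serial": "00:1A:2B:3C:4D:5E",
}


def terminal_unique_identifier(hardware: Dict[str, str], secret: bytes = b"") -> str:
    """Hash the hardware parameters into the terminal unique identifier.

    Keys are sorted and each value is length-prefixed so that two different
    parameter sets cannot produce the same byte string by concatenation.
    With a per-deployment secret (assumption, not on the page) the plain hash
    becomes an HMAC, so knowing the scheme alone is not enough to precompute
    identifiers from guessed serial numbers.
    """
    material = b"".join(
        f"{key}={len(str(value))}:{value};".encode() for key, value in sorted(hardware.items())
    )
    if secret:
        return hmac.new(secret, material, hashlib.sha256).hexdigest()
    return hashlib.sha256(material).hexdigest()


def _port_is_free(port: int) -> bool:
    """True if nothing is bound to 127.0.0.1:port right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind(("127.0.0.1", port))
            return True
        except OSError:
            return False


def choose_listen_port(candidates: Iterable[int] = DEFAULT_PORTS,
                       is_free: Callable[[int], bool] = _port_is_free) -> Optional[int]:
    """Return the first default port not occupied by another program, else None.

    The client side mirrors this by asking each default port in turn until one
    answers with the identifier.
    """
    for port in candidates:
        if is_free(port):
            return port
    return None


def origin_allowed(origin_header: Optional[str], allowed_hosts: FrozenSet[str]) -> bool:
    """Accept a browser WebSocket upgrade only from an allowlisted https origin.

    Browsers always send Origin on a WebSocket upgrade and any page the user
    visits can connect to 127.0.0.1, so the 'local applications only' property
    holds only if unexpected origins are refused. Missing Origin fails closed.
    (Added check, assumption; the page does not describe it.)
    """
    if origin_header is None:
        return False
    parsed = urlparse(origin_header)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


if __name__ == "__main__":
    print("terminal unique identifier:", terminal_unique_identifier(SAMPLE_HARDWARE))
    print("auxiliary service would bind port:", choose_listen_port())
```

The identifier is deterministic for one machine, so the same hardware always yields the same value, while changing any single serial changes it; the service itself would send the result back on the chosen port to callers that pass `origin_allowed`.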
When the application on the user terminal is the application of the C/S architecture, the auxiliary service is installed together with the application when the application is installed for the first time.
When the application on the user terminal is the application of the B/S architecture, and the target application is opened through the browser, the user terminal automatically detects whether the auxiliary service is installed or not. And if the auxiliary service is not installed, sending a prompt for downloading and installing the auxiliary service to remind a user to install the auxiliary service, thereby realizing single sign-on.
After receiving the terminal unique identifier returned by the auxiliary service, the target application on the user terminal sends the application server a first login request for logging in to the target application. The first login request carries the terminal unique identifier, so that the application server can ask the authentication server, according to the first login request, whether other applications are logged in on the user terminal. Specifically, after receiving the first login request, the application server sends the authentication server a first verification request asking whether the user terminal has other applications logged in. The first verification request carries the terminal unique identifier and the application identifier.
After receiving the first verification request, the authentication server uses the terminal unique identifier to query whether other applications bound to that identifier are logged in. If other applications corresponding to the terminal unique identifier are logged in, it sends to the application server a first verification result that other applications are logged in on the user terminal, and changes the login state of the target application to logged in; if no other application corresponding to the terminal unique identifier is logged in, it sends to the application server a first verification result that no other application is logged in on the user terminal.
S102: Receiving login information returned by the application server.
The login information is sent by the application server after the authentication server returns the result of whether other applications are logged in on the user terminal. The login information is one of: the logged-in target application interface content, the login interface content, or an instruction redirecting to the login interface of the authentication server.
Specifically, when the first verification result received by the application server indicates that the user terminal has other applications logged in, the application server creates a local session with the user terminal, records the logged-in state of the user terminal in the local session, and sends the logged-in target application interface content to the user terminal.
When the first verification result received by the application server indicates that no other application is logged in, the user terminal must log in again using login data entered on a login interface. The specific process depends on the type of the target application: if the target application has a B/S architecture, the application server sends login interface content to the user terminal; if the target application has a C/S architecture, the application server generates an instruction redirecting to the login interface of the authentication server and sends that instruction to the user terminal. The instruction carries the address of the login interface of the authentication server.
S103: Completing the login of the target application based on the login information.
After the user terminal receives the login information returned by the application server, it completes the login of the target application based on the login information.
If the login information received by the user terminal is the logged-in target application interface content, the user terminal renders it to obtain the logged-in target application interface and displays that interface on its display screen, which completes the login of the target application.
If the login information received by the user terminal is login interface content, the user terminal renders it and displays the login interface on the display screen. After receiving the login data entered by the user on the login interface, the user terminal sends the login data to the application server, and the application server sends the authentication server a third verification request asking whether the login data is correct. The authentication server verifies the login data in response to the third verification request and, if the login data is correct, returns to the application server a third verification result that the login data is correct. After receiving that result, the application server creates a local session with the user terminal and then sends the logged-in interface content to the user terminal. The user terminal renders the logged-in target application interface content, obtains the logged-in target application interface, and displays it on its display screen, completing the login of the target application on the user terminal.
If the login information received by the user terminal is an instruction redirecting to the login interface of the authentication server, the user terminal accesses the authentication server according to the instruction, and the authentication server returns the login interface content to the user terminal. The user terminal renders the login interface content, obtains the login interface, and displays it on its display screen. The user terminal receives the login data, such as an account name and an account password, entered by the user on the login interface, and sends the login data to the authentication server. After receiving the login data, the authentication server verifies it; if the login data is correct, it generates an authentication ticket and sends the user terminal a second instruction redirecting to the application server, the second instruction carrying the authentication ticket; if the login data is incorrect, it sends the user terminal a prompt that the account password is wrong and must be entered again.
After receiving the second instruction carrying the authentication ticket from the authentication server, the user terminal sends the application server a second login request for logging in to the target application. The second login request carries the authentication ticket. After receiving the second login request, the application server sends the authentication server a second verification request asking whether the authentication ticket is valid; the second verification request carries the authentication ticket. The authentication server verifies whether the authentication ticket is valid and, if so, returns to the application server a second verification result that the authentication ticket is valid. After receiving that result, the application server creates a local session with the user terminal, records the login state of the target application on the user terminal in the local session, and sends the logged-in target application interface content to the user terminal. The user terminal renders the logged-in target application interface content, obtains the logged-in target application interface, and displays it on its display screen, completing the login of the target application on the user terminal.
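The exchange of steps S101 to S103 above, together with the system overview around fig. 1 and fig. 2 and the application-server steps S201 to S203 that follow, is modelled below as an added example with all three parties in one process; it is not code from the patent or from Hytera. The application identifiers, the two terminal identifiers, the credential store and the message shapes are constructed assumptions. The model keeps the page's branching: an automatic login when another application bound to the same terminal unique identifier is already logged in, the login interface for a B/S application, and the redirect plus one-time authentication ticket for a C/S application. The ticket is bound to the terminal identifier and consumed on first use, which the page implies by "valid" but does not spell out.

```python
"""Added example (not the patent's own code): in-memory model of the
terminal / application server / authentication server exchange. All
identifiers, credentials and message fields are constructed assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def _password_ok(stored: Optional[str], supplied: str) -> bool:
    """Constant-time comparison; a real deployment would store a password hash."""
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())


@dataclass
class AuthServer:
    logins: Dict[str, Set[str]] = field(default_factory=dict)  # tuid -> logged-in app ids
    users: Dict[str, str] = field(default_factory=lambda: {"alice": "correct horse"})  # constructed
    tickets: Dict[str, str] = field(default_factory=dict)      # ticket -> tuid it was issued to

    def verify_other_login(self, tuid: str, app_id: str) -> bool:
        """First verification request: is another app bound to this tuid logged in?
        If so the target application is marked logged in as well."""
        if not (self.logins.get(tuid, set()) - {app_id}):
            return False
        self.logins[tuid].add(app_id)
        return True

    def verify_credentials(self, tuid: str, app_id: str, user: str, pw: str) -> bool:
        """Third verification request (B/S path): credentials relayed by the app server."""
        if not _password_ok(self.users.get(user), pw):
            return False
        self.logins.setdefault(tuid, set()).add(app_id)
        return True

    def login_interface(self, tuid: str, user: str, pw: str) -> Optional[str]:
        """C/S path: the terminal logs in at the authentication server's own
        login interface and receives a one-time authentication ticket."""
        if not _password_ok(self.users.get(user), pw):
            return None
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = tuid
        return ticket

    def verify_ticket(self, ticket: str, tuid: str, app_id: str) -> bool:
        """Second verification request: the ticket must exist, belong to the same
        tuid, and is consumed whether or not the check passes."""
        if self.tickets.pop(ticket, None) != tuid:
            return False
        self.logins.setdefault(tuid, set()).add(app_id)
        return True


@dataclass
class AppServer:
    app_id: str
    arch: str                      # "B/S" or "C/S"
    auth: AuthServer
    sessions: Dict[str, str] = field(default_factory=dict)  # local session id -> tuid

    def first_login_request(self, tuid: str) -> dict:
        """S201-S203, then the login information of S102."""
        if self.auth.verify_other_login(tuid, self.app_id):
            return self._logged_in(tuid)
        if self.arch == "B/S":
            return {"kind": "login_interface", "app": self.app_id}
        return {"kind": "redirect", "to": "auth_server_login", "app": self.app_id}

    def credential_login(self, tuid: str, user: str, pw: str) -> dict:
        if self.auth.verify_credentials(tuid, self.app_id, user, pw):
            return self._logged_in(tuid)
        return {"kind": "login_interface", "app": self.app_id, "error": "wrong password"}

    def second_login_request(self, tuid: str, ticket: str) -> dict:
        if self.auth.verify_ticket(ticket, tuid, self.app_id):
            return self._logged_in(tuid)
        return {"kind": "redirect", "to": "auth_server_login", "app": self.app_id}

    def _logged_in(self, tuid: str) -> dict:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = tuid
        return {"kind": "logged_in", "app": self.app_id, "session": sid}


def run_scenario() -> List[str]:
    """Two terminals on the same intranet (constructed tuids) against one B/S and one C/S app."""
    auth = AuthServer()
    mail, chat = AppServer("mail", "B/S", auth), AppServer("chat", "C/S", auth)
    tuid_a, tuid_b = "tuid-A", "tuid-B"
    events = [mail.first_login_request(tuid_a)["kind"]]                     # nothing bound yet
    events.append(mail.credential_login(tuid_a, "alice", "correct horse")["kind"])
    events.append(chat.first_login_request(tuid_a)["kind"])                 # SSO via tuid-A
    events.append(chat.first_login_request(tuid_b)["kind"])                 # other terminal
    ticket = auth.login_interface(tuid_b, "alice", "correct horse")
    events.append(chat.second_login_request(tuid_b, ticket)["kind"])
    events.append(chat.second_login_request(tuid_b, ticket)["kind"])        # ticket reuse
    return events


if __name__ == "__main__":
    print(run_scenario())
```

`run_scenario()` yields `login_interface`, `logged_in`, `logged_in`, `redirect`, `logged_in`, `redirect`: terminal A must log in once and then gets the C/S application automatically, terminal B on the same network is not confused with A because its identifier differs, and a replayed ticket is refused.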
In the embodiment, the first login request carries the terminal unique identifier, so that the target application and the terminal unique identifier are uniquely corresponding, the user terminal can accurately perform single-point login, and only the local application of the user terminal can acquire the terminal unique identifier, thereby reducing the risk that the account is stolen due to the stealing of the user terminal identifier, and improving the security of the single-point login; in addition, the corresponding relation between the terminal unique identifier and the application on the user terminal can be ensured, and the possibility that the authentication server cannot identify the incidence relation between the terminal unique identifier and the target application to cause login abnormity when a plurality of user terminals are in the same local area network is reduced.
Referring to fig. 4, fig. 4 is a flowchart illustrating a single sign-on method according to a second embodiment of the present application. The execution subject of the embodiment is an application server, and the embodiment includes the following steps:
S201: receiving a first login request for logging in to a target application, wherein the first login request is sent by a user terminal and carries the terminal unique identifier of the user terminal.
This step corresponds to the description about the application server in S101, and details are not repeated.
S202: and sending a first verification request for verifying whether the user terminal has other logged applications to the authentication server, wherein the first verification request carries a terminal unique identifier.
This step corresponds to the description about the application server in S101, and details are not repeated.
S203: and receiving a first authentication result which is returned by the authentication server and indicates whether the user terminal has other logged applications.
This step corresponds to the description about the application server in S102, and details are not repeated.
S204: and sending login information to the user terminal based on the first verification result so that the user terminal can complete the login of the target application based on the login information.
This step corresponds to the description about the application server in S102 and S103, and details are not repeated.
Referring to fig. 5, fig. 5 is a schematic flowchart illustrating a single sign-on method according to a third embodiment of the present application. The execution subject of this embodiment is an authentication server, and this embodiment includes the following steps:
S301: receiving a first verification request, sent by the application server, for verifying whether the user terminal has other logged-in applications.
This step corresponds to the description about the authentication server in S101, and details are not repeated.
S302: and responding to the first verification request, and inquiring whether other applications corresponding to the terminal unique identification are logged in.
This step corresponds to the description about the authentication server in S101, and details are not repeated.
If yes, execute S303; if not, execute S304.
S303: and sending a first verification result that other applications log in to the user terminal to the application server, so that the application server responds to the first verification result to create a local session with the user terminal, and sending the logged-in target application interface content to the user terminal, so that the user terminal completes the login of the target application.
This step corresponds to the description about the authentication server in S101, and details are not repeated.
S304: and sending a first verification result that no other application logs in to the user terminal to the application server, so that the application server sends a first instruction redirected to a login interface of the authentication server to the user terminal in response to the first verification result, and the application server sends login interface content to the user terminal in response to the first verification result, so that the user terminal can complete the login of the target application based on the login interface/login interface content.
This step corresponds to the description about the authentication server in S103, and details are not repeated.
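The exchange walked through in the first embodiment above (the terminal identifier check, then the ticket round trip when no other application is logged in) and the server-side steps S201 to S204 and S301 to S304, as one added in-process simulation of all three parties. This is example code written for this page, not code from the patent or from Hytera. The class names, the helper_service_identifier() stand-in for the auxiliary service, the ticket format, its 60-second lifetime and the single-use and terminal/application binding checks on the ticket are assumptions: the patent does not specify them, and the last three are the checks a practitioner would want the authentication server to make before the application server creates a local session.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TICKET_TTL_SECONDS = 60  # assumption: the patent does not state a ticket lifetime


def helper_service_identifier(hardware_serial: str) -> str:
    """Stand-in for the auxiliary service that reads the terminal unique identifier.
    Constructed: derives it from a hardware serial with SHA-256."""
    return hashlib.sha256(hardware_serial.encode()).hexdigest()


@dataclass
class AuthenticationServer:
    # Constructed credential store (account -> password); a real store keeps
    # salted password hashes, never plaintext.
    accounts: dict
    # terminal unique identifier -> set of applications logged in on that terminal
    login_state: dict = field(default_factory=dict)
    # ticket -> (terminal_id, application, issue time); a ticket is single-use (assumption)
    tickets: dict = field(default_factory=dict)

    def first_verify(self, terminal_id: str) -> bool:
        """S301 to S304: is any other application bound to this terminal logged in?"""
        return bool(self.login_state.get(terminal_id))

    def login(self, terminal_id: str, app: str, account: str, password: str):
        """Check the login data; on success record the login state and issue a ticket."""
        if account not in self.accounts:
            return None
        if not secrets.compare_digest(self.accounts[account].encode(), password.encode()):
            return None
        self.login_state.setdefault(terminal_id, set()).add(app)
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = (terminal_id, app, time.monotonic())
        return ticket

    def second_verify(self, ticket: str, terminal_id: str, app: str) -> bool:
        """Second verification: the ticket must exist, be unexpired and have been
        issued for this terminal and application; pop() makes it single-use."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return False
        issued_for_terminal, issued_for_app, issued_at = entry
        if time.monotonic() - issued_at > TICKET_TTL_SECONDS:
            return False
        return issued_for_terminal == terminal_id and issued_for_app == app


@dataclass
class ApplicationServer:
    name: str
    auth: AuthenticationServer
    sessions: dict = field(default_factory=dict)  # terminal_id -> local session id

    def first_login(self, terminal_id: str):
        """S201 to S204: ask the authentication server about the terminal, then either
        return the logged-in content or redirect to the login interface."""
        if self.auth.first_verify(terminal_id):
            return "content", self._create_session(terminal_id)
        return "redirect", "authentication-server-login"

    def second_login(self, terminal_id: str, ticket: str):
        """Second login request carrying the ticket, validated with the authentication server."""
        if self.auth.second_verify(ticket, terminal_id, self.name):
            return "content", self._create_session(terminal_id)
        return "error", "invalid ticket"

    def _create_session(self, terminal_id: str) -> str:
        session_id = secrets.token_urlsafe(16)
        self.sessions[terminal_id] = session_id
        return session_id


@dataclass
class UserTerminal:
    terminal_id: str  # value returned by the auxiliary service
    sessions: dict = field(default_factory=dict)  # application name -> session id

    def login(self, app: ApplicationServer, account: str, password: str) -> str:
        """Credentials are only used when the first login is redirected."""
        kind, payload = app.first_login(self.terminal_id)
        if kind == "content":
            self.sessions[app.name] = payload
            return "logged in via existing session"
        ticket = app.auth.login(self.terminal_id, app.name, account, password)
        if ticket is None:
            return "wrong credentials"
        kind, payload = app.second_login(self.terminal_id, ticket)
        if kind != "content":
            return "ticket rejected"
        self.sessions[app.name] = payload
        return "logged in via authentication server"


def run_demo() -> list:
    """Constructed scenario: two applications, two terminals, one account."""
    auth = AuthenticationServer(accounts={"alice": "correct horse"})
    mail, calendar = ApplicationServer("mail", auth), ApplicationServer("calendar", auth)
    laptop = UserTerminal(helper_service_identifier("laptop-serial-0001"))
    phone = UserTerminal(helper_service_identifier("phone-serial-0002"))
    return [
        laptop.login(mail, "alice", "wrong password"),   # rejected by the authentication server
        laptop.login(mail, "alice", "correct horse"),    # ticket round trip
        laptop.login(calendar, "alice", "correct horse"),  # same terminal: single sign-on
        phone.login(calendar, "alice", "correct horse"),   # other terminal: must authenticate
    ]


def ticket_replay_is_rejected() -> tuple:
    """A ticket works once, and only for the terminal and application it was issued for."""
    auth = AuthenticationServer(accounts={"alice": "pw"})
    app = ApplicationServer("mail", auth)
    ticket = auth.login("terminal-A", "mail", "alice", "pw")
    first = app.second_login("terminal-A", ticket)[0]
    replay = app.second_login("terminal-A", ticket)[0]
    fresh = auth.login("terminal-A", "mail", "alice", "pw")
    cross_terminal = app.second_login("terminal-B", fresh)[0]
    return first, replay, cross_terminal
```

run_demo() shows the two paths in the description: the first login on a terminal goes through the authentication server and the ticket, and a later login of a different application on the same terminal is answered directly from the first verification result, while a different terminal must authenticate again. ticket_replay_is_rejected() shows why the authentication server should consume a ticket on first use and bind it to the terminal identifier and target application that requested it.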
The present application further provides a user terminal for implementing the single sign-on method, specifically please refer to fig. 6, where fig. 6 is a schematic structural diagram of an embodiment of the user terminal provided in the present application.
The user terminal of the embodiment may be a desktop computer, a laptop computer, a smart phone, a tablet computer, a wearable device, or the like. Wherein the user terminal comprises a processor 601, a display 602 and a communication circuit 603, the processor 601 being coupled to the display 602 and the communication circuit 603.
The communication circuit 603 is configured to establish a communication connection with the application server, in order to send the first login request to the application server and to receive the login information returned by the application server. The display screen 602 is configured to display the logged-in target application interface and the login interface, and to receive login data through the login interface. The processor 601 is configured to obtain the terminal unique identifier of the user terminal, generate the first login request carrying the terminal unique identifier, and process the login information returned by the application server to complete the login of the target application.
The processor 601 may be an integrated circuit chip having signal processing capabilities. The processor 601 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Fig. 7 is a schematic structural diagram of an embodiment of an application server provided in the present application, specifically referring to fig. 7. In this embodiment, the application server 700 includes a processor 701, a memory 702, and communication circuitry 703, the processor 701 coupling the memory 702 and the communication circuitry 703.
The communication circuit 703 is configured to establish communication connections with the authentication server and the user terminal, in order to receive the first login request sent by the user terminal and carrying the terminal unique identifier of the user terminal, to send the authentication server the first verification request for verifying whether the user terminal meets the login condition, and to receive the first verification result returned by the authentication server. The memory 702 is configured to store the login information. The processor 701 is configured to generate the first verification request carrying the terminal unique identifier in response to the first login request, and to return the corresponding login information to the user terminal according to the first verification result returned by the authentication server.
The processor 701 may be an integrated circuit chip having signal processing capabilities. The processor 701 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Fig. 8 is a schematic structural diagram of an embodiment of an authentication server provided in the present application, specifically referring to fig. 8. In this embodiment, the authentication server 800 includes a processor 801, a memory 802, and communication circuitry 803, the processor 801 coupling the memory 802 and the communication circuitry 803.
The communication circuit 803 is configured to establish a communication connection with the application server, in order to receive the first verification request sent by the application server for verifying whether other applications are logged in on the user terminal, where the first verification request carries the terminal unique identifier of the user terminal and the other applications have a binding relationship with the terminal unique identifier, and to send the first verification result to the application server. The memory 802 is configured to store the login states of the target application and of the other applications bound to the terminal unique identifier. The processor 801 is configured to query, according to the terminal unique identifier, the login states of the other applications bound to it, and to feed back the first verification result to the application server according to those login states.
The processor 801 may be an integrated circuit chip having signal processing capabilities. The processor 801 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
For the method of the above embodiment, it may exist in the form of a computer program, so that the present application provides a computer storage medium, please refer to fig. 9, and fig. 9 is a schematic structural diagram of an embodiment of the computer storage medium provided in the present application. The computer storage medium 900 of the present embodiment stores therein a computer program 901 that can be executed to implement the method in the above-described embodiments.
The computer storage medium 900 of this embodiment may be a medium that can store program instructions, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, or may also be a server that stores the program instructions, and the server may send the stored program instructions to other devices for operation, or may self-operate the stored program instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a module or a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the purpose of illustrating embodiments of the present application and is not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application or are directly or indirectly applied to other related technical fields, are also included in the scope of the present application.

Claims (17)

1. A single sign-on method is applied to a user terminal, and the method comprises the following steps:
sending a first login request for logging in to a target application to an application server, wherein the first login request carries a terminal unique identifier of the user terminal, so that the application server verifies with an authentication server, according to the terminal unique identifier, whether other applications are logged in on the user terminal, and the other applications and the terminal unique identifier have a binding relationship;
receiving login information returned by the application server; the login information is sent by the application server after the authentication server returns a result that whether other applications log in the user terminal or not;
and finishing the login of the target application based on the login information.
2. The method of claim 1, wherein before sending the first login request to the application server to login to the target application, the method comprises:
sending an obtaining identification request for obtaining the unique identification of the terminal to an auxiliary service; wherein the auxiliary service operates at the user terminal;
receiving a terminal unique identifier returned by the auxiliary service; wherein the terminal unique identifier is sent by the auxiliary service in response to the get identifier request.
3. The method according to claim 2, wherein before sending the request for obtaining the terminal unique identifier of the user terminal to the auxiliary service, the method comprises:
detecting whether the user terminal is provided with the auxiliary service; the auxiliary service is used for reading the terminal unique identifier;
and if the auxiliary service is not installed, sending a prompt for installing the auxiliary service.
4. The method according to claim 1, wherein, when the result of whether other applications are logged in on the user terminal is that other applications are logged in, the login information is the logged-in target application interface content, and completing the login of the target application based on the login information comprises:
rendering the content of the target application interface after login to obtain the target application interface after login;
and displaying the target application interface after login by using a display screen of the user terminal.
5. The method according to claim 1, wherein, when the result of whether other applications are logged in on the user terminal is that no other application is logged in, the login information is an instruction to redirect to a login interface of the authentication server, and completing the login of the target application based on the login information comprises:
obtaining a login interface according to the instruction redirected to the login interface of the authentication server;
displaying the login interface by using a display screen of the user terminal;
receiving login data input by a user on the login interface;
sending the login data to the authentication server so that the authentication server authenticates the login data;
receiving an authentication ticket sent by the authentication server; the authentication ticket is sent after the authentication server verifies that the login data is correct;
sending a second login request for logging in to the target application to the application server, wherein the second login request carries the authentication ticket, so that the application server can verify with the authentication server, according to the second login request, whether the authentication ticket is valid;
receiving the logged-in target application interface content returned by the application server; the logged-in target application interface content is sent by the application server after it receives from the authentication server the result that the authentication ticket is valid;
rendering the content of the target application interface after login to obtain the target application interface after login;
and displaying the target application interface after login by using a display screen of the user terminal.
6. The method according to claim 1, wherein, when the result of whether other applications are logged in on the user terminal is that no other application is logged in, the login information is login interface content, and completing the login of the target application based on the login information comprises:
rendering the login interface content to obtain a login interface;
displaying the login interface by using a display screen of the user terminal;
receiving login data input by a user on the login interface;
sending the login data to the application server so that the application server requests an authentication server to verify whether the login data is correct;
receiving the logged-in target application interface content returned by the application server; the logged-in target application interface content is sent by the application server after it receives from the authentication server the result that the login data is correct;
rendering the content of the target application interface after login to obtain the target application interface after login;
and displaying the target application interface after login by using a display screen of the user terminal.
7. A single sign-on method, applied to an application server, the method comprising:
receiving a first login request for logging in a target application, which is sent by a user terminal; the first login request carries a terminal unique identifier of the user terminal, wherein the terminal unique identifier is obtained by the user terminal through an auxiliary service installed on the user terminal;
sending a first verification request for verifying whether the user terminal has other logged applications to an authentication server; the first verification request carries the terminal unique identifier, and the other applications and the terminal unique identifier have a binding relationship;
receiving a first authentication result returned by the authentication server whether the user terminal has other applications logged in;
and sending login information to the user terminal based on the first verification result so that the user terminal can complete the login of the target application based on the login information.
8. The method of claim 7, wherein the first verification result indicates that the user terminal has other applications logged in, the login information is target application interface content after logging in, and the sending login information to the user terminal based on the first verification result enables the user terminal to complete the login of the target application based on the login information comprises:
responding to the user terminal that other applications are logged in, and creating a local session with the user terminal;
and sending the logged target application interface content to the user terminal so that the user terminal completes the login of the target application.
9. The method of claim 7, wherein the first verification result is that no other application is logged in, the login information is an instruction to redirect to a login interface of the authentication server, and the sending login information to the user terminal based on the first verification result to enable the user terminal to complete the login of the target application based on the login information comprises:
responding to the first verification result that no other application is logged in the user terminal, and sending an instruction for redirecting to a login interface of the authentication server to the user terminal;
receiving a second login request, sent by the user terminal, for accessing the target application, wherein the second login request carries an authentication ticket; the authentication ticket is sent by the authentication server after the authentication server verifies that the login data received through the login interface is correct;
sending a second verification request for verifying whether the authentication ticket is valid to the authentication server;
receiving a second verification result whether the authentication ticket returned by the authentication server is valid;
and responding to the second verification result that the authentication ticket is valid, creating a local session with the user terminal, and sending the content of the target application interface after login to the user terminal so that the user terminal completes the login of the target application.
10. The method of claim 7, wherein the first verification result is that no other application is logged in, the login information is login interface content, and the sending login information to the user terminal based on the first verification result to enable the user terminal to complete the login of the target application based on the login information comprises:
responding to the first verification result that no other application is logged in the user terminal, and sending login interface content to the user terminal;
receiving login data acquired by the user terminal based on the login interface content;
sending a third verification request for verifying whether the login data is correct to the authentication server;
receiving a third verification result of whether the login data returned by the authentication server is correct or not;
and responding to the third verification result as correct, creating a local session with the user terminal, and sending the logged target application interface content to the user terminal so that the user terminal completes the login of the target application.
11. A single sign-on method, applied to an authentication server, the method comprising:
receiving a first authentication request which is sent by the application server and used for authenticating whether other applications log in to the user terminal or not; the first authentication request is sent by the application server after receiving a first login request sent by the user terminal for logging in the target application, the first login request and the first authentication request carry a terminal unique identifier of the user terminal, the terminal unique identifier is obtained by the user terminal through an auxiliary service installed on the user terminal, and the other applications and the terminal unique identifier have a binding relationship;
responding to the first verification request, and inquiring whether other applications corresponding to the terminal unique identifier are logged in;
if other applications corresponding to the terminal unique identifier are logged in, sending a first verification result that the other applications are logged in to the user terminal to the application server, so that the application server responds to the first verification result to create a local session with the user terminal, and sending logged-in target application interface content to the user terminal, so that the user terminal completes the logging in of the target applications; or
if no other application corresponding to the terminal unique identifier is logged in, sending a first verification result that no other application is logged in on the user terminal to the application server, so that, in response to the first verification result, the application server either sends the user terminal a first instruction to redirect to a login interface of the authentication server or sends login interface content to the user terminal, so that the user terminal can complete the login of the target application based on the login interface or the login interface content.
12. The method of claim 11, further comprising:
receiving login data sent by the user terminal; the login data is input to the user terminal by a user based on the login interface;
verifying whether the login data is correct;
in response to the login data being correct, recording the login state of the target application as logged in, and generating an authentication ticket;
sending a second instruction to redirect to the application server to the user terminal, wherein the second instruction carries the authentication ticket;
receiving a second verification request sent by the application server for verifying whether the authentication ticket is valid; the second verification request is sent by the application server in response to receiving a second login request sent by the user terminal, the second login request is sent by the user terminal to the application server in response to the second instruction, and the second login request and the second verification request carry the authentication ticket;
verifying whether the authentication ticket is valid;
and in response to the authentication ticket being valid, sending the application server a second verification result that the authentication ticket is valid, so that the application server creates a local session with the user terminal in response to the second verification result and sends the logged-in target application interface content to the user terminal, so that the user terminal completes the login of the target application.
13. The method of claim 11, further comprising:
receiving a third verification request sent by the application server for verifying whether the login data is correct; the login data is sent to the application server after the user terminal receives the login data input by the user based on a login interface, and the login interface is obtained by rendering the login interface content by the user terminal;
verifying whether the login data is correct;
responding to the fact that the login data are correct, and recording the login state of the target application as logged-in;
and sending a third verification result that the login data is correct to an application server, so that the application server responds to the second verification result to create a local session with the user terminal, and sending the content of the target application interface after login to the user terminal, so that the user terminal completes the login of the target application.
14. A user terminal, comprising a processor, a display screen and a communication circuit, wherein the processor is coupled to the display screen and the communication circuit, and executes instructions in operation to implement the single sign-on method of any one of claims 1 to 6 in cooperation with the display screen and the communication circuit.
15. An application server, comprising a processor, a memory, and a communication circuit, wherein the processor is coupled to the memory and the communication circuit, and when operating, executes instructions to implement the single sign-on method of any one of claims 7 to 10 in cooperation with the memory and the communication circuit.
16. An authentication server, comprising a processor, a memory, and a communication circuit, wherein the processor is coupled to the memory and the communication circuit, and when operating, executes instructions to implement the single sign-on method of any one of claims 11 to 13 in cooperation with the memory and the communication circuit.
17. A computer storage medium storing a computer program executed to implement the steps of the single sign-on method of any one of claims 1 to 13.
CN202011413933.5A 2020-12-02 2020-12-02 Single sign-on method, terminal, application server, authentication server and medium Active CN112738021B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011413933.5A CN112738021B (en) 2020-12-02 2020-12-02 Single sign-on method, terminal, application server, authentication server and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011413933.5A CN112738021B (en) 2020-12-02 2020-12-02 Single sign-on method, terminal, application server, authentication server and medium

Publications (2)

Publication Number Publication Date
CN112738021A true CN112738021A (en) 2021-04-30
CN112738021B CN112738021B (en) 2023-10-24

Family

ID=75598174

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011413933.5A Active CN112738021B (en) 2020-12-02 2020-12-02 Single sign-on method, terminal, application server, authentication server and medium

Country Status (1)

Country Link
CN (1) CN112738021B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378153A (en) * 2021-08-12 2021-09-10 中移(上海)信息通信科技有限公司 Authentication method, first service device, second service device and terminal device
CN114584353A (en) * 2022-02-23 2022-06-03 上海外服云信息技术有限公司 Single sign-on method for mobile terminal to access CAS
CN115412347A (en) * 2022-08-31 2022-11-29 建信金融科技有限责任公司 Device login method, device and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301316A (en) * 2014-10-13 2015-01-21 中国电子科技集团公司第二十八研究所 Single sign-on system and implementation method thereof
CN105007280A (en) * 2015-08-05 2015-10-28 郑州悉知信息技术有限公司 Application sign-on method and device
CN108551443A (en) * 2018-03-30 2018-09-18 平安科技(深圳)有限公司 A kind of application login method, device, terminal device and storage medium
CN110278187A (en) * 2019-05-13 2019-09-24 网宿科技股份有限公司 Multiple terminals single-point logging method, system, sync server and medium
CN110727678A (en) * 2019-09-25 2020-01-24 湖南新云网科技有限公司 Method and device for binding user information and mobile terminal and storage medium
US20200213297A1 (en) * 2018-12-27 2020-07-02 Konica Minolta Laboratory U.S.A., Inc. Method and system for seamless single sign-on (sso) for native mobile-application initiated open-id connect (oidc) and security assertion markup language (saml) flows

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wu Bo; Jiang Shitian: "Research on the application of single sign-on in e-government intranet portals", Computer and Digital Engineering, no. 04 *

Also Published As

Publication number Publication date
CN112738021B (en) 2023-10-24

Similar Documents

Publication Publication Date Title
US11665200B2 (en) System and method for second factor authentication to perform services
US20200336310A1 (en) Coordinating access authorization across multiple systems at different mutual trust levels
EP2524471B1 (en) Anytime validation for verification tokens
CN112738021B (en) Single sign-on method, terminal, application server, authentication server and medium
CN113711211A (en) First-factor contactless card authentication system and method
US20110185181A1 (en) Network authentication method and device for implementing the same
US9667626B2 (en) Network authentication method and device for implementing the same
EP2690840B1 (en) Internet based security information interaction apparatus and method
US20210273794A1 (en) Method employed in user authentication system and information processing apparatus included in user authentication system
CN108335105B (en) Data processing method and related equipment
US20140172741A1 (en) Method and system for security information interaction based on internet
AU2020239994B2 (en) System and method for pre-authentication of customer support calls
CN109842616B (en) Account binding method and device and server
CN111062059B (en) Method and device for service processing
US20080046750A1 (en) Authentication method
KR20110122432A (en) Authentication system and method using smart card web server
CN112738005A (en) Access processing method, device, system, first authentication server and storage medium
KR101676719B1 (en) Method for running virtual machine, method for providing online financial service using virtualization and apparatus for performing the method
TWM583978U (en) System of using physical carrier to store digital certificate for performing online transaction
AU2015200701B2 (en) Anytime validation for verification tokens
TWI645345B (en) System, device and method for executing certificate operation on basis of token
CN117097482A (en) Remote signature authority verification method, device, storage medium and processor
CN114090996A (en) Multi-party system mutual trust authentication method and device
CN114866324A (en) Information processing method, system, device and storage medium
CN116938472A (en) Digital certificate processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant