CN113132402B - Single sign-on method and system - Google Patents

Single sign-on method and system

Info

Publication number
CN113132402B
CN113132402B
Authority
CN
China
Prior art keywords
authentication
user
application
server
application token
Legal status
Active
Application number
CN202110461827.2A
Other languages
Chinese (zh)
Other versions
CN113132402A (en)
Inventor
徐辉
胡良俊
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Priority to CN202110461827.2A
Publication of CN113132402A
Application granted
Publication of CN113132402B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the invention provides a single sign-on method applied to a terminal device in which an authentication client program and a plurality of application programs are installed, the plurality of application programs comprising a browser and an application client program. The single sign-on method comprises the following steps, performed by the authentication client program: intercepting an access request sent by a user through a target application program, where the target application program is any one of the plurality of application programs; acquiring an application token from an authentication server according to the access request; and forwarding the access request and the application token to a target server so that the target server approves or refuses the login. In the embodiment of the invention, the identity authentication of C/S applications and B/S applications is managed through the authentication client program and the authentication server, which solves the problems that C/S applications and B/S applications cannot share identity authentication information and cannot realize single sign-on.

Description

Single sign-on method and system
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a single sign-on method, apparatus, computer device, computer readable storage medium, and single sign-on system.
Background
With the continuous development of communication technology, the internet has been incorporated into every aspect of life. Users need to access many different application systems each day, and each of these requires the user to follow certain security policies, such as entering a user account and password. As the number of systems a user accesses grows, the user has to remember multiple passwords in order to gain access to the different application systems. To make them easier to remember, users typically simplify passwords, reuse the same password across multiple systems, or write passwords down, all of which greatly weaken the security of system logins. Single sign-on (SSO) technology evolved in response. Single sign-on means that, across a plurality of application systems, a user only needs to log on once to access all mutually trusted application systems.
However, existing single sign-on technology is applied to Web application systems of the B/S (Browser/Server) architecture and is limited to implementing single sign-on identity authentication among a plurality of Web applications; there is no single sign-on technology capable of supporting both C/S (Client/Server) applications and B/S applications.
Disclosure of Invention
The invention aims to provide a single sign-on method, a single sign-on system, a computer device and a computer readable storage medium, which are used for solving the following problems: the existing single sign-on identity authentication cannot support C/S application and B/S application at the same time.
One aspect of the embodiments of the present invention provides a single sign-on method, which is applied to a terminal device, where the terminal device has an authentication client and multiple application programs, and the multiple application programs include a browser and an application client; the single sign-on method comprises the following steps:
performing, by the authentication client program:
intercepting an access request sent by a user through a target application program, wherein the target application program is any one of the plurality of application programs;
acquiring an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right; and
forwarding the access request and the application token to a target server, so that the target server verifies the application token and executes a response to the access request according to the verification result, the response being either login approval or login rejection.
Optionally, the request information includes a unique identification code associated with the terminal device; the obtaining of the application token from the authentication server according to the access request includes:
sending the request information to the authentication server, so that the authentication server: retrieves a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determines that the user has passed identity authentication, issues the application token and returns the application token to the authentication client program; the user authentication session is used for maintaining the authentication information and identity information of the user.
Optionally, the request information includes a unique identification code associated with the terminal device; the obtaining of the application token from the authentication server according to the access request includes:
sending the request information to the authentication server, so that the authentication server: retrieves a user authentication session associated with the unique identification code and, if none is retrieved, determines that the user has not passed identity authentication and returns an unauthenticated message to the authentication client program; the unauthenticated message indicates that the user has not passed identity authentication, and the user authentication session is used for maintaining the authentication information and identity information of the user;
receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message;
receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server so that the authentication server: verifying the user according to the identity authentication information, creating the user authentication session under the condition that the user authentication is successful, and returning an authentication success message to the authentication client program, wherein the authentication success message is used for indicating that the user passes the identity authentication; and
receiving the authentication success message, and reapplying to the authentication server for the application token, so that the authentication server: if the user authentication session has been created, determines that the user has passed identity authentication, issues the application token in response to the reapplication, and returns the application token to the authentication client program.
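The token-acquisition exchange laid out in the two alternatives above (session found; session not found, interactive login, then re-application), simulated end to end as an added example that is not part of the patent. All three parties run in one process; the message field names, the PBKDF2 credential check, the random opaque token and the `verify_token` call the target server makes back to the authentication server are assumptions, since the patent specifies neither message formats nor how the target server verifies the token.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumption: the patent does not say how credentials are stored


def make_user_db(username, password):
    """Constructed credential store for the demo: username -> (salt, PBKDF2 hash)."""
    salt = secrets.token_bytes(16)
    return {username: (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))}


class AuthServer:
    """Authentication server: keeps user authentication sessions keyed by the
    terminal's unique identification code and issues application tokens bound
    to those sessions."""

    def __init__(self, users):
        self._users = users      # username -> (salt, hash)
        self._sessions = {}      # device_id -> {"user": str, "apps": set()}
        self._tokens = {}        # token -> (device_id, app)

    def request_token(self, device_id, app):
        """Retrieve the session for the unique identification code; issue a token
        only if one exists, otherwise answer 'unauthenticated'."""
        session = self._sessions.get(device_id)
        if session is None:
            return {"status": "unauthenticated"}
        token = secrets.token_urlsafe(32)          # opaque, unguessable bearer token
        self._tokens[token] = (device_id, app)     # bound to session and application
        session["apps"].add(app)
        return {"status": "ok", "token": token}

    def authenticate(self, device_id, username, password):
        """Verify submitted identity information; create the session on success."""
        record = self._users.get(username)
        if record is None:
            return {"status": "failed"}
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, expected):
            return {"status": "failed"}
        self._sessions[device_id] = {"user": username, "apps": set()}
        return {"status": "authenticated"}

    def verify_token(self, token, app):
        """Called by a target server. Valid only while the bound session exists and
        only for the application the token was issued for (the per-app binding is
        an added hardening choice, not something the patent requires)."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] != app:
            return None
        session = self._sessions.get(entry[0])
        return None if session is None else session["user"]


class TargetServer:
    """B/S or C/S application server: never sees credentials, only the token."""

    def __init__(self, app, auth_server):
        self.app, self.auth, self.online = app, auth_server, set()

    def handle(self, access_request, token):
        user = self.auth.verify_token(token, self.app)
        if user is None:
            return {"login": "rejected", "request": access_request}
        self.online.add(user)
        return {"login": "approved", "user": user, "request": access_request}


class AuthClient:
    """Authentication client program on the terminal: intercepts each access
    request, obtains a token, and re-applies after an interactive login."""

    def __init__(self, device_id, auth_server, prompt):
        self.device_id, self.auth, self.prompt = device_id, auth_server, prompt
        self.prompts = 0   # how often the login authentication interface was shown

    def intercept(self, target, access_request):
        resp = self.auth.request_token(self.device_id, target.app)
        if resp["status"] == "unauthenticated":
            self.prompts += 1
            username, password = self.prompt()     # login authentication interface
            if self.auth.authenticate(self.device_id, username, password)["status"] != "authenticated":
                return {"login": "rejected", "request": access_request}   # request is blocked
            resp = self.auth.request_token(self.device_id, target.app)   # re-application
        return target.handle(access_request, resp["token"])


def demo(password_typed="hunter2"):
    """One terminal reaches a B/S app and then a C/S app; returns both outcomes,
    the result of presenting a forged token, and the number of login prompts."""
    auth = AuthServer(make_user_db("alice", "hunter2"))
    web = TargetServer("web-portal", auth)       # B/S application server program
    desk = TargetServer("desktop-erp", auth)     # C/S application server program
    client = AuthClient("device-1234", auth, lambda: ("alice", password_typed))
    first = client.intercept(web, "GET /home")
    second = client.intercept(desk, "OPEN ledger")
    forged = web.handle("GET /home", secrets.token_urlsafe(32))
    return first, second, forged, client.prompts
```

Running `demo()` shows the property the claims are after: the first intercepted request (from the browser-side application) triggers one login prompt, the second (from the C/S application) is served from the same session with no prompt, and a forged token is rejected. One caveat the claims leave open: the unique identification code of the terminal is the lookup key for the session, so the channel from authentication client to authentication server must itself be authenticated (for instance with mutual TLS), or anyone able to present another terminal's identification code inherits its session.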
Optionally, the method further includes performing, by the authentication client program, a user offline operation:
receiving a logout operation for the user; and
in response to the logout operation, logging out the user and sending a user logout notification to the authentication server, so that the authentication server: deregisters the user authentication session, clears the application token and sends a user offline notification to the target server, so that the target server takes the user offline.
Optionally, the method further includes performing, by the target application program, a user offline operation:
receiving a logout operation for the user; and
in response to the logout operation, generating a notification message indicating that the user is offline and sending the notification message to the target server, so that the target server performs at least one of the following: taking the user offline, notifying the authentication server to deregister or update the user authentication session, and clearing the application token.
One aspect of the embodiments of the present invention further provides a single sign-on apparatus, which is applied to a terminal device, where the terminal device is internally provided with an authentication client program and a plurality of application programs, and the plurality of application programs include a browser and an application client program; the single sign-on apparatus includes:
an authentication login module, configured to perform the following operations by the authentication client:
intercepting an access request sent by a user through a target application program, wherein the target application program is any one of the plurality of application programs;
acquiring an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right; and
forwarding the access request and the application token to a target server, so that the target server verifies the application token and executes a response to the access request according to the verification result, the response being either login approval or login rejection.
One aspect of the embodiments of the present invention further provides a single sign-on method, which is used in an authentication server; the method comprises the following steps:
receiving request information which is sent by the terminal equipment through an authentication client program and is used for requesting an application token; the authentication client is arranged in the terminal equipment and used for intercepting an access request of a user in the terminal equipment and applying for the application token based on the access request, and the application token is used for indicating that the user passes identity authentication and has access right;
judging whether the user passes identity authentication according to the request information, and determining whether to issue the application token according to a judgment result; and
if the user passes identity authentication, issuing the application token and returning the application token to the authentication client program, so that the authentication client program forwards the access request and the application token to a target server and the target server executes the login according to the access request and the application token.
Optionally, the request information includes a unique identification code associated with the terminal device; the judging whether the user passes the identity authentication according to the request information and determining whether to issue the application token according to the judging result comprises the following steps:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determining that the user has passed identity authentication and determining to issue the application token, the application token being bound to the user authentication session, the user authentication session being used to maintain authentication information and identity information of the user.
Optionally, the request information includes a unique identification code associated with the terminal device; the judging whether the user passes the identity authentication according to the request information and determining whether to issue the application token according to the judging result comprises the following steps:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, judging that the user does not pass identity authentication and returning an unauthenticated message to the authentication client program so that the authentication client program submits identity authentication information according to the unauthenticated message; the unauthenticated message is used for indicating that the user does not pass identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the identity authentication information submitted by the authentication client program;
verifying the user according to the identity authentication information;
if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program, so that the authentication client program applies for the application token to the authentication server again based on the authentication success message; the authentication success message is used for indicating that the user passes identity authentication; and
in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determining that the user has been authenticated and determining to issue the application token, the application token being bound to the user authentication session.
Optionally, the method further includes:
receiving a user logout notification provided by the authentication client program; and
in response to the user logout notification: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server to enable the target server to offline the user.
Optionally, the method further includes:
receiving a user offline notification provided by the target server; and
in response to the user offline notification: deregistering or updating the user authentication session, and clearing the application token.
Optionally, the user authentication session is associated with one or more application server programs in the target server, and deregistering or updating the user authentication session includes:
if the user authentication session is associated with a single application server program in the target server, deregistering the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from one target application server program among the plurality taking the user offline, updating the user authentication session so as to delete the association information of that target application server program from the user authentication session.
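The two offline flows, the one initiated through the authentication client (the user logout notification) and the one initiated inside a target application (the user offline notification, with the deregister-or-update decision of the last three paragraphs), as an added example that is not part of the patent. Tokens are kept in a server-side table so that clearing them revokes them immediately; that, the `is_valid` check and the shortcut `issue_token` that skips the interactive login are assumptions of the example.

```python
import secrets


class AuthServer:
    """Authentication-server side of the two offline flows. A session is keyed by
    the terminal's unique identification code and records which application
    server programs it is associated with; each token is bound to (session, app)."""

    def __init__(self):
        self.sessions = {}        # device_id -> {"user": str, "apps": set()}
        self.tokens = {}          # token -> (device_id, app); server-side, so revocation is immediate
        self.target_servers = {}  # app -> TargetServer, used for user offline notifications

    def issue_token(self, device_id, user, app):
        """Constructed shortcut: the interactive login already happened; just
        associate the session with app and hand out a token bound to it."""
        session = self.sessions.setdefault(device_id, {"user": user, "apps": set()})
        session["apps"].add(app)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (device_id, app)
        return token

    def is_valid(self, token):
        entry = self.tokens.get(token)
        return entry is not None and entry[0] in self.sessions

    def _clear_tokens(self, device_id, app=None):
        for token, (dev, bound_app) in list(self.tokens.items()):
            if dev == device_id and (app is None or bound_app == app):
                del self.tokens[token]

    def user_logout(self, device_id):
        """Fig. 4 flow: logout came through the authentication client. Deregister
        the session, clear every token, and push a user offline notification to
        each associated target server. Returns the apps notified."""
        session = self.sessions.pop(device_id, None)
        if session is None:
            return []
        self._clear_tokens(device_id)
        for app in sorted(session["apps"]):
            self.target_servers[app].offline(session["user"])
        return sorted(session["apps"])

    def user_offline(self, device_id, app):
        """Fig. 5 flow: a target server reports that the user went offline in app.
        Deregister the session if app was its only association, otherwise only
        drop that association; either way the tokens issued for app are cleared."""
        session = self.sessions.get(device_id)
        if session is None or app not in session["apps"]:
            return "unknown"
        self._clear_tokens(device_id, app)
        if session["apps"] == {app}:
            del self.sessions[device_id]
            return "deregistered"
        session["apps"].discard(app)
        return "updated"


class TargetServer:
    """One application server program (B/S or C/S) behind the target server."""

    def __init__(self, app, auth):
        self.app, self.auth, self.online = app, auth, set()
        auth.target_servers[app] = self

    def admit(self, device_id, user):
        """Bring user online for this app (stands in for a verified token login)."""
        self.online.add(user)
        return self.auth.issue_token(device_id, user, self.app)

    def offline(self, user):
        """Handle the user offline notification sent by the authentication server."""
        self.online.discard(user)

    def client_logout(self, device_id, user):
        """Logout initiated inside the target application: take the user offline,
        then send the user offline notification to the authentication server."""
        self.online.discard(user)
        return self.auth.user_offline(device_id, self.app)


def demo():
    """Run both offline flows for one terminal that is logged in to two apps."""
    results = {}
    # Scenario A (Fig. 5): the user logs out of the C/S app, then of the B/S app.
    auth = AuthServer()
    web, desk = TargetServer("web-portal", auth), TargetServer("desktop-erp", auth)
    t_web, t_desk = web.admit("device-1234", "alice"), desk.admit("device-1234", "alice")
    results["after_desk_logout"] = desk.client_logout("device-1234", "alice")
    results["tokens_after_desk_logout"] = (auth.is_valid(t_web), auth.is_valid(t_desk))
    results["after_web_logout"] = web.client_logout("device-1234", "alice")
    results["tokens_after_web_logout"] = (auth.is_valid(t_web), auth.is_valid(t_desk))
    # Scenario B (Fig. 4): the user logs out through the authentication client.
    auth = AuthServer()
    web, desk = TargetServer("web-portal", auth), TargetServer("desktop-erp", auth)
    web.admit("device-1234", "alice")
    desk.admit("device-1234", "alice")
    results["client_logout_notified"] = auth.user_logout("device-1234")
    results["online_after_client_logout"] = ("alice" in web.online, "alice" in desk.online)
    return results
```

The distinction the claims draw matters for revocation: after the C/S application logs the user out, the B/S application's token must still verify, while after the last associated application goes offline nothing tied to the session may verify. Keeping the token table on the authentication server makes both outcomes immediate; if the application token were a self-contained signed token instead, the target server would also need a revocation lookup or a short token lifetime, since clearing the token on the authentication server alone would not stop a copy from verifying.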
One aspect of the embodiments of the present invention further provides a single sign-on apparatus, configured to be used in an authentication server; the device comprises:
the receiving module is used for receiving request information which is sent by the terminal equipment through the authentication client program and is used for requesting the application token; the authentication client is arranged in the terminal equipment and used for intercepting an access request of a user in the terminal equipment and applying for the application token based on the access request, and the application token is used for indicating that the user passes identity authentication and has access right;
the determining module is used for judging whether the user passes the identity authentication according to the request information and determining whether the application token is issued according to a judgment result; and
the issuing module, configured to issue the application token and return it to the authentication client program if the user passes identity authentication, so that the authentication client program forwards the access request and the application token to a target server and the target server performs the login according to the access request and the application token.
An aspect of the embodiments of the present invention further provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the single sign-on method as described above when executing the computer program.
An aspect of the embodiments of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the single sign-on method as described above.
One aspect of the embodiments of the present invention further provides a single sign-on system, where the system includes a terminal device, an authentication server, and a target server; the terminal equipment is internally provided with an authentication client program and a plurality of application programs; wherein:
the terminal device is used for executing the following operations through the authentication client program: intercepting an access request sent by a user through a target application program, wherein the target application program is any one of a plurality of application programs, and the plurality of application programs comprise a browser and an application client program; sending request information for applying an application token to the authentication server, wherein the application token is used for indicating that the user passes identity authentication and has access right;
the authentication server is used for issuing the application token according to the request information and returning the application token to the authentication client program;
the terminal device is further configured to forward the access request and the application token to the target server through an authentication client program;
the target server is used for receiving the access request and the application token forwarded by the authentication client program and executing a response aiming at the access request based on the application token, wherein the response comprises the login approval or the login rejection.
Optionally, the request information includes a unique identification code associated with the terminal device;
the authentication server is further configured to: retrieve a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determine that the user has passed identity authentication, issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program; the user authentication session is used for maintaining the authentication information and identity information of the user.
Optionally, the request information includes a unique identification code associated with the terminal device;
the authentication server is further configured to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user does not pass identity authentication and returning an unauthenticated message to the authentication client program; the unauthenticated message is used for indicating that the user fails to pass identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
the terminal device is further configured to, by the authentication client program: receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message; receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server;
the authentication server is further configured to: verifying the user according to the identity authentication information; if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program; the authentication success message is used for indicating that the user passes identity authentication;
the terminal device is further configured to, by the authentication client program: applying for the application token again to an authentication server based on the authentication success message;
the authentication server is further configured to, in response to the reapplication by the authentication client: if the user authentication session has been created, determine that the user has passed identity authentication, issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program.
Optionally, the terminal device is further configured to, through the authentication client: receive a logout operation for the user, log out the user based on the logout operation and send a user logout notification to the authentication server;
the authentication server is further configured to respond to the user logout notification by performing at least one of the following: deregistering the user authentication session, clearing the application token, and sending a user offline notification to the target server so that the target server takes the user offline.
Optionally, the terminal device is further configured to, through the target application: receive a logout operation for the user and, in response to the logout operation, generate a notification message indicating that the user is offline and send the notification message to the target server;
the target server is further configured to: take the user offline based on the notification message and send a user offline notification to the authentication server;
the authentication server, in response to the user offline notification: deregisters or updates the user authentication session, and clears the application token.
Optionally, the user authentication session is associated with one or more application server programs in the target server, and deregistering or updating the user authentication session includes:
if the user authentication session is associated with a single application server program in the target server, deregistering the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from one target application server program among the plurality taking the user offline, updating the user authentication session so as to delete the association information of that target application server program from the user authentication session.
The single sign-on method, apparatus, computer device, computer-readable storage medium and single sign-on system manage, through the authentication client program, the identity authentication of both the browser under the B/S architecture and the application client program under the C/S architecture, realize authentication information transfer and mutual trust between applications of the two different architectures, and solve the problems that C/S applications and B/S applications cannot share identity authentication information and cannot realize single sign-on.
Drawings
Fig. 1 schematically shows a system architecture diagram of a single sign-on system according to a first embodiment of the present invention;
FIG. 2 shows the login process in the case where the user has not passed identity authentication;
FIG. 3 shows the login process in the case where the user has already been authenticated;
FIG. 4 is a flow chart of a user going offline through the authentication client program;
FIG. 5 is a flow chart of a user going offline through a target application;
fig. 6 schematically shows a flow chart of a single sign-on method according to a second embodiment of the invention;
FIG. 7 schematically illustrates a flow chart of a single sign-on method according to a third embodiment of the invention;
FIG. 8 schematically illustrates a block diagram of a single sign-on apparatus according to a fourth embodiment of the invention;
FIG. 9 schematically illustrates a block diagram of a single sign-on apparatus, according to an embodiment of the invention; and
fig. 10 schematically shows a hardware architecture diagram of a computer device suitable for implementing the single sign-on method according to a sixth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the descriptions relating to "first", "second", etc. in the embodiments of the present invention are only for descriptive purposes and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
In the description of the present invention, it should be understood that the numerical references before the steps do not identify the order of performing the steps, but merely serve to facilitate the description of the present invention and to distinguish each step, and thus should not be construed as limiting the present invention.
With respect to single sign-on technology, the inventors have appreciated that:
the existing single sign-on technology is applied to a Web application system of a B/S (Browser/Server) architecture, is limited to implement single sign-on identity authentication between a plurality of Web applications, and cannot support the single sign-on technology of different technical architectures, such as a C/S (Client/Server) application and a B/S application, at the same time.
Various embodiments are provided below, which can be used to address the single sign-on deficiencies described above.
The following are explanations of terms involved in the present invention:
B/S application: a web application of the B/S (Browser/Server) architecture. A user accesses a web page through the browser on the terminal to complete various operations. The B/S application comprises a B/S application page running in the browser of the terminal device and a B/S application server program running on a server (background). The user accesses the B/S application server program through the B/S application page.
C/S application: an application of the C/S (Client/Server) architecture. The user completes various operations through the interface provided by a client on the terminal. The C/S application comprises a C/S application client program running on the terminal device and a C/S application server program running on a server (background). The user accesses the C/S application server program through the C/S application client program.
The invention aims to provide a scheme that supports identity authentication for both C/S applications and B/S applications so as to realize single sign-on, solving the problems that C/S applications and B/S applications cannot share identity authentication information and cannot realize single sign-on. The principle is as follows:
An authentication client program is installed on the terminal device. It intercepts each application access request of the user (for both B/S and C/S applications) and performs identity authentication, application for an application token and so on with the authentication server. If the authentication client program obtains an application token issued by the authentication server, it forwards the application token together with the application access request to the target server. The target server verifies the application token with the authentication server and, if the verification passes, obtains the user identity information, which completes the user's online process. If the authentication client program does not obtain an application token from the authentication server, the application access request is blocked.
FIG. 1 schematically shows a system architecture diagram of a single sign-on system according to an embodiment of the invention.
In an exemplary embodiment, as shown in fig. 1, the terminal device 2 may be communicatively connected to an authentication server 4 and a target server 6. The target server 6 may be a B/S application server or a C/S application server.
The terminal device 2 is provided with a browser 2A of the B/S architecture, an application client program 2B of the C/S architecture, and an authentication client program 2C. The terminal device 2 may be any type of terminal device, such as a mobile device, tablet device, laptop computer, virtual reality headset, gaming device, set-top box, reader, vehicle terminal, smart television, and the like.
The authentication client program 2C is the client component of the authentication service and interacts with the authentication server 4 through an authentication interface. It runs continuously as a background daemon process of the terminal device 2; on the one hand it interacts with the authentication server 4, and on the other hand it provides a user interface for login authentication interaction with the user. Its functions are as follows: (1) Flow interception: intercepting the user's access requests (for both B/S and C/S applications) to ensure that an access request can only be sent out, with an application token, after identity authentication has been performed; otherwise the access request is refused and the access is forbidden. (2) User authentication: if the user is not authenticated, a user authentication interface is provided, the account and password entered by the user are received through it and submitted to the authentication server 4, which performs the user identity authentication. (3) Applying for an application token: an application token is requested from the authentication server 4, which returns the application token if it determines that the user is authenticated. The application token represents the right to access an application (either a C/S application or a B/S application in the target server 6). (4) User logout: the user actively logs out through the authentication client program 2C, and the authentication client program 2C informs the authentication server 4 that the user has logged out.
(5) Traffic forwarding: the access request and the application token obtained for it are forwarded together to the target server 6, so that the access request reaches the target server 6.
The authentication server 4 provides the identity authentication service and implements the core business logic of user identity authentication. The authentication server 4 stores and maintains the identity authentication information of each user. After the user passes identity authentication through one application program, the authentication server 4 records and maintains the user's identity authentication session information, so that when the user accesses it through other application programs, those programs can obtain the corresponding identity authentication information; the user therefore authenticates once and the other application programs share the identity authentication information, which realizes single sign-on. The authentication server 4 mainly provides an externally callable RESTful (Representational State Transfer) interface and a WebService interface, and can provide a Web management page for convenient management. The authentication server 4 may provide the following functions: (1) User identity authentication: authenticating the account and password submitted by the user to complete verification of the user identity. (2) Creating and maintaining a user authentication session: establishing and maintaining a user authentication session for a user who has passed identity authentication, and associating the user authentication session with the application token, so that the user's authentication information and application access state are maintained through the user authentication session during the user's access. (3) Issuing an application token: an application token is issued for application access by the authenticated user.
The user authentication session comprises: account number, ID of the authentication session, validity period of the authentication session, session time, state and associated application token ID. The identity information comprises basic information such as account number, name, mailbox, telephone and state. The application token information comprises: application token ID, state, application identification, application address, validity period, associated authentication session ID, signature information of the authentication server on the token, and the like.
The authentication server 4 provides the following service interfaces: (1) a user authentication interface: receives the account and password submitted by the authentication client program 2C to complete user identity authentication; (2) an application token application interface: receives an application token application submitted by the authentication client program 2C, and issues an application token for application access by the authenticated user; (3) an application token validation interface: receives an application token verification message sent by the target server 6, and returns the user identity information if the verification succeeds; (4) a user logout interface: receives a user logout notice submitted by the authentication client program 2C or by the application server program, and takes the user offline.
The target server 6 may include a B/S server and a C/S server. The B/S server runs a B/S application server program and the C/S server runs a C/S application server program; both respond to access requests sent by the terminal device 2 and return response data, such as page data, to the terminal device 2.
The authentication server 4 and the target server 6 may each be a rack server, a blade server, a tower server, or the like, and may be an independent server or a server cluster composed of a plurality of servers.
Example one
With continued reference to fig. 1, a single sign-on system is provided below. The single sign-on system includes: the terminal device 2, the authentication server 4 and the target server 6. The target server 6 may include a B/S server and/or a C/S server. The terminal device 2 has built into it the authentication client program 2C, a plurality of application programs, and the like.
The terminal device 2 is configured to perform the following operations through the authentication client program 2C: intercepting an access request sent by a user through a target application program, wherein the target application program is any one of a plurality of application programs, and the plurality of application programs comprise the browser 2A and the application client program 2B; and sending request information for applying for an application token to the authentication server 4, wherein the application token is used for indicating that the user has passed identity authentication and has access right.
The authentication server 4 is configured to issue the application token according to the request information, and return the application token to the authentication client program 2C.
The terminal device 2 is further configured to forward the access request and the application token to the target server 6 through the authentication client program 2C.
the target server 6 is configured to receive the access request and the application token forwarded by the authentication client 2C, and execute a response to the access request based on the application token, where the response includes login approval or login rejection.
The single sign-on system provided by the embodiment of the invention has the following technical advantages: the identity authentication of the browser under the B/S architecture and of the application client program under the C/S architecture is managed through the authentication client program 2C and the authentication server 4, so that authentication information is transmitted and mutually trusted between applications of the two different architectures, and the problems that a C/S application and a B/S application cannot share identity authentication information and cannot realize single sign-on are solved.
(1) The user accesses the target server 6 for the first time through the browser 2A; the authentication client program 2C uniformly connects to the authentication server 4, and the authentication server 4 creates a user authentication session and issues an application token for the user.
(2) The user then accesses the target server 6 through the application client program 2B; the authentication client program 2C again uniformly connects to the authentication server 4 and sends request information for applying for an application token. According to the request information the authentication server 4 can detect the user authentication session created earlier for this user, issue an application token for this access, and thereby realize single sign-on without asking the user to enter authentication information again.
In addition, the invention can also provide other alternatives to optimize the technical effect of single sign-on, which are specifically as follows:
As an example, the request information comprises a unique identification code associated with the terminal device. The authentication server 4 is further configured to: retrieve a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determine that the user has passed identity authentication, issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program; the user authentication session is used for maintaining the authentication information and identity information of the user. In this embodiment, the user's authentication information in the authentication server 4 is retrieved by the unique identification code and it is determined whether the application token is issued, so that whether the application may log in to the target server 6 can be decided efficiently.
As an example, the request information comprises a unique identification code associated with the terminal device. The authentication server 4 is further configured to: retrieve a user authentication session associated with the unique identification code and, if the user authentication session is not retrieved, determine that the user has not passed identity authentication and return an unauthenticated message to the authentication client program; the unauthenticated message indicates that the user has not passed identity authentication, and the user authentication session is used for maintaining the authentication information and identity information of the user. The terminal device 2 is further configured, through the authentication client program, to: receive the unauthenticated message and display a login authentication interface based on it; and receive the entered identity authentication information through the login authentication interface and send it to the authentication server 4. The authentication server 4 is further configured to: verify the user according to the identity authentication information and, if the verification succeeds, establish the user authentication session and return an authentication success message to the authentication client program; the authentication success message indicates that the user has passed identity authentication. The terminal device 2 is further configured, through the authentication client program, to: apply for the application token again to the authentication server 4 based on the authentication success message.
The authentication server 4 is further configured, in response to the reapplication of the authentication client program, to: when the user authentication session has been established, judge that the user has passed identity authentication, determine to issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program. In this embodiment, the user's authentication information in the authentication server 4 is retrieved through the unique identification code, and once the user is authenticated a user authentication session is created in the authentication server 4; the user authentication session serves as the basis on which the user passed identity authentication and logged in, and also as the basis for subsequent logins of applications under other architectures, which improves the identity authentication efficiency and login efficiency of each application in the different architectures.
As an example: the terminal device 2 is further configured, through the authentication client program 2C, to: receive a logout operation for the user, log out the user based on the logout operation, and send a user logout notice to the authentication server 4. The authentication server 4 is further configured to respond to the user logout notice by performing at least one of the following operations: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server 6 so that the target server 6 takes the user offline. This embodiment provides a user offline scheme which realizes user offline efficiently and safely.
As an example: the terminal device 2 is further configured, through the target application program, to: receive a quit operation for the user and, in response to it, generate a notification message indicating that the user is going offline and send the notification message to the target server 6. The target server 6 is further configured to take the user offline based on the notification message and send a user offline notification to the authentication server 4. The authentication server 4, in response to the user offline notification, logs off or updates the user authentication session and clears the application token. This embodiment provides another user offline scheme, which also realizes user offline efficiently and safely.
As an example: the user authentication session is associated with one or more application server programs in the target server 6, and logging off or updating the user authentication session comprises: if the user authentication session is associated with a single application server program in the target server 6, logging off the user authentication session; or, if the user authentication session is associated with a plurality of application server programs in the target server 6 and the user offline notification results from the target application server program among them taking the user offline, updating the user authentication session to delete the association information of that target application server program from it. In this embodiment, authentication and login between one or more application programs in the terminal device 2 and one or more application server programs in the target server 6 are maintained through a single user authentication session, which improves login and maintenance efficiency.
In order to make the invention more comprehensible, several specific examples are provided below.
Case 1: as shown in fig. 2, the user logs in to the target server through the target application in the unauthenticated situation.
S200: the terminal device 2 initiates an access request through a built-in target application program.
The target application program can be a browser 2A under a B/S architecture or an application client program 2B under a C/S architecture.
S201: the terminal device 2 intercepts the access request through a built-in authentication client program 2C to check whether the user is authenticated.
S202: the authentication client program 2C sends request information for applying for an application token to the authentication server 4 through the authentication interaction interface.
S203: the authentication server 4 receives the request information and judges whether the user passes the identity authentication according to the request information.
The request information carries a unique identification code, such as the IMEI (International Mobile Equipment Identity) of the terminal device 2, a UDID (Unique Device Identifier), a MAC (Media Access Control) address, and the like.
Illustratively, the authentication server 4 searches whether it holds a user authentication session associated with the unique identification code; if such a session is found, the user is determined to have been authenticated, otherwise the user has not been authenticated.
S204: if the authentication server 4 determines that the user does not pass the identity authentication, an unauthenticated message is returned to the authentication client program 2C.
S205: the authentication client program 2C displays a login authentication interface on the terminal device 2 according to the unauthenticated message.
The login authentication interface comprises an account input interface, a password input interface and the like, and can also comprise a verification code input interface.
S206: the authentication client program 2C receives the entered account and password through the login authentication interface.
S207: the authentication client program 2C sends the account and the password to the authentication server 4 for identity verification.
S208: the authentication server 4 verifies the account and the password submitted by the authentication client program 2C.
If the verification is passed, the process proceeds to step S209.
And if the verification fails, returning error prompt information.
S209: the authentication server 4 creates a user authentication session for the user for maintaining authentication and identity information for the user.
The user authentication session may include: the user account, an identification (ID) of the authentication session, an authentication session validity period, the authentication session time, the authentication session state, and the application token ID associated with the user authentication session. The user authentication session is further associated with, or comprises, the unique identification code of the terminal device 2.
The identity information may include basic information such as the user account, name, mailbox, telephone and state.
The application token information may include: an application token ID, a state, an application identification, an application address, an application token validity period, an authentication session ID associated with the application token, signature information for authenticating the application token, and the like.
S210: after the user authentication session is created, the authentication server 4 returns an authentication success message to the authentication client program 2C.
S211: after receiving the authentication success message, the authentication client program 2C applies for the application token from the authentication server 4 again.
S212: the authentication server 4 receives the reapplication for the application token by the authentication client program 2C and, in response to the reapplication, judges whether the user has passed identity authentication.
S213: the authentication server 4 issues the application token when it is determined that the user has passed identity authentication, and establishes an association relationship between the application token and the user authentication session.
Establishing an association relationship: for example, an application token ID of the application token is added to the user authentication session.
S214: the authentication server 4 returns the application token to the authentication client program 2C.
S215: the authentication client program 2C receives the application token and forwards the access request carrying the application token to the target server 6. The access request carrying the application token consists of the application token and the intercepted access request.
S216: and the target server 6 receives and analyzes the access request carrying the application token to obtain the application token.
S217: the target server 6 sends the application token to the authentication server 4 to verify the application token.
S218: the authentication server 4 performs the verification operation on the application token. If the verification succeeds, step S219 is entered; otherwise an error message is returned to the target server 6. The error message indicates that the application token failed verification. The verification operation may include verifying the token signature, the validity period and the like of the application token.
S219: the authentication server 4 retrieves the user authentication session associated with the application token and, if the user authentication session is retrieved, obtains the user identity information associated with it based on the user authentication session. Step S220 is entered.
S220: the authentication server 4 returns the user identity information to the target server 6.
S221: and the target server 6 finishes the online of the user according to the user identity information and guides the user to enter an application interface.
Case 2: as shown in fig. 3, the user logs in to the target server through the target application in the authenticated situation. "authenticated" means that the authentication server 4 creates a user authentication session with the user, and the user authentication session is in a valid state.
S300: the terminal device 2 initiates an access request through a built-in target application program.
The target application program can be a browser 2A under a B/S architecture or an application client program 2B under a C/S architecture.
S301: the terminal device 2 intercepts the access request through a built-in authentication client program 2C to check whether the user is authenticated.
S302: the authentication client program 2C sends request information for applying for an application token to the authentication server 4 through the authentication interaction interface.
S303: the authentication server 4 receives the request information and, in response to it, searches whether it holds a user authentication session associated with the unique identification code carried in the request information.
S304: if a user authentication session associated with the unique identification code is retrieved, the authentication server 4 judges that the user has passed identity authentication, issues the application token, and establishes an association relationship between the application token and the user authentication session.
Establishing the association relationship: for example, the application token ID of the application token is added to the user authentication session.
S305: the authentication server 4 returns the application token to the authentication client program 2C.
S306: the authentication client program 2C receives the application token and forwards the access request carrying the application token to the target server 6. The access request carrying the application token consists of the application token and the intercepted access request.
S307: and the target server 6 receives and analyzes the access request carrying the application token to obtain the application token.
S308: the target server 6 sends the application token to the authentication server 4 to verify the application token.
S309: the authentication server 4 performs a verification operation on the application token. If the verification is successful, the step S310 is entered, otherwise, an error message is returned to the target server 6. The error information is used for indicating that the application token fails to verify. Wherein the verifying operation may include: verifying the token signature, validity period, etc. of the application token.
S310: the authentication server 4 retrieves a user authentication session associated with the application token, and if the user authentication session is retrieved, acquires user identity information associated with the user authentication session based on the user authentication session.
S311: the authentication server 4 returns the user identity information to the target server 6.
S312: and the target server 6 finishes the online of the user according to the user identity information and guides the user to enter an application interface.
Case 3: as shown in fig. 4, the user logs off the line in the target application 2A or 2B.
The terminal device 2 receives an exit instruction operated by the user on the GUI interface of the target application. The exit instruction comprises an instruction of exiting or closing a button triggered on the GUI interface or an instruction of exiting or closing a link.
The terminal device 2 sends the exit instruction to the target server 6.
S400: and the target server 6 logs out the user according to the exit instruction.
S401: the target server 6 clears the on-line information of the user in the target server 6 to implement the off-line of the user.
S402: the target server 6 sends a logoff notification of the user to the authentication server 4.
S403: the authentication server 4 receives the offline notification from the target server 6 and, in response to it: retrieves the user authentication session of the user and clears the application token issued to the user; and determines whether to keep the user authentication session. The authentication server 4 judges whether the user authentication session is associated with a plurality of application server programs; if so, the process proceeds to step S404, otherwise it proceeds to step S405.
S404: the user authentication session is associated with a plurality of application server programs. And if one application server program executes user offline, deleting the associated information of the application server program from the user authentication session, and continuously maintaining the associated information of other applications. The association information may be an identification of the application server program in the user authentication session.
S405: the user authentication session is associated with only one application server program. And if the application server program executes the user offline, logging off the user authentication session.
S406: the authentication server 4 sends a notification message indicating that the user has gone offline to the authentication client program 2C.
S407: the authentication client program 2C executes the user offline.
Case 4: as shown in fig. 5, the user logs off the line in the authentication client program 2C.
The authentication client program 2C receives an exit instruction input by the user.
The exit instruction comprises an instruction of exiting or closing a button triggered on the GUI interface or an instruction of exiting or closing a link.
S500: in response to the exit instruction, the authentication client program 2C logs out the user.
S501: a logout notification message indicating "user logout" is transmitted to the authentication server.
S502: in response to the logout notification message, the authentication server 4 logs out the user authentication session associated with the user.
S503: the authentication server 4 clears the application token issued for the user.
S504: a user offline notification is broadcast to the various applications in the target server 6.
S505: and the target server 6 logs off the user according to the user offline notification.
S506: and clearing the online information of the user to implement offline of the user.
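Cases 1 to 4 above, together with the four service interfaces of authentication server 4 listed earlier, modelled as an added Python example that is not part of the patent. The names (AuthServer, apply_token, offline_from_target and so on), the HMAC-SHA256 token signature, the PBKDF2 password store and the in-memory dict stores are assumptions; the patent only states that a token carries signature and validity-period information, and the sample user and device identifier in the comments are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthSession:
    session_id: str
    account: str
    device_id: str                  # unique identification code of terminal device 2
    expires_at: float
    token_ids: list = field(default_factory=list)   # associated application token IDs
    app_ids: set = field(default_factory=set)       # application server programs online


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """In-memory stand-in for authentication server 4 (assumed: one process, dict stores).
    A token is a dict (token_id, app_id, session_id, expires_at) plus an HMAC-SHA256 signature."""

    def __init__(self, signing_key: bytes, users: dict, session_ttl=3600, token_ttl=300):
        self.key, self.session_ttl, self.token_ttl = signing_key, session_ttl, token_ttl
        self.accounts, self.identities = {}, {}   # account -> (salt, digest) / identity
        for account, (password, identity) in users.items():   # constructed user store
            salt = secrets.token_bytes(16)
            self.accounts[account] = (salt, _digest(password, salt))
            self.identities[account] = identity
        self.sessions = {}      # session_id -> AuthSession
        self.by_device = {}     # unique identification code -> session_id
        self.tokens = {}        # token_id -> issued application token dict

    def _sign(self, t: dict) -> str:
        msg = f"{t.get('token_id')}|{t.get('app_id')}|{t.get('session_id')}|{t.get('expires_at')}"
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def _logoff_session(self, sess):
        for tid in sess.token_ids:                  # clear every token issued on this session
            self.tokens.pop(tid, None)
        self.sessions.pop(sess.session_id, None)
        if self.by_device.get(sess.device_id) == sess.session_id:
            del self.by_device[sess.device_id]

    # (1) user authentication interface (S207-S210): check credentials, create session
    def authenticate(self, account, password, device_id):
        rec = self.accounts.get(account)
        if rec is None or not hmac.compare_digest(rec[1], _digest(password, rec[0])):
            return None                             # error prompt information (S208)
        sess = AuthSession(secrets.token_hex(16), account, device_id, time.time() + self.session_ttl)
        self.sessions[sess.session_id] = sess
        self.by_device[device_id] = sess.session_id # retrievable by the unique identifier
        return sess.session_id                      # authentication success message (S210)

    # (2) application token application interface (S203/S303): look up session by device
    def apply_token(self, device_id, app_id):
        sess = self.sessions.get(self.by_device.get(device_id))
        if sess is None or sess.expires_at < time.time():
            return None                             # unauthenticated message (S204)
        tok = {"token_id": secrets.token_hex(16), "app_id": app_id,
               "session_id": sess.session_id, "expires_at": time.time() + self.token_ttl}
        tok["signature"] = self._sign(tok)
        self.tokens[tok["token_id"]] = dict(tok)
        sess.token_ids.append(tok["token_id"])      # bind token to the session (S213)
        sess.app_ids.add(app_id)
        return tok

    # (3) application token validation interface (S217-S220): signature, validity, session
    def validate_token(self, token: dict):
        stored = self.tokens.get(token.get("token_id"))
        if (stored is None or stored["expires_at"] < time.time()     # cleared or expired
                or not hmac.compare_digest(self._sign(token), str(token.get("signature")))):
            return None                             # or presented fields do not match signature
        sess = self.sessions.get(stored["session_id"])
        if sess is None or sess.expires_at < time.time():
            return None                             # session logged off or expired
        return dict(self.identities[sess.account])  # user identity information (S219/S220)

    # (4) user logout interface, Case 3 (S403-S405): offline notification from a target app
    def offline_from_target(self, app_id, token_id):
        tok = self.tokens.get(token_id)
        sess = self.sessions.get(tok["session_id"]) if tok else None
        if sess is None:
            return "unknown"
        for tid in [t for t in sess.token_ids if self.tokens[t]["app_id"] == app_id]:
            del self.tokens[tid]                    # clear tokens issued for this application
            sess.token_ids.remove(tid)
        sess.app_ids.discard(app_id)
        if sess.app_ids:
            return "updated"                        # other applications stay online (S404)
        self._logoff_session(sess)
        return "logged-off"                         # last application offline (S405)

    def logout_from_client(self, device_id):        # Case 4 (S502-S504): apps to notify
        sess = self.sessions.get(self.by_device.get(device_id))
        apps = sorted(sess.app_ids) if sess else []
        if sess:
            self._logoff_session(sess)
        return apps
```

The second apply_token call for a different application succeeds without a new login, which is the single sign-on behaviour of Case 2; a token whose app_id is altered fails validation because the signature covers that field.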
Example two
In the present embodiment, the terminal device 2 is taken as the execution subject for the description; for technical details and effects, reference may be made to embodiment one. The terminal device 2 has built into it an authentication client program and a plurality of application programs, including a browser and an application client program.
Fig. 6 schematically shows a flowchart of a single sign-on method according to a second embodiment of the invention.
As shown in fig. 6, the single sign-on method may include performing steps S600 to S604 by the authentication client program 2C, wherein:
step S600, an access request sent by a user through a target application program is intercepted, where the target application program is any one of the multiple application programs.
Step S602, obtaining an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right.
Step S604, forwarding the access request and the application token to a target server, so that the target server verifies the application token and executes a response to the access request according to the verification result, wherein the response comprises login approval or login rejection.
As an example, the obtaining an application token from an authentication server according to the access request includes:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server so that the authentication server: retrieves a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determines that the user has passed identity authentication, issues the application token, and returns the application token to the authentication client program; the user authentication session is used for maintaining authentication information and identity information of the user.
As an example, the obtaining an application token from an authentication server according to the access request includes:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server to cause the authentication server to: retrieve a user authentication session associated with the unique identification code and, if the user authentication session is not retrieved, determine that the user has not passed identity authentication and return an unauthenticated message to the authentication client program, the unauthenticated message indicating that the user has not passed identity authentication, and the user authentication session being used for maintaining the authentication information and identity information of the user;
receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message;
receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server so that the authentication server: verifies the user according to the identity authentication information, creates the user authentication session if the user verification succeeds, and returns an authentication success message to the authentication client program, the authentication success message indicating that the user has passed identity authentication; and
receiving the authentication success message, and reapplying to the authentication server for the application token so that the authentication server: if the user authentication session has been created, determines that the user has passed identity authentication, issues the application token in response to the reapplication, and returns the application token to the authentication client program.
As an example, the method further comprises performing, by the authentication client program, a user logoff operation:
receiving a logout operation for the user; and
in response to the logout operation, logging out the user and sending a user logout notification to the authentication server to cause the authentication server to: log off the user authentication session, clear the application token, and send a user offline notification to the target server so that the target server takes the user offline.
As an example, the method further comprises performing, by the target application program, a user logoff operation:
receiving a logout operation for the user; and
in response to the logout operation, generating a notification message indicating that the user is offline, and sending the notification message to the target server so that the target server performs at least one of the following operations: taking the user offline, and notifying the authentication server to log off or update the user authentication session and clear the application token.
Embodiment three
In the present embodiment, the authentication server 4 is taken as the execution subject for the description; for technical details and effects, reference may be made to embodiment one.
Fig. 7 schematically shows a flowchart of a single sign-on method according to the third embodiment of the present invention. Note that the single sign-on method provided in the third embodiment is described below with the authentication server 4 as the execution subject.
As shown in fig. 7, the single sign-on method may include steps S700 to S704, in which:
step S700, receiving request information, sent by the terminal device through the authentication client program, for requesting an application token; the authentication client program is arranged in the terminal device and is used for intercepting an access request of a user in the terminal device and applying for the application token based on the access request, and the application token is used for indicating that the user has passed identity authentication and has access right;
step S702, determining whether the user has passed identity authentication according to the request information, and determining whether to issue the application token according to the determination result; and
step S704, if the user has passed the identity authentication, issuing the application token, and returning the application token to the authentication client program, so that the authentication client program forwards the access request and the application token to a target server, so that the target server performs login according to the access request and the application token.
As an example, the request information comprises a unique identification code associated with the terminal device, and the determining whether the user has passed identity authentication according to the request information and determining whether to issue the application token according to the determination result comprises:
retrieving a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determining that the user has passed identity authentication and determining to issue the application token, the application token being bound to the user authentication session, and the user authentication session being used for maintaining the authentication information and identity information of the user.
As an example, the request information comprises a unique identification code associated with the terminal device, and the determining whether the user has passed identity authentication according to the request information and determining whether to issue the application token according to the determination result comprises:
retrieving a user authentication session associated with the unique identification code and, if the user authentication session is not retrieved, determining that the user has not passed identity authentication and returning an unauthenticated message to the authentication client program so that the authentication client program submits identity authentication information according to the unauthenticated message; the unauthenticated message indicates that the user has not passed identity authentication, and the user authentication session is used for maintaining the authentication information and identity information of the user;
receiving the identity authentication information submitted by the authentication client program;
verifying the user according to the identity authentication information;
if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program so that the authentication client program applies for the application token to the authentication server again based on the authentication success message; the authentication success message is used for indicating that the user passes identity authentication; and
in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determining that the user has been authenticated and determining to issue the application token, the application token being bound to the user authentication session.
As an example, the method further comprises:
receiving a user logout notification provided by the authentication client program; and
in response to the user logout notification: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server so that the target server takes the user offline.
As an example, the method further comprises:
receiving a user offline notification provided by the target server; and
in response to the user offline notification: logging off or updating the user authentication session, and clearing the application token.
As an example, the user authentication session is associated with one or more application server programs in the target server, and the logging off or updating the user authentication session comprises:
if the user authentication session is associated with one application server program in the target server, logging off the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from an offline operation performed on the user by a target application server program among the plurality of application server programs, updating the user authentication session so as to delete the association information of the target application server program from the user authentication session.
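The token issuance, re-application and logout handling of embodiments two and three, as an added in-memory model that is not the patent's own code. The class and function names, the callback by which the target server checks a token with the authentication server, and the sample credentials are assumptions made here for illustration.

```python
import secrets

class AuthServer:
    """Authentication server (embodiment three): sessions keyed by the terminal device's unique id."""
    def __init__(self, credentials):
        self._credentials = credentials  # constructed sample store: user -> password
        self._sessions = {}  # unique id -> {"user": ..., "apps": set of application server programs}
        self._tokens = {}    # application token -> (unique id, app) it is bound to
        self.target = None   # target server that receives user offline notifications

    def request_token(self, unique_id, app):
        """Steps S700-S704: retrieve the session; issue a bound token or report 'unauthenticated'."""
        session = self._sessions.get(unique_id)
        if session is None:
            return {"status": "unauthenticated"}
        session["apps"].add(app)
        token = secrets.token_urlsafe(32)  # opaque and unguessable; its meaning lives only in _tokens
        self._tokens[token] = (unique_id, app)
        return {"status": "ok", "token": token}

    def authenticate(self, unique_id, user, password):
        """Verify the submitted identity information; create the user authentication session on success."""
        if not secrets.compare_digest(self._credentials.get(user, ""), password):
            return {"status": "failed"}
        self._sessions[unique_id] = {"user": user, "apps": set()}
        return {"status": "authenticated"}

    def verify_token(self, token):  # assumed callback used by the target server to verify a token
        binding = self._tokens.get(token)
        return binding if binding and binding[0] in self._sessions else None

    def _clear_tokens(self, unique_id, app=None):  # all tokens of the terminal, or only one app's
        self._tokens = {t: b for t, b in self._tokens.items()
                        if not (b[0] == unique_id and app in (None, b[1]))}

    def logout(self, unique_id):
        """User logout notification from the authentication client: log off, clear tokens, offline user."""
        session = self._sessions.pop(unique_id, None)
        if session is not None:
            self._clear_tokens(unique_id)
            for app in session["apps"]:
                self.target.offline_user(unique_id, app)

    def user_offline(self, unique_id, app):
        """User offline notification from the target server: log off the session, or only update it."""
        session = self._sessions.get(unique_id)
        if session is None:
            return
        self._clear_tokens(unique_id, app)
        if session["apps"] <= {app}:        # this was the session's only application server program
            del self._sessions[unique_id]
        else:
            session["apps"].discard(app)    # other apps still use the session: drop one association

class TargetServer:
    """Hosts the application server programs; verifies tokens and tracks who is online."""
    def __init__(self, auth):
        self._auth = auth
        auth.target = self   # register for user offline notifications
        self.online = set()  # (unique id, app) pairs currently logged in

    def handle_access(self, request, token):
        binding = self._auth.verify_token(token)
        if binding is None or binding[1] != request["app"]:  # token must be bound to the requested app
            return "login rejected"
        self.online.add(binding)
        return "login approved"

    def offline_user(self, unique_id, app):
        self.online.discard((unique_id, app))

    def app_logout(self, unique_id, app):  # logout issued from the target application program
        self.offline_user(unique_id, app)
        self._auth.user_offline(unique_id, app)

def client_access(unique_id, auth, target, request, login_ui):
    """Authentication client program, steps S600-S604: intercept, obtain a token, forward both."""
    reply = auth.request_token(unique_id, request["app"])
    if reply["status"] == "unauthenticated":
        user, password = login_ui()  # login authentication interface
        if auth.authenticate(unique_id, user, password)["status"] != "authenticated":
            return "login rejected"
        reply = auth.request_token(unique_id, request["app"])  # reapply for the application token
    return target.handle_access(request, reply["token"])

def run_demo():
    """Constructed walkthrough: first login, SSO into a second app, per-app logout, full logout."""
    auth = AuthServer({"alice": "s3cret"})
    target = TargetServer(auth)
    prompts = []
    login_ui = lambda: prompts.append(1) or ("alice", "s3cret")  # records each time the login UI is shown
    dev = "device-001"
    out = [client_access(dev, auth, target, {"app": "mail"}, login_ui)]     # no session: login shown
    out.append(client_access(dev, auth, target, {"app": "wiki"}, login_ui))  # session found: no login
    target.app_logout(dev, "mail")  # logging out of one app only updates the session
    out.append((dev, "wiki") in target.online)
    auth.logout(dev)  # logout via the authentication client
    out.append(client_access(dev, auth, target, {"app": "wiki"}, login_ui))  # session gone: login again
    out.append(len(prompts))
    return out
```

Because every token is bound to a session and to one application server program, a token cleared by either logout path is rejected by the target server even if it is presented again.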
Embodiment four
Fig. 8 schematically illustrates a block diagram of a single sign-on apparatus according to the fourth embodiment of the invention. The single sign-on apparatus is partitioned into program modules, one or more of which are stored in a storage medium and executed by a processor to implement the embodiments of the invention. The program modules referred to in the embodiments of the present invention are series of computer program instruction segments that perform specific functions; the following description specifically describes the functions of the program modules in the embodiments. The single sign-on apparatus 800 is used in the terminal device 2, which has an authentication client program and a plurality of application programs, including a browser and an application client program, built in.
As shown in fig. 8, the single sign-on device 800 may include an authentication sign-on module 810. Wherein:
an authentication login module 810, configured to perform the following operations by the authentication client:
intercepting an access request sent by a user through a target application program, wherein the target application program is any one of the plurality of application programs;
acquiring an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right; and
forwarding the access request and the application token to a target server to cause the target server to: verify the application token and execute a response to the access request according to the verification result, the response comprising login approval or login rejection.
Optionally, the authentication login module 810 is further configured to:
generate request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device; and
send the request information to the authentication server to cause the authentication server to: retrieve a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determine that the user has passed identity authentication, issue the application token, and return the application token to the authentication client program; the user authentication session is used for maintaining the authentication information and identity information of the user.
Optionally, the authentication login module 810 is further configured to:
generate request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
send the request information to the authentication server to cause the authentication server to: retrieve a user authentication session associated with the unique identification code and, if the user authentication session is not retrieved, determine that the user has not passed identity authentication and return an unauthenticated message to the authentication client program, the unauthenticated message indicating that the user has not passed identity authentication, and the user authentication session being used for maintaining the authentication information and identity information of the user;
receive the unauthenticated message, and display a login authentication interface based on the unauthenticated message;
receive input identity authentication information through the login authentication interface, and send the identity authentication information to the authentication server so that the authentication server: verifies the user according to the identity authentication information, creates the user authentication session if the user verification succeeds, and returns an authentication success message to the authentication client program, the authentication success message indicating that the user has passed identity authentication; and
receive the authentication success message, and reapply to the authentication server for the application token so that the authentication server: if the user authentication session has been created, determines that the user has passed identity authentication, issues the application token in response to the reapplication, and returns the application token to the authentication client program.
Optionally, the apparatus 800 further includes a logoff module configured to perform, by the authentication client program, a user logoff operation:
receiving a logout operation for the user; and
in response to the logout operation, logging out the user and sending a user logout notification to the authentication server to cause the authentication server to: log off the user authentication session, clear the application token, and send a user offline notification to the target server so that the target server takes the user offline.
Optionally, the apparatus 800 further includes a logoff module configured to perform, by the target application program, a user logoff operation:
receiving a logout operation for the user; and
in response to the logout operation, generating a notification message indicating that the user is offline, and sending the notification message to the target server so that the target server performs at least one of the following operations: taking the user offline, and notifying the authentication server to log off or update the user authentication session and clear the application token.
Embodiment five
Fig. 9 schematically illustrates a block diagram of a single sign-on apparatus according to the fifth embodiment of the invention. The single sign-on apparatus is partitioned into program modules, one or more of which are stored in a storage medium and executed by a processor to implement the embodiments of the invention. The program modules referred to in the embodiments of the present invention are series of computer program instruction segments that perform specific functions; the following description specifically describes the functions of the program modules in the embodiments. The single sign-on apparatus 900 is used in the authentication server 6, and the plurality of application programs include a browser and an application client program.
As shown in fig. 9, the single sign-on apparatus 900 may include a receiving module 910, a determining module 920, and an issuing module 930. Wherein:
a receiving module 910, configured to receive request information, sent by a terminal device through an authentication client program, for requesting an application token; the authentication client program is arranged in the terminal device and is used for intercepting an access request of a user in the terminal device and applying for the application token based on the access request, and the application token is used for indicating that the user has passed identity authentication and has access right;
a determining module 920, configured to determine whether the user passes identity authentication according to the request information, and determine whether to issue the application token according to a determination result; and
an issuing module 930, configured to issue the application token if the user has been authenticated, and return the application token to the authentication client program, so that the authentication client program forwards the access request and the application token to a target server, so that the target server performs login according to the access request and the application token.
Optionally, the request information includes a unique identification code associated with the terminal device; the determining module 920 is further configured to:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determining that the user has passed identity authentication and determining to issue the application token, the application token being bound to the user authentication session, the user authentication session being used to maintain authentication information and identity information of the user.
Optionally, the request information includes a unique identification code associated with the terminal device; the determining module 920 is further configured to:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, judging that the user does not pass identity authentication and returning an unauthenticated message to the authentication client program so that the authentication client program submits identity authentication information according to the unauthenticated message; the unauthenticated message is used for indicating that the user fails to pass identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the identity authentication information submitted by the authentication client program;
verifying the user according to the identity authentication information;
if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program, so that the authentication client program applies for the application token to the authentication server again based on the authentication success message; the authentication success message is used for indicating that the user passes identity authentication; and
in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determining that the user has been authenticated and determining to issue the application token, the application token being bound to the user authentication session.
Optionally, the apparatus further comprises an offline module configured to:
receive a user logout notification provided by the authentication client program; and
in response to the user logout notification: log off the user authentication session, clear the application token, and send a user offline notification to the target server so that the target server takes the user offline.
Optionally, the apparatus further comprises an offline module configured to:
receive a user offline notification provided by the target server; and
in response to the user offline notification: log off or update the user authentication session, and clear the application token.
Optionally, the user authentication session is associated with one or more application server programs in the target server, and the offline module is further configured to:
if the user authentication session is associated with one application server program in the target server, log off the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from an offline operation performed on the user by a target application server program among the plurality of application server programs, update the user authentication session so as to delete the association information of the target application server program from the user authentication session.
Embodiment six
Fig. 10 schematically shows a hardware architecture diagram of a computer device 10000 suitable for implementing a single sign-on method according to the sixth embodiment of the present invention. The computer device 10000 may function as any one of the terminal device 2, the authentication server 4, and the target server 6. In this embodiment, the computer device 10000 is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions. For example, the computer device 10000 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server or a rack server (including an independent server or a server cluster composed of a plurality of servers), a gateway, and the like. As shown in fig. 10, the computer device 10000 includes at least, but is not limited to: a memory 10010, a processor 10020, and a network interface 10030, which may be communicatively linked to each other via a system bus. Wherein:
the memory 10010 includes at least one type of computer-readable storage medium, including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read-Only Memory (ROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Programmable Read-Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 10010 may be an internal storage module of the computer device 10000, such as a hard disk or a memory of the computer device 10000. In other embodiments, the memory 10010 may also be an external storage device of the computer device 10000, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card, or the like, provided on the computer device 10000. Of course, the memory 10010 may also include both internal and external storage modules of the computer device 10000. In this embodiment, the memory 10010 is generally used for storing an operating system and various application software installed in the computer device 10000, such as the program code of the single sign-on method. In addition, the memory 10010 can also be used to temporarily store various types of data that have been output or are to be output.
The processor 10020 may in some embodiments be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor, or another data processing chip. The processor 10020 is generally configured to control the overall operation of the computer device 10000, such as performing control and processing related to data interaction or communication with the computer device 10000. In this embodiment, the processor 10020 is configured to execute program code stored in the memory 10010 or to process data.
The network interface 10030 may comprise a wireless network interface or a wired network interface, and is generally used to establish a communication link between the computer device 10000 and other computer devices. For example, the network interface 10030 is used to connect the computer device 10000 to an external terminal through a network, to establish a data transmission channel and a communication link between the computer device 10000 and the external terminal, and the like. The network may be an intranet, the Internet, a Global System for Mobile communication (GSM) network, a Wideband Code Division Multiple Access (WCDMA) network, a 4G network, a 5G network, Bluetooth, Wi-Fi, or another wireless or wired network.
It should be noted that fig. 10 only illustrates a computer device having the components 10010 to 10030, but it is to be understood that not all illustrated components are required and that more or fewer components may be implemented instead.
In this embodiment, the single sign-on method stored in the memory 10010 can be further divided into one or more program modules, and executed by a processor (in this embodiment, the processor 10020) to implement the embodiment of the present invention.
Embodiment seven
The present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the single sign-on method of an embodiment.
In this embodiment, the computer-readable storage medium includes a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the computer readable storage medium may be an internal storage unit of the computer device, such as a hard disk or a memory of the computer device. In other embodiments, the computer readable storage medium may be an external storage device of the computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the computer device. Of course, the computer-readable storage medium may also include both internal and external storage devices of the computer device. In this embodiment, the computer-readable storage medium is generally used for storing an operating system and various types of application software installed in the computer device, for example, the program code of the single sign-on method in the embodiment, and the like. Further, the computer-readable storage medium may also be used to temporarily store various types of data that have been output or are to be output.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases, the steps shown or described may be performed in an order different from that described herein. They may also be separately fabricated as individual integrated circuit modules, or several of them may be fabricated as a single integrated circuit module. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (18)

1. A single sign-on method, applied to a terminal device, characterized in that an authentication client program and a plurality of application programs are arranged in the terminal device, the application programs comprising a browser and an application client program; the method comprises the following steps:
performing, by the authentication client program:
intercepting an access request sent by a user through a target application program, wherein the target application program is any one of the plurality of application programs;
acquiring an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right; and
forwarding the access request and the application token to a target server to cause the target server to: verifying the application token and executing a response to the access request according to a verification result, wherein the response comprises login approval or login rejection;
wherein the obtaining an application token from an authentication server according to the access request comprises:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server to cause the authentication server to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user fails the identity authentication and returning an unauthenticated message to the authentication client program, wherein the unauthenticated message is used for indicating that the user fails the identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message;
receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server so that the authentication server: verifying the user according to the identity authentication information, creating the user authentication session under the condition that the user authentication is successful, and returning an authentication success message to the authentication client program, wherein the authentication success message is used for indicating that the user passes the identity authentication; and
receiving the authentication success message, and reapplying to the authentication server for the application token so that the authentication server: if the user authentication session has been created, determines that the user has passed identity authentication, issues the application token in response to the reapplication, and returns the application token to the authentication client program.
2. The single sign-on method of claim 1, wherein obtaining the application token from the authentication server in accordance with the access request comprises:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server to cause the authentication server to: retrieve a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determine that the user has passed identity authentication, issue the application token, and return the application token to the authentication client program; the user authentication session is used for maintaining the authentication information and identity information of the user.
3. The single sign-on method of claim 1 or 2, further comprising performing, by the authentication client, a user logoff operation:
receiving an exit operation for the user; and
in response to the logout operation, logging out the user and sending a user logout notification to the authentication server to cause the authentication server to: log off the user authentication session, clear the application token, and send a user offline notification to the target server so that the target server takes the user offline.
4. The single sign-on method of claim 1 or 2, further comprising performing, by the target application, a user logoff operation:
receiving an exit operation for the user; and
in response to the logout operation, generating a notification message indicating that the user is offline, and sending the notification message to the target server so that the target server performs at least one of the following operations: taking the user offline, and notifying the authentication server to log off or update the user authentication session and clear the application token.
5. A single sign-on device, applied to a terminal device, characterized in that an authentication client program and a plurality of application programs are arranged in the terminal device, the application programs comprising a browser and an application client program; the device comprises:
an authentication login module, configured to perform the following operations by the authentication client:
intercepting an access request sent by a user through a target application program, wherein the target application program is any one of the plurality of application programs;
acquiring an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right; and
forwarding the access request and the application token to a target server to cause the target server to: verifying the application token and executing a response to the access request according to a verification result, wherein the response comprises login approval or login rejection;
wherein the obtaining an application token from an authentication server according to the access request comprises:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server to cause the authentication server to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user fails the identity authentication and returning an unauthenticated message to the authentication client program, wherein the unauthenticated message is used for indicating that the user fails the identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message;
receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server so that the authentication server: verifying the user according to the identity authentication information, creating the user authentication session under the condition that the user authentication is successful, and returning an authentication success message to the authentication client program, wherein the authentication success message is used for indicating that the user passes the identity authentication; and
receiving the authentication success message, and reapplying to the authentication server for the application token to cause the authentication server to: in a case where the user authentication session has been created, determine that the user has passed identity authentication, issue the application token in response to the reapplication, and return the application token to the authentication client program.
6. A single sign-on method for use in an authentication server, the method comprising:
receiving request information which is sent by terminal equipment through an authentication client program and used for requesting an application token; the authentication client is arranged in the terminal equipment and used for intercepting an access request of a user in the terminal equipment and applying for the application token based on the access request, and the application token is used for indicating that the user passes identity authentication and has access right;
judging whether the user passes identity authentication according to the request information, and determining whether to issue the application token according to a judgment result; and
if the user passes identity authentication, the application token is issued, and the application token is returned to the authentication client program, so that the authentication client program forwards the access request and the application token to a target server, and the target server executes login according to the access request and the application token;
the request information comprises a unique identification code associated with the terminal device;
wherein the judging whether the user passes identity authentication according to the request information and determining whether to issue the application token according to the judgment result comprises:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, judging that the user does not pass identity authentication and returning an unauthenticated message to the authentication client program so that the authentication client program submits identity authentication information according to the unauthenticated message; the unauthenticated message is used for indicating that the user fails to pass identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the identity authentication information submitted by the authentication client program;
verifying the user according to the identity authentication information;
if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program so that the authentication client program applies for the application token to the authentication server again based on the authentication success message; the authentication success message is used for indicating that the user passes identity authentication; and
in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determining that the user has been authenticated and determining to issue the application token, the application token being bound to the user authentication session.
7. The single sign-on method of claim 6, wherein the request information includes a unique identification code associated with the terminal device; the judging whether the user passes the identity authentication according to the request information and determining whether to issue the application token according to the judging result comprises the following steps:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determining that the user has passed identity authentication and determining to issue the application token, the application token being bound to the user authentication session, the user authentication session being used to maintain authentication information and identity information of the user.
8. The single sign-on method of claim 6 or 7, further comprising:
receiving a user logout notification provided by the authentication client program; and
in response to the user logout notification: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server to enable the target server to offline the user.
9. The single sign-on method of claim 6 or 7, further comprising:
receiving a user offline notification provided by the target server; and
in response to the user offline notification: logging off or updating the user authentication session, and clearing the application token.
10. The single sign-on method of claim 9, wherein the user authentication session is associated with one or more application server programs in the target server, and wherein the logging off or updating the user authentication session comprises:
if the user authentication session is associated with an application server program in the target server, logging off the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from an offline operation on the user by a target application server program among the plurality of application server programs, updating the user authentication session to delete the association information of the target application server program from the user authentication session.
11. A single sign-on apparatus for use in an authentication server, the apparatus comprising:
the receiving module is used for receiving request information which is sent by the terminal equipment through the authentication client program and is used for requesting the application token; the authentication client is arranged in the terminal equipment and used for intercepting an access request of a user in the terminal equipment and applying for the application token based on the access request, and the application token is used for indicating that the user passes identity authentication and has access right;
the determining module is used for judging whether the user passes the identity authentication according to the request information and determining whether the application token is issued according to a judgment result; and
the issuing module is used for issuing the application token and returning the application token to the authentication client program if the user passes identity authentication, so that the authentication client program can forward the access request and the application token to a target server, and the target server can log in according to the access request and the application token;
the request information comprises a unique identification code associated with the terminal device;
wherein the determining module is further configured to:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, judging that the user does not pass identity authentication and returning an unauthenticated message to the authentication client program so that the authentication client program submits identity authentication information according to the unauthenticated message; the unauthenticated message is used for indicating that the user fails to pass identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the identity authentication information submitted by the authentication client program;
verifying the user according to the identity authentication information;
if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program, so that the authentication client program applies for the application token to the authentication server again based on the authentication success message; the authentication success message is used for indicating that the user passes identity authentication; and
in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determining that the user has been authenticated and determining to issue the application token, the application token being bound to the user authentication session.
12. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the computer program is configured to perform the steps of the single sign-on method of any one of claims 1 to 4 and 6 to 10.
13. A computer-readable storage medium having stored thereon a computer program executable by at least one processor to cause the at least one processor to perform the steps of the single sign-on method of any one of claims 1 to 4 and 6 to 10.
14. A single sign-on system, comprising a terminal device, an authentication server and a target server; an authentication client program and a plurality of application programs being provided in the terminal device; wherein:
the terminal device is used for executing the following operations through the authentication client program: intercepting an access request sent by a user through a target application program, wherein the target application program is any one of a plurality of application programs, and the plurality of application programs comprise a browser and an application client program; sending request information for applying an application token to the authentication server, wherein the application token is used for indicating that the user passes identity authentication and has access right;
the authentication server is used for issuing the application token according to the request information and returning the application token to the authentication client program;
the terminal device is further configured to forward the access request and the application token to the target server through an authentication client program;
the target server is used for receiving the access request and the application token forwarded by the authentication client program and executing a response aiming at the access request based on the application token, wherein the response comprises login approval or login rejection;
the request information comprises a unique identification code associated with the terminal device;
the authentication server is further configured to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user does not pass identity authentication and returning an unauthenticated message to the authentication client program; the unauthenticated message is used for indicating that the user fails to pass identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
the terminal device is further configured to, by the authentication client program: receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message; receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server;
the authentication server is further configured to: verifying the user according to the identity authentication information; if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program; the authentication success message is used for indicating that the user passes identity authentication;
the terminal device is further configured to, by the authentication client program: applying for the application token again to an authentication server based on the authentication success message;
the authentication server is further configured to, in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determine that the user has passed identity authentication and determine to issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program.
15. The single sign-on system of claim 14, wherein the request message includes a unique identification code associated with the terminal device;
the authentication server is further configured to: retrieve a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determine that the user has passed identity authentication, issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program; the user authentication session is used for maintaining authentication information and identity information of the user.
16. The single sign-on system of claim 14 or 15, wherein:
the terminal device is further configured to, by the authentication client program: receive a logout operation for the user, log out the user based on the logout operation, and send a user logout notification to the target server;
the authentication server is further configured to respond to the user logout notification and perform at least one of the following operations: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server to enable the target server to offline the user.
17. The single sign-on system of claim 14 or 15, wherein:
the terminal device is further configured to, by the target application: receiving a quitting operation aiming at the user, responding to the quitting operation, generating a notification message for indicating that the user is offline, and sending the notification message to the target server;
the target server is further configured to: the user is offline based on the notification message, and a user offline notification is sent to the authentication server;
the authentication server is further configured to, in response to the user offline notification: log off or update the user authentication session, and clear the application token.
18. A single sign-on system according to claim 17, wherein the user authentication session is associated with one or more application server programs in the target server, and wherein said logging off or updating the user authentication session comprises:
if the user authentication session is associated with an application server program in the target server, logging off the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from an offline operation on the user by a target application server program among the plurality of application server programs, updating the user authentication session to delete the association information of the target application server program from the user authentication session.
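The authentication-server flow of claims 6 to 10 and the terminal-side apply / authenticate / reapply sequence of claims 1, 5 and 14, modelled in Python as an added example; this is not the patent's implementation. The in-memory credential store, the binding of each token to the requesting app, and the target server verifying a token by lookup at the authentication server are assumptions (the claims do not fix how the target server verifies the token).

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class UserSession:
    """Identity info plus the application server programs (claim 10) associated with the session."""
    user: str
    apps: set = field(default_factory=set)


class AuthServer:
    """Constructed model of the authentication server of claims 6 to 10 (not the patent's code)."""

    def __init__(self, credentials):
        self._credentials = credentials  # constructed user store: user name -> password
        self._sessions = {}              # unique identification code -> UserSession
        self._tokens = {}                # application token -> (device id, app name)

    def apply_token(self, device_id, app):
        """Claims 6 and 7: retrieve the session by the terminal's unique identification code."""
        session = self._sessions.get(device_id)
        if session is None:              # no session: user has not passed identity authentication
            return {"status": "unauthenticated"}
        token = secrets.token_urlsafe(16)  # bound to the session (and, as an assumption, to the app)
        self._tokens[token] = (device_id, app)
        session.apps.add(app)
        return {"status": "ok", "token": token}

    def authenticate(self, device_id, user, password):
        """Claim 6: verify the submitted identity information; on success create the session."""
        expected = self._credentials.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return {"status": "failed"}
        self._sessions[device_id] = UserSession(user)
        return {"status": "authenticated"}  # the client now reapplies for the token

    def verify_token(self, token, app):
        """Assumed target-server check: token issued, bound to this app, session not logged off."""
        bound = self._tokens.get(token)
        if bound is None or bound[1] != app:
            return None
        session = self._sessions.get(bound[0])
        return session.user if session else None

    def _clear_tokens(self, device_id, app=None):
        for tok, (dev, bound_app) in list(self._tokens.items()):
            if dev == device_id and (app is None or bound_app == app):
                del self._tokens[tok]

    def client_logout(self, device_id):
        """Claim 8: log off the session, clear its tokens, return the apps to notify as offline."""
        session = self._sessions.pop(device_id, None)
        self._clear_tokens(device_id)
        return sorted(session.apps) if session else []

    def app_offline(self, device_id, app):
        """Claims 9 and 10: one app reported the user offline; drop that association and
        log off the session only when no application server program remains associated."""
        session = self._sessions.get(device_id)
        if session is None:
            return "no-session"
        self._clear_tokens(device_id, app)
        session.apps.discard(app)
        if session.apps:
            return "updated"
        del self._sessions[device_id]
        return "logged-off"


def client_access(server, device_id, app, login=None):
    """Terminal side (claims 1, 5, 14): apply; if unauthenticated, submit the identity
    information from the login interface (here a (user, password) tuple) and reapply."""
    reply = server.apply_token(device_id, app)
    if reply["status"] == "unauthenticated":
        if login is None or server.authenticate(device_id, *login)["status"] != "authenticated":
            return None
        reply = server.apply_token(device_id, app)
    return reply["token"]
```

The second app on the same device obtains its token without a new login, and the session survives until the last associated app reports the user offline or the authentication client logs out.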
CN202110461827.2A 2021-04-27 2021-04-27 Single sign-on method and system Active CN113132402B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110461827.2A CN113132402B (en) 2021-04-27 2021-04-27 Single sign-on method and system

Publications (2)

Publication Number Publication Date
CN113132402A CN113132402A (en) 2021-07-16
CN113132402B true CN113132402B (en) 2022-08-30

Family

ID=76780895

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110461827.2A Active CN113132402B (en) 2021-04-27 2021-04-27 Single sign-on method and system

Country Status (1)

Country Link
CN (1) CN113132402B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378153B (en) * 2021-08-12 2021-11-19 中移(上海)信息通信科技有限公司 Authentication method, first service device, second service device and terminal device
CN114866247B (en) * 2022-04-18 2024-01-02 杭州海康威视数字技术股份有限公司 Communication method, device, system, terminal and server
CN114697137B (en) * 2022-05-10 2024-05-10 中国建设银行股份有限公司 Application program login method, device, equipment and storage medium
CN116192447B (en) * 2022-12-20 2024-01-30 江苏云涌电子科技股份有限公司 Multi-factor identity authentication method
CN117411725B (en) * 2023-12-13 2024-04-30 深圳竹云科技股份有限公司 Portal application authentication method and device and computer equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109587133A (en) * 2018-11-30 2019-04-05 武汉烽火众智智慧之星科技有限公司 A kind of single-node login system and method
CN109688114A (en) * 2018-12-10 2019-04-26 迈普通信技术股份有限公司 Single-point logging method, certificate server and application server
WO2020155492A1 (en) * 2019-01-31 2020-08-06 平安科技(深圳)有限公司 Device id-based login state sharing method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301316A (en) * 2014-10-13 2015-01-21 中国电子科技集团公司第二十八研究所 Single sign-on system and implementation method thereof
US20160182489A1 (en) * 2014-12-19 2016-06-23 Motorola Solutions, Inc Method and apparatus for enabling a single sign-on enabled application to enforce an application lock
CN109413032B (en) * 2018-09-03 2023-04-07 中国平安人寿保险股份有限公司 Single sign-on method, computer readable storage medium and gateway

Also Published As

Publication number Publication date
CN113132402A (en) 2021-07-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant