CN114510701A - Single sign-on method, device, equipment and storage medium - Google Patents

Single sign-on method, device, equipment and storage medium

Info

Publication number
CN114510701A
Authority
CN
China
Prior art keywords
login
identity information
application
target
single sign
Legal status
Pending
Application number
CN202210076471.5A
Other languages
Chinese (zh)
Inventor
荀浩
杨志杰
蔡少锋
邹佳
李锦体
黄树亮
Current Assignee
Guangdong Yami Intelligent Information Technology Co ltd
Foshan Haitian Flavoring and Food Co Ltd
Original Assignee
Guangdong Yami Intelligent Information Technology Co ltd
Foshan Haitian Flavoring and Food Co Ltd
Application filed by Guangdong Yami Intelligent Information Technology Co ltd and Foshan Haitian Flavoring and Food Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/33 User authentication using certificates
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Abstract

The application discloses a single sign-on method, device, equipment and storage medium. A first login request for logging in to a target system application is acquired, the first login request carrying first identity information and second identity information of a target user; the first identity information is verified; if the first identity information is successfully verified, a calculation request carrying the second identity information is sent to the multi-application login processing end, and a target characteristic value generated by the multi-application login processing end in response to the calculation request is received; a verification request carrying the target characteristic value is sent to a multi-party secure computing end, and a login judgment value generated by the multi-party secure computing end in response to the verification request is received; and if the login judgment value meets a preset login condition, a user login credential is generated and sent to the target system application. This avoids security problems such as password leakage that arise when a single sign-on system directly obtains each system application's independent password, and improves user privacy security.

Description

Single sign-on method, device, equipment and storage medium
Technical Field
The present application relates to the field of application security technologies, and in particular, to a single sign-on method, apparatus, device, and storage medium.
Background
Currently, the single sign-on modes used by enterprise multi-application platforms mainly include single sign-on based on authentication among multiple applications, single sign-on based on a unified login system, and single sign-on based on a blockchain.
Single sign-on based on authentication among multiple applications completes the login process by having the parent application provide an authentication credential to the child application after login and storing that credential in a cookie or session; storing user login credentials in a cookie or session, however, may leak user identity information. Single sign-on based on a unified login system builds an independent single sign-on application or system within the enterprise multi-application platform, and the other applications forward login requests to it for processing. Blockchain-based single sign-on stores the user's identity authentication information in blocks held by the multiple applications of the whole system, constructing a distributed blockchain from the single sign-on system and the login modules of the applications; but all information in the chain is shared by all applications, which can cause user privacy disclosure in an enterprise multi-application platform.
Disclosure of Invention
The application provides a single sign-on method, a single sign-on device and a storage medium to address the technical problem of low user privacy security in current single sign-on methods.
In order to solve the above technical problem, an embodiment of the present application provides a single sign-on method, which is applied to a single sign-on server, where the single sign-on server is in communication connection with a multi-application login processing end, a multi-party secure computing end, and multiple system applications, and the method includes:
acquiring a first login request for logging in a target system application, wherein the first login request carries first identity information and second identity information of a target user;
verifying the first identity information;
if the first identity information is successfully verified, sending a calculation request carrying the second identity information to the multi-application login processing end, and receiving a target characteristic value generated by the multi-application login processing end in response to the calculation request;
sending a verification request carrying the target characteristic value to the multi-party secure computing end, and receiving a login judgment value generated by the multi-party secure computing end in response to the verification request;
and if the login judgment value meets a preset login condition, generating a user login credential and sending it to the target system application, wherein the user login credential is used by the target system application for login verification.
In this embodiment, dual identity authentication is performed with the first identity information and the second identity information, which improves login security. The second identity information is verified through interaction among the single sign-on server, the multi-application login processing end and the multi-party secure computing end, so the single sign-on system never directly obtains the independent passwords of the system applications and the password leakage this would risk is avoided; because these three parties exchange only characteristic values and login judgment values, the interaction itself cannot leak passwords either, which further improves user privacy security. Meanwhile, the single sign-on server, the multi-application login processing end and the multi-party secure computing end exist independently, which facilitates maintenance.
In an embodiment, if the first identity information is successfully verified, sending a calculation request carrying the second identity information to the multi-application login processing terminal, and receiving a target characteristic value generated when the multi-application login processing terminal responds to the calculation request includes:
if the first identity information is successfully verified, determining the loggable application list of the target user;
sending a calculation request to the multi-application login processing end, wherein the calculation request carries the second identity information and the loggable application list;
and receiving a target characteristic value returned by the multi-application login processing end, wherein the target characteristic value consists of a first characteristic value of the second identity information and a second characteristic value of the loggable application list, both generated by the multi-application login processing end in response to the calculation request.
Optionally, the second characteristic value includes the second characteristic values of the plurality of system applications in the loggable application list, and the preset identity information of these system applications is stored randomly in the preset database.
In an embodiment, sending a verification request carrying a target feature value to a multi-party secure computation end, and receiving a login judgment value generated when the multi-party secure computation end responds to the verification request includes:
sending a verification request carrying a target characteristic value to a multi-party security computing end, wherein the target characteristic value comprises a first characteristic value of second identity information and a second characteristic value of a login-capable application list;
and receiving the login judgment value returned by the multi-party secure computing end, wherein, in response to the verification request, the multi-party secure computing end matches the first characteristic value against the second characteristic value and generates the login judgment value from the matching result.
In an embodiment, after generating a user login credential and sending the user login credential to the target system application if the login determination value satisfies the preset login condition, the method further includes:
taking the loggable application list of the target user, the user login credential, the authorization time of the user login credential and the first identity information as data items, and randomly generated unique identification information as a data header, to generate a target user login credential;
and storing the target user login credentials into a preset database.
In an embodiment, after storing the target user login credentials in the preset database, the method further includes:
acquiring a second login request for logging in a target system application, wherein the second login request carries first identity information of a target user;
if the first identity information is successfully verified, determining the credential validity period of the user login credential according to the authorization time in the target user login credential;
and if the current login time of the second login request is within the credential validity period, logging in to the target system application with the user login credential.
In an embodiment, after storing the target user login credentials in the preset database, the method further includes:
and if a logout request is acquired, deleting the target user login credential from the preset database.
In a second aspect, an embodiment of the present application provides a single sign-on apparatus, which is configured at a single sign-on server, where the single sign-on server is communicatively connected to a multi-application login processing end, a multi-party secure computing end, and multiple system applications, and the apparatus includes:
an acquisition module, used for acquiring a first login request for logging in to a target system application, wherein the first login request carries first identity information and second identity information of a target user;
the verification module is used for verifying the first identity information;
the first sending module is used for sending a calculation request carrying second identity information to the multi-application login processing terminal if the first identity information is successfully verified, and receiving a target characteristic value generated when the multi-application login processing terminal responds to the calculation request;
the second sending module is used for sending a verification request carrying a target characteristic value to the multi-party security computing end and receiving a login judgment value generated when the multi-party security computing end responds to the verification request;
and the generating module is used for generating a user login credential and sending the user login credential to the target system application if the login judgment value meets the preset login condition, wherein the user login credential is used for the target system application to perform login verification.
In a third aspect, an embodiment of the present application provides a computer device, including a processor and a memory, where the memory is used to store a computer program, and the computer program, when executed by the processor, implements the single sign-on method according to the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, which stores a computer program, and the computer program, when executed by a processor, implements the single sign-on method according to the first aspect.
Please refer to the relevant description of the first aspect for the beneficial effects of the second to fourth aspects, which are not repeated herein.
Drawings
Fig. 1 is a schematic flowchart of a single sign-on method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a single sign-on system according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of a single sign-on apparatus according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As described in the related art, current single sign-on methods have the technical problem of low user privacy security. Therefore, the embodiment of the application provides a single sign-on method, device, equipment and storage medium in which dual identity authentication is performed with the first identity information and the second identity information, improving login security. The second identity information is verified through interaction among the single sign-on server, the multi-application login processing end and the multi-party secure computing end, so the single sign-on system never directly obtains the independent passwords of the system applications and the password leakage this would risk is avoided; because these three parties exchange only characteristic values and login judgment values, the interaction itself cannot leak passwords either, which further improves user privacy security. Meanwhile, the single sign-on server, the multi-application login processing end and the multi-party secure computing end exist independently, which facilitates maintenance.
Referring to Fig. 1, Fig. 1 is a schematic flowchart of a single sign-on method according to an embodiment of the present disclosure. The single sign-on method can be applied to a single sign-on server, which can be a computer device such as a notebook computer, a desktop computer, a physical server or a cloud server, and which is in communication connection with a multi-application login processing end, a multi-party secure computing end and a plurality of system applications.
Optionally, fig. 2 shows a schematic structural diagram of a single sign-on system provided in an embodiment of the present application, where the single sign-on system includes an interaction layer, an application service layer, a multi-party secure computing layer, and a data storage layer, the interaction layer includes a multi-application sign-on client and a single sign-on client, the application service layer includes a multi-application sign-on processing end and a single sign-on server, the multi-party secure computing layer includes a multi-party secure computing end, and the data storage layer includes a preset database. It is understood that the system architecture diagram of fig. 2 is used as an example only, and that in other embodiments, more or fewer components than those shown may be included, and are not described in detail herein.
The multi-application login client interacts with the user to acquire the second identity information input by the user; the single sign-on client interacts with the user to collect the first identity information input by the user; the multi-application login processing end interacts with the other components and performs login verification on the user's second identity information or on the target user login credential, and the single sign-on server interacts with the other components and performs login verification on the user's first identity information; the multi-party secure computing end computes, compares and verifies the second identity information; and the preset database stores data including, but not limited to, the loggable application list and target user login credentials.
Optionally, the user sets first preset identity information through the single sign-on client, which is stored in the single sign-on server, and sets a plurality of pieces of second preset identity information through the multi-application login client, which are stored in the multi-application login processing end; the list of applications the user has registered with is stored in the preset database as the loggable application list.
Optionally, the application layers of the single sign-on system are connected in a flat manner through a switch to realize communication interaction.
As shown in fig. 1, the single sign-on method of the present embodiment includes steps S101 to S105, which are detailed as follows:
step S101, a first login request for logging in a target system application is obtained, wherein the first login request carries first identity information and second identity information of a target user.
In this step, the user sends a first login request to the multi-application login processing end through the multi-application login client, which queries whether the user already holds a target user login credential; if so, the user logs in to the target system application directly, and if not, the first login request is forwarded to the single sign-on server, which acquires it.
The first identity information is used for verifying whether the target user has the login authority of the single sign-on server, for example, whether the target user is an enterprise user is verified, and if so, the target user passes the login verification of the single sign-on server. The second identity information is used for verifying the login authority of the target system application.
Optionally, the first identity information and the second identity information may be information such as a character password, a gesture password, a biometric password, and a dynamic password.
Optionally, the second identity information corresponding to each system application is different from each other.
Step S102, verifying the first identity information.
In this step, the first identity information is compared with the first preset identity information; if they match, verification succeeds, otherwise it fails.
Step S103, if the first identity information is successfully verified, sending a calculation request carrying the second identity information to the multi-application login processing terminal, and receiving a target characteristic value generated when the multi-application login processing terminal responds to the calculation request.
In this step, the target feature value includes a first feature value and a second feature value. Alternatively, the target feature value may be a token value.
The first characteristic value of the second identity information and the second characteristic value of each piece of second preset identity information are calculated by the multi-application login processing end, so the identity information is encrypted there and the single sign-on server itself never needs to obtain the passwords of the system applications, which protects user privacy.
Step S104, sending a verification request carrying the target characteristic value to the multi-party security computation end, and receiving a login judgment value generated when the multi-party security computation end responds to the verification request.
In this step, the multi-party secure computing end compares the first characteristic value of the second identity information with the second characteristic value of each piece of second preset identity information, so that any system application can be logged in to with any application password. Because only characteristic values are compared and only a login judgment value is returned, the multi-party secure computing end cannot learn which target system application the target user wants to log in to, which further improves user privacy security.
Step S105, if the login judgment value meets the preset login condition, generating a user login credential, and sending the user login credential to the target system application, wherein the user login credential is used for login verification of the target system application.
In this step, for example, a login judgment value of 1 means login is permitted and a login judgment value of 0 means it is not. The user login credential may be generated based on the authorization time, the first identity information, the login judgment value, and the like.
In an embodiment, on the basis of the embodiment shown in fig. 1, the step S103 includes:
if the first identity information is successfully verified, determining the loggable application list of the target user;
sending the calculation request to the multi-application login processing end, wherein the calculation request carries the second identity information and the loggable application list;
and receiving the target characteristic value returned by the multi-application login processing end, wherein the target characteristic value consists of a first characteristic value of the second identity information and a second characteristic value of the loggable application list, both generated by the multi-application login processing end in response to the calculation request.
In this embodiment, the loggable application list includes a plurality of system applications registered by the target user, and the second identity information and second preset identity information of each system application are encrypted through the multi-application login processing terminal according to a preset encryption mode to generate corresponding token values respectively.
Optionally, the second characteristic value includes second characteristic values of a plurality of system applications of the loggable application list, and the preset identity information of the system applications is randomly stored in a preset database.
In this optional embodiment, the preset identity information (i.e., the second preset identity information) of the system application may be stored in different databases, that is, there is no corresponding relationship between the second preset identity information stored in the preset database and the system application, so that other people cannot know the second preset identity information of each system application from the preset database, thereby ensuring that other people cannot know which target system application the target user logs in, and improving the privacy security of the user.
In an embodiment, on the basis of the embodiment shown in fig. 1, the step S104 includes:
sending a verification request carrying a target characteristic value to the multi-party security computing terminal, wherein the target characteristic value comprises a first characteristic value of the second identity information and a second characteristic value of the loggable application list;
and receiving the login judgment value returned by the multi-party secure computing end, wherein, in response to the verification request, the multi-party secure computing end matches the first characteristic value against the second characteristic value and generates the login judgment value from the matching result.
In this embodiment, for example, the second characteristic value of each system application is compared for equality with the first characteristic value of the second identity information; if any of them is equal, a positive login judgment value is returned, otherwise a negative login judgment value is returned.
In an embodiment, on the basis of the embodiment shown in fig. 1, after the step S105, the method further includes:
taking the loggable application list of the target user, the user login credential, the authorization time of the user login credential and the first identity information as data items, and randomly generated unique identification information as a data header, to generate a target user login credential;
and storing the target user login credentials to a preset database.
In this embodiment, after the single sign-on server has confirmed the login, the loggable application list, the authorization time, the user login credential and the first identity information are used as data items and a randomly generated non-repeating ID as the data header; together they form the target user login credential, which is stored in the database. The single sign-on server and the multi-application login processing end have read permission, while the multi-party secure computing end has write permission only.
Optionally, after storing the target user login credential in a preset database, the method further includes:
acquiring a second login request for logging in the target system application, wherein the second login request carries first identity information of the target user;
if the first identity information is successfully verified, determining the credential validity period of the user login credential according to the authorization time in the target user login credential;
and if the current login time of the second login request is within the credential validity period, logging in to the target system application with the user login credential.
In this optional embodiment, when the target system application is logged in to within the credential validity period, the multi-application login processing end queries the target user login credential, and the user is allowed access once the user's first identity information has been confirmed.
Optionally, after storing the target user login credential in the preset database, the method further includes: if a logout request is acquired, deleting the target user login credential from the preset database.
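The whole flow of steps S101 to S105 together with the credential handling above, as an added Python simulation that is not part of the patent: the single sign-on server verifies the first identity information, hands the second identity information and the loggable application list to the multi-application login processing end for feature-value calculation, passes only the resulting feature values to the multi-party secure computing end, and stores, re-checks and deletes the target user login credential. Assumed, since the page leaves them unspecified: HMAC-SHA256 under a key held only by the processing end as the "preset encryption mode", plain equality comparison over opaque tokens at the secure computing end, a one-hour validity period, a stored digest of the first identity information, and the constructed users, applications and passwords.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class MultiAppLoginProcessingEnd:
    """Holds the second preset identity information (one independent password per application)
    and turns identity information into opaque feature values; its key never leaves here."""
    app_secrets: dict                       # application -> second preset identity information
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _feature_value(self, value: str, nonce: bytes) -> bytes:
        # Assumption: the page's unspecified "preset encryption mode" is modelled as
        # HMAC-SHA256 over a per-request nonce, so tokens are unlinkable across attempts.
        return hmac.new(self._key, nonce + value.encode(), hashlib.sha256).digest()

    def handle_calculation_request(self, second_identity: str, loggable_apps: list):
        nonce = secrets.token_bytes(16)
        first_value = self._feature_value(second_identity, nonce)
        second_values = [self._feature_value(self.app_secrets[a], nonce) for a in loggable_apps]
        # Shuffle so a token's position does not reveal which application it belongs to
        # (the page's "randomly stored" preset identity information).
        secrets.SystemRandom().shuffle(second_values)
        return first_value, second_values


class MultiPartySecureComputingEnd:
    """Sees only feature values and returns only the login judgment value (1 or 0)."""
    @staticmethod
    def handle_verification_request(first_value: bytes, second_values: list) -> int:
        matched = any(hmac.compare_digest(first_value, s) for s in second_values)
        return 1 if matched else 0


@dataclass
class SingleSignOnServer:
    first_preset_identity: dict             # user -> first preset identity information
    loggable_apps: dict                     # user -> loggable application list
    processing_end: MultiAppLoginProcessingEnd
    mpc_end: MultiPartySecureComputingEnd
    validity_seconds: int = 3600            # assumed credential validity period
    credential_db: dict = field(default_factory=dict)   # the "preset database"

    def _verify_first_identity(self, user: str, first_identity: str) -> bool:
        expected = self.first_preset_identity.get(user, "")
        return hmac.compare_digest(expected.encode(), first_identity.encode())

    def first_login(self, user, first_identity, second_identity, target_app, now: int):
        """Steps S101-S105: returns the user login credential, or None if login is refused."""
        if not self._verify_first_identity(user, first_identity):                  # S102
            return None
        apps = self.loggable_apps.get(user, [])
        if target_app not in apps:
            return None
        first_value, second_values = self.processing_end.handle_calculation_request(
            second_identity, apps)                                                  # S103
        judgment = self.mpc_end.handle_verification_request(first_value, second_values)  # S104
        if judgment != 1:                                                           # S105
            return None
        credential = secrets.token_urlsafe(32)
        record_id = secrets.token_hex(16)   # randomly generated unique ID used as data header
        self.credential_db[record_id] = {
            "user": user, "loggable_apps": list(apps), "credential": credential,
            "authorization_time": now,
            # Assumption: a digest of the first identity information is stored, not the value.
            "first_identity_digest": hashlib.sha256(first_identity.encode()).hexdigest(),
        }
        return credential

    def _find_record(self, user: str):
        return next(((rid, r) for rid, r in self.credential_db.items() if r["user"] == user),
                    (None, None))

    def second_login(self, user, first_identity, target_app, now: int):
        """Login within the validity period: only the first identity information is checked."""
        if not self._verify_first_identity(user, first_identity):
            return None
        _, rec = self._find_record(user)
        if rec is None or target_app not in rec["loggable_apps"]:
            return None
        if now > rec["authorization_time"] + self.validity_seconds:   # credential expired
            return None
        return rec["credential"]

    def logout(self, user: str) -> bool:
        # Logout request: delete the target user login credential from the database.
        record_id, _ = self._find_record(user)
        if record_id is None:
            return False
        del self.credential_db[record_id]
        return True


def build_demo() -> SingleSignOnServer:
    """Constructed sample deployment: one enterprise user registered on three applications."""
    processing_end = MultiAppLoginProcessingEnd(
        app_secrets={"erp": "erp-pass-1", "crm": "crm-pass-2", "mail": "mail-pass-3"})
    return SingleSignOnServer(first_preset_identity={"alice": "enterprise-pass"},
                              loggable_apps={"alice": ["erp", "crm", "mail"]},
                              processing_end=processing_end, mpc_end=MultiPartySecureComputingEnd())
```

Note that the server side only ever handles the HMAC tokens and the 0/1 judgment value; the application passwords stay inside `MultiAppLoginProcessingEnd`, which is the separation the page relies on.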
It should be noted that in the embodiment of the present application the single sign-on server, the multi-party secure computing end and the multi-application login processing end carry out the single sign-on interactively. This prevents the single sign-on server from directly obtaining the independent password of each application, so a compromise of the single sign-on server does not leak the passwords of the system applications; meanwhile, a user can set independent passwords for different system applications and log in to any system with any of those passwords without leaking them. Furthermore, since the three components exist independently, the system is simple in structure and easy to maintain; growth in the number of users and applications does not affect the computing performance of the multi-party secure computing end or the processing of login requests, and after login is completed only the stored login credential is queried, with no repeated or redundant computation, so the system is efficient and simple.
To carry out the single sign-on method of the method embodiment above, with the corresponding functions and technical effects, an apparatus is also provided. Referring to fig. 3, fig. 3 is a block diagram of a single sign-on apparatus according to an embodiment of the present disclosure. For convenience of description only the part related to the present embodiment is shown. The single sign-on apparatus provided in the embodiment of the present application is configured on a single sign-on server, and the single sign-on server is communicatively connected with a multi-application login processing end, a multi-party secure computing end and a plurality of system applications; the apparatus includes:
an obtaining module 301, configured to obtain a first login request for logging in a target system application, where the first login request carries first identity information and second identity information of a target user;
a verification module 302, configured to verify the first identity information;
a first sending module 303, configured to send, if the first identity information is successfully verified, a calculation request carrying the second identity information to the multi-application login processing end, and receive a target feature value generated when the multi-application login processing end responds to the calculation request;
a second sending module 304, configured to send a verification request carrying the target feature value to the multi-party secure computing end, and receive a login determination value generated when the multi-party secure computing end responds to the verification request;
a generating module 305, configured to generate a user login credential if the login determination value meets a preset login condition, and send the user login credential to the target system application, where the user login credential is used for login verification of the target system application.
In one embodiment, the first sending module 303 includes:
a determining unit, configured to determine a loggable application list of the target user if the first identity information is successfully verified;
a first sending unit, configured to send the computation request to the multi-application login processing end, where the computation request carries the second identity information and the loggable application list;
a first receiving unit, configured to receive the target feature value returned by the multi-application login processing end, where the target feature value consists of a first feature value of the second identity information and a second feature value of the loggable application list, both generated when the multi-application login processing end responds to the calculation request.
Optionally, the second feature value includes second feature values of the plurality of system applications in the loggable application list, and the preset identity information of the system applications is stored at random positions in a preset database.
In an embodiment, the second sending module 304 includes:
a second sending unit, configured to send a verification request carrying the target feature value to the multi-party secure computing end, where the target feature value includes a first feature value of the second identity information and a second feature value of the loggable application list;
and a second receiving unit, configured to receive the login determination value returned by the multi-party secure computing end, where the login determination value is generated when the multi-party secure computing end responds to the verification request by matching the first feature value against the second feature value and deriving the login determination value from the matching result.
In one embodiment, the apparatus further comprises:
a second generation module, configured to generate a target user login credential by taking the loggable application list of the target user, the user login credential, the authorization time of the user login credential and the first identity information as data items, and the randomly generated unique identification information as the data header;
and the storage module is used for storing the target user login credentials to a preset database.
In one embodiment, the apparatus further comprises:
the second acquisition module is used for acquiring a second login request for logging in the target system application, wherein the second login request carries the first identity information of the target user;
a determining module, configured to determine the credential validity period of the user login credential from the authorization time in the target user login credential if the first identity information is successfully verified;
and a login module, configured to log in to the target system application with the user login credential if the current login time of the second login request falls within the credential validity period.
In one embodiment, the apparatus further comprises:
and the deleting module is used for deleting the target user login credentials in the preset database if the logout request is obtained.
The single sign-on device can implement the single sign-on method of the above method embodiment. The alternatives in the above-described method embodiments are also applicable to this embodiment and will not be described in detail here. The rest of the embodiments of the present application may refer to the contents of the above method embodiments, and in this embodiment, details are not described again.
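The flow that the modules above describe (and that claims 1 to 7 below restate), as an added example written for this page rather than code from the patent or its applicants. The patent does not specify what the two kinds of identity information are, how a "feature value" is computed, how the multi-party secure computing end derives the login determination value, what the preset login condition is, or how long a credential stays valid; every one of those is an assumption here, named in the module docstring and in the code comments: user name and per-application password, HMAC-SHA256 keyed by the multi-application login processing end, "match any listed application's digest" returning 1, the condition `value == 1`, and an 8-hour validity period. The user directory is likewise a constructed stand-in for wherever the single sign-on server keeps loggable application lists.

```python
"""Added illustration for this page, not the patent's own code: an offline model of
the three-party flow in the apparatus description and claims 1-7. Assumptions the
patent does not fix: first identity information = user name, second = the password
typed for the target application; a "feature value" = HMAC-SHA256 over
(user, password) keyed by the multi-application login processing end; the
multi-party secure computing end returns 1 when the first feature value matches any
listed application's second feature value, else 0, and the preset login condition is
"value == 1"; the credential validity period is CREDENTIAL_TTL_SECONDS."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CREDENTIAL_TTL_SECONDS = 8 * 3600  # assumed validity period of a credential


class MultiAppLoginProcessingEnd:
    """Holds each application's independent password digests; the single sign-on
    server only ever receives digests, never the passwords themselves."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._records: dict[str, dict[str, str]] = {}  # app -> user -> digest

    def _feature(self, user: str, secret: str) -> str:
        return hmac.new(self._key, f"{user}\x00{secret}".encode(), hashlib.sha256).hexdigest()

    def register(self, app: str, user: str, password: str) -> None:
        self._records.setdefault(app, {})[user] = self._feature(user, password)

    def compute(self, user: str, second_identity: str,
                loggable_apps: list[str]) -> tuple[str, dict[str, Optional[str]]]:
        """Calculation request: first feature value of the submitted password and
        the second feature values of every application in the loggable list."""
        first = self._feature(user, second_identity)
        return first, {app: self._records.get(app, {}).get(user) for app in loggable_apps}


class MultiPartySecureComputingEnd:
    """Verification request: match first against second and return the login
    determination value (1 = some listed application's password matched)."""

    @staticmethod
    def verify(first: str, second: dict[str, Optional[str]]) -> int:
        return int(any(d is not None and hmac.compare_digest(first, d) for d in second.values()))


@dataclass
class TargetUserLoginCredential:
    """Stored record: random unique id as header, the rest as data items."""
    record_id: str
    loggable_apps: list[str]
    credential: str
    authorized_at: float
    first_identity: str


class SingleSignOnServer:
    def __init__(self, directory: dict[str, list[str]], processing_end: MultiAppLoginProcessingEnd,
                 computing_end: MultiPartySecureComputingEnd) -> None:
        self._directory = directory  # user -> loggable application list (assumed source)
        self._processing_end = processing_end
        self._computing_end = computing_end
        self._db: dict[str, TargetUserLoginCredential] = {}  # the preset database

    def first_login(self, first_identity: str, second_identity: str,
                    target_app: str, now: float) -> Optional[str]:
        """Claim 1 steps; returns the user login credential, or None on refusal."""
        if first_identity not in self._directory:  # verify the first identity information
            return None
        apps = self._directory[first_identity]
        if target_app not in apps:
            return None
        first, second = self._processing_end.compute(first_identity, second_identity, apps)
        if self._computing_end.verify(first, second) != 1:  # assumed preset login condition
            return None
        credential = secrets.token_urlsafe(32)
        record = TargetUserLoginCredential(secrets.token_hex(16), list(apps), credential,
                                           now, first_identity)
        self._db[record.record_id] = record  # claim 5: persist the record
        return credential

    def second_login(self, first_identity: str, target_app: str, now: float) -> Optional[str]:
        """Claim 6: reuse the stored credential while its validity period holds."""
        if first_identity not in self._directory:
            return None
        for record in self._db.values():
            if (record.first_identity == first_identity and target_app in record.loggable_apps
                    and 0 <= now - record.authorized_at <= CREDENTIAL_TTL_SECONDS):
                return record.credential
        return None

    def logout(self, first_identity: str) -> int:
        """Claim 7: delete the user's stored records; returns how many were removed."""
        stale = [k for k, r in self._db.items() if r.first_identity == first_identity]
        for k in stale:
            del self._db[k]
        return len(stale)
```

Two points a practitioner should take from the model. First, the isolation the description advertises holds only as long as the processing end's key and the computing end are operated separately from the single sign-on server; the computing end still receives password digests, just not cleartext. Second, the stored record is a bearer credential that the server reuses for the whole validity period, so the preset database becomes the asset an attacker wants, and the logout deletion plus a bounded validity period are what limit the damage of a stolen record.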
Fig. 4 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 4, the computer device 4 of this embodiment includes: at least one processor 40 (only one shown in fig. 4), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40, the processor 40 implementing the steps of any of the method embodiments described above when executing the computer program 42.
The computer device 4 may be a notebook computer, a desktop computer, a physical server, a cloud server, or other computing devices. The computer device may include, but is not limited to, a processor 40, a memory 41. Those skilled in the art will appreciate that fig. 4 is merely an example of the computer device 4 and does not constitute a limitation of the computer device 4, and may include more or less components than those shown, or combine certain components, or different components, such as input output devices, network access devices, etc.
The processor 40 may be a Central Processing Unit (CPU), or another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 41 may in some embodiments be an internal storage unit of the computer device 4, such as a hard disk or the main memory of the computer device 4. In other embodiments the memory 41 may be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card attached to the computer device 4. Further, the memory 41 may include both an internal storage unit and an external storage device of the computer device 4. The memory 41 is used to store an operating system, application programs, a boot loader, data and other programs, such as the program code of the computer program. The memory 41 may also be used to temporarily store data that has been output or is to be output.
In addition, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements the steps in any of the method embodiments described above.
The embodiments of the present application provide a computer program product, which when executed on a computer device, enables the computer device to implement the steps in the above method embodiments.
In several embodiments provided herein, it will be understood that each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a terminal device to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are further detailed to explain the objects, technical solutions and advantages of the present application, and it should be understood that the above-mentioned embodiments are only examples of the present application and are not intended to limit the scope of the present application. It should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the application as defined by the appended claims.

Claims (10)

1. A single sign-on method is applied to a single sign-on server side which is in communication connection with a multi-application login processing side, a multi-party secure computing side and a plurality of system applications, and comprises the following steps:
acquiring a first login request for logging in a target system application, wherein the first login request carries first identity information and second identity information of a target user;
verifying the first identity information;
if the first identity information is successfully verified, sending a calculation request carrying the second identity information to the multi-application login processing terminal, and receiving a target characteristic value generated when the multi-application login processing terminal responds to the calculation request;
sending a verification request carrying the target characteristic value to the multi-party security computing end, and receiving a login judgment value generated when the multi-party security computing end responds to the verification request;
and if the login judgment value meets the preset login condition, generating a user login credential, and sending the user login credential to the target system application, wherein the user login credential is used for login verification of the target system application.
2. The single sign-on method of claim 1, wherein the sending a calculation request carrying the second identity information to the multi-application login processing end and receiving a target feature value generated by the multi-application login processing end in response to the calculation request, if the first identity information is successfully verified, comprises:
if the first identity information is successfully verified, determining a login-capable application list of the target user;
sending the calculation request to the multi-application login processing terminal, wherein the calculation request carries the second identity information and the login-capable application list;
and receiving the target characteristic value returned by the multi-application login processing terminal, wherein the target characteristic value is a first characteristic value of the second identity information and a second characteristic value of the loggable application list generated when the multi-application login processing terminal responds to the calculation request.
3. The single sign-on method of claim 2, wherein the second characteristic value comprises second characteristic values of a plurality of system applications of the loggable application list, and the predetermined identity information of the system applications is stored at random positions in a predetermined database.
4. The single sign-on method of claim 1, wherein the sending the authentication request carrying the target characteristic value to the multi-party secure computing end and receiving the login judgment value generated by the multi-party secure computing end in response to the authentication request comprises:
sending a verification request carrying the target characteristic value to the multi-party security computing terminal, wherein the target characteristic value comprises a first characteristic value of the second identity information and a second characteristic value of the loggable application list;
and receiving the login judgment value returned by the multi-party security computing end, wherein the login judgment value is generated by matching the first characteristic value with the second characteristic value and generating a login judgment value according to a matching result when the multi-party security computing end responds to the verification request.
5. The single sign-on method of any one of claims 1 to 4, wherein after generating a user login credential and sending the user login credential to the target system application if the login determination value satisfies a preset login condition, the method further comprises:
taking the loggable application list of the target user, the user login credential, the authorization time of the user login credential and the first identity information as data items, and taking randomly generated unique identification information as a data header, to generate a target user login credential;
and storing the target user login credentials to a preset database.
6. The single sign-on method of claim 5, wherein after storing the target user login credentials in a predetermined database, the method further comprises:
acquiring a second login request for logging in the target system application, wherein the second login request carries first identity information of the target user;
if the first identity information is successfully verified, determining the credential validity period of the user login credential according to the authorization time in the target user login credential;
and if the current login time of the second login request is within the credential validity period, logging in to the target system application according to the user login credential.
7. The single sign-on method of claim 5, wherein after storing the target user login credentials in a predetermined database, the method further comprises:
and if a logout request is acquired, deleting the target user login credentials from the preset database.
8. A single sign-on device, characterized by being deployed on a single sign-on server side, wherein the single sign-on server side is in communication connection with a multi-application sign-on processing side, a multi-party secure computing side and a plurality of system applications, and the device comprises:
an acquisition module, configured to acquire a first login request for logging in a target system application, wherein the first login request carries first identity information and second identity information of a target user;
the verification module is used for verifying the first identity information;
a first sending module, configured to send a calculation request carrying the second identity information to the multi-application login processing terminal if the first identity information is successfully verified, and receive a target feature value generated when the multi-application login processing terminal responds to the calculation request;
a second sending module, configured to send a verification request carrying the target feature value to the multiparty security computing end, and receive a login determination value generated when the multiparty security computing end responds to the verification request;
and the generating module is used for generating a user login credential and sending the user login credential to the target system application if the login judgment value meets a preset login condition, wherein the user login credential is used for login verification of the target system application.
9. A computer device comprising a processor and a memory for storing a computer program which, when executed by the processor, implements the single sign-on method of any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the single sign-on method of any one of claims 1 to 7.
Application CN202210076471.5A, "Single sign-on method, device, equipment and storage medium", filed 2022-01-21 (priority date 2022-01-21), published as CN114510701A on 2022-05-17; legal status: pending. Family ID: 81550650. Country: CN.

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150141A (*) 2022-06-22 2022-10-04 青岛海信网络科技股份有限公司 Single sign-on method and single management equipment
CN115150141B (*) 2022-06-22 2024-03-08 青岛海信网络科技股份有限公司 Single sign-on method and single point management equipment
CN115250204A (*) 2022-09-22 2022-10-28 四川蜀天信息技术有限公司 Method and system for centralized processing login authentication


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination