CN114697137A - Application program login method, device, equipment and storage medium - Google Patents

Info

Publication number
CN114697137A
Authority
CN
China
Prior art keywords
authentication server
identity authentication
token
tenant
tenant identity
Legal status
Granted
Application number
CN202210504335.1A
Other languages
Chinese (zh)
Other versions
CN114697137B (en)
Inventor
蔡金培
陈华海
闫立志
林国养
陈德锋
吴猛
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application belongs to the field of data processing, and in particular relates to a login method, device, equipment and storage medium for an application program. The login method includes the following steps: when the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server, in response to a single sign-on instruction directed at a second application program corresponding to a second tenant identity authentication server, sending a single sign-on request to the first tenant identity authentication server; receiving a single-point token sent by the first tenant identity authentication server; sending the single-point token to the second tenant identity authentication server; receiving a second login token sent by the second tenant identity authentication server; and establishing a session of the second application program based on the second login token. Single sign-on across application programs that correspond to different tenant identity authentication servers is thereby achieved.

Description

Application program login method, device, equipment and storage medium
Technical Field
The present application relates to the field of data processing, and in particular, to a login method, device, apparatus, and storage medium for an application.
Background
Single sign-on (SSO) means that, among a plurality of mutually trusting application systems, a user logs in once and can then access all of them. At present, single sign-on is realized through a centralized single-point token, which works only when the application systems access the same identity authentication server; for application systems that access different identity authentication servers, single sign-on of the user cannot be realized.
Therefore, in the related art, when single sign-on is implemented, a user cannot perform single sign-on for application systems that access different identity authentication servers.
Disclosure of Invention
The embodiments of the present application provide a login method, device, equipment and storage medium for an application program, aiming to solve the problem in the related art that, when single sign-on is realized, a user cannot perform single sign-on for application systems that access different identity authentication servers.
In a first aspect, an embodiment of the present application provides a login method for an application program, applied to a terminal device, which includes: when the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server, in response to a single sign-on instruction directed at a second application program corresponding to a second tenant identity authentication server, sending a single sign-on request to the first tenant identity authentication server, where the single sign-on request requests single sign-on to the second application program; receiving a single-point token sent by the first tenant identity authentication server, where the single-point token is used to apply for a second login token for the second application program, and the second login token is used to establish a session of the second application program; sending the single-point token to the second tenant identity authentication server; receiving the second login token sent by the second tenant identity authentication server; and establishing a session of the second application program based on the second login token.
In a possible implementation, before sending the single sign-on request to the first tenant identity authentication server, the login method further includes: in response to successful login of the first application program, sending login success information to the first tenant identity authentication server; receiving a first login token sent by the first tenant identity authentication server, where the first login token is used to establish a session of the first application program; and establishing a session of the first application program based on the first login token.
In a second aspect, an embodiment of the present application provides a login method for an application program, applied to a first tenant identity authentication server, which includes: when the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, acquiring a single sign-on request sent by the terminal device, where the single sign-on request requests single sign-on to a second application program corresponding to a second tenant identity authentication server; in response to the single sign-on request, generating a single-point token, where the single-point token is used to apply for a second login token for the second application program, and the second login token is used to establish a session of the second application program; and sending the single-point token to the terminal device.
In one possible embodiment, the single-point token includes signature data of the first tenant identity authentication server and verification data for the second tenant identity authentication server, and generating the single-point token includes: generating the signature data of the first tenant identity authentication server using the private key of the first tenant identity authentication server; and generating the verification data for the second tenant identity authentication server using the public key certificate of the second tenant identity authentication server.
In a possible embodiment, before generating the verification data for the second tenant identity authentication server using its public key certificate, the login method further includes: sending cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, where the cross-tenant single sign-on configuration information requests authorization for cross-tenant single sign-on; receiving authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server; and acquiring the public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information.
In a possible implementation, before generating the single-point token, the login method further includes: when the first tenant identity authentication server has been successfully registered, generating a private key and a public key of the first tenant identity authentication server according to the tenant information of the tenant corresponding to it; sending, based on the public key, a request for a public key certificate to a digital certificate certification authority; and acquiring the public key certificate issued by the digital certificate certification authority.
In a third aspect, an embodiment of the present application provides a login method for an application program, applied to a second tenant identity authentication server, which includes: acquiring a single-point token sent by a terminal device, where the single-point token is generated by a first tenant identity authentication server in response to a single sign-on request sent by the terminal device while the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, the single sign-on request requests single sign-on to a second application program corresponding to the second tenant identity authentication server, the single-point token is used to apply for a second login token for that second application program, and the second login token is used to establish a session of the second application program; parsing the single-point token to obtain its parsed data; verifying the single-point token according to the parsed data; generating the second login token when the single-point token is successfully verified; and sending the second login token to the terminal device.
In one possible implementation, the parsed data includes the number of the first tenant identity authentication server, the signature data of the first tenant identity authentication server, and the verification data for the second tenant identity authentication server, and verifying the single-point token according to the parsed data includes: acquiring the public key certificate of the first tenant identity authentication server according to its number; verifying the signature data using that public key certificate, to determine whether the single-point token was sent by the first tenant identity authentication server; if it was, decrypting the verification data using the private key of the second tenant identity authentication server, to determine whether the single-point token was sent to the second tenant identity authentication server; and if it was, the single-point token is successfully verified.
In one possible embodiment, decrypting the verification data using the private key of the second tenant identity authentication server to determine whether the single-point token was sent to the second tenant identity authentication server includes: sending cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, where the cross-tenant single sign-on configuration information requests authorization for cross-tenant single sign-on; and, on receiving the authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server, decrypting the verification data using the private key of the second tenant identity authentication server and determining whether the single-point token was sent to the second tenant identity authentication server.
In one possible embodiment, the parsed data further includes timestamp data, and verifying the single-point token according to the parsed data includes: determining, according to the timestamp data, whether the time at which the single-point token is currently received falls within the allowed time window of the single-point token; and if it does, the single-point token is successfully verified.
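The token generation in the first tenant identity authentication server and the verification in the second (signature check via the issuer's certificate looked up by number, time window, cross-tenant authorisation, decryption of the verification data with the receiver's own private key), written here as an added example; this is not code from the patent or its assignee. RSA-PSS for the signature data, RSA-OAEP for the verification data, the in-memory `Registry` standing in for the multi-tenant identity authentication server and its CA, the 60-second window and the `tenant-A`/`tenant-B` numbers are all this example's assumptions, and the token layout is its own rather than the patent's predefined format.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// SinglePointToken holds the parsed fields the description names (issuer number, timestamp
// data, verification data for the second tenant server, signature data); the layout is this example's own.
type SinglePointToken struct {
	IssuerNumber string
	IssuedAt     int64
	Verification []byte // RSA-OAEP ciphertext that only the second server's private key opens
	Signature    []byte // RSA-PSS signature made with the first server's private key
}

type TenantAuthServer struct {
	Number string
	Key    *rsa.PrivateKey
}

// Registry stands in for the multi-tenant identity authentication server and its CA:
// public keys (certificates) by server number, plus {issuer, audience} pairs authorised for cross-tenant SSO.
type Registry struct {
	PubKeys map[string]*rsa.PublicKey
	Allowed map[[2]string]bool
}

const allowedWindow = 60 * time.Second // assumed validity window of a single-point token

// digest binds issuer number, timestamp and ciphertext under one signature.
func digest(t *SinglePointToken) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%x", t.IssuerNumber, t.IssuedAt, t.Verification)))
	return sum[:]
}

// NewTenantAuthServer generates a key pair and registers the public key (standing in for the CA step).
func NewTenantAuthServer(reg *Registry, number string) *TenantAuthServer {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	reg.PubKeys[number] = &key.PublicKey
	return &TenantAuthServer{Number: number, Key: key}
}

// IssueToken is the first tenant server's step: check authorisation, encrypt the audience's
// number under the audience's public key (verification data), then sign with the issuer's private key.
func (s *TenantAuthServer) IssueToken(reg *Registry, audience string, now time.Time) (*SinglePointToken, error) {
	audPub, ok := reg.PubKeys[audience]
	if !ok || !reg.Allowed[[2]string{s.Number, audience}] {
		return nil, errors.New("cross-tenant single sign-on not authorised for this pair")
	}
	ver, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, audPub, []byte(audience), nil)
	if err != nil {
		return nil, err
	}
	tok := &SinglePointToken{IssuerNumber: s.Number, IssuedAt: now.Unix(), Verification: ver}
	if tok.Signature, err = rsa.SignPSS(rand.Reader, s.Key, crypto.SHA256, digest(tok), nil); err != nil {
		return nil, err
	}
	return tok, nil
}

// VerifyToken is the second tenant server's step, in the description's order: signature check via
// the issuer's certificate, time window, authorisation, then decrypt and confirm the verification data.
func (s *TenantAuthServer) VerifyToken(reg *Registry, tok *SinglePointToken, now time.Time) error {
	issPub, ok := reg.PubKeys[tok.IssuerNumber]
	if !ok || rsa.VerifyPSS(issPub, crypto.SHA256, digest(tok), tok.Signature, nil) != nil {
		return errors.New("not issued by the claimed first tenant server")
	}
	if age := now.Sub(time.Unix(tok.IssuedAt, 0)); age < 0 || age > allowedWindow {
		return errors.New("token outside its allowed time window")
	}
	if !reg.Allowed[[2]string{tok.IssuerNumber, s.Number}] {
		return errors.New("cross-tenant single sign-on not authorised for this pair")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Key, tok.Verification, nil)
	if err != nil || !bytes.Equal(plain, []byte(s.Number)) {
		return errors.New("verification data was not issued for this server")
	}
	return nil
}

func main() {
	reg := &Registry{PubKeys: map[string]*rsa.PublicKey{}, Allowed: map[[2]string]bool{{"tenant-A", "tenant-B"}: true}}
	a, b := NewTenantAuthServer(reg, "tenant-A"), NewTenantAuthServer(reg, "tenant-B")
	tok, err := a.IssueToken(reg, "tenant-B", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("B accepts:", b.VerifyToken(reg, tok, time.Now()))
	fmt.Println("B after the window:", b.VerifyToken(reg, tok, time.Now().Add(2*time.Minute)))
}
```

Because the signature covers the ciphertext as well as the issuer number and timestamp, a token forwarded to a third tenant server fails on decryption, and a token whose issuer number or verification data has been altered fails on the signature check before any decryption is attempted.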
In a fourth aspect, an embodiment of the present application provides a login apparatus for an application program, applied to a terminal device, which includes: a first sending module, configured to send a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction directed at a second application program corresponding to a second tenant identity authentication server while the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server, where the single sign-on request requests single sign-on to the second application program; a first receiving module, configured to receive a single-point token sent by the first tenant identity authentication server, where the single-point token is used to apply for a second login token for the second application program and the second login token is used to establish a session of the second application program; a second sending module, configured to send the single-point token to the second tenant identity authentication server; a second receiving module, configured to receive the second login token sent by the second tenant identity authentication server; and an establishing module, configured to establish a session of the second application program based on the second login token.
In a fifth aspect, an embodiment of the present application provides a login apparatus for an application program, applied to a first tenant identity authentication server, which includes: a first acquisition module, configured to acquire a single sign-on request sent by the terminal device while the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, where the single sign-on request requests single sign-on to a second application program corresponding to a second tenant identity authentication server; a first generation module, configured to generate a single-point token in response to the single sign-on request, where the single-point token is used to apply for a second login token for the second application program and the second login token is used to establish a session of the second application program; and a third sending module, configured to send the single-point token to the terminal device.
In a sixth aspect, an embodiment of the present application provides a login apparatus for an application program, applied to a second tenant identity authentication server, which includes: a second acquisition module, configured to acquire a single-point token sent by the terminal device, where the single-point token is generated by the first tenant identity authentication server in response to a single sign-on request sent by the terminal device while the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, the single sign-on request requests single sign-on to a second application program corresponding to the second tenant identity authentication server, the single-point token is used to apply for a second login token for that second application program, and the second login token is used to establish a session of the second application program; a parsing module, configured to parse the single-point token to obtain its parsed data; a verification module, configured to verify the single-point token according to the parsed data; a second generation module, configured to generate the second login token when the single-point token is successfully verified; and a fourth sending module, configured to send the second login token to the terminal device.
In a seventh aspect, an embodiment of the present application provides a terminal device, including: a processor, a memory, an interactive interface; the memory is for storing executable instructions executable by the processor, the processor being configured to perform the login method of the application program of the first aspect via execution of the executable instructions.
In an eighth aspect, an embodiment of the present application provides a server, including: a processor, a memory, an interactive interface; the memory is for storing executable instructions executable by the processor, the processor being configured to perform the login method of the application program of the second or third aspect via execution of the executable instructions.
In a ninth aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements a login method for an application program of any one of the first to third aspects.
In a tenth aspect, an embodiment of the present application provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the login method of the application program in any one of the first to third aspects.
In the login method, apparatus, device and storage medium for an application program provided in the embodiments of the present application, when a first application program corresponding to a first tenant identity authentication server is already logged in and a session needs to be established on a second application program corresponding to a second tenant identity authentication server, the terminal device sends a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction of the second application program; the first tenant identity authentication server generates a single-point token in response to the request and sends it to the terminal device; the terminal device forwards the single-point token to the second tenant identity authentication server; the second tenant identity authentication server verifies the single-point token and, if verification succeeds, generates a login token for establishing the session of the second application program and sends it to the terminal device; and the terminal device, having obtained the login token, establishes the session on the second application program through it. Single sign-on to cross-tenant application programs is thus realized by logging in to the first application program only once.
Drawings
To illustrate the technical solutions in the embodiments or related art of the present application more clearly, the drawings needed in the description of the embodiments or related art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a login system of an application program according to an embodiment of the present application;
Fig. 2 is a flowchart of a first embodiment of a login method for an application program according to an embodiment of the present application;
Fig. 3 is a flowchart of a second embodiment of a login method for an application program according to the present application;
Fig. 4 is a flowchart of a third embodiment of a login method for an application program according to the present application;
Fig. 5 is a schematic structural diagram of a first embodiment of a login device of an application program according to the present application;
Fig. 6 is a schematic structural diagram of a second embodiment of a login device of an application program according to the present application;
Fig. 7 is a schematic structural diagram of a third embodiment of a login device of an application program according to the present application;
Fig. 8 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments that can be made by one skilled in the art based on the embodiments in the present application in light of the present disclosure are within the scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the above-described drawings (if any) are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The terms referred to in the present application are explained first below.
User: a natural person who logs in to a particular application program.
Tenant: a tenant may include a plurality of users.
Multi-tenant identity authentication server: the identity authentication server defined in the present application, which externally provides a SaaS multi-tenant identity authentication service and supports multi-tenant user management, identity authentication and single sign-on.
Tenant identity authentication server: the identity authentication server of a specific tenant, comprising a user management module, an identity authentication module, a single sign-on module and an interface. Each tenant has its own independent identity authentication server, but the identity authentication servers of different tenants can be created from a unified standard template.
Cross-tenant single sign-on: between tenant identity authentication servers that have different identity authentication services and different user names and passwords, an application program that is already logged in can jump to another by single sign-on without the user name and password being entered again.
Certificate Authority (CA): the authority that issues digital certificates, also called a digital certificate authority. It is responsible for issuing and managing digital certificates, acts as a trusted third party in e-commerce transactions, and is responsible for verifying the validity of public keys in the public key system.
The related art described in the background has at least the following technical problems:
At present, because a centralized identity authentication server uniformly manages user information, user passwords, login tokens and single-point tokens, all accessed application programs share one set of services, and it is difficult to support the requirement, in a multi-tenant scenario, that each tenant independently manages its own user information and password information. Moreover, when single sign-on is implemented, a user can achieve single sign-on through a centralized single-point token only when accessing application systems of the same identity authentication server; for application systems that access different identity authentication servers, single sign-on of the user cannot be implemented. Therefore, in the related art, when single sign-on is implemented, a user cannot perform single sign-on for application systems that access different identity authentication servers.
To solve the above problems, the present application provides a login method for an application program, in which a first application program accesses a first tenant identity authentication server and a second application program accesses a second tenant identity authentication server. After the first application program has successfully logged in, the terminal device, in response to a single sign-on instruction of the second application program, sends a single sign-on request to the first tenant identity authentication server; the first tenant identity authentication server generates a single-point token; the terminal device forwards the single-point token to the second tenant identity authentication server; the second tenant identity authentication server verifies the single-point token and, if verification succeeds, generates a login token for establishing a session of the second application program and sends it to the terminal device; and after the terminal device obtains the login token, a session on the second application program can be established through it. Single sign-on to cross-tenant application programs is thus realized by logging in to the first application program only once.
In one embodiment, the login method of the application program may be applied in the following application scenario. Fig. 1 is a schematic structural diagram of a login system of an application program according to an embodiment of the present application. As shown in Fig. 1, in this scenario the login system of the application program may include an access service, a first tenant identity authentication server, a second tenant identity authentication server, a third tenant identity authentication server, and a multi-tenant identity authentication server.
In the above scenario, the plurality of application programs in Fig. 1 are shown as application 1 to application 6: application 1 and application 2 access the first tenant identity authentication server through the access service, application 3 and application 4 access the second tenant identity authentication server through the access service, and application 5 and application 6 access the third tenant identity authentication server through the access service. Each tenant identity authentication server may include a user management module, a single sign-on service and an identity authentication module, where the user management module manages the users in the tenant, the single sign-on service implements single sign-on, and the identity authentication module authenticates the identity of the user and of the application program.
In the above scenario, the multi-tenant identity authentication server may further include a tenant management module, a single sign-on service, and a certificate authority, where the tenant management module may be configured to manage multiple tenant identity authentication servers, the single sign-on service may be configured to implement single sign-on of the same tenant or across tenants, and the certificate authority may be configured to issue and manage digital certificates.
With reference to the above scenario, the following describes in detail a technical solution of the login method of the application program provided in the present application through several specific embodiments.
Fig. 2 is a flowchart of a first embodiment of a login method for an application program according to an embodiment of the present application. As shown in Fig. 2, the method is applied to a terminal device and includes the following steps:
S201: when the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, in response to a single sign-on instruction directed at a second application program corresponding to the second tenant identity authentication server, send a single sign-on request to the first tenant identity authentication server.
In this step, the single sign-on request is for requesting single sign-on to the second application.
In this scheme, a user belonging to the tenant of the first tenant identity authentication server can log in to the first application program on the terminal device with a user name and password. Once the first application program is logged in, a user who wants to log in to the second application program does not need to enter the user name and password again: a single sign-on instruction can be issued through the second application program, and after responding to that instruction the terminal device sends a single sign-on request to the first tenant identity authentication server to request single sign-on to the second application program.
In the above scheme, the application program may also be referred to as a tenant application, and one tenant identity authentication server may access multiple application programs to support login and single sign-on thereof.
In the above solution, when the first tenant identity authentication server and the second tenant identity authentication server are established, they may be established using a unified specification.
S202: and receiving the single-point token sent by the first tenant identity authentication server.
In this step, the single-point token is used to apply for a second logon token for the second application, which is used to establish a session for the second application.
In the above scheme, after the first tenant identity authentication server receives the single sign-on request sent by the terminal device, the single sign-on request may be responded to generate the single sign-on token, and the single sign-on token may be sent to the terminal device. The second application program in the terminal equipment can intercept and acquire the single-point token.
In the above scheme, the first tenant identity authentication server may encrypt the generated single-point token using a public key certificate of the second tenant identity authentication server, where the format of the encrypted single-point token is a predefined format, and then send the encrypted single-point token to the terminal device.
In this scheme, the single-point token is valid only within a short time window and contains all the information required for single sign-on, such as plaintext data, source tenant signature data and target tenant verification data. The second login token is the token obtained from the second tenant identity authentication server after the user logs in to the second application program; it has a longer validity period and is used, among other things, to maintain the session on the second application program.
S203: Send the single-point token to the second tenant identity authentication server.
In this step, after receiving the single-point token sent by the first tenant identity authentication server, the terminal device may forward it to the second tenant identity authentication server.
In the above scheme, after receiving the single-point token, the second tenant identity authentication server may decrypt it using the private key of the second tenant identity authentication server and then verify it. If the single-point token passes verification at the second tenant identity authentication server, a second login token can be generated and sent to the terminal device.
S204: Receive the second login token sent by the second tenant identity authentication server.
S205: a session for the second application is established based on the second login token.
In this step, after receiving the second login token sent by the second tenant identity authentication server, the terminal device may save the second login token through the second application program, and establish a session of the user on the second application program through the second login token.
In the login method for the application program provided in this embodiment, when the terminal device has logged in the first application program corresponding to the first tenant identity authentication server, if a session needs to be established on the second application program corresponding to the second tenant identity authentication server, the terminal device may send a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction of the second application program; then the terminal equipment can receive the single-point token sent by the first tenant identity authentication server and forward the single-point token to the second tenant identity authentication server for verification; and then receiving a second login token sent by the second tenant identity authentication server, and establishing a session on the second application program through the second login token. Therefore, the user only needs to log in the first application once, and single sign-on of the second application across tenants can be realized, so that a session on the second application is established.
In one embodiment, before sending the single sign-on request to the first tenant identity authentication server, the sign-on method further includes: responding to successful login of the first application program, and sending login success information to the first tenant identity authentication server; receiving a first login token sent by a first tenant identity authentication server, wherein the first login token is used for establishing a session of a first application program; a session for the first application is established based on the first login token.
In this scheme, after the user successfully logs in to the first application program with a user name and password, the terminal device may send login success information to the first tenant identity authentication server to inform it that the first application program has been logged in. Having determined that the first application program has been logged in successfully, the first tenant identity authentication server may generate a first login token and send it to the terminal device, and after receiving the first login token the terminal device may establish the user's session on the first application program according to it.
Fig. 3 is a flowchart of a second embodiment of a login method of an application program according to an embodiment of the present application, and as shown in fig. 3, the method is applied to a first tenant identity authentication server, and includes the following steps:
S301: When the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, acquire the single sign-on request sent by the terminal device.
In this step, the single sign-on request is used to request a single sign-on to a second application program corresponding to the second tenant identity authentication server.
In the above scheme, a user belonging to the tenant of the first tenant identity authentication server may log in to the first application program on the terminal device with a user name and password. After the first application program is logged in, a user who wants to log in to the second application program need not enter the user name and password again; instead, a single sign-on instruction may be issued through the second application program, and after responding to that instruction the terminal device may send a single sign-on request to the first tenant identity authentication server to request single sign-on to the second application program.
S302: Respond to the single sign-on request by generating a single-point token.
In this step, the single-point token is used to apply for a second login token for the second application program, and the second login token is used to establish a session for the second application program.
In the above solution, after receiving the single sign-on request sent by the terminal device, the first tenant identity authentication server determines that the user wants to establish a session on the second application program, and therefore may generate a single-point token with which to apply to the second tenant identity authentication server for the second login token.
S303: Send the single-point token to the terminal device.
In this step, after the first tenant identity authentication server generates the single-point token, it may encrypt the token using the public key certificate of the second tenant identity authentication server, with the encrypted single-point token in a predefined format, and then send the encrypted single-point token to the terminal device.
In the scheme, the single-point token in the predefined format is used, so that data processing between different tenant identity authentication servers is simpler and more convenient.
In the login method for the application program provided in this embodiment, when the terminal device has logged in the first application program corresponding to the first tenant identity authentication server, if a session needs to be established on the second application program corresponding to the second tenant identity authentication server, the terminal device may send a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction of the second application program; then the terminal equipment can receive the single-point token sent by the first tenant identity authentication server and forward the single-point token to the second tenant identity authentication server for verification; and then receiving a second login token sent by the second tenant identity authentication server, and establishing a session on the second application program through the second login token. Therefore, the user only needs to log in the first application once, and single sign-on of the second application across tenants can be realized, so that a session on the second application is established.
In one embodiment, the single-point token includes signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and generating the single-point token includes: generating the signature data of the first tenant identity authentication server using the private key of the first tenant identity authentication server; and generating the verification data of the second tenant identity authentication server using the public key certificate of the second tenant identity authentication server.
In the scheme, the single-point token is sent by the first tenant identity authentication server, so that the first tenant identity authentication server can be a source tenant identity authentication server of the single-point token, and the single-point token needs to be sent to the second tenant identity authentication server, and therefore the second tenant identity authentication server can be a target tenant identity authentication server of the single-point token.
In the above scheme, the single-point token includes signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, so that when the single-point token is generated by the first tenant identity authentication server, the signature data of the first tenant identity authentication server can be generated by using a private key of the first tenant identity authentication server, and the verification data of the second tenant identity authentication server can be generated by using a public key certificate of the second tenant identity authentication server.
In the above solution, in addition to the signature data of the first tenant identity authentication server and the verification data of the second tenant identity authentication server, the single-point token further includes plaintext data, which consists of the ID of the source tenant identity authentication server, the ID of the target tenant identity authentication server, a source user ID, a random character string and timestamp data. The ID of the source tenant identity authentication server may be source tenant identification information, such as AA; the ID of the target tenant identity authentication server may be target tenant identification information, for example BB. The source user ID may be the ID, in the source tenant identity authentication server, of the user who needs single sign-on, and is generally relatively fixed information such as a user account name or a user mobile phone number. The random character string may be a random string of length 32 and ensures that different single-point tokens differ from one another. The timestamp data may be the time at which the first tenant identity authentication server generated the single-point token, including year, month, day, hour, minute and second, for example 20211215120530; it is used to determine the validity period of the single-point token (in general the allowed validity window may be within 5 seconds from the timestamp), so that the single-point token is usable only for a short time.
In the above scheme, the single-point token may further involve digest data, which is the result of hashing the plaintext data with a specified digest algorithm; the digest is only intermediate (process) data.
In the foregoing solution, the signature data of the first tenant identity authentication server may be the data obtained by digitally signing the digest data on the first tenant identity authentication server side with the private key of the first tenant identity authentication server (that is, the digest data encrypted with that private key). The signature data ensures that the single-point token was generated by the first tenant identity authentication server, which confirms that the single sign-on operation is authorized by the first tenant identity authentication server and that the single-point token data has not been tampered with.
In the above scheme, the verification data of the second tenant identity authentication server may be the data obtained by encrypting the digest data on the first tenant identity authentication server side with the public key certificate of the second tenant identity authentication server, and is used to support verification of the single sign-on by the second tenant identity authentication server. Because the verification data can be decrypted and checked only with the private key of the second tenant identity authentication server, it confirms that the second tenant identity authentication server is the genuine intended recipient of the single-point token.
In the above scheme, the first tenant identity authentication server may generate plaintext data while generating signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, so as to obtain the single-point token, and after encrypting the single-point token with the public key certificate of the second tenant identity authentication server, the single-point token is sent to the terminal device.
In one embodiment, before generating the verification data of the second tenant identity authentication server by using the public key certificate of the second tenant identity authentication server, the login method further includes: sending cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, wherein the cross-tenant single sign-on configuration information is used for requesting authorization for cross-tenant single sign-on; receiving authorized cross-tenant single sign-on information sent by a multi-tenant identity authentication server; and acquiring the public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information.
In the scheme, before the first tenant identity authentication server adopts the public key certificate of the second tenant identity authentication server to generate the verification data of the second tenant identity authentication server, the public key certificate of the second tenant identity authentication server needs to be acquired under the condition that the multi-tenant identity authentication server authorizes single sign-on, so that the single sign-on of the second application program of the cross-tenant is realized. Therefore, the first tenant identity authentication server can submit the cross-tenant single sign-on configuration information to the multi-tenant identity authentication server, so that the multi-tenant identity authentication server can conveniently determine whether the cross-tenant single sign-on is authorized. After the multi-tenant identity authentication server authorizes cross-tenant single sign-on, a public key certificate of a second tenant identity authentication server issued by a CA can be acquired.
In the above scheme, other tenant identity authentication servers established according to the unified specification may also obtain the public key certificate through the CA.
In the above scheme, the multi-tenant identity authentication server may receive the public key certificate of another tenant identity authentication server authorized to perform single sign-on across tenants, and may periodically update the public key certificate.
In the above solution, the multi-tenant identity authentication server logically comprises the identity authentication services of multiple tenant identity authentication servers (which may be regarded as sub-tenant identity authentication servers of the multi-tenant identity authentication server), a common access service, a common single sign-on service, a CA module and the like. When a new tenant applies for the identity authentication service, an independent application program and data service can be established from the unified standard template image.
In the above scheme, the application services and application data (user data, password data, single-point token data, and the like) between different tenant identity authentication servers are independent and isolated from each other, and cannot be directly accessed, but can be accessed only through a public interface.
In one embodiment, before generating the single point token, the login method further comprises: under the condition that the first tenant identity authentication server is successfully registered, generating a private key and a public key of the first tenant identity authentication server according to tenant information of a tenant corresponding to the first tenant identity authentication server; based on the public key, sending an application request of a public key certificate to a digital certificate certification authority; and acquiring the public key certificate sent by the digital certificate certification authority.
In this scheme, the first tenant identity authentication server must be successfully registered before it generates the single-point token. It can then generate a private key and a public key (a key pair) according to the tenant information; the private key is kept by the first tenant identity authentication server, and the public key is used to generate a P10 (PKCS#10) certificate request, which can include the tenant's ID information. The first tenant identity authentication server submits the P10 certificate request to the CA and the multi-tenant identity authentication server; the multi-tenant identity authentication server manually checks and approves the request and, once it passes, calls the CA to issue the public key certificate of the first tenant identity authentication server, which the first tenant identity authentication server then receives from the CA.
In the above scheme, the first tenant identity authentication server may also download the public key certificates of the other accessed tenant identity authentication servers established according to the unified specification.
In the above solution, similarly, the private key, the public key, and the public key certificate of the second tenant identity authentication server may also be obtained in this manner.
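The enrollment procedure described above, as an added example in Go that is not part of this application: the tenant side generates its key pair and a P10 request carrying the tenant ID, and the multi-tenant server/CA side checks the request, approves only a registered tenant ID, and issues the certificate. Assumed details not given in the description: RSA keys, the tenant ID placed in the request's subject Common Name, a map of registered tenant IDs standing in for the manual approval, and a self-signed CA created inline for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewCertRequest is the tenant side: generate the key pair and build a P10 (PKCS#10)
// request whose subject carries the tenant ID. The private key never leaves the tenant.
func NewCertRequest(tenantID string) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject: pkix.Name{CommonName: tenantID, OrganizationalUnit: []string{"tenant identity authentication server"}},
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, csrDER, nil
}

// ApproveAndIssue is the multi-tenant server and CA side: check the request's
// self-signature (proof that the requester holds the private key), approve only a
// registered tenant ID, then have the CA sign a certificate for the requested public key.
func ApproveAndIssue(caCert *x509.Certificate, caKey *rsa.PrivateKey, registered map[string]bool, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if !registered[csr.Subject.CommonName] {
		return nil, errors.New("tenant ID in request is not registered: request rejected")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a self-signed CA for the example (a deployment would use the CA module
// of the multi-tenant identity authentication server instead).
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "multi-tenant CA (example)"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```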
Fig. 4 is a flowchart of a third embodiment of a login method of an application program according to an embodiment of the present application, and as shown in fig. 4, the method is applied to a second tenant identity authentication server, and includes the following steps:
S401: Acquire the single-point token sent by the terminal device.
In this step, the single-point token was generated by the first tenant identity authentication server in response to a single sign-on request sent by the terminal device while the terminal device was logged in to the first application program corresponding to the first tenant identity authentication server. The single sign-on request requests single sign-on to a second application program corresponding to the second tenant identity authentication server; the single-point token is used to apply for a second login token of that second application program, and the second login token is used to establish a session for the second application program.
In the above scheme, after the first tenant identity authentication server generates the single point token, the single point token is sent to the terminal device, and after the terminal device receives the single point token sent by the first tenant identity authentication server, the single point token is forwarded to the second tenant identity authentication server.
S402: Parse the single-point token to obtain parsed data.
In this step, because the single-point token is sent by the first tenant identity authentication server, the first tenant identity authentication server is the source tenant identity authentication server of the token, and because the token must be sent to the second tenant identity authentication server, the second tenant identity authentication server is its target tenant identity authentication server.
In the above scheme, the single-point token generated by the first tenant identity authentication server is encrypted with the public key certificate of the second tenant identity authentication server, so after receiving it the second tenant identity authentication server can decrypt it with its own private key to obtain the parsed data. The parsed data, that is, the pieces of data obtained by decrypting the single-point token, may include: plaintext data (the ID of the source tenant identity authentication server, the ID of the target tenant identity authentication server, the source user ID, the random character string and the timestamp data) + the signature data of the first tenant identity authentication server + the verification data of the second tenant identity authentication server.
S403: Verify the single-point token according to the parsed data.
In this step, after the parsed data is obtained, each piece of data in it may be verified in turn so as to verify the single-point token.
If every piece of the parsed data is verified successfully, the single-point token is determined to be verified successfully; if any piece of the parsed data fails verification, the single-point token is determined not to have been verified successfully.
S404: If the single-point token is verified successfully, generate a second login token.
In this step, if the single-point token is successfully verified, the second tenant identity authentication server determines that the user needs to log in to the second application program, and therefore may generate a second login token so that a session can be established on the second application program.
S405: Send the second login token to the terminal device.
In the login method for the application program provided in this embodiment, when the terminal device has logged in the first application program corresponding to the first tenant identity authentication server, if a session needs to be established on the second application program corresponding to the second tenant identity authentication server, the terminal device may send a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction of the second application program; then the terminal equipment can receive the single-point token sent by the first tenant identity authentication server and forward the single-point token to the second tenant identity authentication server for verification; and then receiving a second login token sent by the second tenant identity authentication server, and establishing a session on the second application program through the second login token. Therefore, the user only needs to log in the first application once, and single sign-on of the second application across tenants can be realized, so that a session on the second application is established.
In one embodiment, the parsed data includes the number of the first tenant identity authentication server, the signature data of the first tenant identity authentication server and the verification data of the second tenant identity authentication server, and verifying the single-point token according to the parsed data includes: acquiring the public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server; verifying the signature data with that public key certificate to determine whether the single-point token was sent by the first tenant identity authentication server; if the single-point token was sent by the first tenant identity authentication server, decrypting the verification data with the private key of the second tenant identity authentication server to determine whether the single-point token was sent to the second tenant identity authentication server; and if the single-point token was sent to the second tenant identity authentication server, the single-point token is verified successfully.
In this scheme, when the second tenant identity authentication server verifies the single-point token according to the parsed data, it may first inspect the ID of the source tenant identity authentication server in the parsed data, that is, the ID of the first tenant identity authentication server, and look up the public key certificate of the first tenant identity authentication server; then use that public key certificate to verify whether the source of the single-point token is the first tenant identity authentication server; if so, decrypt the verification data of the second tenant identity authentication server with the private key of the second tenant identity authentication server to determine whether the target of the single-point token is the second tenant identity authentication server; and if the single-point token is targeted at the second tenant identity authentication server, determine that the single-point token is verified successfully.
In the above scheme, after the single-point token is determined to be targeted at the second tenant identity authentication server, whether the source user ID in the parsed data exists may also be checked, and if it does not exist, registration of a new user may be prompted.
In the above solution, whether the single-point token was issued to the second tenant identity authentication server may additionally be determined by checking the ID of the target tenant identity authentication server in the parsed data.
In the above scheme, if the public key certificate of the first tenant identity authentication server is missing when the second tenant identity authentication server searches for it, the second tenant identity authentication server needs to download that certificate.
In one embodiment, decrypting the verification data with the private key of the second tenant identity authentication server to determine whether the single-point token was sent to the second tenant identity authentication server includes: sending cross-tenant single sign-on configuration information to the multi-tenant identity authentication server, the configuration information requesting authorization for cross-tenant single sign-on; and, on receiving the authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server, decrypting the verification data with the private key of the second tenant identity authentication server and determining whether the single-point token was sent to the second tenant identity authentication server.
In this scheme, the target tenant identity authentication server differs from the source tenant identity authentication server, so the target tenant identity authentication server needs to send cross-tenant single sign-on configuration information to the multi-tenant identity authentication server to confirm whether cross-tenant single sign-on is allowed: if it is allowed, the single sign-on continues; if it is not allowed, the single sign-on is rejected. If the multi-tenant identity authentication server authorizes cross-tenant single sign-on, the second tenant identity authentication server can decrypt the verification data with its private key and so determine whether the single-point token was sent to it.
In one embodiment, the parsing data further includes timestamp data, validating the single-point token according to the parsing data, including: determining whether the time of currently receiving the single-point token is within an allowed time window of the single-point token according to the timestamp data; and if the time of currently receiving the single-point token is within the allowed time window of the single-point token, the single-point token is successfully verified.
In this scheme, the timestamp data may be the time when the first tenant identity authentication server generates the single point token, and includes year, month, day, hour, minute and second information, and the timestamp data may be used to determine the validity period of the single point token, for example, an allowable validity period window may be within 5 seconds from the start of the timestamp in general, and the timestamp data may be used to limit that the single point token is only available in a short time.
In the above scheme, the second tenant identity authentication server verifies the timestamp data in the parsed data by determining whether the time at which it received the single-point token falls within the validity window allowed by the timestamp data. If it does, the single-point token is successfully verified; if it does not, verification of the single-point token fails. This improves the success rate of single sign-on of the cross-tenant application program.
In an embodiment, the technical scheme provided by the application can realize single sign-on of an application program within a tenant in addition to single sign-on of a cross-tenant application program.
In this scenario, two different applications of the first tenant identity authentication server are taken as an example; to distinguish them from the applications in the cross-tenant single sign-on described above, they are called the third application and the fourth application here.
In the above scheme, the user first logs in to the third application with a username and password. After successful login, the terminal device obtains the login token of the third application sent by the first tenant identity authentication server and establishes the user's session on the third application. If the user then wants to log in to the fourth application, the user issues a single sign-on instruction through the fourth application, and the terminal device responds to that instruction by sending a single sign-on request to the first tenant identity authentication server. In response to the single sign-on request, the first tenant identity authentication server generates a single-point token (the generation method may follow the cross-tenant single sign-on embodiment described above) and sends it to the terminal device. After the terminal device receives the single-point token, the fourth application intercepts it, and the terminal device sends the single-point token back to the first tenant identity authentication server through the fourth application for verification (the verification method may likewise follow the corresponding method in the cross-tenant single sign-on embodiment). After the first tenant identity authentication server successfully verifies the single-point token, it generates a login token for the fourth application and sends it to the terminal device; the terminal device, after receiving the login token of the fourth application, establishes a session on the fourth application using that login token.
The login method for the application program provided by this embodiment realizes single sign-on of applications between different tenant identity authentication servers, while those servers remain isolated from one another, on the basis of digital certificates, a predefined login token encrypted with the digital certificate, a single-point token, and so on, and thereby supports fast single sign-on of cross-tenant applications. The digital-certificate-based single sign-on verification mechanism also secures the single sign-on process. Generation and verification of the single-point token do not depend on any data beyond the token itself: the single-point token carries the necessary information, such as the ID of the source tenant, the ID of the target tenant, the ID of the source user and timestamp data, can be stored locally, and reduces the online verification services that single sign-on requires. Furthermore, in a multi-tenant scenario the tenants corresponding to the different tenant identity authentication servers may be independent; each tenant identity authentication server keeps its own independently managed user information, user passwords and so on, which protects personal data. Finally, the scheme supports a single sign-on mechanism with the applications of other tenant identity authentication servers, letting those applications quickly create users and perform single sign-on, so that a service can be rolled out quickly.
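The following is an added example, not code from the patent, showing the single-point token described above (source tenant ID, target tenant ID, source user ID, timestamp, signature data and verification data) and the second tenant server's verification order from the preceding paragraphs: look up the source certificate by number, check the signature, confirm cross-tenant authorization, decrypt the verification data, then check the time window. It uses only Go's standard library; the tenant numbers, the `CertDirectory` map standing in for certificate lookup, the `Authorizer` callback standing in for the multi-tenant identity authentication server, the choice of RSA-PSS and RSA-OAEP over SHA-256, and the binding of the verification data to the payload hash are all assumptions, since the page fixes none of them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)
type (
	TenantID      string                       // number of a tenant identity authentication server
	CertDirectory map[TenantID]*rsa.PublicKey  // stands in for certificates looked up by number
	Authorizer    func(src, dst TenantID) bool // stands in for the multi-tenant server's answer
	TenantServer  struct {                     // one tenant identity authentication server
		ID   TenantID
		priv *rsa.PrivateKey
	}
)

// tokenPayload holds the fields the page lists for the single-point token.
type tokenPayload struct {
	SourceTenant TenantID `json:"source_tenant"`
	TargetTenant TenantID `json:"target_tenant"`
	SourceUser   string   `json:"source_user"`
	IssuedAt     int64    `json:"issued_at"` // Unix seconds at the first tenant server
}

// SinglePointToken is the payload plus signature data (made with the source tenant's private
// key) and verification data (sealed with the target tenant's public key certificate).
type SinglePointToken struct {
	Payload      []byte // JSON-encoded tokenPayload, signed as exact bytes
	Signature    []byte // RSA-PSS signature over SHA-256(Payload)
	Verification []byte // RSA-OAEP ciphertext of target ID || SHA-256(Payload)
}

// NewTenantServer generates the key pair the page has each server create after registration.
func NewTenantServer(id TenantID) (*TenantServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &TenantServer{ID: id, priv: priv}, nil
}

// IssueToken (first tenant server): sign the payload, then seal the target's number, bound
// to the payload hash, with the target's public key so only the target tenant can open it.
func (s *TenantServer) IssueToken(dir CertDirectory, target TenantID, user string, now time.Time) (*SinglePointToken, error) {
	targetPub, ok := dir[target]
	if !ok {
		return nil, fmt.Errorf("no public key certificate for tenant %q", target)
	}
	payload, _ := json.Marshal(tokenPayload{s.ID, target, user, now.Unix()}) // cannot fail here
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sealed := []byte(string(target) + string(digest[:]))
	ver, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, targetPub, sealed, nil)
	if err != nil {
		return nil, err
	}
	return &SinglePointToken{Payload: payload, Signature: sig, Verification: ver}, nil
}

// VerifyToken (second tenant server), in the page's order: parse, look up the source certificate
// by number, check the signature, confirm authorization, open the verification data, check time.
func (s *TenantServer) VerifyToken(dir CertDirectory, auth Authorizer, tok *SinglePointToken, now time.Time, window time.Duration) error {
	var p tokenPayload
	if err := json.Unmarshal(tok.Payload, &p); err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	sourcePub, ok := dir[p.SourceTenant]
	if !ok {
		return fmt.Errorf("unknown source tenant %q", p.SourceTenant)
	}
	digest := sha256.Sum256(tok.Payload)
	if rsa.VerifyPSS(sourcePub, crypto.SHA256, digest[:], tok.Signature, nil) != nil {
		return errors.New("signature data is not from the claimed source tenant")
	}
	if !auth(p.SourceTenant, s.ID) {
		return errors.New("cross-tenant single sign-on not authorized")
	}
	sealed, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, tok.Verification, nil)
	if err != nil {
		return errors.New("verification data was not sealed for this server")
	}
	if p.TargetTenant != s.ID || string(sealed) != string(s.ID)+string(digest[:]) {
		return errors.New("token is addressed to a different tenant")
	}
	if age := now.Sub(time.Unix(p.IssuedAt, 0)); age < 0 || age > window { // allow skew in practice
		return fmt.Errorf("token outside the allowed %s window", window)
	}
	return nil
}
```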
In general, the technical scheme provided by the application realizes both single sign-on of an application program within a tenant and single sign-on of an application program across tenants.
The embodiment of the application also provides a login apparatus for an application program, which is applied to a terminal device. Fig. 5 is a schematic structural diagram of a first embodiment of a login apparatus for an application according to an embodiment of the present application, and as shown in fig. 5, the login apparatus 500 for an application includes:
a first sending module 501, configured to, when the terminal device has logged in to a first application program corresponding to a first tenant identity authentication server, send a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction directed at a second application program corresponding to a second tenant identity authentication server, where the single sign-on request is used to request single sign-on of the second application program;
a first receiving module 502, configured to receive a single-point token sent by a first tenant identity authentication server, where the single-point token is used to apply for a second login token of a second application, and the second login token is used to establish a session of the second application;
a second sending module 503, configured to send the single-point token to the second tenant identity authentication server;
a second receiving module 504, configured to receive a second login token sent by a second tenant identity authentication server;
an establishing module 505 for establishing a session of the second application based on the second login token.
Optionally, the login apparatus 500 of the application further includes a first processing module (not shown), where the first processing module is specifically configured to: before the single sign-on request is sent to the first tenant identity authentication server, send login success information to the first tenant identity authentication server in response to successful login of the first application program; receive a first login token sent by the first tenant identity authentication server, where the first login token is used to establish a session of the first application program; and establish a session of the first application based on the first login token.
The login apparatus of the application program provided in this embodiment is used to execute the technical solution of the login method of the application program applied to the terminal device in the foregoing method embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the application also provides a login device of the application program, which is applied to the first tenant identity authentication server. Fig. 6 is a schematic structural diagram of a second embodiment of a login apparatus for an application program according to the embodiment of the present application, and as shown in fig. 6, the login apparatus 600 for an application program includes:
a first obtaining module 601, configured to obtain a single sign-on request sent by a terminal device when the terminal device has already logged in a first application corresponding to a first tenant identity authentication server, where the single sign-on request is used to request to single sign-on a second application corresponding to a second tenant identity authentication server;
a first generating module 602, configured to generate a single-point token in response to the single sign-on request, where the single-point token is used to apply for a second login token of the second application, and the second login token is used to establish a session of the second application;
a third sending module 603, configured to send the single-point token to the terminal device.
Optionally, the single-point token includes signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and the first generating module 602 is further specifically configured to: generating signature data of the first tenant identity authentication server by adopting a private key of the first tenant identity authentication server; and generating verification data of the second tenant identity authentication server by adopting the public key certificate of the second tenant identity authentication server.
Optionally, the login apparatus 600 of the application further includes a second processing module (not shown), where the second processing module is specifically configured to: sending cross-tenant single sign-on configuration information to the multi-tenant identity authentication server before generating verification data of the second tenant identity authentication server by adopting a public key certificate of the second tenant identity authentication server, wherein the cross-tenant single sign-on configuration information is used for requesting authorization for cross-tenant single sign-on; receiving authorized cross-tenant single sign-on information sent by a multi-tenant identity authentication server; and acquiring the public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information.
Optionally, the login apparatus 600 of the application further includes a third processing module (not shown), where the third processing module is specifically configured to: under the condition that the first tenant identity authentication server is successfully registered, generating a private key and a public key of the first tenant identity authentication server according to tenant information of a tenant corresponding to the first tenant identity authentication server; based on the public key, sending an application request of a public key certificate to a digital certificate certification authority; and acquiring the public key certificate sent by the digital certificate certification authority.
The login device of the application program provided in this embodiment is used to execute the technical solution of the login method of the application program applied to the first tenant identity authentication server in the foregoing method embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the application also provides a login device of the application program, which is applied to a second tenant identity authentication server. Fig. 7 is a schematic structural diagram of a third embodiment of an application login apparatus according to an embodiment of the present application, and as shown in fig. 7, the application login apparatus 700 includes:
a second obtaining module 701, configured to obtain a single-point token sent by a terminal device, where the single-point token is generated by a first tenant identity authentication server in response to a single sign-on request sent by the terminal device when the terminal device has logged in to a first application corresponding to the first tenant identity authentication server, the single sign-on request is used to request single sign-on of a second application corresponding to the second tenant identity authentication server, the single-point token is used to apply for a second login token of the second application, and the second login token is used to establish a session of the second application;
a parsing module 702, configured to parse the single-point token to obtain parsed data of the single-point token;
a verification module 703, configured to verify the single-point token according to the parsed data;
a second generating module 704, configured to generate a second login token if the single-point token is successfully verified;
a fourth sending module 705, configured to send the second login token to the terminal device.
Optionally, the parsed data includes a number of the first tenant identity authentication server, signature data of the first tenant identity authentication server, and verification data of the second tenant identity authentication server, and the verification module 703 is specifically configured to: acquire a public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server; verify the signature data using the public key certificate of the first tenant identity authentication server, and determine whether the single-point token was sent by the first tenant identity authentication server; if the single-point token was sent by the first tenant identity authentication server, decrypt the verification data using the private key of the second tenant identity authentication server, and determine whether the single-point token was sent to the second tenant identity authentication server; and if the single-point token was sent to the second tenant identity authentication server, treat the single-point token as successfully verified.
Optionally, when the verification module 703 decrypts the verification data using the private key of the second tenant identity authentication server and determines whether the single-point token was sent to the second tenant identity authentication server, the verification module is further specifically configured to: send cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, where the cross-tenant single sign-on configuration information is used to request authorization for cross-tenant single sign-on; and, on receiving the authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server, decrypt the verification data using the private key of the second tenant identity authentication server and determine whether the single-point token was sent to the second tenant identity authentication server.
Optionally, the parsed data further includes timestamp data, and the verification module 703 is further specifically configured to: determine, according to the timestamp data, whether the time at which the single-point token is currently received is within the allowed time window of the single-point token; and if it is, treat the single-point token as successfully verified.
The login device of the application program provided in this embodiment is used to execute the technical solution of the login method of the application program applied to the second tenant identity authentication server in the foregoing method embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 8 is a schematic structural diagram of a terminal device provided in an embodiment of the present application, and as shown in fig. 8, the terminal device 800 includes:
processor 811, memory 812, interactive interface 813;
the memory 812 is used for storing executable instructions executable by the processor 811, and the processor 811 is configured to carry out, by executing those instructions, the login method of the application program applied to the terminal device provided by the foregoing method embodiment.
In the terminal device, the memory 812, the processor 811 and the interaction interface 813 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines, such as a bus. The memory 812 stores therein computer-executable instructions for implementing a login method of an application program applied to the terminal device, including at least one software functional module that can be stored in the memory in the form of software or firmware, and the processor 811 executes various functional applications and data processing by running the software programs and modules stored in the memory 812.
Fig. 9 is a schematic structural diagram of a server provided in the embodiment of the present application, and the server may be provided as a computer, for example. Referring to fig. 9, the server 900 includes a processing component 901 that further includes one or more processors and memory resources, represented by memory 902, for storing instructions, such as application programs, that are executable by the processing component 901. The application programs stored in memory 902 may include one or more modules that each correspond to a set of instructions. Furthermore, the processing component 901 is configured to execute instructions to perform any of the above-described method embodiments.
The server 900 may also include a power component 903, the power component 903 configured to perform power management of the server 900, a wired or wireless network interface 904 configured to connect the server 900 to a network, and an input/output (I/O) interface 905. The server 900 may operate based on an operating system stored in memory 902, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
The memory may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory is used for storing programs, and the processor executes the programs after receiving the execution instructions. Further, the software programs and modules within the aforementioned memory may also include an operating system, which may include various software components and/or drivers for managing system tasks (e.g., memory management, storage device control, power management, etc.), and may communicate with various hardware or software components to provide an operating environment for other software components.
The processor may be an integrated circuit chip having signal processing capabilities. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like, and may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium includes a program, and the program is used, when executed by a processor, to implement a technical solution of a login method of an application program provided in the method embodiment.
The embodiment of the present application further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program is used to implement the technical solution of the login method of the application program provided in the method embodiment.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (16)

1. A login method of an application program, applied to a terminal device, the login method comprising the following steps:
when the terminal device has logged in to a first application program corresponding to a first tenant identity authentication server, sending a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction directed at a second application program corresponding to a second tenant identity authentication server, wherein the single sign-on request is used for requesting single sign-on of the second application program;
receiving a single-point token sent by the first tenant identity authentication server, wherein the single-point token is used for applying for a second login token of the second application program, and the second login token is used for establishing a session of the second application program;
sending the single-point token to the second tenant identity authentication server;
receiving the second login token sent by the second tenant identity authentication server;
establishing a session for the second application based on the second login token.
2. The login method according to claim 1, wherein before sending the single sign-on request to the first tenant identity authentication server, the login method further comprises:
responding to the successful login of the first application program, and sending login success information to the first tenant identity authentication server;
receiving a first login token sent by the first tenant identity authentication server, wherein the first login token is used for establishing a session of the first application program;
establishing a session for the first application based on the first login token.
3. A login method of an application program, applied to a first tenant identity authentication server, the login method comprising the following steps:
when a terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, acquiring a single sign-on request sent by the terminal device, wherein the single sign-on request is used for requesting single sign-on of a second application program corresponding to a second tenant identity authentication server;
generating a single-point token in response to the single sign-on request, wherein the single-point token is used for applying for a second login token of the second application program, and the second login token is used for establishing a session of the second application program;
and sending the single-point token to the terminal device.
4. The login method according to claim 3, wherein the single-point token comprises signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and generating the single-point token comprises:
generating signature data of the first tenant identity authentication server by adopting a private key of the first tenant identity authentication server;
and generating verification data of the second tenant identity authentication server by adopting the public key certificate of the second tenant identity authentication server.
5. The login method according to claim 4, wherein before generating the verification data of the second tenant identity authentication server by using the public key certificate of the second tenant identity authentication server, the login method further comprises:
sending cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, wherein the cross-tenant single sign-on configuration information is used for requesting authorization for cross-tenant single sign-on;
receiving authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server;
and acquiring the public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information.
6. A login method according to any one of claims 3 to 5, wherein before the generation of the single point token, the login method further comprises:
under the condition that the first tenant identity authentication server is successfully registered, generating a private key and a public key of the first tenant identity authentication server according to tenant information of a tenant corresponding to the first tenant identity authentication server;
based on the public key, sending an application request of a public key certificate to a digital certificate certification authority;
and acquiring the public key certificate sent by the digital certificate certification authority.
7. A login method of an application program, applied to a second tenant identity authentication server, the login method comprising the following steps:
acquiring a single-point token sent by a terminal device, wherein the single-point token is generated by a first tenant identity authentication server in response to a single sign-on request sent by the terminal device when the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, the single sign-on request is used for requesting single sign-on of a second application program corresponding to the second tenant identity authentication server, the single-point token is used for applying for a second login token of the second application program, and the second login token is used for establishing a session of the second application program;
parsing the single-point token to obtain parsed data of the single-point token;
verifying the single-point token according to the parsed data;
generating the second login token if the single-point token is successfully verified;
and sending the second login token to the terminal device.
8. The login method according to claim 7, wherein the parsed data includes a number of the first tenant identity authentication server, signature data of the first tenant identity authentication server, and verification data of the second tenant identity authentication server, and verifying the single-point token according to the parsed data comprises:
acquiring a public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server;
verifying the signature data by adopting a public key certificate of the first tenant identity authentication server, and determining whether the single-point token is sent by the first tenant identity authentication server;
if the single-point token is sent by the first tenant identity authentication server, decrypting the verification data by using a private key of the second tenant identity authentication server to determine whether the single-point token is sent to the second tenant identity authentication server;
and if the single-point token is sent to the second tenant identity authentication server, the single-point token is successfully verified.
9. The login method according to claim 8, wherein the decrypting the verification data with the private key of the second tenant identity authentication server to determine whether the single point token is sent to the second tenant identity authentication server comprises:
sending cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, wherein the cross-tenant single sign-on configuration information is used for requesting authorization for cross-tenant single sign-on;
and under the condition of receiving the authorization cross-tenant single sign-on information sent by the multi-tenant identity authentication server, decrypting the verification data by adopting a private key of the second tenant identity authentication server, and determining whether the single-point token is sent to the second tenant identity authentication server.
10. The login method according to claim 8 or 9, wherein the parsed data further comprises timestamp data, and verifying the single-point token according to the parsed data comprises:
determining whether the time of currently receiving the single-point token is within a time window allowed by the single-point token according to the timestamp data;
and if the time of currently receiving the single-point token is within the allowed time window of the single-point token, the single-point token is successfully verified.
11. A login device of an application program, applied to a terminal device, the login device comprising:
a first sending module, configured to, when the terminal device has logged in to a first application program corresponding to a first tenant identity authentication server, send a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction directed at a second application program corresponding to a second tenant identity authentication server, wherein the single sign-on request is used for requesting single sign-on of the second application program;
a first receiving module, configured to receive a single-point token sent by the first tenant identity authentication server, where the single-point token is used to apply for a second login token of the second application, and the second login token is used to establish a session of the second application;
a second sending module, configured to send the single-point token to the second tenant identity authentication server;
a second receiving module, configured to receive the second login token sent by the second tenant identity authentication server;
an establishing module for establishing a session of the second application based on the second login token.
12. A login device of an application program, applied to a first tenant identity authentication server, the login device comprising:
a first obtaining module, configured to obtain a single sign-on request sent by a terminal device when the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, wherein the single sign-on request is used for requesting single sign-on of a second application program corresponding to a second tenant identity authentication server;
a first generation module, configured to generate a single-point token in response to the single sign-on request, wherein the single-point token is used for applying for a second login token of the second application program, and the second login token is used for establishing a session of the second application program;
and a third sending module, configured to send the single-point token to the terminal device.
13. An application login device, applied to a second tenant identity authentication server, the application login device comprising:
the single sign-on request being used to request single sign-on to a second application corresponding to the second tenant identity authentication server, the single-point token being used to apply for a second login token of the second application corresponding to the second tenant identity authentication server, and the second login token being used to establish a session of the second application;
a parsing module, configured to parse the single-point token to obtain parsed data of the single-point token;
a verification module, configured to verify the single-point token according to the parsed data;
a second generation module, configured to generate the second login token when the single-point token is verified successfully;
a fourth sending module, configured to send the second login token to the terminal device.
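The three-party exchange described by claims 11 to 13, as an added Python example that is not part of the patent: a terminal already logged in to the first application obtains a single-point token from the first tenant server, relays it to the second tenant server, and receives a second login token. The token format is an assumption (an HMAC-SHA256 tag over a JSON body with a shared key between the two tenant servers), as are the audience, expiry and single-use checks the second server applies; the claims only say the token is parsed and verified.

```python
import base64, hashlib, hmac, json, secrets
# Constructed key shared by the two tenant identity authentication servers
# (assumption: the claims do not say how the second server verifies the token).
SHARED_KEY = b"constructed-demo-key"

def _sign(payload):  # token body + HMAC-SHA256 tag (assumed single-point token format)
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()

class FirstTenantIdP:
    """Claim 12: receives the SSO request and generates the single-point token."""
    def __init__(self, tenant_id, sessions):
        self.tenant_id, self.sessions = tenant_id, sessions  # first-app login token -> user
    def handle_sso_request(self, first_login_token, target_tenant, now):
        user = self.sessions.get(first_login_token)
        if user is None:  # the terminal must already be logged in to the first application
            raise PermissionError("terminal not logged in to first application")
        return _sign({"iss": self.tenant_id, "aud": target_tenant, "sub": user,
                      "jti": secrets.token_hex(8), "exp": now + 60})

class SecondTenantIdP:
    """Claim 13: parses and verifies the single-point token, issues the second login token."""
    def __init__(self, tenant_id):
        self.tenant_id, self.used_jti, self.sessions = tenant_id, set(), {}
    def parse(self, token):  # parsing module: authenticate the tag, then decode the body
        body, tag = token.rsplit(".", 1)
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad signature")
        return json.loads(base64.urlsafe_b64decode(body))
    def verify(self, data, now):  # verification module: audience, expiry, single use
        if data["aud"] != self.tenant_id:
            raise ValueError("token not for this tenant")
        if now >= data["exp"]:
            raise ValueError("expired")
        if data["jti"] in self.used_jti:
            raise ValueError("replayed")
        self.used_jti.add(data["jti"])
    def exchange(self, token, now):  # generation module: mint the second login token
        data = self.parse(token)
        self.verify(data, now)
        second_login_token = secrets.token_hex(16)
        self.sessions[second_login_token] = data["sub"]
        return second_login_token

def terminal_sso(first_idp, second_idp, first_login_token, now):
    """Claim 11: the terminal relays the single-point token and opens the second session."""
    sp_token = first_idp.handle_sso_request(first_login_token, second_idp.tenant_id, now)
    second_login_token = second_idp.exchange(sp_token, now)
    return second_idp.sessions[second_login_token]  # the user the new session belongs to
```

The second server rejects a token issued for a different tenant, an expired token, a replayed token and a token whose tag does not verify, so a single-point token cannot be reused or redirected to another tenant.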
14. A terminal device, comprising:
a processor, a memory, an interactive interface;
the memory being configured to store instructions executable by the processor, and the processor being configured to perform the application login method of claim 1 or 2 by executing the instructions.
15. A server, comprising:
a processor, a memory, an interactive interface;
the memory being configured to store instructions executable by the processor, and the processor being configured to perform the application login method of any one of claims 3 to 10 by executing the instructions.
16. A readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the application login method of any one of claims 1 to 10.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210504335.1A CN114697137B (en) 2022-05-10 2022-05-10 Application program login method, device, equipment and storage medium


Publications (2)

Publication Number Publication Date
CN114697137A true CN114697137A (en) 2022-07-01
CN114697137B CN114697137B (en) 2024-05-10

Family

ID=82145316


Country Status (1)

Country Link
CN (1) CN114697137B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180324172A1 (en) * 2015-02-01 2018-11-08 Mahesh Unnikrishnan Single sign-on for remote applications
CN112685719A (en) * 2020-12-29 2021-04-20 武汉联影医疗科技有限公司 Single sign-on method, device, system, computer equipment and storage medium
CN113010874A (en) * 2021-02-19 2021-06-22 建信金融科技有限责任公司 Login authentication method and device, electronic equipment and computer readable storage medium
CN113132402A (en) * 2021-04-27 2021-07-16 奇安信科技集团股份有限公司 Single sign-on method and system
CN113347163A (en) * 2021-05-20 2021-09-03 远景智能国际私人投资有限公司 Single sign-on method, device, equipment and medium
CN114329538A (en) * 2021-12-24 2022-04-12 深圳前海微众银行股份有限公司 Single sign-on method and device


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
YUAN ZHANG et al.: "PROTECT: Efficient Password-Based Threshold Single-Sign-On Authentication for Mobile Users against Perpetual Leakage", IEEE Transactions on Mobile Computing (Volume: 20, Issue: 6, 01 June 2021), 24 February 2020 (2020-02-24) *
隋荣恒 et al.: "A Single Sign-On System Based on Cryptographic Tokens", Proceedings of the 21st Annual Conference on Computer Engineering and Technology and the 7th Microprocessor Technology Forum, 17 August 2017 (2017-08-17) *

Also Published As

Publication number Publication date
CN114697137B (en) 2024-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant