CN114697137B - Application program login method, device, equipment and storage medium - Google Patents

Info

Publication number: CN114697137B
Authority: CN (China)
Prior art keywords: authentication server, identity authentication, tenant identity, tenant, token
Prior art date:
Legal status: Active
Application number: CN202210504335.1A
Other languages: Chinese (zh)
Other versions: CN114697137A (en)
Inventors: 蔡金培, 陈华海, 闫立志, 林国养, 陈德锋, 吴猛
Current assignee: China Construction Bank Corp
Original assignee: China Construction Bank Corp
Priority date:
Filing date:
Publication date:

Application filed by China Construction Bank Corp
Priority to CN202210504335.1A
Publication of CN114697137A
Application granted
Publication of CN114697137B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Telephonic Communication Services (AREA)

Abstract

This application belongs to the field of data processing and in particular relates to an application program login method, device, equipment and storage medium. The application program login method comprises the following steps: when the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server, in response to a single sign-on instruction of a second application program corresponding to a second tenant identity authentication server, sending a single sign-on request to the first tenant identity authentication server; receiving a single sign-on token sent by the first tenant identity authentication server; sending the single sign-on token to the second tenant identity authentication server; receiving a second login token sent by the second tenant identity authentication server; and establishing a session of the second application program based on the second login token. In this way, single sign-on between application programs corresponding to different tenant identity authentication servers can be achieved.

Description

Application program login method, device, equipment and storage medium
Technical Field
The present application relates to the field of data processing, and in particular to a method, an apparatus, a device and a storage medium for logging in to an application program.
Background
Single sign-on (SSO) means that, among multiple application systems, a user only needs to log in once to access all mutually trusted application systems. At present, single sign-on is achieved through a centralized single sign-on token only between application systems that access the same identity authentication server; for application systems that access different identity authentication servers, single sign-on cannot be achieved.
Therefore, in the related art, a user cannot single sign on to application systems that access different identity authentication servers.
Disclosure of Invention
Embodiments of the present application provide an application program login method, device, equipment and storage medium, which solve the problem in the related art that a user cannot single sign on to application systems that access different identity authentication servers.
In a first aspect, an embodiment of the present application provides an application program login method applied to a terminal device, the method comprising: when the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server, in response to a single sign-on instruction of a second application program corresponding to a second tenant identity authentication server, sending a single sign-on request to the first tenant identity authentication server, where the single sign-on request is used to request single sign-on to the second application program; receiving a single sign-on token sent by the first tenant identity authentication server, where the single sign-on token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program; sending the single sign-on token to the second tenant identity authentication server; receiving the second login token sent by the second tenant identity authentication server; and establishing a session of the second application program based on the second login token.
In one possible implementation, before sending the single sign-on request to the first tenant identity authentication server, the login method further includes: in response to successful login to the first application program, sending login success information to the first tenant identity authentication server; receiving a first login token sent by the first tenant identity authentication server, where the first login token is used to establish a session of the first application program; and establishing a session of the first application program based on the first login token.
In a second aspect, an embodiment of the present application provides an application program login method applied to a first tenant identity authentication server, the method comprising: when the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, acquiring a single sign-on request sent by the terminal device, where the single sign-on request is used to request single sign-on to a second application program corresponding to a second tenant identity authentication server; in response to the single sign-on request, generating a single sign-on token, where the single sign-on token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program; and sending the single sign-on token to the terminal device.
In one possible implementation, the single sign-on token includes signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and generating the single sign-on token includes: generating the signature data of the first tenant identity authentication server using the private key of the first tenant identity authentication server; and generating the verification data of the second tenant identity authentication server using the public key certificate of the second tenant identity authentication server.
In one possible implementation, before generating the verification data of the second tenant identity authentication server using its public key certificate, the login method further includes: sending cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, where the cross-tenant single sign-on configuration information is used to request authorization of cross-tenant single sign-on; receiving authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server; and acquiring the public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information.
In one possible implementation, before generating the single sign-on token, the login method further includes: once the first tenant identity authentication server has been successfully registered, generating a private key and a public key of the first tenant identity authentication server according to the tenant information of the tenant corresponding to the first tenant identity authentication server; sending a public key certificate application request to a digital certificate certification authority based on the public key; and obtaining the public key certificate sent by the digital certificate certification authority.
In a third aspect, an embodiment of the present application provides an application program login method applied to a second tenant identity authentication server, the method comprising: acquiring a single sign-on token sent by a terminal device, where the single sign-on token is generated by a first tenant identity authentication server in response to a single sign-on request sent by the terminal device while the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, the single sign-on request is used to request single sign-on to a second application program corresponding to the second tenant identity authentication server, the single sign-on token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program; parsing the single sign-on token to obtain parsed data of the single sign-on token; verifying the single sign-on token according to the parsed data; generating the second login token when the single sign-on token is verified successfully; and sending the second login token to the terminal device.
In one possible embodiment, the parsed data includes the number of the first tenant identity authentication server, the signature data of the first tenant identity authentication server and the verification data of the second tenant identity authentication server, and verifying the single sign-on token according to the parsed data includes: acquiring the public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server; verifying the signature data using the public key certificate of the first tenant identity authentication server to determine whether the single sign-on token was sent by the first tenant identity authentication server; if the single sign-on token was sent by the first tenant identity authentication server, decrypting the verification data using the private key of the second tenant identity authentication server to determine whether the single sign-on token was sent to the second tenant identity authentication server; and if the single sign-on token was sent to the second tenant identity authentication server, the single sign-on token is verified successfully.
In one possible implementation, decrypting the verification data using the private key of the second tenant identity authentication server to determine whether the single sign-on token was sent to the second tenant identity authentication server includes: sending cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, where the cross-tenant single sign-on configuration information is used to request authorization of cross-tenant single sign-on; and, once authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server has been received, decrypting the verification data using the private key of the second tenant identity authentication server to determine whether the single sign-on token was sent to the second tenant identity authentication server.
In one possible embodiment, the parsed data further includes timestamp data, and verifying the single sign-on token according to the parsed data includes: determining, according to the timestamp data, whether the current time at which the single sign-on token is received falls within the time window allowed by the single sign-on token; if it does, the single sign-on token is verified successfully.
In a fourth aspect, an embodiment of the present application provides an application program login device applied to a terminal device, the device comprising: a first sending module, configured to, when the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server, respond to a single sign-on instruction for a second application program corresponding to a second tenant identity authentication server by sending a single sign-on request to the first tenant identity authentication server, where the single sign-on request is used to request single sign-on to the second application program; a first receiving module, configured to receive a single sign-on token sent by the first tenant identity authentication server, where the single sign-on token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program; a second sending module, configured to send the single sign-on token to the second tenant identity authentication server; a second receiving module, configured to receive the second login token sent by the second tenant identity authentication server; and an establishing module, configured to establish a session of the second application program based on the second login token.
In a fifth aspect, an embodiment of the present application provides an application program login device applied to a first tenant identity authentication server, the device comprising: a first acquisition module, configured to acquire a single sign-on request sent by the terminal device when the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, where the single sign-on request is used to request single sign-on to a second application program corresponding to a second tenant identity authentication server; a first generation module, configured to generate a single sign-on token in response to the single sign-on request, where the single sign-on token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program; and a third sending module, configured to send the single sign-on token to the terminal device.
In a sixth aspect, an embodiment of the present application provides an application program login device applied to a second tenant identity authentication server, the device comprising: a second acquisition module, configured to acquire a single sign-on token sent by the terminal device, where the single sign-on token is generated by a first tenant identity authentication server in response to a single sign-on request sent by the terminal device while the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, the single sign-on request is used to request single sign-on to a second application program corresponding to the second tenant identity authentication server, the single sign-on token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program; a parsing module, configured to parse the single sign-on token to obtain parsed data of the single sign-on token; a verification module, configured to verify the single sign-on token according to the parsed data; a second generation module, configured to generate the second login token when the single sign-on token is verified successfully; and a fourth sending module, configured to send the second login token to the terminal device.
In a seventh aspect, an embodiment of the present application provides a terminal device comprising a processor, a memory and an interactive interface; the memory stores executable instructions, and the processor is configured to perform the application program login method of the first aspect by executing those instructions.
In an eighth aspect, an embodiment of the present application provides a server comprising a processor, a memory and an interactive interface; the memory stores executable instructions, and the processor is configured to perform the application program login method of the second or third aspect by executing those instructions.
In a ninth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the application program login method of any one of the first to third aspects.
In a tenth aspect, an embodiment of the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the application program login method of any one of the first to third aspects.
With the application program login method, device, equipment and storage medium of the present application, when the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server and a session with a second application program corresponding to a second tenant identity authentication server needs to be established, the terminal device can respond to a single sign-on instruction of the second application program by sending a single sign-on request to the first tenant identity authentication server. The first tenant identity authentication server responds to the request by generating a single sign-on token and sending it to the terminal device; the terminal device forwards the single sign-on token to the second tenant identity authentication server; the second tenant identity authentication server verifies the single sign-on token and, if verification succeeds, generates a login token for establishing the session of the second application program; and after obtaining that login token, the terminal device establishes the session with the second application program through it. The user therefore needs to log in on the terminal device only once.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the related art more clearly, the drawings needed for the embodiments or the related-art descriptions are briefly described below. Obviously, the drawings in the following description show some embodiments of the present application, and those skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a login system of an application according to an embodiment of the present application;
FIG. 2 is a flowchart of a first embodiment of a login method of an application according to an embodiment of the present application;
FIG. 3 is a flowchart of a second embodiment of a login method of an application according to an embodiment of the present application;
Fig. 4 is a flowchart of a third embodiment of a login method of an application program according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a first embodiment of a login device for an application according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a second embodiment of a login device for an application program according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a third embodiment of a login device for an application according to the embodiment of the present application;
Fig. 8 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which are made by a person skilled in the art based on the embodiments of the application in light of the present disclosure, are intended to be within the scope of the application.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The terms used in the present application are explained first.
User: the natural person who logs in to a particular application program.
Tenant: an organization or similar entity; a tenant may include multiple users.
Multi-tenant identity authentication server: the identity authentication server defined in this application, which externally presents as a multi-tenant identity authentication service provided as SaaS and supports multi-tenant user management, identity authentication and single sign-on.
Tenant identity authentication server: the identity authentication server of a specific tenant, comprising the corresponding modules and interfaces for user management, identity authentication and single sign-on. Each tenant has its own independent identity authentication server, but the identity authentication servers of different tenants may be created from a unified standard template.
Cross-tenant single sign-on: a logged-in application program can jump by single sign-on to application programs of tenant identity authentication servers that have different identity authentication services and user name/password stores, without the user re-entering a user name and password.
Certificate authority (CA): the authority that issues digital certificates, also called a digital certificate certification authority. It is responsible for issuing and managing digital certificates and serves as a trusted third party in electronic commerce transactions, taking responsibility for verifying the legitimacy of public keys in the public key system.
The related art described in the background has at least the following technical problems:
At present, because a centralized identity authentication server is deployed centrally, user information, user passwords, login tokens and single sign-on tokens are managed in a unified way and all accessed application programs share one set of services, which makes it difficult to support the requirement of a multi-tenant scenario that each tenant independently manages its own user information and password information. In addition, when implementing single sign-on, a user can achieve single sign-on through a centralized single sign-on token only between application systems that access the same identity authentication server; for application systems that access different identity authentication servers, single sign-on cannot be achieved. Therefore, in the related art, a user cannot single sign on to application systems that access different identity authentication servers.
In view of the above problems, the present application provides an application program login method in which a first application program accesses a first tenant identity authentication server and a second application program accesses a second tenant identity authentication server. After the first application program has logged in successfully, the terminal device may respond to a single sign-on instruction of the second application program by sending a single sign-on request to the first tenant identity authentication server. The first tenant identity authentication server generates a single sign-on token, and the terminal device forwards it to the second tenant identity authentication server. The second tenant identity authentication server verifies the single sign-on token; if verification succeeds, it may generate a login token for establishing a session of the second application program and send the login token to the terminal device. After obtaining the login token, the terminal device may establish a session with the second application program through it. Thus the user logs in to the first application program only once, and cross-tenant single sign-on of application programs is achieved.
In one embodiment, the application program login method may be applied in the following application scenario. Fig. 1 is a schematic structural diagram of an application program login system according to an embodiment of the present application. As shown in Fig. 1, in this scenario the application program login system may include an access service, a first tenant identity authentication server, a second tenant identity authentication server, a third tenant identity authentication server, and a multi-tenant identity authentication server.
In the above scenario, the multiple application programs in Fig. 1 are shown as application 1 to application 6: application 1 and application 2 access the first tenant identity authentication server through the access service, application 3 and application 4 access the second tenant identity authentication server through the access service, and application 5 and application 6 access the third tenant identity authentication server through the access service. Each tenant identity authentication server may include a user management module, a single sign-on service and an identity authentication module, where the user management module manages the users of the tenant, the single sign-on service implements single sign-on, and the identity authentication module authenticates the identities of users and application programs.
In the above scenario, the multi-tenant identity authentication server may further include a tenant management module, a single sign-on service and a certificate authority, where the tenant management module manages the multiple tenant identity authentication servers, the single sign-on service implements single sign-on within or across tenants, and the certificate authority issues and manages digital certificates.
In combination with the above scenario, the technical solution of the application program login method provided by the present application is described in detail below through several specific embodiments.
Fig. 2 is a flowchart of embodiment one of the application program login method provided in an embodiment of the present application. As shown in Fig. 2, the method is applied to a terminal device and includes the following steps:
S201: when the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server, in response to a single sign-on instruction of a second application program corresponding to a second tenant identity authentication server, send a single sign-on request to the first tenant identity authentication server.
In this step, the single sign-on request is used to request single sign-on to the second application program.
In this scheme, a user of the tenant corresponding to the first tenant identity authentication server can log in to the first application program on the terminal device with a user name and password. After the first application program has logged in successfully, if the user wants to log in to the second application program, the user does not need to enter the user name and password again; instead, a single sign-on instruction can be issued through the second application program, and after responding to that single sign-on instruction for the second application program, the terminal device sends a single sign-on request to the first tenant identity authentication server to request single sign-on to the second application program.
In the above scheme, an application program may also be called a tenant application; one tenant identity authentication server can be accessed by multiple application programs and supports their login and single sign-on.
In the above scheme, the first tenant identity authentication server and the second tenant identity authentication server may be established according to a unified specification.
S202: receive the single sign-on token sent by the first tenant identity authentication server.
In this step, the single sign-on token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program.
In the above scheme, after the first tenant identity authentication server receives the single sign-on request sent by the terminal device, it may respond to the request by generating a single sign-on token and sending it to the terminal device. The second application program on the terminal device can intercept and obtain the single sign-on token.
In the above scheme, the first tenant identity authentication server may encrypt the generated single sign-on token using the public key certificate of the second tenant identity authentication server, the encrypted single sign-on token having a predefined format, and then send the encrypted single sign-on token to the terminal device.
In the scheme, the single point token is effective in a shorter time window, and the single point token contains all information required by single point login, such as plaintext data, source tenant signature data, target tenant verification data and the like; the second login token can be a token acquired from the second tenant identity authentication server after the user logs in the second application program, and has long timeliness and is used for maintaining the session and the like on the second application program.
S203: Send the single point token to the second tenant identity authentication server.
In this step, after receiving the single point token sent by the first tenant identity authentication server, the terminal device may forward it to the second tenant identity authentication server.
In the above scheme, after receiving the single point token, the second tenant identity authentication server may decrypt it using its own private key and then verify it. If the verification succeeds, the second tenant identity authentication server may generate a second login token and send it to the terminal device.
S204: Receive the second login token sent by the second tenant identity authentication server.
S205: Establish a session of the second application program based on the second login token.
In this step, after receiving the second login token sent by the second tenant identity authentication server, the terminal device may store the second login token in the second application program and use it to establish the user's session on the second application program.
In the application program login method provided in this embodiment, when the terminal device has already logged in to the first application program corresponding to the first tenant identity authentication server and a session on the second application program corresponding to the second tenant identity authentication server needs to be established, the terminal device responds to the single sign-on instruction of the second application program by sending a single sign-on request to the first tenant identity authentication server; it then receives the single point token sent by the first tenant identity authentication server and forwards it to the second tenant identity authentication server for verification; finally it receives the second login token sent by the second tenant identity authentication server and establishes the session on the second application program with that token. The user therefore logs in to the first application program only once and obtains single sign-on to the second, cross-tenant application program, whose session is thereby established.
In one embodiment, before the single sign-on request is sent to the first tenant identity authentication server, the login method further includes: in response to successful login of the first application program, sending login success information to the first tenant identity authentication server; receiving a first login token sent by the first tenant identity authentication server, where the first login token is used to establish a session of the first application program; and establishing the session of the first application program based on the first login token.
In this scheme, after the user has logged in to the first application program with a user name and password, the terminal device can send login success information to the first tenant identity authentication server to inform it that the first application program has been logged in successfully. Once the first tenant identity authentication server determines that the login succeeded, it can generate a first login token and send it to the terminal device, and the terminal device, on receiving the first login token, can establish the user's session on the first application program with it.
Fig. 3 is a flowchart of a second embodiment of an application program login method provided in an embodiment of the present application. As shown in fig. 3, the method is applied to a first tenant identity authentication server and includes the following steps:
S301: When the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, obtain a single sign-on request sent by the terminal device.
In this step, the single sign-on request is used to request single sign-on to a second application program corresponding to a second tenant identity authentication server.
In the above scheme, a user of the tenant corresponding to the first tenant identity authentication server can log in to the first application program on the terminal device with a user name and password. After the first application program has been logged in successfully, if the user wants to log in to the second application program, the user does not need to enter the user name and password again; instead, a single sign-on instruction can be issued through the second application program, and in response to that instruction the terminal device sends a single sign-on request to the first tenant identity authentication server to request single sign-on to the second application program.
S302: in response to the single sign-on request, a single point token is generated.
In this step, the single point token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program.
In the above scheme, after receiving the single sign-on request sent by the terminal device, the first tenant identity authentication server determines that the user wants to establish a session on the second application program, so it may generate a single point token with which to apply to the second tenant identity authentication server for the second login token.
S303: Send the single point token to the terminal device.
In this step, after the first tenant identity authentication server generates the single point token, it may encrypt the token using the public key certificate of the second tenant identity authentication server; the encrypted single point token has a predefined format and may then be sent to the terminal device.
In this scheme, a single point token with a predefined format makes data processing between different tenant identity authentication servers simpler and more convenient.
In the application program login method provided in this embodiment, when the terminal device has already logged in to the first application program corresponding to the first tenant identity authentication server and a session on the second application program corresponding to the second tenant identity authentication server needs to be established, the terminal device responds to the single sign-on instruction of the second application program by sending a single sign-on request to the first tenant identity authentication server; it then receives the single point token sent by the first tenant identity authentication server and forwards it to the second tenant identity authentication server for verification; finally it receives the second login token sent by the second tenant identity authentication server and establishes the session on the second application program with that token. The user therefore logs in to the first application program only once and obtains single sign-on to the second, cross-tenant application program, whose session is thereby established.
In one embodiment, the single point token includes signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and generating the single point token includes: generating the signature data of the first tenant identity authentication server using the private key of the first tenant identity authentication server; and generating the verification data of the second tenant identity authentication server using the public key certificate of the second tenant identity authentication server.
In this scheme, the single point token is sent by the first tenant identity authentication server, so the first tenant identity authentication server may be a source tenant identity authentication server of the single point token, and the single point token needs to be sent to the second tenant identity authentication server, so the second tenant identity authentication server may be a target tenant identity authentication server of the single point token.
In the above scheme, since the single point token includes the signature data of the first tenant identity authentication server and the verification data of the second tenant identity authentication server, when the first tenant identity authentication server generates the single point token it can use its own private key to generate its signature data and the public key certificate of the second tenant identity authentication server to generate the verification data of the second tenant identity authentication server.
In the above scheme, besides the signature data of the first tenant identity authentication server and the verification data of the second tenant identity authentication server, the single point token includes plaintext data, and the plaintext data includes the ID of the source tenant identity authentication server, the ID of the target tenant identity authentication server, a source user ID, a random string and timestamp data. The ID of the source tenant identity authentication server may be the source tenant's identification information, for example AA; the ID of the target tenant identity authentication server may be information identifying the target tenant, for example BB; the source user ID may be the ID, in the source tenant identity authentication server, of the user requesting single sign-on, and is generally relatively fixed information such as the user's account name or mobile phone number; the random string may be a random string with a length of 32 bits and serves to make different single point tokens differ from one another; the timestamp data may be the time at which the first tenant identity authentication server generated the single point token, with year, month, day, hour, minute and second, for example 20211215120530. The timestamp data may be used to determine the validity period of the single point token; for example, the allowed validity window is generally less than 5 seconds from the timestamp, so the timestamp data limits the single point token to being usable only for a short time.
In the above scheme, the single point token may further include digest data, where the digest data is the result of hashing the plaintext data with a specified digest algorithm and is only intermediate data.
In the above scheme, the signature data of the first tenant identity authentication server may be the data obtained by digitally signing the digest data at the first tenant identity authentication server with its private key (that is, the data obtained by encrypting the digest data with the private key of the first tenant identity authentication server). The signature data of the first tenant identity authentication server ensures that the single point token was generated by the first tenant identity authentication server, thereby confirming that the first tenant identity authentication server authorizes the single sign-on operation, and that the single point token data has not been tampered with.
In the above scheme, the verification data of the second tenant identity authentication server may be the data obtained at the first tenant identity authentication server by encrypting the digest data with the public key certificate of the second tenant identity authentication server, and it supports the second tenant identity authentication server in verifying the single sign-on. The verification data can be decrypted and verified only by the second tenant identity authentication server, using its own private key, which confirms that the second tenant identity authentication server is the genuine target permitted by the single point token.
In the above scheme, the first tenant identity authentication server may generate the plaintext data at the same time as it generates its own signature data and the verification data of the second tenant identity authentication server, thereby obtaining the single point token, which it encrypts with the public key certificate of the second tenant identity authentication server before sending it to the terminal device.
In one embodiment, the login method further includes, before generating verification data of the second tenant identity authentication server by using a public key certificate of the second tenant identity authentication server: transmitting cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, wherein the cross-tenant single sign-on configuration information is used for requesting authorization of cross-tenant single sign-on; receiving authorized cross-tenant single sign-on information sent by a multi-tenant identity authentication server; and acquiring a public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information.
In this scheme, before the first tenant identity authentication server uses the public key certificate of the second tenant identity authentication server to generate the verification data of the second tenant identity authentication server, it obtains that public key certificate on condition that the multi-tenant identity authentication server has authorized single sign-on, so that cross-tenant single sign-on to the second application program can be realized. To this end, the first tenant identity authentication server may submit cross-tenant single sign-on configuration information to the multi-tenant identity authentication server so that the multi-tenant identity authentication server can decide whether to authorize cross-tenant single sign-on. After the multi-tenant identity authentication server has authorized cross-tenant single sign-on, the public key certificate of the second tenant identity authentication server issued by the CA can be obtained.
In the above scheme, other tenant identity authentication servers established according to the unified specification can also acquire the public key certificate through the CA.
In the above scheme, the multi-tenant identity authentication server may receive public key certificates of other tenant identity authentication servers authorized to perform single sign-on across tenants, and may update the public key certificates periodically.
In the above scheme, the multi-tenant identity authentication server logically includes the identity authentication services of a plurality of tenant identity authentication servers (which may be regarded as sub-tenant identity authentication servers of the multi-tenant identity authentication server), together with a public access service, a public single sign-on service, a CA module and the like. When a new tenant applies for identity authentication service, independent application programs and data services can be created from a unified standard template image.
In this scheme, the application services and application data (user data, password data, single point token data and the like) of different tenant identity authentication servers are independent and isolated from one another; they cannot be accessed directly, but only through a public interface.
In one embodiment, before the single point token is generated, the login method further includes: when the first tenant identity authentication server has been registered successfully, generating the private key and public key of the first tenant identity authentication server according to the tenant information of the tenant corresponding to the first tenant identity authentication server; sending an application request for a public key certificate to a digital certificate authority based on the public key; and obtaining the public key certificate sent by the digital certificate authority.
In this scheme, the first tenant identity authentication server needs to have been registered successfully before it generates the single point token. It can then generate its private key and public key (a public/private key pair) according to the tenant information; the private key is kept by the first tenant identity authentication server itself, and the public key is used to generate a P10 certificate request, which can contain the tenant ID information. The first tenant identity authentication server can submit the P10 certificate request to the CA and to the multi-tenant identity authentication server; the multi-tenant identity authentication server manually reviews and approves the P10 certificate request and, once it passes, calls the CA to issue the public key certificate of the first tenant identity authentication server. The first tenant identity authentication server then receives the public key certificate issued by the CA.
In the above scheme, the first tenant identity authentication server may further download the public key certificates of other connected tenant identity authentication servers built according to the unified specification.
In the above scheme, similarly, the private key, the public key and the public key certificate of the second tenant identity authentication server can also be obtained in this way.
Fig. 4 is a flowchart of a third embodiment of an application program login method provided in an embodiment of the present application. As shown in fig. 4, the method is applied to a second tenant identity authentication server and includes the following steps:
S401: Obtain the single point token sent by the terminal device.
In this step, the single point token is generated by the first tenant identity authentication server in response to a single sign-on request sent by the terminal device when the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server; the single sign-on request is used to request single sign-on to a second application program corresponding to the second tenant identity authentication server; the single point token is used to apply for a second login token of the second application program corresponding to the second tenant identity authentication server; and the second login token is used to establish a session of the second application program.
In the above scheme, after the first tenant identity authentication server generates the single point token, the single point token is sent to the terminal device, and after receiving the single point token sent by the first tenant identity authentication server, the terminal device forwards the single point token to the second tenant identity authentication server.
S402: Parse the single point token to obtain parsed data of the single point token.
In this step, the single point token is sent by the first tenant identity authentication server, so the first tenant identity authentication server may be a source tenant identity authentication server of the single point token, and the single point token needs to be sent to the second tenant identity authentication server, so the second tenant identity authentication server may be a target tenant identity authentication server of the single point token.
In the above scheme, since the first tenant identity authentication server encrypts the single point token with the public key certificate of the second tenant identity authentication server after generating it, the second tenant identity authentication server can decrypt the single point token with its own private key after receiving it, thereby obtaining the parsed data. The parsed data, that is, the pieces of data obtained by decrypting the single point token, may include: the plaintext data (ID of the source tenant identity authentication server, ID of the target tenant identity authentication server, source user ID, random string and timestamp data), the signature data of the first tenant identity authentication server, and the verification data of the second tenant identity authentication server.
S403: Verify the single point token according to the parsed data.
In this step, after the parsed data is obtained, each piece of data in it may be verified separately, thereby verifying the single point token.
If every piece of data in the parsed data is verified successfully, the single point token is determined to have been verified successfully; if any piece of data in the parsed data fails verification, the single point token is determined to have failed verification.
S404: Generate a second login token when the single point token is verified successfully.
In this step, once the single point token has been verified successfully, the second tenant identity authentication server determines that the user needs to log in to the second application program, so it may generate a second login token to allow a session on the second application program to be established.
S405: Send the second login token to the terminal device.
In the application program login method provided in this embodiment, when the terminal device has already logged in to the first application program corresponding to the first tenant identity authentication server and a session on the second application program corresponding to the second tenant identity authentication server needs to be established, the terminal device responds to the single sign-on instruction of the second application program by sending a single sign-on request to the first tenant identity authentication server; it then receives the single point token sent by the first tenant identity authentication server and forwards it to the second tenant identity authentication server for verification; finally it receives the second login token sent by the second tenant identity authentication server and establishes the session on the second application program with that token. The user therefore logs in to the first application program only once and obtains single sign-on to the second, cross-tenant application program, whose session is thereby established.
In one embodiment, the parsed data includes the number (ID) of the first tenant identity authentication server, the signature data of the first tenant identity authentication server and the verification data of the second tenant identity authentication server, and verifying the single point token according to the parsed data includes: obtaining the public key certificate of the first tenant identity authentication server according to its number; verifying the signature data with the public key certificate of the first tenant identity authentication server to determine whether the single point token was sent by the first tenant identity authentication server; if the single point token was sent by the first tenant identity authentication server, decrypting the verification data with the private key of the second tenant identity authentication server to determine whether the single point token was sent to the second tenant identity authentication server; and if the single point token was sent to the second tenant identity authentication server, the single point token is verified successfully.
In this scheme, when the second tenant identity authentication server verifies the single point token according to the parsed data, it can first check the ID of the source tenant identity authentication server in the parsed data, that is, the ID of the first tenant identity authentication server, and look up the public key certificate of the first tenant identity authentication server; it then verifies the signature data of the first tenant identity authentication server with that public key certificate and confirms whether the source of the single point token is the first tenant identity authentication server; if it is, the second tenant identity authentication server decrypts the verification data of the second tenant identity authentication server with its own private key and confirms whether the target of the single point token is the second tenant identity authentication server; if it is, the single point token is determined to have been verified successfully.
In the above scheme, after it is determined that the target of the single point token is the second tenant identity authentication server, whether the source user ID in the parsed data exists may further be checked; if the source user ID does not exist, the user may be prompted to register as a new user.
In the above scheme, whether the single point token was issued to the second tenant identity authentication server may also be determined by checking the ID of the target tenant identity authentication server in the parsed data.
In the above scheme, when the second tenant identity authentication server looks up the public key certificate of the first tenant identity authentication server and finds it missing, the certificate needs to be downloaded.
In one embodiment, decrypting the verification data with the private key of the second tenant identity authentication server to determine whether the single point token was sent to the second tenant identity authentication server includes: sending cross-tenant single sign-on configuration information to the multi-tenant identity authentication server, where the cross-tenant single sign-on configuration information is used to request authorization of cross-tenant single sign-on; and, when authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server is received, decrypting the verification data with the private key of the second tenant identity authentication server to determine whether the single point token was sent to the second tenant identity authentication server.
In this scheme, since the target tenant identity authentication server differs from the source tenant identity authentication server, the target tenant identity authentication server needs to send cross-tenant single sign-on configuration information to the multi-tenant identity authentication server to confirm whether the multi-tenant identity authentication server allows cross-tenant single sign-on to be authorized; if allowed, the single sign-on can continue, and if not, it is refused. If the multi-tenant identity authentication server allows cross-tenant single sign-on to be authorized, the second tenant identity authentication server may decrypt the verification data with its own private key to determine whether the single point token was sent to the second tenant identity authentication server.
In one embodiment, the parsed data further includes timestamp data, and verifying the single point token according to the parsed data includes: determining from the timestamp data whether the current time at which the single point token is received lies within the time window allowed for the single point token; and if it does, the single point token is verified successfully.
In this scheme, the timestamp data may be the time at which the first tenant identity authentication server generated the single point token, with year, month, day, hour, minute and second; the timestamp data may be used to determine the validity period of the single point token, for example the allowed validity window is generally within 5 seconds of the timestamp, so the timestamp data limits the single point token to being usable only for a short time.
In the above scheme, the second tenant identity authentication server may check the timestamp data in the parsed data and determine whether the time at which it received the single point token lies within the validity window allowed by the timestamp data; if it does, the single point token is verified successfully, and if it does not, the single point token fails verification, which improves the success rate of single sign-on to cross-tenant application programs.
In one embodiment, the technical scheme provided by the application can realize not only single sign-on of application programs across tenants but also single sign-on of application programs within a single tenant.
In this scenario, different application programs under the same first tenant identity authentication server are taken as the example (they are called the third application program and the fourth application program here to distinguish them from the cross-tenant single sign-on embodiment described above).
In the above scheme, the user logs in to the third application program with a user name and password. After successful login, the terminal device acquires the login token of the third application program sent by the first tenant identity authentication server and establishes the user's session on the third application program. If the user then wants to log in to the fourth application program, the user issues a single sign-on instruction through the fourth application program, and the terminal device, in response to that instruction, sends a single sign-on request to the first tenant identity authentication server. The first tenant identity authentication server generates a single point token in response to the single sign-on request (the method for generating the single point token may refer to the corresponding method in the cross-tenant single sign-on embodiment) and sends the single point token to the terminal device. After the terminal device receives the single point token, the fourth application program intercepts it and sends it to the first tenant identity authentication server for verification (the method by which the first tenant identity authentication server verifies the single point token may likewise refer to the corresponding method in the cross-tenant single sign-on embodiment). After the single point token is successfully verified, the first tenant identity authentication server generates a login token for the fourth application program and sends it to the terminal device. After receiving the login token of the fourth application program, the terminal device may establish a session with the fourth application program using that login token.
The login method of the application program provided by this embodiment, based on digital certificates, a predefined login token encrypted with a digital certificate, a single point token and the like, realizes single sign-on of application programs between different tenant identity authentication servers while those servers remain isolated from one another, thereby supporting quick single sign-on of cross-tenant application programs. The single sign-on verification mechanism based on digital certificates also ensures the security of the single sign-on process. In addition, generation and verification of the single point token do not depend on persisting the token data: the single point token carries the necessary information, such as the source tenant identity authentication server ID, the target tenant identity authentication server ID, the source user ID and timestamp data, and can be stored locally, which reduces the online verification services required for single sign-on. Furthermore, in the multi-tenant scenario the tenants corresponding to the individual tenant identity authentication servers remain independent, so the user information, user passwords and the like managed independently by each tenant identity authentication server are retained and personal data security is ensured. Finally, the mechanism for single sign-on with the application programs of other tenant identity authentication servers supports quick creation of new users and quick single sign-on to the application programs of those other tenant identity authentication servers, and can also enable rapid promotion of services.
In general, the technical scheme provided by the application can realize both single sign-on of application programs within a tenant and single sign-on of application programs across tenants.
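The token construction and the verification order described above (signature data made with the first tenant's private key, verification data made for the second tenant's public key certificate, certificate lookup by tenant number, then the timestamp window), as an added Go example that is not part of the patent. It assumes Ed25519 for the signature and RSA-OAEP for the verification data, an in-memory map in place of the certificate authority, and constructed field names and tenant IDs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// tokenBody holds the fields the text lists for the single point token. The JSON
// field names are constructed for this example; the patent fixes no wire format.
type tokenBody struct {
	SourceTenantID string `json:"src_tenant"` // number of the first tenant identity authentication server
	TargetTenantID string `json:"dst_tenant"` // number of the second tenant identity authentication server
	SourceUserID   string `json:"src_user"`
	Timestamp      int64  `json:"ts"` // Unix seconds at which the token was generated
}

// singlePointToken adds the two cryptographic fields the text describes.
type singlePointToken struct {
	Body         tokenBody
	Signature    []byte // Ed25519 by the source tenant over body || verification
	Verification []byte // RSA-OAEP under the target tenant's public key of SHA-256(body)
}

// tenant models one tenant identity authentication server's private key material.
type tenant struct {
	ID       string
	signPriv ed25519.PrivateKey
	encPriv  *rsa.PrivateKey
}

// pubKeys is what a tenant's certificate carries; directory stands in for the certificate
// lookup by tenant number (a deployment validates a CA-issued certificate here instead).
type pubKeys struct {
	Sign ed25519.PublicKey
	Enc  *rsa.PublicKey
}
type directory map[string]pubKeys

// tokenWindow is the 5-second validity window given as the example in the text.
const tokenWindow = 5 * time.Second

func newTenant(id string) (*tenant, error) {
	_, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &tenant{ID: id, signPriv: sk, encPriv: rk}, nil
}

func (t *tenant) public() pubKeys {
	return pubKeys{Sign: t.signPriv.Public().(ed25519.PublicKey), Enc: &t.encPriv.PublicKey}
}

// issueToken is the first tenant server's step: sign with its own private key and
// produce verification data that only the target tenant's private key can open.
func (t *tenant) issueToken(dst pubKeys, dstID, userID string, now time.Time) (*singlePointToken, error) {
	body := tokenBody{SourceTenantID: t.ID, TargetTenantID: dstID, SourceUserID: userID, Timestamp: now.Unix()}
	raw, _ := json.Marshal(body) // cannot fail for this plain struct; Go's fixed field order makes it canonical
	digest := sha256.Sum256(raw)
	verification, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dst.Enc, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// The signature also covers the verification data, so the two fields cannot be mixed and matched.
	sig := ed25519.Sign(t.signPriv, append(raw, verification...))
	return &singlePointToken{Body: body, Signature: sig, Verification: verification}, nil
}

// verifyToken is the second tenant server's step, in the order the text gives: look up
// the source certificate by tenant number, check the signature, decrypt the verification
// data to confirm the token was addressed here, then enforce the timestamp window.
func (t *tenant) verifyToken(tok *singlePointToken, dir directory, now time.Time) error {
	src, ok := dir[tok.Body.SourceTenantID]
	if !ok {
		return errors.New("unknown source tenant number")
	}
	raw, _ := json.Marshal(tok.Body)
	digest := sha256.Sum256(raw)
	if !ed25519.Verify(src.Sign, append(raw, tok.Verification...), tok.Signature) {
		return errors.New("signature data was not produced by the source tenant")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, t.encPriv, tok.Verification, nil)
	if err != nil || !bytes.Equal(plain, digest[:]) || tok.Body.TargetTenantID != t.ID {
		return errors.New("token was not issued to this tenant")
	}
	// Strict window: a token dated in the future or older than tokenWindow is rejected.
	if age := now.Sub(time.Unix(tok.Body.Timestamp, 0)); age < 0 || age > tokenWindow {
		return errors.New("token outside its validity window")
	}
	return nil
}
```

A third tenant holding a valid certificate still cannot accept the token, because the verification data only decrypts under the addressed tenant's private key.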
The embodiment of the application also provides a login device of the application program, which is applied to the terminal equipment. Fig. 5 is a schematic structural diagram of a first embodiment of an application login device according to an embodiment of the present application, and as shown in fig. 5, an application login device 500 includes:
a first sending module 501, configured to, when the terminal device has logged in to a first application program corresponding to a first tenant identity authentication server, send a single sign-on request to the first tenant identity authentication server in response to a single sign-on instruction for a second application program corresponding to a second tenant identity authentication server, where the single sign-on request is used to request single sign-on to the second application program;
a first receiving module 502, configured to receive a single point token sent by the first tenant identity authentication server, where the single point token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program;
a second sending module 503, configured to send the single point token to the second tenant identity authentication server;
a second receiving module 504, configured to receive the second login token sent by the second tenant identity authentication server;
an establishment module 505, configured to establish a session of the second application program based on the second login token.
Optionally, the login device 500 of the application program further comprises a first processing module (not shown), which is specifically configured to: before the single sign-on request is sent to the first tenant identity authentication server, in response to successful login of the first application program, send login success information to the first tenant identity authentication server; receive a first login token sent by the first tenant identity authentication server, where the first login token is used to establish a session of the first application program; and establish a session of the first application program based on the first login token.
The login device for an application program provided in this embodiment is configured to execute the technical scheme of the login method for an application program applied to a terminal device in the foregoing method embodiment, and its implementation principle and technical effects are similar, and are not described herein again.
The embodiment of the application also provides a login device of the application program, which is applied to the first tenant identity authentication server. Fig. 6 is a schematic structural diagram of a second embodiment of an application login device according to an embodiment of the present application, and as shown in fig. 6, an application login device 600 includes:
a first obtaining module 601, configured to obtain a single sign-on request sent by a terminal device, where the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, and the single sign-on request is used to request single sign-on to a second application program corresponding to a second tenant identity authentication server;
a first generation module 602, configured to generate a single point token in response to the single sign-on request, where the single point token is used to apply for a second login token of the second application program, and the second login token is used to establish a session of the second application program;
a third sending module 603, configured to send the single point token to the terminal device.
Optionally, the single point token includes signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and the first generation module 602 is further specifically configured to: generate the signature data of the first tenant identity authentication server with the private key of the first tenant identity authentication server; and generate the verification data of the second tenant identity authentication server with the public key certificate of the second tenant identity authentication server.
Optionally, the login device 600 of the application program further comprises a second processing module (not shown), which is specifically configured to: before the verification data of the second tenant identity authentication server is generated with the public key certificate of the second tenant identity authentication server, transmit cross-tenant single sign-on configuration information to the multi-tenant identity authentication server, where the cross-tenant single sign-on configuration information is used to request authorization of cross-tenant single sign-on; receive authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server; and acquire the public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information.
Optionally, the login device 600 of the application program further comprises a third processing module (not shown), which is specifically configured to: when the first tenant identity authentication server has been successfully registered, generate a private key and a public key of the first tenant identity authentication server according to the tenant information of the tenant corresponding to the first tenant identity authentication server; based on the public key, send a public key certificate application request to a digital certificate certification authority; and obtain the public key certificate sent by the digital certificate certification authority.
The login device for an application program provided in this embodiment is configured to execute the technical scheme of the login method for an application program applied to the first tenant identity authentication server in the foregoing method embodiment, and its implementation principle and technical effects are similar and are not described herein again.
The embodiment of the application also provides a login device of the application program, which is applied to the second tenant identity authentication server. Fig. 7 is a schematic structural diagram of a third embodiment of an application login device according to an embodiment of the present application, and as shown in fig. 7, an application login device 700 includes:
a second obtaining module 701, configured to obtain a single point token sent by the terminal device, where the single point token is generated by the first tenant identity authentication server in response to a single sign-on request sent by the terminal device when the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, the single sign-on request is used to request single sign-on to a second application program corresponding to the second tenant identity authentication server, the single point token is used to apply for a second login token of the second application program corresponding to the second tenant identity authentication server, and the second login token is used to establish a session of the second application program;
a parsing module 702, configured to parse the single point token to obtain parsed data of the single point token;
a verification module 703, configured to verify the single point token according to the parsed data;
a second generating module 704, configured to generate the second login token if the single point token is successfully verified;
a fourth sending module 705, configured to send the second login token to the terminal device.
Optionally, the parsed data includes a number of the first tenant identity authentication server, signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and the verification module 703 is specifically configured to: acquire a public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server; verify the signature data with the public key certificate of the first tenant identity authentication server and determine whether the single point token was sent by the first tenant identity authentication server; if the single point token was sent by the first tenant identity authentication server, decrypt the verification data with the private key of the second tenant identity authentication server and determine whether the single point token was sent to the second tenant identity authentication server; and if the single point token was sent to the second tenant identity authentication server, treat the single point token as successfully verified.
Optionally, when decrypting the verification data with the private key of the second tenant identity authentication server, the verification module 703 is further specifically configured to: transmit cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, where the cross-tenant single sign-on configuration information is used to request authorization of cross-tenant single sign-on; and, once authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server has been received, decrypt the verification data with the private key of the second tenant identity authentication server and determine whether the single point token was sent to the second tenant identity authentication server.
Optionally, the parsed data further includes timestamp data, and the verification module 703 is further specifically configured to: determine, according to the timestamp data, whether the current time at which the single point token is received lies within the time window allowed for the single point token; if it does, the single point token is successfully verified.
The login device for an application program provided in this embodiment is configured to execute the technical scheme of the login method for an application program applied to a second tenant identity authentication server in the foregoing method embodiment, and its implementation principle and technical effects are similar and are not described herein again.
The embodiment of the present application further provides a terminal device. Fig. 8 is a schematic structural diagram of a terminal device provided in the embodiment of the present application; as shown in fig. 8, the terminal device 800 includes:
a processor 811, a memory 812 and an interaction interface 813;
the memory 812 is configured to store executable instructions executable by the processor 811, and the processor 811 is configured to execute, by running the executable instructions, the technical solution of the login method of the application program applied to the terminal device provided in the foregoing method embodiment.
In the above terminal device, the memory 812, the processor 811 and the interaction interface 813 are electrically connected directly or indirectly to enable transmission or interaction of data. For example, the elements may be electrically connected to each other via one or more communication buses or signal lines, such as through a bus connection. The memory 812 stores therein computer-executable instructions for implementing a login method for application programs applied to the terminal device, including at least one software function module which may be stored in the memory in the form of software or firmware, and the processor 811 performs various function applications and data processing by running the software programs and modules stored in the memory 812.
The embodiment of the present application further provides a server, and fig. 9 is a schematic structural diagram of a server according to the embodiment of the present application, and the server may be provided as a computer, for example. Referring to fig. 9, a server 900 includes a processing component 901 that further includes one or more processors and memory resources represented by memory 902 for storing instructions, such as applications, executable by the processing component 901. The application program stored in the memory 902 may include one or more modules each corresponding to a set of instructions. Further, the processing component 901 is configured to execute instructions to perform any of the method embodiments described above.
The server 900 may also include a power component 903, the power component 903 configured to perform power management of the server 900, a wired or wireless network interface 904 configured to connect the server 900 to a network, and an input/output (I/O) interface 905. The server 900 may operate based on an operating system stored in memory 902, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
The memory may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc. The memory stores a program, and the processor executes the program after receiving an execution instruction. Further, the software programs and modules within the memory may also include an operating system, which may include various software components and/or drivers for managing system tasks (e.g., memory management, storage device control, power management, etc.) and may communicate with various hardware or software components to provide an operating environment for other software components.
The processor may be an integrated circuit chip with signal processing capability. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium comprises a program which is used for realizing the technical scheme of the login method of the application program provided in the method embodiment when being executed by a processor.
The embodiment of the application also provides a computer program product, which comprises a computer program, wherein the computer program is used for realizing the technical scheme of the login method of the application program provided in the method embodiment when being executed by a processor.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (13)

1. A login method of an application program, which is applied to a terminal device, the login method comprising:
when the terminal device has logged in to a first application program corresponding to a first tenant identity authentication server, in response to a single sign-on instruction for a second application program corresponding to a second tenant identity authentication server, sending a single sign-on request to the first tenant identity authentication server, wherein the single sign-on request is used for requesting single sign-on to the second application program;
receiving a single point token sent by the first tenant identity authentication server, wherein the single point token is used for applying for a second login token of the second application program, and the second login token is used for establishing a session of the second application program;
sending the single point token to the second tenant identity authentication server;
receiving the second login token sent by the second tenant identity authentication server;
establishing a session of the second application based on the second login token;
the single point token comprises signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, the signature data of the first tenant identity authentication server being generated by the first tenant identity authentication server with a private key of the first tenant identity authentication server, and the verification data of the second tenant identity authentication server being generated by the first tenant identity authentication server with a public key certificate of the second tenant identity authentication server; the public key certificate of the second tenant identity authentication server is acquired by the first tenant identity authentication server by sending cross-tenant single sign-on configuration information for requesting authorization of cross-tenant single sign-on to a multi-tenant identity authentication server, receiving authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server, and acquiring the public key certificate based on the authorized cross-tenant single sign-on information;
the second tenant identity authentication server generates the second login token and sends the second login token to the terminal device when the single point token is successfully verified, the verification comprising: the second tenant identity authentication server acquires a public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server, verifies the signature data with the public key certificate of the first tenant identity authentication server and determines whether the single point token was sent by the first tenant identity authentication server; if the single point token was sent by the first tenant identity authentication server, decrypts the verification data with a private key of the second tenant identity authentication server and determines whether the single point token was sent to the second tenant identity authentication server; and if the single point token was sent to the second tenant identity authentication server, the single point token is successfully verified.
2. The login method according to claim 1, wherein before the sending the single sign-on request to the first tenant identity authentication server, the login method further comprises:
responding to successful login of the first application program, and sending login success information to the first tenant identity authentication server;
receiving a first login token sent by the first tenant identity authentication server, wherein the first login token is used for establishing a session of the first application program;
a session of the first application is established based on the first login token.
3. A login method of an application program, characterized in that the login method is applied to a first tenant identity authentication server and comprises the following steps:
acquiring a single sign-on request sent by a terminal device when the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, wherein the single sign-on request is used for requesting single sign-on to a second application program corresponding to a second tenant identity authentication server;
generating a single point token in response to the single sign-on request, wherein the single point token is used for applying for a second login token of the second application program, and the second login token is used for establishing a session of the second application program;
sending the single point token to the terminal device;
the terminal device sends the single point token to the second tenant identity authentication server, receives the second login token sent by the second tenant identity authentication server, and establishes a session of the second application program based on the second login token;
the single point token includes signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and generating the single point token includes: generating the signature data of the first tenant identity authentication server with a private key of the first tenant identity authentication server; and generating the verification data of the second tenant identity authentication server with a public key certificate of the second tenant identity authentication server;
the login method further comprises: transmitting cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, wherein the cross-tenant single sign-on configuration information is used for requesting authorization of cross-tenant single sign-on; receiving authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server; and acquiring the public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information;
the second tenant identity authentication server generates the second login token and sends the second login token to the terminal device when the single point token is successfully verified, the verification comprising: the second tenant identity authentication server acquires a public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server, verifies the signature data with the public key certificate of the first tenant identity authentication server and determines whether the single point token was sent by the first tenant identity authentication server; if the single point token was sent by the first tenant identity authentication server, decrypts the verification data with a private key of the second tenant identity authentication server and determines whether the single point token was sent to the second tenant identity authentication server; and if the single point token was sent to the second tenant identity authentication server, the single point token is successfully verified.
4. The login method according to claim 3, wherein before generating the single point token, the login method further comprises:
when the first tenant identity authentication server has been successfully registered, generating a private key and a public key of the first tenant identity authentication server according to tenant information of a tenant corresponding to the first tenant identity authentication server;
based on the public key, sending a public key certificate application request to a digital certificate certification authority;
and obtaining the public key certificate sent by the digital certificate certification authority.
5. A login method of an application program, characterized in that the login method is applied to a second tenant identity authentication server and comprises the following steps:
acquiring a single point token sent by a terminal device, wherein the single point token is generated by the first tenant identity authentication server in response to a single sign-on request sent by the terminal device when the terminal device has logged in to a first application program corresponding to the first tenant identity authentication server, and is sent to the terminal device; the single sign-on request is used for requesting single sign-on to a second application program corresponding to the second tenant identity authentication server, the single point token is used for applying for a second login token of the second application program corresponding to the second tenant identity authentication server, and the second login token is used for establishing a session of the second application program;
parsing the single point token to obtain parsed data of the single point token;
verifying the single point token according to the parsed data;
generating the second login token when the single point token is successfully verified;
sending the second login token to the terminal device, the terminal device establishing a session of the second application program based on the second login token;
the single point token comprises signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, the signature data of the first tenant identity authentication server being generated by the first tenant identity authentication server with a private key of the first tenant identity authentication server, and the verification data of the second tenant identity authentication server being generated by the first tenant identity authentication server with a public key certificate of the second tenant identity authentication server; the public key certificate of the second tenant identity authentication server is acquired by the first tenant identity authentication server by sending cross-tenant single sign-on configuration information for requesting authorization of cross-tenant single sign-on to a multi-tenant identity authentication server, receiving authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server, and acquiring the public key certificate based on the authorized cross-tenant single sign-on information;
the parsed data includes a number of the first tenant identity authentication server, the signature data of the first tenant identity authentication server and the verification data of the second tenant identity authentication server, and verifying the single point token according to the parsed data includes: acquiring a public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server; verifying the signature data with the public key certificate of the first tenant identity authentication server and determining whether the single point token was sent by the first tenant identity authentication server; if the single point token was sent by the first tenant identity authentication server, decrypting the verification data with a private key of the second tenant identity authentication server and determining whether the single point token was sent to the second tenant identity authentication server; and if the single point token was sent to the second tenant identity authentication server, the single point token is successfully verified.
6. The login method of claim 5, wherein decrypting the verification data using the private key of the second tenant identity authentication server and determining whether the single-point token was sent to the second tenant identity authentication server comprises:
Sending cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, wherein the cross-tenant single sign-on configuration information is used for requesting authorization of cross-tenant single sign-on;
If authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server is received, decrypting the verification data using the private key of the second tenant identity authentication server, and determining whether the single-point token was sent to the second tenant identity authentication server.
7. The login method according to claim 5 or 6, wherein the parsed data further includes timestamp data, and verifying the single-point token according to the parsed data comprises:
Determining, according to the timestamp data, whether the current time at which the single-point token is received is within a time window allowed for the single-point token;
If the current time at which the single-point token is received is within the allowed time window of the single-point token, determining that the single-point token is successfully verified.
8. A login device for an application program, applied to a terminal device, the login device comprising:
A first sending module, configured to, when the terminal device is logged in to a first application program corresponding to a first tenant identity authentication server, respond to a single sign-on instruction for a second application program corresponding to a second tenant identity authentication server by sending a single sign-on request to the first tenant identity authentication server, wherein the single sign-on request is used for requesting single sign-on to the second application program;
A first receiving module, configured to receive a single-point token sent by the first tenant identity authentication server, wherein the single-point token is used for applying for a second login token of the second application program, and the second login token is used for establishing a session of the second application program;
A second sending module, configured to send the single-point token to the second tenant identity authentication server;
A second receiving module, configured to receive the second login token sent by the second tenant identity authentication server;
An establishing module, configured to establish a session of the second application program based on the second login token;
wherein the single-point token comprises signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server; the signature data of the first tenant identity authentication server is generated by the first tenant identity authentication server using a private key of the first tenant identity authentication server, and the verification data of the second tenant identity authentication server is generated by the first tenant identity authentication server using a public key certificate of the second tenant identity authentication server; and the public key certificate of the second tenant identity authentication server is acquired by the first tenant identity authentication server by sending cross-tenant single sign-on configuration information, which requests authorization of cross-tenant single sign-on, to a multi-tenant identity authentication server, receiving authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server, and acquiring the public key certificate based on the authorized cross-tenant single sign-on information;
wherein the second tenant identity authentication server generates the second login token and sends the second login token to the terminal device if the single-point token is successfully verified, and the verification comprises: the second tenant identity authentication server acquiring a public key certificate of the first tenant identity authentication server according to a number of the first tenant identity authentication server; verifying the signature data using the public key certificate of the first tenant identity authentication server and determining whether the single-point token was sent by the first tenant identity authentication server; if the single-point token was sent by the first tenant identity authentication server, decrypting the verification data using a private key of the second tenant identity authentication server and determining whether the single-point token was sent to the second tenant identity authentication server; and if the single-point token was sent to the second tenant identity authentication server, determining that the single-point token is successfully verified.
9. A login device for an application program, applied to a first tenant identity authentication server, the login device comprising:
A first acquisition module, configured to acquire a single sign-on request sent by a terminal device when the terminal device is logged in to a first application program corresponding to the first tenant identity authentication server, wherein the single sign-on request is used for requesting single sign-on to a second application program corresponding to a second tenant identity authentication server;
A first generation module, configured to generate a single-point token in response to the single sign-on request, wherein the single-point token is used for applying for a second login token of the second application program, and the second login token is used for establishing a session of the second application program;
A third sending module, configured to send the single-point token to the terminal device;
wherein the terminal device sends the single-point token to the second tenant identity authentication server, receives the second login token sent by the second tenant identity authentication server, and establishes a session of the second application program based on the second login token;
wherein the single-point token includes signature data of the first tenant identity authentication server and verification data of the second tenant identity authentication server, and generating the single-point token comprises: generating the signature data of the first tenant identity authentication server using a private key of the first tenant identity authentication server; and generating the verification data of the second tenant identity authentication server using a public key certificate of the second tenant identity authentication server;
wherein the first tenant identity authentication server is further configured to: send cross-tenant single sign-on configuration information to a multi-tenant identity authentication server, wherein the cross-tenant single sign-on configuration information is used for requesting authorization of cross-tenant single sign-on; receive authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server; and acquire the public key certificate of the second tenant identity authentication server based on the authorized cross-tenant single sign-on information;
wherein the second tenant identity authentication server generates the second login token and sends the second login token to the terminal device if the single-point token is successfully verified, and the verification comprises: the second tenant identity authentication server acquiring a public key certificate of the first tenant identity authentication server according to a number of the first tenant identity authentication server; verifying the signature data using the public key certificate of the first tenant identity authentication server and determining whether the single-point token was sent by the first tenant identity authentication server; if the single-point token was sent by the first tenant identity authentication server, decrypting the verification data using a private key of the second tenant identity authentication server and determining whether the single-point token was sent to the second tenant identity authentication server; and if the single-point token was sent to the second tenant identity authentication server, determining that the single-point token is successfully verified.
10. A login device for an application program, applied to a second tenant identity authentication server, the login device comprising:
A second acquisition module, configured to acquire a single-point token sent by a terminal device, wherein the single-point token is used for applying for a second login token of a second application program corresponding to the second tenant identity authentication server, and the second login token is used for establishing a session of the second application program;
A parsing module, configured to parse the single-point token to obtain parsed data of the single-point token;
A verification module, configured to verify the single-point token according to the parsed data;
A second generation module, configured to generate the second login token if the single-point token is successfully verified;
A fourth sending module, configured to send the second login token to the terminal device, the terminal device establishing a session of the second application program based on the second login token;
wherein the single-point token comprises signature data of a first tenant identity authentication server and verification data of the second tenant identity authentication server; the signature data of the first tenant identity authentication server is generated by the first tenant identity authentication server using a private key of the first tenant identity authentication server, and the verification data of the second tenant identity authentication server is generated by the first tenant identity authentication server using a public key certificate of the second tenant identity authentication server; and the public key certificate of the second tenant identity authentication server is acquired by the first tenant identity authentication server by sending cross-tenant single sign-on configuration information, which requests authorization of cross-tenant single sign-on, to a multi-tenant identity authentication server, receiving authorized cross-tenant single sign-on information sent by the multi-tenant identity authentication server, and acquiring the public key certificate based on the authorized cross-tenant single sign-on information;
wherein the parsed data includes a number of the first tenant identity authentication server, the signature data of the first tenant identity authentication server and the verification data of the second tenant identity authentication server, and verifying the single-point token according to the parsed data comprises: acquiring a public key certificate of the first tenant identity authentication server according to the number of the first tenant identity authentication server; verifying the signature data using the public key certificate of the first tenant identity authentication server, and determining whether the single-point token was sent by the first tenant identity authentication server; if the single-point token was sent by the first tenant identity authentication server, decrypting the verification data using a private key of the second tenant identity authentication server, and determining whether the single-point token was sent to the second tenant identity authentication server; and if the single-point token was sent to the second tenant identity authentication server, determining that the single-point token is successfully verified.
11. A terminal device, comprising:
a processor, a memory and an interactive interface;
wherein the memory is configured to store executable instructions executable by the processor, and the processor is configured to perform the application program login method of claim 1 or 2 by executing the executable instructions.
12. A server, comprising:
a processor, a memory and an interactive interface;
wherein the memory is configured to store executable instructions executable by the processor, and the processor is configured to perform the application program login method of any one of claims 3 to 7 by executing the executable instructions.
13. A readable storage medium having stored thereon a computer program which, when executed by a processor, implements the application program login method of any one of claims 1 to 7.
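Claims 5 to 7, 9 and 10 describe how the single-point token is built by the first tenant identity authentication server and checked by the second. The following Go program is an added illustration, not code from the patent: RSA-PSS stands in for the first server's signature data, RSA-OAEP under the second server's public key for the verification data, a map keyed by server number for the public key certificates obtained through the multi-tenant server's authorization, and a bounded timestamp window for claim 7. The token layout, field names, key sizes and "tenant IdP" shorthand (for tenant identity authentication server) are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// SSOToken models the claims' single-point token: the first tenant IdP's number, a
// timestamp, verification data encrypted to the second tenant IdP, and the signature.
type SSOToken struct {
	IssuerNo  string `json:"issuer_no"`
	IssuedAt  int64  `json:"iat"`
	VerifyEnc []byte `json:"verify_enc"` // RSA-OAEP ciphertext of the target's number
	Signature []byte `json:"sig"`        // RSA-PSS over the other three fields
}

// signedBytes is the canonical encoding the signature covers (all fields but the signature).
func signedBytes(t SSOToken) []byte {
	return []byte(fmt.Sprintf("%s|%d|%x", t.IssuerNo, t.IssuedAt, t.VerifyEnc))
}

// Rand is exported so a caller can create tenant keys with rsa.GenerateKey(Rand, 2048).
var Rand = rand.Reader

// IssueToken is the first tenant IdP's step: encrypt the target's number under the second
// tenant IdP's public key (the verification data), then sign everything with its own key.
func IssueToken(issuerNo string, issuerKey *rsa.PrivateKey, targetNo string,
	targetPub *rsa.PublicKey, now time.Time) (SSOToken, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, targetPub, []byte(targetNo), nil)
	if err != nil {
		return SSOToken{}, err
	}
	tok := SSOToken{IssuerNo: issuerNo, IssuedAt: now.Unix(), VerifyEnc: enc}
	digest := sha256.Sum256(signedBytes(tok))
	tok.Signature, err = rsa.SignPSS(rand.Reader, issuerKey, crypto.SHA256, digest[:], nil)
	return tok, err
}

// Verify is the second tenant IdP's check sequence, in the claims' order: issuer number known
// in issuerPubs (keys of issuers authorized for cross-tenant SSO), signature valid (token came
// from that issuer), verification data decrypts to myNo (meant for us), timestamp in window.
func Verify(tok SSOToken, myNo string, myKey *rsa.PrivateKey,
	issuerPubs map[string]*rsa.PublicKey, window time.Duration, now time.Time) error {
	pub, ok := issuerPubs[tok.IssuerNo]
	if !ok {
		return errors.New("issuer number not authorized for cross-tenant SSO")
	}
	digest := sha256.Sum256(signedBytes(tok))
	if rsa.VerifyPSS(pub, crypto.SHA256, digest[:], tok.Signature, nil) != nil {
		return errors.New("signature invalid: token not from the claimed issuer")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, myKey, tok.VerifyEnc, nil)
	if err != nil || string(plain) != myNo {
		return errors.New("verification data not addressed to this tenant")
	}
	if age := now.Sub(time.Unix(tok.IssuedAt, 0)); age < 0 || age > window {
		return errors.New("token outside its allowed time window")
	}
	return nil
}
```

Only a token that passes all four checks would earn the second login token; a token replayed to a third tenant fails at the decryption step even though its signature is genuine.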
CN202210504335.1A 2022-05-10 2022-05-10 Application program login method, device, equipment and storage medium Active CN114697137B (en)

Publications (2)

Publication Number Publication Date
CN114697137A CN114697137A (en) 2022-07-01
CN114697137B true CN114697137B (en) 2024-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant