CN115632805A - Single sign-on method based on unified user management - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
Abstract
The invention relates to a single sign-on method based on unified user management. When a user accesses the front end of an application system for identity verification, the application system sends a target URL and redirects the user to a login page provided by the UUMS (unified user management system), with the agreed authorization code and state attached. On the login page provided by the UUMS the user chooses whether to authorize the application system; if the user authorizes it, the UUMS authentication server verifies the request and redirects the user to the back end of the application system. The back end of the application system calls the token generation interface provided by the UUMS to generate a token from the authorization code and state, calls the token parsing interface provided by the UUMS with the generated token to obtain the login user information, and stores the token and the user information in the session. The method can greatly improve developer efficiency and significantly reduce enterprise research and development cost.
Description
Technical Field
The invention relates to the technical field of informatization, in particular to a single sign-on method based on unified user management.
Background
With the continuous development of informatization, enterprises have more and more application systems. Each application system generally has its own user information and login management functions; the format, naming and storage of user information vary from system to system, as do the login interfaces. When a user needs to use several application systems, this brings the problems of synchronizing user information and entering user names and passwords repeatedly. Synchronizing user information increases system complexity and management cost; entering the user name and password many times forces the user to log in repeatedly.
Disclosure of Invention
To address these technical problems in the prior art, the invention provides a single sign-on method based on unified user management.
The technical scheme for solving these problems is as follows: a single sign-on method based on unified user management comprises the following steps:
when a user accesses the front end of the application system for identity authentication, the application system sends a target URL and redirects the user to a login page provided by the UUMS, with the agreed authorization code and state attached;
on the login page provided by the UUMS, the user chooses whether to authorize the application system; if the user authorizes it, the UUMS authentication server verifies the request and redirects the user to the back end of the application system;
the back end of the application system calls the token generation interface provided by the UUMS to generate a token from the authorization code and state, calls the token parsing interface provided by the UUMS with the generated token to obtain the login user information, and stores the token and the user information in the session.
Further, the method also comprises: when the front end accesses other interfaces of the back end, the back end determines from the session whether the user is logged in; if so, the user can access normally, otherwise access is refused.
Further, the method also comprises: the user configures user-related information in the unified user management system (UUMS); a developer imports the API jar package provided by the UUMS into the application system and configures the login information.
Further, the user configuring user-related information in the unified user management system (UUMS) comprises:
creating organization information, including the name of the organization the user belongs to;
creating user information under the new organization, comprising the affiliated organization, user name, password and default role;
creating a role and assigning it to the user;
creating an application, i.e. configuring the newly added application system with its application name and access address, which at the same time generates the application's unique identifier, secret key and public key for authentication;
creating a permission, i.e. configuring which organization may access the application system.
Further, configuring the login information comprises configuring the following parameters: UUMS server URL, client ID, client secret, public key for application authentication, and organization name.
Further, the application system sending the target URL and redirecting to the login page provided by the UUMS comprises: the user accesses the client of the application system; the application system calls the interface provided by the UUMS for obtaining the redirection URI and sends an authentication request URI to the UUMS authentication server; the authentication request URI comprises the following parameters: client ID, authorization type, redirection URI, permission scope and current client state.
Further, redirecting the user to the application service back end after verification by the UUMS authentication server comprises:
the UUMS authentication server guiding the user, via the redirection URI that calls back into the application service, to the 'redirect URI' specified in advance by the application system client, with an authorization code attached.
Further, when the back end of the application system calls the token parsing interface provided by the UUMS with the generated token to obtain the login user information, a token request is sent to the UUMS authentication server, the request comprising the following parameters: the authorization grant type used, the application system client ID, the client secret, the redirect URI and the authorization code.
The beneficial effects of the invention are: once the method and system are in place, developers only need to integrate the API (application programming interface) provided by the UUMS according to the specified development rules; after simple business training, ordinary business staff can maintain and manage user information in the UUMS themselves, so developer efficiency is greatly improved and enterprise research and development cost is significantly reduced.
Drawings
Fig. 1 is a flowchart illustrating a single sign-on method based on unified user management according to an embodiment of the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
As shown in Fig. 1, an embodiment of the present invention provides a single sign-on method based on unified user management, comprising the following steps:
S1. The user configures user-related information in the unified user management system (UUMS). This comprises the following steps:
1) Create the organization information the new user belongs to, including the organization name.
2) Create the user information under the new organization, comprising the affiliated organization, user name, password and default role. (New users can also register in the application system they want to use, as they do in the UUMS.)
3) Create a role and assign it to the user.
4) Create an application, i.e. configure the newly added application system with its application name (applicationName) and access address; the application's unique identifier (clientId), secret key (clientSecret) and public key for authentication (publicKey) are generated at this time.
5) Create a permission, i.e. configure which organization may access the application.
6) Create a third-party provider; after configuration, login through a third party such as WeChat or DingTalk is supported. (This step is optional.)
A developer imports the API jar package provided by the UUMS into the application system and configures the login information. The method then comprises the following steps:
S2. When the user accesses the front end of the application system for identity verification, the application system sends a target URL and redirects the user to a login page provided by the UUMS, with the agreed authorization code and state attached.
The user accesses the client of the application system; the application system calls the interface provided by the UUMS for obtaining the redirection URI and sends an authentication request URI to the UUMS authentication server.
The authentication request URI carries the parameters shown in the following table (client ID, authorization type, redirection URI, permission scope and current client state).
Reference is made to the following example:
https://localhost:8000/login/oauth/authorize?client_id={clientId}&response_type=code&redirect_uri={redirectUri}&scope=read&state={applicationName}
S3. On the login page provided by the UUMS, the user chooses whether to authorize the application system; if the user authorizes it, the UUMS authentication server verifies the request and redirects the user to the back end of the application system.
After the UUMS authentication server passes the verification, redirecting the user to the back end of the application system comprises the following: the UUMS authentication server guides the user, via the redirection URI that calls back into the application service, to the 'redirect URI' specified in advance by the application system client, with an authorization code attached.
The application system client calls an interface on the back end of the application system through the redirection URI; the parameters of this call are shown in the following table (authorization code and state).
Reference is made to the following example:
https://client.example.com/callback?code={code}&state={applicationName}
S4. The back end of the application system calls the token generation interface provided by the UUMS to generate a token from the authorization code and state, calls the token parsing interface provided by the UUMS with the generated token to obtain the login user information, and stores the token and the user information in the session.
When the back end of the application system calls the token parsing interface provided by the UUMS with the generated token to obtain the login user information, a token request is sent to the UUMS authentication server; the parameters of this request are shown in the following table (authorization grant type, client ID, client secret, redirect URI and authorization code).
Reference is made to the following example:
https://localhost:8000/api/login/oauth/access_token?grant_type=authorization_code&client_id={clientId}&client_secret={clientSecret}&redirect_uri=http://localhost:8000/login/oauth/authorize
S5. When the front end accesses other interfaces of the back end, the back end determines from the session whether the user is logged in; if so, the user can access normally, otherwise access is refused.
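The S2 to S5 exchange above, as an added example that is not part of the patent or its jar API: a Python simulation of both sides, in which the UUMS server issues one-time authorization codes and authenticates the client with its secret before generating a token, and the application back end binds the state to its session and rejects callbacks it did not start. All client IDs, secrets, users, the helper names and the per-session nonce appended to the state are constructed assumptions; the endpoint and callback URLs are the page's own examples.

```python
# Added example (not the patent's jar API): S2-S5 authorization-code flow with UUMS
# and application back end simulated in-process; ids, users, secrets are constructed.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class UUMSServer:
    def __init__(self, apps, users):
        self.apps, self.users = apps, users    # clientId -> config; user name -> info
        self.codes, self.tokens = {}, {}       # one-time codes; issued tokens

    def authorize(self, url, user, consent):
        """S3: after login and consent, redirect back with an authorization code."""
        p = query_params(url)
        app = self.apps.get(p.get("client_id"))
        if app is None or p.get("response_type") != "code" \
                or p.get("redirect_uri") != app["redirect_uri"]:
            raise ValueError("invalid authorization request")
        if not consent: return None            # user declined on the login page
        code = secrets.token_urlsafe(16)
        self.codes[code] = (p["client_id"], p["redirect_uri"], user)
        return app["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})

    def access_token(self, grant_type, client_id, client_secret, redirect_uri, code):
        """S4 token generation: authenticate the client and consume the code once."""
        app, entry = self.apps.get(client_id), self.codes.pop(code, None)
        if grant_type != "authorization_code" or app is None \
                or not secrets.compare_digest(client_secret, app["secret"]) \
                or entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("client or authorization code rejected")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[2]
        return token

    def parse_token(self, token):
        return self.users[self.tokens[token]]  # S4 token parsing: login user info

class AppBackend:
    def __init__(self, uums, client_id, client_secret, redirect_uri, app_name):
        self.uums, self.cid, self.secret = uums, client_id, client_secret
        self.redirect_uri, self.app_name, self.sessions = redirect_uri, app_name, {}

    def login_redirect(self, sid):
        """S2: build the authorization URI and remember its state in the session."""
        state = f"{self.app_name}.{secrets.token_urlsafe(8)}"  # appName + nonce (assumption)
        self.sessions[sid] = {"state": state}
        return "https://localhost:8000/login/oauth/authorize?" + urlencode(
            {"client_id": self.cid, "response_type": "code", "scope": "read",
             "redirect_uri": self.redirect_uri, "state": state})

    def callback(self, sid, url):
        """S4: verify state, exchange the code, parse the token, fill the session."""
        q, sess = query_params(url), self.sessions.get(sid, {})
        expected = sess.pop("state", None)     # single use, so a replay cannot match
        if expected is None or q.get("state") != expected:
            raise PermissionError("state mismatch: not a login this session started")
        token = self.uums.access_token("authorization_code", self.cid, self.secret,
                                       self.redirect_uri, q.get("code", ""))
        sess.update(token=token, user=self.uums.parse_token(token))
        return sess["user"]

    def is_logged_in(self, sid):
        return "token" in self.sessions.get(sid, {})  # S5 gate for other interfaces
```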
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (8)
1. A single sign-on method based on unified user management, characterized in that it comprises the following steps:
when a user accesses the front end of the application system for identity verification, the application system sends a target URL and redirects the user to a login page provided by the UUMS, with the agreed authorization code and state attached;
on the login page provided by the UUMS, the user chooses whether to authorize the application system; if the user authorizes it, the UUMS authentication server verifies the request and redirects the user to the back end of the application system;
the back end of the application system calls the token generation interface provided by the UUMS to generate a token from the authorization code and state, calls the token parsing interface provided by the UUMS with the generated token to obtain the login user information, and stores the token and the user information in the session.
2. The method of claim 1, further comprising: when the front end accesses other interfaces of the back end, the back end determines from the session whether the user is logged in; if so, the user can access normally, otherwise the user is denied access.
3. The method of claim 1, further comprising: the user configures user-related information in the unified user management system (UUMS); a developer imports the API jar package provided by the UUMS into the application system and configures the login information.
4. The method of claim 3, wherein the user configuring user-related information in the unified user management system (UUMS) comprises:
creating organization information, including the name of the organization the user belongs to;
creating user information under the new organization, comprising the organization, user name, password and default role;
creating a role and assigning it to the user;
creating an application, i.e. configuring the newly added application system with its application name and access address, which at the same time generates the application's unique identifier, secret key and public key for authentication;
creating a permission, i.e. configuring which organization may access the application system.
5. The method of claim 3, wherein configuring the login information comprises configuring the following parameters: UUMS server URL, client ID, client secret, public key for application authentication, and organization name.
6. The method of claim 1, wherein the application system sending the target URL and redirecting to the login page provided by the UUMS comprises: the user accesses the client of the application system; the application system calls the interface provided by the UUMS for obtaining the redirection URI and sends an authentication request URI to the UUMS authentication server; the authentication request URI comprises the following parameters: client ID, authorization type, redirection URI, permission scope and current client state.
7. The method of claim 1, wherein redirecting the user to the application service back end after verification by the UUMS authentication server comprises:
the UUMS authentication server guiding the user, via the redirection URI that calls back into the application service, to the 'redirect URI' specified in advance by the application system client, with an authorization code attached.
8. The method of claim 1, wherein, when the back end of the application system calls the token parsing interface provided by the UUMS with the generated token to obtain the login user information, the back end sends a token request to the UUMS authentication server, the request comprising the following parameters: the authorization grant type used, the application system client ID, the client secret, the redirect URI and the authorization code.
Priority Application
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211053034.8A | 2022-08-31 | 2022-08-31 | Single sign-on method based on unified user management |
Publication
Publication Number | Publication Date | Status |
---|---|---|
CN115632805A | 2023-01-20 | Pending |
Family ID: 84903210
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |