CN116170234B - Single sign-on method and system based on virtual account authentication - Google Patents


Info

Publication number
CN116170234B
Authority
CN
China
Prior art keywords
service system
authentication
virtual
accessed
token
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310436590.1A
Other languages
Chinese (zh)
Other versions
CN116170234A (en)
Inventor
许晓伟
林锋
董芸
王西刚
尹鹏
王晓博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Capitek Co ltd
Original Assignee
Beijing Capitek Co ltd
Application filed by Beijing Capitek Co ltd
Priority to CN202310436590.1A
Publication of CN116170234A
Application granted
Publication of CN116170234B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Abstract

The invention belongs to the technical field of software development and provides a single sign-on method and system based on virtual account authentication. The method comprises: determining whether the current user has logged in to the service system to be accessed, as login confirmation; when the current user is confirmed not to have logged in to the service system to be accessed, acquiring a global token from the virtual authentication management system, for the virtual authentication management system to perform virtual account authentication; when login to the virtual authentication management system succeeds, returning the generated global token and the service system authentication code to the virtual portal page and jumping to the service system access page; automatically performing multiple rounds of interaction between the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system to verify the authentication code and generate a sub-token; and performing login authentication to allow the current user to access the data resources of the service system to be accessed. The invention can complete global authentication effectively and quickly and realizes a more optimized single sign-on method.

Description

Single sign-on method and system based on virtual account authentication
Technical Field
The invention relates to the technical field of software development, in particular to a single sign-on method and system based on virtual account authentication.
Background
With the rapid development of information technology and network technology, enterprises run more and more application systems that are independent of one another. Each system requires a separate login and identifies the user and performs authority control on its own, which is inconvenient for users and costly to manage. Conventional single sign-on solutions address this with a unified user management system (UUMS) that stores, maintains and manages the user information of all application systems in one place, combined with unified authentication over the OAuth (Open Authorization) protocol. However, when a large number of application systems need to be connected, the user authority information of every application system has to be sorted out, planned and integrated globally. Because the systems were deployed and went into operation at different times, the development time, system integration, and planning and management costs of the traditional single sign-on scheme are very high for an enterprise, and in particular multiple existing independent service systems cannot be integrated quickly for single sign-on within a very short time.
Accordingly, there is a need to provide a new single sign-on implementation that is more suitable for fast integration of enterprise applications to address the above-mentioned problems.
Disclosure of Invention
The invention aims to provide a single sign-on method, a system, electronic equipment and a readable medium based on virtual account authentication, which are used for solving the technical problems that in the prior art, each application system needs to independently sign on, identify user identity and conduct authority management and control, so that users are inconvenient to use and high in management cost, when a large number of service systems need to be in butt joint, the traditional single sign-on scheme is long in research and development time and high in research and development cost, and particularly in a very short time, the existing multiple independent service systems cannot be quickly integrated to realize single sign-on and the like. The technical problems to be solved by the invention are realized by the following technical scheme.
The first aspect of the present invention provides a single sign-on method based on virtual account authentication, comprising: receiving an API call request initiated by a current user on a service system access page, and determining whether the current user has logged in to the service system to be accessed, as login confirmation; when the current user is confirmed not to have logged in to the service system to be accessed, acquiring a global token from a virtual authentication management system, for the virtual authentication management system to perform virtual account authentication, which specifically includes automatically jumping to a virtual portal page for the current user to log in and complete global authentication; when login to the virtual authentication management system succeeds, returning the generated global token and the service system authentication code to the virtual portal page, storing the global token in the page, and jumping to the service system access page in the browser carrying the generated global token and the service system authentication code; when an API call carrying the global token and the service system authentication code is detected, automatically performing multiple rounds of interaction between the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system to verify the authentication code and generate a sub-token, which specifically includes: generating the sub-token based on the session identifier returned by the service system to be accessed, returning the generated sub-token to the back end of the service system to be accessed, and at the same time sending the sub-token to the service system access page; and, when an API call request initiated with the sub-token is received, performing login authentication to allow the current user to access the data resources of the service system to be accessed.
According to an alternative embodiment, the back-end service of the service system to be accessed automatically performs multiple rounds of interaction with the back-end service of the virtual authentication management system, including: carrying out authentication code verification based on a service system authentication code, wherein when monitoring that an API call is carried out by carrying a global token and the service system authentication code, request interception is carried out on a back-end service of a service system to be accessed, the service system authentication code is confirmed, and then an authentication code verification request is initiated to the back-end service of the virtual authentication management system; and the back-end service of the virtual authentication management system confirms whether the service system authentication code is legal or not by adopting configuration information of a hierarchical authority strategy, and initiates a login authentication request to the service system to be accessed so as to acquire a session identifier responded by the service system to be accessed.
According to an alternative implementation mode, the back-end service of the virtual authentication management system generates a sub-token by adopting the acquired session identifier, authentication success time and authentication response code, and returns the sub-token as response information to the service system to be accessed.
According to an alternative embodiment, creating a hierarchical authority policy built in the virtual authentication management system specifically includes: generating a key value mapping list of the relation between the virtual account number and the login account number information of each service system in the form of a configuration file, wherein key data in the key value mapping list comprises a login account number and a password of a virtual portal, and value data in the key value mapping list comprises a service system identifier, an address of a login interface, a service system account number and a password; matching the configuration information of the created hierarchical authority policy with a service system authentication code to finish virtual account authentication, and finishing login authentication of the service system to be accessed in a matching way to acquire a session identifier responded by the request to be accessed.
According to an alternative embodiment, when the current user is confirmed not to log in the service system to be accessed, the back-end service of the virtual authentication management system generates and stores a global token, and generates a service system authentication code at the same time, so that the generated global token and the service system authentication code are returned to the virtual portal page as response information of the acquisition request.
According to an alternative embodiment, the virtual portal page stores the global token in a browser and carries the service system authentication code to be redirected to a front page of the service system to be accessed.
According to an alternative embodiment, when the current user is confirmed to be logged in to the service system to be accessed, the global token is verified by the virtual authentication management system, and a service system authentication code is generated to serve as the verification credential for generating the sub-token; the generated service system authentication code is returned to the virtual portal page so that the API call can be made carrying the service system authentication code; and when an API call carrying the service system authentication code is detected, the service system to be accessed automatically performs multiple rounds of interaction with the back end of the virtual authentication management system to verify the authentication code and generate a sub-token.
According to an optional implementation manner, the front-end page of the service system to be accessed receives the sub-token sent by the virtual authentication management system and stores the sub-token in the browser, the sub-token is carried in the browser, the sub-token is automatically jumped to a relevant page of the service to be accessed, and the sub-token is used for login authentication.
According to an alternative embodiment, the automatically jumping to a virtual portal page for the current user to perform a login operation to complete global authentication includes: and automatically jumping to a virtual portal page, and providing an operable page for displaying a login form for the current user to fill in a virtual authentication account, a password and a login click button to complete global authentication.
The second aspect of the present invention provides a single sign-on system based on virtual account authentication, which uses the single sign-on method based on virtual account authentication of the first aspect of the present invention to access data resources. The single sign-on system includes: a receiving and processing module, which receives an API call request initiated by a current user on a service system access page and determines whether the current user has logged in to the service system to be accessed, as login confirmation; a first authentication module, which, when the current user is confirmed not to have logged in to the service system to be accessed, acquires a global token from the virtual authentication management system, for the virtual authentication management system to perform virtual account authentication, which specifically includes automatically jumping to a virtual portal page for the current user to log in and complete global authentication; a generation and storage module, which, when login to the virtual authentication management system succeeds, returns the generated global token and the service system authentication code to the virtual portal page, stores the global token in the page, and jumps to the service system access page in the browser carrying the generated global token and the service system authentication code; an interaction processing module, which, when an API call carrying the global token and the service system authentication code is detected, automatically performs multiple rounds of interaction between the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system to verify the authentication code and generate a sub-token, which specifically includes: generating the sub-token based on the session identifier returned by the service system to be accessed, returning the generated sub-token to the back end of the service system to be accessed, and at the same time sending the sub-token to the service system access page; and an access module, which, when an API call request initiated with the sub-token is received, performs login authentication to allow the current user to access the data resources of the service system to be accessed.
A third aspect of the present invention provides an electronic apparatus, comprising: one or more processors; a storage means for storing one or more programs; the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of the first aspect of the present invention.
A fourth aspect of the invention provides a computer readable medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the method according to the first aspect of the invention.
The embodiment of the invention has the following advantages:
compared with the prior art, the single sign-on method of the invention realizes the management of virtual account numbers and virtual account number authentication in the virtual authentication management system and obtains a global token for the virtual authentication management system to carry out virtual account number authentication by creating a set of virtual authentication management system which is different from the traditional single sign-on realization method and using a built-in front-end user authentication unit and a hierarchical authority policy configuration module thereof, thereby effectively and quickly completing global authentication and realizing a more optimized single sign-on method; the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multi-round interaction to execute authentication code verification, generate a sub-token and issue to a service system access page (namely, a front-end page of the system to be accessed) to be identical to login authentication of each service system, so that single-point login scene requirements meeting a standard protocol can be further and effectively realized in a very short time on the premise that each service system keeps the authentication management independence of each user right, and the service integration scene requirements of users can be effectively and timely met.
In addition, the virtual authentication management system cooperates with the secondary user authentication units of each service system, and reads and uses the service system login information matched with the service system identification, links the secondary user authentication units of the service system, and sends the generated sub-tokens to the front-end system for users to use each service function, so that global authentication can be more effectively and more quickly completed; the global token and the service system sub-token penetrate through the whole single sign-on authentication flow, and the service system can issue the sub-token only after the virtual authentication management system verifies the issued authentication code, so that the single sign-on scene requirement meeting the standard protocol can be further and effectively realized on the premise that each service system keeps the authentication management independence of the user rights.
Drawings
FIG. 1 is a flow chart of steps of an example of a virtual account number authentication-based single sign-on method of the present invention;
FIG. 2 is a schematic diagram of a framework for applying an example of the single sign-on method of FIG. 1;
FIG. 3 is a timing diagram of an example of applying the single sign-on method of FIG. 1;
FIG. 4 is a schematic diagram of an example of a virtual account login system in a virtual account authentication-based single sign-on method of the present invention;
FIG. 5 is a flow chart of steps of an example of a multi-round interaction process in a virtual account number authentication-based single sign-on method of the present invention;
FIG. 6 is a schematic diagram of a framework for applying another example of the single sign-on method of FIG. 1;
FIG. 7 is a schematic diagram of a framework of an example of a virtual account number authentication based single sign-on system in accordance with the present invention;
FIG. 8 is a schematic structural view of an embodiment of an electronic device according to the present invention;
FIG. 9 is a schematic diagram of an embodiment of a computer readable medium according to the present invention.
Detailed Description
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The invention will be described in detail below with reference to the drawings in connection with embodiments.
In view of the above problems, the present invention proposes a single sign-on method, by creating a set of virtual authentication management systems different from the conventional single sign-on implementation method, and using a pre-user authentication unit and a hierarchical authority policy configuration module built in the virtual authentication management system, management of virtual account numbers and virtual account number authentication are achieved only in the virtual authentication management system, and a global token is obtained for the virtual authentication management system to perform virtual account number authentication, so that global authentication can be effectively and quickly completed, and a more optimized single sign-on method can be achieved.
In addition, the invention creates a set of virtual authentication management system to realize the service provided by each service node in the single sign-on process without unified authority management on the user metadata of each service system.
The following describes the present invention in detail with reference to fig. 1 to 6.
FIG. 1 is a flow chart of steps of an example of a virtual account number authentication-based single sign-on method of the present invention. Fig. 2 is a schematic diagram of a framework for applying an example of the single sign-on method of fig. 1. Fig. 3 is a schematic diagram of an example of applying the single sign-on method of fig. 1.
In the application scenario of fig. 2, the system includes a user, a browser, a virtual authentication management system and a plurality of service systems (service system A, service system B, ..., service system N, where N is a positive integer determined by the actual service scenario). The virtual authentication management system includes a pre-user authentication unit and a hierarchical authority policy configuration module (corresponding to the hierarchical authority policy in fig. 2). The pre-user authentication unit performs login authentication on the virtual account; the hierarchical authority policy configuration module is used to configure a list of the relationships between the virtual accounts and the login accounts of the service systems (in this example a key value mapping list, i.e. a KV mapping list). Specifically, first-level user authentication (i.e. the authentication performed by the pre-user authentication unit) is completed through the hierarchical authority policy configuration, and second-level user authentication is completed in cooperation with the service systems. The invention creates a virtual authentication management system to provide the services of each service node in the single sign-on process, so that single sign-on can be achieved more quickly and effectively in application scenarios where multiple independent service systems must be integrated rapidly.
In the present invention, the virtual authentication management system has separate front and back ends. For example, a virtual portal system (including the virtual portal page) is built with the Vue + ElementUI framework, provides a login form for the virtual account, and connects to the back-end microservice login interface of the virtual authentication management system. That is, the back-end service of the virtual authentication management system is a microservice and includes a plurality of login interfaces that connect to the individual service systems.
The overall process of the present invention will be described below with reference to specific examples.
Firstly, in step S101, an API call request initiated by a current user on a service system access page is received, and it is determined whether the current user logs in the service system to be accessed to perform login confirmation.
In a specific embodiment, in an application scenario (see in particular fig. 3) where a current user wants to access the service system 01, an API call request initiated by the current user on a service access page is received; for example, the API call request obtained from the current user is http://service1/user-details. The service systems comprise a service system 01 and a service system 02, each of which includes a back-end API system. The service system 01 intercepts the API call request, for example through a pre-filter, and checks whether a global token, a session identifier and the like are present in the API call request to determine whether the current user has logged in to the service system 01 (i.e. the service system to be accessed).
And then judging whether the current user logs in the service system to be accessed or not so as to carry out login confirmation.
For example, the service system 01 determines whether the current user logs in to the service system to be accessed (i.e., the service system 01) to complete login confirmation.
Specifically, when the current user is confirmed not to have logged in to the service system to be accessed, the service system to be accessed returns an error code together with a request that the current user first complete login authentication with the virtual authentication management system (which includes a back-end API system) and then access the service system to be accessed. When it is confirmed that the current user has logged in to the service system to be accessed, it is determined whether the global token has been acquired. The global token is, for example, "fb9fb54737cd4479ba272f0b75f144ee".
It should be noted that the foregoing is merely illustrative of the present invention and is not to be construed as limiting thereof.
The processing procedure of the current user not logging in the service system to be accessed will be specifically described in connection with step S102.
In step S102, when it is confirmed that the current user does not log in the service system to be accessed, a global token is obtained from the virtual authentication management system for the virtual authentication management system to perform virtual account authentication, which specifically includes automatically jumping to a virtual portal page for the current user to log in, so as to complete global authentication.
Specifically, when the current user is confirmed not to have logged in to the service system to be accessed, the current user receives response information requesting completion of login authentication with the virtual authentication management system. The current user acquires a global token from the virtual authentication management system; specifically, an acquisition request such as "GET http://sso-server/login" is sent to the virtual authentication management system, and the virtual authentication management system determines whether the current user has logged in to the virtual authentication management system.
It should be noted that the virtual authentication management system in step S102, that is, the virtual authentication management system shown in fig. 2, specifically includes a pre-user authentication unit corresponding to the virtual portal page and a hierarchical authority policy configuration module. The front-end user authentication unit performs login authentication on the virtual account. The hierarchical authority policy configuration module is used to configure a list of the relationships between the virtual account and the login accounts of each service system, for example a key value mapping list (i.e. a KV mapping list).
Specifically, the virtual authentication management system has a built-in hierarchical authority policy; that is, the back-end service of the virtual authentication management system also includes the hierarchical authority policy, and the login-related attributes of each service system to be integrated are configured through the hierarchical authority policy configuration module (using, for example, yml files). To create the hierarchical authority policy built into the virtual authentication management system, a key value mapping list of the relationship between the virtual account and the login account information of each service system is generated in the form of the configuration file shown in fig. 4. The key data in the key value mapping list comprise the login account (for example, admin) and password (for example, admin) of the virtual portal, and the value data comprise a service system identifier (for example, e48c190a77, b32d 190467), the address of the login interface (for example, http:/×), and a service system account (for example, admin, zhangshan) and password (for example, admin).
As can be seen from fig. 4, each virtual account corresponds to a policy and to a login information list. For example, the virtual account z1 corresponds to policy 1 and to login information list 1 (specifically, the login information list 1 of each service system); the virtual account z2 corresponds to policy 2 (specifically, the login information list 2 of each service system); and the virtual account zn corresponds to policy M and to login information list N. Preferably, the correspondence between the virtual accounts and the login accounts of the service systems is M:N and forms a relational mapping list, for example a key value mapping list (i.e. a KV mapping list), which may be a many-to-many, one-to-many or many-to-one mapping list.
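The key value policy described above, together with the authentication-code verification and sub-token generation described in the disclosure, as an added Python sketch that is not code from the patent. The class and method names, service identifiers, passwords, the single-use and 60-second expiry of the authentication code, and the HMAC-SHA256 sub-token construction are assumptions; the patent names only the inputs to the sub-token.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy standing in for the yml file. Key: virtual portal account and
# password (hashed here, an assumption); value: per-service login information.
POLICY = {"z1": {
    "pw_sha256": hashlib.sha256(b"portal-pw-z1").hexdigest(),
    "services": {
        "svc-01": {"login_url": "http://service1.example/login",
                   "account": "admin", "password": "svc01-pw"},
        "svc-02": {"login_url": "http://service2.example/login",
                   "account": "zhangshan", "password": "svc02-pw"}}}}

class BusinessSystem:
    """Back end of one service system; it keeps its own accounts and sessions."""

    def __init__(self, service_id, accounts):
        self.service_id = service_id
        self._accounts = accounts      # account -> password
        self._sessions = {}            # session identifier -> account
        self._sub_tokens = {}          # sub-token -> session identifier

    def login(self, account, password):
        """Second-level authentication: returns (response code, session id)."""
        expected = self._accounts.get(account)
        if expected is None or not hmac.compare_digest(expected, password):
            return 401, None
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = account
        return 200, session_id

    def first_call(self, vams, global_token, auth_code):
        """Intercepted request: pass the authentication code to the VAMS back end."""
        result = vams.verify_code(global_token, auth_code, self)
        if result is None:
            return None
        self._sub_tokens[result[0]] = result[1]
        return result[0]

    def api_call(self, sub_token):
        """Later calls carry only the sub-token; returns the account or None."""
        return self._sessions.get(self._sub_tokens.get(sub_token))

class VirtualAuthManager:
    CODE_TTL = 60  # seconds; expiry and single use are assumptions of this sketch

    def __init__(self, policy):
        self._policy = policy
        self._key = secrets.token_bytes(32)  # HMAC key for sub-tokens (assumed)
        self._global_tokens = {}             # global token -> virtual account
        self._codes = {}                     # code -> (global token, service, expiry)

    def portal_login(self, account, password, service_id):
        """First-level authentication: returns (global token, code) or None."""
        entry = self._policy.get(account)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if entry is None or not hmac.compare_digest(entry["pw_sha256"], digest):
            return None
        global_token = secrets.token_hex(16)
        self._global_tokens[global_token] = account
        return global_token, self.issue_code(global_token, service_id)

    def issue_code(self, global_token, service_id):
        """Already-logged-in path: a fresh code for another service system."""
        if global_token not in self._global_tokens:
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (global_token, service_id, time.time() + self.CODE_TTL)
        return code

    def verify_code(self, global_token, auth_code, system):
        """Check the code, log in downstream via the policy, build the sub-token."""
        tok, sid, exp = self._codes.pop(auth_code, (None, None, 0))  # single use
        if tok != global_token or sid != system.service_id or time.time() > exp:
            return None
        creds = self._policy[self._global_tokens[tok]]["services"].get(sid)
        if creds is None:
            return None
        status, session_id = system.login(creds["account"], creds["password"])
        if status != 200:
            return None
        # The patent names the inputs (session identifier, authentication success
        # time, response code); combining them with HMAC-SHA256 is an assumption.
        msg = f"{session_id}|{int(time.time())}|{status}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest(), session_id

def demo():
    svc1 = BusinessSystem("svc-01", {"admin": "svc01-pw"})
    svc2 = BusinessSystem("svc-02", {"zhangshan": "svc02-pw"})
    vams = VirtualAuthManager(POLICY)
    global_token, code1 = vams.portal_login("z1", "portal-pw-z1", "svc-01")
    sub1 = svc1.first_call(vams, global_token, code1)
    replay = svc1.first_call(vams, global_token, code1)   # code already consumed
    wrong = svc1.first_call(vams, global_token, vams.issue_code(global_token, "svc-02"))
    sub2 = svc2.first_call(vams, global_token, vams.issue_code(global_token, "svc-02"))
    return {"svc1_user": svc1.api_call(sub1), "svc2_user": svc2.api_call(sub2),
            "replay": replay, "wrong_target": wrong, "cross_use": svc2.api_call(sub1)}
```

The policy holds the downstream service credentials, so in this design the policy file is the most sensitive asset: one virtual portal login resolves to every service account mapped to it.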
In an embodiment, when the current user is confirmed to not log in the service system to be accessed, the back-end service of the virtual authentication management system generates and stores a global token, and generates a service system authentication code at the same time, so that the generated global token and the service system authentication code are returned to the virtual portal page as response information of the acquisition request.
Specifically, the backend service of the virtual authentication management system provides a virtual account authentication interface and generates a global token.
Optionally, the interaction process between the virtual portal page and the back-end service of the virtual authentication management system further comprises an interaction process between the current user and the virtual portal (i.e. the browser), which the user operates by input. Specifically, when it is determined that the current user has not logged in to the virtual authentication management system, an error code or response information is returned, and the browser automatically jumps to the virtual portal page of the virtual authentication management system (for example, POST: http://sso-server/login) so that the current user can log in and complete global authentication. For example, the current user is presented with an operable page displaying a login form, in which the user enters the virtual authentication account and password and clicks the login button to complete global authentication (i.e. the "login authentication" shown in fig. 3).
It should be noted that the foregoing is merely illustrative of the present invention and is not to be construed as limiting thereof.
Next, in step S103, when the virtual authentication management system is successfully logged in, the generated global token and the service system authentication code are returned to the virtual portal page, the global token is stored in the page, and the generated global token and the service system authentication code are carried to jump to the service system access page in the browser.
Specifically, when the back-end service of the virtual authentication management system confirms that the virtual authentication management system is successfully logged in, the back-end service of the virtual authentication management system returns the generated global token and service system authentication code to the virtual portal page.
The virtual portal page then stores the global token in the browser and, carrying the service system authentication code, redirects to the front-end page of the service system to be accessed (i.e., the service system access page).
Preferably, the virtual authentication management system provides the ability to store and read the global token in the browser (e.g., localStorage).
Carrying the generated global token and the service system authentication code, the browser (specifically, the virtual portal page) jumps to the service system access page (namely the front-end page of the service system to be accessed), which then initiates an API call request.
It should be noted that the foregoing is merely illustrative of the present invention and is not to be construed as limiting thereof.
Next, in step S104, when it is monitored that an API call is made carrying the global token and the service system authentication code, the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multiple rounds of interaction to perform authentication code verification and generate a sub-token. This specifically includes: generating a sub-token based on the session identifier returned by the service system to be accessed, returning the generated sub-token to the back end of the service system to be accessed, and simultaneously sending the sub-token to the service system access page, where the sub-token is stored in the browser's localStorage.
Optionally, the service system to be accessed monitors for API call requests carrying a global token and a service system authentication code; when it detects an API call (i.e. an API call request) carrying the global token and the service system authentication code, the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multiple rounds of interaction.
Fig. 5 is a flowchart illustrating steps of an example of a multi-round interaction procedure in the virtual account number authentication-based single sign-on method of the present invention.
Specifically, as shown in fig. 5, the multi-round interaction process specifically includes the following steps.
Step S501, authentication code verification is performed based on the service system authentication code.
Specifically, when monitoring that the API call is carried with the global token and the service system authentication code, request interception is carried out on the back-end service of the service system to be accessed, the service system authentication code is confirmed, and then an authentication code verification request is initiated to the back-end service of the virtual authentication management system.
The back-end service of the virtual authentication management system uses the configuration information of the hierarchical authority policy to confirm whether the service system authentication code is legitimate, and initiates a login authentication request to the service system to be accessed (corresponding to "initiating a login authentication request to a service system when the authentication code is successfully verified") so as to obtain the session identifier with which the service system to be accessed responds. For example, a sub-session management module in the service system generates the session identifier, and the session identifier generated by the service system is returned to the back end of the virtual authentication management system (corresponding to the "return session identifier" in fig. 3).
Step S502: a sub-token is generated based on the session identifier, and the generated sub-token is returned to the service system to be accessed as response information.
In an alternative embodiment, the back-end service of the virtual authentication management system generates a sub-token by using the acquired session identifier, authentication success time and authentication response code, and returns the sub-token as response information to the service system to be accessed (corresponding to the "return generated sub-token" in fig. 3), specifically, the back-end service of the service system to be accessed.
Specifically, the back-end service of the virtual authentication management system matches the configuration information of the created hierarchical authority policy against the service system authentication code to complete virtual account authentication and, in coordination, completes the login authentication of the service system to be accessed so as to acquire the session identifier returned in response to the request to be accessed.
It should be noted that the foregoing is merely illustrative of the present invention and is not to be construed as limiting thereof.
Next, in step S105, when receiving the API call request initiated by the sub-token, login authentication is performed to allow the current user to access the data resource of the service system to be accessed.
Specifically, the front-end page of the service system to be accessed (i.e. the service system access page) receives the sub-token sent by the virtual authentication management system and stores it in the browser. Carrying the sub-token, the browser automatically jumps to the relevant page of the service to be accessed, and the sub-token is used for login authentication; for example, when the login authentication passes, response information such as 200 is returned and the initiated API call is authorized.
For example, when the back-end service of the service system to be accessed receives the initiated API call request, it uses the session identifier to verify the sub-token and complete login authentication. When verification passes, login authentication of the service system to be accessed is complete and the data resource can be accessed. When verification does not pass, login authentication of the service system to be accessed is not completed, and an "inaccessible" or other error message is returned.
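The exchange of steps S103 to S105 can be followed end to end in the Python model below, which is an added example and not code from the patent. The HMAC-signed sub-token layout, the per-service shared key, the 60-second single-use authentication code, the passwords and all class and function names are assumptions; in-process calls stand in for the HTTP requests, and the sample data is constructed around the page's sample identifier e48c190a77 and account zhangshan.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 60  # assumed lifetime, in seconds, of a service system authentication code


def sign(key, payload):
    """HMAC-SHA256 tag that protects the sub-token payload (assumed scheme)."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


class ServiceSystem:
    """Service back end that keeps its own login check (secondary user authentication unit)."""

    def __init__(self, system_id, accounts, key):
        self.system_id, self._accounts, self._key = system_id, accounts, key
        self._sessions = {}  # session identifier -> service system account

    def login(self, account, password):
        """Existing login interface: return a fresh session identifier, or None."""
        expected = self._accounts.get(account)
        if expected is None or not same(expected, password):
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = account
        return session_id

    def api_call(self, sub_token):
        """Step S105: check the sub-token's tag, then its session identifier."""
        payload, _, tag = sub_token.rpartition(".")
        if not payload or not same(tag, sign(self._key, payload)):
            return 401, None
        account = self._sessions.get(payload.split("|")[0])
        return (200, account) if account else (401, None)


class VirtualAuthManager:
    """Back-end service of the virtual authentication management system."""

    def __init__(self, virtual_accounts, policy, services, keys):
        self._virtual_accounts = virtual_accounts  # virtual account -> password
        self._policy = policy  # virtual account -> {system id -> login information}
        self._services, self._keys = services, keys
        self._global_tokens = {}  # global token -> virtual account
        self._codes = {}  # authentication code -> (global token, system id, expiry)

    def portal_login(self, account, password, system_id, now=None):
        """Global authentication; returns (global token, authentication code) or None."""
        now = time.time() if now is None else now
        expected = self._virtual_accounts.get(account)
        if expected is None or not same(expected, password):
            return None
        if system_id not in self._policy.get(account, {}):
            return None  # the policy holds no login information for this pair
        token, code = secrets.token_urlsafe(32), secrets.token_urlsafe(16)
        self._global_tokens[token] = account
        self._codes[code] = (token, system_id, now + CODE_TTL)
        return token, code

    def exchange_code(self, global_token, code, system_id, now=None):
        """Steps S501-S502: verify the code, log in to the service, build the sub-token."""
        now = time.time() if now is None else now
        record = self._codes.pop(code, None)  # single use: removed on first presentation
        if record is None or record[:2] != (global_token, system_id) or now > record[2]:
            return None
        entry = self._policy[self._global_tokens[global_token]][system_id]
        # In-process call standing in for a POST to entry["login_url"].
        session_id = self._services[system_id].login(entry["account"], entry["password"])
        if session_id is None:
            return None
        payload = f"{session_id}|{int(now)}|200"  # session id, success time, response code
        return f"{payload}.{sign(self._keys[system_id], payload)}"


def build_demo():
    """Constructed sample data: one virtual account mapped to one service account."""
    system_id, key = "e48c190a77", secrets.token_bytes(32)
    service = ServiceSystem(system_id, {"zhangshan": "service-pw-constructed"}, key)
    policy = {"z1": {system_id: {"login_url": "http://service.example/login",
                                 "account": "zhangshan",
                                 "password": "service-pw-constructed"}}}
    manager = VirtualAuthManager({"z1": "portal-pw-constructed"}, policy,
                                 {system_id: service}, {system_id: key})
    return manager, service


if __name__ == "__main__":
    manager, service = build_demo()
    token, code = manager.portal_login("z1", "portal-pw-constructed", "e48c190a77")
    sub_token = manager.exchange_code(token, code, "e48c190a77")
    print(service.api_call(sub_token))                        # valid sub-token
    print(manager.exchange_code(token, code, "e48c190a77"))   # replayed code
```

Binding the authentication code to both the global token and the service system identifier, and deleting it on first presentation, is what keeps a code captured from a redirect URL from being exchanged a second time or at a different service system.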
In another example, when it is confirmed that the current user has logged in to the service system to be accessed, the logged-in response information is returned to the front-end page of the service system to be accessed. Then an acquisition request, such as "GET http://sso-server/login", is sent to the front-end page of the virtual authentication management system, which determines whether the current user has logged in to the virtual authentication management system.
When it is determined that the current user has not logged in to the virtual authentication management system, an error code or response information is returned, and the browser automatically jumps to the virtual portal page of the virtual authentication management system so that the current user can log in and complete global authentication. For example, the user may be presented with an operable page displaying a login form, in which the user enters the virtual authentication account and password and clicks the login button to complete global authentication. The global token is verified by the virtual authentication management system, and a service system authentication code is generated to be used as a verification credential for generating the sub-token. The generated service system authentication code is returned to the virtual portal page so that the API call can be made carrying the service system authentication code; when it is monitored that an API call is made carrying the service system authentication code, the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multi-round interaction to perform authentication code verification and generate a sub-token.
Next, step S103, step S104, and step S105 are performed. Since the contents of step S103, step S104, and step S105 in this example are substantially the same as those of step S103, step S104, and step S105 shown in fig. 1, the description of the same portions is omitted.
In yet another example, each service system further includes a user management function module, which still retains and uses the existing rights framework and login authentication procedure, and is used as a "secondary user authentication unit" of the present invention (see fig. 6 in particular), and is responsible for receiving an authentication call notification from the virtual authentication management system, and actually executing the procedure of service system user login authentication.
Specifically, the virtual authentication management system uses a built-in pre-user authentication unit and a hierarchical authority policy configuration module to realize that management of virtual account numbers and virtual account number authentication are completed in the virtual authentication management system only and obtain a global token. The virtual authentication management system cooperates with the secondary user authentication units of the service systems, and reads and uses the service system login information matched with the service system identification to link the secondary user authentication units of the service systems, and sends the generated sub-tokens to the front end of the service systems for each user to use each service function and access data resources.
It should be noted that the steps of the present invention follow the OAuth 2.0 protocol, and the authorization mode follows the simplified (implicit) authorization mode. In addition, the front-end user authentication unit of the virtual authentication management system is used for performing login authentication on the virtual account. In the whole flow, the virtual account information is authenticated before the account of the service system, and the two are located in different authentication systems.
The foregoing is illustrative only and is not to be construed as limiting the invention.
Compared with the prior art, the single sign-on method of the invention creates a virtual authentication management system that differs from traditional single sign-on implementations. Using its built-in front user authentication unit and hierarchical authority policy configuration module, the management and authentication of virtual accounts are completed within the virtual authentication management system and a global token is obtained for virtual account authentication, so that global authentication can be completed effectively and rapidly. The back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multi-round interaction to execute authentication code verification, generate a sub-token, and issue it to the service system access page (namely, the front-end page of the service system to be accessed), equivalent to the login authentication of each service system. A single sign-on scenario that conforms to a standard protocol can therefore be realized in a very short time while each service system keeps independent authentication management of its user rights, and the user's service integration requirements can be met effectively and promptly.
In addition, the virtual authentication management system cooperates with the secondary user authentication units of each service system, and reads and uses the service system login information matched with the service system identification, links the secondary user authentication units of the service system, and sends the generated sub-tokens to the front-end system for users to use each service function, so that global authentication can be more effectively and more quickly completed; the global token and the service system sub-token penetrate through the whole single sign-on authentication flow, and the service system can issue the sub-token only after the virtual authentication management system verifies the issued authentication code, so that the single sign-on scene requirement meeting the standard protocol can be further and effectively realized on the premise that each service system keeps the authentication management independence of the user rights.
The following are system embodiments of the present invention that may be used to perform method embodiments of the present invention. For details not disclosed in the system embodiments of the present invention, please refer to the method embodiments of the present invention.
Fig. 7 is a schematic diagram of the structure of an example of a single sign-on system based on virtual account number authentication according to the present invention.
Referring to fig. 7, a second aspect of the present disclosure provides a single sign-on system 600 based on virtual account number authentication, which uses the single sign-on method based on virtual account number authentication of the present invention to invoke a data resource, where the single sign-on system 600 includes a receiving processing module 610, a first authentication module 620, a generating storage module 630, an interaction processing module 640, and an access module 650.
Specifically, the receiving processing module 610 is configured to receive an API call request initiated by a current user on a service system access page, and to determine whether the current user has logged in to the service system to be accessed so as to perform login confirmation. When it is confirmed that the current user has not logged in to the service system to be accessed, the first authentication module 620 acquires a global token from the virtual authentication management system for the virtual authentication management system to perform virtual account authentication, which specifically includes automatically jumping to a virtual portal page for the current user to log in and complete global authentication. When the virtual authentication management system is successfully logged in, the generation storage module 630 returns the generated global token and the service system authentication code to the virtual portal page, stores the global token in the page, and jumps to the service system access page in the browser carrying the generated global token and the service system authentication code. When the interaction processing module 640 monitors that an API call is made carrying the global token and the service system authentication code, the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multi-round interaction to execute authentication code verification and generate a sub-token, which specifically comprises: generating a sub-token based on the session identifier returned by the service system to be accessed, returning the generated sub-token to the back end of the service system to be accessed, and simultaneously sending the sub-token to the service system access page. The access module 650 performs login authentication when receiving the API call request initiated with the sub-token, so as to allow the current user to access the data resource of the service system to be accessed.
In an optional implementation manner, the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multiple rounds of interaction, including: carrying out authentication code verification based on a service system authentication code, wherein when monitoring that an API call is carried out by carrying a global token and the service system authentication code, a request interception is carried out at the rear end of a service system to be accessed, the service system authentication code is confirmed, and then an authentication code verification request is initiated to the rear end of the virtual authentication management system; and the back end of the virtual authentication management system confirms whether the service system authentication code is legal or not by adopting configuration information of a hierarchical authority strategy, and initiates a login authentication request to the service system to be accessed so as to acquire a session identifier responded by the service system to be accessed.
In an optional implementation manner, the back end of the virtual authentication management system generates a sub-token by adopting the acquired session identifier, authentication success time and authentication response code, and returns the sub-token as response information to the service system to be accessed.
In an optional embodiment, creating a hierarchical authority policy built in the virtual authentication management system specifically includes: generating a key value mapping list of the relation between the virtual account number and the login account number information of each service system in the form of a configuration file, wherein key data in the key value mapping list comprises login information of a virtual portal, and value data in the key value mapping list comprises service system identifiers, addresses of login interfaces, service system accounts and passwords; matching the configuration information of the created hierarchical authority policy with a service system authentication code to finish virtual account authentication, and finishing login authentication of the service system to be accessed in a matching way to acquire a session identifier responded by the request to be accessed.
In an optional embodiment, when the current user is confirmed to not log in the service system to be accessed, the back-end service of the virtual authentication management system generates and stores a global token, and generates a service system authentication code at the same time, so that the generated global token and the service system authentication code are returned to the virtual portal page as response information of the acquisition request.
And then, the virtual portal page stores the global token into a browser and carries the service system authentication code to redirect to a front page of a service system to be accessed.
In an alternative embodiment, when it is confirmed that the current user has logged in to the service system to be accessed, the global token is verified by the virtual authentication management system, and a service system authentication code is generated to be used as a verification credential for generating the sub-token; the generated service system authentication code is returned to the virtual portal page so that the API call can be made carrying the service system authentication code.
Specifically, when monitoring that the carried service system authentication code makes an API call, the service system to be accessed automatically performs multiple rounds of interaction with the back end of the virtual authentication management system to perform authentication code verification and generate a sub-token.
In an optional implementation manner, the front-end page of the service system to be accessed receives the sub-token sent by the virtual authentication management system and stores the sub-token in the browser, and the sub-token is carried in the browser to automatically jump to the relevant page of the service to be accessed, and the sub-token is used for login authentication.
In an optional embodiment, the automatically jumping to a virtual portal page for the current user to log in to complete global authentication includes: and automatically jumping to a virtual portal page, and providing an operable page for displaying a login form for the current user to fill in a virtual authentication account, a password and a login click button to complete global authentication.
Note that, since the single sign-on method in the present embodiment is substantially the same as the single sign-on method in the above embodiment, the description of the same portions is omitted.
Compared with the prior art, the single sign-on system of the invention creates a virtual authentication management system that differs from traditional single sign-on implementations. Using its built-in front user authentication unit and hierarchical authority policy configuration module, the management and authentication of virtual accounts are completed within the virtual authentication management system and a global token is obtained for virtual account authentication, so that global authentication can be completed effectively and rapidly. The back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multi-round interaction to execute authentication code verification, generate a sub-token, and issue it to the service system access page (namely, the front-end page of the service system to be accessed), equivalent to the login authentication of each service system. A single sign-on scenario that conforms to a standard protocol can therefore be realized in a very short time while each service system keeps independent authentication management of its user rights, and the user's service integration requirements can be met effectively and promptly.
In addition, the virtual authentication management system cooperates with the secondary user authentication units of each service system, and reads and uses the service system login information matched with the service system identification, links the secondary user authentication units of the service system, and sends the generated sub-tokens to the front-end system for users to use each service function, so that global authentication can be more effectively and more quickly completed; the global token and the service system sub-token penetrate through the whole single sign-on authentication flow, and the service system can issue the sub-token only after the virtual authentication management system verifies the issued authentication code, so that the single sign-on scene requirement meeting the standard protocol can be further and effectively realized on the premise that each service system keeps the authentication management independence of the user rights.
Fig. 8 is a schematic structural view of an embodiment of an electronic device according to the present invention.
As shown in fig. 8, the electronic device is in the form of a general purpose computing device. The processor may be one or a plurality of processors and work cooperatively. The invention does not exclude that the distributed processing is performed, i.e. the processor may be distributed among different physical devices. The electronic device of the present invention is not limited to a single entity, but may be a sum of a plurality of entity devices.
The memory stores a computer executable program, typically machine readable code. The computer readable program may be executable by the processor to enable an electronic device to perform the method, or at least some of the steps of the method, of the present invention.
The memory includes volatile memory, such as Random Access Memory (RAM) and/or cache memory, and may be non-volatile memory, such as Read Only Memory (ROM).
Optionally, in this embodiment, the electronic device further includes an I/O interface, which is used for exchanging data between the electronic device and an external device. The I/O interface may be a bus representing one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
It should be understood that the electronic device shown in fig. 8 is only one example of the present invention, and the electronic device of the present invention may further include elements or components not shown in the above examples. For example, some electronic devices further include a display unit such as a display screen, and some electronic devices further include a man-machine interaction element such as a button, a keyboard, and the like. The electronic device may be considered as covered by the invention as long as the electronic device is capable of executing a computer readable program in a memory for carrying out the method or at least part of the steps of the method.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, as shown in fig. 9, the technical solution according to the embodiment of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several commands to cause a computing device (may be a personal computer, a server, or a network device, etc.) to perform the above-described method according to the embodiment of the present invention.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. The readable storage medium can also be any readable medium that can communicate, propagate, or transport the program for use by or in connection with the command execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The computer-readable medium carries one or more programs, which when executed by one of the devices, cause the computer-readable medium to implement the data interaction methods of the present disclosure.
Those skilled in the art will appreciate that the modules may be distributed throughout several devices as described in the embodiments, and that corresponding variations may be implemented in one or more devices that are unique to the embodiments. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and which includes several commands to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The exemplary embodiments of the present invention have been particularly shown and described above. It is to be understood that this invention is not limited to the precise arrangements and instrumentalities described herein; on the contrary, the invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (8)

1. A single sign-on method based on virtual account authentication, characterized by comprising the following steps:
receiving an API call request initiated by a current user on a service system access page, and judging whether the current user has logged in to a service system to be accessed, so as to carry out login confirmation;
when it is confirmed that the current user has not logged in to the service system to be accessed, sending an acquisition request to acquire a global token from a virtual authentication management system, so that the virtual authentication management system performs virtual account authentication, which specifically comprises: when the virtual authentication management system returns an error code based on the acquisition request, requiring the current user to first complete login authentication of the virtual authentication management system and only then access the service system to be accessed, and, based on the error code returned for the acquisition request, automatically jumping to a virtual portal page for the current user to log in, thereby completing global authentication;
when login to the virtual authentication management system succeeds, returning the generated global token and the service system authentication code to the virtual portal page, storing the global token in the page, and jumping in the browser to the service system access page while carrying the generated global token and the service system authentication code;
when the service system access page monitors that an API call initiated to the service system to be accessed carries a global token and a service system authentication code, the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system automatically perform multiple rounds of interaction to execute authentication code verification and generate a sub-token, and the method specifically comprises the following steps:
based on a service system authentication code, executing authentication code verification, performing API request interception on a back-end service of a service system to be accessed and confirming the service system authentication code, then initiating an authentication code verification request to the back-end service of a virtual authentication management system, confirming whether the service system authentication code is legal or not by adopting configuration information of a hierarchical authority strategy through the back-end service of the virtual authentication management system, and initiating a login authentication request to the service system to be accessed when the authentication code verification is successful so as to acquire a session identifier responded by the service system to be accessed;
generating a sub-token based on the session identifier returned by the service system to be accessed, returning the generated sub-token to the back end of the service system to be accessed, simultaneously sending the sub-token to the service system access page, and storing the sub-token by the service system access page;
when the service system access page receives an API call request initiated with the sub-token, performing login authentication of the service system to be accessed to allow the current user to access the data resources of the service system to be accessed.
2. The single sign-on method of claim 1, wherein,
and the back-end service of the virtual authentication management system generates a sub-token by adopting the session identifier, the authentication success time and the authentication response code responded by the service system to be accessed, and returns the sub-token as response information to the service system to be accessed.
3. The single sign-on method of claim 1, wherein,
the method for creating the hierarchical authority strategy built in the virtual authentication management system specifically comprises the following steps:
generating a key value mapping list of the relation between the virtual account number and the login account number information of each service system in the form of a configuration file, wherein key data in the key value mapping list comprises a login account number and a password of a virtual portal, and value data in the key value mapping list comprises a service system identifier, an address of a login interface, a service system account number and a password;
matching the configuration information of the created hierarchical authority policy with a service system authentication code to complete virtual account authentication, and, through the matching, completing login authentication of the service system to be accessed to acquire a session identifier responded by the request to be accessed.
4. The single sign-on method of claim 1, wherein,
when the current user is confirmed to not log in the service system to be accessed, the back-end service of the virtual authentication management system generates a global token and generates a service system authentication code at the same time, the generated global token and the service system authentication code are used as response information of an acquisition request to be returned to a virtual portal page, and the virtual portal page stores the global token into a browser.
5. The single sign-on method of claim 4, wherein,
and the virtual portal page stores the global token into a browser and carries the service system authentication code to redirect the global token to a front-end page of a service system to be accessed.
6. The single sign-on method of claim 1, wherein,
and the front-end page of the service system to be accessed receives the sub-token sent by the virtual authentication management system and stores the sub-token in the browser, and the sub-token is carried in the browser to automatically jump to the relevant page of the service to be accessed, and the sub-token is used for login authentication.
7. The single sign-on method of claim 1, wherein the automatically jumping to a virtual portal page for the current user to perform a sign-on operation to complete global authentication comprises:
and automatically jumping to a virtual portal page, and providing an operable page for displaying a login form for the current user to fill in a virtual authentication account, a password and a login click button to complete global authentication.
8. A virtual account number authentication-based single sign-on system for data resource access using the virtual account number authentication-based single sign-on method according to any one of claims 1 to 7, characterized in that the single sign-on system comprises:
the receiving and processing module is used for receiving an API call request initiated by a current user on a service system access page and judging whether the current user logs in the service system to be accessed or not so as to carry out login confirmation;
the first authentication module, which, when it is confirmed that the current user has not logged in to the service system to be accessed, acquires a global token from the virtual authentication management system so that the virtual authentication management system performs virtual account authentication, which specifically comprises: when the virtual authentication management system returns an error code based on the acquisition request, requiring the current user to first complete login authentication of the virtual authentication management system and only then access the service system to be accessed, and, based on the error code returned for the acquisition request, automatically jumping to a virtual portal page for the current user to log in, thereby completing global authentication;
the generation storage module, which, when login to the virtual authentication management system succeeds, returns the generated global token and the service system authentication code to the virtual portal page, stores the global token in the page, and jumps in the browser to the service system access page while carrying the generated global token and the service system authentication code;
the interaction processing module automatically performs multiple rounds of interaction between the back-end service of the service system to be accessed and the back-end service of the virtual authentication management system to perform authentication code verification and generate a sub-token when the service system access page monitors that the API call initiated to the service system to be accessed carries the global token and the service system authentication code, and specifically comprises the following steps: based on a service system authentication code, executing authentication code verification, performing API request interception on a back-end service of a service system to be accessed and confirming the service system authentication code, then initiating an authentication code verification request to the back-end service of a virtual authentication management system, confirming whether the service system authentication code is legal or not by adopting configuration information of a hierarchical authority strategy through the back-end service of the virtual authentication management system, and initiating a login authentication request to the service system to be accessed when the authentication code verification is successful so as to acquire a session identifier responded by the service system to be accessed; the sub-token is generated based on the session identifier returned by the service system to be accessed, the generated sub-token is returned to the back end of the service system to be accessed, and is simultaneously sent to the service system access page, and the sub-token is stored by the service system access page;
and the access module, which is used for carrying out login authentication of the service system to be accessed so as to allow the current user to access the data resources of the service system to be accessed when the service system access page receives the API call request initiated with the sub-token.
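The back-end exchange in claims 1 to 4, as an added sketch that is not code from the patent or the applicant. The claims do not say how tokens are built or checked, so the HMAC-SHA256 signature, the single-use 60-second authentication code bound to one service, the `service_login` stand-in and every function name here are assumptions; the mapping entry is constructed sample data.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)   # assumption: signing key known only to the virtual auth back end
CODE_TTL = 60                   # assumption: authentication codes expire after 60 s

# Claim 3 key-value mapping (constructed sample): virtual account -> per-service login data.
MAPPING = {"alice": {"crm": {"login_url": "https://crm.example.internal/login",
                             "account": "crm_alice", "password": "constructed-pw"}}}
_codes = {}                     # auth code -> (virtual account, service id, expiry)

def issue_after_portal_login(virtual_account, service_id):
    """Claim 4: return a global token and a service system authentication code."""
    if service_id not in MAPPING.get(virtual_account, {}):
        raise PermissionError("no mapping for this account and service")
    code = secrets.token_urlsafe(16)
    _codes[code] = (virtual_account, service_id, time.time() + CODE_TTL)
    return secrets.token_urlsafe(32), code

def service_login(entry):
    """Stand-in (assumption) for the login request to the service system."""
    return {"session_id": secrets.token_hex(16), "response_code": 200}

def _sign(payload):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    return body.decode() + "." + hmac.new(KEY, body, hashlib.sha256).hexdigest()

def verify_code_and_mint_sub_token(code, service_id, now=None):
    """Claims 1-3: check the code against the mapping, log in, build the sub-token."""
    now = time.time() if now is None else now
    record = _codes.pop(code, None)          # single use: a replayed code is gone
    if record is None:
        raise PermissionError("unknown or already used authentication code")
    account, bound_service, expiry = record
    if bound_service != service_id or now > expiry:
        raise PermissionError("code expired or issued for another service")
    resp = service_login(MAPPING[account][service_id])
    # Claim 2: session identifier + authentication success time + response code.
    return _sign({"sid": resp["session_id"], "auth_time": int(now),
                  "code": resp["response_code"], "svc": service_id})

def check_sub_token(token, service_id):
    """Check made with the signing key on each API call that carries the sub-token."""
    body, _, mac = token.partition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                          # signature mismatch: tampered or forged
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload["svc"] == service_id else None
```
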
CN202310436590.1A 2023-04-23 2023-04-23 Single sign-on method and system based on virtual account authentication Active CN116170234B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310436590.1A CN116170234B (en) 2023-04-23 2023-04-23 Single sign-on method and system based on virtual account authentication

Publications (2)

Publication Number Publication Date
CN116170234A CN116170234A (en) 2023-05-26
CN116170234B true CN116170234B (en) 2023-07-14

Family

ID=86418575

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310436590.1A Active CN116170234B (en) 2023-04-23 2023-04-23 Single sign-on method and system based on virtual account authentication

Country Status (1)

Country Link
CN (1) CN116170234B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188295A (en) * 2011-12-28 2013-07-03 上海格尔软件股份有限公司 WEB single sign-on method completely transparent to user and application
CN109005159A (en) * 2018-07-03 2018-12-14 中国联合网络通信集团有限公司 The data processing method and certificate server of terminal access system server
CN109347864A (en) * 2018-11-22 2019-02-15 杭州迪普科技股份有限公司 Single-point logging method and device based on Virtual Private Network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7596804B2 (en) * 2002-07-02 2009-09-29 Aol Llc Seamless cross-site user authentication status detection and automatic login

Also Published As

Publication number Publication date
CN116170234A (en) 2023-05-26

Similar Documents

Publication Publication Date Title
US11736469B2 (en) Single sign-on enabled OAuth token
US10880292B2 (en) Seamless transition between WEB and API resource access
CN111556006B (en) Third-party application system login method, device, terminal and SSO service platform
US11190501B2 (en) Hybrid single sign-on for software applications and services using classic and modern identity providers
US8955037B2 (en) Access management architecture
US7571473B1 (en) Identity management system and method
US9111086B2 (en) Secure management of user rights during accessing of external systems
US9088562B2 (en) Using service request ticket for multi-factor authentication
CN112583834B (en) Method and device for single sign-on through gateway
US10826886B2 (en) Techniques for authentication using push notifications
CN111475795A (en) Method and device for unified authentication and authorization facing to multiple applications
CN113746811A (en) Login method, device, equipment and readable storage medium
US20220255914A1 (en) Identity information linking
CN110691089A (en) Authentication method applied to cloud service, computer equipment and storage medium
CN112016074A (en) Reverse authorization login method, device and medium
CN116170234B (en) Single sign-on method and system based on virtual account authentication
US10735399B2 (en) System, service providing apparatus, control method for system, and storage medium
CN110310118B (en) User information verification method, device, equipment and medium based on block chain
CN115834252B (en) Service access method and system
CN113742676B (en) Login management method, login management device, login management server, login management system and storage medium
CN113067706B (en) Service identification system and method, storage medium, and electronic device
TWI768307B (en) Open source software integration approach
US20230308432A1 (en) Authenticating and authorizing api calls with multiple factors
CN115622804A (en) Processing method of security access, security access method and computer system
CN115001808A (en) Domain user login method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant