CN117201167A - Single sign-on method, device, system, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117201167A
Authority
CN
China
Prior art keywords
application
login page
client
unified authentication
authentication system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311282688.2A
Other languages
Chinese (zh)
Inventor
雷公武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dt Dream Technology Co Ltd
Original Assignee
Hangzhou Dt Dream Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dt Dream Technology Co Ltd
Priority to CN202311282688.2A
Publication of CN117201167A
Legal status: Pending

Abstract

This specification provides a single sign-on method applied to a unified authentication system that interfaces with a plurality of application systems supporting single sign-on. The method comprises: receiving a first redirection access request sent by a client and directed to the unified authentication system, the first redirection access request being the redirection access request corresponding to an access request initiated by the client for a target application system among the plurality of application systems; and, in response to the first redirection access request, returning to the client a first URL address of an application login page corresponding to the target application system, so that the client accesses the application login page corresponding to the target application system based on the first URL address and initiates single sign-on for the plurality of application systems to the unified authentication system from that application login page. When the client accesses an application system, the user completes login on the login page corresponding to that application system, so the user sees a personalized login page and the user experience is improved.

Description

Single sign-on method, device, system, electronic equipment and storage medium
Technical Field
One or more embodiments of the present disclosure relate to the field of authentication technologies, and in particular, to a single sign-on method, apparatus, system, electronic device, and storage medium.
Background
Single Sign-on (SSO) refers to a user authenticating once and then accessing multiple interrelated systems, applications, software, or services without repeatedly entering user information. Single sign-on may be achieved through a unified authentication system: a system that centrally manages user identity authentication and authorization and grants a client access rights when it uses a plurality of application systems. In scenarios where the same user may access a plurality of application systems, single sign-on spares the user from re-entering user information in each application system, so access efficiency is improved.
When a client accesses any application system supporting single sign-on that interfaces with a unified authentication system, the user must log in on a login page, and that login page is usually the login page of the unified authentication system, so personalized login pages corresponding to the different application systems cannot be provided to users.
Disclosure of Invention
The application provides a single sign-on method applied to a unified authentication system, wherein the unified authentication system interfaces with a plurality of application systems supporting single sign-on, and the method comprises the following steps:
receiving a first redirection access request sent by a client and directed to the unified authentication system; the first redirection access request is the redirection access request corresponding to an access request initiated by the client for a target application system among the plurality of application systems;
and, in response to the first redirection access request, returning to the client a first URL address of an application login page corresponding to the target application system, so that the client accesses the application login page corresponding to the target application system based on the first URL address and initiates single sign-on for the plurality of application systems to the unified authentication system from the application login page.
The application provides a single sign-on method applied to a client, wherein the client is used to access any application system among a plurality of application systems that interface with a unified authentication system and support single sign-on, and the method comprises the following steps:
initiating a first redirection access request to the unified authentication system; the first redirection access request is the redirection access request corresponding to an access request initiated by the client for a target application system among the application systems;
and receiving a first URL address of an application login page corresponding to the target application system returned by the unified authentication system, accessing the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system from the application login page.
The application also provides a single sign-on system, comprising:
a unified authentication subsystem for receiving a first redirection access request sent by the client and directed to the unified authentication system; the first redirection access request is the redirection access request corresponding to an access request initiated by the client for a target application system among the plurality of application systems;
the unified authentication subsystem is further configured to return, to the client, a first URL address of an application login page corresponding to the target application system in response to the first redirection access request, so that the client accesses the application login page corresponding to the target application system based on the first URL address, and initiates single sign-on for the multiple application systems to the unified authentication system based on the application login page;
a client subsystem for accessing any one of a plurality of application systems supporting single sign-on that interface with the unified authentication system, and for initiating a first redirection access request to the unified authentication system; the first redirection access request is the redirection access request corresponding to an access request initiated by the client for a target application system among the application systems;
The client subsystem is further configured to receive a first URL address of an application login page corresponding to the target application system returned by the unified authentication system, access the application login page corresponding to the target application system based on the first URL address, and initiate single sign-on for the multiple application systems to the unified authentication system based on the application login page.
The application also provides a single sign-on device applied to a unified authentication system, wherein the unified authentication system interfaces with a plurality of application systems supporting single sign-on, and the device comprises:
a receiving unit for receiving a first redirection access request sent by the client and directed to the unified authentication system; the first redirection access request is the redirection access request corresponding to an access request initiated by the client for a target application system among the plurality of application systems;
and the return unit is used for responding to the first redirection access request, returning a first URL address of an application login page corresponding to the target application system to the client so that the client accesses the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
The application also provides a single sign-on device applied to a client for accessing any one of a plurality of application systems supporting single sign-on that interface with a unified authentication system, the device comprising:
a sending unit configured to initiate a first redirection access request directed to the unified authentication system; the first redirection access request is the redirection access request corresponding to an access request initiated by the client for a target application system among the application systems;
the receiving unit is used for receiving a first URL address of an application login page corresponding to the target application system returned by the unified authentication system, accessing the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
The application also provides a single sign-on system comprising a client, an application system and a unified authentication system; the unified authentication system interfaces with a plurality of application systems supporting single sign-on;
the client is used to send a first redirection access request to the unified authentication system; the first redirection access request is the redirection access request corresponding to an access request initiated by the client for a target application system among the plurality of application systems;
the unified authentication system is used for responding to the first redirection access request and returning a first URL address of an application login page corresponding to the target application system to the client;
the client is further used for accessing an application login page corresponding to the target application system based on the first URL address and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
The application also provides electronic equipment, which comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are mutually connected through the bus;
the memory stores machine readable instructions and the processor performs the method by invoking the machine readable instructions.
The present application also provides a machine-readable storage medium storing machine-readable instructions that, when invoked and executed by a processor, implement the above-described methods.
Through the above embodiments, after the unified authentication system receives the first redirection access request sent by the client and directed to the unified authentication system, it may return to the client the first URL address of the application login page corresponding to the target application system, so that the client accesses that application login page based on the first URL address and initiates single sign-on for the multiple application systems to the unified authentication system from it. Accordingly, when accessing a plurality of application systems supporting single sign-on, instead of initiating single sign-on for all of them from the same login page of the unified authentication system, the client can initiate single sign-on to the unified authentication system from the application login page belonging to each application system, thereby presenting users with the personalized login page of each application system, avoiding a uniform login page, and improving user experience.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a single sign-on system architecture according to an exemplary embodiment;
FIG. 2 is a flow chart of a single sign-on method according to an exemplary embodiment;
FIG. 3 is a schematic diagram of a registration login page shown in an exemplary embodiment;
FIG. 4 is a schematic diagram of another registration login page shown in an exemplary embodiment;
FIG. 5 is a multi-party interaction schematic of a single sign-on method shown in an exemplary embodiment;
FIG. 6 is a multi-party interaction schematic diagram of another single sign-on method shown in an exemplary embodiment;
FIG. 7 is a flow chart illustrating another single sign-on method in accordance with an exemplary embodiment;
FIG. 8 is a hardware block diagram of an electronic device in which a single sign-on device is located, as shown in an exemplary embodiment;
FIG. 9 is a block diagram of a single sign-on device shown in an exemplary embodiment;
FIG. 10 is a block diagram of another single sign-on device shown in an exemplary embodiment.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
Single Sign-on (SSO) refers to a one-time authenticated login by a user to access multiple interrelated systems, applications, software, or services without the need to repeatedly enter user information. Single sign-on is typically implemented by a unified authentication system, which is a system that centrally manages user identity authentication and authorization. The unified authentication system stores credentials and provides a unified identity authentication interface that verifies the identity of the client, granting the client access rights when using multiple application systems by assigning unique identity tokens to the client. The single sign-on can improve the operation convenience and the working efficiency of the user corresponding to the client when accessing a plurality of application systems, and simultaneously lighten the management burden of the application systems.
When a client accesses any application system supporting single sign-on that interfaces with a unified authentication system, the user must log in on a login page, and that login page is usually the login page of the unified authentication system. Once login to any one of the application systems supporting single sign-on is complete, the client can access the other application systems supporting single sign-on without entering user information for each of them.
It can be seen that in the embodiments shown above, the login page of the application system supporting single sign-on typically uses the login page of the unified authentication system, and it is not possible to provide the user with a personalized login page corresponding to a different application system.
In view of this, the present disclosure proposes a single sign-on method, that is, a technical scheme in which, when a client accesses an application system supporting single sign-on, the client does not complete single sign-on on the login page of the unified authentication system, but instead accesses the application login page corresponding to the target application system and completes single sign-on on that page.
In this specification, so that the client sees a personalized interface corresponding to the application system when accessing it and user experience is improved, the target application system that the user wants to use is configured not to jump to the login page of the unified authentication system when accessed through the client; instead, the client accesses the application login page corresponding to the target application system and initiates single sign-on for the plurality of application systems to the unified authentication system from that application login page.
Based on the technical concept, the present disclosure proposes a single sign-on method applied to a unified authentication system, where the unified authentication system interfaces with a plurality of application systems supporting single sign-on, the method includes:
receiving a first redirection access request aiming at the unified authentication system and sent by a client; the first redirection access request is a redirection access request corresponding to an access request initiated by the client for a target application system of the plurality of application systems;
and responding to the first redirection access request, returning a first URL address of an application login page corresponding to the target application system to the client so that the client accesses the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
For example, referring to fig. 1, fig. 1 is a schematic diagram of a single sign-on system architecture according to an exemplary embodiment. The system architecture comprises: a client 101, a target application system 102, a unified authentication system 103. When the client 101 accesses the target application system 102 supporting the single sign-on function, the target application system 102 does not jump to a login page of the unified authentication system 103, but returns an instruction redirected to the unified authentication system 103 to the client 101, and after receiving an access request of the client 101, the unified authentication system 103 returns a first URL address of an application login page corresponding to the target application system 102 to the client 101, so that the client 101 accesses the application login page corresponding to the target application system 102 based on the first URL address, and initiates single sign-on for the multiple application systems to the unified authentication system based on the application login page.
An application system supporting single sign-on refers to an application system that interfaces with the single sign-on system.
Therefore, in the technical scheme in the specification, after the unified authentication system receives the first redirection access request sent by the client for the unified authentication system, the first URL address of the application login page corresponding to the target application system may be returned to the client, so that the client accesses the application login page corresponding to the target application system based on the first URL address, and initiates single sign-on for the multiple application systems for the unified authentication system based on the application login page. Accordingly, when accessing a plurality of application systems supporting single sign-on, compared with the case that a client initiates single sign-on for the plurality of application systems based on the same login page of a unified authentication system, the client can initiate single sign-on for the plurality of application systems for the unified authentication system based on the application login pages respectively corresponding to the application systems, thereby providing personalized login pages of the application systems for users, avoiding singleness of the login pages and improving user experience.
The present application is described below with reference to specific embodiments and specific application scenarios.
Referring to fig. 2, fig. 2 is a flow chart illustrating a single sign-on method according to an exemplary embodiment. The method can be applied to a unified authentication system that interfaces with a plurality of application systems supporting single sign-on, and the method can execute the following steps:
step 202: receiving a first redirection access request sent by a client and directed to the unified authentication system; the first redirection access request is the redirection access request corresponding to an access request initiated by the client for a target application system among the plurality of application systems.
For example, as shown in fig. 1, after receiving an access request of the client 101, the target application system 102 returns a message redirected to the unified authentication system 103 to the client 101, so that the client 101 sends the redirected access request to the unified authentication system 103. The unified authentication system 103 receives a redirected access request sent by the client 101 for the unified authentication system 103, where the redirected access request is a redirected access request corresponding to an access request initiated by the client 101 for a target application system 102 in the plurality of application systems.
The client may be any device or application program in any form, such as a browser, a mobile phone or a computer, that can access an application system supporting single sign-on. An application system refers to a software system designed and developed for a particular field, industry, or task that clients can access and use. The target application system is the application system that the client wants to access. The unified authentication system is a system for centralized management and provision of identity authentication services; it provides a unified identity authentication and authorization mechanism so that a user can access a plurality of application systems after logging in only once. The specific form of the client, the specific type of the application system, and the application type of the unified authentication system are not limited in this specification.
Step 204: and responding to the first redirection access request, returning a first URL address of an application login page corresponding to the target application system to the client so that the client accesses the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
For example, as shown in fig. 1, the client 101 redirects authentication information to the unified authentication system 103. The unified authentication system 103 returns a first URL address of an application login page corresponding to the target application system 102 to the client 101 in response to the redirected access request of the client 101, so that the client 101 accesses the application login page corresponding to the target application system 102 based on the first URL address, and initiates single sign-on for a plurality of application systems to the unified authentication system 103 based on the application login page.
The application login page is the interface on which user information is entered to verify identity when the client accesses the application system. When a client opens an application that requires login, the user is typically presented with a login page first. A redirection access request refers to forwarding a user's request from one URL address to another URL address in a web application: when the client sends an access request to a server, the server may process the request according to specific conditions or rules and return a redirect response telling the client to send the request to the new URL address. A URL address is an address used to identify and locate a resource on the internet.
Embodiment one: in order to provide a personalized login page for a client when accessing an application system supporting a single sign-on function and performing the single sign-on function, a corresponding login page needs to be additionally registered for each application system, so that the client accesses the login page corresponding to each application system when performing single sign-on for each application system.
In one embodiment shown, the plurality of application systems each register a first application login page on the unified authentication system; the application login page corresponding to the target application system is a first application login page registered by the target application system on the unified authentication system.
For example, referring to fig. 3, fig. 3 is a schematic diagram of a registration login page according to an exemplary embodiment. As shown in fig. 3, outside the login page 31 of the unified authentication system, the login page 32 is additionally developed for the application system 1, and the login page 33 is additionally developed for the application system 2. The login page 31, the login page 32 and the login page 33 of the unified authentication system all interact with the unique back-end service 34.
The first application login page is the application login page registered for each application system in the unified authentication system. Additionally developing a login page for each application system requires additionally developing a login page service for each application system; each login page service contains the static resources of the additionally developed login page and a proxy server, and the proxy server forwards the static resources to the back-end service. Single sign-on can be applied to various application systems, mainly those requiring user identity authentication and authorization for access. Depending on its type, an application system supporting single sign-on may be an enterprise-level application system, a Web application system, a mobile application system, a cloud computing application system, an industry-specific application system, or the like. The login page of the application system may be displayed during single sign-on in various ways, such as a pop-up new window, an embedded page, or a floating window; the specific type of the application system and the display mode of its login page during single sign-on are not limited in this specification.
In one embodiment, to avoid a uniform login page, a personalized login page corresponding to each of the different application systems may be developed, and returning to the client the first URL address of the application login page corresponding to the target application system includes:
searching the first application login page registered by the target application system on the unified authentication system, and returning the first URL address of the searched first application login page to the client.
For example, as shown in fig. 1, the unified authentication system 103 searches for the first URL address of the application login page corresponding to the target application system 102 according to the authentication information, and returns the first URL address of the application login page corresponding to the target application system 102 to the client 101.
Wherein the authentication information includes at least one of: application identification of the target application system, and URL address of the target application system. The application identification of the target application system is used to indicate the identity of the target application system. The URL address of the target application system is used to indicate the access address of the target application system.
In one embodiment, in order to facilitate the unified authentication system to find a login page corresponding to an application system, the plurality of application systems respectively register front-end services for maintaining first application login pages corresponding to the plurality of application systems on the unified authentication system; the unified authentication system maintains the mapping relation between the URL addresses of the front-end services registered by the plurality of application systems on the unified authentication system and the application identifiers of the plurality of application systems; the first redirection access request carries an application identifier of the target application system;
The responding to the first redirection access request returns a first URL address of an application login page corresponding to the target application system to the client, and the method comprises the following steps:
responding to the first redirection access request, and searching a URL address of a front-end service mapped by the application identifier of the target application system according to the application identifier of the target application system carried by the first redirection access request;
and returning the searched URL address of the front-end service to the client as the first URL address.
For example, as shown in fig. 1, in response to a redirection access request (i.e., a first redirection access request) that carries authentication information (i.e., an application identifier of a target application system) sent by a client 101, the unified authentication system 103 searches, according to an application identifier of the target application system 102 carried by the first redirection access request, a URL address of a front-end service mapped by the application identifier of the target application system 102; and returns the found URL address of the front-end service to the client 101 as the first URL address of the application login page corresponding to the target application system 102.
The unified authentication system adopts a CS architecture and comprises a front-end service and a back-end service. The unified authentication system may use a configuration file (e.g., JSON or XML) to save the mapping between the URL address of each application system and its application identifier; each application system is configured with a unique application identifier and a corresponding front-end service URL address. Alternatively, the unified authentication system may store application registration information in a database, with a table that maps application identifiers to URL addresses; when a request is received, the unified authentication system queries the database to obtain the corresponding URL address. To increase access speed, the unified authentication system may additionally cache the registration information of the application systems: when a request is received, it first checks the cache for the URL address and, if the address is not present in the cache, obtains it from the configuration file or database and updates the cache. The present specification does not limit the method by which the unified authentication system stores the mapping relation.
In the illustrated embodiment, so that modifying the back-end service of the unified authentication system does not affect the functions of the back-end services behind the login page services, an additional service is introduced to decouple the different back-end services; thus each login page service corresponds to its own back-end service.
For example, referring to fig. 4, fig. 4 is a schematic diagram of another registration login page shown in an exemplary embodiment. As shown in fig. 4, the login page 31, the login page 32, and the login page 33 of the unified authentication system belong to the front end. In addition to the login page of the unified authentication system, the application system 1 additionally develops a back-end service 41 corresponding to the login page 32, and the application system 2 additionally develops a back-end service 42 corresponding to the login page 33. The back-end service 43 of the unified authentication system stores user information such as user names and passwords, and information on whether or not an application system is registered. The back-end service 43 of the unified authentication system stores user information such as user names and passwords registered and deregistered by the application system 1 and the application system 2, and the back-end service 41 stores user information such as user names and passwords registered and deregistered by the application system 2. The back-end service 41 and the back-end service 42 exchange data with the back-end service 43 of the unified authentication system, and can perform tasks such as storing user information, calling the back-end service for verification, and notifying the back-end service 43 of the unified authentication system of an address.
Here, the front end is the presentation layer of the user interface, and the back end is the layer that handles business logic and data storage. The front end is the part that the user interacts with directly in a browser or on a mobile device; front-end development includes creating user interfaces, displaying data, and interacting with users. The back end is the part of the application program that is responsible for business logic and data storage; back-end development typically involves writing server-side code and handling data requests and responses. Front-end and back-end interaction is the exchange of data and information between the two: the front end sends a request to the back end, and the back end processes the request, generates the corresponding response data, and returns it to the front end.
In one embodiment, to enhance the security of the user token acquisition mode, the unified authentication system maintains a temporary authorization code generation system, wherein the temporary authorization code is an intermediate credential for acquiring the user token; the method further comprises the steps of:
receiving user information sent by the application login page corresponding to the target application system, and checking the user information, where the client receives user information input by the user and sends it to the application login page corresponding to the target application system;
if the user information passes the verification, generating a temporary authorization code and returning the generated temporary authorization code to the client; and
receiving a user token request instruction carrying the temporary authorization code sent by the client; and acquiring the user token according to the temporary authorization code, and returning the user token to the client.
For example, as shown in fig. 1, the unified authentication system 103 receives user information sent by a front-end page service (i.e., an application login page corresponding to a target application system) and verifies the received user information, and if the user information passes the verification, the unified authentication system 103 generates a temporary authorization code and returns the URL address of the target application system 102 to the front-end page service. The client 101 accesses the target application system 102 with the temporary authorization code, so that the target application system 102 sends a message for acquiring the user token to the unified authentication system 103 with the temporary authorization code. The unified authentication system 103 returns the user token to the target application system 102 based on the received temporary authorization code to cause the target application system 102 to receive the token and return the token to the client 101.
Checking the user information means examining and verifying the received user information to ensure that it is legitimate and valid. The temporary authorization code is an intermediate credential generated in the process of obtaining the user token; it is temporary and valid for a single use, links the user information check to the acquisition of the user token, and enhances the security of the way the user token is obtained. The user token, also called a login token (Token), comprises a user account name and a password. The Token is generated at the server side as follows: the user registers on the application page, the application page requests authentication from the server with the registered user information, and after the authentication succeeds the server returns the Token to the application page. When the client makes a service request to the server, the application page carries the Token in order to obtain the service.
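The following is an added illustration of the flow just described (user information check, single-use temporary authorization code, exchange of the code for a user token); it is example code written for this page, not code from the patent or from its applicant. The class and method names, the PBKDF2 password storage, the 60-second code lifetime and the binding of a code to the application identifier it was issued for are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 60.0   # assumed lifetime of a temporary authorization code


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored user information is not a reversible secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UnifiedAuthSystem:
    """Hypothetical unified authentication system (UAS)."""

    def __init__(self, now: Callable[[], float]):
        self._now = now                                        # injectable clock
        self._users: Dict[str, Tuple[bytes, bytes]] = {}       # username -> (salt, hash)
        self._codes: Dict[str, Tuple[str, str, float]] = {}    # code -> (user, app_id, expires_at)
        self._tokens: Dict[str, str] = {}                      # token -> username

    def register_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def check_user_info(self, username: str, password: str) -> bool:
        """The 'login interface': verify the submitted user information."""
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so response time does not reveal whether the user exists.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, app_id: str, username: str, password: str) -> Optional[str]:
        """User information arrives from the application login page; on success
        a temporary authorization code is minted for the client."""
        if not self.check_user_info(username, password):
            return None
        code = secrets.token_urlsafe(32)
        self._codes[code] = (username, app_id, self._now() + CODE_TTL_SECONDS)
        return code

    def exchange_code(self, app_id: str, code: str) -> Optional[str]:
        """A user token request carrying the code arrives. The code is removed
        on first presentation, must not have expired, and must be presented by
        the application system it was issued for; otherwise no token is issued."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        username, issued_for, expires_at = entry
        if self._now() > expires_at or issued_for != app_id:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        return token

    def user_for_token(self, token: str) -> Optional[str]:
        return self._tokens.get(token)


if __name__ == "__main__":
    clock = [1000.0]
    uas = UnifiedAuthSystem(now=lambda: clock[0])
    uas.register_user("alice", "correct horse")          # constructed sample user
    code = uas.login("app-hr", "alice", "correct horse")
    token = uas.exchange_code("app-hr", code)
    print("user for token:", uas.user_for_token(token))
    print("second exchange of same code:", uas.exchange_code("app-hr", code))
```

The code is deleted from the store before any other check runs, so a replayed code fails even if the first presentation was rejected; the test below walks through a wrong password, an unknown user, a code presented by the wrong application, a replay and an expired code.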
After receiving the user information, the front-end page service cannot identify whether the user information is registered or not, and needs to rely on a unified authentication system to check whether the user information is registered or not.
In one embodiment shown, to assist the front-end page service in verifying whether the received user information is registered, the unified authentication system maintains a login interface for verifying the user information;
the receiving the user information sent by the application login page corresponding to the target application system and verifying the user information comprises the following steps:
receiving user information sent by the application login page corresponding to the target application system together with a login interface call request for that user information, where the login interface call request is sent by the application login page corresponding to the target application system after it has acquired the user information; and
and calling the login interface to check whether the user information is correct.
For example, as shown in fig. 1, the unified authentication system 103 receives user information sent by a front-end page service (i.e., an application login page corresponding to a target application system) and a login interface call request based on the user information, where the login interface call request is sent after the application login page corresponding to the target application system 102 obtains the user information. The unified authentication system 103 invokes a login interface to verify the received user information.
Here, calling an interface refers to the process by which a program, using a specific syntax and parameters, sends a request to another software component or system in order to obtain the required data or perform the related operation. The user information may be a user name and password, a mobile phone number and password, a mailbox address and password, and so on; the specific form of the user information is not limited in this specification.
When the front-end service is not available, the client needs to be ensured to log in on a login page of the original unified authentication system when accessing an application system supporting the single sign-on function.
In one embodiment, in order to ensure that a client can log in on a login page of an original unified authentication system when accessing an application system supporting a single sign-on function when a front-end service is not available, the unified authentication system maintains a check interface for detecting whether the front-end service is available; before returning the first URL address of the application login page corresponding to the target application system to the client, the method further includes:
invoking the checking interface to detect whether front-end service for maintaining an application login page corresponding to the target application system is available;
And if the front-end service for maintaining the application login page corresponding to the target application system is unavailable, returning a second URL address of the application login page corresponding to the unified authentication system to the client so that the client accesses the authentication login page corresponding to the unified authentication system based on the second URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system according to the authentication login page.
For example, as shown in fig. 1, the unified authentication system 103 searches for the first URL address of the corresponding application login page according to the authentication information; if the corresponding application login page is found to be unavailable, it returns the second URL address of the application login page corresponding to the unified authentication system 103 to the client 101, so that the client 101 accesses the authentication login page corresponding to the unified authentication system 103 based on the second URL address, and initiates single sign-on for the plurality of application systems to the unified authentication system 103 through that authentication login page.
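The following added example covers two of the mechanisms described above: the cache-first lookup of the registered front-end service URL by application identifier (configuration file or database behind a cache), and the check interface that, when the front-end service is unavailable, falls back to the unified authentication system's own login page (the second URL address). It is example code written for this page, not the patent's or the applicant's code; the class and function names, the JSON sample configuration, the 60-second cache lifetime and the probe stub are assumptions.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Constructed sample configuration file (JSON): application identifier ->
# URL address of the front-end service that application registered on the UAS.
CONFIG_JSON = json.dumps({
    "app-hr": "https://hr.example.test/login-page",
    "app-crm": "https://crm.example.test/login-page",
})

# The unified authentication system's own login page (the "second URL address").
UNIFIED_LOGIN_URL = "https://sso.example.test/login"


class UnifiedAuthSystem:
    """Hypothetical UAS: resolves which login page a client is redirected to."""

    def __init__(self, config_json: str, probe: Callable[[str], bool],
                 now: Callable[[], float], ttl: float = 60.0):
        self._store: Dict[str, str] = json.loads(config_json)  # config file or database
        self._cache: Dict[str, Tuple[str, float]] = {}          # app_id -> (url, expires_at)
        self._probe = probe     # "check interface": True when the front-end service answers
        self._now = now         # injectable clock
        self._ttl = ttl
        self.store_reads = 0    # counts lookups that missed the cache

    def front_end_url(self, app_id: str) -> Optional[str]:
        """Cache-first lookup of the registered front-end service URL."""
        hit = self._cache.get(app_id)
        if hit is not None and hit[1] > self._now():
            return hit[0]
        self.store_reads += 1
        url = self._store.get(app_id)
        if url is not None:
            self._cache[app_id] = (url, self._now() + self._ttl)
        return url

    def resolve_login_page(self, app_id: str) -> Dict[str, str]:
        """Handle the first redirection access request carrying `app_id`.

        Only a URL the application registered beforehand is ever returned, so
        the identifier in the request cannot steer the client to an arbitrary
        address. With no registered front-end service, or when the check
        interface reports it unavailable, the UAS's own login page is returned.
        """
        url = self.front_end_url(app_id)
        if url is None:
            return {"url": UNIFIED_LOGIN_URL, "source": "unified", "reason": "unregistered"}
        if not self._probe(url):
            return {"url": UNIFIED_LOGIN_URL, "source": "unified",
                    "reason": "front-end unavailable"}
        return {"url": url, "source": "application", "reason": "ok"}


# Constructed check-interface stub: the HR front-end answers, the CRM one is down.
AVAILABLE = {
    "https://hr.example.test/login-page": True,
    "https://crm.example.test/login-page": False,
}


def demo_probe(url: str) -> bool:
    return AVAILABLE.get(url, False)


if __name__ == "__main__":
    clock = [0.0]
    uas = UnifiedAuthSystem(CONFIG_JSON, demo_probe, now=lambda: clock[0])
    for app in ("app-hr", "app-crm", "app-unknown"):
        print(app, uas.resolve_login_page(app))
```

The probe is injected so that a real deployment can replace the stub with an HTTP health check without touching the lookup logic; the `store_reads` counter exists only to make the cache behaviour observable.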
In one embodiment shown, the front-end service is a service developed in a micro-service architecture mode for flexible adjustment of the front-end service architecture on demand.
To assist those skilled in the art in better understanding the first embodiment, the first embodiment is described below with reference to fig. 5.
Referring to fig. 5, fig. 5 is a schematic diagram illustrating a multi-party interaction of a single sign-on method according to an exemplary embodiment. As shown in fig. 5, in step 503, the unified authentication system receives a first redirected access request sent by the client for the unified authentication system, where the request is a redirected access request corresponding to the access request initiated by the client for the target application system in the plurality of application systems in step 501. In response to the first redirection access request, the unified authentication system returns a first URL address of an application login page corresponding to the target application system to the client in step 505, so that the client performs single sign-on based on the first URL address.
Wherein, the first URL address returned by the unified authentication system is obtained by the unified authentication system searching the first application login page registered by the target application system on the unified authentication system in step 504. If, in step 504, the unified authentication system finds that the first application login page registered by the target application system on the unified authentication system is not available, then, in step 505, the second URL address of the application login page corresponding to the unified authentication system is returned to the client as the first URL address.
In step 509, the unified authentication system receives the user information and the login interface call request sent by the front-end page service, where the user information is obtained by receiving, by the client, the user information input by the user and sending the user information to the front-end page service in step 508. In step 510, the unified authentication system verifies the user information and after the verification is passed, returns a temporary authorization code to the front-end page service in step 511 to cause the front-end page service to send the temporary authorization code to the client.
In step 514, the unified authentication system receives a user token request instruction carrying a temporary authorization code sent by the target application system. The temporary authorization code of the target application system is obtained in step 513 by the target application system receiving an access request carrying the temporary authorization code sent by the client.
The unified authentication system returns the user token acquired from the received temporary authorization code to the target application system in step 515, and the target application system returns the user token to the client in step 516.
Embodiment two: in addition to the above embodiment of providing the personalized page corresponding to the application system when the client accesses the application system supporting the single sign-on function, in order to make the style transition of the login page natural, when the client accesses the application system supporting the single sign-on function, the login page of the application system itself may be provided for single sign-on use.
In one embodiment shown, in order to implement single sign-on the login page of the application system itself, the application login page corresponding to the target application system is a second application login page of the target application system; the first redirection access request carries authentication information of the target application system;
the returning, to the client, the first URL address of the application login page corresponding to the target application system includes:
authenticating the authentication information of the target application system to obtain an authentication result of the target application system;
and determining the first URL address as the URL address of a second application login page of the target application system, and returning the first URL address and an authentication result of the target application system to the client.
For example, as shown in fig. 1, the unified authentication system 103 receives a first redirected access request sent by the client 101 that carries the authentication information of the target application system 102, takes the URL address of the second application login page of the target application system 102 as the first URL address, and returns that first URL address together with the authentication result of the unified authentication system 103 for the target application system 102 to the client 101.
The second application login page is an application login page configured in each application system, namely an original application login page of each application system in the related art. The authentication result of the unified authentication system aiming at the target application system is an application identifier obtained after the unified authentication system authenticates the authentication information of the target application system.
In order to verify whether the user information received by the client is registered or not and enhance the security of the process of acquiring the registered user information by the client, it is necessary to verify the user information received by the client by a unified authentication system and generate a temporary authorization code for exchanging the user information after the verification is passed.
In one embodiment, after returning the first URL address and the authentication result of the target application system to the client, in order to verify whether the user information received by the client is registered and enhance the security of the registered user information, the method further includes:
receiving user information sent by the target application system, and checking the user information; the user information sent by the target application system is the user information sent by the client to the target application system;
If the user information passes the verification, returning a verification result of the user information to the target application system so that the target application system generates a temporary authorization code for exchanging the user information and returns the temporary authorization code to the client;
and receiving a temporary authorization code sent by the client, exchanging the user information from the target application system according to the temporary authorization code, authenticating based on the user information, and returning an authentication result to the client so that the client accesses the target application system based on the authentication result.
For example, as shown in FIG. 1, client 101 sends user information to target application system 102. The unified authentication system 103 receives the user information sent by the target application system 102 and verifies the user information. The user information is obtained by inputting information by a user on an application login page corresponding to the target application system 102 displayed on the client 101, and the client 101 may send the obtained user information to the target application system 102. If the user information passes the verification, the unified authentication system 103 transmits a verification success result to the target application system 102, and the target application system 102 generates a temporary authorization code for exchanging the user information and returns the temporary authorization code to the client 101. The unified authentication system 103 receives the temporary authorization code sent by the client 101, acquires user information according to the temporary authorization code, and returns the user information to the client 101.
In the present specification, the process of obtaining the user information according to the temporary authorization code may directly obtain the user information according to the temporary authorization code, or may obtain the user token according to the temporary authorization code, and then obtain the user information according to the user token. The manner of acquiring the user information is not limited in this specification.
In one embodiment, in order for the unified authentication system to obtain the user information according to the temporary authorization code, the receiving the temporary authorization code sent by the client and exchanging the user information from the target application system according to the temporary authorization code includes:
receiving a second redirection access request which is sent by the client and aims at the unified authentication system; the second redirected access request carries the temporary authorization code;
responding to the second redirection access request, and sending a user information request instruction carrying the temporary authorization code to the target application system so as to enable the target application system to return the user information based on the temporary authorization code;
and receiving the user information sent by the target application system.
For example, as shown in fig. 1, the unified authentication system 103 receives a redirected access request (i.e., a second redirected access request) for the unified authentication system 103, which is sent by the client 101 and carries a temporary authorization code, and the unified authentication system 103 sends an instruction for acquiring user information according to the temporary authorization code to the target application system 102, and receives the user information sent by the target application system 102.
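The following added example plays out the second embodiment's exchange end to end with both sides' messages: the client submits user information to the target application system's own login page, the application system asks the unified authentication system to verify it and then mints the temporary authorization code itself, the client's second redirection access request carries that code to the unified authentication system, and the unified authentication system pulls the user information back from the application system with the code before authenticating. This is example code written for this page, not the patent's or the applicant's; the class names, the message log, the 60-second code lifetime and the stub credential check are assumptions.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 60.0   # assumed lifetime of a temporary authorization code


class TargetApplicationSystem:
    """Hypothetical application system with its own login page (embodiment two)."""

    def __init__(self, app_id: str, now: Callable[[], float], log: List[str]):
        self.app_id = app_id
        self._now = now
        self._log = log
        self._pending: Dict[str, Tuple[dict, float]] = {}   # code -> (user info, expires_at)
        self.uas: Optional["UnifiedAuthSystem"] = None

    def receive_user_info(self, username: str, password: str) -> Optional[str]:
        """Client submits user information; the UAS verifies it, then a code is minted."""
        assert self.uas is not None, "application must be registered with a UAS"
        self._log.append("client -> app: user info")
        self._log.append("app -> uas: verify user info")
        if not self.uas.verify_user_info(self.app_id, username, password):
            self._log.append("uas -> app: verification failed")
            return None
        self._log.append("uas -> app: verification passed")
        code = secrets.token_urlsafe(32)
        # Keep only what the UAS will later need; the password is never stored with the code.
        self._pending[code] = ({"username": username}, self._now() + CODE_TTL_SECONDS)
        self._log.append("app -> client: temporary authorization code")
        return code

    def user_info_for_code(self, code: str) -> Optional[dict]:
        """Answer the UAS's user information request; the code is single-use."""
        self._log.append("uas -> app: user info request with code")
        entry = self._pending.pop(code, None)
        if entry is None or self._now() > entry[1]:
            self._log.append("app -> uas: no user info (invalid or expired code)")
            return None
        self._log.append("app -> uas: user info")
        return entry[0]


class UnifiedAuthSystem:
    """Hypothetical UAS: verifies user information for registered applications
    and handles the second redirection access request."""

    def __init__(self, verifier: Callable[[str, str], bool],
                 now: Callable[[], float], log: List[str]):
        self._verifier = verifier   # constructed stand-in for the UAS user store
        self._now = now
        self._log = log
        self._apps: Dict[str, TargetApplicationSystem] = {}
        self._sessions: Dict[str, str] = {}

    def register_app(self, app: TargetApplicationSystem) -> None:
        self._apps[app.app_id] = app
        app.uas = self

    def verify_user_info(self, app_id: str, username: str, password: str) -> bool:
        # Only applications registered with the UAS may ask it to verify credentials.
        return app_id in self._apps and self._verifier(username, password)

    def second_redirect(self, app_id: str, code: str) -> dict:
        """Second redirection access request from the client, carrying the code."""
        self._log.append("client -> uas: second redirection with code")
        app = self._apps.get(app_id)
        if app is None:
            return {"authenticated": False, "reason": "unknown application"}
        info = app.user_info_for_code(code)
        if info is None:
            self._log.append("uas -> client: authentication failed")
            return {"authenticated": False, "reason": "invalid or expired code"}
        session = secrets.token_urlsafe(16)
        self._sessions[session] = info["username"]
        self._log.append("uas -> client: authentication result")
        return {"authenticated": True, "user": info["username"], "session": session}


def demo_verifier(username: str, password: str) -> bool:
    # Constructed credential check; a real UAS consults its user store.
    return (username, password) == ("alice", "correct horse")


def run_flow(username: str, password: str, now: Callable[[], float] = lambda: 0.0):
    """Drive the whole exchange; also replays the code once to show it is single-use."""
    log: List[str] = []
    uas = UnifiedAuthSystem(demo_verifier, now, log)
    app = TargetApplicationSystem("app-hr", now, log)
    uas.register_app(app)
    code = app.receive_user_info(username, password)
    if code is None:
        return {"authenticated": False, "reason": "user information rejected"}, log, None
    first = uas.second_redirect("app-hr", code)
    replay = uas.second_redirect("app-hr", code)
    return first, log, replay


if __name__ == "__main__":
    result, log, replay = run_flow("alice", "correct horse")
    print("\n".join(log))
    print(result, replay)
```

The message log is the point of the example: it shows that the password travels only from the client to the application system and from there to the unified authentication system for verification, while the code that later crosses the client carries no credential and can be redeemed exactly once.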
To assist those skilled in the art in better understanding the second embodiment, the second embodiment is described below with reference to fig. 6.
Referring to fig. 6, fig. 6 is a schematic diagram of multi-party interactions of another single sign-on method according to an exemplary embodiment. As shown in fig. 6, in step 603, the unified authentication system receives a first redirected access request sent by the client for the unified authentication system, where the request is a redirected access request corresponding to the access request initiated by the client for the target application system in the plurality of application systems in step 601. In response to the first redirection access request, the unified authentication system returns a first URL address of an application login page corresponding to the target application system to the client in step 605, so that the client performs single sign-on based on the first URL address.
In step 604, the unified authentication system determines the first URL address to be the URL address of the second application login page of the target application system, and authenticates the authentication information carried by the first redirected access request of step 603 to obtain an authentication result for the target application system. In step 605, the unified authentication system returns the first URL address to the client and also returns the authentication result to the target application system.
In step 605, the unified authentication system receives user information sent by the target application system, where the user information is obtained by the client receiving the information input by the user on the user page in step 604. In step 606, the unified authentication system verifies the user information, and after the verification is passed returns a verification result to the target application system in step 607, so that the target application system generates a temporary authorization code in step 608 and returns it to the client in step 609.
The unified authentication system receives the temporary authorization code transmitted from the client in step 610, and transmits a message for acquiring user information according to the temporary authorization code to the target application system in step 611. In step 612, the unified authentication system obtains the user information returned by the target application system, and performs authentication based on the user information. In step 614, the unified authentication system returns an authentication result to the client so that the client accesses the target application system based on the authentication result in step 615.
Referring to fig. 7, fig. 7 is a flow chart illustrating another single sign-on method according to an exemplary embodiment. The method can be applied to a client for accessing any application system of a plurality of application systems supporting single sign-on that are interfaced with a unified authentication system. The method may perform the steps of:
Step 702: initiating a first redirected access request to the unified authentication system; the first redirection access request is a redirection access request corresponding to an access request initiated by the client and aiming at a target application system in the application systems.
Step 704: and receiving a first URL address of an application login page corresponding to the target application system returned by the unified authentication system, accessing the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
In this specification, the specific implementation of steps 702-704 is similar to that of steps 202-204, and will not be repeated here.
In the above embodiment, when the user accesses the target application system to be used through the client, the target application system is set not to jump to the login page of the unified authentication system, but the client accesses the application login page corresponding to the target application system, and single sign-on for a plurality of application systems is initiated to the unified authentication system based on the application login page, so that the user can see the personalized interface corresponding to the application system, and the user experience is improved.
In one embodiment shown, the plurality of application systems each register a first application login page on the unified authentication system; the application login page corresponding to the target application system is a first application login page registered by the target application system on the unified authentication system.
In one embodiment, the receiving the first URL address of the application login page corresponding to the target application system returned by the unified authentication system includes:
receiving a first URL address of the first application login page returned by the unified authentication system; the first URL address of the first application login page is obtained by searching the first application login page registered by the target application system on the unified authentication system for the unified authentication system.
In one embodiment shown, the plurality of application systems respectively register front-end services for maintaining first application login pages corresponding to the plurality of application systems on the unified authentication system; the unified authentication system maintains the mapping relation between the URL addresses of the front-end services registered by the plurality of application systems on the unified authentication system and the application identifiers of the plurality of application systems; the first redirection access request carries an application identifier of the target application system;
The receiving the first URL address of the application login page corresponding to the target application system returned by the unified authentication system includes:
receiving the URL address of the front-end service searched for and returned by the unified authentication system, where the unified authentication system searches for the URL address of the front-end service mapped to the application identifier of the target application system according to the application identifier carried by the first redirection access request, and uses that URL address of the front-end service as the first URL address.
In one embodiment shown, the unified authentication system maintains a temporary authorization code generation system, the temporary authorization code being an intermediate credential for obtaining a user token; the method further comprises the steps of:
receiving user information input by the user and sending the user information to the application login page corresponding to the target application system, so that the application login page corresponding to the target application system sends the user information to the unified authentication system and the unified authentication system checks the user information;
if the user information passes the verification, receiving the temporary authorization code returned by the unified authentication system; the temporary authorization code is generated by the unified authentication system after the user information passes the verification;
And sending a user token request instruction carrying the temporary authorization code to the unified authentication system, and receiving the user token returned by the unified authentication system.
After receiving the user information, the front-end page service cannot identify whether the user information is registered or not, and needs to rely on a unified authentication system to check whether the user information is registered or not.
In one embodiment shown, the unified authentication system maintains a login interface for verifying user information;
and sending the user information to the unified authentication system by using an application login page corresponding to the target application system so that the unified authentication system can verify the user information, wherein the method comprises the following steps:
and enabling an application login page corresponding to the target application system to send the user information and a login interface calling request aiming at the user information to the unified authentication system, so that the unified authentication system calls the login interface and checks whether the user information is correct or not.
In one embodiment shown, the unified authentication system maintains a check interface that detects whether the front-end service is available; before receiving the first URL address of the application login page corresponding to the target application system returned by the unified authentication system, the method further includes:
receiving a second URL address of the application login page corresponding to the unified authentication system returned by the unified authentication system; the second URL address of the application login page corresponding to the unified authentication system is returned when the unified authentication system calls the check interface and finds that the front-end service maintaining the application login page corresponding to the target application system is unavailable; and
accessing an authentication login page corresponding to the unified authentication system based on the second URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system according to the authentication login page.
In one embodiment shown, the front-end service is a service developed using a micro-service architecture model.
In addition to the above embodiment of providing the personalized page corresponding to the application system when the client accesses the application system supporting the single sign-on function, in order to make the style transition of the login page natural, when the client accesses the application system supporting the single sign-on function, the login page of the application system itself may be provided for single sign-on use.
In one embodiment shown, the application login page corresponding to the target application system is a second application login page of the target application system; the first redirection access request carries authentication information of the target application system;
The receiving the first URL address of the application login page corresponding to the target application system returned by the unified authentication system includes:
receiving a URL address of a second application login page of the target application system returned by the unified authentication system and an authentication result of the unified authentication system for the target application system;
the first URL address is the URL address of the second application login page of the target application system; and the authentication result of the unified authentication system for the target application system is obtained by the unified authentication system authenticating the authentication information of the target application system.
In one embodiment, the method further comprises, after receiving the URL address of the second application login page of the target application system returned by the unified authentication system and the authentication result of the unified authentication system for the target application system, the steps of:
receiving user information input by the user and sending the user information to the target application system, so that the target application system sends the user information to the unified authentication system, and the unified authentication system verifies the user information;
if the user information passes the verification, receiving a temporary authorization code returned by the target application system; the temporary authorization code is generated by the target application system after the user information passes the verification and is used for exchanging the user information;
and sending the temporary authorization code to the unified authentication system, and receiving the user information returned by the unified authentication system according to the temporary authorization code.
In one embodiment, the sending the temporary authorization code to the unified authentication system, receiving the user information returned by the unified authentication system according to the temporary authorization code, includes:
sending a second redirection access request carrying a temporary authorization code to the unified authentication system so that the unified authentication system sends a user information request instruction carrying the temporary authorization code to the target application system and receives the user information returned by the target application system according to the temporary authorization code;
and receiving the user information sent by the unified authentication system.
Corresponding to the embodiment of the single sign-on method described above, the present disclosure also provides an embodiment of a single sign-on system.
The single sign-on system comprises a client, an application system and a unified authentication system; the unified authentication system interfaces with a plurality of application systems supporting single sign-on;
the client is used for sending a first redirection access request to the unified authentication system; the first redirection access request is a redirection access request corresponding to an access request initiated by the client for a target application system of the plurality of application systems;
the unified authentication system is used for responding to the first redirection access request and returning a first URL address of an application login page corresponding to the target application system to the client;
the client is further used for accessing an application login page corresponding to the target application system based on the first URL address and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
Corresponding to the embodiments of the single sign-on method and the single sign-on system described above, the present specification also provides an embodiment of a single sign-on device.
Referring to fig. 8, fig. 8 is a hardware configuration diagram of an electronic device in which a single sign-on device is located in an exemplary embodiment. At the hardware level, the device includes a processor 802, an internal bus 804, a network interface 806, memory 808, and non-volatile storage 810, and may also include other hardware required by the service. One or more embodiments of the present description may be implemented in a software-based manner, for example by the processor 802 reading a corresponding computer program from the non-volatile storage 810 into the memory 808 and then running it. Of course, in addition to software implementations, one or more embodiments of the present disclosure do not exclude other implementation manners, such as a logic device or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to each logic unit, but may also be hardware or a logic device.
Referring to fig. 9, fig. 9 is a block diagram of a single sign-on device according to an exemplary embodiment. The single sign-on device 900 may be applied to an electronic device as shown in fig. 8, so as to implement the technical solution of the present specification. The apparatus 900 is applied to a unified authentication system that interfaces multiple application systems supporting single sign-on, the apparatus 900 may include:
a receiving unit 902, configured to receive a first redirection access request sent by a client for the unified authentication system; the first redirection access request is a redirection access request corresponding to an access request initiated by the client for a target application system of the plurality of application systems;
and the sending unit 904 is configured to return, to the client, a first URL address of an application login page corresponding to the target application system in response to the first redirection access request, so that the client accesses the application login page corresponding to the target application system based on the first URL address, and initiates single sign-on for the multiple application systems to the unified authentication system based on the application login page.
In this embodiment, the plurality of application systems respectively register a first application login page on the unified authentication system; the application login page corresponding to the target application system is a first application login page registered by the target application system on the unified authentication system.
In this embodiment, the sending unit includes:
a first searching subunit, configured to search the first application login page registered by the target application system on the unified authentication system;
and the first sending subunit is used for returning the searched first URL address of the first application login page to the client.
In this embodiment, the plurality of application systems respectively register front-end services for maintaining first application login pages corresponding to the plurality of application systems on the unified authentication system; the unified authentication system maintains the mapping relation between the URL addresses of the front-end services registered by the plurality of application systems on the unified authentication system and the application identifiers of the plurality of application systems; the first redirection access request carries an application identifier of the target application system;
the sending unit includes:
The second searching subunit is used for responding to the first redirection access request and searching the URL address of the front-end service mapped by the application identifier of the target application system according to the application identifier of the target application system carried by the first redirection access request;
and the second sending subunit is used for returning the searched URL address of the front-end service to the client as the first URL address.
In this embodiment, the unified authentication system maintains a temporary authorization code generation system, where the temporary authorization code is an intermediate credential for obtaining a user token; the apparatus further comprises:
the verification unit is used for receiving the user information sent by the application login page corresponding to the target application system and verifying the user information; the client receives user information input by a user and sends the user information to an application login page corresponding to the target application system;
the generation unit is used for generating a temporary authorization code if the user information passes the verification and returning the generated temporary authorization code to the client;
the receiving unit is further configured to receive a user token request instruction carrying the temporary authorization code sent by the client;
The sending unit is further configured to obtain the user token according to the temporary authorization code, and return the user token to the client.
In this embodiment, the unified authentication system maintains a login interface for checking user information;
the verification unit comprises:
the first receiving subunit is used for receiving user information sent by an application login page corresponding to the target application system and a login interface calling request aiming at the user information; the login interface call request is sent after the user information is acquired for an application login page corresponding to the target application system;
and the first calling subunit is used for calling the login interface and checking whether the user information is correct.
In this embodiment, the unified authentication system maintains a check interface that detects whether the front-end service is available;
the sending unit further includes:
the second calling subunit is used for calling the checking interface to detect whether the front-end service for maintaining the application login page corresponding to the target application system is available or not;
and the third sending subunit is used for returning a second URL address of the application login page corresponding to the unified authentication system to the client if the front-end service for maintaining the application login page corresponding to the target application system is unavailable, so that the client accesses the authentication login page corresponding to the unified authentication system based on the second URL address, and initiates single sign-on for the plurality of application systems to the unified authentication system according to the authentication login page.
In this embodiment, the front-end service is a service developed in a micro-service architecture mode.
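The lookup of the front-end service by application identifier, the check-interface fallback to the unified authentication system's own login page, and the temporary-authorization-code-for-user-token exchange described for the sending, verification and generation units above, modelled as an added Python example (not code from the patent or its assignee). The class and function names, the sample registry entries, the credential store and the code lifetime are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample registrations: application identifier -> URL address of the
# front-end service that maintains that application's first login page.
FRONTEND_REGISTRY: Dict[str, str] = {
    "app-crm": "https://login.crm.example.test/sso",
    "app-erp": "https://login.erp.example.test/sso",
}
UNIFIED_LOGIN_URL = "https://auth.example.test/login"  # the "second URL address"
CODE_TTL_SECONDS = 60  # assumed lifetime of a temporary authorization code


@dataclass
class AuthCode:
    user_id: str
    app_id: str
    issued_at: float
    used: bool = False


class UnifiedAuthSystem:
    """Hypothetical model of the unified authentication system (device 900)."""

    def __init__(self, registry: Dict[str, str], probe: Callable[[str], bool],
                 now: Callable[[], float] = time.time):
        self.registry = dict(registry)
        self.probe = probe  # the "check interface": True if the front-end is reachable
        self.now = now
        self._codes: Dict[str, AuthCode] = {}
        self._tokens: Dict[str, str] = {}
        # Constructed credential store; a real login interface would verify a
        # salted password hash rather than a plaintext string.
        self._users = {"alice": "correct horse"}

    def handle_first_redirect(self, app_id: str) -> str:
        """Sending unit: choose the first URL address returned to the client."""
        front_end = self.registry.get(app_id)
        if front_end is None:
            # Unknown identifier: never redirect the client to an unregistered page.
            return UNIFIED_LOGIN_URL
        if not self.probe(front_end):
            # Third sending subunit: front-end unavailable, fall back to the
            # unified authentication system's own login page.
            return UNIFIED_LOGIN_URL
        return front_end

    def verify_login(self, app_id: str, username: str, password: str) -> Optional[str]:
        """Verification + generation units: check user info, issue a temporary code."""
        expected = self._users.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(username, app_id, self.now())
        return code

    def exchange_code(self, code: str, app_id: str) -> Optional[str]:
        """Receiving + sending units: redeem the temporary code for a user token."""
        entry = self._codes.get(code)
        if entry is None or entry.used or entry.app_id != app_id:
            return None  # unknown, replayed, or bound to another application
        if self.now() - entry.issued_at > CODE_TTL_SECONDS:
            return None  # expired: the code is only an intermediate credential
        entry.used = True  # single use
        token = secrets.token_urlsafe(32)
        self._tokens[token] = entry.user_id
        return token

    def user_for_token(self, token: str) -> Optional[str]:
        return self._tokens.get(token)


if __name__ == "__main__":
    auth = UnifiedAuthSystem(FRONTEND_REGISTRY, probe=lambda url: "crm" in url)
    print(auth.handle_first_redirect("app-crm"))  # front-end URL of app-crm
    print(auth.handle_first_redirect("app-erp"))  # falls back to UNIFIED_LOGIN_URL
    code = auth.verify_login("app-crm", "alice", "correct horse")
    token = auth.exchange_code(code, "app-crm")
    print(auth.user_for_token(token))  # alice
```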
In this embodiment, the application login page corresponding to the target application system is a second application login page of the target application system; the first redirection access request carries authentication information of the target application system;
the sending unit includes:
the first authentication subunit is used for authenticating the authentication information of the target application system to obtain an authentication result of the target application system;
and the fourth sending subunit is used for determining the first URL address as the URL address of the second application login page of the target application system and returning the first URL address and the authentication result of the target application system to the client.
In this embodiment, the sending unit further includes:
the second receiving subunit is used for receiving the user information sent by the target application system and checking the user information; the user information sent by the target application system is the user information sent by the client to the target application system;
a fifth sending subunit, configured to, if the user information passes the verification, return a verification result for the user information to the target application system, so that the target application system generates a temporary authorization code for exchanging the user information and returns the temporary authorization code to the client;
And the second authentication subunit is used for receiving the temporary authorization code sent by the client, exchanging the user information from the target application system according to the temporary authorization code, authenticating based on the user information, and returning an authentication result to the client so that the client accesses the target application system based on the authentication result.
In this embodiment, the second authentication subunit is specifically configured to:
receiving a second redirection access request which is sent by the client and aims at the unified authentication system; the second redirected access request carries the temporary authorization code;
responding to the second redirection access request, and sending a user information request instruction carrying the temporary authorization code to the target application system so as to enable the target application system to return the user information based on the temporary authorization code;
and receiving the user information sent by the target application system.
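The variant just described, in which the target application system serves its own (second) login page, forwards the user information for verification and mints the temporary authorization code that the unified authentication system later redeems for the user information over a server-to-server request (the same flow the client-side method embodiment earlier on this page describes from the client's end), as an added Python model. It is not the patent's or the assignee's code; the application-identifier-plus-secret form of the application's authentication information, the class names and the sample users are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample user store; a real system verifies a salted password hash.
USERS: Dict[str, str] = {"alice": "correct horse"}


class ApplicationSystem:
    """Hypothetical target application system hosting its own login page."""

    def __init__(self, app_id: str, app_secret: str, login_url: str,
                 auth: "UnifiedAuthSystem"):
        self.app_id, self.app_secret, self.login_url = app_id, app_secret, login_url
        self.auth = auth
        self._pending: Dict[str, Dict[str, str]] = {}  # temporary code -> user info

    def submit_login(self, username: str, password: str) -> Optional[str]:
        """Login page handler: forward the user info to the unified auth system;
        if it verifies, mint a single-use temporary code and hand it to the client."""
        if not self.auth.verify_user_info(self.app_id, username, password):
            return None
        code = secrets.token_urlsafe(32)
        self._pending[code] = {"username": username}
        return code

    def user_info_for_code(self, code: str) -> Optional[Dict[str, str]]:
        """User information request from the unified auth system (server-to-server).
        pop() makes the code single use, so a replayed code yields nothing."""
        return self._pending.pop(code, None)


class UnifiedAuthSystem:
    """Hypothetical unified authentication system for the application-hosted variant."""

    def __init__(self) -> None:
        self._apps: Dict[str, ApplicationSystem] = {}
        self._sessions: Dict[str, str] = {}

    def register_app(self, app: ApplicationSystem) -> None:
        self._apps[app.app_id] = app

    def first_redirect(self, app_id: str, app_secret: str) -> Tuple[Optional[str], bool]:
        """First authentication + fourth sending subunits: authenticate the application
        credentials carried by the first redirect; return (first URL address, result)."""
        app = self._apps.get(app_id)
        if app is None or not hmac.compare_digest(app.app_secret, app_secret):
            return None, False  # unknown or mis-authenticated application: no page URL
        return app.login_url, True

    def verify_user_info(self, app_id: str, username: str, password: str) -> bool:
        """Second receiving + fifth sending subunits: check the user info the
        application forwarded; only a registered application may ask."""
        if app_id not in self._apps:
            return False
        expected = USERS.get(username)
        return expected is not None and hmac.compare_digest(expected, password)

    def second_redirect(self, app_id: str, code: str) -> Optional[str]:
        """Second authentication subunit: exchange the code for the user info from
        the application, authenticate on it, and return the result (a session id)."""
        app = self._apps.get(app_id)
        if app is None:
            return None
        info = app.user_info_for_code(code)
        if info is None or info.get("username") not in USERS:
            return None
        session = secrets.token_urlsafe(32)
        self._sessions[session] = info["username"]
        return session

    def user_for_session(self, session: str) -> Optional[str]:
        return self._sessions.get(session)
```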
Referring to fig. 10, fig. 10 is a block diagram of another single sign-on device in accordance with an exemplary embodiment. The single sign-on device 1000 may be applied to an electronic device as shown in fig. 8 to implement the technical solution of the present specification. The apparatus 1000 is applied to a client for accessing any application system of a plurality of application systems supporting single sign-on that interface with a unified authentication system, the apparatus 1000 comprising:
A sending unit 1002, configured to initiate a first redirected access request for the unified authentication system to the unified authentication system; the first redirection access request is a redirection access request corresponding to an access request initiated by the client and aimed at a target application system in the application systems;
and the receiving unit 1004 is configured to receive a first URL address of an application login page corresponding to the target application system returned by the unified authentication system, access the application login page corresponding to the target application system based on the first URL address, and initiate single sign-on for the multiple application systems to the unified authentication system based on the application login page.
In this embodiment, the plurality of application systems respectively register a first application login page on the unified authentication system; the application login page corresponding to the target application system is a first application login page registered by the target application system on the unified authentication system.
In this embodiment, the receiving unit includes:
the first receiving subunit is used for receiving a first URL address of the first application login page returned by the unified authentication system; the first URL address of the first application login page is obtained by the unified authentication system searching for the first application login page registered by the target application system on the unified authentication system.
In this embodiment, the plurality of application systems respectively register front-end services for maintaining first application login pages corresponding to the plurality of application systems on the unified authentication system; the unified authentication system maintains the mapping relation between the URL addresses of the front-end services registered by the plurality of application systems on the unified authentication system and the application identifiers of the plurality of application systems; the first redirection access request carries an application identifier of the target application system;
in this embodiment, the receiving unit includes:
the second receiving subunit is used for receiving the URL address of the front-end service searched for and returned by the unified authentication system; the unified authentication system searches for the URL address of the front-end service mapped to the application identifier of the target application system according to the application identifier carried by the first redirection access request, and returns that URL address of the front-end service as the first URL address.
In this embodiment, the unified authentication system maintains a temporary authorization code generation system, where the temporary authorization code is an intermediate credential for obtaining a user token; the apparatus further comprises:
The forwarding unit is used for receiving user information input by the user and sending the user information to the application login page corresponding to the target application system, so that the application login page corresponding to the target application system sends the user information to the unified authentication system, and the unified authentication system verifies the user information;
the receiving unit is further configured to receive the temporary authorization code returned by the unified authentication system if the user information passes the verification; the temporary authorization code is generated by the unified authentication system after the user information passes the verification;
the sending unit is further configured to send a user token request instruction carrying the temporary authorization code to the unified authentication system, and receive the user token returned by the unified authentication system.
In this embodiment, the unified authentication system maintains a login interface for checking user information;
the forwarding unit is configured to receive user information input by the user and send the user information to the application login page corresponding to the target application system, so that the application login page corresponding to the target application system sends the user information and a login interface call request for the user information to the unified authentication system, and the unified authentication system then calls the login interface and checks whether the user information is correct.
In this embodiment, the unified authentication system maintains a check interface that detects whether the front-end service is available; the receiving unit further includes:
the third receiving subunit is used for receiving a second URL address of the application login page corresponding to the unified authentication system, returned by the unified authentication system; the second URL address is returned by the unified authentication system after it calls the check interface and finds that the front-end service maintaining the application login page corresponding to the target application system is unavailable;
and the login subunit is used for accessing an authentication login page corresponding to the unified authentication system based on the second URL address and initiating single sign-on for the plurality of application systems to the unified authentication system according to the authentication login page.
In this embodiment, the front-end service is a service developed in a micro-service architecture mode.
In this embodiment, the application login page corresponding to the target application system is a second application login page of the target application system; the first redirection access request carries authentication information of the target application system;
The receiving unit includes:
a fourth receiving subunit, configured to determine that the first URL address is a URL address of a second application login page of the target application system, and receive the first URL address returned by the unified authentication system and an authentication result of the target application system; the authentication result of the target application system is obtained by authenticating the authentication information of the target application system by the unified authentication system.
In this embodiment, the receiving unit further includes:
a fifth receiving subunit, configured to receive user information input by the user and send the user information to the target application system, so that the target application system sends the user information to the unified authentication system and the unified authentication system verifies the user information;
a sixth receiving subunit, configured to receive a temporary authorization code returned by the target application system if the user information passes the verification; after the user information passes the verification, the temporary authorization code is generated by the target application system and used for exchanging the user information;
the first sending subunit is used for sending the temporary authorization code to the unified authentication system so that the unified authentication system can exchange the user information from the target application system according to the temporary authorization code, authenticate based on the user information and return an authentication result;
And the seventh receiving subunit is used for receiving the authentication result returned by the unified authentication system.
In this embodiment, the first sending subunit is specifically configured to:
sending a second redirected access request for the unified authentication system to the unified authentication system; and the second redirection access request carries the temporary authorization code, so that the unified authentication system sends a user information request instruction carrying the temporary authorization code to the target application system, and receives the user information returned by the target application system according to the temporary authorization code.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, since they essentially correspond to the method embodiments, reference is made to the description of the method embodiments for the relevant points. The device embodiments described above are illustrative only: the units described as separate components may or may not be physically separate, and a component shown as a unit may or may not be a physical unit; it may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art can understand and implement them without undue effort.
The embodiment of the disclosure also proposes an electronic device, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any of the embodiments described above.
Embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method of any of the embodiments described above.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
The user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of related data is required to comply with the relevant laws and regulations and standards of the relevant country and region, and is provided with corresponding operation entries for the user to select authorization or rejection.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (10)

1. A single sign-on method for use with a unified authentication system interfacing a plurality of application systems supporting single sign-on, the method comprising:
receiving a first redirection access request aiming at the unified authentication system and sent by a client; the first redirection access request is a redirection access request corresponding to an access request initiated by the client for a target application system of the plurality of application systems;
and responding to the first redirection access request, returning a first URL address of an application login page corresponding to the target application system to the client so that the client accesses the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
2. The method of claim 1, wherein the plurality of application systems each register a first application login page on the unified authentication system; the application login page corresponding to the target application system is a first application login page registered by the target application system on the unified authentication system.
3. The method of claim 1, wherein the application login page corresponding to the target application system is a second application login page of the target application system; the first redirection access request carries authentication information of the target application system;
the returning, to the client, the first URL address of the application login page corresponding to the target application system includes:
authenticating the authentication information of the target application system to obtain an authentication result of the target application system;
and determining the first URL address as the URL address of a second application login page of the target application system, and returning the first URL address and an authentication result of the target application system to the client.
4. A single sign-on method, applied to a client for accessing any one of a plurality of application systems supporting single sign-on that interface with a unified authentication system, the method comprising:
Initiating a first redirected access request to the unified authentication system; the first redirection access request is a redirection access request corresponding to an access request initiated by the client and aimed at a target application system in the application systems;
and receiving a first URL address of an application login page corresponding to the target application system returned by the unified authentication system, accessing the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
5. The method of claim 4, wherein the plurality of application systems each register a first application login page on the unified authentication system; the application login page corresponding to the target application system is a first application login page registered by the target application system on the unified authentication system.
6. A single sign-on system, the system comprising a client, an application system and a unified authentication system; the unified authentication system interfaces with a plurality of application systems supporting single sign-on;
The client is used for sending a first redirection access request to the unified authentication system; the first redirection access request is a redirection access request corresponding to an access request initiated by the client for a target application system of the plurality of application systems;
the unified authentication system is used for responding to the first redirection access request and returning a first URL address of an application login page corresponding to the target application system to the client;
the client is further used for accessing an application login page corresponding to the target application system based on the first URL address and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
7. A single sign-on device for use with a unified authentication system interfacing a plurality of application systems supporting single sign-on, the device comprising:
a receiving unit, used for receiving a first redirection access request which is sent by the client and is aimed at the unified authentication system; the first redirection access request is a redirection access request corresponding to an access request initiated by the client for a target application system of the plurality of application systems;
and a return unit, used for responding to the first redirection access request by returning a first URL address of an application login page corresponding to the target application system to the client, so that the client accesses the application login page corresponding to the target application system based on the first URL address and initiates single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
8. A single sign-on device for use with a client for accessing any of a plurality of application systems supporting single sign-on that interface with a unified authentication system, the device comprising:
a sending unit, configured to initiate, to the unified authentication system, a first redirection access request aimed at the unified authentication system; the first redirection access request is a redirection access request corresponding to an access request initiated by the client for a target application system of the plurality of application systems;
a receiving unit, used for receiving a first URL address of an application login page corresponding to the target application system returned by the unified authentication system, accessing the application login page corresponding to the target application system based on the first URL address, and initiating single sign-on for the plurality of application systems to the unified authentication system based on the application login page.
9. An electronic device comprising a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are connected with each other through the bus;
the memory stores machine readable instructions, and the processor performs the method of any of claims 1-5 by invoking the machine readable instructions.
10. A machine-readable storage medium storing machine-readable instructions which, when invoked and executed by a processor, implement the method of any one of claims 1-5.
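The redirect step shared by claims 1 to 8 (client is redirected to the unified authentication system for a target application, the system looks up the login page that application registered, checks the application's authentication information, and returns that registered URL plus the authentication result) as an added Python example; this is not the patent's or the applicant's code, and `app_id`, `app_secret`, the result strings and the example URLs are constructed for illustration.

```python
"""Added example: a minimal unified authentication system that answers the
first redirection access request with the login page the target application
registered. Only a URL that was registered in advance is ever returned, so
a caller cannot steer the client to an arbitrary page via the redirect."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RegisteredApp:
    login_page_url: str   # the "first application login page" of claims 2/5
    secret_hash: str      # digest of the application's authentication information


class UnifiedAuthSystem:
    def __init__(self):
        self._apps = {}   # app_id -> RegisteredApp (constructed registry)

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def register(self, app_id: str, login_page_url: str, app_secret: str) -> None:
        """Each application registers its own login page (claims 2 and 5).
        Only absolute https URLs are accepted; this exact string is what the
        redirect handler will later hand back to the client."""
        parts = urlsplit(login_page_url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("login page must be an absolute https URL")
        self._apps[app_id] = RegisteredApp(login_page_url, self._digest(app_secret))

    def handle_redirect(self, app_id: str, app_secret: str):
        """Handle the first redirection access request for `app_id`.
        Returns (first URL address, authentication result); the URL is None
        whenever the application is unknown or its authentication fails,
        so a failed check never leaks or redirects anywhere."""
        app = self._apps.get(app_id)
        if app is None:
            return None, "unknown_application"
        # constant-time comparison of the presented authentication information
        if not hmac.compare_digest(app.secret_hash, self._digest(app_secret)):
            return None, "application_auth_failed"
        return app.login_page_url, "application_authenticated"


if __name__ == "__main__":
    idp = UnifiedAuthSystem()
    idp.register("crm", "https://crm.example.test/login", "crm-secret")
    print(idp.handle_redirect("crm", "crm-secret"))
    print(idp.handle_redirect("crm", "wrong-secret"))
```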

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311282688.2A CN117201167A (en) 2023-09-28 2023-09-28 Single sign-on method, device, system, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117201167A true CN117201167A (en) 2023-12-08

Family

ID=88992393

Country Status (1)

Country Link
CN (1) CN117201167A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination