CN117407844A - Method and system for authorizing single sign-on based on user attribute and role - Google Patents


Info

Publication number
CN117407844A
Authority
CN (China)
Prior art keywords
user, authorization, authentication, module, single sign
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Pending
Application number
CN202311144918.9A
Other languages
Chinese (zh)
Inventors
李鹤, 田吉, 李佳, 刘彪, 娄江南, 李成, 杨爽, 牛建平, 孙大臣, 管春元, 谢斌, 焦质晔, 滕训超, 孙增强
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
QIMING INFORMATION TECHNOLOGY CO LTD
Original assignee
QIMING INFORMATION TECHNOLOGY CO LTD
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
2023-09-06
Filing date
2023-09-06
Publication date
2024-01-16

Classifications

    • G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                • G06F21/31 User authentication
                    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
            • G06F21/60 Protecting data
                • G06F21/604 Tools and structures for managing or administering access control systems
        • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/20 Information retrieval of structured data, e.g. relational data
                • G06F16/21 Design, administration or maintenance of databases
                    • G06F16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
                • G06F16/22 Indexing; Data structures therefor; Storage structures
                    • G06F16/2228 Indexing structures
                • G06F16/23 Updating
                • G06F16/28 Databases characterised by their database models, e.g. relational or object models
                    • G06F16/284 Relational databases
        • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
                • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a method and a system for authorizing single sign-on based on user attributes and roles. The method comprises the following steps: S1: creating custom authorization policies; S2: creating unified user information to achieve dynamic authorization; S3: performing login authentication of users in a unified way. The system comprises a display layer, an authentication layer, a service layer, an access layer and a base layer: the display layer comprises a front-end service system module; the authentication layer comprises a single sign-on module and a permission authentication module; the service layer comprises an authorization rule module and a user authorization module; the access layer comprises an identity source module and an authentication source module; and the base layer comprises a distributed micro-service framework platform. With this method and system, user access rights and policies are configured dynamically from custom authorization policies keyed on user attributes, user accounts and application systems are managed in a unified way, and a centralized authentication and sign-on function is provided, which reduces the difficulty of managing enterprise employee accounts and application systems.

Description

Method and system for authorizing single sign-on based on user attribute and role
Technical Field
The invention relates to the field of software information, and in particular to a method and a system for authorizing single sign-on based on user attributes and roles.
Background
As the level of enterprise informatization rises, more and more information systems are built to meet business needs. These systems are related to one another yet independent, and each has its own user management and authentication modules, so users must frequently switch between accounts and passwords when accessing different systems. This is a great inconvenience to users, and password leakage readily leads to system security problems. At the same time, adding a new user often requires complex authorization operations in several information systems.
Disclosure of Invention
The invention aims to provide a single sign-on method and system based on user attribute and role authorization, addressing the low working efficiency caused by complex, manual user authorization.
A method for authorizing single sign-on based on user attributes and roles comprises the following steps:
S1: creating custom authorization policies;
S2: creating unified user information to achieve dynamic authorization;
S3: performing login authentication of users in a unified way.
Further, step S1 comprises the following specific steps:
the server configures and customizes various authorization policies according to user attributes;
the user attributes comprise regular (formal) employees and non-regular (informal) employees;
an authorization policy comprises a user role, application system access rights, resource access rights and user organization rights.
Further, step S2 comprises the following sub-steps:
S21: the server receives or registers user information;
S22: after data cleaning and processing, the user information is stored in a relational database and a directory database;
S23: the databases provide unified management of user accounts and keep the user data at the storage end consistent with that at the server;
S24: after obtaining the user information, the server judges according to the authorization policies whether the user's attributes satisfy their rules;
S25: the server dynamically establishes the authorization relation between the user and the application systems and stores it in a management database;
S26: the server converts the roles, resources and access policies corresponding to the user into user permission attribute information and updates it in the user cache, achieving dynamic authorization of the user.
Further, step S21 comprises the following specific steps:
the server receives user information from an identity source;
the server receives user information from an authentication source;
the server registers user information that is entered manually.
Further, step S23 comprises the following specific steps:
when the user information in the identity source changes, the server obtains the changed user information and synchronously updates the user information it stores;
when the user information in the identity source has not changed, the server performs no synchronization.
Further, step S3 comprises the following sub-steps:
S31: the authentication end provides a unified login interface for each registered application system;
S32: the client initiates a login request to the authentication end through a browser and initiates a single sign-on request by entering a user name and password;
S33: the authentication end looks up the user name and password in the user cache and checks them against the information entered by the user:
if the check passes, the token state is updated and the user information is returned to the callback address of the application system, completing the login authentication process;
if the check fails, the authentication end returns a "user name or password error" message to the text box in the browser.
A system for authorizing single sign-on based on user attributes and roles comprises a display layer, an authentication layer, a service layer, an access layer and a base layer;
the display layer comprises a front-end service system module;
the authentication layer comprises a single sign-on module and a permission authentication module;
the service layer comprises an authorization rule module and a user authorization module;
the access layer comprises an identity source module and an authentication source module;
the base layer comprises a distributed micro-service framework platform;
the front-end service system module lets a user operate and send feedback to the server through front-end pages;
the single sign-on module receives the user name and password entered for single sign-on;
the permission authentication module judges the user's permissions according to the authorization policies;
the authorization rule module divides authorization rules according to the user role, application system access rights, resource access rights and user organization rights of an authorization policy;
the user authorization module converts user permission attribute information for the server and updates it in the user cache, achieving dynamic authorization of the user;
the identity source module stores the source of the user's identity information;
the authentication source module stores the source of the user's authentication information;
the distributed micro-service framework platform implements the system framework through a back-end code platform and front-end web pages.
The beneficial effects of the invention are as follows: with the method for authorizing single sign-on based on user attributes and roles, user access rights and policies are configured dynamically from custom authorization policies keyed on user attributes, user accounts and application systems are managed in a unified way, and a centralized authentication and sign-on function is provided, so that the difficulty of managing enterprise employee accounts and application systems is greatly reduced.
Drawings
Fig. 1 is a system configuration diagram of the present invention.
Fig. 2 is a flow chart of step S1 of the present invention.
Fig. 3 is a flow chart of step S2 of the present invention.
Fig. 4 is a flow chart of step S3 of the present invention.
Detailed Description
For a clearer understanding of technical features, objects, and effects of the present invention, a specific embodiment of the present invention will be described with reference to the accompanying drawings.
As shown in Fig. 1, the system for authorizing single sign-on based on user attributes and roles comprises a display layer, an authentication layer, a service layer, an access layer and a base layer;
the display layer comprises a front-end service system module;
the authentication layer comprises a single sign-on module and a permission authentication module;
the service layer comprises an authorization rule module and a user authorization module;
the access layer comprises an identity source module and an authentication source module;
the base layer comprises a distributed micro-service framework platform;
the front-end service system module lets a user operate and send feedback to the server through front-end pages;
the single sign-on module receives the user name and password entered for single sign-on;
the permission authentication module judges the user's permissions according to the authorization policies;
the authorization rule module divides authorization rules according to the user role, application system access rights, resource access rights and user organization rights of an authorization policy;
the user authorization module converts user permission attribute information for the server and updates it in the user cache, achieving dynamic authorization of the user;
the identity source module stores the source of the user's identity information;
the authentication source module stores the source of the user's authentication information;
the distributed micro-service framework platform implements the system framework through a back-end code platform and front-end web pages.
A method for authorizing single sign-on based on user attributes and roles comprises the following steps:
S1: creating custom authorization policies;
S2: creating unified user information to achieve dynamic authorization;
S3: performing login authentication of users in a unified way.
As shown in Fig. 2, step S1 comprises the following specific steps:
the server configures and customizes various authorization policies according to user attributes;
the user attributes comprise regular (formal) employees and non-regular (informal) employees;
an authorization policy comprises a user role, application system access rights, resource access rights and user organization rights.
As shown in Fig. 3, step S2 comprises the following sub-steps:
S21: the server receives or registers user information;
S22: after data cleaning and processing, the user information is stored in a relational database and a directory database;
S23: the databases provide unified management of user accounts and keep the user data at the storage end consistent with that at the server;
S24: after obtaining the user information, the server judges according to the authorization policies whether the user's attributes satisfy their rules;
S25: the server dynamically establishes the authorization relation between the user and the application systems and stores it in a management database;
S26: the server converts the roles, resources and access policies corresponding to the user into user permission attribute information and updates it in the user cache, achieving dynamic authorization of the user.
Further, step S21 comprises the following specific steps:
the server receives user information from an identity source;
the server receives user information from an authentication source;
the server registers user information that is entered manually.
Further, step S23 comprises the following specific steps:
when the user information in the identity source changes, the server obtains the changed user information and synchronously updates the user information it stores;
when the user information in the identity source has not changed, the server performs no synchronization.
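The dynamic-authorization procedure of steps S1 and S2 (stated in the summary above and again here with Figs. 2 and 3) can be expressed as a small policy engine. The Python below is an added example written for this page; it is not code from the patent or from QIMING INFORMATION TECHNOLOGY CO LTD. The in-memory dictionaries that stand in for the relational, directory and management databases and for the user cache, the policy names, the second sample policy and the sample identity-source records are all assumptions. It shows the S23 changed/unchanged test (a fingerprint of the cleaned record, so an unchanged identity-source record triggers no resynchronization), the S24 attribute gate (only a regular employee matches a policy, a non-regular employee with the same role gets nothing) and, for the S25/S26 cache, that a role change at the identity source immediately narrows the user's cached rights because the permission attributes are re-derived from the policies rather than edited by hand.

```python
"""Steps S1-S2: custom policies, identity-source sync and dynamic authorization.

Added example for this page; every store is an in-memory stand-in (assumption).
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """S1: one custom authorization policy. It applies only when the user's
    attribute (regular/non-regular employee) and role both match."""
    name: str
    employee_type: str           # user attribute gate: "regular" or "non-regular"
    role: str                    # user role
    app_rights: frozenset        # application system access rights
    resource_rights: frozenset   # resource access rights
    org_rights: bool             # user organization rights


@dataclass(frozen=True)
class User:
    username: str
    employee_type: str
    role: str
    department: str
    version: str                 # fingerprint of the cleaned identity-source record


def clean_record(raw: dict) -> dict:
    """S22: data cleaning before storage (trim, normalise case, default attribute)."""
    return {
        "username": raw["username"].strip().lower(),
        "employee_type": raw.get("employee_type", "non-regular").strip().lower(),
        "role": raw["role"].strip(),
        "department": raw["department"].strip(),
    }


def fingerprint(record: dict) -> str:
    """Stable hash of a cleaned record, used for the S23 changed/unchanged test."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuthorizationServer:
    def __init__(self, policies):
        self.policies = list(policies)
        self.users = {}       # stand-in for the relational + directory databases
        self.relations = {}   # stand-in for the management database (user -> apps)
        self.cache = {}       # stand-in for the user cache (user -> permission attrs)

    def ingest(self, raw: dict) -> bool:
        """S21-S23: receive a record, clean it, store it, resync only on change.
        Returns True when the stored copy changed and authorization was re-derived."""
        rec = clean_record(raw)
        fp = fingerprint(rec)
        current = self.users.get(rec["username"])
        if current is not None and current.version == fp:
            return False                     # S23: unchanged, no synchronization
        self.users[rec["username"]] = User(**rec, version=fp)
        self.authorize(rec["username"])      # S24-S26
        return True

    def authorize(self, username: str) -> dict:
        """S24-S26: match policies on attribute + role, store the user/app relation,
        and rewrite the cached permission attributes from scratch."""
        user = self.users[username]
        matched = [p for p in self.policies
                   if p.employee_type == user.employee_type and p.role == user.role]
        apps, resources, org = set(), set(), False
        for p in matched:
            apps |= p.app_rights
            resources |= p.resource_rights
            org = org or p.org_rights
        self.relations[username] = frozenset(apps)
        self.cache[username] = {"role": user.role, "apps": frozenset(apps),
                                "resources": frozenset(resources), "org_rights": org}
        return self.cache[username]

    def check_access(self, username: str, app: str, resource: Optional[str] = None) -> bool:
        """Permission authentication module: decide purely from the cached attributes."""
        perms = self.cache.get(username)
        if perms is None or app not in perms["apps"]:
            return False
        return resource is None or resource in perms["resources"]


# Sample policies and records (constructed for this example; the manager policy
# mirrors Example 1 of the description, the member policy is an assumption).
POLICIES = [
    Policy("cs-manager", "regular", "customer service department manager",
           frozenset({"customer-service"}), frozenset({"cs-staff-directory"}), True),
    Policy("cs-member", "regular", "customer service department member",
           frozenset({"customer-service"}), frozenset({"own-profile"}), False),
]
ZHANGSAN_MANAGER = {"username": " ZhangSan ", "employee_type": "regular",
                    "role": "customer service department manager",
                    "department": "customer service"}
ZHANGSAN_MEMBER = dict(ZHANGSAN_MANAGER, role="customer service department member")
TEMP_WORKER = {"username": "temp01", "employee_type": "non-regular",
               "role": "customer service department manager",
               "department": "customer service"}


def build_example_server() -> AuthorizationServer:
    """Server with Example 1's manager and a non-regular worker already ingested."""
    srv = AuthorizationServer(POLICIES)
    srv.ingest(ZHANGSAN_MANAGER)
    srv.ingest(TEMP_WORKER)
    return srv
```

Feeding `ZHANGSAN_MEMBER` to `ingest` after `build_example_server()` models step 3 of Example 1: the fingerprint differs, the record is resynchronized, and the cached `resources` shrink from the staff directory to the user's own profile without any administrator touching the cache.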
As shown in Fig. 4, step S3 comprises the following sub-steps:
S31: the authentication end provides a unified login interface for each registered application system;
S32: the client initiates a login request to the authentication end through a browser and initiates a single sign-on request by entering a user name and password;
S33: the authentication end looks up the user name and password in the user cache and checks them against the information entered by the user:
if the check passes, the token state is updated and the user information is returned to the callback address of the application system, completing the login authentication process;
if the check fails, the authentication end returns a "user name or password error" message to the text box in the browser.
Example 1: the method for single sign-on with user attribute and role authorization is carried out as follows:
1. The server configures authorization policies for regular employees according to the user attributes:
user role: customer service department manager;
application system access rights: the customer service department system;
resource access rights: all staff of the customer service department;
user organization rights: yes.
2. The server receives from the identity source the user information of a customer service department manager and stores it in the relational database and the directory database.
3. When the role of that user in the identity source changes from customer service department manager to customer service department member, the server obtains the changed role information and synchronously updates the user information it stores.
4. After obtaining the user information, the server judges according to the authorization policy whether the user is a regular employee.
5. The server dynamically establishes the authorization relation between the user and the application system and stores it in the management database.
6. The server converts the roles, resources and access policies corresponding to the user into user permission attribute information and updates it in the user cache, achieving dynamic authorization of the user.
7. The authentication end provides a unified login interface for each registered application system; the client initiates a login request to the authentication end through a browser and initiates a single sign-on request by entering a user name and password:
user name: zhangsan;
password: zhangsan123.
8. The authentication end looks up the user name and password in the user cache and checks them against the information entered by the user; the check passes, the token state is updated, and the user information is returned to the callback address of the application system, completing the login authentication process.
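Steps 7 and 8 of Example 1 (step S3 in general) are the authentication end's login exchange with a registered application system. The Python below is an added example written for this page, not the patent's or the assignee's code. It assumes that each application system registers a fixed callback address with the authentication end and that the user cache holds a salted PBKDF2 hash of the password rather than a retrievable password; both are design choices of this example, since the patent text only says the user name and password are looked up in the cache and checked. The user name zhangsan and password zhangsan123 are the values from Example 1; the application identifier, the callback URL, the token lifetime and the error text for an unregistered callback are assumptions. Two points a practitioner would want are built in: the browser is redirected only to the callback registered for the requesting application, so a forged callback parameter cannot carry the token elsewhere, and a wrong password produces the same "user name or password error" as an unknown user name.

```python
"""Step S3 / Example 1 steps 7-8: unified login at the authentication end.

Added example for this page. Registered apps, user cache and token table are
in-memory dicts; the callback URL, app id and token lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000
TOKEN_LIFETIME_SECONDS = 3600                       # assumption
LOGIN_ERROR = "user name or password error"         # message from step S33


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_cache_entry(password: str, perms: dict) -> dict:
    """What the user cache holds per user: salted hash + S26 permission attributes.
    The password itself is never stored (design choice of this example)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "perms": perms}


class AuthenticationEnd:
    def __init__(self, registered_apps: dict, user_cache: dict):
        self.registered_apps = dict(registered_apps)   # S31: app id -> callback URL
        self.user_cache = user_cache                   # user name -> cache entry
        self.tokens = {}                               # token -> {"user", "expires"}
        self._dummy_salt = secrets.token_bytes(16)

    def _credentials_ok(self, username: str, password: str) -> bool:
        entry = self.user_cache.get(username)
        if entry is None:
            hash_password(password, self._dummy_salt)  # same work for unknown users
            return False
        return hmac.compare_digest(hash_password(password, entry["salt"]), entry["hash"])

    def login(self, app_id: str, callback: str, username: str, password: str, now: int) -> dict:
        """S32/S33: handle a single sign-on request coming from the browser."""
        registered_callback = self.registered_apps.get(app_id)
        if registered_callback is None or callback != registered_callback:
            return {"ok": False, "error": "unregistered application or callback"}
        if not self._credentials_ok(username, password):
            return {"ok": False, "error": LOGIN_ERROR}
        token = secrets.token_urlsafe(32)              # "the token state is updated"
        self.tokens[token] = {"user": username, "expires": now + TOKEN_LIFETIME_SECONDS}
        return {"ok": True, "redirect": f"{registered_callback}?token={token}"}

    def user_info(self, token: str, now: int) -> Optional[dict]:
        """Called by the application system at its callback address to exchange
        the token for the user information (role and rights from the cache)."""
        state = self.tokens.get(token)
        if state is None or now >= state["expires"]:
            self.tokens.pop(token, None)
            return None
        entry = self.user_cache[state["user"]]
        return {"username": state["user"], **entry["perms"]}


def build_example_auth_end() -> AuthenticationEnd:
    """Constructed sample data: Example 1's user plus an assumed registered app."""
    cache = {
        "zhangsan": make_cache_entry("zhangsan123", {
            "role": "customer service department manager",
            "apps": ["customer-service"],
            "resources": ["cs-staff-directory"],
            "org_rights": True,
        }),
    }
    apps = {"customer-service": "https://cs.example.internal/sso/callback"}
    return AuthenticationEnd(apps, cache)
```

The application system never sees the password: it receives only the token in the redirect and calls `user_info` to obtain the cached permission attributes, which is what lets one authentication end serve every registered application.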
In this scheme, the method and system for authorizing single sign-on based on user attributes and roles apply an authorization policy keyed on user attributes: whenever a user is maintained, the system dynamically judges whether the user's attributes satisfy the authorization policy and completes the application, resource and role authorization of that user. This removes the confusion caused by frequent manual authorization, improves administrator working efficiency, and gives a good customer experience for the operation and maintenance of the software system.
The foregoing has shown and described the basic principles and main features of the present invention and the advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (7)

1. A method for authorizing single sign-on based on user attributes and roles, characterized in that it comprises the following steps:
S1: creating custom authorization policies;
S2: creating unified user information to achieve dynamic authorization;
S3: performing login authentication of users in a unified way.
2. The method for authorizing single sign-on based on user attributes and roles according to claim 1, wherein step S1 comprises the following specific steps:
the server configures and customizes various authorization policies according to user attributes;
the user attributes comprise regular (formal) employees and non-regular (informal) employees;
an authorization policy comprises a user role, application system access rights, resource access rights and user organization rights.
3. The method for authorizing single sign-on based on user attributes and roles according to claim 1, wherein step S2 comprises the following sub-steps:
S21: the server receives or registers user information;
S22: after data cleaning and processing, the user information is stored in a relational database and a directory database;
S23: the databases provide unified management of user accounts and keep the user data at the storage end consistent with that at the server;
S24: after obtaining the user information, the server judges according to the authorization policies whether the user's attributes satisfy their rules;
S25: the server dynamically establishes the authorization relation between the user and the application systems and stores it in a management database;
S26: the server converts the roles, resources and access policies corresponding to the user into user permission attribute information and updates it in the user cache, achieving dynamic authorization of the user.
4. The method for authorizing single sign-on based on user attributes and roles according to claim 3, wherein step S21 comprises the following specific steps:
the server receives user information from an identity source;
the server receives user information from an authentication source;
the server registers user information that is entered manually.
5. The method for authorizing single sign-on based on user attributes and roles according to claim 3, wherein step S23 comprises the following specific steps:
when the user information in the identity source changes, the server obtains the changed user information and synchronously updates the user information it stores;
when the user information in the identity source has not changed, the server performs no synchronization.
6. The method for authorizing single sign-on based on user attributes and roles according to claim 1, wherein step S3 comprises the following sub-steps:
S31: the authentication end provides a unified login interface for each registered application system;
S32: the client initiates a login request to the authentication end through a browser and initiates a single sign-on request by entering a user name and password;
S33: the authentication end looks up the user name and password in the user cache and checks them against the information entered by the user:
if the check passes, the token state is updated and the user information is returned to the callback address of the application system, completing the login authentication process;
if the check fails, the authentication end returns a "user name or password error" message to the text box in the browser.
7. A system for authorizing single sign-on based on user attributes and roles, characterized in that it comprises a display layer, an authentication layer, a service layer, an access layer and a base layer;
the display layer comprises a front-end service system module;
the authentication layer comprises a single sign-on module and a permission authentication module;
the service layer comprises an authorization rule module and a user authorization module;
the access layer comprises an identity source module and an authentication source module;
the base layer comprises a distributed micro-service framework platform;
the front-end service system module lets a user operate and send feedback to the server through front-end pages;
the single sign-on module receives the user name and password entered for single sign-on;
the permission authentication module judges the user's permissions according to the authorization policies;
the authorization rule module divides authorization rules according to the user role, application system access rights, resource access rights and user organization rights of an authorization policy;
the user authorization module converts user permission attribute information for the server and updates it in the user cache, achieving dynamic authorization of the user;
the identity source module stores the source of the user's identity information;
the authentication source module stores the source of the user's authentication information;
the distributed micro-service framework platform implements the system framework through a back-end code platform and front-end web pages.
Priority and Family

Application number: CN202311144918.9A
Title: Method and system for authorizing single sign-on based on user attribute and role
Priority date: 2023-09-06
Filing date: 2023-09-06
Publication: CN117407844A (en), 2024-01-16
Legal status: Pending
Family ID: 89487792
Family applications (1): CN202311144918.9A
Country status (1): CN, CN117407844A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination