CN117574349A - Single sign-on authentication method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117574349A
Authority: CN (China)
Application number: CN202311503775.6A
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Prior art keywords: application, authentication, login, user identifier, target
Other languages: Chinese (zh)
Inventors: 刘小熊, 黄伟湘, 石聪慧, 温喆, 熊舸
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Internet Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Internet Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication


Abstract

The application provides a single sign-on authentication method, a single sign-on authentication device, an electronic device and a storage medium. The single sign-on authentication method comprises the following steps: after receiving a login authentication request for a first application to be jumped to, sent by a terminal device and comprising the security level of the first application, a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier, determining an authentication policy based on the security level of the first application on condition that the first signature is verified successfully; verifying the first relation index and the first user identifier, using the authentication policy and the association relation corresponding to the first application in a login registry, to determine an authentication result; and sending the authentication result to the terminal device. This improves the reliability of single sign-on authentication and expands the application scenarios of the single sign-on authentication method.

Description

Single sign-on authentication method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a single sign-on authentication method, a single sign-on authentication device, an electronic device, and a storage medium.
Background
Single sign-on technology allows a user who has signed on to one application among a plurality of mutually trusted applications to sign on to the other applications without entering information such as the account passwords of those other applications.
In the prior art, when a target user initiates a login request to a second application from a first application, the current first login information of the first application is converted, according to a pre-stored account mapping relation, into second login information of the target user for the second application, so that the second application can authenticate the second login information. After the authentication succeeds, the second application is logged in. However, if an attack succeeds in logging in to the first application, a chain reaction may result and all applications are compromised. Thus, a reliable single sign-on authentication method is still needed.
Disclosure of Invention
The present application aims to solve, at least to some extent, one of the technical problems in the related art.
Therefore, the application provides a single sign-on authentication method, a single sign-on authentication device, an electronic device and a storage medium, so that the reliability of single sign-on authentication is improved.
To achieve the above object, an embodiment of a first aspect of the present application provides a single sign-on authentication method, executed by a SIM card, including:
receiving a login authentication request for a first application to be jumped to, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier;
on condition that verification of the first signature succeeds, determining an authentication policy based on the security level of the first application;
verifying the first relation index and the first user identifier, using the authentication policy and the association relation corresponding to the first application in the login registry, to determine an authentication result;
and sending the authentication result to the terminal device.
To achieve the above object, an embodiment of a second aspect of the present application provides a single sign-on authentication method, executed by a terminal device, including:
in response to a second application triggering a jump to a first application, determining whether the first application is logged in;
on condition that the first application is not logged in, sending a login authentication request to the SIM card, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier;
receiving an authentication result, sent by the SIM card, obtained by verifying the first relation index and the first user identifier according to the security level of the first application;
and determining whether to log in to the first application according to the authentication result.
To achieve the above object, an embodiment of a third aspect of the present application provides a single sign-on authentication device, applied on the SIM card side, including:
a transceiver module, configured to receive a login authentication request for a first application to be jumped to, sent by a terminal device, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier;
a determining module, configured to determine an authentication policy based on the security level of the first application on condition that the first signature is verified successfully;
a verification module, configured to verify the first relation index and the first user identifier, using the authentication policy and the association relation corresponding to the first application in the login registry, to determine an authentication result;
and the transceiver module is further configured to send the authentication result to the terminal device.
To achieve the above object, an embodiment of a fourth aspect of the present application provides a single sign-on authentication device, applied on the terminal device side, including:
a confirmation module, configured to determine whether a first application is logged in, in response to a second application triggering a jump to the first application;
a transceiver module, configured to send a login authentication request to the SIM card on condition that the first application is not logged in, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier;
the transceiver module is further configured to receive an authentication result, sent by the SIM card, obtained by verifying the first relation index and the first user identifier according to the security level of the first application;
and a processing module, configured to determine whether to log in to the first application according to the authentication result.
To achieve the above object, an embodiment of a fifth aspect of the present application provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the methods of the embodiments described above.
To achieve the above object, an embodiment of a sixth aspect of the present application proposes a computer-readable storage medium storing computer instructions, wherein the computer instructions are for causing a computer to perform the method according to the above embodiment.
After receiving a login authentication request for a first application to be jumped to, sent by a terminal device and comprising a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier, an authentication policy is determined based on the security level of the first application on condition that the first signature is verified successfully; the first relation index and the first user identifier are verified, using the authentication policy and the association relation corresponding to the first application in a login registry, to determine an authentication result; and the authentication result is sent to the terminal device. Because the authentication result is determined by verifying the first relation index and the first user identifier against the association relation corresponding to the first application in the login registry stored in the SIM card, a login request sent under attack can be effectively identified, and because different authentication policies are determined for different security levels of the first application, the authentication capability is extended. This improves the reliability of single sign-on authentication and expands the application scenarios of the single sign-on authentication method.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
fig. 1 is a flow chart of a single sign-on authentication method according to an embodiment of the present application;
fig. 2 is a flowchart of another single sign-on authentication method according to an embodiment of the present application;
fig. 3 is a flowchart of another single sign-on authentication method according to an embodiment of the present application;
fig. 4 is a flowchart of another single sign-on authentication method according to an embodiment of the present application;
fig. 5 is an interaction schematic diagram of a single sign-on authentication method according to an embodiment of the present application;
FIG. 6 is an interactive schematic diagram of another single sign-on authentication method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a single sign-on authentication device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of another single sign-on authentication device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are exemplary and intended for the purpose of explaining the present application and are not to be construed as limiting the present application.
The following describes a single sign-on authentication method, a single sign-on authentication device, an electronic device and a storage medium according to embodiments of the present application with reference to the accompanying drawings.
The single sign-on authentication method of the embodiments of the present application is performed by a single sign-on authentication device (hereinafter referred to as the authentication device) provided by the embodiments of the present application, where the device is integrated in a subscriber identity module (Subscriber Identity Module, SIM) card or in a terminal device, so as to improve the reliability of single sign-on authentication.
In the present application, the first application and the second application may each include a corresponding client program and server program, and information related to the first application and the second application, such as accounts, relation indexes, association relations, user rights and security levels, may be stored in the corresponding client or server. The client can therefore query the server to obtain this information. For example, when the information related to the first application is stored in the corresponding server, the client may send an information acquisition request to the server to obtain the first relation index of the first application associated with the first user identifier.
Fig. 1 is a flowchart of a single sign-on authentication method according to an embodiment of the present application.
As shown in fig. 1, the single sign-on authentication method is performed by a SIM card, and includes the following steps:
Step 101, receiving a login authentication request for a first application to be jumped to, sent by a terminal device, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier.
The first user identifier is the user identifier corresponding to the login account of the second application at the time the second application triggers the login to the first application; the user identifier can be any information that uniquely identifies the user, such as a mobile phone number.
In the present application, after a user successfully logs in to a second application on a terminal device, whether by account and password, by SIM authentication or by SMS authentication, the user can click a link to a first application to trigger a login to the first application. The terminal device can confirm whether the user has logged in to the first application based on the information recorded in the cookie. If the first application is not logged in, the terminal device can query and determine the first relation index of the first application associated with the first user identifier. The first user identifier, the first relation index of the first application associated with the first user identifier, and so on, can then be encrypted using the public key corresponding to the SIM card to generate a first signature. A login authentication request for the first application is then generated based on the first signature, the first user identifier and the first relation index of the first application associated with the first user identifier, and sent to the SIM card. The SIM card thus receives the login authentication request for the first application.
In addition, after the user successfully logs in to the second application, the second application sends a first authorization token, authorized by the second application, to the terminal device. Thereafter the second application can be logged in to based on the token without entering a password.
Optionally, the second application may carry the first authorization token when jumping to the first application. The terminal device may then include the first authorization token in the login authentication request when the first application authenticates the login request from the second application. Therefore, after receiving the login authentication request, the SIM card can parse it to obtain the first authorization token.
Optionally, the terminal device may further obtain the preset security level of the first application from the system and include the security level in the login authentication request. Therefore, after receiving the login authentication request, the SIM card can parse it to obtain the security level of the first application, which ensures the accuracy of the determined security level of the first application.
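The terminal-side part of step 101 (cookie check, relation-index lookup, signing and request assembly), as an added example in Python; this is not code from the patent or its assignees. The phone numbers, application names, relation indexes, cookies and security levels are constructed sample data. The signature is an HMAC over the signed fields with a key the terminal shares with the SIM, used here as a stand-in for the public-key step the text describes (note that in a standard signature scheme the signer holds the private key and the verifier the public key, the reverse of the wording above). `signature_valid` shows the check the SIM performs on receipt, so that a tampered user identifier or relation index is rejected before the registry is consulted.

```python
import hashlib
import hmac
import json

# Constructed sample state of the terminal device (assumption, not from the patent).
SIM_KEY = b"constructed-shared-key"   # assumption: HMAC key standing in for the SIM key pair
COOKIES = {"app-mail": {"logged_in": False}, "app-chat": {"logged_in": True}}
# (user identifier, application identifier) -> relation index issued by the SIM at registration
RELATION_INDEX = {("13800000001", "app-mail"): "idx-mail-001",
                  ("13800000001", "app-chat"): "idx-chat-001"}
SECURITY_LEVELS = {"app-mail": 7, "app-chat": 3}  # assumption: preset per-application levels
SIGNED_FIELDS = ("user_id", "first_app", "relation_index")


def sign(fields: dict) -> str:
    """HMAC over a canonical JSON encoding of the signed fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIM_KEY, canonical, hashlib.sha256).hexdigest()


def build_login_request(user_id: str, first_app: str, first_token: str):
    """Terminal side of step 101: returns the login authentication request,
    or None when the cookie shows the first application is already logged in."""
    if COOKIES.get(first_app, {}).get("logged_in"):
        return None
    rel_index = RELATION_INDEX.get((user_id, first_app))
    if rel_index is None:
        raise LookupError(f"{user_id} has no single sign-on registration for {first_app}")
    body = {"user_id": user_id, "first_app": first_app, "relation_index": rel_index}
    return {**body,
            "signature": sign(body),
            "authorization_token": first_token,   # first authorization token of the second application
            "security_level": SECURITY_LEVELS[first_app]}


def signature_valid(request: dict) -> bool:
    """SIM side: recompute the MAC over the signed fields and compare in constant time."""
    body = {k: request[k] for k in SIGNED_FIELDS}
    return hmac.compare_digest(sign(body), request["signature"])
```

The authorization token and security level travel outside the signed fields, matching the optional placement described above; a deployment that wants them protected against modification in transit would add them to `SIGNED_FIELDS`.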
Step 102, on condition that verification of the first signature succeeds, determining an authentication policy based on the security level of the first application.
In this method, the first signature can be decrypted and verified using the private key stored in the SIM card, so as to ensure the security of authentication. In addition, authentication policies corresponding to different security levels can be set in advance in the SIM card system. Then, on condition that the first signature is verified successfully, the authentication policy corresponding to the security level can be looked up and determined, so that different authentication policies are applied to login authentication requests for applications of different security levels, meeting the requirements of different application scenarios. If verification of the first signature fails, it can be determined that the login authentication request fails authentication.
Optionally, the security level may represent the importance of the application. On condition that the first signature is verified successfully, the security level can be compared with a preset threshold. If the security level is greater than or equal to the preset threshold, the authentication policy is determined to be a high-security authentication policy. If the security level is smaller than the preset threshold, the authentication policy is determined to be a quick authentication policy.
In addition, when the login authentication request includes the security level of the first application, the login authentication request may be parsed to obtain the security level of the first application. Alternatively, the security level of the first application may be registered in the SIM card in advance and then determined by lookup.
Step 103, verifying the first relation index and the first user identifier, using the authentication policy and the association relation corresponding to the first application in the login registry, to determine an authentication result.
In this application, in order to implement single sign-on, the first application and the second application first need to be registered for single sign-on. The registration process is as follows: the user sets a target user identifier, a target application identifier and/or a target role identifier in a single sign-on system client deployed on the terminal device. When the user triggers the registration control in the client, the client generates a registration request based on the target user identifier, the target application identifier and/or the target role identifier, and sends the registration request to the SIM card. After receiving the registration request, if the association relation among the target user identifier, the target application identifier and/or the target role identifier is not yet registered, the SIM card generates a target relation index corresponding to that association relation and sends the target relation index to the terminal device. At the same time, the target relation index, the target user identifier, the target application identifier and/or the target role identifier are stored in association in the login registry. Thus the association of users, applications and/or roles is achieved.
The target application identifier may be any information that uniquely determines the target application, such as the name of the target application, and the target application may be the first application or the second application. The target user identifier is the user identifier set in the single sign-on system client by the user during registration. The target role identifier is the role information, such as ordinary employee or manager, that the target user identifier corresponds to in the target application. The target role identifier is used to authenticate the user's rights to log in to the first application.
In this application, when the authentication policy is a high-security authentication policy, authentication reference information sent by a second application may be received, where the authentication reference information includes a second user identifier, a second relation index of the first application associated with the second user identifier, a third relation index of the second application associated with the second user identifier, a second signature, and a second authorization token of the second application, the second application being the application that triggered the login to the first application. Authentication then succeeds on condition that the second signature is verified successfully, the second user identifier is the same as the first user identifier, the second relation index is the same as the first relation index, the second authorization token is the same as the first authorization token, and the login registry contains the first relation index and the third relation index. Authentication fails if the second signature fails verification, or the second user identifier differs from the first user identifier, or the second relation index differs from the first relation index, or the second authorization token differs from the first authorization token, or the login registry does not contain the first relation index or the third relation index.
When the authentication policy is a quick authentication policy, the third user identifier and the application identifier associated with the first relation index are looked up in the login registry. Authentication succeeds on condition that the third user identifier is the same as the first user identifier and the application identifier is the application identifier of the first application. Authentication fails if the login registry does not contain the application identifier of the first application, or the third user identifier differs from the first user identifier, or the application identifier is not the application identifier of the first application.
It will be appreciated that the first user identifier or the first relation index may be tampered with when an attacker attempts to log in to the first application, in which case the first relation index and the first user identifier no longer match the corresponding association relation in the login registry. Therefore, based on the association relation in the login registry in the SIM card, a login request sent under attack can be effectively identified.
Step 104, sending the authentication result to the terminal device.
In this application, the authentication result may be sent to the terminal device, so as to indicate whether the terminal device should execute the subsequent process of logging in to the first application.
Optionally, when authentication succeeds, a personal identification number (Personal Identification Number, PIN) code window is popped up to display prompt information about the jump to the first application. The prompt information may include the first application identifier and the second application identifier. After the user enters the PIN code and confirms, the SIM card receives the confirmation information corresponding to the prompt information; the confirmation information contains the PIN code entered by the user. When the PIN code is confirmed to have been entered correctly, the authentication result can be sent to the terminal device. This prevents a single login from being compromised and the compromise from spreading in a chain, further improving the reliability and security of login authentication.
In this method, after receiving a login authentication request for a first application to be jumped to, sent by a terminal device and comprising a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier, an authentication policy is determined based on the security level of the first application on condition that the first signature is verified successfully; the first relation index and the first user identifier are verified, using the authentication policy and the association relation corresponding to the first application in a login registry, to determine an authentication result; and the authentication result is sent to the terminal device. Because the authentication result is determined by verifying the first relation index and the first user identifier against the association relation corresponding to the first application in the login registry stored in the SIM card, a login request sent under attack can be effectively identified, and because different authentication policies are determined for different security levels of the first application, the authentication capability is extended. This improves the reliability of single sign-on authentication and expands the application scenarios of the single sign-on authentication method.
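The SIM-side procedure of steps 102 and 103, together with the registration process that builds the login registry, as one added example in Python; this is not code from the patent or its assignees. It covers both passages: `register` issues a relation index for a (user, application, role) association and stores it, `select_policy` applies the preset threshold of step 102, and `authenticate` dispatches to the quick check (registry lookup by relation index) or the high-security check (comparison against the second application's authentication reference information plus registry membership of both relation indexes). The threshold value, the identifiers and the HMAC-with-shared-key signature (a stand-in for the public-key step the text describes) are assumptions.

```python
import hashlib
import hmac
import json
import secrets

SIM_KEY = b"constructed-shared-key"   # assumption: HMAC key standing in for the SIM key pair
SECURITY_THRESHOLD = 5                # assumption: the "preset threshold" of step 102
REQUEST_SIGNED = ("user_id", "first_app", "relation_index")
REFERENCE_SIGNED = ("user_id", "first_app_index", "second_app_index", "authorization_token")


def _mac(fields: dict) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIM_KEY, canonical, hashlib.sha256).hexdigest()


def signed(msg: dict, keys) -> dict:
    """Terminal-side helper used only to construct sample messages for this example."""
    return {**msg, "signature": _mac({k: msg[k] for k in keys})}


def signature_ok(msg: dict, keys) -> bool:
    return hmac.compare_digest(_mac({k: msg[k] for k in keys}), msg.get("signature", ""))


def register(registry: dict, user_id: str, app_id: str, role_id=None) -> str:
    """Registration: issue a relation index for the association and store it.
    An association that is already registered keeps its existing index."""
    entry = {"user_id": user_id, "app_id": app_id, "role_id": role_id}
    for index, existing in registry.items():
        if existing == entry:
            return index
    index = "idx-" + secrets.token_hex(8)     # constructed index format (assumption)
    registry[index] = entry
    return index


def select_policy(security_level: int) -> str:
    """Step 102: level at or above the threshold -> high-security, otherwise quick."""
    return "high_security" if security_level >= SECURITY_THRESHOLD else "quick"


def quick_check(req: dict, registry: dict) -> bool:
    """Quick policy: the registry entry for the relation index must name the
    same user and the first application. A tampered index or user fails here."""
    entry = registry.get(req["relation_index"])
    return (entry is not None
            and entry["user_id"] == req["user_id"]
            and entry["app_id"] == req["first_app"])


def high_security_check(req: dict, ref: dict, registry: dict) -> bool:
    """High-security policy: cross-check against the second application's
    authentication reference information and require both indexes in the registry."""
    return (signature_ok(ref, REFERENCE_SIGNED)
            and ref["user_id"] == req["user_id"]
            and ref["first_app_index"] == req["relation_index"]
            and ref["authorization_token"] == req["authorization_token"]
            and req["relation_index"] in registry
            and ref["second_app_index"] in registry)


def authenticate(req: dict, registry: dict, ref=None) -> dict:
    """Steps 102-103 on the SIM: signature first, then the policy-specific check."""
    if not signature_ok(req, REQUEST_SIGNED):
        return {"ok": False, "policy": None, "reason": "signature check failed"}
    policy = select_policy(req["security_level"])
    if policy == "quick":
        ok = quick_check(req, registry)
    else:
        ok = ref is not None and high_security_check(req, ref, registry)
    return {"ok": ok, "policy": policy, "reason": None if ok else "policy check failed"}
```

The two failure paths are deliberately distinct: a request whose signed fields were altered after signing is rejected by the signature check alone, while a request that was re-signed with a relation index the SIM never issued passes the signature check and is caught by the registry lookup, which is the attack the text says the registry is there to detect.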
Fig. 2 is a flowchart of a single sign-on authentication method according to an embodiment of the present application.
As shown in fig. 2, the single sign-on authentication method is performed by a SIM card, and includes the following steps:
Step 201, receiving a login authentication request of a first application to be skipped sent by a terminal device, wherein the login authentication request comprises a first signature, a first user identifier, a first relation index of the first application associated with the first user identifier, and a first authorization token of a second application.
Step 202, in case of successful verification of the first signature, determining an authentication policy based on the security level of the first application.
In this application, the specific implementation process of step 201 to step 202 may be referred to the detailed description of any embodiment of the present application, and will not be repeated herein.
Step 203, receiving authentication reference information of a second application sent by the terminal device under the condition that the authentication policy is a high security authentication policy, wherein the authentication reference information includes a second user identifier, a second relationship index of a first application associated with the second user identifier, a third relationship index of a second application associated with the second user identifier, a second signature, and a second authorization token of the second application, and the second application is an application triggering login to the first application.
In the application, when the authentication policy is a high security authentication policy, the terminal device sends a login authentication request to the SIM card, or before receiving an authentication result sent by the SIM card and verifying the first relationship index and the first user identifier according to the security level, the first application may send login confirmation information to the second application. After receiving the login confirmation information, the second application can send authentication reference information to the SIM card through the terminal equipment, wherein the authentication reference information comprises a second user identifier, a second relation index of a first application associated with the second user identifier, a third relation index of a second application associated with the second user identifier, a second signature and a second authorization token of the second application. Thus, the SIM card can acquire the authentication reference information.
Optionally, when the security level is a preset level and the authentication policy corresponding to the preset level is a high security authentication policy, the second application may send authentication reference information to the SIM card when triggering the jump to the first application. Thus, the SIM card can acquire the authentication reference information. The SIM card can determine whether the second application triggers the login of the first application based on the authentication reference information, and verify the validity of the login authentication request.
The second user identifier is a user identifier corresponding to the current login account of the second application. The second authorization token is an authorization token for the second application to currently log into the account. The second signature is generated by encrypting the second user identifier, a second relation index of the first application associated with the second user identifier, a third relation index of the second application associated with the second user identifier, a second authorization token and the like by the terminal equipment through a public key corresponding to the SIM card. The second relationship index of the first application associated with the second user identification and the third relationship index of the second application associated with the second user identification can be obtained through inquiry.
Step 204: authentication succeeds when verification of the second signature succeeds, the second user identifier is the same as the first user identifier, the second relationship index is the same as the first relationship index, the second authorization token is the same as the first authorization token, and the login registry contains both the first relationship index and the third relationship index.
In this method, the second signature is decrypted and checked with the private key stored in the SIM card to protect the authentication. (As described, the "signature" is produced with the SIM card's public key and checked with its private key; a conventional digital signature works the other way round, with the signer holding the private key. Verification here therefore shows that the enclosed fields match the message, not which party produced it.) Comparing the second user identifier with the first user identifier verifies the user. Comparing the second relationship index with the first relationship index verifies the application to be jumped to. When the second user identifier equals the first user identifier and the second relationship index equals the first relationship index, it is determined that the second application really triggered the login of the first application. It is then determined whether the login registry contains the first relationship index and the third relationship index. If it does, both the first application and the second application have been registered for single sign-on in the SIM card, and both logins are determined to be legal. Comparing the second authorization token with the first authorization token confirms that the second application can jump directly to the first application.
Authentication therefore succeeds only when verification of the second signature succeeds, the second user identifier is the same as the first user identifier, the second relationship index is the same as the first relationship index, the second authorization token is the same as the first authorization token, and the login registry contains the first relationship index and the third relationship index.
Optionally, the third user identifier and the application identifier associated with the first relationship index in the login registry may also be determined. Authentication then succeeds only when, in addition to the conditions above, the third user identifier is the same as the first user identifier and the application identifier is the application identifier of the first application. This further improves the reliability and security of single sign-on authentication.
Therefore, when verifying whether the second application truly triggers the login of the first application, the validity of the login of the first application and the second application is verified, and the two-way authentication of the first application and the second application is realized, so that the security and the reliability of single sign-on authentication are improved.
Step 205: authentication fails when verification of the second signature fails, or the second user identifier differs from the first user identifier, or the second relationship index differs from the first relationship index, or the second authorization token differs from the first authorization token, or the login registry does not contain the first relationship index or the third relationship index.
Step 206: the authentication result is sent to the terminal device.
In this application, for the specific implementation of step 206 refer to any embodiment of the present application; it is not repeated here.
In this application, after receiving the login authentication request of the first application to be jumped to, sent by the terminal device and comprising the first signature, the first user identifier, the first relationship index of the first application and the first authorization token of the second application, the SIM card determines an authentication policy based on the security level of the first application once the first signature is verified successfully. When the authentication policy is a high security authentication policy, it receives the authentication reference information sent by the second application through the terminal device, comprising the second user identifier, the second relationship index of the first application associated with the second user identifier, the third relationship index of the second application associated with the second user identifier, the second signature and the second authorization token of the second application. Authentication succeeds when the second signature is verified successfully, the second user identifier is identical to the first user identifier, the second relationship index is identical to the first relationship index, the second authorization token is identical to the first authorization token, and the login registry contains the first relationship index and the third relationship index; it fails when any one of these conditions does not hold.
Therefore, when verifying whether the second application really triggered the login of the first application, the validity of the logins of both the first application and the second application is verified. This realizes SIM-card-based two-way authentication between the first application and the second application and supports secure interconnection between them, improving the security, reliability and convenience of single sign-on.
Fig. 3 is a flowchart of a single sign-on authentication method according to an embodiment of the present application.
As shown in fig. 3, the single sign-on authentication method is performed by a SIM card, and includes the following steps:
step 301, receiving a login authentication request of a first application to be skipped sent by a terminal device, where the login authentication request includes a first signature, a first user identifier, and a first relationship index of the first application associated with the first user identifier.
In step 302, in case the verification of the first signature is successful, an authentication policy is determined based on the security level of the first application.
In this application, for the specific implementation of steps 301 and 302 refer to the detailed description in any embodiment of the present application; it is not repeated here.
Step 303, under the condition that the authentication policy is a fast authentication policy, inquiring and obtaining a third user identifier and an application identifier associated with the first relation index in the login registry.
In the application, under the condition that the authentication policy is a fast authentication policy, the login registry can be queried based on the first relationship index, and the third user identifier and the application identifier associated with the first relationship index can be obtained. And verifying the login authentication request according to the third user identifier and the application identifier.
Step 304, in the case that the third user identifier is the same as the first user identifier and the application identifier is the application identifier of the first application, authentication is successful.
In this application, when the third user identifier is the same as the first user identifier and the application identifier is the application identifier of the first application, the user corresponding to the first user identifier has been registered in the SIM card for the first application, and authentication is determined to be successful.
In step 305, authentication fails in the case that the login registry does not contain the first relationship index, or the third user identification is different from the first user identification, or the application identification is not the application identification of the first application.
In this application, when the login registry does not contain the first relationship index, or the third user identifier differs from the first user identifier, or the application identifier is not the application identifier of the first application, the user corresponding to the first user identifier has not been registered in the SIM card for the first application, and authentication is determined to have failed.
Optionally, the login authentication request may further include a first role identifier associated with the first user identifier. The second role identifier associated with the first relationship index in the login registry is then queried and compared with the first role identifier. When the two are the same, the user permission authentication of the login request for the first application is determined to pass. This prevents tampering with the user's permissions and further improves the reliability of single sign-on authentication.
Step 306: the authentication result is sent to the terminal device.
In this application, for the specific implementation of step 306 refer to the detailed description in any embodiment of the present application; it is not repeated here.
In this application, when the authentication policy is a fast authentication policy, the third user identifier and the application identifier associated with the first relationship index in the login registry are queried. If the third user identifier is the same as the first user identifier and the application identifier is the application identifier of the first application, authentication succeeds; if the login registry does not contain the first relationship index, or the third user identifier differs from the first user identifier, or the application identifier is not the application identifier of the first application, authentication fails. This realizes fast authentication based on the SIM card and improves the security, reliability and efficiency of single sign-on authentication.
Fig. 4 is a flowchart of a single sign-on authentication method according to an embodiment of the present application.
As shown in fig. 4, the single sign-on authentication method is performed by a terminal device, and includes the following steps:
step 401, determining whether the first application is logged in or not in response to the second application triggering the jump to the first application.
In this application, after a user has logged in to the second application on the terminal device by account and password, by SIM authentication, or by SMS authentication, the user can click a link to the first application to trigger a login to the first application. The terminal device can confirm from the information recorded in the cookie whether the user is already logged in to the first application.
In addition, after the user successfully logs in to the second application, the second application sends the first authorization Token, issued by the second application, to the terminal device. Thereafter the second application can be logged in to based on the Token without entering a password.
Alternatively, the second application may jump to the first application carrying the first authorization token. Therefore, the first application can acquire the first authorization token so that the subsequent first application can directly jump back to the second application, and interconnection and intercommunication between the second application and the first application are realized.
In this application, to implement single sign-on the first application and the second application must be registered in advance. The registration process is as follows: the user sets a target user identifier, a target application identifier and/or a target role identifier in the single sign-on system client deployed on the terminal device. When the user triggers the registration control in the client, the client generates a registration request from the target user identifier and the target application identifier and sends it to the SIM card. After receiving the registration request, the SIM card, provided that the association among the target user identifier, the target application identifier and/or the target role identifier is not yet registered, generates a target relationship index corresponding to that association and sends it to the terminal device. The terminal device thus obtains the target relationship index corresponding to the registered association and stores it together with the target user identifier, the target application identifier and/or the target user role.
The target application identifier may be any information for uniquely determining the target application, such as a name of the target application, and the target application may be the first application or the second application. The target user identifier is a user identifier set in the single sign-on system client by the user during registration. The target role identifier is role information, such as a common employee, a manager and the like, of a target user identifier, wherein the role information corresponds to the user in the target application.
Step 402, sending a login authentication request to the SIM card when the first application is not logged in, where the login authentication request includes a first signature, a first user identifier, and a relationship index of the first application associated with the first user identifier.
The first user identifier is a user identifier corresponding to a login account of the second application when the second application triggers the login of the first application, and the user identifier can be any information used for uniquely identifying the user, such as a mobile phone number.
In this application, the terminal device queries the first relationship index of the first application associated with the first user identifier. It then encrypts the first user identifier, the first relationship index of the first application associated with the first user identifier, and the like with the public key corresponding to the SIM card to generate the first signature, generates the login authentication request of the first application from the security level of the first application, the first signature, the first user identifier and the first relationship index, and sends it to the SIM card.
Optionally, when the first application authenticates the login request from the second application, the first authorization token may be placed in the login authentication request so that the SIM card checks its correctness, improving the reliability of single sign-on.
Optionally, the terminal device may obtain a preset security level of the first application from the system, so as to facilitate subsequent login authentication processing based on an authentication policy corresponding to the security level. Meanwhile, the security level can be configured in the login authentication request and sent to the SIM card, so that the SIM card can accurately determine the security level of the first application.
Step 403, receiving an authentication result sent by the SIM card and used for verifying the first relationship index and the first user identifier according to the security level of the first application.
In the application, after receiving a login authentication request, the SIM card determines an authentication policy based on a security level under the condition that the first signature is checked successfully. And then, checking the first relation index and the first user identification by using the authentication strategy and the association relation corresponding to the first application in the login registry to determine an authentication result, and sending the authentication result to the terminal equipment. Therefore, the terminal equipment can receive the authentication result corresponding to the login authentication request sent by the SIM card.
Optionally, when the security level of the first application is a preset level, the authentication policy corresponding to the preset level is a high security authentication policy. The first application may send login confirmation information to the second application at the same time as the login authentication request is sent to the SIM card, or at any point before the authentication result (the SIM card's check of the first relationship index and the first user identifier according to the security level) is received. After receiving the login confirmation information, the second application sends authentication reference information to the SIM card through the terminal device, comprising a second user identifier, a second relationship index of the first application associated with the second user identifier, a third relationship index of the second application associated with the second user identifier, a second signature, and a second authorization token of the second application.
Optionally, when the security level of the first application is a preset level, the second application may send authentication reference information to the SIM card through the terminal device when the second application triggers to jump to the first application. The SIM card can determine whether the second application triggers the login of the first application based on the authentication reference information, and verify the validity of the login authentication request.
The second user identifier is the user identifier corresponding to the account currently logged in to the second application. The second authorization token is the authorization token of that currently logged-in account. The second signature is generated by the terminal device by encrypting the second user identifier, the second relationship index of the first application associated with the second user identifier, the third relationship index of the second application associated with the second user identifier, the second authorization token and the like with the public key corresponding to the SIM card. The second relationship index and the third relationship index are obtained by query.
Step 404, determining whether to log in the first application according to the authentication result.
In this application, if authentication succeeds, the subsequent login processing of the first application is executed; if it fails, the flow jumps to the login page.
In this method, whether the first application is logged in is determined in response to the second application triggering the jump to the first application; when the first application is not logged in, a login authentication request comprising the first signature, the first user identifier and the relationship index of the first application associated with the first user identifier is sent to the SIM card; the authentication result, produced by the SIM card checking the first relationship index and the first user identifier according to the security level of the first application, is then received, and whether to log in to the first application is decided from it. Because the authentication result is determined by the SIM card checking the first relationship index and the first user identifier, forged login requests from an attacker can be identified, and because different authentication policies are selected for different security levels of the first application, the authentication capability is extended. This improves the reliability of single sign-on authentication and widens the application scenarios of the method.
Fig. 5 is an interaction schematic diagram of single sign-on authentication according to an embodiment of the present application. As shown in fig. 5, the steps are as follows:
(1) In response to the second application (system A) triggering the jump to the first application (system B), the terminal device sends a login authentication request to the SIM card carrying the first user identifier (phone number phone1) and the cookie of system A or the first authorization token Atoken1.
The login authentication request message sent to the SIM card by the system B is:
sendB=BSystemID1+phone1+Atoken1+Sign(BSystemID1+phone1+Atoken1)
where BSystemID1 is the first relationship index of the first application associated with the first user identifier, and Sign(BSystemID1+phone1+Atoken1) is the first signature generated over BSystemID1, phone1 and Atoken1.
(2) When the security level of the first application is the preset level whose authentication policy is the high security authentication policy, the terminal device simultaneously requests system A to send authentication reference information to the super SIM card.
The login confirmation information sent to the system A by the system B is:
reqB=BSystemID1+phone1+Atoken1+Sign(BSystemID1+phone1+Atoken1)
(3) After receiving the login confirmation information of system B, system A sends, through the terminal device, the second user identifier phone2 corresponding to its currently logged-in account, the third relationship index ASystemID1 of system A associated with the second user identifier, its current Token (the second authorization token Atoken2), and BSystemID2, the relationship index associated with the second user identifier of the target application currently requested to be jumped to, to the SIM card, which stores them in the super SIM card;
Authentication reference information sent to the SIM card by system a:
sendA=ASystemID1+phone2+Atoken2+BSystemID2+Sign(ASystemID1+phone2+Atoken2+BSystemID2)
where Sign(ASystemID1+phone2+Atoken2+BSystemID2) is the second signature.
(4) After receiving the information from system A and system B, the SIM card verifies the signatures and analyses the fields to confirm whether the login authentication request of system B is legal. If the login of system B triggered by system A is legal, an authentication success result is returned to the terminal device. If the request is illegal, or system A did not trigger the login of system B, an authentication failure result is returned to the terminal device.
The request legality judgment is as follows: verify the signature Sign and confirm whether the system set (the login registry) contains BSystemID1 and ASystemID1. If verification passes and both BSystemID1 and ASystemID1 are in the system set, the request is determined to be legal; if verification fails, or either of them is missing from the system set, the request is determined to be illegal.
Whether system A triggered the login of system B is judged as follows: verify whether BSystemID2 and BSystemID1, phone2 and phone1, and Atoken2 and Atoken1 in sendA and sendB agree. If all three pairs agree, the login of system B is determined to have been triggered by system A; if any pair disagrees, system A is determined not to have triggered the login of system B.
(5) If the analysis in (4) fails, the login to system B does not pass and the flow jumps to the login page. If authentication succeeds, the SIM card pops up a PIN code window showing the identifier (for example the application name) of system A and the identifier of system B, so that the user confirms the login a second time. If PIN confirmation succeeds, an authentication success result is returned to the terminal device, the subsequent login processing of system B is executed, the session and cookie are set, and the two-way login authentication between systems A and B is complete.
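The Fig. 5 exchange, steps (1) to (4), and the step 204/205 decision it implements, as an added example that is not part of the patent or of any implementation by the applicant. It assumes a field-keyed JSON encoding for sendB and sendA, because the patent's "+" notation does not say how the fields are delimited and a delimiter-free concatenation cannot be parsed back unambiguously. It also stands in for Sign() with HMAC-SHA256 keyed by a secret shared between the terminal and the SIM card, since the patent's Sign() is public-key encryption under the SIM card's public key checked by decryption with the SIM card's private key, which the standard library alone cannot reproduce. The key, registry entries, phone numbers, tokens and relation indexes are constructed, and the first application identifier "SystemB" is an assumption.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the SIM card's key material (hypothetical value).
SIM_KEY = b"example-sim-key-not-from-the-patent"


def sign(fields):
    """Sign() over the message fields. Canonical JSON gives an unambiguous byte
    string to authenticate; plain concatenation of the fields would not."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIM_KEY, payload, hashlib.sha256).hexdigest()


def verify(msg):
    """Signature check the SIM card performs on a received message."""
    fields = {k: v for k, v in msg.items() if k != "Sign"}
    return hmac.compare_digest(sign(fields), msg.get("Sign", ""))


def build_send_b(bsystemid1, phone1, atoken1):
    """Step (1): sendB, the login authentication request for system B."""
    fields = {"BSystemID1": bsystemid1, "phone1": phone1, "Atoken1": atoken1}
    return {**fields, "Sign": sign(fields)}


def build_send_a(asystemid1, phone2, atoken2, bsystemid2):
    """Step (3): sendA, the authentication reference information from system A."""
    fields = {"ASystemID1": asystemid1, "phone2": phone2,
              "Atoken2": atoken2, "BSystemID2": bsystemid2}
    return {**fields, "Sign": sign(fields)}


def sim_authenticate_high_security(send_b, send_a, login_registry, first_app_id="SystemB"):
    """Step (4): the SIM card's decision under the high security policy.
    login_registry maps a relation index to its (user identifier, application
    identifier). Returns (authenticated, reason)."""
    # Request legality: both signatures verify and both indexes are in the system set.
    if not (verify(send_b) and verify(send_a)):
        return False, "signature verification failed"
    if send_b["BSystemID1"] not in login_registry:
        return False, "BSystemID1 not in login registry"
    if send_a["ASystemID1"] not in login_registry:
        return False, "ASystemID1 not in login registry"
    # Optional check of the patent: the entry behind BSystemID1 must belong to
    # the requesting user and to the first application.
    if login_registry[send_b["BSystemID1"]] != (send_b["phone1"], first_app_id):
        return False, "BSystemID1 registered for a different user or application"
    # Did system A really trigger this login? All three field pairs must agree.
    for a_key, b_key in (("BSystemID2", "BSystemID1"),
                         ("phone2", "phone1"),
                         ("Atoken2", "Atoken1")):
        if send_a[a_key] != send_b[b_key]:
            return False, f"{a_key} differs from {b_key}: system A did not trigger this login"
    return True, "login of system B triggered by system A is legal"


# Constructed sample registry: both systems registered for the same user.
LOGIN_REGISTRY = {
    "B-0001": ("13800000001", "SystemB"),
    "A-0001": ("13800000001", "SystemA"),
}


def demo():
    """Genuine exchange, a tampered sendB, and system A logged in as another user."""
    send_b = build_send_b("B-0001", "13800000001", "Atoken-1")
    send_a = build_send_a("A-0001", "13800000001", "Atoken-1", "B-0001")
    results = {"genuine": sim_authenticate_high_security(send_b, send_a, LOGIN_REGISTRY)}
    # A relayed sendB with the user identifier swapped no longer verifies.
    forged = dict(send_b, phone1="13800000002")
    results["tampered"] = sim_authenticate_high_security(forged, send_a, LOGIN_REGISTRY)
    # System A's current account is a different user: the phone pair disagrees.
    other = build_send_a("A-0001", "13800000002", "Atoken-1", "B-0001")
    results["other_account"] = sim_authenticate_high_security(send_b, other, LOGIN_REGISTRY)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The order of the checks follows the patent's two-stage judgment: request legality (signatures and registry membership) first, then the three-pair comparison that establishes that system A triggered this particular login. The PIN confirmation of step (5) is a user-interface step that sits after a successful return from this function.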
Fig. 6 is an interactive schematic diagram of another single sign-on authentication according to an embodiment of the present application. As shown in fig. 6, the steps are as follows:
(1) System A (the second application) configures the URL for accessing system B (the first application) and points it at an address that system B has authorized;
(2) After the user clicks the authorized URL on system A, a login request is sent to system B, which triggers system B's login authentication request flow.
The login request includes the first user identifier phone1, the first user role role1, the jump-back address for which access permission is requested, and the ICCID of the SIM card; this information can be obtained from the SystemCollection in the super SIM card. If the SystemCollection in the SIM card holds no information related to system B, the current mobile phone number is obtained through number acquisition and sent to system B as the first user identifier.
(3) After receiving the login request, system B confirms that it is not logged in and that its security level is the second level, whose authentication policy is the fast authentication policy, and sends a login authentication request to the SIM card to authenticate the login request from system A. After authentication succeeds, the requested permission is confirmed.
The login authentication request message sent to the SIM card by the system B is:
sendB=BSystemID1+phone1+Atoken1+Sign(BSystemID1+phone1+Atoken1)
where BSystemID1 is the first relationship index of the first application associated with the first user identifier, and Sign(BSystemID1+phone1+Atoken1) is the first signature generated over BSystemID1, phone1 and Atoken1.
The SIM card queries the login registry to determine the second user identifier phone2 and the second user role role2 associated with BSystemID1. If phone2 is the same as phone1 and role1 is the same as role2, the user corresponding to the first user identifier is registered in the SIM card for the first application with the first user role, and authentication succeeds.
If the login registry does not contain BSystemID1, authentication fails. Alternatively, if the login registry does not contain BSystemID1, the mobile phone number corresponding to the SIM card is obtained through base-station number acquisition and fed back to system B as the second user identifier.
System B then queries whether a user corresponding to the second user identifier exists in the system. If so, it obtains the second user role associated with the second user identifier, the second user identifier and the second role are implicitly registered in the super SIM card, and the user is logged in to system B.
After the login request from system A is authenticated, system B further confirms the user's requested permission: permission authentication passes when the permission requested by system A does not exceed the permission range of the second user role in system B. For example, after the login request from system A is authenticated, system B obtains the second user role role2 associated with BSystemID1 from the SIM card and queries the permission range corresponding to role2. If the permission requested by system A lies within that range, permission authentication passes; if it lies outside that range, permission authentication fails.
(4) After the authentication passes, system B issues a Token for accessing system B to system A, completing the login to system B.
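The Fig. 6 flow on the SIM-card and system-B sides, covering the registration step described for Fig. 4 (a relation index is generated only for an association not yet registered), the fast authentication policy of steps 303 to 305 with the optional role comparison, the number-acquisition fallback when the registry has no entry for BSystemID1, and the permission-range check. This is an added example, not code from the patent or from the applicant. The registry class, the way relation indexes are generated (random suffix), the system B user table, the role permission ranges, the phone numbers and the application identifier "SystemB" are all constructed assumptions.

```python
import secrets


class SimLoginRegistry:
    """Stand-in for the login registry (SystemCollection) on the SIM card: each
    relation index maps to one registered (user identifier, application
    identifier, role identifier) association. Constructed for this example."""

    def __init__(self):
        self._entries = {}

    def register(self, user_id, app_id, role_id):
        """Registration request: a new relation index is generated only when the
        association is not yet registered; otherwise the existing one is returned."""
        for index, entry in self._entries.items():
            if entry == (user_id, app_id, role_id):
                return index
        index = f"{app_id}-{secrets.token_hex(4)}"  # assumed index format
        self._entries[index] = (user_id, app_id, role_id)
        return index

    def lookup(self, index):
        return self._entries.get(index)


def sim_authenticate_fast(registry, request, first_app_id):
    """Steps 303 to 305 plus the optional role comparison: look up phone2/role2
    behind BSystemID1 and compare with phone1/role1. Returns (ok, detail)."""
    entry = registry.lookup(request["BSystemID1"])
    if entry is None:
        return False, "not registered"
    phone2, app_id, role2 = entry
    if app_id != first_app_id:
        return False, "application identifier mismatch"
    if phone2 != request["phone1"]:
        return False, "user identifier mismatch"
    if request.get("role1") is not None and role2 != request["role1"]:
        return False, "role identifier mismatch"
    return True, role2


# Constructed user table and role permission ranges of system B.
SYSTEM_B_USERS = {"13800000001": "manager", "13800000002": "employee"}
ROLE_PERMISSIONS = {"employee": {"read"}, "manager": {"read", "write", "approve"}}


def system_b_handle_login(registry, request, requested, number_acquired_phone):
    """System B's side of Fig. 6 steps (3) and (4). requested is the set of
    permissions system A asks for; number_acquired_phone is the mobile number
    obtained through base-station number acquisition, used only when the SIM
    card has no entry for BSystemID1."""
    ok, detail = sim_authenticate_fast(registry, request, "SystemB")
    if ok:
        role = detail
    elif detail == "not registered":
        # Fallback: the acquired number is fed back as the second user identifier.
        role = SYSTEM_B_USERS.get(number_acquired_phone)
        if role is None:
            return {"status": "login page", "reason": "unknown user"}
        # Implicit registration of the second user identifier and role in the SIM card.
        registry.register(number_acquired_phone, "SystemB", role)
    else:
        return {"status": "login page", "reason": detail}
    # Permission authentication: the request must stay within the role's range.
    if not set(requested) <= ROLE_PERMISSIONS[role]:
        return {"status": "permission denied", "role": role}
    return {"status": "logged in", "role": role,
            "token_for_system_a": secrets.token_urlsafe(16)}


if __name__ == "__main__":
    reg = SimLoginRegistry()
    idx = reg.register("13800000001", "SystemB", "manager")
    print(system_b_handle_login(reg, {"BSystemID1": idx, "phone1": "13800000001",
                                      "role1": "manager"}, {"read", "approve"}, None))
    print(system_b_handle_login(reg, {"BSystemID1": "B-none", "phone1": "13800000002",
                                      "role1": None}, {"delete"}, "13800000002"))
```

The role comparison inside the SIM card is what the patent relies on to catch a tampered role1; the permission-range check afterwards is system B's own authorization decision and is deliberately kept separate from the authentication result.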
In order to achieve the above embodiment, the present application further provides a single sign-on authentication device.
Fig. 7 is a schematic structural diagram of a single sign-on authentication device according to an embodiment of the present application.
As shown in fig. 7, the single sign-on authentication device is applied to a SIM card side and includes a transceiver module 710, a determining module 720, and a checking module 730.
The transceiver module 710 is configured to receive a login authentication request of a first application to be skipped sent by a terminal device, where the login authentication request includes a first signature, a first user identifier, and a first relationship index of the first application associated with the first user identifier;
a determining module 720, configured to determine an authentication policy based on the security level of the first application if verification of the first signature is successful;
the verification module 730 is configured to verify the first relationship index and the first user identifier by using the authentication policy and the association relationship corresponding to the first application in the login registry to determine an authentication result;
the transceiver module 710 is configured to send the authentication result to the terminal device.
Further, in a possible implementation of the embodiment of the present application, the login authentication request further includes a first authorization token of the second application, and when the authentication policy is a high security authentication policy the verification module 730 is configured to:
receiving authentication reference information of a second application sent by a terminal device, wherein the authentication reference information comprises a second user identifier, a second relation index of a first application associated with the second user identifier, a third relation index of a second application associated with the second user identifier, a second signature and a second authorization token of the second application, and the second application is an application triggering login of the first application;
Under the conditions that the second signature verification is successful, the second user identifier is the same as the first user identifier, the second relation index is the same as the first relation index, the second authorization token is the same as the first authorization token, and the login registry contains the first relation index and the third relation index, the authentication is successful;
and if the second signature fails to check, or the second user identifier is different from the first user identifier, or the second relation index is different from the first relation index, or the second authorization token is different from the first authorization token, and the login registry does not contain the first relation index or the third relation index, the authentication fails.
Further, in a possible implementation of the embodiment of the present application, in the case where the authentication policy is a fast authentication policy, the verification module 730 is configured to:
query the login registry for the third user identifier and the application identifier associated with the first relationship index;
determine that authentication succeeds when the third user identifier is the same as the first user identifier and the application identifier is the application identifier of the first application;
determine that authentication fails if the login registry does not contain the first relationship index, or the third user identifier differs from the first user identifier, or the application identifier is not the application identifier of the first application.
Further, in a possible implementation of the embodiment of the present application, the transceiver module 710 is configured to:
when authentication succeeds, pop up a personal identification number (PIN) code window that displays a prompt for the jump to the first application;
after receiving the confirmation corresponding to the prompt, send the authentication result to the terminal device.
Further, in a possible implementation of the embodiment of the present application, the device further includes a registration module, configured to:
receive a registration request of a target application sent by the terminal device, where the target application is the first application or the second application, and the registration request includes a target user identifier, a target application identifier and/or a target user role;
determine whether the association relationship among the target user identifier, the target application identifier and/or the target user role is already registered;
if it is not registered, generate a target relationship index, send the target relationship index to the terminal device, and store the target relationship index in the login registry in association with the target user identifier, the target application identifier and/or the target user role, where the target user role is used to authenticate the user's permissions when logging in to the first application.
It should be noted that the foregoing explanation of the embodiment of the single sign-on authentication method performed by the SIM card is also applicable to the single sign-on authentication device applied to the SIM card side in this embodiment, and will not be repeated here.
In this device, after receiving a login authentication request for a first application that is to be jumped to, sent by a terminal device and including a first signature, a first user identifier and a first relationship index of the first application, the SIM card determines an authentication policy based on the security level of the first application once the first signature is verified successfully, verifies the first relationship index and the first user identifier using that policy and the association relationship corresponding to the first application in the login registry to obtain an authentication result, and sends the authentication result to the terminal device. Because the result is determined by checking the first relationship index and the first user identifier against the association relationship stored for the first application in the login registry on the SIM card, a tampered or forged login request can be identified, and because different authentication policies are chosen for different security levels of the first application, the authentication capability is extended. This improves the reliability of single sign-on authentication and widens the scenarios in which the single sign-on authentication method can be applied.
In order to achieve the above embodiment, the present application further provides a single sign-on authentication device.
Fig. 8 is a schematic structural diagram of a single sign-on authentication device according to an embodiment of the present application.
As shown in fig. 8, the single sign-on authentication device is applied to a terminal device side and includes a confirmation module 810, a transceiver module 820, and a processing module 830.
A confirmation module 810, configured to determine whether the first application is logged in, in response to the second application triggering a jump to the first application;
the transceiver module 820 is configured to send a login authentication request to the SIM card when the first application is not logged in, where the login authentication request includes a first signature, a first user identifier, and a first relationship index of the first application associated with the first user identifier;
the transceiver module 820 is further configured to receive the authentication result sent by the SIM card after it verifies the first relationship index and the first user identifier according to the security level of the first application;
and a processing module 830, configured to determine whether to log in to the first application according to the authentication result.
Further, in one possible implementation manner of the embodiment of the present application, the login authentication request further includes a first authorization token of the second application, and the transceiver module 820 is further configured to:
And triggering the second application to send authentication reference information to the SIM card under the condition that the security level of the first application is a preset level, wherein the authentication reference information comprises a second user identifier, a second relation index of the first application associated with the second user identifier, a third relation index of the second application associated with the second user identifier, a second signature and a second authorization token of the second application.
Further, in a possible implementation of the embodiment of the present application, the device further includes a registration module, configured to:
in response to the target application triggering registration for login authentication, send a registration request of the target application to the SIM card, where the target application is the first application or the second application, and the registration request includes a target user identifier, a target application identifier and/or a target user role;
receive, from the SIM card, the target relationship index that corresponds to the registered association among the target user identifier, the target application identifier and/or the target user role.
It should be noted that the foregoing explanation of the embodiment of the single sign-on authentication method performed by the terminal device is also applicable to the single sign-on authentication device applied to the terminal device side of this embodiment, and will not be repeated herein.
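The SIM-side procedure of modules 710-730 (registration into the login registry, the fast policy and the high-security policy) and the terminal-side flow of modules 810-830 above, modelled together as one runnable example. This is added example code, not the patent's or the applicant's implementation. The page does not specify the signature algorithm, how keys are provisioned to the SIM, or any message encoding, so the model assumes a per-application HMAC-SHA256 key shared between each application and the SIM in place of the "signature", uses a random hex string as the relationship index, and the application names, keys and tokens in `demo()` are constructed. The PIN confirmation window is user interaction and is left out.

```python
# Added example, not code from the patent: the page leaves the signature scheme, key provisioning
# and encodings open, so this model uses a per-app HMAC-SHA256 key shared with the SIM as the
# "signature" and a random hex string as the relation index (all names and keys are made up).
import hashlib, hmac, secrets
from collections import namedtuple
from typing import Optional

FAST, HIGH = "fast", "high"  # the two authentication policies on the page

# terminal -> SIM for the first (target) application: first user identifier, first relation index,
# first authorization token of the second app (high policy only), first signature
LoginRequest = namedtuple("LoginRequest", "app_id user_id rel_index auth_token signature")
# second (triggering) app -> SIM under the high policy: second user identifier, second relation index
# (the first app's, as held by the second app), third relation index (its own), second token, second signature
ReferenceInfo = namedtuple("ReferenceInfo", "app_id user_id first_app_rel own_rel auth_token signature")

def sign(key: bytes, *fields: Optional[str]) -> bytes:  # stand-in signature (assumption)
    return hmac.new(key, "|".join(f or "" for f in fields).encode(), hashlib.sha256).digest()

class SimCard:
    def __init__(self, app_keys: dict, security_levels: dict):
        self._keys, self._levels = dict(app_keys), dict(security_levels)
        self._registry = {}  # login registry: relation index -> (user id, app id, role)

    def register(self, app_id: str, user_id: str, role: Optional[str] = None) -> str:  # claim 5
        assoc = (user_id, app_id, role)
        for idx, existing in self._registry.items():
            if existing == assoc:
                return idx  # already registered; the page leaves this branch open, reuse is an assumption
        idx = secrets.token_hex(16)
        self._registry[idx] = assoc
        return idx

    def _verified(self, app_id: str, sig: bytes, *fields: Optional[str]) -> bool:
        key = self._keys.get(app_id)
        return key is not None and hmac.compare_digest(sig, sign(key, *fields))

    def authenticate(self, req: LoginRequest, ref: Optional[ReferenceInfo] = None) -> bool:  # claim 1
        if not self._verified(req.app_id, req.signature, req.app_id, req.user_id, req.rel_index, req.auth_token):
            return False
        policy = self._levels.get(req.app_id, HIGH)  # unknown application: strictest policy
        return self._fast(req) if policy == FAST else self._high(req, ref)

    def _fast(self, req: LoginRequest) -> bool:  # claim 3: the index must resolve to this user and this app
        assoc = self._registry.get(req.rel_index)
        return assoc is not None and assoc[0] == req.user_id and assoc[1] == req.app_id

    def _high(self, req: LoginRequest, ref: Optional[ReferenceInfo]) -> bool:  # claim 2
        if ref is None or req.auth_token is None or not self._verified(
                ref.app_id, ref.signature, ref.app_id, ref.user_id, ref.first_app_rel, ref.own_rel, ref.auth_token):
            return False
        return (ref.user_id == req.user_id and ref.first_app_rel == req.rel_index
                and hmac.compare_digest(ref.auth_token, req.auth_token)
                and req.rel_index in self._registry and ref.own_rel in self._registry)

class Terminal:  # claims 6-8: the handset side; in this model it also holds the apps' signing keys
    def __init__(self, sim: SimCard, app_keys: dict, security_levels: dict):
        self.sim, self.keys, self.levels = sim, app_keys, security_levels
        self.logged_in, self.rel_index = set(), {}  # rel_index: (app, user) -> index from registration

    def jump(self, second_app: str, first_app: str, user_id: str, token: Optional[str]) -> bool:
        if first_app in self.logged_in:  # only a first app that is not logged in goes to the SIM
            return True
        first_rel = self.rel_index.get((first_app, user_id), "")
        req = LoginRequest(first_app, user_id, first_rel, token,
                           sign(self.keys[first_app], first_app, user_id, first_rel, token))
        ref = None
        if self.levels[first_app] == HIGH:  # preset level: the second app must also send reference info
            own = self.rel_index.get((second_app, user_id), "")
            ref = ReferenceInfo(second_app, user_id, first_rel, own, token,
                                sign(self.keys[second_app], second_app, user_id, first_rel, own, token))
        ok = self.sim.authenticate(req, ref)
        if ok:
            self.logged_in.add(first_app)
        return ok

def demo() -> dict:  # constructed scenario: one user, two fast apps, one high-security app
    keys = {"portal": b"k-portal", "mail": b"k-mail", "wallet": b"k-wallet"}
    levels = {"portal": FAST, "mail": FAST, "wallet": HIGH}
    sim, out = SimCard(keys, levels), {}
    term = Terminal(sim, keys, levels)
    for app in keys:
        term.rel_index[(app, "user-1")] = sim.register(app, "user-1", "owner" if app == "wallet" else None)
    out["fast_ok"] = term.jump("portal", "mail", "user-1", None)
    out["high_ok"] = term.jump("portal", "wallet", "user-1", "tok-1")
    m = term.rel_index[("mail", "user-1")]  # tampered: a genuine index presented with another user identifier
    out["fast_user_swap"] = sim.authenticate(LoginRequest("mail", "user-2", m, None,
                                                          sign(keys["mail"], "mail", "user-2", m, None)))
    w, p = term.rel_index[("wallet", "user-1")], term.rel_index[("portal", "user-1")]
    req = LoginRequest("wallet", "user-1", w, "tok-1", sign(keys["wallet"], "wallet", "user-1", w, "tok-1"))
    ref = ReferenceInfo("portal", "user-1", w, p, "tok-2",  # tampered: the second app vouches for another token
                        sign(keys["portal"], "portal", "user-1", w, p, "tok-2"))
    out["high_token_mismatch"] = sim.authenticate(req, ref)
    return out
```

Running `demo()` gives `fast_ok` and `high_ok` as True and both tampered requests as False: a genuine relationship index replayed under another user identifier fails the fast policy even though its signature verifies, and under the high-security policy a second application that vouches for a different authorization token fails even though both signatures verify. Note that the page only requires the third relationship index to be present in the registry; a deployment would normally also bind it to the second user identifier and the second application identifier, which this model, following the page, does not do.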
In order to achieve the above embodiments, the present application further proposes an electronic device including: a processor, and a memory communicatively coupled to the processor; the memory stores computer-executable instructions; the processor executes the computer-executable instructions stored in the memory to implement the methods provided by the previous embodiments.
In order to implement the above-mentioned embodiments, the present application also proposes a computer-readable storage medium in which computer-executable instructions are stored, which when executed by a processor are adapted to implement the methods provided by the foregoing embodiments.
The collection, storage, use, processing, transmission, provision and disclosure of users' personal information involved in this application all comply with the relevant laws and regulations and do not violate public order and good customs.
It should be noted that personal information from users should be collected for legitimate and reasonable uses and not shared or sold outside of these legitimate uses. In addition, such collection/sharing should be performed after receiving user informed consent, including but not limited to informing the user to read user agreements/user notifications and signing agreements/authorizations including authorization-related user information before the user uses the functionality. In addition, any necessary steps are taken to safeguard and ensure access to such personal information data and to ensure that other persons having access to the personal information data adhere to their privacy policies and procedures.
The present application contemplates embodiments that may provide a user with selective prevention of use or access to personal information data. That is, the present application contemplates that hardware and/or software may be provided to prevent or block access to such personal information data. Once personal information data is no longer needed, risk can be minimized by limiting data collection and deleting data. In addition, personal identification is removed from such personal information, as applicable, to protect the privacy of the user.
In the foregoing descriptions of embodiments, descriptions of the terms "one embodiment," "some embodiments," "example," "particular example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, the meaning of "plurality" is at least two, such as two, three, etc., unless explicitly defined otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and additional implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present application.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute them. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CD-ROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, as the program may be electronically captured, for instance via optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in the other embodiments, they may be implemented using any one or a combination of the following techniques well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like. Although embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives, and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (12)

1. A single sign-on authentication method performed by a SIM card, the method comprising:
receiving a login authentication request, sent by a terminal device, for a first application that is to be jumped to, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier;
determining an authentication policy based on the security level of the first application if the first signature is verified;
verifying the first relation index and the first user identification by using the authentication strategy and the association relation corresponding to the first application in the login registry to determine an authentication result;
and sending the authentication result to the terminal equipment.
2. The method of claim 1, wherein the login authentication request further includes a first authorization token of a second application, and wherein, in the case that the authentication policy is a high security authentication policy, verifying the first relationship index and the first user identifier to determine an authentication result using the authentication policy and an association relationship corresponding to the first application in a login registry includes:
Receiving authentication reference information of a second application sent by terminal equipment, wherein the authentication reference information comprises a second user identifier, a second relation index of a first application associated with the second user identifier, a third relation index of a second application associated with the second user identifier, a second signature and a second authorization token of the second application, and the second application is an application triggering login of the first application;
under the conditions that the second signature verification is successful, the second user identifier is the same as the first user identifier, the second relation index is the same as the first relation index, the second authorization token is the same as the first authorization token, and the login registry contains the first relation index and the third relation index, authentication is successful;
and if the second signature verification fails, or the second user identifier is different from the first user identifier, or the second relation index is different from the first relation index, or the second authorization token is different from the first authorization token, or the login registry does not contain the first relation index or the third relation index, authentication fails.
3. The method of claim 1, wherein, in the case where the authentication policy is a fast authentication policy, the verifying the first relationship index and the first user identifier to determine an authentication result using the authentication policy and an association relationship corresponding to the first application in the login registry includes:
inquiring and acquiring a third user identifier and an application identifier associated with the first relation index in the login registry;
if the third user identification is the same as the first user identification and the application identification is the application identification of the first application, the authentication is successful;
and if the login registry does not contain the first relation index, or the third user identification is different from the first user identification, or the application identification is not the application identification of the first application, authentication fails.
4. The method according to any one of claims 1-3, wherein said sending said authentication result to said terminal device comprises:
under the condition that authentication is successful, a PIN code window is popped up to display prompt information for jumping to the first application;
and after receiving the confirmation information corresponding to the prompt information, sending the authentication result to the terminal equipment.
5. The method as recited in claim 1, further comprising:
receiving a registration request of a target application sent by terminal equipment, wherein the target application is a first application or a second application, and the registration request comprises a target user identifier, a target application identifier and/or a target user role;
determining whether the target user identifier, the target application identifier and/or the association relationship among the target user roles is registered or not;
generating a target relation index if it is not registered, sending the target relation index to the terminal equipment, and storing the target relation index in the login registry in association with the target user identification, the target application identification and/or the target user role, wherein the target user role is used for authenticating the user authority for logging in to the first application.
6. A single sign-on authentication method performed by a terminal device, the method comprising:
determining whether a first application is logged in or not in response to a second application triggering a jump to the first application;
sending a login authentication request to a SIM card under the condition that the first application is not logged in, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier;
Receiving an authentication result which is sent by the SIM card and used for checking the first relation index and the first user identification according to the security level of the first application;
and determining whether to log in the first application according to the authentication result.
7. The method of claim 6, wherein the login authentication request further includes a first authorization token for the second application, and before receiving the authentication result sent by the SIM card to verify the first relationship index and the first user identification according to the security level, further includes:
and triggering the second application to send authentication reference information to the SIM card under the condition that the security level of the first application is a preset level, wherein the authentication reference information comprises a second user identifier, a second relation index of the first application associated with the second user identifier, a third relation index of the second application associated with the second user identifier, a second signature and a second authorization token of the second application.
8. The method as recited in claim 6, further comprising:
responding to the target application to trigger registration of login authentication, and sending a registration request of the target application to the SIM card, wherein the target application is a first application or a second application, and the registration request comprises a target user identifier, a target application identifier and/or a target user role;
and receiving, from the SIM card, the target relation index corresponding to the registered relationship among the target user identification, the target application identification and/or the target user role.
9. A single sign-on authentication device, for use on a SIM card side, the device comprising:
the receiving and transmitting module is used for receiving a login authentication request, sent by the terminal equipment, for a first application that is to be jumped to, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier;
the determining module is used for determining an authentication strategy based on the security level of the first application under the condition that the first signature is checked successfully;
the verification module is used for verifying the first relation index and the first user identifier to determine an authentication result by utilizing the authentication strategy and the association relation corresponding to the first application in the login registry;
and the receiving and transmitting module is used for transmitting the authentication result to the terminal equipment.
10. A single sign-on authentication apparatus, characterized in that it is applied to a terminal device side, the apparatus comprising:
the confirmation module is used for responding to the triggering of the second application to jump to the first application and determining whether the first application is logged in;
the receiving and transmitting module is used for sending a login authentication request to the SIM card under the condition that the first application is not logged in, wherein the login authentication request comprises a first signature, a first user identifier and a first relation index of the first application associated with the first user identifier;
the receiving and transmitting module is used for receiving an authentication result which is sent by the SIM card and used for checking the first relation index and the first user identifier according to the security level of the first application;
and the processing module is used for determining whether to log in the first application according to the authentication result.
11. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1-5 or to implement the method of any one of claims 6-8.
12. A computer readable storage medium having stored therein computer executable instructions for implementing the method of any of claims 1-5 or the method of any of claims 6-8 when executed by a processor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311503775.6A CN117574349A (en) 2023-11-10 2023-11-10 Single sign-on authentication method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117574349A true CN117574349A (en) 2024-02-20

Family

ID=89890944

Country Status (1)

Country Link
CN (1) CN117574349A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109388937A (en) * 2018-11-05 2019-02-26 用友网络科技股份有限公司 A kind of single-point logging method and login system of multiple-factor authentication
CN111769939A (en) * 2020-06-29 2020-10-13 北京海泰方圆科技股份有限公司 Business system access method and device, storage medium and electronic equipment
CN112364334A (en) * 2020-11-09 2021-02-12 成都卫士通信息产业股份有限公司 Single sign-on method and device, electronic equipment and storage medium
CN113067797A (en) * 2021-02-01 2021-07-02 上海金融期货信息技术有限公司 Identity authentication and authorization system supporting multiple terminals and multiple certificates in cross-network area
CN113132402A (en) * 2021-04-27 2021-07-16 奇安信科技集团股份有限公司 Single sign-on method and system
US20210377045A1 (en) * 2020-05-27 2021-12-02 Securrency, Inc. Method, apparatus, and computer-readable medium for authentication and authorization of networked data transactions
CN113849798A (en) * 2021-10-18 2021-12-28 南方电网数字电网研究院有限公司 Secure login authentication method, system, computer equipment and storage medium
CN114218550A (en) * 2021-11-09 2022-03-22 中国建设银行股份有限公司 Single sign-on method and device, electronic equipment and storage medium
CN114422258A (en) * 2022-01-25 2022-04-29 百安居信息技术(上海)有限公司 Single sign-on method, medium and electronic equipment based on multiple authentication protocols
CN114430340A (en) * 2021-12-24 2022-05-03 天翼云科技有限公司 Cross-domain single sign-on method, device and equipment
CN115766127A (en) * 2022-11-02 2023-03-07 云南昆船设计研究院有限公司 Single sign-on method and device for CS application in industrial control environment
CN116170234A (en) * 2023-04-23 2023-05-26 北京首信科技股份有限公司 Single sign-on method and system based on virtual account authentication

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
WANG GUO-WEI; XUE MAN-JUN: "Token-based cross domain single sign on", JOURNAL OF COMPUTER APPLICATIONS, 10 June 2012 (2012-06-10), pages 1766-1768 *
华晓丽: "Construction of a unified identity authentication service platform based on a login proxy" (基于登录代理的统一身份认证服务平台构建), Journal of Railway Science and Engineering (铁道科学与工程学报), no. 05, 30 October 2005 (2005-10-30), pages 80-84 *
孙志远: "Design and implementation of a cloud security service platform" (云安全服务平台的设计与实现), China Masters' Theses Full-text Database (中国优秀硕士学位论文全文数据库), 15 January 2022 (2022-01-15), pages 138-144 *
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination