CN1933483A - System and method for network accession utilizing single clicking single pointing - Google Patents


Info

Publication number: CN1933483A
Authority: CN (China)
Prior art keywords: user, network application, customer service, administrative center, cpa
Legal status: Granted
Application number: CN 200510110839
Other languages: Chinese (zh)
Other versions: CN100534094C (en)
Inventor: 王伟珣
Current assignee: Wang Weixun
Original assignee: Individual
Events: application filed by Individual; priority to CNB2005101108391A (CN100534094C); publication of CN1933483A; application granted; publication of CN100534094C; current status Expired - Fee Related; anticipated expiration.

Landscapes

  • Computer And Data Communications (AREA)

Abstract

A user management and authentication system for network applications comprises a user terminal, a user ID/IP subsystem, a network application server CPa, the customer service administrative center to which the CPa belongs, a national customer service administrative center, and the customer service administrative center to which the user belongs. Its distinguishing feature is that the user ID/IP subsystem opens an interface through which trusted network application systems or network application authentication systems can verify user information.

Description

A system and method for one-click single sign-on in network applications
Technical field
The invention belongs to the technical field of user management for network application systems, and specifically relates to a user authentication management system for network applications that implements "authentication, authorization, accounting (AAA)" by a one-click single sign-on method.
Background art
The current Internet offers a variety of access technologies, such as telephone dial-up (using the PPP protocol) and broadband emulated dial-up (using the PPPoE protocol over Ethernet access). Whenever a network operator provides Internet service it must handle user login and perform "authentication, authorization, accounting (AAA)". The access technologies above mostly use the RADIUS protocol for user login and thereby implement AAA.
When a user uses different network application systems on the Internet, the user must authenticate by entering a different user name and password at each network application system, and must therefore keep many sets of user names and passwords in mind; even where the user name and password of some network application systems are the same, the user still has to enter them repeatedly, because each network application system authenticates separately. Single sign-on (Single Sign On, SSO) platforms were proposed to address this problem. An SSO platform simplifies the workflow: the user logs in only once, entering a single unified user name and password, and can then use multiple application systems repeatedly. The simplest and most direct implementation of SSO is cookie-based: a session token (Session Token) is generated from the user name and session-related information and returned to the browser as a web browser cookie. When the user later visits a different network application system, that application server recovers information such as the user name from the cookie. The user-name format that a network application's single sign-on method accepts, and the rules each network application operator sets, all differ somewhat.
The shortcoming of existing network application single sign-on methods is that the application single sign-on method and the network login method are separate, which makes the user authentication management (authentication, authorization, accounting) of the network operator and of the network application operator complicated and disorderly. The user still has to remember different user names, passwords and login forms, and must log in at least twice, once to access the network and once to use the network application; the operation is cumbersome, and on mobile devices and in mobile environments, where entering information is awkward, it is especially inconvenient.
Summary of the invention
The object of the present invention is to provide an efficient and simple user authentication management system and method in which, after the user has logged in to the network, a single click (1click) to start the network application software is enough to log in to the network application automatically, achieving single sign-on (Single Sign On).
To achieve this object, the solution adopted by the present invention is a system and method for one-click single sign-on in network applications. The system architecture comprises a user terminal, a user ID/IP subsystem, a network application server CPa, the customer service administrative center to which the CPa belongs, a national customer service administrative center, and the customer service administrative center to which the user belongs. The user ID/IP subsystem is the subsystem or device of the network login system that records user identification information and the IP address allocated to each user; it opens an interface that allows trusted network application systems or network application authentication systems to verify user information. The network application server provides various network application services to users. The customer service administrative center to which the CPa belongs, the national customer service administrative center and the customer service administrative center to which the user belongs identify each user and network application server of a given region according to the LDAP protocol's standard data organization structure.
The network application one-click single sign-on method comprises the following steps:
a. The user clicks the network application software on the terminal device, which sends a network application login request to the network application server CPa of a network application service provider; the login request packet contains the terminal device's IP address, i.e. the source address of the login request;
b. The network application server CPa appends the service identifier of this application service to the terminal device source address carried in the received login request packet, forming a customer service authentication request;
c. After the customer service administrative center to which the CPa belongs, which has been set to serve this network application server CPa, receives the authentication request, it queries the user ID/IP subsystem for the user ID using the source address in the request;
d. The user ID/IP subsystem returns the user ID corresponding to that source address to the customer service administrative center to which the CPa belongs;
e. The customer service administrative center to which the CPa belongs judges from the region information in the user ID whether the user belongs to its own region; if so, it goes to step i; if not, it sends a confirm-user-ID request to the national customer service administrative center;
f. The national customer service administrative center forwards the confirm-user-ID request to the customer service administrative center of the user's home region for confirmation;
g. The customer service administrative center of the user's home region returns the result of the confirm-user-ID request to the national customer service administrative center;
h. The national customer service administrative center returns the result of the confirm-user-ID request to the customer service administrative center to which the CPa belongs;
i. If the user conforms to the service management rules, authorization and accounting begin, and a session identifier (Session Token) for customer service management, composed of the user ID and the service identifier, is generated and returned to the network application server CPa;
j. The network application server CPa returns this session identifier (Session Token) to the user terminal device, where it is used in operating the user's network application software;
k. If the user later clicks network application software on the terminal device to visit another network application, "authentication, authorization, accounting (AAA)" is carried out according to the user ID in the session identifier (Session Token) obtained by the previous application, achieving single sign-on (Single Sign On).
Beneficial effects of the present invention: it is an efficient and simple network application user authentication management system and method that greatly reduces the complexity of user management and makes it convenient for operators to perform authentication, authorization and accounting centrally. At the same time, after the user has logged in to the network, a single click (1click) to start the network application software is enough to log in to the network application automatically, achieving single sign-on (Single Sign On), which is convenient for the user.
Description of drawings
Fig. 1 is the data organization structure diagram of the present invention;
Fig. 2 is the method flow diagram of the present invention;
Fig. 3 is a typical implementation diagram of the system and method of the present invention;
Fig. 4 is the concrete implementation diagram of the present invention in a cellular mobile communication network;
Fig. 5 is the concrete implementation diagram of the present invention in fixed Internet access;
Fig. 6 is the concrete implementation diagram of the present invention in IPv6 and mobile IPv6 networks.
In the figures: 1. user terminal; 2. user ID/IP subsystem; 3. network application server CPa; 4. customer service administrative center to which the CPa belongs; 5. national customer service administrative center; 6. customer service administrative center to which the user belongs.
Embodiments
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 is the data organization structure diagram of the present invention. In Fig. 1, each user and network application server is uniquely identified according to the LDAP protocol standard. For example, the identifier of a certain network application server is OU=CPa, OU=Game, DC=Sh, DC=ChinaMobile, DC=Com, DC=Cn, in which DC=Sh is the region to which the user belongs; the identifier of a certain user is CN=user a, OU=z, DC=Gd, DC=ChinaMobile, DC=Com, DC=Cn, in which DC=Gd is the region to which the network application server CPa belongs. To unify the format of user login names, the present invention adopts the LDAP protocol's standard data organization structure, so that users can uniformly log in to the network with a name of the form username@sh.chinamobile.com.cn.
As can be seen from Fig. 2 and Fig. 3, the system architecture comprises a user terminal 1, a user ID/IP subsystem 2, a network application server CPa 3, the customer service administrative center 4 to which the CPa belongs, a national customer service administrative center 5 and the customer service administrative center 6 to which the user belongs. The user ID/IP subsystem 2 is the subsystem or device of the network login system that records user identification information and the IP address allocated to each user; it opens an interface that allows trusted network application systems or network application authentication systems to verify user information. The network application server CPa 3 provides network application services to users. The customer service administrative center 4 to which the CPa belongs, the national customer service administrative center 5 and the customer service administrative center 6 to which the user belongs are the devices that manage each user and network application server of a given region according to the LDAP protocol's standard data organization structure.
The login method of the above network application one-click single sign-on system comprises the following steps:
a. The user clicks the network application software on the terminal 1 device, which sends a network application login request to the network application server CPa 3 of a network application service provider; the login request packet contains the terminal device's IP address, i.e. the source address of the login request;
b. The network application server CPa 3 appends the service identifier of this application service to the terminal 1 device source address carried in the received login request packet, forming a customer service authentication request;
c. After the customer service administrative center 4 to which the CPa belongs, which has been set to serve this network application server CPa 3, receives the authentication request, it queries the user ID/IP subsystem 2 for the user ID using the source address in the request;
d. The user ID/IP subsystem 2 returns the user ID corresponding to that source address to the customer service administrative center 4 to which the CPa belongs;
e. The customer service administrative center 4 to which the CPa belongs judges from the region information in the user ID whether the user belongs to its own region; if so, it goes to step i; if not, it sends a confirm-user-ID request to the national customer service administrative center 5;
f. The national customer service administrative center 5 forwards the confirm-user-ID request to the customer service administrative center 6 of the user's home region for confirmation;
g. The customer service administrative center 6 of the user's home region returns the result of the confirm-user-ID request to the national customer service administrative center 5;
h. The national customer service administrative center 5 returns the result of the confirm-user-ID request to the customer service administrative center 4 to which the CPa belongs;
i. If the user conforms to the service management rules, authorization and accounting begin, and a session identifier (Session Token) for customer service management, composed of the user ID and the service identifier, is generated and returned to the network application server CPa 3;
j. The network application server CPa 3 returns this session identifier (Session Token) to the user terminal 1 device, where it is used in operating the user's network application software;
k. If the user later clicks network application software on the terminal (1) device to visit another network application, "authentication, authorization, accounting (AAA)" is carried out according to the user ID in the session identifier (Session Token) obtained by the previous application, achieving single sign-on (Single Sign On).
Fig. 4 is embodiment 1, the concrete implementation diagram of the present invention in a cellular mobile communication network.
The concrete implementation of the present invention in a cellular mobile communication network such as GSM/GPRS or 3G is that the GGSN (Gateway GPRS Support Node) opens an interface allowing trusted network application systems or network application authentication systems to look up the user terminal's telephone number information. That is, the GGSN takes the place of the user ID/IP subsystem 2 in Fig. 2 or Fig. 3; apart from replacing the user ID/IP subsystem 2 of steps c and d of the one-click single sign-on method with the GGSN, one-click single sign-on proceeds by the steps described above.
Fig. 5 is embodiment 2, the concrete implementation diagram of the present invention in fixed Internet access.
The concrete implementation of the present invention in a fixed Internet access network is that the RADIUS server, the network access server (NAS) subsystem or the broadband remote access server (BRAS) subsystem opens an interface allowing trusted network application systems or network application authentication systems to verify the user ID with which the user logged in to the Internet. That is, RADIUS/NAS/BRAS takes the place of the user ID/IP subsystem 2 in Fig. 2 or Fig. 3; apart from replacing the user ID/IP subsystem 2 of steps c and d of the one-click single sign-on method with RADIUS/NAS/BRAS, one-click single sign-on proceeds by the steps described above.
Fig. 6 is embodiment 3, the concrete implementation diagram of the present invention in IPv6 and mobile IPv6 networks.
In an IPv6 network the terminal device's IPv6 address is provided by the network access service provider. If an Internet access operator uses stateless autoconfiguration throughout, then when a terminal is activated the user name corresponding to its IPv6 address must be recorded, building a user name/IP address LDAP database. If stateful configuration is used, the user is also subjected to "authentication, authorization, accounting" before the IPv6 DHCP server responsible for address assignment allocates an address, building an IPv6 AAA subsystem.
The home agent (home agent) subsystem in a mobile IPv6 network holds the user ID and the home address and care-of address information of the mobile hosts it serves.
The application of the method of the present invention in IPv6 and mobile IPv6 networks is that the user name/IP address LDAP database, the IPv6 AAA subsystem or the home agent (home agent) subsystem of the mobile IPv6 network opens an interface allowing trusted network application systems or network application authentication systems to verify the user ID with which the user logged in to the IPv6 Internet. That is, IPv6 AAA/User-IP LDAP/Home Agent takes the place of the user ID/IP subsystem 2 in Fig. 2 or Fig. 3; apart from replacing the user ID/IP subsystem 2 of steps c and d of the one-click single sign-on method with IPv6 AAA/User-IP LDAP/Home Agent, one-click single sign-on proceeds by the steps described above.
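As an added illustration, not code from the patent, the following Python simulation runs the one-click single sign-on flow of steps a to k (as given in the summary and in the embodiment of Fig. 2 and Fig. 3) over the LDAP-style identifiers of Fig. 1, with the user ID/IP subsystem modelled as the pluggable lookup that the GGSN, RADIUS/NAS/BRAS and IPv6 AAA/home agent embodiments each provide. The class names, the service rule table, the second service and second user, and the IP-to-user bindings are constructed for the example. The flow's security rests entirely on that binding: the regional centre issues a token only when the subsystem returns a user ID for the request's source address, so an unknown address gets no token, and because the token carries only the user ID and service identifier, a later application still checks its own service rules before reusing it.

```python
# Added example (not the patent's code): simulation of the one-click single
# sign-on flow, steps a-k, over the LDAP-style identifiers of Fig. 1. Class
# names, the rule table and the IP/user bindings are constructed.
from dataclasses import dataclass, field


def parse_dn(dn):
    """Split 'CN=user a,OU=z,DC=Gd,DC=ChinaMobile,DC=Com,DC=Cn' into (attr, value) pairs."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]


def region_of(dn):
    """The region is the first DC component of an identifier (DC=Sh -> 'Sh')."""
    for attr, value in parse_dn(dn):
        if attr.upper() == "DC":
            return value
    raise ValueError("identifier carries no DC component: " + dn)


def login_name(dn):
    """Unified network-login name derived from a user DN: username@sh.chinamobile.com.cn."""
    parts = parse_dn(dn)
    cn = next(v for a, v in parts if a.upper() == "CN")
    return cn + "@" + ".".join(v.lower() for a, v in parts if a.upper() == "DC")


class UserIdIpSubsystem:
    """Records which user ID the network login bound to which IP address (GGSN,
    RADIUS/NAS/BRAS or IPv6 AAA/home agent in the embodiments; a dict here)."""

    def __init__(self, bindings):
        self.bindings = dict(bindings)          # source IP -> user DN (constructed)

    def lookup(self, source_ip):
        return self.bindings.get(source_ip)     # step d; None if the IP is unknown


@dataclass
class RegionalCenter:
    """Customer service administrative centre of one region."""
    region: str
    users: set                                  # user DNs this region manages
    rules: dict                                 # service DN -> user DNs allowed to use it
    subsystem: UserIdIpSubsystem
    national: "NationalCenter" = None
    charges: list = field(default_factory=list)  # accounting records (user, service)

    def confirm(self, user_id):
        """Step g: the user's home region confirms an ID it manages."""
        return user_id in self.users

    def authenticate(self, source_ip, service_id):
        """Steps c to i, run by the centre the CPa belongs to."""
        user_id = self.subsystem.lookup(source_ip)                 # steps c, d
        if user_id is None:
            return None                                            # no binding: reject
        if region_of(user_id) == self.region:                      # step e
            confirmed = self.confirm(user_id)
        else:
            confirmed = self.national.confirm(user_id)             # steps e to h
        if not confirmed or user_id not in self.rules.get(service_id, set()):
            return None                                            # fails service rules
        self.charges.append((user_id, service_id))                 # authorise and charge
        return (user_id, service_id)                               # step i: Session Token


class NationalCenter:
    def __init__(self, centers):
        self.centers = {c.region: c for c in centers}

    def confirm(self, user_id):
        """Steps f and h: forward to the user's home region and relay the result."""
        home = self.centers.get(region_of(user_id))
        return home is not None and home.confirm(user_id)


class NetworkApplicationServer:
    """CPa: forms the authentication request (step b) and hands back the token (step j)."""

    def __init__(self, service_dn, center):
        self.service_dn, self.center = service_dn, center

    def login(self, source_ip):
        return self.center.authenticate(source_ip, self.service_dn)   # source address + service ID

    def access_with_token(self, token):
        """Step k: a later application reuses the user ID carried in the token."""
        user_id, _ = token
        if user_id not in self.center.rules.get(self.service_dn, set()):
            return None
        self.center.charges.append((user_id, self.service_dn))
        return (user_id, self.service_dn)


# Identifiers from Fig. 1, plus a constructed second service and a constructed Sh user.
CPA_GAME = "OU=CPa,OU=Game,DC=Sh,DC=ChinaMobile,DC=Com,DC=Cn"
CPA_MUSIC = "OU=CPa,OU=Music,DC=Sh,DC=ChinaMobile,DC=Com,DC=Cn"
USER_A = "CN=user a,OU=z,DC=Gd,DC=ChinaMobile,DC=Com,DC=Cn"
USER_B = "CN=user b,OU=z,DC=Sh,DC=ChinaMobile,DC=Com,DC=Cn"


def build_demo():
    """Two Shanghai CPa servers sharing one regional centre; user a is from Gd."""
    subsystem = UserIdIpSubsystem({"10.0.0.5": USER_A, "10.0.0.7": USER_B})
    rules = {CPA_GAME: {USER_A, USER_B}, CPA_MUSIC: {USER_B}}
    sh = RegionalCenter("Sh", {USER_B}, rules, subsystem)
    gd = RegionalCenter("Gd", {USER_A}, {}, subsystem)
    national = NationalCenter([sh, gd])
    sh.national = gd.national = national
    return NetworkApplicationServer(CPA_GAME, sh), NetworkApplicationServer(CPA_MUSIC, sh)
```

Calling build_demo() and then login on the returned servers exercises both branches of step e: user a (region Gd) logging in to the Shanghai game CPa from 10.0.0.5 is confirmed through the national centre, user b (region Sh) from 10.0.0.7 is confirmed locally, and a request from an address the subsystem never bound yields no token at all.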

Claims (2)

1. A system and method for one-click single sign-on in network applications, the system architecture comprising a user terminal (1), a user ID/IP subsystem (2), a network application server CPa (3), a customer service administrative center (4) to which the CPa belongs, a national customer service administrative center (5) and a customer service administrative center (6) to which the user belongs, characterized in that: said user ID/IP subsystem (2) is the subsystem or device of the network login system that records user identification information and allocated IP address information, and opens an interface allowing trusted network application systems or network application authentication systems to verify user information; and said customer service administrative center (4) to which the CPa belongs, national customer service administrative center (5) and customer service administrative center (6) to which the user belongs are the devices that manage each user and network application server of a given region according to the LDAP protocol's standard data organization structure.
2. The system and method for one-click single sign-on in network applications according to claim 1, characterized in that the one-click single sign-on method of said system comprises the following steps:
a. The user clicks the network application software on the terminal (1) device, which sends a network application login request to the network application server CPa (3) of a network application service provider; the login request packet contains the terminal device's IP address, i.e. the source address of the login request;
b. The network application server CPa (3) appends the service identifier of this application service to the terminal (1) device source address carried in the received login request packet, forming a customer service authentication request;
c. After the customer service administrative center (4) to which the CPa belongs, which has been set to serve this network application server CPa (3), receives the authentication request, it queries the user ID/IP subsystem (2) for the user ID using the source address in the request;
d. The user ID/IP subsystem (2) returns the user ID corresponding to that source address to the customer service administrative center (4) to which the CPa belongs;
e. The customer service administrative center (4) to which the CPa belongs judges from the region information in the user ID whether the user belongs to its own region; if so, it goes to step i; if not, it sends a confirm-user-ID request to the national customer service administrative center (5);
f. The national customer service administrative center (5) forwards the confirm-user-ID request to the customer service administrative center (6) of the user's home region for confirmation;
g. The customer service administrative center (6) of the user's home region returns the result of the confirm-user-ID request to the national customer service administrative center (5);
h. The national customer service administrative center (5) returns the result of the confirm-user-ID request to the customer service administrative center (4) to which the CPa belongs;
i. If the user conforms to the service management rules, authorization and accounting begin, and a session identifier (Session Token) for customer service management, composed of the user ID and the service identifier, is generated and returned to the network application server CPa (3);
j. The network application server CPa (3) returns this session identifier (Session Token) to the user terminal (1) device, where it is used in operating the user's network application software;
k. If the user later clicks network application software on the terminal (1) device to visit another network application, "authentication, authorization, accounting (AAA)" is carried out according to the user ID in the session identifier (Session Token) obtained by the previous application, achieving single sign-on (Single Sign On).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101108391A CN100534094C (en) 2005-11-28 2005-11-28 System and method for network accession utilizing single clicking single pointing

Publications (2)

Publication Number Publication Date
CN1933483A true CN1933483A (en) 2007-03-21
CN100534094C CN100534094C (en) 2009-08-26

Family

ID=37879099

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101108391A Expired - Fee Related CN100534094C (en) 2005-11-28 2005-11-28 System and method for network accession utilizing single clicking single pointing

Country Status (1)

Country Link
CN (1) CN100534094C (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710621A (en) * 2012-05-22 2012-10-03 中兴通讯股份有限公司 User authentication method and system
CN104283852A (en) * 2013-07-08 2015-01-14 中国电信股份有限公司 Mobile application single-sign-on authentication method, system, client side and server side
CN106656566A (en) * 2016-11-18 2017-05-10 上海斐讯数据通信技术有限公司 LDAP based authentication networking management method and system of third-party data source
CN109542587A (en) * 2018-11-26 2019-03-29 郑州云海信息技术有限公司 A kind of virtual machine access method, device and computer equipment
CN110765445A (en) * 2019-10-08 2020-02-07 中国建设银行股份有限公司 Method and device for processing request

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710621A (en) * 2012-05-22 2012-10-03 中兴通讯股份有限公司 User authentication method and system
CN102710621B (en) * 2012-05-22 2016-06-08 中兴通讯股份有限公司 A kind of user authentication method and system
CN104283852A (en) * 2013-07-08 2015-01-14 中国电信股份有限公司 Mobile application single-sign-on authentication method, system, client side and server side
CN106656566A (en) * 2016-11-18 2017-05-10 上海斐讯数据通信技术有限公司 LDAP based authentication networking management method and system of third-party data source
CN106656566B (en) * 2016-11-18 2020-06-05 上海斐讯数据通信技术有限公司 Third-party data source authentication network-accessing management method based on LDAP protocol
CN109542587A (en) * 2018-11-26 2019-03-29 郑州云海信息技术有限公司 A kind of virtual machine access method, device and computer equipment
CN110765445A (en) * 2019-10-08 2020-02-07 中国建设银行股份有限公司 Method and device for processing request

Also Published As

Publication number Publication date
CN100534094C (en) 2009-08-26

Similar Documents

Publication Publication Date Title
US6427170B1 (en) Integrated IP address management
JP4195450B2 (en) Single sign-on method for packet radio network users roaming multi-country operator networks
CA2457368C (en) A server, system and method for providing access to a public network through an internal network of a multi-system operator
US20010028636A1 (en) Method and apparatus for mapping an IP address to an MSISDN number within a service network
US20060195893A1 (en) Apparatus and method for a single sign-on authentication through a non-trusted access network
US20030171112A1 (en) Generic wlan architecture
CN1534921A (en) Method of public authentication and authorization between independent netowrks
CN101110847B (en) Method, device and system for obtaining medium access control address
CA2469026A1 (en) System and method for providing subscription content services to mobile devices
US7173933B1 (en) System and method for providing source awareness in a network environment
CN1713629A (en) Realization of user login name and IP address binding
CN1578487A (en) Method for mobile terminal switching in packet network
CN1933483A (en) System and method for network accession utilizing single clicking single pointing
CN1647451A (en) Monitoring of information in a network environment
CN1845600A (en) Method and system for realizing user key arrangement in mobile broadcast television service
CN101355489B (en) User management method based on dynamic host configuration protocol prefix proxy
Aboba et al. Review of Roaming Implementations
CN1795656A (en) Secure traffic redirection in a mobile communication system
CN1176540C (en) Method for realizing switch in with mixed multiple users'types in Ethernet network switch in devices
CN1309213C (en) Network access anthentication method for improving network management performance
CN1947455A (en) Supporting a network behind a wireless station
CN1505345A (en) A method for accessing user forced access identification server
US7353405B2 (en) Method and systems for sharing network access capacities across internet service providers
CN1190036C (en) Method and system for inquiry of user identification in mobile communication system
CN100337444C (en) A method for redirecting packet data gateway in wireless LAN

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHANGHAI SUTENG INFORMATION SCIENCE CO., LTD.

Free format text: FORMER OWNER: WANG WEIWEI

Effective date: 20091002

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20091002

Address after: Room 1, building 66, Lane 401, Huayuan Road, Shanghai, Hongkou District

Patentee after: Shanghai Suteng Information Science & Technology Co., Ltd.

Address before: Room 137, No. 99, Lane 2503, Tam Tam Road, Shanghai, Putuo District

Patentee before: Wang Weixun

ASS Succession or assignment of patent right

Owner name: WANG WEIXUN

Free format text: FORMER OWNER: SHANGHAI SUTENG INFORMATION SCIENCE + TECHNOLOGY CO., LTD.

Effective date: 20150807

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150807

Address after: 200061 room 137, No. 99, Lane 2503, Tam Tam Road, Putuo District, Shanghai

Patentee after: Wang Weixun

Address before: 200081 room 1, building 66, Lane 401, Huayuan Road, Shanghai, Hongkou District

Patentee before: Shanghai Suteng Information Science & Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090826

Termination date: 20161128
