TWI389534B - Single sign-on system and method and computer readable medium thereof - Google Patents


Publication number: TWI389534B
Authority: TW (Taiwan)
Application number: TW96135739A
Other languages: Chinese (zh)
Other versions: TW200915818A (en)
Inventors: Wen Shu Lai, Ding Hao Chen, Cheng Han Tsai, I Ching Li
Original assignee: Via Tech Inc


Description

Single sign-on system and method and computer readable medium thereof

The present invention relates to a login method, and in particular to a cross-region single sign-on method and system.

Generally, when logging in to different web servers, a user has to enter a personal account name and password again for each login. Referring to Figure 1, after a user has logged in to a server in the Taiwan domain and then wishes to log in to a server in the mainland China domain, the user must log in again. Moreover, the user needs to hold one identifier for logging in to the Taiwan domain and another for logging in to the mainland domain; without an identifier for the mainland domain, the user cannot access the servers of the mainland domain.

In other words, in the single sign-on environment of a multinational enterprise, an employee whose identity spans several companies has no single identifier, and must obtain a separate single sign-on authorization in each domain before using that domain's resources, which is very inconvenient for the user.

Therefore, the present invention provides a cross-region single sign-on method and system, so that a user need authenticate only once, on one domain's authentication server, in order to use the network resources of different domains.

Based on the above object, an embodiment of the present invention discloses a single sign-on method applicable to a single sign-on system, wherein the single sign-on system includes at least a first verification server and a second verification server, the first verification server and the second verification server being connected to at least one first web server and one second web server respectively, the first verification server and the first web server belonging to a first domain, and the second verification server and the second web server belonging to a second domain.

The single sign-on method includes the following steps: performing a verification operation on a user according to predefined user authentication data to determine whether the user passes verification; when verification succeeds, allowing the user to log in to the first verification server; generating a ticket according to a session; and determining whether a first link command is received.

When the first link command is received, a link URL parameter is generated and a login URL parameter of the first verification server is added to the link URL parameter; the login URL parameter and the user authentication data are added to the ticket, which is transmitted to the first web server to allow the user to log in to the first web server; and it is determined whether a second link command is received.

When the second link command is received, the ticket is transmitted to the second web server via the second verification server; the second web server obtains the login URL parameter from the ticket; according to the login URL parameter, the user is verified at the second web server by means of the first verification server and according to the user authentication data contained in the ticket; and, when the user is verified successfully, the user is allowed to log in to the second web server.

An embodiment of the invention further discloses a single sign-on system including a first verification server, a first web server, a second verification server and a second web server.

The first verification server performs a verification operation on the user according to predefined user authentication data to determine whether the user passes verification; when verification succeeds, it allows the user to log in, generates a ticket according to a session, and determines whether a first link command is received. When the first link command is received, it generates a link URL parameter, adds a login URL parameter of the first verification server to the link URL parameter, and adds the login URL parameter and the user authentication data to the ticket.

The first web server is coupled to the first verification server and obtains the ticket from the first web server to allow the user to log in.

The second verification server is coupled to the first verification server and obtains the ticket when the first verification server receives a second link command.

The second web server is coupled to the second verification server; it obtains the login URL parameter in the ticket from the second verification server, verifies the user according to the login URL parameter by means of the first verification server and according to the user authentication data contained in the ticket, and, when the user is verified successfully, allows the user to log in to the second web server.

The first verification server and the first web server belong to a first domain, and the second verification server and the second web server belong to a second domain.

An embodiment of the invention further discloses a computer readable medium storing a computer program that, when loaded into a computer system, causes the computer system to perform a single sign-on method applicable to a single sign-on system, wherein the single sign-on system includes at least a first verification server and a second verification server, the first verification server and the second verification server being connected to at least one first web server and one second web server respectively, the first verification server and the first web server belonging to a first domain, and the second verification server and the second web server belonging to a second domain. The method includes the following steps: performing a verification operation on the user according to predefined user authentication data to determine whether the user passes verification; when verification succeeds, allowing the user to log in to the first verification server; generating a ticket according to a session; and determining whether a first link command is received.

When the first link command is received, a link URL parameter is generated and a login URL parameter of the first verification server is added to the link URL parameter; the login URL parameter and the user authentication data are added to the ticket, which is transmitted to the first web server to allow the user to log in to the first web server; and it is determined whether a second link command is received.

When the second link command is received, the ticket is transmitted to the second web server via the second verification server; the second web server obtains the login URL parameter from the ticket; according to the login URL parameter, the user is verified at the second web server by means of the first verification server and according to the user authentication data contained in the ticket; and, when the user is verified successfully, the user is allowed to log in to the second web server.

In order to make the objects, features and advantages of the present invention more readily understood, preferred embodiments are described in detail below with reference to the accompanying Figures 1 and 2. This specification provides different embodiments to illustrate the technical features of different implementations of the invention. The arrangement of the elements in the embodiments is for illustration only and is not intended to limit the invention. Reference numerals repeated between embodiments are used to simplify the description and do not imply any relationship between different embodiments.

An embodiment of the invention discloses a cross-region single sign-on method and system.

The cross-region single sign-on method and system of this embodiment solve the problem of identifying the employees of a multinational enterprise, together with the problem of synchronizing the data held by the single sign-on server of each domain, so that each user need log in only once, on the domain authentication server of the nearest region, in order to use the resources of the domains of other regions.

Figure 2 is a schematic diagram showing the architecture of the single sign-on system of an embodiment of the invention.

The single sign-on system of this embodiment includes a first verification server 2100, a second verification server 2200 and a user interface 2300. The first verification server 2100 is connected to a plurality of web servers 2110~2130 and a database 2150, and the second verification server 2200 is connected to a plurality of web servers 2210~2230 and a database 2250. The first verification server 2100 and the web servers 2110~2130 belong to a first domain (for example, the Taiwan regional domain), while the second verification server 2200 and the web servers 2210~2230 belong to a second domain (for example, the mainland China regional domain). Note that the single sign-on method and system of this embodiment are described using only the verification servers of two regional domains and the web servers connected to them; the implementation is not limited to this, and the number of domains depends on the business regions set up by the multinational enterprise.

A directory service system, for example Lightweight Directory Access Protocol (LDAP) or Active Directory (AD), is integrated to build the databases 2150, 2250 containing the authentication data and permission settings of the employees, i.e. the users, belonging to the first and second domains, so that each employee has a single identifier and a single point of control over the use of cross-region network resources. The authentication data and permission settings, together with the system IDs of the web servers 2110~2130 and 2210~2230, are stored in the databases 2150 and 2250 of the first verification server 2100 and the second verification server 2200 respectively.

At fixed intervals, the first verification server 2100 and the second verification server 2200 each transmit the employee authentication data and permission settings in their databases 2150, 2250 to the other, so that both are kept synchronously up to date. When a user logs in to the first verification server 2100 through the user interface 2300, the first verification server 2100 verifies the user according to the account name and password entered by the user and the employee authentication data stored in its database 2150. When verification succeeds, the user is allowed to log in to the first verification server 2100 and a user browsing interface is opened. This single browsing interface lists the web servers corresponding to the different regions; for example, the Taiwan region includes an employee portal, an employee performance site and a recruitment site, each linked to the corresponding web server that provides that site's functions, and the mainland region offers the same site functions, with their corresponding web servers, within the same browsing interface.
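The periodic exchange of authentication data and permission settings between the databases 2150 and 2250 (step S301 in the flow chart below, and claim 8) as an added Python example. This is example code written for this page, not the patent's or Via Tech's code. It assumes a per-record integer version field `updated` that the patent does not mention, and it adds one rule a practitioner would want that the text leaves open: when both replicas have the same version but different content, the merge fails closed (a disabled flag on either side sticks, and only the permissions both sides agree on survive) and the record is reported as a conflict. The user IDs and permission values are constructed.

```python
def sync_directories(local, remote):
    """Merge two replicas of the employee directory (databases 2150 and 2250).
    Each record carries an integer `updated` version (assumed field). The newer copy
    wins; a record missing on one side is copied over; two copies with the same
    version but different content are merged conservatively and reported as conflicts.
    Returns (merged, conflicts). The result is the same whichever side calls it."""
    merged, conflicts = {}, []
    for uid in sorted(set(local) | set(remote)):
        a, b = local.get(uid), remote.get(uid)
        if a is None or b is None:
            merged[uid] = a if b is None else b            # one-sided record: copy it over
        elif a["updated"] != b["updated"]:
            merged[uid] = a if a["updated"] > b["updated"] else b   # newer version wins
        elif a == b:
            merged[uid] = a                                 # already in sync
        else:
            # Same version, different content: fail closed until an operator resolves it.
            conflicts.append(uid)
            merged[uid] = {
                "updated": a["updated"],
                "disabled": a["disabled"] or b["disabled"],
                "system_ids": sorted(set(a["system_ids"]) & set(b["system_ids"])),
            }
    return merged, conflicts


def demo_sync():
    """Constructed replicas: emp001 gained site 2220 on the remote side, emp002 was
    disabled locally after the remote copy, emp003 exists only remotely, and emp004
    diverged on both sides without a version bump."""
    local = {
        "emp001": {"updated": 3, "disabled": False, "system_ids": ["2110"]},
        "emp002": {"updated": 8, "disabled": True, "system_ids": []},
        "emp004": {"updated": 1, "disabled": False, "system_ids": ["2110"]},
    }
    remote = {
        "emp001": {"updated": 4, "disabled": False, "system_ids": ["2110", "2220"]},
        "emp002": {"updated": 7, "disabled": False, "system_ids": ["2110", "2220"]},
        "emp003": {"updated": 2, "disabled": False, "system_ids": ["2220"]},
        "emp004": {"updated": 1, "disabled": False, "system_ids": ["2220"]},
    }
    merged, conflicts = sync_directories(local, remote)
    # Both verification servers run the same merge, so one round leaves them identical.
    assert sync_directories(remote, local) == (merged, conflicts)
    return merged, conflicts
```

Because the merge is symmetric, each verification server can apply it independently to the data it receives from the other and both end the round with the same directory; the conflict list is what an operator reviews before the next round.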

When the user browsing interface is opened, the system also establishes a session, which is stored on the first verification server and on the client. The session contains user data such as the user account name, password, user authentication data, permission settings and so on. A ticket is generated from this session and stored in the session that connects the client to the first verification server 2100.

The invention is applied to the login system of a multinational company, where the user is a company employee. In other embodiments, for example when the login network serves global academic resources or a multinational bank, the identity of the user may be adjusted accordingly.

A "ticket", as the name suggests, is similar to the bus or movie tickets used in daily life: the user must obtain the ticket through some channel (purchase or application) and can then use it to enjoy a certain service. Likewise, after the key center creates a ticket for the server side, it issues the ticket to an authenticated client, and the client can later present the ticket to the server to request service (or to authenticate).

"Session variables" can be used to store and display information retained while the user visits the website (that is, during the session). The server creates a separate session object for each user and maintains it for a considerable period of time, or until the object is explicitly terminated.

If the user wishes to enter the employee portal to query personal data, then after the user selects that site in the browsing interface, the client connects to the web server 2110 to generate a link URL parameter (URL address), for example http://portal.via.com.tw?LoginServer=portal.viatech.com, and the login URL parameters of the first verification server 2100 are added to the link URL parameter to produce the complete URL, as shown by URL 2115 in Figure 2. The login URL parameters include USER_PW, HR_DEPT, SITE_GROUP, SITE_KEY, PERMISSION, SITE_LOCATION, SITE_SUB_GROUP, SSO_SERVER, IP_RANGE, USER_LOCATION and so on.

The first verification server 2100 generates a session ID corresponding to the user data, and adds the session ID, a plurality of system IDs corresponding to all the web servers the user may access, and a user ID corresponding to the user data to the user's ticket; the login URL parameters are not added to the ticket. The first verification server 2100 encrypts the ticket with a network key, rather than with a system ID, and transmits it to the web server 2110 for verification. After receiving the encrypted ticket, the web server 2110 decrypts it and determines from the data it contains whether verification passes, that is, whether the session ID, system ID and user ID are correct, and allows the user to enter the web server 2110 after successful verification.

When the user wishes to use the employee performance site of the mainland region, in the past the verification server of the mainland region, such as the second verification server 2200, would always require the user to enter the account name and password again to re-verify the user's entitlement. In the present invention, however, the user only needs to select that site in the same browsing interface, without entering the account name and password again. At this point the user still cannot enter the web server 2220, but the client connects directly to the web server 2220 to generate another link URL parameter, for example http://portal.via.com.cn?LoginServer=portal.viatech.com, and at the same time the web server 2220 receives the ticket held in the client's memory together with the login URL parameters of the first verification server 2100 transmitted by the client. Note that since the system IDs stored in the ticket after the first-stage verification already cover all the web servers the user may access, nothing needs to be added to the ticket when linking to another domain.

The invention provides two cross-region verification methods. In the first, the web server 2220 locates the first verification server 2100 in the other region from the login URL parameters it received and transmits the ticket to the first verification server 2100; the first verification server 2100 encrypts the ticket with the encryption key corresponding to the web server 2220 and returns it to the web server 2220. When the web server 2220 receives the encrypted ticket, it decrypts it and determines from the session ID in the decrypted ticket whether the user has previously passed verification by the first verification server 2100; after successful verification, the user is directly allowed to enter the web server 2220 to query or update data.

In the second cross-region verification method, the web server 2220 transmits the ticket and the login URL parameters to the second verification server 2200 in the same region. From the login URL parameters, the second verification server 2200 learns that the user has already been verified by the first verification server 2100, so it transmits the ticket directly to the first verification server 2100 to confirm whether the user has passed verification. On receiving the ticket, the first verification server 2100 encrypts it with the encryption key corresponding to the web server 2220 and returns it to the web server 2220; after the subsequent decryption and check succeed, the user is allowed to enter the web server 2220 without entering the employee account name and password again. Likewise, when logging in to web servers in the domains of other regions, the user is verified in the same way.
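The ticket flow described in the preceding paragraphs (issue at the first verification server, direct check by a same-domain web server, re-keying for a web server in another domain, and invalidation on logout; the same flow is enumerated as steps S302 to S319 in the flow chart below) as an added Python simulation. This is example code written for this page, not code from the patent or from Via Tech. It uses an HMAC-SHA256 tag in place of the network-key and per-server encryption the patent describes, because the standard library has no authenticated encryption; the tag binds the ticket to the key holder and detects tampering, but does not hide the ticket's contents. It also adds one check the text implies but does not spell out: a web server forwards a ticket only to a LoginServer host it already knows. The two URLs and the system IDs 2110 and 2220 come from the page; the other host names, keys, the user emp001 and its password are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlparse


def seal(key, payload):
    """JSON-serialize the ticket and append an HMAC-SHA256 tag under `key` (stand-in for encryption)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body + hmac.new(key, body, hashlib.sha256).digest()).decode()


def open_sealed(key, token):
    """Reverse of seal(); returns None if the 32-byte tag does not verify under `key`."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return json.loads(body)


def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()  # demo only; use a password KDF in practice


class VerificationServer:
    """Verification server 2100/2200: directory replica, network key, per-web-server keys, sessions."""
    def __init__(self, host, directory, network_key, server_keys):
        self.host, self.directory, self.network_key = host, directory, network_key
        self.server_keys = server_keys  # system_id -> key shared with that web server
        self.sessions = {}              # session_id -> user_id (step S304)

    def login(self, user_id, password):
        """S302-S304: check credentials against the directory and open a session."""
        rec = self.directory.get(user_id)
        if rec is None or not hmac.compare_digest(rec["password_hash"], pw_hash(password)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user_id
        return sid

    def issue_ticket(self, session_id):
        """S305, S308-S310: session ID, user ID and all accessible system IDs under the network key."""
        user_id = self.sessions[session_id]
        return seal(self.network_key, {"session_id": session_id, "user_id": user_id,
                                       "system_ids": sorted(self.directory[user_id]["system_ids"])})

    def reseal_for(self, ticket, system_id):
        """Cross-region step: confirm a returned ticket is ours and still live, reseal it for `system_id`."""
        payload = open_sealed(self.network_key, ticket)
        if payload is None or payload["session_id"] not in self.sessions:
            return None  # not our ticket, or the user has logged out since it was issued
        if system_id not in payload["system_ids"] or system_id not in self.server_keys:
            return None  # that web server is not among the user's permitted sites
        return seal(self.server_keys[system_id], payload)

    def logout(self, session_id):
        self.sessions.pop(session_id, None)  # closing the browsing interface destroys the session


class WebServer:
    """Web server 2110/2220, identified by its system ID."""
    def __init__(self, system_id, key, home_server, known_login_servers):
        self.system_id, self.key, self.home_server = system_id, key, home_server
        self.known_login_servers = known_login_servers  # host -> VerificationServer (allowlist)

    def admit(self, url, ticket):
        """S311 / S316-S318: open the ticket via the LoginServer issuer and check its IDs; user_id or None."""
        login_server = parse_qs(urlparse(url).query).get("LoginServer", [None])[0]
        if login_server == self.home_server.host:  # same domain: the ticket is under the network key
            issuer, payload = self.home_server, open_sealed(self.key, ticket)
        else:                                      # other domain: have the issuer reseal it for us
            issuer = self.known_login_servers.get(login_server)
            if issuer is None:
                return None  # unknown LoginServer host: the ticket is not forwarded anywhere
            resealed = issuer.reseal_for(ticket, self.system_id)
            payload = open_sealed(self.key, resealed) if resealed else None
        if payload is None or self.system_id not in payload["system_ids"]:
            return None
        return payload["user_id"] if payload["session_id"] in issuer.sessions else None


def demo():
    """Constructed two-domain deployment in the shape of Figure 2; keys, user and extra hosts are made up."""
    directory = {"emp001": {"password_hash": pw_hash("correct horse"), "system_ids": ["2110", "2220"]}}
    net_key_tw, key_2220 = secrets.token_bytes(32), secrets.token_bytes(32)
    tw = VerificationServer("portal.viatech.com", directory, net_key_tw, {"2220": key_2220})
    cn = VerificationServer("sso-second-domain.example", directory, secrets.token_bytes(32), {})
    known = {tw.host: tw, cn.host: cn}
    portal_tw = WebServer("2110", net_key_tw, tw, known)
    perf_cn = WebServer("2220", key_2220, cn, known)
    sid = tw.login("emp001", "correct horse")
    ticket = tw.issue_ticket(sid)
    cn_url = "http://portal.via.com.cn?LoginServer=portal.viatech.com"
    results = {
        "first_domain": portal_tw.admit("http://portal.via.com.tw?LoginServer=portal.viatech.com", ticket),
        "cross_domain": perf_cn.admit(cn_url, ticket),
        "unknown_login_server": perf_cn.admit("http://portal.via.com.cn?LoginServer=sso.unknown.example", ticket),
        "forged": perf_cn.admit(cn_url, seal(b"wrong key", {"session_id": sid, "user_id": "emp001", "system_ids": ["2220"]})),
    }
    tw.logout(sid)
    results["after_logout"] = perf_cn.admit(cn_url, ticket)  # session destroyed: the old ticket no longer admits
    return results
```

The four negative cases in `demo()` are the checks a deployment of this scheme depends on: a ticket sealed under the wrong key is rejected at the issuer, a LoginServer host outside the allowlist never receives the ticket, a web server the user is not entitled to is refused even with a valid ticket, and a ticket whose session has been destroyed by logout is refused regardless of its contents, which is what the paragraph on closing the browsing interface describes.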

When the user closes or logs out of the browsing interface, the session stored on the first verification server and on the client is destroyed; thereafter, when the user wishes to log in to the first verification server and reopen the browsing interface, the employee account name and password must be entered again.

Figure 3 is a flow chart showing the steps of the single sign-on method of an embodiment of the invention; please also refer to the system architecture diagram of Figure 2.

At fixed intervals, the first verification server and the second verification server each transmit the employee authentication data and permission settings that they hold to the other (step S301). The first verification server obtains the data entered by the user (step S302) and, according to the user authentication data, performs a verification operation on the user to determine whether the user passes verification (step S303). When verification succeeds, the user is allowed to log in to the first verification server and a session is generated when the user browsing interface is opened (step S304); a ticket is then generated according to the session, the ticket itself not being stored in a database (step S305).

It is determined whether a first link command is received (step S306), for example the user selecting the first web server through a user interface. When the first link command is received, a link URL parameter is generated and the login URL parameters of the first verification server are added to it (as shown by URL 2115 in Figure 2) (step S307). The first verification server generates a session ID corresponding to the user data (step S308) and adds the session ID, a first system ID corresponding to the first web server and a user ID corresponding to the user data to the ticket (step S309). The ticket is encrypted with a network key and transmitted to the first web server (step S310).

On receiving the ticket, the first web server decrypts it according to the first system ID and verifies the user according to the data contained in the ticket (step S311). It is determined whether the user passes verification (step S312), and after successful verification the user is allowed to log in (step S313). It is determined whether a second link command is received (step S314), for example the user selecting the second web server through the user interface. When the second link command is received, the first verification server adds a second system ID corresponding to the second web server to the ticket and, after encrypting the ticket according to the second system ID, transmits it to the second web server via the second verification server (step S315). On receiving the ticket, the second web server decrypts it according to the second system ID to obtain the login URL parameters contained in it (step S316). According to the login URL parameters, the user is verified at the second web server by means of the first verification server and according to the data contained in the ticket (step S317). It is determined whether the user passes verification (step S318), and after successful verification the user is allowed to log in (step S319). At this point the link URL parameter of the second web server is displayed as shown by URL 2225 in Figure 2.

The cross-region single sign-on method and system of this embodiment apply three principles, active dissemination, common comparison and concentration at each point, so that the authentication servers of the different domains always hold the latest and most consistent authentication data for comparison. In addition, by using Uniform Resource Locator (URL) technology, a user authenticated in a single domain can use the resources of different domains through the servers' cross-checking mechanism, without repeating the login authentication step, as shown in Figure 2.

The invention further provides a recording medium, such as an optical disc, a floppy disk or a removable hard disk, which records a computer readable authorization sign-off program for performing the cross-region single sign-on method described above. The authorization sign-off program stored on the recording medium is essentially composed of a plurality of code segments, for example an organization-chart creation code segment, a sign-off form code segment, a settings code segment and a deployment code segment, and the functions of these code segments correspond to the steps of the method and the functional blocks of the system described above.

While the invention has been disclosed above by way of preferred embodiments, these are not intended to limit the invention. Anyone skilled in the art may make various changes and modifications without departing from the spirit and scope of the invention; the scope of protection of the invention is therefore defined by the appended claims.

2100 ... first verification server
2110..2130 ... web servers
2115 ... URL
2150 ... database
2200 ... second verification server
2210..2230 ... web servers
2225 ... URL
2250 ... database
2300 ... user interface

Figure 1 is a schematic diagram showing a user logging in to different web servers.

Figure 2 is a schematic diagram showing the architecture of the single sign-on system of an embodiment of the invention.

Figure 3 is a flow chart showing the steps of the single sign-on method of an embodiment of the invention.


Claims (27)

1. A single sign-on method, applicable to a single sign-on system, wherein the single sign-on system comprises at least a first verification server and a second verification server, the first verification server and the second verification server being connected respectively to at least a first network server and a second network server, the first verification server and the first network server belonging to a first domain, and the second verification server and the second network server belonging to a second domain, the method comprising the following steps: performing a verification operation on a user according to predefined user authentication data to determine whether the user passes verification; when verification succeeds, allowing the user to log in to the first verification server; generating a license according to a session; determining whether a first link command is received; when the first link command is received, generating a link URL parameter and adding a login URL parameter of the first verification server to the link URL parameter; adding the login URL parameter and the user authentication data to the license and transmitting the license to the first network server to allow the user to log in to the first network server; determining whether a second link command is received; when the second link command is received, transmitting the license to the second network server via the second verification server; obtaining, by the second network server, the login URL parameter in the license; according to the login URL parameter, verifying the user at the second network server using the first verification server and according to the user authentication data contained in the license; and when the user is verified successfully, allowing the user to log in to the second network server.

2. The single sign-on method of claim 1, further comprising generating the session when a user browsing interface is opened.

3. The single sign-on method of claim 2, further comprising the following steps: after the login URL parameter is added to the link URL parameter, generating, by the first verification server, a session identifier corresponding to user input data; and adding the session identifier, a first system identifier corresponding to the first network server, a user identifier corresponding to the user data, and the login URL parameter to the license.

4. The single sign-on method of claim 3, further comprising encrypting the license according to the first system identifier and transmitting it to the first network server.

5. The single sign-on method of claim 4, further comprising the following steps: when the license is received, decrypting the license by the first network server according to the first system identifier; verifying the user according to the user authentication data contained in the license to determine whether the user passes verification; and allowing the user to log in to the first network server after verification succeeds.

6. The single sign-on method of claim 5, further comprising the following steps: when the second link command is received, adding, by the first verification server, a second system identifier corresponding to the second network server to the license; and transmitting the license to the second network server via the second verification server.

7. The single sign-on method of claim 6, further comprising, when the license is received, decrypting the license by the second network server according to the second system identifier to obtain the login URL parameter contained therein.

8. The single sign-on method of claim 1, further comprising the first verification server and the second verification server each transmitting, at fixed intervals, the user authentication data and permission settings belonging to it to the other.

9. The single sign-on method of claim 1, wherein the license is not stored in a database.

10. A single sign-on system, comprising: a first verification server, for performing a verification operation on a user according to predefined user authentication data to determine whether the user passes verification, allowing the user to log in when verification succeeds, generating a license according to a session, determining whether a first link command is received, and, when the first link command is received, generating a link URL parameter, adding a login URL parameter of the first verification server to the link URL parameter, and adding the login URL parameter and the user authentication data to the license; a first network server, coupled to the first verification server, for obtaining the license from the first network server to allow the user to log in; a second verification server, coupled to the first verification server, for obtaining the license when the first verification server receives a second link command; and a second network server, coupled to the second verification server, for obtaining the login URL parameter in the license from the second verification server, verifying the user at the second network server according to the login URL parameter using the first verification server and according to the user authentication data contained in the license, and allowing the user to log in to the second network server when the user is verified successfully; wherein the first verification server and the first network server belong to a first domain, and the second verification server and the second network server belong to a second domain.

11. The single sign-on system of claim 10, wherein the first verification server generates the session when a user browsing interface is opened.

12. The single sign-on system of claim 11, wherein, after the login URL parameter is added to the link URL parameter, the first verification server generates a session identifier corresponding to user input data and adds the session identifier, a first system identifier corresponding to the first network server, a user identifier corresponding to the user data, and the login URL parameter to the license.

13. The single sign-on system of claim 12, wherein the first verification server encrypts the license according to the first system identifier and transmits it to the first network server.

14. The single sign-on system of claim 13, wherein, when the license is received, the first network server decrypts the license according to the first system identifier, verifies the user according to the user authentication data contained in the license to determine whether the user passes verification, and allows the user to log in after verification succeeds.

15. The single sign-on system of claim 14, wherein, when the second link command is received, the first verification server adds a second system identifier corresponding to the second network server to the license and transmits the license to the second network server via the second verification server.

16. The single sign-on system of claim 15, wherein, when the license is received, the second network server decrypts the license according to the second system identifier to obtain the login URL parameter contained therein.

17. The single sign-on system of claim 10, wherein the first verification server and the second verification server each transmit, at fixed intervals, the user authentication data and permission settings belonging to it to the other.

18. The single sign-on system of claim 10, wherein the license is not stored in a database.

19. A computer-readable medium for storing a computer program to be loaded into a computer system and causing the computer system to perform a single sign-on method, the method being applicable to a single sign-on system, wherein the single sign-on system comprises at least a first verification server and a second verification server, the first verification server and the second verification server being connected respectively to at least a first network server and a second network server, the first verification server and the first network server belonging to a first domain, and the second verification server and the second network server belonging to a second domain, the method comprising the following steps: performing a verification operation on a user according to predefined user authentication data to determine whether the user passes verification; when verification succeeds, allowing the user to log in to the first verification server; generating a license according to a session; determining whether a first link command is received; when the first link command is received, generating a link URL parameter and adding a login URL parameter of the first verification server to the link URL parameter; adding the login URL parameter and the user authentication data to the license and transmitting the license to the first network server to allow the user to log in to the first network server; determining whether a second link command is received; when the second link command is received, transmitting the license to the second network server via the second verification server; obtaining, by the second network server, the login URL parameter in the license; according to the login URL parameter, verifying the user at the second network server using the first verification server and according to the user authentication data contained in the license; and when the user is verified successfully, allowing the user to log in to the second network server.

20. The computer-readable medium of claim 19, further comprising generating the session when a user browsing interface is opened.

21. The computer-readable medium of claim 20, further comprising the following steps: after the login URL parameter is added to the link URL parameter, generating, by the first verification server, a session identifier corresponding to user input data; and adding the session identifier, a first system identifier corresponding to the first network server, a user identifier corresponding to the user data, and the login URL parameter to the license.

22. The computer-readable medium of claim 21, further comprising encrypting the license according to the first system identifier and transmitting it to the first network server.

23. The computer-readable medium of claim 22, further comprising the following steps: when the license is received, decrypting the license by the first network server according to the first system identifier; verifying the user according to the user authentication data contained in the license to determine whether the user passes verification; and allowing the user to log in to the first network server after verification succeeds.

24. The computer-readable medium of claim 23, further comprising the following steps: when the second link command is received, adding, by the first verification server, a second system identifier corresponding to the second network server to the license; and transmitting the license to the second network server via the second verification server.

25. The computer-readable medium of claim 24, further comprising, when the license is received, decrypting the license by the second network server according to the second system identifier to obtain the login URL parameter contained therein.

26. The computer-readable medium of claim 19, further comprising the first verification server and the second verification server each transmitting, at fixed intervals, the user authentication data and permission settings belonging to it to the other.

27. The computer-readable medium of claim 19, wherein the license is not stored in a database.
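The flow of claims 1 through 7 (authenticate at the first verification server, build a license carrying the session identifier, system identifier, user identifier and login URL parameter, encrypt it for the first network server, then add the second system identifier and hand the license through the second verification server to the second network server, which verifies the user back at the first verification server) as an added Python sketch. This is not the patent's own code and is not from VIA Technologies; the server names, key material, user record, login URL and the HMAC-based encrypt-then-MAC stand-in for a real authenticated cipher are all constructed assumptions made here so that the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# Constructed: each network server shares a secret with the verification servers.
# The claims encrypt the license "according to the system identifier"; here the
# identifier only selects the shared secret, so a public identifier is never the key.
SYSTEM_KEYS = {
    "web-2110": hashlib.sha256(b"constructed secret for first network server").digest(),
    "web-2210": hashlib.sha256(b"constructed secret for second network server").digest(),
}
USERS = {"alice": hashlib.sha256(b"correct-horse").digest()}  # constructed user record
LOGIN_URL = "https://auth.first-domain.example/verify"       # placeholder login URL parameter


def _keystream(key, nonce, length):
    """Stand-in keystream (HMAC in counter mode) so the block needs no extra libraries."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(system_id, payload):
    """Encrypt-then-MAC the license for the system that system_id names."""
    key = SYSTEM_KEYS[system_id]
    nonce = os.urandom(16)
    plain = json.dumps(payload, sort_keys=True).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + cipher + tag)


def unseal(system_id, blob):
    """Check the tag before decrypting; a license sealed for another system is rejected."""
    key = SYSTEM_KEYS[system_id]
    raw = base64.urlsafe_b64decode(blob)
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("license rejected: authentication tag mismatch")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class VerificationServer:
    """First verification server: sessions live in memory, the license itself is never stored."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        """Verify against the predefined user authentication data (sha256 stands in for a password hash)."""
        digest = hashlib.sha256(password.encode()).digest()
        if user not in USERS or not hmac.compare_digest(USERS[user], digest):
            return None
        session_id = secrets.token_hex(16)  # the session the license is generated from
        self.sessions[session_id] = user
        return session_id

    def issue_license(self, session_id, first_system):
        """First link command: session id, system id, user id and login URL go into the license."""
        lic = {"session_id": session_id, "system_id": first_system,
               "user_id": self.sessions[session_id], "login_url": LOGIN_URL}
        return seal(first_system, lic)

    def forward_license(self, session_id, first_system, blob, second_system):
        """Second link command: add the second system identifier and re-seal for that server."""
        lic = unseal(first_system, blob)
        if lic["session_id"] != session_id:
            raise ValueError("license does not belong to this session")
        lic["system_id"] = second_system
        return seal(second_system, lic)

    def verify(self, session_id, user_id):
        """Callback reached through the login URL carried in the license."""
        return self.sessions.get(session_id) == user_id


def network_server_login(system_id, blob, auth_server):
    """A network server in either domain: decrypt with its own key, then verify via the login URL."""
    lic = unseal(system_id, blob)
    if lic["system_id"] != system_id:
        return False
    return auth_server.verify(lic["session_id"], lic["user_id"])


def run_flow(user, password):
    """Returns (logged in to first server, logged in to second server)."""
    auth1 = VerificationServer()
    session_id = auth1.login(user, password)
    if session_id is None:
        return (False, False)
    lic1 = auth1.issue_license(session_id, "web-2110")
    ok_first = network_server_login("web-2110", lic1, auth1)
    lic2 = auth1.forward_license(session_id, "web-2110", lic1, "web-2210")
    ok_second = network_server_login("web-2210", lic2, auth1)
    return (ok_first, ok_second)
```

Two design points worth noting. The second network server never trusts the license on its own: as claim 1 requires, it follows the login URL parameter back to the first verification server, so a license whose session has ended verifies as false even though its tag still checks. And because the system identifier only indexes a shared secret, a license sealed for the first network server cannot be opened by the second one; the tag check fails before any plaintext is produced.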
TW96135739A 2007-09-26 2007-09-26 Single sign-on system and method and computer readable medium thereof TWI389534B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW96135739A TWI389534B (en) 2007-09-26 2007-09-26 Single sign-on system and method and computer readable medium thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW96135739A TWI389534B (en) 2007-09-26 2007-09-26 Single sign-on system and method and computer readable medium thereof

Publications (2)

Publication Number Publication Date
TW200915818A TW200915818A (en) 2009-04-01
TWI389534B true TWI389534B (en) 2013-03-11

Family

ID=44725834

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96135739A TWI389534B (en) 2007-09-26 2007-09-26 Single sign-on system and method and computer readable medium thereof

Country Status (1)

Country Link
TW (1) TWI389534B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI621961B (en) 2015-04-01 2018-04-21 群暉科技股份有限公司 Identity switching method and associated server
JP7177303B1 (en) * 2021-06-30 2022-11-22 楽天グループ株式会社 Service providing system, service providing method, and program

Also Published As

Publication number Publication date
TW200915818A (en) 2009-04-01

Similar Documents

Publication Publication Date Title
US20200228335A1 (en) Authentication system for enhancing network security
US11770261B2 (en) Digital credentials for user device authentication
US7568098B2 (en) Systems and methods for enhancing security of communication over a public network
JP5695120B2 (en) Single sign-on between systems
JP5619019B2 (en) Method, system, and computer program for authentication (secondary communication channel token-based client-server authentication with a primary authenticated communication channel)
JP4746266B2 (en) Method and system for authenticating a user for a sub-location in a network location
CN1885771B (en) Method and apparatus for establishing a secure communication session
CN100580657C (en) Distributed single sign-on service
EP2442204B1 (en) System and method for privilege delegation and control
JP4016019B2 (en) Apparatus, system, and method for providing authorized remote access to a target system
US7571311B2 (en) Scheme for sub-realms within an authentication protocol
US8438383B2 (en) User authentication system
US20020178370A1 (en) Method and apparatus for secure authentication and sensitive data management
JP2004048679A (en) Session key security protocol
JP2001326632A (en) Distribution group management system and method
JP2004509398A (en) System for establishing an audit trail for the protection of objects distributed over a network
JPH10269184A (en) Security management method for network system
KR20210095093A (en) Method for providing authentification service by using decentralized identity and server using the same
EP3185465A1 (en) A method for encrypting data and a method for decrypting data
Guo et al. Using blockchain to control access to cloud data
KR102372503B1 (en) Method for providing authentification service by using decentralized identity and server using the same
JPH05298174A (en) Remote file access system
KR101510290B1 (en) Apparatus for implementing two-factor authentication into vpn and method for operating the same
TWI389534B (en) Single sign-on system and method and computer readable medium thereof
JPH08335207A (en) Authorizing method for network user