US20120254429A1 - Non-Intrusive Single Sign-On Mechanism in Cloud Services - Google Patents

Info

Publication number: US20120254429A1
Authority: US (United States)
Prior art keywords: domain name, session, platform server, request, service provider
Legal status: Abandoned
Application number: US13/430,746
Inventors: Chen Hua Feng, Kai Tang, Yun Tao Wang, Jiang Ming Zhang
Current assignee: International Business Machines Corp
Original assignee: International Business Machines Corp
Priority to: US13/584,905 (US8825855B2)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 61/00: Network arrangements, protocols or services for addressing or naming
    • H04L 61/30: Managing network names, e.g. use of aliases or nicknames
    • H04L 61/301: Name conversion
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/14: Session management
    • H04L 67/146: Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H04L 67/50: Network services
    • H04L 67/56: Provisioning of proxy services
    • H04L 67/563: Data redirection of data network streams
    • H04L 67/564: Enhancement of application control based on intercepted application data
    • H04L 2101/00: Indexing scheme associated with group H04L 61/00
    • H04L 2101/30: Types of network names
    • H04L 2101/33: Types of network names containing protocol addresses or telephone numbers

Definitions

  • the present invention relates to Single Sign-on, and particularly to a method and device for Single Sign-On in a cloud computing environment.
  • Single Sign-On is a popular identity authentication mechanism, which is an authentication and authorization mechanism between a plurality of application systems or services having mutual trust; Single Sign-On includes single sign-in and single sign-out.
  • FIG. 1 illustrates a system schematic diagram of a user's Single Sign-On in the prior art; in the system shown in FIG. 1, a user 102 accesses a cloud computing platform server 106 and web services 108 and 110 linked by a platform server page via his/her client browser 104.
  • the user 102 signs in to the platform server 108 via a client browser to obtain the permission to access the platform server 108, and accesses the web services 108 and 110 via the platform server page links.
  • the session life cycles of the user in various integrated applications are not synchronous; for example, the user accesses a network service 1 provided by a service provider SP1 and a network service 2 provided by a service provider SP2 via the cloud computing intranet platform, and then the user signs out from the sign-out interface of the intranet platform.
  • although the user has signed out from the sign-out interface of the intranet platform, he/she has not actually signed out of SP1 and SP2, since no sign-out request was issued to SP1 and SP2; the sessions between the user and SP1 and SP2 may therefore still be valid, so that the session life cycles between the user and the system platform and its applications are not synchronous.
  • if another user then signs on and accesses SP1 and SP2, he/she will reach the interface of the previous user, which will confuse the other user and give hackers an opportunity to threaten network security.
  • the implementation of existing Single Sign-On requires the platform and service providers to conform to a unified programming model, while in a cloud computing environment, where user demands keep growing, services often have to be added on short notice; if each service provider needs to be closely coupled with the platform provider, enormous human and financial resources are required to modify their respective code to jointly build a unified programming model for Single Sign-On.
  • the present invention provides a method and a device for Single Sign-On.
  • a method for Single Sign-On wherein a user accesses a platform server and at least one service provider on the platform server includes the steps of intercepting a request sent by the user via a client browser, extracting a domain name included in the request, and determining the type of the domain name.
  • in response to a determination that the domain name is an original domain name of the platform server, the method generates a global session ID for uniquely identifying a session between the user and the platform server; generates a new domain name of the platform server associated with the global session ID; redirects the URL in the request to a new URL including the new domain name of the platform server; and forwards the request including the new URL of the platform server to the platform server.
  • a device for Single Sign-On wherein a user accesses a platform server and at least one service provider on the platform server, includes: a request interception module configured to intercept a request sent by the user via a client browser; a domain name extracting module configured to extract a domain name included in the request; a domain name type determining module configured to determine the type of the domain name; a global session ID generating module configured to, in response to a determination by the domain type determining module that the type of the domain name is an original domain name of the platform server, generate a global session ID for uniquely identifying the session between the user and the platform server; a new domain name generating module configured to generate a new domain name of the platform server associated with the global session ID; a URL redirecting module configured to redirect the URL in the request to a new URL including the new domain name of the platform server; and a request forwarding module configured to forward the request including the new URL of the platform server to the platform server.
  • a global session ID is introduced to uniformly manage the session life cycle of the platform server and service providers.
  • FIG. 1 is a system schematic diagram of a user's Single Sign-On in the prior art
  • FIG. 2 illustrates a method for Single Sign-On according to an embodiment of the present invention
  • FIG. 3 illustrates a detailed implementation process of step S 206 in FIG. 2;
  • FIG. 4 illustrates a detailed implementation process of step S 208 in FIG. 2;
  • FIG. 5 illustrates a detailed implementation process of step S 210 in FIG. 2;
  • FIG. 6 illustrates a detailed implementation process of step S 212 in FIG. 2;
  • FIG. 7 illustrates a device 700 for Single Sign-On according to an embodiment of the present invention.
  • FIG. 8 illustrates the process of Single Sign-On according to an embodiment of the present invention.
  • the method for Single Sign-On of the present invention introduces an intermediate agent between the client browser and the platform server that intercepts all requests sent by the user via the client browser and analyzes them, and generates a global session ID to manage the session life cycles of the platform server and the service providers; the domain names of the platform server and the service providers are associated with the generated global session ID so as to form a domain name chain associated with that ID, which keeps the session life cycles in the platform server and the various applications synchronized.
  • FIG. 2 illustrates a method for Single Sign-On according to an embodiment of the present invention, wherein a user accesses a platform server and at least one service provider on the platform server, the method including: intercepting a request sent by the user via a client browser at step S 200 ; extracting the domain name included in the request at step S 202 ; determining the type of the domain name, and processing according to the type of the domain name respectively at step S 204 , wherein the type of the domain name includes: an original domain name of the platform server, an original domain name of the service provider, a new domain name of the platform server associated with a global session ID or a new domain name of the service provider associated with the global session ID.
  • the type of the domain name may be determined by utilizing information recorded in a domain name session mapping table, the information recorded in the domain name session mapping table including: a global session ID, a new domain name of the platform server associated with the global session ID, a new domain name of the service provider associated with the global session ID, state information of the session between the user and the platform server.
  • if an obtained domain name is <sid1.wdp.com>, and by querying the domain name session mapping table it is learned that the global session ID is sid1, then it can be determined that the domain name is a new domain name of the platform server associated with the global session ID; if an obtained domain name is <www.wdp.com>, it can be determined that the domain name is an original domain name of the platform server; if an obtained domain name is <sid1.sp1.com>, it can be determined that the domain name is a new domain name of the service provider sp1 associated with the global session ID; if an obtained domain name is <www.sp1.com>, it can be determined that the domain name is an original domain name of the service provider sp1.
  • processing is performed respectively according to the determination results.
  • if the results indicate that the domain name type is an original domain name of the platform server, then at step S 206 the request is processed and the processed request is forwarded to the platform server, and the process ends. If the results indicate that the domain name type is an original domain name of a service provider, then at step S 208 the request is processed and the processed request is forwarded to the service provider, and the process ends. If the results indicate that the type of the domain name is a new domain name of the platform server associated with the global session ID, then processing is performed and the request is forwarded to the platform server at step S 210, and the process ends. If the results indicate that the domain name type is a new domain name of a service provider associated with the global session ID, then the request is forwarded to the service provider at step S 212, and the process ends.
  • FIGS. 3-6 illustrate the detailed implementation processes of step S 206 , step S 208 , step S 210 and step S 212 in FIG. 2 respectively, wherein FIG. 3 illustrates a detailed implementation process of step S 206 in FIG. 2 .
  • a global session ID is generated, the global session ID being used to uniquely identify the session between the user and the platform server.
  • the method generates a new domain name of the platform server associated with the global session ID.
  • the new domain name can be generated according to a predefined rule; according to an embodiment of the present invention, the predefined rule is to replace the “www” in the domain name with the newly generated global session ID.
  • FIG. 4 illustrates a detailed implementation process of step S 208 in FIG. 2, including: at step S 2081, in response to a determination that the domain name is an original domain name of the at least one service provider, extracting the new domain name of the platform server associated with the global session ID; since the user accesses the service provider via a link provided by the platform server, and since according to FIG. 3 the original domain name of the platform server is transformed to the new domain name associated with the global session ID when the user requests to sign in to the platform server, the new domain name of the platform server can be extracted from the Referer field of the request; at step S 2082, extracting the global session ID from the new domain name of the platform server; at step S 2083, generating a new domain name of the at least one service provider associated with the global session ID, which can be generated according to a predefined rule, for example, if the generated global session ID is sid1, the original domain name <www.sp1.com> of the service provider SP1 is transformed to <sid1.sp1.com>; at step S 2084, redirecting the URL accessing the at least one service provider to a new URL including the new domain name of the at least one service provider, e.g., redirecting the URL <http://www.sp1.com> to the new URL <http://sid1.s
  • FIG. 5 illustrates a detailed implementation process of step S 210 in FIG. 2, including: at step S 2101, in response to a determination that the domain name is a new domain name of the platform server associated with a global session ID, determining the type of the request; if the type of the request is not that of signing out of the platform server, proceeding to step S 2104 to forward the request to the platform server; if the type of the request is that of signing out of the platform server, invalidating the active and valid sessions between the user and the service providers associated with the global session ID, wherein whether there are active and valid sessions of service providers associated with the global session ID may be learned by querying the domain name session mapping table, e.g., it may be found from Table 1 that there are active and valid sessions between the user and the service providers SP1 and SP2 associated with the global session ID; at step S 2103, updating the session state information recorded in the domain name session mapping table, marking the previously active and valid sessions of SP1 and SP2 as invalid; then proceeding to
  • FIG. 6 illustrates a detailed implementation process of step S 212 in FIG. 2, including: at step S 2121, in response to a determination that the domain name is a new domain name of the service provider associated with a global session ID, determining the type of the request; if the type of the request is that of signing out of the service provider, proceeding to step S 2124 to update the state information of the session between the user and the service provider in the domain name session mapping table, and at step S 2125 forwarding the request to the service provider; if the type of the request is accessing the service provider, further determining at step S 2122 whether the session between the user and the platform server associated with the global session ID is invalid, which may be determined by querying the domain name session mapping table; if the session between the user and the platform server is invalid, proceeding to step S 2123 to transform the request into one of signing out of the service provider, and at step S 2124 updating the domain name session mapping table, i.
  • FIG. 7 illustrates a device 700 for Single Sign-On according to an embodiment of the present invention, including: a request interception module 702 configured to intercept a request sent by a user via a client browser; a domain name extracting module 704 configured to extract a domain name included in the request; a domain name type determining module 706 configured to determine the type of the domain name; a global session ID generating module 708 configured to, in response to a determination that the type of the domain name is an original domain name of the platform server, generate a global session ID; a new domain name generating module 710 configured to generate a new domain name of the platform server associated with the global session ID; a URL redirecting module 712 configured to redirect the URL in the request to a new URL including the new domain name of the platform server; a request forwarding module 714 configured to forward the request re
  • the device for Single Sign-On of the present invention further includes a recording module configured to record the new domain name of the platform server, the global session ID and the state information of the session between the user and the platform server in a domain name session mapping table.
  • the device for Single Sign-On of the present invention further includes a global session ID extracting module configured to, in response to a determination that the domain name is an original domain name of the at least one service provider, extract the new domain name of the platform server associated with the global session ID from the request, and extract the global session ID from the new domain name of the platform server; wherein the new domain name generating module is further configured to generate a new domain name of the at least one service provider associated with the global session ID; the URL redirecting module is further configured to redirect the URL accessing the at least one service provider to the new URL including the new domain name of the at least one service provider; and the request forwarding module is further configured to forward the request including the new URL of the at least one service provider to the at least one service provider.
  • the recording module is further configured to: record the new domain name of the at least one service provider, the global session ID and the state information of the session between the user and the service provider in the domain name session mapping table.
  • the device for Single Sign-On of the present invention further includes: a request type determining module configured to, in response to a determination that the type of the domain name is a new domain name of the platform server associated with a global session ID, determine the type of the request; and a session invalidating module configured to, in response to a determination that the request type is that of signing out of the platform server, invalidate the active and valid sessions between the user and the service providers associated with the global session ID.
  • the recording module is further configured to: update the state information of the session between the user and the platform server and the session between the user and the service provider that are recorded in the domain name session mapping table.
  • the request type determining module is further configured to, in response to a determination that the type of the domain name is a new domain name of a service provider associated with a global session ID, determine the type of the request; a session state querying module is configured to, in response to a determination that the request type is accessing a service provider, determine whether the session between the user and the platform server associated with the global session ID is invalid; and the request forwarding module is further configured to, in response to a determination that the session between the user and the platform server is invalid, transform the request into one of signing out of the service provider and forward the transformed request to the service provider.
  • the recording module is further configured to update the state information of the session between the user and the service provider recorded in the domain name session mapping table from active and valid to invalid.
  • FIG. 8 illustrates a process of Single Sign-On according to an embodiment of the present invention.
  • the user can access the resources of the platform server via his/her client browser and access network services provided by a plurality of service providers (SPs) through the platform server.
  • the device 800 of the present invention resides on an HTTP server between the client browser and a web application server.
  • at step S 802, the user requests to access the resource of the platform server, http://www.wdp.com, via the client browser.
  • the device 800 intercepts the request, extracts the domain name included in the request, determines the type of the domain name, and, in response to a determination that the domain name is the original domain name of the platform server, generates a global session ID <sid1> that uniquely identifies the current session, generates a new domain name <sid1.wdp.com> of the platform server associated with the global session ID <sid1>, redirects the URL <http://www.wdp.com> to the new URL <http://sid1.wdp.com> that includes the new domain name, forwards the user request to the HTTP server, and records the new domain name of the platform server, the global session ID and the active and valid state of the session in the domain name session mapping table (Table 2).
  • the HTTP server processes the user request and returns to the client browser a response redirecting it to <http://sid1.wdp.com>; according to an embodiment of the present invention, an HTTP 307 response is returned to the client browser to redirect the request to <http://sid1.wdp.com>, the response being typically shown as follows:
  • at step S 808, after receiving the response redirecting it to <http://sid1.wdp.com>, the client browser requests the address designated in the response; at this time the request is typically shown as follows: GET <http://sid1.wdp.com>.
  • the device 800 intercepts the request again, analyzes it and extracts the domain name <sid1.wdp.com>, and by querying the domain name session mapping table (Table 2) learns that the domain name is a new domain name of the platform server associated with the global session ID; it therefore forwards the request to the HTTP server, which transmits it to the web application server.
  • at step S 812, the web application server, after receiving the user request, responds by returning the requested resource http://sid1.wdp.com to the client browser.
  • at step S 814, assume that the user clicks a link in the page corresponding to the URL <http://sid1.wdp.com> of the platform server to request access to the network service resource <http://www.sp1.com> of the service provider SP1.
  • at step S 816, the device 800 intercepts the request, extracts the domain name www.sp1.com, determines that it is the original domain name of the service provider SP1, and extracts the new domain name <sid1.wdp.com> of the platform server from the Referer header field; according to the HTTP protocol the current request includes a Referer header field indicating the page from which the resource <http://www.sp1.com> of the service provider SP1 was requested, and since the webpage address of the platform server has been redirected to <http://sid1.wdp.com>, a typical request is shown as follows:
  • the HTTP server processes the user request and returns to the client browser a response redirecting it to <http://sid1.sp1.com>.
  • at step S 820, after receiving the response redirecting it to <http://sid1.sp1.com>, the client browser requests the address designated in the response; at this time the request is typically shown as follows: GET <http://sid1.sp1.com>.
  • the device 500 intercepts the request again, extracts the domain name <sid1.sp1.com>, and by querying the domain name session mapping table (Table 3) learns that the domain name is a domain name associated with the global session ID; it therefore forwards the request to the HTTP server, which transmits it to the web application server.
  • at step S 824, after receiving the user request, the web application server responds by returning the requested resource <http://sid1.sp1.com> to the client browser.
  • at step S 826, the user clicks the platform server sign-out link http://sid1.wdp.com/logout.jsp to request to sign out of the platform server.
  • the device 800 intercepts the request, extracts the domain name <sid1.wdp.com>, determines that the domain name is a new domain name of the platform server and that the request is a request to sign out of the platform server, and by querying the domain name session mapping table (Table 3) learns that there is an active and valid session of the service provider SP1 associated with sid1; it therefore invalidates the session of SP1, forwards the sign-out request to the HTTP server, which transmits it to the web application server, and updates the session state of the platform server and SP1 in the domain name session mapping table (Table 3) from active and valid to invalid, obtaining Table 4.
  • at step S 830, after receiving the user request, the web application server responds by returning the sign-out webpage of the platform server to the client browser.
  • at step S 832, the user accesses the network service resource <http://sid1.sp1.com> of the service provider SP1 by clicking the link on the platform server webpage.
  • the device 800 intercepts the request, extracts the domain name <sid1.sp1.com>, learns by querying the domain name session mapping table that the domain name is a new domain name of SP1 associated with the global session ID, and finds by querying that the session of SP1 is invalid; it therefore redirects the requested URL <http://sid1.sp1.com> to the sign-out URL <http://sid1.sp1.com/logout.jsp> of the service provider and forwards the sign-out request to the HTTP server, which transmits it to the web application server.
  • at step S 836, after receiving the user request, the web application server responds by returning the sign-out page of SP1 to the client browser.
  • session synchronization between the user and the platform server as well as the service providers is uniformly managed by utilizing the global session ID; although the user only signs out from the website of the platform server, he/she actually signs out of all the active and valid service provider websites thereon. Therefore, the problems of repeated jumps to sign-out pages of different applications or forgetting to sign out of some applications will not occur, and user experience will be better and security will be enhanced.
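The intercepting agent and its domain name session mapping table, as described for FIGS. 2-6 and walked through in FIG. 8, as an added example (not code from the patent or from IBM): a Python simulation that classifies each request by domain name type, binds the platform and service-provider domains to a global session ID by rewriting the "www" label, and propagates a platform sign-out to every bound service provider. The class and function names, the table layout, the "reject" outcome for a Referer that does not resolve to a known session and the random ID default are assumptions of this example; the domains wdp.com and sp1.com, the ID sid1 and the path /logout.jsp come from the patent's walkthrough.

```python
# Added example (not the patent's or IBM's code): a simulation of the intercepting agent
# the patent calls "device 800". Domains, "sid1" and /logout.jsp are the patent's examples.
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit
import secrets

PLATFORM_HOST = "www.wdp.com"              # original domain name of the platform server
SP_HOSTS = {"www.sp1.com", "www.sp2.com"}  # original domain names of the service providers
SIGNOUT_PATH = "/logout.jsp"               # sign-out resource used in the patent's walkthrough

@dataclass
class Request:
    url: str
    referer: str = ""                      # Referer header, empty if the browser sent none

@dataclass
class Action:
    kind: str                              # "redirect" (HTTP 307), "forward" or "reject"
    url: str

@dataclass
class SessionRecord:                       # one row of the domain name session mapping table (layout assumed)
    platform_domain: str                   # e.g. sid1.wdp.com
    platform_state: str = "active"         # "active" or "invalid"
    sp_domains: dict = field(default_factory=dict)  # sid1.sp1.com -> "active"/"invalid"

def rewrite_host(host: str, sid: str) -> str:
    """Predefined rule from the patent: replace the leading 'www' label with the session ID."""
    if not host.startswith("www."):
        raise ValueError(f"cannot rewrite {host}: no leading www label")
    return sid + host[len("www"):]

def with_host(url: str, host: str, path=None) -> str:
    p = urlsplit(url)
    return urlunsplit((p.scheme, host, p.path if path is None else path, p.query, p.fragment))

class SsoAgent:
    def __init__(self, id_factory=None):
        self.table: dict[str, SessionRecord] = {}   # global session ID -> record
        self._new_id = id_factory or (lambda: secrets.token_urlsafe(16))

    def classify(self, host):
        """Step S 204: decide the domain name type, using the mapping table for bound names."""
        if host == PLATFORM_HOST:
            return "platform_original", None
        if host in SP_HOSTS:
            return "sp_original", None
        sid = (host or "").partition(".")[0]     # bound names carry the session ID as first label
        rec = self.table.get(sid)
        if rec and host == rec.platform_domain:
            return "platform_new", sid
        if rec and host in rec.sp_domains:
            return "sp_new", sid
        return "unknown", None

    def handle(self, req: Request) -> Action:
        host, path = urlsplit(req.url).hostname, urlsplit(req.url).path
        kind, sid = self.classify(host)
        if kind == "platform_original":                   # FIG. 3, step S 206
            sid = self._new_id()
            new_host = rewrite_host(host, sid)
            self.table[sid] = SessionRecord(platform_domain=new_host)
            return Action("redirect", with_host(req.url, new_host))
        if kind == "sp_original":                         # FIG. 4, step S 208
            # The session ID is recovered from the Referer, a client-supplied header that may be
            # absent or stripped; only a value resolving to a bound platform domain in our own table counts.
            ref_kind, sid = self.classify(urlsplit(req.referer).hostname)
            if ref_kind != "platform_new":
                return Action("reject", req.url)
            new_host = rewrite_host(host, sid)
            self.table[sid].sp_domains[new_host] = "active"
            return Action("redirect", with_host(req.url, new_host))
        if kind == "platform_new":                        # FIG. 5, step S 210
            rec = self.table[sid]
            if path == SIGNOUT_PATH:                      # platform sign-out invalidates every SP session too
                rec.platform_state = "invalid"
                rec.sp_domains = {d: "invalid" for d in rec.sp_domains}
            return Action("forward", req.url)
        if kind == "sp_new":                              # FIG. 6, step S 212
            rec = self.table[sid]
            if path == SIGNOUT_PATH:
                rec.sp_domains[host] = "invalid"
                return Action("forward", req.url)
            if rec.platform_state == "invalid":           # platform already signed out:
                rec.sp_domains[host] = "invalid"          # turn the access into an SP sign-out
                return Action("forward", with_host(req.url, host, SIGNOUT_PATH))
            return Action("forward", req.url)
        return Action("reject", req.url)

def run_fig8_scenario():
    """Replays steps S 802-S 836 of FIG. 8 with a fixed ID so the run is reproducible."""
    agent = SsoAgent(id_factory=lambda: "sid1")
    steps = [Request("http://www.wdp.com"),                                  # S 802
             Request("http://sid1.wdp.com"),                                 # S 808
             Request("http://www.sp1.com", referer="http://sid1.wdp.com"),   # S 814
             Request("http://sid1.sp1.com"),                                 # S 820
             Request("http://sid1.wdp.com/logout.jsp"),                      # S 826
             Request("http://sid1.sp1.com")]                                 # S 832
    return [agent.handle(r) for r in steps], agent.table
```

Because the global session ID travels in the host name, it is visible in DNS lookups, server logs and the Referer header of every outgoing request, so the agent treats it as public and, as here, accepts a Referer only when it resolves to a row in its own table.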
  • the program defining the functions with respect to the present invention may be transmitted to a data storage system or computer system via various signal carrying mediums, the signal carrying mediums including but not limited to non-writable storage media (e.g., CD-ROM), writable storage media (e.g., floppy disk, hard disk drive, read/write CD-ROM, optical media) and communication media such as computer and telephone networks including Ethernet and so on. Therefore it should be appreciated that such signal carrying mediums, when carrying or being encoded with computer readable instructions implementing the method functions of the present invention, represent an alternative embodiment of the present invention.
  • the present invention may be realized in manner of hardware, software, firmware or a combination thereof.
  • the present invention may be implemented in one computer system in a centralized manner or in a distributed manner, in which different components are distributed in several interconnected computer systems. Any computer systems or other devices suitable for executing the method described herein are appropriate.
  • the present invention is implemented by means of a combination of computer software and general computer hardware, in which a computer program, when being loaded and executed, controls the computer system to execute the method of the present invention, or to constitute the system of the present invention.

Abstract

A method and apparatus for Single Sign-on, wherein the user accesses a platform server and at least one service provider on the platform server. The method includes intercepting a request sent by the user via a client browser and extracting a domain name included in the request. If the domain name is an original domain name of the platform server, a global session ID is generated for uniquely identifying a session between the user and the platform server. A new domain name of the platform server associated with the global session ID is generated and the URL in the request is redirected to a new URL including the new domain name of the platform server. The request, including the new URL of the platform server, is forwarded to the platform server.

Description

  • CROSS REFERENCE TO RELATED APPLICATION
  • The present invention claims priority under 35 U.S.C. 119 from Chinese Patent Application 201110080417.X, filed Mar. 31, 2011, the entire contents of which are incorporated herein by reference.
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • The present invention relates to Single Sign-on, and particularly to a method and device for Single Sign-On in a cloud computing environment.
  • 2. Description of Related Art
  • With the improvement of the quality of the information services provided by intranets, users' requirements for information security are becoming stronger; especially in a cloud computing environment, users obtain more and more services via a cloud computing platform such as Platform as a Service (PaaS) and Software as a Service (SaaS), and expect a secure and unified identity authentication and authorization management service for the various information service systems on the cloud computing platform. Currently, Single Sign-On is a popular identity authentication mechanism: an authentication and authorization mechanism between a plurality of application systems or services that trust each other. Single Sign-On includes single sign-in and single sign-out; it allows a user to sign in to or sign out of the system only once in order to sign in to or sign out of all other connected application systems or services, without signing in or out again. For example, a system provides a unified platform for browser users (including IE users and FireFox users) of an intranet, enabling the user, after completing identity authentication on the sign-on interface of the platform, to receive services provided by other information service systems on the cloud computing platform without signing in again. FIG. 1 is a system schematic diagram of a user's Single Sign-On in the prior art; in the system shown in FIG. 1, a user 102 accesses a cloud computing platform server 106 and web services 108 and 110 linked from a platform server page via his/her client browser 104. The user 102 signs in to the platform server 106 via the client browser to obtain permission to access the platform server 106, and accesses the web services 108 and 110 via the links on the platform server page.
  • In the conventional Single Sign-On technology, the session life cycles of the user in the various integrated applications are not synchronized. For example, the user accesses a network service 1 provided by a service provider SP1 and a network service 2 provided by a service provider SP2 via the cloud computing intranet platform, and then signs out from the sign-out interface of the intranet platform. Although the user has signed out of the intranet platform, he/she has not issued sign-out requests to SP1 and SP2, so he/she has not actually signed out of SP1 and SP2, and the sessions between the user and SP1 and SP2 may still be valid; the session life cycles between the user and the system platform and between the user and the applications are therefore not synchronized. At this time, if another user signs on and then accesses SP1 and SP2, he/she will see the interface of the previous user, which will confuse the other user and provide an opportunity for hackers to threaten network security.
  • In addition, existing Single Sign-On implementations require the platform and the service providers to conform to a unified programming model, while in a cloud computing environment, as users' demands keep growing, it is often necessary to add services temporarily; if each service provider has to be closely coupled with the platform provider, enormous human and financial resources are required to modify their respective code so as to jointly build a unified programming model for Single Sign-On.
  • Therefore, it is necessary to provide service providers and the platform with a Single Sign-On method which is lightweight, loosely coupled and non-intrusive, and which keeps the session life cycles between the platform and the service providers synchronized.
  • SUMMARY OF THE INVENTION
  • The present invention provides a method and a device for Single Sign-On.
  • According to a first aspect of the present invention, a method for Single Sign-On, wherein a user accesses a platform server and at least one service provider on the platform server, includes the steps of: intercepting a request sent by the user via a client browser; extracting a domain name included in the request; and determining the type of the domain name. In response to a determination that the domain name is an original domain name of the platform server, the method generates a global session ID for uniquely identifying a session between the user and the platform server; generates a new domain name of the platform server associated with the global session ID; redirects the URL in the request to a new URL including the new domain name of the platform server; and forwards the request including the new URL of the platform server to the platform server.
  • According to another aspect of the present invention, a device for Single Sign-On, wherein a user accesses a platform server and at least one service provider on the platform server, includes: a request interception module configured to intercept a request sent by the user via a client browser; a domain name extracting module configured to extract a domain name included in the request; a domain name type determining module configured to determine the type of the domain name; a global session ID generating module configured to, in response to a determination by the domain type determining module that the type of the domain name is an original domain name of the platform server, generate a global session ID for uniquely identifying the session between the user and the platform server; a new domain name generating module configured to generate a new domain name of the platform server associated with the global session ID; a URL redirecting module configured to redirect the URL in the request to a new URL including the new domain name of the platform server; and a request forwarding module configured to forward the request including the new URL of the platform server to the platform server.
  • By employing the method and device of the present invention, a global session ID is introduced to uniformly manage the session life cycle of the platform server and service providers.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention itself, and preferred embodiments and objectives and advantages thereof will be better understood by referring to the following detailed description of exemplary embodiments in conjunction with the accompanying drawings, in which:
  • FIG. 1 is a system schematic diagram of a user's Single Sign-On in the prior art;
  • FIG. 2 illustrates a method for Single Sign-On according to an embodiment of the present invention;
  • FIG. 3 illustrates a detailed implementation process of step S206 in FIG. 2;
  • FIG. 4 illustrates a detailed implementation process of step S208 in FIG. 2;
  • FIG. 5 illustrates a detailed implementation process of step S210 in FIG. 2;
  • FIG. 6 illustrates a detailed implementation process of step S212 in FIG. 2;
  • FIG. 7 illustrates a device 700 for Single Sign-On according to an embodiment of the present invention; and
  • FIG. 8 illustrates the process of Single Sign-On according to an embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • The following description presents a method and device for Single Sign-On according to embodiments of the present invention in conjunction with the accompanying drawings, through which the objects and advantages of the present invention will be better understood.
  • The method for Single Sign-On of the present invention introduces an intermediate agent between the client browser and the platform server. The agent intercepts all the requests sent by the user via the client browser, analyzes the intercepted requests, and generates a global session ID to manage the session life cycles of the platform server and the service providers; the domain names of the platform server and the service providers are associated with the generated global session ID so as to form a domain name chain associated with the global session ID, which keeps the session life cycles in the platform server and the various applications synchronized.
  • FIG. 2 illustrates a method for Single Sign-On according to an embodiment of the present invention, wherein a user accesses a platform server and at least one service provider on the platform server, the method including: intercepting a request sent by the user via a client browser at step S200; extracting the domain name included in the request at step S202; and determining the type of the domain name and processing the request according to that type at step S204, wherein the type of the domain name is one of: an original domain name of the platform server, an original domain name of the service provider, a new domain name of the platform server associated with a global session ID, or a new domain name of the service provider associated with the global session ID. According to an embodiment of the present invention, the type of the domain name may be determined by utilizing the information recorded in a domain name session mapping table, which includes: a global session ID, a new domain name of the platform server associated with the global session ID, a new domain name of the service provider associated with the global session ID, and state information of the session between the user and the platform server. For example, if an obtained domain name is <sid1.wdp.com>, and by querying the domain name session mapping table it is learned that the global session ID is sid1, then it can be determined that the domain name is a new domain name of the platform server associated with the global session ID; if an obtained domain name is <www.wdp.com>, it can be determined that the domain name is an original domain name of the platform server; if an obtained domain name is <sid1.sp1.com>, it can be determined that the domain name is a new domain name of the service provider sp1 associated with the global session ID; and if an obtained domain name is <www.sp1.com>, it can be determined that the domain name is an original domain name of the service provider sp1. Next, processing is performed according to the determination result.
  • If the results indicate that the type of the domain name is an original domain name of the platform server, then at step S206 the request is processed and the processed request is forwarded to the platform server, and the process ends. If the results indicate the domain name type is an original domain name of a service provider, then at step S208 the request is processed and the processed request is forwarded to the service provider, and the process ends. If the results indicate that the type of the domain name is a new domain name of the platform server associated with the global session ID, then processing is performed and the request is forwarded to the platform server at step S210, then the process ends. If the results indicate that the domain name type is a new domain name of a service provider associated with the global session ID, then the request is forwarded to the service provider at step S212, and the process ends.
  • FIGS. 3-6 illustrate the detailed implementation processes of step S206, step S208, step S210 and step S212 in FIG. 2 respectively. FIG. 3 illustrates a detailed implementation process of step S206 in FIG. 2. As shown at step S2061, in response to a determination that the domain name is an original domain name of the platform server, a global session ID is generated, the global session ID being used to uniquely identify the session between the user and the platform server; at step S2062, the method generates a new domain name of the platform server associated with the global session ID. The new domain name can be generated according to a predefined rule; according to an embodiment of the present invention, the predefined rule is to replace the "www" in the domain name with the new session ID. Thus, if the generated global session ID is sid1, the original domain name <www.wdp.com> will be transformed into <sid1.wdp.com>; those skilled in the art will appreciate that this example is not a limitation, and that there may be a plurality of variant implementations for associating the domain name with the global session ID. At step S2063, the URL in the request is redirected to a new URL including the new domain name of the platform server, e.g., the URL <http://www.wdp.com> is redirected to the new URL <http://sid1.wdp.com> including the new domain name; at step S2064, the request redirected to the new URL is forwarded to the platform server; at step S2065, the new domain name, the global session ID and the state information of the session between the user and the platform server are recorded in the domain name session mapping table, and the process ends. Table 1 illustrates an example of the domain name session mapping table.
  • TABLE 1
    Domain name     Global session ID   Session active state
    sid1.wdp.com    sid1                active and valid
    sid1.sp1.com    sid1                active and valid
    sid1.sp2.com    sid1                active and valid
  • FIG. 4 illustrates a detailed implementation process of step S208 in FIG. 2, including: at step S2081, in response to a determination that the domain name is an original domain name of the at least one service provider, extracting the new domain name of the platform server associated with the global session ID; since the user accesses the service provider via a link provided by the platform server, and according to FIG. 3 of the present invention the original domain name of the platform server was transformed to the new domain name associated with the global session ID when the user requested to sign in to the platform server, the new domain name of the platform server can be extracted from the Referer field of the request; at step S2082, extracting the global session ID from the new domain name of the platform server; at step S2083, generating a new domain name of the at least one service provider associated with the global session ID; the new domain name of the service provider can be generated according to a predefined rule, for example, if the generated global session ID is sid1, the original domain name <www.sp1.com> of the service provider SP1 is transformed to <sid1.sp1.com>; at step S2084, redirecting the URL accessing the at least one service provider to a new URL including the new domain name of the at least one service provider, e.g., redirecting the URL <http://www.sp1.com> to the new URL <http://sid1.sp1.com> including the new domain name; at step S2085, forwarding the request including the new URL accessing the at least one service provider to the at least one service provider. According to an embodiment of the present invention, the process further includes recording the new domain name of the service provider, as well as the state information of the session between the user and the service provider, in the domain name session mapping table, as shown in Table 1.
  • FIG. 5 illustrates a detailed implementation process of step S210 in FIG. 2, including: at step S2101, in response to a determination that the domain name is a new domain name of the platform server associated with a global session ID, determining the type of the request; if the type of the request is not that of signing out of the platform server, proceeding to step S2104 to forward the request to the platform server; if the type of the request is that of signing out of the platform server, invalidating the active and valid sessions between the user and the service providers associated with the global session ID, wherein whether there is an active and valid session of a service provider associated with the global session ID may be learned by querying the domain name session mapping table, e.g., from Table 1 it may be learned that there are active and valid sessions between the user and the service providers SP1 and SP2 that are associated with the global session ID; at step S2103, updating the session state information recorded in the domain name session mapping table, changing the state of the previously active and valid sessions of SP1 and SP2 to invalid; then proceeding to step S2104 to forward the request to the platform server.
  • FIG. 6 illustrates a detailed implementation process of step S212 in FIG. 2, including: at step S2121, in response to a determination that the domain name is a new domain name of the service provider associated with a global session ID, determining the type of the request; if the type of the request is that of signing out of the service provider, proceeding to step S2124 to update the state information of the session between the user and the service provider in the domain name session mapping table, and at step S2125 forwarding the request to the service provider; if the type of the request is that of accessing the service provider, further determining at step S2122 whether the session between the user and the platform server associated with the global session ID is invalid, which may be determined by querying the domain name session mapping table; if the session between the user and the platform server is invalid, proceeding to step S2123 to transform the request into a request to sign out of the service provider, at step S2124 updating the domain name session mapping table, i.e., changing the state information of the session between the user and the service provider from active and valid to invalid, and proceeding to step S2125 to forward the transformed request to the service provider; if the session between the user and the platform server is active and valid, proceeding to step S2125 to forward the request to the service provider.
  • The present invention provides a device for Single Sign-On based on the same inventive concept, wherein a user accesses the platform server and accesses at least one service provider on the platform server via Single Sign-On. FIG. 7 illustrates a device 700 for Single Sign-On according to an embodiment of the present invention, including: a request interception module 702 configured to intercept a request sent by a user via a client browser; a domain name extracting module 704 configured to extract a domain name included in the request; a domain name type determining module 706 configured to determine the type of the domain name; a global session ID generating module 708 configured to, in response to a determination that the type of the domain name is an original domain name of the platform server, generate a global session ID; a new domain name generating module 710 configured to generate a new domain name of the platform server associated with the global session ID; a URL redirecting module 712 configured to redirect the URL in the request to a new URL including the new domain name of the platform server; and a request forwarding module 714 configured to forward the request redirected to the new URL to the platform server.
  • According to an embodiment of the present invention, the device for Single Sign-On of the present invention further includes a recording module configured to record the new domain name of the platform server, the global session ID and the state information of the session between the user and the platform server in a domain name session mapping table.
  • According to an embodiment of the present invention, the device for Single Sign-On of the present invention further includes a global session ID extracting module configured to, in response to a determination that the domain name is an original domain name of the at least one service provider, extract the new domain name of the platform server associated with the global session ID from the request, and extract the global session ID from the new domain name of the platform server; wherein the new domain name generating module is further configured to generate a new domain name of the at least one service provider associated with the global session ID; the URL redirecting module is further configured to redirect the URL accessing the at least one service provider to the new URL including the new domain name of the at least one service provider; and the request forwarding module is further configured to forward the request including the new URL of the at least one service provider to the at least one service provider.
  • According to an embodiment of the present invention, the recording module is further configured to: record the new domain name of the at least one service provider, the global session ID and the state information of the session between the user and the service provider in the domain name session mapping table.
  • According to an embodiment of the present invention, the device for Single Sign-On of the present invention further includes: a request type determining module configured to, in response to a determination that the type of the domain name is a new domain name of the platform server associated with a global session ID, determine the type of the request; and a session invalidating module configured to, in response to a determination that the request type is that of signing out of the platform server, invalidate the active and valid session between the user and the service provider associated with the global session ID.
  • According to an embodiment of the present invention, the recording module is further configured to update the state information of the session between the user and the platform server and of the session between the user and the service provider that are recorded in the domain name session mapping table.
  • According to an embodiment of the present invention, the request type determining module is further configured to, in response to a determination that the type of the domain name is a new domain name of a service provider associated with a global session ID, determine the type of the request; a session state querying module is configured to, in response to a determination that the request type is that of accessing a service provider, determine whether the session between the user and the platform server associated with the global session ID is invalid; and the request forwarding module is further configured to, in response to a determination that the session between the user and the platform server is invalid, transform the request into a request to sign out of the service provider and forward the transformed request to the service provider.
  • According to an embodiment of the present invention, the recording module is further configured to update the state information of the session between the user and the service provider recorded in the domain name session mapping table from active and valid to invalid.
  • FIG. 8 illustrates a process of Single Sign-On according to an embodiment of the present invention. The applicant emphasizes that the embodiment is only for illustrative purpose and should not be construed as limitation to the protection scope of the present invention. In FIG. 8, the user can access the resource of the platform server via his/her client browser and access network services provided by a plurality of service providers SPs through the platform server. The device 800 of the present invention resides on an http server between the client browser and a web application server.
  • At step S802, the user requests to access the resource of the platform server, http://www.wdp.com, via the client browser.
  • At step S804, according to an embodiment of the present invention, the device 800 intercepts the request, extracts the domain name included in the request, determines the type of the domain name, and, in response to a determination that the domain name is the original domain name of the platform server, generates a global session ID <sid1> that uniquely identifies the current session, generates a new domain name <sid1.wdp.com> of the platform server associated with the global session ID <sid1>, redirects the URL <http://www.wdp.com> to the new URL <http://sid1.wdp.com> that includes the new domain name, forwards the user request to the http server, and records the new domain name of the platform server, the global session ID and the active and valid state of the session in the domain name session mapping table, shown as Table 2.
  • TABLE 2
    Domain name     Global session ID   Session active state
    sid1.wdp.com    sid1                Active and valid
  • At step S806, the http server processes the user request, and returns the response redirected to <http://sid1.wdp.com> to the client browser; according to an embodiment of the present invention, an HTTP307 response is returned to the client browser to redirect the request to <http://sid1.wdp.com>, the response being typically shown as follows:
  • HTTP 307 Temporary Redirect
  • Location: <http://sid1.wdp.com>
  • At step S808, after receiving the response redirected to <http://sid1.wdp.com>, the client browser requests to access the address designated in the response, and at this time the request is typically shown as follows: GET <http://sid1.wdp.com>.
  • At step S810, at this time, the device 800 intercepts the request again, analyzes the user request and extracts the domain name <sid1.wdp.com>, and by querying the domain name session mapping table 2 learns that the domain name is a new domain name of the platform server associated with the global session ID, and therefore forwards the request to the HTTP server to be transmitted to the web application server by the HTTP server.
  • At step S812, the web application server, after receiving the user request, responds thereto, returning the requested resource http://sid1.wdp.com to the client browser.
  • At step S814, assume that the user clicks a link in the page corresponding to the URL <http://sid1.wdp.com> of the platform server to request to access the network service resource <http://www.sp1.com> of the service provider SP1.
  • At step S816, the device 800 intercepts the request and extracts the domain name www.sp1.com, determines that the domain name is the original domain name of the service provider SP1, and extracts the new domain name <sid1.wdp.com> of the platform server from the Referer header field: according to the HTTP protocol, the current request includes a Referer header field indicating the page from which the resource <http://www.sp1.com> of the service provider SP1 was requested. Since the webpage address of the platform server has been redirected to <http://sid1.wdp.com>, a typical request is shown as follows:
  • GET <http://www.sp1.com>
  • Referer: <http://sid1.wdp.com>
  • The device 800 then extracts the global session ID <sid1> from the new domain name <sid1.wdp.com> of the platform server, generates the new domain name <sid1.sp1.com> of the service provider SP1, redirects the URL <http://www.sp1.com> of the service provider SP1 to <http://sid1.sp1.com>, forwards the user request to the HTTP server, and records the new domain name of the service provider SP1, the global session ID and the active and valid state of the session in the domain name session mapping table, shown as Table 3.
  • TABLE 3
    Domain name     Global session ID   Active state of session
    sid1.wdp.com    sid1                Active and valid
    sid1.sp1.com    sid1                Active and valid
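  • The following Python block is an added example, not the patent's own code, showing the two wire-level messages of this walkthrough: the request of step S816 whose Referer header carries the new platform domain name, and the HTTP 307 response of steps S806 and S818 that moves the browser to a new domain name. The platform domain "wdp.com", the header parsing and the sample request are assumptions constructed for the example; it also returns None when the Referer is missing or does not name a sid-bearing platform domain, a case the description leaves open.

```python
# Added example (not the patent's code) of the HTTP messages in the FIG. 8
# walkthrough: parsing the Referer out of an intercepted request and building the
# HTTP 307 response that redirects the browser to the new domain name.
# The platform domain "wdp.com" and the sample request are constructed here.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

PLATFORM = "wdp.com"   # assumed original platform domain name is www.wdp.com


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request into (method, target, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def session_id_from_referer(headers: Dict[str, str]) -> Optional[str]:
    """Steps S2081/S2082: the global session ID is the first label of the platform's
    new domain name carried in the Referer. Returns None when the Referer is absent
    or is not a sid-bearing platform domain (the patent does not say what to do then)."""
    referer = headers.get("referer")
    if not referer:
        return None
    host = urlsplit(referer).hostname or ""
    label, _, base = host.partition(".")
    if base != PLATFORM or label == "www":
        return None
    return label


def new_domain_name(original_host: str, sid: str) -> str:
    """Predefined rule from the description: replace the leading "www" with the sid."""
    label, _, base = original_host.partition(".")
    if label != "www":
        raise ValueError(f"not an original domain name: {original_host}")
    return f"{sid}.{base}"


def redirect_307(target: str, new_host: str) -> str:
    """Build the HTTP 307 response (steps S806/S818) pointing at the new domain name."""
    p = urlsplit(target)
    location = urlunsplit((p.scheme, new_host, p.path, p.query, p.fragment))
    return (f"HTTP/1.1 307 Temporary Redirect\r\n"
            f"Location: {location}\r\nContent-Length: 0\r\n\r\n")


def handle_provider_request(raw: str) -> Optional[str]:
    """Step S816 end to end: the 307 response text for a request to an original
    service provider domain, or None when no global session ID is available."""
    _method, target, headers = parse_request(raw)
    sid = session_id_from_referer(headers)
    if sid is None:
        return None
    host = urlsplit(target).hostname or ""
    return redirect_307(target, new_domain_name(host, sid))


# Constructed request in the shape shown at step S816.
SAMPLE_REQUEST = (
    "GET http://www.sp1.com HTTP/1.1\r\n"
    "Host: www.sp1.com\r\n"
    "Referer: http://sid1.wdp.com\r\n"
    "\r\n"
)
```

Calling handle_provider_request(SAMPLE_REQUEST) yields a 307 whose Location is <http://sid1.sp1.com>, matching the redirect recorded in Table 3; the same request without a Referer yields None rather than a redirect, since there is then no session to chain the provider domain to.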
  • At step S818, the http server processes the user request, and returns the response redirected to <http://sid1.sp1.com> to the client browser.
  • At step S820, after receiving the response redirected to <http://sid1.sp1.com>, the client browser requests to access the address designated in the response; at this time the request is typically shown as follows: GET <http://sid1.sp1.com>.
  • At step S822, the device 800 intercepts the request again, extracts the domain name <sid1.sp1.com>, learns by querying the domain name session mapping table 3 that the domain name is a domain name associated with the global session ID, and forwards the request to the HTTP server to be transmitted to the web application server by the HTTP server.
  • At step S824, after receiving the user request, the web application server responds thereto, returning the requested resource <http://sid1.sp1.com> to the client browser.
  • At step S826, the user clicks the platform server sign-out link http://sid1.wdp.com/logout.jsp, to request to sign out of the platform server.
  • At step S828, the device 800 intercepts the request, extracts the domain name <sid1.wdp.com>, determines that the domain name is a new domain name of the platform server, and further determines that the request is a request to sign out of the platform server; by querying the domain name session mapping table 3 it learns that there is an active and valid session of the service provider SP1 associated with sid1, therefore invalidates the session of SP1, forwards the sign-out request to the HTTP server to be transmitted to the web application server by the HTTP server, and updates the session states of the platform server and SP1 in the domain name session mapping table 3 from active and valid to invalid, obtaining Table 4.
  • TABLE 4
    Domain name     Global session ID   Session active state
    sid1.wdp.com    sid1                invalid
    sid1.sp1.com    sid1                invalid
  • At step S830, after receiving the user request, the web application server responds thereto, returning the sign-out webpage of the platform server to the client browser.
  • At step S832, the user accesses the network service resource <http://sid1.sp1.com> of the service provider SP1 by clicking the link on the platform server webpage.
  • At step S834, the device 800 intercepts the request, extracts the domain name <sid1.sp1.com>, learns by querying the domain name session mapping table that the domain name is a new domain name of SP1 associated with the global session ID, finds by querying that the session of SP1 is invalid, therefore redirects the requested URL <http://sid1.sp1.com> to the sign-out URL <http://sid1.sp1.com/logout.jsp> of the service, and forwards the sign-out request to the HTTP server to be transmitted to the web application server by the HTTP server.
  • At step S836, after receiving the user request, the web application server responds thereto, returning the sign-out page of SP1 to the client browser.
  • Thus, session synchronization between the user and the platform server as well as the service providers is uniformly managed by utilizing the global session ID; although the user only signs out from the website of the platform server, he/she actually signs out of all the active and valid service provider websites thereon. Therefore, the problems of repeated jumps to sign-out pages of different applications or forgetting to sign out of some applications will not occur, and user experience will be better and security will be enhanced.
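  • The following Python block is an added illustration, not the patent's own code, of the intercepting agent described in FIGS. 2 to 6 (domain name classification at step S204 and the four processing branches S206 to S212) driven by the domain name session mapping table, together with a replay of the FIG. 8 sequence from step S802 to step S836 that ends in the state of Table 4. The domain names wdp.com, sp1.com and sp2.com, the sign-out path /logout.jsp, the Request shape and the choice of a CSPRNG for the global session ID are assumptions taken or extrapolated from the walkthrough; the description does not say how the ID is produced, nor what to do with a service provider request whose Referer carries no live platform session, and the block's handling of that case (forward the original URL unchanged, mint no provider domain) is the example's own choice.

```python
# Added illustration of the intercepting agent of FIGS. 2 to 6 (not the patent's
# code). The domain names, the sign-out path and the Request shape are assumptions
# taken from the FIG. 8 walkthrough.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

PLATFORM = "wdp.com"                 # original platform domain name is www.wdp.com
PROVIDERS = {"sp1.com", "sp2.com"}   # original provider domain names are www.<base>
LOGOUT_PATH = "/logout.jsp"          # sign-out path used in the FIG. 8 walkthrough
ACTIVE, INVALID = "active and valid", "invalid"


@dataclass
class Request:
    """The two fields of an intercepted request that the agent inspects."""
    url: str
    referer: Optional[str] = None


def rewrite(url: str, host: Optional[str] = None, path: Optional[str] = None) -> str:
    """Return url with its host and/or path replaced (the URL redirection steps)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, host or p.netloc,
                       p.path if path is None else path, p.query, p.fragment))


class Agent:
    """Intercepting agent that keeps the domain name session mapping table (Table 1)."""

    def __init__(self, new_sid=lambda: secrets.token_hex(16)):
        # The patent does not say how the global session ID is produced; a CSPRNG
        # value is used here so one session's ID does not reveal the next.
        self.new_sid = new_sid
        self.table: Dict[str, Dict[str, str]] = {}   # new domain name -> {sid, state}

    def classify(self, host: str) -> Tuple[str, str, Optional[str]]:
        """Step S204: (domain name type, base domain, global session ID or None)."""
        label, _, base = host.partition(".")
        if host in self.table:                        # a recorded new domain name
            kind = "platform_new" if base == PLATFORM else "provider_new"
            return kind, base, self.table[host]["sid"]
        if label == "www" and base == PLATFORM:
            return "platform_orig", base, None
        if label == "www" and base in PROVIDERS:
            return "provider_orig", base, None
        return "other", base, None

    def handle(self, req: Request) -> Tuple[str, str]:
        """Process one intercepted request; returns (destination, URL to forward)."""
        host = urlsplit(req.url).hostname or ""
        kind, base, sid = self.classify(host)
        if kind == "platform_orig":                   # FIG. 3, step S206
            sid = self.new_sid()
            new_host = f"{sid}.{PLATFORM}"            # "www" replaced by the sid
            self.table[new_host] = {"sid": sid, "state": ACTIVE}
            return "platform", rewrite(req.url, host=new_host)
        if kind == "provider_orig":                   # FIG. 4, step S208
            ref_host = urlsplit(req.referer).hostname if req.referer else None
            ref_row = self.table.get(ref_host or "")
            if ref_row is None or ref_row["state"] != ACTIVE:
                # Assumption (not covered by the patent): without a live platform
                # session in the Referer, no provider domain is minted.
                return "provider", req.url
            sid = ref_row["sid"]
            new_host = f"{sid}.{base}"
            self.table[new_host] = {"sid": sid, "state": ACTIVE}
            return "provider", rewrite(req.url, host=new_host)
        if kind == "platform_new":                    # FIG. 5, step S210
            if urlsplit(req.url).path == LOGOUT_PATH:
                for row in self.table.values():       # platform row and all SP rows
                    if row["sid"] == sid:
                        row["state"] = INVALID
            return "platform", req.url
        if kind == "provider_new":                    # FIG. 6, step S212
            if urlsplit(req.url).path == LOGOUT_PATH:
                self.table[host]["state"] = INVALID
                return "provider", req.url
            platform_row = self.table.get(f"{sid}.{PLATFORM}")
            if platform_row is None or platform_row["state"] == INVALID:
                self.table[host]["state"] = INVALID   # S2123/S2124: turn into sign-out
                return "provider", rewrite(req.url, path=LOGOUT_PATH)
            return "provider", req.url
        return "other", req.url                       # not part of the SSO chain


def replay_fig8() -> Dict[str, Dict[str, str]]:
    """Replay steps S802 to S836 with a fixed sid; returns the mapping table of Table 4."""
    agent = Agent(new_sid=lambda: "sid1")
    agent.handle(Request("http://www.wdp.com"))                                 # S804
    agent.handle(Request("http://sid1.wdp.com"))                                # S810
    agent.handle(Request("http://www.sp1.com", referer="http://sid1.wdp.com"))  # S816
    agent.handle(Request("http://sid1.sp1.com"))                                # S822
    agent.handle(Request("http://sid1.wdp.com/logout.jsp"))                     # S828
    agent.handle(Request("http://sid1.sp1.com"))                                # S834
    return agent.table
```

Running replay_fig8() reproduces Table 4: both sid1.wdp.com and sid1.sp1.com end up invalid, and the last call returns the sign-out URL <http://sid1.sp1.com/logout.jsp> in place of the requested resource, which is the transformation of step S834. Because the platform sign-out at S828 flips every row carrying the same global session ID, a second provider that had been chained to sid1 (for example sid1.sp2.com) would be signed out by the same request; the agent also refuses to mint a new provider domain for a request whose Referer points at an already invalidated platform session, so a stale link cannot reattach to a closed session.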
  • At least some aspects of the present invention may alternatively be implemented by a program product. The program defining the functions with respect to the present invention may be transmitted to a data storage system or computer system via various signal carrying mediums, the signal carrying mediums including but not limited to non-writable storage media (e.g., CD-ROM), writable storage media (e.g., floppy disk, hard disk drive, read/write CD-ROM, optical medium) and communication mediums such as computer and telephone networks including Ethernet and so on. Therefore it should be appreciated that such signal carrying mediums, when carrying or being encoded with computer readable instructions managing the method functions of the present invention, represent an alternative embodiment of the present invention. The present invention may be realized in the manner of hardware, software, firmware or a combination thereof. The present invention may be implemented in one computer system in a centralized manner or in a distributed manner, in which different components are distributed among several interconnected computer systems. Any computer systems or other devices suitable for executing the method described herein are appropriate. Preferably, the present invention is implemented by means of a combination of computer software and general computer hardware, in which a computer program, when loaded and executed, controls the computer system to execute the method of the present invention, or to constitute the system of the present invention.
  • Descriptions of the preferred embodiments of the present invention are presented above for the purpose of illustration. The above description of the preferred embodiments is neither exhaustive, nor intended to limit the present invention to the disclosed explicit form; obviously in view of the above teachings, many modifications and variations are possible. Such modifications and variations, which are obvious to those skilled in the art, are within the scope of the present invention defined by the appended claims.

Claims (16)

1. A method for Single Sign-On, wherein a user accesses a platform server and at least one service provider on the platform server, the method comprising:
intercepting a request sent by the user via a client browser;
extracting a domain name included in the request;
determining the type of the domain name;
in response to a determination that the type of the domain name is an original domain name of the platform server, generating a global session ID for uniquely identifying a session between the user and the platform server;
generating a new domain name of the platform server associated with the global session ID;
redirecting the URL in the request to a new URL including the new domain name of the platform server;
forwarding the request including the new URL of the platform server to the platform server.
2. The method of claim 1, further comprising:
recording the new domain name of the platform server, the global session ID and state information of the session between the user and the platform server in a domain name session mapping table.
3. The method of claim 2, further comprising:
in response to a determination that the type of the domain name is an original domain name of the at least one service provider, extracting the new domain name of the platform server associated with the global session ID from the request;
extracting the global session ID from the new domain name of the platform server;
generating a new domain name of the at least one service provider associated with the global session ID;
redirecting the URL accessing the at least one service provider to a new URL including the new domain name of the at least one service provider;
forwarding the request including the new URL of the at least one service provider to the at least one service provider.
4. The method of claim 3, further comprising:
recording the new domain name of the at least one service provider and state information of the session between the user and the service provider in the domain name session mapping table.
5. The method of claim 2, further comprising:
in response to a determination that the type of the domain name is a new domain name of the platform server associated with the global session ID, determining the request type;
in response to a determination that the request type is that of signing out of the platform server, invalidating the active and valid session between the user and the service provider associated with the global session ID.
6. The method of claim 5, further comprising:
updating the state information of the session between the user and the platform server and that between the user and the service provider recorded in the domain name session mapping table.
7. The method of claim 2, further comprising:
in response to a determination that the type of the domain name is a new domain name of a service provider associated with the global session ID, determining the request type;
in response to a determination that the request type is accessing the service provider, determining whether the session between the user and the platform server associated with the global session ID is invalid;
in response to a determination that the session between the user and platform server is invalid, transforming the request into that of signing out of the service provider; and
forwarding the transformed request to the service provider.
8. The method of claim 7, further comprising:
updating the state information of the session between the user and the service provider that is recorded in the domain name session mapping table from active and valid to invalid.
9. A device for Single Sign-On, wherein a user accesses a platform server and at least one service provider on the platform server, the device comprising:
a request interception module configured to intercept a request sent by the user via a client browser;
a domain name extracting module configured to extract a domain name included in the request;
a domain name type determining module configured to determine the type of the domain name;
a global session ID generating module configured to, in response to a determination by the domain type determining module that the type of the domain name is an original domain name of the platform server, generate a global session ID for uniquely identifying the session between the user and the platform server;
a new domain name generating module configured to generate a new domain name of the platform server associated with the global session ID;
a URL redirecting module configured to redirect the URL in the request to a new URL including the new domain name of the platform server; and
a request forwarding module configured to forward the request including the new URL of the platform server to the platform server.
10. The device of claim 9, further comprising:
a recording module configured to record the new domain name of the platform server, the global session ID and state information of the session between the user and the platform server in a domain name session mapping table.
11. The device of claim 10, further comprising:
a global session ID extracting module configured to, in response to a determination by the domain type determining module that the type of the domain name is an original domain name of the at least one service provider, extract the new domain name of the platform server associated with the global session ID from the request, and extract the global session ID from the new domain name of the platform server;
wherein, the new domain name generating module is further configured to generate a new domain name of the at least one service provider associated with the global session ID;
the URL redirecting module is further configured to redirect the URL accessing the at least one service provider to a new URL including the new domain name of the at least one service provider; and
the request forwarding module is further configured to forward the request including the new URL of the at least one service provider to the at least one service provider.
12. The device of claim 11, wherein the recording module is further configured to:
record the new domain name of the at least one service provider, the global session ID and the state information of the session between the user and the service provider in the domain name session mapping table.
13. The device of claim 10, further comprising:
a request type determining module configured to determine the request type, in response to a determination by the domain type determining module that the type of the domain name is a new domain name of the platform server associated with the global session ID; and
a session invalidating module configured to, in response to a determination by the request type determining module that the request type is that of signing out of the platform server, invalidate the active and valid session between the user and the service provider associated with the global session ID.
14. The device of claim 13, wherein the recording module is further configured to:
update the state information of the session between the user and the platform server and the session between the user and the service provider recorded in the domain name session mapping table.
15. The device of claim 10, wherein
the request type determining module is further configured to determine the request type, in response to a determination by the domain type determining module that the type of the domain name is a new domain name of the service provider associated with the global session ID;
a session state querying module configured to, in response to a determination by the request type determining module that the request type is that of accessing the service provider, determine whether the session between the user and the platform server associated with the global session ID is invalid; and
the request forwarding module is further configured to, in response to a determination that the session between the user and the platform server is invalid, transform the request into that of signing out of the service provider and forward the transformed request to the service provider.
16. The device of claim 15, wherein the recording module is further configured to:
update the state information of the session between the user and the service provider recorded in the domain name session mapping table from active and valid to invalid.
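The following is an added example, not code from the patent or from IBM, that models the proxy behaviour of claims 1 through 8 and the single sign-out effect described at the end of the description: the four domain-name types, the global session ID minted on first contact with the platform's original domain, the domain name session mapping table, invalidation of every service provider session on platform sign-out, and the transformation of a later service provider access into a sign-out. The hostnames, the `s-<sid>.<original>` label format chosen to carry the session ID in a hostname, the request/decision dicts, and the use of a Referer-like field to convey the platform's new domain to the proxy on the first service provider visit are all assumptions made for illustration; the claims do not fix any of these.

```python
"""Toy model of the domain-rewriting single sign-on proxy in claims 1-8.
Added for illustration; not the patent's own code.  The hostnames, the
's-<sid>.<original>' label format and the request/decision dicts are
assumptions, as is carrying the platform's new domain in a Referer-like
field when a service provider is first visited."""
import re
import secrets
from dataclasses import dataclass, field

PLATFORM = "platform.example"                 # original platform domain (assumed)
PROVIDERS = {"sp1.example", "sp2.example"}    # original service-provider domains (assumed)
# Assumed encoding of a "new domain name": a label carrying the global session ID
# prefixed to the original domain.  32 hex chars = 128 bits from secrets.token_hex(16).
SID_RE = re.compile(r"^s-([0-9a-f]{32})\.(.+)$")


@dataclass
class Session:
    """One row of the domain name session mapping table (claims 2, 4, 6, 8)."""
    platform_state: str = "active"                  # "active" or "invalid"
    providers: dict = field(default_factory=dict)   # new SP domain -> "active"/"invalid"


class SsoProxy:
    def __init__(self):
        self.table = {}   # global session ID -> Session

    @staticmethod
    def new_domain(sid, original):
        return f"s-{sid}.{original}"

    def classify(self, host):
        """Claim 1, step 3: which of the four domain-name types is this host?"""
        m = SID_RE.match(host)
        if m:
            sid, original = m.groups()
            if original == PLATFORM:
                return "platform_new", sid, original
            if original in PROVIDERS:
                return "provider_new", sid, original
        elif host == PLATFORM:
            return "platform_orig", None, host
        elif host in PROVIDERS:
            return "provider_orig", None, host
        return "unknown", None, host

    def handle(self, req):
        """req: {'host', 'path', optional 'referer_host', optional 'signout'}.
        Returns the proxy's decision as a dict."""
        kind, sid, original = self.classify(req["host"])
        if kind == "platform_orig":
            # Claim 1: mint an unpredictable global session ID, bind it to a new
            # platform domain and redirect the browser there.
            sid = secrets.token_hex(16)
            self.table[sid] = Session()
            return self._redirect(self.new_domain(sid, original), req["path"])
        if kind == "provider_orig":
            # Claim 3: the platform's new domain must arrive with the request
            # (here in a Referer-like field); extract the global session ID from it.
            m = SID_RE.match(req.get("referer_host", ""))
            if not m or m.group(2) != PLATFORM or m.group(1) not in self.table:
                return {"action": "deny", "reason": "no platform session in request"}
            sid = m.group(1)
            new_host = self.new_domain(sid, original)
            self.table[sid].providers[new_host] = "active"      # claim 4
            return self._redirect(new_host, req["path"])
        sess = self.table.get(sid)
        if kind == "platform_new" and sess is not None:
            if req.get("signout"):
                # Claims 5-6: one sign-out invalidates every SP session under this ID.
                sess.platform_state = "invalid"
                for h in sess.providers:
                    sess.providers[h] = "invalid"
            return {"action": "forward", "host": original, "path": req["path"]}
        if kind == "provider_new" and sess is not None and req["host"] in sess.providers:
            if sess.platform_state == "invalid":
                # Claims 7-8: the platform session is dead, so rewrite this access
                # into a sign-out of the provider and mark the SP session invalid.
                sess.providers[req["host"]] = "invalid"
                return {"action": "forward", "host": original, "path": "/logout",
                        "transformed": True}
            return {"action": "forward", "host": original, "path": req["path"]}
        return {"action": "deny", "reason": "unknown or unbound domain"}

    @staticmethod
    def _redirect(host, path):
        return {"action": "redirect", "location": f"https://{host}{path}"}


def walkthrough():
    """Sign on at the platform, reach sp1, sign out once, then touch sp1 again.
    Returns the proxy's five decisions in order."""
    p = SsoProxy()
    r1 = p.handle({"host": PLATFORM, "path": "/"})
    plat_host = r1["location"].split("/")[2]
    r2 = p.handle({"host": "sp1.example", "path": "/app", "referer_host": plat_host})
    sp_host = r2["location"].split("/")[2]
    r3 = p.handle({"host": sp_host, "path": "/app"})
    r4 = p.handle({"host": plat_host, "path": "/logout", "signout": True})
    r5 = p.handle({"host": sp_host, "path": "/app"})
    return [r1, r2, r3, r4, r5]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Two points a practitioner would check before deploying anything shaped like this. First, because the global session ID lives in the hostname, it is visible in DNS queries, in the TLS SNI field and in every access log that records the Host header, so the ID must be unguessable (the example uses 128 random bits) and should be short-lived; this is why the model refuses any `s-<sid>` host whose ID is not already in the mapping table. Second, the rewritten hostnames only resolve and terminate TLS if a wildcard DNS entry and a wildcard certificate exist for the platform and each service provider domain, which is an operational prerequisite the claims leave implicit.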
US13/430,746 2011-03-31 2012-03-27 Non-Intrusive Single Sign-On Mechanism in Cloud Services Abandoned US20120254429A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/584,905 US8825855B2 (en) 2011-03-31 2012-08-14 Non-intrusive single sign-on mechanism in cloud services

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110080417.XA CN102739603B (en) 2011-03-31 2011-03-31 The method and apparatus of single-sign-on
CN201110080417.X 2011-03-31

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/584,905 Continuation US8825855B2 (en) 2011-03-31 2012-08-14 Non-intrusive single sign-on mechanism in cloud services

Publications (1)

Publication Number Publication Date
US20120254429A1 true US20120254429A1 (en) 2012-10-04

Family

ID=46928798

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/430,746 Abandoned US20120254429A1 (en) 2011-03-31 2012-03-27 Non-Intrusive Single Sign-On Mechanism in Cloud Services
US13/584,905 Expired - Fee Related US8825855B2 (en) 2011-03-31 2012-08-14 Non-intrusive single sign-on mechanism in cloud services

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/584,905 Expired - Fee Related US8825855B2 (en) 2011-03-31 2012-08-14 Non-intrusive single sign-on mechanism in cloud services

Country Status (2)

Country Link
US (2) US20120254429A1 (en)
CN (1) CN102739603B (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618612A (en) * 2013-12-04 2014-03-05 中国联合网络通信集团有限公司 Method and device for achieving single sign on of applications in terminal
US20150304272A1 (en) * 2012-07-30 2015-10-22 Beijing Wangmi Online Network Co., Ltd. Network accessing method, application server and system
CN105635178A (en) * 2016-02-26 2016-06-01 北京奇虎科技有限公司 Blocking network access method and device for ensuring safety
US20160315940A1 (en) * 2013-07-02 2016-10-27 Open Text S.A. System and method for controlling access
US20170093737A1 (en) * 2015-09-28 2017-03-30 Arris Enterprises Llc Domain name system response spoofing at customer premise equipment device
CN107277049A (en) * 2017-07-27 2017-10-20 郑州云海信息技术有限公司 The access method and device of a kind of application system
CN108134806A (en) * 2018-03-13 2018-06-08 北京信安世纪科技股份有限公司 A kind of method and system of Single Sign Out
CN108200107A (en) * 2018-03-30 2018-06-22 浙江网新恒天软件有限公司 A kind of method that single-sign-on is realized in multi-domain environment
US20190012454A1 (en) * 2015-12-09 2019-01-10 Amazon Technologies, Inc. Validating sign-out implementation for identity federation
US20190373043A1 (en) * 2018-06-04 2019-12-05 Instart Logic, Inc. Third-party ad acceleration
CN111935151A (en) * 2020-08-11 2020-11-13 广州太平洋电脑信息咨询有限公司 Cross-domain unified login method and device
CN113194099A (en) * 2021-04-30 2021-07-30 网宿科技股份有限公司 Data proxy method and proxy server
US20210374119A1 (en) * 2020-05-26 2021-12-02 Fujitsu Limited Data update apparatus and data update method
US11297034B2 (en) * 2017-10-17 2022-04-05 Servicenow, Inc. Deployment of a custom address to a remotely managed computational instance
US11347825B2 (en) * 2016-03-07 2022-05-31 Advanced New Technologies Co., Ltd. Service execution method and device
US20220210145A1 (en) * 2020-12-30 2022-06-30 Open Text Holdings, Inc. Systems and methods for identity and access management with extended trust
US20230177096A1 (en) * 2021-12-06 2023-06-08 AO Kaspersky Lab System and method for providing content to a user

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8694659B1 (en) * 2010-04-06 2014-04-08 Symantec Corporation Systems and methods for enhancing domain-name-server responses
US10176335B2 (en) 2012-03-20 2019-01-08 Microsoft Technology Licensing, Llc Identity services for organizations transparently hosted in the cloud
US9268931B2 (en) * 2012-06-12 2016-02-23 Microsoft Technology Licensing, Llc Gate keeper cookie
CN103002060A (en) * 2012-12-31 2013-03-27 无锡城市云计算中心有限公司 Method and device for user request transmission used for cloud computing environment
CN104618449B (en) * 2014-12-31 2018-02-16 北京神州绿盟信息安全科技股份有限公司 A kind of method and device for realizing web single-sign-ons
US9398017B1 (en) * 2015-05-01 2016-07-19 Parallels IP Holdings GmbH Isolation of objects representng server resources in browser using iframes
CN104954894B (en) * 2015-06-26 2019-03-26 网宿科技股份有限公司 A kind of video flow bootstrap technique, device and a kind of electronic equipment
CN105072123B (en) * 2015-08-21 2018-06-19 广州博鳌纵横网络科技有限公司 A kind of single sign-on under cluster environment exits method and system
CN106487938B (en) * 2015-08-24 2019-11-26 南京中兴软件有限责任公司 The retransmission method and device of domain name
US10749854B2 (en) 2015-11-12 2020-08-18 Microsoft Technology Licensing, Llc Single sign-on identity management between local and remote systems
CN107223329B (en) * 2016-11-02 2018-10-12 达闼科技(北京)有限公司 A kind of dns resolution method, apparatus and network system
CN107040543B (en) * 2017-04-26 2020-08-04 埃摩森网络科技(上海)有限公司 Single sign-on method, terminal and storage medium
CN108989359A (en) * 2018-10-12 2018-12-11 苏州创旅天下信息技术有限公司 Method for verifying login and system, the readable storage medium storing program for executing and terminal of server cluster
US11550891B2 (en) 2019-06-19 2023-01-10 Preventice Solutions, Inc. Login token management
CN111343189A (en) * 2020-03-05 2020-06-26 安徽科大国创软件科技有限公司 Method for realizing unified login of multiple existing web systems
CN115022047B (en) * 2022-06-02 2024-04-19 鸬鹚科技(深圳)有限公司 Account login method and device based on multi-cloud gateway, computer equipment and medium

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6243816B1 (en) * 1998-04-30 2001-06-05 International Business Machines Corporation Single sign-on (SSO) mechanism personal key manager
US20030163737A1 (en) * 2002-02-26 2003-08-28 James Roskind Simple secure login with multiple-authentication providers
US20050015490A1 (en) * 2003-07-16 2005-01-20 Saare John E. System and method for single-sign-on access to a resource via a portal server
WO2005069823A2 (en) * 2004-01-15 2005-08-04 Jun Song Centralized transactional security audit for enterprise systems
US20050198501A1 (en) * 2004-03-02 2005-09-08 Dmitry Andreev System and method of providing credentials in a network
US7010582B1 (en) * 2000-06-26 2006-03-07 Entrust Limited Systems and methods providing interactions between multiple servers and an end use device
US20060064502A1 (en) * 2004-09-22 2006-03-23 Transaxtions Llc Using Popular IDs To Sign On Creating A Single ID for Access
JP2006252418A (en) * 2005-03-14 2006-09-21 Nec Corp Single sign-on cooperation method using authentication information, system thereof, mediation server, operation method, and operation program
US20060218625A1 (en) * 2005-03-25 2006-09-28 Sbc Knowledge Ventures, L.P. System and method of locating identity providers in a data network
US20070294752A1 (en) * 2006-06-01 2007-12-20 Novell, Inc. Single sign on with proxy services
US20080021997A1 (en) * 2006-07-21 2008-01-24 Hinton Heather M Method and system for identity provider migration using federated single-sign-on operation
US7509672B1 (en) * 2004-04-01 2009-03-24 Compuware Corporation Cross-platform single sign-on data sharing
US20090292800A1 (en) * 2002-10-04 2009-11-26 International Business Machines Corporation Method and apparatus for enabling associated portlets of a web portlet to collaborate for synchronized content display
US20110154464A1 (en) * 2009-12-23 2011-06-23 Puneet Agarwal Systems and methods for intercepting and automatically filling in forms by the appliance for single-sign on
US8255984B1 (en) * 2009-07-01 2012-08-28 Quest Software, Inc. Single sign-on system for shared resource environments

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100247951B1 (en) 1997-04-11 2000-03-15 윤종용 Program modification method of PDA
US6567974B1 (en) 2000-02-25 2003-05-20 Sun Microsystems, Inc. Small memory footprint system and method for separating applications within a single virtual machine
US7219154B2 (en) 2002-12-31 2007-05-15 International Business Machines Corporation Method and system for consolidated sign-off in a heterogeneous federated environment
WO2005015794A1 (en) * 2003-07-14 2005-02-17 Sony Corporation Communication method
US20050027713A1 (en) * 2003-08-01 2005-02-03 Kim Cameron Administrative reset of multiple passwords
US7587721B2 (en) 2004-05-20 2009-09-08 Sap Ag Sharing objects in runtime systems
KR20060067732A (en) 2004-12-15 2006-06-20 한국전자통신연구원 Method of service logout in single sign on service using federated identity
US20060218628A1 (en) 2005-03-22 2006-09-28 Hinton Heather M Method and system for enhanced federated single logout
US20070039043A1 (en) 2005-08-11 2007-02-15 Sbc Knowledge Ventures L.P. Distributed global log off for a single sign-on account
JP2007066265A (en) 2005-09-02 2007-03-15 Hitachi Ltd Computer device and virtual machine providing method
JP2008219266A (en) * 2007-03-01 2008-09-18 Ntt Docomo Inc Network access authentication system, authentication key generation server, authentication key distribution server, terminal device, and access management server
US8244907B2 (en) 2007-10-16 2012-08-14 International Business Machines Corporation Browser-based logoff from distributed and federated environments
US9342364B2 (en) * 2008-04-09 2016-05-17 International Business Machines Corporation Workflow managed composite applications
US8099768B2 (en) 2008-09-18 2012-01-17 Oracle America, Inc. Method and system for multi-protocol single logout
CN101997903B (en) * 2009-08-27 2013-09-25 国际商业机器公司 Method and system for processing hypertext transfer protocol request

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150304272A1 (en) * 2012-07-30 2015-10-22 Beijing Wangmi Online Network Co., Ltd. Network accessing method, application server and system
US20160315940A1 (en) * 2013-07-02 2016-10-27 Open Text S.A. System and method for controlling access
US10154035B2 (en) * 2013-07-02 2018-12-11 Open Text Sa Ulc System and method for controlling access
CN103618612A (en) * 2013-12-04 2014-03-05 中国联合网络通信集团有限公司 Method and device for achieving single sign on of applications in terminal
US20170093737A1 (en) * 2015-09-28 2017-03-30 Arris Enterprises Llc Domain name system response spoofing at customer premise equipment device
US11082353B2 (en) * 2015-09-28 2021-08-03 Arris Enterprises Llc Domain name system response spoofing at customer premise equipment device
US20190012454A1 (en) * 2015-12-09 2019-01-10 Amazon Technologies, Inc. Validating sign-out implementation for identity federation
US10803164B2 (en) * 2015-12-09 2020-10-13 Amazon Technologies, Inc. Validating sign-out implementation for identity federation
CN105635178A (en) * 2016-02-26 2016-06-01 北京奇虎科技有限公司 Blocking network access method and device for ensuring safety
US11755679B2 (en) 2016-03-07 2023-09-12 Advanced New Technologies Co., Ltd. Service execution method and device
US11347825B2 (en) * 2016-03-07 2022-05-31 Advanced New Technologies Co., Ltd. Service execution method and device
CN107277049A (en) * 2017-07-27 2017-10-20 郑州云海信息技术有限公司 The access method and device of a kind of application system
US11601392B2 (en) 2017-10-17 2023-03-07 Servicenow, Inc. Deployment of a custom address to a remotely managed computational instance
US11297034B2 (en) * 2017-10-17 2022-04-05 Servicenow, Inc. Deployment of a custom address to a remotely managed computational instance
CN108134806A (en) * 2018-03-13 2018-06-08 北京信安世纪科技股份有限公司 A kind of method and system of Single Sign Out
CN108200107A (en) * 2018-03-30 2018-06-22 浙江网新恒天软件有限公司 A kind of method that single-sign-on is realized in multi-domain environment
US10938879B2 (en) * 2018-06-04 2021-03-02 Akamai Technologies, Inc. Third-party Ad acceleration
US20190373043A1 (en) * 2018-06-04 2019-12-05 Instart Logic, Inc. Third-party ad acceleration
US20210374119A1 (en) * 2020-05-26 2021-12-02 Fujitsu Limited Data update apparatus and data update method
CN111935151A (en) * 2020-08-11 2020-11-13 广州太平洋电脑信息咨询有限公司 Cross-domain unified login method and device
US20220210145A1 (en) * 2020-12-30 2022-06-30 Open Text Holdings, Inc. Systems and methods for identity and access management with extended trust
CN113194099A (en) * 2021-04-30 2021-07-30 网宿科技股份有限公司 Data proxy method and proxy server
US20230177096A1 (en) * 2021-12-06 2023-06-08 AO Kaspersky Lab System and method for providing content to a user
US11768902B2 (en) * 2021-12-06 2023-09-26 AO Kaspersky Lab System and method for providing content to a user

Also Published As

Publication number Publication date
CN102739603A (en) 2012-10-17
US20120311167A1 (en) 2012-12-06
CN102739603B (en) 2015-10-21
US8825855B2 (en) 2014-09-02

Similar Documents

Publication Publication Date Title
US8825855B2 (en) Non-intrusive single sign-on mechanism in cloud services
CN109587133B (en) Single sign-on system and method
CN109639687B (en) Systems, methods, and media for providing cloud-based identity and access management
AU2009222468B2 (en) Segregating anonymous access to dynamic content on a web server, with cached logons
EP3202117B1 (en) Using credentials stored in different directories to access a common endpoint
US8838792B2 (en) Identity provider instance discovery
US9596122B2 (en) Identity provider discovery service using a publish-subscribe model
JP5357246B2 (en) System, method and program product for integrated authentication
US11394703B2 (en) Methods for facilitating federated single sign-on (SSO) for internal web applications and devices thereof
US20080010287A1 (en) Method and system for distributed retrieval of data objects using tagged artifacts within federated protocol operations
US20100049790A1 (en) Virtual Identity System and Method for Web Services
US20200099685A1 (en) Systems, methods, and apparatuses for logging in to an external website from a cloud based computing environment
US20130212665A1 (en) Signing off from multiple domains accessible using single sign-on
JP6449993B2 (en) Single sign-on system and single sign-on method
US20150149530A1 (en) Redirecting Access Requests to an Authorized Server System for a Cloud Service
MX2011003223A (en) Service provider access.
US20100042742A1 (en) On-deck detection for a web site
CN114902612A (en) Edge network based account protection service
US8713088B2 (en) Identifying users of remote sessions
US8291479B2 (en) Method, hardware product, and computer program product for optimizing security in the context of credential transformation services
JP2000106552A (en) Authentication method
US20100287600A1 (en) Assigning User Requests of Different Types or Protocols to a User by Trust Association Interceptors
US11575761B2 (en) Method and system for propagating data between different domains in a privacy focused way
CN114244607A (en) Single sign-on method, system, device, medium, and program
Kumar et al. An Improved Single Sign-On Mechanism by Enhancing the Functionality of Reverse Proxy

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:FENG, CHEN HUA;TANG, KAI;WANG, YUN TAO;AND OTHERS;REEL/FRAME:027931/0822

Effective date: 20120323

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE