WO2012171419A1 - Single sign-on method and system - Google Patents

Single sign-on method and system

Info

Publication number
WO2012171419A1
WO2012171419A1 (application PCT/CN2012/074931)
Authority
WO
WIPO (PCT)
Prior art keywords
user
server
string
single sign
secret
Application number
PCT/CN2012/074931
Other languages
French (fr)
Chinese (zh)
Inventor
牛国扬
陈琼春
王阳
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Definitions

  • The present invention relates to the field of communications, and in particular to a single sign-on method and system.
  • Background: single sign-on is part of identity management. It means that the same user, when accessing protected resources in different applications on the same server, needs to log in only once: after passing the security check in one application, the user can access protected resources in the other applications without logging in again.
  • In the current enterprise application environment there are typically many application systems, such as office automation (OA) systems, financial management systems, file management systems, information query systems and the like. These systems support the enterprise's informatization and bring real benefits, but they are inconvenient for users: every time a user uses a system, a user name and password must be entered for authentication, and because each application system has its own user accounts, the user must remember several sets of user names and passwords at once. Single sign-on solves this problem effectively.
  • The existing single sign-on method requires one or more independent systems to act as a single sign-on server: when the user logs in, the user's login information is compared against a user information database, and after successful authentication an authentication token is generated and returned to the user. Verifying login information through an independent single sign-on server in this way is complex to implement, cannot meet current requirements for rapid deployment, is prone to error, and is costly.
  • A related embodiment of the present invention provides a single sign-on method, which includes: after the user logs in, the client generates a ciphertext from a time string, a random code and a shared key that it shares with the server, and sends the time string, the random code and the ciphertext to the server;
  • the server generates a verification string from the received time string, random code and shared key, authenticates the user with it, and processes the user's login request according to the authentication result.
  • Preferably, authenticating the user and processing the login request according to the authentication result includes:
  • comparing the verification string with the ciphertext; if the two are the same, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is not allowed to log in.
  • Preferably, after the user is allowed to log in, the method further includes saving the ciphertext.
  • Preferably, before the server authenticates the user, the method further includes determining whether the time string is outside a preset time range; if it is, the user is not allowed to log in; if it is not, the verification string is compared with the ciphertext.
  • Preferably, after the server has determined that the time string is within the preset time range and before it compares the verification string with the ciphertext, the method further includes:
  • searching local history data, and comparing the verification string with the ciphertext only when the ciphertext is not present there.
  • A related embodiment of the present invention further provides a single sign-on system, which includes a client and a server, where:
  • the client is configured to generate a ciphertext from a time string, a random code and the shared key it shares with the server after the user logs in, and to send the time string, the random code and the ciphertext to the server;
  • the server is configured to generate a verification string from the received time string, random code and shared key, authenticate the user with it, and process the user's login request according to the authentication result.
  • Preferably, the server has an authentication module configured to compare the verification string with the ciphertext; if the two are the same, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is not allowed to log in.
  • Preferably, the server further includes a saving module configured to save the ciphertext.
  • Preferably, the server further includes a determining module configured to determine whether the time string is outside the preset time range; if it is, the user is not allowed to log in; if it is not, the comparison of the verification string with the ciphertext is performed.
  • Preferably, the server further includes a lookup module configured to search local history data and to perform the comparison of the verification string with the ciphertext only when the ciphertext is not present there.
  • The single sign-on method and system of the related embodiments operate without the support of a single sign-on server: once a user has successfully logged in to the client, the user can log in to the server directly without re-entering a user name and password. This makes single sign-on simple to implement, allows single sign-on functions meeting varied requirements to be realized quickly, is not prone to error, and is low in cost.
  • FIG. 1 is a schematic flowchart of an embodiment of the single sign-on method of the present invention.
  • FIG. 2 is a schematic flowchart of authentication in an embodiment of the single sign-on method of the present invention.
  • FIG. 3 is a schematic flowchart of another embodiment of the single sign-on method of the present invention.
  • FIG. 4 is a schematic flowchart of a further embodiment of the single sign-on method of the present invention.
  • FIG. 5 is a schematic structural diagram of an embodiment of the single sign-on system of the present invention.
  • FIG. 6 is a schematic structural diagram of the server in an embodiment of the single sign-on system of the present invention.
  • FIG. 7 is a schematic structural diagram of another embodiment of the single sign-on system of the present invention.
  • FIG. 8 is a schematic structural diagram of a further embodiment of the single sign-on system of the present invention.
  • Detailed description:
  • Step S101: after the user logs in, the client generates a ciphertext from the time string, the random code and the shared key it shares with the server, and sends the time string, the random code and the ciphertext to the server.
  • After the user logs in, the client can generate a time string from the current time. Its format can be "year month day hour minute second": a four-digit year followed by a two-digit month, day, hour, minute and second. The main role of the time string is to reject expired requests.
  • The client can also generate a random code, which is a string; in this embodiment the random code is four characters long. The main role of the random code is to avoid generating duplicate ciphertexts, so that a legitimate login is not judged to be an illegitimate one.
  • The same shared key is preset on the client and on the server. The shared key is a string, and the longer it is the more secure the system; in this embodiment the shared key can be a string longer than 12 characters. The shared key is never transmitted between the systems and is used only for identity verification.
  • After the user has successfully logged in to the client, the client applies an encryption algorithm to the time string, the random code and the shared key to generate a ciphertext; the algorithm may be a non-reversible algorithm such as MD5. The client then sends the time string, the random code and the generated ciphertext to the server.
  • Step S102: the server generates a verification string from the received time string, random code and shared key, authenticates the user with it, and processes the user's login request according to the authentication result.
  • After receiving the time string, random code and ciphertext sent by the client, the server applies the encryption algorithm (again, a non-reversible algorithm such as MD5) to the time string, the random code and the shared key to generate a verification string. It authenticates the user with the generated verification string, processes the login request according to the result, and decides whether the user is allowed to log in.
  • Step S102 includes step S1021: compare the verification string with the ciphertext; if the two are the same, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is not allowed to log in.
  • The ciphertext generated by the encryption algorithm on the client is compared with the verification string generated by the same encryption algorithm on the server to determine whether the two are the same. If they are the same, authentication succeeds and the user may be allowed to log in to the server; if they differ, authentication fails and the user is not allowed to log in to the server.
  • Because the logged-in system and the system to be logged in to each derive their value (the ciphertext and the verification string respectively) from the time string, the random code and the same preset shared key, and the decision to allow login is made by comparing the two, single sign-on authentication is simple and fast, and the judgment of whether a login is legitimate is more secure.
  • Step S102 further includes step S1022: save the ciphertext.
  • The ciphertext sent by the client is saved in a ciphertext database and is used, when the next login request is received, to determine whether that request comes from an "illegal interceptor".
  • The historical data in the ciphertext database grows over time. To save system resources and keep performance up, this data needs to be cleaned regularly; in this embodiment, cleanup can be configured to remove historical data older than one day.
  • The method further includes step S103: the server determines whether the time string is outside a preset time range; if it is, the user is not allowed to log in; if it is not, the verification string is compared with the ciphertext.
  • After receiving the time string sent by the client, the server can check it against the preset time range to decide whether the login request sent by the client has expired. The time range can be set to one day, meaning that the time string carried in an authentication request from the logged-in system is valid for one day. If the time string is within the range, the ciphertext sent by the client is compared with the verification string generated by the server, and whether the user may log in to the server is decided by whether the two are the same.
  • The method further includes step S104: search local history data, and compare the verification string with the ciphertext only if the ciphertext is not present there.
  • Once the time string has been checked and found valid, the server looks up whether the ciphertext already exists in the local history data saved in its ciphertext database. If it exists, the login request has been used before and may have been sent by an interceptor, so authentication can be judged to have failed. If the ciphertext does not exist in the local history data, the ciphertext sent by the client is compared with the verification string generated by the server, and whether the user may log in to the server is decided by whether the two are the same.
  • The system embodiment includes a client and a server.
  • The client is configured to generate a ciphertext from a time string, a random code and the shared key it shares with the server after the user logs in, and to send the time string, the random code and the ciphertext to the server.
  • The server is configured to generate a verification string from the received time string, random code and shared key, authenticate the user with it, and process the user's login request according to the authentication result.
  • The client can generate the time string from the current time of the logged-in system. Its format can be "year month day hour minute second": a four-digit year followed by a two-digit month, day, hour, minute and second. The main role of the time string is to reject expired requests.
  • The client can also generate a random code, which is a string; its length can be four characters. The main role of the random code is to avoid generating duplicate ciphertexts, so that a legitimate login is not judged to be an illegitimate one.
  • The same shared key is preset on the client and on the server. The shared key is a string, and the longer it is the more secure the system; in this embodiment the shared key can be a string longer than 12 characters. The shared key is never transmitted between the systems and is used only for identity verification.
  • After the user has successfully logged in to the client, the client generates the ciphertext from the time string, the random code and the shared key using an encryption algorithm, which can be a non-reversible algorithm such as MD5, and sends the time string, the random code and the generated ciphertext to the server.
  • After receiving the time string, random code and ciphertext sent by the client, the server generates a verification string from the time string, the random code and the shared key using the encryption algorithm (again, a non-reversible algorithm such as MD5). The server authenticates the user with the generated verification string, processes the login request according to the result, and decides whether the user is allowed to log in.
  • The single sign-on system of the invention operates without the support of a single sign-on server: once a user has successfully logged in to the client, the user can log in to the server directly without re-entering a user name and password. This makes single sign-on simple to implement, allows single sign-on functions meeting varied requirements to be realized quickly, is not prone to error, and is low in cost.
  • The server includes an authentication module 10 configured to compare the verification string with the ciphertext; if the two are the same, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is not allowed to log in.
  • The authentication module 10 compares the ciphertext generated by the encryption algorithm on the client with the verification string generated by the same encryption algorithm on the server to determine whether the two are the same. If they are the same, authentication succeeds and the user is allowed to log in to the server; if they differ, authentication fails and the user is not allowed to log in to the server.
  • The server further includes a saving module 20 configured to save the ciphertext.
  • After the user has been authenticated and has logged in to the server, the saving module 20 saves the ciphertext sent by the client in the ciphertext database.
  • The ciphertext database is used, when the server receives a later login request, to determine whether that request is an impersonation sent by an "illegal interceptor".
  • The historical data in the ciphertext database grows over time. To save system resources and keep performance up, this data needs to be cleaned regularly; in this embodiment, cleanup can be configured to remove historical data older than one day.
  • The server further includes a determining module 30 configured to determine whether the time string is outside a preset time range; if it is, the user is not allowed to log in; if it is not, the comparison of the verification string with the ciphertext is performed.
  • The determining module 30 checks the time string against the preset time range to decide whether the login request sent by the client has expired. The time range can be set to one day, meaning that the time string carried in an authentication request from the logged-in system is valid for one day. If the time string is within the range, the ciphertext sent by the client is compared with the verification string generated by the server, and whether the user may log in to the server is decided by whether the two are the same.
  • The server further includes a lookup module 40 configured to search local history data and to perform the comparison of the verification string with the ciphertext only when the ciphertext is not present there.
  • Once the time string has been checked and found valid, the lookup module 40 looks up whether the ciphertext already exists in the local history data saved in the server's ciphertext database. If it exists, the login request has been used before and may have been sent by an interceptor, so authentication can be judged to have failed. If the ciphertext does not exist in the local history data, the ciphertext sent by the client is compared with the verification string generated by the server, and whether the user may log in to the server is decided by whether the two are the same.
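The exchange described in steps S101 to S104 above, and restated as modules 10, 20, 30 and 40, written out end to end as a runnable added example. This is the editor's code, not code from the patent or from 中兴通讯股份有限公司: the names `make_ciphertext`, `client_login_request`, `Server`, `run_scenario` and `run_purge_scenario` are the example's own, the shared key, timestamps and random codes are constructed sample values, and the concatenation order inside the hash is an assumption, since the patent names MD5 but does not say how the three inputs are combined. Two details the patent leaves open are pinned down here: history entries are aged by their own time string so that nothing is purged until a replay of it would already fail the time-range check, and the comparison of module 10 is done in constant time.

```python
# Added example for this page (editor's code, not the patent's or ZTE's): a
# runnable model of steps S101-S104 / modules 10-40. Values and names not fixed
# by the patent text are marked ASSUMPTION or "constructed".
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

TIME_FMT = "%Y%m%d%H%M%S"         # year month day hour minute second: 4+2+2+2+2+2 digits
RANDOM_LEN = 4                     # random code length used in the embodiment
TIME_WINDOW = timedelta(days=1)    # preset time range used in the embodiment
SHARED_KEY = "constructed-shared-key-longer-than-12"  # constructed; preset on both sides, never sent


def make_ciphertext(time_str, random_code, key):
    """MD5 over the time string, random code and shared key: the client's
    'ciphertext' and the server's 'verification string' are this same value.
    ASSUMPTION: the patent names MD5 but not how the three inputs are combined;
    this example concatenates time_str + random_code + key."""
    return hashlib.md5((time_str + random_code + key).encode("utf-8")).hexdigest()


def client_login_request(key, now, random_code=None):
    """Step S101: after the local login, build the message the client sends.
    A random code is generated unless a constructed one is supplied for testing."""
    time_str = now.strftime(TIME_FMT)
    if random_code is None:
        alphabet = string.ascii_letters + string.digits
        random_code = "".join(secrets.choice(alphabet) for _ in range(RANDOM_LEN))
    return {"time": time_str, "random": random_code,
            "ciphertext": make_ciphertext(time_str, random_code, key)}


class Server:
    """Server side of the exchange: steps S102-S104, i.e. modules 10 (compare),
    20 (save), 30 (time range) and 40 (history lookup)."""

    def __init__(self, key, window=TIME_WINDOW):
        self.key = key
        self.window = window
        self.history = {}   # ciphertext -> parsed time string: the "ciphertext database"

    def authenticate(self, req, now):
        time_str, random_code, ciphertext = req.get("time"), req.get("random"), req.get("ciphertext")
        if not all(isinstance(v, str) for v in (time_str, random_code, ciphertext)):
            return False, "malformed"
        # Module 30 / step S103: reject a time string outside the preset range.
        try:
            t = datetime.strptime(time_str, TIME_FMT)
        except ValueError:
            return False, "malformed"
        if abs(now - t) > self.window:
            return False, "expired"
        # Module 40 / step S104: a ciphertext already in the history has been used
        # once and may have been captured and resent by an interceptor.
        if ciphertext in self.history:
            return False, "replay"
        # Module 10 / step S1021: recompute the verification string and compare.
        # compare_digest keeps the comparison time independent of where the two
        # strings first differ.
        expected = make_ciphertext(time_str, random_code, self.key)
        if not hmac.compare_digest(expected, ciphertext):
            return False, "mismatch"
        # Module 20 / step S1022: save the accepted ciphertext for later replay checks.
        self.history[ciphertext] = t
        return True, "ok"

    def purge(self, now):
        """Periodic cleanup of history older than the window (the embodiment cleans
        data older than one day). Entries are aged by their own time string, so an
        entry is dropped only once any replay of it would fail the range check.
        Returns the number of entries removed."""
        stale = [c for c, t in self.history.items() if now - t > self.window]
        for c in stale:
            del self.history[c]
        return len(stale)


def run_scenario():
    """Constructed scenario: a fresh login, a replay of the same message, a
    request two days old, and a request built with a different key."""
    server = Server(SHARED_KEY)
    t0 = datetime(2012, 5, 21, 9, 30, 0)            # constructed client clock
    req = client_login_request(SHARED_KEY, t0, random_code="a7Q2")
    first = server.authenticate(req, t0 + timedelta(minutes=5))
    replay = server.authenticate(req, t0 + timedelta(minutes=6))
    old = client_login_request(SHARED_KEY, t0 - timedelta(days=2), random_code="z9Xk")
    expired = server.authenticate(old, t0)
    forged = client_login_request("wrong-key-also-longer-than-12", t0, random_code="a7Q3")
    mismatch = server.authenticate(forged, t0 + timedelta(minutes=1))
    return first, replay, expired, mismatch


def run_purge_scenario():
    """Constructed scenario: once the window has passed, the saved ciphertext is
    purged, and a replay of it is now refused by the range check instead."""
    server = Server(SHARED_KEY)
    t0 = datetime(2012, 5, 21, 9, 30, 0)
    req = client_login_request(SHARED_KEY, t0, random_code="Q1w2")
    first = server.authenticate(req, t0)
    later = t0 + timedelta(days=1, seconds=1)
    removed = server.purge(later)
    return first, removed, server.authenticate(req, later)


if __name__ == "__main__":
    print(run_scenario())          # (True, 'ok'), (False, 'replay'), (False, 'expired'), (False, 'mismatch')
    print(run_purge_scenario())    # (True, 'ok'), 1, (False, 'expired')
```

Run it directly to see the verdicts for each constructed request. Two caveats a practitioner would add, neither of which comes from the patent: hashing a plain concatenation with MD5 is not a standard message-authentication construction, and the same exchange would normally be built on a keyed MAC such as `hmac.new(key, time_str + random_code, "sha256")` from the same `hmac` module; and the cleanup interval of the ciphertext database must never be shorter than the acceptance window (the embodiment sets both to one day), otherwise a captured request can be replayed after cleanup while its time string is still within range.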

Abstract

Disclosed is a single sign-on method, comprising: a client end generating a ciphertext according to a time string, a random code and a shared key shared with a server end after a user has signed on, and sending the time string, the random code and the ciphertext to the server end; the server end generating a verification string according to the received time string, random code and shared key, performing authentication on the user, and processing the sign-on request of the user according to the authentication result. A corresponding system is also provided. The operation of the single sign-on method and system provided in the present invention does not require support from a single sign-on server, making single sign-on simple to implement, malfunctions rare and costs relatively low.

Description

Single sign-on method and system

Technical field

The present invention relates to the field of communications, and in particular to a single sign-on method and system.

Background

Single sign-on is part of identity management. It means that the same user, when accessing protected resources in different applications on the same server, needs to log in only once: after passing the security check in one application, the user can access protected resources in the other applications without logging in again.

In the current enterprise application environment there are typically many application systems, such as office automation (OA) systems, financial management systems, file management systems, information query systems and the like. These systems support the enterprise's informatization and bring real benefits, but they are inconvenient for users: every time a user uses a system, a user name and password must be entered for authentication, and because each application system has its own user accounts, the user must remember several sets of user names and passwords at once. Single sign-on solves this problem effectively. The existing single sign-on method requires one or more independent systems to act as a single sign-on server: when the user logs in, the user's login information is compared against a user information database, and after successful authentication an authentication token is generated and returned to the user. Verifying login information through an independent single sign-on server in this way is complex to implement, cannot meet current requirements for rapid deployment, is prone to error, and is costly.

Summary of the invention

Related embodiments of the present invention provide a single sign-on method and system that operate without the support of a single sign-on server, which makes single sign-on simple to implement, not prone to error, and low in cost.
A related embodiment of the present invention provides a single sign-on method, which includes: after the user logs in, the client generates a ciphertext from a time string, a random code and a shared key that it shares with the server, and sends the time string, the random code and the ciphertext to the server;

the server generates a verification string from the received time string, random code and shared key, authenticates the user with it, and processes the user's login request according to the authentication result.

Preferably, authenticating the user and processing the login request according to the authentication result includes:

comparing the verification string with the ciphertext; if the two are the same, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is not allowed to log in.

Preferably, after the user is allowed to log in, the method further includes saving the ciphertext.

Preferably, before the server authenticates the user, the method further includes: determining whether the time string is outside a preset time range; if it is, the user is not allowed to log in; if it is not, the verification string is compared with the ciphertext.

Preferably, after the server has determined that the time string is within the preset time range and before it compares the verification string with the ciphertext, the method further includes:

searching local history data, and comparing the verification string with the ciphertext only when the ciphertext is not present there.

A related embodiment of the present invention further provides a single sign-on system, which includes a client and a server, where:

the client is configured to generate a ciphertext from a time string, a random code and the shared key it shares with the server after the user logs in, and to send the time string, the random code and the ciphertext to the server;

the server is configured to generate a verification string from the received time string, random code and shared key, authenticate the user with it, and process the user's login request according to the authentication result.

Preferably, the server has an authentication module configured to compare the verification string with the ciphertext; if the two are the same, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is not allowed to log in. Preferably, the server further includes a saving module configured to save the ciphertext.

Preferably, the server further includes:

a determining module configured to determine whether the time string is outside the preset time range; if it is, the user is not allowed to log in; if it is not, the comparison of the verification string with the ciphertext is performed.

Preferably, the server further includes:

a lookup module configured to search local history data and to perform the comparison of the verification string with the ciphertext only when the ciphertext is not present there.

The single sign-on method and system provided by the related embodiments of the present invention operate without the support of a single sign-on server: once a user has successfully logged in to the client, the user can log in to the server directly without re-entering a user name and password. This makes single sign-on simple to implement, allows single sign-on functions meeting varied requirements to be realized quickly, is not prone to error, and is low in cost.

Brief description of the drawings
FIG. 1 is a schematic flowchart of an embodiment of the single sign-on method of the present invention;

FIG. 2 is a schematic flowchart of authentication in an embodiment of the single sign-on method of the present invention;

FIG. 3 is a schematic flowchart of another embodiment of the single sign-on method of the present invention;

FIG. 4 is a schematic flowchart of a further embodiment of the single sign-on method of the present invention;

FIG. 5 is a schematic structural diagram of an embodiment of the single sign-on system of the present invention;

FIG. 6 is a schematic structural diagram of the server in an embodiment of the single sign-on system of the present invention; FIG. 7 is a schematic structural diagram of another embodiment of the single sign-on system of the present invention;

FIG. 8 is a schematic structural diagram of a further embodiment of the single sign-on system of the present invention.

Detailed description

It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Referring to FIG. 1, an embodiment of the single sign-on method of the present invention includes the following steps.

Step S101: after the user logs in, the client generates a ciphertext from the time string, the random code and the shared key it shares with the server, and sends the time string, the random code and the ciphertext to the server.

After the user logs in, the client can generate a time string from the current time. Its format can be "year month day hour minute second": a four-digit year followed by a two-digit month, day, hour, minute and second. The main role of the time string is to reject expired requests. The client can also generate a random code, which is a string; in this embodiment the random code is four characters long. The main role of the random code is to avoid generating duplicate ciphertexts, so that a legitimate login is not judged to be an illegitimate one.

The same shared key is preset on the client and on the server. The shared key is a string, and the longer it is the more secure the system; in this embodiment the shared key can be a string longer than 12 characters. The shared key is never transmitted between the systems and is used only for identity verification.

After the user has successfully logged in to the client, an encryption algorithm is applied to the time string, the random code and the shared key to generate a ciphertext; the algorithm can be a non-reversible algorithm such as MD5. The time string, the random code and the generated ciphertext are then sent to the server.

Step S102: the server generates a verification string from the received time string, random code and shared key, authenticates the user with it, and processes the user's login request according to the authentication result.

After receiving the time string, random code and ciphertext sent by the client, the server applies the encryption algorithm, which can be a non-reversible algorithm such as MD5, to the time string, the random code and the shared key to generate a verification string. It authenticates the user with the generated verification string, processes the login request according to the result, and decides whether the user is allowed to log in.

The single sign-on method provided by the invention operates without the support of a single sign-on server: once a user has successfully logged in to the client, the user can log in to the server directly without re-entering a user name and password. This makes single sign-on simple to implement, allows single sign-on functions meeting varied requirements to be realized quickly, is not prone to error, and is low in cost. Referring to FIG. 2, in an embodiment of the single sign-on method of the present invention, step S102 includes step S1021: compare the verification string with the ciphertext; if the two are the same, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is not allowed to log in.

The ciphertext generated by the encryption algorithm on the client is compared with the verification string generated by the same encryption algorithm on the server to determine whether the two are the same. If they are the same, authentication succeeds and the user may be allowed to log in to the server; if they differ, authentication fails and the user is not allowed to log in to the server.
采用相同的加密算法, 根据时间串、 随机码和在客户端与服务端之间 预设的相同的共享密钥, 分别对已登录系统和待登录系统生成一秘文和一 验证串, 通过对比秘文和验证串是否相同, 来判断是否允许用户登录服务 端, 使得单点登录的身份验证简单、 快捷, 并可提高登录者合法性判断的 安全性。  Using the same encryption algorithm, according to the time string, the random code, and the same shared key preset between the client and the server, respectively generate a secret and a verification string for the logged-in system and the system to be logged, by comparing the secrets It is the same as the verification string to determine whether to allow the user to log in to the server, which makes the single sign-on authentication simple and fast, and improves the security of the registrant's legality judgment.
In the above embodiment, step S102 further includes:

Step S1022: save the secret string.

Once the user has been authenticated and has logged in to the server, the secret string sent by the client is saved in a secret-string database, which is consulted on the next login request to decide whether that request is an impersonation sent by an "illegitimate interceptor". The historical data in the secret-string database grows over time, so to save system resources and maintain performance it must be cleaned up periodically; in this embodiment it may be configured to purge history older than 1 day.

Referring to FIG. 3, a further embodiment of the single sign-on method of the invention additionally includes, after step S101:

Step S103: the server checks whether the time string falls outside the preset time range; if it does, the user is refused; if not, the comparison of the verification string and the secret string is carried out.

After receiving the time string from the client, the server can check it against a preset time range to decide whether the login request sent by the client is expired. In this embodiment the time range may be set to 1 day, i.e. an authentication request from the already-logged-in system is valid if its time string is within 1 day. If the time string is within the set range, the secret string sent by the client is compared with the verification string computed by the server, and whether the user may log in to the server is decided by whether the two are identical.

Referring to FIG. 4, yet another embodiment of the single sign-on method of the invention additionally includes, after step S101:

Step S104: search the local history data; if the secret string is not present there, carry out the comparison of the verification string and the secret string.

Once the time string has been found valid, the server looks the secret string up in the local history data held in its secret-string database. If it is present, that login request has already been used and may have been sent by an interceptor, so authentication can be judged failed. If it is not present, the secret string sent by the client is compared with the verification string computed by the server, and whether the user may log in to the server is decided by whether the two are identical.

Checking the validity of the time string against the set time range and looking the secret string up in the local history data lets the server detect failed authentication early, which makes login authentication faster and further strengthens the verification of the user's identity.
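The complete exchange of steps S101 to S104 (and of the client, authentication module, saving module, determining module and lookup module in the system embodiment that follows), as an added example; this is illustrative code, not the patent's own implementation. It performs the server-side checks in the order the text gives them: time window (S103), replay lookup in the saved history (S104), recompute and compare (S1021), save (S1022). Assumptions not taken from the page: a keyed HMAC-SHA256 stands in for the MD5 over the concatenated values that the text names; the random code is drawn from upper-case letters and digits; time strings are UTC; the secret-string database is an in-memory dict; and the field names `time`, `random` and `secret` are invented for the example.

```python
# Added example of the time-string / random-code / shared-key single sign-on
# check (steps S101-S104). Not the patent's code; see the lead-in for assumptions.
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

TIME_FMT = "%Y%m%d%H%M%S"             # "year month day hour minute second", 14 digits
RANDOM_LEN = 4                         # the embodiment's four-character random code
RANDOM_ALPHABET = string.ascii_uppercase + string.digits   # assumption: alphabet not given
TIME_WINDOW = timedelta(days=1)        # the embodiment's validity window for the time string
HISTORY_RETENTION = timedelta(days=1)  # the embodiment purges history older than one day


def make_secret(time_str: str, random_code: str, shared_key: str) -> str:
    """Secret string (client side) / verification string (server side).

    The page names a one-way hash such as MD5 over time string, random code and
    shared key; a keyed HMAC-SHA256 is used here instead (assumption).
    """
    msg = f"{time_str}:{random_code}".encode()
    return hmac.new(shared_key.encode(), msg, hashlib.sha256).hexdigest()


def client_login_request(shared_key: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """S101: what the already-logged-in client sends to the server."""
    now = now or datetime.now(timezone.utc)
    time_str = now.strftime(TIME_FMT)
    random_code = "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(RANDOM_LEN))
    return {
        "time": time_str,
        "random": random_code,
        "secret": make_secret(time_str, random_code, shared_key),
    }


class Server:
    """S102-S104: verification with the same shared key plus the secret-string history."""

    def __init__(self, shared_key: str):
        self.shared_key = shared_key
        self.history: Dict[str, datetime] = {}   # accepted secret string -> time accepted

    def authenticate(self, request: Dict[str, str],
                     now: Optional[datetime] = None) -> Tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        time_str = request.get("time", "")
        random_code = request.get("random", "")
        secret = request.get("secret", "")

        # S103: reject requests whose time string is outside the window
        # (future-dated strings beyond the window are rejected as well).
        try:
            sent = datetime.strptime(time_str, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed time string"
        if abs(now - sent) > TIME_WINDOW:
            return False, "expired"

        # S104: a secret string already in the history is a replayed request.
        if secret in self.history:
            return False, "replay"

        # S102 / S1021: recompute the verification string and compare in constant time.
        expected = make_secret(time_str, random_code, self.shared_key)
        if not hmac.compare_digest(expected, secret):
            return False, "verification string mismatch"

        # S1022: remember the accepted secret string for later replay checks.
        self.history[secret] = now
        return True, "login allowed"

    def prune_history(self, now: Optional[datetime] = None) -> int:
        """Periodic clean-up of history older than HISTORY_RETENTION; returns entries removed."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - HISTORY_RETENTION
        stale = [s for s, accepted in self.history.items() if accepted < cutoff]
        for s in stale:
            del self.history[s]
        return len(stale)


if __name__ == "__main__":
    key = "example-shared-key-longer-than-12"   # constructed key, more than 12 characters
    server = Server(key)
    req = client_login_request(key)
    print(req, server.authenticate(req))        # first use is accepted
    print(server.authenticate(req))             # the same request again is refused as a replay
```

Two points the code makes explicit that the text leaves implicit: the replay lookup only protects requests whose secret string is still in the history, so `HISTORY_RETENTION` must be at least as long as `TIME_WINDOW` (the embodiment sets both to 1 day; pruning more aggressively than the window would let a purged but still-valid request be replayed), and the comparison of S1021 should be constant-time (`hmac.compare_digest`) rather than a plain string equality.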
Referring to FIG. 5, an embodiment of the single sign-on system of the invention includes a client and a server, wherein:

the client is configured to generate, after the user has logged in, a secret string from a time string, a random code and the shared key it shares with the server, and to send the time string, the random code and the secret string to the server;

the server is configured to generate a verification string from the received time string and random code and the shared key, to authenticate the user with it, and to handle the user's login request according to the authentication result.

After the user logs in, the client generates a time string from the current time of the already-logged-in system. Its format may be "year month day hour minute second": a four-digit year followed by two digits each for month, day, hour, minute and second. The main purpose of the time string is to reject expired requests. The client also generates a random code, a character string that in this embodiment may be four characters long; its main purpose is to avoid generating duplicate secret strings, so that a "legitimate user" is not judged an "illegitimate user".

A common shared key is preconfigured on the client and the server. It is a character string, and the longer it is the more secure the system; in this embodiment the shared key may be a string of more than 12 characters. The shared key is never transmitted between the systems and is used only for identity verification.

After the user has successfully logged in to the client, the client computes a secret string from the time string, the random code and the shared key with a one-way (non-reversible) hash algorithm such as MD5, and sends the time string, the random code and the resulting secret string to the server.

After receiving the time string, the random code and the secret string from the client, the server computes a verification string from the time string, the random code and the shared key with the same one-way hash algorithm (e.g. MD5), authenticates the user against the verification string, and handles the login request according to the result, i.e. decides whether the user is allowed to log in.

The single sign-on system provided by the invention runs without the support of a dedicated single sign-on server. After successfully logging in to the client, the user can log in to the server directly without re-entering a user name and password. This keeps the single sign-on implementation simple, allows single sign-on meeting varied requirements to be realised quickly, is not error-prone, and is low in cost.

Referring to FIG. 6, in one embodiment of the single sign-on system of the invention the server includes an authentication module 10, configured to compare the verification string with the secret string; if the two are identical, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is refused.

The authentication module 10 compares the secret string computed on the client with the verification string computed on the server with the same hash algorithm. If they are identical, authentication succeeds and the user may log in to the server; if they differ, authentication fails and the user is not allowed to log in to the server.

With the same hash algorithm, the time string, the random code and the identical shared key preconfigured on client and server, the secret string and the verification string are computed separately, and comparing the two decides whether the user may log in to the server. This makes single sign-on authentication simple and fast and strengthens the check of the user's legitimacy.

In the above embodiment, the server further includes:

a saving module 20, configured to save the secret string.

Once the user has been authenticated and has logged in to the server, the saving module 20 saves the secret string sent by the client in a secret-string database. That database is consulted when the server receives a login request, to decide whether the request is an impersonation sent by an "illegitimate interceptor". The historical data in the secret-string database grows over time, so to save system resources and maintain performance it must be cleaned up periodically; in this embodiment it may be configured to purge history older than 1 day.

Referring to FIG. 7, in a further embodiment of the single sign-on system of the invention the server further includes a determining module 30, configured to check whether the time string falls outside the preset time range; if it does, the user is refused; if not, the comparison of the verification string and the secret string is carried out.

After the time string is received from the client, the determining module 30 can check it against a preset time range to decide whether the login request sent by the client is expired. In this embodiment the time range may be set to 1 day, i.e. an authentication request from the already-logged-in system is valid if its time string is within 1 day. If the time string is within the set range, the secret string sent by the client is compared with the verification string computed by the server, and whether the user may log in to the server is decided by whether the two are identical.

Referring to FIG. 8, in yet another embodiment of the single sign-on system of the invention the server further includes a lookup module 40, configured to search the local history data and, if the secret string is not present there, to carry out the comparison of the verification string and the secret string.

Once the time string has been found valid, the lookup module 40 looks the secret string up in the local history data held in the server's secret-string database. If it is present, that login request has already been used and may have been sent by an interceptor, so authentication can be judged failed. If it is not present, the secret string sent by the client is compared with the verification string computed by the server, and whether the user may log in to the server is decided by whether the two are identical.

Checking the validity of the time string against the set time range and looking the secret string up in the local history data lets the server detect failed authentication early, which makes login authentication faster and further strengthens the verification of the user's identity.
The above is only a preferred embodiment of the invention and does not limit its patent scope; any equivalent structure or equivalent process derived from the description and drawings of the invention, whether applied directly or indirectly in other related technical fields, falls equally within the scope of patent protection of the invention.

Claims

1. A single sign-on method, comprising:

the client generating, after the user has logged in, a secret string from a time string, a random code and a shared key shared with the server, and sending the time string, the random code and the secret string to the server;

the server generating a verification string from the received time string and random code and the shared key, authenticating the user with it, and handling the user's login request according to the authentication result.

2. The single sign-on method of claim 1, wherein authenticating the user and handling the user's login request according to the authentication result comprises:

comparing the verification string with the secret string; if the two are identical, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is refused.

3. The single sign-on method of claim 2, further comprising, after the user is allowed to log in: saving the secret string.

4. The single sign-on method of claim 3, further comprising, before the server authenticates the user:

determining whether the time string is outside a preset time range; if it is, refusing the user; if not, carrying out the comparison of the verification string and the secret string.

5. The single sign-on method of claim 4, further comprising, after the server determines that the time string is within the preset time range and before the comparison of the verification string and the secret string: searching the local history data, and carrying out the comparison of the verification string and the secret string when the secret string is not present there.

6. A single sign-on system comprising a client and a server, wherein the client is configured to generate, after the user has logged in, a secret string from a time string, a random code and a shared key shared with the server, and to send the time string, the random code and the secret string to the server;

and the server is configured to generate a verification string from the received time string and random code and the shared key, to authenticate the user with it, and to handle the user's login request according to the authentication result.

7. The single sign-on system of claim 6, wherein the server is provided with an authentication module configured to compare the verification string with the secret string; if the two are identical, authentication succeeds and the user is allowed to log in; if they differ, authentication fails and the user is refused.

8. The single sign-on system of claim 7, wherein the server further comprises a saving module configured to save the secret string.

9. The single sign-on system of claim 8, wherein the server further comprises a determining module configured to determine whether the time string is outside a preset time range; if it is, the user is refused; if not, the comparison of the verification string and the secret string is carried out.

10. The single sign-on system of claim 9, wherein the server further comprises a lookup module configured to search the local history data and, when the secret string is not present there, to carry out the comparison of the verification string and the secret string.
PCT/CN2012/074931 2011-06-16 2012-04-28 Single sign-on method and system WO2012171419A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2011101628762A CN102263784A (en) 2011-06-16 2011-06-16 SSO (signal sign on) method and system
CN201110162876.2 2011-06-16

Publications (1)

Publication Number Publication Date
WO2012171419A1 true WO2012171419A1 (en) 2012-12-20

Family

ID=45010238

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/074931 WO2012171419A1 (en) 2011-06-16 2012-04-28 Single sign-on method and system

Country Status (2)

Country Link
CN (1) CN102263784A (en)
WO (1) WO2012171419A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12800826; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12800826; Country of ref document: EP; Kind code of ref document: A1)