WO2018036314A1 - Single sign-on authentication method and apparatus, and storage medium - Google Patents

Single sign-on authentication method and apparatus, and storage medium

Info

Publication number
WO2018036314A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
identifier
service system
mapping relationship
authentication
Application number
PCT/CN2017/093653
Other languages
English (en)
Chinese (zh)
Inventor
陈波
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a single sign-on authentication method and apparatus, and a storage medium.
  • SSO (Single Sign On) applies where multiple service systems coexist: after a user logs in once, they do not need to log in to the other business systems again; that is, one login by the user is trusted by all the other systems. Single sign-on is used very frequently on large websites. A website like Facebook, for example, has hundreds of sub-business systems behind it, and a user may work with dozens of them in a single operation or transaction. If each sub-service system required its own user authentication, not only would the user experience be poor, but the logic of repeated authentication and authorization in each subsystem would be very complicated.
  • the current single sign-on method is for the SSO authentication system to send token information to the client after checking the validity of the user's login information.
  • the client carries the token information when the user accesses other service systems.
  • the token information is submitted to the SSO authentication system for authentication.
  • the business system checks validity through the server of the SSO authentication system. Therefore, in a scenario of highly concurrent access, the load on the SSO authentication system server is too high and the response speed of the service system server is greatly reduced, resulting in a very poor user experience. A new single sign-on method is therefore needed to improve the verification efficiency of single sign-on and the access speed of the service server.
  • the embodiment of the invention provides a single sign-on authentication method and device, and a storage medium, which solves the problem that the SSO authentication system has high load and affects the response speed of the service system server in the prior art.
  • a method for single sign-on authentication including:
  • the user login identifier in the service system access request is verified by using a mapping relationship between the user login identifier and the user identity identifier stored in the cache system corresponding to the service system; after the verification is passed, the service system is controlled to establish a session with the user terminal based on the user identity corresponding to the user login identifier.
  • the mapping relationship is established by the SSO authentication system after it authenticates the login request of the client: it maps the user identity corresponding to the user end to the user login identifier, and stores the mapping in the cache system.
  • before detecting whether the service system access request sent by the user end carries the user login identifier, the method further includes: detecting whether the service system access request carries the user identity identifier, and, if it does, controlling the service system to conduct a session with the client based on that user identity.
  • the method further includes:
  • if the user login identifier is not detected in the service system access request, the user terminal is redirected to the SSO authentication system, so that the SSO authentication system authenticates the login request carrying the user identity identifier sent by the user terminal.
  • verifying the user login identifier in the service system access request by using the mapping relationship between the user login identifier and the user identity identifier stored in the cache system corresponding to the service system, and, after the verification is passed, controlling the service system to establish a session with the user terminal based on the user identity corresponding to the user login identifier, includes:
  • the service system determining whether the user login identifier exists in the mapping relationship and, if it does, obtaining the user identity identifier and the timestamp information corresponding to the user login identifier;
  • the service system determining, according to the timestamp information, whether the user login identifier has timed out; if it has not, the service system establishes a session with the user end according to the user identity identifier and at the same time updates the timestamp information to the current time;
  • the initial time of the timestamp information is stored in the cache system by the SSO authentication system after the authentication request of the user end is passed.
  • the method further includes:
  • after establishing a session with the user end, the service system stores its corresponding system identifier in the corresponding mapping relationship in the cache system;
  • the system identifier corresponding to the service system in the mapping relationship is deleted when it is detected that the session with the client is timed out, closed, or the service system is restarted.
  • the method further includes:
  • the cache system is used to detect whether the mapping relationship still has a system identifier of another service system, and when not present, the mapping relationship is deleted from the cache system.
  • the cache system is a distributed cache system.
  • a single sign-on authentication apparatus for use in a service system, where the apparatus includes:
  • the first detecting unit is configured to detect whether the service system access request sent by the user end carries the user login identifier; wherein the user login identifier is generated by the single sign-on SSO authentication system after it authenticates the login request carrying the user identity identifier sent by the user end, and is fed back to the user terminal;
  • the processing unit is configured to: when the user login identifier is detected, verify the user login identifier in the service system access request by using the mapping relationship between the user login identifier and the user identity identifier stored in the cache system corresponding to the service system, and, after the verification is passed, control the service system to establish a session with the user end based on the user identity corresponding to the user login identifier;
  • the mapping relationship is stored in the cache system by the SSO authentication system after it authenticates the login request of the user end, and maps the user identity corresponding to the user end to the user login identifier.
  • the device further includes a second detecting unit, configured to detect, before the first detecting unit detects whether the service system access request sent by the user end carries the user login identifier, whether the service system access request carries the user identity identifier;
  • the processing unit is further configured to redirect the user end to the SSO authentication system when the user login identifier is not detected in the service system access request, so that the SSO authentication system authenticates the login request carrying the user identity sent by the client.
  • the processing unit is further configured to: determine whether the user login identifier exists in the mapping relationship; if it does, obtain the user identity identifier and the timestamp information corresponding to it and verify from the timestamp information whether the user login identifier has timed out; if it has not, establish a session with the user end according to the user identity identifier and update the timestamp information to the current time; wherein the initial time of the timestamp information is stored in the cache system by the SSO authentication system after the authentication request of the user end is passed.
  • the processing unit is further configured to: after establishing a session with the user end, store the system identifier corresponding to the service system in a corresponding mapping relationship of the cache system;
  • the device further includes a third detecting unit, configured to detect a session situation between the service system and the user end, and a restart condition of the service system;
  • the processing unit is further configured to delete the system identifier corresponding to the service system from the mapping relationship when the third detecting unit detects that the session with the client has timed out or been closed, or detects that the service system has restarted.
  • the processing unit is further configured to: after deleting the system identifier corresponding to the service system from the mapping relationship, use the cache system to detect whether the mapping relationship still contains the system identifier of another service system, and, when none is present, delete the mapping relationship from the cache system.
  • a single sign-on authentication apparatus comprising a processor and a memory for storing a computer program executable on the processor, wherein the processor is configured to perform the steps of the method described above when running the computer program.
  • a computer readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the above method.
  • the single sign-on authentication method and device and the storage medium provided by the embodiments of the present invention store verification information such as the user login identifier and the user identity in the cache system, and the service system accesses the cache system directly when it needs to verify the information of the client, so that the validity of the client information can be authenticated.
  • the cache system saves the login status of the service server (that is, the service system), and the validity of the verification information can be determined from this login status information. Therefore, the embodiment of the present invention can effectively reduce the number of interactions between the service system and the SSO authentication system, reduce the load of the SSO authentication system, improve the response efficiency of the service system, and achieve high efficiency in the single-sign-on scenario of a multi-service system with highly concurrent access.
  • FIG. 1 is a schematic diagram of a principle of a single sign-on authentication method in the prior art
  • FIG. 2 is a flowchart of a method for single sign-on authentication in an embodiment of the present invention
  • FIG. 3 is a schematic diagram of a principle of a single sign-on authentication method according to an embodiment of the present invention.
  • FIG. 4 is a structural block diagram of a single sign-on authentication apparatus according to an embodiment of the present invention.
  • the single sign-on authentication method provided by the embodiment of the present invention is used in a service system, and specifically includes the following steps:
  • the detecting step is: detecting whether the service system access request sent by the user end carries the user login identifier; wherein the user login identifier is generated by the single sign-on SSO authentication system after it authenticates the login request carrying the user identity sent by the user end, and is fed back to the user end.
  • when the user end (UE) sends a service access request to the service system, the request needs to carry either the user login identifier or the user identity identifier.
  • the user login identifier is fed back to the client by the SSO authentication system after the user authentication passes, so that the user does not need to log in again when accessing another service system: the user login identifier can be carried in the service system access request to access other business systems.
  • the user identity is used in the session between the service system and the user. The session needs to carry the user identity; the user's information is determined from that identity, and the user is allowed access directly. Based on this, when the service system receives the service system access request sent by the user, it needs to determine which information the access request carries and process it accordingly.
  • before detecting whether the service system access request sent by the user end carries the user login identifier, it is also necessary to detect whether the request carries the user identity identifier; if it is not detected, further detect whether the request carries the user login identifier; if it is detected, conduct the session with the client according to that user identity.
  • the processing step is: when the user login identifier is detected, the user login identifier in the service system access request is verified according to the mapping relationship between the user login identifier and the user identity identifier stored in the cache system, and after the verification is passed, a session is established with the user end based on the user identity corresponding to the user login identifier; wherein the mapping relationship is established by the SSO authentication system after it authenticates the login request of the client, mapping the user identity to the generated user login identifier, and is stored in the cache system.
  • the cache system uses a distributed cache, such as redis or memcache, to store the mapping relationship between the user login identifier and the user identity.
  • the mapping relationship is established between the user identity and the user login identifier, and is saved in the cache system.
  • when the service system verifies the user login identifier, the identifier is not sent to the SSO authentication system to be verified there.
  • instead, the validity of the user's login ID is verified against the mapping between the user login ID and the user ID in the cache system. If the user login ID sent by the user is found in the mapping relationship, the verification succeeds; otherwise, the client is prohibited from accessing the business system. Therefore, the business system's direct access to the cache system not only effectively reduces the load on the SSO authentication system, but also effectively improves the response speed of the service system to access requests.
  • the method further includes: when neither the user identity identifier nor the user login identifier is detected in the service system access request sent by the UE, redirecting the user end to the SSO authentication system, so that the SSO authentication system authenticates the login request carrying the user identity sent by the terminal.
  • that is, the service system redirects the client to the SSO authentication system, and the SSO authentication system performs login authentication on the client side.
  • when the user login identifier in the service system access request is verified according to the mapping relationship stored in the cache system, in order to guard against a service system that has crashed and not restarted, legality authentication and timeout verification of the user login ID need to be performed, including:
  • determining whether the user login identifier in the service system access request exists in the mapping relationship, for example by querying the cache system for the user login identifier in the mapping relationship;
  • if it exists, obtaining the timestamp information corresponding to it and verifying from the timestamp information whether the user login ID has timed out;
  • if it has not timed out, establishing a session with the user according to the user identity and updating the timestamp information to the current time.
  • the initial time of the timestamp information is stored in the cache system by the SSO authentication system: after the client's login request is authenticated, the time at which the authentication passed is stored as the initial time;
  • updating the timestamp information corresponding to the user login identifier keeps the mapping relationship valid, and effectively prevents the user login ID from remaining in the system indefinitely when a service system crashes without restarting.
  • the service system needs to store its corresponding system identifier in the mapping relationship in the cache system.
  • from the system identifier, the status of the service systems the user is logged into can be obtained, and whether the mapping relationship is still valid can be determined. Specifically, the following steps are included:
  • after a session is established with the user end, the system identifier corresponding to the service system is stored in the corresponding mapping relationship in the cache system;
  • when a timeout or closing of the session with the client is detected, or the service system is restarted, the system identifier corresponding to the service system is deleted from the mapping relationship;
  • after the system identifier corresponding to the service system is deleted from the mapping relationship, the cache system is used to detect whether the mapping relationship still contains the system identifier of another service system, and when none is present, the mapping relationship is deleted from the cache system.
  • by setting the system identifier in the mapping relationship, the status of the service systems the user is logged into can be obtained. When the user is no longer in a session with any service system, the mapping relationship previously saved in the cache system needs to be deleted, and the user needs to be re-authenticated by the SSO authentication system; this ensures the validity of the mapping information in the cache system.
  • the embodiments of the present invention are described below in conjunction with a specific usage scenario, in which the entire system includes a distributed cache system, an SSO authentication system, a service system 1, and a service system 2.
  • user A accesses service system 1. Since user A is accessing the entire service system for the first time, no session with user A has been established in service system 1, and no login-authentication mapping relationship corresponding to user A is stored in the distributed cache system. Therefore, service system 1 redirects the user to the SSO authentication system for authentication, jumping to the login page of the SSO authentication system.
  • the user sends a login authentication request to the SSO authentication system.
  • when the SSO authentication system passes the authentication, user A is logged in successfully, and the SSO authentication system accesses the distributed cache system and adds the mapping relationship between the user login identifier (token) and the user identity to it, in a format such as "token: (user A information)".
  • the token is returned to user A, as shown in steps 1, 2 and 3 of Figure 2.
  • user A sends the token to service system 1.
  • service system 1 establishes a session with user A based on the user A information, and saves its system identifier into the mapping relationship in the cache system, in the format "token: (user A information: [business system 1])".
  • when user A accesses service system 1 for the second time, service system 1 responds directly to user A's request according to its session with user A, without determining through the SSO authentication system whether the access is legal.
  • the token held by user A can be transmitted to service system 2 through a cookie or other means; service system 2 has no session information for user A at this time, and can directly access the distributed cache system.
  • the user identity identifier corresponding to the token is obtained from the distributed cache system, a session with user A is established based on that user identity, and the mapping relationship stored in the distributed cache system is updated to "token: (user A information: [Business System 1, Business System 2])". User A's subsequent accesses to business system 2 are likewise verified only on the basis of the session between the two, and do not need to be verified again by the SSO authentication system server.
  • when the session times out, the timeout listener is triggered: on detecting the timeout, service system 2 accesses the distributed cache system and removes the association between user A and service system 2 from the mapping relationship, that is, the mapping is updated to "token: (user A information: [business system 1])".
  • the scenario in which the session is closed is similar to the timeout scenario: when the listener detects that the session is closed, the corresponding system identifier is deleted from the mapping relationship.
  • when the session of service system 1 times out, service system 1 likewise accesses the distributed cache system, updates the mapping relationship, and deletes the token mapping between user A and service system 1, so that the verification information in the distributed cache system becomes "token: (user A: [])".
  • since the list of service system identifiers in user A's token mapping relationship is now empty, the mapping relationship is deleted from the cache queue.
  • user A then needs to log in again to access either service system 1 or service system 2, and a new authentication mapping relationship is established in the distributed cache system.
  • the mapping relationship in the distributed cache system exists only while a session is established with a service system, so the validity and security of the mapping relationship can be guaranteed. A traditional SSO authentication system has to consider the token timeout period, the timeout period of the session between the service system and the client, and the session timeout policy of the SSO authentication system in order to determine the impact of a session timeout; in the embodiment of the present invention, only the session of the service system needs to be monitored for timeout, which is simple and flexible to implement.
  • a startup listener is set in the service system to monitor whether the service system has started.
  • when a start is detected, the distributed cache system is accessed and the service system's own system identifier is deleted from the mapping relationship, so that abnormal token information can be effectively cleared; when no system identifier remains, the mapping relationship is deleted from the cache queue, ensuring the validity and security of the mapping relationship.
  • the SSO authentication system also caches the initial time of the mapping relationship as a timestamp.
  • each time the token authentication passes, the timestamp of the mapping relationship is updated to the current time.
  • each time the token is verified, whether the mapping relationship has timed out is determined from the timestamp information.
  • the timestamp can thus be used to detect an invalid mapping relationship, and prevents the mapping relationship from persisting forever when a business system crashes without restarting.
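The verification flow of the method steps above and the user-A walkthrough (two service systems, one shared cache, token timestamp, per-system identifiers, cleanup on timeout and restart) as an added, self-contained simulation; this is illustrative code written for this page, not the patent's or ZTE's implementation. The in-memory `CacheSystem` class stands in for redis/memcache, the timeout value and the sample credentials are constructed assumptions, and "restart" is simulated by a method call on the object rather than a real process restart.

```python
import secrets
import time

TOKEN_TIMEOUT = 30 * 60  # idle timeout in seconds (assumed; the page sets no value)


class CacheSystem:
    """Stand-in for the distributed cache. Mapping entry per token:
    {"user": user identity, "systems": set of system ids, "ts": last verification time}."""

    def __init__(self):
        self.mapping = {}

    def get(self, token):
        return self.mapping.get(token)

    def put(self, token, entry):
        self.mapping[token] = entry

    def delete(self, token):
        self.mapping.pop(token, None)


class SSOAuthSystem:
    """Authenticates the login request and writes "token: (user info)" to the cache."""

    def __init__(self, cache, credentials, clock=time.time):
        self.cache = cache
        self.credentials = credentials  # user -> password, constructed sample data
        self.clock = clock

    def login(self, user, password):
        if self.credentials.get(user) != password:
            return None
        token = secrets.token_urlsafe(16)  # the user login identifier
        # initial timestamp is the moment authentication passed
        self.cache.put(token, {"user": user, "systems": set(), "ts": self.clock()})
        return token


class ServiceSystem:
    """One business system: verifies tokens against the cache, never via the SSO server."""

    def __init__(self, system_id, cache, clock=time.time):
        self.system_id = system_id
        self.cache = cache
        self.clock = clock
        self.sessions = {}  # session id -> (token, user identity)

    def access(self, session_id=None, token=None):
        """Returns (status, user, session_id); status is "ok" or "redirect"."""
        if session_id in self.sessions:  # user identity already carried by a session
            return ("ok", self.sessions[session_id][1], session_id)
        if token is None:  # no session and no login identifier: send to SSO login
            return ("redirect", None, None)
        entry = self.cache.get(token)
        if entry is None:  # legality check: token not in the mapping relationship
            return ("redirect", None, None)
        now = self.clock()
        if now - entry["ts"] > TOKEN_TIMEOUT:  # timeout check catches stale mappings
            self.cache.delete(token)
            return ("redirect", None, None)
        entry["ts"] = now  # refresh timestamp on every successful verification
        entry["systems"].add(self.system_id)  # record this system in the mapping
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = (token, entry["user"])
        return ("ok", entry["user"], session_id)

    def end_session(self, session_id):
        """Session timeout or close: remove this system's id from the mapping."""
        token, _ = self.sessions.pop(session_id)
        self._release(token)

    def restart(self):
        """Startup listener: clear every mapping entry this system left behind."""
        for token, _ in list(self.sessions.values()):
            self._release(token)
        self.sessions.clear()

    def _release(self, token):
        entry = self.cache.get(token)
        if entry is None:
            return
        entry["systems"].discard(self.system_id)
        if not entry["systems"]:  # no service system holds a session: drop mapping
            self.cache.delete(token)


def run_scenario():
    """Replays the user-A scenario with a controllable clock and returns a trace."""
    clock = [1000.0]
    cache = CacheSystem()
    sso = SSOAuthSystem(cache, {"userA": "pw"}, clock=lambda: clock[0])
    sys1 = ServiceSystem("sys1", cache, clock=lambda: clock[0])
    sys2 = ServiceSystem("sys2", cache, clock=lambda: clock[0])
    trace = {"first": sys1.access()[0]}  # no session, no token: redirect
    token = sso.login("userA", "pw")
    status, user, sid1 = sys1.access(token=token)
    trace["sys1"] = (status, user, sorted(cache.get(token)["systems"]))
    trace["sys1_again"] = sys1.access(session_id=sid1)[0]  # served from session
    status, _, sid2 = sys2.access(token=token)
    trace["sys2"] = (status, sorted(cache.get(token)["systems"]))
    sys2.end_session(sid2)  # session timeout on system 2
    trace["after_sys2_timeout"] = sorted(cache.get(token)["systems"])
    sys1.restart()  # last holder gone: mapping deleted
    trace["after_sys1_restart"] = cache.get(token)
    trace["reuse"] = sys2.access(token=token)[0]  # old token now rejected
    token2 = sso.login("userA", "pw")
    clock[0] += TOKEN_TIMEOUT + 1  # mapping left idle past the timeout
    trace["stale"] = sys1.access(token=token2)[0]
    return trace
```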
  • an embodiment of the present invention further provides a single sign-on authentication apparatus, which is used in a service system based on the above method for single sign-on authentication.
  • the device includes:
  • the first detecting unit 41 is configured to detect whether the service system access request sent by the user end carries the user login identifier, the user login identifier being generated by the single sign-on SSO authentication system after it authenticates the login request carrying the user identity sent by the user end, and fed back to the user end;
  • the processing unit 42 is configured to: when the user login identifier is detected, verify the user login identifier in the service system access request according to the mapping relationship between the user login identifier and the user identity identifier stored in the cache system, and, after the verification is passed, establish a session with the user end based on the user identity corresponding to the user login identifier;
  • the mapping relationship is established between the user identity sent by the client and the generated user login identifier, and is stored in the cache system.
  • the device further includes a second detecting unit 43 configured to detect, before the first detecting unit 41 detects whether the service system access request sent by the user end carries the user login identifier, whether the request carries the user identity; if it is not detected, it is then detected whether the request carries the user login identifier; if it is detected, the session is conducted based on the user identity identifier.
  • the processing unit 42 is further configured to redirect the user end to the SSO authentication system when the user login identifier is not detected in the service system access request sent by the UE, so that the SSO authentication system authenticates the login request carrying the user identity sent by the terminal.
  • the processing unit 42 is further configured to determine whether the user login identifier exists in the mapping relationship; if it does, obtain the timestamp information of the mapping relationship and use it to verify whether the user login identifier has timed out; if it has not, establish a session with the user end according to the user identity identifier and update the timestamp information to the current time; wherein, after the SSO authentication system authenticates the login request of the client, the time of authentication is stored in the cache system as the initial time of the timestamp.
  • processing unit 42 is further configured to: after establishing a session with the user end, store the system identifier corresponding to the service system in a corresponding mapping relationship in the cache system;
  • the device further includes a third detecting unit 44 configured to detect a session between the service system and the client and a restart of the service system;
  • the processing unit 42 is further configured to: when the third detecting unit 44 detects that the session with the client is timed out or detects that the service system is restarted, delete the system identifier corresponding to the service system in the mapping relationship.
  • the processing unit 42 is further configured to: after deleting the system identifier corresponding to the service system from the mapping relationship, detect whether the mapping relationship still contains the system identifier of another service system, and, if none is present, remove the mapping relationship from the cache system.
  • the first detecting unit 41, the processing unit 42, the second detecting unit 43, and the third detecting unit 44 are all implemented by a processor, wherein the processor may specifically be a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP), or a programmable gate array (FPGA).
  • the embodiment further provides a single sign-on authentication apparatus, comprising a processor and a memory for storing a computer program executable on the processor, wherein the processor is configured to perform the steps of the method shown in FIG. 2 when executing the computer program.
  • the processor may be an integrated circuit chip with signal processing capabilities.
  • each step of the above method may be completed by an integrated logic circuit of hardware in a processor or an instruction in a form of software.
  • the above described processor may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like.
  • a general purpose processor can be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiment of the present invention may be directly implemented as a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium, the storage medium being located in the memory, the processor reading the information in the memory, and completing the steps of the foregoing methods in combination with the hardware thereof.
  • Embodiments of the present invention also provide a computer readable storage medium, such as a memory including a computer program executable by a processor of a single sign-on authentication device to perform the steps described in the foregoing methods.
  • the computer readable storage medium may be a magnetic random access memory (FRAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Flash Memory, a magnetic surface memory, an optical disc, or a memory such as a CD-ROM (Compact Disc Read-Only Memory); or a device including one or any combination of the above memories.
  • the single sign-on authentication method and apparatus, and the storage medium provided by the embodiments of the present invention store the verification information such as the user login identifier and the user identity in the distributed cache system, and when the service system needs to verify the client it accesses the distributed cache system directly, so that the legality of the user information can be verified.
  • the distributed cache system saves the login status of the service server, and the validity of the verification information can be determined directly from the login status information.
  • the embodiment of the present invention can effectively reduce the number of interactions between the service system and the SSO authentication system, reduce the load of the SSO authentication system, and improve the response efficiency of the service system, and achieve high efficiency for the single-sign-on scenario of the multi-service system with high concurrent access.
  • Single sign-on feature
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division; there may be another division manner, for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the coupling, direct coupling, or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical, or of other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be used separately as one unit, or two or more units may be integrated into one unit; the integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the foregoing program may be stored in a computer readable storage medium, and the program, when executed, performs the steps of the foregoing method embodiments.
  • the foregoing storage medium includes: a removable storage device, a ROM, a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program codes.
  • the above-described integrated unit of the present invention may be stored in a computer readable storage medium if it is implemented in the form of a software function module and sold or used as a standalone product.
  • the technical solution of the embodiments of the present invention may, in essence, be embodied in the form of a software product stored in a storage medium, including a plurality of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes various media that can store program codes, such as a mobile storage device, a ROM, a RAM, a magnetic disk, or an optical disk.
  • the verification information such as the user login identifier and the user identity identifier is stored in the cache system; when the service system needs to verify the information of the client, the service system directly accesses the cache system to verify the validity of the client information.
  • the cache system saves the login status of the service server (that is, the service system), and based on this login status information the validity of the verification information can be determined. Therefore, the embodiment of the present invention can effectively reduce the number of interactions between the service system and the SSO authentication system, reduce the load of the SSO authentication system, improve the response efficiency of the service system, and achieve an efficient single sign-on feature for the single-sign-on scenario of a multi-service system with high concurrent access.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a single sign-on method and apparatus, and a storage medium. The method comprises: detecting whether a service system access request sent by a client contains a user authentication identifier, the user authentication identifier being generated and returned to the client after an authentication request containing a user identity identifier and sent by the client has been authenticated by a single sign-on (SSO) authentication system; when it is detected that the request contains the user authentication identifier, verifying the user authentication identifier in the service system access request by means of a mapping relationship, stored in a caching system corresponding to a service system, between a user authentication identifier and the user identity identifier; and when the verification succeeds, instructing the service system to establish a session with the client on the basis of the user identity identifier corresponding to the user authentication identifier, the mapping relationship being stored in the caching system after the SSO authentication system has authenticated the client's authentication request and established the mapping relationship between the user identity identifier corresponding to the client and the user authentication identifier.
PCT/CN2017/093653 2016-08-22 2017-07-20 Single sign-on method and apparatus, and storage medium WO2018036314A1 (fr)
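The verification flow that the summary and the abstract describe, as an added Python illustration rather than the patent's own code: the SSO system authenticates the client and writes the identifier mapping to the cache, and each service system then checks incoming requests against the cache alone. The in-memory cache, the per-service-system keying, the expiry and the constructed credential table are assumptions.

```python
import secrets
import time

# Added example, not the patent's code. An in-memory dict stands in for the
# "caching system corresponding to a service system"; entries are keyed by
# (service system id, user authentication identifier) and carry the user
# identity plus the login status. Per-service keying, the TTL and the
# plaintext credential table are assumptions made for the illustration.
class CacheSystem:
    def __init__(self):
        self._store = {}
    def put(self, service_id, auth_id, record):
        self._store[(service_id, auth_id)] = record
    def get(self, service_id, auth_id):
        return self._store.get((service_id, auth_id))

class SSOAuthSystem:
    """Authenticates the client, generates the user authentication identifier
    and writes the identifier -> user identity mapping into the cache."""
    def __init__(self, cache, credentials, ttl_seconds=3600):
        self.cache, self.credentials, self.ttl = cache, credentials, ttl_seconds
    def authenticate(self, user_id, password, service_id):
        expected = self.credentials.get(user_id, "")
        # constant-time comparison: a wrong password is not distinguishable by timing
        if not secrets.compare_digest(expected, password):
            return None
        auth_id = secrets.token_urlsafe(32)  # unguessable authentication identifier
        self.cache.put(service_id, auth_id, {"user_id": user_id, "logged_in": True,
                                             "expires": time.time() + self.ttl})
        return auth_id
    def logout(self, service_id, auth_id):
        record = self.cache.get(service_id, auth_id)
        if record:
            record["logged_in"] = False  # login status changes in the cache only

class ServiceSystem:
    """Verifies the identifier against the cache alone; the SSO system is not contacted."""
    def __init__(self, service_id, cache):
        self.service_id, self.cache, self.sessions = service_id, cache, {}
    def handle_access(self, request):
        auth_id = request.get("user_auth_id")
        if auth_id is None:
            return "redirect_to_sso"  # no identifier: client must authenticate first
        record = self.cache.get(self.service_id, auth_id)
        if record is None or not record["logged_in"] or record["expires"] < time.time():
            return "redirect_to_sso"  # unknown, logged-out or expired identifier
        self.sessions[auth_id] = record["user_id"]  # session bound to the mapped identity
        return "session:" + record["user_id"]
```

Because the login status lives in the cache, a logout takes effect at every service system on its next lookup without a further round trip to the SSO system.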

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610705815.9 2016-08-22
CN201610705815.9A CN107770140A (zh) 2016-08-22 2016-08-22 A single sign-on authentication method and apparatus

Publications (1)

Publication Number Publication Date
WO2018036314A1 true WO2018036314A1 (fr) 2018-03-01

Family

ID=61246416

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/093653 WO2018036314A1 (fr) 2016-08-22 2017-07-20 Single sign-on method and apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN107770140A (fr)
WO (1) WO2018036314A1 (fr)

Also Published As

Publication number Publication date
CN107770140A (zh) 2018-03-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17842737; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17842737; Country of ref document: EP; Kind code of ref document: A1)