WO2023125954A1 - Single sign-on method and system for third-party application, and device and medium - Google Patents

Single sign-on method and system for third-party application, and device and medium

Info

Publication number
WO2023125954A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
party application
target
portal
party
Application number
PCT/CN2022/144019
Other languages
French (fr)
Chinese (zh)
Inventor
丁兆鹏
胡金涌
Original Assignee
上海云盾信息技术有限公司
Application filed by 上海云盾信息技术有限公司
Publication of WO2023125954A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645 Protecting data integrity, e.g. using checksums, certificates or signatures using a third party

Definitions

  • Embodiments of the present disclosure relate to but are not limited to a single sign-on method, system, device and medium for a third-party application.
  • SAML Security Assertion Markup Language
  • An object of the present disclosure is to provide a single sign-on method, system, device, and medium for third-party applications, so as to solve the problems of inefficiency, inconvenience and insecurity in the unified management, control, authorization, and login of third-party applications by users in the prior art.
  • a single sign-on method for a third-party application is provided, which is applied to a configuration management center, and the method includes:
  • sending the application configuration information to the edge node configured with the application portal, so that the edge node, when receiving an access request for the third-party application, sends a response message generated according to the application configuration information to the target terminal for security verification by the third-party application.
  • a single sign-on method for a third-party application is provided, which is applied to a target terminal, and the method includes:
  • a single sign-on method for a third-party application is provided, which is applied to an edge node, where an application portal is configured on the edge node, and the method includes:
  • sending a response message to the target terminal, the response message including the single sign-on address of the target third-party application and an automatic submission form containing the verified identity information, so that the target terminal can submit the automatic submission form to the target third-party application corresponding to the single sign-on address for security verification.
  • a single sign-on method for a third-party application is provided, which is applied to a third-party application, and the method includes:
  • receiving an automatic submission form sent by the target terminal, the automatic submission form including the verified identity information of the target user;
  • the first application page after login is fed back to the target terminal.
  • a single sign-on system for third-party applications includes a configuration management center and at least one edge node, and an application portal is configured on the edge node;
  • the configuration management center is configured to configure the third-party application in the application portal to generate application configuration information, and to send the application configuration information to the edge node; the configuration management center is also configured to send the metadata of the application portal to the third-party application to establish an association relationship between the application portal and the third-party application;
  • the edge node is configured to feed back a response message to the target terminal when receiving an access request sent by the target terminal for the third-party application, the response message including the single sign-on address of the third-party application and an automatic submission form containing the verified identity information, and the automatic submission form is used for security verification by the third-party application.
  • a computer-based device comprising:
  • a processor, and a memory storing computer-readable instructions which, when executed, cause the processor to perform the operations described above.
  • a computer-readable medium on which computer-readable instructions are stored, and the computer-readable instructions can be executed by a processor to implement the aforementioned method.
  • this disclosure realizes the single sign-on of third-party applications through the configuration management center, at least one edge node, and the application portal configured on the edge node; wherein: the configuration management center is configured to configure the third-party application to generate application configuration information, and send the application configuration information to the edge node; the configuration management center is also configured to send the metadata of the application portal to the third-party application to establish the association relationship between the application portal and the third-party application; the edge node is configured to feed back a response message to the target terminal when receiving the access request sent by the target terminal for the third-party application, the response message including the single sign-on address of the third-party application and an automatic submission form containing the verified identity information, and the automatic submission form is used by the third-party application to perform security verification.
  • the third-party application automatically completes the authentication login, which ensures the security of the third-party application login and optimizes the login experience.
  • Fig. 1 is a schematic flowchart of a single sign-on method applied to a third-party application in a configuration management center according to an exemplary embodiment
  • Fig. 2 is a schematic diagram of an editing page for configuring application configuration information of a third-party application in the configuration management center according to an exemplary embodiment
  • Fig. 3 is a schematic flowchart of a single sign-on method applied to a third-party application of a target terminal according to an exemplary embodiment
  • Fig. 4 is a schematic diagram of a first response page displayed on an application portal according to an exemplary embodiment
  • Fig. 5 is a schematic flowchart of a single sign-on method applied to a third-party application of an edge node according to an exemplary embodiment
  • Fig. 6 is a schematic flowchart of a method for single sign-on of a third-party application applied to a third-party application according to an exemplary embodiment
  • Fig. 7 is a schematic structural diagram of a single sign-on system for a third-party application according to an exemplary embodiment
  • Fig. 8 is an interactive schematic diagram of implementing single sign-on of a third-party application by interacting with multiple terminals according to an exemplary embodiment
  • Fig. 9 is a schematic structural diagram of a single sign-on device applied to a third-party application in the configuration management center according to an exemplary embodiment
  • Fig. 10 is a schematic structural diagram of a single sign-on device applied to a third-party application of a target terminal according to an exemplary embodiment
  • Fig. 11 is a schematic structural diagram of a single sign-on device applied to a third-party application of an edge node according to an exemplary embodiment
  • Fig. 12 is a schematic structural diagram of a device for single sign-on of a third-party application applied to a third-party application according to an exemplary embodiment.
  • the terminal, the device serving the network, and the trusted party all include one or more processors (such as a central processing unit (Central Processing Unit, CPU)), an input/output interface, a network interface, and a memory.
  • Memory may include non-permanent memory in computer-readable media, random access memory (Random Access Memory, RAM) and/or non-volatile memory, such as read-only memory (Read Only Memory, ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
  • Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can be implemented by any method or technology for storage of information.
  • Information may be computer readable instructions, data structures, modules of a program, or other data.
  • Examples of computer storage media include, but are not limited to, phase-change RAM (Phase-Change RAM, PRAM), static random access memory (Static Random Access Memory, SRAM), dynamic random access memory (Dynamic Random Access Memory, DRAM), other types of random access memory (RAM), read-only memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other memory technologies, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disk (DVD) or other optical storage, magnetic cassette, magnetic tape or disk storage or other magnetic storage device, or any other non-transmission medium that can be configured to store information that can be accessed by a computing device.
  • computer-readable media excludes non-transitory computer-readable media, such as modulated
  • Fig. 1 is a schematic flowchart of a single sign-on method applied to a third-party application in a configuration management center according to an exemplary embodiment, the method includes: steps S11 to S13, wherein,
  • Step S11 in response to a request for adding a third-party application to the application portal, receiving and storing application configuration information corresponding to the third-party application.
  • the application portal may be an application management platform integrated with at least one third-party application, and the user may conveniently log in to each third-party application through the application portal.
  • the request for adding a third-party application to the application portal may be a request to add information of a unified managed third-party application in the application portal, so as to realize unified management, authorization, control and login of multiple third-party applications that users need to click to access.
  • the configuration management center can provide an application portal configuration function, and the user can log in to the configuration management center and click a specific area (such as an "add application" button) in the interface provided by the configuration management center to generate the request for adding a third-party application to the application portal.
  • the application configuration information may include, but not limited to, at least one of application name, application type, application icon, application session expiration time, and additional information that a third-party application needs to carry in the application portal during a session.
  • the application portal can display the third-party application through the application icon and the application name, so that the user can select a target third-party application for automatic login.
  • the session expiration time of the application and the additional information that the third-party application needs to carry in the application portal during the session are used for the interaction between the third-party application and the application portal.
  • according to the session expiration time, it can be determined how long after it is established the session expires; according to the additional information that the third-party application needs to carry in the application portal during the session, it can be determined which information the third-party application needs to obtain from the application portal during the session.
  • the application portal is used to provide user identity information to a third-party application.
  • the third-party application may be a web application that provides services to users, and the configuration management center may configure and manage the third-party application in the application portal.
  • the configuration management center may respond to the request for adding a third-party application, receive the application configuration information of the third-party application and store it; for example, the configuration management center may respond to the request for adding a third-party application by providing an application configuration information editing interface, which may include at least one editing option for the user to input application configuration information, and the configuration management center may receive and store the application configuration information input by the user.
  • Step S12 sending the metadata of the application portal to the third-party application, so that the third-party application establishes an association relationship with the application portal according to the metadata.
  • the metadata of the application portal may be information used to describe the data characteristics of the data delivered by the application portal, and may include but is not limited to at least one of the following: identification information of the application portal, certificates, the supported name identifier formats, and external service address information.
  • the metadata of the application portal can facilitate third-party applications to trust the application portal of the enterprise, and contains standardized application portal identification information.
  • the metadata includes the following content: the identification information of the application portal (Entity ID) is used to declare the current application portal entity; the IDP certificate is used by the third-party application to subsequently verify the signature in the SAML response message; the supported name identifier format (Name ID Format) is used to declare which Name ID formats the current IDP supports, where the Name ID formats include unspecified, emailAddress, persistent, transient, etc.; and the external service address information (SSO Location) is the external single sign-on service address.
  • the configuration management center can send the metadata of the application portal to the third-party application, so that the third-party application can establish an association relationship with the application portal based on the metadata, so that the third-party application can trust the application portal.
  • Through an enterprise's application portal, users of that enterprise can jump to third-party applications after logging in to the application portal.
  • in one exemplary embodiment, the metadata of the application portal can be pre-stored in the configuration management center, and when metadata needs to be sent to a third-party application, the configuration management center can obtain the metadata from its own storage space and send it to the third-party application; in another exemplary embodiment, the metadata of the application portal can also be stored in other servers, such as the application portal management database or the SAML service center, and the configuration management center can request and receive the metadata of the application portal from those servers and forward the received metadata to the third-party application. It should be noted that those skilled in the art can determine the storage mode of the metadata of the corresponding application portal according to actual implementation needs, which is not specifically limited in the present disclosure.
  • Step S13 sending the application configuration information to the edge node configured with the application portal, so that when the edge node receives an access request for the third-party application, it sends a response message generated according to the application configuration information to the target terminal for the third-party application to perform security verification.
  • the edge nodes can be computer rooms or nodes deployed in various geographical areas, and provide nearby data transmission services for users of the application portal, thereby reducing service delays.
  • the edge node can be an independent physical server, or a server cluster or distributed system composed of multiple physical servers, and can also be a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, CDNs, edge clouds, and big data and artificial intelligence platforms; this is not specifically limited in this disclosure.
  • the response message may be information for a third-party application to perform security verification, and the third-party application performs security verification on the response message to determine whether the access is legal.
  • the response message may be a SAML response message.
  • SAML involves an Identity Provider (IDP) and a Service Provider (SP), which belong to different security domains, and exchanges authentication and authorization data between these security domains.
  • in this disclosure the application portal of an enterprise acts as the IDP and is used to provide user identity information to the SP; the third-party application acts as the SP and provides services; the user accesses both through the browser on the target terminal.
  • an application portal may be configured on an edge node, so that when a user accesses the application portal, there is no need to visit the central node again, so as to reduce delay.
  • the configuration management center sends the application configuration information of the third-party application to the edge node configured with the application portal, so that the edge node is associated with the third-party application and the application portal.
  • a user uses a target terminal to access a third-party application through the application portal, he can send an access request for the third-party application to the edge node.
  • after receiving the access request, the edge node can generate the response message of the access request according to the application configuration information corresponding to the third-party application, and send the response message to the target terminal.
  • the target terminal can send the response message to the third-party application, so that security verification is performed when the user single-signs on to the third-party application. No traditional account and password are required, the user does not need to log in again, and the third-party application can be logged in to directly from the application portal, which ensures the security of third-party application logins and optimizes the login experience.
  • step S11 includes:
  • an application configuration information editing interface is displayed, and the application configuration information editing interface includes at least one application configuration information editing option;
  • the application configuration information corresponding to the third-party application is generated and stored according to the editing information received by the at least one application configuration information editing option.
  • when the configuration management center configures the third-party application, according to the received request for adding the third-party application, the configuration management center may display an application configuration information editing interface for configuring the application configuration information of the third-party application, so that configuration operations can be performed on the editing interface.
  • at least one editing option for the application configuration information can be set in the editing interface, so that according to the editing information the administrator enters through the editing options on the interface, the application configuration information corresponding to the third-party application is generated and stored.
  • unified configuration management is performed through the configuration management center, which is convenient for users to manage multiple third-party applications or multiple accounts of the same third-party application, and solves the problems of unified management, control, authorization and login both of multiple third-party applications and of multiple accounts of the same third-party application.
  • the at least one application configuration information editing option includes editing options for the information required by the third-party application for security verification, and editing options for adjusting attribute content, such as template type, application type, the name identifier format supported by the application (Name ID Format), application icon, session expiration time, and the additional information that the third-party application requires the application portal to carry.
  • the user can adjust the attribute content of the adjustable application according to the editing options, and the adjusted value is determined by the content that the third-party application requires the application portal to carry when submitting the response content.
  • the application configuration information of the required third-party application can be flexibly configured through the editing option, so as to realize the account permission control at the application level, and the unified configuration management center can conveniently assign or remove application permissions to users.
  • Fig. 3 is a schematic flowchart of a method for single sign-on of a third-party application applied to a target terminal according to an exemplary embodiment, the method includes at least steps S21 to S25, wherein,
  • step S21 a login request for the application portal is sent to the edge node, where the login request includes the identity information of the target user.
  • the login request for the application portal may be information for requesting to log in to the application portal.
  • a login request for the application portal is generated during login, so that the application portal can authenticate the user and determine whether the user can log in.
  • the target user is the user who accesses the application portal, and the identity information of the target user can be some information identifying the user's identity, including but not limited to the user's employee number, nickname, login account and other information in the company.
  • the user opens a browser through the target terminal, and sends a login request for the application portal to the edge node.
  • the login request may carry the identity information of the target user currently accessing the application portal, and the identity information is verified to determine whether the user can log in.
  • step S22 receiving and displaying the first response page fed back by the edge node after identity verification according to the identity information.
  • the first response page may be the page returned after the identity information is verified. For example, if the user passes the authentication, the first response page may be the page after successfully logging into the application portal, which may include the list of applications that the user can access, allowing the user to select the target third-party application for redirection. If the user identity verification fails, the first response page may be a page containing prompt information of denial of login, or a page containing information prompting an identity information error, and so on.
  • the verification result of verifying the identity information of the target user fed back by the edge node is received, so that the first response page is displayed on the browser.
  • the first response page may include the verification result fed back by the edge node; for example, after the identity information of the target user is verified, the list of third-party applications associated with the application portal is displayed on the first response page (as shown in Fig. 4), so that the user can access third-party applications through the application portal later.
  • step S23 according to the target third-party application determined by the target user from at least one third-party application included in the application portal, an access request for the target third-party application is sent to the edge node configured with the application portal.
  • the target third-party application may be a third-party application currently required to be used selected by the user from the third-party application list displayed through the application portal.
  • for example, the user can determine that application A is the target third-party application by clicking the icon of application A on the application portal.
  • the target user selects the target third-party application from the first response page displayed on the application portal, that is, selects the third-party application that needs to be logged in from the list of third-party applications displayed on the application portal, and the access request for the target third-party application is sent to the edge node configured with the application portal, so as to complete the jump to the target third-party application and automatically complete the login.
  • step S24 a response message sent by the application portal is received, the response message includes the single sign-on address of the third-party application, and an automatic submission form including the authenticated identity information.
  • the response message can use the SAML response message to realize the single sign-on of the third-party application by using SAML.
  • the SAML response message includes the single sign-on address of the third-party application that needs to log in and the automatic submission form.
  • the automatically submitted form is based on verified identity information.
  • before jumping from the application portal to the target third-party application, the target terminal receives a response message from the application portal that carries the login information of the target third-party application; the response message may include the single sign-on address of the target third-party application and an automatic submission form for the verified identity information.
  • packaging the verification information required for secure login into an automatic submission form, and submitting the SAML response message through that form, transmits the data simply and efficiently with good browser compatibility; it does not depend on other front-end components and is submitted automatically, so the user does not perceive it.
  • step S25 the automatic submission form is sent to the target third-party application corresponding to the single sign-on address for security verification.
  • the browser on the target terminal can send the automatic submission form to the single sign-on address (that is, to the target third-party application), so that the target third-party application performs security verification after receiving the automatically submitted form, and the secure login of the third-party application is completed without the user's awareness.
  • the method further includes: receiving and displaying a second response page fed back by the target third-party application according to the verification result of the security verification.
  • the second response page may be the page fed back by the third-party application after performing security verification according to the automatic submission form.
  • the target third-party application verifies the automatic submission form and obtains the verification result of the security verification, feeds the verification result back to the target terminal, and the second response page fed back according to the verification result is displayed on the target terminal.
  • the second response page may be a page after successfully logging in to the third-party application, and if the verification result is a verification failure, then the second response page may be a prompt page that prompts the user that the verification fails.
  • Fig. 5 is a schematic flowchart of a single sign-on method for a third-party application according to an exemplary embodiment, which is applied to an edge node on which an application portal is configured, and the method includes at least steps S31 to S34, wherein,
  • Step S31 receiving a login request for the application portal sent by the target terminal, where the login request includes the identity information of the target user.
  • the login request for the application portal may be information for requesting to log in to the application portal.
  • a login request for the application portal is generated during login, so that the application portal can authenticate the user and determine whether the user can log in.
  • the access traffic is diverted to the nearest edge node, and the application portal is configured on the edge node, so that the login request for the application portal sent by the target terminal can be received; the login request carries the identity information of the target user, such as the currently used login account and password.
  • Step S32 performing identity verification according to the identity information.
  • the edge node may perform authentication according to the identity information carried in the login request to determine whether the user can log in to the application portal.
  • Step S33: if the verification succeeds, receiving an access request sent by the target terminal for a target third-party application determined from the at least one third-party application included in the application portal.
  • the access request may be an access request for the third-party application that the user has selected to access.
  • the user can select a target third-party application to access from the at least one third-party application displayed in the application portal, and the target terminal generates a corresponding access request for that target third-party application and sends it to the edge node on which the application portal is configured.
  • after receiving the login request, the edge node authenticates the target user according to the identity information of the target user. If the verification passes, the user can log in to the application portal and access the at least one third-party application it contains. Therefore, after the authentication passes, the edge node can receive an access request sent by the target terminal for the target third-party application, the access request being for the user to access, through the application portal, the target third-party application selected from the at least one third-party application. For example, after the user's identity verification passes, target third-party application A is selected from the third-party application list on the response page displayed by the application portal, and the edge node receives the user's access request for target third-party application A.
  • Step S34: sending a response message to the target terminal, the response message including the single sign-on address of the target third-party application and an automatic submission form containing the verified identity information, so that the target terminal sends the automatic submission form to the target third-party application corresponding to the single sign-on address for security verification.
  • the edge node may send the response message generated for the access request to the target terminal, so that the target terminal sends the automatic submission form containing the verified identity information in the response message to the single sign-on address of the target third-party application, and the target third-party application performs security verification on the automatic submission form to complete the user's sign-in to it. Therefore, after the user enters the application portal, authentication and login to every third-party application can be completed automatically, which both ensures login security and improves the user's login experience.
  • the response message includes: a response message generated according to the application configuration information corresponding to the target third-party application.
  • the application configuration information corresponding to a third-party application is the information configured for that application by the configuration management center, which may include the application name, application type, application icon, application session expiration time, and additional information that the third-party application needs to carry on the application portal, so that the application can be displayed on the application portal through its icon and name.
  • the application configuration information of the target third-party application is configured through the configuration management center, so that when the user accesses the target third-party application, a response message can be generated according to that application configuration information and the security verification completed using the response message; the response message may be a SAML response message that includes the identity information of the authenticated user.
  • the raw data of the generated response message may include the Entity ID of the application portal, response signature information, user information, receiver information of the target third-party application (SP), and the like.
  • the target third-party application may perform security verification according to the response message generated from its application configuration information, so as to ensure the security of the user's login.
  • the method further includes: acquiring pre-configured application configuration information corresponding to the target third-party application from a configuration management center.
  • At least one third-party application is integrated on the application portal, and the included third-party applications are managed through the application portal. Users can conveniently log in to each third-party application through the application portal.
  • the third-party application here is the target third-party application; the corresponding application configuration information must be obtained when logging in to it, and that application configuration information can be configured by the administrator in the configuration management center and stored there in advance.
  • the edge node can obtain the application configuration information corresponding to the target third-party application from the configuration management center, so as to facilitate the subsequent generation of a response message according to the obtained application configuration information to feed back to the target terminal.
  • obtaining the pre-configured application configuration information corresponding to the target third-party application from the configuration management center includes:
  • when the configuration information corresponding to the target third-party application is needed, the edge node can first check whether it has already stored that application configuration information; if so, the edge node obtains the application configuration information from its own storage space. If not, the edge node sends a request to the configuration management center for the application configuration information, and the configuration management center, after receiving the request, sends the configured application configuration information to the edge node where the application portal is located.
  • the acquisition request may include identification information of the target third-party application, so that the configuration management center can look up the corresponding application configuration information according to that identification information.
  • step S34 includes:
  • when the edge node receives an access request for the target third-party application, it sends the application configuration information of the target third-party application to the SAML service center, so that the SAML service center generates a response message according to that configuration information.
  • the edge node can place the external single sign-on service address of the third-party application and the encoded SAML response message in the same automatic submission form, and return the automatic submission form to the target terminal.
  • Fig. 6 is a schematic flowchart of a single sign-on method for a third-party application according to an exemplary embodiment, applied to the third-party application; the method at least includes:
  • Step S41: receiving the automatic submission form sent by the target terminal, the automatic submission form including the verified identity information of the target user.
  • the automatic submission form may be a form generated by the application portal by packaging the response message generated from the application configuration information of the third-party application; after being fed back to the target terminal, the form can be submitted automatically to the third-party application to facilitate the subsequent identity verification and quickly complete the login to the third-party application.
  • the application portal returns the automatic submission form to the user's browser on the target terminal, and the browser sends the automatic submission form to the third-party application; the form includes the authenticated target user's identity information, that is, the identity information the user provided when logging in to the application portal.
  • Step S42: performing security verification on the target user according to the automatically submitted form.
  • the third-party application can verify the signature in the automatic submission form against the certificate contained in the previously received metadata, to determine whether the target user can log in securely.
  • Step S43: if the security verification passes, feeding back the first application page after login to the target terminal.
  • the first application page may be the first page after successful login to the target third-party application, that is, the first page of the target third-party application, from which the user can access and use the target third-party application.
  • when the third-party application's verification of the response message passes, that is, the target user has passed the security verification, the third-party application feeds back to the target terminal the first application page after successful login, indicating that the user has completed login authentication in the third-party application; the user can then use the services provided by the third-party application directly, without entering an account and password for that application.
  • after performing security verification on the target user according to the automatic submission form, the method further includes: if the security verification fails, feeding back to the target terminal a second application page prompting that access is denied.
  • the first application page and the second application page may both be instances of the second response page described above.
  • the second application page may be a prompt page shown when the target third-party application cannot be logged in to.
  • the prompt page may inform the target user that the application currently refuses the target user access to the target third-party application.
  • the second application page is fed back to the target terminal to prompt the user that access is denied, so as to ensure the security of logging in to third-party applications.
  • a single sign-on system for third-party applications includes a configuration management center and at least one edge node, and an application portal is configured on the edge node;
  • the configuration management center is configured to configure the third-party applications in the application portal to generate application configuration information and send the application configuration information to the edge node; the configuration management center is also configured to send the metadata of the application portal to the third-party application to establish an association between the application portal and the third-party application;
  • the edge node is configured to feed back a response message to the target terminal when it receives an access request for the third-party application sent by the target terminal, the response message including the single sign-on address of the third-party application and an automatic submission form containing the verified identity information, the automatic submission form being used by the third-party application for security verification.
  • the schematic diagram of the single sign-on system for third-party applications includes a configuration management center and an edge node.
  • an application portal can be configured on the edge node, and at least one third-party application is integrated on the application portal, so that single sign-on to the third-party applications is completed through the interaction among them.
  • the architecture shown in FIG. 7 can implement single sign-on using the steps of the schematic flowchart shown in FIG. 8.
  • the third-party application deployed in the application portal of the edge node is configured in the configuration management center to generate application configuration information, and the application configuration information is delivered to the edge node.
  • the configuration management center sends the metadata of the application portal to the third-party application so that the third-party application can establish an association with the application portal. The interaction between the application portal and the third-party application is then carried out using this association, and logging in to the application portal enables the jump to the third-party application.
  • when a user accesses a third-party application in the application portal through the browser of a target terminal, the edge node receives an access request for the third-party application.
  • the application portal can request the SAML service center to generate a SAML response message according to the access request, package the SAML response message into an automatic submission form carrying the response message, and return the automatic submission form to the target terminal; the user's browser on the target terminal then automatically submits the SAML response message to the third-party application according to the automatic submission form.
  • the third-party application verifies the SAML response message and, when the verification passes, returns the post-login page to the user's browser, thereby realizing single sign-on to the third-party application.
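The exchange of steps S34 and S41 to S43 and the FIG. 8 flow above, as an added Go example that is not part of the patent or of any product of the applicant: the portal (IdP role on the edge node) signs a response naming its own Entity ID, the SP's single sign-on address and entity ID, the verified user and an expiry, wraps it in the auto-submit form, and the third-party application (SP role) verifies the signature with the key from the portal metadata and then checks issuer, destination, audience and expiry before choosing which page to feed back. It assumes a simplified JSON envelope signed with RSA in place of SAML XML with XML-DSig, and the type and function names (Portal, ServiceProvider, BuildResponse, AutoSubmitForm, Verify) are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"html"
	"strings"
	"time"
)

// Assertion carries the fields the description lists for the response message
// (portal Entity ID as issuer, SP receiver info, user info, expiry from the
// application session expiration time). Constructed JSON stand-in for SAML XML.
type Assertion struct {
	Issuer       string `json:"issuer"`
	Destination  string `json:"destination"`     // SP single sign-on address
	Audience     string `json:"audience"`        // SP entity ID
	NameID       string `json:"name_id"`         // verified user
	NotOnOrAfter int64  `json:"not_on_or_after"` // unix seconds
}

// Portal is the IdP role: the application portal configured on the edge node.
type Portal struct {
	EntityID string
	Key      *rsa.PrivateKey
}

// BuildResponse stamps the portal as issuer, signs the assertion (RSA PKCS#1 v1.5
// over SHA-256) and returns "<b64 payload>.<b64 signature>" for the form field.
func (p *Portal) BuildResponse(a Assertion) (string, error) {
	a.Issuer = p.EntityID
	payload, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.StdEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// AutoSubmitForm packages the SP's single sign-on address and the encoded response
// into the form the browser submits on load (step S34); both values are HTML-escaped.
func AutoSubmitForm(ssoAddress, encoded string) string {
	return fmt.Sprintf(`<form method="POST" action="%s">`+
		`<input type="hidden" name="SAMLResponse" value="%s"></form>`+
		`<script>document.forms[0].submit()</script>`,
		html.EscapeString(ssoAddress), html.EscapeString(encoded))
}

// ServiceProvider is the third-party application; PortalKey is the public key
// from the portal metadata delivered by the configuration management center.
type ServiceProvider struct {
	EntityID   string
	ACSAddress string
	PortalID   string
	PortalKey  *rsa.PublicKey
}

// Verify is the SP-side security verification (step S42); it returns the first
// application page on success and the denial page otherwise (step S43).
func (s *ServiceProvider) Verify(encoded string, now time.Time) (string, error) {
	const denied = "second application page: access denied"
	p64, s64, ok := strings.Cut(encoded, ".")
	payload, err1 := base64.StdEncoding.DecodeString(p64)
	sig, err2 := base64.StdEncoding.DecodeString(s64)
	if !ok || err1 != nil || err2 != nil {
		return denied, errors.New("malformed response")
	}
	// Signature first: nothing in the payload is trusted until it verifies.
	digest := sha256.Sum256(payload)
	if rsa.VerifyPKCS1v15(s.PortalKey, crypto.SHA256, digest[:], sig) != nil {
		return denied, errors.New("signature does not verify with the portal metadata key")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return denied, err
	}
	switch {
	case a.Issuer != s.PortalID:
		return denied, errors.New("issuer is not the associated application portal")
	case a.Destination != s.ACSAddress:
		return denied, errors.New("response addressed to a different single sign-on address")
	case a.Audience != s.EntityID:
		return denied, errors.New("response issued for a different third-party application")
	case !now.Before(time.Unix(a.NotOnOrAfter, 0)):
		return denied, errors.New("application session has expired")
	}
	return "first application page for " + a.NameID, nil
}
```

The audience and destination checks are what keep a response issued for application A from being accepted by application B of the same portal, and the expiry is where the application session expiration time from the configuration information takes effect.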
  • an exemplary embodiment of the present disclosure also provides a computer-readable medium on which computer-readable instructions are stored, and the computer-readable instructions can be executed by a processor to implement the aforementioned single sign-on methods for a third-party application.
  • an exemplary embodiment of the present disclosure further provides a device, which includes modules or units capable of performing the method steps described in each of the above exemplary embodiments; these modules or units can be implemented by hardware, software, or a combination of hardware and software, which is not limited in the present disclosure.
  • a single sign-on device for a third-party application is also provided, and the device includes: a processor, and a memory storing computer-readable instructions which, when executed, cause the processor to perform the operations described above.
  • Fig. 9 is a schematic structural diagram of a single sign-on device for a third-party application applied to a configuration management center according to an exemplary embodiment.
  • the device 1 includes: a responding device 11, a first sending device 12 and a second sending device 13, wherein the responding device 11 is configured to receive and store application configuration information corresponding to a third-party application in response to a request for adding the third-party application to the application portal; the first sending device 12 is configured to send the metadata of the application portal to the third-party application, so that the third-party application establishes an association with the application portal according to the metadata; and the second sending device 13 is configured to send the application configuration information to the edge node configured with the application portal, so that when the edge node receives an access request for the third-party application, it sends a response message generated according to the application configuration information to the target terminal for the third-party application to perform security verification.
  • the operations performed by the responding device 11, the first sending device 12 and the second sending device 13 are the same as or correspond to those in the above steps S11, S12 and S13 respectively, and for the sake of brevity are not repeated here.
  • Fig. 10 is a schematic structural diagram of a single sign-on device for a third-party application applied to a target terminal according to an exemplary embodiment.
  • the device 2 includes: a requesting device 21, a display device 22, a determining device 23, a first receiving device 24 and a third sending device 25, wherein the requesting device 21 is configured to send a login request for the application portal to the edge node, the login request including the identity information of the target user; the display device 22 is configured to receive and display the first response page fed back by the edge node after identity verification according to the identity information; the determining device 23 is configured to send, according to the target third-party application determined by the target user from the at least one third-party application included in the application portal, an access request for the target third-party application to the edge node configured with the application portal; the first receiving device 24 is configured to receive a response message sent by the application portal, the response message including the single sign-on address of the third-party application and an automatic submission form containing the verified identity information; and the third sending device 25 is configured to send the automatic submission form to the target third-party application corresponding to the single sign-on address for security verification.
  • the operations performed by the requesting device 21, the display device 22, the determining device 23, the first receiving device 24 and the third sending device 25 are the same as or correspond to those in the above steps S21, S22, S23, S24 and S25 respectively, and for the sake of brevity are not repeated here.
  • Fig. 11 is a schematic structural diagram of a single sign-on device for a third-party application applied to an edge node according to an exemplary embodiment.
  • the device 3 includes: a second receiving device 31, a verification device 32, a third receiving device 33 and a fourth sending device 34, wherein the second receiving device 31 is configured to receive the login request for the application portal sent by the target terminal, the login request including the identity information of the target user; the verification device 32 is configured to perform identity verification according to the identity information; the third receiving device 33 is configured to receive, if the verification passes, the access request sent by the target terminal for the target third-party application determined from the at least one third-party application contained in the application portal; and the fourth sending device 34 is configured to send a response message to the target terminal, the response message including the single sign-on address of the target third-party application and an automatic submission form containing the verified identity information, so that the target terminal sends the automatic submission form to the target third-party application corresponding to the single sign-on address for security verification.
  • the operations performed by the second receiving device 31, the verification device 32, the third receiving device 33 and the fourth sending device 34 are the same as or correspond to those in the above steps S31, S32, S33 and S34 respectively, and for the sake of brevity are not repeated here.
  • Fig. 12 is a schematic structural diagram of a single sign-on device for a third-party application applied to the third-party application according to an exemplary embodiment.
  • the device 4 includes: a fourth receiving device 41, a user verification device 42 and a feedback device 43, wherein the fourth receiving device 41 is configured to receive the automatic submission form sent by the target terminal, the automatic submission form including the verified identity information of the target user; the user verification device 42 is configured to perform security verification on the target user according to the automatic submission form; and the feedback device 43 is configured to feed back the first application page after login to the target terminal if the security verification passes.
  • the operations performed by the fourth receiving device 41, the user verification device 42 and the feedback device 43 are the same as or correspond to those in the above steps S41, S42 and S43 respectively, and for the sake of brevity are not repeated here.
  • the present disclosure can be implemented in software and/or a combination of software and hardware, for example, using an Application Specific Integrated Circuit (ASIC), a general-purpose computer, or any other similar hardware device.
  • the software program of the present disclosure can be executed by a processor to realize the steps or functions described above.
  • the software program of the present disclosure (including associated data structures) can be stored in a computer readable recording medium such as RAM memory, magnetic or optical drive or floppy disk and the like.
  • some steps or functions of the present disclosure may be realized by using hardware, for example, as a circuit that cooperates with a processor to execute each step or function.
  • a part of the present disclosure can be applied as a computer program product, such as computer program instructions.
  • the method and/or technical solution according to the present disclosure can be invoked or provided through the operation of the computer.
  • the program instructions for invoking the method of the present disclosure may be stored in a fixed or removable recording medium, and/or transmitted through a data stream in a broadcast or other signal-carrying medium, and/or stored in the working memory of the computer device on which the program instructions are executed.
  • an exemplary embodiment according to the present disclosure includes an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein when the computer program instructions are executed by the processor, the apparatus is triggered to run the methods and/or technical solutions of the aforementioned exemplary embodiments of the present disclosure.
  • in the single sign-on method, system, device and medium for a third-party application provided by the present disclosure, multiple third-party applications, or multiple accounts of the same third-party application, can be managed uniformly through the configuration management center, and the application portal on the edge node provides users with fast and efficient unified identity authentication. Users jump to third-party applications through the application portal, and the third-party application completes authentication and login automatically, which ensures the security of third-party application login and improves the login experience.

Abstract

The present disclosure relates to a single sign-on method and system for a third-party application, and a device and a medium. The system in the present disclosure comprises a configuration management center and at least one edge node, which is provided with an application portal, wherein the configuration management center is configured to configure a third-party application in the application portal, so as to generate application configuration information, and send the application configuration information to the edge node; and the edge node is configured to feed back a response message to a target terminal after receiving an access request regarding the third-party application that is sent by the target terminal, the response message comprising a single sign-on address of the third-party application, and an automatically submitted form, which includes verified identity information, and the automatically submitted form being configured to be used by the third-party application to perform security verification.

Description

Single sign-on method, system, device and medium for third-party applications
This disclosure is based on the Chinese patent application with application number 202111677170.X, entitled "Method, system and device for single sign-on for third-party applications", filed with the China Patent Office on December 31, 2021, and claims priority to that Chinese patent application, the entire content of which is hereby incorporated into this disclosure by reference.
Technical field
Embodiments of the present disclosure relate to, but are not limited to, a single sign-on method, system, device and medium for third-party applications.
Background
In the past, when enterprise employees accessed third-party SaaS applications, they usually logged in directly with the account and password registered at the third-party application and used its services after authentication. However, as enterprises grow, the number of third-party applications they adopt gradually increases, and even a single third-party application may have multiple accounts created to provide different services. In that setting, an enterprise could only hand the third-party SaaS account credentials directly to the employees who needed them; to control the risk of credential leakage, it had to change passwords frequently, or keep disabling accounts and creating new ones, and the security management of these accounts also carried great risk. On the other hand, SAML (Security Assertion Markup Language) can also be used to solve the single sign-on problem for web browsers, but that single sign-on approach is common at the intranet level (for example, using cookies); extending it beyond the intranet has always been problematic and has led to a proliferation of non-interoperable proprietary technologies, so when using SAML assertions it is also necessary to solve the problems of non-interoperability and of configuration isolation of the SAML protocol under multi-tenancy.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This summary is not intended to limit the scope of protection of the claims.
An object of the present disclosure is to provide a single sign-on method, system, device and medium for third-party applications, so as to solve the problems of inefficiency, inconvenience and insecurity in the unified management, control, authorization and login of third-party applications by users in the prior art.
根据本公开的第一方面,提供了一种第三方应用的单点登录的方法,应用于配置管理中心,该方法包括:According to the first aspect of the present disclosure, a single sign-on method for a third-party application is provided, which is applied to a configuration management center, and the method includes:
响应于针对应用门户的第三方应用的添加请求,接收并存储与所述第三方应用对应的应用配置信息;Responding to a request for adding a third-party application to the application portal, receiving and storing application configuration information corresponding to the third-party application;
将所述应用门户的元数据向所述第三方应用进行发送,以使所述第三方应用根据所述元数据与所述应用门户建立关联关系;sending the metadata of the application portal to the third-party application, so that the third-party application establishes an association relationship with the application portal according to the metadata;
将所述应用配置信息发送至配置有所述应用门户的边缘节点,以使所述边缘节点在接收到针对所述第三方应用的访问请求时,发送根据所述应用配置信息生成的响应报文给所述目标终端,用以供所述第三方应用进行安全验证。sending the application configuration information to the edge node configured with the application portal, so that the edge node sends a response message generated according to the application configuration information when receiving an access request for the third-party application to the target terminal for security verification by the third-party application.
根据本公开的第二方面,提供了一种第三方应用的单点登录的方法,应用于目标终端,该方法包括:According to a second aspect of the present disclosure, a single sign-on method for a third-party application is provided, which is applied to a target terminal, and the method includes:
向边缘节点发送针对应用门户的登录请求,所述登录请求包括目标用户的身份信息;Sending a login request for the application portal to the edge node, where the login request includes the identity information of the target user;
接收并显示由所述边缘节点根据所述身份信息进行身份验证后反馈的第一响应页面;receiving and displaying the first response page fed back by the edge node after identity verification according to the identity information;
根据目标用户从应用门户包含的至少一个第三方应用中确定的目标第三方应用,向配置有所述应用门户的边缘节点发送针对所述目标第三方应用的访问请求;Sending an access request for the target third-party application to the edge node configured with the application portal according to the target third-party application determined by the target user from at least one third-party application included in the application portal;
接收所述应用门户发送的响应报文,所述响应报文包括第三方应用的单点登录地址,以及包含了所述经过验证的身份信息的自动提交表单;receiving a response message sent by the application portal, the response message including the single sign-on address of the third-party application, and an automatic submission form including the verified identity information;
向所述单点登录地址对应的目标第三方应用发送所述自动提交表单以进行安全验证。Sending the automatically submitted form to the target third-party application corresponding to the single sign-on address for security verification.
根据本公开的第三方面,提供了一种第三方应用的单点登录的方法,应用于边缘节点,所述边缘节点上配置有应用门户,该方法包括:According to a third aspect of the present disclosure, a single sign-on method for a third-party application is provided, which is applied to an edge node, where an application portal is configured on the edge node, and the method includes:
接收目标终端发送的针对应用门户的登录请求,所述登录请求包括目标用户的身份信息;receiving a login request for the application portal sent by the target terminal, where the login request includes identity information of the target user;
根据所述身份信息进行身份验证;Perform identity verification based on said identity information;
若验证通过,接收目标终端发送的针对所述应用门户中包含的至少一个第三方应用中确定的目标第三方应用的访问请求;If the verification is passed, receiving an access request sent by the target terminal for the target third-party application determined in at least one third-party application included in the application portal;
发送响应报文给所述目标终端,所述响应报文包括所述目标第三方应用的单点登录地址,以及包含了所述经过验证的身份信息的自动提交表单,以使所述目标终端向所述单点登录地址对应的目标第三方应用发送所述自动提交表单以进行安全验证。sending a response message to the target terminal, the response message including the single sign-on address of the target third-party application, and an automatic submission form containing the verified identity information, so that the target terminal can submit the The target third-party application corresponding to the single sign-on address sends the automatic submission form for security verification.
According to a fourth aspect of the present disclosure, a single sign-on method for a third-party application is provided, applied to the third-party application, the method including:
receiving an auto-submit form sent by a target terminal, the auto-submit form including the verified identity information of the target user;
performing security verification on the target user according to the auto-submit form;
if the security verification passes, returning a first application page, i.e. the page shown after login, to the target terminal.
According to a fifth aspect of the present disclosure, a single sign-on system for third-party applications is provided. The system includes a configuration management center and at least one edge node on which an application portal is configured, wherein:
the configuration management center is configured to configure the third-party applications in the application portal so as to generate application configuration information and to send the application configuration information to the edge node; the configuration management center is further configured to send metadata of the application portal to the third-party application so as to establish an association between the application portal and the third-party application;
the edge node is configured to, upon receiving an access request for the third-party application sent by a target terminal, return a response message to the target terminal, the response message including the single sign-on address of the third-party application and an auto-submit form containing the verified identity information, the auto-submit form being used by the third-party application for security verification.
According to a sixth aspect of the present disclosure, a computer-based device is provided, including:
one or more processors; and
a memory storing computer-readable instructions which, when executed, cause the processor to perform the operations of the method described above.
According to a seventh aspect of the present disclosure, a computer-readable medium is provided on which computer-readable instructions are stored, the computer-readable instructions being executable by a processor to implement the method described above.
Compared with the prior art, the present disclosure implements single sign-on for third-party applications through a configuration management center, at least one edge node, and an application portal configured on the edge node. The configuration management center is configured to configure the third-party applications in the application portal so as to generate application configuration information and to send the application configuration information to the edge node; it is further configured to send the metadata of the application portal to the third-party application so as to establish an association between the application portal and the third-party application. The edge node is configured to, upon receiving an access request for the third-party application from a target terminal, return a response message to the target terminal, the response message including the single sign-on address of the third-party application and an auto-submit form containing the verified identity information, the auto-submit form being used by the third-party application for security verification. Multiple third-party applications, or multiple accounts of the same third-party application, are thus managed centrally through the configuration management center, while the application portal on the edge node provides users with fast and efficient unified identity authentication: the user jumps from the application portal to the third-party application, and the third-party application completes the authenticated login automatically, which secures third-party application logins and improves the login experience.
The technical solutions of the present disclosure are described in further detail below with reference to the accompanying drawings and exemplary embodiments.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present disclosure. Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Description of the drawings
The accompanying drawings, which form part of the present disclosure, are provided for a further understanding of the disclosure; the exemplary embodiments and their descriptions serve to explain the disclosure and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flowchart of a single sign-on method for a third-party application, applied to a configuration management center, according to an exemplary embodiment;
Fig. 2 is a schematic diagram of an editing page for configuring the application configuration information of a third-party application in the configuration management center, according to an exemplary embodiment;
Fig. 3 is a schematic flowchart of a single sign-on method for a third-party application, applied to a target terminal, according to an exemplary embodiment;
Fig. 4 is a schematic diagram of a first response page displayed by the application portal, according to an exemplary embodiment;
Fig. 5 is a schematic flowchart of a single sign-on method for a third-party application, applied to an edge node, according to an exemplary embodiment;
Fig. 6 is a schematic flowchart of a single sign-on method for a third-party application, applied to the third-party application, according to an exemplary embodiment;
Fig. 7 is a schematic architecture diagram of a single sign-on system for third-party applications, according to an exemplary embodiment;
Fig. 8 is an interaction diagram showing multiple parties interacting to implement single sign-on for a third-party application, according to an exemplary embodiment;
Fig. 9 is a schematic structural diagram of a single sign-on device for a third-party application, applied to a configuration management center, according to an exemplary embodiment;
Fig. 10 is a schematic structural diagram of a single sign-on device for a third-party application, applied to a target terminal, according to an exemplary embodiment;
Fig. 11 is a schematic structural diagram of a single sign-on device for a third-party application, applied to an edge node, according to an exemplary embodiment;
Fig. 12 is a schematic structural diagram of a single sign-on device for a third-party application, applied to the third-party application, according to an exemplary embodiment.
The same or similar reference numerals in the drawings denote the same or similar components.
Detailed description
The present disclosure is described in further detail below with reference to the accompanying drawings.
In a typical configuration of the present disclosure, the terminal, the devices of the service network and the trusted party each include one or more processors (for example a central processing unit, CPU), an input/output interface, a network interface and a memory.
The memory may include non-permanent storage in computer-readable media, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be configured to store information accessible by a computing device. As defined herein, computer-readable media exclude transitory media such as modulated data signals and carrier waves.
Fig. 1 is a schematic flowchart of a single sign-on method for a third-party application, applied to a configuration management center, according to an exemplary embodiment. The method includes steps S11 to S13, wherein:
Step S11: in response to a request to add a third-party application to the application portal, receiving and storing application configuration information corresponding to the third-party application.
The application portal may be an application management platform that integrates at least one third-party application, through which a user can conveniently log in to each third-party application.
The request to add a third-party application to the application portal may be a request to add, to the application portal, the information of a third-party application that is to be managed centrally, so that the multiple third-party applications a user accesses by clicking can be managed, authorized, controlled and logged into in a unified way. In an exemplary embodiment, the configuration management center provides an application portal configuration function: a user logs in to the configuration management center and clicks a specific area in the interface it provides (for example an "Add application" button) to generate the request to add a third-party application to the application portal.
The application configuration information may include, but is not limited to, at least one of the application name, the application type, the application icon, the session expiry duration of the application, and the additional information that the third-party application requires the application portal to carry during a session. The application portal can thus display the third-party application by its icon and name, so that the user can select a target third-party application for automatic login. The session expiry duration and the additional information required by the third-party application are used in the interaction between the third-party application and the application portal: the session expiry duration determines how long after a session is established it expires, and the additional information required during a session determines which information the third-party application needs the application portal to provide.
In an exemplary embodiment of the present disclosure, the application portal provides user identity information to the third-party application, the third-party application may be a web application that provides services to users, and the configuration management center configures and manages the third-party applications in the application portal. In response to the request to add a third-party application, the configuration management center receives the application configuration information of the third-party application and stores it. For example, in response to the request, the configuration management center may provide an application configuration information editing interface that includes at least one editing option for the user to enter application configuration information; the configuration management center then receives the application configuration information entered by the user and stores it.
Step S12: sending the metadata of the application portal to the third-party application, so that the third-party application establishes an association with the application portal according to the metadata.
The metadata of the application portal may be information describing the characteristics of the data the application portal transmits, and may include, but is not limited to, at least one of: identification information of the application portal, a certificate, the supported name identifier formats, and external service address information.
In an exemplary embodiment of the present disclosure, the metadata of the application portal (the IDP) allows the third-party application to trust the enterprise's application portal and carries standardized identification information for it. The metadata includes the following: the identification information of the application portal (Entity ID), which declares the current application portal entity; the IDP certificate, which the third-party application later uses to verify the signature on the SAML response message; the supported name identifier formats (Name ID Format), which declare which Name ID formats the current IDP supports, such as unspecified, emailAddress, persistent and transient; and the external service address information (SSO Location), which is the external single sign-on service address.
In this exemplary embodiment, the configuration management center sends the metadata of the application portal to the third-party application, so that the third-party application establishes an association with the application portal on the basis of that metadata and thereby trusts the enterprise's application portal; users of the enterprise can then jump to the third-party application by logging in to the application portal.
In an exemplary embodiment, the metadata of the application portal may be stored in advance in the configuration management center; when the metadata needs to be sent to the third-party application, the configuration management center retrieves it from its own storage and sends it to the third-party application. In another exemplary embodiment, the metadata of the application portal may be stored on another server, such as an application portal management database or a SAML service center; the configuration management center then requests and receives the metadata from that server and forwards it to the third-party application. It should be noted that those skilled in the art may choose how the metadata of the application portal is stored according to actual implementation needs, and the present disclosure does not specifically limit this.
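The metadata fields listed above (Entity ID, IDP certificate, Name ID Format, SSO Location), parsed on the third-party application side into the trust anchors the application keeps. This is an added example in Python, not code from the patent or its assignee; the sample metadata document, the entity ID, the URLs and the certificate bytes are constructed placeholders, and the function names `parse_idp_metadata` and `supports_name_id_format` are chosen here.

```python
"""Parse SAML 2.0 IDP metadata (Entity ID, signing certificate, Name ID Formats,
SSO Location) and extract what the third-party application stores to trust the portal.

Added example; the metadata, entity ID, URLs and certificate bytes are constructed
placeholders, not values from the patent."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml for metadata from an untrusted source

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; a real certificate is a base64 DER X.509 blob.
_CERT_B64 = base64.b64encode(b"placeholder-idp-cert-der").decode()
SAMPLE_IDP_METADATA = ("""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://portal.example-corp.test/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="%s" Location="https://portal.example-corp.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % (_CERT_B64, HTTP_POST)).encode()


def parse_idp_metadata(xml_bytes):
    """Return the trust anchors an SP keeps; raise ValueError if anything required is missing."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not root.get("entityID"):
        raise ValueError("metadata must be an EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IDP")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a KeyDescriptor without 'use' serves both uses
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not certs or not sso:
        raise ValueError("need at least one signing certificate and one SSO Location")
    for loc in sso.values():
        if not loc or not loc.startswith("https://"):   # the auto-submit form will post identity here
            raise ValueError("SSO Location must be an https URL: %r" % loc)
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": [hashlib.sha256(c).hexdigest() for c in certs],  # pin by fingerprint
        "name_id_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)],
        "sso_locations": sso,
    }


def supports_name_id_format(meta, wanted):
    """Check the Name ID Format configured for an application against what the IDP offers."""
    return wanted in meta["name_id_formats"]


def metadata_is_rejected(xml_bytes):
    """True if parse_idp_metadata refuses the document (used for the negative case)."""
    try:
        parse_idp_metadata(xml_bytes)
        return False
    except ValueError:
        return True
```

The SP keeps the certificate fingerprint, the entity ID and the SSO Location from this result; an assertion later presented to it is accepted only if it names the same issuer and is signed by a key matching the pinned certificate.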
Step S13: sending the application configuration information to the edge node on which the application portal is configured, so that when the edge node receives an access request for the third-party application, it sends a response message generated according to the application configuration information to the target terminal, for the third-party application to perform security verification.
An edge node may be a machine room or node deployed in a geographical region that provides nearby data transmission services to users of the application portal, thereby reducing service latency. It should be noted that the edge node may be an independent physical server, a server cluster or distributed system made up of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, edge cloud, and big data and artificial intelligence platforms; the present disclosure does not specifically limit this.
The response message may be information used by the third-party application for security verification: the third-party application verifies the response message to determine whether the access is legitimate. In an exemplary embodiment the response message is a SAML response message. Specifically, SAML defines an Identity Provider and a Service Provider, which form separate security domains, so that authentication and authorization data can be exchanged between those security domains.
In an exemplary embodiment of the present disclosure, three roles are realized using the SAML response message: the SP (Service Provider) is the web application that provides services to the user (i.e. the third-party application); the IDP (Identity Provider), for example the enterprise's application portal, provides user identity information to the SP; and the Browser (the user's browser) obtains the SAML response message by logging in to the IDP, submits it to the SP, and uses the services provided by the SP once the SP's authentication has passed.
In an exemplary embodiment of the present disclosure, the application portal is configured on the edge node, so that a user accessing the application portal does not need to reach the central node, which reduces latency. The configuration management center delivers the application configuration information of the third-party application to the edge node on which the application portal is configured, so that the edge node becomes associated with the third-party application and the application portal. When a user accesses a third-party application through the application portal from a target terminal, the target terminal sends an access request for the third-party application to the edge node; on receiving the access request, the edge node generates a response message for it according to the application configuration information of that third-party application and sends the response message to the target terminal. The target terminal then sends the response message to the third-party application, which performs the security verification for the user's single sign-on. No conventional account and password are needed and the user does not log in again: the login to the third-party application is completed directly by jumping from the application portal, which secures third-party application logins and improves the login experience.
In an exemplary embodiment of the present disclosure, step S11 includes:
displaying, according to the received request to add a third-party application to the application portal, an application configuration information editing interface that includes at least one application configuration information editing option;
generating and storing the application configuration information corresponding to the third-party application according to the editing information received through the at least one application configuration information editing option.
In this exemplary embodiment, when the configuration management center configures a third-party application, it displays, according to the received request to add that application, an application configuration information editing interface (for example on the display of the target terminal) on which the configuration operations are performed. Specifically, at least one editing option for application configuration information is provided in the editing interface; the editing information entered by the administrator through the editing options is received, the application configuration information corresponding to the third-party application is generated from it, and the generated application configuration information is stored.
Unified configuration management through the configuration management center thus makes it convenient for a user to manage multiple third-party applications or multiple accounts of the same third-party application, and solves the problems of unified management, control, authorization and login both across multiple third-party applications and across multiple accounts of the same third-party application.
The at least one application configuration information editing option includes an editing option for the information the third-party application requires for security verification. As shown in Fig. 2, when the configuration information of a third-party application named "third-party application XXX" is edited in the editing interface, the editing options include an option for the information the third-party application requires for security verification, options for the application's requirements, and options for adjustable attributes, such as the template type, the application type, the Name ID Format supported by the application, the application icon, the session expiry duration, and the additional information the third-party application requires the application portal to carry.
The user adjusts the adjustable attributes of the application through the editing options; the values are determined by what the third-party application requires the application portal to carry when submitting the response content. The editing options allow the application configuration information of the required third-party application to be configured flexibly, which enables application-level account permission control: through the unified configuration management center, application permissions can conveniently be assigned to or removed from users.
Fig. 3 is a schematic flowchart of a single sign-on method for a third-party application, applied to a target terminal, according to an exemplary embodiment. The method includes at least steps S21 to S25, wherein:
In step S21, a login request for the application portal is sent to the edge node, the login request including the identity information of the target user.
The login request for the application portal may be information requesting a login to the application portal. A user accessing the application portal through a browser needs to log in to it, and the login generates a login request to the application portal, so that the application portal can verify the identity of the accessing user and determine whether the user may log in.
The target user is the user accessing the application portal, and the identity information of the target user may be information that identifies the user, including but not limited to the user's employee number, alias and login account within the enterprise.
In an exemplary embodiment of the present disclosure, the user opens a browser on the target terminal and sends a login request for the application portal to the edge node. The login request may carry the identity information of the target user currently accessing the application portal, and the application portal verifies that identity information to determine whether the user may log in.
Next, in step S22, the first response page returned by the edge node after identity verification according to the identity information is received and displayed.
The first response page reflects the outcome of verifying the identity information. For example, if the user passes identity verification, the first response page may be the page shown after a successful login to the application portal, which may include the list of applications the user may access, from which the user selects a target third-party application to jump to. If the user fails identity verification, the first response page may be a page containing a notice that login is refused, a page indicating that the identity information is incorrect, and so on.
In an exemplary embodiment of the present disclosure, after the login request is sent to the edge node, the verification result of the target user's identity information returned by the edge node is received, and the first response page is displayed in the browser. The first response page may include the verification result returned by the edge node; for example, once the identity information of the target user has been verified, the first response page shows the list of third-party applications associated with the application portal (as shown in Fig. 4), so that the user can subsequently access a third-party application through the application portal.
在步骤S23中,根据目标用户从应用门户包含的至少一个第三方应用中确定的目标第三方应用,向配置有所述应用门户的边缘节点发送针对所述目标第三方应用的访问请求。In step S23, according to the target third-party application determined by the target user from at least one third-party application included in the application portal, an access request for the target third-party application is sent to the edge node configured with the application portal.
其中,目标第三方应用可以是用户通过应用门户展示出的第三方应用列表中选择的当前需要使用的第三方应用,比如展示的第三方应用为应用A、应用B和应用C,则用户选择应用A时可以通过点击应用门户上应用A的图标,以确定应用A为目标第三方应用。Wherein, the target third-party application may be a third-party application currently required to be used selected by the user from the third-party application list displayed through the application portal. A can determine that application A is the target third-party application by clicking the icon of application A on the application portal.
继续参考图4,目标用户从应用门户显示出的第一响应页面上选择目标第三方应用,即 从应用门户展示的第三方应用列表中选择出所需要登录的第三方应用,从而向配置有该应用门户的边缘节点发送该目标第三方应用的访问请求,以便完成跳转到目标第三方应用并且自动完成登录。Continuing to refer to FIG. 4 , the target user selects the target third-party application from the first response page displayed on the application portal, that is, selects the third-party application that needs to be logged in from the list of third-party applications displayed on the application portal, so as to configure the application. The edge node of the portal sends the access request of the target third-party application, so as to complete the jump to the target third-party application and automatically complete the login.
在步骤S24中,接收所述应用门户发送的响应报文,所述响应报文包括第三方应用的单点登录地址,以及包含了所述经过验证的身份信息的自动提交表单。In step S24, a response message sent by the application portal is received, the response message includes the single sign-on address of the third-party application, and an automatic submission form including the authenticated identity information.
其中,响应报文可以使用SAML响应报文,通过使用SAML的方式实现第三方应用的单点登录,在SAML响应报文中包括需要进行登录的第三方应用的单点登录地址以及自动提交表单,该自动提交表单是根据经过验证的身份信息得到的。Among them, the response message can use the SAML response message to realize the single sign-on of the third-party application by using SAML. The SAML response message includes the single sign-on address of the third-party application that needs to log in and the automatic submission form. The automatically submitted form is based on verified identity information.
在本公开一示例性实施例中,由应用门户跳转到目标第三方应用前,目标终端接收应用门户发送的携带了有关目标第三方应用进行登录的响应报文,该响应报文可以包括目标第三方应用的单点登录地址以及经过验证的身份信息的自动提交表单。其中,将进行安全登录所需的验证信息包装成自动提交表单可以将SAML响应报文进行提交传递数据,简洁高效且浏览器兼容性好,不需要依赖其他前端组件,可以进行自动提交,使得用户无感知。In an exemplary embodiment of the present disclosure, before jumping from the application portal to the target third-party application, the target terminal receives a response message from the application portal that carries the login of the target third-party application. The response message may include the target Single sign-on address for third-party applications and auto-submit forms for authenticated identities. Among them, packaging the verification information required for secure login into an automatic submission form can submit the SAML response message to transmit data, which is simple and efficient and has good browser compatibility. It does not need to rely on other front-end components and can be submitted automatically, allowing users No perception.
在步骤S25中,向所述单点登录地址对应的目标第三方应用发送所述自动提交表单以进行安全验证。In step S25, the automatic submission form is sent to the target third-party application corresponding to the single sign-on address for security verification.
在该步骤中,由于该单点登录地址与目标第三方应用相对应,目标终端上的浏览器可以向该单点登录地址(即该目标第三方应用)发送自动提交表单,从而使目标第三方应用在接收到该自动提交表单后进行安全验证,以在用户无感知的情况下完成第三方应用的安全登录。In this step, since the single sign-on address corresponds to the target third-party application, the browser on the target terminal can send an automatic submission form to the single sign-on address (that is, the target third-party application), so that the target third-party The application performs security verification after receiving the automatically submitted form, so as to complete the secure login of the third-party application without the user's awareness.
在本公开一些示例性实施例中,所述方法还包括:In some exemplary embodiments of the present disclosure, the method further includes:
接收并显示由所述目标第三方应用根据所述安全验证的验证结果反馈的第二响应页面。receiving and displaying a second response page fed back by the target third-party application according to the verification result of the security verification.
其中,第二响应页面可以为第三方应用根据自动提交表单进行安全验证后所反馈的页面,例如可以为安全验证通过后向用户展示成功登录第三方应用后的页面或为安全验证未通过后向用户提示验证失败的一个提示页面等。Wherein, the second response page may be the page fed back by the third-party application after the security verification is automatically submitted according to the form. A prompt page for the user to prompt that the verification fails, etc.
在该示例性实施例中,目标第三方应用对自动提交表单进行验证后得到安全验证的验证结果,从而将该验证结果反馈给目标终端,在目标终端上显示根据该验证结果反馈的第二响应页面,若验证结果为验证通过,则第二响应页面可以为成功登录第三方应用后的页面,若验证结果为验证失败,则第二响应页面可为提示用户验证失败的提示页面。In this exemplary embodiment, the target third-party application verifies the automatically submitted form and obtains the verification result of the security verification, so that the verification result is fed back to the target terminal, and the second response fed back according to the verification result is displayed on the target terminal If the verification result is that the verification is passed, the second response page may be a page after successfully logging in to the third-party application, and if the verification result is a verification failure, then the second response page may be a prompt page that prompts the user that the verification fails.
FIG. 5 is a schematic flowchart of a single sign-on method for a third-party application according to an exemplary embodiment, applied to an edge node on which an application portal is configured. The method includes at least steps S31 to S34, wherein:
Step S31: receiving a login request for the application portal sent by the target terminal, the login request including the identity information of the target user.
Here, the login request for the application portal may be information used to request login to the application portal. When the user accesses the application portal through a browser, the user must log in to the application portal, and a login request for the application portal is generated at login so that the application portal can authenticate the accessing user and determine whether the user may log in.
In an exemplary embodiment of the present disclosure, in order to reduce latency when the target user accesses the portal, the access traffic is directed to the nearest edge node, on which the application portal is configured, so that the login request for the application portal sent by the target terminal can be received. The login request carries the identity information of the target user, such as the login account and password currently in use.
Step S32: performing identity verification according to the identity information.
In this exemplary embodiment, the edge node may perform identity verification according to the identity information carried in the login request, in order to determine whether the user may log in to the application portal.
Step S33: if the verification passes, receiving an access request sent by the target terminal for the target third-party application chosen from the at least one third-party application included in the application portal.
Here, the access request may be an access request for the third-party application that the user has selected and needs to access. The user can select the target third-party application to be accessed from the at least one third-party application displayed in the application portal; the target terminal can generate a corresponding access request according to the target third-party application and send the access request to the edge node where the application portal is located.
In an exemplary embodiment of the present disclosure, after receiving the login request, the edge node authenticates the target user according to the target user's identity information. If the verification passes, the user may log in to the application portal and access at least one third-party application in the application portal. Therefore, after authentication passes, the edge node can receive the access request for the target third-party application sent by the target terminal, the access request being the user's request to access the target third-party application selected through the application portal from the at least one third-party application. For example, after the user's identity verification passes, target third-party application A is selected from the list of third-party applications on the response page displayed by the application portal, and the edge node receives the user's access request for target third-party application A.
Next, step S34: sending a response message to the target terminal, the response message including the single sign-on address of the target third-party application and an auto-submit form containing the verified identity information, so that the target terminal sends the auto-submit form to the target third-party application corresponding to the single sign-on address for security verification.
In an exemplary embodiment of the present disclosure, after receiving the access request for the target third-party application, the edge node may send the response message generated for that access request to the target terminal, so that the target terminal, according to the single sign-on address of the target third-party application in the response message, sends the auto-submit form containing the verified identity information in the response message to the target third-party application, and the target third-party application performs security verification on the auto-submit form to complete the user's login to the target third-party application. As a result, once the user has entered the application portal, authentication and login to all third-party applications can be completed automatically, which both ensures the security of login and improves the user's login experience.
In some exemplary embodiments of the present disclosure, the response message includes a response message generated according to the application configuration information corresponding to the target third-party application.
Here, the application configuration information corresponding to a third-party application is the information with which the configuration management center configures that third-party application, and may include the application name, application type, application icon, the session expiry duration of the application, and additional information the third-party application requires the application portal to carry, so that the application can be displayed on the application portal by its icon and name.
In this exemplary embodiment, the application configuration information of the target third-party application is configured through the configuration management center, so that when the user accesses the target third-party application, a response message can be generated according to the application configuration information corresponding to the target third-party application and used to complete security verification. The response message may be a SAML response message that contains the identity information of the verified user. The raw data of the generated response message may include the Entity ID of the application portal, the response signature information, the user information, and the recipient information of the target third-party application (the SP), among others. The target third-party application can perform security verification on the response message generated according to its application configuration information, so as to ensure the security of the user's login.
Following the above exemplary embodiment, the method further includes: obtaining the pre-configured application configuration information corresponding to the target third-party application from the configuration management center.
Here, at least one third-party application is integrated on the application portal, and the third-party applications it contains are managed through the application portal, so that the user can conveniently log in to each third-party application through the portal. When the user currently needs to log in to a particular third-party application, that third-party application is the target third-party application, and its application configuration information must be obtained in order to log in to it. This application configuration information may be configured by an administrator in the configuration management center and stored there in advance. The edge node can obtain the application configuration information corresponding to the target third-party application from the configuration management center, which makes it convenient to subsequently generate the response message from the obtained application configuration information and feed it back to the target terminal.
In an exemplary embodiment of the present disclosure, obtaining the pre-configured application configuration information corresponding to the target third-party application from the configuration management center includes:
detecting whether application configuration information corresponding to the target third-party application is stored;
if so, obtaining the application configuration information;
if not, sending a request to obtain the application configuration information to the configuration management center, and receiving the application configuration information fed back by the configuration management center according to the request.
In this exemplary embodiment, when the configuration information corresponding to the target third-party application needs to be obtained, the edge node can first check whether it has stored the application configuration information corresponding to the target third-party application; if so, the edge node can read the application configuration information from its own storage. If not, the edge node can send a request for the application configuration information to the configuration management center, so that the configuration management center, upon receiving the request, delivers the configured application configuration information to the edge node where the application portal is located.
In an exemplary embodiment, the request may include identification information of the target third-party application, so that the configuration management center can look up the corresponding application configuration information according to that identification information.
In an exemplary embodiment of the present disclosure, step S34 includes:
sending the application configuration information corresponding to the target third-party application to the SAML service center, so that the SAML service center generates a response message according to the application configuration information;
receiving the response message fed back by the SAML service center, and sending the response message to the target terminal.
In this exemplary embodiment, when the edge node receives an access request for the target third-party application, the edge node sends the application configuration information of the target third-party application to the SAML service center, so that the SAML service center generates a response message according to that application configuration information. Based on the external single sign-on service address of the third-party application and the encoded SAML response message, the edge node can place both the external single sign-on service address of the third-party application and the encoded SAML response message in the same auto-submit form, and return that auto-submit form to the target terminal.
FIG. 6 is a schematic flowchart of a single sign-on method for a third-party application according to an exemplary embodiment, applied to the third-party application. The method includes at least:
Step S41: receiving the auto-submit form sent by the target terminal, the auto-submit form including the verified identity information of the target user.
Here, the auto-submit form may be a form the application portal generates by packaging the response message produced from the application configuration information of the third-party application. After being fed back to the target terminal, the auto-submit form can be submitted automatically to the third-party application, which facilitates the subsequent identity verification and quickly achieves login to the third-party application.
In an exemplary embodiment of the present disclosure, the application portal returns an auto-submit form to the user's browser on the target terminal, and the user's browser sends the auto-submit form to the third-party application. The auto-submit form includes the verified identity information of the target user, that is, the identity information with which the user logged in to the application portal.
In step S42, security verification is performed on the target user according to the auto-submit form.
In this exemplary embodiment, after the third-party application receives the auto-submit form, it can verify the signature in the auto-submit form using the certificate contained in the metadata it received earlier, in order to decide whether the target user may log in securely.
Next, in step S43, if the security verification passes, the first application page after login is fed back to the target terminal.
Here, the first application page may be the home page shown after successful login to the target third-party application, that is, the home page of the target third-party application, which allows the user to access and use the target third-party application.
When verification of the response message passes, that is, when the target user passes the security verification, the third-party application feeds back to the target terminal the first application page shown after successful login, indicating that the user has completed login authentication at the third-party application; the user can use the services provided by the third-party application directly, without at any point entering an account or password for the third-party application.
In some exemplary embodiments of the present disclosure, after performing security verification on the target user according to the auto-submit form, the method further includes: if the security verification fails, feeding back to the target terminal a second application page that indicates that access is refused.
Here, the first application page and the second application page may be included in the second response page described above. The second application page may be a prompt page shown when login to the target third-party application is not possible, informing the target user that access to the target third-party application is currently refused.
In an exemplary embodiment of the present disclosure, when the security verification of the target user according to the content of the auto-submit form fails, the second application page is fed back to the target terminal; this second application page indicates to the user that access is refused, so as to ensure the security of login to the third-party application.
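The portal-to-application exchange of steps S34 and S41 to S43 above, as an added example that is not part of the disclosure: the edge node signs the assertion and wraps it together with the SSO address in an auto-submit form, and the third-party application verifies the signature against the certificate from the portal metadata, then checks recipient and expiry before serving either the first or the second application page. A JSON envelope and a self-signed certificate stand in here for the SAML XML response, its XML signature and the metadata certificate; every URL and name is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"html"
	"math/big"
	"time"
)

// Assertion is a simplified JSON stand-in (an assumption of this example) for the SAML
// Response content listed in the text: portal Entity ID, verified user, SP recipient, expiry.
type Assertion struct {
	Issuer       string    `json:"issuer"`          // application portal Entity ID
	Subject      string    `json:"subject"`         // identity verified at portal login
	Recipient    string    `json:"recipient"`       // SSO address of the target third-party app (SP)
	NotOnOrAfter time.Time `json:"not_on_or_after"` // derived from the configured session expiry
}

// envelope holds the exact signed bytes plus the signature and is base64-encoded into the form.
type envelope struct {
	Assertion []byte `json:"assertion"`
	Signature []byte `json:"signature"` // RSA PKCS#1 v1.5 over SHA-256(Assertion)
}

// newPortalIdentity creates the portal signing key and a self-signed certificate (DER) that
// stands in for the certificate the configuration management center ships in the portal metadata.
func newPortalIdentity() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// buildResponse is the edge node / SAML service center side: sign, then base64-encode.
func buildResponse(key *rsa.PrivateKey, a Assertion) (string, error) {
	body, _ := json.Marshal(a) // marshalling these plain fields cannot fail
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	env, _ := json.Marshal(envelope{Assertion: body, Signature: sig})
	return base64.StdEncoding.EncodeToString(env), nil
}

// autoSubmitForm places the SSO address and the encoded response in one form that the
// browser submits on load, so the user sees no intermediate page (step S34).
func autoSubmitForm(ssoURL, encoded string) string {
	return fmt.Sprintf(`<html><body onload="document.forms[0].submit()">`+
		`<form method="POST" action="%s">`+
		`<input type="hidden" name="SAMLResponse" value="%s"/>`+
		`</form></body></html>`, html.EscapeString(ssoURL), html.EscapeString(encoded))
}

// verifyResponse is the third-party application side (steps S42 and S43): signature first,
// then recipient and expiry. Any failure maps to the "access refused" second application page.
func verifyResponse(certDER []byte, mySSOURL, encoded string, now time.Time) (Assertion, error) {
	var a Assertion
	var env envelope
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return a, err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err == nil {
		err = json.Unmarshal(raw, &env)
	}
	if err != nil {
		return a, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	digest := sha256.Sum256(env.Assertion)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], env.Signature) != nil {
		return a, fmt.Errorf("signature check failed: access refused")
	}
	if err := json.Unmarshal(env.Assertion, &a); err != nil {
		return a, err
	}
	if a.Recipient != mySSOURL {
		return a, fmt.Errorf("issued for another recipient: access refused")
	}
	if !now.Before(a.NotOnOrAfter) {
		return a, fmt.Errorf("response expired: access refused")
	}
	return a, nil
}
```

The recipient check is what stops a form issued for application A from being replayed against application B, and the expiry check bounds how long a captured form stays usable.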
In some exemplary embodiments of the present disclosure, a single sign-on system for a third-party application is also provided. The system includes a configuration management center and at least one edge node, on which an application portal is configured, wherein:
the configuration management center is configured to configure the third-party application in the application portal to generate application configuration information and to send the application configuration information to the edge node; the configuration management center is further configured to send the metadata of the application portal to the third-party application to establish an association between the application portal and the third-party application;
the edge node is configured to feed back a response message to the target terminal upon receiving an access request for the third-party application sent by the target terminal, the response message including the single sign-on address of the third-party application and an auto-submit form containing the verified identity information, the auto-submit form being used by the third-party application for security verification.
FIG. 7 is a schematic architecture diagram of the single sign-on system for third-party applications, which includes a configuration management center and edge nodes. An application portal may be configured on an edge node, and at least one third-party application is integrated on the application portal, so that single sign-on to the third-party application is completed through their interaction. Specifically, the architecture of FIG. 7 can implement single sign-on using the steps of the schematic flowchart shown in FIG. 8. First, the third-party applications in the application portal deployed on the edge node are configured in the configuration management center to generate application configuration information, and this application configuration information is delivered to the edge node. The configuration management center sends the metadata of the application portal to the third-party application so that the third-party application establishes an association with the application portal. This association is then used for the interaction between the application portal and the third-party application, and the redirect to the third-party application is achieved by logging in to the application portal.
When the user accesses a third-party application in the application portal through the browser of the target terminal, the edge node receives an access request for the third-party application. The application portal may, according to the access request, ask the SAML service center to generate a SAML response message; the application portal may package the SAML response message into an auto-submit form carrying that response message and return the auto-submit form to the target terminal, and the user's browser on the target terminal automatically submits the SAML response message to the third-party application according to the auto-submit form. The third-party application verifies the SAML response message and, when verification passes, returns the logged-in page to the user's browser, achieving single sign-on to the third-party application.
In addition, an exemplary embodiment of the present disclosure further provides a computer-readable medium on which computer-readable instructions are stored, the computer-readable instructions being executable by a processor to implement the single sign-on method for a third-party application described above.
Corresponding to the method described above, an exemplary embodiment of the present disclosure further provides a device that includes modules or units capable of performing the method steps described in each of the above exemplary embodiments; these modules or units may be implemented in hardware, software or a combination of the two, which the present disclosure does not limit. For example, in an exemplary embodiment of the present disclosure, a single sign-on device for a third-party application is also provided, the device including:
one or more processors; and
a memory storing computer-readable instructions which, when executed, cause the processor to perform the operations of the method described above.
FIG. 9 is a schematic structural diagram of a single sign-on device for a third-party application applied to a configuration management center according to an exemplary embodiment. The device 1 includes a responding means 11, a first sending means 12 and a second sending means 13, wherein the responding means 11 is configured to receive and store, in response to a request to add a third-party application to the application portal, application configuration information corresponding to the third-party application; the first sending means 12 is configured to send the metadata of the application portal to the third-party application so that the third-party application establishes an association with the application portal according to the metadata; and the second sending means 13 is configured to send the application configuration information to the edge node on which the application portal is configured, so that the edge node, upon receiving an access request for the third-party application, sends a response message generated according to the application configuration information to the target terminal for security verification by the third-party application.
The operations performed by the responding means 11, the first sending means 12 and the second sending means 13 are the same as, or correspond to, those in steps S11, S12 and S13 above, and for brevity are not repeated here.
FIG. 10 is a schematic structural diagram of a single sign-on device for a third-party application applied to a target terminal according to an exemplary embodiment. The device 2 includes a requesting means 21, a display means 22, a determining means 23, a first receiving means 24 and a third sending means 25, wherein the requesting means 21 is configured to send a login request for the application portal to the edge node, the login request including the identity information of the target user; the display means 22 is configured to receive and display the first response page fed back by the edge node after it performs identity verification according to the identity information; the determining means 23 is configured to send, according to the target third-party application that the target user has chosen from the at least one third-party application included in the application portal, an access request for the target third-party application to the edge node on which the application portal is configured; the first receiving means 24 is configured to receive a response message sent by the application portal, the response message including the single sign-on address of the third-party application and an auto-submit form containing the verified identity information; and the third sending means 25 is configured to send the auto-submit form to the target third-party application corresponding to the single sign-on address for security verification.
The operations performed by the requesting means 21, the display means 22, the determining means 23, the first receiving means 24 and the third sending means 25 are the same as, or correspond to, those in steps S21, S22, S23, S24 and S25 above, and for brevity are not repeated here.
FIG. 11 is a schematic structural diagram of a single sign-on device for a third-party application applied to an edge node according to an exemplary embodiment. The device 3 includes a second receiving means 31, a verification means 32, a third receiving means 33 and a fourth sending means 34, wherein the second receiving means 31 is configured to receive a login request for the application portal sent by the target terminal, the login request including the identity information of the target user; the verification means 32 is configured to perform identity verification according to the identity information; the third receiving means 33 is configured to receive, if the verification passes, an access request sent by the target terminal for the target third-party application chosen from the at least one third-party application included in the application portal; and the fourth sending means 34 is configured to send a response message to the target terminal, the response message including the single sign-on address of the target third-party application and an auto-submit form containing the verified identity information, so that the target terminal sends the auto-submit form to the target third-party application corresponding to the single sign-on address for security verification.
第二接收装置31、验证装置32、第三接收装置33及第四发送装置34执行的内容分别与上述步骤S31、S32、S33及S34中的内容相同或相应相同,为简明起见,在此不再赘述。The contents executed by the second receiving device 31, the verifying device 32, the third receiving device 33 and the fourth sending device 34 are respectively the same or correspondingly the same as those in the above-mentioned steps S31, S32, S33 and S34. Let me repeat.
图12是根据一示例性实施例示出的一种应用于第三方应用的第三方应用的单点登录的设备的结构示意图,该设备4包括:第四接收装置41、用户验证装置42及反馈装置43,其中,第四接收装置41设置为接收由目标终端发送的自动提交表单,所述自动提交表单包括所述经过验证的目标用户的身份信息;用户验证装置42设置为根据所述自动提交表单对所述目标用户进行安全验证;反馈装置43设置为若所述安全验证通过,则向所述目标终端反馈登录后的第一应用页面。Fig. 12 is a schematic structural diagram of a third-party application single sign-on device applied to a third-party application according to an exemplary embodiment. The device 4 includes: a fourth receiving device 41, a user verification device 42 and a feedback device 43, wherein, the fourth receiving means 41 is set to receive the automatic submission form sent by the target terminal, the automatic submission form includes the identity information of the verified target user; the user verification means 42 is set to automatically submit the form according to the Perform security verification on the target user; the feedback device 43 is configured to feed back the first application page after login to the target terminal if the security verification passes.
第四接收装置41、用户验证装置42及反馈装置43执行的内容分别与上述步骤S41、S42及S43中的内容相同或相应相同,为简明起见,在此不再赘述。The contents executed by the fourth receiving device 41 , the user verification device 42 and the feedback device 43 are the same or correspondingly the same as those in the above steps S41 , S42 and S43 respectively, and for the sake of brevity, details are not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the present disclosure without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present disclosure and their equivalents, the present disclosure is intended to include them as well.
The present disclosure can be implemented in software and/or a combination of software and hardware, for example using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In an exemplary embodiment, the software program of the present disclosure can be executed by a processor to realize the steps or functions described above. Likewise, the software program of the present disclosure (including associated data structures) can be stored in a computer-readable recording medium such as RAM memory, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the present disclosure may be implemented in hardware, for example as a circuit that cooperates with a processor to execute the individual steps or functions.
In addition, part of the present disclosure can be applied as a computer program product, such as computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the present disclosure through the operation of the computer. The program instructions that invoke the method of the present disclosure may be stored in a fixed or removable recording medium, and/or transmitted as a data stream in a broadcast or other signal-carrying medium, and/or stored in the working memory of the computer device that runs according to the program instructions. Here, an exemplary embodiment of the present disclosure includes an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the apparatus is triggered to run the methods and/or technical solutions based on the aforementioned exemplary embodiments of the present disclosure.
It will be apparent to those skilled in the art that the present disclosure is not limited to the details of the above exemplary embodiments, and that it can be embodied in other specific forms without departing from its spirit or essential characteristics. Therefore, the embodiments should in every respect be regarded as illustrative and not restrictive; the scope of the present disclosure is defined by the appended claims rather than by the foregoing description, and all changes that fall within the meaning and range of equivalents of the claims are therefore intended to be embraced in the present disclosure. No reference sign in a claim should be construed as limiting the claim concerned. Furthermore, the word "comprising" obviously does not exclude other elements or steps, and the singular does not exclude the plural. The words "first", "second" and so on are used to denote names and do not imply any particular order.
Industrial Applicability
In the single sign-on method, system, device and medium for a third-party application provided by the present disclosure, multiple third-party applications, or multiple accounts of the same third-party application, can be managed uniformly through the configuration management center, and the application portal on the edge node provides users with fast and efficient unified identity authentication. The user jumps from the application portal to the third-party application, and the third-party application completes the authenticated login automatically, which ensures the security of the third-party application login and also improves the login experience.

Claims (20)

  1. A single sign-on method for a third-party application, applied to a configuration management center, the method comprising:
    in response to a request to add a third-party application to an application portal, receiving and storing application configuration information corresponding to the third-party application;
    sending metadata of the application portal to the third-party application, so that the third-party application establishes an association relationship with the application portal according to the metadata; and
    sending the application configuration information to an edge node on which the application portal is configured, so that, upon receiving an access request for the third-party application, the edge node sends a response message generated according to the application configuration information to the target terminal for security verification by the third-party application.
  2. The method according to claim 1, wherein receiving and storing the application configuration information corresponding to the third-party application in response to the request to add the third-party application to the application portal comprises:
    displaying an application configuration information editing interface according to the received request to add the third-party application to the application portal, the application configuration information editing interface including at least one application configuration information editing option; and
    generating and storing the application configuration information corresponding to the third-party application according to the editing information received through the at least one application configuration information editing option.
  3. The method according to claim 2, wherein the at least one application configuration information editing option includes an editing option for the information the third-party application requires to perform security verification.
  4. The method according to any one of claims 1 to 3, wherein the metadata of the application portal includes at least one of: identification information of the application portal, a certificate, the supported name identifier format, and external service address information.
  5. A single sign-on method for a third-party application, applied to a target terminal, the method comprising:
    sending a login request for an application portal to an edge node, the login request including identity information of a target user;
    receiving and displaying a first response page returned by the edge node after it has verified the identity information;
    sending, to the edge node on which the application portal is configured, an access request for a target third-party application that the target user selected from at least one third-party application contained in the application portal;
    receiving a response message sent by the application portal, the response message including a single sign-on address of the third-party application and an automatic submission form containing the verified identity information; and
    sending the automatic submission form to the target third-party application corresponding to the single sign-on address for security verification.
  6. The method according to claim 5, further comprising:
    receiving and displaying a second response page returned by the target third-party application according to the result of the security verification.
  7. A single sign-on method for a third-party application, applied to an edge node on which an application portal is configured, the method comprising:
    receiving a login request for the application portal sent by a target terminal, the login request including identity information of a target user;
    performing identity verification according to the identity information;
    if the verification passes, receiving an access request sent by the target terminal for a target third-party application determined from at least one third-party application contained in the application portal; and
    sending a response message to the target terminal, the response message including a single sign-on address of the target third-party application and an automatic submission form containing the verified identity information, so that the target terminal sends the automatic submission form to the target third-party application corresponding to the single sign-on address for security verification.
  8. The method according to claim 7, wherein the response message comprises a response message generated according to the application configuration information corresponding to the target third-party application.
  9. The method according to claim 7, further comprising: acquiring the pre-configured application configuration information corresponding to the target third-party application from a configuration management center.
  10. The method according to claim 9, wherein acquiring the pre-configured application configuration information corresponding to the target third-party application from the configuration management center comprises:
    detecting whether application configuration information corresponding to the target third-party application is stored;
    if so, obtaining the application configuration information; and
    if not, sending a request to acquire the application configuration information to the configuration management center, and receiving the application configuration information returned by the configuration management center according to the acquisition request.
  11. The method according to claim 8 or 9, wherein sending the response message to the target terminal comprises:
    sending the application configuration information corresponding to the target third-party application to a SAML service center, so that the SAML service center generates the response message according to the application configuration information; and
    receiving the response message returned by the SAML service center, and sending the response message to the target terminal.
  12. A single sign-on method for a third-party application, applied to the third-party application, the method comprising:
    receiving an automatic submission form sent by a target terminal, the automatic submission form including verified identity information of a target user;
    performing security verification on the target user according to the automatic submission form; and
    if the security verification passes, returning a first application page, shown after login, to the target terminal.
  13. The method according to claim 12, wherein, after performing security verification on the target user according to the automatic submission form, the method further comprises:
    if the security verification fails, returning to the target terminal a second application page indicating that access is denied.
  14. A single sign-on system for a third-party application, comprising a configuration management center and at least one edge node, an application portal being configured on the edge node, wherein:
    the configuration management center is configured to configure the third-party application in the application portal to generate application configuration information and to send the application configuration information to the edge node; the configuration management center is further configured to send metadata of the application portal to the third-party application to establish an association relationship between the application portal and the third-party application; and
    the edge node is configured to, upon receiving an access request for the third-party application sent by a target terminal, return a response message to the target terminal, the response message including a single sign-on address of the third-party application and an automatic submission form containing the verified identity information, the automatic submission form being used by the third-party application for security verification.
  15. A single sign-on device for a third-party application, applied to a configuration management center, the device comprising:
    a responding device, configured to receive and store application configuration information corresponding to a third-party application in response to a request to add the third-party application to an application portal;
    a first sending device, configured to send metadata of the application portal to the third-party application, so that the third-party application establishes an association relationship with the application portal according to the metadata; and
    a second sending device, configured to send the application configuration information to an edge node on which the application portal is configured, so that, upon receiving an access request for the third-party application, the edge node sends a response message generated according to the application configuration information to the target terminal for security verification by the third-party application.
  16. A single sign-on device for a third-party application, applied to a target terminal, the device comprising:
    a requesting device, configured to send a login request for an application portal to an edge node, the login request including identity information of a target user;
    a display device, configured to receive and display a first response page returned by the edge node after it has verified the identity information;
    a determining device, configured to send, to the edge node on which the application portal is configured, an access request for a target third-party application that the target user selected from at least one third-party application contained in the application portal;
    a first receiving device, configured to receive a response message sent by the application portal, the response message including a single sign-on address of the third-party application and an automatic submission form containing the verified identity information; and
    a third sending device, configured to send the automatic submission form to the target third-party application corresponding to the single sign-on address for security verification.
  17. A single sign-on device for a third-party application, applied to an edge node, the device comprising:
    a second receiving device, configured to receive a login request for an application portal sent by a target terminal, the login request including identity information of a target user;
    a verification device, configured to perform identity verification according to the identity information;
    a third receiving device, configured to, if the verification passes, receive an access request sent by the target terminal for a target third-party application determined from at least one third-party application contained in the application portal; and
    a fourth sending device, configured to send a response message to the target terminal, the response message including a single sign-on address of the target third-party application and an automatic submission form containing the verified identity information, so that the target terminal sends the automatic submission form to the target third-party application corresponding to the single sign-on address for security verification.
  18. A single sign-on device for a third-party application, applied to the third-party application, the device comprising:
    a fourth receiving device, configured to receive an automatic submission form sent by a target terminal, the automatic submission form including verified identity information of a target user;
    a user verification device, configured to perform security verification on the target user according to the automatic submission form; and
    a feedback device, configured to, if the security verification passes, return a first application page, shown after login, to the target terminal.
  19. A computer-based device, comprising:
    one or more processors; and
    a memory storing computer-readable instructions which, when executed, cause the processor to perform the operations of the method according to any one of claims 1 to 13.
  20. A computer-readable medium having computer-readable instructions stored thereon, the computer-readable instructions being executable by a processor to implement the method according to any one of claims 1 to 13.
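The claims above describe one exchange from three vantage points: the configuration management center hands the portal's metadata (claim 4) to the third-party application, the edge node answers an access request with the application's single sign-on address plus an automatic submission form carrying the verified identity (claims 7 and 11), and the third-party application verifies that form before showing the logged-in page or the access-denied page (claims 12 and 13). The following Go program is an added illustration of that exchange; it is not code from the patent or from the applicant. It stands in for SAML with a JSON assertion signed with RSA-SHA256 and a bare public key in place of the certificate, every type, function and field name is my own, and the five-minute validity window and the sample entity identifiers in the test are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"html"
	"time"
)

// PortalMetadata is what the configuration management center sends to the third-party
// application to build the association (claim 4); the public key stands in for the
// certificate. All field names here are assumptions, not the patent's.
type PortalMetadata struct {
	EntityID     string         // identification information of the portal
	PublicKey    *rsa.PublicKey // stands in for the portal certificate
	NameIDFormat string         // supported name identifier format
	ServiceURL   string         // external service address
}

// AppConfig is the per-application configuration the edge node obtains from the
// configuration management center: the audience the app expects and its SSO address.
type AppConfig struct{ AppEntityID, SSOAddress string }

// Assertion is the verified identity information carried in the automatic submission form.
type Assertion struct {
	Issuer, Audience, NameID string
	IssuedAt, ExpiresAt      int64
}

// envelope is the hidden field's content: assertion bytes plus an RSA-SHA256
// signature (a SAML deployment carries XML with XML-DSig instead).
type envelope struct{ Assertion, Signature []byte }

// ResponseMessage is the edge node's reply: SSO address, posted field value, auto-submit form.
type ResponseMessage struct{ SSOAddress, Payload, Form string }

// Portal models the application portal on the edge node (the identity provider side).
type Portal struct {
	key  *rsa.PrivateKey
	Meta PortalMetadata
}

// NewPortal generates the portal key pair and the metadata derived from it.
func NewPortal(entityID, serviceURL string) (*Portal, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	meta := PortalMetadata{entityID, &key.PublicKey, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", serviceURL}
	return &Portal{key, meta}, nil
}

// BuildResponse runs only after the portal has verified the user: it signs an assertion
// bound to the target application and wraps it in the form the terminal will auto-submit.
func (p *Portal) BuildResponse(cfg AppConfig, nameID string, now time.Time) (ResponseMessage, error) {
	body, _ := json.Marshal(Assertion{p.Meta.EntityID, cfg.AppEntityID, nameID, now.Unix(), now.Add(5 * time.Minute).Unix()})
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, digest[:])
	if err != nil {
		return ResponseMessage{}, err
	}
	env, _ := json.Marshal(envelope{body, sig})
	payload := base64.StdEncoding.EncodeToString(env)
	form := fmt.Sprintf(`<form method="post" action="%s"><input type="hidden" name="SAMLResponse" value="%s"></form><script>document.forms[0].submit()</script>`,
		html.EscapeString(cfg.SSOAddress), html.EscapeString(payload))
	return ResponseMessage{cfg.SSOAddress, payload, form}, nil
}

// VerifyForm is the third-party application's security verification of the posted form
// (claims 12 and 13). portal is the association built from the metadata and the only trust
// anchor; signature, issuer, audience and validity window must all pass before the NameID is trusted.
func VerifyForm(appEntityID string, portal PortalMetadata, payload string, now time.Time) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return "", err
	}
	var env envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return "", err
	}
	digest := sha256.Sum256(env.Assertion)
	if rsa.VerifyPKCS1v15(portal.PublicKey, crypto.SHA256, digest[:], env.Signature) != nil {
		return "", errors.New("signature verification failed") // tampered, or not from the associated portal
	}
	var a Assertion
	switch {
	case json.Unmarshal(env.Assertion, &a) != nil:
		return "", errors.New("malformed assertion")
	case a.Issuer != portal.EntityID:
		return "", errors.New("assertion not issued by the associated portal")
	case a.Audience != appEntityID:
		return "", errors.New("assertion not intended for this application")
	case now.Unix() < a.IssuedAt || now.Unix() > a.ExpiresAt:
		return "", errors.New("assertion outside its validity window")
	}
	return a.NameID, nil
}
```

The point of the audience and validity checks is that the automatic submission form travels through the user's browser: a form minted for one third-party application, or captured and replayed later, must fail at the application that receives it, which is why VerifyForm refuses anything whose signature, issuer, audience or time window does not match the association built from the portal metadata.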
PCT/CN2022/144019 (priority date 2021-12-31, filing date 2022-12-30): Single sign-on method and system for third-party application, and device and medium, published as WO2023125954A1 (en)

Applications Claiming Priority (2)

Application Number   Priority Date  Filing Date  Title
CN202111677170.X     2021-12-31
CN202111677170.XA    2021-12-31     2021-12-31   Single sign-on method, system and equipment for third party application (published as CN116415223A (en))

Publications (1)

Publication Number   Publication Date
WO2023125954A1 (en)  2023-07-06

Family

ID=86998214

Family Applications (1)

Application Number   Priority Date  Filing Date  Title
PCT/CN2022/144019    2021-12-31     2022-12-30   Single sign-on method and system for third-party application, and device and medium (published as WO2023125954A1 (en))

Country Status (2)

Country  Link
CN (1)   CN116415223A (en)
WO (1)   WO2023125954A1 (en)

Also Published As

Publication number Publication date
CN116415223A (en) 2023-07-11

Legal Events

Code 121 (Ep: the EPO has been informed by WIPO that EP was designated in this application); ref document number: 22915202; country of ref document: EP; kind code of ref document: A1