
CN103078932B - A kind of methods, devices and systems realizing universal single sign-on - Google Patents


Info

Publication number: CN103078932B
Application number: CN201210589796.XA
Authority: CN (China)
Prior art keywords: authentication, single sign, access system, request, middle layer
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN103078932A
Inventors: 江卫冲, 王春华, 俞新华, 叶璐, 刘利明, 陈若鹏
Current assignee: China Mobile Group Jiangsu Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Mobile Group Jiangsu Co Ltd

Events

  • Application filed by China Mobile Group Jiangsu Co Ltd
  • Priority to CN201210589796.XA
  • Publication of CN103078932A
  • Application granted
  • Publication of CN103078932B
  • Legal status: Active
  • Anticipated expiration

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method, device and system for realizing universal single sign-on. A service middle layer common to different single sign-on products is arranged between the access system and the single sign-on authentication server. When the service middle layer performs permission verification for the access system based on a universal single sign-on method, it receives the access request of the user's browser via the access system, submits the identity token contained in that request to the single sign-on authentication server for verification, and receives the authentication result returned by the single sign-on authentication server. The invention has each access system interact with the service middle layer rather than directly with the single sign-on product, and the service middle layer provides a universal single sign-on method; this guarantees the universality of single sign-on and allows permission verification to be performed uniformly for every access system.

Description

A method, device and system for realizing universal single sign-on

Technical field

The present invention relates to the field of communications, and in particular to a method, device and system for realizing universal single sign-on.

Background

As a common enterprise business integration solution, single sign-on (SSO) is already widely used in enterprise internal information systems. Implementing single sign-on requires a unified authentication system: before accessing an application system, a user must first be authenticated by that authentication system. After the user passes authentication, the authentication system records the user's login state and issues an identity token (Token) to the user's browser. When the user's browser accesses an application system, the application system first obtains the identity token, then checks the validity of the token with the authentication server and obtains the user's identity, and finally responds according to the verification result.

Implementing the above single sign-on process requires a certain amount of modification to the access system, and the specific method differs according to the single sign-on product and technical solution. Some solutions require a plug-in to be installed and deployed on the server of the access application system: the plug-in intercepts the HTTP request in advance and forwards it to the authentication server, the authentication server extracts the identity token for verification, and the application system can then obtain the user identity directly from the HTTP request (for example from an HTTP header). Other solutions require the access system itself to extract the identity token and send it to the authentication server for verification. Of these two kinds of solution, the single sign-on product of the first must provide plug-in support for every system, while the second generates the workload of carrying out the modification.

As the level of enterprise informatization keeps rising, single sign-on technology is applied extremely widely in enterprise internal information systems, but its use faces the following problems:

1. The enterprise's internal information system environment is complex, and a single sign-on product cannot necessarily support every system. Many current single sign-on products require a plug-in to be installed and deployed on the access system's server. Although plug-ins are plentiful, a specific plug-in must be deployed for each kind and version of operating system and server product, and the plug-ins supplied by the vendor, however varied, are still limited in number. Once an access system uses an application that the single sign-on product does not support, single sign-on cannot be implemented without changing the access system's architecture.

2. Replacing a single sign-on product is difficult and labour-intensive. An enterprise's internal information system sometimes replaces its single sign-on product for objective reasons (for example when the entry portal of the enterprise information system is replaced), and the single sign-on product is generally replaced together with the portal product. Once the single sign-on product is replaced, every system connected to it must be re-adapted to the requirements of the new product, which brings a large amount of development and testing work; this work inevitably affects system operation and introduces many uncontrollable factors.

3. It is not conducive to locating faults promptly. Most mature products install and deploy their plug-in on the web server of the access system, where it intercepts every request the web server receives, so in theory any fault in the access system could be related to the single sign-on product. Because the communication between the plug-in and the authentication server is invisible to the access system, it is hard for the access system's operators to determine simply whether a fault is related to the single sign-on product.

Summary of the invention

In view of this, the main purpose of the present invention is to provide a method, device and system for realizing universal single sign-on, so as to ensure the universality of single sign-on.

To achieve the above purpose, the technical solution of the present invention is realized as follows:

A system for realizing universal single sign-on, the system comprising a service middle layer and an access system, wherein:

the service middle layer is common to different single sign-on products, is arranged between the access system and the single sign-on authentication server, and is used to perform permission verification for the access system based on a universal single sign-on method;

the access system is used to send an authentication request to the service middle layer according to the access request of the user's browser, to receive the authentication result from the service middle layer, and to complete authorization according to the authentication result obtained.

The service middle layer comprises a general authentication server, an authentication processor and an authentication adapter, wherein:

the general authentication server is used to provide the authentication service, receiving authentication requests from the access system and returning authentication results to the access system;

the authentication processor is used to process the access system's authentication requests and return authentication results;

the authentication adapter is used to abstract and encapsulate the character data of the authentication requests provided by different single sign-on products, to shield the differences between different single sign-on authentication servers, and to provide an authentication service for the authentication processor to call.

A device for realizing universal single sign-on, the device being common to different single sign-on products, arranged between the access system and the single sign-on authentication server, and used to perform permission verification for the access system based on a universal single sign-on method; the device comprises a general authentication server, an authentication processor and an authentication adapter, wherein:

the general authentication server is used to provide the authentication service, receiving authentication requests from the access system and returning authentication results to the access system;

the authentication processor is used to process the access system's authentication requests and return authentication results;

the authentication adapter is used to abstract and encapsulate the character data of the authentication requests provided by different single sign-on products, to shield the differences between different single sign-on authentication servers, and to provide an authentication service for the authentication processor to call.

The general authentication server is used:

when processing an authentication request from the access system, to extract and organize the data of the request string in the authentication request and send the organized data to the single sign-on authentication server for authentication; and/or,

when returning the authentication result, to organize the data to be returned according to the request string of the authentication request and the result returned by the single sign-on authentication server, and to return the organized data to the access system.

When the device performs permission verification for the access system based on the universal single sign-on method, the general authentication server is used:

to receive, via the access system, the access request of the user's browser, submit the identity token it contains to the single sign-on authentication server for verification, and receive the authentication result returned by the single sign-on authentication server.

The device supports HTTP.

A method for realizing universal single sign-on, in which a service middle layer common to different single sign-on products is arranged between the access system and the single sign-on authentication server; the method further includes: when the service middle layer performs permission verification for the access system based on the universal single sign-on method, the service middle layer receives, via the access system, the access request of the user's browser, submits the identity token it contains to the single sign-on authentication server for verification, and receives the authentication result returned by the single sign-on authentication server.

Before the permission verification, the method further includes: the user's browser initiates an authentication request to the single sign-on authentication server, receives the issued identity token, and initiates an access request containing that identity token to the access system; and/or,

after the permission verification, the method further includes: the service middle layer returns the authentication result to the access system, and the access system completes authorization according to the authentication result obtained.

When the service middle layer performs permission verification for the access system based on the universal single sign-on method, it abstracts and encapsulates the character data of the authentication requests provided by different single sign-on products, shielding the differences between different single sign-on authentication servers.

The access system communicates with the service middle layer over HTTP in XML data format.

The present invention has each access system interact with the service middle layer rather than directly with the single sign-on product, and the service middle layer provides a universal single sign-on method; this guarantees universality across single sign-on products and allows permission verification to be performed uniformly for every access system.

Description of the drawings

FIG. 1 is a schematic diagram of a single sign-on system according to an embodiment of the present invention;

FIG. 2 is a single sign-on flowchart according to an embodiment of the present invention;

FIG. 3 is a simplified single sign-on flow diagram according to an embodiment of the present invention.

Detailed description

In practical application, the character data of the authentication requests provided by single sign-on products (for example, the character data of the authentication requests provided by several existing mature single sign-on products) can be abstracted and encapsulated, and a universal service middle layer added (for example an HTTP service middle layer; the HTTP service middle layer is used as the example in the description below). Each access system interacts with the service middle layer rather than directly with the single sign-on product, and the service middle layer provides a universal single sign-on method (for example an HTTP single sign-on method) so as to perform permission verification for each access system.

The present invention is described in detail below with reference to the accompanying drawings and specific examples.

Referring to FIG. 1, the HTTP service middle layer sits between the access system and the single sign-on authentication server and can interact with each of them separately, so as to shield the access system from direct interaction with the single sign-on authentication server. The HTTP service middle layer may comprise three parts: a general authentication server (for example an HTTP authentication server, which is used as the example below), an authentication processor and an authentication adapter.

1) HTTP authentication server

The HTTP authentication server can provide the authentication service, receiving authentication requests from the access system and returning authentication results to the access system. The format of the received data follows the data interface specification, and the interaction between the HTTP authentication server and the access system can follow a currently common protocol such as HTTP.

2) Authentication processor

The authentication processor can process the access system's authentication requests and return authentication results.

When processing an authentication request from the access system, the authentication processor can extract and organize the data of the request string in the authentication request and send the organized data to the single sign-on authentication server for authentication.

When returning the authentication result, the authentication processor can organize the data to be returned according to the request string of the authentication request and the result returned by the single sign-on authentication server, and return the organized data to the access system.

3) Authentication adapter

The authentication adapter can abstract and encapsulate the character data of the authentication requests provided by different single sign-on products, shield the differences between different single sign-on authentication servers, and provide a simple authentication service for the authentication processor to call. When the single sign-on authentication server's product is upgraded or changed, only the authentication adapter needs corresponding custom development; no modification of the access system is involved.

The access system refers to any kind of application system. When the user's browser accesses an application system, the user does not need to enter authentication information to complete verification; the system login is completed by means of the single sign-on function.

The access system can complete single sign-on access by communicating with the service middle layer in a specific data format over a common communication protocol according to the data interface specification, for example by communicating with the HTTP service middle layer over HTTP in XML data format.

On this basis the access system does not interact directly with the single sign-on authentication server, and replacing the single sign-on authentication server does not affect the access system's architecture.

In this embodiment the general authentication server provides the authentication service only to the HTTP service middle layer and to direct user access.

The user's browser refers to the browser the user uses to access the application system.

The aforementioned data interface specification defines the communication specification between the access system and the HTTP service middle layer during single sign-on. It comprises a request string and a response string, both of which can be encapsulated in XML and carried in the HTTP body.

1) Request string

The request string is a string in XML format defined for the verification request the access system sends to the HTTP service middle layer. It mainly comprises two parts, token and employee number (employeeNumber), and is defined as follows:

<request>
  <token>$token</token>
  <employeeNumber/>
</request>

The token field is a string recording the user's login information on the general authentication server; the access system can extract the token field from the user's HTTP request. Normally the token field must be filled in.

employeeNumber is the value of the employee number requested from the HTTP service middle layer. The employeeNumber field may be left empty; when it is not filled in, the corresponding value is not requested.

2) Response string

The response string is the XML string the HTTP service middle layer returns to the access system in reply to the access system's request, in the following form:

The status field indicates the single sign-on verification result and takes the value ok or error. ok means that the identity token corresponds to a user on the general authentication server and that the user is currently in a normally logged-in state; the HTTP service middle layer then returns the user identifier (uid) and the employeeNumber value to the access system. error means that the identity token is incorrect or has expired; the message value is returned.

The uid contains the identifier of the currently logged-in user.

employeeNumber is returned when the verification result is ok and the access system requested employee number information in its request; it contains the employee number of the currently logged-in user.

The message contains the error code.

It should be noted that single sign-on requires a mapping of account information. Since the account information of the access systems is not uniform, an access system is allowed to request several attributes of the user (such as the employee number) in order to map user identity. The access system adds the required attributes to the request string, and after obtaining the user id the HTTP service middle layer queries the required attributes from the general authentication server's account database (for example a Lightweight Directory Access Protocol (LDAP) directory) and returns them.

Based on the arrangement shown in FIG. 1, the process shown in FIG. 2 can be carried out; it comprises the following steps:

Step 1: The user logs in to the portal with the user's browser, initiating an authentication request to the single sign-on authentication server (a specific single sign-on product).

Step 2: The single sign-on authentication server records the login state of the user's browser and issues an identity token to it; the user's browser stores the identity token locally.

Step 3: The user accesses an access system with the user's browser (the access systems may share the same domain name suffix); the access request (HTTP request) the browser sends to the access system carries the locally stored identity token by default.

Step 4: The access system extracts the identity token from the user's HTTP request, encapsulates it into a request string according to the data interface specification, and submits it to the HTTP service middle layer as an authentication request.

Step 5: On receiving the access system's authentication request, the HTTP service middle layer submits the identity token contained in its request string to the single sign-on authentication server for verification.

Step 6: The single sign-on authentication server (the specific single sign-on product) verifies the received identity token and returns the authentication result to the HTTP service middle layer.

Step 7: The HTTP service middle layer encapsulates the authentication result into a response string and returns it to the access system.

Step 8: The access system completes authorization according to the authentication information in the response string it receives.

In the above process, steps 1 and 2 are prerequisites for logging in to an access system successfully by means of the single sign-on function; each access system completes single sign-on by repeating steps 3 to 8.
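The following is an added example, not code from the patent or its assignee, that models both the data interface specification above (the request and response strings, and the mandatory token check) and steps 3 to 8 of the flow. The two "products" and their adapters, the cookie name sso_token, the error codes E00/E01/E02 and the directory contents are constructed stand-ins; the <response> root element is an assumption, since the patent names the response fields (status, uid, employeeNumber, message) but the wrapper element is not shown on the page.

```python
# Added example, not the patent's code: a runnable model of the HTTP service
# middle layer. Products, adapters, cookie name, error codes and directory
# contents are constructed stand-ins; the <response> root tag is an assumption.
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

TOKEN_COOKIE = "sso_token"   # assumed name of the cookie carrying the token
ERR_BAD_REQUEST, ERR_MISSING_TOKEN, ERR_BAD_TOKEN = "E00", "E01", "E02"
DIRECTORY = {"zhang.san": "E1001", "li.si": "E2002"}   # LDAP stand-in: uid -> employee no.

class ProductA:
    """Hypothetical SSO product A: check() returns the uid, or None if invalid."""
    _sessions = {"tokA-123": "zhang.san"}

    def check(self, token):
        return self._sessions.get(token)

class ProductB:
    """Hypothetical SSO product B: validate() returns 'code|uid', code 0 = valid."""
    _sessions = {"tokB-9": "li.si"}

    def validate(self, token):
        uid = self._sessions.get(token)
        return f"0|{uid}" if uid else "1|"

class AuthAdapter:
    """Authentication adapter: subclasses normalise a product's answer to (ok, uid)."""
    def __init__(self, product):
        self.product = product

class ProductAAdapter(AuthAdapter):
    def verify(self, token):
        uid = self.product.check(token)
        return uid is not None, uid

class ProductBAdapter(AuthAdapter):
    def verify(self, token):
        code, _, uid = self.product.validate(token).partition("|")
        return code == "0", (uid or None)

def build_request(token, want_employee_number):
    """Access system: request string per the data interface specification."""
    req = ET.Element("request")
    ET.SubElement(req, "token").text = token
    if want_employee_number:
        ET.SubElement(req, "employeeNumber")   # empty element = please return it
    return ET.tostring(req, encoding="unicode")

def build_response(status, uid=None, employee_number=None, message=None):
    """Middle layer: response string carrying the fields the patent names."""
    resp = ET.Element("response")
    ET.SubElement(resp, "status").text = status
    for tag, value in (("uid", uid), ("employeeNumber", employee_number), ("message", message)):
        if value is not None:
            ET.SubElement(resp, tag).text = value
    return ET.tostring(resp, encoding="unicode")

def parse_response(response_xml):
    """Return the response fields as a dict; absent fields map to None."""
    resp = ET.fromstring(response_xml)
    return {tag: resp.findtext(tag) for tag in ("status", "uid", "employeeNumber", "message")}

def authentication_processor(request_xml, adapter):
    """Steps 5 to 7: parse the request string, verify through the adapter,
    add requested attributes from the directory, and build the response string."""
    try:
        req = ET.fromstring(request_xml)
    except ET.ParseError:
        return build_response("error", message=ERR_BAD_REQUEST)
    token = (req.findtext("token") or "").strip()
    if not token:                          # the token field is mandatory
        return build_response("error", message=ERR_MISSING_TOKEN)
    ok, uid = adapter.verify(token)        # product differences stop here
    if not ok:
        return build_response("error", message=ERR_BAD_TOKEN)
    employee_number = DIRECTORY.get(uid) if req.find("employeeNumber") is not None else None
    return build_response("ok", uid=uid, employee_number=employee_number)

def extract_token(cookie_header):
    """Step 4, first half: take the identity token from the Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[TOKEN_COOKIE].value if TOKEN_COOKIE in jar else None

def access_system_login(cookie_header, adapter, want_employee_number=True):
    """Steps 4 and 8 as seen by the access system. The middle layer is called
    directly here; in deployment it would be an HTTP POST carrying the XML."""
    token = extract_token(cookie_header)
    if token is None:
        return {"authorized": False, "reason": "no token"}
    response = parse_response(
        authentication_processor(build_request(token, want_employee_number), adapter))
    if response["status"] != "ok":
        return {"authorized": False, "reason": response["message"]}
    return {"authorized": True, "uid": response["uid"], "employeeNumber": response["employeeNumber"]}
```

The access system never interprets the token itself and never receives it back; it only acts on the middle layer's status, uid and employeeNumber, so swapping ProductA for ProductB changes one adapter class and nothing on the access-system side, which is the replaceability the patent claims. Because the access system sees its own request and the middle layer's reply, a failure is visible as an error code in message rather than as a silent drop inside a web-server plug-in.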

From the above description, the operating idea by which the present invention realizes universal single sign-on can be expressed as the process shown in FIG. 3, which comprises the following steps:

Step 310: Arrange, between the access system and the single sign-on authentication server, a service middle layer common to different single sign-on products;

Step 320: When the service middle layer performs permission verification for the access system based on the universal single sign-on method, the service middle layer receives, via the access system, the access request of the user's browser, submits the identity token it contains to the single sign-on authentication server for verification, and receives the authentication result returned by the single sign-on authentication server.

In summary, whether as a method or as the device or system that implements it, the universal single sign-on technique of the present invention has the following advantages:

1. It reduces dependence on the single sign-on product and so reduces the high cost and high risk of replacing it. The constructed service middle layer is what interacts with the specific single sign-on product, so when the product is replaced only the service middle layer needs to be modified, which saves a great deal of cost and work and reduces the influence of uncertain factors.

2. Access systems are supported more comprehensively. Every access system need only interact with the service middle layer, which guarantees the universality of single sign-on and avoids access systems being unable to connect because of incompatible system architectures.

3. Development and maintenance costs are low. Repeated work caused by differences between access system environments is avoided, and the operators of access systems do not need to know much about single sign-on products, which saves maintenance costs.

The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection.

Claims (9)

1. A system for realizing universal single sign-on, characterized in that the system comprises a service middle layer and an access system, wherein: the service middle layer is common to different single sign-on products, is arranged between the access system and the single sign-on authentication server, and is used to perform permission verification for the access system based on a universal single sign-on method and to abstract and encapsulate the character data of the authentication requests provided by different single sign-on products, shielding the differences between different single sign-on authentication servers; the access system is used to send an authentication request to the service middle layer according to the access request of the user's browser, to receive the authentication result from the service middle layer, and to complete authorization according to the authentication result obtained.

2. The system according to claim 1, characterized in that the service middle layer comprises a general authentication server, an authentication processor and an authentication adapter, wherein: the general authentication server is used to provide the authentication service, receiving authentication requests from the access system and returning authentication results to the access system; the authentication processor is used to process the access system's authentication requests and return authentication results; the authentication adapter is used to abstract and encapsulate the character data of the authentication requests provided by different single sign-on products, to shield the differences between different single sign-on authentication servers, and to provide an authentication service for the authentication processor to call.

3. A device for realizing universal single sign-on, characterized in that the device is common to different single sign-on products, is arranged between the access system and the single sign-on authentication server, and is used to perform permission verification for the access system based on a universal single sign-on method; the device comprises a general authentication server, an authentication processor and an authentication adapter, wherein: the general authentication server is used to provide the authentication service, receiving authentication requests from the access system and returning authentication results to the access system; the authentication processor is used to process the access system's authentication requests and return authentication results; the authentication adapter is used to abstract and encapsulate the character data of the authentication requests provided by different single sign-on products, to shield the differences between different single sign-on authentication servers, and to provide an authentication service for the authentication processor to call.

4. The device according to claim 3, characterized in that the general authentication server is used: when processing an authentication request from the access system, to extract and organize the data of the request string in the authentication request and send the organized data to the single sign-on authentication server for authentication; and/or, when returning the authentication result, to organize the data to be returned according to the request string of the authentication request and the result returned by the single sign-on authentication server, and to return the organized data to the access system.

5. The device according to claim 3 or 4, characterized in that, when the device performs permission verification for the access system based on the universal single sign-on method, the general authentication server is used to receive, via the access system, the access request of the user's browser, submit the identity token it contains to the single sign-on authentication server for verification, and receive the authentication result returned by the single sign-on authentication server.

6. The device according to claim 3, characterized in that the device supports HTTP.

7. A method for realizing universal single sign-on, characterized in that a service middle layer common to different single sign-on products is arranged between the access system and the single sign-on authentication server, the method further comprising: when the service middle layer performs permission verification for the access system based on the universal single sign-on method, abstracting and encapsulating the character data of the authentication requests provided by different single sign-on products, shielding the differences between different single sign-on authentication servers; the service middle layer receives, via the access system, the access request of the user's browser, submits the identity token it contains to the single sign-on authentication server for verification, and receives the authentication result returned by the single sign-on authentication server.
A method for realizing general single sign-on, characterized in that a service middle layer commonly used in different single sign-on products is set between the access system and the single sign-on authentication server, the method also includes: When the middle layer performs permission verification for the access system based on the general single sign-on method, it abstracts and encapsulates the character data of the authentication request provided by different single sign-on products, and shields the differences between different single sign-on authentication servers. The middle layer receives the access request from the user's browser through the access system, submits the identity token contained therein to the SSO authentication server for verification, and receives the authentication result returned by the SSO authentication server. 8.根据权利要求7所述的方法,其特征在于,8. The method of claim 7, wherein, 在进行所述权限验证之前,该方法还包括:用户浏览器向单点登录认证服务器发起认证请求,接收发放的身份令牌,并向接入系统发起包含该身份令牌的访问请求;和/或,Before performing the authority verification, the method further includes: the user browser initiates an authentication request to the single sign-on authentication server, receives the issued identity token, and initiates an access request containing the identity token to the access system; and/or or, 在进行所述权限验证之后,该方法还包括:服务中间层将认证结果返回给接入系统,接入系统根据得到的认证结果完成授权工作。After performing the authority verification, the method further includes: the service middle layer returns the authentication result to the access system, and the access system completes the authorization work according to the obtained authentication result. 9.根据权利要求7或8所述的方法,其特征在于,接入系统通过HTTP方式以XML数据格式与服务中间层进行通讯。9. The method according to claim 7 or 8, wherein the access system communicates with the service middle layer in XML data format through HTTP.
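The flow of claims 2 through 9 (access system sends an XML authentication request carrying the identity token, the processor picks a product-specific adapter, the adapter shields the product's wire format, and the access system authorizes only on the returned result) as an added illustration that is not the patent's own code. The product names, XML element names, token formats and in-memory token tables are all constructed assumptions standing in for real single sign-on servers.

```python
from abc import ABC, abstractmethod
import xml.etree.ElementTree as ET


class AuthAdapter(ABC):
    """Authentication adapter (claims 2-3): hides one SSO product's token check."""
    @abstractmethod
    def verify(self, token: str):
        """Return the authenticated subject, or None if the token is rejected."""


class ProductAAdapter(AuthAdapter):
    # Constructed stand-in for a product whose tokens look like "A:<id>".
    _issued = {"A:tok-111": "alice"}

    def verify(self, token):
        return self._issued.get(token)


class ProductBAdapter(AuthAdapter):
    # Constructed stand-in for a product that answers "OK:<user>" or "FAIL".
    _issued = {"tok-222": "OK:bob"}

    def verify(self, token):
        reply = self._issued.get(token, "FAIL")
        return reply[3:] if reply.startswith("OK:") else None


class AuthProcessor:
    """Claims 4-5: take the request string apart, call the adapter, build the reply."""
    def __init__(self, adapters):
        self.adapters = adapters  # product name -> AuthAdapter

    def process(self, request_xml: str) -> str:
        root = ET.fromstring(request_xml)
        product = (root.findtext("product") or "").strip()
        token = (root.findtext("token") or "").strip()
        adapter = self.adapters.get(product)
        # Fail closed: an unknown product or an empty token never yields ALLOW.
        subject = adapter.verify(token) if adapter and token else None
        reply = ET.Element("authResult")
        ET.SubElement(reply, "result").text = "ALLOW" if subject else "DENY"
        ET.SubElement(reply, "subject").text = subject or ""
        return ET.tostring(reply, encoding="unicode")


def access_system_authorizes(result_xml: str):
    """Access system side (claim 8): grant only on an explicit ALLOW with a subject."""
    root = ET.fromstring(result_xml)
    if root.tag != "authResult" or root.findtext("result") != "ALLOW":
        return None
    return root.findtext("subject") or None


PROCESSOR = AuthProcessor({"productA": ProductAAdapter(), "productB": ProductBAdapter()})
```

A request for a product the middle layer has no adapter for, or a token valid for one product but presented under another, is denied rather than passed through.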
Application CN201210589796.XA, priority date 2012-12-31, filing date 2012-12-31: A kind of methods, devices and systems realizing universal single sign-on (CN103078932B, Active)

Publications (2)

Publication Number Publication Date
CN103078932A (en) 2013-05-01
CN103078932B true CN103078932B (en) 2016-01-27