
CN111988275A - Single sign-on method, single sign-on server cluster and electronic equipment - Google Patents


Info

Publication number: CN111988275A
Application number: CN202010680941.XA
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending (the legal status shown is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Inventors: 施甘图, 陈旭, 庭治宏, 杨小康
Current and original assignees: Lahuobao Network Technology Co ltd; Hongtu Intelligent Logistics Co ltd (the listed assignees may be inaccurate)
Priority application: CN202010680941.XA
Prior art keywords: user, single sign-on, token, application, temporary key

Classifications (CPC, section H, Electricity; class H04, Electric communication technique; subclass H04L, Transmission of digital information)

    • H04L 63/0815: network architectures or protocols for network security; authentication of entities; providing single-sign-on or federations
    • H04L 63/10: network architectures or protocols for network security; controlling access to devices or network resources
    • H04L 9/0631: cryptographic mechanisms; block ciphers; substitution permutation network [SPN], i.e. a cipher composed of rounds of linear and nonlinear transformations, e.g. AES
    • H04L 9/0637: cryptographic mechanisms; block ciphers; modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H04L 9/3213: cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication, involving a third party or trusted authority, using tickets or tokens, e.g. Kerberos

Abstract

The application provides a single sign-on method, a single sign-on server cluster and an electronic device. The method comprises: receiving a user authentication request containing user information from a user; based on that request, each of the multiple single sign-on servers encrypts the user information according to a first preset encryption rule and compares the result with the user identity information in an authentication authorization database to decide whether the user information is valid; if it is valid, obtaining a token, encrypting the token with a second preset encryption rule on each single sign-on server, and sending the user a temporary key corresponding to the encrypted token, an application list made up of the system names of multiple application systems, and the web access address of each application system; and receiving a login instruction from the user, opening a new tab according to that instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login.

Description

Single sign-on method, single sign-on server cluster and electronic equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a single sign-on method, a single sign-on server cluster, and an electronic device.
Background
At present, with network-based applications becoming ever more widespread and the range of services in different fields ever richer, the use of a Single Sign-On (SSO) system is becoming more and more important: a user logs on once and can then access every mutually trusting cross-domain application system.
In the prior art, on the one hand, single sign-on systems and methods use a single sign-on server, whose concurrency is limited; under heavy concurrency the large volume of data exchanged causes long data-synchronization delays. On the other hand, because one login grants access to every authorized application system, some important information may be leaked.
Disclosure of Invention
The present application aims to provide a single sign-on method, a single sign-on server cluster and an electronic device that overcome the technical defects that the concurrency of a single sign-on server is limited and that a considerable security risk exists.
In a first aspect, an embodiment of the present application provides a single sign-on method, the method comprising: receiving a user authentication request containing user information from a user; based on that request, each of the multiple single sign-on servers encrypting the user information according to a first preset encryption rule and comparing the encrypted user information with the user identity information in an authentication authorization database to judge whether the user information is valid; if the user information is valid, obtaining a token, encrypting the token with a second preset encryption rule on each of the multiple single sign-on servers, and sending the user a temporary key corresponding to the encrypted token, an application list made up of the system names of multiple application systems, and the web access address of each application system, wherein the temporary key is used to cache the encrypted token for the user in a cache space, keyed by the user name; and receiving a login instruction from the user, opening a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login.
With reference to the first aspect, in a first possible implementation manner, after obtaining the token when the user information is valid, the method further comprises: setting an expiry duration for the token.
With reference to the first aspect, in a second possible implementation manner, comparing the encrypted user information with the user identity information in the authentication authorization database to judge whether the user information is valid comprises: searching the authentication authorization database, according to the encrypted user information, for the trust credential mapped to that user information, and if it is found sending an authentication success message to each of the multiple single sign-on servers, otherwise sending an authentication failure message to each of them.
With reference to the first aspect, in a third possible implementation manner, the second preset encryption rule on each of the multiple single sign-on servers is the AES-CBC algorithm.
With reference to the first aspect, in a fourth possible implementation manner, receiving a login instruction from the user, opening a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the multiple application systems to be logged in have completed login comprises: receiving a login instruction that contains the temporary key, an identifier corresponding to each application system and the access address corresponding to the new tab, where the identifier of each application system is that system's application code; jumping to the page corresponding to the new tab according to the access address in the login instruction; and receiving the instruction in which the temporary key is used to request the token, and determining whether the multiple application systems to be logged in have completed login.
In a second aspect, an embodiment of the present application provides a single sign-on method, the method comprising: a user sending a user authentication request containing user information and, based on that request, obtaining a temporary key corresponding to a token, an application list made up of the system names of multiple application systems, and the web access address of each application system; displaying the application list to the user, the user clicking to select and confirm the system name of the application system to be logged in, and then generating a login instruction that contains the temporary key, the identifier corresponding to each application system and the access address corresponding to a new tab; and the user requesting the token with the temporary key, and, if the token is obtained successfully, determining that the multiple application systems to be logged in have completed login.
In a third aspect, an embodiment of the present application provides a single sign-on server cluster comprising multiple single sign-on servers, the cluster being configured to: receive a user authentication request containing user information from a user; based on that request, have each of the multiple single sign-on servers encrypt the user information according to a first preset encryption rule and compare the encrypted user information with the user identity information in an authentication authorization database to judge whether the user information is valid; if the user information is valid, obtain a token, encrypt the token with a second preset encryption rule on each of the multiple single sign-on servers, and send the user a temporary key corresponding to the encrypted token, an application list made up of the system names of multiple application systems, and the web access address of each application system, wherein the temporary key is used to cache the encrypted token for the user in a cache space, keyed by the user name; and receive a login instruction from the user, open a new tab according to the login instruction, receive an instruction in which the temporary key is used to request the token, and determine whether the multiple application systems to be logged in have completed login.
In a fourth aspect, an embodiment of the present application provides an electronic device comprising: a first processing module, for the user to send a user authentication request containing user information and, based on that request, to obtain a temporary key corresponding to the token, an application list made up of the system names of multiple application systems, and the web access address of each application system; a second processing module, for displaying the application list to the user and, after the user clicks to select and confirm the system name of the application system to be logged in, generating a login instruction that contains the temporary key, the identifier corresponding to each application system and the access address corresponding to a new tab; and a third processing module, for the user to request the token with the temporary key and, if the token is obtained successfully, to determine that the multiple application systems to be logged in have completed login.
The beneficial effects of the invention are as follows. The technical solution of the embodiments introduces a single sign-on server cluster, which makes it feasible to handle a large volume of concurrent data exchange with cluster technology. In addition, the user information in the user authentication request is encrypted under the first preset encryption rule and the token under the second preset encryption rule, so malicious interception or attack is made harder and the security of the single sign-on method is improved.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. The following drawings illustrate only some embodiments of the present application and should not be taken as limiting its scope; those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a single sign-on method according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another single sign-on method according to an embodiment of the present disclosure;
fig. 3 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that like reference numbers and letters refer to like items in the figures, so once an item has been defined in one figure it need not be defined or explained again in subsequent figures. Likewise, in the description of the present application the terms "first", "second" and the like are used only to distinguish one item from another and do not indicate or imply relative importance.
In an embodiment of the present application, the single sign-on method is applied to a single sign-on server cluster comprising multiple single sign-on servers, each of which performs the following operations: receiving a user authentication request containing user information from a user; based on that request, encrypting the user information according to a first preset encryption rule and comparing the encrypted user information with the user identity information in an authentication authorization database to judge whether the user information is valid; if the user information is valid, obtaining a token, encrypting the token with a second preset encryption rule, and sending the user a temporary key corresponding to the encrypted token, an application list made up of the system names of multiple application systems, and the web access address of each application system, wherein the temporary key is used to cache the encrypted token for the user in a cache space, keyed by the user name; and receiving a login instruction from the user, opening a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the multiple application systems to be logged in have completed login.
Referring to fig. 1, which is a schematic flowchart of a single sign-on method according to an embodiment of the present disclosure, the single sign-on method comprises steps S11, S12, S13 and S14.
Step S11: receiving a user authentication request containing user information from a user;
Step S12: based on the user authentication request, each of the multiple single sign-on servers encrypting the user information according to a first preset encryption rule and comparing the encrypted user information with the user identity information in an authentication authorization database to judge whether the user information is valid;
Step S13: if the user information is valid, obtaining a token, encrypting the token with a second preset encryption rule on each of the multiple single sign-on servers, and sending the user a temporary key corresponding to the encrypted token, an application list made up of the system names of multiple application systems, and the web access address of each application system, wherein the temporary key caches the encrypted token for the user in a cache space, keyed by the user name;
Step S14: receiving a login instruction from the user, opening a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login.
Step S11: receiving a user authentication request containing user information from a user.
The user sends a user authentication request carrying user information to the single sign-on server cluster, and the cluster receives it. The user information may include a user account and a user login password.
Step S12: based on the user authentication request, each of the multiple single sign-on servers encrypts the user information according to a first preset encryption rule and compares the encrypted user information with the user identity information in an authentication authorization database to judge whether the user information is valid.
On receiving the user authentication request, the single sign-on server cluster may first determine whether the request is a "first access", that is, whether the user has not yet logged in to the target application system and is accessing it for the first time. If so, each of the multiple single sign-on servers encrypts the user information according to the first preset encryption rule and compares the encrypted user information with the user identity information in the authentication authorization database to judge whether the user information is valid.
In detail, according to the encrypted user information, the trust credential mapped to that user information is looked up in the authentication authorization database; if it is found, an authentication success message is sent to each of the multiple single sign-on servers, otherwise an authentication failure message is sent to each of them. This login authentication checks whether the identity information of the target user carried in the access request is legitimate.
The user identity information table is one or more pre-established data tables that store the correspondence between user accounts and user login passwords. A user may send a registration request, containing the user account and user login password, to the single sign-on server cluster through a client in advance; once the cluster detects that registration has succeeded, it stores the user's name and password in the user registration table. Alternatively, the cluster may obtain each user account and login password directly from input through a human-computer interaction interface and store the correspondence between them in the user identity information table. Only when the trust credential mapped to the user information is found in the authentication authorization database is the user information shown to be valid, so unauthenticated user information cannot proceed to the operations of steps S13 and S14, which secures the single sign-on.
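The page does not name the first preset encryption rule and describes the table as holding account/password pairs. The added example below (not code from the patent) realizes step S12 the way a practitioner would: the stored record is a salted PBKDF2-HMAC-SHA256 derivation rather than a reversible encryption, so the comparison works on the transformed credential and the table never holds a recoverable password. The account name, password, iteration count and the in-memory dict standing in for the authentication authorization database are all constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not the patent's code. Stands in for step S12: the submitted
# credential is transformed with the "first preset encryption rule" and compared
# with the stored user identity information. The rule is assumed to be a salted,
# slow, one-way derivation so the table holds no recoverable passwords.
PBKDF2_ITERATIONS = 100_000  # assumption; OWASP suggests 600,000 for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DUMMY_SALT = b"\x00" * SALT_BYTES  # used for unknown accounts, see authenticate()
DUMMY_HASH = b"\x00" * 32


def derive(password: str, salt: bytes) -> bytes:
    """First preset encryption rule (assumed): PBKDF2-HMAC-SHA256 over the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(db: dict, account: str, password: str) -> None:
    """Registration path: store a fresh salt and the derived key, never the password."""
    salt = os.urandom(SALT_BYTES)
    db[account] = (salt, derive(password, salt))


def authenticate(db: dict, account: str, password: str) -> bool:
    """Step S12 check. Unknown accounts still pay the PBKDF2 cost and the
    comparison is constant-time, so neither timing nor an early return reveals
    which accounts exist in the authentication authorization database."""
    salt, stored = db.get(account, (DUMMY_SALT, DUMMY_HASH))
    candidate = derive(password, salt)
    return hmac.compare_digest(candidate, stored) and account in db


def build_demo_db() -> dict:
    """Constructed sample table with one registered user."""
    db = {}
    register(db, "alice", "correct horse battery staple")
    return db
```

Because the stored value is salted, two users with the same password get different records, and the record cannot be turned back into the password by anyone who reads the table; this is the property the patent's "compare the encrypted user information with the stored identity information" step depends on.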
Step S13: if the user information is valid, obtaining a token, encrypting the token with a second preset encryption rule on each of the multiple single sign-on servers, and sending the user a temporary key corresponding to the encrypted token, an application list made up of the system names of multiple application systems, and the web access address of each application system, wherein the temporary key caches the encrypted token for the user in a cache space, keyed by the user name.
Once the user information has been authenticated against the authentication authorization database it is valid and can be trusted, and a token is obtained. Because an application system authorized for the user permits login-free operation to whoever presents the token, the token is encrypted with the second preset encryption rule on each of the multiple single sign-on servers, which improves the security of the token and makes the whole single sign-on operation safer.
In detail, after the token is obtained an expiry duration is set for it. From the moment it is generated the token is valid within the expiry duration and can be carried for authentication; if the time from generation to presentation exceeds the expiry duration, the token is invalid.
The second preset encryption rule applied to the token on each of the multiple single sign-on servers may be the AES-CBC algorithm, or HMAC-SHA256. Note that HMAC-SHA256 is a keyed message authentication code rather than a cipher: it lets the servers detect a modified or forged token but does not conceal its contents, whereas AES-CBC conceals the contents but on its own does not detect modification. Whichever rule is used, every server in the cluster must hold the same key, otherwise a token produced on one server cannot be checked on another.
The token is then cached and a temporary key is generated. The cache may be a Redis cache or a Memcache cache; the embodiment of the present application uses Redis. The temporary key corresponding to the encrypted token, the application list made up of the system names of the multiple application systems, and the web access address of each application system are sent to the user. The user can jump to the web access address of any application system, which opens in a new tab.
Each application system may provide a different business service. The application systems may be deployed on different application servers or on the same application server; the present invention does not limit the way the multiple application systems are deployed.
Each of the multiple application systems may adopt a front-end/back-end separated architecture, in which data is processed as follows: the front end interacts with the client, obtains the data stored in the back end and returns it to the client. Front end and back end are thus clearly separated, the application system's data is decoupled, and system performance improves.
The user may establish a communication connection with the multiple application systems through a client, for example to log in to them and/or request service data from them; the client may be a mobile phone, a tablet, a personal computer or the like.
Step S14: receiving a login instruction from the user, opening a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login.
After receiving from the single sign-on server cluster the temporary key corresponding to the encrypted token, the application list of system names and the web access address of each application system, the user generates a login instruction and sends it to the cluster.
In detail, the login instruction contains the temporary key, an identifier corresponding to each application system and the access address corresponding to the new tab, where the identifier of each application system is that system's application code. The single sign-on server cluster receives the login instruction from the user, opens a new tab according to it, receives the instruction in which the temporary key is used to request the token, and determines whether the multiple application systems to be logged in have completed login.
Referring to fig. 2, another single sign-on method provided in the embodiment of the present application includes: step S21, step S22, and step S23.
Step S21: a user sends a user authentication request containing user information and, based on that request, obtains a temporary key corresponding to a token, an application list made up of the system names of multiple application systems, and the web access address of each application system;
Step S22: the application list is displayed to the user, the user clicks to select and confirm the system name of the application system to be logged in, and a login instruction is generated that contains the temporary key, the identifier corresponding to each application system and the access address corresponding to a new tab;
Step S23: the user requests the token with the temporary key, and if the token is obtained successfully it is determined that the multiple application systems to be logged in have completed login.
Step S21: the user sends a user authentication request containing user information and, based on that request, obtains a temporary key corresponding to the token, an application list made up of the system names of multiple application systems, and the web access address of each application system.
In detail, the user sends a user authentication request containing user information to the single sign-on server cluster through a client; the user information is authenticated against the authentication authorization database, and the client receives from the cluster the temporary key corresponding to the token, the application list made up of the system names of the multiple application systems, and the web access address of each application system.
Step S22: the application list is displayed to the user, the user clicks to select and confirm the system name of the application system to be logged in, and a login instruction is generated that contains the temporary key, the identifier corresponding to each application system and the access address corresponding to the new tab.
In detail, a browser may be installed on the client, and the browser may display a login page that provides a login button. The client receives the application list of system names and displays it to the user, who clicks the names of the application systems to be logged in according to actual need. After the system name of at least one application system has been selected and confirmed, when the user clicks the confirm button the temporary key and the identifier of each selected application system are appended to the access address of the new tab and the jump is made. When the user clicks the login button, the single sign-on server cluster determines that a login instruction has been detected.
Step S23: the user requests the token with the temporary key, and if the token is obtained successfully it is determined that the multiple application systems to be logged in have completed login.
If the login instruction generated by the client contains a temporary key, that temporary key may be used to request the token for the multiple application systems. The temporary key representing the token, as sent by the client, is compared with the token in the Redis cache: if they match the request is allowed through, otherwise it is rejected. That is, if the comparison matches, login to the multiple application systems is complete; otherwise login to them fails.
Referring to FIG. 3, the electronic device 100 includes:
the first processing module 110, configured to send a user authentication request containing user information on behalf of the user and, based on that request, obtain a temporary key corresponding to the token, an application list composed of the system names of a plurality of application systems, and a webpage access address corresponding to each application system;
the second processing module 120, configured to display the application list to the user and, after the user clicks and confirms the system name of each application system to be logged in, generate a login instruction comprising the temporary key, an identifier corresponding to each application system, and the access address corresponding to a new tab;
the third processing module 130, configured to request the token using the temporary key on behalf of the user and, if the token is obtained successfully, determine that the application systems to be logged in have completed login.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, the user equipment and the modules described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
To sum up, the embodiment of the present application provides a single sign-on method, which includes: receiving a user authentication request containing user information sent by a user; based on the user authentication request, each single sign-on server in the plurality of single sign-on servers encrypts the user information according to a first preset encryption rule and compares the encrypted user information with the user identity information in an authentication authorization database to judge whether the user information is valid; if the user information is valid, obtaining a token, encrypting the token according to a second preset encryption rule in each single sign-on server of the plurality of single sign-on servers, and sending to the user a temporary key corresponding to the encrypted token, an application list composed of the system names of a plurality of application systems, and a webpage access address corresponding to each application system, wherein the temporary key is used to cache the encrypted token in a cache space for the user with the user name as the key; and receiving a login instruction sent by the user, jumping to a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login.
According to the technical solution provided by the embodiment of the invention, a single sign-on server cluster is introduced, making it feasible to process a large volume of concurrent data interaction on the basis of cluster technology; and because the user information in the user authentication request is encrypted under the first preset encryption rule and the token under the second preset encryption rule, malicious interception or attack is less likely to succeed, so the security of the single sign-on method can be improved.
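To make the flow of steps S21 to S23 and the summary above concrete, the following is an added Python model of the server-cluster side (example code written for this page, not the patent's or the applicant's own implementation). It assumes an in-memory dictionary with per-entry expiry in place of the Redis cache, a salted PBKDF2 hash as the first preset encryption rule, and, because the Python standard library has no AES, an HMAC-SHA256 tag under a cluster-wide key in place of the AES-CBC step named in claim 4. The temporary key is assumed to be a random single-use string, and the login instruction is assumed to carry the user name so that the cluster can look up the entry cached under it. The names `authenticate`, `exchange_temp_key`, `Cache`, `AUTH_DB` and `APP_LIST`, the TTL value, and the sample user and application systems are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 300  # claim 2: the token carries an expiry time (value is an assumption)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """First preset encryption rule stand-in: salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed authentication/authorisation database: user name -> (salt, stored hash).
_SALT = b"constructed-salt-not-for-real-use"
AUTH_DB = {"alice": (_SALT, _pbkdf2("correct horse battery", _SALT))}

# Constructed application list: system name -> web access address.
APP_LIST = {"crm": "https://crm.example.invalid/sso", "wms": "https://wms.example.invalid/sso"}

# Key shared by every server in the cluster (assumption: distributed out of band).
SERVER_KEY = os.urandom(32)


class Cache:
    """Minimal stand-in for the Redis cache: key -> (value, expires_at)."""

    def __init__(self) -> None:
        self._store: dict = {}

    def set(self, key: str, value, ttl: float, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._store[key] = (value, now + ttl)

    def get(self, key: str, now: Optional[float] = None):
        now = time.time() if now is None else now
        item = self._store.get(key)
        if item is None or item[1] <= now:  # an expired entry is treated as absent
            self._store.pop(key, None)
            return None
        return item[0]

    def delete(self, key: str) -> None:
        self._store.pop(key, None)


CACHE = Cache()


def seal_token(token: bytes) -> bytes:
    """Second preset encryption rule stand-in: token || HMAC-SHA256 tag under the
    cluster key. Claim 4 names AES-CBC; this replaces it only because the standard
    library ships no AES implementation."""
    return token + hmac.new(SERVER_KEY, token, "sha256").digest()


def authenticate(username: str, password: str, now: Optional[float] = None):
    """Step S21 / claim 1: check the credential against AUTH_DB, mint a token, cache
    it under the user name, and hand the client only a temporary key plus the
    application list and access addresses. Returns None on authentication failure."""
    record = AUTH_DB.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return None  # authentication failure message (claim 3)
    token = secrets.token_bytes(32)
    temp_key = secrets.token_urlsafe(32)
    CACHE.set(username, {"token": seal_token(token), "temp_key": temp_key},
              TOKEN_TTL_SECONDS, now)
    return {"temp_key": temp_key, "app_list": list(APP_LIST), "urls": dict(APP_LIST)}


def exchange_temp_key(username: str, temp_key: str, app_ids, now: Optional[float] = None):
    """Step S23 / claim 5: compare the presented temporary key with the cached entry;
    on a match release the sealed token for the selected systems, otherwise reject.
    The key is single-use and is gone once the cache entry expires."""
    entry = CACHE.get(username, now)
    if entry is None:
        return {"ok": False, "reason": "no live token for user (expired or never issued)"}
    if not hmac.compare_digest(entry["temp_key"].encode("ascii"), temp_key.encode("utf-8")):
        return {"ok": False, "reason": "temporary key mismatch"}
    unknown = [a for a in app_ids if a not in APP_LIST]
    if unknown:
        return {"ok": False, "reason": f"unknown application systems: {unknown}"}
    CACHE.delete(username)  # single use: a replayed key is rejected
    return {"ok": True, "token": entry["token"], "logged_in": list(app_ids)}


if __name__ == "__main__":
    issued = authenticate("alice", "correct horse battery")
    print(exchange_temp_key("alice", issued["temp_key"], ["crm", "wms"])["ok"])
```

The part a reviewer of such a design would look at is `exchange_temp_key`: the comparison is constant-time, the cache entry is deleted on the first successful exchange, and an expired entry is indistinguishable from one that was never issued, so a stale or replayed temporary key is rejected rather than released. The client never sees the sealed token itself until the exchange succeeds, which is the property the description's "release or reject" comparison relies on.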
The above description covers only specific embodiments of the present application, but the scope of the application is not limited to them; any change or substitution that a person skilled in the art could easily conceive within the technical scope of the application shall be covered by it. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A method of single sign-on, the method comprising:
receiving a user authentication request containing user information sent by a user;
based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts the user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid;
if the user information is valid, obtaining a token, encrypting the token according to a second preset encryption rule in each single sign-on server of the plurality of single sign-on servers, and sending to the user a temporary key corresponding to the encrypted token, an application list composed of the system names of a plurality of application systems, and a webpage access address corresponding to each application system, wherein the temporary key is used to cache the encrypted token in a cache space for the user with the user name as the key;
and receiving a login instruction sent by the user, jumping to a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login.
2. The single sign-on method of claim 1, wherein after obtaining the token if the user information is valid, the method further comprises:
and setting the expiration time of the token.
3. The single sign-on method of claim 1, wherein the comparing the encrypted user information with user identity information in an authentication and authorization database to determine whether the user information is valid comprises:
and searching, according to the encrypted user information, for a trust credential mapped to the user information in the authentication authorization database; if it is found, sending an authentication success message to each of the single sign-on servers, otherwise sending an authentication failure message to each of the single sign-on servers.
4. The single sign-on method of claim 1, wherein the second predetermined encryption rule in each of the plurality of single sign-on servers is an AES-CBC algorithm.
5. The single sign-on method according to claim 1, wherein the receiving a login instruction sent by the user, jumping to a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login comprises:
receiving the login instruction, wherein the login instruction comprises: the temporary key, an identifier corresponding to each of the application systems, and an access address corresponding to a new tab, wherein the identifier corresponding to each of the application systems encodes an application code for that application system;
jumping to the page corresponding to the new tab according to the access address corresponding to the new tab in the login instruction;
and receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login.
6. A method of single sign-on, the method comprising:
a user sends a user authentication request containing user information and, based on the user authentication request, obtains a temporary key corresponding to a token, an application list composed of the system names of a plurality of application systems, and a webpage access address corresponding to each application system;
displaying the application list to the user; after the user clicks and confirms the system name of each application system to be logged in, generating a login instruction, wherein the login instruction comprises the temporary key, an identifier corresponding to each application system, and an access address corresponding to a new tab;
and requesting, on behalf of the user, to obtain the token using the temporary key, and determining that the application systems to be logged in have completed login if the user successfully obtains the token.
7. A single sign-on server cluster comprising a plurality of single sign-on servers, the single sign-on server cluster configured to:
receiving a user authentication request containing user information sent by a user;
based on the user authentication request, each single sign-on server in the multiple single sign-on servers encrypts the user information according to a first preset encryption rule, and compares the encrypted user information with user identity information in an authentication authorization database to judge whether the user information is valid;
if the user information is valid, obtaining a token, encrypting the token according to a second preset encryption rule in each single sign-on server of the plurality of single sign-on servers, and sending to the user a temporary key corresponding to the encrypted token, an application list composed of the system names of a plurality of application systems, and a webpage access address corresponding to each application system, wherein the temporary key is used to cache the encrypted token in a cache space for the user with the user name as the key;
and receiving a login instruction sent by the user, jumping to a new tab according to the login instruction, receiving an instruction in which the temporary key is used to request the token, and determining whether the application systems to be logged in have completed login.
8. An electronic device, characterized in that the electronic device comprises:
a first processing module, a second processing module and a third processing module, wherein the first processing module is configured to send a user authentication request containing user information on behalf of the user and, based on the user authentication request, obtain a temporary key corresponding to a token, an application list composed of the system names of a plurality of application systems, and a webpage access address corresponding to each application system;
the second processing module is configured to display the application list to the user and, after the user clicks and confirms the system name of each application system to be logged in, generate a login instruction, wherein the login instruction comprises the temporary key, the identifier corresponding to each application system, and the access address corresponding to a new tab;
and the third processing module is configured to request, on behalf of the user, to obtain the token using the temporary key, and to determine that the application systems to be logged in have completed login if the user successfully obtains the token.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010680941.XA CN111988275A (en) 2020-07-15 2020-07-15 Single sign-on method, single sign-on server cluster and electronic equipment

Publications (1)

Publication Number Publication Date
CN111988275A true CN111988275A (en) 2020-11-24

Family

ID=73438674

Country Status (1)

Country Link
CN (1) CN111988275A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111410A (en) * 2011-01-13 2011-06-29 中国科学院软件研究所 Agent-based single sign on (SSO) method and system
CN103188248A (en) * 2011-12-31 2013-07-03 卓望数码技术(深圳)有限公司 Identity authentication system and method based on single sign-on
US8713658B1 (en) * 2012-05-25 2014-04-29 Graphon Corporation System for and method of providing single sign-on (SSO) capability in an application publishing environment
US20140143847A1 (en) * 2012-05-25 2014-05-22 Graphon Corporation System for and method of providing single sign-on (sso) capability in an application publishing environment
CN103634269A (en) * 2012-08-21 2014-03-12 中国银联股份有限公司 A single sign-on system and a method
CN103227799A (en) * 2013-05-13 2013-07-31 山东临沂烟草有限公司 Implementing method of unified user management and single sign-on platform based on multiple application systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
梁志罡: "基于Web_service的混合架构单点登录的设计", 《计算机应用》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112714166A (en) * 2020-12-22 2021-04-27 新华三大数据技术有限公司 Multi-cluster management method and device for distributed storage system
CN112714166B (en) * 2020-12-22 2022-03-29 新华三大数据技术有限公司 Multi-cluster management method and device for distributed storage system
CN112613022A (en) * 2020-12-25 2021-04-06 航天信息股份有限公司 Method and system for user single sign-on service system
CN112769826A (en) * 2021-01-08 2021-05-07 深信服科技股份有限公司 Information processing method, device, equipment and storage medium
CN112887284A (en) * 2021-01-14 2021-06-01 北京电解智科技有限公司 Access authentication method and device
CN114254292A (en) * 2021-12-13 2022-03-29 以萨技术股份有限公司 Unified management platform based on application

Similar Documents

Publication Publication Date Title
US9473568B2 (en) Detecting code injections through cryptographic methods
CN108322461B (en) Method, system, device, equipment and medium for automatically logging in application program
CN111988275A (en) Single sign-on method, single sign-on server cluster and electronic equipment
US10270758B2 (en) Login method, server, and login system
US8484480B2 (en) Transmitting information using virtual input layout
US6629246B1 (en) Single sign-on for a network system that includes multiple separately-controlled restricted access resources
CN106330850B (en) Security verification method based on biological characteristics, client and server
CN100544361C (en) The method and apparatus that is used for managing session identifiers
US8375425B2 (en) Password expiration based on vulnerability detection
KR20210095093A (en) Method for providing authentification service by using decentralized identity and server using the same
CN109726578B (en) Dynamic two-dimensional code anti-counterfeiting solution
US9198036B2 (en) Method for providing application service
CN108259502A (en) For obtaining the identification method of interface access rights, server-side and storage medium
CN105491058B (en) API access distributed authorization method and system
US20090183246A1 (en) Universal multi-factor authentication
KR102372503B1 (en) Method for providing authentification service by using decentralized identity and server using the same
EP2311020A1 (en) Method and system for securing communication sessions
CN103812651A (en) Password authentication method, device and system
CN101902329A (en) Method and device for single sign on
CN112118238A (en) Method, device, system, equipment and storage medium for authentication login
CN110912676A (en) Key management method and system
US20100250607A1 (en) Personal information management apparatus and personal information management method
KR102771347B1 (en) Integrated log data security management system based on blockchain
CN105100107B (en) The method and apparatus of agent client account certification
CN115130116A (en) Business resource access method, device, equipment, readable storage medium and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20201124)