CN105812350B - Cross-platform single sign-on system - Google Patents
- Publication number: CN105812350B (application CN201610087728.1A)
- Authority: CN (China)
- Prior art keywords
- application platform
- user
- platform
- main application
- identity authentication
- Prior art date
- Legal status: Expired - Fee Related (status as listed by Google, an assumption rather than a legal conclusion)
Classifications
- H04L: Transmission of digital information, e.g. telegraphic communication (H: Electricity; H04: Electric communication technique)
  - H04L63/08: network architectures or protocols for network security, authentication of entities
    - H04L63/0815: providing single-sign-on or federations
    - H04L63/083: using passwords
    - H04L63/0892: using authentication-authorization-accounting [AAA] servers or protocols
  - H04L67/01: protocols supporting network services or applications
    - H04L67/10: protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a cross-platform single sign-on system comprising: a main application platform and a secondary application platform, each provided with its own unique digital identifier; a user side that runs the main application platform, which requires user identity authentication; and a database management server that authenticates the user's identity when the user logs in to the main application platform for the first time. If authentication succeeds, the server generates an authorization identifier for the main application platform and obtains a correspondence table of the digital identifiers of main and secondary application platforms between which single sign-on is allowed. If that table records such a correspondence between the main application platform's and the secondary application platform's digital identifiers, the secondary application platform is logged in to with the main application platform's authorization identifier and the secondary application platform's operation authority is obtained. The system can thus protect the authorization information used for cross-platform single sign-on.
Description
[ technical field ]
The invention relates to the technical field of cloud computing security, in particular to a cross-platform single sign-on system.
[ background of the invention ]
A cloud computing environment is characterized by centralized resources, massive numbers of users and pay-per-use on-demand service. Large amounts of sensitive user data are stored in the cloud, so privacy and sensitive data are easily leaked once a user identity is counterfeited, and 70% of data leakage enters the system through an external input source. To keep cloud services secure, the identity of every user entering the system, and of every other input source, must therefore be strongly authenticated. Identity authentication is the basis of the other security policies and a precondition for them to perform their security functions. As cloud computing matures, more and more services are provided; they are distributed across different servers and domains belonging to different organizations, and each service has its own database. A user who logs in to a virtual desktop through a cloud terminal must supply a user name and password (or another authentication method) for each service accessed, so switching between services means logging in again and again. To reduce this burden, users may choose passwords of pure digits or letters that are easy to remember, reuse the same password for several authentications, or write a complex password on paper and stick it to the workbench. Administrators, meanwhile, must manage ever more identities, and maintaining users' responsibilities and rights can take a great deal of time to adjust. A cross-domain single sign-on (SSO) system in the cloud environment lets a user access the network resources of different domains in the cloud computing environment after logging in once, which reduces the burden on both the user and the administrator.
At present, single sign-on is mainly realized by three models: the gateway model, the proxy model and the token model. Mature solutions exist for each, such as Microsoft Passport, IBM WebSphere Portal Server and CAS, but they differ in emphasis, target different platforms and architectures, and suffer from system complexity, lack of flexibility, and high price and learning cost.
Whichever model is adopted, the authentication information from the first successful login must be recorded and recognized. Because user login authentication information differs between platforms, the most common way to let a user log in to different platforms without changing their login information is to set up an independent SSO authentication server: the user's login information is stored centrally in a user management system on the SSO authentication server, and that unified user management system completes every login by which the user enters other application platforms through a login entrance. Specifically: when a user application program (APP) accesses a platform in the cloud computing environment for the first time, login authentication is completed through the SSO authentication server, and an authentication identifier is returned if login succeeds. When the user APP then accesses another platform in the cloud computing environment, it submits the authentication identifier directly to that platform, which forwards it to the SSO authentication server for verification; if verification succeeds, the user APP can access the other platform without repeating the whole user login process. Each platform remains responsible for its own operation authorities, so this realizes unified storage with distributed authorization.
Although completing the login process through a unified user management system achieves cross-platform single sign-on for the user APP, it has the following security problem:
after the user APP first logs in and authenticates successfully at the SSO authentication server, the authentication identifier returned to it is at risk of interception. Once another user intercepts the authentication identifier, that user can easily impersonate the original user and use the identifier to access any authorized platform in the cloud computing environment, exposing the original user to unpredictable security risks.
[ summary of the invention ]
To solve the above problems in the prior art, the present invention provides a new cross-platform single sign-on system for a cloud computing environment, comprising: a database management server, an authentication server, a user side, a main application platform and a secondary application platform;
the main application platform and the secondary application platform are each provided with a corresponding unique digital identifier;
the user side runs a main application platform which requires user identity authentication;
the database management server authenticates the user's identity when the user logs in to the main application platform for the first time; if authentication succeeds, it generates an authorization identifier for the main application platform and obtains the correspondence table of digital identifiers of main and secondary application platforms between which single sign-on is allowed, and if that table records an allowed correspondence between the main application platform's and the secondary application platform's digital identifiers, the secondary application platform is logged in to through the main application platform's authorization identifier and the secondary application platform's operation authority is obtained;
and the authentication server stores the correspondence table of digital identifiers of main and secondary application platforms between which single sign-on is allowed.
Preferably, when the user side can access the secondary application platform through the main application platform's authorization identifier, the secondary application platform grants the user side its operation authority.
Preferably, the database management server's authentication of the user's first login to the main application platform includes the following steps:
(1) the user side sends its user name, login password and the user side's unique digital identifier;
(2) the database management server checks whether the user name, login password and unique digital identifier correspond exactly to the user name, login password and unique digital identifier stored when the user registered;
(3) if all three correspond exactly, user identity authentication succeeds; otherwise, authentication fails.
Preferably, the operation authority includes at least one of the following: reading the platform file, writing the platform file, deleting the platform file and modifying the platform file.
[ description of the drawings ]
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, and are not to be considered limiting of the invention, in which:
fig. 1 is a system framework diagram of single sign-on in a cloud environment as implemented in the prior art.
[ detailed description ]
The present invention will now be described in detail with reference to the drawings and specific embodiments, wherein the exemplary embodiments and descriptions are provided only for the purpose of illustrating the present invention and are not to be construed as unduly limiting the invention.
A cross-platform single sign-on system, as shown in fig. 1, comprising: the system comprises a database management server, an authentication server, a user side, a main application platform and a secondary application platform;
the main application platform and the secondary application platform are each provided with a corresponding unique digital identifier;
the user side runs a main application platform which requires user identity authentication;
the database management server authenticates the user's identity when the user logs in to the main application platform for the first time; if authentication succeeds, it generates an authorization identifier for the main application platform and obtains the correspondence table of digital identifiers of main and secondary application platforms between which single sign-on is allowed, and if that table records an allowed correspondence between the main application platform's and the secondary application platform's digital identifiers, the secondary application platform is logged in to through the main application platform's authorization identifier and the secondary application platform's operation authority is obtained;
and the authentication server stores the correspondence table of digital identifiers of main and secondary application platforms between which single sign-on is allowed.
When the user side can access the secondary application platform through the main application platform's authorization identifier, the secondary application platform grants the user side its operation authority.
Specifically, the database management server's authentication of the user's first login to the main application platform comprises the following steps:
(1) the user side sends its user name, login password and the user side's unique digital identifier;
(2) the database management server checks whether the user name, login password and unique digital identifier correspond exactly to the user name, login password and unique digital identifier stored when the user registered;
(3) if all three correspond exactly, user identity authentication succeeds; otherwise, authentication fails.
The operation authority comprises at least one of the following: reading the platform file, writing the platform file, deleting the platform file and modifying the platform file.
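As an added example (not the patent's own code) modelling the flow described in the background section and in the summary and detailed description above: the database management server checks user name, password and the user side's digital identifier against the registration record, issues an authorization identifier bound to the main platform's digital identifier, and a secondary platform grants its operation authority only if the authentication server's correspondence table allows single sign-on from that main platform. All class and function names, the salted-hash password storage and the sample data are assumptions not taken from the patent; `check_table=False` reproduces the prior-art behaviour in which any authorized platform accepts the identifier.

```python
import hashlib
import hmac
import secrets

# Authentication server table: (main platform id, secondary platform id) pairs
# between which single sign-on is allowed. Constructed sample data; the patent
# does not fix the table's format.
SSO_ALLOW_TABLE = {("P-MAIN", "P-FILES"), ("P-MAIN", "P-MAIL")}


def _hash_pw(password: str, salt: str) -> str:
    # Salted hash for stored passwords (an assumption; the patent only says the
    # submitted credentials are compared with those stored at registration).
    return hashlib.sha256((salt + password).encode()).hexdigest()


def register(users: dict, username: str, password: str, client_id: str) -> None:
    """Record user name, password and the user side's unique digital identifier."""
    salt = secrets.token_hex(8)
    users[username] = {"salt": salt, "pw": _hash_pw(password, salt),
                       "client_id": client_id}


class DatabaseManagementServer:
    """Authenticates the first login on the main platform and issues the main
    platform's authorization identifier (steps (1)-(3) of the description)."""

    def __init__(self, users: dict, main_platform_id: str):
        self.users = users
        self.main_platform_id = main_platform_id
        self.issued = {}  # authorization identifier -> (user, main platform id)

    def first_login(self, username, password, client_id):
        rec = self.users.get(username)
        if rec is None:
            return None
        # All three values must match what was stored at registration.
        pw_ok = hmac.compare_digest(rec["pw"], _hash_pw(password, rec["salt"]))
        id_ok = hmac.compare_digest(rec["client_id"].encode(), client_id.encode())
        if not (pw_ok and id_ok):
            return None
        auth_id = secrets.token_urlsafe(16)
        # The identifier is bound to the main platform that issued it.
        self.issued[auth_id] = (username, self.main_platform_id)
        return auth_id

    def lookup(self, auth_id):
        return self.issued.get(auth_id)


class SecondaryPlatform:
    """Accepts the main platform's authorization identifier only if the
    correspondence table allows it, then grants its own operation authority.
    check_table=False models the prior art, where any platform accepts it."""

    def __init__(self, platform_id, dbms, allow_table, rights, check_table=True):
        self.platform_id = platform_id
        self.dbms = dbms
        self.allow_table = allow_table
        self.rights = frozenset(rights)  # e.g. read/write/delete/modify
        self.check_table = check_table

    def login_with(self, auth_id):
        rec = self.dbms.lookup(auth_id)
        if rec is None:
            return None  # unknown or forged identifier
        username, main_id = rec
        if self.check_table and (main_id, self.platform_id) not in self.allow_table:
            return None  # no allowed correspondence: the identifier does not transfer
        return {"user": username, "rights": set(self.rights)}


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct-horse", "C-0001")
    dbms = DatabaseManagementServer(users, "P-MAIN")
    tok = dbms.first_login("alice", "correct-horse", "C-0001")
    print(SecondaryPlatform("P-FILES", dbms, SSO_ALLOW_TABLE, {"read"}).login_with(tok))
    print(SecondaryPlatform("P-HR", dbms, SSO_ALLOW_TABLE, {"read"}).login_with(tok))
```

An intercepted identifier is still a valid credential for the platforms listed in the table, so the binding limits, rather than removes, the exposure described in the background section.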
It will be understood by those of ordinary skill in the art that all or part of the steps of the above embodiments may be implemented using a computer program flow, which may be stored in a computer readable storage medium and executed on a corresponding hardware platform (e.g., system, apparatus, device, etc.), and when executed, includes one or a combination of the steps of the method embodiments. Alternatively, all or part of the steps of the above embodiments may be implemented by using an integrated circuit, and the steps may be respectively manufactured as an integrated circuit module, or a plurality of the blocks or steps may be manufactured as a single integrated circuit module. The devices/functional modules/functional units in the above embodiments may be implemented by general-purpose computing devices, and they may be centralized on a single computing device or distributed on a network formed by a plurality of computing devices. The means/function modules/function units in the above embodiments are implemented in the form of software function modules and may be stored in a computer-readable storage medium when they are sold or used as separate products. The computer readable storage medium mentioned above may be a read-only memory, a magnetic disk or an optical disk, etc.
Claims (1)
1. A cross-platform single sign-on system, comprising: the system comprises a database management server, an authentication server, a user side, a main application platform and a secondary application platform;
the primary application platform and the secondary application platform are provided with corresponding unique digital identifications;
the user side runs a main application platform which needs user identity authentication;
the database management server authenticates the user's identity when the user logs in to the main application platform for the first time; if authentication succeeds, it generates an authorization identifier for the main application platform and obtains the correspondence table of digital identifiers of main and secondary application platforms between which single sign-on is allowed, and if that table records an allowed correspondence between the main application platform's and the secondary application platform's digital identifiers, the secondary application platform is logged in to through the main application platform's authorization identifier and the secondary application platform's operation authority is obtained;
the authentication server is used for storing the digital identifier corresponding relation table of the main application platform and the secondary application platform which allow single sign-on;
when a user side can access a secondary application platform through an authorization identifier of a main application platform, the secondary application platform authorizes the operation authority of the user side;
the process of completing the user identity authentication of the user logging in the main application platform for the first time by the database management server comprises the following steps:
(1) the user side sends a user name, a login password and a unique digital identifier of the user side;
(2) the database management server detects whether the user name, the login password and the unique digital identifier are completely corresponding and consistent with the user name, the login password and the unique digital identifier stored during user registration;
(3) if the identity authentication is completely corresponding and consistent, the user identity authentication is successful; otherwise, authentication fails;
the operation authority comprises at least one of the following: reading the platform file, writing the platform file, deleting the platform file and modifying the platform file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610087728.1A CN105812350B (en) | 2016-02-03 | 2016-02-03 | Cross-platform single sign-on system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610087728.1A CN105812350B (en) | 2016-02-03 | 2016-02-03 | Cross-platform single sign-on system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105812350A CN105812350A (en) | 2016-07-27 |
CN105812350B true CN105812350B (en) | 2020-05-19 |
Family
ID=56466448
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610087728.1A Expired - Fee Related CN105812350B (en) | 2016-02-03 | 2016-02-03 | Cross-platform single sign-on system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105812350B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106936853B (en) * | 2017-04-26 | 2020-12-29 | 河海大学 | Cross-domain single sign-on method based on system integration-oriented cross-domain single sign-on system |
CN108156159A (en) * | 2017-12-27 | 2018-06-12 | 质数链网科技成都有限公司 | A kind of multi-application system login method and block chain distribution general ledger system |
CN108809957A (en) * | 2018-05-23 | 2018-11-13 | 广东微校信息科技有限公司 | A method of it prevents from forging wechat enterprise number access request |
CN109302446B (en) * | 2018-08-15 | 2022-10-25 | 广州市保伦电子有限公司 | Cross-platform access method and device, electronic equipment and storage medium |
CN109598114B (en) * | 2018-11-23 | 2021-07-09 | 金色熊猫有限公司 | Cross-platform unified user account management method and system |
CN109977788A (en) * | 2019-03-03 | 2019-07-05 | 湖北无垠智探科技发展有限公司 | A kind of unmanned plane aerial photography image integrated treatment platform |
CN110149211B (en) * | 2019-05-15 | 2023-04-07 | 杭州朗和科技有限公司 | Service authentication method, service authentication device, medium, and electronic device |
CN110519296B (en) * | 2019-09-17 | 2021-10-15 | 焦点科技股份有限公司 | Single sign-on and sign-off method of heterogeneous web system |
CN112995112A (en) * | 2019-12-17 | 2021-06-18 | 江苏太湖慧云数据系统有限公司 | Resource management method of cross-cloud management platform |
CN111832005B (en) * | 2020-07-15 | 2023-09-05 | 中国工商银行股份有限公司 | Application authorization method, application authorization device and electronic equipment |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7426642B2 (en) * | 2002-11-14 | 2008-09-16 | International Business Machines Corporation | Integrating legacy application/data access with single sign-on in a distributed computing environment |
CN101193027A (en) * | 2006-11-28 | 2008-06-04 | 深圳市永兴元科技有限公司 | A single-point login system and method for integrated isomerous system |
CN101159557B (en) * | 2007-11-21 | 2010-09-29 | 华为技术有限公司 | Single point logging method, device and system |
CN101202753B (en) * | 2007-11-29 | 2010-11-17 | 中国电信股份有限公司 | Method and device for accessing plug-in connector applied system by client terminal |
CN102082775A (en) * | 2009-11-27 | 2011-06-01 | 中国移动通信集团公司 | Method, device and system for managing subscriber identity |
US9081951B2 (en) * | 2011-09-29 | 2015-07-14 | Oracle International Corporation | Mobile application, identity interface |
CN102377788B (en) * | 2011-12-13 | 2014-06-25 | 方正国际软件有限公司 | Single sign-on (SSO) system and single sign-on (SSO) method |
CN103188237A (en) * | 2011-12-30 | 2013-07-03 | 盛大计算机(上海)有限公司 | Single sign-on system and single sign-on method |
CN102624737B (en) * | 2012-03-27 | 2015-05-06 | 武汉理工大学 | Single sign-on integrated method for Form identity authentication in single login system |
CN103716292A (en) * | 2012-09-29 | 2014-04-09 | 西门子公司 | Cross-domain single-point login method and device thereof |
CN104065674A (en) * | 2013-03-18 | 2014-09-24 | 联想(北京)有限公司 | Terminal device and information processing method |
CN103248699B (en) * | 2013-05-16 | 2014-07-16 | 广西中烟工业有限责任公司 | Multi-account processing method of single sign on (SSO) information system |
CN103905201B (en) * | 2014-03-28 | 2017-02-15 | 北界无限(北京)软件有限公司 | Interaction method and device for master application and multiple slave applications |
CN105024975B (en) * | 2014-04-23 | 2019-02-26 | 腾讯科技(北京)有限公司 | The method, apparatus and system that account logs in |
CN104468592B (en) * | 2014-12-12 | 2017-10-31 | 北京百度网讯科技有限公司 | Login method and login system |
Events
- 2016-02-03: application CN201610087728.1A filed in CN (granted as CN105812350B); current status: not active, Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN105812350A (en) | 2016-07-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105812350B (en) | Cross-platform single sign-on system | |
US10432608B2 (en) | Selectively enabling multi-factor authentication for managed devices | |
US10142326B2 (en) | Attribute-based access control | |
CN105577835B (en) | Cross-platform single sign-on system based on cloud computing | |
US10187374B2 (en) | Multi-factor authentication for managed applications using single sign-on technology | |
JP6625636B2 (en) | Identity infrastructure as a service | |
EP3123692B1 (en) | Techniques to operate a service with machine generated authentication tokens | |
CN103249045B (en) | A kind of methods, devices and systems of identification | |
CN104364790B (en) | system and method for implementing multi-factor authentication | |
US10938572B2 (en) | Revocable biometric-based keys for digital signing | |
CN108293045A (en) | Single sign-on identity management between local and remote systems | |
CN104836803B (en) | Single-point logging method based on session mechanism | |
CN106452772B (en) | Terminal authentication method and device | |
CN103384198B (en) | A kind of authenticating user identification method of servicing based on mailbox and system | |
CN110417820A (en) | Processing method, device and the readable storage medium storing program for executing of single-node login system | |
CN106850612A (en) | The cipher management method and system of a kind of facing cloud system | |
CN110247758A (en) | The method, apparatus and code management device of Password Management | |
CN106921616A (en) | A kind of single-point logging method and device | |
CN107682321A (en) | A kind of method and device of SDN controllers cluster single-sign-on | |
CN106603567B (en) | A kind of login management method and device of WEB administrator | |
CN106529216B (en) | Software authorization system and software authorization method based on public storage platform | |
CN109802927A (en) | A kind of security service providing method and device | |
Herrera-Cubides et al. | Towards the Construction of a User Unique Authentication Mechanism on LMS Platforms through Model‐Driven Engineering (MDE) | |
US12015606B2 (en) | Virtual machine provisioning and directory service management | |
TWI768307B (en) | Open source software integration approach |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20200519; Termination date: 20220203 |