
WO2021031689A1 - Single sign-on method, device, and system - Google Patents


Info

Publication number
WO2021031689A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
certificate
request
verification
blockchain network
Application number
PCT/CN2020/097895
Other languages
French (fr)
Chinese (zh)
Inventor
许建东
Original Assignee
北京国双科技有限公司
Application filed by 北京国双科技有限公司
Publication of WO2021031689A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/40 Network security protocols
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
                        • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F21/31 User authentication
                            • G06F21/33 User authentication using certificates
                            • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
                    • G06F21/60 Protecting data
                        • G06F21/604 Tools and structures for managing or administering access control systems
                • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                        • G06F2221/2133 Verifying human interaction, e.g., Captcha
                        • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present invention relates to the technical field of network security, in particular to a single sign-on method, device and system.
  • SSO Single Sign On
  • the attacker can forge the root certificate and then forge a user certificate. Therefore, even if the application server in SSO uses a certificate-based user identification mechanism instead of a username and password mechanism during authentication, the application server in SSO may still be accessed by an attacker, causing data leakage.
  • the embodiments of the present invention provide a single sign-on method, device, and system for improving the security of application server data in SSO.
  • an embodiment of the present invention provides a single sign-on method applied to an identity authentication server, and the method includes:
  • the login request carries a certificate of the terminal device, and is used to request to obtain a login credential for logging in to a single sign-on system SSO;
  • the login credential is sent to the terminal device, and the access permission corresponding to the login credential is written to the blockchain network according to the authority information of the terminal device.
  • before sending the first verification request to the blockchain network, the method further includes:
  • the method further includes: deleting the certificate generated according to the user profile and the authority information.
  • the method further includes:
  • the prompt information is used to prompt that the certificate of the terminal device is invalid.
  • an embodiment of the present invention provides a single sign-on method, which is applied to a target application server in a single sign-on system SSO, and the method includes:
  • the second verification request is used to request the blockchain network to verify, according to the access permission corresponding to the login credential, whether the terminal device has the permission to access the target application server;
  • in a case where the second verification response indicates that the terminal device has the authority to access the target application server, the terminal device is allowed to access.
  • the method further includes:
  • if the second verification response indicates that the terminal device does not have the authority to access the target application server, the terminal device is denied access.
  • an embodiment of the present invention provides a single sign-on method, including:
  • the terminal device sends a login request to the identity authentication server;
  • the login request carries the certificate of the terminal device, and is used to request to obtain the login credentials for logging in to the single sign-on system SSO;
  • the identity authentication server receives the first verification response sent by the blockchain network
  • the identity authentication server sends the login credential to the terminal device, and writes the access rights corresponding to the login credential to the blockchain network according to the authority information of the terminal device;
  • the target application server sends a second verification request to the blockchain network, and the second verification request is used to request the blockchain network to verify whether the terminal device has the permission to access the target application server;
  • the target application server receives the second verification response sent by the blockchain network
  • the target application server allows the terminal device to access.
  • before the terminal device sends a login request to the identity authentication server, the method further includes:
  • the terminal device sends a registration request to the identity authentication server, and the registration request carries user information;
  • the identity authentication server generates the certificate according to the user profile and the authority information
  • the identity authentication server sends the certificate to the terminal device, and writes the verification of the certificate into the blockchain network.
  • after the identity authentication server sends the certificate to the terminal device and writes the verification of the certificate into the blockchain network, the method further includes:
  • the identity authentication server deletes the certificate generated according to the user profile and the authority information.
  • in a case where the first verification response indicates that the certificate is invalid, the identity authentication server sends prompt information to the terminal device;
  • the prompt information is used to prompt that the certificate of the terminal device is invalid.
  • when the second verification response indicates that the terminal device does not have the right to access the target application server, the target application server denies the terminal device access.
  • an embodiment of the present invention provides a single sign-on device applied to an identity authentication server, including:
  • the receiving unit is configured to receive a login request sent by a terminal device; the login request carries a certificate of the terminal device, and is used to request to obtain a login credential for logging in to a single sign-on system SSO;
  • a sending unit configured to send a first verification request to a blockchain network, the first verification request being used to request the blockchain network to verify whether the certificate is valid according to the verification of the certificate;
  • the receiving unit is further configured to receive the first verification response sent by the blockchain network
  • the sending unit is further configured to send the login credential to the terminal device when the first verification response indicates that the certificate is valid;
  • the writing unit is configured to write the access authority corresponding to the login credential to the blockchain network according to the authority information of the terminal device when the first verification response indicates that the certificate is valid.
  • the single sign-on apparatus further includes: a certificate generating unit;
  • the receiving unit is further configured to receive a registration request sent by the terminal device before the sending unit sends a first verification request to the blockchain network, where the registration request carries user information;
  • the certificate generating unit is configured to generate the certificate according to the user profile and the authority information
  • the sending unit is further configured to send the certificate to the terminal device
  • the writing unit is also used to write the verification of the certificate into the blockchain network.
  • the single sign-on apparatus further includes:
  • the deleting unit is configured to delete the certificate generated according to the user profile and the authority information after the writing unit writes the verification of the certificate into the blockchain network.
  • the sending unit is further configured to send prompt information to the terminal device when the first verification response indicates that the certificate is invalid;
  • the prompt information is used to prompt that the certificate of the terminal device is invalid.
  • an embodiment of the present invention provides a single sign-on device, which is applied to an application server, where the application server is an application server in a single sign-on system SSO, and the single sign-on device includes:
  • a receiving unit configured to receive an access request sent by a terminal device, where the access request carries login credentials
  • the sending unit is configured to send a second verification request to the blockchain network, and the second verification request is used to request the blockchain network to verify, according to the access authority corresponding to the login credential, whether the terminal device has the permission to access the application server;
  • the receiving unit is further configured to receive a second verification response sent by the blockchain network
  • the processing unit is configured to allow the terminal device to access when the second verification response indicates that the terminal device has the authority to access the application server.
  • the processing unit is further configured to deny the terminal device access when the second verification response indicates that the terminal device does not have the right to access the application server.
  • an embodiment of the present invention provides an identity authentication server, including a memory and a processor; the memory is used to store a computer program, and the processor is used to execute the single sign-on method according to the first aspect or any implementation manner of the first aspect when the computer program is invoked.
  • an embodiment of the present invention provides an application server, including a memory and a processor; the memory is used to store a computer program, and the processor is used to execute the single sign-on method according to the second aspect or any implementation manner of the second aspect when the computer program is invoked.
  • an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored.
  • when the computer program is executed by a processor, it implements the single sign-on method according to the first aspect or any implementation manner of the first aspect, or according to the second aspect or any implementation manner of the second aspect.
  • an embodiment of the present invention provides a single sign-on system, including at least one of: the single sign-on device according to the third aspect or any implementation manner of the third aspect, the single sign-on device according to the fourth aspect or any implementation manner of the fourth aspect, the identity authentication server according to the fifth aspect, and the application server according to the sixth aspect.
  • when the identity authentication server receives the login request sent by the terminal device, it first sends a request to the blockchain network to verify whether the certificate is valid, and sends the login credential to the terminal device only when the received first verification response indicates that the certificate is valid. Therefore, in the embodiment of the present invention, the validity of the terminal device's certificate can be verified through the blockchain network when the terminal device logs in to SSO, which improves the security of the application server data in SSO in terms of identity authentication; in addition, when the first verification response indicates that the certificate is valid, the identity authentication server also writes the access authority corresponding to the login credential to the blockchain network according to the authority information of the terminal device.
  • when the terminal device has logged in to the SSO through the login credential and wants to access a target application server in the SSO, the target application server sends a second verification request to the blockchain network, requesting it to verify, according to the access authority corresponding to the login credential, whether the terminal device has the permission to access the target application server; the terminal device is allowed to access only when the second verification response indicates that it has that permission. Therefore, the embodiment of the invention can also improve the data security of the application server in SSO from the aspect of user authority when the terminal device accesses the application server in SSO.
  • that is, the embodiment of the present invention can improve the data security of the application server in SSO in terms of both identity authentication and user authority. Therefore, compared with the prior art, the embodiment of the present invention improves the security of the application server's data in SSO.
  • Figure 1 is a schematic structural diagram of a single sign-on system provided by an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of the interaction process of the single sign-on method provided by an embodiment of the present invention.
  • Figure 3 is a structural diagram of a single sign-on device provided by an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the hardware structure of an identity authentication server provided by an embodiment of the present invention.
  • FIG. 5 is a structural diagram of a single sign-on device provided by an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the hardware structure of an application server provided by an embodiment of the present invention.
  • the words “first” and “second” are used to distinguish between items that are the same or similar and have substantially the same function or effect. Those skilled in the art can understand that the words “first” and “second” do not limit the quantity or the order of execution.
  • words such as “exemplary” or “for example” are used to present examples, illustrations or explanations. Any embodiment or design solution described as “exemplary” or “for example” in the embodiments of the present invention should not be construed as more preferable or advantageous than other embodiments or design solutions. Rather, words such as “exemplary” or “for example” are used to present related concepts in a specific manner.
  • the single sign-on system provided by the embodiment of the present invention includes: at least one terminal device (in FIG. 1, one terminal device 11 is shown as an example), an SSO system 12 including multiple application servers (in FIG. 1, the SSO system 12 including an application server 121, an application server 122, an application server 123, an application server 124 and an application server 125 is taken as an example), an identity authentication server 13 and a blockchain network 14.
  • the terminal device 11 and the identity authentication server 13 can communicate by wire or wirelessly, and the terminal device 11 and each application server of the SSO system 12 can communicate by wire or wirelessly; each application server in the SSO system 12 and the blockchain network 14 can communicate by wire or wirelessly, and the identity authentication server 13 and the blockchain network 14 can also communicate by wire or wirelessly.
  • the terminal device 11 in the embodiment of the present invention may be a mobile phone, a tablet computer, a notebook computer, a personal computer (PC), an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA), a smart watch, a smart bracelet, etc., or the terminal device may also be another type of electronic device, which is not limited in the embodiment of the present invention.
  • the terminal device 11 is shown as an example in the drawings as a PC.
  • the embodiment of the present invention provides a single sign-on method. As shown in FIG. 2, in the single sign-on method provided by the embodiment of the present invention, each device in the single sign-on system described above performs the following steps:
  • the terminal device sends a login request to the identity authentication server.
  • the identity authentication server receives the login request sent by the terminal device.
  • the login request carries the certificate of the terminal device for requesting to obtain the login credential for logging in to the SSO.
  • the identity authentication server sends a first verification request to the blockchain network.
  • the blockchain network receives the first verification request sent by the identity authentication server.
  • the first verification request is used to request the blockchain network to verify whether the certificate is valid according to the verification of the certificate.
  • the verification of the certificate is written into the blockchain network by the identity authentication server. That is, before the identity authentication server sends the first verification request to the blockchain network, it also needs to generate the certificate and the verification of the certificate based on the user profile data and authority data, and write the certificate and the verification of the certificate into the blockchain network.
  • the identity authentication server writes the certificate and the verification of the certificate into the blockchain network to prevent the certificate and/or the verification of the certificate from being tampered with by an attacker, thereby improving data security.
  • the blockchain network sends a first verification response to the identity verification server.
  • the identity authentication server receives the first verification response sent by the blockchain network.
  • the first verification response is used to indicate that the certificate is valid or the certificate is invalid.
  • the identity authentication server sends the login credential to the terminal device.
  • the terminal device receives the login credential sent by the identity authentication server.
  • the login credentials in the embodiment of the present invention are generated by the identity authentication server.
  • the identity authentication server may generate a login credential corresponding to each terminal device when each terminal device is registered, and store it in the local storage.
  • in that case, the identity authentication server finds the login credential corresponding to the terminal device in the local storage and sends it to the terminal device.
  • the identity authentication server may also generate the login credential corresponding to the terminal device when the first verification response indicates that the certificate is valid, and delete the login credential after sending it to the terminal device, so that an attacker who breaks into the identity authentication server cannot obtain the login credentials of terminal devices.
  • the identity authentication server writes the access permission corresponding to the login credential to the blockchain network according to the permission information of the terminal device.
  • the blockchain network receives the access authority corresponding to the login credential written by the identity authentication server.
  • the way in which the identity authentication server obtains the authority information of the terminal device can be implemented as follows: establish a Lightweight Directory Access Protocol (LDAP) system and save the terminal device data (including the terminal device authority information) in it;
  • LDAP Lightweight Directory Access Protocol
  • the terminal device data includes the terminal device authority information;
  • the authority information of the terminal device is read from the LDAP system.
  • LDAP is an open, vendor-neutral, industry-standard application protocol used to access and maintain distributed directory information over the IP protocol.
  • the LDAP system in the embodiment of the present invention may be independent of the identity authentication server, or may be integrated into the identity authentication server, which is not limited in the embodiment of the present invention.
  • at this point, the identity verification server has completed the identity verification of the terminal device.
  • since the identity verification server sends the certificate of the terminal device to the blockchain network, receives the verification result from the blockchain network, and decides according to that result whether to send the login credential to the terminal device, the foregoing embodiment can prevent a network attacker who forges a root certificate and a user certificate from logging in, thereby improving the security of the data in the application servers in SSO.
  • the terminal device sends an access request to the target application server in the SSO.
  • the target application server receives the access request sent by the terminal device.
  • the access request carries login credentials.
  • the target application server sends a second verification request to the blockchain network.
  • the blockchain network receives the second verification request sent by the target application server.
  • the second verification request is used to request the blockchain network to verify whether the terminal device has the permission to access the target application server according to the access permission corresponding to the login credential.
  • the blockchain network sends a second verification response to the target application server.
  • the target application server receives the second verification response sent by the blockchain network.
  • the second verification response is used to indicate that the terminal device has the authority to access the target application server, or that the terminal device does not have the authority to access the target application server.
  • when the second verification response indicates that the terminal device has the authority to access the target application server, step S19 is executed.
  • the target application server allows the terminal device to access.
  • at this point, the target application server has completed the verification of the access authority of the terminal device.
  • since the target application server sends a second verification request to the blockchain network and determines whether the terminal device is allowed to access according to the second verification response sent by the blockchain network, the foregoing embodiment can prevent a network attacker from tampering with the access authority of the terminal device and thereby causing data leakage. Therefore, the embodiment of the present invention can further improve the security of the data in the application servers in SSO.
  • the single sign-on method provided by the embodiment of the present invention further includes the following steps a to c.
  • Step a: the identity authentication server receives the registration request sent by the terminal device.
  • the registration request carries user information.
  • the user profile may include information such as the user name and identification code of the user.
  • Step b: the identity authentication server generates the certificate according to the user profile and the authority information.
  • the above permission information can be obtained as follows: the identity authentication server configures it for the terminal device according to the user profile; or the terminal device carries permission request information in the registration request, the identity authentication server audits the permission request information carried in the registration request, and uses the approved permission request items as the permission information.
  • when the identity authentication server reviews the permission request information carried in the registration request and uses the approved permission request items as the permission information, the permission request information carried in the registration request sent by the terminal device and the resulting permission information may be the same or different.
  • for example, the permission request information carried in the registration request sent by the terminal device includes: access to application server A, access to application server B, and access to application server C.
  • the permission information used when the identity authentication server generates the certificate may then include access to application server A, access to application server B and access to application server C, or it may include access to application server A and access to application server B but not access to application server C.
  • Step c: The identity authentication server sends the certificate to the terminal device and writes the verification of the certificate into the blockchain network.
  • Correspondingly, the terminal device receives the certificate sent by the identity authentication server, and the blockchain network receives the written verification of the certificate.
  • Since the identity authentication server needs to write the verification of the certificate to the blockchain network, it first needs to generate that verification.
  • The embodiment of the present invention does not limit the algorithm used to generate the verification of the certificate.
  • The identity authentication server provided by the embodiment of the present invention may be composed of the following modules:
  • Account management module, whose main functions include:
  • establishing a user management mechanism that allows user administrators to add, delete, modify and query users, and notifying users by email;
  • Certificate management module, whose main functions include:
  • Identity authentication module, whose main functions include:
  • when the terminal device requests to download the certificate via the unique link, sending the certificate to the terminal device;
  • returning the login credentials to the terminal device.
  • The single sign-on method provided in the embodiment of the present invention further includes:
  • the identity authentication server deletes the certificate generated according to the user profile and the authority information.
  • After the identity authentication server sends the certificate to the terminal device, it deletes the certificate generated from the user profile and the authority information, so that a network attacker who compromises the identity authentication server cannot obtain the terminal device's certificate from it. Therefore, the foregoing embodiment can further improve the data security of the application server in SSO.
  • The single sign-on method provided in the embodiment of the present invention further includes:
  • when the first verification response indicates that the certificate is invalid, the identity authentication server sends prompt information to the terminal device;
  • the prompt information is used to prompt that the certificate of the terminal device is invalid.
  • The single sign-on method provided in the embodiment of the present invention further includes:
  • when the second verification response indicates that the terminal device does not have the authority to access the target application server, the target application server denies the terminal device access.
  • The embodiment of the present application may divide the terminal device and the like into functional modules according to the foregoing method example.
  • Each function module may correspond to one function, or two or more functions may be integrated into one module.
  • The above-mentioned integrated modules can be implemented in the form of hardware or of software functional modules. It should be noted that the division of modules in the embodiments of the present application is illustrative and is only a logical division of functions; other divisions are possible in actual implementation.
  • FIG. 3 shows a possible structural diagram of the single sign-on device applied to the identity authentication server involved in the foregoing embodiment, and the single sign-on device 300 includes:
  • the receiving unit 31 is configured to receive a login request sent by a terminal device; the login request carries a certificate of the terminal device, and is used to request to obtain a login credential for logging in to the SSO system;
  • the sending unit 32 is configured to send a first verification request to the blockchain network, where the first verification request is used to request the blockchain network to verify whether the certificate is valid according to the verification of the certificate;
  • the receiving unit 31 is further configured to receive the first verification response sent by the blockchain network;
  • the sending unit 32 is further configured to send the login credentials to the terminal device when the first verification response indicates that the certificate is valid;
  • the writing unit 33 is configured to write the access authority corresponding to the login credential to the blockchain network according to the authority information of the terminal device when the first verification response indicates that the certificate is valid.
  • the single sign-on apparatus 300 further includes: a certificate generating unit 34;
  • the receiving unit 31 is further configured to receive a registration request sent by the terminal device before the sending unit sends the first verification request to the blockchain network, and the registration request carries user information;
  • the certificate generating unit 34 is configured to generate the certificate according to the user profile and the authority information;
  • the sending unit 32 is further configured to send the certificate to the terminal device;
  • the writing unit 33 is also used to write the verification of the certificate into the blockchain network.
  • the single sign-on apparatus 300 further includes:
  • the deleting unit 35 is configured to delete the certificate generated according to the user profile and the authority information after the sending unit sends the certificate to the terminal device and the writing unit writes the verification of the certificate into the blockchain network.
  • the sending unit 32 is further configured to send prompt information to the terminal device when the first verification response indicates that the certificate is invalid;
  • the prompt information is used to prompt that the certificate of the terminal device is invalid.
  • FIG. 4 shows a possible structural diagram of the single sign-on apparatus applied to the application server in SSO involved in the foregoing embodiment, and the single sign-on apparatus 400 includes:
  • the receiving unit 41 is configured to receive an access request sent by a terminal device, where the access request carries login credentials;
  • the sending unit 42 is configured to send a second verification request to the blockchain network, where the second verification request is used to request the blockchain network to verify, according to the access authority corresponding to the login credential, whether the terminal device has the authority to access the application server;
  • the receiving unit 41 is further configured to receive a second verification response sent by the blockchain network;
  • the processing unit 43 is configured to allow the terminal device to access when the second verification response indicates that the terminal device has the authority to access the application server.
  • the processing unit 43 is further configured to deny the terminal device access when the second verification response indicates that the terminal device has no authority to access the application server.
  • The single sign-on device applied to the identity authentication server and the single sign-on device applied to the application server provided by the embodiment of the present invention can execute the single sign-on method provided in the above method embodiment and achieve technical effects similar to those of the above embodiment, which will not be repeated here.
  • FIG. 5 is a schematic structural diagram of an identity authentication server provided by an embodiment of the present invention.
  • the identity authentication server provided in this embodiment includes a memory 51 and a processor 52, where the memory 51 is used to store computer programs, and the processor 52 is used to execute, when the computer program is invoked, the steps executed by the identity authentication server in the single sign-on method described in the foregoing method embodiment.
  • Fig. 6 is a schematic structural diagram of an application server provided by an embodiment of the present invention.
  • the application server provided by this embodiment includes a memory 61 and a processor 62, where the memory 61 is used to store computer programs, and the processor 62 is used to execute, when the computer program is invoked, the steps executed by the application server in the single sign-on method described in the foregoing method embodiment.
  • the identity authentication server and the application server provided in this embodiment can execute the single sign-on method provided in the above method embodiments, and the implementation principles and technical effects are similar, and will not be repeated here.
  • the embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the single sign-on method described in the foregoing method embodiment is implemented.
  • this application may be provided as methods, systems, or computer program products. Therefore, this application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media containing computer-usable program codes.
  • the processor can be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the memory may include non-permanent memory in a computer readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM).
  • Computer-readable media include permanent and non-permanent, removable and non-removable storage media.
  • the storage medium can implement information storage by any method or technology, and the information can be computer readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

Embodiments of the present invention provide a single sign-on method, a device, and a system, pertaining to the technical field of network security, for enhancing data security of application servers in the single sign-on technique. The method comprises: receiving a sign-on request sent by a terminal apparatus, the sign-on request carrying a certificate of the terminal apparatus and used to request a sign-on credential for signing on to a single sign-on (SSO) system; sending a first authentication request to a blockchain network, the first authentication request being used to request the blockchain network to authenticate, according to verification of the certificate, whether the certificate is valid; receiving a first authentication response sent by the blockchain network; and if the first authentication response indicates that the certificate is valid, sending the sign-on credential to the terminal apparatus, and writing, according to permission information of the terminal apparatus, access permission corresponding to the sign-on credential in the blockchain network. The embodiments of the present invention are used to perform security authentication on terminal apparatuses attempting to access an application server in an SSO system.

Description

Single sign-on method, device and system
This application is based on, and claims priority of, Chinese patent application No. 201910764781.4 filed on August 19, 2019, the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to the technical field of network security, and in particular to a single sign-on method, device and system.
Background
Enterprises or organizations often operate multiple application servers. To improve user or employee efficiency and simplify management, enterprises or organizations commonly deploy a single sign-on (SSO) system; with SSO deployed, a user needs to log in only once to access all mutually trusting application servers.
As attackers' ability and means of stealing user credentials (such as account names and passwords) evolve, login protection becomes less and less reliable. Moreover, once an attacker has used stolen user credentials to log in to any one application server in the SSO, the attacker can obtain data from every application server that trusts that server; compared with a conventional application server, the data of an application server in SSO is therefore less secure. To protect the data of application servers in SSO, the prior art proposes replacing the original user name and password mechanism with a certificate-based user identification mechanism during identity verification. Although certificate-based user identification is more secure than the original simple user name and password mechanism, certificate verification is very challenging for small companies or organizations. In addition, even when a certificate-based user identification mechanism is adopted, an attacker can forge the root certificate and thereby forge user certificates; so even if the application servers in SSO replace the user name and password mechanism with certificate-based user identification during authentication, they may still be accessed by an attacker, causing data leakage.
Summary of the invention
In view of this, embodiments of the present invention provide a single sign-on method, device and system for improving the security of the data of application servers in SSO.
To achieve the above objective, the embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides a single sign-on method applied to an identity authentication server, the method including:
receiving a login request sent by a terminal device, the login request carrying a certificate of the terminal device and being used to request a login credential for logging in to a single sign-on (SSO) system;
sending a first verification request to a blockchain network, the first verification request being used to request the blockchain network to verify, according to the verification of the certificate, whether the certificate is valid;
receiving a first verification response sent by the blockchain network;
when the first verification response indicates that the certificate is valid, sending the login credential to the terminal device, and writing to the blockchain network, according to the authority information of the terminal device, the access authority corresponding to the login credential.
As an optional implementation of the embodiment of the present invention, before sending the first verification request to the blockchain network, the method further includes:
receiving a registration request sent by the terminal device, the registration request carrying user information;
generating the certificate according to the user profile and the authority information;
sending the certificate to the terminal device, and writing the verification of the certificate into the blockchain network.
As an optional implementation of the embodiment of the present invention, after sending the certificate to the terminal device and writing the verification of the certificate into the blockchain network, the method further includes: deleting the certificate generated according to the user profile and the authority information.
As an optional implementation of the embodiment of the present invention, the method further includes:
when the first verification response indicates that the certificate is invalid, sending prompt information to the terminal device;
where the prompt information is used to prompt that the certificate of the terminal device is invalid.
In a second aspect, an embodiment of the present invention provides a single sign-on method applied to a target application server in a single sign-on (SSO) system, the method including:
receiving an access request sent by a terminal device, the access request carrying a login credential;
sending a second verification request to a blockchain network, the second verification request being used to request the blockchain network to verify, according to the access authority corresponding to the login credential, whether the terminal device has the authority to access the target application server;
receiving a second verification response sent by the blockchain network;
when the second verification response indicates that the terminal device has the authority to access the target application server, allowing the terminal device to access.
As an optional implementation of the embodiment of the present invention, the method further includes:
when the second verification response indicates that the terminal device does not have the authority to access the target application server, denying the terminal device access.
In a third aspect, an embodiment of the present invention provides a single sign-on method, including:
a terminal device sends a login request to an identity authentication server, the login request carrying a certificate of the terminal device and being used to request a login credential for logging in to a single sign-on (SSO) system;
the identity authentication server sends a first verification request to a blockchain network, the first verification request being used to request the blockchain network to verify, according to the verification of the certificate, whether the certificate is valid;
the identity authentication server receives a first verification response sent by the blockchain network;
when the first verification response indicates that the certificate is valid, the identity authentication server sends the login credential to the terminal device and writes to the blockchain network, according to the authority information of the terminal device, the access authority corresponding to the login credential;
the terminal device sends an access request to a target application server in the SSO, the access request carrying the login credential;
the target application server sends a second verification request to the blockchain network, the second verification request being used to request the blockchain network to verify, according to the access authority corresponding to the login credential, whether the terminal device has the authority to access the target application server;
the target application server receives a second verification response sent by the blockchain network;
when the second verification response indicates that the terminal device has the authority to access the target application server, the target application server allows the terminal device to access.
As an optional implementation of the embodiment of the present invention, before the terminal device sends the login request to the identity authentication server, the method further includes:
the terminal device sends a registration request to the identity authentication server, the registration request carrying user information;
the identity authentication server generates the certificate according to the user profile and the authority information;
the identity authentication server sends the certificate to the terminal device and writes the verification of the certificate into the blockchain network.
As an optional implementation of the embodiment of the present invention, after the identity authentication server sends the certificate to the terminal device and writes the verification of the certificate into the blockchain network, the method further includes:
the identity authentication server deletes the certificate generated according to the user profile and the authority information.
As an optional implementation of the embodiment of the present invention, when the first verification response indicates that the certificate is invalid, the identity authentication server sends prompt information to the terminal device;
where the prompt information is used to prompt that the certificate of the terminal device is invalid.
As an optional implementation of the embodiment of the present invention, when the second verification response indicates that the terminal device does not have the authority to access the target application server, the target application server denies the terminal device access.
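The registration steps a to c listed earlier on this page, the login flow of the first aspect and the access check of the second and third aspects run end to end in the following Python sketch. It is an illustration added for this page, not the applicant's code. Everything the patent leaves open is an assumption here: the "verification of the certificate" is its SHA-256 digest; the blockchain network is modelled as an in-memory append-only ledger that answers the two verification requests; the login credential is a random token; the user `alice`, the identification code `EMP-1001` and the application servers `A`, `B` and `C` are constructed sample data. The audit at step b approves only a subset of what the terminal asked for, so one run shows the granted case at servers A and B, the denied case at server C, the prompt for a tampered certificate whose digest is not on the ledger, and the identity authentication server discarding its own copy of the certificate after delivery.

```python
"""Toy model of the certificate-plus-ledger SSO flow described in WO2021031689A1.

Added illustration, not the applicant's code. Assumptions not stated on the page:
the 'verification' of a certificate is its SHA-256 digest, the blockchain network
is an append-only in-memory ledger, and the login credential is a random token.
"""
import hashlib
import json
import secrets


def check_value(cert: bytes) -> str:
    """The 'verification of the certificate' written to the chain (assumed: SHA-256)."""
    return hashlib.sha256(cert).hexdigest()


class Ledger:
    """Stand-in for the blockchain network: append-only, answers both verification requests."""

    def __init__(self):
        self._entries = []  # (kind, key, value); never modified or removed once written

    def write(self, kind, key, value):
        self._entries.append((kind, key, value))

    def _lookup(self, kind, key):
        for k, key2, value in self._entries:
            if k == kind and key2 == key:
                return value
        return None

    def first_verification(self, cert: bytes) -> bool:
        """Is the presented certificate's check value on record?"""
        return self._lookup("cert_check", check_value(cert)) is not None

    def second_verification(self, credential: str, server: str) -> bool:
        """Does the access authority written for this credential include the target server?"""
        rights = self._lookup("access", credential)
        return rights is not None and server in rights


class IdentityServer:
    def __init__(self, ledger, audit_policy):
        self.ledger = ledger
        self.audit_policy = audit_policy  # user -> servers the administrator will approve (assumed)
        self.authority = {}               # user -> approved permission information (kept)
        self.issued_certs = {}            # user -> certificate; emptied after delivery

    def register(self, username, user_id, requested):
        # Step b: audit the requested items; only approved ones become permission information
        granted = sorted(set(requested) & self.audit_policy.get(username, set()))
        self.authority[username] = granted
        cert = json.dumps({"user": username, "id": user_id, "perm": granted,
                           "serial": secrets.token_hex(8)}, sort_keys=True).encode()
        # Step c: write the certificate's check value to the ledger, then deliver the certificate
        self.ledger.write("cert_check", check_value(cert), True)
        self.issued_certs[username] = cert
        return self.issued_certs.pop(username)  # delete the server-side copy once sent

    def login(self, cert: bytes):
        # First verification request goes to the ledger, not to a local CA store
        if not self.ledger.first_verification(cert):
            return None, "prompt: certificate invalid"
        user = json.loads(cert)["user"]
        credential = secrets.token_urlsafe(16)
        # Access authority comes from the server's own authority record, not from the cert body
        self.ledger.write("access", credential, frozenset(self.authority[user]))
        return credential, "ok"


class AppServer:
    def __init__(self, name, ledger):
        self.name, self.ledger = name, ledger

    def access(self, credential) -> bool:
        # Second verification request: the ledger decides, the server only enforces
        return self.ledger.second_verification(credential, self.name)


def run_demo():
    """Constructed scenario: alice asks for A, B, C; the audit approves only A and B."""
    ledger = Ledger()
    idp = IdentityServer(ledger, audit_policy={"alice": {"A", "B"}})
    servers = {n: AppServer(n, ledger) for n in "ABC"}
    cert = idp.register("alice", "EMP-1001", requested=["A", "B", "C"])
    credential, status = idp.login(cert)
    # Tampered copy: the digest no longer matches the one on the ledger
    forged = cert.replace(b'"perm": ["A", "B"]', b'"perm": ["A", "B", "C"]')
    return {
        "granted": json.loads(cert)["perm"],
        "login_status": status,
        "server_copy_deleted": "alice" not in idp.issued_certs,
        "access": {n: s.access(credential) for n, s in servers.items()},
        "forged_login": idp.login(forged)[1],
        "unknown_credential": servers["A"].access("never-issued"),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

One caveat the page does not address: as described, the certificate is a bearer document, so anyone holding a byte-exact copy passes the first verification just as the legitimate terminal does. A deployment would bind the certificate to a key pair and have the terminal sign the login request, and it would record expiry or revocation alongside the digest so that "check value present" is not mistaken for "still valid".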
In a fourth aspect, an embodiment of the present invention provides a single sign-on device applied to an identity authentication server, including:
a receiving unit, configured to receive a login request sent by a terminal device, the login request carrying a certificate of the terminal device and being used to request a login credential for logging in to a single sign-on (SSO) system;
a sending unit, configured to send a first verification request to a blockchain network, the first verification request being used to request the blockchain network to verify, according to the verification of the certificate, whether the certificate is valid;
the receiving unit being further configured to receive a first verification response sent by the blockchain network;
the sending unit being further configured to send the login credential to the terminal device when the first verification response indicates that the certificate is valid;
a writing unit, configured to write to the blockchain network, according to the authority information of the terminal device, the access authority corresponding to the login credential when the first verification response indicates that the certificate is valid.
As an optional implementation of the embodiment of the present invention, the single sign-on device further includes a certificate generating unit;
the receiving unit is further configured to receive a registration request sent by the terminal device before the sending unit sends the first verification request to the blockchain network, the registration request carrying user information;
the certificate generating unit is configured to generate the certificate according to the user profile and the authority information;
the sending unit is further configured to send the certificate to the terminal device;
the writing unit is further configured to write the verification of the certificate into the blockchain network.
As an optional implementation of the embodiment of the present invention, the single sign-on device further includes:
a deleting unit, configured to delete the certificate generated according to the user profile and the authority information after the sending unit sends the certificate to the terminal device and the writing unit writes the verification of the certificate into the blockchain network.
As an optional implementation of the embodiment of the present invention, the sending unit is further configured to send prompt information to the terminal device when the first verification response indicates that the certificate is invalid;
where the prompt information is used to prompt that the certificate of the terminal device is invalid.
In a fifth aspect, an embodiment of the present invention provides a single sign-on device applied to an application server, the application server being an application server in a single sign-on (SSO) system, the single sign-on device including:
a receiving unit, configured to receive an access request sent by a terminal device, the access request carrying a login credential;
a sending unit, configured to send a second verification request to a blockchain network, the second verification request being used to request the blockchain network to verify, according to the access authority corresponding to the login credential, whether the terminal device has the authority to access the application server;
the receiving unit being further configured to receive a second verification response sent by the blockchain network;
a processing unit, configured to allow the terminal device to access when the second verification response indicates that the terminal device has the authority to access the application server.
As an optional implementation of the embodiment of the present invention, the processing unit is further configured to deny the terminal device access when the second verification response indicates that the terminal device does not have the authority to access the application server.
In a sixth aspect, an embodiment of the present invention provides an identity authentication server, including a memory and a processor; the memory is used to store a computer program, and the processor is used to execute, when the computer program is invoked, the single sign-on method according to the first aspect or any implementation of the first aspect.
In a seventh aspect, an embodiment of the present invention provides an application server, including a memory and a processor; the memory is used to store a computer program, and the processor is used to execute, when the computer program is invoked, the single sign-on method according to the first aspect or the second aspect or any implementation thereof.
In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the single sign-on method according to the first aspect, the second aspect, any implementation of the first aspect, or any implementation of the second aspect.
In a ninth aspect, an embodiment of the present invention provides a single sign-on system including at least one of: the single sign-on device according to the third aspect or any implementation of the third aspect, the single sign-on device according to the fourth aspect or any implementation of the fourth aspect, the identity authentication server according to the fifth aspect, and the application server according to the sixth aspect.
In the single sign-on method provided by the embodiment of the present invention, when the identity authentication server receives a login request sent by a terminal device, it first sends a request to the blockchain network to verify whether the certificate is valid, and sends the login credential to the terminal device only when the received first verification response indicates that the certificate is valid. The embodiment of the present invention can therefore, when the terminal device logs in to the SSO, check the validity of the terminal device's certificate through the blockchain network, thereby improving the security of the data on the application servers in the SSO in terms of identity authentication. In addition, when the first verification response indicates that the certificate is valid, the identity authentication server also writes into the blockchain network, according to the permission information of the terminal device, the access permission corresponding to the login credential. When the terminal device has logged in to the SSO with the login credential and wants to access a target application server in the SSO, the target application server sends the blockchain network a second verification request, requesting the blockchain network to verify, according to the access permission corresponding to the login credential, whether the terminal device has permission to access the target application server, and allows the terminal device access only when the second verification response indicates that the terminal device has that permission. The embodiment of the present invention can therefore also, when the terminal device accesses an application server in the SSO, improve the security of the data on the application servers in the SSO in terms of user permissions. That is, the embodiment of the present invention improves the security of the data on the application servers in the SSO in both identity authentication and user permissions, and thus improves that security compared with the prior art.
Description of the drawings
Figure 1 is a schematic structural diagram of a single sign-on system provided by an embodiment of the present invention;
Figure 2 is a schematic diagram of the interaction flow of a single sign-on method provided by an embodiment of the present invention;
Figure 3 is a structural diagram of a single sign-on device provided by an embodiment of the present invention;
Figure 4 is a schematic diagram of the hardware structure of an identity authentication server provided by an embodiment of the present invention;
Figure 5 is a structural diagram of a single sign-on device provided by an embodiment of the present invention;
Figure 6 is a schematic diagram of the hardware structure of an application server provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects before and after it; in a formula, the character "/" indicates a "division" relationship between them. Unless otherwise specified, "a plurality of" herein means two or more.
To describe the technical solutions of the embodiments of the present invention clearly, the words "first", "second" and the like are used in the embodiments of the present invention to distinguish identical or similar items having substantially the same function or effect. A person skilled in the art will understand that the words "first", "second" and the like do not limit quantity or order of execution.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate an example, an instance or an illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present invention should not be construed as being preferred over or advantageous compared with other embodiments or designs. Rather, the words "exemplary" or "for example" are intended to present the relevant concepts in a concrete manner.
The system architecture to which the single sign-on method provided by the embodiment of the present invention is applied is described first.
As shown in Figure 1, the single sign-on system provided by the embodiment of the present invention includes: at least one terminal device (Figure 1 shows one terminal device 11 as an example), an SSO system 12 including a plurality of application servers (Figure 1 shows the SSO system 12 as including application server 121, application server 122, application server 123, application server 124 and application server 125 as an example), an identity authentication server 13, and a blockchain network 14.
The terminal device 11 and the identity authentication server 13 may communicate by wire or wirelessly, and the terminal device 11 may communicate by wire or wirelessly with each application server of the SSO system 12; each application server in the SSO system 12 may communicate by wire or wirelessly with the blockchain network 14, and the identity authentication server 13 may likewise communicate by wire or wirelessly with the blockchain network 14.
The terminal device 11 in the embodiment of the present invention may be a mobile phone, a tablet computer, a notebook computer, a personal computer (PC), an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA), a smart watch, a smart bracelet or the like, or the terminal device may be another type of electronic device; the embodiment of the present invention does not limit this. For ease of understanding by those skilled in the art, the drawings show the terminal device 11 as a PC by way of example.
An embodiment of the present invention provides a single sign-on method. As shown in Figure 2, in the single sign-on method provided by the embodiment of the present invention, the devices of the single sign-on system described above respectively perform the following steps:
S11. The terminal device sends a login request to the identity authentication server.
Correspondingly, the identity authentication server receives the login request sent by the terminal device.
The login request carries the certificate of the terminal device and is used to request a login credential for logging in to the SSO.
S12. The identity authentication server sends a first verification request to the blockchain network.
Correspondingly, the blockchain network receives the first verification request sent by the identity authentication server.
The first verification request is used to request the blockchain network to verify, according to the checksum of the certificate, whether the certificate is valid.
The checksum of the certificate is written into the blockchain network by the identity authentication server. That is, before the identity authentication server sends the first verification request to the blockchain network, it must generate the certificate and the checksum of the certificate from the user profile data, permission data and the like, and write the certificate and the checksum of the certificate into the blockchain network.
Writing the certificate and the checksum of the certificate into the blockchain network prevents the certificate and/or its checksum from being tampered with by an attacker, thereby improving data security.
S13. The blockchain network sends a first verification response to the identity authentication server.
Correspondingly, the identity authentication server receives the first verification response sent by the blockchain network.
The first verification response is used to indicate that the certificate is valid or that the certificate is invalid.
When the first verification response indicates that the certificate is valid, the following step S14 and the steps after S14 are performed.
S14. The identity authentication server sends the login credential to the terminal device.
Correspondingly, the terminal device receives the login credential sent by the identity authentication server.
The login credential in the embodiment of the present invention is generated by the identity authentication server. Optionally, the identity authentication server may generate the login credential corresponding to each terminal device when that terminal device registers and store it in local storage; when the first verification response indicates that the certificate is valid, it looks up the login credential corresponding to the terminal device in local storage and sends it to the terminal device. Optionally, the identity authentication server may instead generate the login credential corresponding to the terminal device when the first verification response indicates that the certificate is valid, and delete the login credential after sending it to the terminal device, so that an attacker who compromises the identity authentication server cannot obtain the terminal device's login credential.
S15. The identity authentication server writes the access permission corresponding to the login credential into the blockchain network according to the permission information of the terminal device.
Correspondingly, the blockchain network receives the access permission corresponding to the login credential written by the identity authentication server.
Optionally, the identity authentication server may obtain the permission information of the terminal device as follows: a Lightweight Directory Access Protocol (LDAP) system is set up, the terminal device's data (including its permission information) is stored in the LDAP system, and when the permission information of the terminal device is needed it is read from the LDAP system.
Specifically, LDAP is an open, neutral, industry-standard application protocol used to provide access control and maintain distributed directory information over the IP protocol. The LDAP system in the embodiment of the present invention may be independent of the identity authentication server or integrated into it; the embodiment of the present invention does not limit this.
With step S14 above, the identity authentication server has completed the authentication of the terminal device. In this authentication process, the identity authentication server sends the terminal device's certificate to the blockchain network, receives the blockchain network's verification result, and decides according to that result whether to send the login credential to the terminal device. The above embodiment can therefore prevent a network attacker from logging in with a forged root certificate and a forged user certificate, thereby improving the security of the data on the application servers in the SSO.
S16. The terminal device sends an access request to the target application server in the SSO.
Correspondingly, the target application server receives the access request sent by the terminal device.
The access request carries the login credential.
S17. The target application server sends a second verification request to the blockchain network.
Correspondingly, the blockchain network receives the second verification request sent by the target application server.
The second verification request is used to request the blockchain network to verify, according to the access permission corresponding to the login credential, whether the terminal device has permission to access the target application server.
S18. The blockchain network sends a second verification response to the target application server.
Correspondingly, the target application server receives the second verification response sent by the blockchain network.
The second verification response is used to indicate that the terminal device has permission to access the target application server, or that it does not.
When the second verification response indicates that the terminal device has permission to access the target application server, the following step S19 is performed.
S19. The target application server allows the terminal device access.
Through steps S15 to S19 above, the target application server has completed the verification of the terminal device's access permission. In this verification process, the target application server sends a second verification request to the blockchain network and decides, according to the second verification response sent by the blockchain network, whether to allow the terminal device access. The above embodiment can therefore prevent a network attacker from tampering with the terminal device's access permission and thereby causing data leakage, so the embodiment of the present invention further improves the security of the data on the application servers in the SSO.
In the single sign-on method provided by the embodiment of the present invention, when the identity authentication server receives a login request sent by a terminal device, it first sends a request to the blockchain network to verify whether the certificate is valid, and sends the login credential to the terminal device only when the received first verification response indicates that the certificate is valid. The embodiment of the present invention can therefore, when the terminal device logs in to the SSO, check the validity of the terminal device's certificate through the blockchain network, thereby improving the security of the data on the application servers in the SSO in terms of identity authentication. In addition, when the first verification response indicates that the certificate is valid, the identity authentication server also writes into the blockchain network, according to the permission information of the terminal device, the access permission corresponding to the login credential. When the terminal device has logged in to the SSO with the login credential and wants to access a target application server in the SSO, the target application server sends the blockchain network a second verification request, requesting the blockchain network to verify, according to the access permission corresponding to the login credential, whether the terminal device has permission to access the target application server, and allows the terminal device access only when the second verification response indicates that the terminal device has that permission. The embodiment of the present invention can therefore also, when the terminal device accesses an application server in the SSO, improve the security of the data on the application servers in the SSO in terms of user permissions. That is, the embodiment of the present invention improves the security of the data on the application servers in the SSO in both identity authentication and user permissions, and thus improves that security compared with the prior art.
As an optional implementation of the embodiment of the present invention, before step S12 above (the identity authentication server sends the first verification request to the blockchain network), the single sign-on method provided by the embodiment of the present invention further includes the following steps a to c.
Step a. The identity authentication server receives a registration request sent by the terminal device.
The registration request carries a user profile.
Exemplarily, the user profile may include information such as the user's name and identification code.
Step b. The identity authentication server generates the certificate according to the user profile and the permission information.
It should be noted that the permission information may be obtained in either of two ways: the identity authentication server configures it for the terminal device according to the user profile; or the terminal device carries permission request information in the registration request, the identity authentication server reviews the permission request information carried in the registration request, and the approved permission request items are taken as the permission information.
When the terminal device carries permission request information in the registration request and the identity authentication server reviews it and takes the approved permission request items as the permission information, the permission request information carried in the registration request sent by the terminal device and the resulting permission information may be the same or different. For example, if the permission request information carried in the registration request sent by the terminal device includes access to application server A, access to application server B and access to application server C, the permission information used by the identity authentication server when generating the certificate may include permission to access application server A, application server B and application server C, or may include only permission to access application server A and application server B, without permission to access application server C.
Step c. The identity authentication server sends the certificate to the terminal device and writes the checksum of the certificate into the blockchain network.
Correspondingly, the terminal device receives the certificate sent by the identity authentication server, and the blockchain network receives the written certificate checksum.
Since the identity authentication server needs to write the checksum of the certificate into the blockchain network, it must first generate the checksum of the certificate. The embodiment of the present invention does not limit the algorithm used to generate the certificate checksum.
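The following Python is an added example, not code from the patent or its applicant: it models registration steps a to c and login and access steps S11 to S19 in memory, with the blockchain network reduced to two append-only records, the LDAP system to a dictionary, and the certificate checksum to SHA-256 over canonical JSON. All three choices are assumptions; the patent leaves the checksum algorithm and the storage details open.

```python
import hashlib
import json
import secrets
from typing import Dict, List, Optional, Set, Tuple


def certificate_checksum(cert: dict) -> str:
    """Checksum of a certificate (step c). The patent does not fix the algorithm;
    SHA-256 over canonical JSON is this example's assumption."""
    canonical = json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class BlockchainNetwork:
    """Stand-in for the blockchain network: records that only the identity
    authentication server writes and that every server may query."""

    def __init__(self) -> None:
        self._cert_checksums: Set[str] = set()              # written in step c
        self._credential_rights: Dict[str, frozenset] = {}  # written in S15

    def write_certificate_checksum(self, digest: str) -> None:
        self._cert_checksums.add(digest)

    def verify_certificate(self, cert: dict) -> bool:
        # First verification (S12/S13): recompute the checksum of the presented
        # certificate and look it up; any edit to the certificate changes the digest.
        return certificate_checksum(cert) in self._cert_checksums

    def write_access_rights(self, credential: str, servers: List[str]) -> None:
        self._credential_rights[credential] = frozenset(servers)

    def verify_access(self, credential: str, server_id: str) -> bool:
        # Second verification (S17/S18): rights are keyed by the login credential.
        return server_id in self._credential_rights.get(credential, frozenset())


class IdentityAuthenticationServer:
    def __init__(self, chain: BlockchainNetwork) -> None:
        self.chain = chain
        self.directory: Dict[str, List[str]] = {}  # stands in for the LDAP system

    def register(self, username: str, requested: List[str], approved: Set[str]) -> dict:
        # Steps a/b: the permission information is the reviewed subset of the request
        granted = [s for s in requested if s in approved]
        self.directory[username] = granted
        cert = {"user": username, "rights": granted, "serial": secrets.token_hex(8)}
        self.chain.write_certificate_checksum(certificate_checksum(cert))  # step c
        return cert  # handed to the terminal device; the server keeps no copy

    def login(self, cert: dict) -> Tuple[Optional[str], str]:
        # S11-S14: issue a credential only if the chain confirms the certificate
        if not self.chain.verify_certificate(cert):
            return None, "certificate invalid"  # the optional prompt to the device
        credential = secrets.token_urlsafe(16)
        # S15: rights come from the directory, never from the presented certificate
        self.chain.write_access_rights(credential, self.directory.get(cert["user"], []))
        return credential, "ok"


class ApplicationServer:
    def __init__(self, server_id: str, chain: BlockchainNetwork) -> None:
        self.server_id = server_id
        self.chain = chain

    def handle_access(self, credential: str) -> bool:
        # S16-S19: allow access only on a positive second verification response
        return self.chain.verify_access(credential, self.server_id)


def run_scenario() -> dict:
    """Registration, login and two access requests, plus a tampered certificate."""
    chain = BlockchainNetwork()
    idp = IdentityAuthenticationServer(chain)
    # The review approves A and B but not C, as in the example in the text above.
    cert = idp.register("alice", ["A", "B", "C"], approved={"A", "B"})
    credential, status = idp.login(cert)
    # A certificate whose rights were edited after issue no longer matches its checksum
    tampered = dict(cert, rights=["A", "B", "C"])
    return {
        "login": status,
        "tampered_login": idp.login(tampered)[1],
        "access_A": ApplicationServer("A", chain).handle_access(credential),
        "access_C": ApplicationServer("C", chain).handle_access(credential),
        "unissued_credential": ApplicationServer("A", chain).handle_access("never-issued"),
    }


if __name__ == "__main__":
    print(run_scenario())
```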
According to the functions of the identity authentication server in the single sign-on method above, the identity authentication server provided by the embodiment of the present invention may consist of the following modules:
An account management module, whose main functions include:
setting up an LDAP system to store user data;
establishing a user registration and review mechanism that allows users to register online and reviews them;
establishing a user management mechanism that allows user administrators to add, delete, modify and query users, and notifies users by e-mail or other means;
establishing a user permission management mechanism that allows administrators to manage users' permissions to access the relevant systems.
A certificate management module, whose main functions include:
generating certificates from user profile data;
computing the checksum of a certificate and writing it into the blockchain network;
generating a unique link from which the user downloads the certificate and sending it to the terminal device;
establishing a certificate management mechanism that allows administrators to revoke and renew certificates.
An identity authentication module, whose main functions include:
sending the certificate to the terminal device when the terminal device requests to download it via the unique link;
parsing the certificate carried by the terminal device when the terminal device sends a login request;
populating the certificate information in the prescribed data structure and then initiating a certificate verification request to the blockchain network;
after the certificate is verified successfully, obtaining the permission information from the LDAP system and writing the access permission into the blockchain network;
after the certificate is verified successfully, returning the login credential to the terminal device.
As an optional implementation of the embodiment of the present invention, after the certificate is sent to the terminal device in step c above, the single sign-on method provided by the embodiment of the present invention further includes:
the identity authentication server deletes the certificate generated according to the user profile and the permission information.
Since the identity authentication server deletes the certificate generated according to the user profile and the permission information after sending it to the terminal device, a network attacker who compromises the identity authentication server cannot obtain the terminal device's certificate, so the above embodiment further improves the security of the data on the application servers in the SSO.
As an optional implementation of the embodiment of the present invention, when the first verification response indicates that the certificate is invalid, the single sign-on method provided by the embodiment of the present invention further includes:
the identity authentication server sends prompt information to the terminal device;
the prompt information is used to indicate that the certificate of the terminal device is invalid.
As an optional implementation of the embodiment of the present invention, when the second verification response indicates that the terminal device does not have permission to access the target application server, the single sign-on method provided by the embodiment of the present invention further includes:
the target application server denies the terminal device access.
本申请实施例可以根据上述方法示例对终端设备等进行功能模块的划分。例如,可以对应各个功能划分各个功能模块,也可以将两个或两个以上的功能集成在一个模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。需要说明的是,本申请实施例中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。The embodiment of the present application may divide the terminal device and the like into functional modules according to the foregoing method example. For example, each function module may be divided corresponding to each function, or two or more functions may be integrated into one module. The above-mentioned integrated modules can be implemented in the form of hardware or software functional modules. It should be noted that the division of modules in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
在采用集成单元的情况下,图3示出了上述实施例中所涉及的应用于身份认证服务器的单点登录装置的一种可能的结构示意图,该单点登录装置300包括:In the case of an integrated unit, FIG. 3 shows a possible structural diagram of the single sign-on device applied to the identity authentication server involved in the foregoing embodiment, and the single sign-on device 300 includes:
接收单元31,用于接收终端设备发送的登录请求;所述登录请求携带有所述终端设备的证书,用于请求获取登录单点登录系统SSO的登录凭证;The receiving unit 31 is configured to receive a login request sent by a terminal device; the login request carries a certificate of the terminal device, and is used to request to obtain a login credential for logging in to the SSO system;
发送单元32,用于向区块链网络发送第一验证请求,所述第一验证请求用于请求所述区块链网络根据所述证书的校验验证所述证书是否有效;The sending unit 32 is configured to send a first verification request to the blockchain network, where the first verification request is used to request the blockchain network to verify whether the certificate is valid according to the verification of the certificate;
所述接收单元31,还用于接收所述区块链网络发送的第一验证应答;The receiving unit 31 is further configured to receive the first verification response sent by the blockchain network;
所述发送单元32,还用于在所述第一验证应答指示所述证书有效的情况下,向所述终端设备发送所述登录凭证;The sending unit 32 is further configured to send the login credentials to the terminal device when the first verification response indicates that the certificate is valid;
写入单元33,用于在所述第一验证应答指示所述证书有效的情况下,根据终端设备的权限信息向所述区块链网络写入与所述登录凭证对应的访问权限。The writing unit 33 is configured to write the access authority corresponding to the login credential to the blockchain network according to the authority information of the terminal device when the first verification response indicates that the certificate is valid.
Referring to FIG. 3, as an optional implementation of this embodiment, the single sign-on apparatus 300 further includes a certificate generating unit 34;
The receiving unit 31 is further configured to receive, before the sending unit sends the first verification request to the blockchain network, a registration request sent by the terminal device, the registration request carrying user profile data;
The certificate generating unit 34 is configured to generate the certificate according to the user profile data and the authority information;
The sending unit 32 is further configured to send the certificate to the terminal device;
The writing unit 33 is further configured to write the check value of the certificate to the blockchain network.
Referring to FIG. 3, as an optional implementation of this embodiment, the single sign-on apparatus 300 further includes:
A deleting unit 35, configured to delete the certificate generated from the user profile data and the authority information after the sending unit has sent the certificate to the terminal device and the writing unit has written the check value of the certificate to the blockchain network.
As an optional implementation of this embodiment, the sending unit 32 is further configured to send prompt information to the terminal device when the first verification response indicates that the certificate is invalid;
The prompt information indicates to the terminal device that its certificate is invalid.
Where integrated units are used, FIG. 4 shows a possible structure of the single sign-on apparatus applied to an application server in the SSO system of the foregoing embodiments; the single sign-on apparatus 400 includes:
A receiving unit 41, configured to receive an access request sent by a terminal device, the access request carrying a login credential;
A sending unit 42, configured to send a second verification request to the blockchain network, the second verification request requesting the blockchain network to verify, according to the access rights corresponding to the login credential, whether the terminal device is authorized to access the application server;
The receiving unit 41 is further configured to receive the second verification response sent by the blockchain network;
A processing unit 43, configured to allow the terminal device access when the second verification response indicates that the terminal device is authorized to access the application server.
As an optional implementation of this embodiment, the processing unit 43 is further configured to deny the terminal device access when the second verification response indicates that the terminal device is not authorized to access the application server.
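The registration, login and access flows of the two apparatuses described above (the identity authentication server's units 31 to 35 and the application server's units 41 to 43), as an added example in Python that is not part of the patent or of any product of the applicant. It models the blockchain network as an in-memory append-only ledger, assumes that the certificate's check value is a SHA-256 digest of the certificate's canonical JSON encoding, and uses constructed user data; the identity authentication server keeps no copy of the certificate after issuing it and takes the authority information at login from the certificate that the ledger has just validated. All class and function names are this example's own.

```python
import hashlib
import json
import secrets


class Ledger:
    """Stand-in for the blockchain network (assumption: an append-only log
    whose current state is 'latest write wins' per key)."""

    def __init__(self):
        self._entries = []

    def write(self, key, value):
        # Entries are only ever appended, never edited in place.
        self._entries.append((key, value))

    def read(self, key):
        for k, v in reversed(self._entries):
            if k == key:
                return v
        return None


def cert_check_value(cert):
    """The 'check value' of the certificate that is written to the chain:
    assumed here to be a SHA-256 digest of the certificate's canonical JSON."""
    canonical = json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class IdentityAuthServer:
    def __init__(self, ledger):
        self.ledger = ledger

    def register(self, user_profile, authority_info):
        """Registration: build the certificate from the user profile and the
        authority information, record its check value on the chain and hand
        the certificate to the terminal. No copy is retained server-side."""
        cert = {
            "cert_id": secrets.token_hex(8),
            "user": user_profile,
            "authority": sorted(authority_info),
        }
        self.ledger.write(("cert", cert["cert_id"]), cert_check_value(cert))
        return cert

    def login(self, cert):
        """Login: the first verification request asks the chain whether the
        presented certificate's check value matches the recorded one. On
        success, issue a credential and bind its access rights on the chain."""
        recorded = self.ledger.read(("cert", cert.get("cert_id")))
        if recorded is None or recorded != cert_check_value(cert):
            return {"ok": False, "prompt": "certificate invalid"}
        credential = secrets.token_urlsafe(16)
        # The authority information comes from the certificate that the chain
        # has just validated, so an edited 'authority' field never reaches here.
        self.ledger.write(("cred", credential), list(cert["authority"]))
        return {"ok": True, "credential": credential}


class ApplicationServer:
    def __init__(self, name, ledger):
        self.name = name
        self.ledger = ledger

    def access(self, credential):
        """Access: the second verification request asks the chain whether the
        rights bound to this credential cover this application server."""
        rights = self.ledger.read(("cred", credential))
        return rights is not None and self.name in rights


def run_demo():
    """Exercise the three flows with constructed data; returns the outcomes."""
    ledger = Ledger()
    idp = IdentityAuthServer(ledger)
    crm = ApplicationServer("crm", ledger)
    payroll = ApplicationServer("payroll", ledger)

    # Constructed registration: alice may reach the CRM server only.
    cert = idp.register({"name": "alice", "dept": "sales"}, ["crm"])
    login = idp.login(cert)
    credential = login["credential"]

    # A certificate with an edited authority field no longer matches the
    # check value on the chain, so the first verification fails.
    forged = dict(cert, authority=["crm", "payroll"])

    return {
        "login_ok": login["ok"],
        "crm_allowed": crm.access(credential),
        "payroll_allowed": payroll.access(credential),
        "forged_login_ok": idp.login(forged)["ok"],
        "forged_prompt": idp.login(forged).get("prompt"),
        "unknown_credential_allowed": payroll.access("no-such-credential"),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The ledger lookup in `login` is an integrity check on the presented certificate, which is what the page describes; it does not by itself establish that the presenter is the party the certificate was issued to, so a deployment would pair it with proof of possession (for example, a signature over a server nonce) and give the credential an expiry. Because the ledger is append-only, revoking a credential is another write that the application server's lookup must honour; the 'latest write wins' read above does that.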
Because the single sign-on apparatus applied to the identity authentication server and the single sign-on apparatus applied to the application server can each carry out the single sign-on method of the foregoing method embodiments, they achieve technical effects similar to those embodiments, which are not repeated here.
Based on the same inventive concept, an embodiment of the present invention further provides an identity authentication server. FIG. 5 is a schematic structural diagram of the identity authentication server provided by this embodiment; as shown in FIG. 5, it includes a memory 51 for storing a computer program and a processor 52 that, when invoking the computer program, executes the steps performed by the identity authentication server in the single sign-on method of the foregoing method embodiments.
Based on the same inventive concept, an embodiment of the present invention further provides an application server in an SSO system. FIG. 6 is a schematic structural diagram of the application server provided by this embodiment; as shown in FIG. 6, it includes a memory 61 for storing a computer program and a processor 62 that, when invoking the computer program, executes the steps performed by the application server in the single sign-on method of the foregoing method embodiments.
The identity authentication server and the application server of this embodiment can carry out the single sign-on method of the foregoing method embodiments; their implementation principles and technical effects are similar and are not repeated here.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the single sign-on method of the foregoing method embodiments.
Those skilled in the art will understand that embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product embodied on one or more computer-usable storage media containing computer-usable program code.
The processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
The memory may include non-persistent memory, random access memory (RAM) and/or non-volatile memory in a computer-readable medium, such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable storage media. A storage medium may implement information storage by any method or technology, and the information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media exclude transitory media such as modulated data signals and carrier waves.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements causing the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

  1. A single sign-on method, applied to an identity authentication server, wherein the method comprises:
    receiving a login request sent by a terminal device, the login request carrying a certificate of the terminal device and requesting a login credential for logging in to a single sign-on (SSO) system;
    sending a first verification request to a blockchain network, the first verification request requesting the blockchain network to verify, according to the check value of the certificate, whether the certificate is valid;
    receiving a first verification response sent by the blockchain network; and
    when the first verification response indicates that the certificate is valid, sending the login credential to the terminal device and writing, according to the authority information of the terminal device, the access rights corresponding to the login credential to the blockchain network.
  2. The method according to claim 1, wherein before sending the first verification request to the blockchain network, the method further comprises:
    receiving a registration request sent by the terminal device, the registration request carrying user profile data;
    generating the certificate according to the user profile data and the authority information; and
    sending the certificate to the terminal device and writing the check value of the certificate to the blockchain network.
  3. The method according to claim 2, wherein after sending the certificate to the terminal device and writing the check value of the certificate to the blockchain network, the method further comprises: deleting the certificate generated from the user profile data and the authority information.
  4. The method according to any one of claims 1 to 3, wherein the method further comprises:
    when the first verification response indicates that the certificate is invalid, sending prompt information to the terminal device,
    wherein the prompt information indicates to the terminal device that its certificate is invalid.
  5. A single sign-on method, applied to a target application server in a single sign-on (SSO) system, wherein the method comprises:
    receiving an access request sent by a terminal device, the access request carrying a login credential;
    sending a second verification request to a blockchain network, the second verification request requesting the blockchain network to verify, according to the access rights corresponding to the login credential, whether the terminal device is authorized to access the target application server;
    receiving a second verification response sent by the blockchain network; and
    when the second verification response indicates that the terminal device is authorized to access the target application server, allowing the terminal device access.
  6. The method according to claim 5, wherein the method further comprises:
    when the second verification response indicates that the terminal device is not authorized to access the target application server, denying the terminal device access.
  7. A single sign-on method, comprising:
    sending, by a terminal device, a login request to an identity authentication server, the login request carrying a certificate of the terminal device and requesting a login credential for logging in to a single sign-on (SSO) system;
    sending, by the identity authentication server, a first verification request to a blockchain network, the first verification request requesting the blockchain network to verify, according to the check value of the certificate, whether the certificate is valid;
    receiving, by the identity authentication server, a first verification response sent by the blockchain network;
    when the first verification response indicates that the certificate is valid, sending, by the identity authentication server, the login credential to the terminal device and writing, according to the authority information of the terminal device, the access rights corresponding to the login credential to the blockchain network;
    sending, by the terminal device, an access request to a target application server in the SSO system, the access request carrying the login credential;
    sending, by the target application server, a second verification request to the blockchain network, the second verification request requesting the blockchain network to verify, according to the access rights corresponding to the login credential, whether the terminal device is authorized to access the target application server;
    receiving, by the target application server, a second verification response sent by the blockchain network; and
    when the second verification response indicates that the terminal device is authorized to access the target application server, allowing, by the target application server, the terminal device access.
  8. The method according to claim 7, wherein before the terminal device sends the login request to the identity authentication server, the method further comprises:
    sending, by the terminal device, a registration request to the identity authentication server, the registration request carrying user profile data;
    generating, by the identity authentication server, the certificate according to the user profile data and the authority information; and
    sending, by the identity authentication server, the certificate to the terminal device and writing the check value of the certificate to the blockchain network.
  9. The method according to claim 8, wherein after the identity authentication server sends the certificate to the terminal device and writes the check value of the certificate to the blockchain network, the method further comprises:
    deleting, by the identity authentication server, the certificate generated from the user profile data and the authority information.
  10. The method according to any one of claims 7 to 9, wherein:
    when the first verification response indicates that the certificate is invalid, the identity authentication server sends prompt information to the terminal device,
    wherein the prompt information indicates to the terminal device that its certificate is invalid.
  11. The method according to any one of claims 7 to 10, wherein when the second verification response indicates that the terminal device is not authorized to access the target application server, the target application server denies the terminal device access.
  12. A single sign-on apparatus, applied to an identity authentication server, comprising:
    a receiving unit, configured to receive a login request sent by a terminal device, the login request carrying a certificate of the terminal device and requesting a login credential for logging in to a single sign-on (SSO) system;
    a sending unit, configured to send a first verification request to a blockchain network, the first verification request requesting the blockchain network to verify, according to the check value of the certificate, whether the certificate is valid;
    the receiving unit being further configured to receive a first verification response sent by the blockchain network;
    the sending unit being further configured to send the login credential to the terminal device when the first verification response indicates that the certificate is valid; and
    a writing unit, configured to write, when the first verification response indicates that the certificate is valid, the access rights corresponding to the login credential to the blockchain network according to the authority information of the terminal device.
  13. A single sign-on apparatus, applied to an application server, wherein the application server is an application server in a single sign-on (SSO) system, and the single sign-on apparatus comprises:
    a receiving unit, configured to receive an access request sent by a terminal device, the access request carrying a login credential;
    a sending unit, configured to send a second verification request to a blockchain network, the second verification request requesting the blockchain network to verify, according to the access rights corresponding to the login credential, whether the terminal device is authorized to access the application server;
    the receiving unit being further configured to receive a second verification response sent by the blockchain network; and
    a processing unit, configured to allow the terminal device access when the second verification response indicates that the terminal device is authorized to access the application server.
  14. An identity authentication server, comprising a memory and a processor, wherein the memory is configured to store a computer program and the processor is configured to execute, when invoking the computer program, the single sign-on method according to any one of claims 1 to 4.
  15. An application server, comprising a memory and a processor, wherein the memory is configured to store a computer program and the processor is configured to execute, when invoking the computer program, the single sign-on method according to claim 5 or 6.
  16. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the single sign-on method according to any one of claims 1 to 11.
PCT/CN2020/097895 2019-08-19 2020-06-24 Single sign-on method, device, and system WO2021031689A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910764781.4 2019-08-19
CN201910764781.4A CN112398799A (en) 2019-08-19 2019-08-19 Single sign-on method, device and system

Publications (1)

Publication Number Publication Date
WO2021031689A1 true WO2021031689A1 (en) 2021-02-25

Family

ID=74603399

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/097895 WO2021031689A1 (en) 2019-08-19 2020-06-24 Single sign-on method, device, and system

Country Status (2)

Country Link
CN (1) CN112398799A (en)
WO (1) WO2021031689A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115250186A (en) * 2021-04-12 2022-10-28 顺丰科技有限公司 Network connection authentication method, device, computer equipment and storage medium
CN115250186B (en) * 2021-04-12 2024-04-16 顺丰科技有限公司 Network connection authentication method, device, computer equipment and storage medium
CN113794716A (en) * 2021-09-14 2021-12-14 中钞信用卡产业发展有限公司杭州区块链技术研究院 Terminal device network access authentication method, device, equipment and readable storage medium
CN114567509A (en) * 2022-03-18 2022-05-31 上海派拉软件股份有限公司 Web application access system and method
CN114567509B (en) * 2022-03-18 2024-04-30 上海派拉软件股份有限公司 Web application access system and method
CN116028915A (en) * 2023-03-29 2023-04-28 江苏智云天工科技有限公司 Single-point authentication method, system and medium for user access

Families Citing this family (2)

Publication number Priority date Publication date Assignee Title
CN113420282B (en) * 2021-06-12 2022-03-01 济南浪潮数据技术有限公司 Cross-site single sign-on method and device
CN117544379B (en) * 2023-11-22 2024-06-07 北京京东方技术开发有限公司 User data transmission method and device, electronic equipment and storage medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN108173850A (en) * 2017-12-28 2018-06-15 杭州趣链科技有限公司 A kind of identity authorization system and identity identifying method based on block chain intelligence contract
CN109639711A (en) * 2018-12-29 2019-04-16 成都康赛信息技术有限公司 A kind of Distributed C AS authentication method based on privately owned chain session id
WO2019097046A1 (en) * 2017-11-20 2019-05-23 International Business Machines Corporation Authentication using delegated identities
CN109889503A (en) * 2019-01-22 2019-06-14 平安科技(深圳)有限公司 Identity management method, electronic device and storage medium based on block chain
CN109936569A (en) * 2019-02-21 2019-06-25 领信智链(北京)科技有限公司 A kind of decentralization digital identity login management system based on ether mill block chain

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US10102526B1 (en) * 2017-03-31 2018-10-16 Vijay K. Madisetti Method and system for blockchain-based combined identity, ownership, integrity and custody management
US10642967B2 (en) * 2017-11-28 2020-05-05 American Express Travel Related Services Company, Inc. Single sign-on solution using blockchain

Also Published As

Publication number Publication date
CN112398799A (en) 2021-02-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20854238; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20854238; Country of ref document: EP; Kind code of ref document: A1)