CN106899615A - A kind of single sign-on authentication method and system - Google Patents
Publication number: CN106899615A (application CN201710255949.XA)
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L63/0815 (H / H04 Electric communication technique / H04L Transmission of digital information / H04L63/00 Network architectures or network communication protocols for network security / H04L63/08 authentication of entities): providing single-sign-on or federations
- H04L63/101 (H / H04 / H04L / H04L63/00 / H04L63/10 controlling access to devices or network resources): access control lists [ACL]
Abstract
The invention belongs to the field of network communication technology, and in particular relates to a single sign-on authentication method and system. The method comprises: receiving an authentication request containing original ticket information (the machine translation renders the ticket as "document information" or "billing information"); judging from the original ticket information whether the user terminal is logging in for the first time, performing step three if so and step four otherwise; step three, sending a login instruction to the user terminal, generating a user information table when the login information sent by the user terminal is correct, judging whether the user terminal is permitted to access the service end, and generating a first authentication result and feeding it back to the service end if so, otherwise terminating; step four, judging whether the user terminal is permitted to access the service end and, if so, performing step five; step five, judging from the previous service information table, the current service information table and the user information table whether the security domain information is the same, and generating a second authentication result from that judgement for the service end. The invention lightens the user's memory burden, is flexible and secure, and keeps the authentication process simple.
Description
Technical field
The invention belongs to the field of network communication technology, and in particular relates to a single sign-on authentication method and system.
Background technology
With the spread of informatization, governments, enterprises and institutions keep adding internet-based business systems such as finance systems, human-resource systems and project operation systems. Because of the nature of these systems and their information-confidentiality requirements, every one of them has to implement essential security measures such as user management, identity recognition and permission granting, and all of them identify users by user name and password. As the number of systems grows, the user has to remember a user name and password for each one, which is a memory burden; and entering user names and passwords frequently correspondingly raises the probability that a user's password is cracked. Single sign-on systems arose to change this situation: one login gives access to multiple systems.
Existing single sign-on systems include Microsoft Passport, IBM WebSphere Portal Server and Liberty. Although these provide single sign-on, each has a different emphasis and imposes strict requirements on the system architecture; they are inflexible, integrate information poorly, are not very secure, and their authentication process is complex.
Summary of the invention
The technical problem solved by the invention is to address the deficiencies of the prior art by providing a single sign-on authentication method and system.
The technical scheme by which the invention solves this problem is as follows. A single sign-on authentication method comprises the following steps:
S1, receiving the authentication request, containing original ticket information, sent by the service end;
S2, judging whether the user terminal is logging in for the first time by searching, using the original ticket information, for a corresponding user information table; if so, performing S3, otherwise performing S4;
S3, sending a login instruction to the user terminal, generating a user information table when the login information sent by the user terminal is correct, and judging from the current service information table and the user information table whether the user terminal is permitted to access the data of the service end; if so, generating a first authentication result and feeding it back to the service end, otherwise terminating the process;
S4, judging from the current service information table and the user information table whether the user terminal is permitted to access the data of the service end; if so, performing S5, otherwise terminating the process;
S5, judging from the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table is the same as that in the current service information table, generating a second authentication result according to that judgement and feeding it back to the service end.
The beneficial effects of the invention are as follows. The original ticket information and the corresponding user information table are used to judge whether the user terminal is logging in for the first time. For a first login, double authentication is carried out by first verifying the login information and then judging whether the user terminal is permitted access, which secures the single sign-on method. For a subsequent login, double authentication is carried out by first judging permission and then judging whether the security domain information is the same, so that access within a security domain and access across security domains are each handled. The result is a flexible and secure single sign-on authentication method with a simple authentication process, a lighter memory burden on the user and better information integration.
On the basis of the above technical scheme, the invention can be further improved as follows:
Further, judging from the current service information table and the user information table whether the user terminal is permitted to access the data of the service end comprises: obtaining the access level in the current service information table and the user class in the user information table; the user terminal has permission when the access level includes the user class, and has no permission when it does not.
The beneficial effect of this further scheme is that the relation between the access level in the current service information table and the user class in the user information table decides whether the user terminal may access the data of the service end, improving the security and flexibility of single sign-on.
Further, judging from the previous service information table, the current service information table and the user information table whether the security domain information in the previous and current service information tables is the same comprises: obtaining the last access service ID in the user information table and the security domain information in the current service information table; determining the security domain information in the previous service information table from the last access service ID; and judging whether the security domain information in the previous service information table is the same as that in the current service information table.
The beneficial effect of this further scheme is that the last access service ID is read from the user information table, the previous service information table is located from it, and the security domain information of the previous and current service information tables is compared; this distinguishes access across security domains from access within a security domain, and a second authentication result appropriate to the access type is generated, giving a flexible and secure single sign-on authentication method with a simple authentication process.
Further, the first authentication result comprises: a permit-access instruction, the current access record and a randomly generated first ticket, where the current access record and the first ticket are encrypted;
when the security domain information in the previous service information table is the same as that in the current service information table, the second authentication result comprises: a permit-access instruction, the current access record and the original ticket information, where the current access record and the original ticket information are encrypted;
when the security domain information in the previous service information table differs from that in the current service information table, the second authentication result comprises: a permit-access instruction, the current access record and a randomly generated second ticket, where the current access record and the second ticket are encrypted.
The beneficial effect of this further scheme is that the content of the second authentication result is generated from the security-domain judgement, while the first authentication result has its own content, so that first-login access, access across security domains and access within a security domain each receive the appropriate authentication process and authentication result; this gives a flexible and secure single sign-on authentication method with a simple authentication process and a lighter memory burden on the user.
Further, S2 comprises: when no corresponding user information table is found, judging that the user terminal is logging in for the first time and performing S3; when a corresponding user information table is found, judging that the user terminal is not logging in for the first time and performing S4.
The beneficial effect of this further scheme is that whether a corresponding user information table is found decides whether the user terminal is logging in for the first time, and the matching authentication process and authentication result follow from that judgement; this gives a flexible and secure single sign-on authentication method with a simple authentication process and a lighter memory burden on the user.
Further, the method also comprises the step of updating the user information table according to the first authentication result or the second authentication result.
The beneficial effect of this further scheme is that, because the user information table is updated, every request by the user terminal to access service-end data can be authenticated on its own, and an earlier authentication result does not influence the current authentication process; this gives a flexible and secure single sign-on authentication method with a simple authentication process and a lighter memory burden on the user.
The technical scheme by which the invention solves this problem is also as follows. A single sign-on authentication system comprises:
a receiving module, for receiving the authentication request, containing original ticket information, sent by the service end;
a first-login judging module, for judging whether the user terminal is logging in for the first time by searching, using the original ticket information, for a corresponding user information table, and triggering the first-login authentication module if so and the non-first-login primary authentication module otherwise;
a first-login authentication module, for sending a login instruction to the user terminal, generating a user information table when the login information sent by the user terminal is correct, judging from the current service information table and the user information table whether the user terminal is permitted to access the data of the service end, and generating a first authentication result and feeding it back to the service end if so, otherwise terminating the process;
a non-first-login primary authentication module, for judging from the current service information table and the user information table whether the user terminal is permitted to access the data of the service end, and triggering the non-first-login secondary authentication module if so, otherwise terminating the process;
a non-first-login secondary authentication module, for judging from the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table is the same as that in the current service information table, generating a second authentication result according to that judgement and feeding it back to the service end.
The beneficial effects of the system are as follows. The original ticket information and the corresponding user information table are used to judge whether the user terminal is logging in for the first time. For a first login, double authentication is carried out by first verifying the login information and then judging whether the user terminal is permitted access, which secures single sign-on. For a subsequent login, double authentication is carried out by first judging permission and then judging whether the security domain information is the same, so that access within a security domain and access across security domains are each handled. The result is a flexible and secure single sign-on authentication system with a simple authentication process, a lighter memory burden on the user and better information integration.
On the basis of the above technical scheme, the system can be further improved as follows:
Further, the system adopts the same refinements as the method described above, carried out by the corresponding modules: the permission judgement obtains the access level in the current service information table and the user class in the user information table, and the user terminal has permission only when the access level includes the user class; the security-domain judgement obtains the last access service ID from the user information table and the security domain information from the current service information table, determines the security domain information in the previous service information table from the last access service ID, and compares the two; the first authentication result comprises a permit-access instruction, the current access record and a randomly generated first ticket; the second authentication result comprises a permit-access instruction, the current access record and the original ticket information when the security domain information of the previous and current service information tables is the same, and a permit-access instruction, the current access record and a randomly generated second ticket when it differs; in every case the current access record and the ticket are encrypted.
The beneficial effects of these further schemes are those stated above for the method: the relation between access level and user class decides access to the data of the service end, the comparison of security domain information distinguishes access across security domains from access within a security domain, and first-login access, cross-domain access and in-domain access each receive the appropriate authentication process and authentication result; this gives a flexible and secure single sign-on authentication system with a simple authentication process and a lighter memory burden on the user.
Brief description of the drawings
Fig. 1 is a flow diagram of the single sign-on authentication method provided by one embodiment of the invention;
Fig. 2 is a flow diagram of the single sign-on authentication method provided by another embodiment of the invention;
Fig. 3 is a flow diagram of the single sign-on authentication method provided by yet another embodiment of the invention;
Fig. 4 is a structural diagram of the single sign-on authentication system provided by an embodiment of the invention;
Fig. 5 is a flow diagram of single sign-on provided by an embodiment of the invention.
Specific embodiment
The principles and features of the invention are described below with reference to the drawings; the examples serve only to explain the invention and not to limit its scope.
As shown in Fig. 1, the single sign-on authentication method provided by one embodiment of the invention comprises the following steps:
S1, receiving the authentication request, containing original ticket information, sent by the service end;
S2, judging whether the user terminal is logging in for the first time by searching, using the original ticket information, for a corresponding user information table; if so, performing S3, otherwise performing S4;
S3, sending a login instruction to the user terminal, generating a user information table when the login information sent by the user terminal is correct, and judging from the current service information table and the user information table whether the user terminal is permitted to access the data of the service end; if so, generating a first authentication result and feeding it back to the service end, otherwise terminating the process;
S4, judging from the current service information table and the user information table whether the user terminal is permitted to access the data of the service end; if so, performing S5, otherwise terminating the process;
S5, judging from the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table is the same as that in the current service information table, generating a second authentication result according to that judgement and feeding it back to the service end.
In the single sign-on authentication method of this embodiment, the original ticket information and the corresponding user information table are used to judge whether the user terminal is logging in for the first time. For a first login, double authentication is carried out by first verifying the login information and then judging whether the user terminal is permitted access, which secures the single sign-on method. For a subsequent login, double authentication is carried out by first judging permission and then judging whether the security domain information is the same, so that access within a security domain and access across security domains are each handled. The result is a flexible and secure single sign-on authentication method with a simple authentication process, a lighter memory burden on the user and better information integration.
Optionally, in this embodiment of the invention, judging from the current service information table and the user information table whether the user terminal is permitted to access the data of the service end comprises: obtaining the access level in the current service information table and the user class in the user information table; the user terminal has permission when the access level includes the user class, and has no permission when it does not.
In this embodiment the access level comprises at least one level, and the user class is a single level. Obtaining the access level in the current service information table comprises: determining the access service ID from the authentication request sent by the service end; searching the service information tables by the access service ID to determine the current service information table; and reading the access level from the current service information table. A service information table comprises: access service ID, security domain information and access level. Each service information table is built in advance for its service end; the access service ID distinguishes service ends and corresponds one-to-one with them; the security domain information comprises a security domain number, which distinguishes security domains and corresponds one-to-one with them.
Service ends that carry the same or similar types of service are grouped into one security domain, which makes service management convenient and gives a flexible and secure single sign-on.
In this embodiment, the relation between the access level in the current service information table and the user class in the user information table decides whether the user terminal may access the data of the service end, improving the security and flexibility of single sign-on.
Optionally, in this embodiment of the invention, judging from the previous service information table, the current service information table and the user information table whether the security domain information in the previous and current service information tables is the same comprises: obtaining the last access service ID in the user information table and the security domain information in the current service information table; determining the security domain information in the previous service information table from the last access service ID; and judging whether the security domain information in the previous service information table is the same as that in the current service information table.
In this embodiment, obtaining the last access service ID in the user information table means reading it from the user information table. Obtaining the security domain information in the current service information table comprises: determining the access service ID from the authentication request sent by the service end; searching the service information tables by the access service ID to determine the current service information table; and reading the security domain number from the current service information table. Determining the security domain information in the previous service information table from the last access service ID comprises: searching the service information tables by the last access service ID to determine the previous service information table, and reading the security domain number from it. The security domain number of the previous service information table is then compared with that of the current service information table for equality.
In this embodiment, the last access service ID is read from the user information table, the previous service information table is located from it, and the security domain information of the previous and current service information tables is compared; this distinguishes access across security domains from access within a security domain, and a second authentication result appropriate to the access type is generated, giving a flexible and secure single sign-on authentication method with a simple authentication process.
Optionally, in this embodiment of the invention, the first authentication result comprises: a permit-access instruction, the current access record and a randomly generated first ticket, where the current access record and the first ticket are encrypted;
when the security domain information in the previous service information table is the same as that in the current service information table, the second authentication result comprises: a permit-access instruction, the current access record and the original ticket information, where the current access record and the original ticket information are encrypted;
when the security domain information in the previous service information table differs from that in the current service information table, the second authentication result comprises: a permit-access instruction, the current access record and a randomly generated second ticket, where the current access record and the second ticket are encrypted.
In this embodiment, the encryption is carried out differently according to the security domain to which the service end belongs. The first ticket is the ticket generated when the user accesses service-end data again after having exited single sign-on; the second ticket is the ticket generated when the user has not exited single sign-on but accesses service-end data in a security domain different from that of the previously accessed service end.
In this embodiment, the content of the second authentication result is generated from the security-domain judgement, while the first authentication result has its own content, so that first-login access, access across security domains and access within a security domain each receive the appropriate authentication process and authentication result; this gives a flexible and secure single sign-on authentication method with a simple authentication process and a lighter memory burden on the user.
Optionally, in this embodiment of the invention, S2 comprises: when no corresponding user information table is found, judging that the user terminal is logging in for the first time and performing S3; when a corresponding user information table is found, judging that the user terminal is not logging in for the first time and performing S4.
In this embodiment, for each login user ID only the newest user information table with that login user ID is kept in the search range; the other user information tables with the same login user ID are stored separately, and when the user terminal exits single sign-on the newest table is moved to the region where the other user information tables are stored. The search for a user information table corresponding to the original ticket information is carried out only among these newest user information tables. A corresponding user information table is one whose ticket information matches the original ticket information in the authentication request. If no corresponding user information table is found, the user terminal has not logged in again since exiting single sign-on, so it is judged to be logging in for the first time and S3 is performed; if one is found, the user has already logged in, the login status in the user information table is "logged in", the user terminal is judged not to be logging in for the first time, and S4 is performed.
The user information table comprises: login user ID, login user password, user class, ticket information, last access service ID, login IP and login status. The login IP records the address of the user terminal so that its usage record is traceable, improving network security; the login status records whether the user terminal is logged in or not logged in. The user information table is updated whenever its content changes. The user class is set uniquely in advance.
In this embodiment, whether a corresponding user information table is found decides whether the user terminal is logging in for the first time, and the matching authentication process and authentication result follow from that judgement; this gives a flexible and secure single sign-on authentication method with a simple authentication process and a lighter memory burden on the user.
Alternatively, in the embodiment of the present invention, also including updating user's letter according to the first authentication result or the second authentication result
The step of breath table.
In this embodiment, when the second authentication result contains the access-granted instruction, the current access record and the original ticket information, only the last accessed service ID in the user information table is updated, and the login IP is also updated if it has changed. When the second authentication result contains the access-granted instruction, the current access record and a randomly generated second ticket, only the ticket information and the last accessed service ID in the user information table are updated: the ticket information is replaced by the second ticket, and the login IP is also updated if it has changed. When a first authentication result is generated, only the ticket information, last accessed service ID and login status in the user information table are updated: the ticket information is set to the first ticket, the login status is set to "logged in", and the login IP is also updated if it has changed.
In the embodiment above, updating the user information table means that each authentication request raised when a client asks for service-side data is authenticated against the current state of that table, so a previous authentication result does not distort the current authentication process. This gives a flexible and secure single sign-on authentication method with a simple authentication process that relieves the user of remembering separate credentials.
As shown in Fig. 2, the single sign-on authentication method provided by another embodiment of the invention comprises the following steps:
S1, receiving an authentication request containing original ticket information sent by the service side;
S2, searching according to the original ticket information; no corresponding user information table exists, so the client is judged to be logging in for the first time;
S3, sending a login instruction to the client, and generating a user information table when the login information sent by the client is correct;
S4, judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side; if so, performing S5, otherwise sending an access-denied instruction to the client and terminating the process;
S5, generating a first authentication result and feeding it back to the service side;
S6, updating the user information table according to the first authentication result.
In this embodiment, S1 is specifically: receiving the authentication request containing the original ticket information sent by the service side, the original ticket information having been obtained by the decryption processing performed at the service side.
S3 is specifically: the authentication request also contains the login IP, and the login instruction is sent to the client according to that login IP. The login information comprises a username and a login password; the username is mapped to a login user ID that the single sign-on system can recognise. Verification of the login information sent by the client checks whether the username exists, whether the login password exists, and whether the username and login password match; the login information is verified as correct only when both exist and match, and as incorrect when any one of these checks fails. When the login information is incorrect, the login instruction is sent to the client again; when it is correct, a user information table is generated, in which the user level is the one set in advance, the ticket information is 0, the last accessed service ID is 0 and the login status is 0. Because the same login instruction is re-sent whichever of the three checks fails, the client learns nothing about which one failed, which avoids username enumeration; a deployment should still limit repeated login instructions to the same login IP.
The client receives the login instruction and sends its login information in reply to it.
S5 is specifically: when the judgement is that the client is permitted to access the data of the service side, the first authentication result is generated and fed back to the service side. The first authentication result comprises: the access-granted instruction, the current access record and a randomly generated first ticket; the current access record and the first ticket are encrypted. The first ticket must be drawn from a cryptographically secure random generator with enough entropy (at least 128 bits) that it cannot be guessed or enumerated, because possession of the ticket stands in for the password from this point on.
The service side, in accordance with the access-granted instruction, sends the service-side data, the current access record and the randomly generated first ticket to the client.
S6 is specifically: the user information table is updated according to the first authentication result; the ticket information is updated from 0 to the newly generated first ticket, the last accessed service ID from 0 to the ID of the service being accessed, and the login status from 0 to "logged in". User information tables whose last accessed service ID is 0 are stored separately.
As shown in Fig. 3, the single sign-on authentication method provided by yet another embodiment of the invention comprises the following steps:
S1, receiving an authentication request containing original ticket information sent by the service side;
S2, searching according to the original ticket information; a corresponding user information table exists, so the client is judged not to be logging in for the first time;
S3, judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side; if so, performing S4, otherwise sending an access-denied instruction to the client and terminating the process;
S4, judging according to the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table and in the current service information table is the same, and generating a second authentication result according to the judgement and feeding it back to the service side;
S6, updating the user information table according to the second authentication result.
In this embodiment, S4 is specifically: judging according to the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table and in the current service information table is the same. When it is judged to be the same, the second authentication result is generated and fed back to the service side, and in this case it comprises: the access-granted instruction, the current access record and the original ticket information, the current access record and the original ticket information being encrypted. When it is judged to differ, the second authentication result is generated and fed back to the service side, and in this case it comprises: the access-granted instruction, the current access record and a randomly generated second ticket, the current access record and the second ticket being encrypted.
As shown in Fig. 4, the single sign-on authentication system provided by an embodiment of the invention comprises:
a receiving module, for receiving the authentication request containing original ticket information sent by the service side;
a first-login judging module, for judging whether the client is logging in for the first time according to whether a user information table corresponding to the original ticket information exists, and if so triggering the first-login authentication module, otherwise triggering the non-first-login primary authentication module;
a first-login authentication module, for sending a login instruction to the client, generating a user information table when the login information sent by the client is correct, judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side, and if so generating a first authentication result and feeding it back to the service side, otherwise terminating the process;
a non-first-login primary authentication module, for judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side, and if so triggering the non-first-login secondary authentication module, otherwise terminating the process;
a non-first-login secondary authentication module, for judging according to the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table and in the current service information table is the same, and generating a second authentication result according to the judgement and feeding it back to the service side.
The single sign-on authentication system provided by the embodiment above judges from the original ticket information and the corresponding user information table whether the client is logging in for the first time. For a first login it performs two-stage authentication, first deciding whether the login information is correct and then whether the client is permitted access, which secures the single sign-on method. For a client that is not logging in for the first time it also performs two-stage authentication, first deciding whether the client has access permission and then whether the security domain information is the same, so that accesses within a security domain and across security domains are each handled appropriately. The result is a flexible and secure single sign-on authentication system with a simple authentication process that relieves the user of remembering separate credentials and improves the integration of information.
Optionally, in the embodiment of the invention, judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side comprises: obtaining the access level in the current service information table and the user level in the user information table; the client is permitted when the access level includes the user level, and is not permitted when the access level does not include the user level.
In the embodiment above, the relation between the access level in the current service information table and the user level in the user information table decides whether the client is permitted to access the data of the service side, which improves the security and flexibility of single sign-on.
Optionally, in the embodiment of the invention, judging according to the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table and in the current service information table is the same comprises: obtaining the last accessed service ID in the user information table and the security domain information in the current service information table; determining the security domain information in the previous service information table from the last accessed service ID; and judging whether the security domain information in the previous service information table is the same as the security domain information in the current service information table.
In the embodiment above, the last accessed service ID is taken from the user information table, the previous service information table is obtained from that ID, and the security domain information in the previous service information table is compared with that in the current service information table. This decides whether the access crosses security domains or stays within one, and the corresponding second authentication result is generated for that access type, giving a flexible and secure single sign-on authentication system with a simple authentication process.
Optionally, in the embodiment of the invention, the first authentication result comprises: the access-granted instruction, the current access record and a randomly generated first ticket, the current access record and the first ticket being encrypted.
When the security domain information in the previous service information table is the same as that in the current service information table, the second authentication result comprises: the access-granted instruction, the current access record and the original ticket information, the current access record and the original ticket information being encrypted.
When the security domain information in the previous service information table differs from that in the current service information table, the second authentication result comprises: the access-granted instruction, the current access record and a randomly generated second ticket, the current access record and the second ticket being encrypted.
In the embodiment above, the content of the second authentication result is determined by the result of the security domain judgement, while the content of the first authentication result is fixed; a first-login access, a cross-domain access and an in-domain access therefore each receive their own authentication processing and their own authentication result. This gives a flexible and secure single sign-on authentication system with a simple authentication process that relieves the user of remembering separate credentials.
Optionally, in the embodiment of the invention, the single sign-on authentication system further comprises a service information storage module and a user information storage module. The service information storage module stores all service information tables. The user information storage module stores all user information tables and comprises a real-time storage module and a long-term storage module: the real-time storage module stores, for each login user ID, the newest user information table, and the long-term storage module stores the other user information tables with the same login user ID.
The functions performed by the modules of the system have been described in detail in the embodiments of the single sign-on authentication method above and are not repeated here.
All embodiments of the invention can be applied to single sign-on. As shown in Fig. 5, the single sign-on flow is as follows. The client sends the service side an access request for service-side data; the access request contains the encrypted original ticket information and the encrypted current access record, these being the encrypted original ticket information and encrypted current access record closest in time to the access request. The service sides are divided into different security domains by a method of the prior art, for example according to the type of service. Service sides in different security domains use different decryption methods, and service sides in the same security domain use the same decryption method. The service side receives the access request, determines the security domain to which it belongs according to the encrypted current access record, decrypts the encrypted original ticket information and the encrypted current access record contained in the access request with the decryption method of that security domain, obtains the decrypted original ticket information, and generates and sends an authentication request containing the decrypted original ticket information.
The authentication request is authenticated by the single sign-on authentication method, or by the single sign-on authentication system, and the first authentication result or second authentication result is obtained and fed back to the service side. The service side receives the first or second authentication result and the access-granted instruction it contains, and in accordance with that instruction sends the client the service-side data, the newly encrypted ticket information and the newly encrypted current access record; the ticket information is the original ticket information, the randomly generated first ticket or the randomly generated second ticket. The client can then access the data of the service side. Because the decrypted ticket is the client's proof of login, the authentication request that carries it from the service side to the single sign-on system, and the result carrying the ticket back, must travel over an authenticated and encrypted channel such as TLS; the per-domain encryption described here protects the ticket only between the client and the service side.
The client provides a unified single sign-on entry, single sign-on authentication and login page for all users. When the client receives a login instruction, it sends the login information to the single sign-on authentication through the login page in accordance with the login instruction. The client provides links to all service sides.
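The Fig. 5 exchange between client, service side and single sign-on authentication can be made concrete with per-domain keys. The block below is an added example and not code from the patent. The page states only that service sides in one security domain share a decryption method and does not say how a service side in a second domain reads a ticket encrypted for the first; the example takes the conservative reading and treats such a ticket as absent, so the single sign-on side requires a fresh login. The authenticated stream cipher (HMAC-SHA256 keystream with an encrypt-then-MAC tag and separate subkeys) stands in for the unspecified "decryption method" and is for illustration only; a deployment would use AES-GCM or ChaCha20-Poly1305 from a vetted library. `DOMAIN_KEYS`, `SERVICE_DOMAIN`, `VALID_TICKETS`, `sso_authenticate` and `service_handle` are constructed names, and the single sign-on decision is stubbed by a constructed ticket table because the point here is the transport.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(domain_key):
    # separate keys for the keystream and for the tag, both derived from the domain key
    return (hmac.new(domain_key, b"enc", hashlib.sha256).digest(),
            hmac.new(domain_key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def domain_encrypt(domain_key, plaintext):
    """nonce || ciphertext || tag, fresh nonce per call (toy AE, illustration only)."""
    enc_key, mac_key = _subkeys(domain_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def domain_decrypt(domain_key, blob):
    """Plaintext, or None when the blob was not produced under this domain's key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(domain_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):        # tag checked before any decryption
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Constructed deployment: two security domains with one key each (a real deployment
# would keep these in a KMS/HSM); service sides in the same domain share the key.
DOMAIN_KEYS = {"finance": os.urandom(32), "hr": os.urandom(32)}
SERVICE_DOMAIN = {101: "finance", 102: "finance", 201: "hr"}

# Stub for the single sign-on side: valid tickets and the user each belongs to (constructed).
VALID_TICKETS = {"ticket-alice-1": "alice"}

def sso_authenticate(ticket, service_id, client_ip):
    """Stand-in for the authentication step: (ticket, current access record) or None."""
    user = VALID_TICKETS.get(ticket)
    if user is None:
        return None                                   # no user information table: login required
    return ticket, f"user={user};service={service_id};ip={client_ip}"

def service_handle(service_id, enc_ticket, enc_record, client_ip):
    """Service side of Fig. 5: decrypt with its domain key, ask SSO, re-encrypt the result."""
    key = DOMAIN_KEYS[SERVICE_DOMAIN[service_id]]
    ticket = domain_decrypt(key, enc_ticket)
    record = domain_decrypt(key, enc_record)
    if ticket is None or record is None:
        ticket = b"0"                                 # not this domain's ticket: treat as none
    result = sso_authenticate(ticket.decode(), service_id, client_ip)
    if result is None:
        return None                                   # the service side withholds its data
    new_ticket, new_record = result
    return domain_encrypt(key, new_ticket.encode()), domain_encrypt(key, new_record.encode())
```

A service side in the "hr" domain rejects a blob produced for "finance" at the tag check, before any plaintext is produced, and a single flipped ciphertext byte is rejected the same way; a fresh nonce per call means the same ticket never produces the same blob twice, so a client's stored blob cannot be matched against another's.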
The above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
Claims (10)
1. A single sign-on authentication method, characterised in that it comprises the following steps:
S1, receiving an authentication request containing original ticket information sent by a service side;
S2, judging whether the client is logging in for the first time according to whether a user information table corresponding to the original ticket information is found; if so, performing S3, otherwise performing S4;
S3, sending a login instruction to the client; generating a user information table when the login information sent by the client is correct; judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side; if so, generating a first authentication result and feeding it back to the service side, otherwise terminating the process;
S4, judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side; if so, performing S5, otherwise terminating the process;
S5, judging according to the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table and in the current service information table is the same, and generating a second authentication result according to the judgement and feeding it back to the service side.
2. The single sign-on authentication method according to claim 1, characterised in that judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side comprises: obtaining the access level in the current service information table and the user level in the user information table; the client is permitted when the access level includes the user level, and is not permitted when the access level does not include the user level.
3. The single sign-on authentication method according to claim 1, characterised in that judging according to the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table and in the current service information table is the same comprises: obtaining the last accessed service ID in the user information table and the security domain information in the current service information table; determining the security domain information in the previous service information table from the last accessed service ID; and judging whether the security domain information in the previous service information table is the same as the security domain information in the current service information table.
4. The single sign-on authentication method according to claim 1, characterised in that the first authentication result comprises: an access-granted instruction, a current access record and a randomly generated first ticket, the current access record and the first ticket being encrypted;
when the security domain information in the previous service information table is the same as that in the current service information table, the second authentication result comprises: an access-granted instruction, the current access record and the original ticket information, the current access record and the original ticket information being encrypted;
when the security domain information in the previous service information table differs from that in the current service information table, the second authentication result comprises: an access-granted instruction, the current access record and a randomly generated second ticket, the current access record and the second ticket being encrypted.
5. The single sign-on authentication method according to any one of claims 1 to 4, characterised in that S2 comprises: when no corresponding user information table is found, judging that the client is logging in for the first time and performing S3; when a corresponding user information table is found, judging that the client is not logging in for the first time and performing S4.
6. The single sign-on authentication method according to claim 5, characterised in that it further comprises the step of updating the user information table according to the first authentication result or the second authentication result.
7. A single sign-on authentication system, characterised in that it comprises:
a receiving module, for receiving an authentication request containing original ticket information sent by a service side;
a first-login judging module, for judging whether the client is logging in for the first time according to whether a user information table corresponding to the original ticket information exists, and if so triggering the first-login authentication module, otherwise triggering the non-first-login primary authentication module;
a first-login authentication module, for sending a login instruction to the client, generating a user information table when the login information sent by the client is correct, judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side, and if so generating a first authentication result and feeding it back to the service side, otherwise terminating the process;
a non-first-login primary authentication module, for judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side, and if so triggering the non-first-login secondary authentication module, otherwise terminating the process;
a non-first-login secondary authentication module, for judging according to the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table and in the current service information table is the same, and generating a second authentication result according to the judgement and feeding it back to the service side.
8. The single sign-on authentication system according to claim 7, characterised in that judging according to the current service information table and the user information table whether the client is permitted to access the data of the service side comprises: obtaining the access level in the current service information table and the user level in the user information table; the client is permitted when the access level includes the user level, and is not permitted when the access level does not include the user level.
9. The single sign-on authentication system according to claim 7, characterised in that judging according to the previous service information table, the current service information table and the user information table whether the security domain information in the previous service information table and in the current service information table is the same comprises: obtaining the last accessed service ID in the user information table and the security domain information in the current service information table; determining the security domain information in the previous service information table from the last accessed service ID; and judging whether the security domain information in the previous service information table is the same as the security domain information in the current service information table.
10. The single sign-on authentication system according to claim 7, characterised in that the first authentication result comprises: an access-granted instruction, a current access record and a randomly generated first ticket, the current access record and the first ticket being encrypted;
when the security domain information in the previous service information table is the same as that in the current service information table, the second authentication result comprises: an access-granted instruction, the current access record and the original ticket information, the current access record and the original ticket information being encrypted;
when the security domain information in the previous service information table differs from that in the current service information table, the second authentication result comprises: an access-granted instruction, the current access record and a randomly generated second ticket, the current access record and the second ticket being encrypted.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710255949.XA CN106899615A (en) | 2017-04-18 | 2017-04-18 | A kind of single sign-on authentication method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106899615A (en) | 2017-06-27 |
Family ID: 59196371
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710255949.XA (Pending) CN106899615A (en) | A kind of single sign-on authentication method and system | 2017-04-18 | 2017-04-18 |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106899615A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113297549A | 2021-06-16 | 2021-08-24 | 中国农业银行股份有限公司 | Authority control method, device, equipment and computer readable storage medium |
| CN113297549B | 2021-06-16 | 2024-03-05 | 中国农业银行股份有限公司 | Authority control method, device, equipment and computer readable storage medium |
| CN115174229A | 2022-07-08 | 2022-10-11 | 医利捷(上海)信息科技有限公司 | Service authentication method, system and electronic equipment |
| CN115174229B | 2022-07-08 | 2024-02-27 | 医利捷(上海)信息科技有限公司 | Service authentication method, system and electronic equipment |
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060075475A1 | 2004-10-01 | 2006-04-06 | Grand Central Communications, Inc. | Application identity design |
| CN102420836A | 2012-01-12 | 2012-04-18 | 中国电子科技集团公司第十五研究所 | Sign-on method and sign-on management system for service information system |
| CN104158818A | 2014-08-25 | 2014-11-19 | 中国联合网络通信集团有限公司 | Single sign-on method and system |
| CN105450637A | 2015-11-09 | 2016-03-30 | 歌尔声学股份有限公司 | Single sign-on method and device for multiple application systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 2017-06-27 | PB01 | Publication | Application publication date: 20170627 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |