CN108900561A - The method, apparatus and system of single-sign-on - Google Patents
Publication number: CN108900561A
Application number: CN201811145990.2A
Authority: CN (China)
Legal status: Pending
Classifications
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
Abstract
The present invention provides a single sign-on method, apparatus and system, relating to the technical field of information security. The method comprises: obtaining a single sign-on request issued by a user, the request carrying a user name; performing a first authentication of the single sign-on request according to the user name, the first authentication comprising at least one of the following authentication modes: face recognition authentication, audio recognition authentication, fingerprint authentication and dynamic password authentication; if the result of the first authentication is determined to be a pass, performing a second authentication on the user name in the single sign-on request, the second authentication being an authentication of an identification code corresponding to the user name; and if the result of the second authentication is a pass, the login request passes. This reduces the security risk brought by the username/password authentication mode.
Description
Technical field
The present invention relates to the field of information security technology, and more particularly to a single sign-on method, apparatus and system.
Background technique
In recent years, as China's informatization has continued to advance, information technology has developed rapidly. Enterprises and governments use more and more information systems, which burdens users with remembering accounts for many systems. Many enterprises and governments have therefore introduced the very popular Central Authentication Service (CAS) to solve the multiple-account problem.
At present the effective authentication mode of CAS is username/password authentication, and this mode carries many risks, such as weak passwords, database dumps and credential stuffing. Once the user data of the central CAS authentication is breached, an attacker obtains access to all CAS-connected applications. According to Verizon's 2016 data breach report, 63% of enterprise intrusion events involved weak passwords, and Chinese media report that 30% of information leaks are caused by passwords that are too weak. The risk created by passwords has become a serious threat to the information security of governments and enterprises.
For the security problems of CAS username/password authentication, an effective solution is provided that reduces the security risk brought by the username/password authentication mode.
Summary of the invention
In view of this, the purpose of the present invention is to provide a single sign-on method, apparatus and system that reduce the security risk brought by the username/password authentication mode.
In a first aspect, an embodiment of the invention provides a single sign-on method, comprising:
obtaining a single sign-on request issued by a user, the single sign-on request carrying a user name;
performing a first authentication of the single sign-on request according to the user name, the first authentication comprising at least one of the following authentication modes: face recognition authentication, audio recognition authentication, fingerprint authentication and dynamic password authentication;
if the result of the first authentication is determined to be a pass, performing a second authentication on the user name in the single sign-on request, the second authentication being an authentication of an identification code corresponding to the user name;
if the result of the second authentication is a pass, the login request passes.
With reference to the first aspect, an embodiment of the invention provides a first possible implementation of the first aspect, wherein the step of performing the first authentication of the single sign-on login request comprises performing any one of the following authentications: if the received face frame image is consistent with a pre-stored face frame image, determining that the result of the first authentication is a pass, the pre-stored face frame image being the face frame image matched to the user name; if the received audio is consistent with pre-stored audio, determining that the result of the first authentication is a pass, the pre-stored audio being the audio matched to the user name; if the received fingerprint is consistent with a pre-stored fingerprint, determining that the result of the first authentication is a pass; if the received dynamic password is consistent with a pre-stored dynamic password, determining that the result of the first authentication is a pass.
With reference to the first aspect, an embodiment of the invention provides a second possible implementation of the first aspect, wherein the step of performing the second authentication on the user name in the single sign-on request comprises: generating a unique identification code according to the user name, the identification code being the identification code of each corresponding subsystem in the single sign-on request; when the result of verifying the identification code is legal, the result of the second authentication is a pass.
In a second aspect, an embodiment of the invention also provides a single sign-on method, comprising: sending a single sign-on request carrying a user name to an authentication server, so that the authentication server performs a first authentication according to the user name, the first authentication information carrying the user's password or face frame image or audio or fingerprint or dynamic password; if a message is received from the authentication server indicating that the first authentication passed, sending second authentication information to the authentication server, so that the authentication server performs a second authentication according to the second authentication information.
In a third aspect, an embodiment of the invention also provides a single sign-on apparatus, comprising:
an obtaining module for obtaining the single sign-on request issued by the user, the single sign-on request carrying a user name;
a first authentication module for performing a first authentication of the single sign-on login request according to the user name, the first authentication comprising at least one of the following authentication modes: face recognition authentication, audio recognition authentication, fingerprint authentication and dynamic password authentication;
a second authentication module for, if the result of the first authentication is determined to be a pass, performing a second authentication on the user name in the single sign-on request.
In conjunction with the third aspect, an embodiment of the invention provides a first possible implementation of the third aspect, wherein the second authentication module comprises: a generation unit for generating a unique identification code according to the user name, the identification code being the identification code of each corresponding subsystem in the single sign-on request; and a second authentication unit for determining that the result of the second authentication is a pass when the result of verifying the identification code is legal.
In a fourth aspect, an embodiment of the invention also provides a single sign-on apparatus, comprising: a first sending module for sending a single sign-on request carrying a user name to an authentication server, so that the authentication server performs a first authentication according to the user name, the first authentication information carrying the user's password or face frame image or audio or fingerprint or dynamic password; and a second sending module for, if a message is received from the authentication server indicating that the first authentication passed, sending second authentication information to the authentication server, so that the authentication server performs a second authentication according to the second authentication information.
In a fifth aspect, an embodiment of the invention also provides a single sign-on system, comprising: a CAS user terminal for obtaining the single sign-on request issued by the user, the single sign-on request carrying a user name; a multi-factor authentication terminal for performing a first authentication of the single sign-on login request according to the user name, the first authentication comprising at least one of the following authentication modes: face recognition authentication, audio recognition authentication, fingerprint authentication and dynamic password authentication; a CAS service terminal for, if the result of the first authentication is determined to be a pass, performing a second authentication on the user name in the single sign-on request; and the CAS user terminal further for passing the login request when the result of the second authentication is determined to be a pass.
In a sixth aspect, an embodiment of the invention also provides a single sign-on apparatus comprising a processor, a memory and a bus, the processor and the memory being connected by the bus;
the memory stores a program;
the processor calls the program stored in the memory through the bus to execute the method of either the first aspect or the second aspect.
In a seventh aspect, an embodiment of the invention also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterised in that the processor, when executing the computer program, implements the steps of the method of the first aspect or the second aspect.
The embodiments of the invention bring the following beneficial effects: a single sign-on request issued by a user is obtained, the request carrying a user name; a first authentication of the single sign-on request is performed according to the user name, the first authentication comprising at least one of the following authentication modes: face recognition authentication, audio recognition authentication, fingerprint authentication and dynamic password authentication; if the result of the first authentication is determined to be a pass, a second authentication is performed on the user name in the single sign-on request, the second authentication being an authentication of the identification code corresponding to the user name. For the security problems of the username/password authentication mode of single sign-on under CAS, a multi-factor authentication mode is added, which reduces the security risk brought by the username/password authentication mode.
Other features and advantages of the invention will be set out in the following description and will in part be apparent from the description or be learned by practising the invention. The objects and other advantages of the invention are realised and obtained by the structure particularly pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the invention clearer and more comprehensible, preferred embodiments are described in detail below with reference to the accompanying drawings.
Detailed description of the invention
In order to illustrate the specific embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. It should be apparent that the drawings described below show some embodiments of the invention, and that those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a single sign-on method provided by an embodiment of the invention;
Fig. 2 is a structural diagram of a single sign-on apparatus provided by an embodiment of the invention;
Fig. 3 is a structural diagram of a single sign-on system provided by an embodiment of the invention;
Fig. 4 is a structural diagram of a single sign-on apparatus provided by an embodiment of the invention.
Reference numerals:
201 - obtaining module; 202 - first authentication module; 203 - second authentication module.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the drawings. Clearly the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
At present an enterprise's daily work involves multiple related systems, and the user may be required to enter a user name and password to log in to each of them. For ease of use it is desirable that the user need enter the account and password of only one related system and, after logging in, be automatically logged in to the other systems without entering a user name and password again. Many enterprises and governments have therefore introduced the very popular Central Authentication Service (CAS) to solve the multiple-account problem. But the effective authentication mode of CAS is username/password authentication, which carries many risks, such as weak passwords, database dumps and credential stuffing; once the user data of the central CAS authentication is breached, an attacker obtains access to all CAS-connected applications. On this basis, the single sign-on method, apparatus and system provided by the embodiments of the invention can reduce the security risk brought by using only username/password authentication.
To facilitate understanding of the present embodiment, a method disclosed in an embodiment of the invention is first described in detail.
Embodiment one:
An embodiment of the invention provides a single sign-on method. Referring to Fig. 1, which is a flow diagram of a single sign-on method, the method comprises:
Step S102: obtaining a single sign-on request issued by a user, the single sign-on request carrying a user name;
Step S104: performing a first authentication of the single sign-on request according to the user name, the first authentication comprising at least one of the following authentication modes: face recognition authentication, audio recognition authentication, fingerprint authentication and dynamic password authentication;
Step S106: if the result of the first authentication is determined to be a pass, performing a second authentication on the user name in the single sign-on request, the second authentication being an authentication of an identification code corresponding to the user name;
Step S108: if the result of the second authentication is a pass, the login request passes.
Single sign-on means that after logging in to one system of a group of systems, the user is authorized in all the other systems without logging in again; it comprises the two parts single sign-on and single sign-out. Among multiple application systems, the user needs to log in only once to access all mutually trusting application systems. For example, in the large systems of Tencent or Alibaba, a user who logs in to QQ and then Tencent Games, Tencent Video or QQ Music needs to log in to only one of the applications to be logged in to the others; the user authentication systems of Alipay and Taobao likewise apply single sign-on. When the user first logs in to one of the associated applications, the user's authentication information is authenticated twice. The first authentication is performed by the multi-factor authentication terminal added to the CAS system, which authenticates the user name by face recognition authentication, audio recognition authentication, fingerprint authentication or dynamic password authentication. When the first authentication passes, the user's single sign-on request is then authenticated by user name in CAS. After the second authentication passes, the single sign-on request passes.
Further, step S104 of performing the first authentication of the single sign-on login request comprises performing any one of the following authentications: if the received face frame image is consistent with a pre-stored face frame image, determining that the result of the first authentication is a pass, the pre-stored face frame image being the face frame image matched to the user name; if the received audio is consistent with pre-stored audio, determining that the result of the first authentication is a pass, the pre-stored audio being the audio matched to the user name; if the received fingerprint is consistent with a pre-stored fingerprint, determining that the result of the first authentication is a pass; if the received dynamic password is consistent with a pre-stored dynamic password, determining that the result of the first authentication is a pass.
Face recognition authentication: confirm and refuse buttons are displayed on the login information interface of the user terminal. After the user clicks confirm, the APP captures a face frame image of the user through the terminal camera and sends it to the multi-factor authentication terminal. The multi-factor authentication terminal compares the received face frame image with the face frame image bound in the system to the user who is logging in. If they match, the multi-factor authentication terminal forwards the request to the CAS service terminal, and the CAS server side performs the second authentication.
Audio recognition authentication: confirm and refuse buttons are displayed on the login information interface of the user terminal. After the user clicks confirm, the APP records an audio message of the user through the terminal and sends it to the multi-factor authentication terminal. The multi-factor authentication terminal compares the received audio message with the user's audio message in the system. If they match, the multi-factor authentication terminal forwards the login request to the CAS service terminal, and the CAS server side performs the second authentication.
Fingerprint authentication: confirm and refuse buttons are displayed on the login information interface of the user terminal. After the user clicks confirm, the APP collects the user's fingerprint information through the terminal and sends it to the multi-factor authentication terminal. The multi-factor authentication terminal compares the received fingerprint information with the user's fingerprint information in the system. If they match, the multi-factor authentication terminal forwards the login request to the CAS service terminal, and the CAS server side performs the second authentication.
Dynamic password authentication: after the user name in the login request has been bound, the multi-factor authentication terminal sends the user terminal APP a key bound to the APP and the user's identity. The user terminal APP supports Android and iOS and binds the user name identity to the APP by means of an SMS verification code. After binding succeeds, the user terminal APP generates a user key and stores it in the APP. The binding procedure of the user terminal APP is as follows: the user enters a mobile phone number in the terminal APP and applies to activate and bind the APP; the APP sends this request to the multi-factor authentication terminal, which on receiving it sends an SMS verification code to the user terminal; after the user terminal receives the SMS verification code, the user enters it in the APP, which sends it to the multi-factor authentication terminal; the multi-factor authentication terminal compares it with the SMS it sent to the user and, if the comparison passes, generates the user key and returns it to the user terminal APP, which saves this key.
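The SMS binding and dynamic password path just described, as an added example that is not the patent's own code: the terminal issues an SMS code, confirms it, hands the APP a per-user key, and later recomputes the APP's dynamic password from that key with a constant-time comparison, one step of clock skew and a replay guard. The HMAC-SHA1 6-digit derivation, the 30 s step and the in-memory stores are assumptions, not from the patent.

```python
"""Added example (not from the patent): a model of the dynamic password path
between the user terminal APP and the multi-factor authentication terminal.
Binding: the terminal sends an SMS verification code, the APP returns it,
and on a match the terminal generates a per-user key that both sides keep.
Login: the APP derives a dynamic password from the key and the current time
step; the terminal recomputes it, compares in constant time, tolerates one
step of clock skew and refuses a step it has already accepted (replay).
The HOTP-style derivation (RFC 6238 shape) and 30 s step are assumptions."""
import hashlib
import hmac
import secrets
import struct


def dynamic_password(key, step):
    """What the APP computes from its stored key for a given time step."""
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


class MFATerminal:
    STEP = 30                                     # seconds per step (assumed)

    def __init__(self):
        self._pending_sms = {}                    # (user, phone) -> SMS code
        self._keys = {}                           # user -> bound key
        self._last_step = {}                      # user -> last accepted step

    def request_binding(self, username, phone):
        """User asked to activate/bind the APP: generate the SMS code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_sms[(username, phone)] = code
        return code          # would be delivered by SMS; returned here for the demo

    def confirm_binding(self, username, phone, code_from_app):
        """Compare the code the APP sent back; on success create the user key."""
        expected = self._pending_sms.pop((username, phone), None)
        if expected is None or not hmac.compare_digest(expected, code_from_app):
            return None                           # no pending request or wrong code
        key = secrets.token_bytes(20)
        self._keys[username] = key
        return key                                # returned to the APP, which stores it

    def verify_dynamic_password(self, username, otp, now):
        """First-factor check: does the OTP match the bound key at this time?"""
        key = self._keys.get(username)
        if key is None:
            return False                          # user never bound an APP
        step = int(now // self.STEP)
        for candidate in (step, step - 1, step + 1):      # +/- one step of skew
            if candidate <= self._last_step.get(username, -1):
                continue                          # already used or older: replay
            if hmac.compare_digest(dynamic_password(key, candidate), otp):
                self._last_step[username] = candidate
                return True
        return False
```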
Specifically, step S106 of performing the second authentication on the user name in the single sign-on request comprises: generating a unique identification code according to the user name, the identification code being the identification code of each corresponding subsystem in the single sign-on request; when the result of verifying the identification code is legal, the result of the second authentication is a pass.
The CAS Client (CAS user terminal) is deployed together with the protected client application and protects the protected resources in the manner of a Filter. For every browser request for a protected resource, the CAS Client analyses whether the request contains a Service Ticket. If not, the current user has not yet logged in, so the request is redirected to the specified CAS Server (CAS service terminal) login address, passing the Service (the destination resource address to be accessed) so that the user can be returned to that address after a successful login. The user enters authentication information; if the login succeeds, the CAS Server randomly generates a fairly long Service Ticket that is unique and cannot be forged, and caches it for later verification. The system then automatically redirects to the Service address and sets a Ticket Granting Cookie (TGC) in the user's browser. The TGC is the cookie that stores the user's authentication credential; it is used in communication between the browser and the CAS Server, can be transmitted over a secure channel, and is the credential the CAS Server uses to identify the user. Having obtained the Service and the newly generated Ticket, the CAS Client verifies the user's identity with the CAS Server to ensure the legitimacy of the Service Ticket.
All interaction with CAS uses the SSL protocol, which ensures the security of the Service Ticket and the TGC within the protocol. The protocol involves two redirects, but the Ticket verification between the CAS Client and the CAS Server is transparent to the user.
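The Service Ticket lifecycle described above, as an added example that is not the patent's or the CAS project's own code: a CAS server that issues a long random ticket and a TGC only after both authentication steps pass, and a client filter that redirects when no ticket is present and otherwise validates the ticket once, for the Service it was issued to, within a short lifetime. The host names, the 10 s lifetime and the in-memory stores are assumptions; real CAS exchanges these over HTTPS redirects and an XML validation response.

```python
"""Added example (not from the patent or the CAS project): a model of CAS
Service Ticket (ST) and Ticket Granting Cookie (TGC) handling.  The server
issues an ST only after the first and second authentication both passed,
binds it to the requested Service, caches it for later verification and
accepts it exactly once.  The client filter mirrors the CAS Client role in
front of the protected application.  Names and the 10 s lifetime are
assumptions chosen for this illustration."""
import secrets
import time
from urllib.parse import quote

CAS_LOGIN_URL = "https://cas.example/login"     # placeholder CAS Server address


class CASServer:
    ST_TTL = 10.0                                # seconds an unused ST stays valid

    def __init__(self):
        self._tickets = {}                       # ST -> [username, service, issued_at, used]
        self._sessions = {}                      # TGC -> username

    def login(self, username, service, first_ok, second_ok, now=None):
        """Issue (ST, TGC) only if both authentication steps passed."""
        if not (first_ok and second_ok):
            return None
        now = time.time() if now is None else now
        st = "ST-" + secrets.token_urlsafe(32)   # long, unique, unguessable
        self._tickets[st] = [username, service, now, False]
        tgc = "TGC-" + secrets.token_urlsafe(32) # credential kept in the browser cookie
        self._sessions[tgc] = username
        return st, tgc

    def validate(self, st, service, now=None):
        """Ticket verification requested by the CAS Client; None means reject."""
        now = time.time() if now is None else now
        entry = self._tickets.get(st)
        if entry is None or entry[3]:
            return None                          # unknown, forged, or already used
        username, bound_service, issued_at, _ = entry
        if bound_service != service:
            return None                          # issued for a different Service
        if now - issued_at > self.ST_TTL:
            return None                          # expired
        entry[3] = True                          # single use
        return username

    def user_for_tgc(self, tgc):
        """Resolve the browser's TGC to the authenticated user, if any."""
        return self._sessions.get(tgc)


def cas_client_filter(server, service, request_params):
    """Filter protecting the application: redirect, deny, or allow with a user."""
    st = request_params.get("ticket")
    if st is None:
        # not logged in yet: redirect to CAS, carrying the Service to return to
        return ("redirect", CAS_LOGIN_URL + "?service=" + quote(service, safe=""))
    username = server.validate(st, service)
    if username is None:
        return ("deny", None)
    return ("allow", username)
```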
Further, the single sign-on request is sent to the authentication server, the request carrying the user name, so that the authentication server performs the first authentication according to the user name; the first authentication information carries the user's face frame image or audio or fingerprint or dynamic password. If a message is received from the authentication server indicating that the first authentication passed, second authentication information is sent to the authentication server, so that the authentication server performs the second authentication according to the second authentication information.
After the user terminal receives the first authentication information, confirm and refuse buttons are displayed on the login information interface of the user terminal, and the multi-factor authentication is performed.
Specifically, an embodiment of the invention also provides a single sign-on apparatus. Fig. 2 is a structural diagram of a single sign-on apparatus, which comprises:
an obtaining module 201 for obtaining the single sign-on request issued by the user, the single sign-on request carrying a user name;
a first authentication module 202 for performing a first authentication of the single sign-on login request according to the user name, the first authentication comprising at least one of the following authentication modes: face recognition authentication, audio recognition authentication, fingerprint authentication and dynamic password authentication;
a second authentication module 203 for, if the result of the first authentication is determined to be a pass, performing a second authentication on the user name in the single sign-on request.
The apparatus provided by the embodiment of the invention has the same implementation principle and technical effect as the preceding method embodiment; for brevity, where the apparatus embodiment does not mention a point, reference may be made to the corresponding content of the preceding method embodiment.
Further, the second authentication module 203 comprises: a generation unit for generating a unique identification code according to the user name, the identification code being the identification code of each corresponding subsystem in the single sign-on request; and a second authentication unit for determining that the result of the second authentication is a pass when the result of verifying the identification code is legal.
An embodiment of the invention also provides a single sign-on apparatus, comprising: a first sending module for sending a single sign-on request carrying a user name to the authentication server, so that the authentication server performs the first authentication according to the user name, the first authentication information carrying the user's face frame image or audio or fingerprint or dynamic password; and a second sending module for, if a message is received from the authentication server indicating that the first authentication passed, sending second authentication information to the authentication server, so that the authentication server performs the second authentication according to the second authentication information.
The apparatus provided by the embodiment of the invention has the same implementation principle and technical effect as the preceding method embodiment; for brevity, where the apparatus embodiment does not mention a point, reference may be made to the corresponding content of the preceding method embodiment.
For a better description, an embodiment of the invention also provides a single sign-on system. Fig. 3 is a structural diagram of a single sign-on system, which comprises: a CAS user terminal for obtaining the single sign-on request issued by the user, the single sign-on request carrying a user name; a multi-factor authentication terminal for performing a first authentication of the single sign-on login request according to the user name, the first authentication comprising at least one of the following authentication modes: face recognition authentication, audio recognition authentication, fingerprint authentication and dynamic password authentication; a CAS service terminal for, if the result of the first authentication is determined to be a pass, performing a second authentication on the user name in the single sign-on request; and the CAS user terminal further for passing the login request when the result of the second authentication is determined to be a pass.
1. In Fig. 3, the user accesses the HR system (which integrates the CAS Client, i.e. the CAS user terminal) through a browser; the CAS Client obtains the single-sign-on login request from the browser and obtains the user name.
2. The browser carries the address in a GET request and is redirected by a 302 response to the CAS Server (CAS service terminal). The CAS Server acts as the public authentication authority and is responsible for issuing tickets and verifying user identity. The CAS Client is responsible for handling access requests to the protected application and redirects to the CAS Server when a login is required.
3. The CAS Server calls the MFA SDK to generate a signature from a random factor, the APPID and the APPKEY, and returns the signature to the browser. MFA (multi-factor authentication) is a security mechanism that performs several independent authentications in order to verify that a transaction is legitimate. The purpose of MFA is to establish more than one layer of defence, so that it is harder for an unauthorized person to gain access to a computer system or network.
4. The signature information is carried in a GET request to the dual-factor authentication terminal. The signature information contains the application information of the user's login, so the specific application the user is logging in to can be determined.
5. MFA returns to the dual-factor authentication terminal and waits for the authentication result over a long-lived connection.
6. The user performs the first authentication. The first authentication process comprises face recognition authentication, voice recognition authentication, fingerprint authentication and dynamic password authentication.
7. The user-terminal APP confirms, carries the device fingerprint, encrypts it and notifies the MFA Server.
8. The MFA Server finds the user name from the device fingerprint, encrypts it and returns it to the browser.
9. The MFA JS SDK submits the signature information to the CAS Server by POST. The CAS Server then calls the MFA SDK, decrypts the signature information using the random factor stored in the session to obtain the user name, and binds the user name to a ticket; when the ticket is validated in step 12, the user name is returned to the HR system.
10. The MFA Server carries the Ticket and the Service to the HR application (CAS Client).
11. The HR application (CAS Client) validates the Ticket against the CAS Server.
12. After the Ticket is validated successfully, the user name is looked up from the Ticket and returned to the HR application (CAS Client).
13. A message that authentication succeeded is sent to the HR application (CAS Client).
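The following is an added example, not code from the patent or from any CAS or MFA product, that simulates the exchange of steps 2 to 12 above and the "identification code" of the second authentication as a service ticket. The CAS Server signs its challenge with a random factor, the APPID and the APPKEY (step 3); the dual-factor terminal checks that signature, runs the first factor, maps the device fingerprint back to a user name (steps 4 to 8) and returns a response bound to the same random factor (step 9); the CAS Server then issues a ticket bound to the user name and the requesting service, which the HR application validates once (steps 10 to 12). The APPID/APPKEY values, the device fingerprint, the enrolled first-factor secret and the service URL are constructed for illustration, and the one-time, service-bound, expiring ticket is an assumption drawn from standard CAS practice rather than something the patent text spells out.

```python
"""Simulation of the CAS + MFA single-sign-on exchange (added example, not the patent's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

APPID = "hr-portal"                          # assumed application id registered with the MFA service
APPKEY = b"example-app-key-do-not-reuse"     # assumed secret shared by CAS Server and MFA Server
SERVICE = "https://hr.example.internal/"     # assumed service URL of the HR application (CAS Client)


def _sign(label, *parts):
    """HMAC-SHA256 over a labelled message; the label keeps challenge and response signatures distinct."""
    return hmac.new(APPKEY, "|".join((label,) + parts).encode(), hashlib.sha256).hexdigest()


@dataclass
class CasServer:
    """CAS service terminal: issues signed challenges and service tickets, validates tickets."""
    sessions: dict = field(default_factory=dict)   # random factor (nonce) -> APPID, the 'session' of step 9
    tickets: dict = field(default_factory=dict)    # ticket -> (user name, bound service, expiry time)
    ttl: float = 60.0                              # ticket lifetime in seconds

    def issue_challenge(self):
        """Step 3: signature over (random factor, APPID) with APPKEY, handed to the browser."""
        nonce = secrets.token_hex(16)
        self.sessions[nonce] = APPID
        return {"nonce": nonce, "appid": APPID, "sig": _sign("challenge", nonce, APPID)}

    def finish_login(self, resp, service):
        """Step 9: accept the MFA result only for a nonce we issued and never consumed, then bind a ticket."""
        nonce = resp["nonce"]
        if nonce not in self.sessions:
            raise PermissionError("unknown or replayed random factor")
        if not hmac.compare_digest(_sign("mfa-result", nonce, resp["user"]), resp["sig"]):
            raise PermissionError("MFA response signature does not verify")
        del self.sessions[nonce]                   # each random factor is usable once
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (resp["user"], service, time.time() + self.ttl)
        return ticket

    def validate(self, ticket, service):
        """Steps 11-12: one-time validation; returns the user name, or None if the ticket is not acceptable."""
        entry = self.tickets.pop(ticket, None)     # consumed on first use, whether or not it validates
        if entry is None:
            return None
        user, bound_service, expires = entry
        if bound_service != service or time.time() > expires:
            return None
        return user


@dataclass
class MfaServer:
    """Dual-factor authentication terminal: checks the challenge, runs the first factor, maps fingerprint to user."""
    enrolled: dict   # device fingerprint -> (user name, enrolled first-factor secret), constructed data

    def authenticate(self, challenge, device_fp, presented):
        """Steps 4-8: verify the CAS signature, check the presented factor, answer with a bound signature."""
        expected = _sign("challenge", challenge["nonce"], challenge["appid"])
        if not hmac.compare_digest(expected, challenge["sig"]):
            raise PermissionError("challenge was not signed by the CAS Server")
        user, secret = self.enrolled.get(device_fp, (None, None))
        if user is None or not hmac.compare_digest(secret, presented):
            raise PermissionError("first authentication failed")
        return {"nonce": challenge["nonce"], "user": user, "sig": _sign("mfa-result", challenge["nonce"], user)}


def sso_login(cas, mfa, device_fp, presented, service=SERVICE):
    """Run the whole exchange; returns (user name seen by the service or None, the ticket that was issued)."""
    challenge = cas.issue_challenge()                       # steps 2-3
    resp = mfa.authenticate(challenge, device_fp, presented)  # steps 4-8
    ticket = cas.finish_login(resp, service)                # step 9
    return cas.validate(ticket, service), ticket            # steps 10-12


if __name__ == "__main__":
    cas = CasServer()
    mfa = MfaServer({"fp-constructed-0001": ("alice", "482913")})   # one enrolled device, dynamic password 482913
    user, ticket = sso_login(cas, mfa, "fp-constructed-0001", "482913")
    print("service receives user:", user)
    print("second use of the same ticket:", cas.validate(ticket, SERVICE))
```

The checks that matter are the ones the flow text leaves implicit: the random factor is single-use, so a captured MFA response cannot be replayed to mint a second ticket; the ticket is bound to the service named at issuance, so a ticket obtained for one subsystem does not validate for another; and validation consumes the ticket, so the HR application learns the user name exactly once.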
The flowcharts and block diagrams in the drawings show the architecture, functions and operations of possible implementations of the systems, methods and computer program products according to several embodiments of the present invention. In this regard, each box in a flowchart or block diagram may represent a module, a program segment or a part of code, which comprises one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the boxes may occur in an order different from that shown in the drawings. For example, two consecutive boxes may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and combinations of boxes in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
Further, an embodiment of the present invention also provides a single-sign-on device, the device comprising a processor, a memory and a bus, the processor and the memory being connected through the bus;
the memory is used for storing a program;
the processor is used for calling, through the bus, the program stored in the memory and executing the above method.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working process of the device described above may refer to the corresponding process in the foregoing method embodiment, and is not repeated here.
Further, an embodiment of the present invention also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the above method when executing the computer program.
The electronic device provided by this embodiment has the same technical features as the single-sign-on method provided by the above embodiment, so it solves the same technical problem and achieves the same technical effect.
Referring to Fig. 4, which is a structural schematic diagram of a single-sign-on device, an embodiment of the present invention also provides a single-sign-on device comprising: a processor 40, a memory 41 and a bus 42, the processor 40 and the memory 41 being connected through the bus 42; the processor 40 is used for executing the executable modules, such as a computer program, stored in the memory 41.
The memory 41 may include high-speed random access memory (RAM) and may further include non-volatile memory, for example at least one disk memory. The bus 42 may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one double-headed arrow is drawn in Fig. 4, but this does not mean that there is only one bus or only one type of bus.
The memory 41 is used for storing a program, and the processor 40 executes the program after receiving an execution instruction. The method performed by the stream-processing device defined in any of the foregoing embodiments may be applied in, or implemented by, the processor 40.
The processor 40 may be an integrated circuit chip with signal-processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of the hardware in the processor 40 or by instructions in software form. The processor 40 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, discrete gate or transistor logic, or a discrete hardware component. It may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 41; the processor 40 reads the information in the memory 41 and completes the steps of the above method in combination with its hardware.
The computer program product for carrying out the single-sign-on method, device and system provided by the embodiments of the present invention comprises a computer-readable storage medium storing processor-executable non-volatile program code, the program code comprising instructions that can be used to execute the method described in the foregoing method embodiments; for the specific implementation, refer to the method embodiments, which are not repeated here.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, device and units described above may refer to the corresponding processes in the foregoing method embodiment, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division of the units is only a division by logical function, and there may be other divisions in actual implementation; for another example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the function is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a processor-executable non-volatile computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and comprises several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, intended to illustrate rather than limit the technical solution of the present invention, and the scope of protection of the present invention is not limited to them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone familiar with the art may, within the technical scope disclosed by the present invention, still modify the technical solutions recorded in the foregoing embodiments, or readily conceive of changes to them, or make equivalent replacements of some of their technical features; such modifications, changes or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.
Claims (10)
1. A single-sign-on method, characterized in that it comprises:
obtaining a single-sign-on request issued by a user, the single-sign-on request carrying a user name;
performing, according to the user name, a first authentication of the single-sign-on request, the first authentication comprising at least one of the following authentication modes: face recognition authentication, voice recognition authentication, fingerprint authentication and dynamic password authentication;
if the result of the first authentication is determined to be a pass, performing a second authentication of the user name in the single-sign-on request, the second authentication being an authentication of an identification code corresponding to the user name;
if the result of the second authentication is a pass, the login request passes.
2. The method according to claim 1, characterized in that the step of performing the first authentication of the single-sign-on login request comprises performing any one of the following authentications:
if the received face image is consistent with a pre-stored face image, determining that the result of the first authentication is a pass, the pre-stored face image being the face image matched to the user name;
if the received audio is consistent with pre-stored audio, determining that the result of the first authentication is a pass, the pre-stored audio being the audio matched to the user name;
if the received fingerprint is consistent with the pre-stored fingerprint, determining that the result of the first authentication is a pass;
if the received dynamic password is consistent with the pre-stored dynamic password, determining that the result of the first authentication is a pass.
3. The method according to claim 1, characterized in that the step of performing the second authentication of the user name in the single-sign-on request comprises:
generating a unique identification code according to the user name, the identification code being the identification code of each subsystem corresponding to the single-sign-on request;
when the result of verifying the identification code is legal, the result of the second authentication is a pass.
4. A single-sign-on method, characterized in that it comprises:
sending a single-sign-on request to an authentication server, the single-sign-on request carrying a user name, so that the authentication server performs a first authentication according to the user name, the first authentication information carrying the user's password, face image, audio, fingerprint or dynamic password;
if a message returned by the authentication server indicating that the first authentication passed is received, sending second authentication information to the authentication server so that the authentication server performs a second authentication according to the second authentication information.
5. A single-sign-on device, characterized in that it comprises:
an obtaining module for obtaining a single-sign-on request issued by a user, the single-sign-on request carrying a user name;
a first authentication module for performing, according to the user name, a first authentication of the single-sign-on login request, the first authentication comprising at least one of the following authentication modes: face recognition authentication, voice recognition authentication, fingerprint authentication and dynamic password authentication;
a second authentication module for, if the result of the first authentication is determined to be a pass, performing a second authentication of the user name in the single-sign-on request.
6. The device according to claim 5, characterized in that the second authentication module comprises:
a generation unit for generating a unique identification code according to the user name, the identification code being the identification code of each subsystem corresponding to the single-sign-on request;
a second authentication unit for determining, when the result of verifying the identification code is legal, that the result of the second authentication is a pass.
7. A single-sign-on device, characterized in that it comprises:
a first sending module for sending a single-sign-on request to an authentication server, the single-sign-on request carrying a user name, so that the authentication server performs a first authentication according to the user name, the first authentication information carrying the user's password, face image, audio, fingerprint or dynamic password;
a second sending module for, if a message returned by the authentication server indicating that the first authentication passed is received, sending second authentication information to the authentication server so that the authentication server performs a second authentication according to the second authentication information.
8. A single-sign-on system, characterized in that it comprises:
a CAS user terminal for obtaining a single-sign-on request issued by a user, the single-sign-on request carrying a user name;
a dual-factor authentication terminal for performing, according to the user name, a first authentication of the single-sign-on login request, the first authentication comprising at least one of the following authentication modes: face recognition authentication, voice recognition authentication, fingerprint authentication and dynamic password authentication;
a CAS service terminal for performing, if the result of the first authentication is determined to be a pass, a second authentication of the user name in the single-sign-on request;
the CAS user terminal being further configured so that, when the result of the second authentication is determined to be a pass, the login request passes.
9. A single-sign-on device, characterized in that the device comprises a processor, a memory and a bus, the processor and the memory being connected through the bus;
the memory is used for storing a program;
the processor is used for calling, through the bus, the program stored in the memory and executing the method according to any one of claims 1 to 4.
10. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 4 when executing the computer program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811145990.2A CN108900561A (en) | 2018-09-28 | 2018-09-28 | The method, apparatus and system of single-sign-on |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN108900561A true CN108900561A (en) | 2018-11-27 |
Family
ID=64360392
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811145990.2A Pending CN108900561A (en) | 2018-09-28 | 2018-09-28 | The method, apparatus and system of single-sign-on |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108900561A (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101877637A (en) * | 2009-04-30 | 2010-11-03 | 中国移动通信集团江西有限公司 | Single sign-on method and single sign-on system |
| CN103780397A (en) * | 2014-02-25 | 2014-05-07 | 中国科学院信息工程研究所 | Multi-screen multi-factor WEB identity authentication method convenient and fast to implement |
| US20160065571A1 (en) * | 2014-08-26 | 2016-03-03 | Hoyos Labs Corp. | System and methods for secure file sharing and access management |
| CN105791249A (en) * | 2014-12-26 | 2016-07-20 | 深圳云之家网络有限公司 | Third-party application processing method, device and system |
| CN106230845A (en) * | 2016-08-04 | 2016-12-14 | 杭州帕拉迪网络科技有限公司 | A kind of multifactor user authen method of flexibly configurable |
| CN107690792A (en) * | 2015-06-15 | 2018-02-13 | 安维智有限公司 | Single sign-on for unmanaged mobile devices |
| CN107743702A (en) * | 2015-06-15 | 2018-02-27 | 安维智有限公司 | Managed single sign-on for mobile devices |
| US20180152297A1 (en) * | 2016-11-01 | 2018-05-31 | Netcomm Inc. | System and Method For Digitally Signing Documents Using Biometric Data in a Blockchain or PKI |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3786820A4 (en) * | 2019-06-28 | 2021-06-16 | Rakuten, Inc. | AUTHENTICATION SYSTEM, AUTHENTICATION DEVICE, AUTHENTICATION PROCESS AND PROGRAM |
| WO2021136290A1 (en) * | 2019-12-31 | 2021-07-08 | 华为技术有限公司 | Identity authentication method and apparatus, and related device |
| CN111245795A (en) * | 2019-12-31 | 2020-06-05 | 熵加网络科技(北京)有限公司 | Single sign-on method for protecting enterprise information assets |
| CN111177686A (en) * | 2019-12-31 | 2020-05-19 | 华为技术有限公司 | Identity authentication method, device and related equipment |
| CN111177686B (en) * | 2019-12-31 | 2022-07-29 | 华为云计算技术有限公司 | Identity authentication method, device and related equipment |
| CN111245795B (en) * | 2019-12-31 | 2021-11-26 | 北京升鑫网络科技有限公司 | Single sign-on method for protecting enterprise information assets |
| CN111460434A (en) * | 2020-03-24 | 2020-07-28 | 北京大米未来科技有限公司 | Login authentication method and device, storage medium and electronic equipment |
| WO2021197288A1 (en) * | 2020-03-30 | 2021-10-07 | Iq Works Limited | Multi step authentication method and system |
| CN111639316A (en) * | 2020-05-19 | 2020-09-08 | 北京芯盾时代科技有限公司 | Information processing method and device for WEB page |
| CN111639316B (en) * | 2020-05-19 | 2021-04-06 | 北京芯盾时代科技有限公司 | Information processing method and device for WEB page |
| CN112182535A (en) * | 2020-09-24 | 2021-01-05 | 建信金融科技有限责任公司 | Operation request processing method, apparatus, electronic device and readable storage medium |
| CN112311785A (en) * | 2020-10-27 | 2021-02-02 | 珠海格力电器股份有限公司 | Method and device for cascade update of equipment authentication information |
| CN113542238A (en) * | 2021-06-29 | 2021-10-22 | 上海派拉软件股份有限公司 | Risk judgment method and system based on zero trust |
| CN114500074A (en) * | 2022-02-11 | 2022-05-13 | 京东科技信息技术有限公司 | Single-point system security access method, device and related equipment |
| CN114500074B (en) * | 2022-02-11 | 2024-04-12 | 京东科技信息技术有限公司 | Single-point system security access method and device and related equipment |
Similar Documents
| Publication | Title |
|---|---|
| CN108900561A (en) | The method, apparatus and system of single-sign-on |
| US11405380B2 (en) | Systems and methods for using imaging to authenticate online users |
| US12250209B2 (en) | Network identity protection method and device, and electronic equipment and storage medium |
| CN108777684B (en) | Identity authentication method, system and computer readable storage medium |
| US9124571B1 (en) | Network authentication method for secure user identity verification |
| US20160080157A1 (en) | Network authentication method for secure electronic transactions |
| TW201741922A (en) | Biometric-based safety authentication method and device |
| KR20180026508A (en) | A security verification method based on biometric characteristics, a client terminal, and a server |
| CN103905194B (en) | Identity traceability authentication method and system |
| CN103716292A (en) | Cross-domain single-point login method and device thereof |
| CN107426235A (en) | Purview certification method, apparatus and system based on device-fingerprint |
| CN108965341A (en) | The method, apparatus and system of login authentication |
| KR20130107188A (en) | Server and method for authentication using sound code |
| CN105447715A (en) | Method and apparatus for anti-theft electronic coupon sweeping by cooperating with third party |
| CN104820944A (en) | Method and system for bank self-service terminal authentication, and device |
| CN106161475B (en) | Method and device for realizing user authentication |
| CN107770192A (en) | Identity authentication method and computer-readable recording medium in multisystem |
| CN101951321A (en) | Device, system and method for realizing identity authentication |
| CN109495458A (en) | A kind of method, system and the associated component of data transmission |
| KR20150003297A (en) | Method and system using a cyber id to provide secure transactions |
| CN105991519A (en) | Method, device and system of verifying identifying codes |
| CN116248368B (en) | Blockchain-based identity authentication method, system, device, and storage medium |
| CN115696329B (en) | Zero trust authentication method and device, zero trust client device and storage medium |
| CN109587683B (en) | Method and system, application program and terminal information database for SMS anti-monitoring |
| CN108574657B (en) | Server access method, device and system, computing equipment and server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2018-11-27