A method for realizing single sign-on for the business hall on a telecommunications network
Technical field
The present invention relates to telecom business support systems, and in particular to a method that realizes unified authentication and single sign-on across the support systems together with synchronization of telecom customer information, account information and user information for each operation system; specifically, a method for realizing single sign-on for the business hall on a telecommunications network.
Background technology
At present, the channel contact systems of China Telecom, such as the online business hall, the business hall, the 10000 hotline and self-service terminals, use authentication systems of various forms: authentication based on the CRM customer ID and customer password, authentication based on the product identifier and product password, authentication based on the account, and so on. Some provinces have further developed new authentication forms on this basis, such as authentication by product identifier and customer password, or by customer ID and a two-stage customer password. As a result, the existing authentication modes are complex and numerous. Authentication data is mostly distributed among the core support systems of the MBOSS domain, which in practice obliges support systems such as CRM and the billing account system to provide authentication services for customer, account and product entities to the channel contact systems in addition to their service operation support functions, thereby increasing the burden on the core support systems.
At the same time, the enterprise transformation of China Telecom has also driven the rapid development of value-added services, and there is an urgent need to integrate the service resources of value-added services through a portal website so as to present services to telecom customers in a centralized and unified way and provide a channel for using them. As an important channel for contact with telecom customers, the online business hall of China Telecom urgently needs to be further elevated to the status of a portal website, with portal construction driving business integration, and to develop step by step into an integrated customer service portal that combines customer service, service promotion and product use.
In addition, with the development of value-added telecom services and the growing number of business platforms, users must remember, besides the customer service account of the channel contact system, multiple account numbers for using value-added services, and must supply the corresponding authentication information every time before logging in to a business platform. This gives users an inconvenient experience and is also unfavorable to the bundled sale of multiple telecom services.
Therefore a unified certification center for the external clients of MBOSS (hereinafter referred to as the "unified certification platform") needs to be established. On the one hand it integrates the existing authentication systems of various forms, shields the authentication of core support systems such as CRM, and provides authentication services to the channel contact systems in a unified manner. On the other hand, when users access the various value-added services from network channel contact systems such as the business hall, it provides unified authentication and single sign-on across business domains and platforms, thereby improving the user experience.
Summary of the invention
The objective of the invention is to address the problems that the login process of the business hall on existing telecommunications networks is complicated, that telecom users must remember the registered account numbers and passwords of a plurality of operation systems, and that the business hall must repeatedly perform login authentication while routing to each operation system, by providing a method for the business hall on a telecommunications network that is based on a Web technical architecture and the secure handling of digital certificates, and that has characteristics such as a rational structure, good extensibility and security.
The technical scheme of the present invention is:
A method for realizing single sign-on for the business hall on a telecommunications network:
A. Set up a unified identity authentication system UAM on the telecommunications server, and configure the interface modules between the business hall and each service subsystem on the telecommunications network;
B. Store the telecom "three family" information, namely customer information, account information and user information, centrally in the UAM, the UAM providing a synchronization interface for the three kinds of user data to each telecom service subsystem; perform unified authentication of the telecom three family information, the UAM providing a unified authentication interface to the service subsystems;
C. Configure the digital certificate for authentication between the UAM and the business hall on the telecommunications network, and the digital certificates for authentication between the UAM and each service subsystem.
In step A of the present invention, configuring the interface modules between the business hall and each service subsystem on the telecommunications network comprises the following steps:
(1) Configure the UAM basic information, comprising the service subsystem platform code, platform access address, platform login state and platform access state information;
(2) Configure the UAM business platform information, comprising the service subsystem code, business platform name and local logout address of the business platform;
(3) Configure the UAM parameter information, comprising the UAM address, the online business hall system code, the effective duration of the authentication assertion and the IP address of the UAM group interface.
In step C of the present invention, configuring the digital certificates for authentication comprises the following steps:
(1) Generate the UAM digital certificate and deploy it, deployment meaning copying the digital certificate to the application server of the UAM and saving it there;
(2) Generate the digital certificate between the UAM and the business hall on the telecommunications network and provide it to the online business hall;
(3) Generate the digital certificates for authentication between the UAM and each service subsystem and provide them to each operation system.
The present invention comprises the following steps:
(1) A user accesses a restricted resource of the business hall on the telecommunications network;
(2) The online business hall checks whether a local Token corresponding to the user client exists on the telecommunications server; the local Token is the authentication information for the user's access to the corresponding service subsystem. If it exists, login to the service subsystem succeeds; otherwise, go to step 3;
(3) The online business hall redirects the user to the unified certification platform UA to request authentication;
(4) The UA checks whether a global Token corresponding to the user client exists on the telecommunications server; the global Token is the authentication information generated for the user when the online business hall or any operation system has completed a login;
If the global Token does not exist, the UA presents the authentication login page to the user and prompts the user to enter any one of the three family authentication credentials; the UA authenticates the user and, if authentication passes, generates a global Token and goes to step 5; if authentication fails, the UA displays a login error message;
If the global Token exists, go to step 5;
(5) The UA generates, for this authentication, the Ticket and assertion information for the online business hall; the assertion information is the descriptive information confirming that this authentication is legitimate, and the Ticket is the index of this assertion;
(6) The UA redirects the user browser to the online business hall, attaching the Ticket of this authentication;
(7) The online business hall queries the UA, using the Ticket passed back, for the assertion information corresponding to this Ticket;
(8) The UA returns the assertion information corresponding to this Ticket to the online business hall and destroys the Ticket;
(9) The online business hall generates a local Token, marks the user's login identity, and login succeeds;
(10) The online business hall displays the login success page to the user browser.
When the global Token exists and passes UAM authentication, the UAM generates a piece of legitimate authentication information for the online business hall or operation system; this legitimate authentication information is called an assertion, each assertion has an index ID, and this index ID is called the Ticket.
Beneficial effects of the present invention:
1. Improved customer experience: after the customer logs in, a single authentication gives access to all services across the business platforms within the same channel platform.
2. Customer-centric account operation: with the rapid development of value-added telecom services, customer-centric account operation has become the development trend, and multiple account systems need to be integrated; likewise the portal status of the customer-oriented online business hall needs to be raised so as to drive the integration of service resources, realize unified authentication and single sign-on across departments and platforms, and meet the requirements for integration of service interfaces and consistency of customer experience.
3. Optimized IT architecture: on the one hand the authentication load on core support systems (such as CRM and the billing account system) is relieved; on the other hand a unified, centrally managed, data-sharing, secure and efficient authentication system is built, which reduces the cost of connecting other business platforms.
Description of drawings
Fig. 1 is a schematic diagram of the relationships between the UAM (unified certification) system, the support systems, the business hall on the telecommunications network and each operation system.
Fig. 2 is a schematic diagram of the UAM (unified certification) realizing single sign-on.
Fig. 3 is a sequence chart of the UAM (unified certification) realizing federated single sign-on.
Embodiment
The present invention is further described below in conjunction with the accompanying drawings and embodiments.
As shown in Fig. 1, a method for realizing single sign-on for the business hall on a telecommunications network comprises the following steps:
A. The telecom three family information, namely customer information, account information and user information, is stored centrally in the UAM, and the UAM provides a synchronization interface for the three kinds of user data;
B. Unified authentication is performed on the telecom three family information, and the UAM provides a unified authentication interface;
C. After a user has logged in once to the business hall on the telecommunications network, the user can use the service subsystems within the business hall without authenticating again; the UAM realizes the single sign-on;
D. In the federated single sign-on pattern, the online business hall, the UAM and the business platforms of the business domains form a star-shaped identity federation;
E. The sensitive data packets involved in the single sign-on process are digitally signed with the digital certificates, guaranteeing the integrity and security of the data.
As shown in Figs. 2 and 3, the online business hall belongs to the portal system, and ChinaVnet belongs to the service subsystems connected to the portal.
The UAM of the present invention is located at the center of the star-shaped federated authentication and is responsible for authenticating the customer's identity; the online business hall and the business platforms all trust the authentication result of the unified certification platform. When the customer logs in from the online business hall, the UAM completes the login authentication and identifies the customer's identity and the ownership relationships of the customer's accounts. When the customer clicks a business platform link in the online business hall to access that business platform, the UAM identifies the customer's corresponding business platform account according to the customer's account ownership relationships and indicates that the account has been logged in and has legitimate access; the business platform trusts the authentication result sent by the UAM and allows the user to access directly without entering an account number and password again.
The implementation steps of the present invention comprise:
A. Configuring the interface modules from the online business hall to each operation system; the processing steps are:
1) Configure the UAM basic information, comprising the platform code, platform access address, platform login state, platform access state and similar information;
2) Configure the UAM business platform information, comprising the business platform code, business platform name and local logout address of the business platform;
3) Configure the UAM parameter information, comprising the UAM address, the online business hall system code, the effective duration of the authentication assertion, the IP address of the UAM group interface and so on;
B. Configuring the digital certificate between the UAM and the online business hall and the digital certificates between the UAM and the individual operation systems; the implementation steps comprise:
1) Generate and deploy the UAM digital certificate;
2) Generate the online business hall digital certificate and provide it to the online business hall;
3) Generate the operation system digital certificates and provide them to each operation system;
C. Realizing single sign-on from the business hall on the telecommunications network to the operation systems; the processing steps are:
1) The user accesses a restricted resource of the online business hall;
2) The online business hall checks whether a local Token exists; if so, go directly to step 13;
3) If not, the user is redirected to the UA to request authentication;
4) The UA checks whether a global Token exists;
5) If the global Token does not exist, the UA presents the authentication login page to the user and prompts the user to enter authentication information such as account type, account number, password type and password;
If the global Token exists, continue directly from step 8;
6) The user enters the login authentication information and submits it to the UA;
7) The UA authenticates the user; if authentication passes, a global Token is generated. If authentication fails, the UA displays a login error message;
8) The UA generates the Ticket and assertion information for this authentication in the online business hall;
9) The UA redirects the user browser to the online business hall, attaching the Ticket of this authentication;
10) The online business hall queries the UA, using the Ticket passed back, for the assertion information corresponding to this Ticket;
11) The UA returns the assertion information corresponding to this Ticket to the online business hall and destroys the Ticket;
12) The online business hall generates a local Token, marks the user's login identity, and login succeeds;
13) The online business hall displays the login success page to the user browser.
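The Ticket exchange of steps 1 to 13 (the same flow as steps 1 to 10 of the Summary) and the signing of sensitive data in step E, modelled as an added Python example; this is illustrative code written for this page, not the patent's or China Telecom's implementation. The UA/UAM holds global Tokens and issues one-time Tickets that index signed assertions; the online business hall redeems a Ticket with the UA and only then mints a local Token. The assertion fields, the `ASSERTION_TTL` value and the shared-key HMAC used in place of the certificate-based digital signature are assumptions introduced here; the page names none of them.

```python
"""Toy model of the UA/UAM single sign-on Ticket exchange (added example, not the patent's code).

Assumptions not taken from the patent: the assertion fields, the HMAC stand-in for the
certificate signature, and the 30-second "effective duration of the authentication assertion".
"""
import hashlib
import hmac
import json
import secrets
import time

ASSERTION_TTL = 30  # seconds; hypothetical value for the assertion's effective duration


def sign_assertion(key: bytes, assertion: dict) -> str:
    """Stand-in for signing with the UAM digital certificate: HMAC over canonical JSON."""
    payload = {k: v for k, v in assertion.items() if k != "sig"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_assertion(key: bytes, assertion: dict) -> bool:
    """Constant-time check that the assertion has not been altered in transit (step E)."""
    return hmac.compare_digest(sign_assertion(key, assertion), assertion.get("sig", ""))


class UnifiedAuthPlatform:
    """The UA/UAM: authenticates users, holds global Tokens, issues and destroys Tickets."""

    def __init__(self, signing_key: bytes, users: dict):
        self._key = signing_key    # stand-in for the UAM certificate's private key
        self._users = users        # constructed credentials: identifier -> password
        self._global_tokens = {}   # global Token -> authenticated identifier
        self._tickets = {}         # Ticket -> assertion; removed on redemption (one use)

    def has_global_token(self, token) -> bool:
        return token is not None and token in self._global_tokens

    def login(self, identifier: str, password: str):
        """Step 7: returns a new global Token on success, None on failure."""
        expected = self._users.get(identifier)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(16)
        self._global_tokens[token] = identifier
        return token

    def issue_ticket(self, global_token: str, audience: str) -> str:
        """Step 8: build the signed assertion for this login; the Ticket is its index."""
        assertion = {"customer": self._global_tokens[global_token],
                     "audience": audience, "issued_at": time.time()}
        assertion["sig"] = sign_assertion(self._key, assertion)
        ticket = secrets.token_urlsafe(16)
        self._tickets[ticket] = assertion
        return ticket

    def redeem_ticket(self, ticket: str):
        """Steps 10-11: return the assertion and destroy the Ticket, so a replay finds nothing."""
        return self._tickets.pop(ticket, None)


class OnlineBusinessHall:
    """The channel system: holds local Tokens and trusts only assertions redeemed from the UA."""

    SYSTEM_CODE = "ONLINE_HALL"  # hypothetical "online business hall system code"

    def __init__(self, ua: UnifiedAuthPlatform, verify_key: bytes):
        self._ua = ua
        self._verify_key = verify_key   # stand-in for the UAM certificate used to verify signatures
        self._local_tokens = {}         # local Token -> customer identifier

    def access(self, local_token=None, global_token=None):
        """Steps 1-13 driven by the tokens the browser presents; returns (status, local_token)."""
        if local_token in self._local_tokens:              # step 2: local Token present -> step 13
            return "logged_in", local_token
        if not self._ua.has_global_token(global_token):    # steps 3-5: UA must show the login page
            return "login_page", None
        ticket = self._ua.issue_ticket(global_token, self.SYSTEM_CODE)  # steps 8-9: redirect with Ticket
        return self.consume_ticket(ticket)

    def consume_ticket(self, ticket: str):
        """Steps 10-12: fetch the assertion from the UA, validate it, mint a local Token."""
        assertion = self._ua.redeem_ticket(ticket)
        if assertion is None:
            return "invalid_ticket", None                  # unknown Ticket, or already redeemed
        if not verify_assertion(self._verify_key, assertion):
            return "bad_signature", None                   # tampered assertion (step E)
        if assertion["audience"] != self.SYSTEM_CODE:
            return "wrong_audience", None                  # assertion issued for another platform
        if time.time() - assertion["issued_at"] > ASSERTION_TTL:
            return "expired", None                         # beyond the assertion's effective duration
        local_token = secrets.token_urlsafe(16)
        self._local_tokens[local_token] = assertion["customer"]
        return "logged_in", local_token


def demo():
    """One browser through the three states: no token, global Token only, local Token."""
    key = b"constructed-demo-key"
    ua = UnifiedAuthPlatform(key, {"13800000000": "constructed-password"})  # constructed sample account
    hall = OnlineBusinessHall(ua, key)
    first, _ = hall.access()                                   # nothing presented -> login page
    gtoken = ua.login("13800000000", "constructed-password")   # steps 6-7
    second, ltoken = hall.access(global_token=gtoken)          # steps 8-13
    third, _ = hall.access(local_token=ltoken)                 # step 2 -> step 13
    return first, second, third


if __name__ == "__main__":
    print(demo())  # ('login_page', 'logged_in', 'logged_in')
```

Two design points carry over from the patent's flow: the Ticket is popped from the UA's store on redemption, so the same Ticket presented twice is rejected as `invalid_ticket`, and the business hall checks the assertion's signature, audience and age before creating its own local Token rather than trusting the redirect alone.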
The parts of the present invention not described herein are identical to the prior art or can be realized using the prior art.