CN114398620B - Single sign-on method, system, electronic device and readable medium - Google Patents

Single sign-on method, system, electronic device and readable medium

Info

Publication number
CN114398620B
CN114398620B (application CN202111583717.XA)
Authority
CN
China
Prior art keywords
single sign
verified
mobile application
data
credential
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111583717.XA
Other languages
Chinese (zh)
Other versions
CN114398620A (en)
Inventor
姬照中
王健
徐锐
刘桥
付迎鑫
槐正
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202111583717.XA
Publication of CN114398620A
Application granted
Publication of CN114398620B
Legal status: Active (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the present invention provides a single sign-on method, system, electronic device and readable medium. The business platform system stores a digital signature and single sign-on credential reported by a mobile application through an interface. The digital signature is generated by the mobile application according to the application identifier and the single sign-on credential. The single sign-on credential is a credential for authorized login issued by a single sign-on authentication center to the mobile application. The method includes: receiving a login request for logging into an embedded page in the mobile application; generating data to be verified according to the application identifier to be verified and the single sign-on credential to be verified; when the data to be verified matches the digital signature, verifying the single sign-on credential in the single sign-on authentication center, so as to log in the embedded page in the mobile application when the verification passes. In the embodiment of the present invention, single sign-on is performed when logging into an embedded page in the mobile application, thereby enhancing the security and reliability of single sign-on.

Description

Single sign-on method, system, electronic equipment and readable medium
Technical Field
Embodiments of the present invention relate to the field of single sign-on technology, and in particular, to a single sign-on method, a single sign-on system, an electronic device, and a computer readable medium.
Background
With the rise of mobile applications (apps), opening embedded H5 pages inside mobile applications has become increasingly common. To avoid a second login for the embedded H5 page, single sign-on technology is currently generally used to implement quick login of the embedded H5 page.
Specifically, single sign-on (SSO) means that, for multiple mutually trusting service platform systems, a user who performs the login operation once can access all of those service platform systems until the login is disabled. In a single sign-on environment, each mobile application delegates authentication to the single sign-on system instead of using its own authentication system. Single sign-on technology is currently widely used in communication systems.
With further improvement of information security requirements, how to ensure single sign-on security and reliability becomes an important issue to be solved.
Disclosure of Invention
The embodiment of the invention provides a single sign-on method, a system, electronic equipment and a computer readable storage medium, which are used for solving the problem that the current single sign-on is not safe and reliable enough.
The embodiment of the invention discloses a single sign-on method, which is applied to a service platform system, wherein a digital signature and a single sign-on credential reported by a mobile application through an interface are stored in the service platform system, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, and the single sign-on credential is a credential for authorized login issued by a single sign-on authentication center for the mobile application, and the method comprises the following steps:
Receiving a login request for logging in an embedded page in the mobile application, wherein the login request comprises an application identifier to be verified and a single sign-on credential to be verified;
generating data to be verified according to the application identifier to be verified and the single sign-on credential to be verified;
and when the data to be verified matches the digital signature, performing verification in the single sign-on authentication center based on the single sign-on credential, so as to log in the embedded page in the mobile application when the verification passes.
The digital signature is generated by the mobile application by: acquiring the application identifier of the mobile application; acquiring the single sign-on credential issued by the single sign-on authentication center for the mobile application; combining the application identifier and the single sign-on credential to obtain composite data; performing a data hash on the composite data to obtain a data hash value; and encrypting the data hash value with a private key to obtain the digital signature.
Optionally, the generating the data to be verified according to the application identifier to be verified and the single sign-on credential to be verified includes:
Performing data hash on the composite data to be verified, which is obtained after the application identifier to be verified and the single sign-on credentials to be verified are combined, to obtain the data to be verified;
after the generating the data to be verified according to the application identifier to be verified and the single sign-on credential to be verified, the method further comprises:
And decrypting the digital signature by adopting a public key corresponding to the private key to obtain a data hash value, wherein if the data to be verified is consistent with the data hash value, the data to be verified is determined to be matched with the digital signature, and if the data to be verified is inconsistent with the data hash value, the data to be verified is determined to be not matched with the digital signature.
Optionally, the method further comprises:
And when the data to be verified is not matched with the digital signature or the verification is not passed in the single sign-on authentication center based on the single sign-on credentials, notifying the application program to log in the embedded page in the mobile application in other modes.
The embodiment of the invention also discloses a single sign-on method which is applied to the mobile application, wherein a digital signature and a single sign-on credential which are reported by the mobile application through an interface are stored in a service platform system corresponding to the mobile application, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, and the single sign-on credential is a credential which is issued by a single sign-on authentication center for the mobile application and authorized to be logged on, and the method comprises the following steps:
sending, to the service platform system, a login request for logging in an embedded page in the mobile application, wherein the login request comprises an application identifier to be verified and a single sign-on credential to be verified, so that the service platform system generates data to be verified according to the application identifier to be verified and the single sign-on credential to be verified, and performs verification in the single sign-on authentication center based on the single sign-on credential when the data to be verified matches the digital signature;
And logging in the embedded page in the mobile application when the single sign-on authentication center passes the verification.
Optionally, before the sending, to the service platform system, a login request for logging in an embedded page in the mobile application, the method further includes:
acquiring an application identifier of the application program;
acquiring single sign-on credentials issued by the single sign-on authentication center for the mobile application;
combining the application identifier and the single sign-on credential to obtain composite data, and performing a data hash on the composite data to obtain a data hash value;
and encrypting the data hash value by adopting a private key to obtain a digital signature.
Optionally, the single sign-on credential is obtained by:
sending an acquisition request to the single sign-on authentication center, wherein the acquisition request comprises a user identifier and a time stamp, and the single sign-on authentication center generates the single sign-on credential according to the user identifier, the time stamp and a random character string;
And receiving the single sign-on certificate sent by the single sign-on authentication center.
The embodiment of the invention also discloses a single sign-on system, which comprises a mobile application, a service platform system and a single sign-on authentication center, wherein the service platform system stores a digital signature and a single sign-on credential which are reported by the mobile application through an interface, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, the single sign-on credential is a credential which is issued by the single sign-on authentication center for authorizing the mobile application to log in, and the single sign-on system comprises:
The mobile application is used for sending a login request for logging in an embedded page in the mobile application to the service platform system, wherein the login request comprises an application identifier to be verified and a single sign-on credential to be verified;
The service platform system is used for generating data to be verified according to the application identifier to be verified and the single sign-on certificate to be verified, and when the data to be verified is matched with the digital signature, the verification is carried out in the single sign-on authentication center based on the single sign-on certificate so as to log in the embedded page in the mobile application when the verification is passed.
The mobile application is used for acquiring an application identifier of the application program, acquiring a single sign-on certificate issued by the single sign-on authentication center for the mobile application, carrying out data hash on the composite data obtained by combining the application identifier and the single sign-on certificate to obtain a data hash value, and carrying out encryption processing on the data hash value by adopting a private key to obtain a digital signature.
The mobile application is used for sending an acquisition request to the single sign-on authentication center, wherein the acquisition request comprises a user identifier and a time stamp, the single sign-on authentication center is used for generating the single sign-on certificate according to the user identifier, the time stamp and the random character string, and the single sign-on certificate sent by the single sign-on authentication center is received.
The service platform system is used for obtaining to-be-verified composite data after combining the to-be-verified application identifier and the to-be-verified single sign-on credential to obtain to-be-verified data, decrypting the digital signature by adopting a public key corresponding to the private key to obtain a data hash value, wherein if the to-be-verified data is consistent with the data hash value, the to-be-verified data is determined to be matched with the digital signature, and if the to-be-verified data is inconsistent with the data hash value, the to-be-verified data is determined to be not matched with the digital signature.
Optionally, the service platform system is configured to notify the application program to log in the embedded page in the mobile application in other manners when the data to be verified is not matched with the digital signature or the verification is failed in the single sign-on authentication center based on the single sign-on credentials.
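The credential acquisition described above (user identifier and time stamp carried in the acquisition request, a random character string added by the authentication center) can be illustrated with the following Go example. This is an added example, not code from the patent or from China Telecom, and it makes two assumptions the page does not state: the authentication center protects the credential with an HMAC over the three fields under a key of its own, so that it can later recognise credentials it issued, and a credential is accepted only within a fixed validity window. The key, the window and the user identifier are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Hypothetical key of the authentication center (assumption of this example; the
// page does not say how the center protects or later recognises a ticket).
var centerKey = []byte("constructed-demo-key-not-for-production")

// Assumed validity window; the page only says a login lasts "until the login is
// disabled", so the expiry check is an addition of this example.
const ticketTTL = 30 * time.Minute

// IssueTicket builds a single sign-on credential from the user identifier, the
// time stamp of the acquisition request and a random string chosen by the center.
// The user identifier must not contain the "|" separator used below.
func IssueTicket(userID string, ts time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return issueWithNonce(userID, ts, hex.EncodeToString(nonce)), nil
}

// issueWithNonce is split out so the random string can be fixed in tests.
func issueWithNonce(userID string, ts time.Time, nonce string) string {
	body := userID + "|" + strconv.FormatInt(ts.Unix(), 10) + "|" + nonce
	mac := hmac.New(sha256.New, centerKey)
	mac.Write([]byte(body))
	tag := mac.Sum(nil)
	return base64.RawURLEncoding.EncodeToString([]byte(body)) + "." + base64.RawURLEncoding.EncodeToString(tag)
}

// VerifyTicket is the check the authentication center runs when the service
// platform forwards a ticket: recompute the tag and compare in constant time,
// then reject tickets whose time stamp lies outside the validity window.
// It returns the user identifier bound to the ticket on success.
func VerifyTicket(ticket string, now time.Time) (string, error) {
	parts := strings.Split(ticket, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed ticket")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", errors.New("malformed ticket body")
	}
	tag, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed ticket tag")
	}
	mac := hmac.New(sha256.New, centerKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return "", errors.New("ticket tag mismatch")
	}
	fields := strings.Split(string(body), "|")
	if len(fields) != 3 {
		return "", errors.New("malformed ticket fields")
	}
	issued, err := strconv.ParseInt(fields[1], 10, 64)
	if err != nil {
		return "", errors.New("bad ticket time stamp")
	}
	age := now.Sub(time.Unix(issued, 0))
	if age < 0 || age > ticketTTL {
		return "", errors.New("ticket expired or not yet valid")
	}
	return fields[0], nil
}

func main() {
	ts := time.Now()
	ticket, _ := IssueTicket("user-42", ts) // constructed user identifier
	uid, err := VerifyTicket(ticket, ts.Add(time.Minute))
	fmt.Println("fresh ticket:", uid, err)
	_, err = VerifyTicket(ticket, ts.Add(2*time.Hour))
	fmt.Println("stale ticket:", err)
}
```

The tag is checked before the time stamp is parsed, so an altered ticket is rejected without the center ever interpreting attacker-controlled fields; the constant-time comparison avoids leaking how many tag bytes matched.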
The embodiment of the invention also discloses electronic equipment, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus;
the memory is used for storing a computer program;
The processor is configured to implement the method according to the embodiment of the present invention when executing the program stored in the memory.
Embodiments of the invention also disclose one or more computer-readable media having instructions stored thereon, which when executed by one or more processors, cause the processors to perform the methods described in the embodiments of the invention.
The embodiment of the invention also discloses a computer program product which is stored in a storage medium and is executed by at least one processor to realize the method according to the embodiment of the invention.
The embodiment of the invention has the following advantages:
In the embodiment of the invention, the digital signature of the mobile application is stored in the service platform system, when single sign-on is carried out in the mobile application, the service platform system receives a login request for logging in an embedded page in the mobile application, generates data to be verified according to an application identifier to be verified and a single sign-on credential to be verified in the login request, and can carry out verification in a single sign-on authentication center based on the single sign-on credential when the data to be verified is matched with the digital signature so as to log in the embedded page in the mobile application when verification passes. According to the embodiment of the invention, single sign-on is performed when the embedded page is logged in the mobile application, and the verification of the application identifier of the mobile application is required besides the verification of the single sign-on authentication center during single sign-on, so that the safety and reliability during single sign-on are enhanced.
Drawings
FIG. 1 is a flow chart of steps of a single sign-on method provided in an embodiment of the present invention;
FIG. 2 is a schematic diagram of a digital signature generation process according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a digital signature verification process according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating steps of another single sign-on method provided in an embodiment of the present invention;
FIG. 5 is a system architecture diagram for implementing single sign-on provided in an embodiment of the present invention;
Fig. 6 is a block diagram of a single sign-on system according to an embodiment of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
In the existing single sign-on system, verification relies on the ticket (single sign-on credential) alone, so the means of verification is a single factor. If a malicious third party obtains a legitimate ticket, the ticket can be imitated or tampered with, and the third party can pass the verification of the single sign-on system and obtain user data from the service platform system, causing user data leakage and even property loss.
In view of the above problems, the embodiments of the present invention provide a secure single sign-on method, which uses a digital signature technique to perform digital signature by using composite data, so as to ensure that when the single sign-on uses digital signature verification, the application identifier of the mobile application is verified, and reduce the possibility that a third party tampers with the content data in the digital signature, thereby enhancing the security reliability during the single sign-on.
Referring to fig. 1, a step flow chart of a single sign-on method provided in an embodiment of the present invention is shown and applied to a service platform system, where the service platform system stores a digital signature and a single sign-on credential reported by a mobile application through an interface, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, and the single sign-on credential is a credential authorized to sign on and issued by a single sign-on authentication center for the mobile application, where the method specifically includes the following steps:
Step 101, receiving a login request for logging in an embedded page in the mobile application, wherein the login request comprises an application identifier to be verified and a single sign-on credential to be verified.
The mobile application refers to client software installed on a mobile terminal such as a mobile phone, a tablet computer or a wearable device. For example, a mobile application installed on a mobile phone may provide users with services such as promotions, self-service inquiry, recharge and payment, 3G features, business handling, and help and support.
The embedded page, also called an embedded H5 page, is a technique for embedding a web page in a mobile application: the mobile application loads a page of a website and embeds it in its own interface, so that the user can browse the website page through the mobile application. Because the website pages are stored on the background server, this approach supports rapid iteration.
In a specific implementation, to allow website pages to be browsed within the mobile application, a hybrid development mode of native + H5 is adopted. Here, native refers to the native system, for example local operating systems such as iOS and Android, and H5 refers to HTML (HyperText Markup Language) used to display website pages inside the mobile application. By combining the native mode and the H5 mode, a website page can be displayed in the mobile application, or a function can be implemented by combining the client with the website page. It can be understood that if the mobile application adopts the native + H5 hybrid development mode, its logins are correspondingly divided into native login (mobile application login) and H5 login (website page login), and these two logins are independent of each other: even if the user has already logged in to the mobile application, an H5 login is still required when opening a website page in order to obtain authorization to log in to that page, and a user who opens multiple website pages would have to perform the login operation multiple times. Single sign-on avoids these repeated logins when logging in embedded pages in the mobile application.
In the embodiment of the invention, the service platform system is a platform that implements the various services of mobile applications, and multiple mobile applications can be managed under one service platform system. A mobile application has a corresponding application identifier, namely application ID (identity identifier) information, which can be a code or a name of the mobile application, and also has a single sign-on credential (ticket) issued by the single sign-on authentication center authorizing the mobile application to log in. The digital signature is generated by the mobile application according to the application identifier and the single sign-on credential, after which the mobile application reports the digital signature to the service platform system through the check interface for storage.
In the embodiment of the invention, if a user wants to log in an embedded page in a mobile application, that is, to log in a website page within the mobile application, single sign-on can be attempted. The service platform system then receives the login request for logging in the embedded page sent by the mobile application. The login request can include an application identifier to be verified and a single sign-on credential to be verified, both of which need to be verified in order to determine whether logging in the embedded page in the mobile application is allowed.
Step 102, generating data to be verified according to the application identifier to be verified and the single sign-on credential to be verified.
Step 103, when the data to be verified is matched with the digital signature, verifying in the single sign-on authentication center based on the single sign-on credentials, so as to log in the embedded page in the mobile application when verification is passed.
In the embodiment of the invention, the application identifier to be verified and the single sign-on credential to be verified are extracted from the login request, and the data to be verified is generated from them. It is then determined whether the data to be verified matches the digital signature. If it matches, the application identifier and the single sign-on credential in the mobile application have not been tampered with, and further verification can be performed in the single sign-on authentication center based on the single sign-on credential; if that verification also passes, the embedded page can be logged in within the mobile application.
In the single sign-on method, the digital signature of the mobile application is stored in the service platform system, when the single sign-on is performed in the mobile application, the service platform system receives a login request for logging in an embedded page in the mobile application, generates data to be verified according to an application identifier to be verified and a single sign-on credential to be verified in the login request, and when the data to be verified is matched with the digital signature, can be verified in the single sign-on authentication center based on the single sign-on credential so as to log in the embedded page in the mobile application when verification passes. According to the embodiment of the invention, single sign-on is performed when the embedded page is logged in the mobile application, and the verification of the application identifier of the mobile application is required besides the verification of the single sign-on authentication center during single sign-on, so that the safety and reliability during single sign-on are enhanced.
In an exemplary embodiment, the digital signature is generated by the application program, and is used for acquiring an application identifier of the application program, acquiring a single sign-on credential issued by the single sign-on authentication center for the mobile application, combining the application identifier and the single sign-on credential to obtain composite data, performing data hash on the composite data to obtain a data hash value, and performing encryption processing on the data hash value by using a private key to obtain a digital signature.
Specifically, to ensure the validity of the data used when generating the digital signature, the digital signature is generated from composite data obtained by combining the single sign-on credential (ticket) with the application ID information. Even if a third party obtains the ticket, it cannot use the ticket for single sign-on when the application ID information obtained while loading the embedded H5 page does not match. Meanwhile, the composite data obtained by combining the ticket and the application ID information is hashed to obtain a data hash value, and finally the data hash value is encrypted with the private key to produce the digital signature, so that a third party cannot tamper with the content of the digital signature; verification is performed based on this digital signature, ensuring that the verification is legitimate and secure.
As an alternative example, referring to fig. 2, when generating a digital signature, first, a single sign-on certificate (single point certificate) and application ID information are combined to obtain composite data, the composite data is subjected to data hash processing to obtain a data hash value, and then the data hash value is subjected to signature private key encryption to generate the digital signature.
It should be noted that after the mobile application generates the digital signature, it reports the check field of the service platform system through the check interface, with the structure ticket + digital signature. The service platform system therefore first checks the digital signature, then checks the single sign-on credential (ticket) at the single sign-on authentication platform, and if the ticket is also checked successfully, the embedded page can be logged in within the mobile application. Through this double verification of the digital signature and the single sign-on authentication platform, the security and reliability of single sign-on are enhanced.
In an exemplary embodiment, the step 102 of generating the data to be verified according to the application identifier to be verified and the single sign-on credential to be verified includes:
Performing data hash on the composite data to be verified, which is obtained after the application identifier to be verified and the single sign-on credentials to be verified are combined, to obtain the data to be verified;
after the generating the data to be verified according to the application identifier to be verified and the single sign-on credential to be verified, the method further comprises:
And decrypting the digital signature by adopting a public key corresponding to the private key to obtain a data hash value, wherein if the data to be verified is consistent with the data hash value, the data to be verified is determined to be matched with the digital signature, and if the data to be verified is inconsistent with the data hash value, the data to be verified is determined to be not matched with the digital signature.
In the embodiment of the invention, referring to fig. 3, the application identifier to be verified submitted by the mobile application is combined with the single sign-on credential to be verified to obtain the composite data to be verified, and a data hash is performed on that composite data to obtain the data hash value to be verified. In addition, the service platform system decrypts the digital signature submitted by the mobile application with the public key corresponding to the private key to obtain the data hash value, and then compares the data hash value to be verified with the data hash value from the digital signature. If the two are identical, the data to be verified is determined to match the digital signature, which shows that the application identifier to be verified and the single sign-on credential to be verified submitted by the mobile application have not been tampered with. If the two differ, the data to be verified is determined not to match the digital signature, which shows that the application identifier to be verified and the single sign-on credential to be verified submitted by the mobile application are likely to have been tampered with, and verification based on the single sign-on credential in the single sign-on system platform is not needed.
In an exemplary embodiment, the method may further include the steps of:
And when the data to be verified is not matched with the digital signature or the verification is not passed in the single sign-on authentication center based on the single sign-on credentials, notifying the application program to log in the embedded page in the mobile application in other modes.
In the embodiment of the invention, if the data to be verified does not match the digital signature, the application identifier to be verified and the single sign-on credential to be verified submitted by the mobile application are likely to have been tampered with; verification based on the ticket in the single sign-on system platform is then not needed, and the application program is notified to log in the embedded page in the mobile application in another manner, for example by entering the login account and password again in the mobile application.
Referring to fig. 4, a step flow chart of another single sign-on method provided in the embodiment of the present invention is shown. The method is applied to a mobile application, where a digital signature and a single sign-on credential reported by the mobile application through an interface are stored in a service platform system corresponding to the mobile application, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, and the single sign-on credential is a credential for authorized sign-on issued by a single sign-on authentication center for the mobile application. The method specifically includes the following steps:
Step 401, sending, to the service platform system, a login request for logging in to an embedded page in the mobile application, where the login request includes an application identifier to be verified and a single sign-on credential to be verified, so that the service platform system generates data to be verified according to the application identifier to be verified and the single sign-on credential to be verified, and performs verification in the single sign-on authentication center based on the single sign-on credential when the data to be verified matches the digital signature;
Step 402, logging in to the embedded page in the mobile application when the verification in the single sign-on authentication center is passed.
In the embodiment of the invention, when a user wants to log in to an embedded page in a mobile application, the mobile application sends a login request to the service platform system corresponding to the mobile application. The service platform system then generates data to be verified according to the application identifier to be verified and the single sign-on credential to be verified in the login request, and matches the data to be verified against the digital signature previously submitted by the mobile application. When the data to be verified matches the digital signature, the first verification is passed, and a second verification can be performed in the single sign-on authentication center based on the single sign-on credential; if the second verification in the single sign-on authentication center succeeds, the embedded page can be logged in to within the mobile application. According to the embodiment of the invention, single sign-on is performed when the embedded page is logged in to within the mobile application, and the single sign-on requires both the verification of the single sign-on authentication center and the verification of the application identifier of the mobile application (through the digital signature), so that the security and reliability of single sign-on are enhanced.
In an exemplary embodiment, before step 401 of sending, to the service platform system, a login request for logging in to the embedded page in the mobile application, the method may further include the steps of:
acquiring an application identifier of the mobile application;
acquiring a single sign-on credential issued by the single sign-on authentication center for the mobile application;
combining the application identifier and the single sign-on credential to obtain composite data, and performing data hashing on the composite data to obtain a data hash value;
and encrypting the data hash value with a private key to obtain a digital signature.
Specifically, in order to ensure the validity of the data when generating the digital signature, the digital signature is generated from composite data, where the composite data is obtained by combining the single sign-on credential ticket with the application ID information. Even if a third party obtains the single sign-on credential ticket, it cannot use it for single sign-on, because the application ID information acquired when the embedded H5 page is loaded will not match. The composite data obtained by combining the single sign-on credential and the application ID information is then hashed to obtain a data hash value, and finally the data hash value is encrypted with the private key to generate the digital signature. A third party therefore cannot tamper with the content of the digital signature, and since verification is performed based on the digital signature, the verification is legitimate and secure.
In an exemplary embodiment, the single sign-on credential may be obtained by:
the single sign-on authentication center generates the single sign-on credential according to the user identifier, the timestamp and a random character string;
and receiving the single sign-on credential sent by the single sign-on authentication center.
In the embodiment of the invention, the mobile application can send an acquisition request for the single sign-on credential to the single sign-on authentication center, where the acquisition request can include a user identifier (User ID) and a timestamp. The single sign-on authentication center concatenates the user's User ID, the timestamp and a random string, encrypts the result with AES (Advanced Encryption Standard) to obtain an encrypted string, and returns the encrypted string to the mobile application as the single sign-on credential ticket.
To aid understanding by those skilled in the art, a procedure for implementing single sign-on according to an embodiment of the present invention is described below using a specific example.
Referring to fig. 5, a system architecture diagram for implementing single sign-on provided in an embodiment of the present invention includes an app (mobile application), an embedded H5 system (service platform system), and a single sign-on platform (single sign-on authentication center). Specifically:
M1. Single sign-on authentication center
The single sign-on authentication center is independent of the service platform system and is mainly responsible for user registration, login, and the checking function of single sign-on.
The single sign-on authentication center comprises the following modules:
M1.1 First-time user registration and login module:
The user needs to register and log in when using the mobile application for the first time. After user registration, the user data is produced in the background.
M1.2 Login verification module generating the single sign-on credential (single-point ticket):
When the mobile application requests the single-point ticket, the single sign-on authentication center concatenates the user's User ID, the timestamp and a random character string, then performs AES encryption to generate an encrypted string, and returns it to the mobile application as the current single-point ticket.
M1.3 The service platform system submits the acquired single-point ticket to the single sign-on authentication center for checking, and the single sign-on authentication center returns the check result.
M2. Service platform system
M2.1 Composite signature generation module (mobile application side):
When the mobile application side calls up the embedded H5 page, a digital signature needs to be generated based on the composite data. In particular, in order to ensure the validity of the data when generating the digital signature, the digital signature is generated from composite data, where the composite data includes the single-point ticket and the application ID information. Even if a third party obtains the single-point ticket, it cannot use it for single sign-on, because the application ID information acquired during H5 page loading will not match. Meanwhile, through asymmetric encryption, a third party cannot tamper with the content of the verification data, so the legitimacy and security of the verification are guaranteed. Referring to fig. 2, when generating the digital signature, the ticket and the application ID information are first spliced, the spliced data is hashed to generate a data hash value, and the data hash value is then encrypted with the private key to generate the digital signature. Note that the check field reported by the mobile application to the backend through the check interface has the structure ticket + digital signature.
M2.2 Digital signature verification module for the composite data (embedded H5 system side):
The embedded H5 page serves as the called party, and when the call is initiated it first checks the validity of the user's single sign-on information (namely the application ID information to be verified and the single-point ticket to be verified). Referring to fig. 3, the single-point ticket and the current application ID information (acquired through an application interface) are spliced, the composite data is hashed to obtain the data hash value to be verified, and the digital signature is decrypted with the public key to obtain the decrypted data hash value. Finally, the data hash value to be verified is compared with the data hash value recovered from the signature, thereby checking whether the login information is legitimate.
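The three-party flow of modules M1.2, M1.3, M2.1 and M2.2 (and of figs. 2 and 3 above), as an added Go example that is not code from the patent or from China Telecom. Every concrete choice is an assumption, since the patent names only AES, a hash and a private-key signature: the type and function names (AuthCenter, ServicePlatform, SignComposite, Login, NewAppKey), AES-GCM as the ticket cipher, SHA-256 as the hash, RSA PKCS#1 v1.5 as the signature, the "|" splice separator, the space-separated ticket body, and the 10-minute ticket age.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"time"
)

// AuthCenter (M1) issues and checks single-point tickets; its AES key never leaves it.
type AuthCenter struct{ aead cipher.AEAD }

// NewAuthCenter draws a fresh 256-bit key and sets up AES-GCM (GCM is an assumption; the patent says only AES).
func NewAuthCenter() (*AuthCenter, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &AuthCenter{aead: aead}, nil
}

// IssueTicket (M1.2) encrypts "userID timestamp randomString" and base64-encodes the result.
func (c *AuthCenter) IssueTicket(userID string, ts time.Time) (string, error) {
	buf := make([]byte, c.aead.NonceSize()+8) // GCM nonce followed by the random string
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce, rnd := buf[:c.aead.NonceSize()], buf[c.aead.NonceSize():]
	plain := fmt.Sprintf("%s %d %x", userID, ts.Unix(), rnd) // assumes user IDs contain no spaces
	return base64.RawURLEncoding.EncodeToString(c.aead.Seal(nonce, nonce, []byte(plain), nil)), nil
}

// CheckTicket (M1.3) decrypts the ticket and returns its user ID; maxAge is an assumed expiry policy.
func (c *AuthCenter) CheckTicket(ticket string, now time.Time, maxAge time.Duration) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(ticket)
	ns := c.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", fmt.Errorf("malformed ticket")
	}
	plain, err := c.aead.Open(nil, raw[:ns], raw[ns:], nil) // fails on any modification of the ticket
	if err != nil {
		return "", fmt.Errorf("ticket failed authentication")
	}
	uid, rnd, ts := "", "", int64(0)
	if _, err := fmt.Sscanf(string(plain), "%s %d %s", &uid, &ts, &rnd); err != nil || now.Sub(time.Unix(ts, 0)) > maxAge {
		return "", fmt.Errorf("ticket malformed or expired")
	}
	return uid, nil
}

// NewAppKey generates the mobile application's signing key pair (constructed demo key).
func NewAppKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// compositeHash splices appID and ticket, then hashes (fig. 2); SHA-256 and the "|" separator are assumptions.
func compositeHash(appID, ticket string) []byte {
	sum := sha256.Sum256([]byte(appID + "|" + ticket))
	return sum[:]
}

// SignComposite (M2.1, mobile application side) applies the private key to the hash.
func SignComposite(priv *rsa.PrivateKey, appID, ticket string) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, compositeHash(appID, ticket))
}

// ServicePlatform (M2.2, embedded H5 side): public key, the signature the app reported, and the center handle.
type ServicePlatform struct {
	pub       *rsa.PublicKey
	storedSig []byte
	center    *AuthCenter
}

// Login runs the two verifications for a login request and returns the user ID on success.
func (s *ServicePlatform) Login(appIDToVerify, ticketToVerify string, now time.Time) (string, error) {
	// First verification (fig. 3): rehash submitted appID+ticket and compare with the signature's hash (VerifyPKCS1v15 does this).
	h := compositeHash(appIDToVerify, ticketToVerify)
	if err := rsa.VerifyPKCS1v15(s.pub, crypto.SHA256, h, s.storedSig); err != nil {
		return "", fmt.Errorf("first verification failed: app ID or ticket does not match the signature")
	}
	// Second verification: only now is the ticket submitted to the authentication center.
	uid, err := s.center.CheckTicket(ticketToVerify, now, 10*time.Minute)
	if err != nil {
		return "", fmt.Errorf("second verification failed: %w", err)
	}
	return uid, nil
}
```

A stolen ticket presented under a different application ID fails the first verification before the authentication center is ever contacted, which is the property the composite signature is meant to provide.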
In summary, compared with the prior art, the main advantages of the embodiment of the invention are:
1. The reliability of the single sign-on security verification is increased by verifying the application ID information of the embedded H5 page.
2. The composite data is digitally signed as a second layer of encryption, which improves security.
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the invention.
Referring to fig. 6, there is shown a block diagram of a single sign-on system provided in an embodiment of the present invention, where the single sign-on system includes a mobile application 601, a service platform system 602, and a single sign-on authentication center 603, where the service platform system stores a digital signature and a single sign-on credential reported by the mobile application through an interface, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, and the single sign-on credential is a credential authorized to sign on issued by the single sign-on authentication center for the mobile application, where:
The mobile application 601 is configured to send a login request for logging in an embedded page in the mobile application to the service platform system, where the login request includes an application identifier to be verified and a single sign-on credential to be verified;
The service platform system 602 is configured to generate data to be verified according to the application identifier to be verified and the single sign-on credential to be verified, and when the data to be verified is matched with the digital signature, verify the single sign-on credential in the single sign-on authentication center based on the single sign-on credential, so as to log in the embedded page in the mobile application when verification is passed.
In an exemplary embodiment, the mobile application 601 is configured to obtain an application identifier of the application program, obtain a single sign-on credential issued by the single sign-on authentication center for the mobile application, perform data hashing after combining the application identifier and the single sign-on credential to obtain composite data, obtain a data hash value, and perform encryption processing on the data hash value by using a private key to obtain a digital signature.
In an exemplary embodiment, the mobile application 601 is configured to send an acquisition request to the single sign-on authentication center, where the acquisition request includes a user identifier and a timestamp, the single sign-on authentication center is configured to generate the single sign-on credential according to the user identifier, the timestamp and a random string, and receive the single sign-on credential sent by the single sign-on authentication center.
In an exemplary embodiment, the service platform system 602 is configured to perform data hashing on the to-be-verified composite data obtained by combining the to-be-verified application identifier and the to-be-verified single sign-on credential to obtain to-be-verified data, and decrypt the digital signature with a public key corresponding to the private key to obtain a data hash value, where if the to-be-verified data is consistent with the data hash value, it is determined that the to-be-verified data is matched with the digital signature, and if the to-be-verified data is inconsistent with the data hash value, it is determined that the to-be-verified data is not matched with the digital signature.
In an exemplary embodiment, the service platform system 602 is configured to notify the application program to log in the embedded page in the mobile application in other manners when the data to be verified does not match the digital signature, or the verification is not passed in the single sign-on authentication center based on the single sign-on credentials.
For system embodiments, the description is relatively simple as it is substantially similar to method embodiments, and reference is made to the description of method embodiments for relevant points.
Preferably, the embodiment of the invention also provides an electronic device, which comprises a processor, a memory, and a computer program stored in the memory and capable of running on the processor, wherein the computer program realizes the processes of the single sign-on method embodiment when being executed by the processor, and can achieve the same technical effects, and the repetition is avoided, so that the description is omitted.
The embodiment of the invention also provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, realizes the processes of the single sign-on method embodiment and can achieve the same technical effects, and in order to avoid repetition, the description is omitted. The computer readable storage medium is, for example, a Read-Only Memory (ROM), a random access Memory (Random Access Memory RAM), a magnetic disk or an optical disk.
Embodiments of the present invention provide a computer program product stored in a storage medium, where the program product is executed by at least one processor to implement the respective processes of the above method embodiments, and achieve the same technical effects, and for avoiding repetition, a detailed description is omitted herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present invention and the scope of the claims, which are to be protected by the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part of it contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (8)

1. A single sign-on method, applied to a service platform system, wherein the service platform system stores a digital signature and a single sign-on credential which are reported by a mobile application through an interface, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, and the single sign-on credential is a credential for authorized login issued by a single sign-on authentication center for the mobile application, the method comprising the following steps:
Receiving a login request for logging in an embedded page in the mobile application, wherein the login request comprises an application identifier to be verified and a single sign-on credential to be verified;
generating data to be verified according to the application identifier to be verified and the single sign-on credential to be verified;
when the data to be verified matches the digital signature, performing verification in the single sign-on authentication center based on the single sign-on credential, so as to log in to the embedded page in the mobile application when the verification is passed;
The digital signature is generated by the mobile application, which is used for acquiring an application identifier of the mobile application, acquiring a single sign-on credential issued by the single sign-on authentication center for the mobile application, combining the application identifier and the single sign-on credential to obtain composite data, and performing data hash on the composite data to obtain a data hash value;
the generating the data to be verified according to the application identifier to be verified and the single sign-on credential to be verified comprises:
and carrying out data hash on the composite data to be verified, which is obtained after the application identifier to be verified and the single sign-on credentials to be verified are combined, so as to obtain the data to be verified.
2. The method of claim 1, wherein after the generating the data to be verified from the application identification to be verified and the single sign-on credential to be verified, the method further comprises:
And decrypting the digital signature by adopting a public key corresponding to the private key to obtain a data hash value, wherein if the data to be verified is consistent with the data hash value, the data to be verified is determined to be matched with the digital signature, and if the data to be verified is inconsistent with the data hash value, the data to be verified is determined to be not matched with the digital signature.
3. The method according to claim 1, wherein the method further comprises:
and when the data to be verified does not match the digital signature, or the verification in the single sign-on authentication center based on the single sign-on credential is not passed, notifying the mobile application to log in to the embedded page in another manner.
4. A single sign-on method, applied to a mobile application, wherein a digital signature and a single sign-on credential reported by the mobile application through an interface are stored in a service platform system corresponding to the mobile application, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, and the single sign-on credential is a credential for authorized login issued by a single sign-on authentication center for the mobile application, the method comprising the following steps:
sending, to the service platform system, a login request for logging in to an embedded page in the mobile application, wherein the login request comprises an application identifier to be verified and a single sign-on credential to be verified, so that the service platform system generates data to be verified according to the application identifier to be verified and the single sign-on credential to be verified, and performs verification in the single sign-on authentication center based on the single sign-on credential when the data to be verified matches the digital signature;
when the single sign-on authentication center passes the verification, the embedded page is logged in the mobile application;
before the sending, to the service platform system, a login request for logging in an embedded page in the mobile application, the method further includes:
acquiring an application identifier of the mobile application;
acquiring single sign-on credentials issued by the single sign-on authentication center for the mobile application;
Performing data hash after the application identifier and the single sign-on credential are combined to obtain composite data, and obtaining a data hash value;
and encrypting the data hash value by adopting a private key to obtain a digital signature.
5. The method of claim 4, wherein the single sign-on credentials are obtained by:
the single sign-on authentication center is used for generating a single sign-on credential according to the user identifier, the time stamp and the random character string;
And receiving the single sign-on certificate sent by the single sign-on authentication center.
6. A single sign-on system, comprising a mobile application, a service platform system and a single sign-on authentication center, wherein the service platform system stores a digital signature and a single sign-on credential which are reported by the mobile application through an interface, the digital signature is generated by the mobile application according to an application identifier and the single sign-on credential, and the single sign-on credential is a credential for authorized login issued by the single sign-on authentication center for the mobile application, wherein:
the mobile application is used for sending, to the service platform system, a login request for logging in to an embedded page in the mobile application, wherein the login request comprises an application identifier to be verified and a single sign-on credential to be verified;
the service platform system is used for generating data to be verified according to the application identifier to be verified and the single sign-on credential to be verified, and when the data to be verified matches the digital signature, performing verification in the single sign-on authentication center based on the single sign-on credential, so as to log in to the embedded page in the mobile application when the verification is passed;
The digital signature is generated by the mobile application, which is used for acquiring an application identifier of the mobile application, acquiring a single sign-on credential issued by the single sign-on authentication center for the mobile application, combining the application identifier and the single sign-on credential to obtain composite data, and performing data hash on the composite data to obtain a data hash value;
the generating the data to be verified according to the application identifier to be verified and the single sign-on credential to be verified comprises:
and carrying out data hash on the composite data to be verified, which is obtained after the application identifier to be verified and the single sign-on credentials to be verified are combined, so as to obtain the data to be verified.
7. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method according to any one of claims 1-5 when executing a program stored on a memory.
8. One or more computer-readable media having instructions stored thereon that, when executed by one or more processors, cause the processors to perform the method of any of claims 1-5.
CN202111583717.XA 2021-12-22 2021-12-22 Single sign-on method, system, electronic device and readable medium Active CN114398620B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111583717.XA CN114398620B (en) 2021-12-22 2021-12-22 Single sign-on method, system, electronic device and readable medium

Publications (2)

Publication Number Publication Date
CN114398620A CN114398620A (en) 2022-04-26
CN114398620B true CN114398620B (en) 2025-07-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant