CN112560006A - Single sign-on method and system under multi-application system - Google Patents
Publication number: CN112560006A; application number: CN202011550970.0A
Authority: CN (China)
Legal status: Granted (as assumed by Google; not a legal conclusion)
Classifications (CPC)
- G06F21/41 — User authentication where a single sign-on provides access to a plurality of computers (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/31 User authentication)
- G06F21/45 — Structures or tools for the administration of authentication (under G06F21/00; G06F21/30)
Abstract
The application relates to a single sign-on method under a multi-application system. After receiving the logged-in information of a first application system, the single sign-on server acquires a login request sent by a client, determines a second application system from the login request, acquires the user's permission information and generates a system authentication code. If the user's permission information includes the permission required by the second application system, the single sign-on server acquires the application system ID of the second application system and generates an initial callback address from the configuration stored for that ID. The login callback address is therefore configured on the server side by application ID rather than supplied by the client, and an application security level is introduced that controls whether single sign-on proceeds automatically. This addresses the low security and reliability of related single sign-on systems and improves both.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a single sign-on method and system under a multi-application system, an electronic device, and a computer-readable storage medium.
Background
When an enterprise runs multiple application systems, it is cumbersome for a user to enter an account and password separately for each system; a single sign-on method is therefore proposed, in which every application system can be used after the account and password have been entered once.
In the related technology, the callback address is spliced directly into the single sign-on interface, and after a successful login the flow jumps directly to the link corresponding to that callback address. Because the callback address is transmitted by the client, it can be forged, so security is poor. In addition, because application systems are not classified, the trust mechanism between systems is unreliable, and a separate authority management system has to be designed to manage the permissions of users and application systems, which is a heavy workload.
At present, no effective solution is provided for the problem of low security of the single sign-on method in the related art.
Disclosure of Invention
The embodiment of the application provides a single sign-on method, a single sign-on system, a computer device and a computer readable storage medium under a multi-application system, so as to at least solve the problem of low security of the single sign-on method in the related art.
In a first aspect, an embodiment of the present application provides a single sign-on method in a multi-application system, where the method includes:
after receiving the logged-in information of the first application system, the single sign-on server acquires a login request sent by a client, determines a second application system according to the login request, acquires user permission information and generates a system authentication code;
when the user permission information includes the permission requirement information of the second application system, the single sign-on server acquires the application system ID of the second application system and generates an initial callback address according to the configuration stored for that application system ID;
the single sign-on server generates a callback address according to the initial callback address and the system authentication code;
and the single sign-on server adds the callback address to a target link to generate a login address, and sends the login address to the client, wherein the login address is used for jumping to the second application system.
In some embodiments, after the single sign-on server determines the second application system according to the login request, the method further comprises:
the single sign-on server acquires the security level of the first application system and the security level of the second application system;
and when the security level of the first application system is greater than or equal to that of the second application system, the single sign-on server acquires the user permission information and generates a system authentication code according to the login request.
In some embodiments, after the single sign-on server obtains the security levels of the first application system and the second application system, the method further comprises:
and under the condition that the security level of the first application system is smaller than that of the second application system, the single sign-on server sends security level authentication failure information to the client, and the client renders and generates a first authentication failure interface based on the security level authentication failure information.
In some embodiments, when the user permission information does not include the permission requirement information of the second application system, the single sign-on server sends permission authentication failure information to the client, and the client renders a second authentication failure interface based on the permission authentication failure information.
In some embodiments, the single sign-on server obtains the IP address of the client and queries the home domain corresponding to the IP address, where each home domain is identified by fixed IP addresses;
it then acquires the preset login mode of that home domain, and the client renders a login interface according to the preset login mode, where the preset login mode is either third-party application login or local login.
In a second aspect, an embodiment of the present application provides a single sign-on system under a multi-application system, where the system includes a client device and a single sign-on device, the client device being connected to the single sign-on device;
the client device is used for sending the logged-in information of the first application system and the login request to the single sign-on device, and for receiving a login address sent by the single sign-on device, where the login address is used for logging in to the second application system;
the single sign-on device is used for receiving the logged-in information of the first application system and the login request sent by the client device, determining a second application system according to the login request, acquiring user permission information and generating a system authentication code;
and, when the user permission information includes the permission requirement information of the second application system, for acquiring the application system ID of the second application system, generating an initial callback address according to the configuration stored for that application system ID, generating a callback address according to the initial callback address and the system authentication code, adding the callback address to a target link to generate a login address, and sending the login address to the client device, where the login address is used for jumping to the second application system.
In some embodiments, the single sign-on device is further configured to obtain the security level of the first application system and the security level of the second application system after determining the second application system according to the login request;
when the security level of the first application system is greater than or equal to that of the second application system, the single sign-on device acquires the user permission information and generates a system authentication code according to the login request;
and when the security level of the first application system is lower than that of the second application system, the single sign-on device sends security level authentication failure information to the client device, and the client device renders a first authentication failure interface based on the security level authentication failure information.
In some embodiments, the single sign-on device sends permission authentication failure information to the client device when the user permission information does not include the permission requirement information of the second application system, and the client device renders a second authentication failure interface based on the permission authentication failure information.
In a third aspect, an embodiment of the present application provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the processor implements the single sign-on method under the multi-application system according to the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a single sign-on method under a multi-application system as described in the first aspect above.
Compared with the related art, the single sign-on method under the multi-application system provided by the embodiments configures the login callback address on the server side by application ID and introduces an application security level that controls whether single sign-on is performed automatically: logging in to a high-level application first and then to a low-level application performs single sign-on automatically, whereas logging in to a low-level application first and then to a high-level application does not. In addition, a permission verification mechanism is added, so that a user cannot log in to an application for which they hold no permission. This solves the low security and reliability of related single sign-on systems and improves both.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of an application environment of a single sign-on method under a multi-application system according to an embodiment of the present application;
FIG. 2 is a flow chart of a single sign-on method in a multi-application scenario according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an application system trust mechanism according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an application authority mechanism according to an embodiment of the present application;
FIG. 5 is a block diagram of a single sign-on system in a multi-application scenario according to an embodiment of the present application;
fig. 6 is an internal structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The single sign-on method under the multi-application system provided by the application can be applied to the application environment shown in fig. 1, which is a schematic diagram of that environment according to an embodiment of the application. As shown in fig. 1, a terminal 10 and a server 11 communicate through a network. The server 11 receives a login request sent by the terminal 10, determines a second application system from the login request, acquires user permission information, generates a system authentication code, and generates an initial callback address from the configuration for the second application system's ID; it then generates a callback address from the initial callback address and the system authentication code and adds the callback address to the target link to form a login address. The terminal 10 jumps to the second application system through the login address. The terminal 10 may be, without limitation, a personal computer, notebook computer, smartphone, tablet computer or portable wearable device, and the server 11 may be an independent server or a cluster of servers implementing the single sign-on method provided by the present application.
When several application systems exist in a working scene, entering an account and password separately for each system is cumbersome and unnecessary, so a single sign-on method that gives access to all the application systems after one password entry is needed for the convenience of users.
The present embodiment provides a single sign-on method in a multi-application scenario, and fig. 2 is a flowchart of the single sign-on method in the multi-application scenario according to the embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
Step S201: after the first application system has been logged in successfully, the single sign-on server acquires a new login request sent by the client. In this embodiment, the login request is the request the client initiates so that the single sign-on server performs single sign-on verification and returns the required parameters. The login request carries a client identifier such as the ID of the client initiating the login, the IP address of the client, the application system to be logged in to, and the user's permission information. The client is the program that corresponds to the server and provides local services to the user, usually installed on a terminal (for example a mobile terminal), and it must work together with the server; the server is the collection of software programs and data that serve the client. The method of this embodiment is executed by the server. In step S201 the login request also carries the cookie generated by the login to the first application system; if the login request carries no such cookie, the client is initiating a login request for the first time.
Step S202: the single sign-on server determines the second application system from the login request, acquires the user's permission information and generates a system authentication code. The second application system is the new application system the client logs in to after the first application system has already been logged in; the words "first" and "second" merely distinguish the two systems and do not imply an ordering. Optionally, the single sign-on server determines the second application system from the login request and acquires the user's permission information from the user information. The user permission information reflects the usage rights the user holds; optionally, a permission may also be the right to use a specific function of an application system, for example camera use, microphone use or reading local data.
Step S203: if the user permission information includes the permission required by the second application system, the single sign-on server acquires the application system ID of the second application system and generates an initial callback address from the configuration stored for that application system ID. In this embodiment a permission verification mechanism is added: at login, the user permission information in the login request is compared with the permission requirement of the application system being logged in to, the user's right to use that system is judged, and depending on the result the flow either continues to the next step or returns authentication failure information. Optionally, the single sign-on server may return the list of permission identifiers to the application system. For all application systems in a working scene, the permission check provided in this embodiment is also carried out by the single sign-on server when the user logs in to the first application system.
Step S204: the single sign-on server generates a callback address from the initial callback address and the system authentication code. The callback address specifies the URL the browser is redirected back to. Registering callback addresses protects a third party's AppID account from being abused by other, malicious websites. For example, Bilibili supports login with a WeChat account: when the user first connects (the jump link carries the AppID that Bilibili applied for from WeChat), WeChat prompts "authorize login to Bilibili", and after the user name and password are entered WeChat redirects back to Bilibili (the callback address) with a message indicating that authentication passed. In this embodiment the initial callback address is configured from the application system ID, so a link address generated from it cannot redirect to an arbitrary link, which improves the security of the system.
step S205, the single sign-on server adds the callback address to the target link to generate a login address, and sends the login address to the client, wherein the login address is used for jumping to a second application system;
through steps S201 to S205, in this embodiment, the initial callback address is configured according to the application ID, the login address is generated based on the initial callback address, the system authentication code and the target link, and the client jumps to the second application system through the login address, so that the problem of poor security of the single sign-on system in the related art is solved, and the security and controllability of the single sign-on system are improved.
In some embodiments, fig. 3 is a schematic diagram of an application system trust mechanism according to an embodiment of the present application. As shown in fig. 3, after the single sign-on server determines the second application system from the login request, it obtains the security levels of the first and second application systems. If the security level of the first application system is greater than or equal to that of the second application system, the single sign-on server acquires the user permission information and generates a system authentication code from the login request. If the security level of the first application system is lower than that of the second application system, the single sign-on server sends security level authentication failure information to the client, and the client renders a first authentication failure interface from it. In this embodiment the security levels are configured by developers according to a preset rule, one level per application system. On this basis the single sign-on server controls whether single sign-on is performed automatically: moving from a higher-level application to a lower-level application, single sign-on proceeds normally; moving from a lower-level application to a higher-level application, single sign-on is not performed and the user must re-enter the account and password or scan a code to log in.
For example, if the security level of application system A is 5 and that of application system B is 2, a user who has logged in to system A can enter system B without logging in again; in the opposite direction single sign-on is not performed. Single sign-on can thus be controlled as needed, and a trust mechanism is established between application systems instead of assuming by default that all application systems trust one another and performing unrestricted single sign-on, which improves the reliability of the system.
In some embodiments, fig. 4 is a schematic diagram of an application permission mechanism according to an embodiment of the present application. As shown in fig. 4, when the user permission information does not include the permission required by the second application system, that is, the user has no right to use the second application system, the single sign-on server sends permission authentication failure information to the client, and the client renders a second authentication failure interface from it.
In some embodiments, the single sign-on server obtains the IP address of the client and queries the home domain corresponding to that IP address, each home domain being identified by fixed IP addresses; the single sign-on server then obtains the preset login mode of that home domain, and the client renders the login interface according to it. The preset login mode is either third-party application login or local login. For example, in an enterprise scene, when a user opens the single sign-on page, the single sign-on server determines from the visitor's IP address which branch company (by its fixed IP addresses) the visitor belongs to and looks up the login mode that branch has chosen in a database: if branch M has configured WeChat login, the login page shows only WeChat login; if branch N has configured local user login, the login page shows only local login. Optionally, the same embodiment can be applied to select the login mode per application.
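The following is an added example, not code from the patent or from any product implementing it, that puts steps S201 to S205, the security-level trust mechanism of fig. 3 and the permission mechanism of fig. 4 into one working Python module. The application registry, the security levels and permission names, the session layout, the URL layout of the login address and the 60-second single-use system authentication code are all assumptions made here for illustration; the patent specifies none of them. What it shows beyond the text: the callback base comes only from the server-side configuration for the application ID, so a callback supplied in the client's request (the forgery described in the background) has no effect on where the login address redirects, and the authentication code is bound to the user and target application and cannot be replayed against another system.

```python
"""Added example (not the patent's code): a single sign-on server that builds
the login address for a second application system as in steps S201-S205,
with the security-level trust check (fig. 3) and the permission check
(fig. 4). Registry, session layout, URL layout and code lifetime are
assumptions made for illustration."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side registry, keyed by application system ID. The callback
# base is configured here, so a callback supplied by the client is never used.
APP_REGISTRY = {
    "app-erp": {"callback": "https://erp.example.test/sso/callback",
                "level": 5, "perm": "erp:use"},
    "app-wiki": {"callback": "https://wiki.example.test/sso/callback",
                 "level": 2, "perm": "wiki:use"},
}
SSO_LOGIN_ENDPOINT = "https://sso.example.test/login"  # the "target link"
CODE_TTL_SECONDS = 60  # assumed lifetime of a system authentication code

# Issued system authentication codes: code -> binding (user, app_id, expiry).
# A real server would keep this in a shared store with the same semantics.
_ISSUED_CODES = {}


def issue_auth_code(user, app_id, now=None):
    """Generate a random, single-use system authentication code bound
    server-side to (user, app_id), so it cannot be replayed elsewhere."""
    code = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + CODE_TTL_SECONDS
    _ISSUED_CODES[code] = {"user": user, "app_id": app_id, "expires": expires}
    return code


def consume_auth_code(code, app_id, now=None):
    """Called from the second application system's callback. Returns the user
    if the code is unused, unexpired and bound to this app_id, else None.
    The code is deleted on first presentation whether or not it is valid."""
    current = now if now is not None else time.time()
    for issued in list(_ISSUED_CODES):
        if hmac.compare_digest(issued, code):  # constant-time comparison
            binding = _ISSUED_CODES.pop(issued)
            if binding["app_id"] == app_id and binding["expires"] > current:
                return binding["user"]
            return None
    return None


def build_login_address(session, login_request, now=None):
    """Steps S202-S205 plus the trust and permission checks.

    session: state from the first application system's login (carried by a
             cookie on a real server): user, permissions, first_app_id.
    login_request: what the client sent; only app_id is read. A "callback"
             field, if present, is deliberately ignored.
    Returns ("ok", login_address) or ("error", reason)."""
    first = APP_REGISTRY.get(session["first_app_id"])
    second = APP_REGISTRY.get(login_request.get("app_id"))
    if first is None or second is None:
        return "error", "unknown application system"
    if first["level"] < second["level"]:  # trust mechanism, fig. 3
        return "error", "security level authentication failed"
    if second["perm"] not in session["permissions"]:  # permission, fig. 4
        return "error", "permission authentication failed"
    # S203/S204: initial callback from configuration, code appended to it.
    code = issue_auth_code(session["user"], login_request["app_id"], now)
    callback = second["callback"] + "?" + urlencode({"code": code})
    # S205: the callback is added to the target link to form the login address.
    query = urlencode({"app_id": login_request["app_id"], "redirect_uri": callback})
    return "ok", SSO_LOGIN_ENDPOINT + "?" + query


def extract_callback(login_address):
    """Where a login address will send the browser: (callback host, code)."""
    redirect = parse_qs(urlparse(login_address).query)["redirect_uri"][0]
    parts = urlparse(redirect)
    return parts.hostname, parse_qs(parts.query)["code"][0]


if __name__ == "__main__":
    session = {"user": "alice", "permissions": {"erp:use", "wiki:use"},
               "first_app_id": "app-erp"}
    # Higher-level app (5) to lower-level app (2): allowed. The forged
    # callback in the request does not appear in the result.
    print(build_login_address(session, {"app_id": "app-wiki",
                                        "callback": "https://evil.test/"}))
    # Lower-level app to higher-level app: single sign-on refused.
    print(build_login_address(dict(session, first_app_id="app-wiki"),
                              {"app_id": "app-erp"}))
```

Run as a script it prints one login address for the higher-to-lower-level move and one security-level failure for the reverse. The second application system must still call consume_auth_code with its own ID when the browser arrives at the callback; that check is what prevents a code issued for one system from being accepted by another.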
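An added example for the home-domain login-mode selection above (not the patent's code): it maps the client's IP address to a branch and returns the branch's preset login mode. The branch address ranges (RFC 5737 and RFC 3849 documentation addresses), the mode names and the trusted-proxy range are constructed assumptions. It also handles a point the text does not state: when the single sign-on server sits behind a reverse proxy, the client's address arrives in an X-Forwarded-For header that any visitor can set, so the header is honoured only when the TCP peer is a trusted proxy; otherwise a visitor could choose their branch, and with it the login mode shown.

```python
"""Added example (not the patent's code): choose the login mode from the
client's IP address, as in the home-domain embodiment. Branch ranges, mode
names and the trusted-proxy range are constructed assumptions."""
import ipaddress

# Assumed branch configuration: each branch ("home domain") is identified by
# fixed address ranges and has chosen one login mode. "wechat" stands for
# third-party application login, "local" for local account login.
BRANCH_RANGES = [
    ("M", ipaddress.ip_network("203.0.113.0/24"), "wechat"),
    ("N", ipaddress.ip_network("198.51.100.0/25"), "local"),
    ("N", ipaddress.ip_network("2001:db8:100::/48"), "local"),
]
DEFAULT_MODE = "local"  # assumed mode for visitors from no known branch

# Only these reverse-proxy addresses may assert the client address through
# X-Forwarded-For; the header from any other peer is ignored. Without this,
# a visitor could pick their branch, and so their login mode, by sending it.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, forwarded_for=None):
    """Address to classify: the TCP peer, or, when the peer is a trusted
    proxy, the rightmost X-Forwarded-For hop that is not itself a trusted
    proxy (proxies append, so anything left of that hop is client-supplied)."""
    peer = ipaddress.ip_address(peer_addr)
    if forwarded_for is None or not _is_trusted_proxy(peer):
        return peer
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if not _is_trusted_proxy(addr):
            return addr
    return peer  # only proxies listed: treat the peer as the client


def home_domain(ip):
    """(branch, mode) for an address; the most specific range wins;
    (None, DEFAULT_MODE) when no branch range contains it."""
    best = None
    for branch, net, mode in BRANCH_RANGES:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (branch, net, mode)
    return (best[0], best[2]) if best else (None, DEFAULT_MODE)


def login_mode(peer_addr, forwarded_for=None):
    """What the login page should render for this request."""
    branch, mode = home_domain(client_ip(peer_addr, forwarded_for))
    return {"branch": branch, "mode": mode}
```

The fallback mode for an unrecognised address deserves thought in a real deployment: defaulting to local login keeps the page usable for visitors outside any branch range, but it also means an attacker who cannot spoof a branch address simply gets the local form, so the branch check is a usability selector, not an access control.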
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
The embodiment also provides a single sign-on system in a multi-application scenario, where the system is used to implement the foregoing embodiment and preferred embodiments, and details are not repeated after the description is given. As used hereinafter, the terms "module," "unit," "subunit," and the like may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a single sign-on system in a multi-application scenario according to an embodiment of the present application. As shown in fig. 5, the system includes a client device 51 and a single sign-on device 52, the client device 51 being connected to the single sign-on device 52. The client device 51 is configured to send the logged-in information of the first application system and a login request to the single sign-on device 52, and to receive a login address sent by the single sign-on device 52, where the login address is used to jump to the second application system. The single sign-on device 52 is configured to receive the logged-in information of the first application system and the login request sent by the client device 51, determine the second application system from the login request, acquire the user permission information and generate a system authentication code; and, when the user permission information includes the permission required by the second application system, to acquire the application system ID of the second application system, generate an initial callback address from the configuration stored for that ID, generate a callback address from the initial callback address and the system authentication code, add the callback address to the target link to form a login address, and send the login address to the client device 51 for jumping to the second application system.
In some embodiments, the single sign-on device is further configured to obtain the security level of the first application system and the security level of the second application system after determining the second application system from the login request; when the security level of the first application system is greater than or equal to that of the second application system, the single sign-on device acquires the user permission information and generates a system authentication code from the login request; and when the security level of the first application system is lower than that of the second application system, the single sign-on device sends security level authentication failure information to the client device, and the client device renders a first authentication failure interface from it.
In some embodiments, the single sign-on device sends permission authentication failure information to the client device when the user permission information does not include the permission required by the second application system, and the client device renders a second authentication failure interface from it.
In one embodiment, a computer device is provided, which may be a terminal. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements a single sign-on method under a multi-application system. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device of the computer device may be a touch layer covering the display screen, a key, a track ball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad, mouse or the like.
In an embodiment, fig. 6 is a schematic diagram of the internal structure of an electronic device according to an embodiment of the present application. As shown in fig. 6, the electronic device, which may be a server, includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the electronic device is used for storing data. The network interface of the electronic device is used for connecting to and communicating with an external terminal through a network. The computer program, when executed by the processor, implements a single sign-on method under a multi-application system.
Those skilled in the art will appreciate that the configuration shown in fig. 6 is a block diagram of only a portion of the configuration associated with the present application, and does not constitute a limitation on the electronic device to which the present application is applied, and a particular electronic device may include more or less components than those shown in the drawings, or may combine certain components, or have a different arrangement of components.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
It should be understood by those skilled in the art that various features of the above-described embodiments can be combined in any combination, and for the sake of brevity, all possible combinations of features in the above-described embodiments are not described in detail, but rather, all combinations of features which are not inconsistent with each other should be construed as being within the scope of the present disclosure.
The above-mentioned embodiments only express several embodiments of the present application, and their description is specific and detailed, but this should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (10)
1. A single sign-on method under a multi-application system is characterized by comprising the following steps:
after receiving the logged-in information of the first application system, the single sign-on server acquires a login request sent by a client, determines a second application system according to the login request, acquires user permission information, and generates a system authentication code;
under the condition that the user permission information comprises permission requirement information of the second application system, the single sign-on server acquires an application system ID of the second application system and generates an initial callback address according to the configuration of the application system ID;
the single sign-on server generates a callback address according to the initial callback address and the system authentication code;
and the single sign-on server adds the callback address to a target link to generate a login address, and sends the login address to the client, wherein the login address is used for jumping to the second application system.
2. The method of claim 1, wherein after the single sign-on server determines a second application system from the login request, the method further comprises:
the single sign-on server acquires the security level of the first application system and the security level of the second application system;
and under the condition that the security level of the first application system is greater than or equal to that of the second application system, the single sign-on server acquires the user permission information and generates the system authentication code according to the login request.
3. The method of claim 2, wherein after the single sign-on server obtains the security levels of the first application system and the second application system, the method further comprises:
under the condition that the security level of the first application system is lower than that of the second application system, the single sign-on server sends security level authentication failure information to the client, and the client renders a first authentication failure interface based on the security level authentication failure information.
4. The method according to claim 1, wherein, in a case that the user permission information does not include the permission requirement information of the second application system, the single sign-on server sends permission authentication failure information to the client, and the client renders a second authentication failure interface based on the permission authentication failure information.
5. The method according to any one of claims 1 to 4, wherein the single sign-on server obtains the IP address of the client and queries a home domain corresponding to the IP address, wherein the home domain is in a fixed IP address format;
and acquiring a preset login mode of the home domain, and rendering and generating a login interface by the client according to the preset login mode, wherein the preset login mode comprises third-party application login and local login.
6. A single sign-on system under a multi-application system, the system comprising: the system comprises client equipment and single sign-on equipment, wherein the client equipment is connected with the single sign-on equipment;
the client device is used for sending the logged-in information and the login request of the first application system to the single sign-on device, or receiving a login address sent by the single sign-on device, wherein the login address is used for jumping to the second application system;
the single sign-on device is used for receiving the logged-in information of the first application system and the login request sent by the client device, determining a second application system according to the login request, acquiring user permission information, and generating a system authentication code;
the single sign-on equipment is used for acquiring the application system ID of a second application system under the condition that the user permission information comprises permission requirement information of the second application system, and generating an initial callback address according to the application system ID configuration; and generating a callback address according to the initial callback address and the system authentication code, adding the callback address to a target link to generate a login address, and sending the login address to the client equipment, wherein the login address is used for jumping to the second application system.
7. The system of claim 6, wherein the single sign-on device is further configured to obtain the security levels of the first application system and the second application system after the second application system is determined according to the login request;
under the condition that the security level of the first application system is greater than or equal to that of the second application system, the single sign-on device acquires the user permission information and generates the system authentication code according to the login request;
and under the condition that the security level of the first application system is lower than that of the second application system, the single sign-on device sends security level authentication failure information to the client device, and the client device renders a first authentication failure interface based on the security level authentication failure information.
8. The system of claim 6, wherein the single sign-on device sends permission authentication failure information to the client device if the user permission information does not include the permission requirement information of the second application system, and the client device renders a second authentication failure interface based on the permission authentication failure information.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements a single sign-on method under a multi-application system according to any one of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements a single sign-on method under a multi-application system according to any one of claims 1 to 5.
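The flow described for fig. 5 and restated in claims 1 to 5 (security-level check, permission check, system authentication code, initial callback address from the application system ID's configuration, callback address, login address built from the target link, and the home-domain login mode of claim 5) is shown below as an added worked example; it is not code from the patent or from its applicant. Everything not named in the patent is an assumption: the application registry `APP_REGISTRY` with a per-system callback base, target link, security level and required permission; the constructed user permission table; the HMAC-based format of the system authentication code (the patent does not say how the code is formed); and the assumption that the single sign-on server has already validated the first system's session before `build_login_address` is called.

```python
# Added example (not code from the patent): a minimal single sign-on server
# implementing the flow of fig. 5 and claims 1-5. All names, the HMAC-based
# construction of the "system authentication code", the application registry
# and the user permission table are assumptions; the patent specifies none.
import hashlib
import hmac
import ipaddress
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed application-system registry keyed by application system ID.
# Callback base and target link come from this configuration, never from the
# client's request, so a login address can only redirect to a registered system.
APP_REGISTRY = {
    "app-portal": {"callback_base": "https://portal.example.com/sso/callback",
                   "target_link": "https://portal.example.com/login",
                   "security_level": 1, "required_permission": "portal:user"},
    "app-finance": {"callback_base": "https://finance.example.com/sso/callback",
                    "target_link": "https://finance.example.com/login",
                    "security_level": 3, "required_permission": "finance:view"},
    "app-hr": {"callback_base": "https://hr.example.com/sso/callback",
               "target_link": "https://hr.example.com/login",
               "security_level": 1, "required_permission": "hr:view"},
}
# Constructed user permission information, as the SSO server would look it up.
USER_PERMISSIONS = {"alice": {"portal:user", "finance:view", "hr:view"},
                    "bob": {"portal:user", "finance:view"}}
# Constructed home domains in fixed IP-address format (claim 5) and their mode.
HOME_DOMAINS = [(ipaddress.ip_network("10.0.0.0/8"), "local"),
                (ipaddress.ip_network("203.0.113.0/24"), "third_party")]
SERVER_KEY = b"sso-server-secret-key"   # assumption: server-side HMAC key
CODE_TTL = 60                           # assumption: code lifetime in seconds


class SsoError(Exception):
    """Raised for security-level, permission and code-verification failures."""


def generate_system_auth_code(user, app_id, now=None):
    # Assumed format: user.app.expiry.nonce.hmac, bound to the target system so
    # a code issued for one application cannot be replayed at another.
    exp = int(time.time() if now is None else now) + CODE_TTL
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, f"{user}|{app_id}|{exp}|{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{user}.{app_id}.{exp}.{nonce}.{tag}"  # identifiers must not contain "."


def verify_system_auth_code(code, expected_app_id, now=None):
    """Check a code presented at a callback; returns the user or raises SsoError."""
    parts = code.split(".")
    if len(parts) != 5:
        raise SsoError("malformed system authentication code")
    user, app_id, exp, nonce, tag = parts
    expected = hmac.new(SERVER_KEY, f"{user}|{app_id}|{exp}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise SsoError("system authentication code tampered with")
    if app_id != expected_app_id:
        raise SsoError("code was issued for a different application system")
    if int(exp) < int(time.time() if now is None else now):
        raise SsoError("system authentication code expired")
    return user


def build_login_address(logged_in_app_id, login_request, user, now=None):
    """Claims 1-4: security-level check, permission check, then
    initial callback -> callback (+code) -> login address (target link + callback)."""
    second_app_id = login_request["target_app"]       # determine the second system
    first, second = APP_REGISTRY[logged_in_app_id], APP_REGISTRY.get(second_app_id)
    if second is None:
        raise SsoError("unknown application system")
    if first["security_level"] < second["security_level"]:   # claims 2 and 3
        raise SsoError("security level authentication failed")
    if second["required_permission"] not in USER_PERMISSIONS.get(user, set()):
        raise SsoError("permission authentication failed")     # claim 4
    code = generate_system_auth_code(user, second_app_id, now)
    initial_callback = second["callback_base"]        # generated from app ID config
    callback = f"{initial_callback}?{urlencode({'code': code})}"
    return f"{second['target_link']}?{urlencode({'callback': callback})}"


def code_from_login_address(login_address):
    """What the second system does on arrival: pull the code out of the callback."""
    callback = parse_qs(urlparse(login_address).query)["callback"][0]
    return parse_qs(urlparse(callback).query)["code"][0]


def preset_login_mode(client_ip):
    """Claim 5: map the client IP to its home domain's preset login mode."""
    addr = ipaddress.ip_address(client_ip)
    for net, mode in HOME_DOMAINS:
        if addr in net:
            return mode
    return "local"   # assumption: fall back to local login when no domain matches


if __name__ == "__main__":
    t0 = 1_700_000_000
    addr = build_login_address("app-finance", {"target_app": "app-portal"}, "alice", t0)
    print(addr)
    print(verify_system_auth_code(code_from_login_address(addr), "app-portal", t0))
```

Two points a practitioner would check in any implementation of this scheme. First, both the initial callback address and the target link are derived from the registered application system ID, not copied from the login request; if either were taken from the request, the login address would be an open redirect carrying the authentication code to an attacker-chosen host. Second, the patent leaves the system authentication code unspecified; the example binds it to the user, the second application system and an expiry so that a code issued for one system is rejected at another and cannot be replayed after its lifetime, and a real deployment would additionally record the nonce as consumed so each code is single-use.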
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011550970.0A CN112560006B (en) | 2020-12-24 | 2020-12-24 | Single sign-on method and system under multi-application system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112560006A true CN112560006A (en) | 2021-03-26 |
| CN112560006B CN112560006B (en) | 2024-09-27 |
Family
ID=75033464
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011550970.0A Active CN112560006B (en) | 2020-12-24 | 2020-12-24 | Single sign-on method and system under multi-application system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112560006B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114189375A (en) * | 2021-12-06 | 2022-03-15 | 银清科技有限公司 | Business system management method and device |
| CN114189375B (en) * | 2021-12-06 | 2024-02-27 | 银清科技有限公司 | Service system management method and device |
| CN114363090A (en) * | 2022-03-02 | 2022-04-15 | 工业互联网创新中心(上海)有限公司 | Method for realizing single sign-on platform of multi-application system and management system |
| CN119484120A (en) * | 2024-11-20 | 2025-02-18 | 学科网(北京)股份有限公司 | Cross-subsystem login method, communication system and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130276070A1 (en) * | 2012-04-17 | 2013-10-17 | Salesforce.Com, Inc. | Cross instance user authentication architecture |
| CN103501344A (en) * | 2013-10-10 | 2014-01-08 | 从兴技术有限公司 | Method and system for realizing single sign-on of plurality of applications |
| CN111382415A (en) * | 2019-04-24 | 2020-07-07 | 深圳市鸿合创新信息技术有限责任公司 | A unified login method and device, and electronic equipment |
Application Events
| Date | Country | Application | Status |
|---|---|---|---|
| 2020-12-24 | CN | CN202011550970.0A (CN112560006B) | Active |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112560006B (en) | 2024-09-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112597472B (en) | Single sign-on method, device and storage medium | |
| US8561172B2 (en) | System and method for virtual information cards | |
| CN105991614B (en) | It is a kind of it is open authorization, resource access method and device, server | |
| KR101076911B1 (en) | System and method for providing security to an application | |
| US9053306B2 (en) | Authentication system, authentication server, service providing server, authentication method, and computer-readable recording medium | |
| CN109873805A (en) | Cloud desktop login method, device, device and storage medium based on cloud security | |
| US20140150055A1 (en) | Data reference system and application authentication method | |
| CN112187465B (en) | Non-inductive login method, device, computer equipment and storage medium | |
| CN106549909B (en) | Authorization verification method and device | |
| US11025635B2 (en) | Secure remote support authorization | |
| US10650153B2 (en) | Electronic document access validation | |
| CN109842616B (en) | Account binding method and device and server | |
| CN112560006B (en) | Single sign-on method and system under multi-application system | |
| CN112637167A (en) | System login method and device, computer equipment and storage medium | |
| CN113626840A (en) | Interface authentication method and device, computer equipment and storage medium | |
| US20190102534A1 (en) | Single sign-on management for multiple independent identity providers | |
| CN107645474B (en) | Method and device for logging in open platform | |
| AU2019370092A1 (en) | Centralized authentication and authorization | |
| CN114338130B (en) | Information processing method, device, server and storage medium | |
| CN111310141A (en) | Authentication management method, device, computer equipment and storage medium | |
| US10936383B2 (en) | Hard coded credential bypassing | |
| US20220150277A1 (en) | Malware detonation | |
| CN105141586B (en) | A kind of method and system verified to user | |
| US20240007457A1 (en) | Time-based token trust depreciation | |
| CN118869289A (en) | Method and device for managing access to Windows assets based on bastion host |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |
| GR01 | Patent grant | | |