
HK1096790B - Method and website for enabling single sign-on between websites - Google Patents

Method and website for enabling single sign-on between websites Download PDF

Info

Publication number
HK1096790B
Authority
HK
Hong Kong
Prior art keywords
website
user
identity
signature
identity signature
Prior art date
Application number
HK07102970.3A
Other languages
Chinese (zh)
Other versions
HK1096790A1 (en)
Inventor
吴泳铭
钱志龙
程立
Original Assignee
创新先进技术有限公司
Filing date
Publication date
Priority claimed from CN2006100655583A (CN1835438B)
Application filed by 创新先进技术有限公司
Publication of HK1096790A1
Publication of HK1096790B

Description

Method for realizing single login between websites and website
Technical Field
The invention relates to computer and internet technology, in particular to a method for realizing single login among websites and a website.
Background
Many internet-based applications require a user to perform a series of operations across multiple independent but closely cooperating website systems. For example, in a C2C (Consumer to Consumer) e-commerce application, a user may select an item on a C2C website and then complete the transaction through a payment website that provides a transaction guarantee and convenient means of payment. In this example the C2C website and the payment website are two completely independent websites, each with its own user identity domain and its own authentication mechanism. The user, however, expects the smoothest possible shopping experience rather than having to log in to two different websites separately during a single purchase. A convenient, safe and fast Single Sign-On (SSO) mechanism is therefore needed. Single sign-on means that the user enters identity information for authentication only once and can then use several applications or website systems that require authentication without entering the identity information again.
The traditional single-sign-on method and system are built on two basic software and hardware facilities. First, a single user view must be maintained through a unified user management system; second, a common authentication system is required to achieve uniform user authentication. The user logs in to the common identity authentication system with the uniform user identity and obtains a token that proves the user's identity. When the user accesses a system in the same identity management domain, the token is included in the access request, and each system separately asks the unified identity authentication system to verify the validity of the token and thereby decides whether the identity is genuine. The conventional single-sign-on method and system are shown in fig. 1, and the process of implementing single sign-on is as follows:
Step 1: the user's browser requests a resource in an application system; the application system finds that the user has no identity token and redirects the user to the unified identity authentication system for identity authentication.
Step 2: the user passes identity authentication in the unified identity authentication system.
Step 3: the unified identity authentication system redirects the user back to the application system and submits the identity token to the application system.
Step 4: the application system submits the token to the unified identity authentication system to verify its authenticity; if the token is authentic, the user is allowed to access the requested resource in the application system, otherwise access to the requested resource is refused.
The traditional single-sign-on method and system therefore need a unified user identity library and a unified identity verification system shared by the different websites. For websites managed by different organizations, establishing such a library and verification system is difficult both in management strategy and in technology. These difficulties are manifested in particular as follows:
1. different websites have respective user groups, and the user sets have intersection but are not completely overlapped, so that different user sets are difficult to be incorporated into a unified user identity library.
2. Different websites have their own user registration and management strategies and processes; converting these to a unified user identity management system does not always match the requirements of the services.
3. Since the unified user identity library is common to each website system, but different website systems are operated independently, it is difficult to decide who establishes and maintains the unified user identity library.
4. The identity token is typically passed through a cookie, and passing authentication information through a cookie requires that different website systems in the single-sign-on domain be located in the same network domain. For a single login between different network domains, implementation with this mechanism requires a rather complex flow.
5. The unified identity authentication system as a centralized session management component has potential single point of failure and performance bottleneck problems. To solve this problem, a high-cost and complex clustering technique needs to be introduced, which will greatly increase the cost of construction and maintenance.
6. The original dispersed user identity management and identity verification system is transformed into a unified identity management and identity verification system, the original system needs to be greatly transformed, and the cost and the transformation risk are large.
Disclosure of Invention
The invention provides a method for realizing single login among websites and the websites, which are used for solving the problems of great technical difficulty and difficult management in the prior art that the realization of the single login among the systems needs to introduce a centralized unified user identity library and a unified identity verification system.
The invention provides the following technical scheme:
a method for realizing single login between websites comprises the following steps:
the first website stores the identity mapping relation between the first website and the second website of the user;
the first website acquires the identity of a user who logs in the website in a second website according to the user identity mapping relation stored in the website and generates an identity signature; and
and carrying the identity signature in a request message of the user for requesting to log in a second website, and verifying the user by the second website according to the identity signature.
According to the above method:
and the first website generates the identity signature when knowing that the user who has logged in the website needs to access the second website.
The second website redirects the login request of the user to the first website and identifies the request identity signature, and the first website generates the identity signature according to the request and redirects the login request to the second website. The first website further requires the user to provide identity information to authenticate the user when it is determined that the user is not logged into the website.
Further identifying in the request message carrying the identity signature that the user is from the first website; and the second website analyzes the identity signature according to the identification.
Adding a timestamp in the process of generating the identity signature; the second website verifies the validity of the identity signature using the timestamp.
A website, comprising:
the storage device is used for storing the user information of the user at the website and storing the mapping relation between the user at the website and the identity marks of other websites;
the identity authentication device is used for acquiring user information from the storage device and authenticating the identity of the user requesting to log in;
and the identity signature generator is used for acquiring, from the storage device and according to the mapping relation, the identity that the user who has logged in to the website holds at another website, generating an identity signature, and carrying the identity signature in the request message with which the user requests to log in to the other website, so that the other website verifies the user according to the identity signature.
The invention has the following beneficial effects:
1. the invention introduces the user identity mapping relation in the system to realize the user identity mapping between the systems, realizes the single login between the mutual trust systems through the distributed identity signature generator and the identity signature verifier, and does not need to introduce a centralized identity verification system. The identity signature generator and the identity signature verifier are simple extensions of the system, and the original identity verification system does not need to be modified. Therefore, compared with the centralized identity authentication system in the prior art, the technical scheme of the invention is not only easy to realize, but also easy to maintain and manage; meanwhile, potential performance bottlenecks and single-point failures caused by a centralized identity authentication system are avoided, and implementation cost and technical risks of the traditional single-login method and system are avoided.
2. Because the invention introduces the user identity mapping relation into the system, the user sets of the system still keep relative independence, and the mapping relation between the user sets and the user sets can be flexibly established and released according to the requirements.
3. The invention realizes real, complete, anti-repudiation and anti-replay single login through the safe identity signature generation and verification algorithm, and the safety of the invention can meet the requirements of e-commerce and other website systems with higher safety requirements. The minimization of the times of signature generation and verification is realized through a single login process of generating the identity signature on demand, and the design goal of rapidness and convenience is achieved.
Drawings
FIG. 1 is a diagram illustrating a prior art implementation of single sign-on between website systems;
FIG. 2 is a schematic structural diagram of a system for implementing single-sign-on in an embodiment of the present invention;
fig. 3 and 4 are flowcharts illustrating a single login between two website systems according to an embodiment of the present invention.
Detailed Description
The present embodiment mainly describes the implementation of the present invention by taking the example of implementing single sign-on between a website system a (hereinafter referred to as website a) and a website B (hereinafter referred to as website B) providing e-commerce applications in the internet.
Referring to fig. 2, website a and website B are two independent websites located anywhere on the internet, and located in two different network domains a and B. Of course, website a and website B may also be located in the same network domain. The website A has its own user group, and a user library A containing user information is stored in the storage device 20 of the website A; the site B also has its own user group, and a user library B containing user information is stored in the storage device 30 of the site B. After the user of the website a is authenticated by the authentication means 21, the resource of the website a can be accessed. After the user of the website B is authenticated by the authentication device 31, the resource of the website B can be accessed. This is a typical way of user management and authentication for two independently operated websites on the existing internet.
In the invention, after the cooperation relationship between the website A and the website B is established, a website A/B user mapping relationship table is established in the website A. The user C is a user of both the website A and the website B, the identity of the user C is CA in the website A, and the identity of the user C is CB in the website B, so that the user C has the following items in the user mapping relation table of the website A/B: CA → CB, which means that the identity of the user with CA in website A is CB in website B. After the user logs in the website A, the identity CB of the user at the website B can be obtained according to the identity CA of the user. The user's identity CA, CB may be a user identity (i.e. identity ID), although additional information for verification or control may be added.
The website a further includes an identity signature generator 22, and if the user C has logged in the website a and the identity is CA, the identity signature generator 22 signs the identity CB of the user at the website B using a signature algorithm and a signature key agreed by the website a and the website B.
The website B further comprises an identity signature verifier 32. When a user request includes an identity signature generated by website A, the identity signature verifier 32 parses the identity signature and verifies its authenticity, integrity and validity; after verification passes, website B knows the user's identity at website B and establishes an appropriate role for the user. As part of this verification, the identity signature verifier 32 retrieves the complete user information from the stored user identity information using the user ID carried in the request. If the user ID is invalid, or the corresponding user is not allowed to log in (for example, the account state is incorrect or the user is on a blacklist), verification fails and the user is not allowed to log in.
The website B further comprises an authority controller 33, which determines the user's access rights to the resources of website B according to the user's login mode, namely whether the user logged in directly at the website or was logged in automatically from a trusted website. The authority controller 33 may also read the necessary user information from the storage device 30 when deciding the user's access rights. After the user logs in and a session is established, the login mode is recorded in the stored session information, so the authority controller 33 can determine the login mode from the session information. For example, where website A is the C2C website and website B is the payment website, the authority controller 33 may, when the user reached the payment website by single sign-on from the C2C website, allow the user only to process transactions that originate on the C2C website, and not to manage accounts or perform other operations on the payment website through this login. Since payment websites generally have a higher security level than C2C websites, this strikes a good balance between ease of use and security: even if the user's password for the C2C website is stolen, only the user's business related to the C2C website is affected.
In the website a, the identity authentication device 21 and the identity signature generator 22 may be independent entities or may be the same entity; in the website B, the authentication device 31 and the authentication signature verifier 32 may be independent entities or may be the same entity.
The realization of single sign-on between the website a and the website B is ensured by identity signatures, and the security of the identity signature algorithm is the key of the single sign-on security, so that the security requirements on the authenticity, integrity, denial prevention and replay prevention of the identity signatures need to be met.
Authenticity means that the user identity information of website B and other additional information contained in the identity signature do come from website a.
Integrity, means that the identity signature has not been modified by a third party during transmission.
Non-repudiation means that neither website B nor any other third party except website A can produce a valid identity signature, so that website A cannot deny having generated an identity signature if a security-related dispute occurs.
Anti-replay, meaning that an identity signature can only be used once, after use the identity signature is no longer valid. Thus, the third party cannot log in to website B by eavesdropping on the identity signature and replaying the identity signature.
In order to meet the above authenticity, integrity and non-repudiation requirements, a signature algorithm based on a public-key system may be employed. A key pair is agreed between website A and website B: the private key is held by website A and kept secret from every other entity, including website B, while the corresponding public key is public and known to website B. When performing the identity signature, the identity signature generator 22 in website A signs the user's identity at website B with the private key using the public-key signature algorithm. When the identity signature verifier 32 of website B verifies the identity signature, it uses the same algorithm with the public key to check the authenticity and integrity of the identity signature. In addition, website B records each identity signature that passes verification in a log, to serve as evidence if a security dispute arises and to prevent website A from denying the identity signature.
In order to achieve anti-replay, the identity signature algorithm requires that the identity verification information contain a timestamp and that the timestamp be signed together with the user identity; website B then determines the validity (freshness) of the identity signature from the timestamp. The timestamp can be used in two ways:
1. When the identity signature verifier in website B verifies an identity signature, it compares the timestamp in this identity signature with the timestamp in the last identity signature accepted for the same user. Since the timestamps of two successive access requests from the same user to website B always increase, if the timestamp in the identity signature is older than the last one (i.e. earlier in time) or the two are equal, the identity signature is a replay and verification fails. This requires website B to keep the last accepted timestamp for each user, and the timestamp resolution must be fine enough that two legitimate requests do not carry the same value.
2. Website A and website B agree on a validity period for the timestamp, say 1 minute. When website B receives an identity signature, it determines validity by comparing the time indicated by the timestamp with the current time. Thus, even if a signature leaks, it is valid for only 1 minute. This presupposes that the clocks of the two websites are kept in reasonable agreement; on its own it does not stop a replay within the validity period, so in practice the two methods are combined.
The identity signature and verification algorithm is not limited to a public-key signature algorithm such as DSA (Digital Signature Algorithm). If the trust between website A and website B is sufficient and non-repudiation is not required, the identity information and the timestamp can instead be encrypted with a symmetric-key system and transmitted as a ciphertext string, which still provides the authenticity, integrity and anti-replay properties of the identity signature (but not non-repudiation, since website B holds the same key and could produce the same ciphertext). Alternatively, the identity information and the timestamp can be signed with a keyed digest built on a hash algorithm such as SHA1 (Secure Hash Algorithm, version 1) or MD5 (Message Digest, version 5). When a keyed digest is used, the two parties agree on a secret seed for the hash, so that a third party without the seed cannot generate a valid identity signature. In practice such a keyed digest should be constructed as an HMAC rather than by hashing the seed concatenated with the message, and since SHA-1 and MD5 are no longer considered collision-resistant, a newer hash such as SHA-256 should be preferred.
Referring to fig. 3, the process in which website A actively generates an identity signature for the user so that the user is automatically logged in to website B is as follows:
in step 300, user C requests to log on to website a and inputs identity information (e.g., username and password) for authenticating the identity.
In step 301, the identity authentication device 21 in the website a reads the information of the user from the user library of the storage device 20, and authenticates the identity information provided by the user.
Step 302, the user C is successfully verified, and the user C accesses the resource of the website A.
Step 303, when the website a detects that the user C needs to access the website B (for example, when the user C requests a resource in the website a that needs to be served by the website B), the identity signature generator 22 reads the identity information of the user C in the website B from the website a/B identity mapping relation table, signs the identity of the user in the website B and other additional information (for example, a timestamp and the like) by using a signature algorithm agreed with the website B, and attaches the identity signature to the request parameter of the website B.
At step 304, the access request containing the identity signature is directed to website B. User C is identified in the request as coming from website a. The identification can be in different sub-domain names or in the form of additional parameters.
In step 305, the identity signature verifier 32 in the website B analyzes the identity signature by using an algorithm agreed with the website a, verifies the validity of the identity signature, denies the user to access the resource requested by the user in the website B if the identity signature is invalid, and performs step 306 if the identity signature is valid.
Step 306, the identity signature is valid, which indicates that the user has been authenticated at the website a trusted by the website B, a session is established for the user according to the identity of the user at the website B included in the identity signature, and the identity signature is recorded in a log.
In step 307, the permission controller 33 further performs permission check on the user C, and allows the user to access the requested resource if permission is checked, otherwise, does not allow the user to access the requested resource.
The single-sign-on procedure described above needs to be performed only once. In the subsequent session between the user and the website B, the user can directly access the authorized resource of the website B without single login.
In the embodiment of the invention, website B can also initiate the identity verification request to website A only when it determines that user C needs to log in once, rather than having website A generate a signature every time user C visits website B from website A. This greatly reduces the number of identity signatures and verifications, and avoids the operation overhead, the identity signature log storage overhead and the risk of identity signature leakage caused by repeatedly generating and verifying identity signatures. Such a single-sign-on process is illustrated in fig. 4:
in step 400, user C requests access to website B, identifying himself from website A in the request. The identification can be in different sub-domain names or in the form of additional parameters.
In step 401, the website B determines whether the user has logged in the website (or has logged in through the website a once), if so, step 407 is performed, otherwise, step 402 is performed.
Step 402, website B redirects the request of user C to website A; the redirected request carries a parameter identifying that website A needs to provide authentication and an identity signature, and also carries the resource of website B that the user requested to access.
Step 403, after the website a determines that the user C has logged in the website, and determines that the user requests an identity signature according to the parameter identifier, the identity signature generator 22 reads the identity information of the user C on the website B from the website a/B identity mapping relation table, and generates an identity signature for the identity of the user on the website B and other additional information (such as a timestamp) by using a signature algorithm agreed with the website B.
If the user has not yet logged in to website A, website A requests in this step that the user submit the username and password for website A, and the identity authentication device 21 authenticates them.
Step 404, attach the identity signature to the request parameters for website B and redirect the user C request back to website B.
In step 405, the identity signature verifier 32 in the website B analyzes the identity signature by using an algorithm agreed with the website a, verifies the validity of the identity signature, and if the identity signature is invalid, denies the user to access the resource requested by the user in the website B, otherwise, proceeds to step 406.
And step 406, the identity signature is valid, which indicates that the user has been authenticated at the website a trusted by the website B, a session is established for the user according to the identity of the user at the website B contained in the identity signature, and the identity signature is recorded in a log.
In step 407, the permission controller 33 further performs permission check on the user C, and allows the user to access the requested resource if permission is checked, otherwise, does not allow the user to access the requested resource.
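The signature scheme described above and the two flows of fig. 3 and fig. 4 share the same core: website A signs the mapped identity together with a timestamp, website B checks the origin marker, the signature, the timestamp and the user's status, opens a session that records the login mode, and the authority controller restricts what a single-sign-on session may reach. The following Go program is an added example written for this page, not code from the patent or its assignee. It substitutes Ed25519 from the Go standard library for the DSA the text mentions, encodes the identity signature as the pipe-separated string "A|CB|timestamp|base64-signature" carried as a request parameter, and applies both timestamp checks (agreed validity window, then per-user last-accepted timestamp) before the user-status lookup. The user names, the "/c2c-orders/" resource prefix and the one-minute validity period are assumptions; the HTTP redirects of steps 304, 402 and 404 are left out, since only the parameter they carry matters here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// canonical is the byte string A signs and B verifies: origin marker, identity at B, unix-seconds timestamp ('|' must not occur in identities).
func canonical(origin, idB string, ts int64) []byte {
	return []byte(origin + "|" + idB + "|" + strconv.FormatInt(ts, 10))
}

// SiteA holds A's sessions, the A/B identity mapping table (CA -> CB) and A's private signing key.
type SiteA struct {
	loggedIn map[string]bool   // identities CA that currently hold a session at A
	mapping  map[string]string // CA -> CB
	priv     ed25519.PrivateKey
}

// GenerateIdentitySignature is step 303 / 403: sign "A|CB|timestamp" for a logged-in CA (assumed encoding).
func (a *SiteA) GenerateIdentitySignature(idA string, now time.Time) (string, error) {
	idB, ok := a.mapping[idA]
	if !a.loggedIn[idA] || !ok {
		return "", errors.New("user not authenticated at A, or has no A/B identity mapping")
	}
	sig := ed25519.Sign(a.priv, canonical("A", idB, now.Unix()))
	return "A|" + idB + "|" + strconv.FormatInt(now.Unix(), 10) + "|" + base64.StdEncoding.EncodeToString(sig), nil
}

// SiteB holds user library B, A's public key, anti-replay state, sessions and the evidence log.
type SiteB struct {
	users    map[string]bool   // CB -> allowed to log in (false: disabled or blacklisted)
	pubA     ed25519.PublicKey
	validity time.Duration     // agreed validity period of the timestamp (replay check 2)
	lastTS   map[string]int64  // last accepted timestamp per CB (replay check 1)
	sessions map[string]string // CB -> login mode: "direct" or "sso-from-A"
	log      []string          // accepted signatures, kept as evidence against repudiation
}

// VerifyIdentitySignature is steps 305-306 / 405-406; on success it opens a session marked as SSO from A.
func (b *SiteB) VerifyIdentitySignature(raw string, now time.Time) (string, error) {
	p := strings.Split(raw, "|")
	if len(p) != 4 || p[0] != "A" {
		return "", errors.New("request does not carry an identity signature from A")
	}
	idB := p[1]
	ts, errTS := strconv.ParseInt(p[2], 10, 64)
	sig, errSig := base64.StdEncoding.DecodeString(p[3])
	if errTS != nil || errSig != nil || !ed25519.Verify(b.pubA, canonical("A", idB, ts), sig) {
		return "", errors.New("authenticity/integrity check failed") // forged, or modified in transit
	}
	if age := now.Unix() - ts; age < 0 || time.Duration(age)*time.Second > b.validity {
		return "", errors.New("timestamp outside the agreed validity period") // replay check 2
	}
	if ts <= b.lastTS[idB] {
		return "", errors.New("replayed identity signature") // replay check 1: not newer than last accepted
	}
	if !b.users[idB] {
		return "", errors.New("user unknown or not permitted to log in at B")
	}
	b.lastTS[idB] = ts
	b.log = append(b.log, raw)
	b.sessions[idB] = "sso-from-A"
	return idB, nil
}

// DirectLogin stands in for B's own authentication device: the user logged in at B itself.
func (b *SiteB) DirectLogin(idB string) { b.sessions[idB] = "direct" }

// Authorize is the authority controller (step 307 / 407): an SSO session from the C2C site only reaches C2C resources.
func (b *SiteB) Authorize(idB, resource string) bool {
	mode := b.sessions[idB]
	return mode == "direct" || (mode == "sso-from-A" && strings.HasPrefix(resource, "/c2c-orders/"))
}

// NewSites builds both sites with a fresh key pair and constructed users: alice@a -> alice-b; bob@a -> bob-b (disabled at B).
func NewSites() (*SiteA, *SiteB) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a := &SiteA{loggedIn: map[string]bool{"alice@a": true},
		mapping: map[string]string{"alice@a": "alice-b", "bob@a": "bob-b"}, priv: priv}
	b := &SiteB{users: map[string]bool{"alice-b": true, "bob-b": false}, pubA: pub,
		validity: time.Minute, lastTS: map[string]int64{}, sessions: map[string]string{}}
	return a, b
}

func main() {
	a, b := NewSites()
	idSig, _ := a.GenerateIdentitySignature("alice@a", time.Now())
	fmt.Println(b.VerifyIdentitySignature(idSig, time.Now())) // alice-b <nil>
}
```

Presenting the same signature twice, changing the identity field, or presenting a fresh signature after the agreed window each fail at the corresponding check, and an accepted signature is appended to B's log so that A cannot later deny having issued it. Because the per-user comparison works on unix seconds, two otherwise valid signatures issued within the same second would collide, which is why a deployment needs a finer timestamp resolution than this example uses.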
In summary, the website a/B user identity mapping table is introduced into the website a to implement identity mapping between the website a and the website B, thereby avoiding management risks and technical risks caused by introducing a centralized user management system. The user sets of the website A and the website B are still relatively independent, and the mapping relation between the two sets can be flexibly established and released according to needs.
The single login between the mutually trusted websites is realized through the distributed identity signature generator and the identity signature verifier, a centralized identity verification system is not required to be introduced, and the problems of potential performance bottleneck and single point fault caused by the centralized identity verification system are avoided. The identity signature generator and the identity signature verifier are simple extensions of a website system, and compared with a centralized identity verification system, the identity signature generator and the identity signature verifier do not need to modify the original identity verification system of the website, so that the implementation cost and risk of the traditional single login method are avoided.
The method realizes real, complete, anti-repudiation and anti-replay single login through a safe identity signature generation and verification algorithm, and the safety of the method can meet the requirements of e-commerce and other websites with high safety requirements. The minimization of the times of signature generation and verification is realized through a single login process of generating the identity signature as required, and the design goal of rapidness and convenience is achieved.
Although the present embodiment is described by taking the website a and the website B as examples, the invention is not limited thereto. For example, in addition to establishing the website a/B user identity mapping table, the website a may also establish a website a/C user identity mapping table with the website C. Similarly, website B may also establish a website B/C user identity mapping table to implement single login with website C (i.e. website C has a relationship with multiple websites), and even website B may also establish a B/a user identity mapping table. But the process of implementing single sign-on between any two websites is the same as described above.
Although the present embodiment is described by taking a website system providing e-commerce applications as an example, the present invention is not limited thereto, and the present invention is also applicable to any other network system, communication system, etc. that needs to verify the user identity to access system resources, such as an instant messaging system.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include such modifications and variations.

Claims (11)

1. A method for realizing single login between websites is characterized by comprising the following steps:
the first website stores the identity mapping relation between the first website and the second website of the user;
the first website acquires the identity of the user who has logged in the website in the second website and generates an identity signature according to the user identity mapping relation stored in the website, and
and carrying the identity signature in a request message of the user for requesting to log in a second website, and verifying the user by the second website according to the identity signature.
2. The method of claim 1, wherein the identity signature is generated when the first website learns that a user who has logged into the website needs to access the second website.
3. The method of claim 1, wherein the user's login request is redirected by the second website to the first website together with an indication that an identity signature is requested, and the first website generates the identity signature in response to that request and redirects the login request back to the second website.
4. The method of claim 3, wherein the first website further requires the user to provide identity information to authenticate the user upon determining that the user is not logged into the website.
5. The method of claim 1, further identifying the user as coming from the first website in a request message carrying an identity signature; and the second website analyzes the identity signature according to the identification.
6. The method of claim 5, wherein the first website generates the identity signature using a public-key system signature algorithm, a secret-key system signature algorithm, or an obfuscation algorithm; and the second website parses the identity signature using the corresponding algorithm.
7. A method according to any one of claims 1 to 6, characterized by adding a time stamp in the generation of the identity signature; the second website verifies the validity of the identity signature using the timestamp.
8. The method of claim 7, wherein the second website determines the validity of the identity signature by comparing timestamps of the current access request and the previous access request of the same user; alternatively, the validity of the identity signature is determined by comparing the time represented by the timestamp with an agreed validity time.
9. The method of claim 7, wherein the second website further controls the access rights of the user after successfully verifying the user based on the identity signature and allowing the user to log in.
10. The method of claim 7, wherein the second website further records the identity signature in a log after successfully authenticating the user based on the identity signature and allowing the user to log in.
11. A website, comprising:
the storage device is used for storing the user information of users at the website and the mapping relation between a user's identifier at the website and the user's identifiers at other websites;
the identity authentication device is used for acquiring user information from the storage device and authenticating the identity of the user requesting to log in;
and the identity signature generator is used for acquiring the identity of the user who has logged in the website in other websites from the storage device according to the mapping relation, generating an identity signature, carrying the identity signature in a request message of the user requesting to log in the other websites, and verifying the user by the other websites according to the identity signature.
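The following is an added worked example of the exchange the claims describe; it is not code from the patent or its applicant. Website A holds the A/B identity mapping table (claim 1), signs the user's identity at B together with a timestamp (claim 7) and tags the message with the originating site (claim 5); website B redirects an unsigned login to A with a request-for-signature marker (claim 3), then checks the signature, the agreed validity time and that the timestamp is newer than the user's previous request (claim 8), records the accepted signature (claim 10) and applies its own access rights (claim 9). HMAC-SHA256 over a shared secret stands in for the claim 6 "secret-key system signature algorithm"; the key, mapping table, user roles, redirect endpoint and clock-skew tolerance are all constructed assumptions. One practitioner's caveat on claim 6: an obfuscation algorithm without a key gives B no way to tell a signature made by A from one made by anyone who has read the algorithm, so only the keyed variants actually authenticate the origin.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed shared secret (assumption: agreed out of band by A and B); a public-key
# signature such as Ed25519 would let B verify without being able to forge.
SHARED_KEY = b"constructed-demo-key-not-for-production"
VALIDITY_SECONDS = 120     # agreed validity time of a signature (claim 8, second alternative)
CLOCK_SKEW_SECONDS = 5     # assumed tolerance for the two sites' clocks differing
SITE_A_ID = "siteA"        # marks the originating website in the request (claim 5)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class WebsiteA:
    """First website: authenticates its own users and holds the A/B identity mapping table."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        # Constructed A/B mapping table (claim 1): user id at A -> user id at B.
        self.mapping_b: Dict[str, str] = {"alice@A": "alice_b_4711", "bob@A": "bob_b_0099"}
        self.sessions: Dict[str, str] = {}            # session token -> user id at A
        self._users = {"alice@A": "correct horse", "bob@A": "battery staple"}  # constructed

    def login(self, user_a: str, password: str) -> Optional[str]:
        """Stand-in for A's own authentication (claim 4); returns a session token or None."""
        if not hmac.compare_digest(self._users.get(user_a, ""), password):
            return None
        token = hashlib.sha256(f"{user_a}:{len(self.sessions)}".encode()).hexdigest()[:16]
        self.sessions[token] = user_a
        return token

    def generate_identity_signature(self, session: str, now: Optional[int] = None) -> Optional[str]:
        """Map the logged-in user to their id at B, add a timestamp and sign (claims 1, 7)."""
        user_a = self.sessions.get(session)
        user_b = self.mapping_b.get(user_a) if user_a else None
        if user_b is None:
            return None                                # not logged in or no mapping to B
        ts = int(time.time() if now is None else now)
        payload = json.dumps({"from": SITE_A_ID, "uid": user_b, "ts": ts},
                             sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(mac)


class WebsiteB:
    """Second website: verifies signatures from A, then applies its own access control."""

    def __init__(self, key: bytes) -> None:
        self.keys: Dict[str, bytes] = {SITE_A_ID: key}    # key chosen by the "from" marker
        self.last_ts: Dict[str, int] = {}                 # user at B -> last accepted timestamp
        self.roles = {"alice_b_4711": "buyer", "bob_b_0099": "seller"}  # constructed (claim 9)
        self.log: List[Tuple[str, str, int]] = []         # accepted signatures (claim 10)

    def verify(self, identity_signature: str, now: Optional[int] = None) -> Tuple[bool, str]:
        """Returns (True, user id at B) or (False, reason)."""
        try:
            p64, m64 = identity_signature.split(".")
            payload, mac = _unb64(p64), _unb64(m64)
            fields = json.loads(payload)
        except ValueError:
            return False, "malformed"
        if (not isinstance(fields, dict) or not isinstance(fields.get("from"), str)
                or not isinstance(fields.get("ts"), int) or not isinstance(fields.get("uid"), str)):
            return False, "malformed"
        key = self.keys.get(fields["from"])
        if key is None:
            return False, "unknown originating website"
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):     # constant-time comparison
            return False, "bad signature"
        ts, uid = fields["ts"], fields["uid"]
        now = int(time.time() if now is None else now)
        if not (now - VALIDITY_SECONDS <= ts <= now + CLOCK_SKEW_SECONDS):
            return False, "expired"                     # outside the agreed validity time
        if ts <= self.last_ts.get(uid, -1):
            return False, "replay"                      # not newer than this user's last request
        if uid not in self.roles:
            return False, "unknown user at B"
        self.last_ts[uid] = ts
        self.log.append((identity_signature, uid, now))
        return True, uid

    def handle_login_request(self, request: dict, now: Optional[int] = None) -> dict:
        """Claim 3: an unsigned login is redirected to A asking for a signature; a signed one is verified."""
        sig = request.get("identity_signature")
        if sig is None:
            return {"redirect": "https://siteA.example/sso",      # assumed endpoint at A
                    "request_identity_signature": True, "return_to": request.get("url")}
        ok, info = self.verify(sig, now)
        if not ok:
            return {"status": 401, "reason": info}
        return {"status": 200, "user": info, "role": self.roles[info]}


def demo(now: int = 1_700_000_000) -> List[dict]:
    """Runs the exchange end to end and returns B's responses in order."""
    a, b = WebsiteA(SHARED_KEY), WebsiteB(SHARED_KEY)
    session = a.login("alice@A", "correct horse")
    r_redirect = b.handle_login_request({"url": "/checkout"}, now)      # no signature yet
    sig = a.generate_identity_signature(session, now)
    r_ok = b.handle_login_request({"url": "/checkout", "identity_signature": sig}, now + 1)
    r_replay = b.handle_login_request({"url": "/checkout", "identity_signature": sig}, now + 2)
    p64, m64 = sig.split(".")                                           # tamper with the uid
    forged = _b64(_unb64(p64).replace(b"alice_b_4711", b"bob_b_0099")) + "." + m64
    r_forged = b.handle_login_request({"identity_signature": forged}, now + 3)
    late = a.generate_identity_signature(session, now)                  # presented too late
    r_late = b.handle_login_request({"identity_signature": late}, now + VALIDITY_SECONDS + 10)
    return [r_redirect, r_ok, r_replay, r_forged, r_late]


if __name__ == "__main__":
    for response in demo():
        print(response)
```

The replay rule is the claim 8 first alternative taken literally: B accepts a signature only if its timestamp is strictly newer than the last one accepted for the same user at B, so a second sign-on by the same user within the same second is refused; a deployment that needs finer granularity would add a nonce to the signed payload and keep the seen nonces for the validity window. Binding the "from" marker inside the signed payload matters: B picks the verification key from it, and leaving it unsigned would let a partner site C present a signature as if it came from A.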
Application HK07102970.3A, filed 2007-03-20: Method and website for enabling single sign-on between websites, HK1096790B (en)

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN2006100655583A (CN1835438B, en) | 2006-03-22 | 2006-03-22 | Method of realizing single time accession between websites and website thereof

Publications (2)

Publication Number | Publication Date
HK1096790A1 (en) | 2007-06-08
HK1096790B (en) | 2011-11-25
