
TWI249931B - Unique sign-on service system based on electronic directory service of directory server - Google Patents


Publication number: TWI249931B
Authority: TW (Taiwan)
Prior art keywords: service, server, directory, user, information system
Application number: TW92133453A
Other languages: Chinese (zh)
Other versions: TW200518551A (en)
Inventors: Meng-Shian Lin, Shr-Chang Wang, De-Jeng Juang, San-Wei Suen
Original Assignee: Chunghwa Telecom Co Ltd
Application filed by Chunghwa Telecom Co Ltd
Priority to TW92133453A
Publication of TW200518551A
Application granted
Publication of TWI249931B

Landscapes

  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

On intranets and the Internet, a user must enter an account and password and pass identity authentication before entering an information system or portal. The present invention uses the electronic directory service of an LDAP (Lightweight Directory Access Protocol) directory server both as the mechanism for user identity authentication and as the temporary storage medium for the unique sign-on key generated by the unique sign-on service mechanism, thereby providing a unique sign-on service. Users can log on to each information system easily and conveniently, and software developers can effectively control and handle users' logon status through this service mechanism. The system is built on the SSL security protocol, which can ensure the security of the user's personal information. This improves the current situation in which, whenever intranet and Internet users want to log on to each information system, the logon authentication mechanism (correctness of the account and password, password expiry, and password security level) has to be developed and determined repeatedly.

Description

Description of the Invention

[Technical Field]

The present invention relates to a single sign-on service system based on the electronic directory service of a directory server, and in particular to such a system in which a user enters an account and password only once to gain access to multiple information systems.

[Prior Art]

Today, a user who logs in to an enterprise's internal information systems or to portals on the Internet must be successfully authenticated by an identity authentication mechanism before entering each information system or portal. Faced with so many information systems and portals, the user must remember the account and password for each of them and must also re-enter the account and password at every information system, which is inconvenient. Most existing solutions to this problem temporarily record the user's account and password in a relational database or a local file, which legitimate and trusted information systems or websites query through SQL or other means; some even keep them in the Session variables of the application server. These approaches have the following drawbacks:

1. They all temporarily store the user's account and password, which creates a certain risk and lowers security.
2. If the server is compromised, the user's important information is exposed.

The methods above therefore still have many shortcomings and leave room for improvement. In view of these drawbacks, the inventors sought to improve on them and, after extensive research, completed the present single sign-on service system based on the electronic directory service of a directory server.

[Summary of the Invention]

The first object of the invention is to provide a single sign-on service system based on the electronic directory service of a directory server that improves the current situation in which each information system must handle user login and password verification on its own.

The second object of the invention is to provide a single sign-on service system based on the electronic directory service of a directory server that can determine, from the length of the user's password in coordination with each information system, whether the user may enter an information system of a high security level.

The third object of the invention is to provide a simple architecture that is particularly suitable for single sign-on across information systems that use the electronic directory service of an LDAP directory server for identity authentication and authorization.

The single sign-on service system that achieves these objects uses the electronic directory service of an LDAP directory server as a temporary storage medium. The directory is chosen because it offers (1) a single naming scheme (Naming), (2) fast and simple search, (3) a distributed architecture (Distributed) and (4) referral. It can therefore serve as the user identity authentication mechanism and as the temporary storage medium for the unique single sign-on value (the unique sign-on key) generated by the single sign-on service mechanism, which is how the single sign-on service is achieved. A further function of the invention is to determine, from the length of the user's password in coordination with each information system, whether the user may enter an information system of a high security level.

[Embodiment]

The invention improves on the conventional situation in which a user who wants to log in to each information system must re-enter the account and password every time, and each information system must develop its own login page for checking the account and password. In the single sign-on service system based on the electronic directory service of a directory server, the user enters the account and password only once. The invention provides a simple architecture that is particularly suitable for information systems that use the electronic directory service of an LDAP directory server to authenticate the user's account and password.

The overall environment to which the invention applies is shown in Figure 1. Through the single sign-on service server and the electronic directory service of the directory server, the user enters the account and password once and can then move among the information systems. The steps are as follows:

1. User 1 chooses to log in to information system or portal 3. Single sign-on service server 2, to which the user connects with browser 11, presents a page on which the user must enter the account and password.
2. After single sign-on service server 2 has verified the account and password, it stores the unique single sign-on value in the directory server and redirects this value to the back-end information system or portal 3.
3. The back-end information system or portal 3 uses the unique single sign-on value passed along by single sign-on service server 2 to query the electronic directory service of the directory server. If the value checks out, the user may enter information system or portal 3.
4. If the user then wants to go to another information system or portal 4, single sign-on service server 2 determines that the user already has a unique single sign-on value and redirects this value to the information system or portal 4 the user wants to reach.

The core of the invention is the single sign-on service server. Its detailed flow is shown in Figure 2, and the steps are as follows:

1. User 1 opens WWW browser 11 for the first time, intending to log in to information system 3.
2. Home page 31 of information system 3 unconditionally redirects the user to the page of single sign-on service program 5, passing along the URL of second page 32 of information system 3, in preparation for the single sign-on service.
3. Because user 1 is entering the page of single sign-on service program 5 for the first time, single sign-on service program 5 presents account and password entry page 51.
4. After user 1 enters the correct account and password, single sign-on service program 5 asks the electronic directory service of back-end directory server 6 to verify the account and password.
5. If directory server 6 determines that the account and password are correct, it returns a message indicating that authentication succeeded.
6. Single sign-on service program 5 receives the message returned by directory server 6, generates the unique single sign-on value, and stores it with user 1's personal data on directory server 6.
7. Single sign-on service program 5 also writes the unique single sign-on value into a cookie in user 1's WWW browser 11.
8. Single sign-on service program 5 redirects user 1 to second page 32 of information system 3, carrying the unique single sign-on value to that page.
9. Second page 32 of information system 3 receives the unique single sign-on value, and information system 3 uses a dedicated program to search directory server 6 and check whether this value exists in its electronic directory service.
10. If the unique single sign-on value exists in the electronic directory service of directory server 6, second page 32 of information system 3 obtains the user's basic data, and information system 3 can allow the user to log in. Each information system may add whatever flow and further steps it needs.
11. Next, suppose the user wants to go to information system 4.
12. Home page 41 of information system 4 likewise unconditionally redirects user 1 to single sign-on service program 5.
13. Single sign-on service program 5 can retrieve the unique single sign-on value from the Cookie/Session of user 1's WWW browser 11, which indicates that user 1 has just logged in successfully through single sign-on service program 5.
14. Because the user's Cookie/Session already holds a unique single sign-on value, single sign-on service program 5 does not show account and password entry page 51. It redirects to second page 42 of information system 4, carrying the retrieved unique single sign-on value to that page.
15. Second page 42 of information system 4 takes the unique single sign-on value it received and queries whether it exists in the electronic directory service of directory server 6 (same as step 9).
16. If the unique single sign-on value exists in the electronic directory service of directory server 6, second page 42 of information system 4 obtains the user's basic data, and information system 4 can allow the user to log in (same as step 10).

Another key point of the invention, as shown in Figure 1, is that an information system can work together with the single sign-on service server and the electronic directory service of directory server 6 so that each information system can easily judge the security level of the user's password. The concept is shown in Figure 3, and the steps are as follows:

1. User 1 chooses to log in to information system 3. Information system 3 uses an HTTP request multiple redirection unit to redirect the user to single sign-on service server 2, where the single sign-on service program presents the account and password entry page.
2. After the account and password have been verified, a unique single sign-on value carrying the attribute "has user password length" is generated and stored in directory server 6, and this unique single sign-on value is redirected to information system 3.
3. The information system uses the unique single sign-on value with the "has user password length" attribute, passed along by single sign-on service server 2, to query the electronic directory service of directory server 6, and also checks it against the information system's own preset password level. If both checks pass, the user may enter the information system.

Compared with other conventional techniques, the single sign-on service system based on the electronic directory service of a directory server provided by the invention has the following advantages:

1. The invention can greatly shorten the development and maintenance schedule of each information system and gives users a more convenient and friendlier interface.
2. The invention spares other information systems from repeatedly developing an identity authentication mechanism, and further ensures security and convenience at login and improves administrative efficiency, so its competitiveness and economic benefit are all the more significant.

The detailed description above covers one feasible embodiment of the invention. The embodiment is not intended to limit the patent scope of the invention; any equivalent implementation or modification that does not depart from the spirit of the invention shall fall within the patent scope of this case.

In summary, this case is not only innovative in its technical concept but also provides several effects that conventional methods do not. It fully meets the statutory requirements of novelty and inventive step for an invention patent, and the application is filed in accordance with the law with the request that the Office approve it.

[Brief Description of the Drawings]

The technical content, objects and effects of the invention can be further understood from the detailed description and the accompanying drawings:

Figure 1 is an overall schematic diagram of the single sign-on service architecture based on the electronic directory service of a directory server;
Figure 2 is a schematic diagram of the overall detailed flow of the single sign-on service;
Figure 3 is a schematic diagram of the actual operating flow in which the single sign-on service and each information system determine, from the password length, whether the user may enter the information system.

[Reference Numerals of Main Parts]

1 user
2 single sign-on service server
3 information system
4 information system
5 single sign-on service program
6 directory server
11 WWW browser
31 home page of information system 3
32 second-page URL of information system 3
41 home page of information system 4
42 second page of information system 4
51 account and password entry page
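The sixteen-step flow and the password-length check described above, modelled as an added example (not code from the patent or its applicant). It assumes an in-memory `Directory` class standing in for the LDAP directory server, the hypothetical names `SignOnService`, `InformationSystem` and `signOnKey`, a random token as the unique sign-on value, and a minimum password length as each system's preset password level.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Constructed in-memory stand-in for directory server 6 (not real LDAP)."""

    def __init__(self):
        self.entries = {}

    def add_user(self, uid, password, name):
        salt = secrets.token_bytes(16)
        self.entries[uid] = {"salt": salt, "hash": _hash(password, salt),
                             "name": name, "signOnKey": None,
                             "passwordLength": None}

    def verify(self, uid, password):
        entry = self.entries.get(uid)
        if entry is None:
            return False
        return hmac.compare_digest(entry["hash"], _hash(password, entry["salt"]))

    def store_key(self, uid, key, password_length):
        self.entries[uid].update(signOnKey=key, passwordLength=password_length)

    def search_by_key(self, key):
        if not key:
            return None
        for uid, entry in self.entries.items():
            stored = entry["signOnKey"]
            if stored and hmac.compare_digest(stored.encode(), key.encode()):
                return {"uid": uid, "name": entry["name"],
                        "passwordLength": entry["passwordLength"]}
        return None


class SignOnService:
    """Single sign-on service program 5."""

    def __init__(self, directory):
        self.directory = directory

    def handle(self, cookies, return_url, credentials=None):
        key = cookies.get("signOnKey")
        # Steps 13-14: a key already in the cookie skips the login page.
        # Re-checking it against the directory is an added precaution.
        if key and self.directory.search_by_key(key):
            return {"action": "redirect", "to": return_url, "key": key}
        if credentials is None or not self.directory.verify(*credentials):
            return {"action": "login_page"}              # step 3
        uid, password = credentials
        key = secrets.token_urlsafe(32)                  # step 6 (assumed generator)
        self.directory.store_key(uid, key, len(password))
        cookies["signOnKey"] = key                       # step 7
        return {"action": "redirect", "to": return_url, "key": key}  # step 8


class InformationSystem:
    """Second page of an information system (32 or 42)."""

    def __init__(self, directory, min_password_length=0):
        self.directory = directory
        self.min_password_length = min_password_length

    def second_page(self, key):
        user = self.directory.search_by_key(key)         # steps 9 and 15
        if user is None or user["passwordLength"] < self.min_password_length:
            return None                                  # unknown key or weak password
        return user["name"]                              # steps 10 and 16


def run_flow():
    directory = Directory()
    directory.add_user("alice", "correct-horse", "Alice")  # constructed, 13 chars
    sso = SignOnService(directory)
    system3 = InformationSystem(directory)
    system4 = InformationSystem(directory, min_password_length=16)
    cookies = {}
    first = sso.handle(cookies, "/system3/page2")
    login = sso.handle(cookies, "/system3/page2", ("alice", "correct-horse"))
    again = sso.handle(cookies, "/system4/page2")        # no credentials this time
    return {"first": first["action"],
            "system3": system3.second_page(login["key"]),
            "same_key": again.get("key") == login["key"],
            "system4": system4.second_page(again["key"]),
            "forged": system3.second_page("not-a-real-key")}


if __name__ == "__main__":
    print(run_flow())
```

Every information system trusts whatever key reaches its second page only after the directory lookup succeeds, so the lookup is the single enforcement point in this model.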


Claims (1)

Scope of the patent application:

1. A single sign-on service system based on the electronic directory service of a directory server, comprising:
   a network, serving as the data transmission medium;
   a user end, being a user on the network;
   a single sign-on service server, containing a single sign-on service program that can present a page on which the user enters an account and password;
   an electronic directory service server, for storing the unique single sign-on value and the user account and password data, which each system can query;
   an HTTP request multiple redirection unit, responsible for redirecting the URL passed in by each information system to the next URL after authentication and authorization through the electronic directory service of the directory server; and
   an information system, being the target the user wants to log in to;
   wherein, when a user end on the network requests to log in to the information system, the home page of the information system uses an HTTP request multiple redirection unit to redirect the user end to the single sign-on service server, which presents the page on which the user enters an account and password; after the user enters the account and password, the single sign-on service program asks the back-end electronic directory service server to verify the account and password; the electronic directory service server returns a message to the single sign-on service server, whose internal single sign-on service program adds a unique single sign-on value for the information systems to query and check.
2. The single sign-on service system based on the electronic directory service of a directory server according to claim 1, wherein the network may be the Internet.
3. The single sign-on service system based on the electronic directory service of a directory server according to claim 1, wherein the network may be a company's internal network.
4. The single sign-on service system based on the electronic directory service of a directory server according to claim 1, wherein the main identity authentication mechanism of the electronic directory service server is an electronic directory service using the LDAP protocol.
5. The single sign-on service system based on the electronic directory service of a directory server according to claim 1, wherein the electronic directory service server is the temporary storage medium for the unique single sign-on value.
6. The single sign-on service system based on the electronic directory service of a directory server according to claim 1, wherein the unique single sign-on value is generated by a single sign-on mechanism algorithm.
7. The single sign-on service system based on the electronic directory service of a directory server according to claim 1, wherein the security level coordinated with the information system is judged from the unique single sign-on value, which serves as an important checkpoint guarding the security of each information system.
8. The single sign-on service system based on the electronic directory service of a directory server according to claim 7, wherein the attribute of the single sign-on value is "has user password length".

Designated representative figure: Figure 2.
TW92133453A 2003-11-27 2003-11-27 Unique sign-on service system based on electronic directory service of directory server TWI249931B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW92133453A TWI249931B (en) 2003-11-27 2003-11-27 Unique sign-on service system based on electronic directory service of directory server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW92133453A TWI249931B (en) 2003-11-27 2003-11-27 Unique sign-on service system based on electronic directory service of directory server

Publications (2)

Publication Number Publication Date
TW200518551A TW200518551A (en) 2005-06-01
TWI249931B (en) 2006-02-21

Family

ID=37430259

Family Applications (1)

Application Number Title Priority Date Filing Date
TW92133453A TWI249931B (en) 2003-11-27 2003-11-27 Unique sign-on service system based on electronic directory service of directory server

Country Status (1)

Country Link
TW (1) TWI249931B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI501105B (en) * 2014-03-27 2015-09-21 Neovue Inc System for remotely controlling confidential file

Also Published As

Publication number Publication date
TW200518551A (en) 2005-06-01

Similar Documents

Publication Publication Date Title
US8151326B2 (en) Using audio in N-factor authentication
JP4864289B2 (en) Network user authentication system and method
US7571473B1 (en) Identity management system and method
EP1244266B1 (en) Method and apparatus to facilitate secure network communications with a voice responsive network interface device
US7992197B2 (en) Mobile authentication framework
US7877790B2 (en) System and method of using personal data
CN110768967B (en) Service authorization method, apparatus, device, system and storage medium
JP6166824B2 (en) Remote access to tracking system contact information
US9275350B2 (en) Managing online shop using instant messaging system
CN101420416B (en) Identity management platform, service server, login system and method, and federation method
US20040205243A1 (en) System and a method for managing digital identities
US20100138899A1 (en) Authentication intermediary server, program, authentication system and selection method
JP2011530740A (en) Form entry and automatic password generation using digital ID
US20110041166A1 (en) Method of Password Assignment
CN101341492B (en) Secure identity management
US12388656B2 (en) Systems methods and devices for dynamic authentication and identification
CN102064953A (en) System, device and method for configuring user right information of lightweight directory access protocol (ldap) server
US12443968B2 (en) System and methods for universal identification and passport management
JP3820477B2 (en) User authentication method by browser phone mail, user authentication server, user authentication method of authentication server, user authentication program of authentication server, and recording medium recording the program
JP2005267529A (en) Login authentication method, login authentication system, authentication program, communication program, and storage medium
TWI249931B (en) Unique sign-on service system based on electronic directory service of directory server
JP3670613B2 (en) User authentication method using browser phone mail, user authentication server, user authentication method of authentication server, user authentication program of authentication server, and recording medium recording the program
JP4671686B2 (en) Network file system and authentication method
CN115987626A (en) An information processing method and system
JP2009169739A (en) Terminal device, server device, and authentication system

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees