CN107425983A - A kind of unified identity authentication method and system platform based on WEB service - Google Patents


Info

Publication number: CN107425983A
Authority: CN (China)
Prior art keywords: user, identity, authentication, information, request
Legal status: Pending
Application number: CN201710670133.3A
Other languages: Chinese (zh)
Inventors: 李成日, 喻波, 王志海, 魏力
Current assignee: Beijing Wondersoft Technology Co Ltd
Original assignee: Beijing Wondersoft Technology Co Ltd
Application filed by Beijing Wondersoft Technology Co Ltd

Classifications

All of the following codes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
        • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L 9/321 involving a third party or a trusted authority
                • H04L 9/3213 using tickets or tokens, e.g. Kerberos
            • H04L 9/3247 involving digital signatures
            • H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
                • H04L 9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/08 for authentication of entities
            • H04L 63/0815 providing single-sign-on or federations
        • H04L 63/10 for controlling access to devices or network resources
        • H04L 63/20 for managing network security; network security policies in general
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
        • H04L 67/01 Protocols
            • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a unified identity authentication method based on WEB services, comprising: an identity service system obtains the information required for identity authentication from a security catalog system; a user requests the identity service system to complete identity authentication, and the identity service system obtains the credential presented by the user and, relying on the identity credential system and the acquired authentication information, authenticates the user; the user requests a token from the identity service system, which generates a user identity token according to the result of authenticating the user and issues it to the user; the user sends a request to access an application resource using the identity token; after the trust control device has authenticated and authorized the user, it forwards the request to access the application resource to the application system; the user accesses and operates the application system. With this scheme, single sign-on is achieved by means of a token: one authentication is valid across the whole network, and repeated authentication is avoided.

Description

A kind of unified identity authentication method and system platform based on WEB service
Technical field
The present invention relates to the field of computer data security management, and in particular to a unified identity authentication method and apparatus based on WEB services.
Background technology
With the ever faster development of e-commerce in the information age, many enterprises are moving toward electronic business, and the external and internal structures of an enterprise are becoming ever more closely linked, even merging. This transformation profoundly affects an enterprise's internal processing flows and organization, and it is reflected in the enterprise's exchanges with its customers, such as commercial negotiations. As market competition grows more severe and market conditions change rapidly, an enterprise must respond with innovation, flexibility and efficiency as its strategy; its own business must become more automated, simplified and diversified, so that internal and external structures are integrated. This demand requires that the various applications of an enterprise be integrated into a system that satisfies all current requirements. Enterprise application integration joins hardware platforms, application software, technical standards and business processes together, realizes system integration across multiple application support platforms, and makes information exchange and sharing simpler and more convenient, so that business functions are met, business processes are managed and monitored in real time, management information flows are realized between different enterprise business systems or across application domains, and security is guaranteed. Such application integration is of great significance to an enterprise. The appearance of WebService technology makes application integration between enterprises, such as distributed applications, easier and simpler; its advantage is that it is simple and highly general, raising software reuse to the level of the whole Internet: if an application is published as a WebService, then not only the company's own systems (which may be other C/S or B/S applications) but also other companies connected to the Internet can use it.
In the prior art, each of the several application systems to be integrated authenticates with its own identity authentication system. Users have to know the user name and password of each different application system; the systems can be used normally, but they are hard to maintain and security is difficult to guarantee.
The prior art has the following disadvantages:
1. Developing an independent identity authentication system for each application system causes information redundancy and wastes resources, which not only raises information-management cost but also makes maintenance harder;
2. Users must know a user name and password every time they use a different application system, which is very cumbersome;
3. For convenience, the passwords a user sets in multiple systems are often short strings of digits or letters, so user identity information is easily disclosed and the security of the application systems is threatened.
As the number of application systems keeps growing, the independent development and isolated operation of many application systems bring various problems. Some important user information (in particular sensitive data such as the account and password used to log in to an application system) is transmitted in plaintext over the network, so the likelihood of a successful attack is high. Further, a user of multiple application systems has to enter account number, password and similar information repeatedly, which is not only cumbersome but also makes password loss likely, and a lost password can result in immeasurable loss. In addition, each application system maintains its own set of user data, so data and information are redundant across systems and maintenance is tedious. This state of affairs both inconveniences application system users and puts great pressure on technical support units and, worse, creates serious potential security hazards. Software development has entered the second stage of system integration and resource integration, and the basis of integration is first of all a unified user identity for the whole network. Information systems therefore urgently need a unified single sign-on system with stronger security control, to ensure that data is consistent and secure and that use and management are convenient. The purpose of developing this system is to solve the problem of inconsistent authentication methods across networked application systems and to provide a convenient, secure and centrally managed authentication method, so that a user who signs on once using the unified authentication method can access all application systems.
The main idea of the system design is to provide a centralized, unified authentication standard and user-management interface for application systems and, by formulating a corresponding centralized authentication technical specification, to realize unified centralized management of user authentication for all newly built systems, achieving centralized authentication in the real sense. To realize "centralized authentication" for each application system, the following features are required:
1. A complete user-management mechanism: a complete user-management and permission-assignment mechanism is needed to manage every user of the application systems;
2. Heterogeneity: compatibility with every application system platform, with good interfacing;
3. Security: the storage of information and data, and the transmission of information to and from each application system, must be secure and reliable;
4. Stability: an operational support mechanism must be established and improved to ensure reliable and stable operation of the application systems.
The content of the invention
To solve the above technical problems, the invention provides a unified identity authentication method based on WEB services, comprising the following steps:
1) Configuring identity authentication information and authentication policy service information in the network trust system, and publishing them to the security catalog system;
2) The identity service system obtains the information required for identity authentication from the security catalog system;
3) The user requests the identity service system to complete identity authentication; the identity service system obtains the user's credential and, according to the acquired authentication information, authenticates the user;
4) The user requests a token from the identity service system, which issues an identity token to the user according to the result of authenticating the user;
5) The user sends a request to access an application resource using the identity token;
6) After the user has been authenticated and authorized, the request to access the application resource is forwarded to the application system;
7) The user accesses and operates the application system.
According to an embodiment of the invention, preferably, the identity authentication information in step 1) includes: authentication service information, user binding information, policy service information and other required configuration information;
the information required for authentication in step 2) includes: authentication service information, user binding information, trust control device information, authentication assurance information and other required configuration information.
According to an embodiment of the invention, preferably, step 5), in which the user sends a request to access an application resource using the identity token, includes:
5.1) The user sends the request to access the application resource, together with the identity token, to the trust control device.
According to an embodiment of the invention, preferably, step 6), in which the request to access the application resource is forwarded to the application system after the user has been authenticated and authorized, specifically includes:
6.1) The trust control device verifies the validity of the identity token and its associated attribute information;
6.2) The trust control device's authentication of the user succeeds;
6.3) The trust control device requests the policy service system to provide the access control permissions;
6.4) After the policy service system authorizes successfully, it returns a response, and the trust control device forwards the request to access the application resource to the application system.
According to an embodiment of the invention, preferably, the flow of identity information between the identity service system, the policy service system, the trust control device and the application system is identified by the user's network trust number; that is, the identity token that serves as the carrier of identity passing uses, as the user's identifier ID, the network trust number maintained by the network trust management system.
To solve the above technical problems, the invention further provides a unified single sign-on system platform based on WEB services, comprising:
a user credential management system, a network trust management system, a security catalog system, an identity service system, a policy service system and a trust control device (access control gateway);
wherein identity authentication information is configured in the network trust system and published to the security catalog system;
the identity service system obtains the information required for identity authentication from the security catalog system;
the user requests identity authentication from the identity service system through a client; the identity service system obtains the credential presented by the user and, relying on the user credential management system and the acquired authentication information, authenticates the user;
the client requests a token from the identity service system, which generates a user identity token according to the result of authenticating the user and issues it to the user;
the client sends a request to access an application resource using the identity token;
after the user has been authenticated and authorized, the request to access the application resource is forwarded to the application system.
According to an embodiment of the invention, preferably, in the system platform according to claim 6, the identity authentication information includes: authentication service information, user binding information, policy service information and other required configuration information;
the information required for authentication includes: authentication service information, user binding information, trust control device information, authentication assurance information and other required configuration information.
According to an embodiment of the invention, preferably, in the system platform according to claim 6, the client's sending of a request to access an application resource using the identity token includes: sending the request to access the application resource, together with the identity token, to the trust control device;
According to an embodiment of the invention, preferably, the system platform according to claim 6 further includes a trust control device and a policy service system; the trust control device verifies the validity of the identity token and its associated attribute information; after the trust control device's authentication of the user succeeds, the trust control device requests the policy service module to provide the access control permissions; after the policy service module authorizes successfully, it returns a response, and the trust control device forwards the request to access the application resource to the application system.
According to an embodiment of the invention, preferably, the flow of identity information between the identity service system, the policy service system, the trust control device and the application system is identified by the user's network trust number; that is, the identity token that serves as the carrier of identity passing uses, as the user's identifier ID, the network trust number maintained by the network trust management system.
To solve the above technical problems, the invention further provides a unified single sign-on system platform based on WEB services, comprising a computer storage medium and a computer processor unit, the computer storage medium containing computer program instructions which, when executed by the computer processor unit, implement one of the methods described above.
The technical scheme of the invention achieves the following technical effects:
Unified authentication: a unified authentication method is built, repeated authentication and inconsistent authentication methods are avoided, and single sign-on is realized: one authentication, valid across the whole network;
Complete user-management mechanism: a complete, unified user identity management and permission-assignment mechanism manages every user of the application systems;
Heterogeneity: compatibility with every application system platform, with good interfacing;
Security: the storage of information and data, and the transmission of information to and from each application system, are secure and reliable.
Brief description of the drawings
Fig. 1 is an architecture diagram of the network trust system of the present invention
Fig. 2 is an architecture diagram of the identity service system of the present invention
Fig. 3 is a functional structure diagram of the message service of the present invention
Fig. 4 is an identity authentication framework diagram of the present invention
Fig. 5 is a flow chart of the four-way handshake of authentication messages of the present invention
Fig. 6 is a flow chart of identity token application of the present invention
Fig. 7 is a flow chart of access to the trust control device with a token of the present invention
Embodiment
Application background of the identity service system
The network trust system is an integrated framework, built for the purpose of authentication and access control in information systems, that is supported by cryptography and composed of elements such as infrastructure, trust applications, organizational management and laws and standards. The identity service system, as one of its trust services, provides functions such as identity authentication, token application, token acquisition, attribute request, attribute acquisition and logout notification.
The whole flow of a user's access to an application system is as follows:
1. The network trust system configures authentication service information, user binding information, policy service information and other required configuration information, and publishes them to the security catalog system;
2. The identity service system obtains authentication service information, user binding information, trust control device information, authentication assurance information and other required configuration information from the security catalog system;
3. According to the configured trust control device information, access control policy information can be pushed automatically to the designated trust control device;
4. The user requests the identity service system to complete identity authentication; the identity service system completes the authentication according to the credential presented by the user;
5. The user requests a token; the identity service system issues an identity token;
6. The user sends the request to access the application resource, together with the identity token, to the trust control device;
7. The trust control device verifies the validity of the token and its associated attribute information;
8. After a series of authentication checks, the trust control device (access control gateway) requests the authorization policy service published by the policy service system to provide the access control permissions;
9. After the policy service authorizes successfully, it returns a response, and the trust control device forwards the request to the application system;
10. The user accesses and operates the application system.
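The following is an added example (Python) that simulates steps 1 to 10 above and the corresponding steps 1) to 7) of the summary; it is not code from the patent or from Beijing Wondersoft. The security catalog, the user binding and the access control policy are constructed in-memory tables; the token format (an HMAC-SHA256 over a JSON payload whose subject is the network trust number) and the shared key between the identity service and the trust control device are assumptions made so that the flow can run offline. The point a practitioner should take from it is the order of checks at the gateway: signature, issuer and validity period of the token first, then the policy decision, and only then forwarding.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed security catalog (steps 1-2). Assumption: in the real system this
# content is published by the network trust system to the security catalog.
SECURITY_CATALOG = {
    "auth_service": {"issuer": "ids.example.internal"},
    # user binding: user name -> credential hash and network trust number
    "user_bindings": {
        "alice": {
            "password_sha256": hashlib.sha256(b"correct horse battery").hexdigest(),
            "network_trust_number": "NTN-000123",
        },
    },
    # policy service data: network trust number -> application -> allowed actions
    "policy": {"NTN-000123": {"app-erp": {"read"}}},
}
# Assumption: identity service and trust control device share one HMAC key.
SHARED_KEY = b"assumed-shared-hmac-key-provisioned-out-of-band"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


class IdentityService:
    """Steps 4-5: checks the user's credential and issues the identity token."""

    def __init__(self, catalog: dict, key: bytes) -> None:
        self.issuer = catalog["auth_service"]["issuer"]
        self.bindings = catalog["user_bindings"]
        self.key = key
        self.auth_state: dict = {}  # user -> network trust number (authentication state)

    def authenticate(self, user: str, password: str) -> bool:
        binding = self.bindings.get(user)
        if binding is None:
            return False
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, binding["password_sha256"]):
            return False
        self.auth_state[user] = binding["network_trust_number"]
        return True

    def issue_token(self, user: str, ttl: int = 300, now: Optional[float] = None) -> Optional[str]:
        """A token is issued only for a user whose authentication succeeded."""
        ntn = self.auth_state.get(user)
        if ntn is None:
            return None
        now = time.time() if now is None else now
        # The network trust number is the user's identifier carried in the token.
        claims = {"sub": ntn, "iss": self.issuer, "iat": int(now), "exp": int(now) + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return f"{_b64(payload)}.{_b64(sig)}"


class TrustControlDevice:
    """Steps 6-9: verifies the token, consults the policy, forwards or denies."""

    def __init__(self, catalog: dict, key: bytes) -> None:
        self.issuer = catalog["auth_service"]["issuer"]
        self.policy = catalog["policy"]
        self.key = key

    def verify_token(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Step 7: signature, issuer and validity period of the token."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered token
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims.get("iss") != self.issuer or now >= claims.get("exp", 0):
            return None  # wrong issuer or expired
        return claims

    def authorize(self, ntn: str, app: str, action: str) -> bool:
        """Step 8: stands in for the request to the policy service system."""
        return action in self.policy.get(ntn, {}).get(app, set())

    def handle(self, token: str, app: str, action: str, now: Optional[float] = None) -> str:
        claims = self.verify_token(token, now)
        if claims is None:
            return "DENY: invalid token"
        if not self.authorize(claims["sub"], app, action):
            return f"DENY: {claims['sub']} may not {action} {app}"
        # Step 9: the request is forwarded to the application system.
        return f"FORWARD: {action} {app} as {claims['sub']}"


if __name__ == "__main__":
    ids = IdentityService(SECURITY_CATALOG, SHARED_KEY)
    gateway = TrustControlDevice(SECURITY_CATALOG, SHARED_KEY)
    assert ids.authenticate("alice", "correct horse battery")
    token = ids.issue_token("alice")
    print(gateway.handle(token, "app-erp", "read"))
    print(gateway.handle(token, "app-erp", "write"))
```

Because the token is signed by the identity service and the gateway verifies it against the same key, the application system never sees the user's password; it only receives requests that the trust control device has already accepted. In a deployment the password hash in the user binding would be a salted, slow hash and the shared HMAC key would be replaced by a signature whose public key the gateway reads from the security catalog.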
The above operations are shown in detail in Fig. 1. Fig. 2 shows the architecture of the identity service system, which includes:
1. Message service module
The message service externally provides a message service based on HTTP + SOAP + XML. The message service has a configurable transport security protection mechanism, but does not separately protect individual data elements within the message payload. Depending on the deployment configuration, either the SSL transport protection mechanism or the WS-Security protection mechanism can be configured.
The SSL (Secure Socket Layer) protocol is an Internet protocol for securely exchanging information between a Web browser and a Web server; it provides two basic security services: authentication and confidentiality. Logically, it provides a secure channel between the Web browser and the Web server. (All versions of SSL proper are now deprecated; a deployment today would configure a current TLS version, and "SSL" in what follows should be read as SSL/TLS.)
When the SSL transport mechanism is used, the message service is not responsible for protecting the SOAP message itself.
In Web service communication, SOAP defines the XML document structure, rules and mechanisms that support communication between applications. SOAP itself does not define any security mechanism, but SOAP headers can be used to define additional features that support application-specific security mechanisms such as digital signatures and encryption.
In end-to-end Web service security scenarios that need both message-level and transport-level security features (such as propagating a security context, supporting a variety of security technologies, and guaranteeing integrity and confidentiality while a message traverses intermediate nodes), adding security mechanisms to SOAP headers increases complexity and poses challenges. More importantly, the security mechanisms added to SOAP headers affect interoperability with the various security infrastructures that must be supported (such as PKI, binary security tokens, digital signature formats and encryption mechanisms).
The WS-Security specification defines a set of standard SOAP extensions to meet the security needs of Web services, namely message confidentiality, message integrity and the transmission of security tokens, together with a method of sending security information to the message recipient in the form of security tokens, so that authentication is supported and identity information is represented in the SOAP message. WS-Security specifies mechanisms for defining security tokens, including user name and password, binary security tokens (such as X.509 certificates and Kerberos v5 tickets) and XML security tokens (such as SAML and REL).
When the WS-Security mechanism is used, the message service can be configured to apply integrity, confidentiality and anti-replay protection policies to SOAP messages.
Message integrity: for a Web service, establishing the authenticity of a message and of the sender's identity by means of a digital signature is extremely important. With digital signatures applied in WS-Security, the recipient of a SOAP message can be sure that the message and its elements have not been tampered with in transit: the sender signs the message data with its private key, and the recipient verifies with the sender's public key that the data really came from the sender and was not modified in transit.
Message confidentiality: in Web service communication, the standard SSL/TLS mechanism can be used to encrypt the whole message, guaranteeing confidentiality while it is sent to one or more recipients. SSL/TLS satisfies the transport-level confidentiality requirement, but when only selected parts of an XML message need to be encrypted for confidentiality and the message is then signed by different users, it cannot satisfy the message-level security requirement. WS-Security encrypts and decrypts messages using the XML Encryption specification, so that either the entire message or selected parts can be encrypted, and multiple recipients of a message can view and use the encrypted content according to the identity and permissions with which it was signed. WS-Security also supports the use of SOAP intermediate nodes.
Anti-replay: each message transmission carries a unique identifier. The SOAP header of a received message must include a Timestamp specifying the validity period of the message, and the message recipient confirms that the current system time lies within the range specified by the Timestamp.
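The following is an added example (Python, standard library only) of the anti-replay check just described, not code from the patent: the recipient parses the wsu:Timestamp from the WS-Security header, accepts the message only if the current time falls inside the Created/Expires window (with a small clock-skew allowance and an upper bound on age), and then rejects any message whose unique identifier it has already seen. The sample envelope is constructed, and carrying the unique identifier as a wsse:Nonce directly under wsse:Security is an assumption (in the WS-Security UsernameToken profile the nonce sits inside the UsernameToken; the check is the same). The caveat worth noting is that the Timestamp window alone does not stop replay: a copied message is still "fresh" until Expires, so the nonce cache is what actually closes the gap, and it must retain entries for at least as long as the window can admit the message.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample request: a wsu:Timestamp giving the validity period and a
# wsse:Nonce as the per-message unique identifier (assumption: nonce placed
# directly in the Security header rather than inside a UsernameToken).
SAMPLE_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2017-08-08T10:00:00Z</wsu:Created>
        <wsu:Expires>2017-08-08T10:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:Nonce>MTIzNDU2Nzg5MGFiY2RlZg==</wsse:Nonce>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><TokenRequest/></soapenv:Body>
</soapenv:Envelope>"""


def utc(*parts: int) -> datetime:
    """Builds a timezone-aware UTC datetime, e.g. utc(2017, 8, 8, 10, 1, 0)."""
    return datetime(*parts, tzinfo=timezone.utc)


def _parse_utc(text: str) -> datetime:
    text = text.strip()
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported timestamp {text!r}")


class ReplayGuard:
    """Recipient-side check: Timestamp window plus a cache of nonces already seen."""

    def __init__(self, skew: timedelta = timedelta(seconds=60),
                 max_age: timedelta = timedelta(minutes=5)) -> None:
        self.skew = skew          # tolerated clock difference between peers
        self.max_age = max_age    # upper bound on Created age, however generous Expires is
        self._seen: Dict[str, datetime] = {}  # nonce -> time after which it can be forgotten

    def check(self, envelope: str, now: datetime) -> Tuple[bool, str]:
        try:
            root = ET.fromstring(envelope)
        except ET.ParseError:
            return False, "malformed XML"
        ts = root.find(f".//{{{WSU_NS}}}Timestamp")
        nonce_el = root.find(f".//{{{WSSE_NS}}}Nonce")
        nonce = (nonce_el.text or "").strip() if nonce_el is not None else ""
        if ts is None or not nonce:
            return False, "missing Timestamp or Nonce"
        created_text = ts.findtext(f"{{{WSU_NS}}}Created")
        expires_text = ts.findtext(f"{{{WSU_NS}}}Expires")
        if created_text is None or expires_text is None:
            return False, "Timestamp lacks Created or Expires"
        try:
            created, expires = _parse_utc(created_text), _parse_utc(expires_text)
        except ValueError as exc:
            return False, str(exc)
        if expires <= created:
            return False, "Expires not after Created"
        if created > now + self.skew:
            return False, "Created is in the future"
        if expires <= now - self.skew:
            return False, "message expired"
        if now - created > self.max_age:
            return False, "message too old"
        self._forget_stale(now)
        if nonce in self._seen:
            return False, "replayed nonce"
        # Keep the nonce until the message could no longer pass the window checks above.
        self._seen[nonce] = min(created + self.max_age, expires + self.skew)
        return True, "accepted"

    def _forget_stale(self, now: datetime) -> None:
        self._seen = {n: until for n, until in self._seen.items() if until > now}
```

This check is only meaningful when the Timestamp and Nonce elements are covered by the WS-Security signature described under message integrity; otherwise an attacker replaying a captured message can simply rewrite them.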
The module handles engine, authentication service module by HTTP soap messages engine, WS-Security, asserts request clothes Business module forms with the part of service module five is published, and modular structure is as shown in the figure:
If Fig. 3 is messenger service modular structure, it includes:
(1) HTTP soap messages engine:
Http communication information is handled, receives HTTP soap messages, service is called according to different Service names respectively, is used Axis2 mode handles service.Axis2 is an Apache Web Service framework realized based on Java, wherein simultaneously The solution of server end and client is contained, Axis2 is realized based on modular mode, scalability.
(2)WS-Security:
Optional module, based on WS-Security specifications, security protection is provided for soap message, such as integrality, secret Property, anti-reproduction etc..
(3) authentication service module:
The module only handles authentication handshake interactive information.Encapsulation and parsing authentication handshake message, call authentication module, And according to the corresponding response message of result tissue of authentication module.
(4) Assertion request service module:
Handles only SAML-based token request messages. It parses the assertion request message, queries the authentication state management module for the authentication state, and calls the SAML processing module to organize the corresponding response message according to the terminal's authentication state.
(5) Logout service module:
Handles only SAML-based logout request messages. It parses the logout request, calls the authentication state management module to delete the terminal's login state, and organizes the logout response message.
2. Authentication module
The authentication module authenticates the terminal identity according to the authentication credentials passed to it by the authentication service module. It supports several different identity authentication modes and, according to the credential type, calls the corresponding authentication sub-module in turn to perform the authentication.
3. SAML processing module
SAML is a security service standard that lets multiple applications share security information and thereby supports single sign-on; it generally meets these core interoperability needs. SAML profiles allow SAML protocols and assertions to be used for specific purposes: a profile defines a set of rules and guidelines for how SAML assertions are embedded into a protocol or other context and how they are extracted again. By using SAML profiles, service applications can exchange security information seamlessly in SAML messages and easily interoperate with SAML-capable systems.
The SAML processing module is responsible for encapsulating and parsing the SAML 2.0 protocol data structures. In this system the token application, token acquisition, attribute request, attribute acquisition, logout request and logout processing functional modules all rely on SAML.
4. Authentication state management module
Records in real time the state of authentication, token application, token acquisition, attribute request, attribute acquisition, logout request and logout processing.
5. Configuration information management module
Configures the authentication service information obtained from the security catalog, user binding information, trust control device information, authentication assurance information and any other required configuration information.
6. Cryptographic service module
Implements the service interfaces for cryptographic algorithms, including random number generation, XML encryption and signature.
The block diagram of identity authentication is shown in Fig. 4.
Authentication protocol messages are exchanged between the client and the identity service system over HTTP + SOAP + XML. The identity service system verifies the signature validity of the certificate locally and queries the certificate status from the OCSP server via the OCSP protocol.
The four-way handshake of the authentication process is shown in Fig. 5.
The terms are explained as follows (packet type or term, followed by its description):
ACReq: first message sent by the authentication client in the public-key-based authentication process
ASAck: first message sent by the authentication server in the public-key-based authentication process
ACAuth: second message sent by the authentication client in the public-key-based authentication process
AuthState: second message sent by the authentication server in the public-key-based authentication process
ACState: state-maintenance message sent periodically by the authentication client
Ra: random number generated by the terminal control device
IDa: subject identity identifier
Ka: session key Ka, protected by encryption under the authentication server's public key
AuthRule: authentication rule, protected with the session key
Rs: random number generated by the authentication server
Ras: concatenation of Ra and Rs
AuthTmpPK: session public key (temporary public key)
EncryptedID: the user's internal identifier, i.e. the ID that uniquely identifies the user within the system; returned on successful authentication, encrypted with Ka
KeyName: public key name, returned on successful authentication; identifies the public key used when the internal authentication data is sent
The authentication process is realized by generating XML structures that follow a defined schema:
(1) The client initiates authentication and generates the ACReq message. The processing is as follows:
■ The client selects the authentication mode according to the locally configured authentication-mode display interface, and the user enters the relevant information.
■ Generate the random number Ra and the session key Ka.
■ Compute E(PKs: Ka) and E(Ka: AuthRule).
◆ Authentication mode code: represents the user's authentication mode; the value is provided by the network trust management system.
◆ Cryptographic operation mode: 0 = software implementation; 1 = cryptographic module implementation (e.g. UKEY).
◆ For username/password authentication the user must be made to enter IDa; certificate authentication only prompts for the PIN code.
■ Generate the ACReq message.
■ The client stores Ra and Ka securely.
(2) The identity service system generates ASAck and returns it to the client. The processing is as follows:
Generate the random number Rs.
At this stage the authentication modes permitted to the user are not yet restricted according to IDa; the received E(Ka: AuthRule) is used directly.
Generate ASAck.
(3) The client processes ASAck and generates ACAuth. The processing is as follows:
Process E(Ka: AuthRule) to obtain the authentication modes the user is allowed to select; if the mode the user selected is not in AuthRule, show the user an error and initiate authentication again.
Generate the temporary public/private key pair (AuthTmpPK, AuthTmpSK).
Generate the authentication data:
Certificate authentication: the terminal certificate
Password authentication: the password data encrypted with AuthTmpPK and Ka
Generate the signed data: sign Ra, Rs and the authentication data.
Generate ACAuth.
(4) The identity service system generates AuthState and returns it to the client. The processing is as follows:
Verify the signature.
Verify the authentication data and obtain the user's trusted identity.
Generate AuthState:
Authentication state: success or failure
Information returned on success:
EncryptedID: the ID that uniquely identifies the user within the system, encrypted with Ka
KeyName: the public key the system uses for the internal authentication data it sends
On failure, ErrorInfo is returned.
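The four steps above, played end to end as an added example written for this page (not the patent's own code). Message and field names follow the term table; the cryptographic realisations are this example's assumptions: E(PKs: Ka) is RSA-OAEP under the identity service system's key, E(Ka: ...) is AES-256-GCM, the temporary key pair (AuthTmpPK, AuthTmpSK) is ECDSA P-256, and the signature of step (3) covers SHA-256(Ra || Rs || authentication data). The authentication data is an opaque credential string looked up in a constructed one-user directory, standing in for the certificate or password data of step (3), and the AuthRule check of step (3) is reduced to equality with the rule the client sent.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Handshake messages, named as in the page's term table; AuthData is a constructed stand-in for the certificate or password data of step (3).
type ACReq struct{ Ra, EncKa, EncRule []byte } // Ra, E(PKs:Ka), E(Ka:AuthRule)
type ASAck struct{ Rs, EncRule []byte }        // Rs, E(Ka:AuthRule) echoed unchanged
type ACAuth struct {
	AuthTmpPK     *ecdsa.PublicKey // temporary session public key
	AuthData, Sig []byte           // credential blob; signature over Ra || Rs || AuthData
}
type AuthState struct {
	Success            bool
	EncryptedID        []byte // internal user ID encrypted with Ka
	KeyName, ErrorInfo string
}
func random(n int) []byte        { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk); return g } // keys here are always 32 bytes

// seal/open realise E(Ka: ...) as AES-256-GCM with a random 12-byte nonce prefix (this example's choice).
func seal(key, pt []byte) []byte { n := random(12); return gcm(key).Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
func transcript(ra, rs, data []byte) []byte { // what gets signed: both randoms bound to the authentication data
	h := sha256.Sum256(bytes.Join([][]byte{ra, rs, data}, nil))
	return h[:]
}

// Server is the identity service side; users maps a credential blob to the internal user ID.
type Server struct {
	sk         *rsa.PrivateKey
	ka, ra, rs []byte
	users      map[string]string
}

// Step (2): recover Ka, choose Rs, echo AuthRule unchanged (no mode restriction at this stage).
func (s *Server) NewASAck(req *ACReq) (*ASAck, error) {
	ka, err := rsa.DecryptOAEP(sha256.New(), nil, s.sk, req.EncKa, nil)
	if err != nil {
		return nil, err
	}
	s.ka, s.ra, s.rs = ka, req.Ra, random(16)
	return &ASAck{Rs: s.rs, EncRule: req.EncRule}, nil
}

// Step (4): verify the signature over both randoms before the credential is even looked at.
func (s *Server) NewAuthState(a *ACAuth) *AuthState {
	if !ecdsa.VerifyASN1(a.AuthTmpPK, transcript(s.ra, s.rs, a.AuthData), a.Sig) {
		return &AuthState{ErrorInfo: "signature invalid"}
	}
	id, ok := s.users[string(a.AuthData)]
	if !ok {
		return &AuthState{ErrorInfo: "credential rejected"}
	}
	return &AuthState{Success: true, EncryptedID: seal(s.ka, []byte(id)), KeyName: "AuthTmpPK"}
}

// RunHandshake plays the client side (steps 1 and 3) against srv and returns the internal ID
// the client recovers from EncryptedID, or the error that aborts the handshake.
func RunHandshake(srv *Server, rule, authData []byte) (string, error) {
	// Step (1): Ra, Ka, E(PKs:Ka) via RSA-OAEP, E(Ka:AuthRule); Ra and Ka stay client-side.
	ra, ka := random(16), random(32)
	encKa, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.sk.PublicKey, ka, nil)
	ack, err := srv.NewASAck(&ACReq{Ra: ra, EncKa: encKa, EncRule: seal(ka, rule)})
	if err != nil {
		return "", err
	}
	// Step (3): re-check the rule, make the temporary key pair, sign Ra||Rs||AuthData.
	if got, err := open(ka, ack.EncRule); err != nil || !bytes.Equal(got, rule) {
		return "", errors.New("selected mode not in AuthRule: restart authentication")
	}
	tmpSK, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := ecdsa.SignASN1(rand.Reader, tmpSK, transcript(ra, ack.Rs, authData))
	st := srv.NewAuthState(&ACAuth{AuthTmpPK: &tmpSK.PublicKey, AuthData: authData, Sig: sig})
	if !st.Success {
		return "", errors.New(st.ErrorInfo)
	}
	id, err := open(ka, st.EncryptedID)
	return string(id), err
}

func NewServer() *Server { // fresh RSA key plus a constructed one-user directory
	sk, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{sk: sk, users: map[string]string{"cert:alice": "U-0001"}}
}

func main() {
	fmt.Println(RunHandshake(NewServer(), []byte("modes=cert,pwd"), []byte("cert:alice")))
}
```

Two properties of the page's design show up directly in the code: the signature of ACAuth covers both randoms, so a captured ACAuth cannot be replayed against a later ASAck with a different Rs, and EncryptedID is only recoverable by the party that chose Ka, so the client learns its internal identifier from the one server able to unwrap E(PKs: Ka).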
2. Token application
Triggering cases
Case one: after successful authentication, the client program automatically initiates the token application process, as shown in Fig. 6.
Case two: the gateway/proxy finds the token invalid (e.g. expired or with an invalid signature); the client program, on receiving the error returned by the gateway/proxy, automatically initiates the token application process, as shown in Fig. 7.
Token form/content
A SAML assertion is used. The subject confirmation method is holder-of-key, and the <ds:KeyInfo> value in the subject confirmation is the public key from the authentication data.
Identity association
The flow of identity information between the identity service system, the trust control device, the application system and the network trust management system is identified by the user's network trust number; that is, the user identifier in the token that serves as the identity-passing carrier (the subject ID of the assertion) uses the network trust number maintained by the network trust management system.
Issuer
Tokens are issued and signed with the private key of the identity service system's certificate.
3. Token acquisition
The bearer protocol is HTTP POST; see the SAML Redirect/POST bindings of the SAML protocol.
It is realized with the Authentication Request Protocol of the SAML specification: the request uses AuthnRequest and the response uses Response. Both request and response support signatures: the request is signed with the private key corresponding to the public key sent in the internal authentication data, and the response is signed with the device certificate private key of the identity service system.
4. Authentication (token verification)
When the trust control device verifies a token: if the token's issuer is in its trust list, it can verify locally whether the token is valid, including the validity of the assertion signature and the validity period; if the issuer is not in its trust list, it must perform remote validation against the specified identity service system. Remote validation uses the WS-Trust protocol.
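The local-or-remote decision described above, as an added example (written for this page, not the patent's code). A Go trust-control device holds a trust list of issuer names mapped to device public keys; a token from a listed issuer is checked locally (signature first, then NotBefore/NotOnOrAfter) and the subject's network trust number is returned, while a token from any other issuer yields ErrRemoteValidation so the caller can fall back to the remote validation the page assigns to WS-Trust, which is not implemented here. The issuer name, the subject value and the detached ECDSA P-256 signature over the assertion bytes are constructed stand-ins for the XML signature a real SAML assertion would carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Token is a SAML-style assertion plus a detached ECDSA signature over its bytes; the detached
// signature is this example's stand-in for the XML signature the page refers to.
type Token struct{ Assertion, Sig []byte }

// assertion holds just the parts of a SAML 2.0 assertion the checks below need.
type assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer     string   `xml:"Issuer"`
	NameID     string   `xml:"Subject>NameID"` // the user's network trust number
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	} `xml:"Conditions"`
}

// Issuer models an identity service signing tokens with its device key (constructed).
type Issuer struct {
	Name string
	sk   *ecdsa.PrivateKey
}

func NewIssuer(name string) *Issuer {
	sk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Issuer{Name: name, sk: sk}
}
func (i *Issuer) PublicKey() *ecdsa.PublicKey { return &i.sk.PublicKey }

// Issue signs an assertion for subject that is valid in [notBefore, notOnOrAfter).
func (i *Issuer) Issue(subject string, notBefore, notOnOrAfter time.Time) Token {
	a := assertion{Issuer: i.Name, NameID: subject}
	a.Conditions.NotBefore = notBefore.UTC().Format(time.RFC3339)
	a.Conditions.NotOnOrAfter = notOnOrAfter.UTC().Format(time.RFC3339)
	body, _ := xml.Marshal(a)
	h := sha256.Sum256(body)
	sig, _ := ecdsa.SignASN1(rand.Reader, i.sk, h[:])
	return Token{Assertion: body, Sig: sig}
}

// ErrRemoteValidation is the page's second branch: the issuer is not in the local trust list,
// so the token must be validated remotely rather than accepted or rejected here.
var ErrRemoteValidation = errors.New("issuer not in trust list: remote validation required")

// TrustControl is the trust-control device; Trusted maps an issuer name to its device public key.
type TrustControl struct{ Trusted map[string]*ecdsa.PublicKey }

// Verify checks a token locally (known issuer, valid signature, then validity period) and
// returns the subject on success.
func (tc *TrustControl) Verify(t Token, now time.Time) (string, error) {
	var a assertion
	if err := xml.Unmarshal(t.Assertion, &a); err != nil {
		return "", err
	}
	pk, ok := tc.Trusted[a.Issuer]
	if !ok {
		return "", ErrRemoteValidation
	}
	h := sha256.Sum256(t.Assertion)
	if !ecdsa.VerifyASN1(pk, h[:], t.Sig) {
		return "", errors.New("assertion signature invalid")
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", errors.New("malformed Conditions")
	}
	if now.Before(nb) || !now.Before(na) {
		return "", errors.New("token outside its validity period")
	}
	return a.NameID, nil
}

func main() {
	ids := NewIssuer("ids.example") // constructed issuer name
	tc := &TrustControl{Trusted: map[string]*ecdsa.PublicKey{ids.Name: ids.PublicKey()}}
	now := time.Now()
	tok := ids.Issue("TRUST-000123", now.Add(-time.Minute), now.Add(10*time.Minute))
	fmt.Println(tc.Verify(tok, now))
}
```

Nothing parsed from the assertion is acted on before the signature check except the Issuer name, which is needed to select the verification key; an unknown issuer is reported as a distinct error rather than a failure so that the remote path is taken deliberately instead of being conflated with a forged or expired token.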
5. Attribute acquisition
Policy-based decisions require a variety of attributes, including subject attributes, system resource attributes and application environment attributes. This service bundle provides a standard access mechanism and defines how the result of an attribute query is returned in the form of a SAML attribute assertion; the request-response mechanism is likewise based on the standard SAML protocol. The subject attribute service provides a query interface for accessing the attributes of a subject, where the subject may be a person or an entity. The service does not define attribute categories or "schemes"; these are defined by the underlying attribute authorities (such as an identity repository). Attributes are retrieved on request and returned as SAML assertions, which serve as input to the policy decision logic. At present, subject attributes are mainly managed by existing identity management systems and stored in a variety of directories. Therefore, within the subject identity binding service, this service only provides a "read" function to obtain the stored attributes.
A simplified attribute query request structure is used: no saml:Attribute element appears in the attribute query message. The attribute query request structure is as follows:
    <samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="message id" IssueInstant="request issue time">
      <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:NameID SPNameQualifier="application ID">unified trust number</saml:NameID>
      </saml:Subject>
    </samlp:AttributeQuery>
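An added example of a service-side handler for the simplified query (written for this page; not the patent's code). It decodes the samlp:AttributeQuery with Go's encoding/xml, insisting on the SAML 2.0 protocol and assertion namespaces, enforces Version 2.0, a message ID, a fresh IssueInstant and a NameID carrying SPNameQualifier, rejects any saml:Attribute element because the simplified structure has none, and answers from a read-only attribute store, matching the "read" function the passage describes. The store contents, the application ID app-portal, the trust number TRUST-000123 and the five-minute freshness window are constructed values; the result is returned as a Go map rather than packaged as a SAML attribute assertion.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// attributeQuery mirrors the simplified request on the page: a samlp:AttributeQuery whose only
// child is saml:Subject/NameID. Namespaced tags make encoding/xml require the SAML 2.0 URNs.
type attributeQuery struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AttributeQuery"`
	Version      string   `xml:"Version,attr"`
	ID           string   `xml:"ID,attr"`
	IssueInstant string   `xml:"IssueInstant,attr"`
	Subject      struct {
		NameID struct {
			SPNameQualifier string `xml:"SPNameQualifier,attr"` // requesting application's ID
			Value           string `xml:",chardata"`           // unified (network) trust number
		} `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	Attributes []struct{} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Attribute"` // must stay empty
}

// AttributeStore is a constructed stand-in for the attribute authority (e.g. an identity repository).
var AttributeStore = map[string]map[string]string{
	"TRUST-000123": {"displayName": "Alice", "department": "R&D", "role": "engineer"},
}

// HandleAttributeQuery validates the request and returns the stored attributes of its subject.
// The clock is injected so the IssueInstant freshness check is testable.
func HandleAttributeQuery(req []byte, now time.Time) (map[string]string, error) {
	var q attributeQuery
	if err := xml.Unmarshal(req, &q); err != nil {
		return nil, err
	}
	if q.Version != "2.0" {
		return nil, errors.New("unsupported SAML version")
	}
	if q.ID == "" || q.Subject.NameID.SPNameQualifier == "" || q.Subject.NameID.Value == "" {
		return nil, errors.New("ID, SPNameQualifier and NameID are mandatory")
	}
	issued, err := time.Parse(time.RFC3339, q.IssueInstant)
	if err != nil {
		return nil, err
	}
	if d := now.Sub(issued); d < -time.Minute || d > 5*time.Minute {
		return nil, errors.New("IssueInstant outside the accepted window")
	}
	if len(q.Attributes) > 0 {
		return nil, errors.New("simplified profile: saml:Attribute elements are not allowed")
	}
	attrs, ok := AttributeStore[q.Subject.NameID.Value]
	if !ok {
		return nil, errors.New("unknown subject")
	}
	return attrs, nil // read-only: the service never writes back to the attribute authority
}

// SampleQuery follows the page's request structure with constructed values.
const SampleQuery = `<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="_msg-0001" IssueInstant="2017-08-08T10:00:00Z">
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID SPNameQualifier="app-portal">TRUST-000123</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>`

func main() {
	fmt.Println(HandleAttributeQuery([]byte(SampleQuery), time.Date(2017, 8, 8, 10, 0, 5, 0, time.UTC)))
}
```

The message ID is checked for presence only; pairing it with the replay guard shown earlier on this page would give the query the same once-only property as the authentication messages.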
6. Logout notice
When the user logs out, the client must send a logout notice to the identity service system. The bearer protocol is HTTP POST; see the SAML Redirect/POST bindings of the SAML protocol. The Single Logout Protocol of the SAML specification is used: the request uses LogoutRequest and the response uses LogoutResponse. Both request and response support signatures: the request is signed with the private key corresponding to the public key sent in the internal authentication data, and the response is signed with the device certificate private key of the identity service system.
7. Authentication context
The authentication context shared between client and server during authentication, token application, token acquisition and logout is realized by a shared-memory mechanism.
The network trust system is the support platform for security assurance and is divided into a trust management system and trust service systems. The identity service system, as one of these trust services, provides identity authentication, token application, token acquisition, attribute request, attribute acquisition and logout notice.
This identity authentication system has the following features:
1. A complete user management mechanism: a complete user management and authority distribution mechanism is needed to manage every user of the application systems;
2. Heterogeneity: it is compatible with each application system platform and integrates well with them;
3. Security: the storage of information and data, and the transmission of information to and from each application system, are guaranteed to be secure and reliable.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit its scope. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (11)

1. A unified identity authentication method based on WEB service, comprising the following steps:
1) configuring authentication-related information and authentication policy service information in the network trust system, and publishing them to the security catalog system;
2) the identity service system obtaining the information required for identity authentication from the security catalog system;
3) the user requesting the identity service system to complete identity authentication, the identity service system obtaining the user's credential and completing the authentication of the user according to the obtained information required for identity authentication and the authentication policy service information;
4) the user requesting a token from the identity service system, and the identity service system issuing an identity token to the user according to the result of the user's identity authentication;
5) the user sending a request to access an application resource using the identity token;
6) after the user's identity authentication and authorization pass, the request to access the application resource being forwarded to the application system;
7) the user accessing the application system and performing operations.
2. The method according to claim 1, wherein the authentication-related information in step 1) comprises: authentication service information, user binding information, policy service information and other required configuration information;
and the information required for identity authentication in step 2) comprises: authentication service information, user binding information, trust control device information, authentication assurance information and other required configuration information.
3. The method according to claim 1, wherein the user sending a request to access an application resource using the identity token in step 5) comprises:
5.1) the user sending the request to access the application resource together with the identity token to the trust control device.
4. The method according to claim 1, wherein in step 6) the forwarding of the request to access the application resource to the application system after the user's identity authentication and authorization pass specifically comprises:
6.1) the trust control device verifying the validity of the identity token and its relevant attribute information;
6.2) the trust control device's authentication of the user passing;
6.3) the trust control device requesting the policy service system to provide the access control right;
6.4) after the policy service system's authorization succeeds, it returning a response, and the trust control device forwarding the request to access the application resource to the application system.
5. The method according to claim 11, wherein the flow of identity information between the identity service system, the policy service system, the trust control device and the application system is identified by the user's network trust number, i.e. the user identifier in the identity token that serves as the identity-passing carrier uses the network trust number maintained by the network trust management system.
6. A unified single sign-on system platform based on WEB service, comprising:
a user credential management system, a network trust management system, a security catalog system, an identity service system, a policy service system and a trust control device;
wherein authentication-related information is configured in the network trust system and published to the security catalog system;
the identity service system obtains the information required for identity authentication from the security catalog system;
the user requests the identity service system through the client to complete identity authentication; the identity service system obtains the user's request credential, relies on the user credential management system, completes the authentication of the user according to the obtained information required for identity authentication, and returns an authentication response;
the client requests a token from the identity service system, and the identity service system generates a user identity token according to the result of the user's identity authentication and issues it to the user;
the client sends a request to access an application resource using the identity token;
after the user's identity authentication and authorization pass, the request to access the application resource is forwarded to the application system.
7. The system platform according to claim 6, wherein the authentication-related information comprises: authentication service information, user binding information, policy service information and other required configuration information;
and the information required for identity authentication comprises: authentication service information, user binding information, trust control device information, authentication assurance information and other required configuration information.
8. The system platform according to claim 6, wherein the client sending a request to access an application resource using the identity token comprises: sending the request to access the application resource together with the identity token to the trust control device.
9. The system platform according to claim 6, further comprising a trust control device and a policy service system, wherein the trust control device verifies the validity of the identity token and its relevant attribute information; after the trust control device's authentication of the user passes, the trust control device requests the policy service module to provide the access control right; after the policy service system's authorization succeeds, it returns a response, and the trust control device forwards the request to access the application resource to the application system.
10. The system platform according to claim 9, wherein the flow of identity information between the identity service system, the policy service system, the trust control device and the application system is identified by the user's network trust number, i.e. the user identifier in the identity token that serves as the identity-passing carrier uses the network trust number maintained by the network trust management system.
11. A unified single sign-on system platform based on WEB service, comprising a computer-readable storage medium and a computer processor, the computer-readable storage medium containing computer program instructions, and the computer processor executing the computer program instructions to realize the method of one of claims 1-5.
CN201710670133.3A 2017-08-08 2017-08-08 A kind of unified identity authentication method and system platform based on WEB service Pending CN107425983A (en)

Publications (1)

Publication Number Publication Date
CN107425983A true CN107425983A (en) 2017-12-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20171201