CN111586054A - Single sign-on implementation method based on Internet architecture - Google Patents

Single sign-on implementation method based on Internet architecture

Info

Publication number
CN111586054A
Authority
CN
China
Prior art keywords
subsystem
platform
account
user
single sign
Prior art date
Legal status
Pending
Application number
CN202010384868.1A
Other languages
Chinese (zh)
Inventor
石兴磊
郑珊珊
李�瑞
Current Assignee
Shandong Health Medical Big Data Co ltd
Original Assignee
Shandong Health Medical Big Data Co ltd
Priority date
2020-05-09
Filing date
2020-05-09
Publication date
2020-08-25

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to the integration of subsystems of the national health information platform, and provides a single sign-on implementation method based on an Internet architecture. The method maps the platform account to an account in each subsystem so that the platform's user permission system corresponds to each subsystem's own; uses redis to record the tickets the platform issues to each subsystem together with each subsystem's cookies and logout interface; uses kafka to notify each subsystem of accounts newly added on the platform; and uses Nginx as a reverse proxy for load balancing. Compared with the prior art, the method reduces the development cost of each subsystem on the one hand and the workload of subsystem maintainers in maintaining user permissions on the other, and has good promotion value.

Description

Single sign-on implementation method based on Internet architecture
Technical Field
The invention relates to the field of integration of subsystems of a national health information platform, and particularly provides a single sign-on implementation method based on an Internet architecture.
Background
The national health information platform comprises six business applications (public health, family planning, medical services, medical insurance, drug management and comprehensive management) and is organised as four levels of platform: national, provincial, municipal and county. The four-level platform is the hub that connects the six business applications both vertically and horizontally, the resident health card is the medium through which the public use health and family planning services, and health institutions at every level are given a platform for interconnection, information sharing and effective cooperation between business applications.
In terms of coverage, the national health information platform connects horizontally with health-related information platforms at the same level and vertically with the national health information platforms above and below it; in terms of function, it integrates many subsystems with different roles. As a rule, every level of platform and every subsystem has its own login module, user base and permission system, so a user who enters these platforms and subsystems from the national health information platform has to log in to each one in turn, which is very inconvenient.
To implement single sign-on, the user permission system of each subsystem must first be connected to the platform. Two approaches are common:
1. Build a central permission system and manage the user permission systems of all subsystems from it, so that authentication and authorization for every subsystem go through the central system. The authentication and authorization modules of almost every subsystem then have to be redeveloped; the transformation is expensive and hard to roll out, and it tightly couples every subsystem to the central permission system.
2. Synchronize user information across subsystems, i.e. keep the user information of the platform and of every subsystem identical. Most of the existing user and authorization data of each system then becomes invalid, and accounts and authorizations have to be reissued, which greatly increases the maintainers' workload.
Disclosure of Invention
Against these defects of the prior art, the invention provides a single sign-on implementation method based on an Internet architecture which is highly practical.
The technical scheme adopted by the invention for solving the technical problems is as follows:
A single sign-on implementation method based on an Internet architecture, characterised in that it maps the platform account to an account in each subsystem so that the platform's user permission system corresponds to each subsystem's own; uses redis to record the tickets the platform issues to each subsystem together with each subsystem's cookies and logout interface; uses kafka to notify each subsystem of accounts newly added on the platform; and uses Nginx as a reverse proxy for load balancing.
Further, the method is realized by the following steps:
(1) distributing user rights;
(2) mapping an account number;
(3) single sign-on;
(4) single-point logout;
(5) deployment.
Further, in step (1), the platform is responsible for assigning which subsystems a user may use, and each subsystem is responsible for assigning which of its functions the user may use.
Further, in step (2), when the subsystem already has a corresponding account but the platform does not, the user enters the subsystem from the platform and types in the subsystem account and password; once these have been verified, a mapping between the platform account and the subsystem account is established on the platform;
and when the platform has a corresponding account but the subsystem does not, the platform account information is written to kafka; the subsystem reads it from kafka, creates the corresponding account locally, and calls a platform interface to establish the mapping.
Further, in step (2), if an account is newly added on the platform, the administrator writes the new account information to kafka; the subsystem reads it from kafka, creates the corresponding account locally, and calls a platform interface to establish the mapping;
if an account is newly added in a subsystem, the mapping between the platform account and the subsystem account is established on the platform once the subsystem account and password entered by the user have been verified.
Further, in step (3), when a user who is logged in to the platform enters a subsystem, the request carries the subsystem's ID; the subsystem receives the request and redirects it to the platform, and the platform checks whether the user is logged in and whether the logged-in user has the right to access that subsystem;
if not, an error is displayed;
if so, the platform generates a ticket and stores the session ID, the subsystem ID and the ticket in redis;
the platform then sends the user back to the subsystem with the ticket attached; the subsystem receives the request and redirects to the platform once more, this time carrying its own cookies and its logout address; the platform checks that the ticket is valid and that the logged-in user's session has not expired,
and if both hold, it writes the subsystem's cookies and logout address to redis, looks up the subsystem user mapped to the platform's logged-in user, and sends the user back to the subsystem; the subsystem obtains the login account from this verification and logs the user in without a separate login.
Further, in step (4), if the user logs out from the platform, the platform queries redis for the subsystems currently logged in and their logout interfaces, calls those logout interfaces asynchronously, and then logs the user out of the platform;
if the user logs out from a subsystem, the subsystem calls the platform's logout interface, which queries redis for the subsystems currently logged in and their logout interfaces, calls them asynchronously, and then logs the user out of the platform.
Further, in step (5), entering any subsystem requires authentication at the platform's authentication centre; the authentication centre is deployed in a distributed manner, with Nginx as a reverse proxy for load balancing.
Compared with the prior art, the single sign-on implementation method based on an Internet architecture has the following outstanding beneficial effects:
each subsystem keeps its own user permission system, and single sign-on from the platform into every subsystem requires only a few interface calls to be built between the subsystem and the platform. The user logs in once on the platform and can then access every integrated system without logging in again; logging out on any integrated system or on the platform logs the user out of the platform and all integrated systems. This reduces the development cost of each subsystem on the one hand, and the workload of each subsystem's maintainers in maintaining user permissions on the other.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a login flow chart of a single sign-on implementation method based on an Internet architecture;
FIG. 2 is a platform log-on chart of a single sign-on implementation method based on an Internet architecture;
FIG. 3 is a subsystem log-on diagram of a single sign-on implementation method based on an Internet architecture.
Detailed Description
The present invention will be described in further detail with reference to specific embodiments in order to better understand the technical solutions of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A preferred embodiment is given below:
As shown in FIGS. 1 to 3, the single sign-on implementation method based on an Internet architecture of this embodiment maps the platform account to an account in each subsystem so that the platform's user permission system corresponds to each subsystem's own; uses redis to record the tickets the platform issues to each subsystem together with each subsystem's cookies and logout interface; uses kafka to notify each subsystem of accounts newly added on the platform; and uses Nginx as a reverse proxy for load balancing.
The method is implemented as follows:
(1) User permission assignment: the platform is responsible for assigning which subsystems a user may use; each subsystem is responsible for assigning which of its functions the user may use.
(2) Account mapping: when the subsystem already has a corresponding account but the platform does not, the user enters the subsystem from the platform and types in the subsystem account and password; once these have been verified, a mapping between the platform account and the subsystem account is established on the platform;
and when the platform has a corresponding account but the subsystem does not, the platform account information is written to kafka; the subsystem reads it from kafka, creates the corresponding account locally, and calls a platform interface to establish the mapping.
If an account is newly added on the platform, the administrator writes the new account information to kafka; the subsystem reads it from kafka, creates the corresponding account locally, and calls a platform interface to establish the mapping;
if an account is newly added in a subsystem, the mapping between the platform account and the subsystem account is established on the platform once the subsystem account and password entered by the user have been verified.
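The account-mapping step above (and the identical step (2) in the disclosure) can be seen end to end in the following added example; it is not code from the patent, and the class, field and function names, the in-memory list that stands in for the kafka topic, and the direct method call that stands in for the platform's HTTP mapping interface are all assumptions. Two points a practitioner will want that the text leaves implicit are built in: kafka delivers at least once, so the subsystem's consumer must be idempotent (re-reading the topic must not create a second account or mapping), and the platform, not the subsystem, decides whether a mapping may exist, so a subsystem call cannot map a user onto a subsystem the platform never assigned in step (1).

```python
"""Account mapping between the platform and one subsystem (steps (1) and (2)).

Added example, not code from the patent. A list stands in for the kafka topic
and a direct method call for the platform's HTTP interface; every class, field
and function name here is an assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Platform:
    accounts: set = field(default_factory=set)    # platform account ids
    rights: dict = field(default_factory=dict)    # platform id -> subsystems it may use (step 1)
    mappings: dict = field(default_factory=dict)  # (subsystem id, platform id) -> subsystem login
    topic: list = field(default_factory=list)     # stands in for the kafka topic

    def add_account(self, platform_id, subsystems):
        self.accounts.add(platform_id)
        self.rights[platform_id] = set(subsystems)

    def publish_new_account(self, platform_id):
        """Administrator action: announce a new platform account to each subsystem it may use."""
        for sub in self.rights[platform_id]:
            self.topic.append({"type": "account_added",
                               "platform_id": platform_id, "subsystem_id": sub})

    def establish_mapping(self, subsystem_id, platform_id, subsystem_login):
        """Platform interface called by a subsystem. The platform, not the caller,
        decides whether the user may use this subsystem, so a mapping cannot grant
        access the platform never assigned."""
        if platform_id not in self.accounts or subsystem_id not in self.rights.get(platform_id, ()):
            return False
        self.mappings[(subsystem_id, platform_id)] = subsystem_login
        return True


@dataclass
class Subsystem:
    subsystem_id: str
    platform: Platform
    accounts: dict = field(default_factory=dict)  # local login -> (salt, digest)

    def create_account(self, login, password):
        self.accounts[login] = hash_password(password)

    def verify(self, login, password):
        if login not in self.accounts:
            return False
        salt, digest = self.accounts[login]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def consume(self):
        """Process the topic from the beginning, as a kafka consumer does after a
        restart or a redelivery. The handler is idempotent: an account or mapping
        that already exists is skipped, so at-least-once delivery cannot create
        duplicate accounts. Returns the number of accounts created in this pass."""
        created = 0
        for event in self.platform.topic:
            if event["type"] != "account_added" or event["subsystem_id"] != self.subsystem_id:
                continue
            login = event["platform_id"]
            if login not in self.accounts:
                # new local account with a random initial password (assumption); the
                # user reaches it through single sign-on, not through this password
                self.create_account(login, secrets.token_urlsafe(16))
                created += 1
            if (self.subsystem_id, login) not in self.platform.mappings:
                self.platform.establish_mapping(self.subsystem_id, login, login)
        return created

    def link_existing(self, platform_id, login, password):
        """The subsystem account exists but no mapping does: the user, already on the
        platform, enters the subsystem login and password; only after the subsystem
        verifies them is the mapping registered on the platform."""
        if not self.verify(login, password):
            return False
        return self.platform.establish_mapping(self.subsystem_id, platform_id, login)


if __name__ == "__main__":
    platform = Platform()
    platform.add_account("u1", ["his"])
    platform.publish_new_account("u1")
    his = Subsystem("his", platform)
    print(his.consume(), his.consume())   # second pass replays the topic and creates nothing
    print(platform.mappings)
```

In a real deployment the platform's mapping interface is a network call and must authenticate the calling subsystem (for example with a per-subsystem credential), otherwise any client that can reach it could register mappings; that check is outside what the text describes and is not shown here.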
(3) Single sign-on: when a user who is logged in to the platform enters a subsystem, the request carries the subsystem's ID; the subsystem receives the request and redirects it to the platform, and the platform checks whether the user is logged in and whether the logged-in user has the right to access that subsystem;
if not, an error is displayed;
if so, the platform generates a ticket and stores the session ID, the subsystem ID and the ticket in redis;
the platform then sends the user back to the subsystem with the ticket attached; the subsystem receives the request and redirects to the platform once more, this time carrying its own cookies and its logout address; the platform checks that the ticket is valid and that the logged-in user's session has not expired,
and if both hold, it writes the subsystem's cookies and logout address to redis, looks up the subsystem user mapped to the platform's logged-in user, and sends the user back to the subsystem; the subsystem obtains the login account from this verification and logs the user in without a separate login.
(4) Single logout: if the user logs out from the platform, the platform queries redis for the subsystems currently logged in and their logout interfaces, calls those logout interfaces asynchronously, and then logs the user out of the platform;
if the user logs out from a subsystem, the subsystem calls the platform's logout interface, which queries redis for the subsystems currently logged in and their logout interfaces, calls them asynchronously, and then logs the user out of the platform.
(5) Deployment: because entering any subsystem requires authentication at the platform's authentication centre, the load on the authentication centre is high; it is therefore deployed in a distributed manner, with Nginx as a reverse proxy for load balancing.
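Steps (3) to (5) above (and the same steps in the disclosure) describe a ticket exchange whose security rests on details the text does not spell out: the ticket has to be unguessable, short-lived and usable once, and it has to be bound to the session and the subsystem it was issued for, otherwise a ticket captured from one redirect could be replayed or presented to a different subsystem. The following added example, which is not code from the patent, shows one authentication-centre instance implementing the exchange that way; a dict stands in for redis, and the AuthCenter class, the TTL constants, the key names and the logout callback are all assumptions. Because every piece of state is in the shared store, any instance behind the Nginx reverse proxy of step (5) can validate a ticket another instance issued, which is what makes the distributed deployment work without sticky sessions.

```python
"""Ticket-based single sign-on (step (3)) and single logout (step (4)).

Added example, not code from the patent. A dict stands in for redis; the
AuthCenter class, the TTL values, the key names and the logout callback are
assumptions."""
import secrets
import time

TICKET_TTL = 60          # seconds; a ticket is short-lived and single-use (assumption)
SESSION_TTL = 8 * 3600   # platform session lifetime in seconds (assumption)


class AuthCenter:
    """One instance of the platform's authentication centre. All state lives in
    `store`, so any instance behind the Nginx reverse proxy (step (5)) can
    validate a ticket issued by another one; the clock is injectable for tests."""

    def __init__(self, now=time.time):
        self.now = now
        self.store = {}    # stands in for redis: key -> value
        self.rights = {}   # platform user -> set of subsystem ids the user may use
        self.mapping = {}  # (subsystem id, platform user) -> subsystem account

    def login(self, user):
        """Platform login; returns the session ID the browser keeps as a cookie."""
        sid = secrets.token_urlsafe(32)
        self.store[f"session:{sid}"] = {"user": user, "exp": self.now() + SESSION_TTL,
                                        "subsystems": {}}
        return sid

    def _session(self, sid):
        s = self.store.get(f"session:{sid}")
        if s is None or s["exp"] < self.now():
            self.store.pop(f"session:{sid}", None)
            return None
        return s

    def enter_subsystem(self, sid, system_id):
        """The subsystem redirected the user here with its ID. Returns (ticket, error)."""
        s = self._session(sid)
        if s is None:
            return None, "not logged in"
        if system_id not in self.rights.get(s["user"], ()):
            return None, "no right to access subsystem"
        ticket = secrets.token_urlsafe(32)
        # session ID, subsystem ID and ticket are stored together, as the patent describes
        self.store[f"ticket:{ticket}"] = {"sid": sid, "system_id": system_id,
                                          "exp": self.now() + TICKET_TTL}
        return ticket, None

    def validate_ticket(self, ticket, system_id, cookie, logout_url):
        """Second redirect: the subsystem sends the ticket back with its cookies and
        logout address. The ticket is consumed on first use, must not have expired,
        must belong to the requesting subsystem, and its session must still be live.
        Returns the subsystem account mapped to the platform user, or None."""
        t = self.store.pop(f"ticket:{ticket}", None)
        if t is None or t["exp"] < self.now() or t["system_id"] != system_id:
            return None
        s = self._session(t["sid"])
        if s is None:
            return None
        s["subsystems"][system_id] = {"cookie": cookie, "logout_url": logout_url}
        return self.mapping.get((system_id, s["user"]))

    def logout(self, sid, call_logout):
        """Single logout, whether started on the platform or by a subsystem calling
        the platform's logout interface with the session ID: every subsystem logged
        in under this session is told to log out, then the platform session is
        dropped. `call_logout(url, cookie)` stands in for the asynchronous HTTP
        call. Returns the IDs of the subsystems notified."""
        s = self.store.pop(f"session:{sid}", None)
        if s is None:
            return []
        for system_id, info in s["subsystems"].items():
            call_logout(info["logout_url"], info["cookie"])
        return sorted(s["subsystems"])


if __name__ == "__main__":
    ac = AuthCenter()
    ac.rights["alice"] = {"his"}
    ac.mapping[("his", "alice")] = "alice@his"
    sid = ac.login("alice")
    ticket, _ = ac.enter_subsystem(sid, "his")
    print(ac.validate_ticket(ticket, "his", "JSESSIONID=abc", "https://his.example/logout"))
    print(ac.validate_ticket(ticket, "his", "JSESSIONID=abc", "https://his.example/logout"))  # replay
    print(ac.logout(sid, lambda url, cookie: print("calling", url)))
```

Two things to keep in mind when turning this into the real service: the subsystem's second redirect must authenticate itself to the platform (the patent has it send its cookies and logout address, but nothing stops a third party from doing the same unless the call is authenticated), and because the subsystem logout calls are asynchronous, a failed call leaves that subsystem's session alive, so the subsystem's own session timeout remains the backstop.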
The above embodiments are only specific cases, and the scope of the present invention includes but is not limited to the above embodiments, and any suitable changes or substitutions that are consistent with the claims of the internet architecture-based single sign-on implementation method of the present invention and are made by those skilled in the art shall fall within the scope of the present invention.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A single sign-on implementation method based on an Internet architecture, characterised in that the method maps the platform account to an account in each subsystem so that the platform's user permission system corresponds to each subsystem's own; uses redis to record the tickets the platform issues to each subsystem together with each subsystem's cookies and logout interface; uses kafka to notify each subsystem of accounts newly added on the platform; and uses Nginx as a reverse proxy for load balancing.
2. The method for implementing single sign-on based on internet architecture as claimed in claim 1, wherein the method comprises the following steps:
(1) distributing user rights;
(2) mapping an account number;
(3) single sign-on;
(4) single-point logout;
(5) deployment.
3. The method as claimed in claim 2, wherein in step (1) the platform is responsible for assigning which subsystems a user may use, and each subsystem is responsible for assigning which of its functions the user may use.
4. The method for implementing single sign-on based on an Internet architecture as claimed in claim 2, wherein in step (2), when the subsystem already has a corresponding account but the platform does not, the user enters the subsystem from the platform and types in the subsystem account and password, and once these have been verified a mapping between the platform account and the subsystem account is established on the platform;
and when the platform has a corresponding account but the subsystem does not, the platform account information is written to kafka; the subsystem reads it from kafka, creates the corresponding account locally, and calls a platform interface to establish the mapping.
5. The method for implementing single sign-on based on an Internet architecture as claimed in claim 4, wherein in step (2), if an account is newly added on the platform, the administrator writes the new account information to kafka; the subsystem reads it from kafka, creates the corresponding account locally, and calls a platform interface to establish the mapping;
if an account is newly added in a subsystem, the mapping between the platform account and the subsystem account is established on the platform once the subsystem account and password entered by the user have been verified.
6. The method for implementing single sign-on based on an Internet architecture as claimed in claim 2, wherein in step (3), when a user who is logged in to the platform enters a subsystem, the request carries the subsystem's ID; the subsystem receives the request and redirects it to the platform, and the platform checks whether the user is logged in and whether the logged-in user has the right to access that subsystem;
if not, an error is displayed;
if so, the platform generates a ticket and stores the session ID, the subsystem ID and the ticket in redis;
the platform then sends the user back to the subsystem with the ticket attached; the subsystem receives the request and redirects to the platform once more, this time carrying its own cookies and its logout address; the platform checks that the ticket is valid and that the logged-in user's session has not expired,
and if both hold, it writes the subsystem's cookies and logout address to redis, looks up the subsystem user mapped to the platform's logged-in user, and sends the user back to the subsystem; the subsystem obtains the login account from this verification and logs the user in without a separate login.
7. The method for implementing single sign-on based on an Internet architecture as claimed in claim 2, wherein in step (4), if the user logs out from the platform, the platform queries redis for the subsystems currently logged in and their logout interfaces, calls those logout interfaces asynchronously, and then logs the user out of the platform;
and if the user logs out from a subsystem, the subsystem calls the platform's logout interface, which queries redis for the subsystems currently logged in and their logout interfaces, calls them asynchronously, and then logs the user out of the platform.
8. The method for implementing single sign-on based on an Internet architecture as claimed in claim 2, wherein in step (5), entering any subsystem requires authentication at the platform's authentication centre, and the authentication centre is deployed in a distributed manner with Nginx as a reverse proxy for load balancing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010384868.1A CN111586054A (en) 2020-05-09 2020-05-09 Single sign-on implementation method based on Internet architecture


Publications (1)

Publication Number Publication Date
CN111586054A true CN111586054A (en) 2020-08-25

Family

ID=72113474

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010384868.1A Pending CN111586054A (en) 2020-05-09 2020-05-09 Single sign-on implementation method based on Internet architecture

Country Status (1)

Country Link
CN (1) CN111586054A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112288396A (en) * 2020-10-29 2021-01-29 上海淇玥信息技术有限公司 Multi-system user attribute information management method and device and electronic equipment
CN112836197A (en) * 2021-01-12 2021-05-25 青海绿能数据有限公司 WEB system function integration system


Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102655494A (en) * 2011-03-01 2012-09-05 广州从兴电子开发有限公司 SAML (Security Assertion Markup Language)-based authentication platform designed in single log-in mode
US9118657B1 (en) * 2011-03-15 2015-08-25 Avior, Inc. Extending secure single sign on to legacy applications
CN105450637A (en) * 2015-11-09 2016-03-30 歌尔声学股份有限公司 Single sign-on method and device for multiple application systems
CN106936772A (en) * 2015-12-29 2017-07-07 ***通信集团湖南有限公司 Access method, apparatus and system for cloud platform resources
CN106101054A (en) * 2016-04-29 2016-11-09 乐视控股(北京)有限公司 Single sign-on method for multiple systems and centralized management system
CN107172054A (en) * 2017-05-26 2017-09-15 努比亚技术有限公司 CAS-based permission authentication method, apparatus and system
CN109379363A (en) * 2018-10-25 2019-02-22 北京开普云信息科技有限公司 Single sign-on integration method and system based on an intensive platform
CN110381031A (en) * 2019-06-21 2019-10-25 中国平安财产保险股份有限公司 Single sign-on method, device, equipment and computer-readable storage medium
CN110519296A (en) * 2019-09-17 2019-11-29 焦点科技股份有限公司 Single sign-on and publish method for heterogeneous web systems
CN110830512A (en) * 2019-12-10 2020-02-21 宝付网络科技(上海)有限公司 Multi-platform unified authentication system based on domain account
CN111083136A (en) * 2019-12-12 2020-04-28 北京百分点信息科技有限公司 Account resource management device and method and data acquisition system and method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
姜海庆: "Application of a unified security management platform in network management" (统一安全管理平台在网络管理中的应用), 《通信技术》 (Communications Technology) *
徐骁麟 et al.: "Analysis and evaluation of key technologies of the 4A unified security management platform" (4A统一安全管理平台关键技术分析与评估), 《电信网技术》 (Telecommunications Network Technology) *
朱国萃: "Research on a centralized account and password management system for telecom enterprise networks" (电信企业网中账号口令集中管理体系研究), 《计算机安全》 (Computer Security) *
陆川: "Smart Cities: Overall Planning and Practice from the 'Electronic Information+' Perspective" (《智慧城市"电子信息+"视角下的总体规划与实践》), 30 April 2018 *



Legal Events

Date Code Title Description
2020-08-25 PB01 Publication Application publication date: 20200825
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication