CN112887331A - Bidirectional authentication method, device and equipment between different single sign-on systems - Google Patents


Info

Publication number: CN112887331A
Authority: CN (China)
Legal status: Granted
Application number: CN202110217600.3A
Other languages: Chinese (zh)
Other versions: CN112887331B (en)
Inventors: 孟浩浩, 丁海军, 蔡帅
Current assignee: Zhengcaiyun Co ltd
Original assignee: Zhengcaiyun Co ltd
Events: application filed by Zhengcaiyun Co ltd; priority to CN202110217600.3A; publication of CN112887331A; application granted; publication of CN112887331B; legal status: active.

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security / H04L63/08 ... for authentication of entities
    • H04L63/0815 ... for authentication of entities providing single-sign-on or federations
    • H04L63/0807 ... for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0869 ... for authentication of entities for achieving mutual authentication


Abstract

The application discloses a two-way authentication method between different single sign-on systems. When a target user initiates a login request to a second single sign-on system from a first single sign-on system, the second single sign-on system authenticates the first single sign-on system; in addition, the login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system is obtained, and the first single sign-on system authenticates the second single sign-on system on the basis of that login information. Two-way authentication between the first and second single sign-on systems is thus realized, and authentication efficiency is markedly improved. The application also provides a bidirectional authentication device, equipment and a readable storage medium for use between different single sign-on systems, whose technical effect corresponds to that of the method.

Description

Bidirectional authentication method, device and equipment between different single sign-on systems
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for mutual authentication between different single sign-on systems.
Background
With the rapid development of a company's various lines of business, the limitations of the monolithic development model become more and more apparent, and a distributed system is the better solution for using resources more sensibly and reducing coupling between modules. The drawback of a distributed system, however, is that each system module requiring authorization must be logged in to and logged out of separately, which inevitably harms the user experience.
A Single Sign-On (SSO) system is an implementation in which, in a multi-system scenario, a user logs in only once and is then regarded as logged in by the other systems. At present, single sign-on systems basically adopt a one-way authentication/authorization mode, completing identity authentication from one single sign-on system to another. The traditional single sign-on scheme is therefore not well suited to the business requirement that two different platform systems mutually authenticate/authorize each other.
Disclosure of Invention
The present application aims to provide a method, an apparatus, a device and a readable storage medium for mutual authentication between different single sign-on systems, so as to solve the problem that a scheme for realizing mutual authentication between different single sign-on systems is lacking at present. The specific scheme is as follows:
in a first aspect, the present application provides a method for mutual authentication between different single sign-on systems, including:
receiving first login information submitted by a target user when a first single sign-on system initiates a login request to a second single sign-on system;
converting the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relation to obtain second login information;
sending the second login information to the second single sign-on system so that the second single sign-on system can authenticate the second login information;
receiving an authorization token of the second single sign-on system sent by the second single sign-on system when the second single sign-on system passes the authentication, and sending the authorization token of the second single sign-on system to the first single sign-on system;
acquiring third login information from the second single sign-on system, wherein the third login information is login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system;
according to the account mapping relationship, converting the third login information into login information of the preset user in the first single sign-on system to obtain fourth login information;
sending the fourth login information to the first single sign-on system so that the first single sign-on system can authenticate the fourth login information;
receiving an authorization token of the first single sign-on system sent by the first single sign-on system when the first single sign-on system passes authentication, and caching the authorization token of the first single sign-on system;
and when the preset user initiates a login request to the first single sign-on system at the second single sign-on system, sending the authorization token of the first single sign-on system to the second single sign-on system.
Preferably, the converting, according to a pre-stored account mapping relationship, the first login information into login information of the target user in the second single sign-on system to obtain second login information includes:
decrypting the first login information by adopting a first encryption and decryption algorithm;
converting the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relation to obtain second login information;
and encrypting the second login information by adopting a second encryption and decryption algorithm.
Preferably, the first encryption and decryption algorithm is an encryption and decryption algorithm set by the target user on the first single sign-on system, and the second encryption and decryption algorithm is an encryption and decryption algorithm set by the target user on the second single sign-on system.
Preferably, the account mapping relationship is stored by adopting a cloud storage technology.
Preferably, the target user and the preset user are the same user, and the third login information is equal to the second login information.
Preferably, after the sending the authorization token of the first single sign-on system to the second single sign-on system when the preset user initiates a login request to the first single sign-on system at the second single sign-on system, the method further includes:
and when the first single sign-on system or the second single sign-on system initiates a logout request, invalidating the authorization token of the first single sign-on system and the authorization token of the second single sign-on system.
In a second aspect, the present application provides a bidirectional authentication device between different single sign-on systems, including:
a first login information receiving module, configured to receive first login information submitted by a target user when the first single sign-on system initiates a login request to the second single sign-on system;
a first mapping module, configured to convert the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relationship, to obtain second login information;
a first authentication module, configured to send the second login information to the second single sign-on system so that the second single sign-on system can authenticate the second login information;
a token forwarding module, configured to receive an authorization token of the second single sign-on system sent by the second single sign-on system when authentication passes, and to send the authorization token of the second single sign-on system to the first single sign-on system;
a third login information acquisition module, configured to acquire third login information from the second single sign-on system, wherein the third login information is the login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system;
a second mapping module, configured to convert the third login information into login information of the preset user in the first single sign-on system according to the account mapping relationship, to obtain fourth login information;
a second authentication module, configured to send the fourth login information to the first single sign-on system so that the first single sign-on system can authenticate the fourth login information;
a token cache module, configured to receive an authorization token of the first single sign-on system sent by the first single sign-on system when authentication passes, and to cache the authorization token of the first single sign-on system;
a token sending module, configured to send the authorization token of the first single sign-on system to the second single sign-on system when the preset user initiates a login request to the first single sign-on system at the second single sign-on system.
Preferably, the device further includes:
an invalidation module, configured to invalidate the authorization token of the first single sign-on system and the authorization token of the second single sign-on system when the first single sign-on system or the second single sign-on system initiates a logout request.
In a third aspect, the present application provides a bidirectional authentication device between different single sign-on systems, including:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the above-mentioned two-way authentication method between different single sign-on systems.
In a fourth aspect, the present application provides a readable storage medium having stored thereon a computer program for implementing the method for mutual authentication between different single sign-on systems as described above when executed by a processor.
According to the method for mutual authentication between different single sign-on systems, when a target user initiates a login request to a second single sign-on system at a first single sign-on system, the second single sign-on system authenticates the first single sign-on system; in addition, the login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system is obtained, and the first single sign-on system authenticates the second single sign-on system on the basis of that login information. Mutual authentication between the first and second single sign-on systems is thus realized, and authentication efficiency is remarkably improved.
The application also provides a bidirectional authentication device, equipment and a readable storage medium for use between different single sign-on systems; their technical effect corresponds to that of the method, and the detailed description is omitted here.
Drawings
For a clearer explanation of the embodiments or technical solutions of the prior art of the present application, the drawings needed for the description of the embodiments or prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic diagram of a single sign-on system;
FIG. 2 is a diagram illustrating an authentication process of a single sign-on system;
FIG. 3 is a flowchart of a first embodiment of a method for mutual authentication between different single sign-on systems according to the present disclosure;
FIG. 4 is a software architecture diagram of a single sign-on system provided herein;
FIG. 5 is a schematic process diagram illustrating a second embodiment of a method for mutual authentication between different single sign-on systems according to the present application;
FIG. 6 is a schematic diagram of a one-way authentication process according to a second embodiment of a two-way authentication method between different single sign-on systems provided in the present application;
FIG. 7 is a block diagram of an embodiment of a bidirectional authentication device between different single sign-on systems according to the present disclosure.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The idea and core of a single sign-on system is that, in a platform comprising a plurality of modules, as shown in FIG. 1, a user only needs to log in once; once the single sign-on system has authenticated the user as legitimate, the user can access all mutually trusting modules, and likewise only needs to log out once to clear the login information in all mutually trusting modules. The single sign-on system thus implements identity authentication for login and logout between different modules in one platform; in addition, it can also implement authentication for login and logout between one system and another, the specific authentication process being shown in FIG. 2.
In summary, current single sign-on systems implement authentication between systems inside one platform, or authentication from one system to another system, but cannot implement bidirectional authentication between two or more platforms that are isolated from each other.
To address this problem, the application aims to achieve mutual authentication of login-state identities between different platforms at the system design level, for two or more single sign-on systems.
Referring to fig. 3, a first embodiment of a bidirectional authentication method between different single sign-on systems provided in the present application is described below, where the first embodiment is applied to a cloud account authentication system, and the method includes the following steps:
S101, receiving first login information submitted by a target user when a first single sign-on system initiates a login request to a second single sign-on system;
S102, converting the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relationship, to obtain second login information;
S103, sending the second login information to the second single sign-on system so that the second single sign-on system can authenticate the second login information;
S104, receiving an authorization token of the second single sign-on system sent by the second single sign-on system when authentication passes, and sending the authorization token of the second single sign-on system to the first single sign-on system;
S105, obtaining third login information from the second single sign-on system, wherein the third login information is login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system;
S106, converting the third login information into login information of the preset user in the first single sign-on system according to the account mapping relationship, to obtain fourth login information;
S107, sending the fourth login information to the first single sign-on system so that the first single sign-on system can authenticate the fourth login information;
S108, receiving an authorization token of the first single sign-on system sent by the first single sign-on system when authentication passes, and caching the authorization token of the first single sign-on system;
S109, when the preset user initiates a login request to the first single sign-on system at the second single sign-on system, sending the authorization token of the first single sign-on system to the second single sign-on system.
The embodiment is applied to more than two application clusters, and each application cluster is provided with a single sign-on system. For convenience of description, the present embodiment takes two application clusters (denoted as a first application cluster and a second application cluster) as an example, and details a bidirectional authentication process between different application clusters in a single sign-on system. In this embodiment, the first single sign-on system is a single sign-on system of the first application cluster, and the second single sign-on system is a single sign-on system of the second application cluster.
The single sign-on system is a software system that integrates a single sign-on client and a single sign-on server, as shown in FIG. 4. Hence a single sign-on system can act as the initiator of a login request: it requests an authorization token from the single sign-on system of another application cluster, receives and stores the token, and can then access the service function modules of that application cluster transparently. At the same time, a single sign-on system can also receive the login information sent by the single sign-on system of another application cluster, verify it, generate and distribute an authorization token, and thereafter allow the access operations initiated by that application cluster.
In this embodiment, each single sign-on system is connected to a cloud account authentication system, and the bidirectional authentication process between different single sign-on systems is shown in fig. 5.
In this embodiment, the account mapping relationship between the two application clusters is placed on a storage facility that both parties can access at any time and from any place, such as a shared cloud, a private cloud, a third-party storage provider, or a physical storage cluster approved by both parties. The aim is to use cloud storage technology as the medium for converting login information between the single sign-on systems of different application clusters, so that the conversion can be performed anytime and anywhere. In practice, the cloud storage service can be accessed through a web service application programming interface (API) or through a web user interface to obtain the account mapping relationship.
As a preferred embodiment, to address the security risk to login information introduced by cloud storage, a login information encryption and decryption algorithm that all parties recognise and support may be used. The first single sign-on system encrypts the login information submitted by the user before sending it to the cloud account authentication system; the cloud account authentication system first decrypts the login information, uses the decrypted login information for the mapping, encrypts the mapping result and only then sends it to the second single sign-on system, so that the login information data is never exposed directly.
In summary, the core of the present embodiment mainly has two points: firstly, user login authentication and token authorization of each single sign-on system; and secondly, the cloud account authentication system checks and converts the accounts of different systems.
User login authentication and token authorization: when a user in the first application cluster requests access to the second application cluster for the first time, (1) the first single sign-on system initiates a login request to the second single sign-on system: the cloud account authentication system converts the login information (account name and password information) submitted by the user on the first single sign-on system side according to the account mapping relationship and sends the converted login information to the second single sign-on system; the second single sign-on system authenticates it and, if authentication passes, generates an authorization token of the second single sign-on system and sends it to the first single sign-on system through the cloud account authentication system; (2) the second single sign-on system initiates a login request to the first single sign-on system: the cloud account authentication system converts the login information on the second single sign-on system side according to the account mapping relationship and sends the converted login information to the first single sign-on system; the first single sign-on system authenticates it and, if authentication passes, generates an authorization token of the first single sign-on system, which is cached in the cloud account authentication system.
Two-way authentication between the first and second single sign-on systems is thereby completed. When the first application cluster accesses an application system under the second application cluster, the account authentication system of the second application cluster (that is, the second single sign-on system) treats the holder of the authorization token as a logged-in user; when the user logs out, the authorization token is disabled, and any later access to an application system under the second application cluster with that token is treated as an illegal/unregistered state. Similarly, when the second application cluster accesses an application system under the first application cluster, it first obtains the authorization token cached in the cloud account authentication system; the account authentication system of the first application cluster (that is, the first single sign-on system) treats the holder of that token as a logged-in user, logout disables the token, and any later access to an application system under the first application cluster with that token is treated as an illegal/unregistered state.
In this embodiment, the authorization token is simply an authorization credential of the system, typically a string of random characters, used to identify the user holding it as a legitimately logged-in user.
Cloud account authentication and conversion system: exploiting the fact that cloud storage is not limited by the geographical location of a physical machine, the account conversion rules and correspondences of different application clusters are stored where both sides can access them without restriction of time or place. This component mainly performs account mapping and conversion at any time and in any place, laying the groundwork for bidirectional authentication and authorization among the single sign-on systems of different application clusters.
It should be noted that, in some specific embodiments, the target user and the preset user may be the same user, and at this time, the third login information is equal to the second login information.
This embodiment provides a bidirectional authentication method among different single sign-on systems, that is, a technical scheme for bidirectional authentication of login-state information that addresses the limited application scenarios of existing single sign-on schemes. When a target user initiates a login request to a second single sign-on system at a first single sign-on system, the second single sign-on system authenticates the first single sign-on system; the login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system is also obtained, and the first single sign-on system authenticates the second single sign-on system on the basis of that login information. Two-way authentication between the first and second single sign-on systems is thus realized, and authentication efficiency is remarkably improved.
The second embodiment of the bidirectional authentication method between different single sign-on systems provided by the present application is described in detail below, and is implemented based on the first embodiment, and is expanded to a certain extent based on the first embodiment.
For single sign-on systems across application clusters, and especially for single sign-on systems of different companies or entities, this embodiment uses a cloud account authentication system based on cloud storage technology to implement bidirectional authentication. The cloud account authentication system maintains the login account mapping relationship among different application clusters in the cloud, so that the mapping is not limited by the location of the machine that stores the accounts or by the complicated access authorization of each application cluster; querying and obtaining the mapping relationship goes through a unified return value that the cloud provides to every application cluster, which also eases system maintenance and horizontal scaling.
Specifically, there are various ways to maintain the account mapping relationship between different application clusters, such as an account mapping table, a global unique ID mapping table, an account hash information table with an identifier, and the like, and the simplest is to maintain a mapping relationship table between an account a of the system 1 and an account a1 of the system 2, as shown in table 1:
TABLE 1 (mapping table between account a of system 1 and account a1 of system 2; reproduced in the original as an image, not shown here)
The information interaction between the cloud account authentication system and the single sign-on systems mainly comprises transmission of login information, its decryption, account mapping, encryption, and transmission of authorization token information; the one-way authentication process is shown in FIG. 6, and the authentication process in the other direction is not shown here. The cloud account authentication system mainly solves the problem of the login information conversion path and the authorization path between different application clusters, allows the login information mapping between two or more parties to be carried out anytime and anywhere, greatly reduces login information maintenance cost and deployment cost, and at the same time reduces the complexity of the technical design.
On the basis of the first embodiment, this embodiment adopts an encryption and decryption algorithm. Specifically, each single sign-on system may set a default encryption/decryption algorithm and may also offer several alternative encryption/decryption algorithms for the user to choose from. When the account mapping relationship is maintained, the encryption/decryption algorithm the user selected in each single sign-on system can be maintained alongside it.
In this embodiment, each application cluster is further provided with an account authentication system that can check a token and determine its validity. When an application system of an application cluster receives an access request, it identifies and extracts the token and, by communicating with the account authentication system of its own cluster, automatically determines whether the current user is a logged-in user. Therefore, after S104 of the first embodiment, the following process may be carried out: the first single sign-on system sends an access request to an application system of the second application cluster, and that application system identifies and extracts the authorization token of the second single sign-on system; the second application cluster verifies the validity of the authorization token with its own account authentication system; if verification passes, processing of the access request continues, and if it fails, the access request is rejected.
In addition, after the bidirectional authentication between the first and second single sign-on systems has been completed, if either single sign-on system issues a logout request, the previously generated authorization tokens of both the first single sign-on system and the second single sign-on system are invalidated, so that a logout on one side does not leave a usable login state on the other.
In this embodiment, bidirectional authentication between the two application clusters lets a user log in once and be treated as logged in across the application systems of both clusters; each application system of the two clusters can be regarded as a logged-in business scenario. A specific application scenario is as follows: the login systems of platform A and platform B are connected, so that, without changing the account and password of the business-side system, a user of platform B who has completed login on the intranet can log in to platform A and query or operate the function modules authorized by platform A without any additional operation; likewise, under special conditions, platform A can be allowed, after its own login is completed, to set the login state in the internal systems of platform B and then view or operate the authorized internal function modules of platform B.
It can be seen that the bidirectional authentication method between different single sign-on systems provided in this embodiment offers a complete solution for bidirectional identity authentication and login-state authorization between different application clusters. By using cloud storage technology, the mapping and conversion of account relationships between different application clusters are no longer constrained by geographic and physical factors, so that account query, authentication and authorization can be performed anytime and anywhere.
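The whole procedure of this embodiment (decrypting the login information with the source system's selected algorithm, mapping the account, encrypting for the partner system, the partner authenticating and issuing a token, caching the token, the receiving application cluster checking it, and invalidating both tokens on logout), which claims 1 to 6 below restate, as a runnable toy in Python. This is an added example and not the applicant's code or anything the patent discloses. Everything concrete in it is this example's own choice: the class and function names, an HMAC-protected SHAKE keystream standing in for each system's "encryption/decryption algorithm" (a real deployment would use an authenticated cipher such as AES-GCM), the assumption that an account mapping record also stores the partner system's credential for the mapped account, the in-memory token stores, and the check of the submitted credential against the source system before the mapping is consulted, which the claims do not spell out.

```python
import hashlib
import hmac
import secrets


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(key + nonce).digest(len(data))  # keystream from key and nonce
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a system's selected algorithm: nonce || keystream XOR || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("login information failed integrity check")
    return _xor(key, nonce, ct)


def _h(pw: str) -> str:  # toy password hash; a real account store uses a salted KDF
    return hashlib.sha256(pw.encode()).hexdigest()


class SsoSystem:
    def __init__(self, key: bytes, accounts: dict[str, str]):
        self.key = key  # this system's selected encryption/decryption key
        self.accounts = {u: _h(p) for u, p in accounts.items()}
        self.tokens: dict[str, str] = {}  # authorization token -> username

    def check(self, user: str, pw: str) -> bool:
        return hmac.compare_digest(self.accounts.get(user, ""), _h(pw))

    def authenticate(self, sealed_login: bytes) -> str:
        """Authenticate 'user:password' sealed under this system's key; issue a token."""
        user, _, pw = unseal(self.key, sealed_login).decode().partition(":")
        if not self.check(user, pw):
            raise PermissionError(f"login rejected for {user}")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = user
        return tok

    def verify_token(self, tok: str) -> bool:
        return tok in self.tokens


class CloudAccountAuth:
    """Cloud account authentication system: account mapping plus token cache. Assumption:
    a mapping record also stores the partner system's credential for the mapped account."""
    def __init__(self, systems: dict[str, SsoSystem], mapping: dict):
        self.systems, self.mapping = systems, mapping  # (sys, user) -> (sys', user', pw')
        self.cache: dict[tuple[str, str], str] = {}    # (issuing sys, user) -> token

    def login_across(self, src: str, sealed_login: bytes) -> str:
        """One direction: decrypt with the source algorithm, map, re-encrypt for the partner,
        let the partner authenticate, then cache and return the partner's token."""
        s = self.systems[src]
        user, _, pw = unseal(s.key, sealed_login).decode().partition(":")
        if not s.check(user, pw):  # added check: verify the source credential before mapping
            raise PermissionError(f"{src}: bad credentials for {user}")
        dst_name, dst_user, dst_pw = self.mapping[(src, user)]
        d, cached = self.systems[dst_name], self.cache.get((dst_name, dst_user))
        if cached and d.verify_token(cached):  # token cache: reuse while still valid
            return cached
        tok = d.authenticate(seal(d.key, f"{dst_user}:{dst_pw}".encode()))
        self.cache[(dst_name, dst_user)] = tok
        return tok

    def logout(self, sys_name: str, user: str) -> None:
        """A logout request from either side invalidates both systems' tokens."""
        for key in ((sys_name, user), self.mapping[(sys_name, user)][:2]):
            self.systems[key[0]].tokens.pop(self.cache.pop(key, None), None)


def handle_app_request(cluster_sso: SsoSystem, headers: dict[str, str]) -> int:
    """Application system: check the bearer token with its cluster's account authentication."""
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    return 200 if scheme == "Bearer" and tok and cluster_sso.verify_token(tok) else 401


def demo() -> dict:
    a = SsoSystem(secrets.token_bytes(32), {"alice": "pw-a"})  # constructed sample data
    b = SsoSystem(secrets.token_bytes(32), {"alice.b": "pw-b"})
    cloud = CloudAccountAuth({"A": a, "B": b}, {("A", "alice"): ("B", "alice.b", "pw-b"),
                                               ("B", "alice.b"): ("A", "alice", "pw-a")})
    tok_b = cloud.login_across("A", seal(a.key, b"alice:pw-a"))    # A -> B direction
    tok_a = cloud.login_across("B", seal(b.key, b"alice.b:pw-b"))  # B -> A direction
    before = (handle_app_request(b, {"Authorization": "Bearer " + tok_b}),
              handle_app_request(a, {"Authorization": "Bearer " + tok_a}))
    cloud.logout("A", "alice")  # a logout on one side invalidates both tokens
    after = (handle_app_request(b, {"Authorization": "Bearer " + tok_b}),
             handle_app_request(a, {"Authorization": "Bearer " + tok_a}))
    return {"before": before, "after": after}
```

Calling demo() returns {'before': (200, 200), 'after': (401, 401)}: after the A to B and B to A logins each cluster's application system accepts the partner-issued token, and the single logout on platform A leaves neither token usable. A repeated login from the same account returns the cached token as long as the issuing system still recognises it, which is the token cache module's behaviour. The source-credential check is the one step worth carrying into a real implementation even though the claims leave it unstated: without it, the mapping table alone would decide which partner session a caller obtains.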
In the following, the bidirectional authentication device between different single sign-on systems provided in the embodiments of the present application is introduced; the device described below and the method described above correspond to each other and may be read together.
The mutual authentication device between different single sign-on systems of this embodiment includes:
the first login information receiving module: configured to receive first login information submitted by a target user when the first single sign-on system initiates a login request to the second single sign-on system;
a first mapping module: configured to convert the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relationship, to obtain second login information;
a first authentication module: configured to send the second login information to the second single sign-on system so that the second single sign-on system can authenticate the second login information;
a token forwarding module: configured to receive the authorization token of the second single sign-on system sent by the second single sign-on system when its authentication passes, and to send the authorization token of the second single sign-on system to the first single sign-on system;
a third login information acquisition module: configured to acquire third login information from the second single sign-on system, the third login information being the login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system;
a second mapping module: configured to convert the third login information into login information of the preset user in the first single sign-on system according to the account mapping relationship, to obtain fourth login information;
a second authentication module: configured to send the fourth login information to the first single sign-on system so that the first single sign-on system can authenticate the fourth login information;
a token cache module: configured to receive the authorization token of the first single sign-on system sent by the first single sign-on system when its authentication passes, and to cache the authorization token of the first single sign-on system;
a token sending module: configured to send the authorization token of the first single sign-on system to the second single sign-on system when the preset user initiates a login request to the first single sign-on system at the second single sign-on system.
The bidirectional authentication device between different single sign-on systems of this embodiment is used to implement the aforementioned bidirectional authentication method between different single sign-on systems, so the specific implementation manner of the device can be found in the foregoing embodiment section of the bidirectional authentication method between different single sign-on systems, and the role of the device corresponds to that of the above method, and is not described again here.
In addition, the present application further provides a bidirectional authentication device between different single sign-on systems, as shown in fig. 7, including:
the memory 100: for storing a computer program;
the processor 200: for executing the computer program to implement the method for mutual authentication between different single sign-on systems as described above.
Finally, the present application provides a readable storage medium having stored thereon a computer program for implementing a method of mutual authentication between different single sign-on systems as described above when executed by a processor.
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is kept brief, and the relevant points can be found in the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The solutions provided in the present application have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present application, and the description of these examples is intended only to help in understanding the method of the present application and its core ideas. At the same time, a person skilled in the art may, following the ideas of the present application, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A mutual authentication method between different single sign-on systems is characterized by comprising the following steps:
receiving first login information submitted by a target user when a first single sign-on system initiates a login request to a second single sign-on system;
converting the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relation to obtain second login information;
sending the second login information to the second single sign-on system so that the second single sign-on system can authenticate the second login information;
receiving an authorization token of the second single sign-on system sent by the second single sign-on system when the second single sign-on system passes the authentication, and sending the authorization token of the second single sign-on system to the first single sign-on system;
acquiring third login information from the second single sign-on system, wherein the third login information is login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system;
according to the account mapping relationship, converting the third login information into login information of the preset user in the first single sign-on system to obtain fourth login information;
sending the fourth login information to the first single sign-on system so that the first single sign-on system can authenticate the fourth login information;
receiving an authorization token of the first single sign-on system sent by the first single sign-on system when the first single sign-on system passes authentication, and caching the authorization token of the first single sign-on system;
and when the preset user initiates a login request to the first single sign-on system at the second single sign-on system, sending the authorization token of the first single sign-on system to the second single sign-on system.
2. The method according to claim 1, wherein the converting the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relationship to obtain second login information comprises:
decrypting the first login information by adopting a first encryption and decryption algorithm;
converting the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relation to obtain second login information;
and encrypting the second login information by adopting a second encryption and decryption algorithm.
3. The method of claim 2, wherein the first encryption/decryption algorithm is an encryption/decryption algorithm set by the target user at the first single sign-on system, and wherein the second encryption/decryption algorithm is an encryption/decryption algorithm set by the target user at the second single sign-on system.
4. The method of claim 1, wherein the account mapping relationship is stored using cloud storage technology.
5. The method of claim 1, wherein the target user is the same user as the predetermined user, and the third login information is equal to the second login information.
6. The method of any one of claims 1-5, wherein after sending the authorization token of the first single sign-on system to the second single sign-on system when the predetermined user initiates a login request to the first single sign-on system at the second single sign-on system, further comprising:
and when the first single sign-on system or the second single sign-on system initiates a logout request, invalidating the authorization token of the first single sign-on system and the authorization token of the second single sign-on system.
7. A mutual authentication device between different single sign-on systems, comprising:
the first login information receiving module: configured to receive first login information submitted by a target user when the first single sign-on system initiates a login request to the second single sign-on system;
a first mapping module: configured to convert the first login information into login information of the target user in the second single sign-on system according to a pre-stored account mapping relationship, to obtain second login information;
a first authentication module: configured to send the second login information to the second single sign-on system so that the second single sign-on system can authenticate the second login information;
a token forwarding module: configured to receive the authorization token of the second single sign-on system sent by the second single sign-on system when the second single sign-on system passes authentication, and to send the authorization token of the second single sign-on system to the first single sign-on system;
a third login information acquisition module: configured to acquire third login information from the second single sign-on system, the third login information being the login information submitted by a preset user when the second single sign-on system initiates a login request to the first single sign-on system;
a second mapping module: configured to convert the third login information into login information of the preset user in the first single sign-on system according to the account mapping relationship, to obtain fourth login information;
a second authentication module: configured to send the fourth login information to the first single sign-on system so that the first single sign-on system can authenticate the fourth login information;
a token cache module: configured to receive the authorization token of the first single sign-on system sent by the first single sign-on system when the first single sign-on system passes authentication, and to cache the authorization token of the first single sign-on system;
a token sending module: configured to send the authorization token of the first single sign-on system to the second single sign-on system when the preset user initiates a login request to the first single sign-on system at the second single sign-on system.
8. The apparatus of claim 7, further comprising:
an invalidation module: configured to invalidate the authorization token of the first single sign-on system and the authorization token of the second single sign-on system when the first single sign-on system or the second single sign-on system initiates a logout request.
9. A mutual authentication device between different single sign-on systems, comprising:
a memory: for storing a computer program;
a processor: for executing said computer program for implementing a method of mutual authentication between different single sign-on systems as claimed in any of claims 1 to 6.
10. A readable storage medium, having stored thereon a computer program for implementing a method of mutual authentication between different single sign-on systems as claimed in any one of claims 1 to 6 when executed by a processor.
CN202110217600.3A 2021-02-26 2021-02-26 Bidirectional authentication method, device and equipment between different single sign-on systems Active CN112887331B (en)

Publications (2)

Publication Number Publication Date
CN112887331A 2021-06-01
CN112887331B 2022-07-08

Family ID 76054810
Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20090046407A * 2007-11-06 2009-05-11 한국전자통신연구원 Method and system for serving single sign on
CN101222335A * 2008-02-02 2008-07-16 国电信息中心 Cascade authentication method and device between application systems
CN105450637A * 2015-11-09 2016-03-30 歌尔声学股份有限公司 Single sign-on method and device for multiple application systems
US20170346851A1 * 2016-05-30 2017-11-30 Christopher Nathan Tyrwhitt Drake Mutual authentication security system with detection and mitigation of active man-in-the-middle browser attacks, phishing, and malware and other security improvements
CN105959311A * 2016-07-04 2016-09-21 天闻数媒科技(湖南)有限公司 Single sign-on method and device for an application system
CN107454077A * 2017-08-01 2017-12-08 北京迪曼森科技有限公司 Single sign-on method based on IKI identity authentication
CN109639433A * 2018-12-05 2019-04-16 珠海格力电器股份有限公司 Method, storage medium and processor for mutual authorization between multiple system accounts
CN110034933A * 2018-12-25 2019-07-19 ***股份有限公司 Inter-system user mutual-trust authentication method and authentication system
CN110519296A * 2019-09-17 2019-11-29 焦点科技股份有限公司 Single sign-on and sign-out method for heterogeneous web systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王川 et al. (Wang Chuan et al.): 基于跨平台域用户单点登录功能的设计和实现 (Design and implementation of a cross-platform domain user single sign-on function), 《数字通信世界》 (Digital Communication World) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant