CN113420282A - Cross-site single sign-on method and device - Google Patents


Publication number: CN113420282A
Authority: CN (China)
Prior art keywords: site, user, certificate, single sign, user information
Legal status: Granted
Application number: CN202110657473.9A
Other languages: Chinese (zh)
Other versions: CN113420282B (en)
Inventor: 张康
Current assignee: Jinan Inspur Data Technology Co Ltd
Original assignee: Jinan Inspur Data Technology Co Ltd

Classifications

    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G06F21/33 User authentication using certificates
    • (both under G06F21/31 User authentication; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)


Abstract

The invention discloses a cross-site single sign-on method and device. The method comprises the following steps: synchronizing user information from a first site to a second site, and parsing the user information at the second site to create or update the user corresponding to it; generating a dedicated certificate for the user at the second site based on the user information, the dedicated certificate storing the user information, and guiding the user to import and activate it; receiving, by the first site, the activated dedicated certificate and a request for a login credential from the user, and sending a single sign-on credential from the first site to the user in response to the first site successfully verifying the dedicated certificate; and receiving, by the second site, the activated dedicated certificate and the single sign-on credential from the user, and completing the single sign-on through a user session generated by the second site in response to the second site successfully verifying both the dedicated certificate and the single sign-on credential. The method and device reduce the probability of attack in a single sign-on scenario without changing the single sign-on credential mechanism, and improve system security.

Description

Cross-site single sign-on method and device
Technical Field
The present invention relates to the field of network security, and more particularly, to a cross-site single sign-on method and apparatus.
Background
The present invention relates to session-based single sign-on and certificate authentication. In general, each individual system has its own security system and identity authentication system. As the number of in-house business application systems grows, a given in-house user holds several accounts across different business application systems, and switching between them requires repeated logins and logouts, which is cumbersome. This not only makes management difficult but also introduces serious security risks. Single sign-on schemes were developed in response, but in terms of security, the single sign-on used in the market today, and in older projects in particular, relies on the limited lifetime of the Ticket (single sign-on credential) to stay secure: once someone hijacks the Ticket, the attacker can use it to log in to the system, which creates a security problem. And for older projects, introducing a new technology to solve single sign-on increases the amount of modification required.
There is currently no effective solution to the problem of security risks caused by hijacking of single sign-on credentials in the prior art.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a cross-site single sign-on method and apparatus that reduce the probability of attack in a single sign-on scenario without changing the single sign-on credential, and improve system security.
Based on the above object, a first aspect of the embodiments of the present invention provides a cross-site single sign-on method, including the following steps:
synchronizing user information from a first site to a second site, and parsing the user information at the second site to create or update the user corresponding to it;
generating a dedicated certificate for the user at the second site based on the user information, the dedicated certificate storing the user information, and guiding the user to import and activate it;
receiving, by the first site, the activated dedicated certificate and a request for a login credential from the user, and sending a single sign-on credential from the first site to the user in response to the first site successfully verifying the dedicated certificate;
receiving, by the second site, the activated dedicated certificate and the single sign-on credential from the user, and completing the single sign-on through a user session generated by the second site in response to the second site successfully verifying both the dedicated certificate and the single sign-on credential.
In some embodiments, synchronizing the user information from the first site to the second site includes at least one of:
in response to determining that user information in the first site has changed, synchronizing the changed user information to the second site in real time through a message interface;
every first synchronization period, synchronizing the changes to the first site's user information during that period to the second site through a file, and updating the user information at the second site with whichever of those changes were not already synchronized in real time;
every second synchronization period, synchronizing all of the first site's user information to the second site through a file and updating the user information at the second site by overwriting it, where the second synchronization period is longer than the first.
In some embodiments, guiding the user to import and activate the dedicated certificate includes: guiding the user to import the dedicated certificate into the certificate manager of the user's browser and restarting the browser to activate the dedicated certificate;
receiving, by the first site, the activated dedicated certificate and a login credential request from the user includes: the user sending the login credential request to the first site using the browser;
receiving, by the second site, the activated dedicated certificate and the single sign-on credential from the user includes: the user sending the single sign-on credential to the second site using the browser.
In some embodiments, successful verification of the dedicated certificate by the first site or the second site includes verifying at least one of: whether the dedicated certificate exists, whether the user's identity matches the user information carried in the dedicated certificate, whether the user's identity is legal in the system, and whether the user information carried in the dedicated certificate is correct.
In some embodiments, the second site successfully verifying the dedicated certificate and the single sign-on credential includes: the second site first verifies the dedicated certificate and goes on to verify the single sign-on credential only in response to the dedicated certificate verifying successfully; in response to the dedicated certificate failing verification, verification stops immediately.
In some embodiments, the method further includes: the second site also updating the dedicated certificate for the user when the user information changes; after having imported and activated the dedicated certificate, the user imports and activates the updated dedicated certificate again.
In some embodiments, the single sign-on credential carries the user's login information in encrypted form, the login information including a username, an account number, and a password.
In some embodiments, the single sign-on credential has a valid lifetime, and successful verification of the single sign-on credential by the second site includes: the second site decrypting the single sign-on credential, confirming that the login information stored in it is correct, and confirming that the single sign-on credential is still within its valid lifetime at the time it is verified.
In some embodiments, the method further includes: in response to the user determining that the single sign-on credential's valid lifetime has expired, resending the activated dedicated certificate and the request for a login credential to the first site to obtain a single sign-on credential with a fresh valid lifetime.
A second aspect of an embodiment of the present invention provides an apparatus, including:
a processor; and
a controller storing program code executable by the processor, the processor performing the following steps when executing the program code:
synchronizing user information from a first site to a second site, and parsing the user information at the second site to create or update the user corresponding to it;
generating a dedicated certificate for the user at the second site based on the user information, the dedicated certificate storing the user information, and guiding the user to import and activate it;
receiving, by the first site, the activated dedicated certificate and a request for a login credential from the user, and sending a single sign-on credential from the first site to the user in response to the first site successfully verifying the dedicated certificate;
receiving, by the second site, the activated dedicated certificate and the single sign-on credential from the user, and completing the single sign-on through a user session generated by the second site in response to the second site successfully verifying both the dedicated certificate and the single sign-on credential.
In some embodiments, synchronizing the user information from the first site to the second site includes at least one of:
in response to determining that user information in the first site has changed, synchronizing the changed user information to the second site in real time through a message interface;
every first synchronization period, synchronizing the changes to the first site's user information during that period to the second site through a file, and updating the user information at the second site with whichever of those changes were not already synchronized in real time;
every second synchronization period, synchronizing all of the first site's user information to the second site through a file and updating the user information at the second site by overwriting it, where the second synchronization period is longer than the first.
In some embodiments, guiding the user to import and activate the dedicated certificate includes: guiding the user to import the dedicated certificate into the certificate manager of the user's browser and restarting the browser to activate the dedicated certificate;
receiving, by the first site, the activated dedicated certificate and a login credential request from the user includes: the user sending the login credential request to the first site using the browser;
receiving, by the second site, the activated dedicated certificate and the single sign-on credential from the user includes: the user sending the single sign-on credential to the second site using the browser.
In some embodiments, successful verification of the dedicated certificate by the first site or the second site includes verifying at least one of: whether the dedicated certificate exists, whether the user's identity matches the user information carried in the dedicated certificate, whether the user's identity is legal in the system, and whether the user information carried in the dedicated certificate is correct.
In some embodiments, the second site successfully verifying the dedicated certificate and the single sign-on credential includes: the second site first verifies the dedicated certificate and goes on to verify the single sign-on credential only in response to the dedicated certificate verifying successfully; in response to the dedicated certificate failing verification, verification stops immediately.
In some embodiments, the steps further include: the second site also updating the dedicated certificate for the user when the user information changes; after having imported and activated the dedicated certificate, the user imports and activates the updated dedicated certificate again.
In some embodiments, the single sign-on credential carries the user's login information in encrypted form, the login information including a username, an account number, and a password.
In some embodiments, the single sign-on credential has a valid lifetime, and successful verification of the single sign-on credential by the second site includes: the second site decrypting the single sign-on credential, confirming that the login information stored in it is correct, and confirming that the single sign-on credential is still within its valid lifetime at the time it is verified.
In some embodiments, the steps further include: in response to the user determining that the single sign-on credential's valid lifetime has expired, resending the activated dedicated certificate and the request for a login credential to the first site to obtain a single sign-on credential with a fresh valid lifetime.
The invention has the following beneficial technical effects. According to the cross-site single sign-on method and device provided by the embodiments of the invention, user information is synchronized from the first site to the second site and parsed at the second site to create or update the corresponding user; a dedicated certificate storing the user information is generated for the user at the second site, and the user is guided to import and activate it; the first site receives the activated dedicated certificate and a request for a login credential from the user and sends a single sign-on credential to the user once it has successfully verified the dedicated certificate; and the second site receives the activated dedicated certificate and the single sign-on credential from the user and, once it has successfully verified both, completes the single sign-on through a user session it generates. With this technical scheme the probability of the single sign-on scenario being attacked is reduced without changing the single sign-on credential mechanism, and system security is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a cross-site single sign-on method provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all uses of "first" and "second" in the embodiments of the present invention serve to distinguish two entities that share a name but are not the same entity or have different parameters; "first" and "second" are used merely for convenience of description and should not be construed as limiting the embodiments of the present invention, and they are not explained again in the following embodiments.
In view of the foregoing, a first aspect of the embodiments of the present invention provides an embodiment of a cross-site single sign-on method that reduces the probability of the single sign-on scenario being attacked without changing the single sign-on credential, and improves system security. Fig. 1 is a schematic flowchart of the cross-site single sign-on method provided by the present invention.
As shown in fig. 1, the cross-site single sign-on method includes the following steps:
step S101, synchronizing user information from a first site to a second site, and parsing the user information at the second site to create or update the user corresponding to it;
step S103, generating a dedicated certificate for the user at the second site based on the user information, the dedicated certificate storing the user information, and guiding the user to import and activate it;
step S105, receiving, by the first site, the activated dedicated certificate and a login credential request from the user, and sending a single sign-on credential from the first site to the user in response to the first site successfully verifying the dedicated certificate;
step S107, receiving, by the second site, the activated dedicated certificate and the single sign-on credential from the user, and completing the single sign-on through a user session generated by the second site in response to the second site successfully verifying both the dedicated certificate and the single sign-on credential.
The invention provides a scheme in which single sign-on and certificate authentication run side by side on top of a Session mechanism. The technique is divided into a single sign-on scheme and a certificate authentication scheme, both based on the Session mechanism. The combined scheme mainly comprises user information synchronization, Ticket generation, certificate download, certificate verification, Ticket verification, and acquisition and encapsulation of the user's Session information. First, the third-party system synchronizes to this system the user information of the users allowed to perform single sign-on; this system stores the synchronized user information and creates the users. This system then generates a dedicated certificate for each user and provides a download path to users who need single sign-on; the user imports the certificate into the browser's certificate manager and restarts the browser so that the certificate takes effect. Next, when a third-party system user performs the Ticket acquisition operation, the request carries the certificate that was issued to the user and imported into the browser, and the certificate is verified: without a certificate, the Ticket cannot be acquired; if the certificate verifies successfully, the Ticket is acquired normally. Once the user holds the Ticket, the user presents both the Ticket and the local certificate to perform single sign-on. During single sign-on the certificate is checked first: if the certificate check fails, the Ticket check is not performed; if the certificate check succeeds, the Ticket check follows. After the Ticket verifies successfully, the user's information is retrieved, a Session is generated and the information is stored in it, and the user is redirected to the system, completing the single sign-on.
Running single sign-on and certificate verification side by side greatly enhances the security of the system and reduces the probability of the single sign-on scenario being attacked.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like. Embodiments of the computer program may achieve the same or similar effects as any of the preceding method embodiments to which it corresponds.
In some embodiments, synchronizing the user information from the first site to the second site includes at least one of:
in response to determining that user information in the first site has changed, synchronizing the changed user information to the second site in real time through a message interface;
every first synchronization period, synchronizing the changes to the first site's user information during that period to the second site through a file, and updating the user information at the second site with whichever of those changes were not already synchronized in real time;
every second synchronization period, synchronizing all of the first site's user information to the second site through a file and updating the user information at the second site by overwriting it, where the second synchronization period is longer than the first.
In some embodiments, guiding the user to import and activate the dedicated certificate includes: guiding the user to import the dedicated certificate into the certificate manager of the user's browser and restarting the browser to activate the dedicated certificate;
receiving, by the first site, the activated dedicated certificate and a login credential request from the user includes: the user sending the login credential request to the first site using the browser;
receiving, by the second site, the activated dedicated certificate and the single sign-on credential from the user includes: the user sending the single sign-on credential to the second site using the browser.
In some embodiments, successful verification of the dedicated certificate by the first site or the second site includes verifying at least one of: whether the dedicated certificate exists, whether the user's identity matches the user information carried in the dedicated certificate, whether the user's identity is legal in the system, and whether the user information carried in the dedicated certificate is correct.
In some embodiments, the second site successfully verifying the dedicated certificate and the single sign-on credential includes: the second site first verifies the dedicated certificate and goes on to verify the single sign-on credential only in response to the dedicated certificate verifying successfully; in response to the dedicated certificate failing verification, verification stops immediately.
The various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
In some embodiments, the method further includes: the second site also updating the dedicated certificate for the user when the user information changes; after having imported and activated the dedicated certificate, the user imports and activates the updated dedicated certificate again.
In some embodiments, the single sign-on credential carries the user's login information in encrypted form, the login information including a username, an account number, and a password.
In some embodiments, the single sign-on credential has a valid lifetime, and successful verification of the single sign-on credential by the second site includes: the second site decrypting the single sign-on credential, confirming that the login information stored in it is correct, and confirming that the single sign-on credential is still within its valid lifetime at the time it is verified.
In some embodiments, the method further includes: in response to the user determining that the single sign-on credential's valid lifetime has expired, resending the activated dedicated certificate and the request for a login credential to the first site to obtain a single sign-on credential with a fresh valid lifetime.
The computer-readable storage media (e.g., memory) described herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
The following further illustrates embodiments of the invention with specific examples. The embodiments can be explained in terms of six aspects: user information synchronization, Ticket acquisition, certificate verification, Ticket verification, certificate management and Session generation.
User information synchronization mainly uses interface integration to obtain, from the third-party system, the user information of the users who need single sign-on, and stores it in this system's database. Existing Session-based single sign-on schemes generally rely on the limited lifetime of the Ticket for security; the Ticket lifetime is usually set to one minute, and a fresh Ticket must be obtained for the next single sign-on. Although this avoids most attacks, a large gap remains. Therefore, a certificate is issued to each user; the user imports the certificate into the browser, and the certificate is presented for verification during single sign-on. Ticket acquisition and Ticket verification run in parallel with certificate verification: the local certificate is verified first during both Ticket acquisition and Ticket verification, and if no local certificate is present, neither Ticket acquisition nor Ticket verification proceeds. This prevents the Ticket acquisition service from being attacked from outside and prevents an attacker who has hijacked a Ticket from using it to log in to the system. The security of cross-site single sign-on is greatly improved as a result. If verification fails, the single sign-on fails; once both the Ticket and the certificate verify successfully, a Session is generated, the user's information and whatever a normal login would store in the Session are retrieved and stored in it, and the user is redirected to the system's home page, completing the single sign-on.
This cross-site login optimization scheme, based on Session single sign-on and certificate authentication, adds verification of the user's personal dedicated certificate to both Ticket verification and Ticket acquisition, preventing Ticket hijacking attacks and attacks on the Ticket acquisition service. The optimization strengthens software security from both the development perspective and the user's perspective, protects the user's personal assets, and substantially secures Session-based cross-site single sign-on, providing better assurance for users.
Specifically, the user synchronization service comprises real-time user synchronization, daily incremental synchronization and monthly full synchronization. Under this triple guarantee the users are guaranteed to be present in this system; synchronization runs between this system and the third-party system's users and may be bidirectional, and once it completes, a user that does not yet exist in this system is created. The third-party system synchronizes user information to this system through real-time synchronization, daily incremental file synchronization and monthly full file synchronization; this system parses the user information and stores it in its database so that each user becomes an operable user in this system. Real-time user synchronization uses a message interface: when a user is added, deleted or modified, a synchronization operation is triggered that pushes the user information to this system. Daily incremental synchronization sends the user information added, modified and deleted that day to this system; this system checks whether each item has already been synchronized in real time and, if not, applies the remaining changes. Monthly full synchronization sends all user information requiring single sign-on to this system as a file; this system parses the file and overwrites its locally stored copy of the third party's single sign-on users. Together these three modes guarantee the correctness of the user information to the greatest extent possible.
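As an added example (not code from the patent), the following Python models the three synchronization tiers just described: the real-time message path, the daily increment file that fills in only what real time missed, and the monthly full file that overwrites the local copy. The per-change sequence number it relies on to decide whether a daily-file entry was already synchronized, and the sample users, are assumptions, since the description does not say how that judgement is made.

```python
from dataclasses import dataclass, field


@dataclass
class Change:
    """One change to the first site's user information (constructed format)."""
    seq: int          # assumption: the first site numbers its changes monotonically
    op: str           # "add", "modify" or "delete"
    user: dict        # the user information; a delete only needs "username"


@dataclass
class UserStore:
    """The second site's copy of the synchronized user information."""
    users: dict = field(default_factory=dict)
    applied: set = field(default_factory=set)   # seq numbers already synchronized
    high_water: int = 0                         # highest seq covered by the last full file

    def _apply(self, change: Change) -> None:
        name = change.user["username"]
        if change.op == "delete":
            self.users.pop(name, None)
        elif change.op in ("add", "modify"):
            self.users[name] = dict(change.user)   # create or update the user
        else:
            raise ValueError(f"unknown op {change.op!r}")
        self.applied.add(change.seq)

    def realtime(self, change: Change) -> None:
        """Message-interface path: a change is applied as soon as it arrives."""
        self._apply(change)

    def daily_increment(self, changes: list) -> list:
        """Daily file: apply only the changes the real-time path did not deliver."""
        filled = []
        for ch in sorted(changes, key=lambda c: c.seq):
            if ch.seq in self.applied or ch.seq <= self.high_water:
                continue          # already synchronized in real time or by a full file
            self._apply(ch)
            filled.append(ch.seq)
        return filled

    def monthly_full(self, records: list, through_seq: int) -> list:
        """Monthly full file: overwrite the local copy with the first site's full set."""
        self.users = {r["username"]: dict(r) for r in records}
        self.high_water = max(self.high_water, through_seq)
        return sorted(self.users)


def demo() -> dict:
    """Walk the three tiers over constructed sample users and report what each did."""
    store = UserStore()
    store.realtime(Change(1, "add", {"username": "alice", "account": "a1001"}))
    store.realtime(Change(2, "add", {"username": "bob", "account": "b2002"}))
    # The message for seq 3 was lost; the day's file carries all three changes.
    day = [
        Change(1, "add", {"username": "alice", "account": "a1001"}),
        Change(2, "add", {"username": "bob", "account": "b2002"}),
        Change(3, "modify", {"username": "bob", "account": "b2003"}),
    ]
    filled = store.daily_increment(day)
    # Month's full file: alice was deleted on the first site, carol added (seq 4) and
    # then modified (seq 5); both of carol's messages were missed.
    final = store.monthly_full(
        [{"username": "bob", "account": "b2003"}, {"username": "carol", "account": "c3003"}],
        through_seq=5,
    )
    # A late daily file replaying seq 4 after the full sync must not regress carol.
    late = store.daily_increment([Change(4, "add", {"username": "carol", "account": "c3000"})])
    return {"filled": filled, "final": final, "late": late,
            "bob": store.users["bob"]["account"], "carol": store.users["carol"]["account"]}
```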
The certificate management service can generate an exclusive certificate of the user according to the information of the user, provide user downloading, and the user needs to import the exclusive certificate into a local browser after the user downloading is completed, and can carry the certificate to be added into verification during Ticket acquisition and verification. The user can add, update, delete and download own certificates through the service, and if the certificates are updated, the certificates need to be imported into the browser again. The user's certificate contains the user's information, and the verification of the user's certificate is to determine whether the certificate exists and whether the certificate information matches the user who wants to perform single sign-on.
The method comprises the steps that a certificate management service is used for generating an exclusive certificate containing user information for a user, wherein the exclusive certificate comprises a user name, a source system, an account number, a password, a mobile phone number and the like, the user can also regenerate the certificate if modifying the user information, an entrance for the user to obtain the certificate is provided, the user can obtain the certificate after synchronously finishing information, otherwise, the certificate cannot pass certificate verification, the user is led into a local browser after obtaining the certificate, and then the browser is restarted to enable the certificate to take effect.
The certificate verification service can verify the certificate carried in the request, and the method mainly comprises the steps of verifying whether the certificate exists, verifying matching between the single sign-on user and the user in the information carried by the certificate, verifying whether the user carried by the certificate exists in the system and verifying the correctness of the user information. After the certificate verification service is added, the security of single sign-on is greatly guaranteed.
The Ticket acquiring service is to acquire a single sign-on credential, where the credential includes a user name, an account number, a password, and other necessary information of a user, and is provided to a third-party system after being encrypted, and of course, timeliness, such as one-minute timeliness, is added to the Ticket. After one minute this Ticket cannot be used. The Ticket will be stored in the system database and used when it is to be verified.
The third-party system carries user information, such as a user name account and the like, and performs Ticket acquisition. In the process of requesting service, the special certificate of the user is carried, if the special certificate is not carried, the request service is ended, and an error is informed. If the certificate exists, the information in the certificate is obtained, whether the exclusive certificate of the user does not exist is judged, and if the exclusive certificate of the user does not exist, the authentication is passed; if not, an error is notified, the correct user is allowed to use for reacquisition, or the user is allowed to update the credentials and re-download the import. After the certificate passes verification, the information of the user is acquired and encrypted to generate a socket, and the socket is returned to the third-party system.
The socket verification service can identify a socket carried by third-party system login and judge whether the socket is valid or not, and if the socket is valid, the socket is decrypted through a secret key to obtain encapsulated user information. And the system checks the acquired user information, judges whether the user information exists in the system, acquires necessary information when the user normally logs in according to the user information if the user information exists, generates a Session and stores the Session, then redirects the browser to a system home page, and directly skips the login operation to enter a home page service after the system judges that the user already has an available Session.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention. The above-described method steps and system elements may also be implemented using a controller and a computer-readable storage medium for storing a computer program for causing the controller to implement the functions of the above-described steps or elements.
It can be seen from the foregoing embodiments that, in the cross-site single sign-on method provided in the embodiments of the present invention, user information is synchronized from a first site to a second site, and the user information is parsed at the second site to create or update a user corresponding to the user information; an exclusive certificate is generated for the user at the second site based on the user information, and the user is guided to import and activate the exclusive certificate, wherein the exclusive certificate stores the user information; the first site receives the activated exclusive certificate and a login credential request from the user, and sends a single sign-on credential to the user in response to successfully verifying the exclusive certificate; the second site receives the activated exclusive certificate and the single sign-on credential from the user and, in response to successfully verifying both, completes single sign-on through a user session it generates. With this technical scheme, the probability of a single sign-on scenario being attacked is reduced without changing the single sign-on credential mechanism, and system security is improved.
It should be particularly noted that, the steps in the embodiments of the cross-site single sign-on method described above can be mutually intersected, replaced, added, or deleted, and therefore, these reasonable permutation and combination transformations should also belong to the scope of the present invention, and should not limit the scope of the present invention to the described embodiments.
In view of the foregoing, a second aspect of the embodiments of the present invention provides an embodiment of a cross-site single sign-on apparatus that reduces the probability of a single sign-on scenario being attacked without changing a single sign-on credential and improves system security. The device comprises:
a processor;
a controller storing program code executable by a processor, the processor executing the following steps when executing the program code:
synchronizing the user information from the first site to the second site, and analyzing the user information at the second site to create or update a user corresponding to the user information;
generating an exclusive certificate for a user based on user information at a second site, and guiding the user to import and activate the exclusive certificate, wherein the exclusive certificate stores the user information;
receiving, by the first site, an activated exclusive certificate and a request for login credentials from the user, and sending a single-sign-on credential from the first site to the user in response to the first site successfully verifying the exclusive certificate;
receiving, by the second site, the activated exclusive certificate and the single sign-on credential from the user, and completing a single sign-on through a user session generated by the second site in response to the second site successfully verifying the exclusive certificate and the single sign-on credential.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In some embodiments, synchronizing the user information from the first site to the second site includes at least one of:
in response to determining that the user information in the first site is changed, synchronizing the changed user information to the second site in real time through a message interface;
at every first synchronization period, synchronizing through a file the changes made to the user information of the first site during that period to the second site, and updating the user information at the second site according to the part of those changes that was not synchronized in real time;
and at every second synchronization period, synchronizing all the user information of the first site to the second site through a file and overwriting the user information at the second site, wherein the second synchronization period is longer than the first synchronization period.
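The three synchronization channels just listed (and the user synchronization service described earlier), as an added example that is not part of the patent: a second-site user store that applies real-time messages, skips increment-file entries already delivered in real time, and lets the monthly full file overwrite everything. It assumes a change sequence number `seq` assigned by the first site and JSON-formatted files; neither is named on the page.

```python
import json
from dataclasses import dataclass, field


@dataclass
class SecondSiteUserStore:
    """User store at the second site, fed by the first site's three channels.

    A change record is {"op": "add"|"modify"|"delete", "seq": N, "user": {...}}.
    'seq' is a change sequence number assumed to be assigned by the first site
    (not named on the page); it lets the increment path skip what the real-time
    path already applied.
    """
    users: dict = field(default_factory=dict)      # username -> user record
    applied_seq: set = field(default_factory=set)  # seq numbers already applied

    def _apply(self, change: dict) -> None:
        # Create, update or delete the user; unknown ops are rejected loudly.
        user = change["user"]
        if change["op"] == "delete":
            self.users.pop(user["username"], None)
        elif change["op"] in ("add", "modify"):
            self.users[user["username"]] = dict(user)
        else:
            raise ValueError(f"unknown op {change['op']!r}")

    def realtime_sync(self, change: dict) -> None:
        """Message-interface path: fired when a user is added, modified or deleted."""
        self._apply(change)
        self.applied_seq.add(change["seq"])

    def daily_increment_sync(self, file_text: str) -> list:
        """Daily increment file (one JSON change per line).

        Only changes the real-time path did not deliver are applied; returns
        the seq numbers that were applied from the file.
        """
        applied = []
        for line in file_text.splitlines():
            if not line.strip():
                continue
            change = json.loads(line)
            if change["seq"] in self.applied_seq:
                continue  # already synchronized in real time
            self._apply(change)
            self.applied_seq.add(change["seq"])
            applied.append(change["seq"])
        return applied

    def monthly_full_sync(self, file_text: str) -> int:
        """Monthly full file: overwrite the local copy of every SSO user."""
        records = json.loads(file_text)
        self.users = {r["username"]: dict(r) for r in records}
        self.applied_seq.clear()  # the full file is now the baseline
        return len(self.users)


def run_demo() -> dict:
    """Drive the three channels with constructed sample data (hypothetical users)."""
    site = SecondSiteUserStore()
    # Real-time message for alice (seq 1).
    site.realtime_sync({"op": "add", "seq": 1,
                        "user": {"username": "alice", "account": "alice01", "phone": "13800000001"}})
    # Daily increment: seq 1 was already seen; seq 2 (bob) and seq 3 (alice phone change) were missed.
    increment_file = "\n".join(json.dumps(c) for c in [
        {"op": "add", "seq": 1, "user": {"username": "alice", "account": "alice01", "phone": "13800000001"}},
        {"op": "add", "seq": 2, "user": {"username": "bob", "account": "bob01", "phone": "13800000002"}},
        {"op": "modify", "seq": 3, "user": {"username": "alice", "account": "alice01", "phone": "13900000001"}},
    ])
    from_file = site.daily_increment_sync(increment_file)
    # Monthly full file: bob was removed upstream in the meantime, so overwriting drops him.
    full_file = json.dumps([{"username": "alice", "account": "alice01", "phone": "13900000001"},
                            {"username": "carol", "account": "carol01", "phone": "13800000003"}])
    total = site.monthly_full_sync(full_file)
    return {"increment_applied": from_file, "after_full": sorted(site.users), "total": total}


if __name__ == "__main__":
    print(run_demo())
```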
In some embodiments, guiding the user to import and activate the exclusive certificate includes: having the user import the exclusive certificate into the certificate management of their browser and restart the browser to activate the exclusive certificate;
receiving, by the first site, the activated exclusive certificate and the login credential request from the user comprises: the user sending the login credential request to the first site using the browser;
receiving, by the second site, the activated exclusive certificate and the single sign-on credential from the user comprises: the user sending the single sign-on credential to the second site using the browser.
In some embodiments, successful verification of the exclusive certificate by the first site or the second site includes verifying at least one of: whether the exclusive certificate exists, whether the identity of the user matches the user information carried in the exclusive certificate, whether the identity of the user is legal in the system, and the correctness of the user information carried in the exclusive certificate.
In some embodiments, the second site successfully verifying the exclusive certificate and the single sign-on credential comprises: the second site first verifies the exclusive certificate and, in response to that verification succeeding, further verifies the single sign-on credential; verification stops immediately in response to the exclusive certificate failing verification.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk, blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
In some embodiments, the steps further comprise: the second site also updates the exclusive certificate for the user when the user information changes; after the user has imported and activated the exclusive certificate, the updated exclusive certificate must likewise be imported and activated again.
In some embodiments, the single sign-on credential carries the user's login information in encrypted form, the login information including a user name, an account number and a password.
In some embodiments, the single sign-on credential has a valid lifetime; the second site successfully verifying the single sign-on credential comprises: the second site decrypts the single sign-on credential, confirms that the login information stored in it is correct, and confirms that the single sign-on credential is still within its valid lifetime at the time it is verified.
In some embodiments, the steps further comprise: in response to the user determining that the valid lifetime of the single sign-on credential has expired, re-sending the activated exclusive certificate and the login credential request to the first site to obtain a single sign-on credential with a fresh valid lifetime.
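The Ticket acquisition and verification flow of the preceding embodiments (certificate checked before the Ticket, verification stopping on certificate failure, the one-minute validity period, and decrypt-then-check at the second site), as an added example that is not the patent's or the applicant's code; it also covers the Ticket acquisition and verification services described earlier. It assumes HMAC-tagged certificate records in place of real client certificates, a stdlib encrypt-then-MAC construction (HMAC-SHA256 counter-mode keystream) in place of the unspecified cipher, and makes each Ticket single-use; a deployment would use CA-issued certificates and an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import secrets

TICKET_TTL_SECONDS = 60  # the page gives the Ticket one-minute timeliness

# Constructed sample state (hypothetical): user store after synchronization,
# the certificate service key, and the Ticket key shared by both sites.
USERS = {"alice": {"account": "alice01", "source": "siteA", "phone": "13800000001"}}
CERT_KEY = secrets.token_bytes(32)
TICKET_KEY = secrets.token_bytes(32)
ISSUED_CERTS = {}  # serial -> username; removing a serial deletes the certificate
TICKET_STORE = {}  # ticket id -> expiry, the page's "system database"
_ENC_KEY = hashlib.sha256(TICKET_KEY + b"enc").digest()  # encrypt-then-MAC: keystream key
_MAC_KEY = hashlib.sha256(TICKET_KEY + b"mac").digest()  # encrypt-then-MAC: tag key


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def issue_certificate(username):
    """Certificate management service: exclusive certificate carrying the user's
    info. An HMAC by the issuing key stands in for a CA signature (assumption)."""
    cert = {"username": username, "serial": secrets.token_hex(8), **USERS[username]}
    cert["tag"] = _mac(CERT_KEY, json.dumps(cert, sort_keys=True).encode()).hex()
    ISSUED_CERTS[cert["serial"]] = username
    return cert

def verify_certificate(cert, claimed_user):
    """The page's checks: exists, matches the SSO user, user is legal in the
    system, carried info is correct. Returns None on success, else the reason."""
    if cert is None:
        return "no certificate carried"
    body = json.dumps({k: v for k, v in cert.items() if k != "tag"}, sort_keys=True)
    if not hmac.compare_digest(cert.get("tag", ""), _mac(CERT_KEY, body.encode()).hex()):
        return "certificate tag invalid"
    if ISSUED_CERTS.get(cert["serial"]) != cert["username"]:
        return "certificate does not exist"
    if cert["username"] != claimed_user:
        return "certificate user does not match single sign-on user"
    user = USERS.get(claimed_user)
    if user is None:
        return "user not legal in system"
    if any(cert.get(k) != v for k, v in user.items()):
        return "certificate information incorrect"
    return None

def _xor_stream(nonce, data):
    # HMAC-SHA256 in counter mode as the keystream: stdlib stand-in for a real cipher.
    stream = b"".join(_mac(_ENC_KEY, nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_ticket(plaintext):
    """Encrypt-then-MAC; the Ticket is hex(nonce | ciphertext | tag)."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(nonce, plaintext)
    return (nonce + ct + _mac(_MAC_KEY, nonce + ct)).hex()

def open_ticket(token):
    """Reverse of seal_ticket; None for any malformed or tampered token."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if len(raw) < 48 or not hmac.compare_digest(tag, _mac(_MAC_KEY, nonce + ct)):
        return None
    return _xor_stream(nonce, ct)

def acquire_ticket(cert, username, now):
    """First site's Ticket acquisition service: certificate first, then Ticket."""
    err = verify_certificate(cert, username)
    if err:
        return None, err
    payload = {"id": secrets.token_hex(8), "username": username,
               "account": USERS[username]["account"], "exp": now + TICKET_TTL_SECONDS}
    # The page also packs the password into the Ticket; it is deliberately left out.
    TICKET_STORE[payload["id"]] = payload["exp"]
    return seal_ticket(json.dumps(payload).encode()), None

def second_site_login(cert, username, ticket, now):
    """Second site: certificate (stop on failure), then Ticket, then a Session."""
    err = verify_certificate(cert, username)
    if err:
        return None, "certificate: " + err
    raw = open_ticket(ticket or "")
    if raw is None:
        return None, "ticket invalid"
    p = json.loads(raw)
    if TICKET_STORE.pop(p["id"], None) != p["exp"]:  # single use: added hardening
        return None, "ticket unknown or already used"
    if now > p["exp"]:
        return None, "ticket expired"
    user = USERS.get(p["username"])
    if p["username"] != username or user is None or user["account"] != p["account"]:
        return None, "login information incorrect"
    return {"sid": secrets.token_urlsafe(16), "username": username}, None
```

`now` is passed explicitly so the expiry branch can be exercised deterministically; a server would pass the current clock.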
The apparatuses and devices disclosed in the embodiments of the present invention may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television, and the like, or may be a large terminal device, such as a server, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of apparatus and device. The client disclosed in the embodiment of the present invention may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.
It can be seen from the foregoing embodiments that, in the cross-site single sign-on apparatus provided in the embodiments of the present invention, user information is synchronized from a first site to a second site, and the user information is parsed at the second site to create or update a user corresponding to the user information; an exclusive certificate is generated for the user at the second site based on the user information, and the user is guided to import and activate the exclusive certificate, wherein the exclusive certificate stores the user information; the first site receives the activated exclusive certificate and a login credential request from the user, and sends a single sign-on credential to the user in response to successfully verifying the exclusive certificate; the second site receives the activated exclusive certificate and the single sign-on credential from the user and, in response to successfully verifying both, completes single sign-on through a user session it generates. With this technical scheme, the probability of a single sign-on scenario being attacked is reduced without changing the single sign-on credential mechanism, and system security is improved.
It should be particularly noted that the above-mentioned embodiment of the apparatus employs the cross-site single sign-on method to specifically describe the working process of each module, and those skilled in the art can easily think that these modules are applied to other embodiments of the cross-site single sign-on method. Of course, since the steps in the cross-site single sign-on method embodiment can be mutually intersected, replaced, added, or deleted, these reasonable permutation and combination transformations shall also belong to the scope of the present invention, and shall not limit the scope of the present invention to the embodiment.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes of the methods of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like. Embodiments of the computer program may achieve the same or similar effects as any of the preceding method embodiments to which it corresponds.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, also technical features in the above embodiment or in different embodiments may be combined and there are many other variations of the different aspects of an embodiment of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (10)

1. A cross-site single sign-on method is characterized by comprising the following steps:
synchronizing user information from a first site to a second site, and parsing the user information at the second site to create or update a user corresponding to the user information;
generating an exclusive certificate for the user based on the user information at the second site, and guiding the user to import and activate the exclusive certificate, wherein the exclusive certificate stores the user information;
receiving, by the first site, the activated exclusive certificate and a login credential request from the user, and sending a single sign-on credential from the first site to the user in response to the first site successfully verifying the exclusive certificate;
receiving, by the second site, the activated exclusive certificate and the single sign-on credential from the user, and completing a single sign-on through a user session generated by the second site in response to the second site successfully verifying the exclusive certificate and the single sign-on credential.
2. The method of claim 1, wherein synchronizing user information from a first site to a second site comprises at least one of:
in response to determining that the user information in the first site has changed, synchronizing the changed user information to the second site in real time through a message interface;
synchronizing the variable quantity of the user information of the first site in the first synchronization period to the second site through a file every interval of a first synchronization period, and updating the user information at the second site according to the part of the variable quantity which is not synchronized in real time;
and synchronizing all the user information of the first site to the second site through files every second synchronization period, and updating the user information in the second site in a covering manner, wherein the second synchronization period is greater than the first synchronization period.
3. The method of claim 1, wherein guiding the user to import and activate the exclusive certificate comprises: enabling the user to import the exclusive certificate into certificate management of a browser of the user and restart the browser to activate the exclusive certificate;
receiving, by the first site, the activated exclusive certificate and the login credential request from the user comprises: sending, by the user, the login credential request to the first site using the browser;
receiving, by the second site, the activated exclusive certificate and the single sign-on credential from the user comprises: sending, by the user, the single sign-on credential to the second site using the browser.
4. The method of claim 1, wherein the first site or the second site successfully verifying the exclusive certificate comprises verifying at least one of: whether the exclusive certificate exists, whether the identity of the user matches the user information carried in the exclusive certificate, whether the identity of the user is legal in a system, and the correctness of the user information carried in the exclusive certificate.
5. The method of claim 4, wherein the second site successfully verifying the exclusive certificate and the single sign-on credential comprises: the second site first verifying the exclusive certificate and further verifying the single sign-on credential in response to the exclusive certificate being successfully verified; and stopping verification directly in response to the exclusive certificate failing verification.
6. The method of claim 1, further comprising: the second site further updating the exclusive certificate for the user based on a change in the user information; and after the user has imported and activated the exclusive certificate, importing and activating the updated exclusive certificate again.
7. The method of claim 1, wherein the single sign-on credential carries login information of the user in encrypted form, the login information including a user name, an account number, and a password.
8. The method of claim 7, wherein the single sign-on credential has a valid lifetime; and the second site successfully verifying the single sign-on credential comprises: the second site decrypting the single sign-on credential, confirming that the login information stored in the single sign-on credential is correct, and confirming that the single sign-on credential is within its valid lifetime at the time of verification.
9. The method of claim 8, further comprising: in response to the user determining that the valid lifetime of the single sign-on credential has expired, re-sending the activated exclusive certificate and the login credential request to the first site to obtain a single sign-on credential having a valid lifetime.
10. A cross-site single sign-on apparatus, comprising:
a processor;
a controller storing program code executable by the processor, the processor executing the following steps when executing the program code:
synchronizing user information from a first site to a second site, and parsing the user information at the second site to create or update a user corresponding to the user information;
generating an exclusive certificate for the user based on the user information at the second site, and guiding the user to import and activate the exclusive certificate, wherein the exclusive certificate stores the user information;
receiving, by the first site, the activated exclusive certificate and a login credential request from the user, and sending a single sign-on credential from the first site to the user in response to the first site successfully verifying the exclusive certificate;
receiving, by the second site, the activated exclusive certificate and the single sign-on credential from the user, and completing a single sign-on through a user session generated by the second site in response to the second site successfully verifying the exclusive certificate and the single sign-on credential.
CN202110657473.9A 2021-06-12 2021-06-12 Cross-site single sign-on method and device Active CN113420282B (en)
Publications (2)

Publication Number Publication Date
CN113420282A true CN113420282A (en) 2021-09-21
CN113420282B CN113420282B (en) 2022-03-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant