CN114006751B - Campus system single sign-on method using temporary authentication code - Google Patents

Campus system single sign-on method using temporary authentication code

Publication number: CN114006751B
Application number: CN202111269659.3A
Other versions: CN114006751A (publication of the application)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active (application granted)
Inventors: 刘沛强, 杜振锋
Current and original assignee: Guangdong Etonedu Co ltd
Prior art keywords: application server, user, server, role, authentication center

Classifications

    • H04L 63/0815 Network security; authentication of entities; providing single-sign-on or federations
    • H04L 63/0807 Network security; authentication of entities; using tickets, e.g. Kerberos
    • H04L 63/083 Network security; authentication of entities; using passwords
    • H04L 63/101 Network security; controlling access to devices or network resources; access control lists [ACL]
    • H04L 63/105 Network security; controlling access to devices or network resources; multiple levels of security
    • G06F 21/41 Security arrangements; user authentication where a single sign-on provides access to a plurality of computers

Abstract

The invention discloses a campus system single sign-on method using a temporary authentication code. The credential ticket is kept 'hidden', that is, it is never carried in a URL: a one-time temporary authentication code with a validity period is allocated in advance, and an application server can obtain the credential ticket only through an interface call that presents the temporary authentication code, so an attacker cannot intercept the credential ticket directly from the URL. The authentication center blocks unregistered clients by means of server IDs, complex access codes, IP whitelists and similar measures. Each time a user performs an action on an application server, the server asks the authentication center whether the credential ticket has expired, so a session the user forgot to log out of cannot be taken over by someone else. The user IDs of all users known to the authentication center, together with the corresponding application server user IDs on each application server, are registered in the authentication center, so the login accounts of the application servers need not be unified and application server vendors are spared modification costs.

Description

Campus system single sign-on method using temporary authentication code
Technical Field
The invention relates to the technical field of single sign-on, and in particular to a campus system single sign-on method using a temporary authentication code.
Background
As campus informatization advances, more and more information systems are used in the schools of a region. To spare users from logging in separately each time they switch between systems, these systems need to be integrated through single sign-on.
Single sign-on (SSO) is one of the more popular solutions for system integration. SSO means that a user logs in only once and can then access every application in a group of mutually trusting applications.
Three approaches to SSO are common in the prior art; one of them authenticates all applications through a central authentication center. In this mode, when an application is opened and detects that the user is not logged in, it redirects the user to the login page of the authentication center. After the user logs in, the authentication center generates a unique user credential (ticket). When the user then clicks a third-party application, the ticket is passed as a parameter in that application's URL; the application sends the ticket to the authentication center for verification, and once it is verified, if the application finds the user not yet logged in, it performs a password-free login and creates session information.
In this approach, however, the ticket has to be transferred through the URL when the third-party application is opened, which carries a certain risk: if the ticket is intercepted by an attacker, the attacker can use it to pass the authentication center's verification and so defeat the system's protection.
In addition, the following problems arise in campus application systems:
(1) Many application systems are cloud platforms, and their login methods differ: some use a work number or student number, some an account name, and some a mobile phone number. Work and student numbers may also be duplicated across different schools, so after login the authentication center must tell the application system which user is currently accessing which school.
(2) After logging in at the authentication center, the user often has to choose a role (school administrator, teacher, student, staff, etc.). Some business systems support multiple roles with different permissions, and unless the role ID is passed along they cannot tell which role the user is currently using to access the system. Role IDs and role definitions also differ from one application system to another, which is a further obstacle to single sign-on integration.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art by providing a campus system single sign-on method using a temporary authentication code.
To that end, the technical solution provided by the invention is as follows:
A campus system single sign-on method using a temporary authentication code comprises the following steps:
S1: configure a user list, a user mapping table, a school code mapping table, a role code mapping table and the registered application servers in an authentication center; the authentication center generates a unique server ID and an access code for each registered application server, and the corresponding data are filled into the user list, the user mapping table, the school code mapping table and the role code mapping table;
S2: when a user clicks an application A on an application server X, the user is redirected to log in at the authentication center; after the user logs in at the authentication center with a user ID, the authentication center randomly generates a unique temporary authentication code with a validity period for the user and places it in a parameter of the URL that jumps to application A;
S3: the browser jumps to application A on application server X using the URL of step S2; application server X parses the temporary authentication code out of the URL and sends its domain name, the temporary authentication code, and the server ID and access code generated in step S1 to the authentication center for verification;
S4: the authentication center checks the IP, server ID, access code and domain name of application server X; if these checks pass, it verifies the temporary authentication code and proceeds to step S5, otherwise it redirects to the authentication center to log in again;
S5: after verification passes, if the authentication center finds no credential ticket for the user, it generates a credential ticket with a validity period for the user; if it finds an existing credential ticket for the user, that ticket is used directly;
S6: the user selects a role on application server X; the role ID for that role and the school ID for the user ID are obtained from the user list, the application server role ID is looked up in the role code mapping table by role ID and server ID, the application server school ID is looked up in the school code mapping table by school ID and server ID, and the application server user ID is looked up in the user mapping table by user ID and server ID;
S7: the authentication center sends the user's credential ticket from step S5 together with the application server role ID, application server school ID and application server user ID from step S6 to application server X;
S8: on receiving the information from the authentication center, application server X, if it finds that the application server user ID is not logged in, automatically performs a password-free login with that ID, creates session information in application server X, accesses the corresponding school and role through the application server school ID and application server role ID, and automatically opens the application A the user clicked in step S2;
S9: if the user goes on to click other applications on application server X, no further login is needed within the validity period of the credential ticket, and those applications can be opened at any time;
if from application server X the user clicks an application B on another application server Y, a new temporary authentication code is requested from the authentication center and the login is verified again;
S10: when the user finishes, the user logs out at the authentication center; the authentication center destroys the user's credential ticket and notifies every application server registered with it to destroy its session.
Further, in step S1 the generated access code is a mixture of letters and digits.
Further, step S1 also includes adding the IP of each registered application server to an access whitelist, so that each registered application server can call the authentication center only from an IP address or address range in the access whitelist.
Further, step S1 also includes registering the domain name of each application server as an access-restricted domain name.
Further, the fields of the user list are a user ID, a role ID and a school ID;
the fields of the user mapping table are a user ID, a server ID and an application server user ID;
the fields of the school code mapping table are a school ID, a server ID and an application server school ID;
the fields of the role code mapping table are a role ID, a server ID and an application server role ID.
Further, in step S9, after the user has clicked and opened application A, if the user goes on to click other applications on application server X, application server X sends the user's credential ticket to the authentication center to ask whether it has expired. If it has, the authentication center returns a ticket-expired message to application server X, which logs the session off, closes the current page and redirects to the authentication center to log in again; otherwise the validity period of the user's credential ticket is extended. Within the validity period of the credential ticket the user can open other applications on application server X at any time without logging in again.
Further, in step S9, after the user has clicked and opened application A, if from application server X the user clicks application B on another application server Y, application server X requests a temporary authentication code from the authentication center; the authentication center generates a new temporary authentication code and returns it to application server X, which places it in the URL of application B that jumps to application server Y; application server Y then sends the new temporary authentication code together with its own server ID, access code and domain name to the authentication center for verification, and the following steps are performed:
a) the authentication center checks the IP, server ID, access code and domain name of application server Y; if these checks pass, it verifies the temporary authentication code and proceeds to step b), otherwise it redirects to the authentication center to log in again;
b) after verification passes, if the authentication center finds no credential ticket for the user, it generates a credential ticket with a validity period for the user; if it finds an existing credential ticket, that ticket is used directly;
c) the user selects a role on application server Y; the role ID for that role and the school ID for the user ID are obtained from the user list, the application server role ID is looked up in the role code mapping table by role ID and server ID, the application server school ID is looked up in the school code mapping table by school ID and server ID, and the application server user ID is looked up in the user mapping table by user ID and server ID;
d) the credential ticket from step b) and the application server role ID, application server school ID and application server user ID from step c) are returned to application server Y;
e) on receiving the information from step d), application server Y, if it finds that the application server user ID is not logged in, automatically performs a password-free login with that ID, creates session information in application server Y, accesses the corresponding school and role through the application server school ID and application server role ID, and automatically opens the application B the user clicked.
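The following Python sketch is an added example written for this page; it is not code from the patent or from Guangdong Etonedu. It models the authentication center side of steps S1 to S10 together with the two S9 refinements above: the per-action ticket-expiry check that extends a live ticket, and the fresh temporary authentication code needed to hop from application server X to application server Y. The one-time, consumed-on-first-use behaviour of the temporary code is what keeps the credential ticket out of every URL. The 5-minute validity periods and the 128-bit mixed access code come from the embodiment; all server IDs, domains, IP addresses, user IDs and table rows are constructed sample data, and the class, method names and in-memory tables are this example's own design rather than the patent's.

```python
# Added example, not the patent's own code: an in-memory model of the
# authentication center in steps S1-S10 plus the S9 refinements.
# Every identifier and table row below is constructed sample data.
import secrets
import time

CODE_TTL = 5 * 60     # temporary authentication code validity (embodiment: 5 min)
TICKET_TTL = 5 * 60   # credential ticket validity (embodiment: 5 min)


class AuthCenter:
    def __init__(self, now=time.time):
        self.now = now
        self.servers = {}       # server_id -> (access_code, domain, ip_whitelist)
        self.codes = {}         # temporary code -> (user_id, expiry)
        self.tickets = {}       # ticket -> (user_id, expiry)
        self.user_ticket = {}   # user_id -> current ticket
        self.user_list = {}     # S1 user list: user_id -> (role_ids, school_id)
        self.user_map = {}      # (user_id, server_id)   -> application server user ID
        self.school_map = {}    # (school_id, server_id) -> application server school ID
        self.role_map = {}      # (role_id, server_id)   -> application server role ID

    # S1: unique server ID, random 128-bit access code, IP whitelist, restricted domain
    def register_server(self, server_id, domain, ip_whitelist):
        access_code = secrets.token_hex(16)   # 32 hex characters: letters and digits
        self.servers[server_id] = (access_code, domain, frozenset(ip_whitelist))
        return access_code

    # S2: after login, only a one-time temporary code goes into the URL; the ticket never does
    def issue_temp_code(self, user_id):
        code = secrets.token_urlsafe(24)
        self.codes[code] = (user_id, self.now() + CODE_TTL)
        return code

    # S4: IP, server ID, access code and domain are checked before the code is consulted
    def _client_ok(self, server_id, access_code, domain, client_ip):
        if server_id not in self.servers:
            return False
        exp_code, exp_domain, whitelist = self.servers[server_id]
        return (secrets.compare_digest(exp_code, access_code)
                and exp_domain == domain and client_ip in whitelist)

    # S5: reuse the user's live ticket, otherwise mint a new one
    def _get_or_create_ticket(self, user_id):
        t = self.user_ticket.get(user_id)
        if t is not None and self.tickets[t][1] > self.now():
            return t
        t = secrets.token_urlsafe(32)
        self.tickets[t] = (user_id, self.now() + TICKET_TTL)
        self.user_ticket[user_id] = t
        return t

    # S3-S7: back-channel call made by the application server with the code parsed
    # from the URL; role_id is the role the user selected in S6
    def exchange(self, code, server_id, access_code, domain, client_ip, role_id):
        if not self._client_ok(server_id, access_code, domain, client_ip):
            return None                     # S4 failed: re-login at the center
        entry = self.codes.pop(code, None)  # one-time use: gone after first try
        if entry is None or entry[1] < self.now():
            return None                     # unknown, replayed or expired code
        user_id = entry[0]
        role_ids, school_id = self.user_list[user_id]
        if role_id not in role_ids:
            return None
        return {                            # S7 payload for the application server
            "ticket": self._get_or_create_ticket(user_id),
            "app_user_id": self.user_map[(user_id, server_id)],
            "app_school_id": self.school_map[(school_id, server_id)],
            "app_role_id": self.role_map[(role_id, server_id)],
        }

    # S9: each user action re-checks the ticket; a live ticket is extended,
    # an expired one makes the application server log the session off
    def check_ticket(self, ticket):
        entry = self.tickets.get(ticket)
        if entry is None or entry[1] < self.now():
            return False
        self.tickets[ticket] = (entry[0], self.now() + TICKET_TTL)
        return True

    # S9: hopping from server X to server Y needs a fresh temporary code
    def reissue_temp_code(self, ticket):
        return self.issue_temp_code(self.tickets[ticket][0]) if self.check_ticket(ticket) else None


def demo():
    # One login through server X, a replay attempt, then a hop to server Y
    ac = AuthCenter()
    ax = ac.register_server("SrvX", "x.campus.example", ["10.0.0.5"])
    ay = ac.register_server("SrvY", "y.campus.example", ["10.0.0.6"])
    ac.user_list["t001"] = ({"teacher"}, "school1")
    ac.user_map.update({("t001", "SrvX"): "x-u-9", ("t001", "SrvY"): "y-u-42"})
    ac.school_map.update({("school1", "SrvX"): "x-s-1", ("school1", "SrvY"): "y-s-7"})
    ac.role_map.update({("teacher", "SrvX"): "x-r-T", ("teacher", "SrvY"): "y-r-2"})
    code = ac.issue_temp_code("t001")
    px = ac.exchange(code, "SrvX", ax, "x.campus.example", "10.0.0.5", "teacher")
    replay = ac.exchange(code, "SrvX", ax, "x.campus.example", "10.0.0.5", "teacher")
    py = ac.exchange(ac.reissue_temp_code(px["ticket"]), "SrvY", ay,
                     "y.campus.example", "10.0.0.6", "teacher")
    return {"x": px, "replay": replay, "y": py, "same_ticket": px["ticket"] == py["ticket"]}
```

Two design choices are worth noting. The client checks of S4 run before the temporary code is popped, so a caller with a wrong access code or an IP outside the whitelist does not burn the legitimate user's code; only a request that passes all four checks consumes it, and a second presentation of the same code (a replay) fails. The per-action check of S9 is a sliding window: every successful check moves the ticket's expiry forward, while a ticket that has lapsed is reported expired and a hop to another server is refused.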
Compared with the prior art, this technical solution works on the following principles and offers the following advantages:
1) The credential ticket is kept 'hidden' and never carried in a URL; a one-time temporary authentication code with a validity period is allocated in advance, so an application server can obtain the credential ticket only through an interface call that presents the temporary authentication code, and an attacker cannot intercept the credential ticket directly from the URL.
2) The authentication center blocks unregistered clients (only pre-registered servers can call it) by means of server IDs, complex access codes, IP whitelists and similar measures.
3) Each time a user performs an action on an application server, the server asks the authentication center whether the credential ticket has expired, so a session the user forgot to log out of cannot be taken over by someone else.
4) The user IDs of all users in the authentication center and the corresponding application server user IDs on each application server are registered in the authentication center, so the solution does not require the application servers' login accounts to be unified, sparing application server vendors modification costs.
5) The user mapping table, school code mapping table and role code mapping table are configured in the authentication center, so each application server learns which user is logging in to which school under which role without any modification of its own, and the user need not enter the role again when opening or switching between application servers.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. The following figures show only some embodiments of the invention; a person skilled in the art can derive other figures from them without inventive effort.
Fig. 1 is a schematic flow chart of a campus system single sign-on method using a temporary authentication code according to an embodiment of the invention;
Fig. 2 is a schematic flow chart of the case in which the user goes on to click other applications on application server X;
Fig. 3 is a schematic flow chart of the case in which, from application server X, the user clicks application B on another application server Y.
Detailed Description
The invention is described in further detail below with reference to examples and drawings, but its embodiments are not limited to these.
As shown in Fig. 1, the campus system single sign-on method using a temporary authentication code of this embodiment comprises the following steps:
S1: configure a user list, a user mapping table, a school code mapping table and a role code mapping table in an authentication center and register a smart campus integrated management application server X and a teaching application server Y; the authentication center generates a unique server ID (SmartSchoolApplication, JXPTApplication) and an access code (128 bits long, a mixture of letters and digits) for each of the two application servers, and the corresponding data for these server IDs and access codes are filled into the user list, the user mapping table, the school code mapping table and the role code mapping table;
in this step, the fields of the user list are a user ID, a role ID and a school ID;
the fields of the user mapping table are a user ID, a server ID and an application server user ID;
the fields of the school code mapping table are a school ID, a server ID and an application server school ID;
the fields of the role code mapping table are a role ID, a server ID and an application server role ID;
in these tables,
the user ID may be an account name, a work number or student number, a mobile phone number, or the like;
roles include teacher, student, parent, administrator, etc.
This step also includes adding the registered IPs of the smart campus integrated management application server X and the teaching application server Y to an access whitelist, so that these two registered servers can call the authentication center only from an IP address or address range in the whitelist.
This step also includes registering the domain names of the smart campus integrated management application server X and the teaching application server Y as access-restricted domain names for domain name verification.
S2: when the user clicks application A on the smart campus integrated management application server X, the user is redirected to log in at the authentication center; after the user logs in at the authentication center with a user ID, the authentication center randomly generates a unique temporary authentication code with a 5-minute validity period for the user and places it in a parameter of the URL that jumps to application A;
S3: the browser jumps to application A on the smart campus integrated management application server X using the URL of step S2; server X parses the temporary authentication code out of the URL and sends its domain name, the temporary authentication code, and the server ID and access code generated in step S1 to the authentication center for verification;
S4: the authentication center checks the IP, server ID, access code and domain name of the smart campus integrated management application server X; if these checks pass, it verifies the temporary authentication code and proceeds to step S5, otherwise it redirects to the authentication center to log in again;
S5: after verification passes, if the authentication center finds no credential ticket for the user, it generates a credential ticket with a 5-minute validity period for the user; if it finds an existing credential ticket for the user, that ticket is used directly;
S6: the user selects a role on the smart campus integrated management application server X; the role ID for that role and the school ID for the user ID are obtained from the user list, the application server role ID on server X is looked up in the role code mapping table by role ID and server ID, the application server school ID on server X is looked up in the school code mapping table by school ID and server ID, and the application server user ID on server X is looked up in the user mapping table by user ID and server ID;
S7: the authentication center sends the user's credential ticket from step S5 together with the application server role ID, application server school ID and application server user ID from step S6 to the smart campus integrated management application server X;
S8: on receiving the information from the authentication center, the smart campus integrated management application server X, if it finds that the application server user ID is not logged in, automatically performs a password-free login with that ID, creates session information on server X, accesses the corresponding school and role through the application server school ID and application server role ID, and automatically opens the application A the user clicked in step S2;
S9: as shown in Fig. 2, if the user goes on to click other applications on the smart campus integrated management application server X, server X sends the user's credential ticket to the authentication center to ask whether it has expired. If it has, the authentication center returns a ticket-expired message to server X, which logs the session off, closes the current page and redirects to the authentication center to log in again; otherwise the validity period of the user's credential ticket is extended. Within the validity period of the credential ticket the user can open other applications on the smart campus integrated management application server X at any time without logging in again.
As shown in Fig. 3, if from the smart campus integrated management application server X the user clicks application B on the other server, the teaching application server Y, server X requests a temporary authentication code from the authentication center; the authentication center generates a new temporary authentication code and returns it to server X, which places it in the URL of application B that jumps to the teaching application server Y; server Y then sends the new temporary authentication code together with its own server ID, access code and domain name to the authentication center for verification, and the following steps are performed:
a) the authentication center checks the IP, server ID, access code and domain name of the teaching application server Y; if these checks pass, it verifies the temporary authentication code and proceeds to step b), otherwise it redirects to the authentication center to log in again;
b) after verification passes, if the authentication center finds no credential ticket for the user, it generates a credential ticket with a 5-minute validity period for the user; if it finds an existing credential ticket for the user, that ticket is used directly;
c) the user selects a role on the teaching application server Y; the role ID for that role and the school ID for the user ID are obtained from the user list, the application server role ID is looked up in the role code mapping table by role ID and server ID, the application server school ID is looked up in the school code mapping table by school ID and server ID, and the application server user ID is looked up in the user mapping table by user ID and server ID;
d) the credential ticket from step b) and the application server role ID, application server school ID and application server user ID from step c) are returned to the teaching application server Y;
e) on receiving the information from step d), the teaching application server Y, if it finds that the application server user ID is not logged in, automatically performs a password-free login with that ID, creates session information on server Y, accesses the corresponding school and role through the application server school ID and application server role ID, and automatically opens the application B the user clicked.
S10: finally, when the user finishes, the user logs out at the authentication center; the authentication center destroys the user's credential ticket and notifies the smart campus integrated management application server X and the teaching application server Y to destroy their sessions.
The embodiments above are only preferred embodiments of the invention and do not limit its scope; variations in form and principle that follow from the invention are covered by it.

Claims (7)

1. A campus system single sign-on method using a temporary authentication code, comprising the steps of:
S1, configuring a user list, a user mapping table, a school coding mapping table, a role coding mapping table and registered application servers in an authentication center, generating unique server IDs and access codes for each registered application server by the authentication center, and supplementing corresponding data in the user list, the user mapping table, the school coding mapping table and the role coding mapping table;
s2, when a user clicks an application A of one of the registered application servers X, guiding the user to log in an authentication center; after a user logs in an authentication center by adopting a user ID, the authentication center randomly generates a unique temporary authentication code with a valid period for the user, and the temporary authentication code is put into a parameter capable of jumping to the URL address of the application A;
S3, jumping to an application A of an application server X according to the URL address in the step S2, analyzing a temporary authentication code in the URL address by the application server X, and transmitting the domain name, the temporary authentication code, the server ID and the access code generated in the step S1 to an authentication center for verification;
S4, checking the IP, the server ID, the access code and the domain name of the application server X by the authentication center, if the verification is passed, authenticating the temporary authentication code, and entering a step S5, otherwise, jumping to the authentication center to log in again for authentication;
S5, after the authentication is passed, if the authentication center does not detect a certificate ticket for the user, generating a certificate ticket with a valid period for the user; if the authentication center detects the user's certificate ticket, the existing certificate ticket is used directly;
S6, the user selects the role in the application server X, so that a role ID corresponding to the role and a school ID corresponding to the user ID are obtained through a user list, an application server role ID is obtained through combining the role ID and the server ID through a role coding mapping table, an application server school ID is obtained through combining the school ID and the server ID through a school coding mapping table, and an application server user ID is obtained through combining the user ID and the server ID through a user mapping table;
S7, the authentication center transmits the certificate ticket of the user in the step S5, the application server role ID, the application server school ID and the application server user ID obtained in the step S6 to the application server X;
S8, after receiving information transmitted by the authentication center, the application server X automatically performs password-free login by using the application server user ID if the application server user ID is detected not to be logged in, creates session information in the application server X, accesses corresponding schools and roles through the application server school ID and the application server role ID, and automatically opens the application A clicked by the user in the step S2;
S9, if the user continues to click other applications in the application server X, the user does not need to log in again with a password within the valid period of the certificate ticket, and the other applications in the application server X can be opened at any time;
If the user clicks the application B of another application server Y in the application server X, re-requesting a temporary authentication code from the authentication center, and re-authenticating the login;
And S10, when the user finishes logging in, the user exits from the authentication center, the authentication center destroys the certificate of the user, and notifies all application servers registered in the authentication center to destroy the session.
2. The method for single sign-on of campus systems using temporary authentication codes according to claim 1, wherein in step S1, the generated access code is composed of a mixture of character strings and numbers.
3. The method as claimed in claim 2, wherein step S1 further comprises adding the IP of each registered application server to an access whitelist, so that each registered application server can only access the authentication center from an IP address or address range in the access whitelist.
4. A campus system single sign-on method using a temporary authentication code as claimed in claim 1 or 3, wherein step S1 further comprises configuring the domain name of each registered application server, so that access is restricted to that domain name.
5. The campus system single sign-on method using a temporary authentication code according to claim 1, wherein the fields of the user list include a user ID, a role ID, a school ID;
The fields of the user mapping table comprise a user ID, a server ID and an application server user ID;
the fields of the school code mapping table comprise a school ID, a server ID and an application server school ID;
the fields of the role coding mapping table comprise a role ID, a server ID and an application server role ID.
6. The method for single sign-on of campus system using temporary authentication code according to claim 1, wherein in step S9, after the user clicks and opens the application A, if the user continues to click other applications in the application server X, the application server X sends the user's request to the authentication center to inquire whether the user's ticket has expired; if so, the authentication center returns a ticket-expired message to the application server X, the application server X logs off the session, closes the current page and jumps to the authentication center to log in again for authentication; otherwise, the valid time of the user's ticket is extended; within the valid time of the certificate ticket the user does not need to log in again with a password, and other applications in the application server X can be opened at any time.
7. The method as claimed in claim 1, wherein in step S9, after the user clicks and opens the application A, if the user clicks the application B of another application server Y from within the application server X, the application server X requests a temporary authentication code from the authentication center, the authentication center regenerates the temporary authentication code and returns it to the application server X, the application server X carries the temporary authentication code in the URL address of the application B that jumps to the application server Y, and the application server Y sends the regenerated temporary authentication code together with its own server ID, access code and domain name to the authentication center for verification, and the following steps are performed:
a) The authentication center checks the IP, the server ID, the access code and the domain name of the application server Y, if the check is passed, the temporary authentication code is authenticated, and the step b) is carried out, otherwise, the authentication center is jumped to log in again for authentication;
b) After the authentication is passed, if the authentication center does not detect the certificate ticket of the user, generating a certificate ticket with an effective period for the user; if the authentication center detects the certificate ticket of the user, the existing certificate ticket is directly used;
c) The user selects the role in the application server Y, so that a role ID corresponding to the role and a school ID corresponding to the user ID are obtained through a user list, an application server role ID is obtained through combining the role ID and the server ID through a role coding mapping table, an application server school ID is obtained through combining the school ID and the server ID through a school coding mapping table, and an application server user ID is obtained through combining the user ID and the server ID through a user mapping table;
d) Returning the certificate ticket obtained in the step b) and the application server role ID, the application server school ID and the application server user ID obtained in the step c) to the application server Y;
e) After receiving the information returned in the step d), the application server Y automatically performs password-free login by using the application server user ID if the application server user ID is detected not to be logged in, creates session information in the application server Y, accesses the corresponding schools and roles through the application server school ID and the application server role ID, and automatically opens the application B clicked by the user.
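As an added example (not code from the patent or its applicant), the authentication-center side of claims 1, 5 and 6 in Python: server registration with access code, IP whitelist and domain (S1, claims 2 to 4), single-use expiring temporary codes (S2 to S4), reuse of a live certificate ticket (S5), the four mapping tables of claim 5 (S6, S7) and ticket expiry or extension (claim 6). The table rows, server IDs, IP addresses and the injectable `clock` parameter are constructed assumptions, as is the extra check that the selected role actually belongs to the user.

```python
import secrets

class AuthCenter:   # added example (not the patent's code): auth-center side of claims 1, 5, 6
    def __init__(self, clock):             # clock() returns the current epoch time
        self.clock = clock
        self.servers = {}        # server ID -> (access code, IP whitelist, domain)   (S1)
        self.temp_codes = {}     # temporary code -> (user ID, expiry)               (S2)
        self.tickets = {}        # user ID -> (certificate ticket, expiry)           (S5)
        # Constructed sample rows for the four tables of claim 5 (not from the patent).
        self.user_list = {"u001": ({"R1", "R2"}, "S1")}        # user -> (role IDs, school)
        self.user_map = {("u001", "srvX"): "x-user-42"}
        self.school_map = {("S1", "srvX"): "x-school-7"}
        self.role_map = {("R1", "srvX"): "x-role-teacher"}

    def register(self, server_id, ips, domain):
        access_code = secrets.token_urlsafe(24)                # letters and digits (claim 2)
        self.servers[server_id] = (access_code, set(ips), domain)
        return access_code

    def issue_temp_code(self, user_id, ttl=60):
        code = secrets.token_urlsafe(16)                       # random, short-lived (S2)
        self.temp_codes[code] = (user_id, self.clock() + ttl)
        return code

    def verify(self, server_id, access_code, ip, domain, temp_code, role_id):
        srv = self.servers.get(server_id)                      # S4: check the caller first
        if (srv is None or ip not in srv[1] or domain != srv[2]
                or not secrets.compare_digest(srv[0].encode(), access_code.encode())):
            return None
        user_id, expiry = self.temp_codes.pop(temp_code, (None, 0))   # single use
        if user_id is None or expiry < self.clock():
            return None
        ticket = self.tickets.get(user_id)                     # S5: reuse a live ticket
        if ticket is None or ticket[1] < self.clock():
            ticket = (secrets.token_urlsafe(32), self.clock() + 3600)
            self.tickets[user_id] = ticket
        try:                                                   # S6/S7: look up per-server IDs
            roles, school_id = self.user_list[user_id]         # role must belong to the user
            if role_id not in roles:
                return None
            return {"ticket": ticket[0], "app_user_id": self.user_map[(user_id, server_id)],
                    "app_school_id": self.school_map[(school_id, server_id)],
                    "app_role_id": self.role_map[(role_id, server_id)]}
        except KeyError:                                       # no mapping for this server
            return None

    def check_ticket(self, user_id, ticket, extend=3600):
        cur = self.tickets.get(user_id)
        if cur is None or cur[1] < self.clock():               # claim 6: expired -> log off
            self.tickets.pop(user_id, None)
            return False
        if not secrets.compare_digest(cur[0].encode(), ticket.encode()):
            return False                                       # wrong ticket: keep the real one
        self.tickets[user_id] = (cur[0], self.clock() + extend)  # otherwise extend validity
        return True
```

The IP, server ID, access code and domain are checked before the temporary code is consumed, so a failed caller check does not burn the user's code, while any attempt that reaches the code check consumes it, expired or not.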
CN202111269659.3A 2021-10-29 2021-10-29 Campus system single sign-on method using temporary authentication code Active CN114006751B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111269659.3A CN114006751B (en) 2021-10-29 2021-10-29 Campus system single sign-on method using temporary authentication code

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111269659.3A CN114006751B (en) 2021-10-29 2021-10-29 Campus system single sign-on method using temporary authentication code

Publications (2)

Publication Number Publication Date
CN114006751A CN114006751A (en) 2022-02-01
CN114006751B true CN114006751B (en) 2024-06-11

Family

ID=79925025

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111269659.3A Active CN114006751B (en) 2021-10-29 2021-10-29 Campus system single sign-on method using temporary authentication code

Country Status (1)

Country Link
CN (1) CN114006751B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070651B (en) * 2022-01-11 2022-04-12 中国空气动力研究与发展中心计算空气动力研究所 Single sign-on system and method

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001075549A2 (en) * 2000-03-30 2001-10-11 Cygent, Inc. System and method for establishing electronic business systems for supporting communications services commerce
JP2007293760A (en) * 2006-04-27 2007-11-08 Hitachi Ltd Single sign-on cooperation method and system using individual authentication
CN103069741A (en) * 2011-08-17 2013-04-24 华为技术有限公司 Credential authentication method and single sign-on server
CN103428077A (en) * 2013-08-22 2013-12-04 北京明朝万达科技有限公司 Method and system for safely receiving and sending mails
CN106973041A (en) * 2017-03-02 2017-07-21 飞天诚信科技股份有限公司 A kind of method, system and certificate server for issuing authentication authority
CN110557365A (en) * 2019-07-11 2019-12-10 江苏一乙生态农业科技有限公司 Safe single sign-on method based on message authentication code
CN110719277A (en) * 2019-09-30 2020-01-21 北京网瑞达科技有限公司 System and method for secure access of network device based on one-time access credential
CN111931157A (en) * 2020-08-12 2020-11-13 广东电力信息科技有限公司 Access method, device, storage medium and computer equipment of single sign-on system
CN112153041A (en) * 2020-09-21 2020-12-29 南京智数云信息科技有限公司 Method and system for realizing multisystem single sign-on based on user synchronization
CN113133076A (en) * 2019-12-30 2021-07-16 荣耀终端有限公司 Communication method, related equipment and communication system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11140155B2 (en) * 2018-11-20 2021-10-05 Imam Abdulrahman Bin Faisal University Methods, computer readable media, and systems for authentication using a text file and a one-time password


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
OAuth-SSO: A Framework to Secure the OAuth-Based SSO Service for Packaged Web Applications; Nazmul Hossain; Communications / 12th IEEE International Conference On Big Data Science And Engineering; 20180906; full text *
Design of a campus-network single sign-on ***; 刘钦创; 微处理机; 20090615 (No. 03); full text *

Also Published As

Publication number Publication date
CN114006751A (en) 2022-02-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB02 Change of applicant information
Country or region after: China
Address after: Room 316, No. 5 Fengtong Heng Street, Huangpu District, Guangzhou City, Guangdong Province, 510700
Applicant after: Guangdong Yijiaotong Technology Co.,Ltd.
Address before: 510700 room 106, room 406, No. 1, Yichuang street, Zhongxin Guangzhou Knowledge City, Huangpu District, Guangzhou City, Guangdong Province
Applicant before: GUANGDONG ETONEDU CO.,LTD.
Country or region before: China