CN114329538A - Single sign-on method and device - Google Patents


Info

Publication number: CN114329538A
Authority: CN (China)
Prior art keywords: browser plug-in, service server, random number, server, signature
Legal status: Pending
Application number: CN202111596294.5A
Other languages: Chinese (zh)
Inventors: 彭纪钢, 卢道和, 谢波, 朱敏毅
Current assignee: WeBank Co Ltd
Original assignee: WeBank Co Ltd
Application filed by WeBank Co Ltd

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The application provides a single sign-on method and device applied to an electronic device on which a browser with a plurality of browser plug-ins is installed. Based on an access request of a target object detected by the browser, the electronic device determines a page data access request corresponding to a first browser plug-in, which is one of the plurality of browser plug-ins. The page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by the service server. The electronic device sends the page data access request to the service server so that, once the request passes verification, the service server obtains the login name of the target object from the verification server and queries service data according to that login name; the electronic device then receives the service data fed back by the service server. The method ensures the security of single sign-on and the reliability of the target object's information.

Description

Single sign-on method and device
Technical Field
The invention relates to the field of financial technology (Fintech), in particular to a single sign-on method and a single sign-on device.
Background
With the development of computer technology, more and more technologies are applied in the financial field, and the traditional financial industry is gradually changing to financial technology (Fintech); big data technology is no exception. However, because of the financial industry's requirements on security and real-time performance, higher requirements are also placed on these technologies.
Current single sign-on schemes mainly comprise two types: recording a user identifier in a browser cookie, or recording it in middleware; the single sign-on service system then obtains user data according to the user identifier. However, cookies are typically saved in local files and may be stolen by trojans. In the middleware-based scheme, the service system acquires the user identifier through local middleware, which is trusted by default, but the service system cannot tell whether the user identifier is real and valid. Therefore, current single sign-on schemes have low security.
Disclosure of Invention
The application provides a single sign-on method and a single sign-on device, which are used to improve the security of single sign-on, reduce the complex verification process on the service server, and improve data processing efficiency.
In a first aspect, the present application provides a single sign-on method that is applied to an electronic device or a service server; it can be implemented by the electronic device and the service server separately or through interaction between them, and the description below takes the interaction between the electronic device and the service server as an example. The electronic device is provided with a browser, the browser is provided with a plurality of browser plug-ins, and the electronic device may be understood as a PC, a notebook computer, or the like, which is not specifically limited herein.
The electronic device may determine, based on an access request of the target object detected by the browser, a page data access request corresponding to the first browser plug-in; the first browser plug-in is one of the plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by the service server; the signature of the first random number is produced with the private key of the service server. The electronic device sends the page data access request to the service server, and the service server receives the page data access request corresponding to the first browser plug-in of the browser from the electronic device; the service server verifies the signature of the first random number in the page access request with its own public key; if the verification passes, the service server acquires the login name of the target object from the verification server and queries service data according to that login name; the service server sends the service data to the browser; and the electronic device receives the service data fed back by the service server.
In this method the login name of the target object is acquired neither from a browser cookie nor from middleware: it is acquired from the verification server only after verification has completed, so the reliability of the login name of the target object and the security of single sign-on can be ensured.
In an alternative manner, the electronic device may, based on the first browser plug-in, request the login name of the target object and the address of the electronic device from an Active Directory (AD) domain service; the electronic device receives the response of the AD domain service, which comprises the login name of the target object and the address of the electronic device; based on the first browser plug-in, the electronic device determines the identifier of the first browser plug-in from the address of the electronic device and the current timestamp, and generates a second random number; based on the first browser plug-in, the electronic device sends the encrypted login name of the target object, the encrypted identifier of the first browser plug-in and the second random number to the verification server for signature processing, which determines the signature of the second random number; the verification server decrypts the login name of the target object and the identifier of the first browser plug-in and stores them; the electronic device verifies the signature of the second random number based on the first browser plug-in; and the verification server stores the private key of the first browser plug-in and the private key of the service server.
It should be noted that different browser plug-ins correspond to different websites (for example, browser plug-in 1 corresponds to website 1), and usually the target object needs to log in with the user name registered on website 1 when querying data at website 1. The AD domain stores objects such as user account information, computer account information, printers and shared folders; the component that provides the directory service is the AD domain service, which is mainly responsible for storing, adding, deleting, modifying and querying the directory database. The electronic device obtains the login name of the target object for the first browser plug-in through the AD domain service, signature verification is then performed and the result is stored in the verification server, so the target object does not need to enter the login name again when it next opens the website corresponding to the first browser plug-in. This improves data processing efficiency and user experience; and because the service server obtains the login name of the target object from the verification server rather than from a cookie after it has verified the electronic device, the security of user information can be guaranteed.
In an optional mode, when detecting an access request of the target object, the electronic device sends a page request to the service server; the electronic device receives the response to the page request from the service server, which comprises a first random number, the identifier of the service server and the page corresponding to the first browser plug-in.
It should be noted that, after detecting the access request of the target object, the electronic device first requests the page of the first browser plug-in, so that the service data can be obtained more quickly once the page has loaded.
In an optional mode, after the electronic device loads the page corresponding to the first browser plug-in in the browser, the first random number and the identifier of the service server are encrypted by the first browser plug-in to obtain the encrypted first random number and the encrypted identifier of the service server; the first browser plug-in then performs signature processing on the encrypted first random number and the encrypted identifier of the service server, and determines the signature of the first random number.
It should be noted that signature processing is performed after the first random number is obtained from the service server, so that once the service server has verified the signature, the secure identity of the electronic device is established and the login name of the target object can be obtained from the verification server.
In an alternative manner, before the service server obtains the login name of the target object from the verification server, the service server may generate a service request signature based on the identifier of the service server, the token of the service server, and a third random number; the service server sends the service request signature, the encrypted identifier of the first browser plug-in, the identifier of the service server and the third random number to the verification server for signature verification; and if the signature verification succeeds, the service server receives the login name of the target object, which the verification server looks up according to the identifier of the first browser plug-in.
In this method, the verification server queries the login name of the target object and feeds it back to the service server only after it has verified the signature of the service server, and the service server then retrieves the related service data based on that login name. That is, after the service server has authenticated the electronic device, the verification server authenticates the service server, and only after that authentication passes is the service data of the target object queried.
In a second aspect, the present application provides a single sign-on apparatus, comprising: the determining unit is used for determining a page data access request corresponding to the first browser plug-in based on the access request of the target object detected by the browser; the first browser plug-in is one of a plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by the service server; the sending unit is used for sending a page data access request to the service server so that the service server acquires the login name of the target object from the verification server after the page access request is verified to pass, and inquires service data according to the login name of the target object; and the receiving unit is used for receiving the service data fed back by the service server.
In a third aspect, the present application provides another single sign-on apparatus, comprising: the receiving unit is used for receiving a page data access request corresponding to a first browser plug-in of a browser of the electronic equipment; the first browser plug-in is one of a plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by the service server; the verification unit is used for verifying the signature of the first random number in the page access request by adopting a public key of the service server; the query unit is used for acquiring the login name of the target object from the verification server and querying the service data according to the login name of the target object if the verification is passed; and the sending unit is used for sending the service data to the browser.
In a fourth aspect, the present application provides a computing device comprising: a memory and a processor; a memory for storing program instructions; a processor for calling the program instructions stored in the memory and executing the method of the first aspect according to the obtained program.
In a fifth aspect, the present application provides a computer storage medium storing computer-executable instructions for performing the method of the first aspect.
For technical effects that can be achieved by the second aspect to the fifth aspect, please refer to the description of the technical effects that can be achieved by the corresponding possible design scheme in the first aspect, and the detailed description is omitted here.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed in the description of the embodiments are briefly introduced below. It is obvious that the drawings in the following description show only some embodiments of the present invention, and that those skilled in the art can obtain other drawings based on them without creative effort.
FIG. 1 is a flow chart of a single sign-on;
fig. 2 is a schematic view of an application scenario for providing single sign-on according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a single sign-on provided in an embodiment of the present application;
fig. 4 is a schematic flowchart of a single sign-on provided in an embodiment of the present application;
fig. 5 is a schematic diagram illustrating an execution logic of a single sign-on according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a single sign-on apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a single sign-on apparatus according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a computing device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention.
It should be noted that the terms "first," "second," and the like in this application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or otherwise described herein. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
As described in the background, current single sign-on schemes mainly include two types, in which either a browser cookie or middleware records the user identifier. Cookie-based single sign-on is shown in fig. 1: after turning on the electronic device, the user enters the service system website in the browser; the browser requests the user's service data from the service server; the service server determines that the user is not logged in and returns a response; the browser redirects to the login page and requests that page from the single sign-on server, which returns it once the request succeeds; the user enters a user name and password in the browser; the browser sends them to the single sign-on server for single sign-on, which feeds back user identifier information after login succeeds; the browser writes the user identifier information into the cookie and requests service data from the service server; the service server requests the service data from the single sign-on server, returns it, and the browser displays it to the user. Typically, cookies are stored in local files and may be stolen by trojans. The service server trusts the single sign-on server by default, only one-way verification is carried out, and the service server cannot judge whether the user information it obtains is reliable. The access flow of the service server is complex, and a large amount of judgment and redirection logic must be completed by the service server. On this basis, the application provides a single sign-on method that improves the efficiency of single sign-on while ensuring information security.
The single sign-on process is described in detail below. In the following embodiments of the present application, "and/or" describes an association relationship of associated objects, indicating that three relationships may exist; for example, A and/or B may indicate: A exists alone, A and B exist simultaneously, or B exists alone, where A and B can be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of singular or plural items. For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may be single or multiple. The singular forms "a", "an" and "the" are intended to include the plural forms as well, such as "one or more", unless the context clearly indicates otherwise. And, unless stated to the contrary, the embodiments of the present application use the ordinal numbers "first", "second", etc. to distinguish a plurality of objects, and do not limit the sequence, timing, priority, or importance of those objects. For example, the first task execution device and the second task execution device are only distinguished from each other, and no difference in priority, degree of importance, or the like between the two is indicated.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
Fig. 2 illustrates an application scenario of single sign-on comprising an electronic device and a user, where the electronic device is provided with a browser and the browser is provided with a plurality of browser plug-ins. Fig. 2 shows the browser loading 3 browser plug-ins: website A corresponding to browser plug-in 1, website B corresponding to browser plug-in 2, and website C corresponding to browser plug-in 3. Generally, when querying data on a website, the user needs to log in with the user name registered on that website. With the method, when the user wants to access website 1, the user can obtain his service data on website 1 simply by clicking website 1 in the browser after turning on the electronic device, without logging in again with the user name registered on website 1; this improves data processing efficiency and gives the user a good service experience.
Fig. 3 is a schematic flowchart of a single sign-on method according to an embodiment of the present application, where the method may be implemented by an electronic device or a service server, and may be implemented by the electronic device and the service server separately, or implemented by interaction between the electronic device and the service server. The following may be performed:
Step 301, the electronic device may determine, based on an access request of a target object detected by the browser, a page data access request corresponding to a first browser plug-in; the first browser plug-in is one of a plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by the service server; the signature of the first random number is produced with the private key of the service server.
It should be noted that the page data access request carries the signature of the first random number in order to ensure the secure identity of the electronic device and the security of data processing. The first random number may be pushed by the service server to the browser, or sent by the service server in response to a request from the browser; this application does not limit this, and the description below takes the case in which the service server sends the first random number in response to the browser's request as an example.
For example, when the electronic device detects an access request of the target object, it sends a page request to the service server; the electronic device receives the response to the page request from the service server, which comprises the first random number, the identifier of the service server and the page corresponding to the first browser plug-in. Generally, the electronic device can request service data from a plurality of service servers, and each service server can carry its own identifier in its response to the electronic device so that the service data can be acquired quickly.
Then, after the electronic device has loaded the page corresponding to the first browser plug-in in the browser, the first random number and the identifier of the service server are encrypted by the first browser plug-in to obtain the encrypted first random number and the encrypted identifier of the service server; the first browser plug-in then performs signature processing on the encrypted first random number and the encrypted identifier of the service server, and determines the signature of the first random number. Signature processing is performed after the first random number is obtained from the service server so that, once the service server has verified the signature, the secure identity of the electronic device is established and the login name of the target object can be obtained from the verification server.
Step 302, the electronic device sends the page data access request to the service server; accordingly, the service server receives the page data access request corresponding to the first browser plug-in of the browser of the electronic device.
Step 303, the service server verifies the signature of the first random number in the page access request using its own public key.
Step 304, if the verification passes, the service server acquires the login name of the target object from the verification server and queries the service data according to that login name.
Step 305, the service server sends the service data to the browser; accordingly, the electronic device receives the service data fed back by the service server.
In this method the login name of the target object is acquired neither from a browser cookie nor from middleware: it is acquired from the verification server only after verification has completed, so the reliability of the login name of the target object and the security of single sign-on can be ensured.
In an alternative mode, the electronic device can, based on the first browser plug-in, request the login name of the target object and the address of the electronic device from the AD domain service; the electronic device receives the response of the AD domain service, which comprises the login name of the target object and the address of the electronic device; based on the first browser plug-in, the electronic device determines the identifier of the first browser plug-in from the address of the electronic device and the current timestamp, and generates a second random number; based on the first browser plug-in, the electronic device sends the encrypted login name of the target object, the encrypted identifier of the first browser plug-in and the second random number to the verification server for signature processing, which determines the signature of the second random number; the verification server decrypts the login name of the target object and the identifier of the first browser plug-in and stores them; the electronic device verifies the signature of the second random number based on the first browser plug-in; the verification server stores the private key of the first browser plug-in and the private key of the service server.
It should be noted that different browser plug-ins correspond to different websites (for example, browser plug-in 1 corresponds to website 1), and usually the target object needs to log in with the user name registered on website 1 when querying data at website 1. The AD domain stores objects such as user account information, computer account information, printers and shared folders; the component that provides the directory service is the AD domain service, which is mainly responsible for storing, adding, deleting, modifying and querying the directory database. The electronic device obtains the login name of the target object for the first browser plug-in through the AD domain service, signature verification is then performed and the result is stored in the verification server, so the target object does not need to enter the login name again when it next opens the website corresponding to the first browser plug-in. This improves data processing efficiency and user experience; and because the service server obtains the login name of the target object from the verification server rather than from a cookie after it has verified the electronic device, the security of user information can be guaranteed.
In an alternative manner, before the service server obtains the login name of the target object from the verification server, the service server may generate a service request signature based on the identifier of the service server, the token of the service server, and a third random number; the service server sends the service request signature, the encrypted identifier of the first browser plug-in, the identifier of the service server and the third random number to the verification server for signature verification; and if the signature verification succeeds, the service server receives the login name of the target object, which the verification server looks up according to the identifier of the first browser plug-in.
In this method, the verification server queries the login name of the target object and feeds it back to the service server only after it has verified the signature of the service server, and the service server then retrieves the related service data based on that login name. That is, after the service server has authenticated the electronic device, the verification server authenticates the service server, and only after that authentication passes is the service data of the target object queried.
To better explain the scheme of the present application, it is specifically illustrated by the single sign-on method shown in fig. 4. The first browser plug-in stores its public key p_pub; the verification server stores the private key p_inv of the first browser plug-in and the private key b_inv of the service server; the login name of the target object is user; the address of the electronic device is ip; the first random number is b_ran; b_ran_enc is the encrypted first random number; user_enc is the encrypted login name of the target object; p_key_enc is the encrypted identifier of the first browser plug-in; p_key is the identifier of the first browser plug-in; the second random number is p_ran; p_ran_sign is the signature of the second random number; b_pub is the public key of the service server; b_appid is the identifier of the service server; b_token is the token of the service server; b_nonce is the third random number; and b_req_sign is the signature of the service request.
The first browser plug-in obtains user, ip and a timestamp from the AD domain service, generates p_key = ip + timestamp and the second random number p_ran, and then encrypts p_key and user. RSA may be used for the encryption, or other schemes may be used; the present application does not specifically limit this. Specifically:
p_key_enc=rsa.encrypt(p_key,p_pub)
user_enc=rsa.encrypt(user,p_pub)
Then the first browser plug-in sends this information to the verification server to register the relation between the first browser plug-in and the target object. The verification server decrypts p_key and user with the private key of the first browser plug-in, stores them in a database, and returns the signature of p_ran to the first browser plug-in: p_ran_sign = sign(p_ran, p_inv). The first browser plug-in verifies the signature of the second random number, which prevents an intermediate system from intercepting the request; whether the signature of the second random number is valid can be checked with rsa.verify(p_ran_sign, p_pub).
The target object, namely the user, enters the website address in the browser; the service server responds to the browser request, returns the page corresponding to the first browser plug-in, generates b_ran, and writes b_ran and b_appid into the cookie so that a subsequent interface can check whether the user information is valid. After the browser page has loaded, the first browser plug-in encrypts b_ran and b_appid to obtain b_ran_enc and b_appid_enc and sends them to the verification server; the verification server obtains b_inv according to b_appid, signs with b_inv to obtain b_ran_sign, and returns b_ran_sign to the browser plug-in, where b_ran_sign is rsa.
The first browser plug-in then modifies the request headers (namely, the page data access requests) of all requests to the service server, placing p_key_enc and b_ran_sign in the request headers. After receiving a page data request sent by the browser, the service server takes p_key_enc and b_ran_sign out of the request header, first verifies the validity of the signature to prevent forged user information, and then obtains the user information, namely user, from the verification server. Specifically, the following steps may be executed in sequence:
Step A: verify whether the signature b_ran_sign is valid: rsa.verify(b_ran_sign, b_pub);
Step B: generate a signature b_req_sign = generate_sign(b_appid, b_token, b_nonce);
Step C: send b_req_sign, p_key_enc, b_appid and b_nonce to the verification server;
Step D: the verification server takes out b_token according to b_appid, generates a signature from b_token, b_appid and b_nonce, compares it with b_req_sign, and returns the user information if the two are consistent;
Step E: the verification server can cache the user information keyed by p_key_enc, so that the user information is not repeatedly acquired from the verification server within a short time.
It should be noted that the integration burden on the service server is relatively low: by using a trusted third-party service, namely the verification server, the work that each service server would otherwise have to repeat is reduced, and only one key pair needs to be held between the browser plug-in and the verification server, instead of placing keys in the service server. If the keys were placed in the service server, each service server would hold the key pair, which increases the risk of key leakage and also reduces the reliability of the browser plug-in.
FIG. 5 illustrates the execution logic of the present application as follows:
Step 1: the first browser plug-in obtains the login name of the target object from the local AD domain service; no verification is needed in this step.
Step 2: the first browser plug-in reports the login name of the target object, the second random number, the identifier of the first browser plug-in and similar information to the verification server, encrypting the information with the public key.
Step 3: the verification server returns the signature of the second random number, and the first browser plug-in verifies the signature with the public key.
Step 4: the service server transmits the first random number and the identifier of the service server to the first browser plug-in, and the first browser plug-in writes them into the cookie without encryption.
Step 5: the first browser plug-in transmits the encrypted first random number and the encrypted identifier of the service server to the verification server.
Step 6: the verification server decrypts them to obtain the first random number and the identifier of the service server, and signs the first random number with the private key of the service system to obtain the signature of the first random number.
Step 7: the first browser plug-in sends the signature of the first random number to the service server for signature verification.
Step 8: the service server acquires the user information from the verification server.
Based on the same concept, an embodiment of the present application provides a single sign-on apparatus, as shown in fig. 6, including: a determination unit 61, a transmission unit 62 and a reception unit 63.
The determining unit 61 is configured to determine, based on an access request of a target object detected by a browser, a page data access request corresponding to a first browser plug-in; the first browser plug-in is one of a plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by the service server; the signature of the first random number is determined by a private key signature of the service server; a sending unit 62, configured to send a page data access request to a service server, so that the service server obtains a login name of a target object from a verification server after the page access request is verified, and queries service data according to the login name of the target object; a receiving unit 63, configured to receive the service data fed back by the service server.
In the method, the login name of the target object is acquired neither from the cookie of the browser nor from middleware; it is acquired from the verification server only after the verification has completed. This ensures the reliability of the login name of the target object and the security of single sign-on.
In an optional manner, the single sign-on apparatus further includes a processing unit, which may request a login name of the target object and an address of the electronic device from an Active Directory (AD) domain service based on the first browser plug-in; the electronic equipment receives response information of the AD domain service, wherein the response information of the AD domain service comprises a login name of a target object and an address of the electronic equipment; the electronic equipment determines the identifier of the first browser plug-in and a second random number according to the address of the electronic equipment and the current timestamp based on the first browser plug-in; the electronic equipment sends the encrypted login name of the target object, the encrypted identifier of the first browser plug-in and the second random number to a verification server for signature processing based on the first browser plug-in, and determines the signature of the second random number; the verification server decrypts the login name of the target object and the identifier of the first browser plug-in and stores the login name and the identifier of the first browser plug-in; the electronic equipment verifies the signature of the second random number based on the first browser plug-in; the verification server stores a private key of the service server, and the first browser plug-in stores a public key of the service server.
It should be noted that different browser plug-ins correspond to different websites; for example, browser plug-in 1 corresponds to website 1, and the target object usually needs to log in with a user name registered on website 1 when querying data at website 1. The AD domain stores objects such as user account information, computer account information, printers and shared folders; the component providing the directory service is the AD domain service, which is mainly responsible for storing, adding, deleting, modifying and querying the directory database. The electronic device obtains the login name of the target object in the first browser plug-in through the AD domain service, the login name is then signature-verified and stored in the verification server, and the target object does not need to enter the login name again when the website corresponding to the first browser plug-in is opened again. This improves data processing efficiency and the user experience; and because the service server obtains the login name information of the target object from the verification server rather than from the cookie after it has verified the electronic device, the security of the user information is guaranteed.
In an optional manner, the single sign-on device further includes a processing unit, and the processing unit sends a page request to the service server when detecting an access request of the target object; the electronic equipment receives response information of a page request from the service server, wherein the response information of the page request comprises a first random number, an identifier of the service server and a page corresponding to the first browser plug-in.
It should be noted that, after detecting the access request of the target object, the electronic device first requests the page of the first browser plug-in, so that the service data can be obtained more quickly once the page has loaded successfully.
In an optional manner, after loading a page corresponding to a first browser plug-in based on a browser, the processing unit encrypts the first random number and the identifier of the service server through the first browser plug-in to obtain the encrypted first random number and the encrypted identifier of the service server; and performing signature processing on the encrypted first random number and the encrypted identification of the service server based on the first browser plug-in, and determining the signature of the first random number.
It should be noted that, after the first random number is obtained from the service server, signature processing is performed so that after the service server passes verification, the secure identity of the electronic device is determined, and the login name of the target object is obtained from the verification server.
Based on the same concept, an embodiment of the present application provides a single sign-on apparatus, as shown in fig. 7, including: a receiving unit 71, an authentication unit 72, a querying unit 73 and a sending unit 74.
The receiving unit 71 is configured to receive a page data access request corresponding to a first browser plug-in of a browser of the electronic device; the first browser plug-in is one of a plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by the service server; the signature of the first random number is determined by a private key signature of the service server; a verification unit 72, configured to verify a signature of the first random number in the page access request by using a public key of the service server; the query unit 73 is configured to, if the verification passes, obtain a login name of the target object from the verification server, and query the service data according to the login name of the target object; a sending unit 74, configured to send the service data to the browser.
In an optional manner, the single sign-on apparatus further includes a processing unit, which generates a service request signature based on the identifier of the service server, the token of the service server, and the third random number; the service server sends the service request signature, the encrypted identifier of the first browser plug-in, the identifier of the service server and the third random number to a verification server for signature verification; and if the signature verification is successful, receiving the login name of the target object inquired by the verification server according to the identifier of the first browser plug-in.
In the method, after the verification server has verified the signature of the service server, it queries the login name of the target object and feeds it back to the service server, and the service server retrieves the related service data based on that login name. In other words, after the service server has authenticated the electronic device, the verification server verifies the identity of the service server, and only after that authentication passes is the service data of the target object queried.
After introducing the single sign-on method and apparatus in the exemplary embodiments of the present application, a computing device in another exemplary embodiment of the present application is introduced next.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
In some possible implementations, a computing device according to the present application may include at least one processor, and at least one memory. Wherein the memory stores a computer program that, when executed by the processor, causes the processor to perform the steps of the single sign-on method according to various exemplary embodiments of the present application described above in the present specification. For example, the processor may perform steps 301-305 as shown in FIG. 3.
The computing device 130 according to this embodiment of the present application is described below with reference to fig. 8. The computing device 130 shown in fig. 8 is only an example and should not bring any limitations to the functionality or scope of use of the embodiments of the present application. As shown in fig. 8, the computing device 130 is embodied in the form of a general purpose smart terminal. Components of computing device 130 may include, but are not limited to: the at least one processor 131, the at least one memory 132, and a bus 133 that connects the various system components (including the memory 132 and the processor 131).
Bus 133 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures. The memory 132 may include readable media in the form of volatile memory, such as Random Access Memory (RAM)1321 and/or cache memory 1322, and may further include Read Only Memory (ROM) 1323. Memory 132 may also include a program/utility 1325 having a set (at least one) of program modules 1324, such program modules 1324 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Computing device 130 may also communicate with one or more external devices 134 (e.g., keyboard, pointing device, etc.) and/or any device (e.g., router, modem, etc.) that enables computing device 130 to communicate with one or more other intelligent terminals. Such communication may occur via input/output (I/O) interfaces 135. Also, computing device 130 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via network adapter 136. As shown, network adapter 136 communicates with other modules for computing device 130 over bus 133. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with computing device 130, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In some possible embodiments, the aspects of the transaction data backup method provided herein may also be implemented in the form of a program product including a computer program for causing a computer device to perform the steps of the single sign-on method according to various exemplary embodiments of the present application described above in this specification when the program product is run on the computer device. For example, the processor may perform steps 301-305 as shown in FIG. 3.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product for three-dimensional visual repositioning of embodiments of the present application may employ a portable compact disc read-only memory (CD-ROM) and include a computer program, and may be run on a smart terminal. The program product of the present application is not so limited, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with a readable computer program embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more units described above may be embodied in one unit, according to embodiments of the application. Conversely, the features and functions of one unit described above may be further divided into embodiments by a plurality of units.
Further, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable access frequency predicting device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable access frequency predicting device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable access device to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable access device to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A single sign-on method is applied to electronic equipment, the electronic equipment is provided with a browser, the browser is provided with a plurality of browser plug-ins, and the method comprises the following steps:
the electronic equipment determines a page data access request corresponding to a first browser plug-in based on an access request of a target object detected by the browser; the first browser plug-in is one of the plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by a service server; the signature of the first random number is determined by a private key signature of a service server;
the electronic equipment sends the page data access request to the service server, so that the service server obtains the login name of the target object from a verification server after the page access request is verified to pass, and inquires service data according to the login name of the target object;
and the electronic equipment receives the service data fed back by the service server.
2. The method of claim 1, further comprising:
the electronic equipment requests a login name of the target object and an address of the electronic equipment from an AD domain service based on the first browser plug-in;
the electronic equipment receives response information of the AD domain service, wherein the response information of the AD domain service comprises a login name of the target object and an address of the electronic equipment;
the electronic equipment determines the identification of the first browser plug-in and a second random number according to the address of the electronic equipment and the current timestamp based on the first browser plug-in;
the electronic equipment sends the encrypted login name of the target object, the encrypted identifier of the first browser plug-in and the second random number to the verification server for signature processing based on the first browser plug-in, and determines the signature of the second random number; the verification server decrypts the login name of the target object and the identifier of the first browser plug-in and stores the login name and the identifier of the first browser plug-in;
the electronic device verifying a signature of the second random number based on the first browser plug-in;
the verification server stores a private key of the first browser plug-in and a private key of the business server.
3. The method according to claim 1 or 2, wherein before the electronic device detects the access request of the target object and determines the page data access request corresponding to the first browser plug-in, the method further comprises:
the electronic equipment sends a page request to the service server when detecting an access request of a target object;
and the electronic equipment receives response information of the page request from the service server, wherein the response information of the page request comprises the first random number, the identification of the service server and a page corresponding to the first browser plug-in.
4. The method of claim 3, further comprising:
after the electronic equipment loads a page corresponding to the first browser plug-in based on the browser, encrypting the first random number and the identification of the service server through the first browser plug-in to obtain the encrypted first random number and the encrypted identification of the service server;
and the electronic equipment signs the encrypted first random number and the encrypted identification of the service server based on the first browser plug-in, and determines the signature of the first random number.
5. A single sign-on method is applied to a service server and comprises the following steps:
the business server receives a page data access request corresponding to a first browser plug-in of a browser of the electronic equipment; the first browser plug-in is one of the plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by a service server; the signature of the first random number is determined by a private key signature of a service server;
the service server adopts a public key of the service server to verify the signature of the first random number in the page access request;
if the verification is passed, the business server acquires the login name of the target object from the verification server, and inquires business data according to the login name of the target object;
and the service server sends the service data to the browser.
6. The method of claim 5, wherein before the service server obtains the login name of the target object from the authentication server, the method further comprises:
the service server generates a service request signature based on the identification of the service server, the token of the service server and a third random number;
the service server sends the service request signature, the encrypted identifier of the first browser plug-in, the identifier of the service server and the third random number to the verification server for signature verification;
the business server obtains the login name of the target object from the verification server, and the method comprises the following steps:
and if the signature verification is successful, receiving the login name of the target object inquired by the verification server according to the identifier of the first browser plug-in.
7. A single sign-on device, comprising:
the determining unit is used for determining a page data access request corresponding to a first browser plug-in based on the access request of the target object detected by the browser; the first browser plug-in is one of the plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by a service server; the signature of the first random number is determined by a private key signature of a service server;
a sending unit, configured to send the page data access request to the service server, so that the service server obtains a login name of the target object from a verification server after the page access request is verified, and queries service data according to the login name of the target object;
and the receiving unit is used for receiving the service data fed back by the service server.
8. A single sign-on device, comprising:
the receiving unit is used for receiving a page data access request corresponding to a first browser plug-in of a browser of the electronic equipment; the first browser plug-in is one of the plurality of browser plug-ins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plug-in; the first random number is generated by a service server; the signature of the first random number is determined by a private key signature of a service server;
the verification unit is used for verifying the signature of the first random number in the page access request by adopting a public key of the service server;
the query unit is used for acquiring the login name of the target object from the verification server and querying the service data according to the login name of the target object if the verification is passed;
and the sending unit is used for sending the service data to the browser.
9. A computing device, comprising: a memory and a processor;
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to perform the method of any of claims 1-4 or 5-6 in accordance with the obtained program.
10. A computer storage medium storing computer-executable instructions for performing the method of any one of claims 1-4 or 5-6.
CN202111596294.5A 2021-12-24 2021-12-24 Single sign-on method and device Pending CN114329538A (en)

Publications (1)

Publication Number Publication Date
CN114329538A (en) 2022-04-12

Family

ID=81012764

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111596294.5A Pending CN114329538A (en) 2021-12-24 2021-12-24 Single sign-on method and device

Country Status (1)

Country Link
CN (1) CN114329538A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697137A (en) * 2022-05-10 2022-07-01 中国建设银行股份有限公司 Application program login method, device, equipment and storage medium
CN114826616A (en) * 2022-04-27 2022-07-29 中国建设银行股份有限公司 Data processing method, device, electronic equipment and medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826616A (en) * 2022-04-27 2022-07-29 中国建设银行股份有限公司 Data processing method, device, electronic equipment and medium
CN114826616B (en) * 2022-04-27 2024-04-26 中国建设银行股份有限公司 Data processing method, device, electronic equipment and medium
CN114697137A (en) * 2022-05-10 2022-07-01 中国建设银行股份有限公司 Application program login method, device, equipment and storage medium
CN114697137B (en) * 2022-05-10 2024-05-10 中国建设银行股份有限公司 Application program login method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
US10270758B2 (en) Login method, server, and login system
CN108900464B (en) Electronic device, block chain-based data processing method, and computer storage medium
US8997198B1 (en) Techniques for securing a centralized metadata distributed filesystem
CN114726643B (en) Data storage and access methods and devices on cloud platform
US8850185B1 (en) Post attack man-in-the-middle detection
KR102146587B1 (en) Method, client, server and system of login verification
US9219722B2 (en) Unclonable ID based chip-to-chip communication
CN110048848B (en) Method, system and storage medium for sending session token through passive client
US20160219041A1 (en) Sharing usb key by multiple virtual machines located at different hosts
CN109657492B (en) Database management method, medium, and electronic device
US11888980B2 (en) Stateless service-mediated security module
CN114329538A (en) Single sign-on method and device
US11949688B2 (en) Securing browser cookies
CN113765968A (en) File transmission method, device and system
CN116980230A (en) Information security protection method and device
CN114172663B (en) Business right determining method and device based on block chain, storage medium and electronic equipment
CN114584381A (en) Security authentication method and device based on gateway, electronic equipment and storage medium
WO2022088710A1 (en) Mirror image management method and apparatus
US10326833B1 (en) Systems and method for processing request for network resources
CN112862484A (en) Secure payment method and device based on multi-terminal interaction
CN114584378B (en) Data processing method, device, electronic equipment and medium
CN114640524B (en) Method, apparatus, device and medium for processing transaction replay attack
CN114095165B (en) Key updating method, server device, client device and storage medium
CN115022012A (en) Data transmission method, device, system, equipment and storage medium
CN114065170A (en) Method and device for acquiring platform identity certificate and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination