Content of the utility model
The purpose of the utility model is to solve the above-mentioned problem that secondary development requires source-code-level modification, and to provide a single sign-on platform that needs no agent to be installed on the service side or in the resource system, and that lets a user authenticate once and roam everywhere.
The technical solution adopted by the utility model is a single sign-on platform based on account auto-fill, comprising:
an account auto-fill unit for installation on a client server;
an authentication server comprising a user management unit for managing primary account information and an authentication unit for authenticating user identities, the authentication unit being communicatively connected with the user management unit in order to obtain primary account information, and the authentication unit being communicatively connected with the account auto-fill unit; and
an account management server comprising an account management unit for managing sub-accounts and a master/sub allocation unit for mapping primary accounts to sub-accounts, the master/sub allocation unit being communicatively connected with the user management unit and with the account management unit.
Preferably, the authentication server further comprises a state monitoring unit for monitoring the user's state, the state monitoring unit being communicatively connected with the user management unit and with the account auto-fill unit.
Preferably, the authentication server and the account management server are deployed on the same server, or each on a separate server.
The beneficial effects of the utility model are: according to the master/sub account association authorized by the account management server and the authentication server's result of authenticating the user's primary account, the account auto-fill unit automatically fills in the corresponding account authentication information (sub-account and sub-password), so that the user is logged in to the target resource system automatically; and the target resource systems require no source-code-level modification when single sign-on is integrated.
Embodiments
As shown in Figure 2, compared with a general network structure, the improved network structure adds the single sign-on platform 30 based on account auto-fill described in the utility model. The single sign-on platform 30 comprises an authentication server 34, an account management server 33 and an account auto-fill unit 35. In a typical deployment, the authentication server 34 and the account management server 33 are each deployed as an independent server, and the account auto-fill unit 35 is deployed on the client servers of the client side 20, such as client servers 21 and 22. The single sign-on platform 30 also supports a simplified installation in which the authentication server 34 and the account management server 33 are both deployed on a single server; the account auto-fill unit 35, however, must be deployed on the client servers of the client side 20.
The authentication server 34 and account management server 33, the client servers of the client side 20, and the resource servers of the service side 40, such as 41 and 42, may be communicatively connected to one another through a switch 43.
The single sign-on platform 30 manages user access control on the basis of a master/sub account management model. Before a user accesses protected resources held on a resource server from a client server, the user must first complete primary account authentication at the authentication server 34 by actively entering the primary account and master password. The user may then access the resource server directly with a standard client tool on client server 21 or 22 (such as a web browser or other standard client software), or the user may click the corresponding configuration item in the authorized resource list provided by the authentication server 34 on client server 21 or 22, which starts the standard client tool on the client server to access the resource server. When the account auto-fill unit 35 deployed on the client server recognizes that an account needs to be filled in, it identifies the user by the primary account identifier, i.e. the primary account, from the user management unit of the authentication server 34, obtains from the account management unit of the account management server 33 the account and password corresponding to the resource server the user wishes to log in to, i.e. the sub-account and sub-password, and then automatically fills in the sub-account and sub-password, thereby logging the user in automatically.
As shown in Figure 2, the administrator logs in to the user management unit of the authentication server 34 to perform user management tasks such as creating users (primary accounts), deleting users, querying users and modifying users.
As shown in Figure 3, the account management flow of the account management server 33 is as follows:
1) The administrator logs in to the resource management unit of the account management server to perform resource management operations, including adding, deleting, modifying and querying resources;
2) The administrator logs in to the account management unit of the account management server to perform sub-account management operations on specific resources, including account collection, account addition, account deletion and account password reset;
3) The administrator selects the sub-account of a specific resource, obtains the user's primary account from the user management unit of the authentication server through the master/sub allocation unit of the account management server, and then authorizes the master/sub account association.
As shown in Figure 4, the active-mode user authentication flow is as follows:
1) The user accesses the web service of the authentication server directly over HTTPS from the client server, establishing an SSL-based secure channel between the client browser and the authentication server 34;
2) After the user submits the primary account authentication information through the client browser, the authentication unit of the authentication server 34 queries the information held in the user management unit and returns the user authentication result and the list of authorized resources;
3) At this point the user's primary account authentication has succeeded, and the user may access the resource servers that the user is authorized to access;
4) At the same time, the state monitoring unit of the authentication server 34 monitors the user's client in real time and logs the user out promptly when it detects that the user has actively exited, has performed no operation for a long time, or has gone offline abnormally.
As shown in Figure 5, the passive-mode user authentication flow is as follows:
1) The user accesses a resource server from the client using a standard client tool (such as a web browser or other standard client software);
2) The resource server prompts the user to perform primary account authentication, or redirects the user to the authentication unit of the authentication server 34 for authentication;
3) The subsequent flow is the same as the "active-mode user authentication flow" described above.
As shown in Figure 6, the flow in which the account auto-fill unit operates in active mode is as follows:
1) The account auto-fill unit deployed on the client server actively monitors resource access behaviour and triggers the following processing when the user accesses a resource server;
2) The account auto-fill unit queries the state monitoring unit of the authentication server as to whether the user is online;
3) The account auto-fill unit obtains from the account management unit of the account management server the sub-account and sub-password for the resource the user is authorized to access;
4) The account auto-fill unit automatically fills in the sub-account and sub-password, assisting the user to complete single sign-on to the resource system.
As shown in Figure 7, the flow in which the account auto-fill unit operates in passive mode is as follows:
1) The user actively performs primary account authentication with the authentication unit of the authentication server through the client server;
2) After the primary account authentication passes, the authentication server queries the resource management unit of the account management server for the resources the user is authorized to access and presents them to the user;
3) The user clicks a specific resource to log in;
4) The authentication server then queries the account management unit of the account management server for the corresponding sub-account and sub-password;
5) The authentication server notifies the account auto-fill unit to perform the account filling;
6) The account auto-fill unit starts the standard client software and completes the account filling, assisting the user to access the resource by single sign-on.
As shown in Figure 8, the flow in which the state monitoring unit performs user re-identification processing is as follows:
1) The account auto-fill unit detects the user's keyboard and mouse activity in real time;
2) When the user is active within the specified time, the account auto-fill unit periodically reports to the state monitoring unit of the authentication server that the user is in the active state;
3) When the user performs no operation within the specified time, the account auto-fill unit immediately reports that the user is in the idle state, and the state monitoring unit maintains the user's online state; when it detects that the user has actively exited, has performed no operation for a long time, or has gone offline abnormally, the state monitoring unit promptly notifies the user management unit to log the user out.
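The active-mode auto-fill flow (Figure 6) together with the state monitoring flow (Figure 8), modelled as an added Python example that is not part of the utility model: the class and function names, the PBKDF2 password storage and the 300-second idle timeout are assumptions. It shows the check the design relies on: sub-account credentials are released only for a user whose primary account is authenticated, who is still online according to the state monitoring unit, and who holds a master/sub association for that resource.

```python
import hashlib, hmac, os

IDLE_TIMEOUT = 300  # seconds without keyboard/mouse activity before logout (assumed value)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthenticationServer:
    """User management unit, authentication unit and state monitoring unit (assumed names)."""
    def __init__(self):
        self._users = {}      # primary account -> (salt, password hash)
        self._last_seen = {}  # primary account -> last activity time; present only while online
    def create_user(self, master, password):  # administrator creates a primary account
        salt = os.urandom(16)
        self._users[master] = (salt, _pw_hash(password, salt))
    def authenticate(self, master, password, now):  # primary account authentication
        rec = self._users.get(master)
        if rec is None or not hmac.compare_digest(rec[1], _pw_hash(password, rec[0])):
            return False
        self._last_seen[master] = now
        return True
    def report_activity(self, master, now):  # periodic "user active" report from the auto-fill unit
        if master in self._last_seen:
            self._last_seen[master] = now
    def is_online(self, master, now):  # state monitoring unit: idle users are logged out
        last = self._last_seen.get(master)
        if last is not None and now - last <= IDLE_TIMEOUT:
            return True
        self._last_seen.pop(master, None)  # idle or never authenticated: treated as logged out
        return False

class AccountManagementServer:
    """Account management unit and master/sub allocation unit (assumed names)."""
    def __init__(self):
        self._sub_accounts = {}  # (resource, sub-account) -> sub-password
        self._mapping = {}       # (primary account, resource) -> authorized sub-account
    def add_sub_account(self, resource, sub_account, sub_password):
        self._sub_accounts[(resource, sub_account)] = sub_password
    def authorize(self, master, resource, sub_account):  # master/sub account association
        self._mapping[(master, resource)] = sub_account
    def credentials_for(self, master, resource):
        sub = self._mapping.get((master, resource))
        return None if sub is None else (sub, self._sub_accounts[(resource, sub)])

def auto_fill(auth, accounts, master, resource, now):
    """Auto-fill unit, active mode: credentials only for an online user with an association."""
    if not auth.is_online(master, now):
        return None
    return accounts.credentials_for(master, resource)
```

The unit that fills the form never sees the master password, and an unauthorized or idle user receives nothing to fill in.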
The foregoing is only a preferred embodiment of the utility model and is not intended to limit the scope of the utility model. All equivalent changes and modifications made according to the content of the claims of the utility model shall fall within the technical scope of the utility model.