A method for realizing single sign-on in an Internet BOSS
Technical field
The present invention relates to telecom business support systems, and in particular to a method that realizes unified authentication, single sign-on, and synchronization of telecom customer information, account information and user information across the operation systems of each support system; specifically, a method for realizing single sign-on in an Internet BOSS.
Background art
At present, the channel contact systems of China Telecom, such as the online business hall, the physical business hall, the 10000 customer service number and self-service terminals, use authentication systems of various forms: authentication based on the CRM customer ID and customer password, authentication based on the product identifier and product password, authentication based on the account, and so on. Some provinces have also developed new forms of authentication on this basis, such as authentication by product identifier and customer password, or by customer ID and a two-level customer password. The existing authentication modes are therefore complex and varied. Most of the authentication data is distributed within the core support systems of the MBOSS domain, which objectively forces support systems such as CRM and the billing and accounting system to provide, in addition to their service operation support functions, authentication services for entities such as customers, accounts and products to the channel contact systems, adding to the burden of the core support systems.
Meanwhile, the enterprise transformation of China Telecom has also driven the rapid development of value-added services, and there is an urgent need to integrate the service resources of value-added services through a portal website, giving telecom customers a centralized and unified channel for presenting and using services. As the main channel of contact with telecom customers, the online business hall of China Telecom urgently needs its status as a portal website to be promoted further, driving service integration through portal construction and gradually developing into a comprehensive customer service portal that integrates customer service, service promotion and product use.
In addition, with the development of value-added telecom services and the growing number of service platforms, users must remember not only the customer service account of the channel contact system but also the accounts of multiple value-added service products, and must provide the corresponding authentication information before each login to each service platform. This inconvenience degrades the user experience and is also unfavourable to the bundled sale and promotion of multiple telecom services.
Therefore a unified authentication center for external MBOSS customers (hereinafter the "unified authentication platform") needs to be established. On the one hand it integrates the existing authentication systems, shields the authentication of core support systems such as CRM, and provides authentication services to the channel contact systems in a unified way. On the other hand, when a user accesses the various value-added services centrally from a channel contact system such as the online business hall, it provides unified authentication and single sign-on across services and platforms, thereby improving the user experience.
Summary of the invention
The object of the invention is to address the problems that the login process of the existing Internet BOSS is complicated, that telecom users must remember the registration accounts and passwords of multiple operation systems, and that login authentication must be repeated as the Internet BOSS routes the user to each operation system, by providing a technical architecture based on Web and digital certificate security processing that is rationally structured, highly extensible and secure.
The technical scheme of the invention is as follows:
A method for realizing single sign-on in an Internet BOSS:
A. Set up a unified single sign-on system, UAM, on the telecom server, and configure the interface modules between the Internet BOSS and each service subsystem;
B. Store the three-family information of the telecom operator, namely customer information, account information and user information, centrally in the UAM; the UAM provides each telecom service subsystem with a synchronization interface for the three kinds of user data. Authenticate the three-family information centrally, with the UAM providing a unified authentication interface to the service subsystems;
C. Configure the data certificate between the UAM SIM and the Internet BOSS, and the digital certificates for authentication between the UAM and each service subsystem.
In step A of the invention, configuring the interface modules between the Internet BOSS and each service subsystem comprises the following steps:
(1) configure the UAM basic information, comprising the service subsystem platform code, platform access address, platform login state and platform access state information;
(2) configure the UAM service platform information, comprising the service subsystem code, service platform name and local logout address of the service platform;
(3) configure the UAM parameter information, comprising the UAM address, the online business system code, the validity period of the authentication assertion, and the IP address of the UAM group interface.
In step C of the invention, configuring the digital certificates for authentication comprises the following steps:
(1) generate the UAM digital certificate and deploy it, deployment meaning that a copy of the digital certificate is saved to the UAM application server;
(2) generate the data certificate between the UAM SIM and the Internet BOSS and provide it to the online business hall;
(3) generate the digital certificates for authentication between the UAM and each service subsystem and provide them to each operation system.
The invention proceeds through the following steps:
(1) the user accesses a restricted resource of the Internet BOSS;
(2) the online business hall checks whether a local Token corresponding to the user client exists on the telecom server, that is, the authentication information for the user's access to the corresponding service subsystem; if it exists, the user is logged in to the service subsystem successfully; otherwise, go to step 3;
(3) the online business hall redirects the user to request the unified authentication platform UA;
(4) the UA checks whether a global Token corresponding to the user client exists on the telecom server, that is, the authentication information generated when the user authenticated and logged in at the online business hall or at any operation system;
If no global Token exists, the UA presents the authentication login page to the user and prompts for any one of the three-family identifiers as authentication information; the UA authenticates the user, and if authentication succeeds it generates a global Token and goes to step 5; if authentication fails, the UA displays a login error message;
If a global Token exists, go to step 5;
(5) the UA generates a Ticket and assertion information for this authenticated user at the online business hall; the assertion information is the descriptive data confirming that this authentication is legitimate, and the Ticket is the index of this assertion;
(6) the UA redirects the user browser to the online business hall, attaching the Ticket of this authentication;
(7) using the returned Ticket, the online business hall queries the UA for the assertion information corresponding to this Ticket;
(8) the UA returns the assertion information corresponding to this Ticket to the online business hall and destroys the Ticket;
(9) the online business hall generates a local Token, marks the user's login identity, and the login succeeds;
(10) the online business hall displays the login success page to the user browser.
When a global Token exists, the UAM can perform the authentication and generates a legitimate authentication message for the online business hall or operation system; this legitimate authentication message is called an assertion, and each assertion has an index ID, which is called the Ticket.
Beneficial effects of the invention:
1. Improved customer experience: after a customer logs in at one channel platform, a single authentication gives access to all services across the service platforms.
2. Customer-centric account operation: with the rapid development of value-added telecom services, customer-centric account operation is becoming the trend, and multiple account systems need to be integrated; likewise the portal status of the customer-oriented online business hall needs to be promoted, driving the integration of service resources, realizing unified authentication and single sign-on across systems and platforms, and meeting the requirements of service interface integration and a consistent customer experience.
3. Optimized IT architecture: on the one hand, the authentication load on the core support systems (such as CRM and billing and accounting) is relieved; on the other hand, a safe and efficient authentication system with unified authentication, centralized management and data sharing is built, reducing the access cost for other service platforms.
Brief description of the drawings
Fig. 1 is a schematic diagram of the relationships between the UAM (unified authentication) system and the support systems, the Internet BOSS and each operation system.
Fig. 2 is a schematic diagram of the UAM (unified authentication) realizing single sign-on.
Fig. 3 is a sequence diagram of the UAM (unified authentication) realizing federated single sign-on.
Embodiment
The invention is further described below with reference to the drawings and examples.
As shown in Fig. 1, a method for realizing single sign-on in an Internet BOSS comprises the following steps:
A. The three-family information of the telecom operator, namely customer information, account information and user information, is stored centrally in the UAM, and the UAM provides a synchronization interface for the three kinds of user data;
B. The three-family information is authenticated centrally, and the UAM provides a unified authentication interface;
C. After logging in once at the Internet BOSS, the user can use the service subsystems on the business hall without authenticating again; single sign-on is realized through the UAM;
D. In the federated single sign-on pattern, the online business hall, the UAM and the service platforms of the business domain form a star-shaped identity federation;
E. The sensitive data packets involved in the single sign-on process are digitally signed with the digital certificates, ensuring the integrity and security of the data.
As shown in Figs. 2 and 3, the online business hall belongs to the portal system, and ChinaVnet belongs to the service subsystems connected to the portal.
The UAM of the invention is located at the center of the star-shaped federated authentication and is responsible for authenticating the customer identity; the online business hall and the service platforms all trust the authentication result of the unified authentication platform. When the customer logs in at the online business hall, the UAM performs the login authentication and identifies the customer identity and the ownership (affiliation) relationships corresponding to this customer. When the customer clicks a service platform link on the online business hall to access that service platform, the UAM identifies the customer's corresponding service platform account according to the customer's ownership relationships and indicates that the account is logged in and has access legitimacy. The service platform trusts the authentication result sent by the UAM and allows the user to access directly without entering an account and password again.
The implementation steps of the invention comprise:
A. Configure the interface modules between the online business hall and each operation system; processing steps:
1) configure the UAM basic information, comprising the platform code, platform access address, platform login state, platform access state and similar information;
2) configure the UAM service platform information, comprising the service platform code, service platform name and local logout address of the service platform;
3) configure the UAM parameter information, comprising the UAM address, online business system code, validity period of the authentication assertion, IP address of the UAM group interface, and so on;
B. Configure the data certificate between the UAM and the online business hall, and the digital certificates between the UAM and each operation system; implementation steps comprise:
1) generate the UAM digital certificate and deploy it;
2) generate the online business hall digital certificate and provide it to the online business hall;
3) generate the operation system digital certificates and provide them to each operation system;
C. Processing steps for realizing single sign-on from the Internet BOSS to the operation systems:
1) the user accesses a restricted resource of the online business hall;
2) the online business hall checks whether a local Token exists; if it exists, go directly to step 13;
3) if it does not exist, redirect the user to request the UA;
4) the UA checks whether a global Token exists;
5) if no global Token exists, the UA presents the authentication login page to the user and prompts the user to enter authentication information such as account type, account, password type and password;
If a global Token exists, continue directly from step 8;
6) the user enters the login authentication information and submits it to the UA;
7) the UA authenticates the user; if authentication succeeds it generates a global Token, and if authentication fails the UA displays a login error message;
8) the UA generates a Ticket and assertion information for this authenticated user at the online business hall;
9) the UA redirects the user browser to the online business hall, attaching the Ticket of this authentication;
10) using the returned Ticket, the online business hall queries the UA for the assertion information corresponding to this Ticket;
11) the UA returns the assertion information corresponding to this Ticket to the online business hall and destroys the Ticket;
12) the online business hall generates a local Token, marks the user's login identity, and the login succeeds;
13) the online business hall displays the login success page to the user browser.
Parts not covered by the invention are the same as, or can be realized with, the prior art.
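As an added illustration that is not part of the patent text, the following Python model walks through the global Token, Ticket and assertion exchange of steps C 1) to 13) above (and the summary steps (1) to (10)): the UA authenticates one of the three-family identifiers and mints a global Token, issues a one-time Ticket that indexes an assertion bound to one platform code and to the configured assertion validity period, and the online business hall exchanges the Ticket for the assertion before minting its own local Token. The class names, the credential store and the 300-second validity value are constructed assumptions, and the digital-certificate signing of the exchanged packets is not modelled.

```python
import secrets
import time
ASSERTION_TTL = 300  # constructed value for the assertion validity period (seconds)

class UA:  # unified authentication platform (hypothetical in-memory model)
    def __init__(self, credentials):
        self.credentials = credentials   # constructed: {(account_type, account): password}
        self.global_tokens = {}          # global Token -> authenticated account
        self.tickets = {}                # Ticket -> (assertion, expiry time)

    def login(self, account_type, account, password):
        """Steps 5-7: authenticate a three-family identifier and mint a global Token."""
        if self.credentials.get((account_type, account)) != password:
            return None                  # the UA would show the login error page here
        token = secrets.token_hex(16)
        self.global_tokens[token] = account
        return token

    def issue_ticket(self, global_token, platform_code):
        """Step 8: build the assertion for one platform; the Ticket is its index."""
        account = self.global_tokens.get(global_token)
        if account is None:
            return None                  # no global Token: the user must log in first
        ticket = secrets.token_urlsafe(24)
        assertion = {"account": account, "platform": platform_code}
        self.tickets[ticket] = (assertion, time.time() + ASSERTION_TTL)
        return ticket

    def redeem_ticket(self, ticket):
        """Steps 10-11: hand out the assertion exactly once, then destroy the Ticket."""
        entry = self.tickets.pop(ticket, None)   # popped, so a replayed Ticket fails
        if entry is None or time.time() >= entry[1]:
            return None
        return entry[0]

class OnlineBusinessHall:  # portal side of the flow
    def __init__(self, ua, platform_code):
        self.ua, self.code = ua, platform_code
        self.local_tokens = {}           # local Token -> account (steps 2 and 12)

    def access(self, local_token, global_token):
        """Steps 1-13: return a local Token on success, None if login is still needed."""
        if local_token in self.local_tokens:
            return local_token           # step 2: already logged in at this portal
        assertion = self.ua.redeem_ticket(self.ua.issue_ticket(global_token, self.code))
        if assertion is None or assertion["platform"] != self.code:
            return None                  # missing, expired or replayed Ticket, or wrong platform
        local = secrets.token_hex(16)    # step 12: local Token marks the login identity
        self.local_tokens[local] = assertion["account"]
        return local
```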