
CN107770192A - Identity authentication method and computer-readable recording medium in multisystem - Google Patents


Info

Publication number: CN107770192A
Application number: CN201711113993.3A
Authority: CN (China)
Prior art keywords: service system, user, token, access, enterprise
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 孙辽东
Current assignee: Zhengzhou Yunhai Information Technology Co Ltd
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201711113993.3A
Publication of CN107770192A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method for identity authentication in multiple systems and a computer-readable recording medium. The method includes: after a user has completed identity authentication at a first service system of an enterprise, receiving the user's access request for a second service system of the enterprise; judging whether the second service system recognizes the identity authentication result that the first service system produced for the user; and, if the second service system recognizes that result, directly allowing the user to access the second service system.

Description

Method and computer-readable storage medium for identity authentication in multiple systems

Technical field

The invention relates to the field of information processing, and in particular to a method for identity authentication in multiple systems and a computer-readable storage medium.

Background

With the further development of informatization and the business operation needs of enterprises, the number of application systems inside an enterprise keeps growing: OA (office automation) systems, HR (human resource management) systems, enterprise ERP systems, management platforms and so on. Each of these systems has its own independent user authentication module and mechanism, so users have to remember a login account and password for every system and must log in again each time they switch systems, which is very inconvenient. At the same time, there is no good unified management of user information, which makes maintaining user information difficult. Therefore, how to simplify the identity authentication process while still guaranteeing data security is a problem that urgently needs to be solved.

Summary of the invention

In order to solve the above technical problems, the present invention provides a method for identity authentication in multiple systems and a computer-readable storage medium, which can simplify the identity authentication process on the premise of guaranteeing data security.

To achieve the purpose of the present invention, the present invention provides a method for identity authentication in multiple systems, including:

after a user has completed identity authentication at a first service system of an enterprise, receiving the user's access request for a second service system of the enterprise;

judging whether the second service system recognizes the identity authentication result that the first service system produced for the user;

if the second service system recognizes the identity authentication result that the first service system produced for the user, directly allowing the user to access the second service system.

The method further has the following feature: before the step of obtaining the service systems in the enterprise that trust the first service system, the method further includes:

receiving authentication requests sent by multiple systems of the enterprise, where each system's authentication request includes identification information of the service systems that the sending service system trusts;

establishing, according to the authentication requests, a trust relationship between each service system and the service systems it trusts.

The method further has the following feature: judging whether the second service system recognizes the identity authentication result that the first service system produced for the user includes:

obtaining, from the pre-stored associations between service systems, the service systems in the enterprise that trust the first service system;

judging whether the first service system is among the service systems trusted by the second service system;

if so, determining that the second service system recognizes the identity authentication result that the first service system produced for the user.

The method further has the following features:

after the user has completed identity authentication at the first service system of the enterprise, the method further includes:

issuing an access token to the user, and recording, according to the service systems in the enterprise that trust the first service system, the service systems that the access token is allowed to access;

receiving the user's access request for the second service system of the enterprise includes:

when receiving the access request sent to the second service system, also receiving the token;

judging whether the second service system recognizes the identity authentication result that the first service system produced for the user includes:

obtaining the token of the access request;

determining, according to the service systems the token is allowed to access, whether the second service system is among the service systems the token can access;

if the second service system is among the service systems the token can access, determining that the second service system recognizes the identity authentication result that the first service system produced for the user.

The method further has the following feature: the method further includes:

obtaining the validity period information of the token;

after detecting that the token's usage time has reached its validity period, deleting the record of the service systems the token is allowed to access.

A computer-readable storage medium on which a computer program is stored, the program implementing the following steps when executed by a processor:

a receiving step: after a user has completed identity authentication at a first service system of an enterprise, receiving the user's access request for a second service system of the enterprise;

a judging step: judging whether the second service system recognizes the identity authentication result that the first service system produced for the user;

a control step: if the second service system recognizes the identity authentication result that the first service system produced for the user, directly allowing the user to access the second service system.

The computer-readable storage medium further has the following feature: when executed by the processor, before the step of obtaining the service systems in the enterprise that trust the first service system, the program further implements the following steps:

an authentication request receiving step: receiving authentication requests sent by multiple systems of the enterprise, where each system's authentication request includes identification information of the service systems that the sending service system trusts;

a trust relationship establishing step: establishing, according to the authentication requests, a trust relationship between each service system and the service systems it trusts.

The computer-readable storage medium further has the following feature: when the program is executed by the processor, the judging step includes:

obtaining, from the pre-stored associations between service systems, the service systems in the enterprise that trust the first service system;

judging whether the first service system is among the service systems trusted by the second service system;

if so, determining that the second service system recognizes the identity authentication result that the first service system produced for the user.

The computer-readable storage medium further has the following feature: when the program is executed by the processor, after the user has completed identity authentication at the first service system of the enterprise, the following steps are further implemented:

a token issuing step: issuing an access token to the user, and recording, according to the service systems in the enterprise that trust the first service system, the service systems that the access token is allowed to access;

the receiving step further receives the token when receiving the access request sent to the second service system;

the step of judging whether the second service system recognizes the identity authentication result that the first service system produced for the user includes:

obtaining the token of the access request;

determining, according to the service systems the token is allowed to access, whether the second service system is among the service systems the token can access;

if the second service system is among the service systems the token can access, determining that the second service system recognizes the identity authentication result that the first service system produced for the user.

The computer-readable storage medium further has the following feature: when the program is executed by the processor, the following steps are further implemented:

a validity period obtaining step: obtaining the validity period information of the token;

a token management step: after detecting that the token's usage time has reached its validity period, deleting the record of the service systems the token is allowed to access.

In the embodiments provided by the present invention, after a user has been successfully authenticated at the first service system of the enterprise, it is judged whether the second service system recognizes the first service system's authentication result for the user; if that result is recognized, no further identity authentication is needed and the user is directly allowed to access the second service system. This eliminates a repeated identity authentication process, while data is protected by the trust relationships between service systems, so that the identity authentication process is simplified on the premise of guaranteeing data security.

Other features and advantages of the present invention will be set forth in the description that follows, and will in part be apparent from the description or be learned by practicing the invention. The objectives and other advantages of the invention can be realized and attained by the structures particularly pointed out in the description, the claims and the accompanying drawings.

Description of the drawings

The accompanying drawings are provided for a further understanding of the technical solution of the present invention and constitute a part of the description; together with the embodiments of the present application they serve to explain the technical solution of the present invention and do not limit it.

Fig. 1 is a flowchart of the method for identity authentication in multiple systems provided by the present invention;

Fig. 2 is a structural diagram of the computer-readable storage medium provided by the present invention.

Detailed description

To make the purpose, technical solution and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments of the present application and the features in the embodiments may be combined with each other arbitrarily.

The steps shown in the flowcharts of the drawings may be executed in a computer system as a set of computer-executable instructions. Furthermore, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.

Fig. 1 is a flowchart of the method for identity authentication in multiple systems provided by the present invention. The method shown in Fig. 1 includes:

Step 101: after a user has completed identity authentication at a first service system of an enterprise, receiving the user's access request for a second service system of the enterprise;

For multiple service systems within the same enterprise, a user of the enterprise usually has access rights to all of these service systems. Therefore, during identity authentication, a unified authentication platform can rely on the trust relationships between service systems to manage the access requests initiated by the user.

Step 102: judging whether the second service system recognizes the identity authentication result that the first service system produced for the user;

The trust relationship is initiated by the service systems themselves; the specific implementation is as follows:

receiving authentication requests sent by multiple systems of the enterprise, where each system's authentication request includes identification information of the service systems that the sending service system trusts;

establishing, according to the authentication requests, a trust relationship between each service system and the service systems it trusts.

For example, when the enterprise adds a service system, the newly added service system can actively report the service systems it trusts, completing the establishment of the trust relationship; alternatively, the unified authentication platform can query the existing service systems as to whether they trust the newly added system, and determine the trust relationships based on the feedback from the existing service systems.

It should be noted that there are two kinds of trust relationship. One is unidirectional: the second service system trusts the identity authentication result of the first service system, while the first service system need not trust the identity authentication result of the second service system. The other is bidirectional: the first and second service systems each recognize the other's identity authentication result.

Step 103: if the second service system recognizes the identity authentication result that the first service system produced for the user, directly allowing the user to access the second service system.

In the method embodiment provided by the present invention, after a user has been successfully authenticated at the first service system of the enterprise, it is judged whether the second service system recognizes the first service system's authentication result for the user; if that result is recognized, no further identity authentication is needed and the user is directly allowed to access the second service system. This eliminates a repeated identity authentication process, while data is protected by the trust relationships between service systems, so that the identity authentication process is simplified on the premise of guaranteeing data security.

In the above method, judging whether the second service system recognizes the identity authentication result that the first service system produced for the user can be implemented in the following two ways:

The first implementation includes:

obtaining, from the pre-stored associations between service systems, the service systems in the enterprise that trust the first service system;

judging whether the first service system is among the service systems trusted by the second service system;

if so, determining that the second service system recognizes the identity authentication result that the first service system produced for the user.

Specifically, after receiving the user's request to access the second service system, the identification information of the second service system is obtained, the list of identifiers of the service systems trusted by the second service system is obtained, and it is judged whether the identifier of the first service system is in that list. If it is, the second service system trusts the authentication result of the first service system; otherwise, the second service system does not trust the authentication result of the first service system, and the user must perform the identity authentication process again at the second service system.
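The first implementation above amounts to a directional trust registry on the unified authentication platform. The following is an added example (not code from the patent or its assignee) showing how such a registry can be built from the "authentication requests" each service system sends, including both ways of adding a new system described under step 102, and how the access decision of steps 102 and 103 is then a lookup with a default of "re-authenticate". The system names (OA, HR, ERP, CRM) and the `ask_existing` callback are constructed for the example.

```python
"""Trust registry for a unified authentication platform (added example, not the
patent's own code). Each service system sends an 'authentication request' that
carries the identifiers of the service systems it trusts; the platform stores
those relationships and later answers whether a second system recognizes the
authentication result of a first system. All system names are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class TrustRegistry:
    # system id -> set of system ids whose authentication results it trusts
    trusted_by_system: Dict[str, Set[str]] = field(default_factory=dict)

    def register(self, system_id: str, trusted_ids: Set[str]) -> None:
        """Handle one authentication request from `system_id`.

        Trust is directional: this records only what `system_id` trusts; it says
        nothing about whether the listed systems trust `system_id` back, and a
        system can never declare trust on behalf of another system."""
        if system_id in trusted_ids:
            raise ValueError("a system must not list itself as a trusted system")
        self.trusted_by_system.setdefault(system_id, set()).update(trusted_ids)

    def register_new_system(self, new_id: str, trusted_ids: Set[str],
                            ask_existing: Callable[[str, str], bool]) -> None:
        """Second way of building trust from the description: besides the new
        system reporting its own trusted list, the platform asks each existing
        system whether it trusts the newcomer. `ask_existing(existing, new)` is a
        hypothetical callback standing in for that query."""
        self.register(new_id, trusted_ids)
        for existing in list(self.trusted_by_system):
            if existing != new_id and ask_existing(existing, new_id):
                self.trusted_by_system[existing].add(new_id)

    def systems_trusting(self, first_id: str) -> Set[str]:
        """Service systems in the enterprise that trust `first_id`."""
        return {s for s, trusted in self.trusted_by_system.items() if first_id in trusted}

    def recognizes(self, second_id: str, first_id: str) -> bool:
        """Does the second system recognize the first system's authentication
        result? Default-deny: an unknown second system trusts nobody."""
        return first_id in self.trusted_by_system.get(second_id, set())

    def trust_kind(self, a: str, b: str) -> str:
        """'bidirectional', 'unidirectional' or 'none' for the pair (a, b)."""
        ab, ba = self.recognizes(a, b), self.recognizes(b, a)
        if ab and ba:
            return "bidirectional"
        if ab or ba:
            return "unidirectional"
        return "none"


def decide_access(registry: TrustRegistry, user_authenticated_at: str,
                  requested_system: str) -> str:
    """Steps 102/103: 'allow' when the requested (second) system recognizes the
    result of the system the user authenticated at; otherwise the user must
    re-authenticate at the requested system."""
    if registry.recognizes(requested_system, user_authenticated_at):
        return "allow"
    return "reauthenticate"


def build_demo_registry() -> TrustRegistry:
    """Constructed sample: OA and HR trust each other; ERP trusts OA only."""
    reg = TrustRegistry()
    reg.register("OA", {"HR"})
    reg.register("HR", {"OA"})
    reg.register("ERP", {"OA"})
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    print(decide_access(reg, "OA", "ERP"))   # allow: ERP trusts OA
    print(decide_access(reg, "ERP", "OA"))   # reauthenticate: OA does not trust ERP
    print(reg.trust_kind("OA", "HR"))        # bidirectional
```

The registry only ever records what a system says about itself, which is what keeps the unidirectional case honest: ERP trusting OA gives an OA-authenticated user access to ERP, but says nothing about an ERP-authenticated user reaching OA.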

The second implementation:

after the user has completed identity authentication at the first service system of the enterprise, the method further includes:

issuing an access token to the user, and recording, according to the service systems in the enterprise that trust the first service system, the service systems that the access token is allowed to access;

receiving the user's access request for the second service system of the enterprise includes:

when receiving the access request sent to the second service system, also receiving the token;

judging whether the second service system recognizes the identity authentication result that the first service system produced for the user includes:

obtaining the token of the access request;

determining, according to the service systems the token is allowed to access, whether the second service system is among the service systems the token can access;

if the second service system is among the service systems the token can access, determining that the second service system recognizes the identity authentication result that the first service system produced for the user.

Compared with the traditional approach of having the user enter identity authentication information, subsequent access after an access request only requires the already-issued token, which also reduces the complexity of the access operation.

The second implementation is described in detail below. The present invention provides a unified authentication scheme for login across multiple systems in a microservice environment.

Login authentication: a unified authentication system is provided, which compares the user's login information with the user information held by the authentication system.

Authentication ticket: after successful authentication, an authentication ticket is returned to the user.

Ticket authentication: the authentication system verifies the legitimacy of a ticket by checking its timeliness and validity.

Ticket extraction: an application system should be able to recognize and extract the ticket and, by communicating with the authentication system, automatically determine whether the current user has already logged in, thereby completing the single sign-on function.

An application example is described below:

A single sign-on scheme for multiple systems in a microservice environment, characterized in that resources in different application systems can be accessed after a single login, mainly includes the following steps:

Step 1: the user logs in to the OA system.

Step 2: the OA system checks with the authentication system whether there is a valid token corresponding to the request. If there is, it reads the corresponding identity information and allows access; if there is none or the token is invalid, it redirects the user to the unified identity authentication platform, carrying the address of the business system, and proceeds to step 3.

Step 3: on the page provided by the unified identity authentication platform, the user enters identity credential information and the platform verifies it. If it is valid, the platform generates a valid token for the user and proceeds to step 4; if it is invalid, authentication continues until it succeeds or the user quits.

Step 4: the user accesses the OA system again, carrying the token obtained in step 3.

Step 5: the OA system obtains the token carried by the user and submits it to the authentication platform for a validity check and retrieval of identity information.

Step 6: if the token passes the validity check, the authentication platform returns the user identity information corresponding to the token to the OA system; the business system writes the identity information and the valid token into the session state and allows the user to perform the various operations of the OA system under that identity. If the token fails the validity check, the user is redirected to the authentication platform again and the flow returns to step 3.

It should be noted that the validity period of tokens must be managed in order to guarantee the security of user access and reduce the possibility of attacks. The specific implementation is as follows:

obtaining the validity period information of the token;

after detecting that the token's usage time has reached its validity period, deleting the record of the service systems the token is allowed to access.

Specifically, once the record has been deleted locally, even if the token is presented again for access, the unified authentication platform no longer stores any information about the token and therefore cannot judge its validity; the access attempt using that token is rejected and the user must perform identity authentication again.
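The second implementation, the six-step OA application example and the validity-period management just described all act on one platform-side record per token: which user it belongs to, when it was issued, how long it is valid and which service systems it may reach. The following is an added example (not code from the patent or its assignee) that puts those pieces together on the authentication platform side and on the business system side. The trust map, the user names, the injectable `clock` and the `TTL` are constructed for the example; the token itself is an opaque random string, which is one reasonable way to realise the "ticket" the text describes but not something the patent prescribes.

```python
"""Token-based single sign-on check (added example, not the patent's code).
The unified authentication platform issues a token after the user authenticates
at a first service system, records which service systems that token may access
(that system plus every system that trusts it), validates tokens presented with
later access requests, and deletes a token's record once its validity period has
elapsed. The trust map, names and clock are constructed for the example."""
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed trust map: system -> systems whose authentication result it trusts
TRUSTS: Dict[str, Set[str]] = {"OA": {"HR"}, "HR": {"OA"}, "ERP": {"OA"}}


@dataclass
class TokenRecord:
    user: str
    issued_at: float
    ttl: float             # validity period in seconds
    allowed: Set[str]      # service systems this token may access


class AuthPlatform:
    def __init__(self, trusts: Dict[str, Set[str]],
                 clock: Callable[[], float] = time.time, ttl: float = 1800.0):
        self.trusts = trusts
        self.clock = clock       # injectable so expiry can be tested deterministically
        self.ttl = ttl
        self.records: Dict[str, TokenRecord] = {}

    def issue_token(self, user: str, authenticated_at: str) -> str:
        """Step 3: called once the user's credentials were verified for
        `authenticated_at`. The token may access that system plus every system
        that trusts it (the 'systems that trust the first service system')."""
        allowed = {authenticated_at} | {s for s, t in self.trusts.items()
                                        if authenticated_at in t}
        token = secrets.token_urlsafe(32)   # unguessable opaque identifier
        self.records[token] = TokenRecord(user, self.clock(), self.ttl, allowed)
        return token

    def expire_tokens(self) -> int:
        """Token management step: delete records whose usage time has reached
        the validity period. Returns how many records were removed."""
        now = self.clock()
        dead = [t for t, r in self.records.items() if now - r.issued_at >= r.ttl]
        for t in dead:
            del self.records[t]
        return len(dead)

    def check(self, token: Optional[str], target_system: str) -> Tuple[str, Optional[str]]:
        """Step 5 validity check for an access request to `target_system`.
        Returns ('allow', user) or ('redirect_to_login', None). An expired token
        has no record any more, so it is indistinguishable from an unknown one."""
        self.expire_tokens()
        rec = self.records.get(token) if token else None
        if rec is None:                       # missing, unknown or already deleted
            return ("redirect_to_login", None)
        if target_system not in rec.allowed:  # target does not trust the issuing system
            return ("redirect_to_login", None)
        return ("allow", rec.user)


def business_system_request(platform: AuthPlatform, system: str,
                            session: dict, token: Optional[str]) -> str:
    """Steps 2, 5 and 6 from the business system's side: consult the platform,
    and on success store identity and token in the session state."""
    verdict, user = platform.check(token, system)
    if verdict == "allow":
        session["user"], session["token"] = user, token
        return "allow"
    session.clear()                            # never keep a stale identity around
    return "redirect_to_login"


if __name__ == "__main__":
    fake_now = [1000.0]
    platform = AuthPlatform(TRUSTS, clock=lambda: fake_now[0], ttl=60.0)
    tok = platform.issue_token("alice", "OA")
    session: dict = {}
    print(business_system_request(platform, "OA", session, None))   # redirect_to_login
    print(business_system_request(platform, "OA", session, tok))    # allow
    print(business_system_request(platform, "ERP", session, tok))   # allow: ERP trusts OA
    fake_now[0] += 60.0                                             # validity period reached
    print(business_system_request(platform, "OA", session, tok))    # redirect_to_login
```

Two details are worth noting from a defender's view: the expiry sweep runs before every lookup, so a late-arriving request cannot be served from a record that should already be gone, and the allowed-system set is fixed at issue time from the trust map, so a token issued for a system that nobody trusts reaches only that system.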

本发明提供的应用实例,使用基于微服务环境下多系统之间登陆提供统一的认证方案,解决了用户只需要登录一次就可以访问所有相互信任的应用系统,而不用重复登录,提高工作效率,提高了云海平台的竞争力。The application examples provided by the present invention use a unified authentication scheme based on multi-system logins in a microservice environment, which solves the problem that users only need to log in once to access all mutually trusted application systems without repeated logins, improving work efficiency. Improve the competitiveness of Yunhai platform.

图2为本发明提供的计算机可读存储介质的结构图。图2所示计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时实现如下步骤,包括:FIG. 2 is a structural diagram of a computer-readable storage medium provided by the present invention. The computer-readable storage medium shown in Figure 2 has a computer program stored thereon, and when the program is executed by the processor, the following steps are implemented, including:

a receiving step: after a user completes identity authentication at a first service system of an enterprise, receiving the user's access request to a second service system of the enterprise;

a judging step: judging whether the second service system recognizes the identity authentication result of the user by the first service system;

a control step: if the second service system recognizes the identity authentication result of the user by the first service system, directly allowing the user to access the second service system.

In one embodiment of the computer-readable storage medium provided by the present invention, before the step of obtaining the service systems in the enterprise that trust the first service system, the program, when executed by the processor, further implements the following steps:

an authentication request receiving step: receiving authentication requests sent by multiple systems of the enterprise, where the authentication request of each system includes the identification information of the service systems that this service system trusts;

a trust relationship establishing step: establishing, according to the authentication requests, the trust relationship between each service system and the service systems it trusts.

In one embodiment of the computer-readable storage medium provided by the present invention, the judging step, when performed by the processor, includes:

obtaining, according to the pre-stored service systems associated with each service system, the service systems in the enterprise that trust the first service system;

judging whether the first service system is among the service systems trusted by the second service system;

if so, determining that the second service system recognizes the identity authentication result of the user by the first service system.

In one embodiment of the computer-readable storage medium provided by the present invention, after the user completes identity authentication at the first service system of the enterprise, the program, when executed by the processor, further implements the following steps:

a token issuing step: issuing an access token to the user, and recording, according to the service systems in the enterprise that trust the first service system, the service systems that the access token is allowed to access;

the receiving step also receives the token when receiving the access request sent to the second service system;

the step of judging whether the second service system recognizes the identity authentication result of the user by the first service system includes:

obtaining the token from the access request;

determining, according to the service systems the token is allowed to access, whether the second service system is among the service systems the token can access;

if the second service system is among the service systems the token can access, determining that the second service system recognizes the identity authentication result of the user by the first service system.

In one embodiment of the computer-readable storage medium provided by the present invention, the program, when executed by the processor, further implements the following steps:

a duration obtaining step: obtaining the valid duration of the token;

a token management step: after detecting that the token's usage time has reached the valid duration, deleting the record of the service systems that the token is allowed to access.
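The trust registration, token issuance, trust check and token expiry steps described above, as an added Python example that is not code from the patent; the class and method names and the sample systems "hr", "crm" and "erp" are assumptions made for illustration:

```python
"""Added example, not code from the patent: a minimal unified authentication
platform implementing the trust registration, token issuance, trust check and
token expiry steps. Names and the sample systems are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    user: str
    issuer: str             # first service system that authenticated the user
    allowed: frozenset      # service systems the token may access
    issued_at: float        # clock value at issuance
    ttl: float              # valid duration in seconds


class AuthPlatform:
    """Unified authentication platform shared by the enterprise's service systems."""

    def __init__(self, ttl_seconds: float = 3600.0, clock=time.monotonic):
        self._trusts: dict[str, set[str]] = {}     # system -> systems it trusts
        self._tokens: dict[str, TokenRecord] = {}  # opaque token -> record
        self._ttl = ttl_seconds
        self._clock = clock                        # injectable so expiry can be tested

    # Authentication request receiving / trust relationship establishing steps:
    # each system declares whose authentication results it accepts.
    def register(self, system: str, trusted_systems) -> None:
        self._trusts[system] = set(trusted_systems)

    def systems_trusting(self, first_system: str) -> frozenset:
        """Service systems in the enterprise that trust first_system."""
        return frozenset(s for s, t in self._trusts.items() if first_system in t)

    def trusts(self, second_system: str, first_system: str) -> bool:
        """Judging step without a token. Trust is directional and not transitive."""
        return first_system in self._trusts.get(second_system, ())

    # Token issuing step: the allowed set is fixed at issuance from the registry,
    # so later registry changes never widen an already issued token.
    def issue_token(self, user: str, first_system: str) -> str:
        # Assumption: the issuing system itself is always allowed.
        allowed = frozenset({first_system}) | self.systems_trusting(first_system)
        token = secrets.token_urlsafe(32)          # opaque; meaning lives server-side
        self._tokens[token] = TokenRecord(user, first_system, allowed, self._clock(), self._ttl)
        return token

    # Token management step: drop the record once usage time reaches the TTL.
    def purge_expired(self) -> int:
        now = self._clock()
        expired = [t for t, r in self._tokens.items() if now - r.issued_at >= r.ttl]
        for t in expired:
            del self._tokens[t]
        return len(expired)

    # Receiving, judging and control steps for a request that carries a token.
    def authorize(self, token: str, second_system: str) -> bool:
        self.purge_expired()
        rec = self._tokens.get(token)
        if rec is None:      # unknown or expired: no record, user must re-authenticate
            return False
        return second_system in rec.allowed


if __name__ == "__main__":
    platform = AuthPlatform(ttl_seconds=1.0)
    platform.register("hr", [])
    platform.register("crm", ["hr"])     # crm accepts hr's authentication result
    platform.register("erp", ["crm"])    # erp accepts crm's result, not hr's
    tok = platform.issue_token("alice", "hr")
    print("crm:", platform.authorize(tok, "crm"))   # True
    print("erp:", platform.authorize(tok, "erp"))   # False: erp does not trust hr
    time.sleep(1.1)
    print("after expiry:", platform.authorize(tok, "crm"))   # False
```

Because the token is an opaque handle resolved against the platform's own records, deleting the record on expiry revokes it without any client-side cooperation.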

With the computer-readable storage medium provided by the present invention, after a user has authenticated successfully at the first service system of an enterprise, it is judged whether the second service system recognizes the first service system's authentication result for that user; if so, the user is allowed to access the second service system directly without a further identity authentication. This removes the repeated identity authentication process while relying on the trust relationship between service systems to protect data, thereby simplifying identity authentication while keeping data secure.

Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be implemented by a computer program; the computer program can be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, device, apparatus or component), and when executed it includes one of the steps of the method embodiments or a combination thereof.

Optionally, all or part of the steps of the above embodiments can also be implemented using integrated circuits: these steps can be fabricated as individual integrated circuit modules, or several of these modules or steps can be fabricated as a single integrated circuit module. Thus the present invention is not limited to any specific combination of hardware and software.

The devices/functional modules/functional units in the above embodiments can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed across a network of multiple computing devices.

When the devices/functional modules/functional units in the above embodiments are implemented as software functional modules and sold or used as independent products, they can be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.

The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any changes or substitutions that a person skilled in the art could easily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be that defined by the claims.

Claims (10)

1. An identity authentication method in a multi-system environment, characterized in that it includes:
after a user completes identity authentication at a first service system of an enterprise, receiving the user's access request to a second service system of the enterprise;
judging whether the second service system recognizes the identity authentication result of the user by the first service system;
if the second service system recognizes the identity authentication result of the user by the first service system, directly allowing the user to access the second service system.
2. The method according to claim 1, characterized in that, before obtaining the service systems in the enterprise that trust the first service system, the method further includes:
receiving authentication requests sent by multiple systems of the enterprise, where the authentication request of each system includes the identification information of the service systems that this service system trusts;
establishing, according to the authentication requests, the trust relationship between each service system and the service systems it trusts.
3. The method according to claim 2, characterized in that judging whether the second service system recognizes the identity authentication result of the user by the first service system includes:
obtaining, according to the pre-stored service systems associated with each service system, the service systems in the enterprise that trust the first service system;
judging whether the first service system is among the service systems trusted by the second service system;
if so, determining that the second service system recognizes the identity authentication result of the user by the first service system.
4. The method according to claim 2, characterized in that:
after the user completes identity authentication at the first service system of the enterprise, the method further includes:
issuing an access token to the user, and recording, according to the service systems in the enterprise that trust the first service system, the service systems that the access token is allowed to access;
receiving the user's access request to the second service system of the enterprise includes:
when receiving the access request sent to the second service system, also receiving the token;
judging whether the second service system recognizes the identity authentication result of the user by the first service system includes:
obtaining the token from the access request;
determining, according to the service systems the token is allowed to access, whether the second service system is among the service systems the token can access;
if the second service system is among the service systems the token can access, determining that the second service system recognizes the identity authentication result of the user by the first service system.
5. The method according to claim 4, characterized in that the method further includes:
obtaining the valid duration of the token;
after detecting that the token's usage time has reached the valid duration, deleting the record of the service systems that the token is allowed to access.
6. A computer-readable storage medium storing a computer program, characterized in that the program, when executed by a processor, implements the following steps:
a receiving step: after a user completes identity authentication at a first service system of an enterprise, receiving the user's access request to a second service system of the enterprise;
a judging step: judging whether the second service system recognizes the identity authentication result of the user by the first service system;
a control step: if the second service system recognizes the identity authentication result of the user by the first service system, directly allowing the user to access the second service system.
7. The computer-readable storage medium according to claim 6, characterized in that, before obtaining the service systems in the enterprise that trust the first service system, the program, when executed by the processor, further implements the following steps:
an authentication request receiving step: receiving authentication requests sent by multiple systems of the enterprise, where the authentication request of each system includes the identification information of the service systems that this service system trusts;
a trust relationship establishing step: establishing, according to the authentication requests, the trust relationship between each service system and the service systems it trusts.
8. The computer-readable storage medium according to claim 7, characterized in that the judging step, when performed by the processor, includes:
obtaining, according to the pre-stored service systems associated with each service system, the service systems in the enterprise that trust the first service system;
judging whether the first service system is among the service systems trusted by the second service system;
if so, determining that the second service system recognizes the identity authentication result of the user by the first service system.
9. The computer-readable storage medium according to claim 7, characterized in that:
after the user completes identity authentication at the first service system of the enterprise, the program, when executed by the processor, further implements the following steps:
a token issuing step: issuing an access token to the user, and recording, according to the service systems in the enterprise that trust the first service system, the service systems that the access token is allowed to access;
the receiving step also receives the token when receiving the access request sent to the second service system;
the step of judging whether the second service system recognizes the identity authentication result of the user by the first service system includes:
obtaining the token from the access request;
determining, according to the service systems the token is allowed to access, whether the second service system is among the service systems the token can access;
if the second service system is among the service systems the token can access, determining that the second service system recognizes the identity authentication result of the user by the first service system.
10. The computer-readable storage medium according to claim 9, characterized in that the program, when executed by the processor, further implements the following steps:
a duration obtaining step: obtaining the valid duration of the token;
a token management step: after detecting that the token's usage time has reached the valid duration, deleting the record of the service systems that the token is allowed to access.
CN201711113993.3A 2017-11-13 2017-11-13 Identity authentication method and computer-readable recording medium in multisystem Pending CN107770192A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711113993.3A CN107770192A (en) 2017-11-13 2017-11-13 Identity authentication method and computer-readable recording medium in multisystem

Publications (1)

Publication Number Publication Date
CN107770192A true CN107770192A (en) 2018-03-06

Family

ID=61273578

Country Status (1)

Country Link
CN (1) CN107770192A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109272302A (en) * 2018-10-16 2019-01-25 翟红鹰 Management method, terminal and readable storage medium storing program for executing based on block chain technology
CN109547432A (en) * 2018-11-19 2019-03-29 中国银行股份有限公司 Multisystem verification method and device, storage medium and electronic equipment
CN110034933A (en) * 2018-12-25 2019-07-19 中国银联股份有限公司 Inter-system subscriber mutual trust authentication method and inter-system subscriber mutual trust Verification System
CN110120946A (en) * 2019-04-29 2019-08-13 武汉理工大学 A kind of Centralized Authentication System and method of Web and micro services
CN111131132A (en) * 2018-10-31 2020-05-08 北京国双科技有限公司 Method and device for realizing multi-system login
CN111385279A (en) * 2018-12-28 2020-07-07 深圳市优必选科技有限公司 Service access authority system and method
CN111538966A (en) * 2020-04-17 2020-08-14 中移(杭州)信息技术有限公司 Access method, access device, server and storage medium
CN111935159A (en) * 2020-08-13 2020-11-13 工银科技有限公司 Method, device and system for authenticating mutual trust between multiple systems
CN114238803A (en) * 2022-02-25 2022-03-25 北京结慧科技有限公司 Method and system for managing business registration data of enterprise-level user
CN115766120A (en) * 2022-10-31 2023-03-07 深圳云天励飞技术股份有限公司 Cross-system permission verification method, device and related equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101183940A (en) * 2007-12-11 2008-05-21 中兴通讯股份有限公司 Method for multi-application system to perform authentication to user identification
CN101453476A (en) * 2009-01-06 2009-06-10 中国人民解放军信息工程大学 Cross domain authentication method and system
CN101605030A (en) * 2008-06-13 2009-12-16 新奥特(北京)视频技术有限公司 A kind of uniform authentication realizing method of using towards TV station based on Active Directory
US20140149741A1 (en) * 2012-11-27 2014-05-29 Oracle International Corporation Access management system using trusted partner tokens

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180306