CN119249396A - Single sign-on method, device, electronic device and readable storage medium - Google Patents
- Publication number: CN119249396A (application CN202411222024.1A)
- Authority: CN (China)
- Prior art keywords: authentication, target, application program, authentication result, user
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers (G—PHYSICS; G06—COMPUTING OR CALCULATING; COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30—Authentication; G06F21/31—User authentication)
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G06F21/60—Protecting data; G06F21/62—Protecting access to data via a platform)
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/08—for authentication of entities)
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00—Network arrangements or protocols for supporting network services or applications; H04L67/01—Protocols)
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching (H04L67/50—Network services; H04L67/56—Provisioning of proxy services)
Abstract
The application provides a single sign-on method, a single sign-on device, an electronic device and a readable storage medium, applied to an authentication device. The method comprises the steps of acquiring a target user identifier sent by an application program when the application program in a terminal device is opened, and feeding back the target authentication result corresponding to that identifier to the application program so that the permission to log in to the application program is determined according to the target authentication result. The application can realize single sign-on while ensuring the security of the user's identity information.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a single sign-on method, a single sign-on device, an electronic device, and a readable storage medium.
Background
Single sign-on is a user authentication mechanism by which a user only needs to perform authentication when logging in to an authentication system for the first time, and subsequently does not need to perform authentication again when logging in to other related applications and services within the authentication system.
In the related art, authentication information of a user is locally stored through a browser, and single sign-on verification is performed based on the authentication information recorded in the local browser.
Recording the authentication information of the user in the local browser may cause leakage of the authentication information, i.e., the single sign-on method in the related art has a security risk.
Disclosure of Invention
The embodiments of the application provide a single sign-on method, a single sign-on device, an electronic device and a readable storage medium, which are used to solve the problem that the single sign-on method of the prior art has security risks.
In a first aspect, the embodiment provides a single sign-on method applied to an authentication device. The method includes: when an application program is opened through a terminal device, obtaining a target user identifier sent by the application program; obtaining a target authentication result corresponding to the target user identifier from a pre-stored correspondence between user identifiers and authentication results; and feeding back the target authentication result to the application program so that the application program can determine the permission to log in to the application program according to the target authentication result.
In a second aspect, the embodiment provides a single sign-on method applied to a terminal device. The method includes: obtaining a target user identifier in response to an operation of opening an application program; sending the target user identifier to an authentication device through the application program, so that the authentication device obtains a target authentication result corresponding to the target user identifier from a pre-stored correspondence between user identifiers and authentication results and feeds the target authentication result back to the application program; and determining the permission to log in to the application program according to the target authentication result.
In a third aspect, the embodiment provides a single sign-on device applied to an authentication device. The device comprises a first acquisition module, a second acquisition module and a feedback module. The first acquisition module is used to acquire a target user identifier sent by an application program when the application program is opened through a terminal device; the second acquisition module is used to acquire a target authentication result corresponding to the target user identifier from a pre-stored correspondence between user identifiers and authentication results; and the feedback module is used to feed the target authentication result back to the application program so that the application program can determine the permission to log in to the application program according to the target authentication result.
In a fourth aspect, the embodiment provides a single sign-on device applied to a terminal device. The device comprises a third acquisition module, a sending module and a determining module. The third acquisition module is used to acquire a target user identifier in response to an operation of opening an application program; the sending module is used to send the target user identifier to an authentication device through the application program, so that the authentication device acquires a target authentication result corresponding to the target user identifier from a pre-stored correspondence between user identifiers and authentication results and feeds the target authentication result back to the application program; and the determining module is used to determine the permission to log in to the application program according to the target authentication result.
In a fifth aspect, an embodiment of the present application further provides an electronic device, including a processor, and a memory for storing instructions executable by the processor, where the processor is configured to execute the instructions to implement the method of the first aspect or the second aspect.
In a sixth aspect, embodiments of the present application also provide a computer-readable storage medium storing instructions which, when executed by a processor of an electronic device, cause the electronic device to perform the method of the first or second aspect.
In this embodiment, when an application program is opened through a terminal device, the authentication device may obtain a target user identifier sent by the application program without the user entering identity authentication information such as an account number and a password, directly obtain a target authentication result according to the target user identifier, and feed the target authentication result back to the application program, which may then directly determine login rights according to the target authentication result. In other words, as long as the authentication device stores the user's target user identifier and target authentication result, automatic login of the application program can be realized later whenever the application program is opened; that is, single sign-on is realized in this embodiment. In addition, the application program only needs to acquire the target user identifier and send it to the authentication device to obtain a target authentication result; it does not need to perform identity authentication according to the identity authentication information again, nor to store the identity authentication information locally. The embodiment therefore avoids the leakage of identity authentication information caused by storing it locally, and solves the security risk of the single sign-on method in the related art.
The foregoing description is only an overview of the present application. It may be implemented according to the teachings of the present application so that it may be more clearly understood, and so that the above and other objects, features and advantages of the present application become more readily apparent.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
FIG. 1 is a diagram of an implementation scenario provided by an embodiment of the present application;
FIG. 2 is a flowchart illustrating steps of a single sign-on method according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating steps of another single sign-on method according to an embodiment of the present application;
FIG. 4 is a flowchart illustrating steps of a single sign-on method according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating steps of another single sign-on method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a single sign-on architecture provided by the related art;
FIG. 7 is a flowchart showing steps for single sign-on provided by the related art;
FIG. 8 is a flowchart illustrating steps of another single sign-on method according to an embodiment of the present application;
FIG. 9 is a flowchart illustrating steps of another single sign-on method according to an embodiment of the present application;
FIG. 10 is a flowchart illustrating steps of another single sign-on method according to an embodiment of the present application;
FIG. 11 is a flowchart illustrating steps of another single sign-on method according to an embodiment of the present application;
FIG. 12 is a flowchart illustrating steps of another single sign-on method according to an embodiment of the present application;
FIG. 13 is a schematic diagram of a domain control terminal login and authentication architecture according to an embodiment of the present application;
FIG. 14 is a schematic diagram of a domain control system and service deployment architecture according to an embodiment of the present application;
FIG. 15 is a block diagram of a single sign-on device according to an embodiment of the present application;
FIG. 16 is a block diagram of another single sign-on device provided by an embodiment of the present application;
FIG. 17 is a block diagram of an electronic device of the present application;
FIG. 18 is a schematic diagram of a server in some embodiments of the application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms "first", "second" and the like in the description and in the claims are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present application may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first", "second", etc. are generally of one type and are not limited in number; for example, the first object may be one or more. Furthermore, the term "and/or" in the specification and claims describes an association between associated objects and means that there may be three relationships; for example, "A and/or B" covers the three cases where A exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the objects on either side are in an "or" relationship. The term "plurality" in embodiments of the present application means two or more, and other such adjectives are similar.
Fig. 1 is a diagram of an implementation scenario provided in an embodiment of the present application, and referring to fig. 1, an application scenario includes a terminal device 10, an application server 20, and an authentication device 30.
In the related art, when a user logs in to a browser (Web) application program in the terminal device 10, domain user information is added to the User-Agent field of the browser and the user's identity information is stored locally in the browser. The application server 20 sends the domain user information to the authentication device 30 through the User-Agent field of the browser for identity authentication; after the identity authentication passes, the authentication device 30 returns the user's identity information to the browser application program, which authenticates the user by comparing the received identity information with the locally stored identity information and determines whether to authorize login to the browser application program according to the result. Storing the user's identity information locally in the browser risks disclosure of that identity information.
In order to solve the problems of the related art, the application provides a single sign-on method, which is applied to authentication equipment, specifically, when an application program is opened through terminal equipment, a target user identifier sent by the application program is obtained, then a target authentication result corresponding to the target user identifier is obtained from a corresponding relation between a prestored user identifier and the authentication result, and the target authentication result is fed back to the application program so as to determine the authority of the application program to log in according to the target authentication result. When the application program is opened, the application program does not need to input identity authentication information such as account numbers and passwords, the application program automatically sends a target user identification to the authentication equipment, and a target authentication result is obtained according to the target user identification, and the method does not need to locally store the identity authentication information of the user, so that the automatic single sign-on of the application program can be realized, and the information security problem caused by the fact that the identity authentication information is stored locally in a browser in the related technology can be avoided.
Fig. 2 is a flowchart of steps of a single sign-on method according to an embodiment of the present application, and referring to fig. 2, the method may include the following steps:
Step 101, when an application program is opened through a terminal device, a target user identification sent by the application program is obtained.
The method of the embodiment of the application is applied to the authentication device. The authentication device may be a computer, a server, or another electronic device. The application program may be a Web application, that is, a software application that the user accesses through a browser.
Further, the authentication device and the at least one terminal device constitute a domain control system, in other words, the authentication device and the terminal device are devices in the domain control system. The domain control system at least comprises a domain controller (Domain Controller) and a domain control terminal, wherein in the domain control system, the authentication equipment forms the domain controller, and the terminal equipment forms the domain control terminal.
The domain control system is a centralized management architecture, generally applied in an enterprise-level network environment, and can be used to store and manage important information such as user authentication, resource access rights and policy settings. The domain control system comprises domain control terminals and a domain controller. The domain controller is used to manage the user accounts, computer objects, security policies and resource access rights of the whole domain. A domain control terminal is typically a terminal device operating in the enterprise network environment and managed by the domain controller. These terminal devices may include desktop computers, notebook computers, mobile devices and similar electronic devices. They may be joined to the enterprise domain to receive centralized authentication, policy management and resource access control.
Furthermore, the domain controller performs centralized management on the domain control terminals, specifically, the identity information and the authority of the domain control terminals are managed by the domain controller in a unified way, instead of each domain control terminal independently managing the identity information and the authority of each domain control terminal. Through the centralized management of the domain controller, the security of the domain control system can be improved, the management complexity of the domain control system can be reduced, and the software upgrading and patch distributing flow of each device in the domain control system can be simplified. For example, when the domain control terminal needs to access a resource in the domain control system, identity verification is performed to the domain controller, and access rights can be obtained after the identity verification is passed.
By way of example, the application may be a Web application.
Step 102, obtaining a target authentication result corresponding to the target user identifier from the corresponding relation between the pre-stored user identifier and the authentication result.
By way of example, the user identification may be a domain user account of the user, a user name, a user account registered by the user, or other identification.
For example, when a user logs in the terminal device for the first time, the authentication device obtains a user identifier and an authentication result obtained after identity authentication of the user. And storing the user identification and the authentication result corresponding to the user identification in the authentication equipment. For example, when a user logs in the terminal device for the first time, if the identity authentication of the user passes, the user identification and the authentication result of the passing authentication are stored, and if the identity authentication of the user does not pass, the user identification and the authentication result of the failed authentication are not stored. For another example, when a user logs in to the terminal device for the first time, the user identification and the authentication result of passing the authentication are stored only when the identity authentication of the user passes.
For example, the correspondence between user identifiers and authentication results is stored in a single-point authentication center of the authentication device, and more specifically in the Redis database of the single-point authentication center. The correspondence contains a plurality of user identifiers and their authentication results, and the authentication result whose user identifier is identical to the target user identifier is determined to be the target authentication result corresponding to the target user identifier.
Step 103, feeding the target authentication result back to the application program so that the application program can determine the permission to log in to the application program according to the target authentication result.
For example, if the target authentication result is that the authentication is passed, the login application is authorized, and if the target authentication result is that the authentication is not passed, the login application is not authorized. The application program is, for example, a Web application. After the authentication device acquires the target authentication result, the target authentication result is fed back to the Web server of the Web application, the Web server completes automatic login authentication according to the target authentication result, and a response is returned to the browser to realize automatic login of the Web application.
Single sign-on (SSO) is a user identity authentication mechanism. Under single sign-on, the user provides a user account (such as a user name) and a password only when logging in to an application or service of the authentication system for the first time; when the user subsequently logs in to another application or service in the authentication system, the user can access it directly without entering authentication credentials again, achieving the effect of "log in once, pass everywhere".
In this embodiment, as long as the authentication device stores the user identifier of the user and the authentication result of the user, the authentication device may obtain the target user identifier sent by the application program without inputting the identity authentication information such as the account number and password again when the application program in the terminal device is opened, and directly obtain the target authentication result according to the target user identifier, and feed back the target authentication result to the application program, the application program may determine the login permission according to the target authentication result. In addition, when an application program in the terminal equipment is opened, a user does not need to input identity authentication information such as an account number and a password, the application program only needs to acquire a target user identification and send the target user identification to the authentication equipment, and the authentication equipment can acquire a target authentication result corresponding to the target user identification according to the corresponding relation between the prestored user identification and the authentication result. The application does not need to perform the authentication again based on the authentication information, and therefore, does not need to store the authentication information locally. Therefore, the problem of identity authentication information leakage caused by locally storing the identity authentication information can be avoided, and the problem that the single sign-on method in the related technology has safety risks is solved.
In the method of this embodiment, the authentication device may be a Linux domain controller, and the terminal device may be a Linux domain control terminal. Specifically, when logging in to the terminal device, the user enters a domain account and a password in the system login interface of the terminal device; the authentication device authenticates the domain account and password and, after the authentication passes, stores the domain account together with the authentication result. When the user subsequently logs in to the various service systems in the Linux operating system, the account and password do not need to be entered again: the service system only needs to be opened, it obtains the domain account and sends it to the authentication device to obtain the authentication result, and automatic login of the service system is realized according to that result. In this embodiment, the service system is the application program of the foregoing embodiments. Based on the method of this embodiment, the complete identity information including the domain account and password does not need to be stored locally on the terminal device, so the flow is safer and more reliable.
Fig. 3 is another single sign-on method according to an embodiment of the present application, and referring to fig. 3, the method may include the following steps:
Step 201, user identification and authentication information are acquired in response to a login operation of a login terminal device.
The terminal device is, for example, a terminal device in a domain control system, and has a system login interface for logging in to the domain control system. The user logs in to the terminal device by entering the user identifier and authentication information (such as a domain account and a password) in the system login interface of the terminal device, and the terminal device responds to that operation.
For example, the user identifier may be a domain account entered in the system login interface when the user logs into the domain control system, and the authentication information may be a password entered by the user.
Step 202, identity authentication is performed according to the authentication information, and an authentication result is obtained.
Wherein the authentication result corresponds to the user identification.
For example, the authentication device may perform identity authentication on the received authentication information through the identity authentication component to obtain an authentication result. The authentication information may include a password for identity authentication. Identity authentication can be performed according to a user account (such as a domain account) and a password, and an authentication result is obtained.
Illustratively, step 202 may include the sub-steps of:
Sub-step 2021, the authentication information is compared by the identity authentication component in the authentication device with the pre-stored authentication information of at least one legitimate user, and if the authentication information matches the authentication information of any legitimate user, the authentication result is determined to be that authentication passes.
By way of example, the identity authentication component may be a Kerberos component, and identity authentication can be performed by the Kerberos component according to the authentication information. Kerberos is a network authentication protocol that provides a centralized and reliable way to manage user identities and rights in a network environment. Its core functions are to provide secure authentication, authorization and service access control for users; in addition, Kerberos can provide single sign-on, asymmetric encryption and so on.
The authentication information of the legal user is authentication information of the user passing authentication. For example, the domain control system comprises a plurality of terminal devices, different terminal devices are logged in by different users, when each user logs in the respective terminal device, the terminal device responds to the operation of inputting authentication information by the user, the authentication information is sent to the authentication device, the authentication device performs identity authentication according to the authentication information, and if the authentication is passed, the corresponding authentication information is the authentication information of a legal user. The users include the users corresponding to the target user identifier in the embodiment, and may also include other users.
Sub-step 2022, in the case where the authentication information does not match the authentication information of all legitimate users, determines that the authentication result is authentication failure.
If the authentication information does not match the authentication information of any legitimate user, the user corresponding to the authentication information is an illegitimate user who is not allowed to log in to the terminal device or to the applications in the terminal device.
Step 203, storing the authentication result and the user identification corresponding to the authentication result.
For example, the correspondence relationship between the user identifier and the authentication result may be constructed according to the authentication result and the user identifier corresponding to the authentication result.
For example, step 203 may comprise the following sub-steps:
Sub-step 2031, storing the authentication result and the user identification corresponding to the authentication result in a single point authentication center in the authentication device.
For example, the authentication result and the user identification corresponding to the authentication result may be stored in the Redis database of the single-point authentication center.
The single-point authentication center is located in the authentication device. In the domain control system, only a user with the access right of the authentication device can access the authentication device, and its data storage security is higher than that of the terminal device; therefore, storing the authentication result and the user identifier corresponding to the authentication result in the single-point authentication center in the authentication device improves data storage security. Further, the authentication result and the user identifier corresponding to the authentication result may be stored in the Redis database of the single-point authentication center.
The Redis database is an open-source, high-performance key-value storage database that can be used for caching and data structure storage, and is particularly suitable for scenes requiring fast read-write operations, such as session storage, ranking lists and message queues in Web application programs. Redis supports a variety of data structures, including strings (String), hashes (Hash), lists (List), sets (Set) and sorted sets (ZSet), providing powerful data manipulation capabilities.
Step 204, when the application program is opened through the terminal equipment, the target user identification sent by the application program is obtained.
By way of example, the application may obtain the target user identification locally from the terminal device via an environment variable.
Specifically, when an application program is opened through a terminal device, the application program automatically acquires a target user identifier according to an environment variable without inputting account password information, and sends the target user identifier to an authentication device.
Step 205, obtaining a target authentication result corresponding to the target user identifier from the single-point authentication center.
The target user identifier sent by the application program is a user identifier which is automatically obtained from the terminal equipment through the environment variable when the application program is opened through the terminal equipment and is sent to the authentication equipment through the application server.
And step 206, feeding back the target authentication result to the application server so as to feed back the target authentication result to the application program by the application server, and determining the authority of logging in the application program by the application program according to the target authentication result.
The method of this step is described in the foregoing step 103, and will not be described here again.
In this embodiment, in response to a login operation of a user logging in a terminal device, a user identifier and authentication information are obtained, identity authentication is performed according to the authentication information, an authentication result is obtained, and the authentication result and the user identifier corresponding to the authentication result are stored. Therefore, when the application program is opened through the terminal equipment subsequently, the target user identification sent by the application program is obtained, the target authentication result corresponding to the target user identification can be directly obtained from the single-point authentication center according to the target user identification, the target authentication result is fed back to the application program, and the application program can determine the authority of logging in the application program according to the target authentication result.
Based on the method of the embodiment, the user identification and the authentication information are only needed to be input when the terminal equipment is logged in for the first time, and the user identification and the authentication information are not needed to be input again when the application program is logged in subsequently, so that the application program can automatically acquire the target authentication result from the authentication equipment, and single sign-on is realized. The application program does not need to perform identity authentication again according to the identity authentication information, and does not need to store the identity authentication information locally. Therefore, the problem of identity authentication information leakage caused by locally storing the identity authentication information can be avoided, and the problem that the single sign-on method in the related technology has safety risks is solved.
Fig. 4 is a schematic diagram of another single sign-on method according to an embodiment of the present application, and referring to fig. 4, the method may include the following steps:
step 301, responding to an operation of opening an application program, and acquiring a target user identification;
Specifically, the method is applied to the terminal equipment, and the target user identification is obtained in response to the operation of opening the application program through the terminal equipment. The terminal device may be an electronic device such as a desktop computer, a notebook computer, a mobile device, etc. The terminal device may be a domain control terminal in a domain control system.
By way of example, the application may be a Web application, and the browser for logging in the Web application is opened by the terminal device, thereby opening the application.
By way of example, step 301 may include the following sub-steps:
Step 3011, in response to the operation of opening the application, locally acquiring, through the environment variable, the pre-stored target user identifier from the terminal device.
The target user identifier pre-stored locally by the terminal equipment is obtained and stored locally by the terminal equipment in response to the operation of logging in the terminal equipment by the user.
Step 302, the target user identifier is sent to the authentication device through the application program, so that the authentication device obtains a target authentication result corresponding to the target user identifier from the pre-stored correspondence between the user identifier and the authentication result, and feeds back the target authentication result to the application program.
The method of this step may refer to the description of step 102, and will not be described herein.
For example, step 302 may include the following sub-steps:
In step 3021, the target user identifier is sent to the application server, so that the authentication request is sent to the authentication device through the application server.
For example, when the application program is a Web application program and a user opens it, the Web application program obtains the current domain user name through the environment variable $USER and sends the obtained domain user name to the Web server to perform automatic login verification.
Step 303, determining the authority of logging in the application program according to the target authentication result.
If the target authentication result is authentication passing, determining that the login is successful, and automatically logging in the application program, and if the target authentication result is authentication failure, determining that the login is failed.
In this embodiment, when an application program in a terminal device is opened, the target user identifier is sent to an authentication device without inputting identity authentication information such as an account number and a password, so as to obtain a target authentication result, and the login permission can be directly determined according to the target authentication result. The embodiment realizes single sign-on, the application program only needs to acquire the target user identification and send the target user identification to the authentication equipment to obtain the target authentication result, and the application program does not need to carry out identity authentication according to the identity authentication information again, so that the identity authentication information does not need to be stored locally. The embodiment avoids the problem of identity authentication information leakage caused by locally storing the identity authentication information, and solves the problem of safety risk of the single sign-on method in the related technology.
Fig. 5 is a flowchart of interaction steps of a single sign-on method according to an embodiment of the present application, and referring to fig. 5, the method may include the following steps:
in step 401, the terminal device obtains the target user identifier in response to the operation of opening the application program through the terminal device.
The method of this step is described in the foregoing step 301, and will not be described here again.
In step 402, the terminal device sends, through the application program, the target user identification to the authentication device.
The method of this step is described in the foregoing step 302, and will not be described herein.
In step 403, the authentication device obtains a target authentication result corresponding to the target user identifier from the pre-stored correspondence between the user identifier and the authentication result.
The method of this step is described in the foregoing step 102, and will not be described herein.
In step 404, the authentication device feeds back the target authentication result to the application program.
The method of this step is described in the foregoing step 103, and will not be described here again.
And step 405, the terminal equipment determines the authority of logging in the application program according to the target authentication result.
The method of this step is described in the foregoing step 303, and will not be described here again.
In summary, when an application program is opened through a terminal device, identity authentication information such as an account number and a password does not need to be input; the target user identifier is sent to the authentication device, the authentication device obtains the target authentication result and feeds it back to the application program, and the application program can directly determine the login permission according to the target authentication result. The embodiment realizes single sign-on: the application program only needs to acquire the target user identification and send it to the authentication device to obtain the target authentication result, and does not need to carry out identity authentication according to the identity authentication information again, so the identity authentication information does not need to be stored locally. The embodiment avoids the problem of identity authentication information leakage caused by locally storing the identity authentication information, and solves the problem of security risk of the single sign-on method in the related technology.
Fig. 6 is a single sign-on authentication architecture in a multi-domain environment in the related art. Referring to fig. 6, the multi-domain environment includes a centralized network management system (Windows Active Directory, AD) of domain A, an AD of domain B, and an AD of domain C. Each domain has a corresponding authentication server; in particular, domain A has an authentication server of domain A, domain B has an authentication server of domain B, and domain C has an authentication server of domain C. The authentication servers of the plurality of domains share a credential storage server. Further, in a multi-domain environment, each domain is configured with one authentication server, credentials are shared among the authentication servers, and the authentication server of one domain is set as the default authentication server. The AD is a centralized network management system in Windows, used for managing and controlling resources and services in the Windows operating system environment. It is mainly composed of domain controllers (Domain Controller) that store and maintain information such as user accounts, computer accounts, groups, and security policies.
When a user starts up and logs in to the operating system, a domain control group policy needs to be executed, and the domain information of the user is added to the User-Agent identifier of the browser and stored locally in the browser. When the user accesses the Web application for the first time, the Web application redirects the user to the default authentication server for authentication. The default authentication server determines the domain to which the user belongs according to the User-Agent identifier in the browser header, and redirects the user to the authentication server of that domain for authentication. After the authentication server of the user's domain has completed authentication, it attaches credentials to a uniform resource locator (URL) and redirects the user back to the Web application. The Web application requests the identity information of the user from the default authentication server using the transferred credentials. The default authentication server checks the credentials and returns the identity information of the user to the Web application. After the Web application program receives the identity information of the user, the identity authentication of the user is completed, and a response is returned to the browser, realizing single sign-on.
Further, the related art method relies on group policy, the Visual Basic (VB) object-oriented programming language, and the IE browser modifying the registry, and only supports the Windows system, not the Linux system. The VB language is an object-oriented programming language developed by Microsoft Corporation, mainly used for application development on the Windows platform; VBScript (an early version of VB) is also widely used for server-side scripts and system management tasks.
Further, referring to FIG. 7, a single sign-on method in a multi-domain environment in the related art may include: a user accessing a Web APP; the browser sending a request for the Web APP address (e.g., http://app.xxx.com) to the Web APP; the Web APP sending redirection information (e.g., status code 302) to the browser; the browser following the redirection to the default authentication server; the default authentication server redirecting back to the browser; the browser being redirected to the authentication server of the domain to which the user belongs; the authentication server returning a response (e.g., 302 Location http://app.xxx.com?ticket=st-xxx) to the browser after authentication; the browser sending the token to the Web APP (GET http://app.xxx.com?ticket=st-xxx); the Web APP sending the token (ticket=st-xxx) to the default authentication server; the default authentication server returning the authentication information of the user to the Web APP after receiving the token; and the Web APP determining the Web page to return after identity authentication according to the authentication information stored locally in the browser.
In the related art method, the single sign-on function is combined with a plurality of domain control environments, so that the single sign-on problem in a multi-domain environment is solved. However, in the related art method, user information needs to be added to the User-Agent of the browser and stored locally during the user login process, and the user information is sent to the authentication server for authentication. Recording user information, including user name and password information, in the local browser is an unsafe operation and presents a risk. In addition, the single sign-on method of the related art only supports the Windows system, not the Linux system.
In this embodiment, during single sign-on, the Web server accesses the domain server, obtains the login status (i.e., the authentication result) from the domain server, records the login status to the single-point authentication center, and then obtains the currently logged-in domain user name (i.e., the target user identifier) from the Web application, and obtains the target authentication result from the single-point authentication center according to the domain user name. The embodiment does not need to store the user information in the local browser, and does not have unsafe problems caused by recording the user information locally.
The single sign-on method according to the embodiment of the present application is further illustrated by the following drawings and embodiments.
Fig. 8 is a flowchart of steps of a single sign-on method according to an embodiment of the present application, and referring to fig. 8, the method may include the following steps:
Step S1, a domain control server and a domain control terminal are built by using a Free IPA component, and the domain control server uses a Kerberos component as an authentication server.
Among them, Free IPA (Free Internet Password Authentication) is an open-source identity management system that provides an integrated identity and authentication solution, including user management, password policy, Single Sign-On (SSO), LDAP services, and integration with Kerberos to implement domain controller functions. The domain control server is the authentication device in the foregoing embodiment, and the domain control terminal is the terminal device in the foregoing embodiment. The Kerberos component is the authentication component in the previous embodiments.
And step S2, in the process of starting up and logging in the user, the Kerberos component performs identity authentication on the user, and after the authentication is passed, domain user authentication information is sent to a single-point authentication center for caching.
Specifically, in response to the operation of inputting an account password by a user in the startup login process, the account password is obtained, and identity authentication is performed according to the account password. After the service authentication is passed, the domain user authentication information is sent to a single-point authentication center cache. The domain user authentication information may include a user identification and an authentication result.
Illustratively, the single point authentication center function provides a cache domain user authentication status interface using a Redis database, and a lookup domain user authentication status interface.
And step S3, when the user opens the Web application program, the Web application program acquires the current domain user name through the environment variable $USER and uses the domain user name to carry out automatic login verification with the Web server.
Illustratively, when a user opens the Web application, the Web application automatically obtains the current domain user name via the environment variable $USER.
And S4, the Web server uses the domain user name to check the single-point authentication center and returns a check result.
Specifically, a verification result is obtained according to the domain user name and the corresponding relation between the prestored domain user name and the verification result. The verification result corresponds to the authentication result in the foregoing embodiment.
And S5, the Web server acquires a verification result, completes automatic login authentication, returns a response to the browser and realizes automatic login of the Web application.
The Web server side directly acquires the verification result fed back by the single-point authentication center, does not need to acquire identity verification information and carry out identity verification again, does not need to store the identity verification information locally, and avoids the risk of information leakage caused by storing the identity verification information locally.
According to the embodiment, the domain control server and the domain control terminal are built by using the Free IPA component, and single sign-on in a Linux system can be realized based on the Kerberos component and the single-point authentication system, so that the problem that a single sign-on method in the related art only supports the Windows system and does not support the Linux system is solved.
Further, referring to fig. 9, a single sign-on method of the present application is further illustrated, and as shown in fig. 9, the method may include the following steps:
and step A1, the terminal equipment responds to the operation of inputting the account number and the password by the user to acquire the account number and the password.
The terminal device is provided with the Light Display Manager (LightDM), and responds to the account password input operation of the user through LightDM to acquire the account password.
LightDM is a lightweight display manager mainly used in Linux desktop environments. It initializes the login session and the user interface display process during Linux startup, that is, it is the first graphical interface seen after the user boots or locks the screen. LightDM does not itself provide a desktop environment; rather, it serves as a service that manages the login interface for desktop environments such as GNOME, KDE (K Desktop Environment), XFCE (XForms Common Environment) and the like, ensuring that users can log in securely and enter their chosen desktop.
And step A2, the terminal equipment carries out PAM remote authentication to the Kerberos component.
Specifically, pluggable authentication modules (Pluggable Authentication Modules, PAM) allow system administrators to manage user authentication in a unified manner among multiple services and daemons. PAM provides a modularized mode for the system to process tasks related to authentication such as login, password modification, account management and the like, so that different authentication methods can be flexibly integrated into the same system. The authentication method can comprise local account authentication, external authentication service, hardware token authentication and the like.
And step A3, if the Kerberos component passes the authentication, sending an authentication result to the single-point authentication center.
The Kerberos component and the single-point authentication center may be disposed in the same authentication device, or may be disposed in two authentication devices that are communicatively connected.
And step A4, the single-point authentication center records an authentication result.
The single-point authentication center records the authentication result in the Redis database.
And step A5, the single-point authentication center returns an authentication result to the Kerberos component.
And the single-point authentication center acquires an authentication result corresponding to the account number according to the authentication result recorded in the Redis database.
And step A6, the Kerberos component returns an authentication result to the terminal equipment.
The Kerberos component feeds the authentication result back to the terminal device LightDM for display.
And step A7, the terminal equipment feeds back a login result to the application program.
According to the embodiment shown in fig. 9, in the single sign-on method of the present embodiment, a single sign-on center is added after an authentication component Kerberos component of a domain controller on the premise of not changing an authentication flow of a domain control terminal user, and single sign-on is implemented based on the added single sign-on center. Therefore, the influence on the single sign-on process can be minimized, and the user can log in the application program based on the single sign-on method of the embodiment under the condition that the user does not need to perceive the change of the domain control system.
Further, referring to fig. 10, the single sign-on method may include the steps of:
and B1, logging in a domain user.
And the domain user login is realized in response to the operation of inputting the account password in the terminal equipment by the domain user. The domain user is a user who registers a domain account and sets a password in the domain control system.
And step B2, performing remote authentication through an SSSD module in PAM.
The system security services daemon (System Security Services Daemon, SSSD) is a daemon in the Linux system for providing authentication, directory services, and policy management. SSSD is a universal, pluggable framework capable of supporting a variety of authentication backend and directory services, enabling the system to flexibly switch authentication and configuration information between these different sources.
The authentication backends include PAM, Kerberos, the Network Information Service (NIS), the Lightweight Directory Access Protocol (LDAP) for accessing and managing directory services, and the like; the directory services include LDAP, the Network File System (NFS) protocol, the Key Distribution Center (KDC) that is the core component of the Kerberos protocol, and the like.
And step B3, requesting the Kerberos component to perform user identity authentication.
And the Kerberos component performs user identity authentication according to the account password information stored in the Free IPA service and the account password information sent by the user through the terminal equipment.
And B4, judging whether the authentication result is authentication passing or not, if so, entering a step B5, otherwise, entering a step B8.
If the account password information sent by the user through the terminal equipment is the same as any group of account passwords stored in the Free IPA service, authentication is passed, otherwise, authentication is not passed.
And step B5, the single-point authentication center caches the domain user information passing authentication.
The single-point authentication center caches the domain user information passing authentication through the Redis database.
And step B6, PAM authentication is passed.
PAM authentication pass means that Kerberos component passes identity authentication of the user.
And B7, successful login.
Kerberos authentication is passed, the user can successfully log into the terminal device.
And step B8, PAM authentication fails.
PAM authentication failure indicates that the Kerberos component fails the identity authentication of the user.
And step B9, login failure.
If Kerberos authentication is not passed, the user cannot log in the terminal device.
A further exemplary illustration of a single sign-on method in the present application is provided with reference to fig. 11. Referring to fig. 11, the method may include the steps of:
And step C1, responding to the operation of opening the browser webpage by a user, and acquiring the user name.
By way of example, if the application program is a Web application, the user may open the Web application by opening a browser Web page.
And step C2, automatically sending the user name to the service system.
Specifically, the Web application automatically sends a user name to the business system. The business system of this step includes the Kerberos component of the previous embodiment.
And step C3, the service system initiates single-point authentication to the single-point authentication center.
Specifically, the service system sends a user name to the single-point authentication center so that the single-point authentication center can acquire an authentication result according to the user name.
The user name in this step corresponds to the target user identification in the foregoing embodiment, and the authentication result corresponds to the target authentication result in the foregoing embodiment.
And step C4, if the authentication is passed, returning a single-point authentication result to the service system.
Authentication is passed, indicating that the user name is the user identification of a legitimate user with the authority to log in to the application.
And step C5, the service system returns a service authentication result to the Web application.
The service authentication result corresponds to the target authentication result in the foregoing embodiment.
And step C6, the Web application returns an automatic login result to the user browser.
Referring to steps C1 to C6, an automatic login procedure is added to the login procedure of the Web application in the embodiment of the present application. Specifically, when the Web application is opened, the current user name of the system is acquired through the environment variable $USER and sent to the Web Server to perform the automatic login flow; after obtaining the user name, the Web Server calls the single-point authentication center interface to check the login state, and then returns the check result.
Further, as shown in fig. 12, referring to fig. 12, the method may include the following steps:
and D1, opening the Web application.
By way of example, the application program may be a Web application, which may be opened by a browser of the terminal device.
And D2, acquiring the current user name of the system through the environment variable $USER.
When a user opens an application program through the terminal device, the application program automatically acquires the current user name of the system from the environment variable $USER.
And D3, requesting the authentication of the service server.
Specifically, the Kerberos component is requested to perform identity authentication.
And D4, requesting single-point authentication center authentication.
The Kerberos component sends the user name to a single-point authentication center, and the single-point authentication center obtains a target authentication result corresponding to the user name sent by the user according to the locally prestored user identification (user name) and the corresponding result of the authentication result.
Step D5, determining whether the authentication is passed or not, if so, entering a step D6, otherwise, entering a step D8.
If the user name sent by the user is prestored locally in the single-point authentication center and the authentication result corresponding to the user name is authentication passing, determining that the authentication passes.
And D6, determining that the business service authentication is successful.
And if the Kerberos determines that the authentication is successful, returning an authentication result of the successful authentication to the application server.
And D7, automatic login is successful.
The application server feeds back a response of successful authentication to the browser, and the application program automatically logs in successfully.
And D8, determining that the business service authentication fails.
And if the Kerberos determines authentication failure, returning an authentication result of authentication failure to the application server.
Step D9, automatic login fails.
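The terminal-login flow (steps A1 to A5 and B1 to B5) and the Web automatic-login flow (steps S2 to S5 of fig. 8 and D1 to D9 of fig. 12) modelled end to end, as an added example that is not the patent's own code. A dictionary stands in for the Redis database, a credential dictionary stands in for the PAM/SSSD/Kerberos check, and the key names, the `TTL_SECONDS` cache lifetime, the result encoding and all function names are assumptions.

```python
"""Model of the single-point authentication center and the automatic login
check around it (constructed example; not the patent's own code)."""
import hmac
import os
import time
from typing import Callable, Dict, Optional

AUTH_PASS = "pass"      # authentication result values (assumed encoding)
AUTH_FAIL = "fail"
TTL_SECONDS = 8 * 3600  # assumed lifetime of a cached authentication result


class SinglePointAuthCenter:
    """Provides the two interfaces named in the text: cache a domain user's
    authentication status, and look it up by domain user name.
    A dict stands in for the Redis database so the example runs offline."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # domain user name -> (authentication result, expiry timestamp)
        self._store: Dict[str, tuple] = {}

    def cache_auth_status(self, domain_user: str, result: str,
                          ttl: int = TTL_SECONDS) -> None:
        # With redis-py this would be r.setex(f"sso:auth:{domain_user}", ttl, result)
        # (key name assumed); Redis would then expire the entry itself.
        self._store[domain_user] = (result, self._clock() + ttl)

    def lookup_auth_status(self, domain_user: str) -> Optional[str]:
        # With redis-py this would be r.get(f"sso:auth:{domain_user}").
        entry = self._store.get(domain_user)
        if entry is None:
            return None
        result, expires_at = entry
        if self._clock() >= expires_at:
            del self._store[domain_user]  # expired entry: treat as not authenticated
            return None
        return result


def terminal_login(center: SinglePointAuthCenter, domain_user: str,
                   password: str, credential_db: Dict[str, str]) -> bool:
    """Steps A1-A5 / B1-B5: the account password entered at LightDM is checked
    (a constant-time dict compare stands in for the PAM -> SSSD -> Kerberos round
    trip) and the authentication result is recorded in the authentication center."""
    expected = credential_db.get(domain_user)
    ok = expected is not None and hmac.compare_digest(expected, password)
    center.cache_auth_status(domain_user, AUTH_PASS if ok else AUTH_FAIL)
    return ok


def web_app_current_user(environ=os.environ) -> Optional[str]:
    """Step D2: the Web application reads the current domain user name from $USER
    instead of asking for an account and password."""
    return environ.get("USER")


def web_server_auto_login(center: SinglePointAuthCenter,
                          domain_user: Optional[str]) -> str:
    """Steps D3-D9: the Web server asks the single-point authentication center for
    the result stored under the domain user name and turns it into a login result.
    Anything other than a live 'pass' entry (failure, unknown user, expired) fails."""
    if not domain_user:
        return "login_failed"
    result = center.lookup_auth_status(domain_user)
    return "login_ok" if result == AUTH_PASS else "login_failed"


def run_demo() -> Dict[str, str]:
    """Walk both flows with a controllable clock and constructed users."""
    now = [1_000_000.0]  # fake clock so expiry can be demonstrated
    center = SinglePointAuthCenter(clock=lambda: now[0])
    credentials = {"alice": "correct horse", "bob": "battery staple"}  # constructed

    terminal_login(center, "alice", "correct horse", credentials)  # passes
    terminal_login(center, "bob", "wrong password", credentials)   # fails

    outcomes = {
        "alice": web_server_auto_login(center, web_app_current_user({"USER": "alice"})),
        "bob": web_server_auto_login(center, "bob"),
        "carol": web_server_auto_login(center, "carol"),  # never logged in
        "no_user": web_server_auto_login(center, web_app_current_user({})),
    }
    now[0] += TTL_SECONDS + 1  # alice's cached result has now expired
    outcomes["alice_expired"] = web_server_auto_login(center, "alice")
    return outcomes


if __name__ == "__main__":
    for who, outcome in run_demo().items():
        print(f"{who}: {outcome}")
```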
Fig. 13 is a domain control terminal and domain control server architecture of system-level single sign-on in a Linux environment according to an embodiment of the present application. The architecture can include a plurality of application programs, which can be Web applications, for example Web APP1, Web APP2 and Web APP3; a plurality of application servers corresponding to the application programs, for example Web Server1, Web Server2 and Web Server3; and also the Kerberos component (Kerberos Server), SSSD, the single-point authentication center and the Redis database.
Referring to fig. 13, in the scheme, the change on the domain control terminal is that the Web application is extended to realize automatic login through the environment variable $USER; the change on the server side is that interaction with the single-point authentication center is added at the back ends of Kerberos and the Web Server, and a Redis database is configured for the single-point authentication center. The scheme does not affect the original domain control terminal authentication and Web application authentication functions.
Referring to Fig. 14, an embodiment of the present application further provides a single sign-on architecture that includes a client, a service layer, a data layer and an infrastructure.
The client comprises an SSSD module, a Terminal, a system program and Web application programs, where the Web application programs comprise Web APP1, Web APP2 and Web APP3.
Specifically, domain user authentication information is obtained through the Terminal and, based on the system program, is sent to the Kerberos component of the remote service through the SSSD module.
The service layer comprises a FreeIPA component and a Web service end. FreeIPA includes the Kerberos component IPA SERVER, LDAP, IPA Web Services, PAM and other modules.
The Web service end comprises a plurality of Web servers, specifically Web Server1, Web Server2 and Web Server3. LDAP is used for identity authentication and for centrally managing user accounts and passwords.
In addition, the service layer comprises a log record module for recording logs and a permission control module for controlling permissions.
The data layer includes a cache, a database and file storage. The domain user name and the authentication result are stored in the database through a caching mechanism, and the file storage may be used for storing file information such as directories.
The infrastructure includes a telecommunications network module for communication, a cloud server and an operating system. Preferably, the system in this embodiment is a Linux system.
Fig. 15 is a block diagram of a single sign-on device according to an embodiment of the present application. The device 50 is applied to an authentication device and includes: a first obtaining module 501 configured to obtain a target user identifier sent by an application program when the application program is opened through a terminal device; a second obtaining module 502 configured to obtain a target authentication result corresponding to the target user identifier from a prestored correspondence between user identifiers and authentication results; and a feedback module 503 configured to feed the target authentication result back to the application program, so that the application program determines the authority to log in to the application program according to the target authentication result.
Optionally, the device 50 further includes: a fourth obtaining module configured to obtain a user identifier and authentication information in response to an operation of logging in to the terminal device, before the target authentication result corresponding to the target user identifier is obtained from the prestored correspondence between user identifiers and authentication results; a fifth obtaining module configured to perform identity authentication according to the authentication information to obtain an authentication result, where the authentication result corresponds to the user identifier; and a storage module configured to store the authentication result and the user identifier corresponding to the authentication result.
Optionally, the fifth obtaining module may include: a first determining submodule configured to compare the authentication information with the prestored authentication information of at least one legal user through an identity authentication component in the authentication device, and to determine that the authentication result is authentication passing if the authentication information matches the authentication information of any legal user; or a second determining submodule configured to determine that the authentication result is authentication failing if the authentication information matches the authentication information of none of the legal users.
Optionally, the storage module may include a first storage submodule configured to store the authentication result and the user identifier corresponding to the authentication result in a single-point authentication center in the authentication device, and the second obtaining module 502 may include a first obtaining submodule configured to obtain, from the single-point authentication center, the target authentication result corresponding to the target user identifier.
Optionally, when the application program is opened, the application program obtains the target user identifier locally from the terminal device through an environment variable and sends it to the authentication device through an application server, and the feedback module 503 may include a first feedback submodule configured to feed the target authentication result back to the application server, so that the application server feeds it back to the application program.
In this embodiment, when an application program on a terminal device is opened, the authentication device can obtain the target user identifier sent by the application program without identity authentication information such as an account number and a password being entered, directly obtain the target authentication result according to the target user identifier, and feed the target authentication result back to the application program, which can then directly determine its login authority according to the target authentication result. In addition, the application program only needs to obtain the target user identifier and send it to the authentication device to obtain the target authentication result; it does not need to perform identity authentication according to the identity authentication information again, so the identity authentication information does not need to be stored locally. The embodiment thus avoids the leakage of identity authentication information that locally storing it would cause, and solves the security risk of the single sign-on method in the related art.
Fig. 16 shows a single sign-on device according to an embodiment; the device 60 is applied to a terminal device and comprises a third obtaining module 601, a sending module 602 and a determining module 603. The third obtaining module 601 is configured to obtain a target user identifier in response to an operation of opening an application program; the sending module 602 is configured to send the target user identifier to an authentication device through the application program, so that the authentication device obtains a target authentication result corresponding to the target user identifier from a prestored correspondence between user identifiers and authentication results and feeds the target authentication result back to the application program; and the determining module 603 is configured to determine the authority to log in to the application program according to the target authentication result.
Optionally, the third obtaining module 601 may include an obtaining submodule configured to obtain, in response to an operation of opening the application program, a prestored target user identifier locally from the terminal device through an environment variable, where the target user identifier prestored locally on the terminal device is obtained and stored locally by the terminal device in response to an operation of the user logging in to the terminal device.
Optionally, the sending module 602 may include a sending submodule configured to send the target user identifier to the application server, so as to send the authentication request to the authentication device through the application server.
In this embodiment, when an application program on a terminal device is opened, identity authentication information such as an account number and a password does not need to be entered; the target user identifier is sent to the authentication device to obtain the target authentication result, and login authority can be determined directly from it. The embodiment realizes single sign-on without the application program performing identity authentication according to the identity authentication information again or storing that information locally. It thus avoids the leakage of identity authentication information that locally storing it would cause, and solves the security risk of the single sign-on method in the related art.
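As an added illustration (not code from the application), the following Python models the flow of steps D1 to D9 above together with the modules of devices 50 and 60 (Figs. 15 and 16): domain login stores a (user identifier, authentication result) pair in the single-point authentication center, and opening an application sends only the identifier read from the environment variable through the application server, which relays the stored result. The in-memory dict in place of Redis, the salted SHA-256 comparison in place of the Kerberos component's own check, and the user names and passwords are all assumptions.

```python
"""Model of the single sign-on flow of this application (steps D1-D9 and the
modules of devices 50 and 60, Figs. 15-16). Added illustration, not patent code.
Assumptions: a dict stands in for the Redis store of the single-point
authentication center; salted SHA-256 stands in for the Kerberos credential check."""
import hashlib
import hmac
import os
from enum import Enum
from typing import Optional


class AuthResult(str, Enum):
    PASS = "authentication passed"  # claim 3: matched a legal user
    FAIL = "authentication failed"  # claim 3: matched no legal user


class SinglePointAuthCenter:
    """(user identifier -> authentication result) correspondence of claim 4; dict replaces Redis."""

    def __init__(self) -> None:
        self._results: dict[str, AuthResult] = {}

    def store(self, user_id: str, result: AuthResult) -> None:
        self._results[user_id] = result

    def lookup(self, user_id: str) -> Optional[AuthResult]:
        return self._results.get(user_id)


class KerberosComponent:
    """Identity authentication component of the domain control server (Kerberos Server / SSSD in Fig. 13)."""

    def __init__(self, center: SinglePointAuthCenter) -> None:
        self.center = center
        self._legal_users: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, digest)

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def add_legal_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._legal_users[user_id] = (salt, self._digest(salt, password))

    def authenticate_login(self, user_id: str, password: str) -> AuthResult:
        """Claims 2-3: compare submitted authentication information with the prestored
        information, decide pass/fail, and store the result against the user identifier."""
        result = AuthResult.FAIL
        record = self._legal_users.get(user_id)
        if record is not None:
            salt, expected = record
            if hmac.compare_digest(self._digest(salt, password), expected):
                result = AuthResult.PASS
        self.center.store(user_id, result)
        return result

    def check_user(self, user_id: str) -> AuthResult:
        """Steps D4-D5: only a stored 'passing' result passes; a missing or failing record is D8."""
        stored = self.center.lookup(user_id)
        return AuthResult.PASS if stored is AuthResult.PASS else AuthResult.FAIL


def application_server_relay(kerberos: KerberosComponent, user_id: str) -> AuthResult:
    """Web Server of Fig. 13 (D3 and D6/D8, claim 5): relays request and result between app and Kerberos."""
    return kerberos.check_user(user_id)


def terminal_login(kerberos: KerberosComponent, user_id: str, password: str) -> dict[str, str]:
    """Domain login on the terminal device (claim 7): authenticate once and, on
    success, keep the user identifier locally as the environment variable USER."""
    env: dict[str, str] = {}
    if kerberos.authenticate_login(user_id, password) is AuthResult.PASS:
        env["USER"] = user_id
    return env


def open_application(kerberos: KerberosComponent, env: dict[str, str]) -> bool:
    """Steps D1-D2 and D7/D9 on the terminal: read the identifier from the environment
    variable, send it via the application server, and decide login authority."""
    user_id = env.get("USER")
    if not user_id:
        return False  # nothing stored locally, so no identifier to send
    return application_server_relay(kerberos, user_id) is AuthResult.PASS


def demo() -> dict[str, bool]:
    """End-to-end run with constructed users; returns whether each auto-login succeeded."""
    kerberos = KerberosComponent(SinglePointAuthCenter())
    kerberos.add_legal_user("alice", "constructed-password-1")
    kerberos.add_legal_user("bob", "constructed-password-2")
    alice_env = terminal_login(kerberos, "alice", "constructed-password-1")  # passes, USER set
    bob_env = terminal_login(kerberos, "bob", "wrong-password")  # fails, USER left unset
    carol_env = {"USER": "carol"}  # identifier present, but never authenticated to the domain
    return {
        "alice": open_application(kerberos, alice_env),
        "bob": open_application(kerberos, bob_env),
        "carol": open_application(kerberos, carol_env),
    }
```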
Since the device embodiments are substantially similar to the method embodiments, their description is relatively brief, and reference may be made to the description of the method embodiments for the relevant points. In this specification, the embodiments are described in a progressive manner, each embodiment focusing on its differences from the others, and identical or similar parts of the embodiments may be referred to one another. The specific manner in which the modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the method embodiments and is not repeated here.
Embodiments of the present application provide a single sign-on device comprising a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, and include instructions for performing the method of one or more of the embodiments described above.
Fig. 17 is a block diagram illustrating a single sign-on device 800 according to an exemplary embodiment. For example, apparatus 800 may be a mobile phone, computer, digital broadcast terminal, messaging device, game console, tablet device, medical device, exercise device, personal digital assistant, or the like.
Referring to FIG. 17, the apparatus 800 may include one or more of a processing component 802, a memory 804, a power component 806, a multimedia component 808, an audio component 810, an input/output (I/O) interface 812, a sensor component 814, and a communication component 816.
The processing component 802 generally controls overall operation of the apparatus 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. Processing element 802 may include one or more processors 820 to execute instructions to perform all or part of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interactions between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operations at the device 800. Examples of such data include instructions for any application or method operating on the device 800, contact data, phonebook data, messages, pictures, videos, and the like. The memory 804 may be implemented by any type or combination of volatile or nonvolatile memory devices, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, or magnetic or optical disk.
The power supply component 806 provides power to the various components of the device 800. The power components 806 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the device 800.
The multimedia component 808 includes a screen between the device 800 and the user that provides an output interface. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or sliding action, but also the duration and pressure associated with the touch or sliding operation. In some embodiments, the multimedia component 808 includes a front camera and/or a rear camera. The front camera and/or the rear camera may receive external multimedia data when the device 800 is in an operational mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the device 800 is in an operational mode, such as a call mode, a recording mode, and a voice information processing mode. The received audio signals may be further stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 further includes a speaker for outputting audio signals. The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be a keyboard, click wheel, buttons, etc. These buttons may include, but are not limited to, a home button, a volume button, an activate button, and a lock button.
The sensor assembly 814 includes one or more sensors for assessing the status of various aspects of the apparatus 800. For example, the sensor assembly 814 may detect the on/off state of the device 800 and the relative positioning of components such as the display and keypad of the device 800; it may also detect a change in the position of the device 800 or of one of its components, the presence or absence of user contact with the device 800, the orientation or acceleration/deceleration of the device 800, and temperature changes of the device 800. The sensor assembly 814 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. It may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may further include an acceleration sensor, a gyroscopic sensor, a magnetic sensor, a pressure sensor or a temperature sensor.
The communication component 816 is configured to facilitate communication between the apparatus 800 and other devices, either in a wired or wireless manner. The device 800 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, the communication component 816 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
In an exemplary embodiment, the apparatus 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for executing the methods described above.
In an exemplary embodiment, a non-transitory computer-readable storage medium is also provided, such as the memory 804 including instructions executable by the processor 820 of the apparatus 800 to perform the above-described method. For example, the non-transitory computer-readable storage medium may be ROM, Random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
Fig. 18 is a schematic diagram of a server in some embodiments of the application. The server 1900 may vary considerably in configuration or performance and may include one or more central processing units (CPUs) 1922 (e.g., one or more processors), memory 1932, and one or more storage media 1930 (e.g., one or more mass storage devices) that store applications 1942 or data 1944. The memory 1932 and the storage media 1930 may be transitory or persistent. The program stored in the storage medium 1930 may include one or more modules (not shown), each of which may include a series of instruction operations on the server. Further, the central processing unit 1922 may be configured to communicate with the storage medium 1930 and to execute the series of instruction operations in the storage medium 1930 on the server 1900.
The server 1900 may also include one or more power supplies 1926, one or more wired or wireless network interfaces 1950, one or more input/output interfaces 1958, one or more keyboards 1956, and/or one or more operating systems 1941, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, and the like.
A non-transitory computer-readable storage medium is also provided; when the instructions in the storage medium are executed by a processor of an apparatus (server or terminal), they enable the apparatus to perform the method of the above embodiments, and a detailed description is therefore not repeated here. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the computer program product or computer program embodiments according to the present application, reference is made to the description of the method embodiments according to the present application.
Furthermore, it should be noted that embodiments of the present application also provide a computer program product or computer program, which may include computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the method of the above embodiments; a detailed description is therefore not repeated here. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the computer program product or computer program embodiments according to the present application, reference is made to the description of the method embodiments according to the present application.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.
The foregoing description of the preferred embodiments of the application is not intended to limit the application to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the application are intended to be included within the scope of the application.
The foregoing describes in detail a single sign-on method, apparatus, electronic device and computer-readable storage medium provided by the present application. Specific examples have been given to illustrate the principles and embodiments of the present application and to assist in understanding its method and core ideas. Those skilled in the art may, according to the ideas of the present application, vary the specific embodiments and the scope of application, so the disclosure should not be construed as limiting the present application.
Claims (11)
1. A single sign-on method, the method being applied to an authentication device, the method comprising:
when an application program is opened through a terminal device, obtaining a target user identifier sent by the application program;
obtaining a target authentication result corresponding to the target user identifier from a prestored correspondence between user identifiers and authentication results;
and feeding the target authentication result back to the application program, so that the application program determines the authority to log in to the application program according to the target authentication result.
2. The method according to claim 1, further comprising, before obtaining the target authentication result corresponding to the target user identifier from the prestored correspondence between user identifiers and authentication results:
responding to an operation of logging in to the terminal device, and obtaining a user identifier and authentication information;
performing identity authentication according to the authentication information to obtain an authentication result, wherein the authentication result corresponds to the user identifier;
and storing the authentication result and the user identifier corresponding to the authentication result.
3. The method according to claim 2, wherein performing identity authentication according to the authentication information to obtain an authentication result comprises:
comparing the authentication information with prestored authentication information of at least one legal user through an identity authentication component in the authentication device, and determining that the authentication result is authentication passing in the case that the authentication information matches the authentication information of any legal user; or
determining that the authentication result is authentication not passing in the case that the authentication information matches the authentication information of none of the legal users.
4. The method according to claim 2, wherein storing the authentication result and the user identifier corresponding to the authentication result comprises:
storing the authentication result and the user identifier corresponding to the authentication result in a single-point authentication center in the authentication device;
and obtaining the target authentication result corresponding to the target user identifier from the prestored correspondence between user identifiers and authentication results comprises:
obtaining the target authentication result corresponding to the target user identifier from the single-point authentication center.
5. The method according to claim 1, wherein the target user identifier sent by the application program is a user identifier that, when the application program is opened, is obtained locally from the terminal device through an environment variable and sent to the authentication device through an application server;
and feeding the target authentication result back to the application program comprises:
feeding the target authentication result back to the application server, so that the application server feeds the target authentication result back to the application program.
6. A single sign-on method, wherein the method is applied to a terminal device, the method comprising:
responding to an operation of opening an application program, and obtaining a target user identifier;
sending the target user identifier to an authentication device through the application program, so that the authentication device obtains a target authentication result corresponding to the target user identifier from a prestored correspondence between user identifiers and authentication results and feeds the target authentication result back to the application program;
and determining the authority to log in to the application program according to the target authentication result.
7. The method according to claim 6, wherein responding to the operation of opening the application program and obtaining the target user identifier comprises:
responding to the operation of opening the application program, and obtaining a prestored target user identifier locally from the terminal device through an environment variable;
wherein the target user identifier prestored locally on the terminal device is obtained and stored locally by the terminal device in response to an operation of the user logging in to the terminal device.
8. A single sign-on apparatus, the apparatus being applied to an authentication device, the apparatus comprising:
a first obtaining module, configured to obtain a target user identifier sent by an application program when the application program is opened through a terminal device;
a second obtaining module, configured to obtain a target authentication result corresponding to the target user identifier from a prestored correspondence between user identifiers and authentication results;
and a feedback module, configured to feed the target authentication result back to the application program, so that the application program determines the authority to log in to the application program according to the target authentication result.
9. A single sign-on apparatus, the apparatus being applied to a terminal device, the apparatus comprising:
a third obtaining module, configured to respond to an operation of opening an application program and obtain a target user identifier;
a sending module, configured to send the target user identifier to an authentication device through the application program, so that the authentication device obtains a target authentication result corresponding to the target user identifier from a prestored correspondence between user identifiers and authentication results and feeds the target authentication result back to the application program;
and a determining module, configured to determine the authority to log in to the application program according to the target authentication result.
10. An electronic device, characterized by comprising: a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute the instructions to implement the method according to any one of claims 1 to 7.
11. A computer-readable storage medium, characterized in that instructions in the computer-readable storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411222024.1A CN119249396A (en) | 2024-09-02 | 2024-09-02 | Single sign-on method, device, electronic device and readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119249396A true CN119249396A (en) | 2025-01-03 |
Family
ID=94015675
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411222024.1A Pending CN119249396A (en) | 2024-09-02 | 2024-09-02 | Single sign-on method, device, electronic device and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119249396A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118536097A (en) * | 2024-04-24 | 2024-08-23 | 内蒙古建亨奥能科技有限公司 | A data interaction system for enterprises |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12255882B2 (en) | Secure web container for a secure online user environment | |
| US11838324B2 (en) | Secure web container for a secure online user environment | |
| US11843593B2 (en) | Application integration using multiple user identities | |
| US10693865B2 (en) | Web-based interface integration for single sign-on | |
| US11526620B2 (en) | Impersonation for a federated user | |
| US9038138B2 (en) | Device token protocol for authorization and persistent authentication shared across applications | |
| CN103283204B (en) | To the method that the access of protected content is authorized | |
| CN113630377B (en) | Single sign-on for hosted mobile devices | |
| US11283793B2 (en) | Securing user sessions | |
| WO2023280009A1 (en) | Access control method and apparatus, device, and storage medium | |
| CN119249396A (en) | Single sign-on method, device, electronic device and readable storage medium | |
| KR20230116476A (en) | Mobile password manager | |
| KR20230077416A (en) | User device and method for providing service based on fido 2.0 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||