Agent-based single sign on (SSO) method and system

A single sign-on and application-system technology, applied in the field of computer information, that addresses the problems of difficult expansion, complex implementation and extension, and user information leakage, achieving easy expansion, reduced configuration costs, and protection of personal privacy.

Inactive Publication Date: 2011-06-29
INST OF SOFTWARE - CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

This method enables users to achieve unified authentication and single sign-on on different machines in different locations, but it requires all application systems to trust the authentication center, and a front-end program must be configured in each application system to complete user authentication and the verification of assertions, which makes implementing and extending the system relatively complex.
[0004] In the above two methods, the single sign-on service will maintain the user's user name, password and other personal information. If the service is attacked, it may lead to the leakage of user information.
Another single sign-on method is that the user first passes the verification of the first application system and then clicks the link to the second application system within the first application system; the first application system generates authentication information and sends it to the second application system, which authenticates the user and logs the user in. In this method, a corresponding trust relationship must be established between the application systems, which leads to tight coupling between multiple application systems and makes the system hard to expand; if one application system is compromised, the security of the other application systems is threatened.
[0005] In addition, some emerging technologies can also provide similar proxy login services, such as the OAuth protocol, which lets the user authorize a third party with a token so that the third party can use the token, without using the user's username and password, to apply for authorization to the user's resources, thereby better protecting the user's personal information. However, to provide a single sign-on service, the token format and verification method must also be unified across the application systems, which is likewise not easy to implement and extend.

Embodiment Construction

[0040] The present invention will be described in more detail below by specific examples.

[0041] 1. Proxy-based single sign-on method

[0042] The single sign-on method in this embodiment includes two processes, authentication credential setting and single sign-on, which correspond to the relationships between the terminal user, the single sign-on server and the application server. Figure 1 gives a schematic diagram of the relationship between these three, and the single sign-on method of this embodiment is described below with reference to the accompanying drawings.

[0043] First, user U needs to perform the authentication credential setting process, which includes the following steps:

[0044] a. The user U first registers at the application server S and obtains the user credential C.

[0045] b. The user accesses the single sign-on server L, and the single sign-on server authenticates the user.

[0046] c. The user sends a credential setting req...

Abstract

The invention discloses an agent-based single sign-on (SSO) method and system, belonging to the technical field of computer information. In the method, a user (U) registers with an application server (S) and acquires a user certificate (C); U logs in to an SSO server (L) and sends a certificate setting request; L stores the user identification, the application server identification and a ciphertext (C') in an associated manner; U logs in to L and requests access to S; L interacts with S to acquire a token issued by S and S's signature (sig) on the token; L signs the token with its own private key to obtain sig', looks up the C' associated with the U and S identifications, and sends C', the token and sig' to U; U uses a private key in the user C to decrypt C' so as to acquire C, and sends the SSO server identification, C, the token and sig' to S; S verifies the token and sig' and, if they pass verification, goes on to verify the user C; if the user C passes verification, U is permitted to log in. The invention also discloses an SSO system corresponding to the SSO method.
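The exchange in the abstract, played end to end in Go as an added example (not code from the patent), showing that L only ever holds the ciphertext C' and that S rejects both a replayed token and an altered sig'. The page does not name algorithms or say who produces C', so Ed25519 signatures, RSA-OAEP encryption of C under a key pair held by U, single-use tokens, L checking sig before countersigning, and all identifiers are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// AppServer is S: it trusts L's public key and holds user U's credential C.
type AppServer struct {
	ssoPub  ed25519.PublicKey
	cred    []byte
	pending map[string]bool // issued, unredeemed tokens (assumption: single use)
}

// Login verifies the token, then sig', then C, in the order the abstract gives.
func (s *AppServer) Login(c, token, sigL []byte) bool {
	fresh := s.pending[string(token)]
	delete(s.pending, string(token)) // burn the token on first presentation
	return fresh && ed25519.Verify(s.ssoPub, token, sigL) && subtle.ConstantTimeCompare(c, s.cred) == 1
}

// Run plays one exchange, then replays it; flip is XORed into sig' in transit. Errors ignored for brevity.
func Run(flip byte) (first, replay bool) {
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	lPub, lPriv, _ := ed25519.GenerateKey(rand.Reader)
	uKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	s := &AppServer{lPub, []byte("constructed-credential-C"), map[string]bool{}}
	// Credential setting: U encrypts C under its own public key (assumption); L stores only C'.
	cPrime, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &uKey.PublicKey, s.cred, nil)
	// Sign-on: S issues a fresh token and signs it (sig).
	token := make([]byte, 16)
	rand.Read(token)
	s.pending[string(token)] = true
	sig := ed25519.Sign(sPriv, token)
	// L checks sig (assumption), then countersigns the token as sig'.
	if !ed25519.Verify(sPub, token, sig) {
		return
	}
	sigL := ed25519.Sign(lPriv, token)
	sigL[0] ^= flip
	// U decrypts C' with its private key and sends (C, token, sig') to S.
	c, _ := rsa.DecryptOAEP(sha256.New(), rand.Reader, uKey, cPrime, nil)
	return s.Login(c, token, sigL), s.Login(c, token, sigL)
}

func main() { fmt.Println(Run(0)) }
```

Run(0) is the honest exchange followed by a replay of the same message; Run(1) alters one bit of sig' before it reaches S.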

Description

Technical field

[0001] The present invention relates to single sign-on technology, in particular to an agent-based single sign-on method and system. It belongs to the field of computer information technology.

Background technique

[0002] In recent years, with the development of information technology and network technology and the continuous popularization of various network application services, users need to access many different application systems every day, such as web pages, emails, databases, etc. Each system requires users to follow certain security policies, such as requiring user IDs and passwords to be entered. As the number of systems accessed by users increases, users usually need to remember multiple passwords in order to access different application systems. In order to facilitate memory, users generally simplify passwords, or use the same password in multiple systems, or record passwords, which greatly reduces the security of user identity; on the other ha...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/08, H04L9/32
Inventor: 张立武, 冯登国, 李强, 张严
Owner: INST OF SOFTWARE - CHINESE ACAD OF SCI