A single sign-on method and device

By using random number signatures generated by the business server and public key verification in single sign-on, combined with the verification server and Active Directory domain services, the problems of low security and low efficiency in existing technologies are solved, achieving higher security and faster data processing.

CN114329538B · Active · Publication Date: 2026-06-30 · WEBANK (CHINA)

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents (China)
Current Assignee / Owner
WEBANK (CHINA)
Filing Date
2021-12-24
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing single sign-on solutions have low security, cookies are easily stolen, middleware cannot verify the authenticity and validity of user identifiers, and the verification process of business servers is complex, resulting in low data processing efficiency.

Method used

By interacting with the business server through electronic devices, using the random number signature generated by the business server and the public key verification, combined with the verification server and Active Directory domain services, the reliability and security of login names are ensured, and the verification pressure on the business server is reduced.

Benefits of technology

It improves the security and data processing efficiency of single sign-on, reduces the complex verification process of business servers, and enhances the user experience.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN114329538B_ABST

Abstract

This application provides a single sign-on method and apparatus applied to an electronic device. The electronic device is equipped with a browser, which has multiple browser plugins. Based on the access request of a target object detected by the browser, the electronic device determines a page data access request corresponding to a first browser plugin. The first browser plugin is one of the multiple browser plugins. The page data access request carries a signature of a first random number and an encrypted identifier of the first browser plugin. The first random number is generated by a business server. The electronic device sends the page data access request to the business server, so that after the business server verifies the page data access request, it obtains the login name of the target object from the verification server and queries business data based on that login name. The electronic device receives the business data fed back by the business server. This method can ensure the security of single sign-on and the reliability of the target object information.

Description

Technical Field

[0001] This invention relates to the field of financial technology (Fintech), and more particularly to a single sign-on method and apparatus.

Background Technology

[0002] With the development of computer technology, more and more technologies are being applied in the financial field. The traditional financial industry is gradually transforming into financial technology, and big data technology is no exception. However, due to the security and real-time requirements of the financial industry, higher demands are being placed on the technology.

[0003] Current single sign-on (SSO) solutions mainly fall into two categories: those based on browser cookies and those based on user identifiers recorded by middleware, which are then used to retrieve the user's data from the SSO business system. However, cookies are typically stored in local files, so they can be stolen by malware. Middleware-based solutions rely on local middleware to obtain the user identifier; the local middleware is assumed to be trustworthy, but the business system cannot verify the authenticity of the identifier it receives. Current SSO solutions therefore offer relatively low security.

Summary of the Invention

[0004] This application provides a single sign-on method and apparatus to improve the security of single sign-on, reduce the complex verification process of business servers, and improve data processing efficiency.

[0005] Firstly, this application provides a single sign-on method applicable to electronic devices or business servers. This method can be implemented separately by the electronic device and the business server, or through interaction between the electronic device and the business server. The following explanation uses interaction between the two as an example. The electronic device is equipped with a browser, and the browser has multiple browser plugins. The electronic device can be understood as a PC, laptop, etc., and this application does not specifically limit this definition.

[0006] The electronic device can determine the page data access request corresponding to the first browser plugin based on the access request of the target object detected by the browser; the first browser plugin is one of multiple browser plugins; the page data access request carries the signature of the first random number and the encrypted identifier of the first browser plugin; the first random number is generated by the business server; the signature of the first random number is produced by signing with the private key of the business server. The electronic device sends the page data access request to the business server, and the business server receives the page data access request corresponding to the first browser plugin from the browser of the electronic device. The business server uses its own public key to verify the signature of the first random number in the page data access request; if verification succeeds, the business server obtains the login name of the target object from the verification server and queries the business data according to that login name; the business server sends the business data to the browser, and the electronic device receives the business data fed back by the business server.

[0007] In this application, during single sign-on, when an electronic device requests page data, it carries a signature of a first random number generated by the business system to the business system for verification. Upon receiving the request, the business system verifies the signature using a public key. After successful verification, it can obtain the login name of the target object from the verification server, query business data based on the login name of the target object, and send the business data to the browser. This method does not obtain the login name of the target object from the browser's cookie, nor does it obtain the login name of the target object from the middleware. Instead, it obtains the login name of the target object from the verification server after verification, which can ensure the reliability of the login name of the target object and ensure the security of single sign-on.

[0008] In one alternative approach, the electronic device may request the login name of the target object and the address of the electronic device from the Active Directory (AD) domain service based on a first browser plugin; the electronic device receives response information from the AD domain service, which includes the login name of the target object and the address of the electronic device; the electronic device determines the identifier of the first browser plugin and a second random number based on the address of the electronic device and the current timestamp; the electronic device sends the encrypted login name of the target object, the encrypted identifier of the first browser plugin, and the second random number to the verification server for signature processing, and determines the signature of the second random number; the verification server decrypts and stores the login name of the target object and the identifier of the first browser plugin; the electronic device verifies the signature of the second random number based on the first browser plugin; the verification server stores the private key of the first browser plugin and the private key of the business server.

[0009] It's important to note that different browser plugins correspond to different URLs. For example, browser plugin 1 corresponds to URL 1. Typically, when a target user queries data at URL 1, they may need to log in with the username registered at URL 1. Active Directory (AD) domains store user account information, computer account information, printer and shared folder information, and so on. The component providing directory services is the AD domain service, which is primarily responsible for storing, adding, deleting, modifying, and querying the directory database. After the electronic device obtains the target user's login name through the AD domain service, the first browser plugin registers the login name and the plugin identifier with the verification server and verifies the signature the verification server returns. This eliminates the need for the target user to re-enter their login name at the URL corresponding to the first browser plugin after opening the browser, which improves data processing efficiency and enhances the user experience. Furthermore, after the business server has verified the electronic device, it obtains the target user's login name from the verification server, not from a cookie, which protects the user information.

[0010] In one alternative approach, when an electronic device detects an access request for a target object, it sends a page request to the business server. The electronic device receives response information from the business server regarding the page request, which includes a first random number, the identifier of the business server, and the page corresponding to the first browser plugin.

[0011] It should be noted that after the electronic device detects the access request of the target object, it wants to request the page of the first browser plugin so that it can obtain business data more quickly after the page is successfully loaded.

[0012] In one alternative approach, after the electronic device loads the page corresponding to the first browser plugin based on the browser, it encrypts the first random number and the identifier of the business server through the first browser plugin to obtain the encrypted first random number and the encrypted identifier of the business server; and then, based on the first browser plugin, it signs the encrypted first random number and the encrypted identifier of the business server to determine the signature of the first random number.

[0013] It should be noted that after obtaining the first random number from the business server, it is signed so that the business server can verify it and determine the secure identity of the electronic device. The login name of the target object is then obtained from the verification server. This method can ensure the security of data processing during single sign-on.

[0014] In one alternative approach, before the business server obtains the login name of the target object from the verification server, the business server may generate a business request signature based on the business server's identifier, the business server's token, and a third random number; the business server sends the business request signature, the encrypted identifier of the first browser plugin, the business server's identifier, and the third random number to the verification server for signature verification; if the signature verification is successful, the business server receives the login name of the target object queried by the verification server based on the identifier of the first browser plugin.

[0015] In this method, after the verification server verifies the signature of the business server, it queries the login name of the target object and sends it back to the business server. Based on the login name of the target object, the business server retrieves relevant business data. After the business server verifies the identity of the electronic device, the verification server verifies the identity of the business server. Only after both verifications are successful can the business data of the target object be queried. This method can ensure the security of single sign-on, and the identity verification operation is not entirely performed on the business server side, which can reduce the data processing pressure on the business server and improve data processing efficiency.

[0016] Secondly, this application provides a single sign-on device, comprising: a determining unit, configured to determine a page data access request corresponding to a first browser plugin based on an access request of a target object detected by a browser; the first browser plugin is one of a plurality of browser plugins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plugin; the first random number is generated by a business server; a sending unit, configured to send the page data access request to the business server, so that after the business server verifies the page data access request, it obtains the login name of the target object from the verification server and queries business data based on that login name; and a receiving unit, configured to receive business data fed back by the business server.

[0017] Thirdly, this application provides another single sign-on device, comprising: a receiving unit, configured to receive a page data access request corresponding to a first browser plugin of a browser from an electronic device; the first browser plugin is one of a plurality of browser plugins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plugin; the first random number is generated by a business server; a verification unit, configured to verify the signature of the first random number in the page data access request using the public key of the business server; a query unit, configured to, if the verification succeeds, obtain the login name of the target object from the verification server and query business data based on that login name; and a sending unit, configured to send the business data to the browser.

[0018] Fourthly, this application provides a computing device, including: a memory and a processor; the memory for storing program instructions; and the processor for calling the program instructions stored in the memory and executing the method described in the first aspect according to the obtained program.

[0019] Fifthly, this application provides a computer storage medium storing computer-executable instructions for performing the method described in the first aspect.

[0020] For the technical effects that can be achieved by the second to fifth aspects mentioned above, please refer to the description of the technical effects that can be achieved by the corresponding possible design schemes in the first aspect mentioned above. This application will not repeat them here.

[0021] Other features and advantages of this application will be set forth in the description which follows, and will be apparent in part from the description, or may be learned by practicing the application. The objectives and other advantages of this application may be realized and obtained by means of the structures particularly pointed out in the written description, claims, and drawings.

Description of the Drawings

[0022] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0023] Figure 1 is a flowchart of an existing single sign-on process.

[0024] Figure 2 is a schematic diagram of a single sign-on application scenario provided in an embodiment of this application.

[0025] Figure 3 is a schematic diagram of the single sign-on process provided in an embodiment of this application.

[0026] Figure 4 is a schematic diagram of the single sign-on process provided in an embodiment of this application.

[0027] Figure 5 is a schematic diagram of the execution logic of single sign-on provided in an embodiment of this application.

[0028] Figure 6 is a schematic diagram of the single sign-on device provided in an embodiment of this application.

[0029] Figure 7 is a schematic diagram of the single sign-on device provided in an embodiment of this application.

[0030] Figure 8 is a schematic diagram of the structure of a computing device provided in an embodiment of this application.

Detailed Implementation

[0031] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings.

[0032] It should be noted that the terms "first," "second," etc., used in this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data used can be interchanged where appropriate so that the embodiments of this disclosure described herein can be implemented in orders other than those illustrated or described herein. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0033] As described in the background section, current single sign-on solutions mainly fall into two categories: those based on browser cookies and those based on user identifiers recorded by middleware. The browser-cookie-based flow is shown in Figure 1. After a user turns on their electronic device, they enter the business system's URL in the browser, and the browser requests the user's business data from the business server. If the business server determines that the user is not logged in, it returns a response that redirects the browser to the login page, and the browser requests that page from the single sign-on server. Once the page is returned, the user enters their username and password in the browser, which sends them to the single sign-on server. Upon successful login, the single sign-on server returns user identification information; the browser writes it to a cookie and requests business data from the business server. The business server in turn requests the user's data from the single sign-on server, receives it, and returns it for display in the browser. Cookies are typically stored locally, which carries the risk of theft by malware. The business server assumes the single sign-on server is trustworthy and performs only one-way authentication, so it cannot itself judge the reliability of the user information it obtains. The business server's access process is also complex, involving numerous checks and redirection logic that the business server must handle. This application therefore provides a single sign-on method that improves efficiency while ensuring information security.

[0034] The single sign-on process is described in detail below. In the embodiments of this application, "and/or" describes the relationship between associated objects, indicating that three relationships can exist. For example, A and/or B can represent: A alone, A and B simultaneously, or B alone, where A and B can be singular or plural. The character "/" generally indicates that the preceding and following associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple. The singular expressions "a," "an," "the," and "this" are intended to also include expressions such as "one or more," unless the context explicitly indicates otherwise. Furthermore, unless otherwise stated, the ordinal numbers such as "first" and "second" mentioned in the embodiments of this application are used to distinguish multiple objects and are not used to limit the order, sequence, priority, or importance of multiple objects. For example, "first task execution device" and "second task execution device" are only used to distinguish different task execution devices, and do not indicate a difference in priority or importance between the two task execution devices.

[0035] References to "one embodiment" or "some embodiments" as described in this specification mean that one or more embodiments of this application include a specific feature, structure, or characteristic described in connection with that embodiment. Therefore, the phrases "in one embodiment," "in some embodiments," "in other embodiments," "in still other embodiments," etc., appearing in different parts of this specification do not necessarily refer to the same embodiment, but rather mean "one or more, but not all, embodiments," unless otherwise specifically emphasized. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless otherwise specifically emphasized.

[0036] This application describes a single sign-on application scenario such as the one shown in Figure 2, which includes electronic devices and users. The electronic devices are equipped with browsers, and the browsers have multiple browser plugins. Figure 2 takes three loaded browser plugins as an example: browser plugin 1 corresponds to URL A, browser plugin 2 corresponds to URL B, and browser plugin 3 corresponds to URL C. Normally, a user might need to log in with their registered username at each URL to query data. With this scheme, a user who wants to access URL A can simply click on URL A in the browser after turning on the electronic device and retrieve their business data, without logging in at URL A again with their registered username. This improves data processing efficiency and provides a better user experience.

[0037] Figure 3 is a flowchart of a single sign-on method provided in an embodiment of this application. The method can be executed by the electronic device or by the business server: it can be implemented separately by each, or through interaction between the two. This application does not specifically limit this; the following explanation uses interaction between the two as an example. The method may execute as follows:

[0038] Step 301: The electronic device can determine the page data access request corresponding to the first browser plugin based on the access request of the target object detected by the browser; the first browser plugin is one of multiple browser plugins; the page data access request carries the signature of the first random number and the encrypted identifier of the first browser plugin; the first random number is generated by the business server; the signature of the first random number is determined by signing with the private key of the business server.

[0039] It should be noted that the page data access request carries a signature of the first random number to ensure the secure identity of the electronic device and guarantee the security of data processing. The first random number can be sent by the business server to the browser, or it can be sent by the business server after the browser sends a request. This application does not specifically limit this; the example given is that the business server sends the first random number after the browser sends a request.

[0040] For example, if an electronic device detects an access request for a target object, it sends a page request to the business server. The electronic device receives a response from the business server, which includes a first random number, the identifier of the business server, and the page corresponding to the first browser plugin. Typically, an electronic device can request business data from multiple business servers, and the responses from the business servers can carry the identifier of the business server for quick retrieval of business data.

[0041] Subsequently, after the electronic device loads the page corresponding to the first browser plugin via its browser, it encrypts the first random number and the identifier of the business server using the first browser plugin, resulting in an encrypted first random number and an encrypted identifier of the business server. Then, it signs the encrypted first random number and the encrypted identifier of the business server using the first browser plugin, determining the signature of the first random number. After obtaining the first random number from the business server, it performs signature processing so that the business server can verify its identity and determine the secure identity of the electronic device. The login name of the target object is then obtained from the verification server. This method ensures the security of data processing during single sign-on.

[0042] Step 302: The electronic device sends a page data access request to the business server; correspondingly, the business server can receive a page data access request from the first browser plugin of the electronic device's browser.

[0043] Step 303: The business server uses its own public key to verify the signature of the first random number in the page data access request.

[0044] Step 304: If the verification is successful, the business server obtains the login name of the target object from the verification server and queries the business data based on the login name of the target object.

[0045] Step 305: The business server sends business data to the browser; correspondingly, the electronic device receives the business data fed back by the business server.

[0046] In this application, during single sign-on, when an electronic device requests page data, it carries a signature of a first random number generated by the business system to the business system for verification. Upon receiving the request, the business system verifies the signature using a public key. After successful verification, it can obtain the login name of the target object from the verification server, query business data based on the login name of the target object, and send the business data to the browser. This method does not obtain the login name of the target object from the browser's cookie, nor does it obtain the login name of the target object from the middleware. Instead, it obtains the login name of the target object from the verification server after verification, which can ensure the reliability of the login name of the target object and ensure the security of single sign-on.

[0047] In one optional approach, the electronic device may request the login name of the target object and the address of the electronic device from the Active Directory (AD) domain service based on a first browser plugin; the electronic device receives response information from the AD domain service, which includes the login name of the target object and the address of the electronic device; the electronic device determines the identifier of the first browser plugin and a second random number based on the address of the electronic device and the current timestamp; the electronic device sends the encrypted login name of the target object, the encrypted identifier of the first browser plugin, and the second random number to the verification server for signature processing, and determines the signature of the second random number; the verification server decrypts and stores the login name of the target object and the identifier of the first browser plugin; the electronic device verifies the signature of the second random number based on the first browser plugin; wherein, the verification server stores the private key of the first browser plugin and the private key of the business server.

[0048] It's important to note that different browser plugins correspond to different URLs. For example, browser plugin 1 corresponds to URL 1. Typically, when a target user queries data at URL 1, they may need to log in with the username registered at URL 1. Active Directory (AD) domains store user account information, computer account information, printer and shared folder information, and so on. The component providing directory services is the AD domain service, which is primarily responsible for storing, adding, deleting, modifying, and querying the directory database. After the electronic device obtains the target user's login name through the AD domain service, the first browser plugin registers the login name and the plugin identifier with the verification server and verifies the signature the verification server returns. This eliminates the need for the target user to re-enter their login name at the URL corresponding to the first browser plugin after opening the browser, which improves data processing efficiency and enhances the user experience. Furthermore, after the business server has verified the electronic device, it obtains the target user's login name from the verification server, not from a cookie, which protects the user information.

[0049] In one alternative approach, before the business server obtains the login name of the target object from the verification server, the business server may generate a business request signature based on the business server's identifier, the business server's token, and a third random number; the business server sends the business request signature, the encrypted identifier of the first browser plugin, the business server's identifier, and the third random number to the verification server for signature verification; if the signature verification is successful, the business server receives the login name of the target object queried by the verification server based on the identifier of the first browser plugin.

[0050] In this method, after the verification server verifies the signature of the business server, it queries the login name of the target object and sends it back to the business server. Based on the login name of the target object, the business server retrieves relevant business data. After the business server verifies the identity of the electronic device, the verification server verifies the identity of the business server. Only after both verifications are successful can the business data of the target object be queried. This method can ensure the security of single sign-on, and the identity verification operation is not entirely performed on the business server side, which can reduce the data processing pressure on the business server and improve data processing efficiency.

[0051] To better illustrate the scheme of this application, the single sign-on method shown in Figure 4 is described in detail below. The first browser plugin stores its public key p_pub; the verification server stores the first browser plugin's private key p_inv and the business server's private key b_inv; the target object's login name is user; the electronic device's address is IP; the first random number is b_ran, its encrypted form is b_ran_enc and its signature is b_ran_sign; the encrypted login name of the target object is user_enc; the first browser plugin's identifier is p_key and its encrypted form is p_key_enc; the second random number is p_ran and its signature is p_ran_sign; the business server's public key is b_pub, its identifier is b_appid and its token is b_token; the third random number is b_nonce; and the business request signature is b_req_sign.

[0052] The first browser plugin obtains the user, the IP address, and a timestamp from the Active Directory service, derives p_key from them (p_key = IP address + timestamp), and generates the second random number p_ran. It then encrypts p_key and user. RSA or another public-key scheme may be used; the choice is not limited here. Details are as follows:

[0053] p_key_enc=rsa.encrypt(p_key, p_pub)

[0054] user_enc=rsa.encrypt(user,p_pub)

[0055] The first browser plugin then sends this information to the verification server to register the relationship between the first browser plugin and the target object. The verification server decrypts the ciphertexts with the first browser plugin's private key p_inv to obtain p_key and user, stores the pair in its database, and returns a signature over p_ran to the plugin: p_ran_sign = rsa.sign(p_ran, p_inv). The first browser plugin checks this signature with rsa.verify(p_ran, p_ran_sign, p_pub), so that a registration response forged or tampered with by an intermediate system is detected: only the holder of p_inv can produce a valid signature over the freshly generated p_ran.

[0056] The target object, i.e. the user, enters a URL in the browser. The business server answers the browser's page request by returning the page corresponding to the first browser plugin and generating b_ran; it writes b_ran and b_appid into a cookie for the subsequent verification of the user information. After the page has loaded, the first browser plugin encrypts b_ran and b_appid (with p_pub, the only key it holds) to obtain b_ran_enc and b_appid_enc and sends them to the verification server. The verification server decrypts them, looks up b_inv by b_appid, computes b_ran_sign = rsa.sign(b_ran, b_inv), and returns b_ran_sign to the plugin. The first browser plugin then modifies the request headers of all requests to the business server (the page data access requests), adding p_key_enc and b_ran_sign. On receiving a page data access request, the business server reads p_key_enc and b_ran_sign from the headers, first checks the signature so that forged user information is rejected, and only then obtains the user information (user) from the verification server. Specifically, the following steps are executed in order:

[0057] Step A. Verify the signature of the first random number: valid = rsa.verify(b_ran, b_ran_sign, b_pub); if it is not valid, reject the request;

[0058] Step B. Generate the business request signature: b_req_sign = generate_sign(b_appid, b_token, b_nonce), where b_nonce is a freshly generated third random number;

[0059] Step C. Send b_req_sign, p_key_enc, b_appid, and b_nonce to the verification server;

[0060] Step D. The verification server looks up b_token by b_appid, recomputes the signature over b_token, b_appid, and b_nonce, and compares it with b_req_sign. If they match, it decrypts p_key_enc, looks up the user registered under p_key, and returns the user information.

[0061] Step E. The business server can cache the returned user information keyed by p_key_enc, so that it does not have to query the verification server again for the same plugin within a short period. Entries should expire after that period, since the mapping is fixed at registration time.

[0062] It should be noted that business servers are typically built independently and share little logic, so their integration and reusability are relatively low. Placing the verification in a trusted third-party service, namely the verification server, avoids re-implementing the same verification on every business server. Furthermore, only the browser plugin and the verification server need to hold the key pair, rather than placing all the keys on the business servers: if the keys were placed on the business servers, every business server would hold the pair, which would increase the risk of key leakage and reduce the trustworthiness of the browser plugin.

[0063] The execution logic of this application, shown in Figure 5, is as follows:

[0064] Step 1: The first browser plugin obtains the login name of the target object from the local Active Directory service; this step requires no verification.

[0065] Step 2: The first browser plugin reports the login name of the target object, the second random number, the identifier of the first browser plugin, and related information to the verification server, encrypting the information with the public key it holds.

[0066] Step 3: The verification server returns the signature of the second random number, and the first browser plugin verifies the signature with the public key.

[0067] Step 4: The business server transmits the first random number and the identifier of the business server to the first browser plugin. The first browser plugin writes the first random number into a cookie; the cookie is not encrypted.

[0068] Step 5: The first browser plugin transmits the encrypted first random number and the encrypted identifier of the business server to the verification server.

[0069] Step 6: The verification server decrypts the first random number and the identifier of the business server, and signs the first random number with the private key of the business server to obtain the signature of the first random number.

[0070] Step 7: The first browser plugin sends the signature of the first random number to the business server for signature verification.

[0071] Step 8: The business server obtains the user information from the verification server.

[0072] Based on the same concept, embodiments of this application provide a single sign-on device which, as shown in Figure 6, includes a determining unit 61, a sending unit 62, and a receiving unit 63.

[0073] The determining unit 61 is used to determine the page data access request corresponding to the first browser plugin based on the access request of the target object detected by the browser; the first browser plugin is one of multiple browser plugins; the page data access request carries the signature of a first random number and the encrypted identifier of the first browser plugin; the first random number is generated by the business server; the signature of the first random number is determined by signing with the private key of the business server; the sending unit 62 is used to send the page data access request to the business server so that after the business server verifies the page access request, it obtains the login name of the target object from the verification server and queries business data based on the login name of the target object; the receiving unit 63 is used to receive the business data fed back by the business server.

[0074] In this application, during single sign-on, when an electronic device requests page data, it carries a signature of a first random number generated by the business system to the business system for verification. Upon receiving the request, the business system verifies the signature using a public key. After successful verification, it can obtain the login name of the target object from the verification server, query business data based on the login name of the target object, and send the business data to the browser. This method does not obtain the login name of the target object from the browser's cookie, nor does it obtain the login name of the target object from the middleware. Instead, it obtains the login name of the target object from the verification server after verification, which can ensure the reliability of the login name of the target object and ensure the security of single sign-on.

[0075] In one optional embodiment, the single sign-on device further includes a processing unit that can request the login name of the target object and the address of the electronic device from the Active Directory (AD) domain service based on a first browser plugin; the electronic device receives response information from the AD domain service, which includes the login name of the target object and the address of the electronic device; the electronic device determines the identifier of the first browser plugin and a second random number based on the address of the electronic device and the current timestamp; the electronic device sends the encrypted login name of the target object, the encrypted identifier of the first browser plugin, and the second random number to the verification server for signature processing, and determines the signature of the second random number; the verification server decrypts and stores the login name of the target object and the identifier of the first browser plugin; the electronic device verifies the signature of the second random number based on the first browser plugin; wherein, the verification server stores the private key of the business server, and the first browser plugin stores the public key of the business server.

[0076] It is important to note that different browser plugins correspond to different URLs. For example, browser plugin 1 corresponds to URL 1. Typically, when the target user queries data at URL 1, they need to log in with the username registered for URL 1. An Active Directory (AD) domain stores user account information, computer account information, printer and shared-folder information, and so on; the component providing the directory service is the AD domain service, which is primarily responsible for storing, adding, deleting, modifying, and querying the directory database. After the electronic device obtains the target user's login name through the first browser plugin from the AD domain service, it registers the login name (in encrypted form) with the verification server and verifies the signature the verification server returns. The target user therefore does not need to re-enter their login name at the URL corresponding to the first browser plugin after opening the browser, which improves data processing efficiency and the user experience. Furthermore, after the business server has verified the electronic device, it obtains the target user's login name from the verification server rather than from a cookie, so the user information cannot be substituted by tampering with the cookie.

[0077] In one alternative approach, the single sign-on device further includes a processing unit that, upon detecting an access request from a target object, sends a page request to a business server; the electronic device receives response information from the business server regarding the page request, the response information including a first random number, the identifier of the business server, and the page corresponding to the first browser plugin.

[0078] It should be noted that, after the electronic device detects the access request of the target object, it first requests the page of the first browser plugin, so that business data can be obtained more quickly once the page has loaded.

[0079] In one optional approach, the processing unit further encrypts the first random number and the identifier of the business server through the first browser plugin after the browser loads the page corresponding to the first browser plugin, thereby obtaining the encrypted first random number and the encrypted identifier of the business server; and then performs signature processing on the encrypted first random number and the encrypted identifier of the business server based on the first browser plugin to determine the signature of the first random number.

[0080] It should be noted that after obtaining the first random number from the business server, it is signed so that the business server can verify it and determine the secure identity of the electronic device. The login name of the target object is then obtained from the verification server. This method can ensure the security of data processing during single sign-on.

[0081] Based on the same concept, embodiments of this application provide a single sign-on device which, as shown in Figure 7, includes a receiving unit 71, a verification unit 72, a query unit 73, and a sending unit 74.

[0082] The receiving unit 71 is used to receive a page data access request corresponding to a first browser plugin from a browser of an electronic device; the first browser plugin is one of multiple browser plugins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plugin; the first random number is generated by a business server; the signature of the first random number is determined by signing with the private key of the business server; the verification unit 72 is used to verify the signature of the first random number in the page access request using the public key of the business server; the query unit 73 is used to obtain the login name of the target object from the verification server and query business data based on the login name of the target object if the verification is successful; and the sending unit 74 is used to send business data to the browser.

[0083] In one alternative approach, the single sign-on device further includes a processing unit that generates a business request signature based on the identifier of the business server, the token of the business server, and a third random number; the business server sends the business request signature, the encrypted identifier of the first browser plugin, the identifier of the business server, and the third random number to the verification server for signature verification; if the signature verification is successful, the device receives the login name of the target object queried by the verification server based on the identifier of the first browser plugin.

[0084] In this method, after the verification server verifies the signature of the business server, it queries the login name of the target object and sends it back to the business server. Based on the login name of the target object, the business server retrieves relevant business data. After the business server verifies the identity of the electronic device, the verification server verifies the identity of the business server. Only after both verifications are successful can the business data of the target object be queried. This method can ensure the security of single sign-on, and the identity verification operation is not entirely performed on the business server side, which can reduce the data processing pressure on the business server and improve data processing efficiency.

[0085] Having introduced the single sign-on method and apparatus in the exemplary embodiments of this application, we will now introduce a computing device in another exemplary embodiment of this application.

[0086] Those skilled in the art will understand that various aspects of this application can be implemented as a system, method, or program product. Therefore, various aspects of this application can be specifically implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software implementations, collectively referred to herein as a "circuit," "module," or "system."

[0087] In some possible implementations, the computing device according to this application may include at least one processor and at least one memory. The memory stores a computer program that, when executed by the processor, causes the processor to perform the steps of the single sign-on method according to the various exemplary embodiments of this application described above. For example, the processor may perform steps 301-305 shown in Figure 3.

[0088] A computing device 130 according to this embodiment of the present application is described below with reference to Figure 8. The computing device 130 shown in Figure 8 is merely an example and should not be construed as limiting the functionality and scope of the embodiments of this application. As shown in Figure 8, the computing device 130 takes the form of a general-purpose smart terminal. The components of the computing device 130 may include, but are not limited to: at least one processor 131, at least one memory 132, and a bus 133 connecting the different system components (including the memory 132 and the processor 131).

[0089] Bus 133 represents one or more of several bus architectures, including a memory bus or memory controller, peripheral bus, processor, or local bus using any of the various bus architectures. Memory 132 may include readable media in the form of volatile memory, such as random access memory (RAM) 1321 and / or cache memory 1322, and may further include read-only memory (ROM) 1323. Memory 132 may also include a program / utility 1325 having a set (at least one) of program modules 1324, including but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of these examples may include an implementation of a network environment.

[0090] The computing device 130 can also communicate with one or more external devices 134 (e.g., keyboard, pointing device, etc.), and / or with any device that enables the computing device 130 to communicate with one or more other smart terminals (e.g., router, modem, etc.). This communication can be performed via input / output (I / O) interface 135. Furthermore, the computing device 130 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 136. As shown, network adapter 136 communicates with other modules used in the computing device 130 via bus 133. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with the computing device 130, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.

[0091] In some possible implementations, various aspects of the single sign-on method provided in this application can also be implemented in the form of a program product, which includes a computer program. When the program product is run on a computer device, the computer program causes the computer device to perform the steps of the single sign-on method according to the various exemplary embodiments of this application described above. For example, the processor may perform steps 301-305 shown in Figure 3.

[0092] The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of readable storage media include: electrical connections having one or more wires, portable disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0093] The program product for single sign-on according to the embodiments of this application may employ a portable compact disc read-only memory (CD-ROM), include a computer program, and run on a smart terminal. However, the program product of this application is not limited to this. In this document, a readable storage medium may be any tangible medium that contains or stores a program that may be used by or in conjunction with an instruction execution system, apparatus, or device.

[0094] A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying a readable computer program. Such propagated data signals may take various forms, including—but not limited to—electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transmitting a program for use by or in conjunction with an instruction execution system, apparatus, or device.

[0095] It should be noted that although several units or sub-units of the device have been mentioned in the detailed description above, this division is merely exemplary and not mandatory. In fact, according to embodiments of this application, the features and functions of two or more units described above can be embodied in one unit. Conversely, the features and functions of one unit described above can be further divided and embodied by multiple units.

[0096] Furthermore, although the operations of the method of this application are described in a specific order in the accompanying drawings, this does not require or imply that these operations must be performed in that specific order, or that all the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and / or one step may be broken down into multiple steps.

[0097] This application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0098] These computer program instructions may also be stored in a computer-readable storage medium capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0099] These computer program instructions can also be loaded onto a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0100] Although preferred embodiments of this application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of this application.

[0101] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A single sign-on method, characterized in that it is applied to an electronic device equipped with a browser, the browser being equipped with multiple browser plugins, and comprises: the electronic device determines the page data access request corresponding to a first browser plugin based on the access request of the target object detected by the browser; the first browser plugin is one of the plurality of browser plugins; the page data access request carries the signature of a first random number and the encrypted identifier of the first browser plugin; the first random number is generated by the business server; the signature of the first random number is determined by signing with the private key of the business server; the electronic device sends the page data access request to the business server, so that after the business server verifies the page data access request, it obtains the login name of the target object from the verification server and queries business data based on the login name of the target object; the electronic device receives the business data fed back by the business server; the electronic device requests the login name of the target object and the address of the electronic device from the Active Directory (AD) domain service based on the first browser plugin; the electronic device receives the response information from the AD domain service, which includes the login name of the target object and the address of the electronic device;
the electronic device determines the identifier of the first browser plugin and the second random number based on the address of the electronic device and the current timestamp; the electronic device sends, based on the first browser plugin, the encrypted login name of the target object, the encrypted identifier of the first browser plugin, and the second random number to the verification server for signature processing, and determines the signature of the second random number; the verification server decrypts and stores the login name of the target object and the identifier of the first browser plugin; the electronic device verifies the signature of the second random number based on the first browser plugin; the verification server stores the private key of the first browser plugin and the private key of the business server; and before the electronic device determines the page data access request corresponding to the first browser plugin based on the detected access request of the target object, the method further comprises: if the electronic device detects an access request of the target object, it sends a page request to the business server; the electronic device receives response information from the business server regarding the page request, the response information including the first random number, the identifier of the business server, and the page corresponding to the first browser plugin.

2. The method according to claim 1, characterized in that it further comprises: after the electronic device loads the page corresponding to the first browser plugin in the browser, it encrypts the first random number and the identifier of the business server through the first browser plugin to obtain the encrypted first random number and the encrypted identifier of the business server; and the electronic device performs signature processing on the encrypted first random number and the encrypted identifier of the business server based on the first browser plugin to determine the signature of the first random number.

3. A single sign-on method, characterized in that it is applied to a business server and comprises: the business server receives a page data access request corresponding to a first browser plugin from a browser of an electronic device; the first browser plugin is one of a plurality of browser plugins; the page data access request carries a signature of a first random number and an encrypted identifier of the first browser plugin; the first random number is generated by the business server; the signature of the first random number is determined by signing with the private key of the business server; the business server uses its public key to verify the signature of the first random number in the page data access request; if the verification is successful, the business server obtains the login name of the target object from the verification server and queries business data based on the login name of the target object; the business server sends the business data to the browser; before the business server obtains the login name of the target object from the verification server, the method further comprises: the business server generates a business request signature based on the business server's identifier, the business server's token, and a third random number; the business server sends the business request signature, the encrypted identifier of the first browser plugin, the identifier of the business server, and the third random number to the verification server for signature verification; and the business server obtaining the login name of the target object from the verification server comprises: if the signature verification is successful, receiving the login name of the target object, which the verification server queries based on the identifier of the first browser plugin.

4. A single sign-on device, characterized in that it comprises: a determining unit, used to determine the page data access request corresponding to a first browser plugin based on the access request of the target object detected by the browser, the first browser plugin being one of a plurality of browser plugins, the page data access request carrying a signature of a first random number and an encrypted identifier of the first browser plugin, the first random number being generated by the business server, and the signature of the first random number being determined by signing with the private key of the business server; a sending unit, used to send the page data access request to the business server, so that after the business server successfully verifies the page data access request, it obtains the login name of the target object from the verification server and queries business data based on the login name of the target object; a receiving unit, configured to receive the business data fed back by the business server; and a processing unit, configured to request the login name of the target object and the address of the electronic device from the Active Directory domain service based on the first browser plugin; the processing unit is further configured to determine the identifier of the first browser plugin and the second random number based on the address of the electronic device and the current timestamp of the first browser plugin, and to send, based on the first browser plugin, the encrypted login name of the target object, the encrypted identifier of the first browser plugin, and the second random number to the verification server for signature processing, and to determine the signature of the second random number;
the verification server decrypts and stores the login name of the target object and the identifier of the first browser plugin; the processing unit verifies the signature of the second random number based on the first browser plugin; the verification server stores the private key of the first browser plugin and the private key of the business server; and the processing unit is further configured to send a page request to the business server upon detecting an access request of the target object.

5. A single sign-on device, characterized in that it comprises: a receiving unit, used to receive a page data access request corresponding to a first browser plugin from the browser of an electronic device, the first browser plugin being one of a plurality of browser plugins, the page data access request carrying a signature of a first random number and an encrypted identifier of the first browser plugin, the first random number being generated by the business server, and the signature of the first random number being determined by signing with the private key of the business server; a verification unit, used to verify the signature of the first random number in the page data access request using the public key of the business server; a query unit, used to obtain the login name of the target object from the verification server after the verification is successful and to query business data based on the login name of the target object; a sending unit, configured to send the business data to the browser; and a processing unit, which generates a business request signature based on the business server's identifier, the business server's token, and a third random number; the business server sends the business request signature, the encrypted identifier of the first browser plugin, the identifier of the business server, and the third random number to the verification server for signature verification; and if the signature verification is successful, the login name of the target object, which the verification server queries based on the identifier of the first browser plugin, is received.

6. A computing device, characterized in that it comprises a memory and a processor; the memory is used to store program instructions; and the processor is configured to invoke the program instructions stored in the memory and execute the method of any one of claims 1-2 or 3 according to the obtained program.

7. A computer storage medium storing computer-executable instructions, characterized in that the computer-executable instructions are used to perform the method of any one of claims 1-2 or 3.