A financial system single sign-on method, device, system and storage medium
By using the PAS system to verify clients and issue global invoice information, the cumbersome login process and security risks associated with multi-system account systems in financial institutions have been resolved. This has enabled cross-system single sign-on, improving user experience and security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- PING AN BANK CO LTD
- Filing Date
- 2023-06-05
- Publication Date
- 2026-07-03
AI Technical Summary
Financial institutions' multi-system account system requires users to remember multiple usernames and passwords, making the login process cumbersome and posing security risks. Furthermore, different top-level domains cannot achieve one-stop single sign-on.
The PAS system verifies the client and issues global bill information. After logging into the first target financial system, the client saves the global bill to a cookie for subsequent logins to related financial systems.
It enables users to achieve one-stop single sign-on across different top-level domains, improving user experience, reducing login operations, and enhancing security and ease of system management.
Smart Images

Figure CN116827608B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of financial technology, and more specifically, to a method, apparatus, system, and storage medium for single sign-on in a financial system. Background Technology
[0002] As a vital component of the financial industry, financial institutions typically possess numerous systems and applications to support their business operations. These systems and applications may involve a wide variety of functions, such as account management, payment processing, investment trading, and more. Therefore, financial institutions require an efficient and secure way to manage these systems and allow users to access them without cumbersome login processes.
[0003] However, in existing technologies, financial institutions possess a large and diverse number of systems—such as office systems, transaction systems, human resources systems, and administrative systems—and due to the lack of unified planning and design, each system has its own account system, requiring users to log in separately on each system. This causes numerous inconveniences for users, including remembering multiple usernames and passwords, spending time logging in multiple times, and encountering unexpected problems when switching between different platforms. The large and complex account system presents significant management challenges and security risks. To address these issues, a single sign-on (SSO) mechanism is introduced to solve the management problems of multi-system account systems.
[0004] Because different top-level domains cannot share cookies, single sign-on cannot be solved by sharing cookies. Therefore, the inability to establish a unified single sign-on across different top-level domains causes significant inconvenience for system logins in financial institutions. Summary of the Invention
[0005] In view of this, and to address the aforementioned technical problems, the present invention provides a single sign-on method for financial systems applied in the field of fintech or fintech-related technical fields, comprising:
[0006] When a client logs into the first target financial system, the first target financial system redirects to the PAS system and returns global bill information based on the login information submitted by the client.
[0007] After the client is redirected to the first target financial system and verifies login, the first target financial system saves the global bill information to a cookie;
[0008] When the client accesses a second target financial system that is outside the first target financial system but associated with it, the second target financial system completes the login based on the global bill information.
[0009] Preferably, when the client logs into the first target financial system, the first target financial system redirects to the PAS system and returns global bill information based on the login information submitted by the client, including:
[0010] When the client accesses the first target financial system, the first target financial system confirms the client's access and login status;
[0011] If the client's access login status is initial access and not logged in, the first target financial system verifies the client through the PAS system and returns global bill information.
[0012] Preferably, the first target financial system verifies the client through the PAS system and returns global bill information, including:
[0013] The first target financial system redirects to the PAS system with a bounce address;
[0014] The PAS system confirms the client's access and login status;
[0015] If the client's access login status is initial access and not logged in, then the client's username and password are obtained and verified through the PAS system's login platform;
[0016] After successful verification, the PAS system returns global ticket information based on the client's access and login status.
[0017] Preferably, after successful verification, the PAS system returns global ticket information based on the client's access and login status, including:
[0018] After the client's authentication is successful, the PAS system saves the current user session to Redis;
[0019] The PAS system creates global ticket information and first temporary ticket information, and returns the global ticket information and the first temporary ticket information to the client.
[0020] Preferably, after the client redirects to the first target financial system and verifies login, the first target financial system saves the global bill information to a cookie, including:
[0021] After the client receives the global ticket information and the first temporary ticket information, the PAS system verifies the first temporary ticket information of the client.
[0022] If the temporary bill is verified, the PAS system deletes the temporary bill information and returns to the bounce address corresponding to the first target financial system;
[0023] The first target financial system stores the client's current session and the global bill information in cookies.
[0024] Preferably, when the client accesses a second target financial system that is outside the first target financial system but associated with it, the second target financial system completing the login based on the global bill information includes:
[0025] The second target financial system confirms the client's access and login status;
[0026] If the client's access login status is initial access and not logged in, then the client accesses the PAS system carrying the current bounce address and the global ticket information;
[0027] The PAS system returns second temporary ticket information based on the global ticket information;
[0028] The client logs into the second target financial system based on the second temporary bill information.
[0029] Preferably, the client logs into the second target financial system based on the second temporary bill information, including:
[0030] The PAS system verifies the second temporary ticket information;
[0031] If the verification is successful, the PAS system deletes the second temporary bill information, and the client, carrying the current user session and the global bill information, is redirected to the jumpback address of the second target financial system.
[0032] The second target financial system saves the client's global bill information and the current user session to a cookie.
[0033] Furthermore, to address the aforementioned problems, the present invention also provides a single sign-on device for a financial system, comprising:
[0034] The bill module is used so that when a client logs into the first target financial system, the first target financial system will redirect to the PAS system and return global bill information based on the login information submitted by the client.
[0035] A storage module is used so that after the client is redirected to the first target financial system and verifies login, the first target financial system saves the global bill information to a cookie.
[0036] The login module is used to enable the second target financial system to complete the login based on the global bill information when the client accesses a second target financial system that is related to the first target financial system.
[0037] In addition, to solve the above problems, the present invention also provides a financial system single sign-on system, including a memory and a processor. The memory stores a financial system single sign-on program, and the processor runs the financial system single sign-on program to enable the financial system single sign-on system to perform the financial system single sign-on method as described above.
[0038] In addition, to solve the above problems, the present invention also provides a computer-readable storage medium storing a financial system single sign-on program, which, when executed by a processor, implements the financial system single sign-on method as described above.
[0039] This invention provides a method, apparatus, system, and storage medium for single sign-on (SSO) in a financial system. The method includes: when a client logs into a first target financial system, the first target financial system redirects to a PAS system and returns global ticket information based on the login information submitted by the client; after the client is redirected to the first target financial system and verifies login, the first target financial system saves the global ticket information to a cookie; when the client accesses a second target financial system that is related to the first target financial system, the second target financial system completes login based on the global ticket information. This invention creates a unified authentication service system based on the SSO method for financial systems. By using the PAS system to verify the client and issue corresponding global ticket information when the client first accesses the system, and then directly verifying and completing cross-system SSO through this global ticket information when logging into a financial system under an associated top-level domain, it achieves one-stop SSO for users across different top-level domains, providing convenience for system login in financial institutions. Attached Figure Description
[0040] Figure 1 This is a schematic diagram of the hardware operating environment involved in an embodiment of the single sign-on method for a financial system according to the present invention;
[0041] Figure 2 This is a flowchart illustrating the first embodiment of the single sign-on method for a financial system according to the present invention.
[0042] Figure 3 This is a detailed flowchart of step S100 in the second embodiment of the single sign-on method for a financial system of the present invention.
[0043] Figure 4This is a detailed flowchart of step S120 in the second embodiment of the single sign-on method for a financial system of the present invention.
[0044] Figure 5 This is a detailed flowchart of step S124 in the second embodiment of the single sign-on method for a financial system of the present invention.
[0045] Figure 6 This is a detailed flowchart of step S200 in the second embodiment of the single sign-on method for financial systems of the present invention;
[0046] Figure 7 This is a detailed flowchart of step S300 in the third embodiment of the single sign-on method for a financial system of the present invention.
[0047] Figure 8 This is a schematic diagram illustrating the process of logging into two financial systems sequentially, as exemplified in the third embodiment of the single sign-on method for financial systems of the present invention.
[0048] Figure 9 This is a detailed flowchart of step S340 in the third embodiment of the single sign-on method for financial systems of the present invention;
[0049] Figure 10 This is a schematic diagram of the module connections of the single sign-on device for the financial system of the present invention.
[0050] The realization of the objective, functional features and advantages of the present invention will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation
[0051] The embodiments of the present invention are described in detail below, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout.
[0052] Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of this invention, "a plurality of" means two or more, unless otherwise explicitly specified.
[0053] In this invention, unless otherwise explicitly specified and limited, the terms "installation," "connection," "linking," and "fixing," etc., should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral part; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; they can refer to the internal communication of two components or the interaction between two components. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.
[0054] It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
[0055] like Figure 1 The diagram shown is a structural schematic of the hardware operating environment of the terminal involved in an embodiment of the present invention.
[0056] The single sign-on system for financial systems according to embodiments of the present invention can be a PC, or a mobile terminal device such as a smartphone, tablet, or laptop. This single sign-on system may include: a processor 1001, such as a CPU; a network interface 1004; a user interface 1003; a memory 1005; and a communication bus 1002. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen, an input unit such as a keyboard, or a remote control; optionally, the user interface 1003 may also include a standard wired interface or a wireless interface. The network interface 1004 may optionally include a standard wired interface or a wireless interface (such as a Wi-Fi interface). The memory 1005 may be a high-speed RAM memory or a stable memory, such as a disk storage device. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001. Optionally, the single sign-on system may also include RF (Radio Frequency) circuitry, audio circuitry, a Wi-Fi module, etc. In addition, the single sign-on system of this financial system can also be configured with other sensors such as gyroscopes, barometers, hygrometers, thermometers, and infrared sensors, which will not be elaborated here.
[0057] Those skilled in the art will understand that Figure 1 The single sign-on system for financial systems shown is not intended to limit it and may include more or fewer components than illustrated, or combine certain components, or have different component arrangements. For example... Figure 1 As shown, the memory 1005, which is a computer-readable storage medium, may include an operating system, a data interface control program, a network connection program, and a financial system single sign-on program.
[0058] In summary, this invention creates a unified authentication service system based on the single sign-on method for financial systems. When a client first accesses the system, the PAS system verifies the client and issues corresponding global ticket information. When logging into the financial system under the associated top-level domain, the global ticket information is used for direct verification and cross-system single sign-on is completed. This enables users to achieve one-stop single sign-on across different top-level domains, providing convenience for system login in financial institutions.
[0059] Example 1:
[0060] Reference Figure 2 This embodiment provides a single sign-on method for a financial system, including:
[0061] In step S100, when the client logs into the first target financial system, the first target financial system redirects to the PAS system and returns global bill information based on the login information submitted by the client.
[0062] It should be noted that Single Sign-On (SSO) is an authentication method that allows users to authenticate in one system and then avoid authenticating again in other related systems. In other words, users only need to log in once to access different resources across multiple applications or websites using the same set of credentials (username and password, etc.). This method improves user experience, reduces issues such as forgotten passwords, and also enhances security by preventing users from using the same password in every system. This embodiment provides a single sign-on method for a financial system to facilitate single sign-on for users across multiple platforms and systems within a financial institution.
[0063] The aforementioned PAS system, short for Privileged Access Management System, is a technical solution for enterprise internal network security management. This system provides a high level of security by implementing precise access control and permission management for sensitive data and critical equipment, effectively preventing internal and external security threats.
[0064] A PAS (Password Support System) includes functions such as password management, access control, and audit logs. It is primarily used within enterprises for accounts or user groups requiring special protection, such as administrators and system engineers with higher privileges. By adopting a PAS system, enterprises can implement more granular and precise access control and monitoring of these accounts or users, thereby reducing the risk of malicious attacks and data breaches.
[0065] The login information mentioned above may include the username, ID, and corresponding login password provided by the user.
[0066] The aforementioned global ticket information refers to the ticket used by the client to enable single sign-on across multiple platforms and systems within a financial institution; this is known as the global ticket. Through the global ticket, different systems only need to verify the ticket provided by the client to achieve single sign-on.
[0067] In step S200, after the client is redirected to the first target financial system and verifies login, the first target financial system saves the global bill information to a cookie;
[0068] As described above, after obtaining the global bill information, the client is redirected back to the first target financial system. After verification and login, the first financial system saves the global bill information in a cookie.
[0069] The aforementioned global ticket information allows tickets with a valid duration to be valid for a specific time period, saving system resources and improving security.
[0070] In step S300, when the client accesses a second target financial system that is outside the first target financial system but associated with it, the second target financial system completes the login based on the global bill information.
[0071] The second target financial system and the first target financial system are different top-level domains, but belong to the same financial institution or are related.
[0072] When a user logs into a second target financial system that is distinct from the first target financial system, single sign-on can be completed based on global bill information, without requiring the user to re-login with their data.
[0073] This embodiment creates a unified authentication service system based on the single sign-on method of financial systems. When a client first accesses the system, the PAS system verifies the client and issues corresponding global ticket information. When logging into the financial system under the associated top-level domain, the global ticket information is used for direct verification and cross-system single sign-on is completed. This realizes one-stop single sign-on for users across different top-level domains and provides convenience for system login in financial institutions.
[0074] Example 2:
[0075] Reference Figure 3 The second embodiment of the present invention provides a single sign-on method for a financial system, based on the above embodiment 1. In step S100, when a client logs into a first target financial system, the first target financial system redirects to the PAS system and returns global bill information based on the login information submitted by the client, including:
[0076] Step S110: When the client accesses the first target financial system, the first target financial system confirms the client's access and login status.
[0077] As mentioned above, when a client accesses the first target financial system, it must first confirm whether the client is logging in for the first time. If it is, the following process will be followed. If it is not, the first target financial system may already contain the client's global ticket, so there is no need for repeated authentication. After verifying the validity of the global ticket, the login can be completed.
[0078] Step S120: If the client's access login status is initial access and not logged in, the first target financial system verifies the client through the PAS system and returns global bill information.
[0079] As mentioned above, if the access login status is initial access, i.e. first login, then the first target financial system does not contain global bills, and it is necessary to redirect to the PAS system for further verification and issuance of related bills.
[0080] As mentioned above, when confirming login status, since the client is accessing the bank's business system (the primary target financial system) for the first time, this system needs to verify whether the current user is logged in. Because it's the first visit, the customer is not logged in. Therefore, the system needs to redirect the client to the PAS system for further verification.
[0081] Further reference Figure 4 In step S120, the first target financial system verifies the client through the PAS system and returns global bill information, including:
[0082] Step S121: The first target financial system redirects to the PAS system with a bounce address;
[0083] The above refers to the return URL, which can be, for example, the URL of a target business system of a bank that needs to be accessed.
[0084] Step S122: The PAS system confirms the client's access and login status;
[0085] Step S123: If the client's access login status is initial access and not logged in, then obtain the client's username and password through the PAS system's login platform and verify them;
[0086] As described above, the PAS system verifies whether the current user (client) is logged in. Since this is the first visit, the verification result is that the user is not logged in, which means it is a first visit and the user is not logged in.
[0087] Step S124: After successful verification, the PAS system returns global ticket information based on the client's access login status.
[0088] As described above, after successful verification, the user is redirected to the PAS login system. The user enters their username and password on the client to log in. The PAS system verifies the username and password, and if the verification is successful, the login is complete.
[0089] Further reference Figure 5In step S124, after successful verification, the PAS system returns global ticket information based on the client's access and login status, including:
[0090] Step S1241: After the client's verification is successful, the PAS system saves the current user session to Redis;
[0091] In step S1242, the PAS system creates global ticket information and first temporary ticket information, and returns the global ticket information and the first temporary ticket information to the client.
[0092] As described above, the PAS system will save the current user session to Redis, create a global ticket (with a validity period) and issue it to the current user, and at the same time, the PAS system will create a temporary ticket (with a validity period) and issue it to the current user.
[0093] The method described above enables single sign-on functionality for financial systems (banking systems). Specifically, through a centralized identity authentication mechanism, it provides users with a seamless and convenient login experience across multiple systems. This means that users only need to log in once to access all applications and financial systems under the top-level domains associated with that system.
[0094] Further reference Figure 6 In step S200, after the client is redirected to the first target financial system and verifies login, the first target financial system saves the global bill information to a cookie, including:
[0095] Step S210: After the client receives the global ticket information and the first temporary ticket information, the PAS system verifies the first temporary ticket information of the client.
[0096] Step S220: If the temporary bill is verified, the PAS system deletes the temporary bill information and returns to the bounce address corresponding to the first target financial system;
[0097] In step S230, the first target financial system saves the client's current session and the global bill information as cookies.
[0098] Temporary bill information is used by the client to log in to the first target financial system. It can be deleted after successful verification.
[0099] As mentioned above, global ticket information is stored in cookies.
[0100] Therefore, the above method can be specifically described as follows:
[0101] The client carries a temporary ticket and redirects to the returnUrl; it then verifies the temporary ticket's validity with the PAS system. If a verification error occurs (e.g., timeout), a "ticket error" message is displayed, and the user is redirected to the PAS system login page. If the temporary ticket verification is successful, it is deleted, carrying the user session and ticket, and the user is redirected to the returnUrl address again (the first target financial system). The first target financial system stores the current user session and ticket in a cookie (with a valid duration). When the user accesses the current system again within the cookie's validity period, they do not need to log in again (i.e., the second step of login verification); the user successfully logs into a bank's business system.
[0102] In this embodiment, the core idea of implementing single sign-on is as follows: when a user is using a bank's business system and is not yet logged in, the system will redirect the user to the PAS system (also known as the authentication service system) and require the user to log in. If the user is already logged in to another system, the PAS system will return a global ticket and a temporary ticket to the user. The client will then carry these tickets back to the bank's business system and use the temporary ticket to complete the login.
[0103] The implementation mechanism in this embodiment has the following advantages:
[0104] (1) Convenient and fast: Users only need to log in once to access all applications related to the system, avoiding frequent login operations and improving the user experience.
[0105] (2) Security and stability: Since identity authentication is managed uniformly by the PAS system, it can effectively control users' secure access. At the same time, this mechanism can also ensure data security and stability by reasonably setting parameters such as the effective duration.
[0106] (3) Scalability: Due to the adoption of a centralized identity authentication mechanism, it can be easily extended to more systems and applications without affecting existing systems. This provides excellent support for enterprise-level applications.
[0107] In summary, single sign-on financial systems (banking business systems) achieve seamless integration across systems and platforms by uniformly managing user identity and permission information, improving user experience and data security, and have great application value and promotion prospects.
[0108] Example 3:
[0109] Reference Figure 7The third embodiment of the present invention provides a single sign-on method for a financial system. Based on the above embodiment 1, step S300, when the client accesses a second target financial system that is related to the first target financial system, the second target financial system completes the login based on the global bill information, including:
[0110] Step S310: The second target financial system confirms the client's access and login status;
[0111] Step S320: If the client's access login status is initial access and not logged in, then the client accesses the PAS system carrying the current bounce address and the global ticket information;
[0112] Step S330: The PAS system returns second temporary ticket information based on the global ticket information;
[0113] In step S340, the client logs into the second target financial system based on the second temporary bill information.
[0114] The second target financial system, as described above, is a financial system distinct from the first target financial system. Both can be systems with top-level domain names. For example, the first target financial system is Bank A, with the top-level domain name www.bank.com; the second target financial system is Insurance B, with the top-level domain name www.insure.com; both systems have top-level domain names and belong to branches of financial institution C.
[0115] After logging into the first target financial system, when logging into the second target financial system, the user must first verify their access and login status through the second target financial system. After verifying their status, further authorization is granted through the PAS system.
[0116] Based on the global bill information it obtains within the validity period, the PAS system can return a second temporary bill information to the client user, who can then log in to the second target financial system using this temporary bill.
[0117] The main purpose of the above steps and methods is to achieve cross-system single sign-on (SSO) and authorization, so that users can access a second target financial system without having to re-enter their authentication credentials after logging into the first target financial system. This not only improves the user experience but also reduces the cumbersome operations caused by users having to frequently log into multiple systems.
[0118] Specifically, when a user attempts to access the secondary target financial system, the system checks their login status. If the user has not logged into the system before, or is currently not logged in, the system will require the client to access the PAS system with a bounce address and global bill information to obtain secondary temporary bill information. This temporary bill information serves as authorization credentials between the client and the secondary target financial system, used to complete login and access.
[0119] The advantages of this method include:
[0120] (1) Improved user experience: By enabling single sign-on and authorization across systems, users can more easily access and manage multiple systems without having to repeatedly enter authentication credentials.
[0121] (2) Enhanced security: Since the PAS system is responsible for issuing and managing global and temporary ticket information, it can achieve unified management and monitoring of user authentication and authorization, thereby enhancing the security and controllability of the system.
[0122] (3) Reduced system integration and development costs: By using existing authentication and authorization infrastructure, the workload and cost of system integration and development can be reduced, development efficiency can be improved and development risks can be reduced.
[0123] For example, see attached document. Figure 8 When a user is already logged into Bank A's system (www.bank.com) and wants to access Insurance B's system (www.insure.com), this method can achieve the following:
[0124] (1) The user attempts to open the B insurance system link www.insure.com in the browser;
[0125] (2) Insurance system B checks the user's access and login status and finds that the user is not logged in;
[0126] (3) Insurance system B redirects the client to PAS system, carrying the bounce address and global ticket information;
[0127] (4) The PAS system verifies the user's identity based on the global ticket information and issues a second temporary ticket;
[0128] (5) The client returns the second temporary ticket information to Insurance B and completes login and access.
[0129] In this process, users only need to log in to Bank A's system once and obtain global bill information to access other financial systems, eliminating the need to repeatedly enter usernames and passwords, thus improving the user experience. Simultaneously, the PAS system, as an independent authentication and authorization infrastructure, allows for unified management and monitoring of users, thereby enhancing system security and controllability.
[0130] Further reference Figure 9 In step S340, the client logs into the second target financial system based on the second temporary bill information, including:
[0131] Step S341: The PAS system verifies the second temporary ticket information;
[0132] Step S342: If the verification is successful, the PAS system deletes the second temporary bill information, and the client, carrying the current user session and the global bill information, jumps to the jumpback address of the second target financial system.
[0133] Step S343: The second target financial system saves the global bill information and the current user session of the client to a cookie.
[0134] The steps S341-S343 described above further refine the single sign-on and authorization process. Their main purpose is to verify the second temporary ticket information to ensure user identity security and to achieve single sign-on upon successful verification. Specifically, the functions of these steps are as follows:
[0135] First, the PAS system verifies the second temporary ticket information: when the client returns the second temporary ticket information to the PAS system, the PAS system will verify whether the ticket is correct, whether it has expired, and other information.
[0136] If the verification is successful, the PAS system will delete the second temporary ticket information: In order to ensure security and avoid reuse, the PAS system will delete the second temporary ticket information that has been successfully verified.
[0137] The client carries the current user session and global bill information to the jumpback address of the second target financial system: By carrying the current user session and global bill information, the client can directly jump to the jumpback address of the second target financial system to complete single sign-on.
[0138] The second target financial system stores user sessions and global bill information in cookies: by storing user sessions and global bill information in cookies, users can access the system without logging in again within the validity period.
[0139] The main advantages of these steps include:
[0140] (1) Improved user experience: By implementing single sign-on and authorization, users do not need to repeatedly enter authentication credentials, making it easier to access and manage multiple systems, thus improving the user experience.
[0141] (2) Enhanced security: By verifying and deleting the second temporary ticket information, the security of user identity can be guaranteed. At the same time, by saving user sessions and global ticket information to cookies, the security and controllability of the system can also be enhanced.
[0142] (3) Reduced system development costs: By using existing authentication and authorization infrastructure, the workload and cost of system integration and development can be reduced, development efficiency can be improved and development risks can be reduced.
[0143] For example, once the second target financial system successfully verifies the second temporary bill information, the PAS system saves the current user session and global bill information to a cookie. When the user accesses the system again, the system checks the cookie for a valid user session and global bill information, thus enabling access without re-entering authentication credentials. This not only improves the user experience but also reduces system maintenance and development costs.
[0144] In addition, refer to Figure 10 This embodiment also provides a single sign-on device for a financial system, including:
[0145] The bill module 10 is used to redirect the first target financial system to the PAS system and return global bill information based on the login information submitted by the client when the client logs in to the first target financial system.
[0146] The storage module 20 is used so that after the client is redirected to the first target financial system and verifies login, the first target financial system saves the global bill information to a cookie.
[0147] The login module 30 is used to enable the second target financial system to complete the login based on the global bill information when the client accesses a second target financial system that is related to the first target financial system.
[0148] Furthermore, this embodiment also provides a financial system single sign-on system, including a memory and a processor. The memory stores a financial system single sign-on program, and the processor runs the financial system single sign-on program to enable the financial system single sign-on system to perform the financial system single sign-on method as described above.
[0149] In addition, this embodiment also provides a computer-readable storage medium storing a financial system single sign-on program, which, when executed by a processor, implements the financial system single sign-on method as described above.
[0150] In summary, this invention creates a unified authentication service system based on the single sign-on method for financial systems. When a client first accesses the system, the PAS system verifies the client and issues corresponding global ticket information. When logging into the financial system under the associated top-level domain, the global ticket information is used for direct verification and cross-system single sign-on is completed. This enables users to achieve one-stop single sign-on across different top-level domains, providing convenience for system login in financial institutions.
[0151] The sequence numbers of the above embodiments of the present invention are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.
[0152] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) as described above, and includes several instructions to cause a terminal device (which may be a mobile phone, computer, server, or network device, etc.) to execute the methods described in the various embodiments of the present invention. The above are only preferred embodiments of the present invention and do not limit the patent scope of the present invention. Any equivalent structural or procedural transformations made based on the content of the present invention specification and drawings, or direct or indirect applications in other related technical fields, are similarly included within the patent protection scope of the present invention.
Claims
1. A method for single sign-on in a financial system, characterized by, include: When a client logs into the first target financial system, the first target financial system redirects to the PAS system and returns global bill information based on the login information submitted by the client. The PAS system creates global ticket information and first temporary ticket information, and returns the global ticket information and the first temporary ticket information to the client; After the client is redirected to the first target financial system and verifies login, the first target financial system saves the global bill information to a cookie; specifically, after the client receives the global bill information and the first temporary bill information, the PAS system verifies the client's first temporary bill information; if the temporary bill verification is successful, the PAS system deletes the temporary bill information and returns to the corresponding redirect address of the first target financial system; the first target financial system saves the client's current session and the global bill information to a cookie. When the client accesses a second target financial system that is associated with but not the first target financial system, the second target financial system completes login based on the global bill information. Specifically, this includes: the second target financial system confirming the client's access and login status; if the client's access and login status is initial access and not logged in, the client accesses the PAS system carrying the current redirect address and the global bill information; the PAS system returns second temporary bill information based on the global bill information; the client completes login to the second target financial system based on the second temporary bill information; wherein, the client completing login to the second target financial system based on the second temporary bill information specifically includes: the PAS system verifying the second temporary bill information; if verification is successful, the PAS system deletes the second temporary bill information, and the client, carrying the current user session and the global bill information, redirects to the redirect address of the second target financial system; the second target financial system saves the client's global bill information and the current user session to a cookie.
2. The financial system single sign-on method of claim 1, wherein, When the client logs into the first target financial system, the first target financial system redirects to the PAS system and returns global bill information based on the login information submitted by the client, including: When the client accesses the first target financial system, the first target financial system confirms the client's access and login status; If the client's access login status is initial access and not logged in, the first target financial system verifies the client through the PAS system and returns global bill information.
3. The financial system single sign-on method of claim 2, wherein, The first target financial system verifies the client through the PAS system and returns global bill information, including: The first target financial system carries a bounce address and redirects to the PAS system; The PAS system confirms the client's access and login status; If the client's access login status is initial access and not logged in, then the client's username and password are obtained and verified through the PAS system's login platform; After successful verification, the PAS system returns global ticket information based on the client's access and login status.
4. The single sign-on method for a financial system as described in claim 3, characterized in that, After successful verification, the PAS system returns global ticket information based on the client's access and login status, including: After the client's authentication is successful, the PAS system saves the current user session to Redis; The PAS system creates global ticket information and first temporary ticket information, and returns the global ticket information and the first temporary ticket information to the client.
5. A financial system single sign-on apparatus, characterized by comprising: include: The bill module is used when a client logs into a first target financial system, the first target financial system redirects to the PAS system and returns global bill information based on the login information submitted by the client; the PAS system creates global bill information and first temporary bill information, and returns the global bill information and the first temporary bill information to the client; The storage module is used to store the global bill information in a cookie after the client is redirected to the first target financial system and verifies login. Specifically, after the client receives the global bill information and the first temporary bill information, the PAS system verifies the client's first temporary bill information. If the temporary bill verification is successful, the PAS system deletes the temporary bill information and returns to the corresponding redirect address of the first target financial system. The first target financial system stores the client's current session and the global bill information in a cookie. The login module is used to enable the second target financial system to complete login based on the global bill information when the client accesses a second target financial system that is associated with but not the first target financial system. Specifically, this includes: the second target financial system confirming the client's access login status; if the client's access login status is initial access and not logged in, the client accesses the PAS system carrying the current redirect address and the global bill information; the PAS system returns second temporary bill information based on the global bill information; the client completes login to the second target financial system based on the second temporary bill information; wherein, the client completing login to the second target financial system based on the second temporary bill information specifically includes: the PAS system verifying the second temporary bill information; if the verification is successful, the PAS system deletes the second temporary bill information, and the client, carrying the current user session and the global bill information, redirects to the redirect address of the second target financial system; the second target financial system saves the client's global bill information and the current user session to a cookie.
6. A financial system single sign-on system, characterized by, The system includes a memory and a processor. The memory stores a financial system single sign-on program, and the processor runs the financial system single sign-on program to enable the financial system single sign-on system to perform the financial system single sign-on method as described in any one of claims 1-4.
7. A computer readable storage medium characterized in that, The computer-readable storage medium stores a financial system single sign-on program, which, when executed by a processor, implements the financial system single sign-on method as described in any one of claims 1-4.