CN115695036A - Method and device for realizing tree topology authentication system group - Google Patents
- Publication number: CN115695036A (application number CN202211403760.8A)
- Authority: CN (China)
- Prior art keywords: authentication system, application, party, local, authentication
- Legal status: Pending (Google Patents note: the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Telephonic Communication Services (AREA)
Description
Technical field
The invention relates to the technical field of information systems, and in particular to a method and device for implementing a tree-topology authentication system group.
Background
As the complexity of information systems across industries keeps growing, business application software is, following the principle of high cohesion and low coupling, progressively split into multiple sub-application systems. Each of these must authenticate and authorize users, so a unified authentication service becomes an indispensable component. Once every sub-application has integrated the unified login authentication system, a user logs in once and can then access all systems without repeated logins, which gives a better user experience.
Unified authentication for today's application systems generally uses the Jasig CAS (Central Authentication Service) model of central single sign-on. Figure 2 shows the login process when a user accesses an application for the first time through central authentication; Figure 3 shows the process when a user who has already logged in to the authentication server accesses another application. The basic authentication process is:
1. The user accesses application server A. Since the user is not yet authorized, A redirects the user to the authentication server.
2. The authentication server finds that the user has not logged in and prompts for login. After a successful login it issues a TGT (Ticket Granting Ticket), the grant ticket showing that the user has been authenticated by the authentication service.
3. The authentication server knows that the user originally came from application server A, so it uses the user's TGT to issue an ST (Service Ticket) for A and returns it to the user.
4. With this ST the user accesses application server A again.
5. A sees that the user presents an ST and submits it to the authentication server for validation, that is, it asks the authentication server whether the ticket was issued for this very application service.
6. The authentication server returns the validation result to A; A places the user's session on its trusted list and provides subsequent application services to the user.
7. When the user then accesses another application system B, the user's session is not on B's trusted list, so B likewise redirects the user to the authentication server.
8. The authentication server finds that the user already holds a TGT, meaning the user has already logged in, and directly issues a new ST for application system B and returns it to the user. The user accesses B with that ST, and a second login is avoided.
From this flow it can be seen that once two application services are both connected to the CAS server, CAS lets the user log in once and obtain resources across applications. Because CAS keeps ticket authentication and issuance closed inwards, the outside only ever obtains a ServiceTicket bound to one specific application service, and an ST can be validated only once. A ticket it issues is therefore like a ticket for one particular cinema: as soon as it passes that cinema's check it becomes invalid. This is very safe and is the strength of its authentication model. However, in CAS central unified authentication the caching and issuance of tickets are concentrated on the authentication server; if that server's ticket cache node or authentication node fails, the authentication system suffers a "single point of failure". That is its weakness in terms of stability.
At the same time, precisely because CAS authentication is closed inwards, opening it up for cascaded login authentication is restricted. For example, a production environment may already contain another party's unified CAS authentication service; when our CAS service has to be integrated with it, the two CAS services facing the same browser each recognize only the TGT they issued themselves, and no "mutually honored TGT" can be formed. In many real deployments the other party's CAS was therefore forced to pass the username, password and similar information directly to our CAS so that a TGT recognized by our side could be formed, in order to give seamless access to applications under both CAS systems. Even though that transmission is encrypted, it still carries a security risk, since the user's password is then handled by two authentication systems instead of one, and the instability caused by a CAS single point of failure still interrupts business.
Summary of the invention
The invention provides a method and device for implementing a tree-topology authentication system group that overcomes the above problems.
The technical solution provided by the invention is as follows:
In one aspect, the invention provides a method for implementing a tree-topology authentication system group, comprising:
when the local authentication system receives an authentication access signal from an application, determining whether a third-party authentication system exists;
if a third-party authentication system exists, the local authentication system instructing the browser to redirect the application to the third-party authentication system;
after the application, via the browser, has provided login credentials to the third-party authentication system and the login has succeeded, the local authentication system obtaining the ST issued by the third party;
after the local authentication system has validated that ST with the third-party authentication system, generating a TGT of the local authentication system and binding it to the ST of the third-party authentication system;
the local authentication system issuing an application-side ST to the application on the basis of its own TGT;
after the application has obtained the application-side ST of the local authentication system, initiated validation with the local authentication system and succeeded, providing service to the browser.
In some embodiments, the method further includes: when the local authentication system acts as the central authentication system of the application, authenticating the application directly.
In some embodiments, the method further includes: when the local authentication system takes the third-party authentication system as its central authentication system, the local authentication system connecting to the third-party authentication system in the role of an application system.
In some embodiments, the method further includes: after the third-party authentication system has logged the application out of the authentication flow, the TGT of the local authentication system being logged out in sync with the third-party ST it is bound to.
In some embodiments, the method includes: when more than one authentication service exists, the local authentication system performing unidirectional authentication cascading.
In some embodiments, the invention also provides a device for implementing a tree-topology authentication system group, comprising a plurality of local authentication systems, each of which comprises:
a determination module, for determining whether a third-party authentication system exists when the local authentication system receives an authentication access signal from an application;
a redirection module, for having the local authentication system ask the browser for login credentials if no third-party authentication system exists, and otherwise redirecting the application to the third-party authentication system;
an acquisition module, for the local authentication system to obtain the ST issued by the third party after the application, via the browser, has provided login credentials to the third-party authentication system and the login has succeeded;
a binding module, for generating a TGT of the local authentication system and binding it to the ST of the third-party authentication system after the local authentication system has validated that ST with the third-party authentication system;
an issuing module, for the local authentication system to issue an application-side ST to the application on the basis of its own TGT;
a verification module, for providing service to the browser after the application has obtained the application-side ST of the local authentication system, initiated validation with the local authentication system and succeeded.
In some embodiments, the local authentication system is further configured to authenticate the application directly when it acts as the central authentication system of the application.
In some embodiments, the local authentication system is further configured, when it takes the third-party authentication system as its central authentication system, to connect to the third-party authentication system in the role of an application system.
In some embodiments, the local authentication system is further configured so that, after the third-party authentication system has logged the application out of the authentication flow, the TGT of the local authentication system is logged out in sync with the third-party ST it is bound to.
In some embodiments, the local authentication system is further configured to perform unidirectional authentication cascading when more than one authentication service exists.
The method and device for implementing a tree-topology authentication system group provided by the invention have at least one of the following beneficial effects:
After a node in an authentication network group goes offline, authentication can still be performed through the other nodes of the network, essentially eliminating the "single point" of failure in single sign-on: each node authenticates on its own, yet all nodes are interconnected.
The invention can securely integrate with third-party authentication systems and form a network with them.
The invention can implement a three-level (multi-level) chain of authentication systems such as "group headquarters authentication center - subsidiary/branch authentication center - departmental business authentication center", in which the systems trust one another yet each authorizes independently.
Description of the drawings
The invention is described in further detail below with reference to the drawings and specific embodiments:
Figure 1 is a schematic diagram of one embodiment of the method for implementing a tree-topology authentication system group of the invention;
Figure 2 is a schematic diagram of the login process when a user accesses an application for the first time through central CAS authentication;
Figure 3 is a schematic diagram of the process when a user who has already logged in to the authentication server accesses another application;
Figure 4 is a schematic diagram of the single authentication system scenario before the modification;
Figure 5 is a schematic diagram of the multi-authentication-system scenario after the modification, under the TAS framework of the invention;
Figure 6 is a schematic diagram of the login process when, after the modification of the invention, a user accesses an application under our authentication system for the first time.
Detailed description
In order to explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for their description are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without inventive effort.
To keep the drawings concise, each figure shows only the parts relevant to the invention, schematically; they do not represent the actual structure of a product. In addition, where several parts in a figure have the same structure or function, only one of them may be drawn or labelled. Herein "a" or "an" may mean "only one" as well as "more than one".
It should further be understood that the term "and/or" used in the description of this application and in the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes those combinations.
It should be noted that, unless expressly specified and limited otherwise, the terms "mounted", "connected" and "coupled" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct or indirect through an intermediary; or the internal communication of two elements. Those of ordinary skill in the art can understand the specific meaning of these terms in the invention according to the specific situation.
In addition, in the description of this application the terms "first", "second" and the like are used only to distinguish between descriptions and are not to be understood as indicating or implying relative importance.
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, specific embodiments of the invention are described below with reference to the drawings. Obviously, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can derive other drawings, and other embodiments, from them without inventive effort.
In one embodiment, as shown in Figure 1, the invention provides in one aspect a method for implementing a tree-topology authentication system group, comprising:
S101 when the local authentication system receives an authentication access signal from an application, determining whether a third-party authentication system exists;
S102 if a third-party authentication system exists, the local authentication system instructing the browser to redirect the application to the third-party authentication system;
S103 after the application, via the browser, has provided login credentials to the third-party authentication system and the login has succeeded, the local authentication system obtaining the ST issued by the third party;
S104 after the local authentication system has validated that ST with the third-party authentication system, generating a TGT of the local authentication system and binding it to the ST of the third-party authentication system;
S105 the local authentication system issuing an application-side ST to the application on the basis of its own TGT;
S106 after the application has obtained the application-side ST of the local authentication system, initiated validation with the local authentication system and succeeded, providing service to the browser.
Otherwise, if no third-party authentication system exists, the authentication system at this level asks the browser for login credentials and authenticates the user itself.
By way of example: in view of the characteristics of the central authentication system described above, we found that the ticket-based CAS authentication flow of the Jasig open-source project, which originated at Yale University, is quite secure, and that this is its greatest strength. In the original CAS flow, however, independent third-party authentication systems are a problem: when several authentication systems coexist, none authorizes another, each regards itself as the sole authority, and there is no trust mechanism between them, so the original flow is not open enough. In other words, the authentication systems described in the background are closed; the first "C" in CAS stands for "Central", and the service is not open to other parties' authentication systems.
We therefore designed and disclose a modification that improves the openness of the flow towards outside parties, so that certain specific scenarios can be realized.
Suppose, for example, that two CAS authentication services exist, one provided by the "other party" and one by "our side", and that they cannot interoperate. We make the following modification; the basic process is:
1. Our CAS remains the authentication center for our internal applications, which is a capability CAS already has. At the same time, towards the other party's CAS we treat our CAS as an ordinary application system and connect it to the other party's CAS; the connection is described in step 2.
2. When an application redirects to our CAS to initiate authentication, our CAS first determines whether the other party's CAS exists. If it does, go to step 3; if not, our CAS directly asks the browser for login credentials, and the original CAS authentication flow is retained.
3. Our CAS (acting as an application system of the other party's CAS) redirects the user straight to the other party's CAS. The user provides login credentials to that CAS through the browser; after a successful login, following the other party's CAS flow, our CAS obtains an ST issued by the other party's CAS.
4. After our CAS has validated that ST with the other party's CAS, it generates a TGT of its own and binds it to the other party's ST (should the other party's CAS later log out, our TGT is logged out in sync through the bound ST).
5. On the basis of that TGT, our CAS issues an application-side ST to the application accessed in step 2.
6. The application obtains our CAS's ST, submits it to our CAS for validation and, on success, provides service.
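The six steps above, together with the classic CAS flow from the background section, as an added runnable Python simulation. This is illustrative code written for this page, not the patent's implementation and not Jasig/Apereo CAS code. All names (CasServer, Browser, access, demo), the sample users and the province/city deployment are constructed; real CAS carries these steps over HTTP redirects, a TGC cookie and back-channel single-logout requests, which are replaced here by plain method calls. The block shows the single-use, service-bound ST check, the decision between local login and hooking into a third-party CAS, the binding of the local TGT to the parent's ST so that the parent's logout revokes it down the tree, and that authorization stays local (a user the node does not know only gets the visitor role) even though authentication is inherited.

```python
"""Added simulation of the CAS ticket flow and its cascaded ("hooked") TAS variant (constructed example)."""
import secrets


class Browser:
    """One user agent; holds one TGT cookie per CAS node, like the real TGC cookie."""
    def __init__(self, username, password):
        self.creds = (username, password)
        self.tgt_cookies = {}      # CAS node name -> TGT
        self.password_prompts = 0  # how often the user really had to type a password


class CasServer:
    """A CAS node: parent=None is the root, otherwise it hooks into `parent` as one of its apps."""
    def __init__(self, name, users, roles=None, parent=None):
        self.name = name
        self.users = users         # username -> password (constructed sample data)
        self.roles = roles or {}   # username -> role known to this node
        self.parent = parent
        self.tgts = {}             # TGT -> username
        self.sts = {}              # ST -> (service, username); single use
        self.issued = {}           # TGT -> [(ST, service)], needed for single logout
        self.slo_hooks = {}        # service -> callback(ST) run when the issuing TGT is logged out
        self.parent_binding = {}   # parent's ST -> local TGT (step 4 of the modified flow)
        if parent is not None:
            # When the parent revokes the ST our TGT is bound to, revoke that TGT (and so on down the tree).
            parent.slo_hooks[self.name] = lambda st: self.logout(self.parent_binding.pop(st, None))

    def _new_tgt(self, username):
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = username
        self.issued[tgt] = []
        return tgt

    def issue_st(self, tgt, service):
        """Classic CAS: mint a service ticket from a live TGT for exactly one service."""
        if tgt not in self.tgts:
            raise PermissionError("unknown or revoked TGT")
        st = "ST-" + secrets.token_hex(8)
        self.sts[st] = (service, self.tgts[tgt])
        self.issued[tgt].append((st, service))
        return st

    def validate_st(self, st, service):
        """Consumed on first presentation, success or not; accepted only by its own service."""
        entry = self.sts.pop(st, None)
        return None if entry is None or entry[0] != service else entry[1]

    def authenticate(self, browser, service):
        """`service` redirected `browser` here; return an ST for `service` (TAS steps 2-5)."""
        tgt = browser.tgt_cookies.get(self.name)
        if tgt not in self.tgts:
            if self.parent is None:
                # No third-party CAS: classic flow, ask the browser for credentials.
                user, pwd = browser.creds
                browser.password_prompts += 1
                if self.users.get(user) != pwd:
                    raise PermissionError("bad credentials")
                tgt = self._new_tgt(user)
            else:
                # Third-party CAS exists: go there as one of its applications, validate
                # the ST it issues us, then mint a local TGT bound to that ST.
                parent_st = self.parent.authenticate(browser, self.name)
                user = self.parent.validate_st(parent_st, self.name)
                if user is None:
                    raise PermissionError("parent ST rejected")
                tgt = self._new_tgt(user)
                self.parent_binding[parent_st] = tgt
            browser.tgt_cookies[self.name] = tgt
        return self.issue_st(tgt, service)

    def logout(self, tgt):
        """Single logout: drop the TGT and its STs, then notify every service that got one."""
        self.tgts.pop(tgt, None)
        for st, service in self.issued.pop(tgt, []):
            self.sts.pop(st, None)
            if service in self.slo_hooks:
                self.slo_hooks[service](st)


def access(browser, cas, service):
    """Application `service` authenticates `browser` through `cas`; returns (user, role) or None.
    Authentication may be inherited from a parent CAS, but the role is decided locally."""
    user = cas.validate_st(cas.authenticate(browser, service), service)
    return None if user is None else (user, cas.roles.get(user, "visitor"))


def demo():
    """Constructed deployment: a provincial root CAS with two city CAS nodes hooked into it."""
    province = CasServer("province", users={"alice": "pw-a"}, roles={"alice": "staff"})
    city_a = CasServer("city-a", users={}, roles={"alice": "admin"}, parent=province)
    city_b = CasServer("city-b", users={}, parent=province)
    alice = Browser("alice", "pw-a")
    first = access(alice, city_a, "app-a1")    # one password prompt, via the provincial CAS
    second = access(alice, city_b, "app-b1")   # no prompt: the provincial TGT cookie is reused
    province.logout(alice.tgt_cookies["province"])            # parent logs out ...
    revoked = alice.tgt_cookies["city-a"] not in city_a.tgts  # ... and the bound child TGT is gone
    return first, second, alice.password_prompts, revoked
```

`demo()` returns `(("alice", "admin"), ("alice", "visitor"), 1, True)`: the user typed a password once, each city node decided the role from its own data, and the provincial logout revoked the city TGT bound to the provincial ST. The caveat the binding does not remove: a child node accepts whatever identity its parent asserts, so the root of the tree becomes the root of trust for every node below it, and its ST validation endpoint must be reached over an authenticated channel.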
Before the modification, CAS forms a star-shaped authentication relationship with the authentication server at the center of the star, hence the name Central Authentication Service.
Figure 4 shows the single-CAS scenario before the modification (arrows indicate the direction of authentication connection).
The modified CAS system of the invention, having the dual role of Server (towards application systems) and Client (towards another CAS), can perform unidirectional authentication cascading when more than one CAS service exists, just as a directed graph built from one-way edges can be chained serially or combined into a tree. We tentatively call this unidirectional authentication cascade "hooking".
For example, the invention deploys several CAS authentication services; one CAS is chosen that hooks into no other CAS, and every other CAS hooks into exactly one CAS service. The whole authentication system then forms a tree-shaped authentication topology, which we name TAS (Tree-like Authentication Service); the overall system formed by running TAS we call the "authentication tree system group".
Figure 5 shows the modified multi-CAS scenario under the TAS framework (arrows indicate the direction of authentication connection).
If an authentication client can hold the configuration of several authentication nodes at once, then when one node in the authentication system group fails, authentication can proceed through the other nodes of the group, which gives a hot-standby effect for the central authentication service.
Likewise, if a node in the authentication network was not built under our direction, we can still form a network based on its authentication method, so that our side authenticates against the third party and the authentication requirements of specific scenarios are met.
In one embodiment, the method further includes: when the local authentication system acts as the central authentication system of the application, authenticating the application directly.
In one embodiment, the method further includes: when the local authentication system takes the third-party authentication system as its central authentication system, the local authentication system connecting to the third-party authentication system in the role of an application system.
Each authentication center can act either as a central CAS or as a child CAS; it determines which it is by checking whether a third-party CAS exists.
For example, when deploying for a province, the CAS deployed for the provincial department and for the city-level systems is identical; the city CAS is simply hooked under the provincial CAS service. The provincial CAS reads user permission data from the provincial data platform, while each city CAS reads its own platform. In principle the province covers the data of all cities, so for a user of a given city logging in, the data is consistent. When a user from another city opens this city's system, the system treats the user as having "visitor privileges": it exposes whatever functions it offers to visitors, with no need to "log in again".
In terms of data, whatever a child CAS can authorize the parent CAS must also cover, but not the reverse; a user who passes the parent CAS's authentication but is unknown to the child CAS they return to is a visitor. This resolves exactly the following case: a person from city A logs in to city A's system and may be authorized as "administrator" through city A's CAS. On arriving at city B, city B's CAS does not make them log in again but gives them "visitor" status, and they access city B's system seamlessly; the whole process bounces once through the provincial CAS, which the user does not notice. Cascading three CAS instances in this way achieves this effect.
With conventional technology, a person from city A accessing city B's system must log in again at city B, because the two CAS instances of A and B are independent.
在一个实施例中,还包括:当所述第三方认证系统登出所述应用的认证流程后,所述本机认证系统的TGT与绑定的所述第三方的ST同步注销。In one embodiment, the method further includes: after the third-party authentication system logs out of the authentication process of the application, the TGT of the local authentication system and the bound ST of the third party are synchronously logged out.
在一个实施例中,包括:当存在一个以上的认证服务时,所述本机认证系统进行单向的认证级联。In one embodiment, it includes: when there is more than one authentication service, the local authentication system performs unidirectional authentication cascading.
In one embodiment, the present invention also provides a device for implementing a tree topology authentication system group, including a plurality of local authentication systems, each of which includes:
a judging module, configured to judge whether a third-party authentication system exists when the local authentication system receives an authentication access signal from an application;
a transfer module, configured such that, if no third-party authentication system exists, the local authentication system requires the browser to provide login credentials and transfers the application by redirecting it to the third-party authentication system;
an obtaining module, configured such that, after the application provides login credentials to the third-party authentication system through the browser and the login succeeds, the local authentication system obtains the ST issued by the third party;
a binding module, configured such that, after the local authentication system validates the ST with the third-party authentication system, it generates a TGT of the local authentication system and binds it to the ST of the third-party authentication system;
an issuing module, configured such that the local authentication system issues an application-side ST to the application based on the TGT of the local system;
a verification module, configured such that, after the application obtains the application-side ST from the local authentication system, initiates validation with the local authentication system, and the validation succeeds, the application provides service to the browser.
In one embodiment, the local authentication system is further configured to authenticate the application directly when the local authentication system acts as the application's central authentication system.
In one embodiment, the local authentication system is further configured such that, when the local authentication system uses the third-party authentication system as its central authentication system, the local authentication system acts as the bridge between the application system and the third-party authentication system.
In one embodiment, the local authentication system is further configured such that, after the third-party authentication system logs out of the application's authentication flow, the TGT of the local authentication system and the bound ST of the third party are revoked synchronously.
In one embodiment, the local authentication system is further configured to perform unidirectional authentication cascading when more than one authentication service exists.
The present invention allows authentication to continue through other nodes of the network after one node in an authentication network group loses its link, essentially eliminating the "single point" of failure in single sign-on: each node authenticates on its own, yet all nodes are interconnected. The invention can securely integrate with and network to third-party authentication systems. It enables a three-level (multi-level) hierarchy of authentication systems such as "group organization authentication center / subsidiary or branch authentication center / departmental business authentication center", in which the levels trust each other but each authorizes independently.
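As an added illustration (not code from the patent), the following Python model simulates the cascade described above: each CasNode is a CAS-like authentication node with an optional parent; a node whose parent is reachable obtains and validates the parent's ST, mints a local TGT bound to it, issues an application-side ST, and validates that ST before the application serves the browser; authorization data stays local, so a user the parent vouches for but the child does not know receives the guest role; a logout at the parent revokes the bound child TGTs synchronously; and when the parent link is broken the child falls back to its own credential store, as the resilience point above describes. The class and method names, the ticket format, the user tables, and the direct credential submission are assumptions made for illustration; the real CAS protocol's HTTP redirects and XML validation responses are not modelled.

```python
import secrets
from typing import Optional

GUEST_ROLE = "guest"   # role for a user the parent vouches for but this node does not know

class CasNode:
    """One CAS-like node; `parent` is the third-party CAS it cascades to (None at the root)."""

    def __init__(self, name: str, users: dict, parent: Optional["CasNode"] = None):
        self.name, self.parent = name, parent   # parent: unidirectional link towards the root
        self.users = users      # {username: (password, role)}: this node's own auth data
        self.children = {}      # service name -> child CasNode, needed for single logout
        self.online = True      # set False to simulate a broken link to this node
        self.tgts = {}          # local TGT -> {"subject": ..., "parent_st": ... or None}
        self.sts = {}           # ST issued here -> {"subject", "service", "tgt", "used"}
        self.bound = {}         # parent ST -> local TGT minted from it
        if parent is not None:
            parent.children[name] = self

    def login(self, username: str, password: str) -> str:
        """Primary login from local data: used at the root, or when the parent link is down."""
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        pw, _ = self.users.get(username, (None, None))
        if pw is None or not secrets.compare_digest(pw, password):
            raise PermissionError("bad credentials")
        return self._new_tgt(username, parent_st=None)

    def _new_tgt(self, subject: str, parent_st: Optional[str]) -> str:
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = {"subject": subject, "parent_st": parent_st}
        if parent_st is not None:
            self.bound[parent_st] = tgt
        return tgt

    def issue_st(self, tgt: str, service: str) -> str:
        """A child CAS is just another service of its parent, so one issuer serves both."""
        st = "ST-" + secrets.token_hex(8)
        self.sts[st] = {"subject": self.tgts[tgt]["subject"], "service": service,
                        "tgt": tgt, "used": False}
        return st

    def validate_st(self, st: str, service: str) -> str:
        rec = self.sts.get(st)
        if rec is None or rec["used"] or rec["service"] != service or rec["tgt"] not in self.tgts:
            raise PermissionError("invalid service ticket")
        rec["used"] = True      # single use, as in CAS
        return rec["subject"]

    def authenticate_app(self, app: str, username: str, password: str) -> tuple:
        """The judge / transfer / obtain / bind / issue / verify chain; returns (subject, role, app_st)."""
        if self.parent is not None and self.parent.online:
            # transfer: the browser logs in at the parent, which issues an ST to *this* CAS
            parent_tgt = self.parent.login(username, password)
            parent_st = self.parent.issue_st(parent_tgt, service=self.name)
            # obtain + bind: validate that ST with the parent, mint a local TGT tied to it
            subject = self.parent.validate_st(parent_st, service=self.name)
            tgt = self._new_tgt(subject, parent_st)
        else:
            # root node, or parent unreachable: authenticate from local data
            tgt = self.login(username, password)
            subject = username
        app_st = self.issue_st(tgt, service=app)
        # verify: the app validates the app-side ST here before serving the browser
        if self.validate_st(app_st, service=app) != subject:
            raise PermissionError("app-side ST did not validate")
        role = self.users[subject][1] if subject in self.users else GUEST_ROLE  # authz stays local
        return subject, role, app_st

    def logout(self, tgt: str) -> int:
        """Revoke a TGT and its STs; child TGTs bound to those STs are revoked too."""
        revoked = 1 if self.tgts.pop(tgt, None) is not None else 0
        for st, rec in list(self.sts.items()):
            if rec["tgt"] == tgt:
                del self.sts[st]
                child = self.children.get(rec["service"])
                if child is not None:
                    revoked += child.single_logout(st)
        return revoked

    def single_logout(self, parent_st: str) -> int:
        """Synchronized logout: the parent ST we are bound to is gone, so our TGT goes too."""
        tgt = self.bound.pop(parent_st, None)
        return self.logout(tgt) if tgt is not None else 0


def demo() -> dict:
    """Province -> city A / city B tree with constructed users; returns the observed outcomes."""
    province = CasNode("province", {"alice": ("pw-a", "user"), "bob": ("pw-b", "user")})
    city_a = CasNode("cityA", {"alice": ("pw-a", "administrator")}, parent=province)
    city_b = CasNode("cityB", {"bob": ("pw-b", "administrator")}, parent=province)
    _, role_a, _ = city_a.authenticate_app("portal-a", "alice", "pw-a")   # known locally
    _, role_b, _ = city_b.authenticate_app("portal-b", "alice", "pw-a")   # unknown here: guest
    revoked = sum(province.logout(t) for t in list(province.tgts))       # logout from the root
    sessions_left = len(city_a.tgts) + len(city_b.tgts)
    province.online = False                                              # provincial link down
    _, role_offline, _ = city_a.authenticate_app("portal-a", "alice", "pw-a")
    return {"role_at_a": role_a, "role_at_b": role_b, "revoked": revoked,
            "city_sessions_after_logout": sessions_left, "role_at_a_offline": role_offline}
```

Running demo() shows the three properties in one pass: alice is "administrator" at city A and "guest" at city B because only authentication is delegated upward while authorization data stays with each node; one logout at the province revokes the TGTs of both cities through the ST-to-TGT bindings; and with the provincial link down, city A still authenticates its own users from local data. The single-use check in validate_st is the defensive detail worth keeping in any real deployment, since a replayable ST would let a captured ticket open a second session.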
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as beyond the scope of this application.
In the embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative: the division into modules or units is only a logical functional division, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected as actually needed to achieve the purpose of the solution in this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, may each exist physically on their own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
It should be noted that the above embodiments may be freely combined as required. The above is only the preferred embodiment of the present invention; it should be pointed out that those of ordinary skill in the art can make several improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as within the scope of protection of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211403760.8A CN115695036A (en) | 2022-11-10 | 2022-11-10 | Method and device for realizing tree topology authentication system group |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211403760.8A CN115695036A (en) | 2022-11-10 | 2022-11-10 | Method and device for realizing tree topology authentication system group |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115695036A true CN115695036A (en) | 2023-02-03 |
Family
ID=85050533
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211403760.8A Pending CN115695036A (en) | 2022-11-10 | 2022-11-10 | Method and device for realizing tree topology authentication system group |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115695036A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1283631A2 (en) * | 2001-08-06 | 2003-02-12 | Sun Microsystems, Inc. | Web based applications single sign on system and method |
| CN104539615A (en) * | 2014-12-29 | 2015-04-22 | 中国南方电网有限责任公司 | Cascading authentication method based on CAS |
| CN106357686A (en) * | 2016-10-26 | 2017-01-25 | 中企动力科技股份有限公司 | Single-point authentication method and single-point authentication system |
| US20200259817A1 (en) * | 2019-02-07 | 2020-08-13 | F5 Networks, Inc. | Methods for facilitating federated single sign-on (sso) for internal web applications and devices thereof |
| CN113411324A (en) * | 2021-06-17 | 2021-09-17 | 南京网觉软件有限公司 | Method and system for realizing login authentication based on CAS and third-party server |
- 2022-11-10 CN CN202211403760.8A patent/CN115695036A/en active Pending
Non-Patent Citations (1)
| Title |
|---|
| 汤其妹: "Research and implementation of a CAS-based unified identity authentication platform for a university smart campus", 电脑知识与技术 (Computer Knowledge and Technology), no. 11, 15 April 2020 (2020-04-15), pages 100-103 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109361753A (en) | A kind of Internet of things system framework and encryption method | |
| JP2009163546A (en) | Gateway, repeating method and program | |
| Dong et al. | Blockchain-based cross-domain authentication strategy for trusted access to mobile devices in the IoT | |
| US12021843B2 (en) | Policy based personally identifiable information leakage prevention in cloud native environments | |
| Xiao | Accountability for wireless LANs, ad hoc networks, and wireless mesh networks | |
| CN111651747B (en) | Login bill synchronization system and method and related equipment | |
| Thanh et al. | Toward a security IoT platform with high rate transmission and low energy consumption | |
| Xiao et al. | A multi-blockchain architecture supporting cross-blockchain communication | |
| CN114553527A (en) | Block chain-based identity authentication service system crossing CA trust domain | |
| CN116708397A (en) | Internet of things cross-domain authentication system and method based on alliance chain and MQTT | |
| CN102255904A (en) | Communication network and terminal authentication method thereof | |
| US11611541B2 (en) | Secure method to replicate on-premise secrets in a cloud environment | |
| JP6185934B2 (en) | Integrate server applications with many authentication providers | |
| CN115695036A (en) | Method and device for realizing tree topology authentication system group | |
| US20030200322A1 (en) | Autonomic system for selective administation isolation of a secure remote management of systems in a computer network | |
| Zhang et al. | A General Access Architecture for Blockchain-Based Semi-Quantum 6G Wireless Communication and its Application | |
| Prasanalakshmi et al. | Secure credential federation for hybrid cloud environment with SAML enabled multifactor authentication using biometrics | |
| Boi et al. | Decentralized Authentication in Microservice Architectures with SSI and DID in Blockchain | |
| Shao et al. | Protecting mobile-agent data collection against blocking attacks | |
| Kovacevic et al. | Token-based identity management in the distributed cloud | |
| Adams et al. | Receipt-mode trust negotiation: efficient authorization through outsourced interactions | |
| Liu et al. | Design of remote access system for digital resources in campus based on ssl protocol | |
| Duan et al. | IDentiaTM-an identity bridge integrating openID and SAML for enhanced identity trust and user access control | |
| CN120880787A (en) | User authentication method, system, medium and equipment | |
| Allouzi et al. | Advanced Authentication Protocol for Software-Defined Networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||