Non-Intrusive Single Sign-On Mechanism in Cloud Services
Abstract
A method and apparatus for Single Sign-on, wherein the user accesses a platform server and at least one service provider on the platform server. The method includes intercepting a request sent by the user via a client browser and extracting a domain name included in the request. If the domain name is an original domain name of the platform server, a global session ID is generated for uniquely identifying a session between the user and the platform server. A new domain name of the platform server associated with the global session ID is generated and the URL in the request is redirected to a new URL including the new domain name of the platform server. The request, including the new URL of the platform server, is forwarded to the platform server.
Claims
exact text as granted — not AI-modified1 . A method for Single Sign-On, wherein a user accesses a platform server and at least one service provider on the platform server, the method comprising:
intercepting a request sent by the user via a client browser; extracting a domain name included in the request; determining the type of the domain name; in response to a determination that the type of the domain name is an original domain name of the platform server, generating a global session ID for uniquely identifying a session between the user and the platform server; generating a new domain name of the platform server associated with the global session ID; redirecting the URL in the request to a new URL including the new domain name of the platform server; forwarding the request including the new URL of the platform server to the platform server.
2 . The method of claim 1 , further comprising:
recording the new domain name of the platform server, the global session ID and state information of the session between the user and the platform server in a domain name session mapping table.
3 . The method of claim 2 , further comprising:
in response to a determination that the type of the domain name is an original domain name of the at least one service provider, extracting the new domain name of the platform server associated with the global session ID from the request; extracting the global session ID from the new domain name of the platform server; generating a new domain name of the at least one service provider associated with the global session ID; redirecting the URL accessing the at least one service provider to a new URL including the new domain name of the at least one service provider; forwarding the request including the new URL of the at least one service provider to the at least one service provider.
4 . The method of claim 3 , further comprising:
recording the new domain name of the at least one service provider and state information of the session between the user and the service provider in the domain name session mapping table.
5 . The method of claim 2 , further comprising:
in response to a determination that the type of the domain name is a new domain name of the platform server associated with the global session ID, determining the request type; in response to a determination that the request type is that of signing out of the platform server, invalidating the active and valid session between the user and the service provider associated with the global session ID.
6 . The method of claim 5 , further comprising:
updating the state information of the session between the user and the platform server and that between the user and the service provider recorded in the domain name session mapping table.
7 . The method of claim 2 , further comprising:
in response to a determination that the type of the domain name is a new domain name of a service provider associated with the global session ID, determining the request type; in response to a determination that the request type is accessing the service provider, determining whether the session between the user and the platform server associated with the global session ID is invalid; in response to a determination that the session between the user and platform server is invalid, transforming the request into that of signing out of the service provider; and forwarding the transformed request to the service provider.
8 . The method of claim 7 , further comprising:
updating the state information of the session between the user and the service provider that is recorded in the domain name session mapping table from active and valid to invalid.
9 . A device for Single Sign-On, wherein a user accesses a platform server and at least one service provider on the platform server, the device comprising:
a request interception module configured to intercept a request sent by the user via a client browser; a domain name extracting module configured to extract a domain name included in the request; a domain name type determining module configured to determine the type of the domain name; a global session ID generating module configured to, in response to a determination by the domain type determining module that the type of the domain name is an original domain name of the platform server, generate a global session ID for uniquely identifying the session between the user and the platform server; a new domain name generating module configured to generate a new domain name of the platform server associated with the global session ID; a URL redirecting module configured to redirect the URL in the request to a new URL including the new domain name of the platform server; and a request forwarding module configured to forward the request including the new URL of the platform server to the platform server.
10 . The device of claim 9 , further comprising:
a recording module configured to record the new domain name of the platform server, the global session ID and state information of the session between the user and the platform server in a domain name session mapping table.
11 . The device of claim 10 , further comprising:
a global session ID extracting module configured to, in response to a determination by the domain type determining module that the type of the domain name is an original domain name of the at least one service provider, extracting the new domain name of the platform server associated with the global session ID from the request, and extracting the global session ID from the new domain name of the platform server; wherein, the new domain name generating module is further configured to generate a new domain name of the at least one service provider associated with the global session ID; the URL redirecting module is further configured to redirect the URL accessing the at least one service provider to a new URL including the new domain name of the at least one service provider; and the request forwarding module is further configured to forward the request including the new URL of the at least one service provider to the at least one service provider.
12 . The device of claim 11 , wherein the recording module is further configured to:
record the new domain name of the at least one service provider, the global session ID and the state information of the session between the user and the service provider in the domain name session mapping table.
13 . The device of claim 10 , further comprising:
a request type determining module configured to determine the request type, in response to a determination by the domain type determining module that the type of the domain name is a new domain name of the platform server associated with the global session ID; and a session invalidating module configured, in response to a determination by the request type determining module that the request type is signing out of the platform server, to invalidate the active and valid session between the user and the service provider associated with global session ID.
14 . The device of claim 13 , wherein the recording module is further configured to:
update the state information of the session between the user and the platform server and the session between the user and the service provider recorded in the domain name session mapping table.
15 . The device of claim 10 , wherein
the request type determining module is further configured to determine the request type, in response to a determination by the domain type determining module that the type of the domain name is a new domain name of the service provider associated with the global session ID; a session state querying module is further configured to respond to that a determination by the request type determining module that the request type is that of accessing the service provider, to determine whether the session between the user and the platform server associated with the global session ID is invalid; and the request forwarding module is further configured to respond to a determination that the session between the user and the platform server is invalid, to transform the request into that of signing out of the service provider and forward the transformed request to the service provider.
16 . The device of claim 15 , wherein the recording module is further configured to:
update the state information of the session between the user and the service provider recorded in the domain name session mapping table from active and valid to invalid.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.