1. Field of the Invention
The present invention relates to Single Sign-on, and particularly to a method and device for Single Sign-On in a cloud computing environment.
2. Description of Related Art
With the improvement of the information service quality provided by intranets, users' requirements for information security are becoming ever stronger; especially in a cloud computing environment, users obtain more and more services via a cloud computing platform such as Platform as a Service (PaaS) and Software as a Service (SaaS), and expect a secure and unified identity authentication and authorization management service for the various information service systems on the cloud computing platform. Currently, Single Sign-On is a popular identity authentication technology: an authentication and authorization mechanism between a plurality of application systems or services that trust each other. Single Sign-On includes single sign-in and single sign-out. It allows a user to sign in to or sign out of the system only once in order to be signed in to or signed out of all other connected application systems or services, without needing to sign in or sign out again. For example, a system provides a unified platform for the browser users (including IE users and FireFox users) of an intranet, enabling a user to receive the services provided by other information service systems on the cloud computing platform after completing identity authentication on the sign-on interface of the platform, without needing to sign in again. FIG. 1 illustrates a system schematic diagram of a user's Single Sign-On in the prior art; in the system shown in FIG. 1, a user 102 accesses a cloud computing platform server 106 and the web services 108 and 110 linked from the platform server page via his/her client browser 104. The user 102 signs in to the platform server 108 via the client browser to obtain permission to access the platform server 108, and accesses the web services 108 and 110 via the links on the platform server page.
In the conventional Single Sign-On technology, the session life cycles of the user in the various integrated applications are not synchronized; for example, the user accesses a network service 1 provided by a service provider SP1 and a network service 2 provided by a service provider SP2 via the cloud computing intranet platform, and then signs out from the sign-out interface of the intranet platform. Although the user has signed out via the sign-out interface of the intranet platform, he/she has not actually signed out of SP1 and SP2, because no sign-out request has been submitted to and completed by SP1 and SP2; the sessions between the user and SP1 and SP2 may therefore still be valid, so that the session life cycles between the user, the system platform and the applications are not synchronized. At this time, if another user signs on and then accesses SP1 and SP2, he/she will be presented with the previous user's interface, which will confuse the other user and provide hackers with an opportunity to threaten network security.
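The following simulation, added here as an illustration and not part of the original document, models the stale-session scenario just described with a hypothetical platform, two service providers (SP1 and SP2) and a shared client browser represented by a cookie dictionary; a single sign-out hook that propagates the platform sign-out to each provider is shown as the remedy.

```python
import secrets


class ServiceProvider:
    """Hypothetical SP (SP1/SP2 in the text) with its own session table and cookie."""

    def __init__(self, name, platform):
        self.name, self.platform, self.sessions = name, platform, {}

    def visit(self, browser, user):
        """Serve the page for whoever the SP cookie identifies; sign in via the platform if there is no SP session."""
        sid = browser.get(self.name)
        if sid in self.sessions:
            return self.sessions[sid]          # an existing SP session wins, even when it is stale
        if self.platform.user_for(browser.get("platform")) != user:
            raise PermissionError("no valid platform session")
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        browser[self.name] = sid               # SP session cookie stored in the shared browser
        return user

    def sign_out_user(self, user):
        """Single sign-out hook: drop every SP session belonging to the user."""
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}


class Platform:
    """Hypothetical cloud platform that issues the platform session token the SPs trust."""

    def __init__(self):
        self.tokens, self.providers = {}, []

    def sign_in(self, browser, user):
        tok = secrets.token_hex(8)
        self.tokens[tok] = user
        browser["platform"] = tok

    def user_for(self, tok):
        return self.tokens.get(tok)

    def sign_out(self, browser, propagate):
        user = self.tokens.pop(browser.pop("platform", None), None)
        if propagate and user:                 # single sign-out: notify every integrated SP
            for sp in self.providers:
                sp.sign_out_user(user)


def shared_browser_scenario(propagate):
    """Alice uses the platform, SP1 and SP2, signs out of the platform only; Bob then signs in on the same browser.
    Returns the user that SP1 and SP2 show to Bob."""
    platform = Platform()
    sp1, sp2 = ServiceProvider("SP1", platform), ServiceProvider("SP2", platform)
    platform.providers += [sp1, sp2]
    browser = {}                               # constructed stand-in for the shared browser's cookie jar
    platform.sign_in(browser, "alice")
    sp1.visit(browser, "alice"); sp2.visit(browser, "alice")
    platform.sign_out(browser, propagate)
    platform.sign_in(browser, "bob")
    return sp1.visit(browser, "bob"), sp2.visit(browser, "bob")
```

Without propagation the providers still serve Alice's sessions to Bob; with the sign-out hook both providers establish fresh sessions for Bob.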
In addition, the implementation of the existing Single Sign-On requires the platform and the service providers to conform to a unified programming model, while in a cloud computing environment, as users' demands keep growing, it is often necessary to add further services temporarily; if each service provider has to be closely coupled with the platform provider, enormous human and financial resources are required to modify their respective code and jointly build a unified programming model that implements Single Sign-On.
Therefore, there is a need to provide the service providers and the platform with a Single Sign-On method that is lightweight, loosely coupled and non-intrusive, and that keeps the session life cycles between the platform and the service providers synchronized.