CN109347864A - Single-point logging method and device based on Virtual Private Network - Google Patents
- Publication number
- CN109347864A (application number CN201811398817.3A)
- Authority
- CN
- China
- Prior art keywords
- vpn
- server
- resource
- authentication
- login account
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
          - H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
      - H04L12/00—Data switching networks
        - H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
          - H04L12/46—Interconnection of networks
            - H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a single sign-on method and device based on a Virtual Private Network (VPN). The method includes: when a VPN server detects the input of a VPN login account, it sends the VPN login account to an authentication server; the authentication server authenticates the VPN login account and returns an authentication result to the VPN server, where the authentication result on successful authentication includes a token that serves as the single sign-on authentication credential; when the authentication result received by the VPN server indicates success and a resource request for obtaining a single sign-on resource is received, the VPN server sends the token to the single sign-on authentication center of a resource server, the resource server comprising the single sign-on authentication center and a resource system; the single sign-on authentication center verifies the token and performs the corresponding operation according to the verification result. The embodiments of the present invention therefore have the advantages of simple configuration, high account security and fast login.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a single sign-on method and device based on a Virtual Private Network (VPN).
Background art
A VPN is a technology that establishes a private network over a public network and communicates over it with encryption; it is widely used in enterprise networks. A VPN gateway provides remote access by encrypting data packets and translating their destination addresses. When using a VPN, a user must therefore log in with an account and password, and only after successful authentication is the user permitted to access the resources inside the VPN.

However, when a VPN has many users or must satisfy particular user requirements, different authentication methods have to be applied. To make VPN products convenient and easy to use, VPN gateways today generally support a variety of third-party authentication servers, such as RADIUS authentication servers, LDAP authentication servers and 4A authentication servers, so that a simple account login authentication flow can be completed through a third-party authentication server. This is the primary authentication.

In a complex environment where multiple systems coexist, single sign-on (SSO) is often used in VPN products: after the user has logged in to the VPN successfully and needs to access resources that require single sign-on (referred to below as single sign-on resources), a single successful sign-on operation grants access to all of the mutually trusting application systems that require single sign-on authentication. This is the secondary authentication.

Although using single sign-on in a VPN avoids repeated logins when the user requests single sign-on resources, the user still has to pass through two authentication operations before the resource can be accessed, which reduces the efficiency of resource acquisition. Moreover, because the login account used to log in to the VPN and the login account used to request single sign-on resources after logging in are independent of each other, developing a VPN product requires pre-configuring both the primary authentication account information for logging in to the VPN gateway and the secondary authentication account information for single sign-on, so a large amount of account information has to be configured.
Summary of the invention
To overcome the problems in the related art, the present invention provides a single sign-on method and device based on a Virtual Private Network.
According to a first aspect of the embodiments of the present invention, there is provided a single sign-on method based on a Virtual Private Network, the method comprising:
when a VPN server detects the input of a VPN login account, sending the VPN login account to an authentication server;
the authentication server authenticating the VPN login account and returning an authentication result to the VPN server, where the authentication result on successful authentication includes a token serving as the single sign-on authentication credential;
when the authentication result received by the VPN server indicates successful authentication and a resource request for obtaining a single sign-on resource is received, sending the token to the single sign-on authentication center of a resource server, where the resource server includes the single sign-on authentication center and a resource system;
the single sign-on authentication center verifying the token and performing the corresponding operation according to the verification result.
According to a second aspect of the embodiments of the present invention, there is provided a single sign-on method based on a Virtual Private Network and applied to a VPN server, the method comprising:
when the input of a VPN login account is detected, sending the VPN login account to an authentication server, the authentication server being configured to authenticate the VPN login account and return an authentication result to the VPN server, where the authentication result on successful authentication includes a token serving as the single sign-on authentication credential;
when the authentication result returned by the authentication server indicates successful authentication and a resource request for obtaining a single sign-on resource is received, sending the token to the single sign-on authentication center of a resource server, where the single sign-on authentication center is configured to verify the token and perform the corresponding operation according to the verification result, and the resource server includes the single sign-on authentication center and a resource system.
According to a third aspect of the embodiments of the present invention, there is provided a single sign-on device based on a Virtual Private Network, the device comprising a VPN server, an authentication server and a resource server, the resource server including a single sign-on authentication center and a resource system, wherein:
when the VPN server detects the input of a VPN login account, it sends the VPN login account to the authentication server;
the authentication server authenticates the VPN login account and returns an authentication result to the VPN server, where the authentication result on successful authentication includes a token serving as the single sign-on authentication credential;
when the authentication result received by the VPN server indicates successful authentication and a resource request for obtaining a single sign-on resource is received, the VPN server sends the token to the single sign-on authentication center;
the single sign-on authentication center verifies the token and performs the corresponding operation according to the verification result.
According to a fourth aspect of the embodiments of the present invention, there is provided a single sign-on device based on a Virtual Private Network and applied to a VPN server, the device comprising a detection module, a first transceiver module and a second transceiver module, wherein:
the detection module is configured to detect whether a VPN login account has been input;
the first transceiver module is configured to, when the detection module detects the input of a VPN login account, send the VPN login account to an authentication server, so that the authentication server authenticates the VPN login account and returns an authentication result to the second transceiver module, where the authentication result on successful authentication includes a token serving as the single sign-on authentication credential;
the second transceiver module is configured to, when the received authentication result indicates successful authentication and a resource request for obtaining a single sign-on resource is received, send the token to the single sign-on authentication center of a resource server, where the single sign-on authentication center is configured to verify the token and perform the corresponding operation according to the verification result, and the resource server includes the single sign-on authentication center and a resource system.
The embodiments of the present invention can therefore produce at least the following beneficial effects:
Compared with the related art, in which the VPN login process and the single sign-on process use unrelated authentication methods, the embodiments of the present invention combine the authentication server that authenticates the VPN login account with the single sign-on system that would otherwise require a secondary authentication. Single sign-on can thus be achieved using only the login account of the VPN server, so only the account information associated with the VPN login needs to be configured in advance, and no separate single sign-on account information has to be configured for the user. This simplifies account configuration and the user's login operation and improves the efficiency of resource acquisition. In addition, using the token directly as the single sign-on credential improves user account security. The present invention therefore has the advantages of simple configuration, high account security and fast login.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario of a VPN-based single sign-on method according to an exemplary embodiment of the present invention;
Fig. 2 is a flowchart of a VPN-based single sign-on method according to an exemplary embodiment of the present invention;
Fig. 3 is a flowchart of a single sign-on method applied to a VPN server according to an exemplary embodiment of the present disclosure;
Fig. 4 is a structural block diagram of a VPN-based single sign-on device according to an exemplary embodiment of the present invention;
Fig. 5 is a structural block diagram of a single sign-on device applied to a VPN server according to an exemplary embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of devices and methods consistent with some aspects of the present invention as detailed in the appended claims.

The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.

It should be understood that although the terms first, second, third and so on may be used in the present invention to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present invention, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the field of VPN resource access, the related art requires the user to log in to the VPN with a VPN account before being permitted to access the resources inside the VPN; when the user needs to access a single sign-on resource that exists as a service module inside the VPN, the user additionally has to log in to the single sign-on resource system with a single sign-on account. The VPN login process and the single sign-on process in the related art are thus two entirely unrelated parts, and to realise both login processes the related art must pre-configure the accounts and related information for the user's two logins, so a large amount of account information has to be configured. Furthermore, configuring single sign-on accounts and related information is relatively complicated and creates an obstacle to the use of single sign-on resources.

On this basis, the embodiments of the present invention provide a VPN-based single sign-on method. Compared with the related art, in which the VPN login process and the single sign-on process use unrelated authentication methods, the embodiments of the present invention combine the authentication server that authenticates the VPN login account with the single sign-on system that would otherwise require a secondary authentication. Single sign-on can thus be achieved using only the login account of the VPN server, so only the account information associated with the VPN login needs to be configured in advance, and no separate single sign-on account information has to be configured for the user. This simplifies account configuration and the user's login operation and improves the efficiency of resource acquisition. In addition, using the token directly as the single sign-on credential improves user account security. The present invention therefore has the advantages of simple configuration, high account security and fast login.
In the embodiments of the present invention, Fig. 1 is a schematic diagram of an application scenario of the VPN-based single sign-on method according to an exemplary embodiment. The single sign-on method can be applied to a VPN system so that, using the VPN login account input by the user, the VPN system grants the user access both to the VPN resources and to the single sign-on resources among them. The VPN system includes a VPN server 100, an authentication server 102 and a resource server; the resource server includes a single sign-on authentication center 1031 and a resource system 1032.
The single sign-on method provided by the embodiments of the present invention is described next.
Fig. 2 is a flowchart of the VPN-based single sign-on method according to an exemplary embodiment of the present invention. The single sign-on method of this embodiment includes:
Step S021: when a VPN server detects the input of a VPN login account, it sends the VPN login account to an authentication server;
Step S022: the authentication server authenticates the VPN login account and returns an authentication result to the VPN server, where the authentication result on successful authentication includes a token serving as the single sign-on authentication credential;
Step S023: when the authentication result received by the VPN server indicates successful authentication and a resource request for obtaining a single sign-on resource is received, the VPN server sends the token to the single sign-on authentication center of a resource server, where the resource server includes the single sign-on authentication center and a resource system;
Step S024: the single sign-on authentication center verifies the token and performs the corresponding operation according to the verification result.
When the user needs to log in to the VPN server, the user can send a resource access request to the VPN server by starting the VPN client installed on the client device or by entering the VPN address in a web page on the client device. After receiving the resource access request from the client device, the VPN server returns a user login interface to the VPN client, so that the VPN client displays the login interface, prompts the user to enter the VPN login account and sends it to the VPN server. The user information associated with the VPN login account includes at least one of: account name, account password, login time and user permissions. To ensure the security of the VPN login, however, in this embodiment the VPN login account includes at least an account name and an account password.

When the VPN server receives the VPN login account, it can be regarded as having detected the input of the VPN login account. At this point the VPN server sends the VPN login account to the authentication server; it can do so in the form of an HTTP request message (since this message carries the account password, a practitioner would send it over a TLS-protected connection rather than plaintext HTTP).

After receiving the VPN login account, the authentication server authenticates it and returns the authentication result to the VPN server.

If authentication succeeds, the authentication server further generates, from the VPN login account, the token that serves as the single sign-on authentication credential, so that the authentication result returned to the VPN server includes the token. Accordingly, in one embodiment the method may also include Step S0220: when the authentication server authenticates the VPN login account successfully, it generates the token based on the user information associated with the VPN login account. The token can be generated jointly from the account name, account password, login time and user permissions in the user information, so as to guarantee login security and uniqueness. How the token is generated from the user information can be learned from the related content of the embodiments of the present invention and from the related art, and is not repeated here. If authentication fails, the authentication server returns an authentication result indicating failure directly to the VPN server, so that the VPN server returns login failure information to the VPN client together with a login interface prompting the user to log in again.

In the case of successful authentication, the authentication result received by the VPN server includes information indicating success together with the token; the VPN server can then return login success information to the VPN client and allow the user to access VPN resources through the VPN client.
After the VPN login account has been authenticated successfully, if the VPN server receives a resource request for obtaining a single sign-on resource, the VPN server sends the token to the single sign-on authentication center.

After the single sign-on authentication center receives the token, it verifies the token and performs the corresponding operation according to the verification result. In one embodiment, the corresponding operation performed by the single sign-on authentication center according to the verification result may include:
Step S0241: when the verification result indicates success, the single sign-on authentication center logs in to the target resource system associated with the resource request and returns the user interface of the target resource system to the VPN client through the VPN server;
Step S0242: when the verification result indicates failure, the single sign-on authentication center returns verification failure information and a single sign-on authentication interface to the VPN client through the VPN server.
Here the target resource system belongs to the resource system.

It follows that, when verification succeeds, a connection can be established between the VPN server and the target resource system through the single sign-on authentication center, and between the VPN client and the target resource system through the VPN server and the single sign-on authentication center. The user can then access the target single sign-on resource through the user interface of the target resource system displayed by the VPN client. When verification fails, the single sign-on authentication center returns single sign-on verification failure information and a single sign-on authentication interface to the VPN client through the VPN server, reminding the user to perform login authentication; the user can then enter the VPN login account in the single sign-on authentication interface to log in to the target resource system.
In this way, the embodiments of the present invention combine the authentication server that authenticates the VPN login account with the single sign-on system that would otherwise require a secondary authentication, so that single sign-on can be achieved using only the login account of the VPN server. Only the account information associated with the VPN login needs to be configured in advance, and no separate single sign-on account information has to be configured for the user, which simplifies account configuration and the user's login operation and improves the efficiency of resource acquisition. In addition, using the token directly as the single sign-on credential improves user account security. The present invention therefore has the advantages of simple configuration, high account security and fast login.
In one embodiment, the VPN server can be an SSL VPN server or another VPN server that supports a single sign-on function.
In one embodiment, the authentication server can be a third-party authentication server, for example a RADIUS authentication server, an LDAP authentication server or a 4A authentication server.
In one embodiment, the resource system in the resource server includes a single sign-on resource system and a non-single sign-on resource system. The single sign-on resource system is connected to the VPN server through the single sign-on authentication center, while the non-single sign-on resource system can be connected to the VPN server directly.
To further improve the security of the VPN login, in one embodiment the single sign-on method provided by the embodiments of the present invention may, in the case of authentication failure, also include:
Step S025: when the authentication result received by the VPN server indicates authentication failure, the VPN server returns authentication failure information to the VPN client and updates the authentication failure count of the current VPN login account;
Step S026: the VPN server determines, according to the authentication failure count, whether to perform a protective operation; the protective operation includes at least one of: locking the current VPN login account, and issuing an alarm.
The authentication failure information may include the reason for the failure.
In one example, if the number of authentication failures within a preset period reaches a preset threshold, the VPN server can perform the protective operation. Besides locking the current VPN login account, the protective operation can also send a warning to the user by SMS or telephone using the contact details bound to the VPN login account.
In addition, to further enhance the security of the VPN login, the authentication failure information can also include the time, IP address, terminal device identifier and geographical location of each authentication failure, so that the user has a clear picture of the failed attempts and can take protective measures in time, further improving the security of the VPN login.
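Steps S025 and S026 (counting failures per VPN login account and locking or alerting once a threshold is reached within a period), worked through as an added example in Python. This is not code from the patent; the threshold, window and lockout durations, the sliding-window counter, the in-memory alert list standing in for the SMS or telephone warning, and the sample accounts and addresses are all assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Added example, not code from the patent. Threshold, window, lockout duration
# and the alert sink are assumptions.


class LoginGuard:
    """Steps S025/S026: count authentication failures per VPN login account
    inside a sliding time window; once the threshold is reached, lock the
    account and raise an alert."""

    def __init__(self, threshold: int = 5, window: float = 300, lockout: float = 900):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires
        self.alerts = []                     # stands in for the SMS/phone warning channel

    def is_locked(self, account: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock has expired
            del self.locked_until[account]
            return False
        return True

    def record_failure(self, account: str, now: float = None, src_ip: str = "?",
                       device_id: str = "?", location: str = "?") -> dict:
        """Returns the failure message for the client (reason, time, IP, device id,
        location, as the text lists) plus the protective action taken, if any."""
        now = time.time() if now is None else now
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        message = {"reason": "authentication failed", "time": int(now), "ip": src_ip,
                   "device": device_id, "location": location,
                   "failures_in_window": len(recent), "action": None}
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            self.alerts.append({"account": account, "ip": src_ip, "time": int(now),
                                "failures": self.threshold})
            message["action"] = "locked"
        return message

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)     # a good login resets the counter


def demo() -> dict:
    """Constructed scenario with a fixed clock: three failures lock alice,
    two stale failures plus one fresh one do not lock bob."""
    guard = LoginGuard(threshold=3, window=60, lockout=120)
    t0 = 1_000.0
    alice = [guard.record_failure("alice", t0 + i, src_ip="203.0.113.9") for i in range(3)]
    guard.record_failure("bob", t0)
    guard.record_failure("bob", t0 + 1)
    bob = guard.record_failure("bob", t0 + 100)      # the first two have aged out of the window
    return {
        "alice_actions": [m["action"] for m in alice],
        "alice_locked": guard.is_locked("alice", t0 + 3),
        "alice_unlocked_later": guard.is_locked("alice", t0 + 3 + 120),
        "alerts": len(guard.alerts),
        "bob_failures_in_window": bob["failures_in_window"],
        "bob_action": bob["action"],
    }


if __name__ == "__main__":
    print(demo())
```

In step S021 the VPN server would consult `is_locked` before forwarding the account to the authentication server, so a locked account never reaches it. Two caveats a practitioner would attach: an account lockout is also a denial-of-service lever against any account name an attacker can guess, so it is normally paired with per-source rate limiting and a lock that expires rather than one that needs an administrator, and the alert should go to the security team as well as to the user, since the user's contact channel is what the attacker may be hoping to exhaust.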
Based on the above method, in one embodiment a single sign-on method applied to a VPN server can be proposed from the perspective of the VPN server. Fig. 3 is a flowchart of a single sign-on method applied to a VPN server according to an exemplary embodiment of the present disclosure; the method includes:
Step S031: when the input of a VPN login account is detected, sending the VPN login account to an authentication server;
Step S032: when the authentication result returned by the authentication server after authenticating the VPN login account indicates successful authentication and a resource request for obtaining a single sign-on resource is received, sending the token to the single sign-on authentication center of a resource server;
Step S033: when the verification result returned by the single sign-on authentication center after verifying the token indicates success, returning the user interface of the target resource system associated with the resource request to the VPN client;
Step S034: when the verification result returned by the single sign-on authentication center after verifying the token indicates failure, returning single sign-on verification failure information and/or a single sign-on authentication interface to the VPN client.
Steps S031 to S034 can be understood with reference to the preceding description and are not repeated here.

To further enhance the security of the VPN login, in one embodiment the single sign-on method applied to the VPN server may also include:
Step S036: when the received authentication result indicates authentication failure, returning authentication failure information to the VPN client and updating the authentication failure count of the current VPN login account;
Step S037: determining, according to the authentication failure count, whether to perform a protective operation, the protective operation including at least one of: locking the current VPN login account, and issuing an alarm.
Steps S036 and S037 can be understood with reference to the preceding description and are not repeated here.
Corresponding to the foregoing embodiment of the single sign-on method applied to a VPN system, the embodiments of the present invention also provide a VPN-based single sign-on device. Fig. 4 is a structural block diagram of a VPN-based single sign-on device according to an exemplary embodiment of the present invention. The device 400 includes a VPN server 401, an authentication server 402 and a resource server 403; the resource server 403 includes a single sign-on authentication center 4031 and a resource system 4032.
When the VPN server 401 detects the input of a VPN login account, it sends the VPN login account to the authentication server 402;
the authentication server 402 authenticates the VPN login account and returns an authentication result to the VPN server 401, where the authentication result on successful authentication includes a token serving as the single sign-on authentication credential;
when the authentication result received by the VPN server 401 indicates successful authentication and a resource request for obtaining a single sign-on resource is received, the VPN server 401 sends the token to the single sign-on authentication center 4031;
the single sign-on authentication center 4031 verifies the token and performs the corresponding operation according to the verification result.
In one embodiment, when the authentication result of authenticating the VPN login account is success, the authentication server 402 generates the token based on the user information associated with the VPN login account.
In one embodiment, after the single sign-on authentication center 4031 verifies the token, performing the corresponding operation according to the verification result may include:
when the verification result indicates success, logging in to the target resource system 4032 associated with the resource request and returning the user interface of the target resource system 4032 to the VPN client through the VPN server 401;
when the verification result indicates failure, returning verification failure information and a single sign-on authentication interface to the VPN client through the VPN server 401.
In one embodiment, to improve the security of the VPN login, the VPN server 401 can also be configured to:
when the received authentication result indicates authentication failure, return authentication failure information to the VPN client and update the authentication failure count of the current VPN login account; and
determine, according to the authentication failure count, whether to perform a protective operation, the protective operation including at least one of: locking the current VPN login account, and issuing an alarm.
Corresponding to the foregoing embodiments of the single sign-on method applied to a VPN server, an embodiment of the present invention further provides a single sign-on device applied to a VPN server. As shown in Fig. 5, which is a structural block diagram of a single sign-on device applied to a VPN server according to an exemplary embodiment of the present invention, the device 500 includes a detection module 501, a first transceiver module 502 and a second transceiver module 503:
The detection module 501 is configured to detect whether there is an input of a VPN login account;
The first transceiver module 502 is configured to, when the detection module 501 detects the input of a VPN login account, send the VPN login account to the authentication server, so that the authentication server authenticates the VPN login account and returns the authentication result to the second transceiver module 503, wherein the authentication result on successful authentication includes a token serving as the single sign-on authentication credential;
The second transceiver module 503 is configured to, when the received authentication result indicates successful authentication and a resource request for obtaining a single sign-on resource is received, send the token to the single sign-on authentication center of the resource server; wherein the single sign-on authentication center is configured to verify the token and execute the corresponding operation according to the verification result, and the resource server includes the single sign-on authentication center and a resource system.
In one embodiment, the device 500 may further include:
An update module, configured to, when the authentication result received by the second transceiver module 503 indicates authentication failure, return authentication failure information to the VPN client and update the authentication failure count of the current VPN login account;
A protection module, configured to determine, according to the authentication failure count, whether to execute a protection operation; the protection operation includes at least one of: locking the current VPN login account, and raising an alarm.
For the implementation of the functions and effects of each module in the device of any of the above embodiments, refer to the implementation of the corresponding step in the above method; details are not repeated here.
Since the device embodiments substantially correspond to the method embodiments, refer to the description of the method embodiments for related details. The device embodiments described above are merely exemplary; the modules described as separate units may or may not be physically separated. Some or all of the modules may be selected according to actual needs to achieve the purpose of the disclosed solution. Those of ordinary skill in the art can understand and implement them without creative effort.
Corresponding to any embodiment of the above single sign-on method, in an exemplary embodiment the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the steps of the single sign-on method in any of the preceding embodiments.
In embodiments of the present invention, the invention may be implemented in the form of a computer program product embodied on one or more storage media containing program code (including but not limited to disk storage, CD-ROM, optical storage, etc.). Computer-readable storage media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to: phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (10)
1. A single sign-on method based on a virtual private network (VPN), characterized in that the method includes:
when a VPN server detects an input of a VPN login account, sending the VPN login account to an authentication server;
the authentication server authenticating the VPN login account and returning an authentication result to the VPN server, wherein the authentication result on successful authentication includes a token serving as a single sign-on authentication credential;
when the authentication result received by the VPN server indicates successful authentication, and a resource request for obtaining a single sign-on resource is received, sending the token to a single sign-on authentication center of a resource server, wherein the resource server includes the single sign-on authentication center and a resource system;
the single sign-on authentication center verifying the token and executing a corresponding operation according to a verification result.
2. The VPN-based single sign-on method according to claim 1, characterized in that before the authentication server returns the authentication result to the VPN server, the method further includes:
when the authentication server successfully authenticates the VPN login account, generating the token based on user information associated with the VPN login account, wherein the user information includes at least one of: account name, account password, login time, and user permission.
3. The VPN-based single sign-on method according to claim 1, characterized in that the single sign-on authentication center verifying the token and executing the corresponding operation according to the verification result includes:
when the verification result indicates successful verification, logging in to a target resource system associated with the resource request, and returning a user interface of the target resource system to a VPN client through the VPN server.
4. The VPN-based single sign-on method according to claim 3, characterized in that the single sign-on authentication center verifying the token and executing the corresponding operation according to the verification result further includes:
when the verification result indicates verification failure, returning verification failure information and a single sign-on authentication interface to the VPN client through the VPN server.
5. The VPN-based single sign-on method according to claim 1, characterized in that the method further includes:
when the authentication result received by the VPN server indicates authentication failure, returning authentication failure information to the VPN client and updating an authentication failure count of the current VPN login account;
the VPN server determining, according to the authentication failure count, whether to execute a protection operation, the protection operation including at least one of: locking the current VPN login account, and raising an alarm.
6. A single sign-on method based on a VPN, characterized in that it is applied to a VPN server and includes:
when an input of a VPN login account is detected, sending the VPN login account to an authentication server, the authentication server being configured to authenticate the VPN login account and return an authentication result to the VPN server, wherein the authentication result on successful authentication includes a token serving as a single sign-on authentication credential;
when the authentication result returned by the authentication server indicates successful authentication, and a resource request for obtaining a single sign-on resource is received, sending the token to a single sign-on authentication center of a resource server, wherein the single sign-on authentication center is configured to verify the token and execute a corresponding operation according to a verification result, and the resource server includes the single sign-on authentication center and a resource system.
7. The VPN-based single sign-on method according to claim 6, characterized in that the method further includes:
when the received authentication result indicates authentication failure, returning authentication failure information to the VPN client and updating an authentication failure count of the current VPN login account;
determining, according to the authentication failure count, whether to execute a protection operation, the protection operation including at least one of: locking the current VPN login account, and raising an alarm.
8. A single sign-on device based on a VPN, characterized in that the device includes a VPN server, an authentication server and a resource server, the resource server including a single sign-on authentication center and a resource system;
when the VPN server detects an input of a VPN login account, it sends the VPN login account to the authentication server;
the authentication server authenticates the VPN login account and returns an authentication result to the VPN server, wherein the authentication result on successful authentication includes a token serving as a single sign-on authentication credential;
when the authentication result received by the VPN server indicates successful authentication, and a resource request for obtaining a single sign-on resource is received, the VPN server sends the token to the single sign-on authentication center;
the single sign-on authentication center verifies the token and executes a corresponding operation according to a verification result.
9. A single sign-on device based on a VPN, characterized in that it is applied to a VPN server and includes a detection module, a first transceiver module and a second transceiver module:
the detection module is configured to detect whether there is an input of a VPN login account;
the first transceiver module is configured to, when the detection module detects the input of a VPN login account, send the VPN login account to an authentication server, so that the authentication server authenticates the VPN login account and returns an authentication result to the second transceiver module, wherein the authentication result on successful authentication includes a token serving as a single sign-on authentication credential;
the second transceiver module is configured to, when the received authentication result indicates successful authentication and a resource request for obtaining a single sign-on resource is received, send the token to a single sign-on authentication center of a resource server, wherein the single sign-on authentication center is configured to verify the token and execute a corresponding operation according to a verification result, and the resource server includes the single sign-on authentication center and a resource system.
10. The device according to claim 9, characterized in that the device further includes:
an update module, configured to, when the authentication result received by the second transceiver module indicates authentication failure, return authentication failure information to the VPN client and update an authentication failure count of the current VPN login account;
a protection module, configured to determine, according to the authentication failure count, whether to execute a protection operation, the protection operation including at least one of: locking the current VPN login account, and raising an alarm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811398817.3A CN109347864B (en) | 2018-11-22 | 2018-11-22 | Single sign-on method and device based on virtual private network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109347864A true CN109347864A (en) | 2019-02-15 |
CN109347864B CN109347864B (en) | 2021-05-28 |
Family
ID=65317482
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811398817.3A Active CN109347864B (en) | 2018-11-22 | 2018-11-22 | Single sign-on method and device based on virtual private network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109347864B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110086785A (en) * | 2019-04-12 | 2019-08-02 | 杭州迪普科技股份有限公司 | User authen method and device based on VPN |
CN109862047A (en) * | 2019-04-18 | 2019-06-07 | 首约科技(北京)有限公司 | The method, apparatus and storage medium of login service device |
CN111191202A (en) * | 2019-12-31 | 2020-05-22 | 北京指掌易科技有限公司 | Single sign-on method, device and system for mobile application |
CN113641971A (en) * | 2021-08-20 | 2021-11-12 | 武汉极意网络科技有限公司 | Exception handling system based on behavior verification |
WO2023092316A1 (en) * | 2021-11-24 | 2023-06-01 | 国云科技股份有限公司 | Third-party service login method and apparatus, terminal device, and storage medium |
CN116170234A (en) * | 2023-04-23 | 2023-05-26 | 北京首信科技股份有限公司 | Single sign-on method and system based on virtual account authentication |
CN116170234B (en) * | 2023-04-23 | 2023-07-14 | 北京首信科技股份有限公司 | Single sign-on method and system based on virtual account authentication |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1805341A (en) * | 2006-01-11 | 2006-07-19 | 西安电子科技大学 | Network authentication and key allocation method across secure domains |
CN101060520A (en) * | 2006-04-21 | 2007-10-24 | 盛趣信息技术(上海)有限公司 | Token-based SSO authentication system |
CN101674304A (en) * | 2009-10-15 | 2010-03-17 | 浙江师范大学 | Network identity authentication system and method |
CN103188248A (en) * | 2011-12-31 | 2013-07-03 | 卓望数码技术(深圳)有限公司 | Identity authentication system and method based on single sign-on |
US20130298215A1 (en) * | 2012-05-04 | 2013-11-07 | Rawllin International Inc. | Single sign-on user registration for online or client account services |
CN104320423A (en) * | 2014-11-19 | 2015-01-28 | 重庆邮电大学 | Single sign-on light weight implementation method based on Cookie |
CN104348791A (en) * | 2013-07-30 | 2015-02-11 | 北京神州泰岳软件股份有限公司 | Single sign on method and system |
CN107070880A (en) * | 2017-02-16 | 2017-08-18 | 济南浪潮高新科技投资发展有限公司 | A kind of method and system of single-sign-on, a kind of authentication center's server |
CN107231346A (en) * | 2017-05-03 | 2017-10-03 | 北京海顿中科技术有限公司 | A kind of method of cloud platform identification |
CN107294916A (en) * | 2016-03-31 | 2017-10-24 | 北京神州泰岳软件股份有限公司 | Single-point logging method, single-sign-on terminal and single-node login system |
Also Published As
Publication number | Publication date |
---|---|
CN109347864B (en) | 2021-05-28 |
Similar Documents
Publication | Title |
---|---|
CN109347864A (en) | Single-point logging method and device based on Virtual Private Network | |
CN108684041B (en) | System and method for login authentication | |
US11165890B2 (en) | Secure client-server communication | |
US10771471B2 (en) | Method and system for user authentication | |
CN109981561A (en) | Monomer architecture system moves to the user authen method of micro services framework | |
CN101227468B (en) | Method, device and system for authenticating user to network | |
CN109309565A (en) | A kind of method and device of safety certification | |
CN107294916B (en) | Single-point logging method, single-sign-on terminal and single-node login system | |
EP3455762B1 (en) | Unified vpn and identity based authentication to cloud-based services | |
CN106209749A (en) | Single-point logging method and the processing method and processing device of device, relevant device and application | |
US11184312B1 (en) | Email alias generation | |
US10764271B2 (en) | Systems and methods for performing disturbed authentication using a bridge computer system | |
US20110107414A1 (en) | System and Method for Location Assisted Virtual Private Networks | |
CN105099707B (en) | A kind of offline authentication method, server and system | |
CN107040513A (en) | A kind of credible access registrar processing method, user terminal and service end | |
CN109388937B (en) | Single sign-on method and sign-on system for multi-factor identity authentication | |
US11368449B2 (en) | Asserting a mobile identity to users and devices in an enterprise authentication system | |
CN101656609A (en) | Single sign-on method, system and device thereof | |
Alhaidary et al. | Vulnerability analysis for the authentication protocols in trusted computing platforms and a proposed enhancement of the offpad protocol | |
CN107094156A (en) | A kind of safety communicating method and system based on P2P patterns | |
CN109981287A (en) | A kind of code signature method and its storage medium | |
US20210297449A1 (en) | Token node locking | |
CN110020869A (en) | For generating the method, apparatus and system of block chain authorization message | |
CN109347887A (en) | A kind of identity authentication method and device | |
CN110166471A (en) | A kind of portal authentication method and device |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |