CN109347864A - Single-point logging method and device based on Virtual Private Network - Google Patents


Info

Publication number: CN109347864A
Authority: CN (China)
Prior art keywords: vpn, server, resource, authentication, login account
Prior art date:
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201811398817.3A
Other languages: Chinese (zh)
Other versions: CN109347864B (en)
Inventor: 陈立
Current Assignee: Hangzhou DPTech Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Priority date (an assumption, not a legal conclusion):
Filing date:
Publication date:
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201811398817.3A
Publication of CN109347864A
Application granted
Publication of CN109347864B
Current legal status: Active
Anticipated expiration:

Classifications

    • H04L63/0815: Network architectures or network communication protocols for network security; for authentication of entities; providing single-sign-on or federations (H04L: Transmission of digital information, e.g. telegraphic communication)
    • H04L12/4641: Data switching networks; networks characterised by path configuration, e.g. LAN or WAN; interconnection of networks; virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/0807: Network architectures or network communication protocols for network security; for authentication of entities; using tickets, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a single sign-on method and device based on a virtual private network (VPN). The method comprises: when a VPN server detects the input of a VPN login account, it sends the VPN login account to an authentication server; the authentication server authenticates the VPN login account and returns the authentication result to the VPN server, where the authentication result on successful authentication includes a token that serves as the single sign-on authentication credential; when the authentication result received by the VPN server indicates success and the VPN server receives a resource request for a single sign-on resource, it sends the token to the single sign-on authentication center of a resource server, where the resource server comprises the single sign-on authentication center and a resource system; the single sign-on authentication center verifies the token and performs the corresponding operation according to the verification result. Embodiments of the invention therefore have the advantages of simple configuration, high account security and fast login.

Description

Single sign-on method and device based on a virtual private network
Technical field
The present invention relates to the field of network security, and in particular to a single sign-on method and device based on a virtual private network (VPN).
Background
A VPN is a technology that establishes a dedicated network over a public network and communicates over it with encryption; it is widely used in enterprise networks. A VPN gateway provides remote access by encrypting data packets and translating their destination addresses. A user of a VPN must therefore first log in with an account and password, and only after successful authentication is the user permitted to access the resources inside the VPN.
However, when the number of VPN users is large, or specific user requirements must be met, different authentication modes have to be supported. For the user's convenience and to improve the usability of VPN products, VPN gateways today generally support a variety of third-party authentication servers, such as RADIUS authentication servers, LDAP authentication servers and 4A authentication servers, so that the plain account login authentication procedure is completed by a third-party authentication server. This is the primary authentication.
In a complex environment in which several systems coexist, VPN products also frequently use single sign-on (SSO): after a user has logged in to the VPN successfully and wants to access a resource that requires single sign-on (hereafter a single sign-on resource), a single successful single sign-on operation grants access to all mutually trusting application systems that require single sign-on authentication. This is the secondary authentication.
Although single sign-on avoids repeated logins when a user requests single sign-on resources inside the VPN, the user still has to pass two authentication operations before reaching a resource, which reduces the efficiency of resource acquisition. Moreover, because the login account used to log in to the VPN and the login account used to request single sign-on resources after a successful VPN login are independent of each other, developing a VPN product requires pre-configuring both the primary authentication account information for logging in to the VPN gateway and the secondary authentication account information for single sign-on, so that a large amount of account information has to be configured.
Summary of the invention
To overcome the problems in the related art, the present invention provides a single sign-on method and device based on a virtual private network.
According to a first aspect of the embodiments of the present invention, a single sign-on method based on a virtual private network is provided. The method comprises:
when a VPN server detects the input of a VPN login account, sending the VPN login account to an authentication server;
the authentication server authenticating the VPN login account and returning the authentication result to the VPN server, where the authentication result on successful authentication includes a token that serves as the single sign-on authentication credential;
when the authentication result received by the VPN server indicates successful authentication, and a resource request for a single sign-on resource is received, sending the token to the single sign-on authentication center of a resource server, where the resource server comprises the single sign-on authentication center and a resource system;
the single sign-on authentication center verifying the token and performing the corresponding operation according to the verification result.
According to a second aspect of the embodiments of the present invention, a single sign-on method based on a virtual private network and applied to a VPN server is provided. The method comprises:
when the input of a VPN login account is detected, sending the VPN login account to an authentication server, the authentication server being configured to authenticate the VPN login account and return the authentication result to the VPN server, where the authentication result on successful authentication includes a token that serves as the single sign-on authentication credential;
when the authentication result returned by the authentication server indicates successful authentication, and a resource request for a single sign-on resource is received, sending the token to the single sign-on authentication center of a resource server, the single sign-on authentication center being configured to verify the token and perform the corresponding operation according to the verification result, where the resource server comprises the single sign-on authentication center and a resource system.
According to a third aspect of the embodiments of the present invention, a single sign-on device based on a virtual private network is provided. The device comprises a VPN server, an authentication server and a resource server, where the resource server comprises a single sign-on authentication center and a resource system:
when the VPN server detects the input of a VPN login account, it sends the VPN login account to the authentication server;
the authentication server authenticates the VPN login account and returns the authentication result to the VPN server, where the authentication result on successful authentication includes a token that serves as the single sign-on authentication credential;
when the authentication result received by the VPN server indicates successful authentication, and a resource request for a single sign-on resource is received, the VPN server sends the token to the single sign-on authentication center;
the single sign-on authentication center verifies the token and performs the corresponding operation according to the verification result.
According to a fourth aspect of the embodiments of the present invention, a single sign-on device based on a virtual private network and applied to a VPN server is provided. The device comprises a detection module, a first transceiver module and a second transceiver module:
the detection module is configured to detect whether a VPN login account has been input;
the first transceiver module is configured, when the detection module detects the input of a VPN login account, to send the VPN login account to an authentication server, so that the authentication server authenticates the VPN login account and returns the authentication result to the second transceiver module, where the authentication result on successful authentication includes a token that serves as the single sign-on authentication credential;
the second transceiver module is configured, when the received authentication result indicates successful authentication and a resource request for a single sign-on resource is received, to send the token to the single sign-on authentication center of a resource server, the single sign-on authentication center being configured to verify the token and perform the corresponding operation according to the verification result, where the resource server comprises the single sign-on authentication center and a resource system.
The embodiments of the present invention can therefore produce at least the following beneficial effects:
In contrast to the related art, in which the VPN login process and the single sign-on process are authenticated independently of each other, the embodiments of the present invention combine the authentication server that authenticates the VPN login account with the single sign-on system that requires the secondary authentication, so that single sign-on is achieved using only the login account of the VPN server. Only the VPN login account information needs to be associated in advance, and no single sign-on account information has to be configured for the user, which simplifies both account configuration and the user's login operation and improves the efficiency of resource acquisition. In addition, using the token directly as the single sign-on credential improves the security of the user account. The invention therefore has the advantages of simple configuration, high account security and fast login.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario of a single sign-on method based on a virtual private network according to an exemplary embodiment of the present invention;
Fig. 2 is a flow chart of a single sign-on method based on a virtual private network according to an exemplary embodiment of the present invention;
Fig. 3 is a flow chart of a single sign-on method applied to a VPN server according to an exemplary embodiment of the present disclosure;
Fig. 4 is a structural block diagram of a single sign-on device based on a virtual private network according to an exemplary embodiment of the present invention;
Fig. 5 is a structural block diagram of a single sign-on device applied to a VPN server according to an exemplary embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of devices and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "an", "the" and "said" used in the present invention and in the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the present invention to describe various kinds of information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present invention, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the field of VPN resource access, the related art requires a user to log in to the VPN with a VPN account before the user is permitted to access the resources inside the VPN; when the user then needs to access a single sign-on resource that is a service module inside the VPN, the user must additionally log in to the single sign-on resource system with a single sign-on account. The VPN login process and the single sign-on process in the related art are therefore two entirely unrelated parts, and to implement both login processes the related art has to pre-configure the accounts and related information for both logins, so that a large amount of account information has to be configured. Because configuring the single sign-on account and related information is relatively cumbersome, this is an obstacle to the use of single sign-on resources.
On this basis, the embodiments of the present invention provide a single sign-on method based on a virtual private network. In contrast to the related art, in which the VPN login process and the single sign-on process are authenticated independently of each other, the embodiments combine the authentication server that authenticates the VPN login account with the single sign-on system that requires the secondary authentication, so that single sign-on is achieved using only the login account of the VPN server. Only the VPN login account information needs to be associated in advance, and no single sign-on account information has to be configured for the user, which simplifies both account configuration and the user's login operation and improves the efficiency of resource acquisition. In addition, using the token directly as the single sign-on credential improves the security of the user account. The invention therefore has the advantages of simple configuration, high account security and fast login.
Fig. 1 is a schematic diagram of an application scenario of a single sign-on method based on a virtual private network according to an exemplary embodiment of the present invention. The single sign-on method can be applied to a VPN system, so that the VPN system can give the user access to the VPN resources, and to the single sign-on resources among them, on the basis of the VPN login account entered by the user. The VPN system comprises a VPN server 100, an authentication server 102 and a resource server; the resource server comprises a single sign-on authentication center 1031 and a resource system 1032.
The single sign-on method provided by the embodiments of the present invention is described next.
Fig. 2 is a flow chart of a single sign-on method based on a virtual private network according to an exemplary embodiment of the present invention. The single sign-on method of this embodiment comprises:
Step S021: when the VPN server detects the input of a VPN login account, the VPN server sends the VPN login account to the authentication server;
Step S022: the authentication server authenticates the VPN login account and returns the authentication result to the VPN server, where the authentication result on successful authentication includes a token that serves as the single sign-on authentication credential;
Step S023: when the authentication result received by the VPN server indicates successful authentication, and a resource request for a single sign-on resource is received, the VPN server sends the token to the single sign-on authentication center of the resource server, where the resource server comprises the single sign-on authentication center and a resource system;
Step S024: the single sign-on authentication center verifies the token and performs the corresponding operation according to the verification result.
Accordingly, when a user needs to log in to the VPN server, the user can send a resource access request to the VPN server either by starting the VPN client installed on the user device or by entering the VPN address in a web page on the user device.
After receiving the resource access request sent by the user device, the VPN server can return a user login interface to the VPN client, so that the VPN client displays the login interface, prompts the user to enter the VPN login account and sends it to the VPN server. The user information associated with the VPN login account includes at least one of: account name, account password, login time and user rights. To guarantee the security of the VPN login, in this embodiment the VPN login account includes at least the account name and the account password.
When the VPN server receives the VPN login account, the VPN server can be considered to have detected the input of the VPN login account. At this point the VPN server can send the VPN login account to the authentication server, for example in an HTTP request message. The page does not say how that request is protected; since it carries the account password, in practice it has to travel over a protected channel (for example HTTPS, or the RADIUS or LDAPS channel that the authentication server already terminates).
After the authentication server receives the VPN login account, it authenticates the VPN login account and returns the authentication result to the VPN server.
If authentication succeeds, the authentication server further generates, according to the VPN login account, the token that serves as the single sign-on authentication credential, so that the authentication result returned to the VPN server includes the token. On this basis, in one embodiment the method can further comprise step S0220: when the authentication server authenticates the VPN login account successfully, it generates the token on the basis of the user information associated with the VPN login account. The account name, account password, login time and user rights in the user information can together be used to generate a token that is unique and protects the security of the login. How the token is generated from the user information can be learned from the content of the embodiments of the present invention and from the related art, and is not repeated here. Note that uniqueness is the only property the text requires of the token; because the single sign-on authentication center grants access on the strength of it, the token must also be unforgeable by anyone who knows the user's own account details, which in practice means either a random value that the authentication server stores and the center looks up, or a payload that the center can verify with a key, rather than a deterministic function of the account fields alone. If authentication fails, the authentication server returns an authentication result directly indicating failure to the VPN server, so that the VPN server returns login failure information to the VPN client together with a login interface prompting the user to log in again.
If authentication succeeds, the authentication result received by the VPN server includes information indicating success and the token; the VPN server can then return a login success message to the VPN client and allow the user to access VPN resources through the VPN client.
After the VPN login account has been authenticated successfully, if the VPN server receives a resource request for a single sign-on resource, the VPN server sends the token to the single sign-on authentication center.
After the single sign-on authentication center receives the token, it verifies the token and performs the corresponding operation according to the verification result. In one embodiment, the operation that the single sign-on authentication center performs according to the verification result can include:
Step S0241: when the verification result indicates success, the single sign-on authentication center logs in to the target resource system associated with the resource request and returns the user interface of the target resource system to the VPN client through the VPN server.
Step S0242: when the verification result indicates failure, the single sign-on authentication center returns verification failure information and a single sign-on authentication interface to the VPN client through the VPN server.
The target resource system belongs to the resource system.
It can be seen from the above that on successful verification a connection is established between the VPN server and the target resource system through the single sign-on authentication center, and a connection is established between the VPN client and the target resource system through the VPN server and the single sign-on authentication center. The user can then access the target single sign-on resource through the user interface of the target resource system displayed by the VPN client. When verification fails, the single sign-on authentication center returns single sign-on verification failure information and a single sign-on authentication interface to the VPN client through the VPN server, reminding the user to authenticate; the user can then log in to the target resource system by entering the VPN login account in the single sign-on authentication interface.
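The exchange of steps S021 to S024 (login relayed to the authentication server, token returned to the VPN server, token forwarded to the single sign-on authentication center, verification and login to the target resource system) is shown below as an added example in Python; it is not code from the patent or from the assignee. The patent does not fix the token format or how the center verifies it, so the following are assumptions made here: the token is an HMAC-SHA256-signed payload carrying the account name, the user's rights and an expiry, the signing key is shared only between the authentication server and the single sign-on authentication center, and the account directory, the resource systems and the names `build_demo`, `Clock` and the three classes are illustrative.

```python
"""Simulation of steps S021 to S024 with all three parties in one process.

Added example, not the patent's code. Assumed, not fixed by the page: an
HMAC-SHA256-signed token with an expiry, a key held only by the authentication
server and the SSO center, and constructed sample accounts and resource systems.
"""
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL = 300  # seconds; assumed lifetime of the SSO credential


class Clock:
    def __init__(self, t=1_700_000_000):
        self.t = t  # epoch seconds, advanced by hand to exercise expiry

    def __call__(self):
        return self.t


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_pw(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


class AuthServer:
    """Step S022: check the VPN login account and mint the SSO token."""
    def __init__(self, key, directory, clock):
        self.key, self.directory, self.clock = key, directory, clock

    def authenticate(self, account, password):
        user = self.directory.get(account)
        # Run the comparison even for unknown accounts so timing does not reveal them.
        salt, stored = (user["salt"], user["pw_hash"]) if user else ("x", _hash_pw("x", "x"))
        valid = hmac.compare_digest(_hash_pw(salt, password), stored)
        if user is None or not valid:
            return {"ok": False, "reason": "bad credentials"}
        now = self.clock()
        body = {"sub": account, "iat": now, "exp": now + TOKEN_TTL,
                "rights": user["rights"], "jti": secrets.token_hex(8)}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return {"ok": True, "token": payload + "." + sig}


class SsoAuthCenter:
    """Step S024: verify the token, then log in to the target resource system."""
    def __init__(self, key, resource_systems, clock):
        self.key, self.systems, self.clock = key, resource_systems, clock

    def verify(self, token, resource):
        parts = token.split(".")
        if len(parts) != 2:
            return {"ok": False, "reason": "malformed token"}
        payload, sig = parts
        expected = _b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return {"ok": False, "reason": "bad signature"}  # forged or tampered
        body = json.loads(_unb64(payload))
        if body["exp"] <= self.clock():
            return {"ok": False, "reason": "expired"}
        if resource not in self.systems or resource not in body["rights"]:
            return {"ok": False, "reason": "not authorised"}
        return {"ok": True, "ui": self.systems[resource](body["sub"])}


class VpnServer:
    """Steps S021 and S023: relay the login, hold the token, relay resource requests."""
    def __init__(self, auth, sso):
        self.auth, self.sso, self.sessions = auth, sso, {}

    def login(self, session, account, password):
        result = self.auth.authenticate(account, password)
        if result["ok"]:
            self.sessions[session] = result["token"]  # the client never sees the token
        return result["ok"]

    def request_resource(self, session, resource):
        token = self.sessions.get(session)
        if token is None:
            return {"ok": False, "reason": "not logged in"}
        return self.sso.verify(token, resource)


def build_demo(clock=None):
    """Wire the three parties together around constructed sample data."""
    clock = clock or Clock()
    key = secrets.token_bytes(32)
    directory = {"alice": {"salt": "s1", "pw_hash": _hash_pw("s1", "correct horse"),
                           "rights": ["crm", "wiki"]}}
    systems = {n: (lambda user, n=n: f"<{n} home for {user}>") for n in ("crm", "wiki", "hr")}
    return VpnServer(AuthServer(key, directory, clock), SsoAuthCenter(key, systems, clock)), clock
```

Usage: `vpn, clock = build_demo()`, then `vpn.login("sess1", "alice", "correct horse")` returns `True` and `vpn.request_resource("sess1", "crm")` returns the CRM user interface; a request for `"hr"` is refused because the token does not carry that right, and after `clock.t += TOKEN_TTL + 1` the same token is refused as expired. The token never reaches the VPN client, which is what lets the VPN server act as the user's single sign-on principal without the client holding a second credential.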
Thus, by combining the authentication server that authenticates the VPN login account with the single sign-on system that requires the secondary authentication, the embodiments of the present invention achieve single sign-on using only the login account of the VPN server. Only the VPN login account information needs to be associated in advance, and no single sign-on account information has to be configured for the user, which simplifies account configuration and the user's login operation and improves the efficiency of resource acquisition. In addition, using the token directly as the single sign-on credential improves the security of the user account. The invention therefore has the advantages of simple configuration, high account security and fast login.
In one embodiment, the VPN server can be an SSL VPN server or another VPN server that supports single sign-on.
In one embodiment, the authentication server can be a third-party authentication server, for example a RADIUS authentication server, an LDAP authentication server or a 4A authentication server.
In one embodiment, the resource system in the resource server includes a single sign-on resource system and a non-single sign-on resource system. The single sign-on resource system is connected to the VPN server through the single sign-on authentication center, whereas the non-single sign-on resource system can be connected to the VPN server directly.
To further improve the security of the VPN login, in one embodiment the single sign-on method provided by the embodiments of the present invention can, in the case of authentication failure, further comprise:
Step S025: when the authentication result received by the VPN server indicates authentication failure, returning authentication failure information to the VPN client and updating the authentication failure count of the current VPN login account;
Step S026: the VPN server determining, according to the authentication failure count, whether to perform a protective operation, where the protective operation includes at least one of: locking the current VPN login account, and raising an alarm.
The authentication failure information can include the reason for the failure. A practitioner should keep the reason returned to the client coarse enough that it does not distinguish an unknown account from a wrong password, since that distinction lets an attacker enumerate valid accounts.
In one example, if the number of authentication failures within a preset period reaches a preset threshold, the VPN server can perform the protective operation. Besides locking the current VPN login account, the protective operation can also send a warning to the user by SMS or phone using the user contact information bound to the VPN login account.
Furthermore, to strengthen the security of the VPN login, the authentication failure information can also include the time, IP address, terminal device identifier and geographic location of each failed authentication, so that the user can clearly understand the circumstances of the failure and take protective measures in time.
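The failure handling of steps S025 and S026, with the per-failure details listed above, is shown below as an added example in Python; it is not code from the patent or from the assignee. The patent leaves the period, the threshold and the form of the alarm open, so the 10-minute window, the threshold of 5, the 15-minute lock, the `notify` callback standing in for the SMS or phone warning, the `vpn_login_gate` helper and the sample IP address, device identifier and location are all assumptions made here.

```python
"""Failure counting and protection (steps S025 and S026).

Added example, not the patent's code. Assumed parameters: a 10-minute window,
a threshold of 5 failures, a 15-minute lock, and a notify callback standing in
for the SMS or phone warning sent to the contact bound to the account.
"""
import collections

WINDOW = 600        # seconds over which failures are counted (assumed)
THRESHOLD = 5       # failures in the window that trigger protection (assumed)
LOCK_SECONDS = 900  # how long the account stays locked (assumed)


class Clock:
    def __init__(self, t=1_700_000_000):
        self.t = t  # epoch seconds, advanced by hand

    def __call__(self):
        return self.t


class FailureTracker:
    """Per-account failure counter with lock and alarm, kept by the VPN server."""
    def __init__(self, clock, notify=None):
        self.clock = clock                          # callable returning epoch seconds
        self.notify = notify or (lambda account, text: None)
        self.failures = collections.defaultdict(collections.deque)
        self.locked_until = {}
        self.alerts = []                            # record of alarms raised

    def is_locked(self, account):
        return self.locked_until.get(account, 0) > self.clock()

    def record_failure(self, account, reason, ip, device_id, geo):
        """Step S025: update the count and build the failure message for the client."""
        now = self.clock()
        window = self.failures[account]
        window.append(now)
        while window and window[0] <= now - WINDOW:  # forget failures outside the window
            window.popleft()
        message = {"result": "authentication failed", "reason": reason,
                   "time": now, "ip": ip, "device": device_id, "geo": geo,
                   "failures_in_window": len(window)}
        # Step S026: decide whether a protective operation is due.
        if len(window) >= THRESHOLD and not self.is_locked(account):
            self.locked_until[account] = now + LOCK_SECONDS
            text = (f"{account}: {len(window)} failed VPN logins in {WINDOW}s, "
                    f"last from {ip} ({geo}, {device_id}); account locked")
            self.alerts.append(text)
            self.notify(account, text)
            message["locked"] = True
        return message

    def record_success(self, account):
        """A successful login clears the failure history of that account."""
        self.failures.pop(account, None)


def vpn_login_gate(tracker, account, password_ok, ip, device_id, geo):
    """VPN-server side handling around the authentication server's verdict.

    password_ok stands in for the authentication result (constructed input).
    A locked account is refused without consulting the authentication server,
    and the reason sent to the client does not reveal whether the account exists.
    """
    if tracker.is_locked(account):
        return {"result": "authentication failed", "reason": "account locked"}
    if not password_ok:
        return tracker.record_failure(account, "bad credentials", ip, device_id, geo)
    tracker.record_success(account)
    return {"result": "login successful"}
```

Usage: construct `FailureTracker(Clock())` once per VPN server and call `vpn_login_gate` for every login attempt; the fifth failure within the window locks the account, appends one alarm text to `tracker.alerts` and calls `notify`, and a correct password is refused until the lock expires. The per-failure time, IP address, device identifier and location travel back to the client in the failure message, as the text above describes.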
Based on the above method, in one embodiment a single sign-on method applied to a VPN server can be presented from the VPN server's point of view. Fig. 3 is a flow chart of a single sign-on method applied to a VPN server according to an exemplary embodiment of the present disclosure. The method comprises:
Step S031: when the input of a VPN login account is detected, sending the VPN login account to the authentication server;
Step S032: when the authentication result returned by the authentication server after authenticating the VPN login account indicates successful authentication, and a resource request for a single sign-on resource is received, sending the token to the single sign-on authentication center of the resource server;
Step S033: when the verification result returned by the single sign-on authentication center after verifying the token indicates success, returning the user interface of the target resource system associated with the resource request to the VPN client;
Step S034: when the verification result returned by the single sign-on authentication center after verifying the token indicates failure, returning single sign-on verification failure information and/or a single sign-on authentication interface to the VPN client.
For steps S031 to S034, refer to the related description above, which is not repeated here.
To further strengthen the security of the VPN login, in one embodiment the single sign-on method applied to the VPN server can further comprise:
Step S036: when the received authentication result indicates authentication failure, returning authentication failure information to the VPN client and updating the authentication failure count of the current VPN login account;
Step S037: determining, according to the authentication failure count, whether to perform a protective operation, where the protective operation includes at least one of: locking the current VPN login account, and raising an alarm.
For steps S036 and S037, refer to the related description above, which is not repeated here.
Corresponding to the foregoing embodiment of the single sign-on method applied to a VPN system, the embodiments of the present invention also provide a single sign-on device based on a virtual private network. Fig. 4 is a structural block diagram of a single sign-on device based on a virtual private network according to an exemplary embodiment of the present invention. The device 400 comprises a VPN server 401, an authentication server 402 and a resource server 403, where the resource server 403 comprises a single sign-on authentication center 4031 and a resource system 4032.
When the VPN server 401 detects the input of a VPN login account, it sends the VPN login account to the authentication server 402;
the authentication server 402 authenticates the VPN login account and returns the authentication result to the VPN server 401, where the authentication result on successful authentication includes a token that serves as the single sign-on authentication credential;
when the authentication result received by the VPN server 401 indicates successful authentication, and a resource request for a single sign-on resource is received, the VPN server 401 sends the token to the single sign-on authentication center 4031;
the single sign-on authentication center 4031 verifies the token and performs the corresponding operation according to the verification result.
In one embodiment, when the authentication result of authenticating the VPN login account is success, the authentication server 402 generates the token on the basis of the user information associated with the VPN login account.
In one embodiment, after the single sign-on authentication center 4031 verifies the token, the operation it performs according to the verification result can include:
when the verification result indicates success, logging in to the target resource system 4032 associated with the resource request and returning the user interface of the target resource system 4032 to the VPN client through the VPN server 401;
when the verification result indicates failure, returning verification failure information and a single sign-on authentication interface to the VPN client through the VPN server 401.
In one embodiment, to improve the security of the VPN login, the VPN server 401 can further be configured to:
when the received authentication result indicates authentication failure, return authentication failure information to the VPN client and update the authentication failure count of the current VPN login account; and
determine, according to the authentication failure count, whether to perform a protective operation, where the protective operation includes at least one of: locking the current VPN login account, and raising an alarm.
Corresponding to the foregoing embodiment of the single sign-on method applied to a VPN server, an embodiment of the invention further provides a single sign-on device applied to a VPN server. Fig. 5 is a structural block diagram of a single sign-on device applied to a VPN server according to an exemplary embodiment of the invention. The device 500 comprises a detection module 501, a first transceiver module 502 and a second transceiver module 503:
the detection module 501 is configured to detect whether a VPN login account is input;
the first transceiver module 502 is configured to, when the detection module 501 detects the input of a VPN login account, send the VPN login account to the authentication server, so that the authentication server authenticates the VPN login account and returns the authentication result to the second transceiver module 503; when authentication succeeds, the authentication result includes a token that serves as the single sign-on authentication credential;
the second transceiver module 503 is configured to, when the received authentication result indicates success and a resource request for a single sign-on resource is received, send the token to the single sign-on authentication center of the resource server; the single sign-on authentication center verifies the token and performs the corresponding operation according to the verification result; the resource server comprises the single sign-on authentication center and a resource system.
In one embodiment, the device 500 may further comprise:
an update module, configured to, when the authentication result received by the second transceiver module 503 indicates authentication failure, return authentication failure information to the VPN client and update the authentication failure count of the current VPN login account;
a protection module, configured to determine, according to the authentication failure count, whether to perform a protective operation, the protective operation including at least one of: locking the current VPN login account, raising an alert.
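The flow described for the system of Fig. 4 and the VPN-server device of Fig. 5 (VPN server relaying the login account, authentication server issuing a token from the account's user information, single sign-on authentication center verifying it and logging in to the target resource system, plus the failure counter and protective operation), written out as a runnable Python model. This is an added example, not code from the patent or its assignee; the HMAC-signed token format, the key shared between authentication server and single sign-on center, the 600-second validity window, the three-failure lockout threshold and all account, password and resource-system names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: the authentication server and the single sign-on authentication
# center share one HMAC key, so the center can verify tokens without a callback.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 600  # seconds a token stays valid (assumed value)


def _sign(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    """Authentication server: checks the VPN login account, issues the token."""
    def __init__(self, key: bytes, users: dict):
        self.key, self.users = key, users  # account -> {"pw_hash", "rights"}

    def authenticate(self, account: str, password: str, now: float) -> dict:
        user = self.users.get(account)
        given = hashlib.sha256(password.encode()).hexdigest()  # demo only; use a slow KDF
        if not user or not hmac.compare_digest(given, user["pw_hash"]):
            return {"status": "fail"}
        # Token content is user information tied to the account (name, login
        # time, rights); the password itself is never embedded.
        payload = {"account": account, "login_time": now, "rights": user["rights"]}
        body = json.dumps(payload, sort_keys=True).encode().hex()
        return {"status": "ok", "token": body + "." + _sign(body, self.key)}


class SSOAuthCenter:
    """Single sign-on authentication center inside the resource server."""
    def __init__(self, key: bytes, resource_systems: set):
        self.key, self.resource_systems = key, resource_systems

    def verify(self, token: str, resource: str, now: float) -> dict:
        fail = {"status": "fail", "ui": "sso-login"}  # failure info + SSO login page
        body, _, mac = token.partition(".")
        if not hmac.compare_digest(mac, _sign(body, self.key)):
            return fail  # forged or altered token
        payload = json.loads(bytes.fromhex(body))
        if now - payload["login_time"] > TOKEN_TTL:
            return fail  # token too old
        if resource not in self.resource_systems or resource not in payload["rights"]:
            return fail  # unknown system, or the user lacks the right to it
        # Verified: log in to the target resource system and return its UI (a string here).
        return {"status": "ok", "ui": f"{resource}:home:{payload['account']}"}


class VPNServer:
    """VPN server: relays credentials, keeps the token, enforces the lockout."""
    def __init__(self, auth: AuthServer, sso: SSOAuthCenter, max_failures: int = 3):
        self.auth, self.sso, self.max_failures = auth, sso, max_failures
        self.failures, self.locked, self.alerts, self.sessions = {}, set(), [], {}

    def login(self, account: str, password: str, now: float) -> dict:
        if account in self.locked:
            return {"status": "locked"}
        result = self.auth.authenticate(account, password, now)
        if result["status"] != "ok":
            count = self.failures[account] = self.failures.get(account, 0) + 1
            if count >= self.max_failures:  # protective operation: lock and alert
                self.locked.add(account)
                self.alerts.append(f"{account} locked after {count} failures")
            return {"status": "auth_failed", "failures": count}
        self.failures.pop(account, None)
        self.sessions[account] = result["token"]  # token stays on the VPN server
        return {"status": "ok"}

    def request_resource(self, account: str, resource: str, now: float) -> dict:
        token = self.sessions.get(account)
        if token is None:
            return {"status": "fail", "ui": "vpn-login"}
        return self.sso.verify(token, resource, now)


def run_demo() -> dict:
    users = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
                       "rights": ["oa", "crm"]}}  # constructed account
    vpn = VPNServer(AuthServer(SHARED_KEY, users),
                    SSOAuthCenter(SHARED_KEY, {"oa", "crm", "hr"}))
    t0 = 1_700_000_000.0  # constructed login time
    out = {"login": vpn.login("alice", "correct horse", t0)["status"]}
    out["oa"] = vpn.request_resource("alice", "oa", t0 + 1)["status"]
    out["hr"] = vpn.request_resource("alice", "hr", t0 + 1)["status"]  # no right
    out["expired"] = vpn.request_resource("alice", "oa", t0 + TOKEN_TTL + 1)["status"]
    # A token body that claims the "hr" right under the old signature must be rejected.
    claimed = {"account": "alice", "login_time": t0, "rights": ["hr"]}
    body = json.dumps(claimed, sort_keys=True).encode().hex()
    vpn.sessions["alice"] = body + "." + vpn.sessions["alice"].partition(".")[2]
    out["altered"] = vpn.request_resource("alice", "hr", t0 + 1)["status"]
    for _ in range(3):  # three wrong passwords reach the lockout threshold
        last = vpn.login("mallory", "guess", t0)
    out["failures"] = last["failures"]
    out["locked"] = vpn.login("mallory", "guess", t0)["status"]
    out["alerts"] = len(vpn.alerts)
    return out
```

Calling `run_demo()` walks every branch the text names: a successful login followed by a verified resource request, a verification failure for a system the user has no right to, an expired token, a token whose body was altered after signing, and the failure counter reaching the threshold so that the account is locked and an alert is recorded. The token is held by the VPN server and forwarded to the single sign-on center on each resource request; the VPN client never receives it.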
For the devices or modules in any of the above device embodiments, the process by which each device or module implements its function and effect is described in detail in the corresponding steps of the method above and is not repeated here.
Since the device embodiments correspond essentially to the method embodiments, the relevant points can be found in the description of the method embodiments. The device embodiments described above are merely illustrative; the modules described as separate units may or may not be physically separate. Some or all of the modules may be selected according to actual needs to achieve the purpose of the disclosed scheme, which those of ordinary skill in the art can understand and implement without creative effort.
Corresponding to any of the above embodiments of the single sign-on method, an exemplary embodiment of the invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the single sign-on method of any of the preceding embodiments are implemented.
The embodiments of the invention may take the form of a computer program product implemented on one or more storage media containing program code (including but not limited to disk storage, CD-ROM and optical memory). Computer-readable storage media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include but are not limited to: phase-change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
The foregoing is merely a description of preferred embodiments of the invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (10)

1. A single sign-on method based on a virtual private network, characterized in that the method comprises:
when a VPN server detects the input of a VPN login account, sending the VPN login account to an authentication server;
the authentication server authenticating the VPN login account and returning the authentication result to the VPN server, wherein, when authentication succeeds, the authentication result includes a token serving as the single sign-on authentication credential;
when the authentication result received by the VPN server indicates success and a resource request for a single sign-on resource is received, sending the token to the single sign-on authentication center of a resource server, wherein the resource server comprises the single sign-on authentication center and a resource system;
the single sign-on authentication center verifying the token and performing the corresponding operation according to the verification result.
2. The single sign-on method based on a virtual private network according to claim 1, characterized in that, before the authentication server returns the authentication result to the VPN server, the method further comprises:
when the authentication server successfully authenticates the VPN login account, generating the token from user information associated with the VPN login account, wherein the user information includes at least one of: account name, account password, login time, user rights.
3. The single sign-on method based on a virtual private network according to claim 1, characterized in that the single sign-on authentication center verifying the token and performing the corresponding operation according to the verification result comprises:
when the verification result indicates success, logging in to the target resource system associated with the resource request, and returning the user interface of the target resource system to the VPN client through the VPN server.
4. The single sign-on method based on a virtual private network according to claim 3, characterized in that the single sign-on system verifying the token and performing the corresponding operation according to the verification result further comprises:
when the verification result indicates failure, returning verification failure information and the single sign-on authentication interface to the VPN client through the VPN server.
5. The single sign-on method based on a virtual private network according to claim 1, characterized in that the method further comprises:
when the authentication result received by the VPN server indicates authentication failure, returning authentication failure information to the VPN client and updating the authentication failure count of the current VPN login account;
the VPN server determining, according to the authentication failure count, whether to perform a protective operation, the protective operation including at least one of: locking the current VPN login account, raising an alert.
6. A single sign-on method based on a virtual private network, characterized in that it is applied to a VPN server and the method comprises:
when the input of a VPN login account is detected, sending the VPN login account to an authentication server, the authentication server being configured to authenticate the VPN login account and return the authentication result to the VPN server, wherein, when authentication succeeds, the authentication result includes a token serving as the single sign-on authentication credential;
when the authentication result returned by the authentication server indicates success and a resource request for a single sign-on resource is received, sending the token to the single sign-on authentication center of a resource server, wherein the single sign-on authentication center is configured to verify the token and perform the corresponding operation according to the verification result, and the resource server comprises the single sign-on authentication center and a resource system.
7. The single sign-on method based on a virtual private network according to claim 6, characterized in that the method further comprises:
when the received authentication result indicates authentication failure, returning authentication failure information to the VPN client and updating the authentication failure count of the current VPN login account;
determining, according to the authentication failure count, whether to perform a protective operation, the protective operation including at least one of: locking the current VPN login account, raising an alert.
8. A single sign-on device based on a virtual private network, characterized in that the device comprises a VPN server, an authentication server and a resource server, the resource server comprising a single sign-on authentication center and a resource system;
when the VPN server detects the input of a VPN login account, it sends the VPN login account to the authentication server;
the authentication server authenticates the VPN login account and returns the authentication result to the VPN server, wherein, when authentication succeeds, the authentication result includes a token serving as the single sign-on authentication credential;
when the authentication result received by the VPN server indicates success and a resource request for a single sign-on resource is received, the VPN server sends the token to the single sign-on authentication center;
the single sign-on authentication center verifies the token and performs the corresponding operation according to the verification result.
9. A single sign-on device based on a virtual private network, characterized in that it is applied to a VPN server and the device comprises a detection module, a first transceiver module and a second transceiver module:
the detection module is configured to detect whether a VPN login account is input;
the first transceiver module is configured to, when the detection module detects the input of a VPN login account, send the VPN login account to an authentication server, so that the authentication server authenticates the VPN login account and returns the authentication result to the second transceiver module, wherein, when authentication succeeds, the authentication result includes a token serving as the single sign-on authentication credential;
the second transceiver module is configured to, when the received authentication result indicates success and a resource request for a single sign-on resource is received, send the token to the single sign-on authentication center of a resource server, wherein the single sign-on authentication center is configured to verify the token and perform the corresponding operation according to the verification result, and the resource server comprises the single sign-on authentication center and a resource system.
10. The device according to claim 9, characterized in that the device further comprises:
an update module, configured to, when the authentication result received by the second transceiver module indicates authentication failure, return authentication failure information to the VPN client and update the authentication failure count of the current VPN login account;
a protection module, configured to determine, according to the authentication failure count, whether to perform a protective operation, the protective operation including at least one of: locking the current VPN login account, raising an alert.
CN201811398817.3A 2018-11-22 2018-11-22 Single sign-on method and device based on virtual private network Active CN109347864B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811398817.3A CN109347864B (en) 2018-11-22 2018-11-22 Single sign-on method and device based on virtual private network

Publications (2)

Publication Number Publication Date
CN109347864A true CN109347864A (en) 2019-02-15
CN109347864B CN109347864B (en) 2021-05-28

Family

ID=65317482

Country Status (1)

Country Link
CN (1) CN109347864B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109862047A (en) * 2019-04-18 2019-06-07 首约科技(北京)有限公司 The method, apparatus and storage medium of login service device
CN110086785A (en) * 2019-04-12 2019-08-02 杭州迪普科技股份有限公司 User authen method and device based on VPN
CN111191202A (en) * 2019-12-31 2020-05-22 北京指掌易科技有限公司 Single sign-on method, device and system for mobile application
CN113641971A (en) * 2021-08-20 2021-11-12 武汉极意网络科技有限公司 Exception handling system based on behavior verification
CN116170234A (en) * 2023-04-23 2023-05-26 北京首信科技股份有限公司 Single sign-on method and system based on virtual account authentication
WO2023092316A1 (en) * 2021-11-24 2023-06-01 国云科技股份有限公司 Third-party service login method and apparatus, terminal device, and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805341A (en) * 2006-01-11 2006-07-19 西安电子科技大学 Network authentication and key allocation method across secure domains
CN101060520A (en) * 2006-04-21 2007-10-24 盛趣信息技术(上海)有限公司 Token-based SSO authentication system
CN101674304A (en) * 2009-10-15 2010-03-17 浙江师范大学 Network identity authentication system and method
CN103188248A (en) * 2011-12-31 2013-07-03 卓望数码技术(深圳)有限公司 Identity authentication system and method based on single sign-on
US20130298215A1 (en) * 2012-05-04 2013-11-07 Rawllin International Inc. Single sign-on user registration for online or client account services
CN104320423A (en) * 2014-11-19 2015-01-28 重庆邮电大学 Single sign-on light weight implementation method based on Cookie
CN104348791A (en) * 2013-07-30 2015-02-11 北京神州泰岳软件股份有限公司 Single sign on method and system
CN107070880A (en) * 2017-02-16 2017-08-18 济南浪潮高新科技投资发展有限公司 A kind of method and system of single-sign-on, a kind of authentication center's server
CN107231346A (en) * 2017-05-03 2017-10-03 北京海顿中科技术有限公司 A kind of method of cloud platform identification
CN107294916A (en) * 2016-03-31 2017-10-24 北京神州泰岳软件股份有限公司 Single-point logging method, single-sign-on terminal and single-node login system

Also Published As

Publication number Publication date
CN109347864B (en) 2021-05-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant