CN117411724B - Method and device for sharing credentials across multiple applications of zero-trust application gateway - Google Patents


Info

Publication number: CN117411724B
Authority: CN (China)
Prior art keywords: application, domain name, user, zero, authentication
Legal status: Active
Application number: CN202311704237.3A
Other languages: Chinese (zh)
Other versions: CN117411724A
Inventors: 何艺, 孙维伯, 陈洪国, 史福生
Current and original assignee: Beijing Zhian Technology Co., Ltd.
Events: application CN202311704237.3A filed by Beijing Zhian Technology Co., Ltd.; priority to CN202311704237.3A; publication of CN117411724A; application granted; publication of CN117411724B; legal status active.

Classifications

    • H04L63/0876: Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L61/4511: Network arrangements, protocols or services for addressing or naming; network directories and name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
    • H04L63/10: Network architectures or network communication protocols for network security; controlling access to devices or network resources
    • H04L63/306: Network architectures or network communication protocols for network security; supporting lawful interception, monitoring or retaining of communications; intercepting packet-switched data communications, e.g. Web, Internet or IMS communications
    • H04L9/40: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and device for multi-application cross-domain credential sharing at a zero-trust gateway. The zero-trust gateway monitors a user's request to access an application, the application's domain name having been resolved to the zero-trust gateway. The gateway intercepts the request and judges whether it has been authenticated. If so, it compares the application's domain name with a preset domain name and judges from the comparison result whether the application's domain name is cross-domain. If it is, the gateway generates a temporary authorization code from the authentication credential it obtained when it authenticated the user's access to the application. The authentication credential is then fetched by means of the temporary authorization code and set in the browser for the application being accessed, and access to the application continues through the domain name the user requested. The method and device let a zero-trust gateway handle unified authentication for multiple applications, share the credential among them, and give the user cross-domain access to the same application.

Description

Method and device for sharing credentials across multiple applications of zero-trust application gateway
Technical Field
Embodiments of the present application belong to the technical field of network security and in particular relate to a method and device for cross-domain credential sharing among multiple applications behind a zero-trust application gateway.
Background
In the prior art an application is accessed under one domain name, yet cross-domain access is common, and because the browser applies different security attributes to the cookie before and after a cross-domain jump, single sign-on cannot normally complete the cross-domain jump.
If single sign-on and unified authorization for applications behind a zero-trust gateway are to be built on browser cookies, most onboarded applications have different domain names; a cookie carried under the old domain name is not sent to the application under the new domain name, so cross-domain access easily ends in a login failure. If the cookie is not shared among the several domain names, one user holds several authentication tickets and has to log in several times, which is inconvenient.
Disclosure of Invention
To solve or alleviate the problems in the prior art, embodiments of the present application provide a method for zero-trust gateway multi-application cross-domain credential sharing, the method including:
monitoring, through a zero-trust gateway, a user's request to access an application, the domain name of the application having been resolved to the zero-trust gateway;
intercepting the user's request to access the application and judging whether the request has been authenticated;
if so, comparing the domain name of the application with a preset domain name and judging from the comparison result whether the application's domain name is cross-domain;
if it is, generating a temporary authorization code from the authentication credential obtained when the zero-trust gateway authenticated the user's access to the application;
fetching the authentication credential by means of the temporary authorization code and setting it in the browser for the application being accessed;
and continuing to access the application through the domain name of the application the user requested.
As a preferred embodiment of the present application, fetching the authentication credential by means of the temporary authorization code includes:
redirecting the domain name the user is accessing to a temporary domain name (a URL under the application's domain) that contains an identification string and the temporary authorization code;
the zero-trust gateway intercepting the request made through the temporary domain name, judging whether the temporary domain name contains the identification string and, if it does, fetching the authentication credential from the browser's preset domain name by means of the temporary authorization code.
As a preferred embodiment of the present application, before the temporary authorization code in the temporary domain name is used to fetch the authentication credential from the browser's preset domain name, the method includes:
the zero-trust gateway proxying the request made through the temporary domain name, as a reverse proxy, to the application the user is accessing.
As a preferred embodiment of the present application, continuing to access the application through the domain name the user requested includes:
replacing the temporary domain name with the domain name the user requested and initiating the access request again;
judging, through the zero-trust gateway, whether the authentication credential in the browser for the application is valid;
and if so, the zero-trust gateway releasing the user's access request.
As a preferred embodiment of the present application, when no authentication credential is found in the browser accessing the application, the browser is redirected to an authentication page for authentication;
and when authentication passes, an authentication credential is generated and set in the browser accessing the application under the preset domain name.
As a preferred embodiment of the present application, after the zero-trust gateway has released the user's access request, the method includes:
judging whether the application being accessed has other dependent domain names;
and if so, setting the authentication credential in the browser for those other dependent domain names.
As a preferred embodiment of the present application, setting the authentication credential in the browser for the other dependent domain names includes:
redirecting the domain name the user is accessing to the other dependent domain name;
the user's request reaching the zero-trust gateway reverse proxy that corresponds to the application under the other dependent domain name;
and, if the other dependent domain name does not itself depend on further domain names, fetching the authentication credential and setting it in the browser for the application accessed through the other dependent domain name.
As a preferred embodiment of the present application, after the authentication credential has been set in the browser for the application accessed through the other dependent domain name, the method includes:
redirecting to the application under the other dependent domain name;
judging, through the zero-trust gateway, whether the authentication credential in the browser for the other dependent domain name is valid;
and if so, the zero-trust gateway releasing the user's access request.
As a preferred embodiment of the present application, the method further includes:
judging whether the storage time of the authentication credential exceeds a preset time;
and if so, deleting the authentication credential.
Compared with the prior art, the method of this embodiment has the zero-trust gateway monitor and intercept the user's access request (the application's domain name having been resolved to the gateway), judge whether it is authenticated, judge from a comparison with the preset domain name whether it is cross-domain, and if so derive a temporary authorization code from the authentication credential, use that code to fetch the credential and set it in the browser for the application, and then continue the access under the domain name the user requested. The zero-trust gateway thereby handles unified authentication for multiple applications, shares the credential among them, and gives the user cross-domain access to the same application.
In a second aspect, an embodiment of the present application provides a zero-trust gateway multi-application cross-domain credential-sharing device, including:
a monitoring module, configured to monitor, through a zero-trust gateway, a user's request to access an application, the domain name of the application having been resolved to the zero-trust gateway;
a judging module, configured to intercept the user's request to access the application and judge whether the request has been authenticated;
a comparison module, configured to compare the application's domain name with a preset domain name and judge from the comparison result whether the application's domain name is cross-domain;
a generating module, configured, if it is, to generate a temporary authorization code from the authentication credential obtained when the zero-trust gateway authenticated the user's access to the application;
a setting module, configured to fetch the authentication credential by means of the temporary authorization code and set it in the browser for the application being accessed;
and an access module, configured to continue accessing the application through the domain name of the application the user requested.
Compared with the prior art, the beneficial effects of the zero-trust gateway multi-application cross-domain credential-sharing device provided by the application are the same as those of the first aspect and are not repeated here.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of it, illustrate embodiments of the application and, together with the description, serve to explain the application without unduly limiting it. Some specific embodiments of the present application are described in detail below by way of example and not limitation with reference to the accompanying drawings. The same reference numbers in the drawings denote the same or similar parts, and those skilled in the art will understand that the drawings are not necessarily drawn to scale, in which:
fig. 1 is a flow chart of a method for sharing credentials across domains by multiple applications of a zero trust gateway according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a zero trust gateway multi-application cross-domain shared credential device according to an embodiment of the present application.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application. It will be apparent that the described embodiments are merely some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
In this application, every application accessed through the zero-trust gateway must have its domain name resolved to the zero-trust gateway by DNS.
The zero-trust gateway is the core component of a zero-trust architecture. It is usually deployed at the network entrance or in front of the application servers, separates users from resources, and enforces access-control policy on all traffic. A zero-trust security gateway generally comprises a security client, a dynamic access-control engine, an intelligent security brain, identity management and other components; it uses techniques such as application proxying, SPA (single packet authorization), enhanced identity management and AI; and it provides application access proxying, application resource hiding, multidimensional authentication of the accessing subject, dynamic access control, secure data transmission, access log auditing, API protection and similar functions, improving application access security while simplifying the access procedure and improving service efficiency.
In a first aspect, as shown in fig. 1, an embodiment of the present application provides a method for zero-trust gateway multi-application cross-domain credential sharing, the method including:
Step S01, monitoring, through a zero-trust gateway, a user's request to access an application, the domain name of the application having been resolved to the zero-trust gateway;
It should be noted that the application in this application may be an office automation (OA) system. An OA system links day-to-day business through specific workflows or links, improving the efficiency with which documents are circulated, approved and published, standardizing office management and information, and reducing an enterprise's operating costs.
Because the application's domain name is resolved to the zero-trust gateway, the user's request to access the application can be monitored.
In this embodiment, after the relevant system components start, the administrator onboards the applications under their management, for example http://1.com, https://2.com and https://3.com (where https://3.com depends on some static resources, such as JavaScript files, served by https://2.com), to the zero-trust gateway and directs the application requests to the zero-trust gateway by DNS resolution. The zero-trust gateway's own domain name is https://sso.com (hereinafter "the zero-trust gateway").
Step S02, intercepting the user's request to access the application and judging whether the request has been authenticated;
It should be noted that, in this embodiment, when an authentication credential is found in the browser accessing the application, the method proceeds to the next step, the cross-domain judgement;
when no authentication credential is found in the browser accessing the application, the browser is redirected to an authentication page for authentication;
and when authentication passes, an authentication credential is generated and set in the browser accessing the application under the preset domain name.
Specifically, when a user accesses a given application, the zero-trust gateway first intercepts the access request and must determine whether it has been authenticated. For example, user A accesses http://1.com; the zero-trust gateway triggers interception, checks for its authentication credential, and triggers a redirect to https://sso.com/login?changeUrl=http://1.com for login authentication. The zero-trust application gateway takes changeUrl=http://1.com out of the URL and judges whether user A is logged in. After login completes, two cookies are planted under the sso.com domain name. The first, named corstoken, is the standard SSO authentication ticket; its domain is set to sso.com, its Secure attribute is true and its SameSite attribute is None. The second, named token, is the encrypted SSO token; neither the Secure nor the SameSite attribute is set on it.
The method further includes:
judging whether the storage time of the authentication credential exceeds a preset time;
and if so, deleting the authentication credential.
It should be noted that the authentication credential in this application has a limited validity period: once the validity period set by the application is exceeded the credential is invalid and is therefore deleted, which keeps each application access secure.
Step S03, if so, comparing the domain name of the application with a preset domain name and judging from the comparison result whether the application's domain name is cross-domain;
In this embodiment the preset domain name is the domain name before the cross-domain jump. If the access request has already been authenticated by the zero-trust gateway, the gateway must determine whether the application's domain name matches the preset domain name; if it does not, the access request is cross-domain access.
Step S04, if it is, generating a temporary authorization code from the authentication credential obtained when the zero-trust gateway authenticated the user's access to the application;
It should be noted that it is necessary to check whether the access request involves a cross-domain jump; for example, http://1.com is cross-domain relative to sso.com, so the standard SSO authentication ticket cookie must additionally be planted under the 1.com domain name. A relaycode is generated from the authentication ticket corstoken held for the user in the zero-trust gateway, and the browser is redirected with a 302 to the URL http://1.com/zerotrust/setcookie?relaycode=123. This URL contains the domain name 1.com and the identification string zerotrust/setcookie.
Step S05, fetching the authentication credential by means of the temporary authorization code and setting it in the browser for the application being accessed;
Fetching the authentication credential by means of the temporary authorization code includes:
redirecting the domain name the user is accessing to a temporary domain name (a URL under the application's domain) that contains an identification string and the temporary authorization code;
the zero-trust gateway intercepting the request made through the temporary domain name, judging whether the temporary domain name contains the identification string and, if it does, fetching the authentication credential from the browser's preset domain name by means of the temporary authorization code.
Before the temporary authorization code in the temporary domain name is used to fetch the authentication credential from the browser's preset domain name, the method includes:
the zero-trust gateway proxying the request made through the temporary domain name, as a reverse proxy, to the application the user is accessing.
Specifically, when the access request is judged to be cross-domain, the zero-trust gateway redirects the user's browser from the domain name it is currently accessing to http://1.com/zerotrust/setcookie?relaycode=123. Because 1.com resolves to the gateway, the zero-trust application gateway receives this request and proxies it into its own related-application interface: it recognises the unique identifier zerotrust/setcookie in the request and, acting as reverse proxy, handles it itself instead of forwarding it to the application.
Note that a 302 redirect is also called a temporary redirect (HTTP 302 Found, originally "Moved Temporarily"). It is an instruction to the web browser to display a URL other than the one it requested. It is used when a page's URL changes for a short time, and a temporary redirect is a server-side redirect that search-engine spiders handle correctly.
Step S06, continuing to access the application through the domain name of the application the user requested.
Specifically, continuing to access the application through the domain name the user requested includes:
replacing the temporary domain name with the domain name the user requested and initiating the access request again;
judging, through the zero-trust gateway, whether the authentication credential in the browser for the application is valid;
and if so, the zero-trust gateway releasing the user's access request.
The related-application interface looks up, by the relaycode parameter 123, the authentication ticket held in the zero-trust gateway, plants it under the domain name 1.com, swaps the temporary address back to the original address http://1.com, and redirects there so that access continues.
The zero-trust gateway triggers interception again, judges whether the SSO authentication credential under that domain name is genuine and, once the ticket is judged genuine, releases the access request so that the application is reached.
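The six steps above as one runnable model, added for this page; it is the editor's code, not the patent's or Beijing Zhian Technology's. It keeps the names the description gives (the sso.com gateway domain, the changeUrl parameter, the corstoken and token cookies, the /zerotrust/setcookie identifier path and its relaycode parameter) and models the browser as a per-domain cookie jar that follows 302 redirects. Everything else is assumed: the onboarded applications are reached over https (a Secure cookie is not sent over plain http, so the text's http://1.com is taken as https://1.com here); tickets are random opaque strings with a one-hour lifetime standing in for the preset storage time of the expiry step; relay codes live sixty seconds, are single-use and are bound to the domain they were issued for; the URL to return to is stored with the code on the gateway rather than read back from the browser; changeUrl is honoured only for onboarded applications; and the encrypted value of the token cookie is replaced by a hash.

```python
"""Added model of steps S01-S06 (editor's example, not the patent's code)."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SSO_HOST = "sso.com"                     # gateway's own domain name (from the text)
APPS = {"1.com", "2.com", "3.com"}       # onboarded applications, DNS-resolved to the gateway
TICKET_TTL = 3600                        # assumed preset storage time of a credential, seconds
RELAY_TTL = 60                           # assumed lifetime of a relaycode, seconds
SETCOOKIE_PATH = "/zerotrust/setcookie"  # identification string in the temporary URL


def sso_cookie(domain, ticket):
    # corstoken as the text describes it: Domain=<domain>, Secure, SameSite=None
    return ("corstoken", ticket, {"Domain": domain, "Secure": True, "SameSite": "None"})


class Gateway:
    """Zero-trust gateway state: issued tickets and outstanding relay codes."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tickets = {}   # corstoken -> (user, expiry)
        self.relay = {}     # relaycode -> (corstoken, return_url, expiry)

    def ticket_valid(self, ticket):
        entry = self.tickets.get(ticket)
        if entry and self.clock() < entry[1]:
            return True
        self.tickets.pop(ticket, None)   # storage time exceeded: credential deleted
        return False

    def handle(self, url, cookies, user=None):
        """One intercepted request. cookies = {name: value} the browser sends for
        this host. Returns (status, location_or_body, [(name, value, attrs), ...])."""
        u = urlsplit(url)
        q = {k: v[0] for k, v in parse_qs(u.query).items()}
        host, path = u.hostname, u.path

        if host == SSO_HOST and path == "/login":                 # S02: authentication
            target = q.get("changeUrl", "")
            tu = urlsplit(target)
            if tu.hostname not in APPS | {SSO_HOST}:               # assumed allow-list check
                return 400, "changeUrl is not an onboarded application", []
            ticket, new_cookies = cookies.get("corstoken"), []
            if not self.ticket_valid(ticket):                       # no valid ticket: log in
                ticket = secrets.token_urlsafe(16)
                self.tickets[ticket] = (user, self.clock() + TICKET_TTL)
                new_cookies = [sso_cookie(SSO_HOST, ticket),
                               ("token", hashlib.sha256(ticket.encode()).hexdigest(), {})]
            if tu.hostname != SSO_HOST:                             # S03: cross-domain?
                code = secrets.token_urlsafe(8)                     # S04: relaycode
                self.relay[code] = (ticket, target, self.clock() + RELAY_TTL)
                loc = f"{tu.scheme}://{tu.hostname}{SETCOOKIE_PATH}?" + urlencode({"relaycode": code})
                return 302, loc, new_cookies
            return 302, target, new_cookies

        if path == SETCOOKIE_PATH:                                  # S05: temporary URL
            entry = self.relay.pop(q.get("relaycode", ""), None)    # single use
            if entry is None or self.clock() > entry[2]:
                return 403, "invalid, used or expired relaycode", []
            ticket, target, _ = entry
            if urlsplit(target).hostname != host:                   # code bound to its domain
                return 403, "relaycode issued for another domain", []
            return 302, target, [sso_cookie(host, ticket)]          # plant under 1.com, go back

        if host in APPS:                                            # S06: ordinary request
            if self.ticket_valid(cookies.get("corstoken")):
                return 200, f"released to upstream {host}{path}", []
            return 302, f"https://{SSO_HOST}/login?" + urlencode({"changeUrl": url}), []

        return 404, "host not onboarded", []


class Browser:
    """Per-domain cookie jar that follows the gateway's redirects."""

    def __init__(self, gateway):
        self.gw, self.jar = gateway, {}   # jar: domain -> {cookie name: value}

    def fetch(self, url, user="A", max_hops=8):
        trail = []
        for _ in range(max_hops):
            host = urlsplit(url).hostname
            status, loc, set_cookies = self.gw.handle(url, self.jar.get(host, {}), user)
            for name, value, attrs in set_cookies:
                self.jar.setdefault(attrs.get("Domain", host), {})[name] = value
            trail.append((status, url))
            if status != 302:
                return status, loc, trail
            url = loc
        raise RuntimeError("too many redirects")


if __name__ == "__main__":
    b = Browser(Gateway())
    print(b.fetch("https://1.com/oa/index")[2])
```

A first visit to https://1.com produces three redirects (to the login page, to the setcookie path, back to the original URL) and then a release; a later visit to https://2.com from the same browser reuses the sso.com ticket and needs no new login, which is the credential sharing the text describes. Because the relaycode travels in a URL, it will show up in browser history, Referer headers and gateway access logs, so the single-use rule and the short lifetime are what keep a leaked code from being replayed.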
After the zero-trust gateway has released the user's access request, the method includes:
judging whether the application being accessed has other dependent domain names;
and if so, setting the authentication credential in the browser for those other dependent domain names.
Specifically, suppose user A accesses https://3.com. The zero-trust gateway triggers interception and a redirect to https://sso.com/login?changeUrl=https://3.com. The gateway takes the changeUrl parameter https://3.com and judges whether user A is logged in; the browser holds a valid token, so user A is treated as logged in. The gateway then processes the dependency of https://3.com on the JavaScript static resources of https://2.com: it triggers a site-dependency jump, redirecting the request to https://sso.2.com/cross?origin=https://3.com&nextJump=https://2.com,https://3.com&crossToken=xxx&token=aesxxx. (https://sso.2.com is a gateway sub-domain under the 2.com domain name issued by the zero-trust application gateway; it is equivalent to sso.com and exists only so that cookies can be planted under the related application's domain.)
The related interface judges from the nextJump parameter that the request is trusted. Since 2.com itself depends on no further application (no further JavaScript static resources), the interface takes the token and crossToken parameters and plants them under the current domain name, removes https://2.com from the nextJump list https://2.com,https://3.com so that it becomes https://3.com, and redirects to https://sso.3.com/cross?origin=https://3.com&nextJump=https://3.com&crossToken=xxx&token=aesxxx.
The related interface again judges from the nextJump parameter that the request is trusted and, since there is no further dependent application, takes the token and crossToken parameters and plants them under the current domain name. After deleting the current domain name from nextJump it finds the list empty and redirects to the origin parameter, https://3.com. The zero-trust gateway triggers interception, judges whether the SSO authentication ticket under that domain name is genuine and, once the ticket is judged genuine, releases the request; user A has thus achieved single sign-on across domains and across the site dependency.
Because the cookies for every cross-domain application are either produced by a single authentication at the zero-trust application gateway or derived from that authentication through a relaycode mapping, all applications share the cookie on access.
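The two-hop chain for https://3.com, as an added example written for this page (the editor's code, not the patent's): the /cross interface, its origin, nextJump, crossToken and token parameters, and the sso.<app> sub-domain per application are taken from the description. The dependency map, the comma-separated nextJump encoding, the depth-first planting order for deeper dependency trees, and the trust checks (every hop and the origin must be an onboarded application, and the request must arrive on the sso sub-domain of the hop it is about to plant) are the editor's assumptions; the text does not say what "judged trusted from the nextJump parameter" checks, so treat that part as one reasonable reading.

```python
"""Added model of the dependent-domain jump chain (editor's example, not the patent's code)."""
from urllib.parse import parse_qs, urlencode, urlsplit

APPS = {"1.com", "2.com", "3.com"}                         # onboarded applications
DEPENDS = {"1.com": [], "2.com": [], "3.com": ["2.com"]}   # constructed: 3.com loads 2.com's static resources


def jump_order(app, depends=DEPENDS, seen=None):
    """Order in which cookies must be planted: an app's dependencies first,
    the app itself last; each domain at most once, so cycles terminate."""
    seen = set() if seen is None else seen
    if app in seen:
        return []
    seen.add(app)
    order = []
    for dep in depends.get(app, []):
        order += jump_order(dep, depends, seen)
    return order + [app]


def cross_url(hops, origin, cross_token, token):
    """The /cross request for the first remaining hop, on that hop's sso.<app> sub-domain."""
    return f"https://sso.{hops[0]}/cross?" + urlencode({
        "origin": origin,
        "nextJump": ",".join(f"https://{h}" for h in hops),
        "crossToken": cross_token,
        "token": token,
    })


def handle_cross(url, jar):
    """Gateway side of one hop: check the chain, plant the two cookies under the
    current app domain, pop it from nextJump and return the next Location.
    jar: domain -> {cookie name: value}, standing in for the browser's cookie store."""
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    hops = [urlsplit(x).hostname for x in q.get("nextJump", "").split(",") if x]
    origin = urlsplit(q.get("origin", "")).hostname
    # trust checks (assumed): origin and every hop must be onboarded, and the request
    # must arrive on the sso sub-domain of the hop it is about to plant
    if origin not in APPS or not hops or any(h not in APPS for h in hops):
        raise ValueError("untrusted origin or nextJump entry")
    if u.hostname != f"sso.{hops[0]}":
        raise ValueError("request host does not match the current hop")
    current = hops.pop(0)
    jar.setdefault(current, {}).update({"corstoken": q["crossToken"], "token": q["token"]})
    if hops:                                   # more dependent domains to seed
        return cross_url(hops, q["origin"], q["crossToken"], q["token"])
    return q["origin"]                         # chain exhausted: back to the origin app


def follow_chain(origin_app, cross_token, token, depends=DEPENDS, max_hops=10):
    """Browser side: start the chain for origin_app and follow it to the end."""
    jar = {}
    url = cross_url(jump_order(origin_app, depends), f"https://{origin_app}", cross_token, token)
    for _ in range(max_hops):
        url = handle_cross(url, jar)
        if urlsplit(url).hostname in APPS:      # landed on the application itself
            return url, jar
    raise RuntimeError("jump chain did not terminate")


if __name__ == "__main__":
    print(follow_chain("3.com", "xxx", "aesxxx"))
```

follow_chain("3.com", "xxx", "aesxxx") plants the cookies under 2.com and then 3.com and ends at https://3.com, where the ordinary interception of step S06 validates the ticket. Because crossToken and token travel in the query string of each redirect, they appear in browser history and in the gateway's access log for every hop; pinning each hop to an onboarded host at least keeps a tampered nextJump from bouncing them to a domain the attacker controls.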
A cookie, sometimes in its plural form cookies, is a small text file: data (usually encrypted) that a website stores on the user's local terminal for session tracking in order to identify the user, saved temporarily or permanently by the user's client computer.
In a second aspect, an embodiment of the present application provides a zero-trust gateway multi-application cross-domain credential-sharing device, including:
a monitoring module 21, configured to monitor, through a zero-trust gateway, a user's request to access an application, the domain name of the application having been resolved to the zero-trust gateway;
a judging module 22, configured to intercept the user's request to access the application and judge whether the request has been authenticated;
a comparison module 23, configured to compare the application's domain name with a preset domain name and judge from the comparison result whether the application's domain name is cross-domain;
a generating module 24, configured, if it is, to generate a temporary authorization code from the authentication credential obtained when the zero-trust gateway authenticated the user's access to the application;
a setting module 25, configured to fetch the authentication credential by means of the temporary authorization code and set it in the browser for the application being accessed;
and an access module 26, configured to continue accessing the application through the domain name of the application the user requested.
Compared with the prior art, the beneficial effects of the zero-trust gateway multi-application cross-domain credential-sharing device provided by the application are the same as those of the first aspect and are not repeated here.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present application and do not limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solution described in the foregoing embodiments can still be modified, or some or all of its technical features replaced by equivalents, and that such modifications and substitutions do not take the corresponding technical solution outside the scope of the technical solutions of the embodiments of the present application.

Claims (9)

1. A method for multi-application cross-domain credential sharing by a zero-trust application gateway, the method comprising:
monitoring, through a zero trust gateway, a request by a user to access an application, wherein the domain name of the application is resolved to the zero trust gateway;
intercepting the request of the user to access the application and judging whether the request has been authenticated;
if so, comparing the domain name of the application with a preset domain name and judging, according to the comparison result, whether the domain name of the application is a cross-domain name;
if it is, generating a temporary authorization code from the authentication credential that the zero trust gateway obtained when it authenticated the user's access to the application;
acquiring the authentication credential on the basis of the temporary authorization code and setting the authentication credential in the browser from which the application is accessed;
continuing to access the application through the domain name of the application accessed by the user;
wherein acquiring the authentication credential on the basis of the temporary authorization code comprises:
redirecting the domain name through which the user accesses the application to a temporary domain name, the temporary domain name containing identification characters and the temporary authorization code;
the zero trust gateway intercepting the request to access the application through the temporary domain name, judging whether the temporary domain name contains the identification characters, and, if it does, acquiring the authentication credential from the browser of the preset domain name through the temporary authorization code.
2. The method for multi-application cross-domain credential sharing by a zero-trust application gateway of claim 1, wherein, before the authentication credential is acquired from the browser of the preset domain name through the temporary authorization code in the temporary domain name, the method comprises:
the zero trust gateway proxying, by reverse proxy, the request to access the application through the temporary domain name to the application accessed by the user.
3. The method for multi-application cross-domain credential sharing by a zero-trust application gateway of claim 2, wherein continuing to access the application through the domain name of the application accessed by the user comprises:
replacing the temporary domain name with the domain name accessed by the user and initiating a request to access the application;
judging, through the zero trust gateway, whether the authentication credential in the browser from which the user accesses the application is valid;
and if so, the zero trust gateway releasing the request of the user to access the application.
4. The method for multi-application cross-domain credential sharing by a zero-trust application gateway of claim 1, wherein, when it is judged that no authentication credential exists in the browser accessing the application, the method redirects to an authentication page for authentication;
and when the authentication passes, generates an authentication credential and sets the authentication credential in the browser accessing the application through the preset domain name.
5. The method for multi-application cross-domain credential sharing by a zero-trust application gateway of claim 3, wherein the zero trust gateway releasing the request of the user to access the application comprises:
judging whether the accessed application has other dependent domain names;
and if so, setting the authentication credential in the browser for the other dependent domain names.
6. The method for multi-application cross-domain credential sharing by a zero-trust application gateway of claim 5, wherein setting the authentication credential in the browser for the other dependent domain names comprises:
redirecting the domain name through which the user accesses the application to the other dependent domain name;
the user accessing, through the zero trust gateway reverse proxy, the application corresponding to the other dependent domain name;
and if the other dependent domain name does not itself depend on a further domain name, acquiring the authentication credential and setting the authentication credential in the browser accessing the application through the other dependent domain name.
7. The method for multi-application cross-domain credential sharing by a zero-trust application gateway of claim 6, wherein setting the authentication credential in the browser accessing the application through the other dependent domain name comprises:
redirecting to the application accessed through the other dependent domain name;
judging, through the zero trust gateway, whether the authentication credential in the browser for the other dependent domain name is valid;
and if so, the zero trust gateway releasing the request of the user to access the application.
8. The method for multi-application cross-domain credential sharing by a zero-trust application gateway of claim 1, further comprising:
judging whether the storage time of the authentication credentials exceeds a preset time;
and if so, deleting the authentication credentials.
9. A zero trust gateway multi-application cross-domain shared credential apparatus, comprising:
a monitoring module, configured to monitor, through a zero trust gateway, a request by a user to access an application, wherein the domain name of the application is resolved to the zero trust gateway;
a judging module, configured to intercept the request of the user to access the application and to judge whether the request has been authenticated;
a comparison module, configured to compare the domain name of the application with a preset domain name and to judge, according to the comparison result, whether the domain name of the application is a cross-domain name;
a generation module, configured to, if it is, generate a temporary authorization code from the authentication credential that the zero trust gateway obtained when it authenticated the user's access to the application;
a setting module, configured to acquire the authentication credential on the basis of the temporary authorization code and to set the authentication credential in the browser from which the application is accessed;
and an access module, configured to continue accessing the application through the domain name of the application accessed by the user;
wherein acquiring the authentication credential on the basis of the temporary authorization code comprises:
redirecting the domain name through which the user accesses the application to a temporary domain name, the temporary domain name containing identification characters and the temporary authorization code;
the zero trust gateway intercepting the request to access the application through the temporary domain name, judging whether the temporary domain name contains the identification characters, and, if it does, acquiring the authentication credential from the browser of the preset domain name through the temporary authorization code.
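The module description above and claims 1 to 8 describe a protocol rather than an implementation. The Python model below is an added worked example, not code from the patent or its assignee, that walks one browser through the flow: login on the preset domain, a request to a cross-domain application, the redirect to a temporary URL carrying the identification characters and the temporary authorization code, the exchange of that code for the credential, the credential set on the application domain, the return to the originally requested URL, and the credential expiry of claim 8. The domain names, the cookie name, the `/_zt_sso/` marker path, the TTL values and the response dictionaries are assumptions. It also adds the checks a practitioner would want from any gateway implementing such a flow, which the claims leave open: the temporary authorization code is single use, short lived and bound to the domain it was minted for; the identification characters are matched as a path prefix rather than as a substring; and the post-exchange redirect is kept on the same host.

```python
"""Model of the cross-domain credential-sharing flow in the module description
and claims 1-8.  Added worked example; not code from the patent or its
assignee.  Domain names, the cookie name, the "/_zt_sso/" marker path and the
TTL values are assumptions chosen for illustration."""
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

SSO_DOMAIN = "sso.example.com"                         # the "preset domain name"
APP_DOMAINS = {"crm.example.org", "wiki.example.net"}  # cross-domain applications
MARKER = "/_zt_sso/"     # the "identification characters" of the temporary URL
CODE_TTL = 60            # seconds a temporary authorization code may be redeemed
CRED_TTL = 8 * 3600      # claim 8: credentials stored longer than this are deleted
COOKIE = "zt_cred"


@dataclass
class Gateway:
    now: float = field(default_factory=time.time)  # injectable clock
    creds: dict = field(default_factory=dict)      # credential -> (user, issued_at)
    codes: dict = field(default_factory=dict)      # code -> (credential, host, issued_at)

    def login(self, user):
        """Claim 4: the IdP accepted the user; issue a credential on the preset domain."""
        cred = secrets.token_urlsafe(32)
        self.creds[cred] = (user, self.now)
        return {"status": 302, "set_cookie": (SSO_DOMAIN, COOKIE, cred),
                "location": f"https://{SSO_DOMAIN}/"}

    def credential_valid(self, cred):
        """Claims 3 and 8: a cookie value is only a lookup key; the gateway decides."""
        entry = self.creds.get(cred)
        if entry is None:
            return False
        if self.now - entry[1] > CRED_TTL:
            del self.creds[cred]                   # claim 8: delete on expiry
            return False
        return True

    def handle(self, host, path, jar):
        """One proxied request.  `jar` maps domain -> {cookie name: value}."""
        if host != SSO_DOMAIN and host not in APP_DOMAINS:
            return {"status": 403, "reason": "host is not resolved to this gateway"}
        # Match the marker as a path prefix, not with "in": a marker that merely
        # appears somewhere in an attacker-chosen URL must not trigger the exchange.
        if path.startswith(MARKER):
            return self._redeem(host, path)
        cred = jar.get(host, {}).get(COOKIE)
        if cred and self.credential_valid(cred):
            return {"status": 200, "action": "release"}          # claim 3
        if host != SSO_DOMAIN:                                   # claim 1: cross-domain
            sso_cred = jar.get(SSO_DOMAIN, {}).get(COOKIE)
            if sso_cred and self.credential_valid(sso_cred):
                # Mint a one-time code bound to this host; the credential itself
                # never appears in a URL.
                code = secrets.token_urlsafe(24)
                self.codes[code] = (sso_cred, host, self.now)
                q = urlencode({"code": code, "next": path})
                return {"status": 302, "location": f"https://{host}{MARKER}?{q}"}
        return {"status": 302, "location": f"https://{SSO_DOMAIN}/login"}  # claim 4

    def _redeem(self, host, path):
        """Claims 1-2: exchange the code, set the credential on the application
        domain, and return to the URL the user originally requested."""
        qs = parse_qs(urlparse(path).query)
        entry = self.codes.pop(qs.get("code", [None])[0], None)   # single use
        if entry is None:
            return {"status": 403, "reason": "unknown or already used code"}
        cred, bound_host, issued = entry
        if bound_host != host or self.now - issued > CODE_TTL:
            return {"status": 403, "reason": "code expired or bound to another host"}
        if not self.credential_valid(cred):
            return {"status": 302, "location": f"https://{SSO_DOMAIN}/login"}
        nxt = qs.get("next", ["/"])[0]
        if not nxt.startswith("/") or nxt.startswith("//"):
            nxt = "/"                            # refuse off-host redirect targets
        return {"status": 302, "set_cookie": (host, COOKIE, cred),
                "location": f"https://{host}{nxt}"}


def apply_cookie(jar, resp):
    """Browser side: store a Set-Cookie under the domain it was issued for."""
    if "set_cookie" in resp:
        domain, name, value = resp["set_cookie"]
        jar.setdefault(domain, {})[name] = value


def request_url(gw, url, jar):
    """Browser side: split a URL into host and path+query and send it."""
    u = urlparse(url)
    return gw.handle(u.hostname, u.path + (f"?{u.query}" if u.query else ""), jar)


def run_flow(gw, user, url):
    """Log in on the preset domain, then open `url` and follow redirects.
    Returns the status codes seen, the redirect locations and the cookie jar."""
    jar, statuses, locations = {}, [], []
    apply_cookie(jar, gw.login(user))
    resp = request_url(gw, url, jar)
    statuses.append(resp["status"])
    while resp["status"] == 302 and len(statuses) < 10:
        apply_cookie(jar, resp)
        locations.append(resp["location"])
        resp = request_url(gw, resp["location"], jar)
        statuses.append(resp["status"])
    return statuses, locations, jar


if __name__ == "__main__":
    print(run_flow(Gateway(), "alice", "https://crm.example.org/dashboard")[0])  # [302, 302, 200]
```

Running the file prints the status trail `[302, 302, 200]`: the first redirect carries the code to the temporary URL, the second sets the credential for the application domain and returns to the original path, and the third request is released. Replaying the temporary URL after the exchange, or presenting a code on a host other than the one it was minted for, is refused, and a credential older than `CRED_TTL` is deleted on its next use and the user is sent back to the authentication page, as claim 8 requires.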
CN202311704237.3A 2023-12-13 2023-12-13 Method and device for sharing credentials across multiple applications of zero-trust application gateway Active CN117411724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311704237.3A CN117411724B (en) 2023-12-13 2023-12-13 Method and device for sharing credentials across multiple applications of zero-trust application gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311704237.3A CN117411724B (en) 2023-12-13 2023-12-13 Method and device for sharing credentials across multiple applications of zero-trust application gateway

Publications (2)

Publication Number Publication Date
CN117411724A CN117411724A (en) 2024-01-16
CN117411724B true CN117411724B (en) 2024-03-19

Family

ID=89489266

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311704237.3A Active CN117411724B (en) 2023-12-13 2023-12-13 Method and device for sharing credentials across multiple applications of zero-trust application gateway

Country Status (1)

Country Link
CN (1) CN117411724B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106973041A (en) * 2017-03-02 2017-07-21 飞天诚信科技股份有限公司 A kind of method, system and certificate server for issuing authentication authority
CN111314340A (en) * 2020-02-13 2020-06-19 深信服科技股份有限公司 Authentication method and authentication platform
CN114553480A (en) * 2022-01-13 2022-05-27 中国科学院信息工程研究所 Cross-domain single sign-on method and device
CN115603987A (en) * 2022-09-30 2023-01-13 国家电网有限公司(Cn) Cloud-side-end-fused cross-domain zero-trust authentication system for power information communication system
CN115913671A (en) * 2022-11-02 2023-04-04 北京天融信网络安全技术有限公司 Token injection access method and device based on zero-trust gateway, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10122701B2 (en) * 2015-11-24 2018-11-06 Red Hat, Inc. Cross-domain single login

Also Published As

Publication number Publication date
CN117411724A (en) 2024-01-16

Similar Documents

Publication Publication Date Title
US8990911B2 (en) System and method for single sign-on to resources across a network
US7860882B2 (en) Method and system for distributed retrieval of data objects using tagged artifacts within federated protocol operations
US7860883B2 (en) Method and system for distributed retrieval of data objects within multi-protocol profiles in federated environments
US6199113B1 (en) Apparatus and method for providing trusted network security
CN107277049B (en) Access method and device of application system
Li et al. Security issues in OAuth 2.0 SSO implementations
US8683565B2 (en) Authentication
US8316429B2 (en) Methods and systems for obtaining URL filtering information
CN111416822B (en) Method for access control, electronic device and storage medium
US20030033535A1 (en) Method and system for implementing a common user logon to multiple applications
DE102009008319A1 (en) Method and apparatus for safely invoking a REST API
US20030226036A1 (en) Method and apparatus for single sign-on authentication
US20140089661A1 (en) System and method for securing network traffic
US8555365B2 (en) Directory authentication method for policy driven web filtering
WO2005069823A2 (en) Centralized transactional security audit for enterprise systems
CN102638454A (en) Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol
KR20040005815A (en) Systems and methods for authenticating a user to a web server
CN114915435B (en) Service data access method and system
CN112685726A (en) Single-point authentication method based on KEYCLOAK
CN109962892A (en) A kind of authentication method and client, server logging in application
CN117411724B (en) Method and device for sharing credentials across multiple applications of zero-trust application gateway
CN111245791A (en) Single sign-on method for realizing management and IT service through reverse proxy
Li et al. Your code is my code: Exploiting a common weakness in OAuth 2.0 implementations
Wang et al. A framework for formal analysis of privacy on SSO protocols
CN113411324B (en) Method and system for realizing login authentication based on CAS and third-party server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant