CN104333557A - Single sign on system and method based on VPN gateway - Google Patents

Info

Publication number
CN104333557A
Authority
CN
China
Prior art keywords
sign
user
resource
request
information
Legal status
Pending
Application number
CN201410659382.9A
Other languages
Chinese (zh)
Inventor
邢朝阳
方鸣睿
汪仕兵
杨宇
刘小华
秦凯
Current Assignee
CHENGDU WESTONE INFORMATION SAFETY TECHNOLOGY Co Ltd
Original Assignee
CHENGDU WESTONE INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority date
2014-11-19
Filing date
2014-11-19
Publication date
2015-02-04

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention provides a single sign-on system and a single sign-on method based on a VPN gateway. The VPN gateway guides the user to configure their own single sign-on user information, verifies that the information is correct and then binds it to the user automatically, thereby enabling the user's single sign-on request to a resource. The method makes up for the deficiency of common single sign-on, reduces the administrator's configuration and management workload, and at the same time ensures that the user's single sign-on information is configured and bound correctly, thereby ensuring the completeness of single sign-on.

Description

Single sign-on system and method based on a VPN gateway
Technical field
The present invention relates to a single sign-on system and method based on a VPN gateway, and in particular to a system and method by which a terminal user initiates a single sign-on request to a resource through a VPN gateway.
Background technology
Single sign-on technology: after the user has been authenticated through the VPN client, when the user requests access to a background application that is protected by the VPN gateway and supports single sign-on, the VPN gateway re-assembles the user's access request packet using the matching single sign-on user information. Authentication to the background application is thereby completed automatically, and the user does not have to fill in the user information again.
Automatic user information binding technology: when a user who has no background-application authentication information configured requests a single sign-on resource for the first time, the VPN gateway guides the user to fill in the authentication information for that resource, verifies that information by using it for single sign-on authentication, and then binds the user information to the matching single sign-on resource, so that the user's own single sign-on information is configured automatically.
Identity authentication technology is a security technique for verifying a user's identity and extracting the user's identity identifier; it is the prerequisite for authorization control. The VPN gateway uses identity authentication to verify the user's identity and extracts the user identity identifier from the authentication information for the gateway's authorization control over the user's access to applications.
Access control technology is a security means for controlling user access behaviour.
The VPN gateway system protects the application systems that need hardening by means of in-path (break-type) access control: a user can access the application services protected by the VPN gateway only after passing the gateway's identity authentication. A common VPN gateway system that supports single sign-on can complete single sign-on for a user only after the administrator has configured the single sign-on authentication information for that user's resource access; single sign-on then takes place when the user requests the matching resource. For a single sign-on request from a user whose information has not been configured, however, such a system cannot guide the user to configure their authentication information, and therefore does not support single sign-on in that scenario.
Summary of the invention
The technical problem solved by the present invention is to provide a system and method, based on a VPN gateway, by which a user who has no authentication information configured can achieve single sign-on to a resource.
The technical solution adopted by the present invention is as follows. A single sign-on system based on a VPN gateway is characterised in that it comprises:
VPN gateway authentication module, which authenticates the user;
Background resource access request module, which receives the user's access request;
Single sign-on authentication information configuration judgement module, which judges whether the administrator has configured single sign-on authentication information for this user for the requested resource;
Resource single sign-on information input module, which receives the login information the user enters for this resource and submits it to the VPN gateway;
User information parsing module, which parses the login information entered by the user;
Single sign-on request module, which uses the captured user information to initiate a single sign-on request to this resource;
Single sign-on business redirect module, which, when the single sign-on request fails, redirects the page to the resource single sign-on information input page;
User information recording module, which, when the single sign-on request succeeds, records the user information of the successful single sign-on request in the relevant list.
A single sign-on method based on a VPN gateway: when a user who has no background-application authentication information configured requests a single sign-on resource for the first time, the VPN gateway guides the user to fill in the authentication information for that resource, uses it as single sign-on authentication information to verify that the configuration is correct, and then saves the user information in the single sign-on user information list, so that the user's single sign-on user information is configured and bound automatically.
Preferably, the concrete steps of the method are: step 1, the user starts the VPN client, presents the credential used for authentication and authenticates with the VPN gateway; if authentication passes, proceed to the next step. Step 2, the user initiates an access request to a supported background resource through a web browser. Step 3, the VPN gateway judges whether the administrator has configured single sign-on information for this resource for the user; if so, single sign-on to the requested resource is achieved with the configured user information, otherwise proceed to the next step. Step 4, the user submits the single sign-on authentication information for this resource to the VPN gateway. Step 5, the VPN gateway parses the single sign-on information submitted in step 4, fills in the captured user information and initiates a single sign-on request to this resource; if the request succeeds, the single sign-on result is forwarded to the browser and the user information is recorded in the relevant list; otherwise, return to step 4 and prompt the user to enter the correct user information.
Compared with the prior art, the invention has the following beneficial effects: it not only supports common single sign-on, but, by the method of automatically binding user authentication information, also enables a user who has no authentication information configured to complete a single sign-on request to a resource.
Embodiment
To make the objects, technical solution and advantages of the present invention clearer, the present invention is further described below with reference to an embodiment. It should be understood that the specific embodiment described here serves only to explain the present invention and is not intended to limit it.
Any feature disclosed in this specification (including any accompanying claims and the abstract) may, unless specifically stated otherwise, be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
The invention discloses a method by which, in the state where the administrator has not configured a user's single sign-on information on the security gateway, the VPN gateway guides the user to configure their single sign-on user information autonomously, binds the user information automatically once its correctness has been verified, and thereby completes the user's single sign-on request to the resource. The method makes up for the deficiency of common single sign-on: it reduces the administrator's configuration and management workload while guaranteeing that the user's single sign-on information is configured and bound correctly, and so guarantees the completeness of single sign-on. The VPN gateway is deployed between the background application systems that support single sign-on and the VPN client, and performs in-path (break-type) access control.
In this specific embodiment, the flow by which a user requests access to a single sign-on resource is as follows:
Step 1, the user starts the VPN client. Step 2, the user presents the credential used for authentication and authenticates with the VPN gateway. Step 3, the user initiates an access request to a supported background resource through a web browser. Step 4, the VPN gateway determines whether single sign-on information has been configured for this resource for the user; if not, execution continues with the next step, otherwise single sign-on to the requested resource is achieved with the configured user information. Step 5, a user account and password input box pops up on the terminal, prompting the user to enter the single sign-on information for this resource, which is submitted to the VPN gateway. Step 6, the VPN gateway uses the captured user information to initiate a single sign-on request to this resource; if the request succeeds, the request result is forwarded to the client and the user information is recorded in the relevant list; otherwise, jump back to step 5 and prompt the user to enter the correct user information.
The present invention does not define a concrete form of the VPN gateway system, nor does it limit the concrete way in which single sign-on is initiated. The VPN gateway uses the user's identity identifier to make an authorization decision, according to access control, on access requests to resources that support single sign-on. Once the user's access request has passed the authorization decision, if no single sign-on authentication information has been configured for the user, the VPN gateway guides the user to configure it correctly by the method of automatic user information binding, and then uses that authentication information to achieve single sign-on to the accessed resource.
The present invention not only supports common single sign-on; by the method of automatic user information binding it also enables a user who has no authentication information configured to complete a single sign-on request to a resource. The automatic user information binding module saves and binds the user information only after its correctness has been confirmed. A single sign-on request to a resource may be initiated either through the VPN client after C/S (client/server) mode authentication or after authentication in B/S (browser/server) mode. Single sign-on is supported for the three HTTP authentication methods Post, Get and Basic. The administrator's workload for configuring and managing users' single sign-on binding information is reduced.
User identity can be authenticated on the basis of different authentication factors, different authentication protocols and different authentication scenarios (B/S or C/S); the gateway can proxy the user's access to application systems deployed behind the VPN gateway over the VPN secure channel; it can control the user's authority to access application systems; and, by integrating the single sign-on program with the automatic user information binding module, it supports normal authentication and access to single sign-on background applications initiated by users who have single sign-on authentication information configured, while also supporting users who have no authentication information configured in authenticating to and accessing single sign-on background applications by the method of automatic user information binding. The VPN gateway receives the authentication request from the VPN gateway client software and authenticates the user according to the different authentication factors the client presents. After authentication succeeds, the VPN gateway and the VPN gateway client software establish a secure channel. When the user accesses an application system through the VPN client, the VPN gateway judges, from the matching relationship between the user's identity identifier and the identifier of the application system to be accessed, whether the user has authority to access that application system; if so, it proxies the user's access to the application system over the VPN secure channel, otherwise it refuses the user's access request. When the user's access request is for a single sign-on resource configured on the VPN gateway and no single sign-on authentication information has been configured for the user, the VPN gateway guides the user to configure it by the method of automatic user information binding, and then uses that authentication information to achieve single sign-on to the accessed resource.
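The flow in the steps above, together with the Post, Get and Basic request styles the text names, as a constructed Python simulation added here (it is not the patent's or the applicant's code): the gateway uses an administrator-provisioned binding when one exists, otherwise prompts the user, tries the supplied credentials against the resource, and records the binding only after a verified success. `VPN_USERS`, the `Resource` backend, the attempt cap `MAX_ATTEMPTS` and all sample accounts are assumptions made for the example.

```python
from base64 import b64decode, b64encode
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

MAX_ATTEMPTS = 3  # assumed cap on the re-prompt loop; the text states no limit
VPN_USERS = {"alice": "vpn-secret-a", "bob": "vpn-secret-b"}  # constructed gateway user table


@dataclass
class Resource:
    """A background application behind the gateway; `accounts` is its own login table."""
    name: str
    method: str  # "post", "get" or "basic": the three HTTP SSO styles the text names
    accounts: dict

    def login(self, request: dict) -> bool:
        """Backend side: pull the credentials out of the wire form and check them."""
        if self.method == "basic":
            token = request["headers"]["Authorization"].split(" ", 1)[1]
            account, password = b64decode(token).decode().split(":", 1)
        else:  # POST body and GET query string carry the same form fields
            form = parse_qs(request["body"] if self.method == "post" else request["query"])
            account, password = form["username"][0], form["password"][0]
        return self.accounts.get(account) == password


def assemble_sso_request(resource: Resource, account: str, password: str) -> dict:
    """Gateway side: re-assemble the user's access request with the SSO credentials."""
    req = {"method": "GET", "path": "/login", "headers": {}, "query": "", "body": ""}
    if resource.method == "basic":
        token = b64encode(f"{account}:{password}".encode()).decode()
        req["headers"]["Authorization"] = f"Basic {token}"
    elif resource.method == "post":
        req["method"] = "POST"
        req["body"] = urlencode({"username": account, "password": password})
    else:
        req["query"] = urlencode({"username": account, "password": password})
    return req


class Gateway:
    """Holds the (VPN user, resource) -> credential bindings used in the judgement step."""

    def __init__(self, admin_bindings: dict):
        self.bindings = dict(admin_bindings)  # administrator-provisioned entries
        self.sessions = set()                 # users that passed VPN authentication
        self.prompts = defaultdict(int)       # how often each (user, resource) was prompted

    def vpn_login(self, user: str, credential: str) -> bool:
        """Authenticate the VPN client before any resource request is considered."""
        if VPN_USERS.get(user) == credential:
            self.sessions.add(user)
            return True
        return False

    def request_resource(self, vpn_user: str, resource: Resource, prompt) -> bool:
        """Judge, prompt, verify, bind; `prompt()` stands in for the credential input page."""
        if vpn_user not in self.sessions:
            return False  # in-path access control: no VPN session, no resource access
        key = (vpn_user, resource.name)
        if key in self.bindings:  # administrator (or an earlier verified success) configured it
            return resource.login(assemble_sso_request(resource, *self.bindings[key]))
        for _ in range(MAX_ATTEMPTS):  # guide the user, re-prompting on failure
            account, password = prompt()
            self.prompts[key] += 1
            if resource.login(assemble_sso_request(resource, account, password)):
                self.bindings[key] = (account, password)  # bind only after verified success
                return True
        return False  # nothing is bound for a user who never supplied working credentials
```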

Claims (3)

1. A single sign-on system based on a VPN gateway, characterised in that it comprises:
VPN gateway authentication module, which authenticates the user;
Background resource access request module, which receives the user's access request;
Single sign-on authentication information configuration judgement module, which judges whether the administrator has configured single sign-on authentication information for this user for the requested resource;
Resource single sign-on information input module, which receives the login information the user enters for this resource and submits it to the VPN gateway;
User information parsing module, which parses the login information entered by the user;
Single sign-on request module, which uses the captured user information to initiate a single sign-on request to this resource;
Single sign-on business redirect module, which, when the single sign-on request fails, redirects the page to the resource single sign-on information input page;
User information recording module, which, when the single sign-on request succeeds, records the user information of the successful single sign-on request in the relevant list.
2. A single sign-on method based on the VPN gateway single sign-on system according to claim 1, in which: when a user who has no background-application authentication information configured requests a single sign-on resource for the first time, the VPN gateway guides the user to fill in the authentication information for that resource, uses it as single sign-on authentication information to verify that the configuration is correct, and then saves the user information in the single sign-on user information list, so that the user's single sign-on user information is configured and bound automatically.
3. The single sign-on method according to claim 2, in which the concrete steps are: step 1, the user starts the VPN client, presents the credential used for authentication and authenticates with the VPN gateway; if authentication passes, proceed to the next step. Step 2, the user initiates an access request to a supported background resource through a web browser. Step 3, the VPN gateway judges whether the administrator has configured single sign-on information for this resource for the user; if so, single sign-on to the requested resource is achieved with the configured user information, otherwise proceed to the next step. Step 4, the user submits the single sign-on information for this resource to the VPN gateway. Step 5, the VPN gateway parses the single sign-on information submitted in step 4, fills in the captured user information and initiates a single sign-on request to this resource; if the request succeeds, the single sign-on result is forwarded to the browser and the user information is recorded in the relevant list; otherwise, return to step 4 and prompt the user to enter the correct user information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410659382.9A CN104333557A (en) 2014-11-19 2014-11-19 Single sign on system and method based on VPN gateway

Publications (1)

Publication Number Publication Date
CN104333557A true CN104333557A (en) 2015-02-04

Family

ID=52408208

Country Status (1)

Country Link
CN (1) CN104333557A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060271689A1 (en) * 2005-05-26 2006-11-30 Katsuro Kikuchi System and method for single sign-on
CN101572608A (en) * 2009-06-17 2009-11-04 杭州华三通信技术有限公司 Method and device for acquiring once-login parameters
CN101651666A (en) * 2008-08-14 2010-02-17 中兴通讯股份有限公司 Method and device for identity authentication and single sign-on based on virtual private network
CN101651743A (en) * 2009-09-10 2010-02-17 华耀环宇科技(北京)有限公司 Remote desktop access system facing to mobilephone terminal user
CN102571762A (en) * 2011-12-21 2012-07-11 深信服网络科技(深圳)有限公司 Method and device for single sign-on
CN103236969A (en) * 2013-04-03 2013-08-07 中国科学院合肥物质科学研究院 Gateway system and gateway method for Cloud service accounting management
CN103442007A (en) * 2013-08-29 2013-12-11 成都卫士通信息安全技术有限公司 Far-end application service accessing method based on virtual desktop control mode

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108650209A (en) * 2018-03-06 2018-10-12 北京信安世纪科技股份有限公司 A kind of method of single-sign-on, system, device and authentication method
CN108650209B (en) * 2018-03-06 2021-05-14 北京信安世纪科技股份有限公司 Single sign-on method, system, device and authentication method
CN108650162A (en) * 2018-03-19 2018-10-12 山东云安通信息技术有限公司 A kind of mobile application gateway and comprehensive office system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150204