CN106534219A - Security authentication method and device for desktop cloud portal - Google Patents
- Publication number: CN106534219A (application CN201611268587.XA)
- Authority: CN (China)
- Prior art keywords: strong authentication, server, password, token, authentication
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
Abstract
The invention discloses a security authentication method and device for a desktop cloud portal. The security authentication method comprises the following steps: acquiring an account and a password input by a user, and sending the account and the password to an AD domain controller through a desktop cloud controller so as to send an AD authentication request to the AD domain controller; receiving the AD authentication request result sent by the AD domain controller; in the case that the AD authentication request passes, sending a strong authentication request to a second server through a first server to perform strong authentication; in the case that the strong authentication passes, receiving a strong authentication token sent by the second server through the first server; and in the case that the strong authentication token satisfies a preset condition, performing single sign-on to an internal application. With the security authentication method and device provided by the embodiments of the invention, the security level of a desktop cloud system can be raised and the office convenience of staff can be improved.
Description
Technical field
The present invention relates to the field of communication technology, and more particularly to a security authentication method and device for a desktop cloud portal.
Background art
The employees of some large enterprises are currently dispersed; for example, the staff of an operator's business halls and its customer service staff are spread across many locations, and there is no unified, effective means of management and control. The standalone office terminals used by employees are generally high-value assets, and they are sometimes misused, which increases the risk of leaking high-value information. In a large enterprise there are many kinds of internal applications (including desktop cloud systems) and no unified access control platform; as internal applications multiply, user permission management becomes ever more complex. At the same time, when a user needs to operate several internal applications, the user must repeatedly enter different accounts and passwords, and the complexity of the work is multiplied.
Related solutions to the above problems fall into the following three kinds. First, for the situation in which employees are dispersed and office terminals are hard to manage and control, desktop cloud is currently adopted. Second, for the situation in which enterprise-internal applications are numerous, a 4A (Authentication, Account, Authorization, Audit) unified security management platform is currently adopted. Third, for the situation in which desktop cloud accounts and 4A accounts are not unified, most desktop cloud vendors currently support user management and authentication only through a domain controller based on Microsoft Active Directory (AD). However, the above related techniques have the following drawbacks:
(1) the security authentication scheme of a desktop cloud portal used in an internet environment lacks strong authentication means such as SMS keys or tokens, so a certain security risk exists;
(2) when desktop cloud accounts are synchronized with the accounts of the 4A unified security management platform, a user who has successfully logged in to the desktop operating system must enter the same account and password a second time before accessing the portal of the 4A unified security management platform and then performing single sign-on to enterprise-internal applications. The steps are cumbersome, employee work complexity is multiplied, and the repeated entry of the account and password creates a risk of password leakage.
Summary of the invention
Embodiments of the invention provide a security authentication method and device that not only improve the office security of enterprise employees working on a desktop cloud system, but also reduce the complexity of accessing enterprise-internal applications and improve employee office efficiency.
In a first aspect, embodiments of the invention provide a security authentication method for a desktop cloud portal, comprising: acquiring the account and password input by a user, and sending the account and password through a desktop cloud controller to a first server so as to send an authentication request to the first server; receiving the authentication request result sent by the first server; when the authentication request passes, sending a strong authentication request to a second server to perform strong authentication; when the strong authentication passes, receiving the strong authentication token sent by the second server; and when the strong authentication token satisfies a preset condition, performing single sign-on to internal applications.
In a second aspect, embodiments of the invention provide a security authentication method for a first server, comprising: receiving the account and password sent by the desktop cloud portal, performing primary account authentication, and returning the primary account authentication result to the desktop cloud portal; after the primary account authentication passes, sending a strong authentication password request to the second server; receiving, from the desktop cloud portal, the strong authentication password entered by the user in the strong authentication password input interface, sending the strong authentication password to the second server to perform strong authentication, and receiving the strong authentication result returned by the second server; and after the strong authentication passes, applying to the second server for a strong authentication token, receiving the strong authentication token sent by the second server, and sending the strong authentication token to the desktop cloud portal.
In a third aspect, embodiments of the invention provide a security authentication method for a second server, comprising: performing data synchronization with the AD domain controller; receiving the strong authentication request sent by the desktop cloud portal through the first server and performing strong authentication; and after the strong authentication passes, sending a strong authentication token to the desktop cloud portal through the first server.
In a fourth aspect, embodiments of the invention provide a security authentication device for a desktop cloud portal, comprising: an authentication sending module configured to acquire the account and password input by the user and send them through the desktop cloud controller to the first server so as to send an authentication request to the first server; an authentication receiving module configured to receive the authentication request result sent by the first server; a strong authentication module configured to send, when the authentication request passes, a strong authentication request to the second server to perform strong authentication; a token module configured to receive, when the strong authentication passes, the strong authentication token sent by the second server; and a single sign-on module configured to perform single sign-on to internal applications when the strong authentication token satisfies the preset condition.
In a fifth aspect, embodiments of the invention provide a security authentication device for a first server, comprising: a primary account authentication module configured to receive the account and password sent by the desktop cloud portal, perform primary account authentication, and return the primary account authentication result to the desktop cloud portal; a password request module configured to send a strong authentication password request to the second server after the primary account authentication passes; a strong authentication module configured to receive, from the desktop cloud portal, the strong authentication password entered by the user in the strong authentication password input interface, send it to the second server to perform strong authentication, and receive the strong authentication result returned by the second server; and a token module configured to apply to the second server for a strong authentication token after the strong authentication passes, receive the strong authentication token sent by the second server, and send it to the desktop cloud portal.
In a sixth aspect, embodiments of the invention provide a security authentication device for a second server, comprising: a data synchronization module configured to perform data synchronization with the AD domain controller; an authentication management module configured to receive the strong authentication request sent by the desktop cloud portal through the first server and perform strong authentication; and a token authentication module configured to send, after the strong authentication passes, a strong authentication token to the desktop cloud portal through the first server.
Embodiments of the invention thus provide a security authentication method and device in which: by synchronizing desktop cloud accounts with 4A unified security management accounts, unified management of account security is achieved; by adding an SMS verification step, desktop cloud access from the internet is hardened; and by adding a strong authentication step within the SMS verification step, the security of accessing enterprise-internal applications after logging in to the desktop cloud is raised. The strong authentication token is verified and subjected to timeout control, and while the token has not expired a quick-login function skips the portal of the 4A unified security management platform and performs single sign-on to internal applications directly, which greatly improves the office efficiency of employees on the desktop cloud system while ensuring security.
Description of the drawings
The invention may be better understood from the following description of specific embodiments in conjunction with the accompanying drawings, in which the same or similar reference numerals denote the same or similar features.
Fig. 1 is a flow chart of the security authentication method for a desktop cloud portal in one embodiment of the invention;
Fig. 2 is a flow chart of the security authentication method for a first server in one embodiment of the invention;
Fig. 3 is a flow chart of the security authentication method for a second server in one embodiment of the invention;
Fig. 4 is a schematic structural diagram of the security authentication device for a desktop cloud portal in one embodiment of the invention;
Fig. 5 is a schematic structural diagram of the security authentication device for a first server in one embodiment of the invention;
Fig. 6 is a schematic structural diagram of the security authentication device for a second server in one embodiment of the invention;
Fig. 7 is a schematic diagram of the internal application security authentication method based on a desktop cloud system in another embodiment of the invention;
Fig. 8 is a schematic diagram of the strong authentication method based on a desktop cloud environment in another embodiment of the invention;
Fig. 9 is a schematic diagram of the virtual machine token injection method based on a desktop cloud environment in another embodiment of the invention;
Fig. 10 is a schematic diagram of the interaction between the unified security authentication agent device based on a desktop cloud environment and the 4A unified security management platform in another embodiment of the invention.
Specific embodiments
Features and exemplary embodiments of various aspects of the invention are described in detail below. In the following detailed description, many specific details are set forth to provide a complete understanding of the invention. It will be apparent to those skilled in the art, however, that the invention may be practised without some of these details. The following description of embodiments is provided only to give a better understanding of the invention by illustrating examples of it. The invention is in no way limited to any particular configuration or algorithm set forth below, but covers any modification, replacement and improvement of elements, components and algorithms that does not depart from the spirit of the invention. In the accompanying drawings and the following description, well-known structures and techniques are not shown, so as to avoid obscuring the invention unnecessarily.
Fig. 1 is a flow chart of the security authentication method for a desktop cloud portal in one embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
Step 101: acquire the account and password input by the user, and send the account and password through the desktop cloud controller to the first server so as to send an authentication request to the first server;
Step 102: receive the authentication request result sent by the first server;
Step 103: when the authentication request passes, send a strong authentication request to the second server to perform strong authentication;
Step 104: when the strong authentication passes, receive, through the first server, the strong authentication token sent by the second server;
Step 105: when the strong authentication token satisfies the preset condition, perform single sign-on to internal applications.
In steps 101 and 102, for example, user accounts are managed centrally through AD authentication, so that a user can access the internal applications of the desktop cloud system over the internet at any time and from any place, which improves service flexibility and solves the problem of dispersed employees.
In steps 103 to 105, when, for example, AD authentication passes, strong authentication further raises the security of accessing enterprise-internal applications after logging in to the desktop cloud. After the strong authentication passes, a strong authentication token is obtained for a second verification, and when the second verification satisfies the preset condition, single sign-on is performed to each application inside the desktop cloud system. After successfully logging in to the desktop cloud operating system, the user performs single sign-on to enterprise-internal applications directly, without entering the same account and password a second time, which reduces the user's work complexity and raises office efficiency; at the same time, leakage of the user's account or password information is avoided, raising network security.
It can be understood that step 103 may be implemented as: acquiring the account and password from the user login page and sending them to the first server for primary account authentication, and, after the primary account authentication passes, receiving the authentication result sent by the first server; when the user login page jumps to the strong authentication password input interface, acquiring the strong authentication password entered by the user in that interface and sending it through the first server to the second server to perform the strong authentication; and injecting the strong authentication token into the virtual desktop and pushing it to the terminal.
That is, the desktop cloud portal first acquires the user's account and password directly from the user login page and sends them to the first server for primary account authentication; after the primary account authentication passes, it acquires the strong authentication password entered by the user from the strong authentication password input interface in order to perform strong authentication; after the strong authentication passes, it receives the strong authentication token sent by the second server through the first server, injects the strong authentication token into the virtual desktop and pushes it to the terminal.
Injecting the strong authentication token into the virtual desktop and pushing it to the terminal may include: sending the strong authentication token to the desktop cloud controller through an encrypted tunnel, and having the desktop cloud controller send it to the virtual desktop.
It can be understood that step 105 may be implemented as: reading the identity information of the virtual desktop; judging whether the strong authentication token is legitimate; if it is not, prompting authentication failure; if it is, further judging whether the strong authentication token has expired; if it has not expired, performing single sign-on to internal applications directly; if it has expired, acquiring the account and password corresponding to the internal application and the SMS key entered by the user, sending them to the second server to request verification, and, after the verification passes, performing single sign-on to the internal application.
The identity information of the virtual desktop may include: the virtual desktop IP, DN, AD domain user information, the strong authentication token, and so on; the AD domain user information may include: company, department, account, name and mailbox.
Fig. 2 is a flow chart of the security authentication method for a first server in one embodiment of the invention. As shown in Fig. 2, the method comprises the following steps:
Step 201: receive the account and password sent by the desktop cloud portal, perform primary account authentication, and return the primary account authentication result to the desktop cloud portal;
Step 202: after the primary account authentication passes, send a strong authentication password request to the second server;
Step 203: receive, from the desktop cloud portal, the strong authentication password entered by the user in the strong authentication password input interface, send the strong authentication password to the second server to perform strong authentication, and receive the strong authentication result returned by the second server;
Step 204: after the strong authentication passes, apply to the second server for a strong authentication token, receive the strong authentication token sent by the second server, and send the strong authentication token to the desktop cloud portal.
In step 201, the first server performs primary account authentication on the account and password it receives from the desktop cloud portal, and returns the authentication result to the desktop cloud portal.
The account and password involved in primary account authentication may be, for example, the account and password that the user first enters on the login page.
In steps 202 to 204, when the primary account authentication passes, the first server sends a strong authentication password request to the second server in order to perform strong authentication. After the desktop cloud portal has obtained the strong authentication password entered by the user on the password input page, the first server receives that password from the desktop cloud portal and sends it to the second server for verification; after the verification passes, the token sent by the second server is returned to the desktop cloud portal.
The first server may be, for example, a RADIUS server.
Fig. 3 is a flow chart of the security authentication method for a second server in one embodiment of the invention. As shown in Fig. 3, the method comprises the following steps:
Step 301: perform data synchronization with the AD domain controller;
Step 302: receive the strong authentication request sent by the desktop cloud portal through the first server and perform strong authentication;
Step 303: after the strong authentication passes, send a strong authentication token to the desktop cloud portal through the first server.
In step 301, the second server synchronizes data with the AD domain controller, achieving unified management of account security. In steps 302 and 303, strong authentication is performed on the logging-in user, and when the strong authentication passes, a strong authentication token is sent to the desktop cloud portal so that the desktop cloud portal can perform a second verification of the user. It can be understood that step 302 may be implemented as: receiving the strong authentication password request sent by the first server; sending the strong authentication password to the user; and receiving, through the first server, the strong authentication password that the user entered in the strong authentication password input interface and that the desktop cloud portal forwarded, in order to perform the strong authentication. The strong authentication password may be, for example, an SMS password sent directly to the user by the second server. The second server is a 4A unified security management platform.
Fig. 4 is a schematic structural diagram of the security authentication device for a desktop cloud portal in one embodiment of the invention. As shown in Fig. 4, the device comprises:
AD authentication sending module 401, configured to acquire the account and password input by the user and send them through the desktop cloud controller to the first server so as to send an authentication request to the first server;
AD authentication receiving module 402, configured to receive the authentication request result sent by the first server;
strong authentication module 403, configured to send, when the authentication request passes, a strong authentication request to the second server to perform strong authentication;
token module 404, configured to receive, when the strong authentication passes, the strong authentication token sent by the second server; and
single sign-on module 405, configured to perform single sign-on to internal applications when the strong authentication token satisfies the preset condition.
It can be understood that strong authentication module 403 may be implemented as: acquiring the account and password from the user login page and sending them to the first server for primary account authentication, and, after the primary account authentication passes, receiving the authentication result sent by the first server; when the user login page jumps to the strong authentication password input interface, acquiring the strong authentication password entered by the user in that interface and sending it through the first server to the second server to perform the strong authentication; and injecting the strong authentication token into the virtual desktop and pushing it to the terminal.
Injecting the strong authentication token into the virtual desktop and pushing it to the terminal may include: sending the strong authentication token to the desktop cloud controller through an encrypted tunnel, and having the desktop cloud controller send it to the virtual desktop.
It can be understood that single sign-on module 405 may be implemented as: reading the identity information of the virtual desktop; judging whether the strong authentication token is legitimate; if it is not, prompting authentication failure; if it is, further judging whether the strong authentication token has expired; if it has not expired, performing single sign-on to internal applications directly; if it has expired, acquiring the account and password corresponding to the internal application and the SMS key entered by the user, sending them to the second server to request verification, and, after the verification passes, performing single sign-on to the internal application.
The identity information of the virtual desktop may include: the virtual desktop IP, DN, AD domain user information, the strong authentication token, and so on; the AD domain user information may include: company, department, account, name and mailbox.
Fig. 5 is a schematic structural diagram of the security authentication device for a first server in one embodiment of the invention. As shown in Fig. 5, the device comprises:
primary account authentication module 501, configured to receive the account and password sent by the desktop cloud portal, perform primary account authentication, and return the primary account authentication result to the desktop cloud portal;
password request module 502, configured to send a strong authentication password request to the second server after the primary account authentication passes;
strong authentication module 503, configured to receive, from the desktop cloud portal, the strong authentication password entered by the user in the strong authentication password input interface, send the strong authentication password to the second server to perform strong authentication, and receive the strong authentication result returned by the second server;
token module 504, configured to apply to the second server for a strong authentication token after the strong authentication passes, receive the strong authentication token sent by the second server, and send the strong authentication token to the desktop cloud portal.
The first server may be, for example, a RADIUS server.
Fig. 6 is a schematic structural diagram of the security authentication device for a second server in one embodiment of the invention. As shown in Fig. 6, the device comprises: data synchronization module 601, which performs data synchronization with the AD domain controller; authentication management module 602, which receives the strong authentication request sent by the desktop cloud portal through the first server and performs strong authentication; and token authentication module 603, which sends a strong authentication token to the desktop cloud portal through the first server after the strong authentication passes.
It can be understood that authentication management module 602 may be implemented as: receiving the strong authentication password request sent by the first server; sending the strong authentication password to the user; and receiving, through the first server, the strong authentication password that the user entered in the strong authentication password input interface and that the desktop cloud portal forwarded, in order to perform the strong authentication. The second server is a 4A unified security management platform.
Fig. 7 is a schematic diagram of the internal application security authentication method based on a desktop cloud system in one embodiment of the invention. The desktop cloud system comprises: a desktop cloud portal, a desktop cloud controller, an AD domain controller, a virtual desktop, a unified authentication agent device, and a 4A unified security management platform. The specific implementation steps of the security authentication method are as shown in Fig. 7:
1. The desktop cloud AD (Active Directory) account store is synchronized with the 4A unified security management platform;
2. The user enters the account and password in the desktop cloud portal, triggering an authentication request to the desktop cloud controller;
3. The desktop cloud controller initiates an AD authentication request to the AD domain controller of the domain to which the desktop cloud architecture belongs;
4. The AD domain controller completes account and password authentication and returns the AD authentication result to the desktop cloud controller;
5. The desktop cloud controller returns the AD authentication result to the desktop cloud portal;
6. When the desktop cloud portal obtains a passing authentication result, it triggers strong authentication directed at the authentication management unit of the 4A unified security management platform; the user obtains an SMS key and enters it for verification;
7. When the authentication management unit of the 4A unified security management platform passes the authentication, it returns a strong authentication token to the desktop cloud portal, and the token is injected into the user's virtual desktop;
8. The desktop cloud portal pushes the virtual desktop carrying the strong authentication token to the user's terminal;
9. The unified authentication agent device pre-deployed on the virtual desktop reads the IP, DN (Domain Name), current AD user information and strong authentication token of the source virtual desktop;
10. The verification unit of the unified security authentication agent device initiates a verification request to the authentication management unit of the 4A unified security management platform, comprising: judging the legitimacy of the strong authentication token carried by the source virtual desktop, and prompting authentication failure if it is illegitimate; if it is legitimate, further judging whether the strong authentication token has expired; if it has not expired, redirecting directly to log in to the internal application; if it has expired, triggering SMS verification to log in again.
Fig. 8 is a schematic diagram of the strong authentication method based on the desktop cloud environment according to one embodiment of the invention, where the desktop cloud environment includes: desktop cloud portal, Radius server, 4A unified security authentication platform. The specific steps of the security authentication method, as shown in Fig. 8:
1. The desktop cloud portal obtains the account and password from the user login page and sends them to the primary account authentication module of the Radius server for primary account authentication;
2. After the authentication passes, the Radius server requests an SMS password from the 4A unified security management platform;
3. The Radius server returns the authentication result to the desktop cloud portal;
4. If the authentication passes, the desktop cloud portal jumps from the user login interface to the SMS password input interface; at the same time, the unified security management platform sends the SMS password to the user;
5. The user enters the strong authentication SMS password in the login page;
6. The desktop cloud portal obtains the user's strong authentication password from the user login page and sends it to the Radius server for SMS strong authentication;
7. The Radius server sends the strong authentication password to the 4A unified security management platform for verification;
8. The 4A unified security management platform returns the authentication result to the Radius server;
9. If the authentication passes, the Radius server calls the strong authentication token service process;
10. The strong authentication token service process of the Radius server applies to the 4A unified security management platform for a token;
11. The 4A unified security management platform returns the strong authentication token to the Radius server;
12. The Radius server returns the strong authentication token;
13. The Radius server returns the authentication result and the strong authentication token to the desktop cloud portal.
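The Fig. 8 exchange, simulated as an added example that is not code from the patent. The page only fixes the order of the messages; the classes, method names, the in-memory account and phone tables, and the SMS password policy (bound to a session that passed primary authentication, single use, short lifetime, limited attempts) are assumptions made here for the example. The three parties are plain objects, so there is no network I/O and the flow runs offline:

```python
"""Constructed simulation of the Radius-brokered strong authentication flow (Fig. 8)."""
import hashlib
import hmac
import secrets


class Platform4A:
    """Stand-in for the 4A unified security management platform (assumed API)."""

    def __init__(self, phones, code_lifetime=300):
        self.phones = phones            # account -> phone number (constructed data)
        self.code_lifetime = code_lifetime
        self.pending = {}               # account -> [code, issued_at, attempts]
        self.outbox = []                # (phone, code) pairs standing in for sent SMS
        self.tokens = set()             # strong authentication tokens issued so far

    def request_sms_password(self, account, now):
        """Steps 2 and 4: generate an SMS password and 'send' it to the user."""
        code = "%06d" % secrets.randbelow(1_000_000)
        self.pending[account] = [code, now, 0]
        self.outbox.append((self.phones[account], code))

    def verify_sms_password(self, account, code, now):
        """Steps 7-8: one-time, time-limited, attempt-limited check of the SMS password."""
        entry = self.pending.get(account)
        if entry is None:
            return False
        stored, issued_at, attempts = entry
        entry[2] += 1
        if attempts >= 3 or now - issued_at > self.code_lifetime:
            del self.pending[account]
            return False
        if not hmac.compare_digest(stored, code):
            return False
        del self.pending[account]       # single use: a verified code cannot be replayed
        return True

    def issue_token(self):
        """Steps 10-11: hand a strong authentication token to the Radius server."""
        token = secrets.token_hex(16)
        self.tokens.add(token)
        return token


class RadiusServer:
    """Stand-in for the Radius server sitting between the portal and the 4A platform."""

    def __init__(self, accounts, platform):
        self.accounts = accounts        # account -> sha256 hex of password (constructed data)
        self.platform = platform
        self.primary_ok = set()         # accounts that passed primary authentication

    def primary_auth(self, account, password, now):
        """Steps 1-3: primary account authentication; on success request the SMS password."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        stored = self.accounts.get(account)
        if stored is None or not hmac.compare_digest(stored, digest):
            return False
        self.primary_ok.add(account)
        self.platform.request_sms_password(account, now)
        return True

    def strong_auth(self, account, sms_password, now):
        """Steps 6-13: SMS strong authentication, then token retrieval for the portal."""
        if account not in self.primary_ok:          # no second factor without the first
            return False, None
        if not self.platform.verify_sms_password(account, sms_password, now):
            return False, None
        self.primary_ok.discard(account)             # the primary result is consumed
        token = self.platform.issue_token()          # steps 9-12
        return True, token                           # step 13


def portal_login(radius, platform, account, password, now, read_sms):
    """Desktop cloud portal side: login page, then the SMS password page (step 5)."""
    if not radius.primary_auth(account, password, now):
        return False, None
    sms = read_sms(platform)    # the user reads the code from their phone
    return radius.strong_auth(account, sms, now + 5)


def demo_environment():
    """Constructed accounts for a stand-alone run."""
    platform = Platform4A({"alice": "+86-130-0000-0000"})
    radius = RadiusServer({"alice": hashlib.sha256(b"correct horse").hexdigest()}, platform)
    return radius, platform


if __name__ == "__main__":
    radius, platform = demo_environment()
    print(portal_login(radius, platform, "alice", "correct horse", 1000,
                       lambda p: p.outbox[-1][1]))
```

The point of the extra policy in `verify_sms_password` is that the SMS password is only meaningful for the session that passed primary authentication in step 1: a code that has been used, has aged out, or has been guessed at too often is discarded before the token service of step 9 is ever reached.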
Fig. 9 is a schematic diagram of the virtual machine token injection method based on the desktop cloud environment according to one embodiment of the invention, where the desktop cloud environment includes: desktop cloud portal, Radius server, 4A unified security authentication platform, desktop cloud controller, virtual desktop. The specific steps of the security authentication method, as shown in Fig. 9:
1. The user enters the 4A account, password and dynamic code;
2. Verification completes and the strong authentication token request service is triggered;
3. The authentication management unit of the 4A unified security management platform pushes the generated strong authentication token to the desktop cloud portal;
4. The desktop cloud portal pushes the generated strong authentication token to the desktop cloud controller through an extended encrypted channel based on the desktop cloud internal communication protocol;
5. The desktop cloud controller confirms the user identity and delivers the virtual desktop according to the desktop cloud internal communication protocol; during delivery, the strong authentication token is pushed to the user's virtual desktop through the extended encrypted channel;
6. The virtual desktop stores the strong authentication token in a shared memory buffer;
7. The unified security authentication apparatus pre-deployed on the virtual desktop reads the strong authentication token information from the buffer.
Figure 10 is a schematic diagram of the interaction between the unified security authentication agent apparatus based on the desktop cloud environment and the 4A unified security management platform according to one embodiment of the invention. The unified security authentication agent apparatus includes a first shared memory and a second shared memory; its functional units are broadly divided into a memory reading unit, a token verification unit and a timeout control unit.
Memory reading unit: after the desktop cloud has passed AD authentication and SMS password authentication, the strong authentication token produced by the authentication management center of the unified security management platform is written into the shared memory of the virtual desktop, and the memory reading unit reads the shared memory to obtain the token information.
The flow by which the memory reading unit obtains the shared memory information is as follows:
First, the information about the second shared memory is looked up from the first shared memory; next, the name, size and other required information of the second shared memory are read (mainly with the security of the shared memory in mind).
The shared memory interface is defined as follows:
Name of the first shared memory: Global\HDP_THIRD_GINA_FILE_NAME
The content of the first shared memory is the following structure:
The second shared memory is the second field, Name, of the structure in the first shared memory; its name is Global\HDP_THIRD_GINA_FILE_NAME_<runtime> (where runtime is the time the system has been running continuously since boot; in C# code this is Environment.TickCount).
The size of the second shared memory is the first field, Size, of the structure in the first shared memory (the size is 8K); it is used for storing the strong authentication token, and any unused space is filled with 0x00.
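The two-stage shared memory handoff just described, as an added example that is not code from the patent. The page gives the name of the first region, the two fields of its structure (Size, which is 8K, and Name, whose suffix is the boot tick count) and the 0x00 fill of the second region; it does not give the field types, so this example assumes a 4-byte little-endian unsigned Size followed by a 256-byte NUL-padded ASCII Name, and a UTF-8 token. On Windows the two regions would be file mappings opened by name; here they are plain byte buffers in a dictionary so the layout logic runs offline. The checks in `read_first_region` are the kind a memory reading unit "considering the security of the shared memory" would apply:

```python
"""Constructed model of the first/second shared memory layout for the token handoff."""
import struct

FIRST_REGION_NAME = r"Global\HDP_THIRD_GINA_FILE_NAME"      # from the page
SECOND_NAME_PREFIX = r"Global\HDP_THIRD_GINA_FILE_NAME_"    # from the page; suffix is the tick count
TOKEN_AREA_SIZE = 8 * 1024                                   # 8K, from the page
NAME_FIELD_LEN = 256                                         # assumed width of the Name field
HEADER_FMT = "<I%ds" % NAME_FIELD_LEN                        # assumed packing: Size, then Name


def build_first_region(tick_count):
    """Writer side: publish the name and size of the region that holds the token."""
    name = (SECOND_NAME_PREFIX + str(tick_count)).encode("ascii")
    if len(name) >= NAME_FIELD_LEN:
        raise ValueError("name does not fit in the Name field")
    return struct.pack(HEADER_FMT, TOKEN_AREA_SIZE, name)


def build_second_region(token, size=TOKEN_AREA_SIZE):
    """Writer side: the token followed by 0x00 fill up to the declared size."""
    data = token.encode("utf-8")
    if len(data) >= size:
        raise ValueError("token does not fit in the token area")
    return data + b"\x00" * (size - len(data))


def read_first_region(region):
    """Memory reading unit, step 1: learn where the token lives, refusing anything unexpected."""
    if len(region) < struct.calcsize(HEADER_FMT):
        raise ValueError("first region is truncated")
    size, raw_name = struct.unpack_from(HEADER_FMT, region)
    name = raw_name.split(b"\x00", 1)[0].decode("ascii")
    # Only accept names in the documented namespace with a numeric tick-count suffix,
    # so a region planted under some other name is never opened as the token area.
    suffix = name[len(SECOND_NAME_PREFIX):]
    if not name.startswith(SECOND_NAME_PREFIX) or not suffix.isdigit():
        raise ValueError("unexpected second region name: %r" % name)
    if size != TOKEN_AREA_SIZE:
        raise ValueError("unexpected token area size: %d" % size)
    return name, size


def read_token(second_region, size):
    """Memory reading unit, step 2: read the token and strip the 0x00 fill."""
    if len(second_region) != size:
        raise ValueError("second region size mismatch")
    return second_region.split(b"\x00", 1)[0].decode("utf-8")


def handoff(token, tick_count):
    """Round trip: write both regions as the platform would, then read them back as the agent."""
    shared = {                                    # stands in for the named file mappings
        FIRST_REGION_NAME: build_first_region(tick_count),
        SECOND_NAME_PREFIX + str(tick_count): build_second_region(token),
    }
    name, size = read_first_region(shared[FIRST_REGION_NAME])
    return name, read_token(shared[name], size)


if __name__ == "__main__":
    print(handoff("constructed-token-value", 123456))
```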
Token verification unit: interacts with the authentication management center of the 4A unified security management platform via a Webservice; it calls the Webservice to read the IP, DN and strong authentication token and verify them, and if any condition is not satisfied, single sign-on to internal applications is not allowed.
Timeout control unit: provides timeout control, and the user can also kick out the agent (forced timeout). The specific implementation is as follows: timing starts from the generation time of the strong authentication token (the time at which the user logged in to the cloud desktop). A timeout threshold is set at the authentication management center; when the user single-signs-on to an internal application after logging in to the desktop, a timeout judgment is made (whether the time since logging in to the virtual desktop exceeds the set timeout threshold), and if it has timed out, the user is redirected to the login page of the unified business support system and must re-enter the account and password to log in. The agent's system tray can force an agent timeout: the user performs "log out agent" and, after confirming, the next login to the unified business support system through the agent prompts a login timeout and redirects to the portal page of the 4A unified security management platform. To single-sign-on to internal applications through the agent again at this point, the desktop must be disconnected and the desktop login performed again before the agent can be used.
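The agent-side decision described in step 10 of Fig. 7 and in the token verification and timeout control units above, as an added example that is not code from the patent. The page says the agent sends the virtual desktop's IP, DN and token to the 4A authentication management center over a Webservice and that the center holds the timeout threshold; it does not describe the token format or the Webservice interface, so this example assumes the center keeps a table of issued tokens bound to (IP, DN, user, issue time) and that the call is a plain method call. The three outcomes map to the page's three branches: `"auth_failure"` (token illegitimate or bound to a different desktop or user), `"reauth"` (expired, or forced out through "log out agent") and `"sso"`:

```python
"""Constructed model of the agent's token legitimacy, expiry and forced-timeout decision."""
import secrets


class AuthManagementCenter:
    """Stand-in for the 4A authentication management center reached via Webservice (assumed API)."""

    def __init__(self, timeout_threshold):
        self.threshold = timeout_threshold   # seconds; the page sets this at the center
        self.issued = {}                     # token -> (ip, dn, user, issued_at)

    def issue_token(self, ip, dn, user, issued_at):
        """Bind a fresh token to the desktop and user it was issued for."""
        token = secrets.token_hex(16)
        self.issued[token] = (ip, dn, user, issued_at)
        return token

    def verify(self, token, ip, dn, user, now):
        """Legitimacy first, then expiry; any unsatisfied condition blocks single sign-on."""
        record = self.issued.get(token)
        if record is None:
            return "auth_failure"            # unknown token: illegitimate
        if record[:3] != (ip, dn, user):
            return "auth_failure"            # token was issued for a different desktop or user
        if now - record[3] > self.threshold:
            return "reauth"                  # expired: back to SMS / account and password login
        return "sso"


class AgentSession:
    """Unified security authentication agent on the virtual desktop."""

    def __init__(self, center, token, ip, dn, user):
        self.center = center
        self.token = token                   # read from shared memory by the memory reading unit
        self.ip, self.dn, self.user = ip, dn, user   # identity information of the virtual desktop
        self.forced_timeout = False

    def logout_agent(self):
        """The system tray 'log out agent' action: force the agent to time out."""
        self.forced_timeout = True

    def single_sign_on(self, now):
        """Decide what happens when the user opens an internal application."""
        if self.forced_timeout:
            return "reauth"                  # prompt login timeout, go to the 4A portal page
        return self.center.verify(self.token, self.ip, self.dn, self.user, now)


if __name__ == "__main__":
    # Constructed sample desktop; the IP, DN, account and times are not from the page.
    center = AuthManagementCenter(timeout_threshold=8 * 3600)
    tok = center.issue_token("10.1.2.3", "corp.example.internal", "alice", 1_000_000)
    sess = AgentSession(center, tok, "10.1.2.3", "corp.example.internal", "alice")
    print(sess.single_sign_on(1_000_060))            # sso
    print(sess.single_sign_on(1_000_000 + 9 * 3600)) # reauth
    sess.logout_agent()
    print(sess.single_sign_on(1_000_060))            # reauth
```

Because the binding check compares the IP, DN and user presented by the agent against what the center recorded at issue time, a token copied out of one desktop's shared memory does not verify from another desktop, which is the property the verification unit's "either condition not satisfied" rule is there to enforce.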
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of their function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such an implementation should not be considered to go beyond the scope of the invention.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the system, apparatus and units described above may be found in the corresponding process of the foregoing method embodiments and is not repeated here.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto; any person familiar with the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and such modifications or substitutions shall all fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the scope of protection of the claims.
Claims (14)
1. A security authentication method for a desktop cloud portal, comprising:
obtaining the account and password entered by the user, and sending the account and password via the desktop cloud controller to a first server so as to send an authentication request to the first server;
receiving the authentication request result sent by the first server;
in the case where the authentication request passes, sending a strong authentication request to a second server to perform strong authentication;
in the case where the strong authentication passes, receiving the strong authentication token sent by the second server; and
in the case where the strong authentication token satisfies a preset condition, single-signing-on to internal applications.
2. The method according to claim 1, wherein the first server is an Active Directory domain controller server and the second server is a 4A unified security management platform server.
3. The method according to claim 1, wherein the first server is a Radius server and the second server is a 4A unified security management platform server.
4. The method according to claim 3, wherein the step of sending a strong authentication request to the second server to perform strong authentication comprises:
obtaining the account and password from the user login page, sending the account and password to the first server to perform primary account authentication, and after the primary account authentication passes, receiving the authentication result sent by the first server;
when the user login page jumps to the strong authentication password input interface, obtaining the strong authentication password entered by the user in the strong authentication password input interface, and sending the strong authentication password via the first server to the second server to perform the strong authentication;
injecting the strong authentication token into the virtual desktop and pushing it to the terminal.
5. The method according to claim 4, wherein injecting the strong authentication token into the virtual desktop and pushing it to the terminal comprises:
sending the strong authentication token to the desktop cloud controller through an encrypted channel, and sending it from the desktop cloud controller to the virtual desktop.
6. The method according to claim 1, wherein, in the case where the strong authentication token satisfies the preset condition, single-signing-on to internal applications specifically comprises:
reading the identity information of the virtual desktop;
judging whether the strong authentication token is legitimate;
when the judgment result is no, prompting authentication failure;
when the judgment result is yes, further judging whether the strong authentication token has expired;
when the judgment result is yes, single-signing-on to the internal application directly;
when the judgment result is no, obtaining the account and password corresponding to the internal application and the SMS key entered by the user, and sending the account and password corresponding to the internal application and the SMS key to the second server so as to request verification from the second server, and after the verification passes, single-signing-on to the internal application.
7. The method according to claim 6, wherein
the identity information includes at least any one of the following or a combination thereof: virtual desktop IP, DN, AD domain user information, the strong authentication token;
and the AD domain user information includes at least any one of the following or a combination thereof: company, department, account, name, mailbox.
8. A security authentication apparatus for a desktop cloud portal, comprising:
an authentication sending module configured to obtain the account and password entered by the user and to send the account and password via the desktop cloud controller to a first server so as to send an authentication request to the first server;
an authentication receiving module configured to receive the authentication request result sent by the first server;
a strong authentication module configured to, in the case where the authentication request passes, send a strong authentication request to the second server to perform strong authentication; and
a token module configured to, in the case where the strong authentication passes, receive the strong authentication token sent by the second server; and
a single sign-on module configured to, in the case where the strong authentication token satisfies a preset condition, single-sign-on to internal applications.
9. The security authentication apparatus according to claim 8, wherein the first server is an Active Directory domain controller server and the second server is a 4A unified security management platform server.
10. The authentication apparatus according to claim 8, wherein the first server is a Radius server and the second server is a 4A unified security management platform server.
11. The security authentication apparatus according to claim 10, wherein the strong authentication module comprises:
a primary account authentication unit configured to obtain the account and password from the user login page, send the account and password to the first server to perform primary account authentication, and after the primary account authentication passes, receive the authentication result sent by the first server;
a strong authentication password unit configured to, when the user login page jumps to the strong authentication password input interface, obtain the strong authentication password entered by the user in the strong authentication password input interface and send the strong authentication password via the first server to the second server to perform the strong authentication;
a token injection unit configured to inject the strong authentication token into the virtual desktop and push it to the terminal.
12. The security authentication apparatus according to claim 11, wherein the token injection unit is configured to:
send the strong authentication token to the desktop cloud controller through an encrypted channel, and send it from the desktop cloud controller to the virtual desktop.
13. The security authentication apparatus according to claim 8, wherein the single sign-on module is configured to:
read the identity information of the virtual desktop;
judge whether the strong authentication token is legitimate;
when the judgment result is no, prompt authentication failure;
when the judgment result is yes, further judge whether the strong authentication token has expired;
when the judgment result is yes, single-sign-on to the internal application directly;
when the judgment result is no, obtain the account and password corresponding to the internal application and the SMS key entered by the user, and send the account and password corresponding to the internal application and the SMS key to the second server so as to request verification from the second server, and after the verification passes, single-sign-on to the internal application.
14. The security authentication apparatus according to claim 13, wherein
the identity information includes at least any one of the following or a combination thereof: virtual desktop IP, DN, AD domain user information, strong authentication token;
and the AD domain user information includes at least any one of the following or a combination thereof: company, department, account, name, mailbox.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611268587.XA CN106534219A (en) | 2016-12-31 | 2016-12-31 | Security authentication method and device for desktop cloud portal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611268587.XA CN106534219A (en) | 2016-12-31 | 2016-12-31 | Security authentication method and device for desktop cloud portal |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106534219A true CN106534219A (en) | 2017-03-22 |
Family
ID=58336466
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611268587.XA Pending CN106534219A (en) | 2016-12-31 | 2016-12-31 | Security authentication method and device for desktop cloud portal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106534219A (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103067397A (en) * | 2012-12-31 | 2013-04-24 | 华为技术有限公司 | Security authentication method, access gateway and authentication server of desktop cloud system |
CN103532966A (en) * | 2013-10-23 | 2014-01-22 | 成都卫士通信息产业股份有限公司 | Device and method supporting USB-KEY-based SSO (single sign on) of virtual desktop |
CN104717261A (en) * | 2013-12-17 | 2015-06-17 | 华为技术有限公司 | Login method and desktop management device |
CN104468550A (en) * | 2014-11-28 | 2015-03-25 | 华为技术有限公司 | User login method for Windows desktop, device and system |
CN105991709A (en) * | 2015-02-11 | 2016-10-05 | 中国移动通信集团河南有限公司 | Cloud desktop account number management method and apparatus thereof |
CN105227314A (en) * | 2015-08-28 | 2016-01-06 | 飞天诚信科技股份有限公司 | A kind of login enters method and the device of system desktop |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108366103B (en) * | 2018-01-29 | 2021-03-02 | 广州杰赛科技股份有限公司 | Remote connection method, device, computer equipment and storage medium |
CN108366103A (en) * | 2018-01-29 | 2018-08-03 | 广州杰赛科技股份有限公司 | Long-range connection method, device, computer equipment and storage medium |
US11283805B2 (en) | 2018-07-16 | 2022-03-22 | Alibaba Group Holding Limited | Cloud device account configuration method, apparatus and system, and data processing method |
CN110971566A (en) * | 2018-09-29 | 2020-04-07 | 上海擎感智能科技有限公司 | Account unified management method, system and computer readable storage medium |
CN109462501A (en) * | 2018-10-29 | 2019-03-12 | 北京芯盾时代科技有限公司 | A kind of identifying procedure control method and system |
CN109462501B (en) * | 2018-10-29 | 2021-02-02 | 北京芯盾时代科技有限公司 | Authentication process control method and system |
CN111327578A (en) * | 2018-12-17 | 2020-06-23 | 上海擎感智能科技有限公司 | User ssh login authentication method |
CN113114464A (en) * | 2020-01-13 | 2021-07-13 | 中国移动通信集团重庆有限公司 | Unified security management system and identity authentication method |
CN113114464B (en) * | 2020-01-13 | 2023-10-27 | 中国移动通信集团重庆有限公司 | Unified security management system and identity authentication method |
CN113515330A (en) * | 2020-04-10 | 2021-10-19 | 南方电网科学研究院有限责任公司 | Cloud desktop security authentication method and system based on domestic password technology |
CN113515330B (en) * | 2020-04-10 | 2024-04-26 | 南方电网科学研究院有限责任公司 | Cloud desktop security authentication method and system based on domestic cryptographic technology |
CN112291198A (en) * | 2020-09-29 | 2021-01-29 | 西安万像电子科技有限公司 | Communication method, terminal device and server |
CN113726774A (en) * | 2020-10-13 | 2021-11-30 | 杭州涂鸦信息技术有限公司 | Client login authentication method, system and computer equipment |
CN112291269A (en) * | 2020-11-30 | 2021-01-29 | 南方电网科学研究院有限责任公司 | Cloud desktop authentication method and device, electronic equipment and readable storage medium |
CN113452711A (en) * | 2021-06-29 | 2021-09-28 | 新华三大数据技术有限公司 | Single sign-on method of cloud desktop and network equipment |
CN117453816A (en) * | 2023-10-24 | 2024-01-26 | 上海宁盾信息科技有限公司 | User data unifying method, system, computer and storage medium |
CN117453816B (en) * | 2023-10-24 | 2024-05-07 | 上海宁盾信息科技有限公司 | User data unifying method, system, computer and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106534219A (en) | Security authentication method and device for desktop cloud portal | |
CN107122674B (en) | Access method of oracle database applied to operation and maintenance auditing system | |
CN108416589A (en) | Connection method, system and the computer readable storage medium of block chain node | |
CN112468481B (en) | Single-page and multi-page web application identity integrated authentication method based on CAS | |
CN106534143A (en) | Method and system capable of realizing cross-application authentication authorization | |
TW200820716A (en) | Method and apparatus for providing trusted single sign-on access to applications and internet-based services | |
CN103780580B (en) | Method, server and system for providing capability access strategy | |
CN109873805A (en) | Cloud desktop login method, device, equipment and storage medium based on cloud security | |
CN112580006A (en) | Access right control method and device of multi-cloud system and authentication server | |
CN111355713B (en) | Proxy access method, device, proxy gateway and readable storage medium | |
US8387130B2 (en) | Authenticated service virtualization | |
CN101529412A (en) | Data file access control | |
CN111062023B (en) | Method and device for realizing single sign-on of multi-application system | |
CN105871838A (en) | Third party account login control method and user center platform | |
CN102571873B (en) | Bidirectional security audit method and device in distributed system | |
CN109413000A (en) | A kind of anti-stealing link method and door chain gateway system | |
CN106161348A (en) | A kind of method of single-sign-on, system and terminal | |
CN101321064A (en) | Information system access control method and apparatus based on digital certificate technique | |
CN109995699B (en) | Multimedia equipment management system | |
CN104348791B (en) | A kind of single-point logging method and system | |
CN103986734B (en) | Authentication management method and authentication management system applicable to high-security service system | |
CN102271136A (en) | Access control method and equipment under NAT (Network Address Translation) network environment | |
CN106331003A (en) | Method and device for accessing application portal system on cloud desktop | |
CN102571874B (en) | On-line audit method and device in distributed system | |
CN107862198A (en) | One kind accesses verification method, system and client |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20170322 |