CN110691089B - Authentication method applied to cloud service, computer equipment and storage medium - Google Patents


Info

Publication number
CN110691089B
Authority
CN
China
Prior art keywords
user
authentication
name
tenant
target user
Legal status
Active
Application number
CN201910936314.5A
Other languages
Chinese (zh)
Other versions
CN110691089A
Inventor
顾逸圣
王宾
钟晶晶
Current Assignee
Transwarp Technology Shanghai Co Ltd
Original Assignee
Transwarp Technology Shanghai Co Ltd
Application filed by Transwarp Technology Shanghai Co Ltd
Priority to CN201910936314.5A
Publication of CN110691089A
Application granted
Publication of CN110691089B

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The embodiments disclose an authentication method, a computer device and a storage medium for a cloud service. The method comprises: acquiring authentication-associated information entered by a target user, the information comprising the target user's tenant name, user name and password, where at least one user name is registered under the tenant name; determining, from the tenant name, the plurality of authentication sources registered under that tenant name; and calling the docking interfaces of those authentication sources in turn to authenticate the target user's user name and password. The technical scheme improves the flexibility of multi-tenant authentication and thereby meets the authentication control requirements of multiple tenants.

Description

Authentication method applied to cloud service, computer equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of information security, in particular to an authentication method, computer equipment and a storage medium applied to cloud service.
Background
As business scale grows, an enterprise usually runs several Web (World Wide Web) application systems at the same time. Because of security control requirements, most of these systems require a user to provide an account and a password for login authentication.
In the prior art, a unified authentication system is the usual solution: a single login gives access to every connected Web system, which avoids repeated logins across systems and separates the business logic from user authentication. However, enterprise personnel are organized in complex ways, by department, job level or function, and a traditional unified authentication system cannot partition and control users along such lines. Current unified authentication systems therefore introduce the concept of a "tenant": people in different departments are abstracted into users under different tenants, and each department is managed with the tenant as the unit.
Existing multi-tenant unified authentication systems require user information to be stored uniformly in a single data source. Integrating an application therefore means migrating user data of differing formats from each system into that source and abandoning the original authentication interface, which makes the approach inflexible.
Disclosure of Invention
The embodiment of the invention provides an authentication method, computer equipment and a storage medium applied to cloud services, so that the flexibility of multi-tenant authentication is improved, and the authentication management and control requirements of multiple tenants are met.
In a first aspect, an embodiment of the present invention provides an authentication method applied to a cloud service, including:
acquiring authentication associated information input by a target user; the authentication associated information comprises a tenant name, a user name and a password of a target user; the tenant name comprises at least one user name;
confirming a plurality of authentication sources registered by the tenant name according to the tenant name;
and sequentially calling the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
In a second aspect, an embodiment of the present invention further provides an authentication apparatus applied to a cloud service, including:
the authentication associated information acquisition module is used for acquiring authentication associated information input by a target user; the authentication associated information comprises a tenant name, a user name and a password of a target user; the tenant name comprises at least one user name;
the authentication source confirmation module is used for confirming a plurality of authentication sources registered by the tenant name according to the tenant name;
and the information authentication module is used for sequentially calling the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
In a third aspect, an embodiment of the present invention further provides a computer device, including a processor and a memory, where the memory is used to store instructions, and when the instructions are executed, the processor is caused to perform the following operations:
acquiring authentication associated information input by a target user; the authentication associated information comprises a tenant name, a user name and a password of a target user; the tenant name comprises at least one user name;
confirming a plurality of authentication sources registered by the tenant name according to the tenant name;
and sequentially calling the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
In a fourth aspect, an embodiment of the present invention further provides a storage medium, where the storage medium is configured to store instructions for performing:
acquiring authentication associated information input by a target user; the authentication associated information comprises a tenant name, a user name and a password of a target user; the tenant name comprises at least one user name;
confirming a plurality of authentication sources registered by the tenant name according to the tenant name;
and sequentially calling the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
By obtaining the authentication-associated information entered by the target user, which comprises at least the target user's tenant name, user name and password, determining from the tenant name the plurality of authentication sources registered under it, and calling the docking interfaces of those sources in turn to authenticate the user name and password, the embodiments solve the problem that existing authentication systems cannot exercise fine-grained control over the trust relationships of each tenant and user, improve the flexibility of multi-tenant authentication, and meet the authentication control requirements of multiple tenants.
Drawings
Fig. 1 is a schematic structural diagram of an authentication system according to an embodiment of the present invention;
fig. 2 is a flowchart of an authentication method applied to a cloud service according to an embodiment of the present invention;
fig. 3 is a flowchart of an authentication method applied to a cloud service according to a second embodiment of the present invention;
fig. 4 is a flowchart of an authentication method applied to a cloud service according to a third embodiment of the present invention;
fig. 5 is a schematic diagram of an authentication apparatus applied to a cloud service according to a fourth embodiment of the present invention;
fig. 6 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention.
It should be further noted that, for the convenience of description, only some but not all of the relevant aspects of the present invention are shown in the drawings. Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
The term "target user" as used herein may be a user who needs to log on to a certain client.
The term "authentication association information" as used herein may be related information for authentication by a client.
The term "priority attribute information" used herein may be information that characterizes the priority level of each authentication source.
The term "associated user information" used herein may be associated information of the target user stored in the authentication source, such as information of a mailbox, a contact address, and the like of the target user.
The term "preset authentication protocol" as used herein may be any type of authentication protocol, such as CAS, OAuth or OIDC (OpenID Connect).
The term "authentication identifier" used herein may be an identifier for authentication, such as a ticket or token, generated according to a preset authentication protocol.
The term "mutual trust association information between a user and a tenant" used herein may be that the user is trusted by another tenant, or that all users under the tenant are trusted by another tenant.
The term "first tenant name list" as used herein may be a list built from tenant names queried by the authentication identity.
The term "second tenant name list" used herein may be a list constructed according to tenant names to which clients belong.
The term "user association information" as used herein may include, but is not limited to, a username, a tenant name, a password, and associated user information, among others.
For ease of understanding, the main inventive concepts of the embodiments of the present invention are briefly described.
Existing multi-tenant unified authentication systems require user information to be stored uniformly in a single data source, so integrating each system means migrating its user data of differing formats into that source and abandoning the original authentication interface. At the same time, tenants in such a system are either completely isolated, so that a user of one tenant cannot access the resources of any other tenant, or any user of the tenant can access the resources of other tenants after authentication; the tenant attribute is recorded only through the user name or another identifier. Existing multi-tenant unified authentication systems therefore cannot control the trust relationship between each tenant and user at fine granularity.
Based on this, the inventors propose obtaining authentication-associated information entered by the target user that comprises at least the target user's tenant name, user name and password, determining the plurality of authentication sources registered under that tenant name, and calling the docking interface of each authentication source in turn to authenticate the user name and password. This solves the problem that existing authentication systems cannot control the trust relationships of each tenant and user at fine granularity, improves the flexibility of multi-tenant authentication, and meets the authentication control requirements of multiple tenants.
Correspondingly, the embodiments provide an authentication system applicable to a cloud service system to address the shortcomings of the authentication mode of existing unified authentication systems. Fig. 1 is a schematic structural diagram of an authentication system according to an embodiment of the present invention. As shown in fig. 1, the authentication system may include a system API (application programming interface), and the system API may implement a role-based access control function. At the business logic layer, the system comprises at least a multi-authentication-source authentication module, a user management module, a tenant management module, a client management module and a mutual trust management module. The multi-authentication-source authentication module authenticates each user under a tenant, and a tenant may be registered with one or more authentication sources. The user management module manages user information, the tenant management module manages tenant information, the client management module manages client information, and the mutual trust management module manages trust relationships between tenants and between users and tenants. The data persistence layer manages the associated data (such as user name and password information).
The authentication system may further comprise a user module for managing users of the system; the user module supports registering users directly with the authentication system as system users. A system user belongs to a tenant reserved for the system. The user module provides a uniform, centralized user source, and a system user can access the resources of other tenants by configuring a mutual trust relationship, just like a user of an ordinary tenant. The user module can also assign predefined roles to system users to implement access control on system API calls. The predefined roles include at least system user, system administrator, system viewer, system user administrator, system user viewer, system tenant administrator and system tenant viewer. Specifically, the system administrator (FED_ADMIN) has the highest authority in the system; the system viewer (FED_VIEWER) has view rights on all system resources; the system user administrator (FED_USER_ADMIN) has administrative rights over the users of the authentication system; the system user viewer (FED_USER_VIEWER) has view rights on the users of the authentication system; the system tenant administrator (FED_TENANT_ADMIN) has administrative rights over all tenants of the authentication system; and the system tenant viewer (FED_TENANT_VIEWER) has view rights on all tenants of the authentication system. The permissions of these system roles have the following priority relationships: FED_ADMIN > FED_VIEWER; FED_ADMIN > FED_USER_ADMIN > FED_USER_VIEWER; FED_ADMIN > FED_TENANT_VIEWER; FED_VIEWER > FED_USER_VIEWER; FED_VIEWER > FED_TENANT_VIEWER. In addition, the authentication system introduces two further roles, tenant owner (TENANT_OWNER) and tenant accessor (TENANT_ACCESS). The tenant owner is the user who created the tenant.
If a user is trusted by another tenant, that user becomes a tenant accessor of the other tenant. The priority relationship between the two roles is TENANT_OWNER > TENANT_ACCESS.
Table 1 is a partial authority control list for the authentication system; as table 1 shows, different system users hold different authorities in the system. For example, a system user with the FED_USER_ADMIN role has the authority to add, delete and update system users, to add tenants, and to view system users. Functional management of the authentication system is implemented by assigning different authorities to different system users. Table 1 lists only the most basic role definitions; the remaining permissions of system users are derived from the priority relationships between system roles. For example, from FED_USER_ADMIN > FED_USER_VIEWER it follows that FED_USER_ADMIN has a higher priority than FED_USER_VIEWER, and since a system user with the FED_USER_VIEWER role may view system users, a system user with the FED_USER_ADMIN role may view system users as well.
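The derivation of permissions from the priority relationships, as an added example that is not the patent's or Transwarp's code. The role order is the one listed above. The direct permissions of FED_USER_ADMIN and FED_USER_VIEWER follow the text; the other direct permissions, the permission names and the function names are assumptions made for the illustration, because Table 1 is not reproduced on this page.

```python
from typing import Dict, List, Set, Tuple

# Priority relationships between system roles as stated on the page:
# (higher, lower) means `higher` holds at least every permission `lower` holds.
ROLE_ORDER: List[Tuple[str, str]] = [
    ("FED_ADMIN", "FED_VIEWER"),
    ("FED_ADMIN", "FED_USER_ADMIN"),
    ("FED_USER_ADMIN", "FED_USER_VIEWER"),
    ("FED_ADMIN", "FED_TENANT_VIEWER"),
    ("FED_VIEWER", "FED_USER_VIEWER"),
    ("FED_VIEWER", "FED_TENANT_VIEWER"),
    ("TENANT_OWNER", "TENANT_ACCESS"),
]

# Directly assigned permissions. FED_USER_ADMIN and FED_USER_VIEWER follow the text;
# the other rows are assumed for the example, since Table 1 is not reproduced here.
DIRECT_PERMS: Dict[str, Set[str]] = {
    "FED_ADMIN": {"system:admin"},
    "FED_VIEWER": {"system:view"},
    "FED_USER_ADMIN": {"user:add", "user:delete", "user:update", "tenant:add"},
    "FED_USER_VIEWER": {"user:view"},
    "FED_TENANT_VIEWER": {"tenant:view"},
    "TENANT_OWNER": {"tenant:manage"},
    "TENANT_ACCESS": {"tenant:use"},
}


def build_graph(order: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Adjacency list: role -> roles directly below it."""
    graph: Dict[str, Set[str]] = {}
    for higher, lower in order:
        graph.setdefault(higher, set()).add(lower)
        graph.setdefault(lower, set())
    return graph


def dominated_roles(role: str, graph: Dict[str, Set[str]]) -> Set[str]:
    """All roles strictly below `role` (transitive closure of the priority relation).

    Gray/black depth-first search, so a cycle anywhere below `role` is detected:
    a cycle would make two roles equivalent and silently widen their permissions.
    """
    done: Set[str] = set()
    in_progress: Set[str] = set()

    def visit(r: str) -> None:
        if r in in_progress:
            raise ValueError(f"cycle in role hierarchy at {r}")
        if r in done:
            return
        in_progress.add(r)
        for lower in graph.get(r, ()):
            visit(lower)
        in_progress.discard(r)
        done.add(r)

    visit(role)
    done.discard(role)
    return done


def effective_permissions(role: str,
                          order: List[Tuple[str, str]] = ROLE_ORDER,
                          direct: Dict[str, Set[str]] = DIRECT_PERMS) -> Set[str]:
    """Own permissions plus those of every dominated role."""
    graph = build_graph(order)
    if role not in graph and role not in direct:
        raise KeyError(f"unknown role {role}")
    perms = set(direct.get(role, set()))
    for lower in dominated_roles(role, graph):
        perms |= direct.get(lower, set())
    return perms


def is_allowed(role: str, permission: str,
               order: List[Tuple[str, str]] = ROLE_ORDER,
               direct: Dict[str, Set[str]] = DIRECT_PERMS) -> bool:
    """Authorization check for a system API call."""
    return permission in effective_permissions(role, order, direct)
```

Treating the priority relationships as a directed acyclic graph and taking the closure once per role yields the derived rights the text describes (FED_USER_ADMIN obtains user:view through FED_USER_VIEWER). The cycle check is there because one mistaken extra relationship, such as FED_USER_VIEWER > FED_ADMIN, would otherwise merge every role into a single permission set.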
The authentication system provided in the embodiments does not restrict the protocol used to implement single sign-on, which includes but is not limited to CAS (Central Authentication Service), OAuth (open authorization) and OIDC (OpenID Connect). Before accessing the authentication system, a client must register with it and state the tenant to which it belongs. During operation of the authentication system, the multi-authentication-source authentication module and the mutual trust management module carry the main functions. The core function of the multi-authentication-source authentication module is to let the authentication system interface simultaneously with several authentication sources that expose different interfaces, such as a database interface, an LDAP (Lightweight Directory Access Protocol) interface or a Kerberos interface, with the authentication sources configured per tenant. The mutual trust management module manages whether a user from an authentication source configured for one tenant can pass authentication in the clients of other tenants.
TABLE 1 System Authority settings Allocation
Example one
Fig. 2 is a flowchart of an authentication method applied to a cloud service according to an embodiment of the present invention, where the present embodiment is applicable to authentication management and control of multiple tenants, and the method may be executed by an authentication apparatus applied to a cloud service, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in a computer device, and used in cooperation with a client, a user agent, and the like for completing authentication applied to a cloud service. Accordingly, as shown in fig. 2, the method includes the following operations:
step 110, obtaining authentication associated information input by a target user; the authentication associated information comprises a tenant name, a user name and a password of a target user; the tenant name comprises at least one user name.
The target user is a user who needs to log in to a certain client. The authentication-associated information is the information the client uses for authentication, including but not limited to the target user's tenant name, user name and password; other verification data such as a verification code may also be part of it, and the embodiment does not limit its specific content. At least one user name, including the target user's, is registered under the tenant name, so that the data of each authentication source is managed with the tenant as the unit.
In the embodiment of the present invention, before authenticating the login information of the target user, the authentication association information input by the target user through the authentication system may be first obtained.
In an optional embodiment of the present invention, before the obtaining the authentication association information input by the target user, the method may include: configuring a matched docking interface according to each authentication source; wherein, the docking interface is used for configuring authentication source information.
In the embodiment of the present invention, the authentication system may implement interfacing to various authentication sources, such as a database or an LDAP, in advance. Specifically, the matching docking interfaces may be designed according to the types of the authentication sources. During the operation process of the authentication system, the authentication source information can be dynamically added or deleted through the docking interface.
It should be noted that, to ensure the authentication system can interface with a source, the registration information supplied when an authentication source is registered must carry associated information such as the authentication source type attribute, the attribute of the tenant to which the source belongs and the priority attribute of the source; the authentication system uses this information to select the matching docking interface.
In an optional embodiment of the present invention, before the obtaining the authentication association information input by the target user, the method may include: and configuring mutual trust association information between the user and the tenant through the docking interface.
And 120, confirming a plurality of authentication sources registered by the tenant name according to the tenant name.
It is understood that the tenant name to which the target user belongs may be registered in multiple authentication sources, that is, multiple authentication sources may have been registered under the tenant name to which the target user belongs. Therefore, after the authentication associated information input by the target user is acquired, the multiple authentication sources registered by the tenant name can be confirmed according to the tenant name to which the target user belongs.
And step 130, sequentially calling the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
Correspondingly, after confirming a plurality of authentication sources registered by the tenant name to which the target user belongs, the docking interface of each authentication source can be called to authenticate the user name and the password of the target user.
In an optional embodiment of the present invention, the sequentially invoking the docking interfaces of the authentication sources to authenticate the user name and the password of the target user may include: sequencing the authentication sources according to the priority attribute information of the authentication sources; and sequentially calling the docking interfaces of the authentication sources according to the sequencing result to authenticate the user name and the password of the target user.
The priority attribute information indicates the priority of each authentication source. For example, a database source may have priority level 1 and an LDAP source priority level 2, where level 1 is higher than level 2.
Specifically, when the user name and the password of the target user are authenticated, the authentication sources may be sorted according to the priority attribute information of the authentication sources. Illustratively, the authentication sources may be sorted in order from high to low priority. And then sequentially calling the docking interfaces of the authentication sources according to the sequencing result to authenticate the user name and the password of the target user.
In an optional embodiment of the present invention, the sequentially invoking the docking interfaces of the authentication sources according to the sorting result to authenticate the user name and the password of the target user may include: verifying the user name and the password of the target user according to the docking interface of the current authentication source; if the user name is confirmed to be matched with the password, recording the tenant name and the user name of the target user and the associated user information of the target user, generating an authentication identifier according to a preset authentication protocol, and establishing a binding relationship between the authentication identifier and the tenant name and the user name of the target user and the associated user information of the target user; otherwise, taking the next authentication source as the current authentication source, and returning to execute the operation of verifying the user name and the password of the target user according to the docking interface of the current authentication source; and if all the authentication sources are determined not to pass the verification, returning error information to the target user.
The associated user information may be associated information of the target user stored in the authentication source, such as information of a mailbox, a contact way, and the like of the target user, and the information type may be specifically modified according to actual requirements. The preset authentication protocol may be any type of authentication protocol, such as CAS, OAuth, or oid, and the embodiment of the present invention does not limit the specific type of the preset authentication protocol. The authentication identifier may be an identifier for authentication, such as a ticket or a token, generated according to a preset authentication protocol, and the embodiment of the present invention also does not limit the type of the authentication identifier.
Specifically, when the authentication system calls the docking interfaces of the authentication sources in turn according to the sorting result, it verifies through the docking interface of the current authentication source whether the target user's user name and password match. If they match, it records the target user's tenant name, user name and the associated user information stored for the target user in that source, generates an authentication identifier according to the preset authentication protocol, and binds the authentication identifier to the tenant name, user name and associated user information. Other system interfaces can then use the authentication identifier for subsequent operations, such as determining whether the user is trusted by other tenants. If the user name and password do not match, verification continues with the next authentication source, until every authentication source under the target user's tenant has been traversed without a match, in which case error information is returned to the target user. The error returned should be the same whether the user name is unknown, the password is wrong or no source under the tenant matched; otherwise the response reveals which accounts and sources exist.
In an optional embodiment, after the authentication identifier is generated according to the preset authentication protocol, the method may further include: querying the tenant name corresponding to the target user by the authentication identifier and building a first tenant name list from it; comparing the first tenant name list with a second tenant name list, which contains the tenant names the client belongs to; if the two lists are consistent, returning the tenant name, user name and associated user information of the target user to the target user; otherwise, checking a pre-stored trust relationship list for a trust relationship between the user name and/or the first tenant name list on one side and the second tenant name list on the other, and if one exists returning the tenant name, user name and associated user information of the target user, or else returning error information to the target user. The user name returned to the target user carries a tenant name suffix.
In an optional embodiment of the present invention, after the confirming that the user name and the password match, the method may further include: and caching the verification results of the user name and the password.
Because the same tenant may have many registered authentication sources, each authentication can generate considerable network overhead. The authentication system therefore caches the verification result, so that a repeated request does not check the user name and password against every source again. The cache should be keyed on the tenant, the user name and a keyed digest of the password rather than the password itself, and a cached positive result remains valid until it expires even if the source has since revoked or changed the password, so the cache lifetime bounds how long a revoked credential keeps working.
By obtaining the authentication-associated information entered by the target user, which comprises at least the target user's tenant name, user name and password, determining from the tenant name the plurality of authentication sources registered under it, and calling the docking interfaces of those sources in turn to authenticate the user name and password, this embodiment solves the problem that existing authentication systems cannot exercise fine-grained control over the trust relationships of each tenant and user, improves the flexibility of multi-tenant authentication, and meets the authentication control requirements of multiple tenants.
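The traversal of steps 110 to 130, with the priority ordering, the first-match fall-through and the cached verification result described above, as an added example that is not the patent's or Transwarp's code. The two authentication sources, the tenant registration, the cache design, the error wording and the token format are constructed for the illustration; a production docking interface would issue a database query, an LDAP bind or a Kerberos request instead of the in-memory lookups used here.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional


class AuthError(Exception):
    """Generic error returned to the target user; deliberately says no more."""


class AuthSource:
    """A registered authentication source: type attribute, priority attribute and
    its docking interface `verify(username, password) -> associated user info | None`."""

    def __init__(self, name: str, kind: str, priority: int,
                 verify: Callable[[str, str], Optional[dict]]):
        self.name, self.kind, self.priority, self.verify = name, kind, priority, verify
        self.calls = 0  # instrumentation for the example only

    def check(self, username: str, password: str) -> Optional[dict]:
        self.calls += 1
        return self.verify(username, password)


def make_database_source(name: str, priority: int, users: Dict[str, str]) -> AuthSource:
    """Constructed 'database' source holding salted PBKDF2 hashes, never plaintext."""
    rows = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        rows[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))

    def verify(username: str, password: str) -> Optional[dict]:
        row = rows.get(username)
        if row is None:
            return None
        salt, digest = row
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return {"mail": f"{username}@db.example.test"} if hmac.compare_digest(candidate, digest) else None

    return AuthSource(name, "database", priority, verify)


def make_ldap_source(name: str, priority: int, users: Dict[str, str]) -> AuthSource:
    """Constructed stand-in for an LDAP bind (a real source binds with the user's DN)."""
    def verify(username: str, password: str) -> Optional[dict]:
        expected = users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return {"mail": f"{username}@ldap.example.test"}
    return AuthSource(name, "ldap", priority, verify)


class MultiSourceAuthenticator:
    """Steps 110-130: tenant name -> registered sources -> traverse by priority."""

    def __init__(self, cache_ttl: float = 300.0):
        self.registry: Dict[str, List[AuthSource]] = {}  # tenant name -> sources
        self.tokens: Dict[str, dict] = {}                 # authentication identifier -> binding
        self._cache: Dict[bytes, tuple] = {}              # positive verification results only
        self._cache_key = secrets.token_bytes(32)         # per-process HMAC key for cache ids
        self.cache_ttl = cache_ttl

    def register_source(self, tenant: str, source: AuthSource) -> None:
        """Docking-interface side: add authentication source information under a tenant."""
        self.registry.setdefault(tenant, []).append(source)

    def _cache_id(self, tenant: str, username: str, password: str) -> bytes:
        # HMAC over tenant, user and password: the cache never holds the plaintext credential.
        return hmac.new(self._cache_key, f"{tenant}\0{username}\0{password}".encode(), "sha256").digest()

    def _issue(self, tenant: str, username: str, source: AuthSource, info: dict) -> str:
        # Authentication identifier (ticket/token) bound server-side to tenant, user and info.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"tenant": tenant, "user": username, "source": source.name, "info": info}
        return token

    def authenticate(self, tenant: str, username: str, password: str) -> str:
        sources = self.registry.get(tenant)
        if not sources:
            raise AuthError("authentication failed")  # same wording as a bad password
        key = self._cache_id(tenant, username, password)
        hit = self._cache.get(key)
        if hit is not None and hit[0] > time.monotonic():
            return self._issue(tenant, username, hit[1], hit[2])
        # Sort by priority attribute (1 is higher than 2, an assumed convention) and
        # traverse: the first source that matches wins, the remaining ones are not consulted.
        for source in sorted(sources, key=lambda s: s.priority):
            info = source.check(username, password)
            if info is not None:
                self._cache[key] = (time.monotonic() + self.cache_ttl, source, info)
                return self._issue(tenant, username, source, info)
        raise AuthError("authentication failed")  # all sources traversed, none matched

    def resolve(self, token: str) -> Optional[dict]:
        """Look up the binding behind an authentication identifier (used by later steps)."""
        return self.tokens.get(token)
```

Two points worth noticing when running it: a user present in both sources with different passwords is decided by the higher-priority source alone, so source priority is a security setting, not a tuning knob; and the single "authentication failed" message for an unknown tenant, an unknown user and a wrong password keeps the endpoint from confirming which accounts exist.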
Example two
Fig. 3 is a flowchart of an authentication method applied to a cloud service according to a second embodiment of the present invention, which may be combined with various optional solutions in one or more embodiments of the present invention. Accordingly, as shown in fig. 3, the method of the present embodiment may include:
Step 210, configuring a matched docking interface according to the type of each authentication source, and configuring mutual trust association information between a user and a tenant through the docking interface;
the mutual trust association information between the user and the tenant can be that the user is trusted by another tenant, or all users under the tenant are trusted by another tenant.
In the embodiment of the invention, mutual trust association information between the user and the tenant can be dynamically added or deleted through the docking interface of the authentication system. For example, it may be set that a certain user or some users under a tenant are trusted by another tenant, or all users under a certain tenant are trusted by another tenant. It should be noted that, if the configured mutual trust association information is trust between tenants, the configured trust relationship may be unidirectional or bidirectional, that is, mutual trust.
Step 220, acquiring authentication associated information input by the target user.
Step 230, confirming a plurality of authentication sources registered by the tenant name according to the tenant name.
Step 240, sequentially calling the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
Step 250, inquiring the tenant name corresponding to the target user according to the authentication identifier, and establishing a first tenant name list according to the tenant name corresponding to the target user.
The first tenant name list may be a list constructed from the tenant names queried according to the authentication identifier.
In the embodiment of the invention, if the authentication system successfully authenticates the user name and the password of the target user by calling the docking interfaces of the authentication sources, the tenant name corresponding to the target user can be looked up in the tenant name, user name and associated user information bound to the authentication identifier generated during authentication, and the first tenant name list is established from that tenant name.
Step 260, comparing the first tenant name list with a second tenant name list; and the second tenant name list comprises tenant names corresponding to the clients.
The second tenant name list may be a list constructed according to the tenant name to which the client belongs.
Accordingly, after establishing the first tenant name list, the authentication system may compare the first tenant name list with the second tenant name list.
Step 270, judging whether the first tenant name list is consistent with the second tenant name list, if so, executing step 280, otherwise, executing step 290.
Step 280, returning the tenant name, the user name and the associated user information of the target user to the target user.
Specifically, if the authentication system determines that the first tenant name list is consistent with the second tenant name list, information such as the tenant name of the target user, the user name, and associated user information of the target user may be returned to the target user.
Optionally, the user name returned to the target user may carry a tenant name suffix to uniquely identify the user ID (Identity document).
Step 290, judging whether a trust relationship exists between the user name and/or the first tenant name list and the second tenant name list; if so, executing step 280, otherwise executing step 2110.
Correspondingly, if the authentication system determines that the first tenant name list is inconsistent with the second tenant name list, it can further judge, according to the trust relationship configured through the docking interface and stored in the authentication system, whether a trust relationship exists between the user name of the target user and/or the first tenant name list and the second tenant name list. Specifically, it judges whether the target user is trusted by the second tenant name list, or whether the first tenant name list is trusted by the second tenant name list. If a trust relationship between the user name of the target user and/or the first tenant name list and the second tenant name list is determined to exist, information such as the tenant name, the user name and the associated user information of the target user is returned to the target user.
Step 2110, returning error information to the target user.
Correspondingly, if no trust relationship exists between the user name of the target user and/or the first tenant name list and the second tenant name list, error reporting information is returned to the target user.
According to the embodiment of the invention, the trust relationship between the users is managed, so that the fine-grained trust relationship can be controlled for each tenant and each user.
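Steps 250 to 2110 above (restated later for the mutual trust management module of example four and for the processor of example five) can be made concrete in working code. The following is an added example written for this page, not code from the patent or its assignee. The "@" character used as the tenant-name suffix separator, the representation of the pre-stored trust relationship list as two sets (tenant-level and user-level entries), and the rule that every client tenant outside the user's own tenant must trust either that tenant or that particular user are assumptions made for the example:

```python
"""Added example (not the patent's code): tenant-list comparison and trust check
performed after a successful authentication (steps 250 to 2110)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple


def user_id(user: str, tenant: str) -> str:
    """User name carrying the tenant-name suffix; the '@' separator is an assumption."""
    return f"{user}@{tenant}"


@dataclass
class TrustStore:
    """Pre-stored trust relationship list, populated through the docking interface."""
    # (trusting tenant, trusted tenant): all users of the trusted tenant may use
    # the trusting tenant's clients. A one-way entry is a unidirectional trust.
    tenant_trusts: Set[Tuple[str, str]] = field(default_factory=set)
    # (trusting tenant, suffixed user name): one named user is trusted.
    user_trusts: Set[Tuple[str, str]] = field(default_factory=set)

    def trust_tenant(self, trusting: str, trusted: str, bidirectional: bool = False) -> None:
        self.tenant_trusts.add((trusting, trusted))
        if bidirectional:                      # mutual trust is two unidirectional entries
            self.tenant_trusts.add((trusted, trusting))

    def trust_user(self, trusting: str, suffixed_user: str) -> None:
        self.user_trusts.add((trusting, suffixed_user))

    def revoke_user(self, trusting: str, suffixed_user: str) -> None:
        self.user_trusts.discard((trusting, suffixed_user))


class MutualTrustManager:
    """Compares the first and second tenant name lists, then consults the trust store."""

    def __init__(self, sessions: Dict[str, dict], trust: TrustStore):
        # sessions: authentication identifier -> {"tenant", "user", "info"} bound at login
        self.sessions = sessions
        self.trust = trust

    def resolve(self, auth_id: str, client_tenants: Iterable[str]) -> dict:
        rec = self.sessions.get(auth_id)
        if rec is None:
            return {"error": "unknown authentication identifier"}
        first = {rec["tenant"]}              # first tenant name list (from the bound record)
        second = set(client_tenants)         # second tenant name list (the client's tenants)
        if not second:
            return {"error": "client is not bound to any tenant"}
        uid = user_id(rec["user"], rec["tenant"])
        if first == second:
            allowed = True                   # step 270: lists consistent -> step 280
        else:
            # Step 290 (assumed rule): every client tenant outside the user's own tenant
            # must trust either the user's whole tenant or this particular user.
            allowed = all(
                (t, rec["tenant"]) in self.trust.tenant_trusts
                or (t, uid) in self.trust.user_trusts
                for t in second - first
            )
        if not allowed:
            return {"error": "no trust relationship for this user or tenant"}   # step 2110
        # Step 280: user name returned with tenant suffix so the ID is unique across tenants.
        return {"tenant": rec["tenant"], "user": uid, "info": dict(rec.get("info", {}))}
```

Keeping the trust list as explicit (trusting, trusted) pairs makes a unidirectional relationship the default and bidirectional trust an explicit choice, which is what an auditor reviewing cross-tenant access wants to see; revocation is a set removal that takes effect on the next resolve.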
Example three
Fig. 4 is a flowchart of an authentication method applied to a cloud service according to a third embodiment of the present invention, which may be combined with various optional solutions in one or more embodiments of the present invention, and in this embodiment, a specific flow is given in which a client accesses an authentication system and implements single sign-on through the authentication system. Correspondingly, as shown in fig. 4, the method of this embodiment may include:
Step 310, the user agent sends an access request to the client to request the content of the client.
Step 320, the client feeds back the login page of the authentication system to the user agent.
Step 330, the user agent sends a login request to the authentication system.
Step 340, the authentication system responds to the login request.
Step 350, the user agent inputs information such as the tenant name, the user name and the password of the target user.
Step 360, the multi-authentication-source authentication module in the authentication system authenticates the user name and the password according to the tenant name. When the authentication is successful, an authentication identifier is generated. A cookie (data stored on the user's local terminal) is also set to record the current login status. Meanwhile, a one-time authentication identifier is appended to the URL (Uniform Resource Locator) of the client.
Step 370, the target user successfully logs in the client.
Step 380, the authentication system requests the client to obtain the user association information through the mutual trust management module once or multiple times.
Step 390, the mutual trust module returns the user association information to the target user.
The user association information may include, but is not limited to, a user name, a tenant name, a password, and associated user information.
Step 3110, the client sets a cookie to record the current login status and feeds back the client content page to the user agent.
Step 3120, the user agent accesses a client content page.
Step 3130, the client authenticates the cookie and responds to the user agent's access request.
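The exchange in steps 310 to 3130 (login at the authentication system, a one-time authentication identifier appended to the client URL, the client fetching the user association information and then setting its own cookie) can be simulated with both sides in one script. This is an added example written for this page, not the patent's implementation; the 60-second ticket lifetime, the `ticket` query parameter name, the binding of a ticket to the client URL it was issued for, and the in-memory stores are assumptions:

```python
"""Added example (not the patent's code): single sign-on exchange with a one-time
authentication identifier carried in the client URL and redeemed server-side."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL = 60.0   # seconds; the one-time identifier is deliberately short-lived (assumption)


@dataclass
class Ticket:
    auth_id: str      # the longer-lived authentication identifier held by the auth system
    client: str       # client URL this ticket was issued for
    expires: float
    used: bool = False


class AuthSystem:
    """Authentication system side: login sets its own cookie and issues a one-time ticket."""

    def __init__(self):
        self.sessions: Dict[str, dict] = {}   # authentication identifier -> user association info
        self.cookies: Dict[str, str] = {}     # auth-system cookie value -> authentication identifier
        self.tickets: Dict[str, Ticket] = {}  # one-time identifier -> Ticket

    def login(self, tenant: str, user: str, info: dict, client_url: str,
              now: Optional[float] = None):
        """Step 360: returns (auth-system cookie, redirect URL carrying the ticket)."""
        now = time.time() if now is None else now
        auth_id = secrets.token_urlsafe(32)
        self.sessions[auth_id] = {"tenant": tenant, "user": f"{user}@{tenant}", **info}
        cookie = secrets.token_urlsafe(32)              # records login state at the auth system
        self.cookies[cookie] = auth_id
        ticket = secrets.token_urlsafe(32)              # one-time identifier for the client
        self.tickets[ticket] = Ticket(auth_id, client_url, now + TICKET_TTL)
        return cookie, f"{client_url}?{urlencode({'ticket': ticket})}"

    def redeem(self, ticket: str, client_url: str, now: Optional[float] = None) -> Optional[dict]:
        """Steps 380/390 (mutual trust module): exchange a ticket for user association info."""
        now = time.time() if now is None else now
        t = self.tickets.get(ticket)
        if t is None or t.used or t.expires <= now or t.client != client_url:
            return None                                 # unknown, replayed, expired or wrong client
        t.used = True                                   # single use: a second redemption fails
        return dict(self.sessions[t.auth_id])


class Client:
    """Client side: consumes the redirect, fetches user info, sets its own cookie."""

    def __init__(self, url: str, auth: AuthSystem):
        self.url = url
        self.auth = auth
        self.cookies: Dict[str, dict] = {}    # client cookie value -> user association info

    def handle_redirect(self, redirect_url: str, now: Optional[float] = None) -> Optional[str]:
        parsed = urlparse(redirect_url)
        base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        ticket = parse_qs(parsed.query).get("ticket", [None])[0]
        if ticket is None or base != self.url:
            return None
        info = self.auth.redeem(ticket, self.url, now)
        if info is None:
            return None
        cookie = secrets.token_urlsafe(32)    # step 3110: fresh session value, unrelated to the ticket
        self.cookies[cookie] = info
        return cookie

    def serve(self, cookie: str) -> Optional[dict]:
        """Step 3130: the client authenticates its own cookie before serving content."""
        return self.cookies.get(cookie)
```

The properties worth checking in any implementation of this flow are visible here: the ticket in the URL is single-use, expires quickly and is only accepted by the client it was issued for, so a ticket copied from a browser history or a referrer header is useless after redemption; and the client session cookie is an independent random value rather than the ticket itself. In a real deployment that cookie would also carry the Secure and HttpOnly attributes.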
The embodiment of the invention improves the flexibility of multi-tenant authentication by docking a plurality of authentication sources that provide different interfaces, configuring the authentication sources under each tenant with the tenant as the unit, and managing whether a user in an authentication source configured for one tenant can pass authentication in the clients of other tenants, thereby meeting the authentication control requirements of multiple tenants.
It should be noted that any permutation and combination between the technical features in the above embodiments also belong to the scope of the present invention.
Example four
Fig. 5 is a schematic diagram of an authentication apparatus applied to a cloud service according to a fourth embodiment of the present invention, and as shown in fig. 5, the authentication apparatus includes: an authentication association information obtaining module 410, an authentication source confirming module 420 and an information authentication module 430, wherein:
an authentication associated information obtaining module 410, configured to obtain authentication associated information input by a target user; the authentication associated information comprises a tenant name, a user name and a password of a target user; the tenant name comprises at least one user name;
an authentication source confirmation module 420, configured to confirm, according to the tenant name, a plurality of authentication sources registered by the tenant name;
and the information authentication module 430 is configured to sequentially invoke the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
By obtaining the authentication associated information input by the target user, which at least comprises the tenant name, the user name and the password of the target user, confirming the multiple authentication sources registered under the tenant name according to the tenant name, and sequentially calling the docking interfaces of those authentication sources to authenticate the user name and the password of the target user, the apparatus solves the problem that a conventional authentication system cannot perform fine-grained trust relationship control for each tenant and user, improves the flexibility of multi-tenant authentication, and meets the authentication control requirements of multiple tenants.
Optionally, the apparatus further comprises: the docking interface configuration module is used for configuring matched docking interfaces according to the types of the authentication sources; wherein, the docking interface is used for configuring authentication source information.
Optionally, the information authentication module 430 includes: the authentication source sequencing unit is used for sequencing the authentication sources according to the priority attribute information of the authentication sources; and the information authentication unit is used for sequentially calling the docking interfaces of the authentication sources according to the sequencing result to authenticate the user name and the password of the target user.
Optionally, the information authentication unit is specifically configured to verify a user name and a password of the target user according to a docking interface of the current authentication source; if the user name is confirmed to be matched with the password, recording the tenant name and the user name of the target user and the associated user information of the target user, generating an authentication identifier according to a preset authentication protocol, and establishing a binding relationship between the authentication identifier and the tenant name and the user name of the target user and the associated user information of the target user; otherwise, taking the next authentication source as the current authentication source, and returning to execute the operation of verifying the user name and the password of the target user according to the docking interface of the current authentication source; and if all the authentication sources are determined not to pass the verification, returning error information to the target user.
Optionally, the apparatus further comprises: and the information caching module is used for caching the verification results of the user name and the password.
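The priority-ordered, sequential verification described for the information authentication module 430 and the caching of verification results by the information caching module (the same caching point is made in the first embodiment's remark on network overhead, and both are restated for the processor in example five) can be shown in working code. The following is an added example written for this page, not code from the patent or its assignee. The docking interface is modelled as a plain callable, the priority ordering (lower value tried first), the cache lifetime, the keyed-digest cache key and the in-memory authentication sources are all assumptions:

```python
"""Added example (not the patent's code): sequential multi-source authentication in
priority order, with a bounded cache of positive verification results."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical "docking interface": any callable taking (user, password) -> bool.
Verifier = Callable[[str, str], bool]


@dataclass(order=True)
class AuthSource:
    priority: int                                  # lower value is tried first (assumption)
    name: str
    verify: Verifier = field(compare=False)
    calls: int = field(default=0, compare=False)   # instrumented so cache hits are observable


def make_source(name: str, priority: int, users: Dict[str, str]) -> AuthSource:
    """Constructed in-memory authentication source; stores salted PBKDF2 digests, not passwords."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000))
    src = AuthSource(priority, name, lambda u, p: False)

    def verify(user: str, password: str) -> bool:
        src.calls += 1
        rec = records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(digest, candidate)

    src.verify = verify
    return src


class MultiSourceAuthenticator:
    """Tries each of a tenant's sources in priority order and caches successes only."""

    def __init__(self, cache_ttl: float = 300.0):
        self.sources: Dict[str, List[AuthSource]] = {}    # tenant name -> registered sources
        self.cache_key = secrets.token_bytes(32)           # per-process key for cache digests
        self.cache: Dict[str, Tuple[float, str]] = {}      # digest -> (expiry, source name)
        self.cache_ttl = cache_ttl
        self.sessions: Dict[str, dict] = {}                # authentication identifier -> binding

    def register(self, tenant: str, source: AuthSource) -> None:
        self.sources.setdefault(tenant, []).append(source)

    def _cache_key_for(self, tenant: str, user: str, password: str) -> str:
        # The cache holds only a keyed digest of the credential tuple, never the password.
        msg = f"{tenant}\0{user}\0{password}".encode()
        return hmac.new(self.cache_key, msg, "sha256").hexdigest()

    def authenticate(self, tenant: str, user: str, password: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Returns an authentication identifier on success, None when every source rejects."""
        now = time.time() if now is None else now
        sources = self.sources.get(tenant)
        if not sources:
            return None                          # unknown tenant: no source to ask
        key = self._cache_key_for(tenant, user, password)
        hit = self.cache.get(key)
        if hit is not None and hit[0] > now:
            return self._bind(tenant, user, hit[1])   # cached result: no source is contacted
        self.cache.pop(key, None)                # drop an expired entry
        for src in sorted(sources):              # order by the priority attribute
            if src.verify(user, password):
                self.cache[key] = (now + self.cache_ttl, src.name)   # successes only
                return self._bind(tenant, user, src.name)
        return None                              # all sources failed: caller returns an error

    def _bind(self, tenant: str, user: str, source_name: str) -> str:
        auth_id = secrets.token_urlsafe(32)      # authentication identifier, unguessable
        self.sessions[auth_id] = {"tenant": tenant, "user": user, "source": source_name}
        return auth_id
```

Two design choices matter for the cache the embodiment describes: only successful verifications are cached, so a wrong password is always re-checked at the sources and a cached failure can never lock a legitimate user out; and the cache is keyed by an HMAC of the credential tuple rather than by the credentials, so a dump of the cache does not expose passwords. The trade-off is that a password change or account disablement at a source is not seen until the entry expires, which argues for a short lifetime or explicit invalidation on such events.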
Optionally, the apparatus further comprises: and the mutual trust correlation information configuration module is used for configuring mutual trust correlation information between the user and the tenant through the docking interface.
Optionally, the apparatus further comprises: the mutual trust management module is used for inquiring the tenant name corresponding to the target user according to the authentication identification and establishing a first tenant name list according to the tenant name corresponding to the target user; comparing the first tenant name list with a second tenant name list; the second tenant name list comprises tenant names corresponding to clients; if the first tenant name list is determined to be consistent with the second tenant name list, returning the tenant name, the user name and the associated user information of the target user to the target user; otherwise, judging whether the user name and/or the first tenant name list and the second tenant name list have a trust relationship according to a pre-stored trust relationship list, if so, returning the tenant name, the user name and associated user information of the target user to the target user; otherwise, returning error information to the target user; and the user name returned to the target user carries a tenant name suffix.
The authentication device applied to the cloud service can execute the authentication method applied to the cloud service provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to an authentication method applied to a cloud service provided in any embodiment of the present invention.
Since the authentication apparatus applied to the cloud service described above is an apparatus capable of executing the authentication method applied to the cloud service in the embodiment of the present invention, a person skilled in the art can, on the basis of that method, understand the specific implementation of the apparatus and its various variations; how the apparatus implements the method is therefore not described in detail here. Any device that a person skilled in the art uses to implement the authentication method applied to the cloud service in the embodiment of the present invention is within the scope of the present application.
Example five
Fig. 6 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention. FIG. 6 illustrates a block diagram of a computer device 512 suitable for use in implementing embodiments of the present invention. The computer device 512 shown in FIG. 6 is only an example and should not bring any limitations to the functionality or scope of use of embodiments of the present invention.
As shown in FIG. 6, computer device 512 is in the form of a general purpose computing device. Components of computer device 512 may include, but are not limited to: one or more processors 516, a storage device 528, and a bus 518 that couples the various system components including the storage device 528 and the processors 516.
Bus 518 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer device 512 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by computer device 512 and includes both volatile and nonvolatile media, removable and non-removable media.
Storage 528 may include computer system readable media in the form of volatile Memory, such as Random Access Memory (RAM) 530 and/or cache Memory 532. The computer device 512 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 534 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 6, and commonly referred to as a "hard drive"). Although not shown in FIG. 6, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a Compact disk-Read Only Memory (CD-ROM), a Digital Video disk (DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to bus 518 through one or more data media interfaces. Storage 528 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Program 536 having a set (at least one) of program modules 526 may be stored, for example, in storage 528, such program modules 526 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination may include an implementation of a network environment. Program modules 526 generally perform the functions and/or methodologies of the described embodiments of the invention.
Computer device 512 may also communicate with one or more external devices 514 (e.g., keyboard, pointing device, camera, display 524, etc.), with one or more devices that enable a user to interact with computer device 512, and/or with any devices (e.g., network card, modem, etc.) that enable computer device 512 to communicate with one or more other computing devices. Such communication may be through an Input/Output (I/O) interface 522. Further, computer device 512 may also communicate with one or more networks (e.g., a Local Area Network (LAN), Wide Area Network (WAN), and/or a public Network, such as the internet) via Network adapter 520. As shown, the network adapter 520 communicates with the other modules of the computer device 512 via the bus 518. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the computer device 512, including but not limited to: microcode, device drivers, Redundant processing units, external disk drive arrays, disk array (RAID) systems, tape drives, and data backup storage systems, to name a few.
The processor 516 executes various functional applications and data processing by executing programs stored in the storage 528, for example, implementing the authentication method applied to the cloud service provided by the above-described embodiment of the present invention.
That is, the processing unit implements, when executing the program: acquiring authentication associated information input by a target user; the authentication associated information comprises a tenant name, a user name and a password of a target user; the tenant name comprises at least one user name; confirming a plurality of authentication sources registered by the tenant name according to the tenant name; and sequentially calling the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
On the basis of the above embodiments, the processor 516 is configured to complete the operation performed before acquiring the authentication association information input by the target user by:
configuring a matched docking interface according to the type of each authentication source; wherein, the docking interface is used for configuring authentication source information.
On the basis of the foregoing embodiments, the processor 516 is configured to sequentially invoke the docking interfaces of the authentication sources to authenticate the user name and the password of the target user, by: sequencing the authentication sources according to the priority attribute information of the authentication sources; and sequentially calling the docking interfaces of the authentication sources according to the sequencing result to authenticate the user name and the password of the target user.
On the basis of the foregoing embodiments, the processor 516 is configured to sequentially invoke the docking interfaces of the authentication sources to authenticate the user name and the password of the target user, by: verifying the user name and the password of the target user according to the docking interface of the current authentication source; if the user name is confirmed to be matched with the password, recording the tenant name and the user name of the target user and the associated user information of the target user, generating an authentication identifier according to a preset authentication protocol, and establishing a binding relationship between the authentication identifier and the tenant name and the user name of the target user and the associated user information of the target user; otherwise, taking the next authentication source as the current authentication source, and returning to execute the operation of verifying the user name and the password of the target user according to the docking interface of the current authentication source; and if all the authentication sources are determined not to pass the verification, returning error information to the target user.
On the basis of the above embodiments, the processor 516 is configured to complete the operation after confirming that the user name and the password match by: and caching the verification results of the user name and the password.
On the basis of the above embodiments, the processor 516 is configured to complete the operation before acquiring the authentication association information input by the target user by: and configuring mutual trust association information between the user and the tenant through the docking interface.
On the basis of the above embodiments, the processor 516 is configured to perform the following operations after generating the authentication identifier according to the preset authentication protocol: inquiring the tenant name corresponding to the target user according to the authentication identification, and establishing a first tenant name list according to the tenant name corresponding to the target user; comparing the first tenant name list with a second tenant name list; the second tenant name list comprises tenant names corresponding to clients; if the first tenant name list is determined to be consistent with the second tenant name list, returning the tenant name, the user name and the associated user information of the target user to the target user; otherwise, judging whether the user name and/or the first tenant name list and the second tenant name list have a trust relationship according to a pre-stored trust relationship list, if so, returning the tenant name, the user name and associated user information of the target user to the target user; otherwise, returning error information to the target user; and the user name returned to the target user carries a tenant name suffix.
Example six
An embodiment of the present invention further provides a computer storage medium storing a computer program, where the computer program is used to execute the authentication method applied to the cloud service according to any one of the above embodiments of the present invention when executed by a computer processor: acquiring authentication associated information input by a target user; the authentication associated information comprises a tenant name, a user name and a password of a target user; the tenant name comprises at least one user name; confirming a plurality of authentication sources registered by the tenant name according to the tenant name; and sequentially calling the docking interfaces of the authentication sources to authenticate the user name and the password of the target user.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read Only Memory (ROM), an Erasable Programmable Read Only Memory (EPROM) or flash Memory, an optical fiber, a portable compact disc Read Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (15)

1. An authentication method applied to a cloud service, comprising:
acquiring authentication associated information input by a target user; the target user is a user logging in a client, and the authentication associated information comprises a tenant name, a user name and a password of the target user; the tenant name comprises at least one user name;
confirming a plurality of authentication sources registered by the tenant name according to the tenant name;
sequentially calling a docking interface of each authentication source to authenticate the user name and the password of the target user;
inquiring a tenant name corresponding to the target user according to the authentication identifier, and establishing a first tenant name list according to the tenant name corresponding to the target user; the authentication identification is generated according to a preset authentication protocol when the user name is confirmed to be matched with the password, and a binding relationship is established among the authentication identification, the tenant name of the target user, the user name and the associated user information of the target user;
comparing the first tenant name list with a second tenant name list; the second tenant name list comprises tenant names corresponding to clients;
if the first tenant name list is determined to be consistent with the second tenant name list, returning the tenant name, the user name and the associated user information of the target user to the target user; otherwise, judging whether the user name and/or the first tenant name list and the second tenant name list have a trust relationship according to a pre-stored trust relationship list, if so, returning the tenant name, the user name and associated user information of the target user to the target user; and the associated user information of the target user is the associated information of the target user stored in the authentication source.
2. The method according to claim 1, wherein before the obtaining the authentication association information input by the target user, the method comprises:
configuring a matched docking interface according to the type of each authentication source;
wherein, the docking interface is used for configuring authentication source information.
3. The method of claim 2, wherein the sequentially calling the docking interface of each authentication source to authenticate the user name and the password of the target user comprises:
sequencing the authentication sources according to the priority attribute information of the authentication sources;
and sequentially calling the docking interfaces of the authentication sources according to the sequencing result to authenticate the user name and the password of the target user.
4. The method according to claim 3, wherein the sequentially invoking the docking interfaces of the authentication sources according to the sorting result to authenticate the user name and the password of the target user comprises:
verifying the user name and the password of the target user according to the docking interface of the current authentication source;
if the user name is confirmed to be matched with the password, recording the tenant name and the user name of the target user and the associated user information of the target user, generating an authentication identifier according to a preset authentication protocol, and establishing a binding relationship between the authentication identifier and the tenant name and the user name of the target user and the associated user information of the target user;
otherwise, taking the next authentication source as the current authentication source, and returning to execute the operation of verifying the user name and the password of the target user according to the docking interface of the current authentication source;
and if all the authentication sources are determined not to pass the verification, returning error information to the target user.
5. The method according to claim 4, further comprising, after confirming that the user name and the password match:
and caching the verification results of the user name and the password.
6. The method according to claim 4, wherein before the obtaining the authentication association information input by the target user, the method comprises:
configuring mutual trust association information between the user and the tenants through the docking interface, wherein the mutual trust association information between the user and the tenants comprises that one user under one tenant is trusted by another tenant or all users under one tenant are trusted by another tenant.
7. The method according to claim 1, wherein the user name returned to the target user carries a tenant name suffix;
after comparing the first tenant name list with the second tenant name list, the method further comprises:
and if the first tenant name list is determined to be inconsistent with the second tenant name list and, according to the pre-stored trust relationship list, neither the user name nor the first tenant name list has a trust relationship with the second tenant name list, returning error information to the target user.
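The flow of claims 1 to 7 (priority-ordered authentication sources, a cached verification result, an authentication identifier bound to tenant, user name and associated user information, tenant-list comparison with a trust-list fallback, and a tenant-suffixed user name) as one runnable sketch. This is an added example, not code from the patent or the applicant; AuthSource, TrustRule, TenantAuthenticator, build_demo and the sample tenant and user data are constructed for illustration, and secrets.token_urlsafe stands in for whatever "preset authentication protocol" the claims refer to.

```python
"""Multi-source, multi-tenant login with tenant-list comparison and trust rules.

Added example, not the patent's own code: every class, function and sample
record below is constructed for illustration.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(order=True)
class AuthSource:
    """A registered authentication source; instances sort by priority.

    `verify` plays the role of the 'docking interface': it returns the user's
    associated information stored in the source on success, else None."""
    priority: int
    name: str = field(compare=False)
    verify: Callable[[str, str], Optional[dict]] = field(compare=False)


@dataclass(frozen=True)
class TrustRule:
    """Entry of the trust relationship list (claim 6): user_name=None means every
    user under trusted_tenant is trusted by trusting_tenant, else only that user."""
    trusted_tenant: str
    trusting_tenant: str
    user_name: Optional[str] = None


class TenantAuthenticator:
    def __init__(self, sources_by_tenant: Dict[str, List[AuthSource]],
                 trust_rules: List[TrustRule], cache_ttl: float = 300.0):
        self._sources = sources_by_tenant
        self._trust = trust_rules
        self._ttl = cache_ttl
        # authentication identifier -> (tenant, user, associated info)
        self._bindings: Dict[str, Tuple[str, str, dict]] = {}
        # (tenant, user, digest) -> (expiry, associated info); successes only
        self._cache: Dict[Tuple[str, str, str], Tuple[float, dict]] = {}

    @staticmethod
    def _cache_key(tenant: str, user: str, password: str) -> Tuple[str, str, str]:
        # Key the cache on a digest so the plaintext password is not retained.
        digest = hashlib.sha256(f"{tenant}\0{user}\0{password}".encode()).hexdigest()
        return (tenant, user, digest)

    def authenticate(self, tenant: str, user: str, password: str) -> dict:
        """Claims 1, 3, 4, 5: try each source in priority order, bind an identifier."""
        sources = self._sources.get(tenant)
        if not sources:
            return {"error": "unknown tenant"}
        key = self._cache_key(tenant, user, password)
        cached = self._cache.get(key)
        if cached is not None and cached[0] > time.monotonic():
            info: Optional[dict] = cached[1]
        else:
            info = None
            for source in sorted(sources):  # lowest priority value first
                info = source.verify(user, password)
                if info is not None:
                    self._cache[key] = (time.monotonic() + self._ttl, info)
                    break
        if info is None:
            return {"error": "authentication failed at every source"}
        token = secrets.token_urlsafe(32)  # stand-in for the 'preset authentication protocol'
        self._bindings[token] = (tenant, user, info)
        return {"token": token}

    def resolve(self, token: str, client_tenants: List[str]) -> dict:
        """Claims 1 and 7: compare the two tenant lists, then fall back to trust rules."""
        binding = self._bindings.get(token)
        if binding is None:
            return {"error": "unknown authentication identifier"}
        tenant, user, info = binding
        first_list = [tenant]                 # tenant(s) bound to the identifier
        second_list = sorted(client_tenants)  # tenant(s) the client belongs to
        if first_list == second_list or self._trusted(tenant, user, second_list):
            return {"tenant": tenant, "user": f"{user}@{tenant}", "info": info}
        return {"error": "tenant mismatch and no trust relationship"}

    def _trusted(self, tenant: str, user: str, client_tenants: List[str]) -> bool:
        return any(rule.trusted_tenant == tenant
                   and rule.trusting_tenant in client_tenants
                   and rule.user_name in (None, user)
                   for rule in self._trust)


# Constructed sample data; a real source would store password hashes, not plaintext.
_DIRECTORY_USERS = {"bob": ("hunter2", {"dept": "ops"})}
_LOCAL_USERS = {"alice": ("s3cret", {"email": "alice@example.test"})}


def _table_source(table: Dict[str, Tuple[str, dict]]) -> Callable[[str, str], Optional[dict]]:
    def verify(user: str, password: str) -> Optional[dict]:
        entry = table.get(user)
        if entry is None or not secrets.compare_digest(entry[0].encode(), password.encode()):
            return None
        return dict(entry[1])
    return verify


def build_demo() -> TenantAuthenticator:
    sources = {"tenant-a": [AuthSource(2, "local", _table_source(_LOCAL_USERS)),
                            AuthSource(1, "directory", _table_source(_DIRECTORY_USERS))]}
    trust = [TrustRule("tenant-a", "tenant-b", "alice"),  # only alice is trusted by tenant-b
             TrustRule("tenant-a", "tenant-c")]           # every tenant-a user is trusted by tenant-c
    return TenantAuthenticator(sources, trust)


if __name__ == "__main__":
    auth = build_demo()
    token = auth.authenticate("tenant-a", "bob", "hunter2")["token"]
    print(auth.resolve(token, ["tenant-a"]), auth.resolve(token, ["tenant-b"]))
```

Two design points worth noting: only successful verifications are cached, keyed on a digest with a TTL, so a failed attempt always goes back to the sources and the plaintext password is not held in memory; and the trust check is evaluated only after the tenant lists differ, so a client of tenant-b can obtain bob's information only if a rule explicitly names bob or all of tenant-a.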
8. A computer device comprising a processor and a memory for storing a computer program that, when executed, causes the processor to:
acquiring authentication associated information input by a target user; the target user is a user logging in a client, and the authentication associated information comprises a tenant name, a user name and a password of the target user; the tenant name comprises at least one user name;
confirming a plurality of authentication sources registered by the tenant name according to the tenant name;
sequentially calling a docking interface of each authentication source to authenticate the user name and the password of the target user;
inquiring a tenant name corresponding to the target user according to the authentication identifier, and establishing a first tenant name list according to the tenant name corresponding to the target user; the authentication identification is generated according to a preset authentication protocol when the user name is confirmed to be matched with the password, and a binding relationship is established among the authentication identification, the tenant name of the target user, the user name and the associated user information of the target user;
comparing the first tenant name list with a second tenant name list; the second tenant name list comprises tenant names corresponding to clients;
if the first tenant name list is determined to be consistent with the second tenant name list, returning the tenant name, the user name and the associated user information of the target user to the target user; otherwise, judging whether the user name and/or the first tenant name list and the second tenant name list have a trust relationship according to a pre-stored trust relationship list, if so, returning the tenant name, the user name and associated user information of the target user to the target user; and the associated user information of the target user is the associated information of the target user stored in the authentication source.
9. The computer device of claim 8, wherein, before obtaining the authentication association information input by the target user, the processor is further configured to:
configuring a matched docking interface according to the type of each authentication source;
wherein the docking interface is used for configuring authentication source information.
10. The computer device of claim 9, wherein the processor is configured to sequentially invoke the docking interfaces of the authentication sources to authenticate the username and password of the target user by:
sequencing the authentication sources according to the priority attribute information of the authentication sources;
and sequentially calling the docking interfaces of the authentication sources according to the sequencing result to authenticate the user name and the password of the target user.
11. The computer device of claim 10, wherein the processor is configured to sequentially invoke the docking interfaces of the authentication sources to authenticate the username and password of the target user by:
verifying the user name and the password of the target user according to the docking interface of the current authentication source;
if the user name is confirmed to be matched with the password, recording the tenant name and the user name of the target user and the associated user information of the target user, generating an authentication identifier according to a preset authentication protocol, and establishing a binding relationship between the authentication identifier and the tenant name and the user name of the target user and the associated user information of the target user;
otherwise, taking the next authentication source as the current authentication source, and returning to execute the operation of verifying the user name and the password of the target user according to the docking interface of the current authentication source;
and if all the authentication sources are determined not to pass the verification, returning error information to the target user.
12. The computer device of claim 11, wherein, after confirming that the user name and the password match, the processor is further configured to:
and caching the verification results of the user name and the password.
13. The computer device of claim 11, wherein, before obtaining the authentication association information input by the target user, the processor is further configured to:
configuring mutual trust association information between the user and the tenants through the docking interface, wherein the mutual trust association information between the user and the tenants comprises that one user under one tenant is trusted by another tenant or all users under one tenant are trusted by another tenant.
14. The computer device of claim 8, wherein a user name returned by the processor to the target user carries a tenant name suffix;
and the processor is further configured, after comparing the first tenant name list with the second tenant name list, to:
if the first tenant name list is determined to be inconsistent with the second tenant name list and, according to the pre-stored trust relationship list, neither the user name nor the first tenant name list has a trust relationship with the second tenant name list, return error information to the target user.
15. A computer storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the authentication method applied to a cloud service according to any one of claims 1 to 7.
CN201910936314.5A 2019-09-29 2019-09-29 Authentication method applied to cloud service, computer equipment and storage medium Active CN110691089B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910936314.5A CN110691089B (en) 2019-09-29 2019-09-29 Authentication method applied to cloud service, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110691089A CN110691089A (en) 2020-01-14
CN110691089B true CN110691089B (en) 2020-08-11

Family

ID=69111058

Country Status (1)

Country Link
CN (1) CN110691089B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111984965A (en) * 2020-08-31 2020-11-24 成都安恒信息技术有限公司 Multi-source user management authentication system and method based on operation and maintenance audit system
CN112434041A (en) * 2020-11-30 2021-03-02 中国人寿保险股份有限公司 Cross-tenant and cross-bucket retrieval method, device, medium and equipment based on index alias
CN115913793B (en) * 2023-03-09 2023-05-30 浪潮电子信息产业股份有限公司 Security authentication method, system, electronic device, distributed storage system and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103780580A (en) * 2012-10-23 2014-05-07 中国电信股份有限公司 Method, server and system for providing capability access strategy
CN108471395A (en) * 2017-02-23 2018-08-31 华为技术有限公司 Realize method, apparatus, cloud computing system and the computer system of certification/mandate

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8336089B1 (en) * 2007-12-21 2012-12-18 Emc Corporation Method and apparatus for providing authentication and encryption services by a software as a service platform
CN102970308B (en) * 2012-12-21 2016-08-10 北京网康科技有限公司 A kind of user authen method and server
US10044723B1 (en) * 2015-06-30 2018-08-07 EMC IP Holding Company LLC Principal/user operation in the context of a tenant infrastructure
CN105847239A (en) * 2016-03-17 2016-08-10 汉柏科技有限公司 User authentication manner determining method and device
CN109417557B (en) * 2016-06-06 2021-11-09 伊鲁米那股份有限公司 Method, system, and computer readable medium for authenticating a client accessing a hosted application
CN107483406A (en) * 2017-07-17 2017-12-15 北京捷通华声科技股份有限公司 A kind of method for authenticating user identity and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 200233 11-12 / F, building B, 88 Hongcao Road, Xuhui District, Shanghai

Patentee after: Star link information technology (Shanghai) Co.,Ltd.

Address before: 200233 11-12 / F, building B, 88 Hongcao Road, Xuhui District, Shanghai

Patentee before: TRANSWARP TECHNOLOGY (SHANGHAI) Co.,Ltd.