CN111294364B - Campus digital information system - Google Patents

Info

Publication number
CN111294364B
Authority
CN
China
Prior art keywords
user
information
access
access management
session
Prior art date
Legal status
Active
Application number
CN202010355285.6A
Other languages
Chinese (zh)
Other versions
CN111294364A (en)
Inventor
黄希
聂贻俊
刘翼
Current Assignee
Chengdu Paiwo Zhitong Technology Co ltd
Original Assignee
Chengdu Paiwo Zhitong Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Chengdu Paiwo Zhitong Technology Co ltd
Priority to CN202010355285.6A
Publication of CN111294364A
Application granted
Publication of CN111294364B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • G06Q50/20 Education
    • G06Q50/205 Education administration or guidance

Abstract

The invention provides a campus digital information system comprising one or more client devices, one or more data centers, an identity authentication system, and an access management system, communicatively coupled to each other via a communication network. A client device is used by a user to initiate an access request and/or an impersonation request for one or more resources in the digital information system, the resources being distributed across one or more data centers. The access management system includes an access management server that performs authentication and authorization for access requests and/or impersonation requests; it is configured to authenticate users by comparing credentials provided by one or more users with user information stored in a data store. The system facilitates the management of student information and improves its confidentiality.

Description

Campus digital information system
Technical Field
The invention belongs to the technical field of education information management, and particularly relates to a campus digital information system.
Background
Campus information management is based on the Internet of Things, uses the various application service systems as its carrier, and fully integrates teaching, scientific research, administration and campus life. Network technology has brought convenience, but disorganized student information causes great inconvenience to a school's educational work. Student information management lets colleges, parents or companies retrieve the relevant information in time in order to review a student's study history as a reference for that student's future development. If the information is falsified, other students are treated unfairly; if it is kept on paper, storage space is a problem, usability falls, and the information cannot be preserved permanently. The Internet of Things is therefore applied to student information management: electronic files are uploaded, converted, signed and stored to form a secure campus digital information system. This makes student information convenient to manage, reduces the difficulty of management, improves its accuracy and confidentiality, prevents the information from being falsified by anyone, and avoids wasting human resources.
Disclosure of Invention
The invention aims to provide a campus digital information system to solve the problems in the background technology.
In order to achieve this purpose, the invention provides the following technical scheme: a campus digital information system comprising one or more client devices, one or more data centers, an identity authentication system, and an access management system, communicatively coupled to each other via a communication network; a client device is used by a user to initiate an access request and/or an impersonation request for one or more resources in the digital information system, the resources being distributed across one or more data centers;
the access management system comprises an access management server that performs authentication and authorization for access requests and/or impersonation requests and is configured to authenticate a user by comparing credentials provided by one or more users with user information stored in a data store; the access management server includes one or more of an authentication engine, an authorization engine, a policy manager, and an impersonation processor; the access management server is communicatively coupled to a network portal configured to intercept requests from client devices and redirect them to the access management server for processing;
the authentication engine is configured to authenticate the user by comparing one or more user-provided credentials with stored user credentials; the authorization engine is configured to perform authorization; the policy manager is configured to manage a set of policies that control access to resources within the digital information system; the impersonation processor is configured to communicate, according to the impersonation policy, with the particular identity authentication system associated with the impersonation process;
the identity authentication system operates one or more identity stores to perform the comparison of user credentials, the identity stores holding user information for the client devices, including the information used to authenticate users; the identity authentication system comprises a custody service part, a receiving service part, a certification service part, an information database and an original/certificate storage part.
Further, the access request and/or the impersonation request is created in response to a user's explicit request for a particular resource, or through the user's interaction with an application on the client device.
Further, the access management server creates a session for the user in response to successful authentication based on one or more user-provided credentials; session creation includes generating session information, a session ID and a session validity period, and associating the session with the user.
Further, the user information in the identity store also includes impersonation attributes: the time during which a particular user may be impersonated, which users may impersonate that user, the time during which the particular user may impersonate another user, and the resources accessed by the particular user during an impersonation session.
Further, the authorization engine is configured to perform authorization, which includes looking up the authorization policy applicable to the requested resource and determining whether that policy allows the user to access the requested resource.
Further, the custody service part receives the electronic files uploaded by the user from the client device and performs registration, storage, handover and disposal processing; the receiving service part is connected to the custody service part and receives and confirms the electronic files held in the custody service part, manages their state/history, prevents forgery/repudiation, and links and circulates the electronic files at handover; the certification service part is connected to the receiving service part and certifies, issues/reissues and manages certification information for the files output by the receiving service part and verifies the validity of certificates; the information database stores the information required by the identity authentication system; the original/certificate storage part holds the original and the certificate of each electronic file received by the identity authentication system from the client device.
Drawings
FIG. 1 is a schematic diagram of the overall structure of the digital information system according to the present invention;
FIG. 2 is a schematic structural diagram of the identity authentication system according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 is a simplified block diagram of a digital information system 10 according to an exemplary embodiment. The digital information system 10 is an integrated system that includes a plurality of systems communicatively coupled to each other via one or more communication networks 15. The digital information system in FIG. 1 includes one or more client devices 11, one or more data centers 18, an identity authentication system 12, and an access management system 13, communicatively coupled to each other via a communication network 15.
The communication network 15 facilitates communication between the various systems shown in FIG. 1. The communication network 15 may be of various types including, but not limited to, the Internet, a wide area network (WAN), a local area network (LAN), an Ethernet network, a public or private network, a wired network, a wireless network, and the like, and combinations thereof. Different communication protocols, wired and wireless, may be used to facilitate communication, and the communication network 15 may include any infrastructure that facilitates communication between the systems shown in FIG. 1.
Each of the systems and computing devices in fig. 1 may include data processing components (e.g., one or more processors) and one or more memory resources (e.g., volatile and/or non-volatile memory). The processor may include a single-core or multi-core processor. The processor may comprise a general purpose microprocessor, and memory resources may be provided for storing instructions and/or data associated with the operating system and applications or processes executed by the processor.
Client device 11 may be any computing device configured to initiate an impersonation request in the manner described herein. For example, the client device 11 may be a desktop or laptop computer running an application (e.g., a web browser) through which access requests and/or impersonation requests are sent to the access management system 13. An access request may be made in response to an explicit request by the user for a particular resource, or may be created by the user interacting with an application on the client device.
An application executing within the digital information system 10 may use and/or request access to one or more resources 18-1 through 18-N. These resources may be distributed virtually in the digital information system 10. For example, the plurality of resources 18-1 through 18-N may be distributed across one or more data centers 18 and may include protected resources and unprotected resources. Although only one data center 18 is depicted in fig. 1, the digital information system 10 may include multiple data centers, possibly in different geographic locations. Each data center may contain multiple types of resources. The access management system 13 may control the use and access of these resources.
The access management system 13 may include one or more computing devices responsible for performing authentication and authorization for access requests and/or impersonation requests. For example, it may include an access management server 50 configured to authenticate a user by comparing credentials provided by one or more users with stored user information. At least a portion of the authentication process may be delegated to the identity authentication system 12, as described below; in that case the identity authentication system 12 performs the comparison of user credentials on behalf of the access management server 50.
Some user credentials may be stored in a default identity store 16 accessible to the access management system 13. Other user credentials may be stored in a data store that is not accessible to the access management system 13; for example, the identity authentication system 12 may manage at least some user credentials. In response to successful authentication based on the credentials provided by one or more users, access management server 50 may create a session for the user. Session creation may include generating session information 17 (for example generating a session ID and determining a session validity period) and associating the session with the user.
The access management server 50 may be communicatively coupled to a network portal 14 configured to intercept requests (e.g., impersonation requests) from the client devices 11 and redirect them to the access management server 50 for processing. For example, an impersonation request may be initiated by the user's browser, intercepted by web portal 14, and, once web portal 14 determines that the request concerns a protected resource, redirected to access management server 50 for processing. There may be multiple web portals in communication with the same access management server, each intercepting requests for its respective resources.
The identity authentication system 12 may operate one or more identity stores 22, which store user information for the client devices 11. The user information in the identity store 22 may include information (e.g., username, password, and/or other credentials) for authenticating the user. The identity store 22 may include one or more directories, such as a Lightweight Directory Access Protocol (LDAP) directory. In some embodiments, identity store 22 may include information on the users of one or more organizations (e.g., school organizations and their children). The user information in the identity store 22 may also include impersonation attributes 24. Examples of impersonation attributes are whether a particular user may be impersonated, which users may impersonate that user, the time during which a particular user is allowed to impersonate another user, and which resources a particular user may access during an impersonation session. Thus, identity store 22 may also include impersonation attributes associated with an impersonator.
The access management server 50 may include a set of components that perform the authentication, authorization and impersonation processes. For example, the access management server 50 may include an authentication engine 52, an authorization engine 54, a policy manager 56, and an impersonation processor 58. Each of these may be implemented in hardware, software, or a combination thereof. For example, the impersonation processor 58 may be a software application or module executed by one or more physical processors of the access management server 50.
The authentication engine 52 may be configured to authenticate a user by comparing one or more user-provided credentials with stored user credentials. As described above, credentials may be stored in the default identity store 16 and/or the identity store 22. In some embodiments, at least some authentication processing is delegated to the identity authentication system 12, e.g., authentication of a user whose information is stored in the identity store 22. In that case the authentication engine 52 sends an authentication request to the identity authentication system 12, which verifies the one or more user-supplied credentials and sends a response back to the authentication engine 52 indicating whether the user has been successfully authenticated. Although the access management server 50 does not perform the authentication itself here, it remains the entity responsible for protecting resources from the perspective of the web portal 14.
In some embodiments, when access management system 13 receives a request (e.g., an impersonation request) that requires authentication, access management server 50 may delegate authentication to identity authentication system 12. The identity authentication system 12 may generate a login screen through which the user submits one or more credentials, authenticate the user based on those credentials, and send the user's attributes to access management server 50. The identity authentication system 12 may send the user attributes without sending the user's credentials. In this manner, access management server 50 can determine which permissions the user has for accessing resources while never holding the user's credentials (e.g., the user's password).
Authorization engine 54 may be configured to perform authorization, including, for example, looking up the authorization policy applicable to the requested resource and determining whether that policy allows the user to access the requested resource. Authorization engine 54 may also be configured to initiate an impersonation session in response to receiving an indication from impersonation processor 58 that the requirements for initiating an impersonation session have been met. Authorization engine 54 may be responsible for switching the user associated with the current session. In particular, the current session may be a session established by the impersonator. To initiate an impersonation session, authorization engine 54 may switch the user associated with the current session to the impersonated user. This enables the impersonator to assume the identity of the impersonated user during the session.
Policy manager 56 may be configured to manage a set of policies that control access to resources within the digital information system 10. For example, policy manager 56 may access various security-related policies, such as authentication policies, authorization policies, consent policies and impersonation policies. A consent policy may specify which types of information are presented to the requesting user when that user is asked to consent to starting an impersonation session. For example, the consent policy may specify that a particular consent page be displayed to the user to confirm the user's intent to initiate an impersonation session. An impersonation policy may be used to determine which authentication system is used to authenticate the user. In embodiments with multiple authentication systems, a separate impersonation policy may be defined for each authentication system. The impersonation policy can also specify the type of authentication required for an impersonation request.
The impersonation processor 58 can be configured to communicate, according to the impersonation policy, with the particular identity authentication system 12 associated with the impersonation process. For example, impersonation processor 58 can request impersonation attributes from identity authentication system 12 and process them to configure an impersonation session. The impersonation processor 58 may also be configured to process the consent policy, for example by presenting a consent page that asks the user to confirm that an impersonation session should be initiated.
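The impersonation flow described in the preceding paragraphs (session creation with a session ID and validity period, the impersonation attributes held in the identity store, the consent check, and the authorization engine switching the user associated with the session) as one added Python example. This is illustrative code written for this page, not the patent's implementation; every name, field and sample user in it is an assumption.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class PolicyDenied(Exception):
    """Raised when an impersonation, consent or session check refuses a request."""


@dataclass
class ImpersonationAttributes:
    """Impersonation attributes kept with a user record in the identity store (field names assumed)."""
    impersonable: bool = False                                    # may this user be impersonated at all
    allowed_impersonators: set[str] = field(default_factory=set)  # who may impersonate this user
    window: tuple[datetime, datetime] | None = None               # [start, end) in which it is permitted
    allowed_resources: set[str] = field(default_factory=set)      # resources reachable while impersonated


@dataclass
class Session:
    """Session information held by the access management server."""
    session_id: str
    user: str                                  # identity the session currently acts as
    expires_at: datetime                       # end of the session validity period
    impersonator: str | None = None            # authenticated user behind an impersonation session (audit)
    allowed_resources: set[str] | None = None  # None: ordinary authorization policy applies


def create_session(user: str, now: datetime, validity: timedelta = timedelta(hours=8)) -> Session:
    """Session creation after successful authentication: random session ID plus validity period."""
    return Session(session_id=secrets.token_urlsafe(32), user=user, expires_at=now + validity)


def check_impersonation_attributes(store, impersonator, target, now) -> ImpersonationAttributes:
    """Impersonation processor: evaluate the target's impersonation attributes for this requester."""
    attrs = store.get(target)
    if attrs is None or not attrs.impersonable:
        raise PolicyDenied(f"{target} may not be impersonated")
    if impersonator not in attrs.allowed_impersonators:
        raise PolicyDenied(f"{impersonator} is not permitted to impersonate {target}")
    if attrs.window is not None and not (attrs.window[0] <= now < attrs.window[1]):
        raise PolicyDenied("outside the permitted impersonation window")
    return attrs


def start_impersonation(session, store, target, now, consent_confirmed) -> Session:
    """Authorization engine: switch the user associated with the session to the impersonated user."""
    if now >= session.expires_at:
        raise PolicyDenied("session expired")
    if session.impersonator is not None:
        raise PolicyDenied("an impersonation session may not start another impersonation")
    if not consent_confirmed:
        raise PolicyDenied("consent page was not confirmed")
    attrs = check_impersonation_attributes(store, session.user, target, now)
    expires_at = session.expires_at
    if attrs.window is not None:
        expires_at = min(expires_at, attrs.window[1])  # never outlive the permitted window
    # Issuing a fresh session ID on the switch is a hardening choice added here; the description
    # only says the user associated with the session is switched.
    return Session(session_id=secrets.token_urlsafe(32), user=target, expires_at=expires_at,
                   impersonator=session.user, allowed_resources=set(attrs.allowed_resources))


def authorize(session, resource, policy, now) -> bool:
    """Authorization engine: look up the resource's policy, then apply the impersonation limits."""
    if now >= session.expires_at:
        return False
    if session.user not in policy.get(resource, set()):
        return False
    if session.impersonator is not None and resource not in (session.allowed_resources or set()):
        return False
    return True


# Constructed sample data (not from the page): an advisor may act as student42 for
# two hours, and only to view the transcript resource.
NOW = datetime(2020, 4, 29, 9, 0, tzinfo=timezone.utc)
IDENTITY_STORE = {
    "student42": ImpersonationAttributes(
        impersonable=True,
        allowed_impersonators={"advisor01"},
        window=(NOW - timedelta(hours=1), NOW + timedelta(hours=2)),
        allowed_resources={"/records/transcript"},
    ),
    "advisor01": ImpersonationAttributes(),  # advisors themselves may not be impersonated
}
AUTHZ_POLICY = {
    "/records/transcript": {"student42", "advisor01"},
    "/records/medical": {"student42"},
    "/admin/grades": {"advisor01"},
}


def demo() -> dict[str, bool]:
    """Run one impersonation session through the checks; every value should be True."""
    advisor = create_session("advisor01", NOW)
    acting = start_impersonation(advisor, IDENTITY_STORE, "student42", NOW, consent_confirmed=True)
    return {
        "transcript_allowed": authorize(acting, "/records/transcript", AUTHZ_POLICY, NOW),
        "medical_blocked": not authorize(acting, "/records/medical", AUTHZ_POLICY, NOW),
        "own_rights_dropped": not authorize(acting, "/admin/grades", AUTHZ_POLICY, NOW),
        "expiry_capped_by_window": acting.expires_at == NOW + timedelta(hours=2),
        "audit_keeps_impersonator": acting.impersonator == "advisor01",
    }
```

Note that the impersonation session drops the impersonator's own rights and only keeps the resources the impersonation attributes list, while the original identity stays recorded on the session for audit.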
The identity authentication system 12, which is responsible for authenticating the user, further includes a custody service part 31, a receiving service part 32, a certification service part 33, an information database 34 and an original/certificate storage part 35.
The custody service part 31 receives the electronic documents uploaded from the client device 11 and registers, stores, hands over and disposes of them. The custody service part 31 mainly performs the following functions: determining whether the client has the authority to register and, if not, restricting the user's registration; notifying the client when registration succeeds; checking the uploaded electronic file for viruses and syntax errors; classifying and storing the file according to its attribute information; confirming the retention period during the handover process; and deleting the uploaded file when its retention period ends.
The receiving service part 32 is connected to the custody service part 31. It receives and confirms the electronic documents held in the custody service part 31, manages their status and history, prevents forgery and repudiation, and links to other custody facilities and circulates the documents at handover. The receiving service part 32 mainly performs the following function: the electronic file received from the custody service part 31 is confirmed, converted, and output as a certificate file that includes an electronic signature, a high-density two-dimensional barcode and a copy-prevention mark.
The certification service part 33 is connected to the receiving service part 32 and performs certification, issuance/reissuance, certification information management and certificate validity verification for the certificate files output by the receiving service part 32. The certification service part 33 mainly performs the following function: when an electronic file is issued to a third party, a certificate file carrying the user's education history information is provided.
The information database 34 stores the information required by the identity authentication system 12.
The original/certificate storage part 35 holds the original and the certificate of each electronic file received by the identity authentication system 12 from the client device 11.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (5)

1. A campus digital information system, characterized in that: it comprises one or more client devices, one or more data centers, an identity authentication system, and an access management system, communicatively coupled to each other via a communication network; a client device is used by a user to initiate an access request and/or an impersonation request for one or more resources in the digital information system, the resources being distributed across one or more data centers;
the access management system comprises an access management server that performs authentication and authorization for access requests and/or impersonation requests and is configured to authenticate a user by comparing credentials provided by one or more users with user information stored in a data store; the access management server includes one or more of an authentication engine, an authorization engine, a policy manager, and an impersonation processor; the access management server is communicatively coupled to a network portal configured to intercept requests from client devices and redirect them to the access management server for processing;
the authentication engine is configured to authenticate the user by comparing one or more user-provided credentials with stored user credentials; the authorization engine is configured to perform authorization; the policy manager is configured to manage a set of policies that control access to resources within the digital information system; the impersonation processor is configured to communicate, according to the impersonation policy, with the particular identity authentication system associated with the impersonation process;
the identity authentication system operates one or more identity stores to perform the comparison of user credentials, the identity stores holding user information for the client devices, including the information used to authenticate users; the identity authentication system comprises a custody service part, a receiving service part, a certification service part, an information database and an original/certificate storage part;
the custody service part receives the electronic files uploaded by the user from the client device and performs registration, storage, handover and disposal processing; the receiving service part is connected to the custody service part and receives and confirms the electronic files held in the custody service part, manages their state/history, prevents forgery/repudiation, and links and circulates the electronic files at handover; the certification service part is connected to the receiving service part and certifies, issues/reissues and manages certification information for the files output by the receiving service part and verifies the validity of certificates; the information database stores the information required by the identity authentication system; the original/certificate storage part holds the original and the certificate of each electronic file received by the identity authentication system from the client device.
2. The campus digital information system as claimed in claim 1, wherein: the access request and/or the impersonation request is created in response to a user's explicit request for a particular resource, or through the user's interaction with an application on the client device.
3. The campus digital information system as claimed in claim 1, wherein: the access management server creates a session for the user in response to successful authentication based on credentials provided by one or more users; session creation includes generating session information, a session ID and a session validity period, and associating the session with the user.
4. The campus digital information system as claimed in claim 1, wherein: the user information in the identity store also includes impersonation attributes, including the time during which a particular user may be impersonated, which users may impersonate that user, the time during which the particular user may impersonate another user, and the resources accessed by the particular user during an impersonation session.
5. The campus digital information system as claimed in claim 1, wherein: the authorization engine is configured to perform authorization, including looking up the authorization policy applicable to the requested resource and determining whether that policy allows the user to access the requested resource.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010355285.6A CN111294364B (en) 2020-04-29 2020-04-29 Campus digital information system

Publications (2)

Publication Number Publication Date
CN111294364A CN111294364A (en) 2020-06-16
CN111294364B (en) 2020-07-24

Family

ID=71027658

Country Status (1)

Country Link
CN (1) CN111294364B (en)

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050165797A1 (en) * 2004-01-16 2005-07-28 Girish Nair Profile verification system
CN102143178A (en) * 2011-03-30 2011-08-03 天津大学 Network teaching management system
WO2013025428A2 (en) * 2011-08-12 2013-02-21 School Improvement Network, Llc Prescription of electronic resources based on observational assessments
CN103810549A (en) * 2012-11-08 2014-05-21 无锡津天阳激光电子有限公司 Internet of Things intelligent campus
CN103400067B (en) * 2013-03-29 2016-08-10 青岛海信电器股份有限公司 Right management method, system and server
CN103810530A (en) * 2014-03-11 2014-05-21 邓鸣凤 Digital campus scheme
CN104240035A (en) * 2014-09-25 2014-12-24 重庆文润科技有限公司 Digitalized campus cloud platform
CN110223031A (en) * 2019-05-13 2019-09-10 安徽澳视科技有限公司 A kind of high-adaptability Digital Campus platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant