CN117056898A - Unified identity authentication system based on containerization platform - Google Patents

Unified identity authentication system based on containerization platform

Info

Publication number
CN117056898A
Authority
CN
China
Prior art keywords
management
application
authentication
unit
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311014706.9A
Other languages
Chinese (zh)
Inventor
白洋
李萌
王凯团
张家鸣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Coal Industry Group Information Technology Co ltd
Original Assignee
China Coal Industry Group Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2023-08-11
Filing date
2023-08-11
Publication date
2023-11-14
2023-08-11 Application filed by China Coal Industry Group Information Technology Co ltd
2023-08-11 Priority to CN202311014706.9A
2023-11-14 Publication of CN117056898A

Classifications

    • G06F21/45 Structures or tools for the administration of authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints (under G06F21/31 User authentication; G06F21/30; G06F21/00; G06F; G06; G)
    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/45533 Hypervisors, virtual machine monitors; G06F9/455 Emulation, interpretation, software simulation, e.g. virtualisation or emulation of application or operating system execution engines; G06F9/44 Arrangements for executing specific programs; G06F9/06 Arrangements for program control using stored programs; G06F9/00 Arrangements for program control, e.g. control units; G06F; G06; G)

Abstract

The invention provides a unified identity authentication system based on a containerized platform. It builds system management to provide a permission system, workflow, task management, log management and similar functions; application management to provide third-party application management, application permission management, authorization-mode management and similar functions; and unified authentication management to provide account management, authentication management, session management and similar functions. A user logs in to the unified identity authentication system once and can then access every business system within their permitted scope without entering a user name and password again, which improves the user experience and the security and stability of the business systems. Applied in an enterprise, the invention reduces management and maintenance cost and raises the technical level of software system security construction.

Description

Unified identity authentication system based on containerization platform
Technical Field
The invention relates to the technical field of system management, in particular to a unified identity authentication system based on a containerized platform.
Background
Unified identity authentication is an important component of enterprise software system security construction. It provides important support for improving user experience, improving security, reducing maintenance cost, integrating business and sharing data, and meeting future development demands.

Improved user experience: in conventional systems a user must authenticate separately to each application and must remember and manage multiple user names and passwords. This makes login inconvenient and tedious and lowers the user experience.

Improved security: in conventional systems each application has its own authentication mechanism, so security is difficult to guarantee. Users may choose weak passwords or reuse the same password across multiple applications, which increases the risk of attack.

Reduced management and maintenance cost: in conventional systems the authentication of each application must be built and maintained independently. This increases management complexity and requires more effort and resources.

Business integration and data sharing: a unified identity authentication system enables integration and data sharing among different business systems. A user logs in once and can access multiple business systems, which facilitates cross-system business flows and information sharing.

Future development demands: as enterprises and their business grow, more applications and users must be supported. Traditional authentication methods can no longer meet the increasing demands, whereas a unified identity authentication system provides the scalability and flexibility to adapt to future requirements.
Disclosure of Invention
The invention provides a unified identity authentication system based on a containerized platform, which aims to provide safe and reliable identity authentication service for enterprises and users.
Therefore, the present invention aims to provide a unified identity authentication system based on a containerized platform, comprising:
the system management module is used for managing the system authority, workflow, tasks and logs of the unified identity authentication platform;
the application management module is used for managing the application, the application authority and the application authorization mode of the unified identity authentication platform;
and the unified authentication management module is used for managing the accounts, account associations and sessions of the unified identity authentication platform.
Wherein, the system management module includes:
the authority system unit is used for realizing system functions of creating a user, creating a menu, creating a role and a data dictionary;
the workflow unit is used for realizing the function of the custom flow of the approval flow;
the task management unit is used for realizing the functions of real-time tasks and timing tasks;
and the log management unit is used for realizing the functions of system log, exception log and operation log.
Wherein the application management module comprises:
the application management unit is used for managing the third party application, including adding, deleting and displaying the third party application and uploading application icons corresponding to the third party application;
the application authority unit is used for completing third-party application authority management according to the binding of the user roles and the application;
and the authorization mode unit is used for selecting different authorization modes according to the condition of the third party service system to finish the authorization management of the third party system.
Wherein, unified authentication management module includes:
the account unit is used for managing third-party application accounts through add/delete operations, import/export and API interfaces;
the authentication unit is used for establishing an association among the single sign-on account, the application system and the third-party account, so as to bind the accounts;
and the session unit is used for showing the access time and access mode of each single sign-on account and supporting one-click kick-out (forced termination of a session).
The session unit's management of single sign-on accounts covers CAS, SAML, OAuth and OIDC.
After the user enters a user name and password and completes the login operation, the authentication unit receives the identity authentication information and, once it has been verified, returns a Token generated from the identity information and permission information. The client then presents the Token to the authentication unit of the unified identity authentication platform; once the Token is verified, the authentication unit returns the list of applications the user may access, which the client displays on its portal page.
When a user accesses an application, the application sends a request to the authentication unit to obtain an authorization code; the authentication unit redirects to the third-party application's redirect address; the third-party front end calls its back-end interface, and the third-party back end requests token information from the authentication unit; carrying that token information, the third-party back end requests the authentication unit again to obtain the user information held by the authentication unit, generates its own third-party application token from that user information and returns it to the third-party front end; the front end calls the back end to obtain the logged-in user interface; and the back end returns the logged-in user information and jumps to the access page.
The unified identity authentication system adopts a layered structure and comprises an infrastructure layer, a data access layer, a business logic layer, a service management layer, a gateway layer, a front-end service layer and a display layer; the system adopts containerized deployment and micro-service architecture to design, and splits each functional module into independent services including user service, role service, authority service, authentication service, application management service, authorization service, account service and audit service; wherein,
the infrastructure layer provides underlying support including operating systems, containerized environments, networks, storage, and computing resources;
the data access layer is responsible for interacting with the database and providing data reading and storing functions;
the business logic layer processes business logic, including account management, system authentication, application authorization and audit management;
the service management layer is responsible for rate limiting, circuit breaking and graceful degradation of the microservices, ensuring the high availability and performance of the system;
the gateway layer provides the external unified interface, performs routing and filtering of requests, and provides security authentication and access control functions;
the front-end service layer load-balances requests across service instances according to system load, improving system performance and scalability;
the display layer is responsible for displaying interfaces to users, including a user login interface, a unified portal interface and a unified identity authentication background management page.
The system further comprises a background management module, which includes:
the platform management unit, responsible for user registration, login and personal information, for creating and assigning user roles and setting permissions, and for creating, editing and deleting system menus;
the authentication management unit, responsible for the third-party applications in the system (creation, editing and deletion of applications), for user account information (creation, binding and unbinding of accounts), and for authorizing users, i.e. determining the resources and operations a user may access according to the user's account and application permissions;
and the audit management unit, responsible for recording login logs, operation logs and session information in the system and for monitoring and auditing.
Compared with the prior art, the unified identity authentication system based on a containerized platform provided by the invention builds system management to provide a permission system, workflow, task management, log management and similar functions; application management to provide third-party application management, application permission management, authorization-mode management and similar functions; and unified authentication management to provide account management, authentication management, session management and similar functions. A user logs in to the unified identity authentication system once and can then access every business system within their permitted scope without entering a user name and password again, which improves the user experience and the security and stability of the business systems. Applied in an enterprise, the invention reduces management and maintenance cost and raises the technical level of software system security construction.
Drawings
The foregoing and/or additional aspects and advantages of the invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
fig. 1 is a schematic structural diagram of a unified identity authentication system based on a containerized platform.
Fig. 2 is a schematic diagram of a system architecture of a unified identity authentication system based on a containerized platform according to the present invention.
Fig. 3 is a schematic diagram of an authentication flow of a unified authentication system based on a containerized platform.
Fig. 4 is a schematic flow chart of single sign-on in a unified identity authentication system based on a containerized platform.
Fig. 5 is a schematic diagram of a layered structure in a unified identity authentication system based on a containerized platform provided by the invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present invention and should not be construed as limiting the invention.
A unified identity authentication system based on a containerized platform according to an embodiment of the present invention is described below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a unified identity authentication system based on a containerized platform according to an embodiment of the present invention. Fig. 2 shows a system architecture diagram. The system comprises:
the system management module 110 is configured to manage system permissions, workflows, tasks and logs of the unified identity authentication platform;
the application management module 120 is configured to manage an application, an application authority, and an application authorization mode of the unified identity authentication platform;
the unified authentication management module 130 is configured to manage accounts, account associations, and sessions of the unified identity authentication platform.
Further, the system of the present invention further comprises:
data source management, including IoT device management, management of CSV, JSON, XML and other semi-structured data, and management of audio, video and other binary data;
data management, including database management, cache management and object storage management;
system management, including audit management, user management, system management, application management, authorization management and authentication management;
authentication management, including SMS, face and fingerprint authentication management;
and single sign-on management, including CAS, SAML, OAuth and OIDC management.
Wherein the system management module 110 includes:
a rights system unit 111 for implementing the system functions of creating users, menus, roles and data dictionaries;
a workflow unit 112, configured to implement a function of a custom procedure of the approval procedure;
a task management unit 113 for implementing functions of real-time tasks and timing tasks;
the log management unit 114 is configured to implement functions of a system log, an exception log, and an operation log.
Wherein the application management module 120 includes:
an application management unit 121, configured to manage third party applications, including adding, deleting, displaying, and uploading application icons corresponding to the third party applications;
an application authority unit 122, configured to complete third party application authority management according to binding of the user role and the application;
and the authorization mode unit 123 is configured to select different authorization modes according to the situation of the third party service system, so as to complete authorization management of the third party system.
Wherein, the unified authentication management module 130 includes:
an account unit 131, configured to manage third-party application accounts through add/delete operations, import/export and API interfaces;
the authentication unit 132, configured to establish an association among the single sign-on account, the application system and the third-party account, so as to bind the accounts;
the session unit 133, configured to display the access time and access mode of each single sign-on account and to support one-click kick-out (forced termination of a session).
The user logs in to the unified identity authentication platform; the identity authentication flow is shown in Fig. 3. After the user enters a user name and password and completes the login operation, the authentication unit receives the identity authentication information and, once it has been verified, returns a Token generated from the identity information and permission information. The client then presents the Token to the authentication unit of the unified identity authentication platform; once the Token is verified, the authentication unit returns the list of applications the user may access, which the client displays on its portal page.
The user clicks a third-party system in the application center of the portal page; the single sign-on flow is shown in Fig. 4. When the user accesses the application, the application sends a request to the authentication unit 132 to obtain an authorization code; the authentication unit 132 redirects to the third-party application's redirect address; the third-party front end calls its back-end interface, and the third-party back end requests token information from the authentication unit 132; carrying that token information, the third-party back end requests the authentication unit 132 again to obtain the user information held by the authentication unit 132, generates its own third-party application token from that user information and returns it to the third-party front end; the front end calls the back end to obtain the logged-in user interface; and the back end returns the logged-in user information and jumps to the access page.
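The login flow of Fig. 3 (password check, Token, application list) and the single sign-on flow of Fig. 4 (authorization code, back-channel token exchange, user-info lookup, third-party application token), together with the session unit's one-click kick-out, as an added Python example that is not part of the patent. The checks it carries beyond what the text states are standard practice for an authorization-code exchange, not steps the patent describes: the code is single-use, short-lived and bound to the client id and an exact-match redirect URI; the back channel requires the client secret; user info is released only to the audience the access token was minted for; and every token check also requires the session to still exist, which is what makes kick-out effective against already-issued tokens. The HMAC token format, key material, user names, roles, client ids, secrets and URLs are all hypothetical.

```python
# Added example, not the patent's code: every key, user, role, client id, secret and URL is hypothetical.
import base64, hashlib, hmac, json, secrets

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def sign_token(payload, key):
    """HMAC-SHA256 over a base64url JSON body: a minimal JWS-style token."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_token(token, key, now):
    """Payload only if the MAC matches (constant-time compare) and 'exp' lies in the future."""
    body, _, mac = token.partition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not mac or not hmac.compare_digest(good, _unb64(mac)):
        return None
    payload = json.loads(_unb64(body))
    return payload if payload.get("exp", 0) > now else None

class AuthenticationUnit:  # authentication unit + session unit + application authority unit
    TOKEN_TTL, CODE_TTL, ACCESS_TTL = 3600, 60, 300

    def __init__(self):
        self.key = secrets.token_bytes(32)  # platform signing key
        self.users, self.apps, self.app_roles = {}, {}, {}
        self.sessions = {}  # sid -> {"sub", "mode", "login_at"}: what the session unit displays
        self.codes = {}     # code -> {"sid", "client_id", "exp"}

    def add_user(self, name, password, roles):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _pw_hash(password, salt), set(roles))

    def register_app(self, client_id, secret, redirect_uri, roles):
        self.apps[client_id] = (secret, redirect_uri)  # application management unit
        self.app_roles[client_id] = set(roles)         # application authority unit: role-to-app binding

    def login(self, name, password, now, mode="password"):
        """Fig. 3: verify the password, open a session and return the platform Token."""
        salt, pw_hash, roles = self.users.get(name, (b"", b"", set()))
        # Hash even for unknown users so response time does not reveal which names exist.
        if not hmac.compare_digest(pw_hash, _pw_hash(password, salt)) or not salt:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"sub": name, "mode": mode, "login_at": now}
        return sign_token({"sub": name, "sid": sid, "roles": sorted(roles), "exp": now + self.TOKEN_TTL}, self.key)

    def _session(self, token, now):
        p = verify_token(token, self.key, now)  # a valid signature is not enough:
        return p if p and p.get("sid") in self.sessions else None  # the session must still exist

    def app_list(self, token, now):
        """Fig. 3: the portal lists only the apps whose bound roles the user holds."""
        p = self._session(token, now)
        return None if p is None else sorted(a for a, r in self.app_roles.items() if r & set(p.get("roles", [])))

    def authorize(self, token, client_id, redirect_uri, now):
        """Fig. 4 step 1: short-lived, single-use code bound to the client and its exact redirect URI."""
        p = self._session(token, now)
        if p is None or client_id not in self.app_list(token, now) or redirect_uri != self.apps[client_id][1]:
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"sid": p["sid"], "client_id": client_id, "exp": now + self.CODE_TTL}
        return code

    def token(self, code, client_id, client_secret, now):
        """Fig. 4 step 2: back-channel exchange; the code is consumed even when a check fails."""
        c, app = self.codes.pop(code, None), self.apps.get(client_id)
        if c is None or app is None or c["client_id"] != client_id or c["exp"] <= now:
            return None
        if not hmac.compare_digest(app[0], client_secret) or c["sid"] not in self.sessions:
            return None
        sub = self.sessions[c["sid"]]["sub"]
        return sign_token({"sub": sub, "sid": c["sid"], "aud": client_id, "exp": now + self.ACCESS_TTL}, self.key)

    def userinfo(self, access_token, client_id, now):
        """Fig. 4 step 3: user info only for the audience the access token was minted for."""
        p = self._session(access_token, now)
        if p is None or p.get("aud") != client_id:
            return None
        return {"sub": p["sub"], "roles": sorted(self.users[p["sub"]][2])}

    def kick(self, sid):
        """Session unit one-click kick-out: every token carrying this sid stops verifying."""
        return self.sessions.pop(sid, None) is not None

class ThirdPartyBackend:  # third-party application back end: exchanges the code, then mints its own token
    def __init__(self, auth, client_id, secret, redirect_uri):
        self.auth, self.client_id, self.secret, self.redirect_uri = auth, client_id, secret, redirect_uri
        self.key = secrets.token_bytes(32)  # the application's own signing key

    def complete_login(self, code, now):
        """Fig. 4 steps 2-4: code -> platform access token -> user info -> application token."""
        access = self.auth.token(code, self.client_id, self.secret, now)
        info = access and self.auth.userinfo(access, self.client_id, now)
        return sign_token({**info, "iss": self.client_id, "exp": now + 1800}, self.key) if info else None
```

The third-party front end's part of Fig. 4 (receiving the code on the redirect and handing it to its back end) is the single call to `complete_login`; the browser leg, and the `state` and PKCE parameters a real OIDC/OAuth deployment would add to it, are outside this example. Note that the platform keeps session state server-side and consults it on every verification: a purely stateless token could not honour the session unit's kick-out until it expired.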
As shown in fig. 5, the unified identity authentication system adopts a layered structure, and comprises an infrastructure layer, a data access layer, a business logic layer, a service management layer, a gateway layer, a front-end service layer and a display layer; the system adopts containerized deployment and micro-service architecture to design, and splits each functional module into independent services including user service, role service, authority service, authentication service, application management service, authorization service, account service and audit service; wherein,
the infrastructure layer provides underlying support including operating systems, containerized environments, networks, storage, and computing resources;
the data access layer is responsible for interacting with the database and providing data reading and storing functions;
the business logic layer processes business logic, including account management, system authentication, application authorization and audit management;
the service management layer is responsible for rate limiting, circuit breaking and graceful degradation of the microservices, ensuring the high availability and performance of the system;
the gateway layer provides the external unified interface, performs routing and filtering of requests, and provides security authentication and access control functions;
the front-end service layer load-balances requests across service instances according to system load, improving system performance and scalability;
the display layer is responsible for displaying interfaces to users, including a user login interface, a unified portal interface and a unified identity authentication background management page.
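The service management layer's rate limiting, circuit breaking and degradation, placed at the gateway in front of the authentication service, as an added Python example that is not part of the patent. The token-bucket limits, breaker threshold and cooldown, HTTP-style status codes and client addresses are assumptions, and the authentication service is injected as a plain function so the example runs offline. Beyond what the passage states, the rate limit is keyed by source address, which also throttles password guessing against the login interface.

```python
# Added example, not the patent's code: service-management checks in front of an authentication
# service, with an injected clock so the behaviour is deterministic. Limits and IPs are hypothetical.
import collections

class TokenBucket:
    """Rate limiting ("current limiting"): `rate` requests per second, bursting up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class CircuitBreaker:
    """Circuit breaking ("fusing"): after `threshold` consecutive failures the backend is left alone
    for `cooldown` seconds and callers get the degraded fallback; then one trial call is let through."""
    def __init__(self, threshold, cooldown):
        self.threshold, self.cooldown, self.failures, self.opened_at = threshold, cooldown, 0, None

    def call(self, fn, now, fallback):
        if self.opened_at is not None:
            if now - self.opened_at < self.cooldown:
                return fallback()      # open: backend untouched, degraded answer
            self.opened_at = None      # half-open: allow one trial call
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = now
            return fallback()
        self.failures = 0              # any answer, including a rejected password, means the backend is up
        return result

class Gateway:
    """Gateway layer: per-source rate limit, then the breaker-protected authentication service.
    `auth_service(username, password)` returns a token string, None for bad credentials, or raises."""
    def __init__(self, auth_service, rate=5, burst=10, threshold=3, cooldown=30):
        self.auth_service = auth_service
        self.buckets = collections.defaultdict(lambda: TokenBucket(rate, burst))
        self.breaker = CircuitBreaker(threshold, cooldown)

    def login(self, client_ip, username, password, now):
        if not self.buckets[client_ip].allow(now):
            return {"status": 429, "error": "rate limited"}  # also throttles password guessing per source
        degraded = lambda: {"status": 503, "error": "authentication service degraded"}
        outcome = self.breaker.call(lambda: self.auth_service(username, password), now, degraded)
        if isinstance(outcome, dict):
            return outcome
        return {"status": 200, "token": outcome} if outcome else {"status": 401, "error": "bad credentials"}
```

A rejected password is a healthy answer from the backend and does not count toward the breaker; only exceptions (timeouts, a database that is down) do. While the breaker is open the authentication service receives no traffic at all, which is the degradation the passage refers to: the gateway answers on its behalf until the cooldown has elapsed.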
The system further comprises a background management module, which includes:
the platform management unit, responsible for user registration, login and personal information, for creating and assigning user roles and setting permissions, and for creating, editing and deleting system menus;
the authentication management unit, responsible for the third-party applications in the system (creation, editing and deletion of applications), for user account information (creation, binding and unbinding of accounts), and for authorizing users, i.e. determining the resources and operations a user may access according to the user's account and application permissions;
and the audit management unit, responsible for recording login logs, operation logs and session information in the system and for monitoring and auditing.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and additional implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order from that shown or discussed, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present invention.

Claims (9)

1. A unified identity authentication system based on a containerized platform, comprising:
the system management module is used for managing the system authority, workflow, tasks and logs of the unified identity authentication platform;
the application management module is used for managing the application, the application authority and the application authorization mode of the unified identity authentication platform;
and the unified authentication management module is used for managing the accounts, account associations and sessions of the unified identity authentication platform.
2. The containerized platform-based unified identity authentication system of claim 1, wherein the system management module comprises:
the authority system unit is used for realizing system functions of creating a user, creating a menu, creating a role and a data dictionary;
the workflow unit is used for realizing the function of the custom flow of the approval flow;
the task management unit is used for realizing the functions of real-time tasks and timing tasks;
and the log management unit is used for realizing the functions of system log, exception log and operation log.
3. The containerized platform-based unified identity authentication system of claim 1, wherein the application management module comprises:
the application management unit is used for managing the third party application, including adding, deleting and displaying the third party application and uploading application icons corresponding to the third party application;
the application authority unit is used for completing third-party application authority management according to the binding of the user roles and the application;
and the authorization mode unit is used for selecting different authorization modes according to the condition of the third party service system to finish the authorization management of the third party system.
4. A containerized platform-based unified identity authentication system of claim 3, wherein the unified authentication management module comprises:
the account unit is used for managing third-party application accounts through add/delete operations, import/export and API interfaces;
the authentication unit is used for establishing an association among the single sign-on account, the application system and the third-party account, so as to bind the accounts;
and the session unit is used for showing the access time and access mode of each single sign-on account and supporting one-click kick-out (forced termination of a session).
5. The containerized platform-based unified identity authentication system of claim 4, wherein the session unit's management of single sign-on accounts comprises CAS management, SAML management, OAuth management and OIDC management.
6. The containerized platform-based unified identity authentication system of claim 4, wherein, after the user enters a user name and password and completes the login operation, the authentication unit receives the identity authentication information and, once it has been verified, returns a Token generated from the identity information and permission information; the client then presents the Token to the authentication unit of the unified identity authentication platform, which, once the Token is verified, returns the list of applications the user may access, and the client displays that list on its portal page.
7. The containerized platform-based unified identity authentication system of claim 6, wherein, when the user accesses an application, the application sends a request to the authentication unit to obtain an authorization code; the authentication unit redirects to the third-party application's redirect address; the third-party front end calls its back-end interface, and the third-party back end requests token information from the authentication unit; carrying that token information, the third-party back end requests the authentication unit again to obtain the user information held by the authentication unit, generates its own third-party application token from that user information and returns it to the third-party front end; the front end calls the back end to obtain the logged-in user interface; and the back end returns the logged-in user information and jumps to the access page.
8. The unified identity authentication system based on the containerized platform according to claim 1, wherein the unified identity authentication system adopts a layered structure, and comprises an infrastructure layer, a data access layer, a business logic layer, a service management layer, a gateway layer, a front-end service layer and a display layer; the system adopts containerized deployment and micro-service architecture to design, and splits each functional module into independent services including user service, role service, authority service, authentication service, application management service, authorization service, account service and audit service; wherein,
the infrastructure layer provides underlying support including operating systems, containerized environments, networks, storage and computing resources;
the data access layer is responsible for interacting with the database and providing data reading and storing functions;
the business logic layer processes business logic, including account management, system authentication, application authorization and audit management;
the service management layer is responsible for rate limiting, circuit breaking and graceful degradation of the microservices, ensuring the high availability and performance of the system;
the gateway layer provides the external unified interface, performs routing and filtering of requests, and provides security authentication and access control functions;
the front-end service layer load-balances requests across service instances according to system load, improving system performance and scalability;
the display layer is responsible for displaying interfaces to users, including a user login interface, a unified portal interface and a unified identity authentication background management page.
9. The unified identity authentication system based on the containerized platform according to claim 1, further comprising a background management module, the background management module comprising:
the platform management unit, which is responsible for user registration, login and personal information, for the creation and assignment of user roles and the setting of permissions, and for the creation, editing and deletion of system menus;
the authentication management unit, which is responsible for the third-party applications in the system, including the creation, editing and deletion of applications; for the user's account information, including the creation, binding and unbinding of accounts; and for authorizing the user, determining the resources and operations the user may access according to the user's account and application permissions;
and the audit management unit, which records the login logs, operation logs and session information in the system for monitoring and auditing.
CN202311014706.9A 2023-08-11 2023-08-11 Unified identity authentication system based on containerization platform Pending CN117056898A (en)

Publications (1)

Publication Number Publication Date
CN117056898A (en) 2023-11-14

Family

ID=88661999

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination