CN117459245A - Method, device and system for accessing identity data - Google Patents


Info

Publication number
CN117459245A
Authority
CN
China
Prior art keywords
user
cloud
server
iam
network endpoint
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311134138.6A
Other languages
Chinese (zh)
Inventor
欧阳志凡
蒋海滔
龙秋玲
杨李贝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Alibaba Cloud Feitian Information Technology Co ltd
Original Assignee
Hangzhou Alibaba Cloud Feitian Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application disclose a method, a device and a system for accessing identity data. The method applies to a cloud IAM (Identity and Access Management) server in a cloud system that comprises an IAM VPC (Virtual Private Cloud) and a user VPC, the cloud IAM server being located in the IAM VPC. The method comprises: the cloud IAM server obtains network endpoint configuration information from a user; according to that configuration information it configures, on the user VPC corresponding to the user, a network endpoint bound to the cloud IAM server; and, using the network endpoint, it accesses the user's local identity management server through the user's private network and acquires the target identity data. With this method the local identity management server does not need to expose a public IP address; the cloud IAM server obtains the identity data through the user's private network, which greatly improves the security of identity data transmission.

Description

Method, device and system for accessing identity data
Technical Field
The present disclosure relates to the field of cloud services, and in particular, to a method, an apparatus, and a system for accessing identity data.
Background
With the development of cloud computing and the growing management demands of enterprises, unified cloud identity data management services (cloud identity management services for short) have emerged, for example EIAM (Enterprise Identity & Access Management) services and CIAM (Customer Identity & Access Management) services. A cloud identity management service manages a user's identity data centrally, helps integrate the identity data of the user's systems deployed on the cloud, and lets one account access multiple applications.
The cloud IAM (Identity & Access Management) server needs to access the local identity management server on the user side and acquire identity data from it. Identity data has high security requirements, so how to ensure the security of identity data transmission while the cloud IAM server acquires it from the user's local identity management server is a problem that urgently needs solving.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus and a system for accessing identity data, so as to improve the security of accessing identity data.
The application provides the following scheme:
In a first aspect, a method for accessing identity data is provided. It is applied to a cloud IAM (Identity and Access Management) server of a cloud system, where the cloud system comprises an IAM VPC (Virtual Private Cloud) and a user VPC and the cloud IAM server is located in the IAM VPC. The method comprises:
the cloud IAM server obtaining network endpoint configuration information from a user;
configuring, on the user VPC corresponding to the user and according to the network endpoint configuration information, a network endpoint bound to the cloud IAM server; and
using the network endpoint to access the user's local identity management server through the user's private network and acquire target identity data.
In one implementation of the embodiments of this application, the network endpoint is a virtual network card created by the cloud IAM server under a virtual switch of the user VPC.
In one implementation, obtaining the network endpoint configuration information from the user comprises:
providing a network endpoint configuration page to the user;
if the cloud system has already created a network endpoint for the user, offering that network endpoint on the network endpoint configuration page for the user to select; and
acquiring the address of the user's local identity management server and the selected network endpoint, as entered by the user on the network endpoint configuration page.
In one implementation, before the network endpoint configuration page is provided to the user, or when an event of creating a network endpoint, triggered by the user through the network endpoint configuration page, is received, the method further comprises:
providing a network endpoint creation page to the user;
acquiring the identification information of the network endpoint, the virtual switch information of the user VPC and the private network information of the user, as entered by the user on the network endpoint creation page; and
creating, according to the virtual switch information and the user's private network information, a virtual network card bound to the cloud IAM server as the network endpoint under the virtual switch of the user VPC in the corresponding private network.
In one implementation, the virtual network card comprises an Elastic Network Interface (ENI) bound to an Elastic Compute Service (ECS) instance of the cloud IAM server, and that ECS instance accesses the user's local identity management server through the user's private network and obtains the target identity data.
In one implementation, using the network endpoint to access the user's local identity management server through the user's private network comprises one of the following:
if the user's local identity management server is located in the user VPC, the cloud IAM server accesses it through the user VPC using the network endpoint;
if the user's local identity management server is located in another VPC of the cloud system, other than the user VPC, the cloud IAM server accesses it using the network endpoint through a Cloud Enterprise Network (CEN) connecting the user VPC and that other VPC; or
if the user's local identity management server is located outside the cloud system, the cloud IAM server accesses it using the network endpoint through a dedicated connection between the user VPC and the local identity management server.
In one implementation, the method further comprises acquiring authentication information entered by the user on the network endpoint configuration page;
and obtaining the target identity data comprises: authenticating to the user's local identity management server with that authentication information, and acquiring the target identity data from it after authentication succeeds.
In one implementation, the cloud IAM server comprises an enterprise employee identity management (EIAM) server or a consumer identity management (CIAM) server;
and the user's local identity management server comprises a Lightweight Directory Access Protocol (LDAP) server.
In one implementation, the method further comprises:
the cloud IAM server providing the target identity data to a downstream application server, or providing a single sign-on service to the downstream application server using the target identity data.
In a second aspect, a device for accessing identity data is provided. The device is arranged at a cloud IAM server of a cloud system, where the cloud system comprises an IAM VPC and a user VPC and the cloud IAM server is located in the IAM VPC. The device comprises:
a configuration acquisition unit configured to acquire network endpoint configuration information from a user;
an endpoint configuration unit configured to configure, on the user VPC corresponding to the user and according to the network endpoint configuration information, a network endpoint bound to the cloud IAM server; and
a data synchronization unit configured to use the network endpoint to access the user's local identity management server through the user's private network and acquire target identity data.
In a third aspect, a cloud system is provided. The cloud system comprises an IAM VPC and a user VPC;
the cloud IAM server is located in the IAM VPC and is configured to: acquire network endpoint configuration information from a user; configure, on the user VPC corresponding to the user and according to that configuration information, a network endpoint bound to the cloud IAM server; and use the network endpoint to access the user's local identity management server through the user's private network and acquire target identity data.
In a fourth aspect, a system for accessing identity data is provided. The system comprises an IAM VPC, a user VPC and a user-side local identity management server;
the user-side local identity management server stores identity data;
the cloud IAM server is located in the IAM VPC and is configured to: acquire network endpoint configuration information from the user; configure, on the user VPC corresponding to the user and according to that configuration information, a network endpoint bound to the cloud IAM server; and use the network endpoint to access the user-side local identity management server through the user's private network and acquire target identity data;
the cloud IAM server and the user VPC are arranged in the same cloud system, and the user-side local identity management server is arranged in that cloud system or in another system outside it.
In a fifth aspect, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, performs the steps of the method of any implementation of the first aspect.
In a sixth aspect, an electronic device is provided, comprising:
one or more processors; and
a memory associated with the one or more processors, storing program instructions which, when read and executed by the one or more processors, perform the steps of the method of any implementation of the first aspect.
According to the specific embodiments provided by this application, the application achieves the following technical effects:
1) The cloud IAM server configures a network endpoint on the user's virtual private cloud according to the network endpoint configuration information received from the user, so that it can access the local identity management server over the user's private network and acquire the target identity data. The local identity management server therefore does not need to expose a public IP address; the cloud IAM server acquires the identity data through the user's private network, which greatly improves the security of identity data transmission.
2) With the user's authorization given through the network endpoint creation page, the cloud IAM server creates and holds a virtual network card at a virtual switch of the user VPC as the network endpoint. The endpoint is thus deployed automatically once the user authorizes it: the user neither has to download an additional connection component onto the local identity management server nor provide a server, which greatly simplifies the user's operation.
3) Because the network endpoint is created under the virtual switch of the user VPC and bound to the cloud IAM server, the user can configure it through the network endpoint configuration page to access local identity management servers, so that a single network endpoint can serve multiple local identity management servers of the user.
4) The method and device suit multiple deployment scenarios, such as the local identity management server and the network endpoint being in the same user VPC, in different user VPCs, or inside and outside the cloud system, and the identity data can be acquired through the user's private network in all of them.
Of course, not every advantage described above has to be achieved simultaneously by any one product practicing this application.
Drawings
To illustrate the embodiments of this application or the technical solutions of the prior art more clearly, the drawings needed for the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of this application; a person skilled in the art can obtain other drawings from them without inventive effort.
FIGS. 1a and 1b are schematic diagrams of two system configurations for accessing identity data in conventional implementations;
FIG. 2 is a flowchart of a method for accessing identity data according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a system structure for accessing identity data according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a network endpoint configuration page provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of a network endpoint creation page according to an embodiment of the present application;
FIG. 6 is a schematic diagram of another system architecture for accessing identity data according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a system for accessing identity data according to an embodiment of the present application;
FIG. 8 is a schematic block diagram of an apparatus for accessing identity data provided by an embodiment of the present application;
FIG. 9 is a schematic block diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application are within the scope of the protection of the present application.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein merely describes an association between the associated objects and covers three cases: for "A and/or B", A exists alone, A and B both exist, or B exists alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
Depending on the context, the word "if" as used herein may be read as "when", "upon", "in response to determining" or "in response to detecting". Similarly, the phrase "if it is determined" or "if (the stated condition or event) is detected" may be read as "when it is determined", "in response to determining", "when (the stated condition or event) is detected" or "in response to detecting (the stated condition or event)", depending on the context.
Conventional implementations for accessing identity data mainly take one of the following two forms:
In the first, the user's local identity management server exposes a public IP address, through which the cloud IAM server accesses it, as shown in FIG. 1a. Identity data, however, has high security requirements; transmitting it over the public network through an exposed public IP address clearly fails to meet users' security requirements and is not acceptable to them.
In the second, a designated connection component (Connector) has to be downloaded and installed on the user side, as shown in FIG. 1b. The Connector component is provided by the cloud IAM server; the user's local identity management server downloads and installs it and opens outbound public-network access for it. With the Connector as an intermediate bridge, a bidirectional channel is formed through which the cloud IAM server can access the user's local identity management server. Although this does not require the local identity management server to expose a public IP address, the connection component has to be downloaded and installed separately on the user side, and one connection component can serve only one local identity management server, so the operation is cumbersome.
In view of this, the present application proposes a new approach. FIG. 2 is a flowchart of a method for accessing identity data according to an embodiment of the present application; the method is performed by a cloud IAM server in a cloud system. As shown in FIG. 2, the method may comprise the following steps:
Step 202: the cloud IAM server obtains network endpoint configuration information from the user.
The cloud IAM server is a server that provides IAM services; it is deployed on the cloud and helps the user securely control access to identity data.
Step 204: according to the network endpoint configuration information, configure a network endpoint bound to the cloud IAM server on the user VPC (Virtual Private Cloud) corresponding to the user.
Step 206: using the network endpoint, access the user's local identity management server through the user's private network and acquire the target identity data.
In this flow, the cloud IAM server configures a network endpoint on the user's virtual private cloud according to the network endpoint configuration information received from the user, so that it can reach the local identity management server over the user's private network and obtain the target identity data. The local identity management server therefore does not need to expose a public IP address; the cloud IAM server obtains the identity data through the user's private network, which greatly improves the security of identity data transmission.
Each step of the above flow is described in detail below. As shown in FIG. 3, the flow applies to a cloud system comprising an IAM VPC and a user VPC. The figure shows one user VPC as an example; in practice, different users deploy their own user VPCs on the cloud. The cloud IAM server is located in the IAM VPC and is a virtual server.
Step 202, "the cloud IAM server obtains network endpoint configuration information from the user", is first described in connection with an embodiment.
The cloud IAM server may provide the user with a network endpoint configuration page. The user can open this page from any terminal device, log in with their account and configure the network endpoint.
As one possible approach, if the cloud system has already created a network endpoint for the user, that endpoint may be offered on the configuration page for selection. As shown in FIG. 4, after the user selects the "dedicated endpoint" option on the configuration page, the user's existing network endpoints are displayed in a drop-down box for selection, and the IP address of the network endpoint, for example the "dedicated private network exit IP" in the figure, may be selected at the same time. The network endpoint is bound to the IAM server, and its IP address is in fact the intranet IP address the IAM server uses when accessing the user's local identity management server, as described in detail below for the endpoint creation process.
On the same page the user can also enter the address of the local identity management server, for example in the input box labelled "server address" under the "server configuration" item in FIG. 4, so that the cloud IAM server can access it.
That is, through the network endpoint configuration page the cloud IAM server obtains the address of the user's local identity management server and the selected network endpoint as entered by the user. Accordingly, in step 204 the selected network endpoint is configured as the endpoint used to access the local identity management server at the address the user entered.
If the cloud system has not yet created a network endpoint for the user, the cloud IAM server may first provide a network endpoint creation page. Alternatively, a control for creating a network endpoint may be placed on the configuration page; when the user triggers it, the cloud IAM server receives the create-endpoint event triggered through the configuration page and provides the creation page to the user.
As shown in FIG. 5, the network endpoint creation page provides controls (input boxes, drop-down boxes and the like; FIG. 5 uses input boxes as an example) for entering the identification information of the network endpoint (a name in FIG. 5, though other identification such as a number may also be used), the user's private network information (for example "select private network" in FIG. 5) and the virtual switch information of the user VPC (for example "select switch" in FIG. 5). Because cloud systems usually span multiple regions, the creation page may also include a control for selecting the region. In this way the cloud IAM server acquires, through the creation page, the identification information of the network endpoint, the virtual switch information of the user VPC and the user's private network information.
The user clicks the "grant private access" control shown in FIG. 5 to confirm that creation of the network endpoint is authorized. The cloud IAM server can then create, according to the virtual switch information and the private network information, a virtual network card bound to the cloud IAM server under the virtual switch of the user VPC in the corresponding private network, and use it as the network endpoint. That is, with the user's authorization, the cloud IAM server creates and holds a virtual network card in the user VPC under the user's identity in order to access the user's local identity management server. As shown in FIG. 3, the virtual network card is created under the virtual switch of the user VPC, not on the user's local identity management server. Because the virtual network card is held by and bound to the cloud IAM server, the cloud IAM server can be regarded as a network entity inside the user VPC.
The virtual network card may be a network card implemented by virtualization, such as an ENI (Elastic Network Interface). An ENI is an elastic network interface that is bound to a cloud server in a private network; one cloud server can be bound to several ENIs. In the embodiment of this application, the ENI is bound during creation to an ECS (Elastic Compute Service) instance of the cloud IAM server. ECS is an IaaS (Infrastructure as a Service) level cloud computing service, and an ECS instance can be understood as a virtual ECS server built by the cloud and provided for use. In the embodiment, the ECS instance bound to the ENI accesses the user's local identity management server through the user's private network and acquires the target identity data.
The network endpoint configuration page may further include controls (not shown in FIG. 4) for entering the path information of the target identity data and authentication information, where the target identity data is the identity data to be synchronized to the cloud IAM server. Acquiring the target identity data requires authentication by the user's local identity management server, so authentication information must be entered; it may include a user name and password, as shown in FIG. 4. The cloud IAM server thus acquires the path information of the target identity data and the authentication information entered by the user on the network endpoint configuration page.
Besides the above, the network endpoint configuration information may be entered in other ways; for example, the cloud IAM server may provide the user with a configuration tool, and the user enters the network endpoint configuration information on the tool's interface.
Step 206, "using the network endpoint, access the user's local identity management server through the user's private network and acquire the target identity data", is described below in connection with an embodiment.
Because the user has authorized the cloud IAM server, through the endpoint creation process, to hold the network endpoint (the virtual network card), the cloud IAM server can be regarded as a network entity in the user VPC, so it effectively accesses the user's local identity management server through the user's private network. This covers, without limitation, the following scenarios:
First scenario: the user's local identity management server is in the user VPC, as shown in FIG. 3, where the network endpoint and the local identity management server are under the same user VPC; the cloud IAM server accesses the local identity management server directly through the user VPC.
Second scenario: the user's local identity management server is in a VPC of the cloud system other than the user VPC, that is, the network endpoint and the local identity management server are in different VPCs. As shown in FIG. 6, assume the network endpoint is in the user's first VPC and the local identity management server in the user's second VPC. The VPC holding the network endpoint and the VPC holding the local identity management server can communicate through a CEN (Cloud Enterprise Network), and the cloud IAM server accesses the local identity management server through the CEN using the network endpoint.
A CEN is a private network on the cloud that interconnects different VPCs. Under a CEN, traffic between VPCs flows over private interconnection services, which are used to build interconnection between an enterprise's multiple regions or services.
In this scenario, too, the cloud IAM server essentially accesses the user's local identity management server through the user's private network.
Third scenario: the user's local identity management server is outside the cloud system, for example in an off-cloud IDC (Internet Data Center) or another cloud system. As shown in FIG. 7, assume the local identity management server is in an off-cloud IDC; the user VPC and the user's IDC can communicate through a dedicated connection, for example a VPN (Virtual Private Network), and the cloud IAM server accesses the local identity management server through that dedicated connection using the network endpoint.
In this scenario, too, the cloud IAM server essentially accesses the user's local identity management server through the user's private network.
For security, the cloud IAM server generally has to authenticate to the local identity management server on the user side before it can acquire the target identity data. It can use the authentication information (for example an account and password) that the user entered earlier on the network endpoint configuration page to authenticate to the local identity management server, and it obtains the target identity data once authentication passes. Since this is a credential for the user's own directory, a practitioner would give it a read-only account scoped to the data to be synchronized and present it only over a TLS-protected session (LDAPS or StartTLS for an LDAP server): a plain LDAP simple bind carries the password in clear, even on the private network.
The local identity management server may hold one or many sets of identity data. The identity data to be synchronized to the cloud IAM server is called the target identity data, so on the network endpoint configuration page described earlier, or on another configuration page, the user can enter path information for the target identity data, and the cloud IAM server acquires the target identity data according to that path information.
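The following is an added example, not code from the patent or from Alibaba Cloud, that models the access-authentication step just described together with the three connectivity scenarios above: the values a user enters on the configuration page (server address, bind credential, path of the target identity data) are turned into the LDAP simple-bind and search request the synchronization job would send over the network endpoint, with the user-typed path values escaped so they cannot rewrite the search filter, and with the server address checked to be on a private network. The configuration keys, the scenario labels, the `tls` flag and the sample values are assumptions for illustration; no network I/O is performed.

```python
"""Added example (not from the patent): assembling the bind + search of step 206
from configuration-page input, offline.  Keys and sample values are assumed."""
import ipaddress

# RFC 4515, section 3: characters that must be hex-escaped inside a filter
# assertion value.  Everything typed on the configuration page goes through
# this before it is placed in a filter; otherwise a value such as
# "*)(objectClass=*" would rewrite the filter and widen the synchronised set.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514, section 2.4: escape one attribute value used inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def is_private_target(address: str) -> bool:
    """The endpoint is an ENI in the user's VPC whose only job is to reach a
    directory on the user's private network.  Accept only private (RFC 1918 /
    ULA) unicast addresses, so a mistyped public address cannot turn the
    endpoint into a general egress path."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_private and not (ip.is_loopback or ip.is_link_local
                                  or ip.is_multicast or ip.is_unspecified)


def route_scenario(address: str, endpoint_vpc_cidr: str, other_vpc_cidrs) -> str:
    """Which of the three scenarios applies: directory in the VPC holding the
    endpoint, in another VPC reached over CEN, or outside the cloud system
    reached over the user's dedicated connection (labels are assumptions)."""
    ip = ipaddress.ip_address(address)
    if ip in ipaddress.ip_network(endpoint_vpc_cidr):
        return "user-vpc"
    if any(ip in ipaddress.ip_network(c) for c in other_vpc_cidrs):
        return "cen"
    return "dedicated-connection"


def build_sync_request(config: dict) -> dict:
    """Assemble the bind + search the synchronisation job sends to the directory."""
    if not is_private_target(config["server_address"]):
        raise ValueError("directory address must be on the user's private network")
    path = config["path"]
    base_dn = f"ou={escape_dn_value(path['ou'])},{path['base_dn']}"
    group = path.get("group")
    flt = (f"(&(objectClass=person)(memberOf={escape_filter_value(group)}))"
           if group else "(objectClass=person)")
    return {
        # Simple bind: send it only over LDAPS (636) or after StartTLS; the
        # password is otherwise on the wire in clear even inside the VPC.
        "bind": {"dn": config["bind_dn"], "password": config["password"], "tls": True},
        "search": {"base": base_dn, "scope": "subtree", "filter": flt,
                   "attributes": ["uid", "cn", "mail", "memberOf"]},
        "scenario": route_scenario(config["server_address"], config["endpoint_vpc_cidr"],
                                   config.get("other_vpc_cidrs", [])),
    }


# Constructed configuration, as a user might enter it on the configuration page.
SAMPLE_CONFIG = {
    "server_address": "10.20.30.40",
    "endpoint_vpc_cidr": "10.0.0.0/16",          # VPC that holds the network endpoint
    "other_vpc_cidrs": ["10.20.0.0/16"],         # the user's other VPCs behind CEN
    "bind_dn": "cn=cloud-sync,ou=service,dc=example,dc=com",
    "password": "constructed-secret",
    "path": {"base_dn": "dc=example,dc=com", "ou": "Sales, EMEA",
             "group": "cn=cloud-users,ou=groups,dc=example,dc=com"},
}

if __name__ == "__main__":
    print(build_sync_request(SAMPLE_CONFIG))
```

The two escape helpers are the part worth keeping: the "path information" from the configuration page ends up inside a DN and a filter, and a directory server happily honours whatever metacharacters arrive there.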
The user referred to in the above embodiments is generally an enterprise: the enterprise has a corresponding enterprise VPC deployed on the cloud, and with the approach provided by the embodiments a network endpoint bound to the cloud IAM server can be configured in that enterprise VPC, so that identity data belonging to the enterprise is synchronized from the local identity management server to the cloud IAM server.
Further, after step 206, having obtained the target identity data from the local identity management server on the user side, the cloud IAM server may provide it to a downstream application server, which uses it according to its actual needs, for example to update its own identity data with the target identity data, manage user identities, deliver personalized services based on the user identity data, push information, and so on.
Alternatively, after step 206, having obtained the target identity data from the local identity management server on the user side, the cloud IAM server may provide an SSO (Single Sign-On) service to the downstream application servers.
SSO means that, across several application services of the same enterprise, a user of those services logs in once and can then access all of them. The principle is as follows: a user accesses application service A for the first time and must log in; the server of application service A redirects the login to the cloud IAM server; the cloud IAM server verifies the user's login information against the identity data acquired through the embodiments of this application and, after successful verification, generates a Token that is shared among the application services; the cloud IAM server returns the Token to the server of application service A, which thereby knows that the user is logged in and returns the requested resource to the user; when the user then accesses application service B, application service B obtains the shared Token from the cloud IAM server, learns that the user is already logged in, and returns the requested resource directly, so the user does not have to log in again at application service B.
The redirection in the above SSO procedure can be implemented with Webhook technology. The cloud IAM server and the application servers follow the SCIM (System for Cross-domain Identity Management) protocol. SCIM lets an organization manage user identities and resource access rights across multiple systems or services; it is commonly used to automate the creation, update and deletion of user accounts and permissions and to keep them synchronized between different systems.
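The following is an added example, not code from the patent or from Alibaba Cloud, that plays out the SSO exchange just described with the three parties as functions: the cloud IAM server verifies the redirected login against the synchronized identity data and issues the shared Token, application service A learns from it that the user is logged in, and application service B accepts the same Token without a second login. The patent only says that a Token is generated after verification and shared among the application services; the token format (HMAC-SHA256 over a JSON payload, base64url encoded), the explicit audience list, the validity period and the sample identity data are assumptions for illustration, and the example runs offline.

```python
"""Added example (not from the patent): the SSO exchange with a signed,
audience-scoped Token.  Token format, TTL and sample users are assumptions."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

TOKEN_TTL = 600                     # seconds a Token stays valid (assumption)
SHARED_APPS = ("app-a", "app-b")    # application services that share the Token
_SALT = b"constructed-salt"


def _hash_pw(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000).hex()


# Constructed identity data, standing in for what step 206 synchronised from the
# user's directory.  Passwords are held salted and hashed, never in clear.
IDENTITY_DATA = {"alice": {"pw": _hash_pw("correct horse"), "active": True},
                 "bob":   {"pw": _hash_pw("hunter2"),       "active": False}}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CloudIAM:
    """The cloud IAM server's side of the exchange."""

    def __init__(self, key: bytes):
        self._key = key     # signing key known only to the IAM server

    def login(self, username: str, password: str, now: Optional[int] = None) -> Optional[str]:
        """Verify the redirected login against the synchronised identity data;
        on success generate the Token shared by all application services."""
        rec = IDENTITY_DATA.get(username)
        if rec is None or not rec["active"]:
            return None
        if not hmac.compare_digest(rec["pw"], _hash_pw(password)):
            return None
        now = int(time.time()) if now is None else now
        payload = {"sub": username, "aud": list(SHARED_APPS), "iat": now,
                   "exp": now + TOKEN_TTL, "jti": _b64u(os.urandom(8))}
        body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
        sig = _b64u(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def validate(self, token: str, app_id: str, now: Optional[int] = None) -> Optional[dict]:
        """Called by an application service: is this Token genuine, unexpired
        and meant for that application?  Any failure yields None."""
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64u(sig), expected):
                return None
            payload = json.loads(_unb64u(body))
        except ValueError:          # bad base64, bad JSON or no "." separator
            return None
        if not isinstance(payload, dict):
            return None
        now = int(time.time()) if now is None else now
        if payload.get("exp", 0) <= now or app_id not in payload.get("aud", []):
            return None
        return payload


def application_request(app_id: str, iam: CloudIAM, token: Optional[str],
                        now: Optional[int] = None) -> tuple:
    """An application service handling a request.  With no usable Token it
    answers "login required" (the redirect to the IAM server); with a valid
    shared Token it returns the resource without asking the user to log in."""
    if token is None:
        return ("login_required", None)
    claims = iam.validate(token, app_id, now)
    if claims is None:
        return ("login_required", None)
    return ("ok", f"{app_id} resource for {claims['sub']}")


if __name__ == "__main__":
    iam = CloudIAM(os.urandom(32))
    tok = iam.login("alice", "correct horse")        # first visit to app A: login once
    print(application_request("app-a", iam, tok))    # ('ok', 'app-a resource for alice')
    print(application_request("app-b", iam, tok))    # same Token, no second login at app B
```

The `aud` list is what makes "shared among a plurality of application services" explicit: a Token is good for exactly the services the IAM server named when it issued it, and a service that is not on the list cannot accept it.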
In one usage scenario, the cloud IAM server may be an EIAM (Employee Identity and Access Management, enterprise identity management platform) server: identity data such as internal employee accounts and permissions is synchronized to the EIAM server, which then manages employee identity data, identity authentication, application access and so on. In this scenario the users of the application services are the enterprise's employees; for example, an employee can log in to and use several application services of the same enterprise, such as an office system, a check-in system and a finance system, with one employee account.
In another usage scenario, the cloud IAM server may be a CIAM (Customer Identity and Access Management, consumer identity management) server: consumer identity data such as accounts and membership levels is synchronized to the CIAM server, which manages consumer identity data, identity authentication, application access and so on. In this scenario the users of the application services are consumers; for example, a consumer can log in to and use several application services provided by the same enterprise, such as multiple e-commerce platforms and social platforms, with one registered account.
In the above embodiments the local identity management server on the user side may be an LDAP (Lightweight Directory Access Protocol) server, i.e. a directory-like structured store for identity data, including but not limited to an AD (Active Directory) server, an OpenLDAP server, a Red Hat Directory Server and the like. Other servers are also possible, for example by interfacing with an existing application server that holds identity data and obtaining the identity data from it, such as obtaining the target identity data from the server of an instant messaging application like DingTalk.
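The following is an added example, not code from the patent or from Alibaba Cloud, that connects the directory types just listed with the SCIM protocol mentioned earlier: entries as returned by Active Directory and by OpenLDAP or Red Hat Directory Server name the same facts with different attributes, so the mapping into SCIM 2.0 User resources (the form in which the cloud IAM server and the application servers exchange identity data) is done per directory flavour, and a second function works out which create, replace and deactivate operations a downstream application needs so that its accounts stay synchronized with the directory. The sample entries are constructed; the flavour names and the lock-status attributes used for OpenLDAP/RHDS are assumptions.

```python
"""Added example (not from the patent): directory entries to SCIM 2.0 Users,
plus the sync plan a downstream application needs.  Sample entries constructed."""
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
AD_ACCOUNTDISABLE = 0x0002      # userAccountControl bit that disables an AD account


def _first(entry: dict, attr: str, default=None):
    """LDAP attributes are multi-valued; take the first value or a default."""
    vals = entry.get(attr)
    if not vals:
        return default
    return vals[0] if isinstance(vals, list) else vals


def _ad_active(entry: dict) -> bool:
    return not (int(_first(entry, "userAccountControl", "0")) & AD_ACCOUNTDISABLE)


def _ldap_active(entry: dict) -> bool:
    # Assumed lock markers: nsAccountLock (389-ds / RHDS) and the ppolicy
    # overlay's pwdAccountLockedTime (OpenLDAP).  Absent means active.
    locked = str(_first(entry, "nsAccountLock", "false")).lower() == "true"
    return not (locked or bool(entry.get("pwdAccountLockedTime")))


def to_scim_user(entry: dict, flavour: str) -> dict:
    """Map one directory entry to a SCIM core User resource."""
    if flavour == "ad":
        username, active = _first(entry, "sAMAccountName"), _ad_active(entry)
        ext_id = _first(entry, "objectGUID")
    elif flavour in ("openldap", "rhds"):
        username, active = _first(entry, "uid"), _ldap_active(entry)
        ext_id = _first(entry, "entryUUID") or _first(entry, "nsUniqueId")
    else:
        raise ValueError(f"unknown directory flavour {flavour!r}")
    if not username:
        raise ValueError("entry has no login name")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": ext_id,             # stable directory identifier, not the DN
        "userName": username,
        "name": {"givenName": _first(entry, "givenName", ""),
                 "familyName": _first(entry, "sn", "")},
        "displayName": _first(entry, "displayName") or _first(entry, "cn", username),
        "emails": [{"value": m, "primary": i == 0} for i, m in enumerate(entry.get("mail", []))],
        "groups": [{"value": g} for g in entry.get("memberOf", [])],
        "active": active,
    }


def plan_sync(previous: dict, current: list) -> dict:
    """Compare the last synchronised state (keyed by externalId) with freshly
    fetched users and say which SCIM operations the downstream needs.  An
    account that disappeared from the directory is deactivated rather than
    ignored, so the downstream application revokes its access."""
    now_by_id = {u["externalId"]: u for u in current}
    ops = {"create": [], "replace": [], "deactivate": []}
    for ext_id, user in now_by_id.items():
        if ext_id not in previous:
            ops["create"].append(user)
        elif previous[ext_id] != user:
            ops["replace"].append(user)
    for ext_id, user in previous.items():
        if ext_id not in now_by_id and user["active"]:
            ops["deactivate"].append(dict(user, active=False))
    return ops


AD_ENTRY = {    # constructed, shaped like an Active Directory search result
    "objectGUID": ["c0ffee00-1111-2222-3333-444444444444"],
    "sAMAccountName": ["bwang"], "givenName": ["Bo"], "sn": ["Wang"],
    "displayName": ["Bo Wang"], "mail": ["bo.wang@example.com"],
    "memberOf": ["CN=finance,OU=groups,DC=example,DC=com"],
    "userAccountControl": ["514"],      # 512 NORMAL_ACCOUNT | 2 ACCOUNTDISABLE
}
OPENLDAP_ENTRY = {   # constructed, shaped like an OpenLDAP / RHDS search result
    "entryUUID": ["9b3f0d5e-aaaa-bbbb-cccc-dddddddddddd"],
    "uid": ["alice"], "cn": ["Alice Liu"], "givenName": ["Alice"], "sn": ["Liu"],
    "mail": ["alice@example.com", "a.liu@example.com"],
    "memberOf": ["cn=finance,ou=groups,dc=example,dc=com"],
}

if __name__ == "__main__":
    previous = {u["externalId"]: u for u in [to_scim_user(OPENLDAP_ENTRY, "openldap")]}
    print(plan_sync(previous, [to_scim_user(AD_ENTRY, "ad")]))
```

Keying the previous state by `externalId` rather than by `userName` is deliberate: a renamed account keeps its directory identifier and is updated in place, whereas keying by login name would deactivate the old name and create a fresh account with none of its history.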
In the above embodiments the network endpoint is created under the virtual switch of the user's VPC and bound to the cloud IAM server, and the user configures, through the network endpoint configuration page, which local identity management server the endpoint is used to access. With this configuration one network endpoint can serve several local identity management servers of the user. After a network endpoint has been created for the user, the address of the local identity management server the endpoint is to access (the "server address" in Fig. 4) is configured through a network endpoint configuration page such as the one in Fig. 4; when identity data is to be synchronized from another local identity management server, that address is simply changed to the other server's address, without creating a new network endpoint. Compared with the conventional implementation, in which one connecting component can serve only one local identity management server, this is more flexible and saves resources.
The user can also delete an existing network endpoint from the user VPC through the page shown in Fig. 5; for example, when the user enters information such as the name and region of the existing network endpoint and clicks the "delete" component, the cloud IAM server deletes the network endpoint and releases the corresponding resources. A network endpoint may also be given a validity period, after which the cloud IAM server deletes it automatically and releases its resources. Other deletion mechanisms are possible and are not enumerated here.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
According to an embodiment of another aspect, an apparatus for accessing identity data is provided. Fig. 8 shows a schematic block diagram of an apparatus for accessing identity data according to one embodiment; the apparatus is provided at the IAM server of a cloud system that comprises an IAM VPC and a user VPC, the cloud IAM server being located in the IAM VPC. As shown in Fig. 8, the apparatus 800 includes a configuration acquisition unit 801, an endpoint configuration unit 802 and a data synchronization unit 803, and may further include an endpoint creation unit 804. The main functions of each unit are as follows:
A configuration acquisition unit 801 configured to acquire network endpoint configuration information from a user.
The endpoint configuration unit 802 is configured to configure, according to the network endpoint configuration information, a network endpoint bound to the cloud IAM server on the user VPC corresponding to the user.
A data synchronization unit 803 configured to access the local identity management server on the user side through the user's private network using the network endpoint and obtain the target identity data.
As one of the realizations, the configuration acquisition unit 801 may be specifically configured to: providing a network endpoint configuration page to a user; if the cloud system has created a network endpoint of the user, providing the network endpoint on a network endpoint configuration page for the user to select; and acquiring the address of the local identity management server on the user side and the selected network endpoint, which are input by the user through the network endpoint configuration page.
Still further, the endpoint creation unit 804 may be configured to: provide a network endpoint creation page to the user; acquire the identification information of the network endpoint, the virtual switch information of the user VPC and the private network information of the user that the user enters through the network endpoint creation page; and, according to the virtual switch information and the private network information, create under the virtual switch of the user VPC, in the corresponding private network, a virtual network card bound to the cloud IAM server as the network endpoint.
In one implementation, if the local identity management server on the user side is located in the user VPC, the data synchronization unit 803 accesses it through the user VPC using the network endpoint.
In another implementation, if the local identity management server on the user side is located in a VPC of the cloud system other than the user VPC, the data synchronization unit 803 accesses it using the network endpoint through the cloud enterprise network CEN between the user VPC and that other VPC.
In yet another implementation, if the local identity management server on the user side is located outside the cloud system, the data synchronization unit 803 accesses it using the network endpoint through a dedicated connection between the user VPC and the local identity management server.
Further, the configuration obtaining unit 801 may obtain authentication information input by the user through the network endpoint configuration page.
Accordingly, the data synchronization unit 803 may perform access authentication to the local identity management server on the user side by using the authentication information, and acquire the target identity data from the local identity management server on the user side after the authentication is passed.
As one of the usage scenarios, the cloud IAM server may be an EIAM server; as another usage scenario, the cloud IAM server may be a CIAM server.
The local identity management server on the user side may be an LDAP (Lightweight Directory Access Protocol) server, i.e. a directory-like structured store for identity data, including but not limited to an AD (Active Directory) server, an OpenLDAP server, a Red Hat Directory Server and the like.
Still further, the data synchronization unit 803 may be further configured to: the target identity data is provided to the downstream application server or a single sign-on service is provided to the downstream application server.
According to an embodiment of a further aspect, a system for accessing identity data is provided, comprising an IAM VPC, a user VPC and the user's local identity management server.
The local identity management server on the user side stores identity data.
The cloud IAM server is located in the IAM VPC and is configured to acquire network endpoint configuration information from a user; configure, according to that information, a network endpoint bound to the cloud IAM server on the user VPC corresponding to the user; and access the local identity management server on the user side through the user's private network using the network endpoint and acquire the target identity data.
The cloud IAM server and the user VPC are in the same cloud system. The local identity management server on the user side may be located in that cloud system, for example as shown in Figs. 3 and 6, or in another system outside it, such as the user's off-cloud IDC (as shown in Fig. 7) or another cloud system.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points. The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and provide corresponding operation entries for the user to select authorization or rejection.
In addition, the embodiment of the application further provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method of any one of the foregoing method embodiments.
And an electronic device comprising:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read for execution by the one or more processors, perform the steps of the method of any of the preceding method embodiments.
The present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any of the preceding method embodiments.
Fig. 9 illustrates an architecture of an electronic device, which may include a processor 910, a video display adapter 911, a disk drive 912, an input/output interface 913, a network interface 914, and a memory 920. The processor 910, the video display adapter 911, the disk drive 912, the input/output interface 913, the network interface 914, and the memory 920 may be communicatively connected by a communication bus 930.
The processor 910 may be implemented by a general-purpose CPU, a microprocessor, an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing a relevant program to implement the technical solutions provided herein.
The memory 920 may be implemented as ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device or the like. The memory 920 may store an operating system 921 for controlling the operation of the electronic device 900 and a Basic Input Output System (BIOS) 922 for controlling its low-level operation. It may also store a web browser 923, a data storage management system 924, an apparatus 925 for accessing identity data, and so on. The apparatus 925 for accessing identity data may be an application program that implements the operations of the foregoing steps of the embodiments of this application. In general, when the technical solutions of this application are implemented in software or firmware, the relevant program code is stored in the memory 920 and invoked and executed by the processor 910.
The input/output interface 913 is used to connect with the input/output module to realize information input and output. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
The network interface 914 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 930 includes a path for transferring information between components of the device (e.g., processor 910, video display adapter 911, disk drive 912, input/output interface 913, network interface 914, and memory 920).
It is noted that although the above-described devices illustrate only the processor 910, video display adapter 911, disk drive 912, input/output interface 913, network interface 914, memory 920, bus 930, etc., the device may include other components necessary to achieve proper operation in an implementation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the present application, and not all the components shown in the drawings.
From the above description of embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software plus a necessary general purpose hardware platform. Based on such understanding, the technical solutions of the present application may be embodied essentially or in a part contributing to the prior art in the form of a computer program product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and include several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments or some parts of the embodiments of the present application.
The foregoing has outlined the detailed description of the preferred embodiment of the present application, and the detailed description of the principles and embodiments of the present application has been provided herein by way of example only to facilitate the understanding of the method and core concepts of the present application; also, as will occur to those of ordinary skill in the art, many modifications are possible in view of the teachings of the present application, both in the detailed description and the scope of its applications. In view of the foregoing, this description should not be construed as limiting the application.

Claims (14)

1. A method for accessing identity data, applied to a cloud identity and access management (IAM) server of a cloud system, the cloud system comprising an IAM virtual private cloud (VPC) and a user VPC, the cloud IAM server being located in the IAM VPC, characterized in that the method comprises the following steps:
acquiring network endpoint configuration information from a user;
configuring a network endpoint bound with the cloud IAM server on a user VPC corresponding to the user according to the network endpoint configuration information;
and accessing a local identity management server at the user side through the private network of the user by utilizing the network endpoint and acquiring target identity data.
2. The method of claim 1, wherein the network endpoint is a virtual network card created by the cloud IAM server under a virtual switch of the user VPC.
3. The method of claim 1, wherein the obtaining network endpoint configuration information from the user comprises:
providing a network endpoint configuration page to the user;
if the cloud system has created a network endpoint of the user, providing the network endpoint on the network endpoint configuration page for the user to select;
And acquiring the address of the local identity management server at the user side and the selected network endpoint, which are input by the user through a network endpoint configuration page.
4. The method according to claim 3, wherein, before the network endpoint configuration page is provided to the user, or when an event is received in which the user triggers creation of a network endpoint through the network endpoint configuration page, the method further comprises:
providing a network endpoint creation page to the user;
acquiring identification information of a network endpoint, virtual switch information of the user VPC and private network information of the user, which are input by the user through the network endpoint creation page;
and creating a virtual network card bound with the cloud IAM server as the network endpoint under the virtual switch of the user VPC in the corresponding private network according to the virtual switch information and the private network information of the user.
5. The method according to claim 2 or 3, wherein the virtual network card comprises an elastic network interface (ENI) bound to an elastic compute service (ECS) instance in the cloud IAM server, and the ECS instance accesses the local identity management server on the user side through the user's private network and obtains the target identity data.
6. The method of claim 1, wherein accessing the local identity management server on the user side over the user's private network with the network endpoint comprises:
if the local identity management server of the user side is located in the user VPC, the cloud IAM server accesses the local identity management server of the user side through the user VPC by utilizing the network endpoint; or,
if the local identity management server of the user side is located in other VPCs except the user VPC in the cloud system, the cloud IAM server accesses the local identity management server of the user side by using the network endpoint through a cloud enterprise network CEN between the user VPC and the other VPCs; or,
if the local identity management server of the user side is located outside the cloud system, the cloud IAM server accesses the local identity management server of the user side by using the network endpoint through a dedicated connection between the user VPC and the local identity management server of the user side.
7. A method according to claim 3, characterized in that the method further comprises: acquiring authentication information input by the user on a configuration page of a network endpoint;
The obtaining the target identity data comprises the following steps: and carrying out access authentication on the local identity management server of the user side by utilizing the authentication information, and acquiring target identity data from the local identity management server of the user side after the authentication is passed.
8. The method of any one of claims 1 to 4, 6 and 7, wherein the cloud IAM server comprises an enterprise employee identity and access management (EIAM) server or a consumer identity and access management (CIAM) server;
and the local identity management server on the user side comprises a Lightweight Directory Access Protocol (LDAP) server.
9. The method according to any one of claims 1 to 4, 6 and 7, further comprising:
and the cloud IAM server provides the target identity data to a downstream application server or provides single sign-on service for the downstream application server by utilizing the target identity data.
10. An apparatus for accessing identity data, provided at a cloud IAM server of a cloud system, the cloud system comprising an IAM VPC and a user VPC, the cloud IAM server being located in the IAM VPC, characterized in that the apparatus comprises:
a configuration acquisition unit configured to acquire network endpoint configuration information from a user;
an endpoint configuration unit configured to configure, according to the network endpoint configuration information, a network endpoint bound to the cloud IAM server on the user VPC corresponding to the user;
and a data synchronization unit configured to access the local identity management server on the user side through the user's private network using the network endpoint and acquire target identity data.
11. A cloud system, wherein the cloud system comprises an IAM VPC and a user VPC;
the cloud IAM server is located in the IAM VPC and is configured to acquire network endpoint configuration information from a user; configuring a network endpoint bound with the cloud IAM server on a user VPC corresponding to the user according to the network endpoint configuration information; and accessing a local identity management server at the user side through the private network of the user by utilizing the network endpoint and acquiring target identity data.
12. A system for accessing identity data, the system comprising: IAM VPC, user VPC and user's local identity management server;
the local identity management server of the user side stores identity data;
the cloud IAM server is located in the IAM VPC and is configured to acquire network endpoint configuration information from a user; configuring a network endpoint bound with the cloud IAM server on a user VPC corresponding to the user according to the network endpoint configuration information; accessing a local identity management server at the user side through a private network of the user by using the network endpoint and acquiring target identity data;
The cloud IAM server and the user VPC are arranged in the same cloud system, and the local identity management server of the user side is arranged in the cloud system or other systems outside the cloud system.
13. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method according to any one of claims 1 to 9.
14. An electronic device, comprising:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read for execution by the one or more processors, perform the steps of the method of any of claims 1 to 9.
CN202311134138.6A 2023-09-04 2023-09-04 Method, device and system for accessing identity data Pending CN117459245A (en)

Publications (1)

Publication Number Publication Date
CN117459245A (en) 2024-01-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination