KR102619805B1 - Virtual private network integrated authentication method for access to virtual desktop environment - Google Patents

Abstract

A virtual private network integrated authentication method for accessing a virtual desktop infrastructure, performed by an electronic device according to various embodiments of the present disclosure, includes linking with a virtual desktop infrastructure system and a user terminal. Receiving a first request to create a virtual desktop environment from a device and a second request to apply for telecommuting, in response to the first request, creating the virtual desktop environment for a user, and providing the user with the virtual desktop environment. It may include granting access to a desktop environment and, in response to the second request, granting permission to an SSL (Secure Sockets Layer)-based virtual private network to the user.

Description

Virtual private network integrated authentication method for accessing a virtual desktop environment {VIRTUAL PRIVATE NETWORK INTEGRATED AUTHENTICATION METHOD FOR ACCESS TO VIRTUAL DESKTOP ENVIRONMENT}

The present invention relates to virtual private network integrated authentication technology for accessing a virtual desktop environment.

In the prior art related to the present invention, there are various methods of operating a virtual desktop system. Patent Document 1 relates to a data redirection method in a virtual desktop system. A virtual desktop system in which multiple virtual desktops can be used as one virtual desktop by automatically converting the operating system to an operating system that matches the application. Discloses a data redirection method. Patent Document 2 relates to a host device and method for supporting multiple screens in a virtual desktop infrastructure environment. In a VDI environment, encoder sessions are used to a minimum to reduce the load on the host server, while maximizing available capacity and providing low latency. Technology for providing multi-screen is disclosed. Patent Document 3 relates to a method of monitoring a session of an open OS virtual desktop in a VDI environment and an open OS monitoring system in a VDI environment to which the same is applied. In a VDI environment, session information of a user's virtual desktop is periodically acquired to monitor the virtual desktop. We disclose a method for monitoring sessions of an open OS virtual desktop in a VDI environment that can provide basic technology for an optimized system environment, and a technology for providing an open OS monitoring system in a VDI environment to which this is applied. Patent Document 4 relates to a virtual desktop system that can provide an environment at a specific point in time and a data processing method thereof, and discloses a technology for providing a virtual desktop system and a data processing method for the convenience of using the virtual desktop for any user. .

Patent Document 1: Registered Patent Publication No. 10-2521786 B1 Patent Document 2: Public Patent Publication No. 10-2022-0147439 A Patent Document 3: Publication of Patent Publication No. 10-2022-0129882 A Patent Document 4: Registered Patent Publication No. 10-2314221 B1

According to an embodiment of the present disclosure, by introducing a Secure Sockets Layer (SSL) VPN (virtual private network) for encryption of communication sections and an account integrated authentication solution, high access terminal security and automation and convenience of the VDI (virtual desktop infrastructure) system are achieved. Improving the technical solution is a task.

In one embodiment disclosed in this document, a virtual private network integrated authentication method for accessing a virtual desktop environment, performed by an electronic device, includes the steps of linking with a virtual desktop infrastructure system; Receiving a first request for creating a virtual desktop environment and a second request for applying for telecommuting from the user's terminal device; In response to the first request, creating the virtual desktop environment for the user and granting the user access to the virtual desktop environment; And in response to the second request, it may include granting permission for a Secure Sockets Layer (SSL)-based virtual private network to the user.

According to one embodiment, the virtual private network integrated authentication method includes receiving a third request for accessing the virtual desktop environment from the user's terminal device; In response to the third request, requesting the user's authentication information from the user's terminal device; Receiving the user's authentication information from the user's terminal device; Using the user's authentication information, performing integrated authentication that integrates active directory-based authentication and OTP authentication for the user; And in response to the integrated authentication being successful, the method may further include connecting the user's terminal device to the virtual desktop environment through the SSL-based virtual private network for the user.

According to one embodiment, the virtual private network integrated authentication method is, when there is no record of the user's terminal device accessing the virtual desktop environment for a preset period of time after creating the virtual desktop environment for the user, It may further include the step of revoking access rights and rights of the SSL-based virtual private network.

According to one embodiment, the virtual private network integrated authentication method includes, in response to creating the virtual desktop environment for the user, transmitting a notification message indicating that the virtual desktop environment has been created to the user's terminal device. It may further include.

According to one embodiment, in response to the integrated authentication being successful, connecting the user to the virtual desktop environment through the SSL-based virtual private network for the user includes using a single sign on (SSO) system. , connecting the user to the virtual desktop environment through the SSL-based virtual private network for the user without additional authentication for the user, wherein the user's authentication information includes the IP address of the user's terminal device and the user It may include ID information.

The device according to one embodiment may be combined with hardware and controlled by a computer program stored in a medium to execute any one of the above-described methods.

According to an embodiment of the present disclosure, by introducing a Secure Sockets Layer (SSL) VPN (virtual private network) for encryption of communication sections and an account integrated authentication solution, high access terminal security and automation and convenience of the VDI (virtual desktop infrastructure) system are achieved. can be improved.

1 is a diagram illustrating a system that performs a virtual private network integrated authentication method for accessing a virtual desktop infrastructure according to various embodiments of the present disclosure.
2 is an exemplary diagram of the configuration of an electronic device according to various embodiments of the present disclosure.
3 is a flowchart of an operation of an electronic device according to various embodiments of the present disclosure.
4 is a flowchart of an operation of an electronic device according to various embodiments of the present disclosure.
Figure 5 is a diagram illustrating a system according to various embodiments of the present disclosure.

Hereinafter, embodiments will be described in detail with reference to the attached drawings. However, various changes can be made to the embodiments, so the scope of the patent application is not limited or limited by these embodiments. It should be understood that all changes, equivalents, or substitutes for the embodiments are included in the scope of rights.

Specific structural or functional descriptions of the embodiments are disclosed for illustrative purposes only and may be modified and implemented in various forms. Accordingly, the embodiments are not limited to the specific disclosed form, and the scope of the present specification includes changes, equivalents, or substitutes included in the technical spirit.

Terms such as first or second may be used to describe various components, but these terms should be interpreted only for the purpose of distinguishing one component from another component. For example, a first component may be named a second component, and similarly, the second component may also be named a first component.

When a component is referred to as being “connected” to another component, it should be understood that it may be directly connected or connected to the other component, but that other components may exist in between.

The terms used in the examples are for descriptive purposes only and should not be construed as limiting. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, terms such as “comprise” or “have” are intended to designate the presence of features, numbers, steps, operations, components, parts, or combinations thereof described in the specification, but are not intended to indicate the presence of one or more other features. It should be understood that this does not exclude in advance the possibility of the existence or addition of elements, numbers, steps, operations, components, parts, or combinations thereof.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as generally understood by a person of ordinary skill in the technical field to which the embodiments belong. Terms defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related technology, and unless explicitly defined in the present application, should not be interpreted in an ideal or excessively formal sense. No.

In addition, when describing with reference to the accompanying drawings, identical components will be assigned the same reference numerals regardless of the reference numerals, and overlapping descriptions thereof will be omitted. In describing the embodiments, if it is determined that detailed descriptions of related known technologies may unnecessarily obscure the gist of the embodiments, the detailed descriptions are omitted.

Embodiments may be implemented in various types of products such as personal computers, laptop computers, tablet computers, smart phones, televisions, smart home appliances, intelligent vehicles, kiosks, and wearable devices.

FIG. 1 is a diagram illustrating a system 10 that performs a virtual private network integrated authentication method for accessing a virtual desktop infrastructure according to various embodiments of the present disclosure.

The system 10 according to various embodiments may include an electronic device 110 and a plurality of user terminal devices 120. The electronic device 110 may be wired or wirelessly connected to the terminal devices 120 of a plurality of users (eg, employees) through a communication network. In this disclosure, a user may be an employee of a company to use a virtual desktop environment. The terminal devices 120 of the plurality of users may be terminal devices used by each of the plurality of employees.

The electronic device 110 according to various embodiments may be a server device that operates the above-described service. The service may be operated through an application or a website. A detailed description of the service will be provided later. The electronic device 110 may be composed of two or more server devices. By duplicating servers, it is possible to overcome a failure in one server.

In this drawing, the number of terminal devices 120 of a plurality of users is shown as four (e.g., the first user's terminal device 120a, the second user's terminal device 120b, and the third user's terminal device 120c). ) and the fourth user's terminal device 120d), this is an example, and of course, the number of terminal devices 120 of a plurality of users may increase or decrease in proportion to the number of users.

FIG. 2 is an exemplary diagram of the configuration of an electronic device 110 according to various embodiments.

The electronic device 110 according to one embodiment includes a processor 111, a memory 113, a communication circuit 115, and a database 117. The electronic device 110 according to one embodiment may be a server device for operating the above-described system. The processor 111 may include at least one device disclosed in this document or may perform at least one method disclosed in this document. The memory 113 may store information related to the above-described method or store a program implementing the above-described method. The memory 113 may be a volatile memory 113 or a non-volatile memory 113.

The processor 111 can execute programs and control the electronic device 110. The code of the program executed by the processor 111 may be stored in the memory 113. The electronic device 110 may be connected to an external device (eg, a personal computer or a network) through an input/output device (not shown) and exchange data. The processor 111 may be operatively connected to components of the electronic device 110. The processor 111 may load commands or data received from other components of the electronic device 110 into the memory 113, process the commands or data stored in the memory 113, and store the resulting data.

The communication circuit 115 may establish a communication channel with an external device (e.g., a plurality of users' terminal devices 120) and transmit and receive various data with the external device. According to various embodiments, the communication circuit 115 may include a cellular communication module and be configured to connect to a cellular network (eg, 3G, LTE, 5G, Wibro, or Wimax). According to various embodiments, the communication circuit 115 includes a short-range communication module and can transmit and receive data with an external device using short-range communication (e.g., Wi-Fi, Bluetooth, Bluetooth Low Energy (BLE), UWB). However, it is not limited to this.

The database 117 can store various information. The database 117 may store various user information under the control of the processor 111.

The electronic device 110 according to various embodiments may further include an input device (not shown). The input device may receive commands or data to be used for components of the electronic device 110 from outside the electronic device 110 (eg, a buyer or a seller). Input devices may include, for example, a microphone, mouse, keyboard, or digital pen.

3 is a flowchart 300 of an electronic device 110 according to various embodiments of the present disclosure. Figure 3 is specifically a flowchart of the operation of creating (or assigning) a virtual desktop environment to a user and granting permission thereto.

Referring to the flowchart 300, in step 310, the processor 111 of the electronic device 110 according to one embodiment may interact with a virtual desktop environment system. For example, the electronic device 110 may interact with a virtual desktop environment system to control and manage the virtual system environment system. A virtual desktop environment may refer to an environment (or solution) that provides a virtual desktop and data storage space for each user by utilizing the resources of a server operating in virtualization on a central server (e.g., electronic device 110).

In step 320, the processor 111 according to an embodiment may receive a first request for creating a virtual desktop environment and a second request for applying to work from home from the user's terminal device 120. For example, in order to use the company's network through the user's terminal device 120, the user may input a request to create a virtual desktop environment into the terminal device 120. The user's terminal device 120 may transmit a first request for creating a virtual desktop environment for the user to the electronic device 110. Additionally, the user may transmit a second request for applying for telecommuting to the electronic device 110 through the terminal device 120 so that the user can perform telecommuting using a virtual desktop environment.

In step 330, in response to the first request, the processor 111 according to one embodiment may create the virtual desktop environment for the user and grant access to the virtual desktop environment to the user. . In response to receiving the first request, the processor 111 may create a virtual desktop environment to be assigned to the user. The processor 111 may grant access to the created virtual desktop environment only to the user. As a result, the user can use the virtual desktop environment created (assigned) to the user through the user's terminal device 120.

In step 340, the processor 111 according to an embodiment may grant SSL (Secure Sockets Layer)-based virtual private network permission to the user in response to the second request. The processor 111 may grant SSL-based virtual private network permission to the user so that the user can work from home through the terminal device 120. SSL is a term meaning Secure Socket Layer and is an Internet communication protocol for safely transmitting data on the Internet. A virtual private network is a type of security solution and can refer to a corporate communication service that can significantly reduce line costs by using a public network such as the Internet network as a private network. An SSL-based virtual private network may be a virtual private network that can access the network inside the server regardless of location or type of terminal device 120. SSL can be a security solution with the ability to protect the contents of information even if the information is leaked through hacking during communication between the web browser and the server. SSL-based VPN allows internal system resources to be safely used via the Internet from a remote location. The processor 111 may assign a static IP to the virtual desktop environment. SSL-based VPN can prevent unnecessary performance degradation by establishing a simple zone-based firewall policy, and can strengthen security by setting detailed policies between zones. SSL-based VPN is an additional configuration of user policy based on the user's ID, which can strengthen security functions, improve convenience, and provide ID-based firewall logs and various statistical information.

According to one embodiment, the processor 111 connects the first user's terminal device 120 (120a) to a blockchain network formed with each of the plurality of users' terminal devices 120 as nodes. Information about the authority of the SSL-based virtual private network can be stored in the form of a block in the node. Compensation may be paid with coins mined based on information about the SSL-based virtual private network authority and delivered to a cryptocurrency wallet allocated to the first user's terminal device 120 (120a).

FIG. 4 is a flowchart 400 of the operation of the electronic device 110 according to an embodiment of the present disclosure. FIG. 4 is specifically a flowchart of an operation of connecting a user's terminal device 120 to a virtual desktop environment assigned (or created) to the user.

Referring to the operation flowchart 400, in step 410, the processor 111 of the electronic device 110 according to one embodiment receives a third request for accessing the virtual desktop environment from the user's terminal device 120. You can. In order to access the virtual desktop environment created (or assigned) to the user, the user may transmit a third request for accessing the virtual desktop environment to the electronic device 110 through the terminal device 120.

In step 420, the processor 111 according to one embodiment may request the user's authentication information from the user's terminal device 120 in response to the third request. When receiving the third request, the electronic device 110 may request the user's authentication information from the user's terminal device 120. The user's authentication information may include, for example, the IP address of the user's terminal device 120 and the user's ID information.

In step 430, the processor 111 according to an embodiment may receive the user's authentication information from the user's terminal device 120. The user's terminal device 120 may transmit the IP address of the user's terminal device 120 and the user's ID information to the electronic device 110.

In step 440, the processor 111 according to an embodiment may perform integrated authentication that integrates Active Directory-based authentication and OTP authentication for the user using the user's authentication information. Active Directory is one of the directory services with well-defined protocols and formats, and can enable centralized resource management by providing a powerful, flexible, and convenient API. Active Directory service can provide step-by-step classification of various servers and various naming methods, query, management, registration, and interpretation services. OTP (one time password) relates to a user authentication method that uses a randomly generated one-time password instead of a fixed password. It may be a user authentication method that uses a randomly generated one-time password of a random number. The processor 111 can provide a complex integrated authentication service that integrates Active Directory-based authentication and OTP authentication for the user into one.

In step 450, in response to the integrated authentication being successful, the processor 111 according to an embodiment may connect the user to the virtual desktop environment through the SSL-based virtual private network for the user. The processor 111 may use a single sign on (SSO) system to connect the user to the virtual desktop environment through the SSL-based virtual private network without additional authentication for the user. That is, the user can easily and easily access the virtual desktop through the single integrated authentication without additional authentication using the SSO system, without the need to perform multiple authentications in order to access the virtual desktop.

According to one embodiment, if there is no record of the user's terminal device 120 accessing the virtual desktop environment during a preset period after creating the virtual desktop environment for the user, the access rights and the SSL The authority of the underlying virtual private network can be revoked. In other words, the processor 111 can continuously monitor whether a virtual desktop environment is used even after assigning it to a user. If the virtual desktop environment is not used for a preset period (eg, one year), the processor 111 may automatically retrieve and discard the rights granted to the user. The processor 111 is capable of managing the overall life cycle of the virtual desktop environment.

FIG. 5 is a diagram illustrating a system 10 according to one embodiment of the present disclosure.

Referring to FIG. 5, the electronic device 110 according to one embodiment may include an in-house server and a DMZ server. A neutral zone (DMZ) can refer to a host or network that establishes a kind of neutral zone between a company's internal network and external network. The electronic device 110 may interact with a virtual desktop environment system.

A user can access the Internet through the terminal device 120. Users can request the creation of a virtual desktop environment via the Internet and apply to work from home. The user's terminal device 120 may transmit a first request for creating a virtual desktop environment and a second request for applying for telecommuting to the electronic device 110 based on the user's input. The first request and the second request may be transmitted to the integrated authentication portal 513 of the DMZ server through an external firewall. The integrated authentication portal 513 may create a virtual desktop environment for the user in response to the first request and grant access to the virtual desktop environment to the user. The integrated authentication portal 513 may grant permission to the SSL-based VPN 511 to the user in response to the second request. The integrated authentication portal 513 can transmit authority information for the virtual desktop environment assigned (created) to the user to the in-house server through the internal firewall. The authority information can be transmitted to the VDI portal 525 by accessing the VDI system. When accessing the integrated authentication portal 513, installation of a VDI connection program, VPN Agent, portal Agent, and security software can be supported on the user's terminal device 120.

Users can request access to a virtual desktop environment assigned to them (or created) via the Internet. The request can be sent directly to the in-house server through VPN tunneling (SSL ciphertext communication). In response to receiving the request, the in-house server may request and receive the user's authentication information from the user's terminal device 120. The in-house server can perform integrated authentication that combines Active Directory-based authentication using the Active Directory authentication server 521 and OTP authentication using the OTP server 523 for the user through the user's authentication information. In response to successful integrated authentication, the VDI portal 525 of the in-house server may connect the user's terminal device 120 to the virtual desktop environment (VDI) 527 through an SSL-based VPN for the user. .

The embodiments described above may be implemented with hardware components, software components, and/or a combination of hardware components and software components. For example, the devices, methods, and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, and a field programmable gate (FPGA). It may be implemented using one or more general-purpose or special-purpose computers, such as an array, programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. A processing device may execute an operating system (OS) and one or more software applications that run on the operating system. Additionally, a processing device may access, store, manipulate, process, and generate data in response to the execution of software. For ease of understanding, a single processing device may be described as being used; however, those skilled in the art will understand that a processing device includes multiple processing elements and/or multiple types of processing elements. It can be seen that it may include. For example, a processing device may include a plurality of processors or one processor and one controller. Additionally, other processing configurations, such as parallel processors, are possible.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc., singly or in combination. Program instructions recorded on the medium may be specially designed and configured for the embodiment or may be known and available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. -Includes optical media (magneto-optical media) and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, etc. Examples of program instructions include machine language code, such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter, etc. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Software may include a computer program, code, instructions, or a combination of one or more of these, which may configure a processing unit to operate as desired, or may be processed independently or collectively. You can command the device. Software and/or data may be used on any type of machine, component, physical device, virtual equipment, computer storage medium or device to be interpreted by or to provide instructions or data to a processing device. , or may be permanently or temporarily embodied in a transmitted signal wave. Software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.

Although the embodiments have been described with limited drawings as described above, those skilled in the art can apply various technical modifications and variations based on the above. For example, the described techniques are performed in a different order than the described method, and/or components of the described system, structure, device, circuit, etc. are combined or combined in a different form than the described method, or other components are used. Alternatively, appropriate results may be achieved even if substituted or substituted by an equivalent.

Therefore, other implementations, other embodiments, and equivalents of the claims also fall within the scope of the following claims.

Claims (3)

In a virtual private network integrated authentication method for accessing a virtual desktop infrastructure, performed by an electronic device,
Linking with a virtual desktop infrastructure system;
Receiving a first request for creating a virtual desktop environment and a second request for applying for telecommuting from the user's terminal device;
In response to the first request, creating the virtual desktop environment for the user and granting the user access to the virtual desktop environment;
In response to the second request, granting permission for a Secure Sockets Layer (SSL)-based virtual private network to the user;
Receiving a third request for accessing the virtual desktop environment from the user's terminal device;
In response to the third request, requesting the user's authentication information from the user's terminal device;
Receiving the user's authentication information from the user's terminal device;
Using the user's authentication information, performing integrated authentication that integrates active directory-based authentication and OTP authentication for the user;
In response to the integrated authentication being successful, connecting the user's terminal device to the virtual desktop environment through the SSL-based virtual private network for the user;
If there is no record of the user's terminal device accessing the virtual desktop environment during a preset period after creating the virtual desktop environment for the user, the access rights and the SSL-based virtual private network rights are revoked. step; and
In response to creating the virtual desktop environment for the user, transmitting a notification message indicating that the virtual desktop environment has been created to the user's terminal device,
In response to the integrated authentication being successful, connecting the user to the virtual desktop environment through the SSL-based virtual private network for the user, comprising:
Using a single sign on (SSO) system, connecting the user to the virtual desktop environment through the SSL-based virtual private network for the user without additional authentication for the user,
The user's authentication information includes the IP address of the user's terminal device and the user's ID information. delete delete