TWI696932B - System for providing multi-authentication management in a multi-tenant environment and method thereof - Google Patents


Info

Publication number
TWI696932B
Authority
TW
Taiwan
Prior art keywords
authentication
tenant
input data
pass
terminal
Prior art date
Application number
TW107140395A
Other languages
Chinese (zh)
Other versions
TW202018559A (en)
Inventor
張鈞彥
劉啟祥
Original Assignee
中華電信股份有限公司
Priority date
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW107140395A
Publication of TW202018559A
Application granted
Publication of TWI696932B


Abstract

A system for providing multi-authentication management in a multi-tenant environment, and a method thereof, are disclosed. A different authentication endpoint is set up for each domain, so that before a user enters a domain the authentication management device directs the user to the authentication endpoint of the corresponding domain for identity authentication.

Description

Multi-tenant management system and method

The present invention relates to a cloud system, and more particularly to a cloud system and method for multi-tenant management.

In the private cloud business model of a cloud computing system, users require different authentication mechanism architectures. In the public cloud business model, a tenant's account is tied to billing, so the tenant must supply necessary confidential information, and a dedicated authentication mechanism for tenant accounts is therefore also required.

However, a traditional system back end can only authenticate the identity of its users against a single authentication source, which makes it difficult to isolate and use different identity authentication mechanisms.

Therefore, how to provide a general mechanism that lets a private or public cloud computing system subsequently interface with different authentication mechanisms is the technical problem the present invention sets out to solve.

To overcome the shortcomings of the prior art, the present invention provides a multi-tenant management system comprising: a plurality of domains, which provide logical services; a plurality of authentication endpoints, which respectively provide the authentication mechanism for entering each domain, wherein each authentication endpoint corresponds to a different domain and each authentication endpoint has a different authentication mechanism; and an authentication management device, which comprises: an authentication association module, which receives a user's input data, finds the associated authentication endpoint according to the input data, and sends the input data to the associated authentication endpoint for authentication; and a domain pass module, which sends a domain pass to a user who has passed authentication at the associated authentication endpoint, wherein the domain pass allows the user to enter the domain corresponding to the associated authentication endpoint.

In one embodiment, the system further comprises an adapter interposed between the authentication management device and each authentication endpoint, which forwards the input data to the associated authentication endpoint for authentication and, when authentication succeeds, notifies the authentication association module of the success.

In one embodiment, the input data includes the domain, and the authentication management device further comprises an authentication settings database that stores authentication settings data. The authentication settings data includes the domain and the authentication endpoint corresponding to that domain, so that the authentication association module can find the settings entry associated with the domain in the input data and treat the authentication endpoint referred to in that entry as the associated authentication endpoint.

In one embodiment, the user is either a general user who has the right to use the domain or a tenant who has the right to manage the domain.

In one embodiment, the system further comprises: a public tenant area, which is a relay point through which the tenant of each domain passes before entering the domain it belongs to; a tenant authentication endpoint, which provides the authentication mechanism by which the tenants of the domains enter the public tenant area; and the authentication management device further comprises an area pass module, which sends an area pass to a tenant who has passed authentication at the tenant authentication endpoint, wherein the area pass allows the tenant to enter the public tenant area or lets the tenant exchange it at the domain pass module for a domain pass that grants entry to the domain the tenant belongs to. When the authentication association module receives the user's input data, it further determines whether the user who entered the input data is a general user or a tenant: if the user is a general user, it finds the associated authentication endpoint according to the input data and sends the input data to that endpoint for its authentication mechanism; if the user is a tenant, it sends the input data to the tenant authentication endpoint for its authentication mechanism.

The present invention further provides a multi-tenant management method comprising the following steps: (1) receiving a user's input data; (2) finding the associated authentication endpoint according to the input data; (3) sending the input data to the associated authentication endpoint for authentication; (4) after the input data passes authentication at the associated authentication endpoint, sending a domain pass to the user who passed that authentication; and (5) letting the user enter the domain corresponding to the domain pass on the basis of that pass.

In one embodiment, the input data includes the domain, and step (2) finds, among the authentication settings data, the entry associated with the domain in the input data, so that the authentication endpoint referred to in that entry is the associated authentication endpoint.

In one embodiment, step (1) further comprises the following step upon receiving the user's input data: (1-1) determining whether a public tenant area exists; if not, execution proceeds from step (2).

In one embodiment, the user is either a general user who has the right to use the domain or a tenant who has the right to manage the domain, and when a public tenant area is determined to exist, the following steps are performed: (1-2) determining whether the user is a tenant; if not, execution proceeds from step (2); if so, the input data is sent to the tenant authentication endpoint for authentication; (1-3) after the input data passes authentication at the tenant authentication endpoint, sending an area pass to the tenant who passed that authentication; (1-4) letting the tenant exchange the area pass for a domain pass that grants entry to the domain the tenant belongs to; and (1-5) letting the tenant enter the domain it belongs to on the basis of that domain pass.

In one embodiment, step (1-4) further comprises letting the tenant enter a public tenant area on the basis of the area pass before exchanging it for the domain pass to the domain the tenant belongs to.

As can be seen from the above, by configuring the authentication settings data the present invention gives each domain its own authentication endpoint for its own users, so that an enterprise's existing authentication methods can be integrated. This solves the legacy architectural problem in which user authentication on a traditional system platform can only interface with, and trust, a single authentication endpoint.

The present invention therefore has the following technical advantages:

1. Within the same system, the tenants and users of a domain may use different authentication sources; and once the tenants are centralised on one authentication source, each tenant can independently control, within the logical scope of its own domain, the users coming from another authentication source and the permissions on that domain's resources.

2. Each tenant has the logical scope of its own dedicated domain, with an independent permission policy within that domain, so adjustments in one domain do not affect other domains.

1‧‧‧user

2‧‧‧authentication management device

3‧‧‧adapter

4‧‧‧authentication endpoint

5‧‧‧domain

6‧‧‧tenant authentication endpoint

7‧‧‧public tenant area

21‧‧‧authentication settings database

22‧‧‧authentication association module

23‧‧‧domain pass module

24‧‧‧area pass module

51‧‧‧tenant

52‧‧‧authorization management module

53‧‧‧permission policy

54‧‧‧general user

55‧‧‧resource

S61~S65, S71~S76‧‧‧steps

Fig. 1 is a schematic diagram of the first embodiment of the multi-tenant management system of the present invention; Fig. 2 is a schematic diagram of the first embodiment of the authentication management device of the present invention; Fig. 3 is a schematic diagram of a domain of the present invention; Fig. 4 is a schematic diagram of the second embodiment of the multi-tenant management system of the present invention; Fig. 5 is a schematic diagram of the second embodiment of the authentication management device of the present invention; Fig. 6 is a flowchart of the steps of the first embodiment of the multi-tenant management method of the present invention; and Fig. 7 is a flowchart of the steps of the second embodiment of the multi-tenant management method of the present invention.

The following describes embodiments of the present invention by way of specific examples; those skilled in the art can readily understand other advantages and effects of the present invention from the content disclosed in this specification.

It should be noted that the structures, proportions, sizes and the like depicted in the drawings of this specification serve only to accompany the content disclosed here, for the understanding and reading of those skilled in the art, and are not intended to limit the conditions under which the present invention may be practised; they therefore carry no technical substance. Any modification of structure, change of proportion or adjustment of size that does not affect the effects the present invention can produce or the purposes it can achieve should still fall within the scope covered by the technical content disclosed here.

Referring to Fig. 1, a schematic diagram of the first embodiment of the multi-tenant management system of the present invention, the system comprises a plurality of users 1, an authentication management device 2, an adapter 3, a plurality of authentication endpoints 4 and a plurality of domains 5.

The users 1 enter input data into the authentication management device 2 through a mobile device or a computer.

In one embodiment, the users 1 include general users who have the right to use a domain and tenants who have the right to manage a domain.

In one embodiment, the input data includes a URL, the domain 5 and an account/password, but is not limited to these.

The adapter 3 is interposed between the authentication management device 2 and each authentication endpoint 4 and carries the data transmission between them.

The domains 5 provide logical services. In one embodiment the logical service may be, for example, the logical service of a website, but is not limited to this.

The authentication endpoints 4 respectively provide the authentication mechanism for entering each domain 5, wherein each authentication endpoint 4 corresponds to a different domain 5 and each authentication endpoint 4 has a different authentication mechanism.

The authentication management device 2 receives the input data of each user 1 and sends it through the adapter 3 to the authentication endpoint 4 associated with that input data for authentication. When the input data passes authentication at the associated authentication endpoint 4, that endpoint notifies the authentication management device 2 of the success, again through the adapter 3, and on the basis of that success notification the authentication management device 2 allows the user 1 who entered the input data to enter the domain 5 corresponding to the associated authentication endpoint 4.

Referring to Fig. 2, a schematic diagram of the first embodiment of the authentication management device 2 of the present invention, the authentication management device 2 comprises an authentication settings database 21, an authentication association module 22 and a domain pass module 23.

The authentication settings database 21 stores the authentication settings data, which includes the domain 5 and the authentication endpoint 4 corresponding to that domain 5.

The authentication association module 22 receives the input data of each user 1 and reads the authentication settings data from the authentication settings database 21. The settings entry whose domain 5 matches the domain 5 in the input data is the associated settings entry, the authentication endpoint 4 referred to in that entry is the associated authentication endpoint 4, and the input data is sent through the adapter 3 to that associated authentication endpoint 4 for authentication.

The domain pass module 23 sends a domain pass to the user 1 who has passed authentication at the associated authentication endpoint 4, wherein the domain pass allows the user 1 to enter the domain corresponding to the associated authentication endpoint.

In one embodiment, when the input data passes authentication at the associated authentication endpoint 4, that endpoint sends an authentication-passed message to the authentication association module 22 through the adapter 3, whereupon the authentication association module 22 directs the domain pass module 23 to send a domain pass to the user 1 who passed authentication at the associated endpoint, but this is not a limitation.

Referring to Fig. 3, a schematic diagram of a domain 5 of the present invention, the domain 5 comprises a tenant 51, an authorization management module 52, a plurality of permission policies 53, a plurality of general users 54 and a plurality of resources 55. When a user 1 enters its domain 5 on the basis of the domain pass, the account in the input data determines whether user 1 is the tenant 51 or a general user 54: the tenant 51 is an administrator with the authority to manage the domain 5, while a general user 54 is an ordinary user without the authority to manage the domain 5.

The authorization management module 52 lets the tenant 51 change, remove or use the permission policies 53, and lets the tenant 51 assign permission policies 53 to the general users 54.

The permission policies 53 grant the tenant 51 or the general users 54 the right to use the domain 5 and the right to access the resources 55.

The resources 55 comprise any resource used by the logical service.

When the authentication association module 22 receives the input data of a user 1, it determines from the account in the input data whether the user 1 entering it is a general user 54 or the tenant 51 of the domain 5.

In one embodiment, the authentication management device 2 further allows a user 1 to apply to become a general user 54 of an existing domain 5 in the system, or to apply to create a domain 5 and become its tenant 51, wherein the authentication endpoint 4 corresponding to each domain 5 and the authentication settings data in the authentication settings database 21 are configured when the tenant 51 applies to the authentication management device 2 to create the domain, but this is not a limitation.
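The per-domain authorization model of Fig. 3, written up as an added Python example; this is illustrative code, not the patent's or the assignee's own. It assumes that a permission policy is a named set of resource identifiers, that accounts are plain strings, and that the tenant is identified by its account name; those are assumptions for illustration, and the domains, accounts and policies in `demo()` are constructed. The example shows the three properties the description states: only the tenant can change, remove or assign policies, a general user gets access only through an assigned policy, and a change in one domain leaves another domain untouched.

```python
"""Per-domain authorization model of Fig. 3 (added example, not the patent's own code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    """A permission policy 53: the resources it grants access to (assumption: a named set)."""
    name: str
    resources: frozenset


class NotAuthorized(Exception):
    """Raised when an account other than the tenant tries to administer policies."""


@dataclass
class Domain:
    """A domain 5: one tenant 51, its resources 55, policies 53 and user assignments."""
    name: str
    tenant: str                                      # tenant identified by account name (assumption)
    resources: set = field(default_factory=set)
    policies: dict = field(default_factory=dict)     # policy name -> Policy
    assignments: dict = field(default_factory=dict)  # account -> set of policy names


class AuthorizationManager:
    """Authorization management module 52: tenant-only administration of one domain."""
    def __init__(self, domain):
        self.domain = domain

    def _require_tenant(self, actor):
        if actor != self.domain.tenant:
            raise NotAuthorized(f"{actor} is not the tenant of {self.domain.name}")

    def set_policy(self, actor, policy):
        """Create or change a policy; it may only name resources of this domain."""
        self._require_tenant(actor)
        outside = policy.resources - self.domain.resources
        if outside:
            raise ValueError(f"policy names resources outside {self.domain.name}: {sorted(outside)}")
        self.domain.policies[policy.name] = policy

    def remove_policy(self, actor, name):
        """Remove a policy and every assignment of it, within this domain only."""
        self._require_tenant(actor)
        self.domain.policies.pop(name, None)
        for assigned in self.domain.assignments.values():
            assigned.discard(name)

    def assign(self, actor, account, name):
        """Assign an existing policy to a general user 54."""
        self._require_tenant(actor)
        if name not in self.domain.policies:
            raise KeyError(name)
        self.domain.assignments.setdefault(account, set()).add(name)

    def may_use_domain(self, account):
        """The tenant always may; a general user only while some policy is assigned."""
        return account == self.domain.tenant or bool(self.domain.assignments.get(account))

    def may_access(self, account, resource):
        """Resource access flows only from assigned policies (or tenant status)."""
        if account == self.domain.tenant:
            return resource in self.domain.resources
        names = self.domain.assignments.get(account, set())
        return any(resource in self.domain.policies[n].resources for n in names)


def demo():
    """Constructed scenario: two domains, each with its own tenant and policies."""
    shop = Domain("shop", tenant="alice", resources={"orders", "reports"})
    wiki = Domain("wiki", tenant="bob", resources={"pages"})
    shop_mgr, wiki_mgr = AuthorizationManager(shop), AuthorizationManager(wiki)
    shop_mgr.set_policy("alice", Policy("clerk", frozenset({"orders"})))
    shop_mgr.assign("alice", "carol", "clerk")
    wiki_mgr.set_policy("bob", Policy("editor", frozenset({"pages"})))
    out = {
        "carol_uses_shop": shop_mgr.may_use_domain("carol"),       # True, via "clerk"
        "carol_orders": shop_mgr.may_access("carol", "orders"),    # True
        "carol_reports": shop_mgr.may_access("carol", "reports"),  # False: not in "clerk"
        "carol_uses_wiki": wiki_mgr.may_use_domain("carol"),       # False: nothing assigned there
    }
    try:  # a general user may not administer policies
        shop_mgr.set_policy("carol", Policy("admin", frozenset({"reports"})))
        out["carol_manages"] = True
    except NotAuthorized:
        out["carol_manages"] = False
    try:  # a policy may not reach into another domain's resources
        shop_mgr.set_policy("alice", Policy("leak", frozenset({"pages"})))
        out["cross_domain_policy"] = True
    except ValueError:
        out["cross_domain_policy"] = False
    shop_mgr.remove_policy("alice", "clerk")                     # a change in shop ...
    out["carol_after_remove"] = shop_mgr.may_use_domain("carol")  # False
    out["wiki_unaffected"] = "editor" in wiki.policies            # ... leaves wiki untouched: True
    return out


if __name__ == "__main__":
    print(demo())
```

The check a practitioner would want is the one in `set_policy`: a policy is rejected if it names a resource outside its own domain, which is what keeps the "adjustments do not affect other domains" property from depending on tenant discipline alone.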

Referring to Fig. 4, a schematic diagram of the second embodiment of the multi-tenant management system of the present invention, this embodiment differs from the first in the tenant authentication endpoint 6 and the public tenant area 7; only the differences are described below and the common parts are not repeated.

The public tenant area 7 is the relay point through which the tenant of each domain 5 passes before entering the domain 5 it belongs to; the public tenant area 7 also provides the logical service.

The tenant authentication endpoint 6 provides the authentication mechanism by which the tenants of the domains 5 enter the public tenant area 7.

Referring to Fig. 5, a schematic diagram of the second embodiment of the authentication management device 2 of the present invention, this embodiment differs from the first in the area pass module 24; only the differences are described below and the common parts are not repeated.

The area pass module 24 sends an area pass to a tenant 51 who has passed authentication at the tenant authentication endpoint 6, wherein the area pass allows the tenant 51 to enter the public tenant area 7 or lets the tenant 51 exchange it at the domain pass module 23 for a domain pass that grants entry to the domain 5 the tenant 51 belongs to.

When the authentication association module 22 receives the input data of a user 1, it determines from the account in the input data whether the user 1 is a general user 54 or a tenant 51. If the user 1 is a general user 54, it finds the associated authentication endpoint 4 according to the input data and sends the input data through the adapter 3 to that endpoint for its authentication mechanism; if the user 1 is a tenant 51, it sends the input data through the adapter 3 to the tenant authentication endpoint 6 for its authentication mechanism.

Referring to Fig. 6, a flowchart of the steps of the first embodiment of the multi-tenant management method of the present invention, the method comprises the following steps.

In step S61, the user's input data is received: the authentication association module 22 receives the input data of user 1.

In step S62, the associated authentication endpoint 4 is found according to the input data: the authentication association module 22 finds in the authentication settings database 21 the settings entry associated with the domain 5 in the input data, so that the authentication endpoint 4 referred to in that entry is the associated authentication endpoint 4.

In step S63, the input data is sent to the associated authentication endpoint for authentication: the authentication association module 22 sends the input data through the adapter 3 to the authentication endpoint 4 associated with it.

In step S64, after the input data passes authentication at the associated authentication endpoint 4, a domain pass is sent to the user 1 who passed that authentication: the domain pass module 23 sends the domain pass to that user 1.

In step S65, user 1 enters the domain 5 corresponding to the domain pass on the basis of that pass, and the permission policy 53 that applies to user 1 in that domain 5 is obtained, so that user 1 operates the functions and resources 55 of the domain 5 in accordance with the permission policy 53.

Referring to Fig. 7, a flowchart of the steps of the second embodiment of the multi-tenant management method of the present invention, the method comprises the following steps.

In step S71, the input data of user 1 is received: the authentication association module 22 of the multi-tenant management system receives the input data of each user 1.

In step S72, it is determined whether a public tenant area 7 exists; if not, execution proceeds from step S62; if so, step S73 follows.

In one embodiment, step S72 has the authentication association module 22 determine whether the multi-tenant management system has a public tenant area.

In step S73, it is determined whether user 1 is a tenant; if not, execution proceeds from step S62; if so, the input data is sent to the tenant authentication endpoint 6 for authentication.

In one embodiment, step S73 has the authentication association module 22 determine from the account in the input data whether the user 1 entering it is a general user 54 or a tenant 51, and when user 1 is a tenant 51, send the input data through the adapter 3 to the tenant authentication endpoint 6 for its authentication mechanism.

In step S74, after the input data passes authentication at the tenant authentication endpoint 6, an area pass is sent to the tenant 51 who passed that authentication.

In one embodiment, after the input data passes authentication at the tenant authentication endpoint 6, the tenant authentication endpoint 6 sends a success message to the authentication association module 22, whereupon the authentication association module 22 directs the area pass module 24 to send an area pass to the tenant 51 who passed authentication at the tenant authentication endpoint 6.

In step S75, the tenant 51 exchanges the area pass for a domain pass that grants entry to the domain the tenant belongs to: the tenant 51 presents the area pass to the domain pass module 23 and receives in exchange a domain pass for the domain 5 the tenant 51 belongs to.

In one embodiment, step S75 further comprises, before the tenant 51 exchanges the area pass for the domain pass to its domain 5, letting the tenant 51 enter the public tenant area 7 on the basis of the area pass; while in the public tenant area 7, the tenant 51 can at any time present the area pass to the domain pass module 23 and receive in exchange a domain pass for the domain 5 it belongs to.

In step S76, the tenant 51 enters the domain 5 it belongs to on the basis of the domain pass, so that the tenant 51 can, through the authorization management module 52 and the permission policies 53, manage the functions, resources 55 and general users 54 of that domain 5.
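The two method flows of Figs. 6 and 7 (S61 to S65 for a general user, S71 to S76 for a tenant) in one added Python example; this is illustrative code, not the patent's or the assignee's own. It assumes that each authentication endpoint is reachable through the adapter as a callable taking an account and a credential, that the authentication settings database is a mapping from domain to endpoint name, that tenants are recorded in a mapping from account to the domain they manage, and that domain passes and area passes are HMAC-signed tokens carrying a kind, a subject, a scope and an expiry. The endpoint mechanisms, credentials and signing key in `demo()` are constructed. What it makes concrete is the scoping the description relies on: a domain pass is bound to one domain and admits its holder nowhere else, an area pass is not accepted as a domain pass, and the exchange of step S75 can only yield a pass for the tenant's own domain.

```python
"""Authentication management flow of Figs. 6 and 7 (added example, not the patent's own code)."""
import base64, hashlib, hmac, json, time
from dataclasses import dataclass

AREA_SCOPE = "public-tenant-area"  # scope carried by area passes (assumption)


@dataclass
class InputData:
    """Input data as the description lists it: URL, domain 5 and account/credential."""
    url: str
    domain: str
    account: str
    secret: str


class Adapter:
    """Adapter 3: one call shape for every authentication mechanism (assumption)."""
    def __init__(self, mechanisms):
        self.mechanisms = mechanisms  # endpoint name -> callable(account, secret) -> bool

    def authenticate(self, endpoint, data):
        return bool(self.mechanisms[endpoint](data.account, data.secret))


class PassIssuer:
    """Domain pass module 23 / area pass module 24 as HMAC-signed scoped tokens (assumption)."""
    def __init__(self, key):
        self.key = key

    def issue(self, kind, subject, scope, ttl=300):
        claims = {"kind": kind, "sub": subject, "scope": scope, "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, mac))

    def verify(self, token, kind, scope):
        """Return the claims only if MAC, kind, scope and expiry all check out."""
        try:
            b64_body, b64_mac = token.split(".")
            body, mac = base64.urlsafe_b64decode(b64_body), base64.urlsafe_b64decode(b64_mac)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None
        claims = json.loads(body)
        if claims["kind"] != kind or claims["scope"] != scope or claims["exp"] < time.time():
            return None
        return claims


class AuthenticationManager:
    """Authentication management device 2: association module 22 plus pass modules 23 and 24."""
    def __init__(self, settings, adapter, issuer, tenants, tenant_endpoint=None):
        self.settings = settings                # database 21: domain -> endpoint name
        self.adapter = adapter
        self.issuer = issuer
        self.tenants = tenants                  # account -> domain it manages (assumption)
        self.tenant_endpoint = tenant_endpoint  # None: no public tenant area, S72 answers "no"

    def login(self, data):
        """S61-S64 / S71-S74: returns (pass kind, token), or None when authentication fails."""
        if self.tenant_endpoint is not None and data.account in self.tenants:      # S72, S73
            if self.adapter.authenticate(self.tenant_endpoint, data):              # endpoint 6
                return "area", self.issuer.issue("area", data.account, AREA_SCOPE)  # S74
            return None
        endpoint = self.settings.get(data.domain)                                   # S62
        if endpoint is not None and self.adapter.authenticate(endpoint, data):     # S63
            return "domain", self.issuer.issue("domain", data.account, data.domain)  # S64
        return None

    def exchange(self, area_token):
        """S75: an area pass buys a domain pass for the tenant's own domain and nothing else."""
        claims = self.issuer.verify(area_token, "area", AREA_SCOPE)
        own_domain = self.tenants.get(claims["sub"]) if claims else None
        return None if own_domain is None else self.issuer.issue("domain", claims["sub"], own_domain)

    def enter(self, domain, token):
        """S65 / S76: a domain admits only a domain pass scoped to that very domain."""
        return self.issuer.verify(token, "domain", domain) is not None


def demo():
    """Constructed scenario: two domains with different mechanisms plus a tenant endpoint."""
    shop_pw, wiki_pin, tenant_pw = {"carol": "s3cret"}, {"dave": "4242"}, {"alice": "tenant-pw"}
    adapter = Adapter({  # three distinct mechanisms behind one adapter interface
        "shop-auth": lambda acct, sec: hmac.compare_digest(shop_pw.get(acct, ""), sec),
        "wiki-auth": lambda acct, sec: hmac.compare_digest(wiki_pin.get(acct, ""), sec),
        "tenant-auth": lambda acct, sec: hmac.compare_digest(tenant_pw.get(acct, ""), sec),
    })
    mgr = AuthenticationManager({"shop": "shop-auth", "wiki": "wiki-auth"}, adapter,
                                PassIssuer(b"constructed-demo-key"), {"alice": "shop"}, "tenant-auth")
    out = {}
    kind, tok = mgr.login(InputData("https://example.test/shop", "shop", "carol", "s3cret"))
    out["carol_kind"], out["carol_shop"], out["carol_wiki"] = kind, mgr.enter("shop", tok), mgr.enter("wiki", tok)
    out["wrong_secret"] = mgr.login(InputData("https://example.test/shop", "shop", "carol", "nope"))
    kind, area = mgr.login(InputData("https://example.test/", "", "alice", "tenant-pw"))
    out["alice_kind"], out["area_at_shop"] = kind, mgr.enter("shop", area)
    dom = mgr.exchange(area)
    out["alice_shop"], out["alice_wiki"] = mgr.enter("shop", dom), mgr.enter("wiki", dom)
    out["tampered"] = mgr.exchange("A" + area[1:])  # body altered, so the MAC no longer matches
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the pass kind is checked separately from the scope, so an area pass cannot be replayed at a domain even though both are signed with the same key, and `exchange` derives the target domain from the tenant registry rather than from anything the caller supplies, which is what keeps step S75 from becoming a way to obtain a pass for another tenant's domain.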

上述本發明之多租戶管理之系統與方法之第一實施例係為私有雲端運算系統的多租戶認證授權管理架構,而本發明之多租戶管理之系統與方法之第二實施例係為公有雲端運算系統的多租戶認證授權管理架構,該第二實施例透過租戶認證端6公共租戶區戶7集結各領域5之租戶51使用同一種認證來源的租戶認證端6,進而使各領域5之租戶51能使用公有雲營運商的認證來源(即租戶認證端6)驗證身份。 The first embodiment of the above multi-tenant management system and method of the present invention is a multi-tenant authentication and authorization management architecture of a private cloud computing system, and the second embodiment of the multi-tenant management system and method of the present invention is a public cloud The multi-tenant authentication and authorization management architecture of the computing system. In this second embodiment, the tenant authentication terminal 6 through the tenant authentication terminal 6 and the common tenant area user 7 gathers tenants 51 in various fields 5 to use the same tenant authentication terminal 6 from the same authentication source, thereby enabling tenants in various fields 5 51 can use the public cloud operator's authentication source (that is, tenant authentication terminal 6) to verify its identity.

於一實施例中,本發明之多租戶管理之系統與方法之第一及二實施例中的各模組(如認證管理裝置2及領域5中的模組)係為應用程式,且本發明之第一及二實施例的多租戶管理之系統係為雲端伺服器,其中,該雲端伺服器的儲存裝置係儲存各該模組的應用程式,以供該雲端伺服器的處理器執行各該模組中的應用程式,但不以此為限。 In an embodiment, each module in the first and second embodiments of the multi-tenant management system and method of the present invention (such as the authentication management device 2 and the module in the field 5) is an application program, and the present invention The multi-tenant management system of the first and second embodiments is a cloud server, wherein the storage device of the cloud server stores the application programs of each module for the processor of the cloud server to execute each The application in the module, but not limited to this.

由上述可得知,本發明透過認證設定資料的設定,提供各個領域之間具有不同的使用者之認證端,可整合企業 既有的多種認證方式,進而解決傳統系統平台之使用者的認證僅能介接與信任單一認證端的舊有技術架構問題。 As can be seen from the above, the present invention provides authentication terminals with different users in various fields through the setting of authentication setting data, which can integrate enterprises The existing multiple authentication methods can solve the problem of the old technical architecture that the authentication of users of traditional system platforms can only interface and trust a single authentication terminal.

The above embodiments serve to illustrate the principles and effects of the present invention, not to limit it. Anyone skilled in the art may modify the above embodiments without departing from the spirit and scope of the present invention. The scope of protection of the present invention should therefore be as set out in the claims below.

1‧‧‧user

2‧‧‧authentication management device

3‧‧‧adapter

4‧‧‧authentication terminal

5‧‧‧domain

Claims (7)

1. A multi-tenant management system, comprising: a plurality of domains, each domain providing a dedicated logical service, the logical service being the logical service of a website; a public tenant area, which is a relay point for the tenants of each domain before they enter the domain to which they belong; a plurality of authentication terminals, each providing an authentication mechanism for entering a respective domain, wherein each authentication terminal corresponds to a different domain and each authentication terminal has a different authentication mechanism; a tenant authentication terminal, providing the authentication mechanism by which the tenants of the domains enter the public tenant area; and an authentication management device, comprising: an authentication association module, which receives input data from a user, finds the associated authentication terminal or the tenant authentication terminal according to the input data, and transmits the input data to the associated authentication terminal or the tenant authentication terminal for authentication, wherein the user is either a general user having the right to use a domain or a tenant having the right to manage a domain; a domain pass module, which transmits a domain pass to a general user who has passed the authentication of the associated authentication terminal, wherein the domain pass allows the general user to enter the domain corresponding to the associated authentication terminal; and an area pass module, which transmits an area pass to a tenant who has passed the authentication of the tenant authentication terminal, wherein the area pass allows the tenant to enter the public tenant area or lets the tenant exchange it with the domain pass module for a domain pass permitting entry to the domain to which the tenant belongs; wherein, upon receiving the input data from the user, the authentication association module further determines whether the user who entered the input data is a general user or a tenant; when the user who entered the input data is a general user, the authentication association module finds the associated authentication terminal according to the input data and transmits the input data to the associated authentication terminal to perform the authentication mechanism, and when the user who entered the input data is a tenant, the authentication association module transmits the input data to the tenant authentication terminal to perform the authentication mechanism.

2. The system of claim 1, further comprising an adapter interposed between the authentication management device and each of the authentication terminals, for transmitting the input data to the associated authentication terminal for authentication, wherein, when the authentication passes, the adapter notifies the authentication association module that the authentication succeeded.

3. The system of claim 1, wherein the input data includes the domain, and the authentication management device further comprises an authentication setting database storing authentication setting data, the authentication setting data including the domain and the authentication terminal corresponding to the domain, so that the authentication association module can find the authentication setting data associated with the domain in the input data, whereby the authentication terminal indicated in that associated authentication setting data is taken as the associated authentication terminal.

4. A multi-tenant management method, comprising the following steps: (1) receiving input data from a user; (2) determining whether a public tenant area exists, and if not, proceeding from step (3); (3) finding the associated authentication terminal according to the input data; (4) transmitting the input data to the associated authentication terminal for authentication; (5) after the input data has passed the authentication of the associated authentication terminal, transmitting a domain pass to the user who passed the authentication of the associated authentication terminal; and (6) letting the user enter the domain corresponding to the domain pass on the basis of the domain pass.

5. The method of claim 4, wherein the input data includes the domain, and step (3) finds, among the authentication setting data, the authentication setting data associated with the domain in the input data, so that the authentication terminal indicated in that associated authentication setting data is taken as the associated authentication terminal.

6. The method of claim 4, wherein the user is either a general user having the right to use the domain or a tenant having the right to manage the domain, and when it is determined that the public tenant area exists, the following steps are performed: (2-1) determining whether the user is a tenant; if not, proceeding from step (3); if so, transmitting the input data to a tenant authentication terminal for authentication; (2-2) after the input data has passed the authentication of the tenant authentication terminal, transmitting an area pass to the tenant who passed the authentication of the tenant authentication terminal; (2-3) letting the tenant exchange the area pass for a domain pass permitting entry to the domain to which the tenant belongs; and (2-4) letting the tenant enter the domain to which the tenant belongs on the basis of the domain pass.

7. The method of claim 6, wherein step (2-3) further comprises, before the area pass is exchanged for the domain pass permitting entry to the domain to which the tenant belongs, letting the tenant enter a public tenant area on the basis of the area pass.
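The routing that claims 1 to 6 describe, as an added example that is not part of the patent: a small Python model of the authentication management device, covering the per-domain lookup of the authentication terminal, the separate tenant path through the public tenant area, and the exchange of an area pass for a domain pass. The class and field names, the `role` flag in the input data, the `tenant_domains` ownership table and the callables standing in for the adapters and terminals are all assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Pass:
    kind: str     # "domain" (enter one domain) or "area" (enter the public tenant area)
    subject: str  # user or tenant the pass was issued to
    scope: str    # domain name, or "public-tenant-area"
    token: str    # unguessable identifier; the device only honours tokens it issued

class AuthManager:  # hypothetical model of the authentication management device
    def __init__(self, auth_settings, authenticators, tenant_auth, tenant_domains,
                 has_public_tenant_area=True):
        self.auth_settings = auth_settings    # domain -> authenticator name (claim 3)
        self.authenticators = authenticators  # name -> callable(input_data) -> bool (adapters)
        self.tenant_auth = tenant_auth        # tenant authentication terminal, same signature
        self.tenant_domains = tenant_domains  # tenant -> set of domains it manages (assumed)
        self.has_public_tenant_area = has_public_tenant_area
        self.issued = {}                      # token -> Pass

    def _issue(self, kind, subject, scope):
        p = Pass(kind, subject, scope, secrets.token_urlsafe(32))
        self.issued[p.token] = p
        return p

    def authenticate(self, input_data):
        """Steps (1)-(5) and (2-1)-(2-2): route the input data, return a pass or None."""
        user, domain = input_data["user"], input_data["domain"]
        # Step (2)/(2-1): tenants are routed separately only when a public tenant area exists.
        if self.has_public_tenant_area and input_data.get("role") == "tenant":
            return self._issue("area", user, "public-tenant-area") if self.tenant_auth(input_data) else None
        # Step (3): the terminal is chosen by the domain named in the input data; an unknown
        # domain is denied rather than falling back to any default terminal.
        name = self.auth_settings.get(domain)
        if name is None or not self.authenticators[name](input_data):
            return None
        return self._issue("domain", user, domain)  # step (5)

    def exchange(self, area_pass, domain):
        """Step (2-3): trade an area pass for a domain pass, only for a domain the tenant manages."""
        if self.issued.get(area_pass.token) != area_pass or area_pass.kind != "area":
            return None
        if domain not in self.tenant_domains.get(area_pass.subject, set()):
            return None
        return self._issue("domain", area_pass.subject, domain)

    def enter(self, p, domain):
        """Step (6)/(2-4): a pass opens exactly the domain it was issued for, nothing else."""
        return self.issued.get(p.token) == p and p.kind == "domain" and p.scope == domain
```

Looking every pass up on use is what stops an area pass from being presented at a domain, and the exchange step additionally checks that the tenant manages the domain it asks for.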
TW107140395A 2018-11-14 2018-11-14 System for providing multi-authentication management in a multi-tenant environment and method thereof TWI696932B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107140395A TWI696932B (en) 2018-11-14 2018-11-14 System for providing multi-authentication management in a multi-tenant environment and method thereof


Publications (2)

Publication Number Publication Date
TW202018559A TW202018559A (en) 2020-05-16
TWI696932B true TWI696932B (en) 2020-06-21

Family

ID=71895768


Country Status (1)

Country Link
TW (1) TWI696932B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1485746A (en) * 2002-09-27 2004-03-31 鸿富锦精密工业(深圳)有限公司 Management system and method for user safety authority limit
US20070036289A1 (en) * 2005-07-27 2007-02-15 Fu Guo K Voice authentication system and method using a removable voice id card
CN102546529A (en) * 2010-12-14 2012-07-04 许德武 Control server used for voice domain names and voice search
TW201327440A (en) * 2011-12-16 2013-07-01 Chih-Wen Cheng Cloud-computing based digital rights products commercial platform and digital rights management method
CN104283875A (en) * 2014-09-28 2015-01-14 深圳市中科无软件有限公司 Cloud disk authority management method
