WO2023029138A1 - Login method, electronic device and computer-readable storage medium - Google Patents


Info

Publication number
WO2023029138A1
Authority
WO
WIPO (PCT)
Prior art keywords
login
user
vpn
server
service
Application number
PCT/CN2021/121317
Other languages
French (fr)
Chinese (zh)
Inventor
林俊洪
Original Assignee
网宿科技股份有限公司
Application filed by 网宿科技股份有限公司 (Wangsu Science & Technology Co., Ltd.)
Publication of WO2023029138A1

Classifications

    • H04L63/0815: Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network security > H04L63/08 Authentication of entities)
    • H04L63/0281: Proxies (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network security > H04L63/02 Separating internal from external traffic, e.g. firewalls)

Definitions

  • The present application relates to the technical field of network security, in particular to a login method, an electronic device and a computer-readable storage medium.
  • To establish that a user is legitimate, the network service provider (the VPN provider) verifies the user's identity, and the business system on the intranet also verifies the user's identity independently.
  • The embodiments of the present application provide a login method, an electronic device and a computer-readable storage medium with which the user logs in to the VPN service and the service server at the same time by entering the account and password of the service server only once, simplifying the login process, reducing the error rate and improving the user experience.
  • In a first aspect, the embodiments provide a login method applied to a login management server deployed in the public network.
  • The method includes: after determining that the user is a legitimate user of the service server, obtaining the user's identity identifier through the service server, the login management server and the service server communicating over the VPN network; determining, based on the identity identifier, whether the user is a legitimate user of the VPN service so as to generate a login response, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser of the terminal device; and sending the login response to the terminal device.
  • Obtaining the user's identity identifier through the service server includes: receiving a login page request sent by the user through the browser, the login page request requesting login to the service server and the VPN service; sending a redirection response to the terminal device so that the browser sends the login page request to the service server according to the redirection response and submits login information on the login page returned by the service server, so that the service server can confirm whether the user is legitimate; receiving from the browser an adaptation page request carrying a login success parameter; sending the browser a data stream for displaying an adaptation page, so that the browser displays the adaptation page; and requesting the user's identity identifier from the service server according to the login success parameter.
  • Determining, based on the user's identity identifier, whether the user is a legitimate user of the VPN service so as to generate the login response includes either: verifying the identity identifier against locally stored legitimate user information and generating the login response from the verification result; or sending a trust request carrying the identity identifier to a VPN server deployed in the public network that provides the VPN service, receiving a trust response from the VPN server, and generating the login response according to the trust response.
  • Sending the login response to the terminal device includes: when the trust response carries a token for the user, sending the browser a login response for displaying a login success page, the token indicating that the user is a legitimate user of the VPN service.
  • In a second aspect, the embodiments provide a login method applied to a VPN server deployed in the public network. The method includes: receiving a trust request from a login management server deployed in the public network, the trust request carrying the user's identity identifier and being sent by the login management server after it has determined that the user is a legitimate user of the service server; verifying the user based on the identity identifier to obtain a legality verification result indicating whether the user is a legitimate user of the VPN service; and sending a trust response carrying the legality verification result to the login management server.
  • The method further includes: when the legality verification result indicates that the user is a legitimate user of the VPN service, generating a token for the user and carrying the token in the trust response.
  • After sending the trust response, the method further includes: receiving an authentication request sent by the terminal device through the VPN client application, the authentication request carrying the token; verifying whether the token is legal to obtain a feedback result indicating whether the user has successfully logged in to the service server and the VPN service through the VPN client application; and sending the feedback result to the VPN client application of the terminal device.
  • Verifying whether the token is legal includes: checking whether the token was generated by this VPN server and whether the token's state is normal; if both hold, generating a feedback result indicating that the token is legal; otherwise, generating a feedback result indicating that the token is invalid.
  • After sending the feedback result, the method further includes: if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, establishing a VPN tunnel with the VPN client application, so that service requests sent by the user through the VPN client application are received through the VPN tunnel.
  • In a third aspect, the embodiments provide a login method applied to a service server deployed on an intranet. The method includes: receiving a login page request sent by a user through the browser of a terminal device, the login page request being generated and sent by the browser according to a redirection response from the login management server; sending the terminal device a data stream for displaying the login page; receiving the login information submitted by the terminal device on the login page; verifying the legality of the user according to the login information; and, if the user is a legitimate user of the service server, sending the terminal device a redirection response carrying a login success parameter, the redirection response instructing the browser to send an adaptation page request carrying the login success parameter to the login management server.
  • In a fourth aspect, the embodiments provide a login method applied to a terminal device. The method includes: obtaining, through a browser, a data stream for displaying a login page and displaying the login page, the login page being used to log in to a service server and a VPN service; sending login information to the service server based on the login page; receiving from the service server a redirection response carrying a login success parameter; sending, through the browser, an adaptation page request carrying the login success parameter to the login management server; receiving from the login management server a data stream for displaying an adaptation page and displaying it; and receiving from the login management server a login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser.
  • The embodiments also provide an electronic device including a processor, a memory, and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the electronic device implements the method of the first, second, third or fourth aspect or of any of their possible implementations.
  • The embodiments also provide a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method of the first, second, third or fourth aspect or of any of their possible implementations.
  • The embodiments also provide a computer program product including a computer program which, when executed by a processor, implements the method of the first, second or third aspect or of any of their possible implementations.
  • In the login method provided by the embodiments, after the login management server determines that the user is a legitimate user of the service server, it obtains the user's identity identifier through the service server and sends a trust request carrying the identity identifier to the VPN server that provides the VPN service in the public network.
  • The VPN server verifies the legality of the user according to the identity identifier and sends a trust response carrying the legality verification result to the login management server.
  • The login management server then sends a login response to the user's terminal device according to the trust response; the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser.
  • Through this interaction between the login management server, the service server and the VPN server, the user only needs to enter the account and password of the service server once to log in to the VPN service and the service server at the same time, which simplifies the login process, reduces the error rate and improves the user experience.
  • The login information is managed independently by the service server, which does not need to synchronize user login information to the VPN server, so the customer's internal data stays inside the customer's own system.
  • FIG. 1 is a schematic diagram of an implementation environment of the login method provided by an embodiment of the present application;
  • FIG. 2 is a flow chart of the login method provided by an embodiment of the present application;
  • FIG. 3 is a schematic diagram of the interface changes on the terminal device in the login method provided by an embodiment of the present application;
  • FIG. 4 is a schematic diagram of the token authentication process in the login method provided by an embodiment of the present application;
  • FIG. 5 is a schematic diagram of the process of the login method provided by an embodiment of the present application;
  • FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • In existing deployments the VPN system and the business system manage their own account systems independently.
  • When a user logs in to the VPN service, the user-authentication module of the VPN system authenticates the user; only after authentication passes can the user use the VPN service. The VPN client application may be an Android client application, an iOS client application, a Windows PC client application, and the like.
  • After a user in the public network has logged in to the VPN system and accesses a business system in the intranet through the VPN service, the business system also needs to verify the legality of the user's identity. The user therefore enters login information twice: the first time for authentication by the VPN system, the second time for authentication by the business system.
  • In the access process, the user first enters authentication information such as the account and password of the VPN service to log in to the VPN server. After successfully logging in to the VPN service, the user enters a home page listing the company's business systems and selects the business system to access. For example, when accessing the OA system, a login page pops up asking the user to enter the authentication information of the OA system.
  • To this end, the embodiments of the present application provide a login method, an electronic device and a computer-readable storage medium in which user login requests are received and processed by a login management server, so that the user only needs to enter the login information of the service server once to log in to the VPN service and the service server at the same time, which simplifies the login process, reduces the error rate and improves the user experience.
  • FIG. 1 is a schematic diagram of an implementation environment of the login method provided by an embodiment of the present application.
  • The implementation environment includes: a login management server 11 deployed in the public network, a Virtual Private Network (VPN) server 12 deployed in the public network, a service server 13 deployed in an intranet (such as the customer's local area network), and the user's terminal device 14.
  • The login management server 11 and the VPN server 12 are connected through a network, and the login management server 11 and the service server 13 communicate over the VPN network.
  • The VPN network can be built on software-defined wide area network (SD-WAN) technology, with the VPN server 12 deployed on a node server at a point of presence (POP) of the network service provider.
  • The login management server 11 is a service application deployed in the public network by the network service provider to receive and process user login requests.
  • The VPN server 12 is a service application deployed in the public network by the network service provider to provide the VPN service; in practice there may be many VPN servers 12. The VPN service may include forwarding the user's intranet requests to the requested intranet server through the VPN tunnel.
  • The service server 13 is, for example, the server of a single sign-on (SSO) system, that is, the customer has already implemented single sign-on for its business services on the basis of an SSO service.
  • When the service server 13 is the server of an SSO system, the user can log in to the VPN service and the SSO server at the same time by entering the account and password of the SSO system once, and can then directly access, on the strength of the SSO login state, business systems such as the Office Automation (OA) system, mail system, attendance system, performance system, and so on.
  • Alternatively, the service server 13 may be the server of an OA system, a mail system, or the like; the user then logs in to the VPN service and, for example, the OA server at the same time by entering the account and password of the OA system once, and can then access the OA system.
  • In every case, the user logs in to the VPN service and the service server at the same time by entering the account and password of the business system once.
  • After the login management server 11 has determined that the user is a legitimate user of the business system, it further verifies whether the user is a legitimate user of the VPN service: it obtains the user's identity identifier from the service server 13, and whether the user is a legitimate user of the VPN service can be verified on the basis of that identity identifier.
  • The login management server 11 also provides the VPN server 12 with information on the service server the user has logged in to, so that the VPN server can decide whether to provide the VPN service for the user's requests on the basis of the received service server information.
  • The terminal device 14 is, for example, a mobile phone, tablet computer or personal computer running Android, a Microsoft operating system, Symbian, Linux or Apple iOS.
  • A browser and a VPN client application, such as an Android client application, an iOS client application or a Windows PC client application, are installed on the terminal device 14.
  • FIG. 2 is a flow chart of the login method provided by an embodiment of the present application. The embodiment is described from the perspective of the interaction between the login management server, the VPN server, the service server and the terminal device, and includes the following steps.
  • Step 201: the login management server determines that the user is a legitimate user of the service server.
  • Step 202: the login management server obtains the user's identity identifier through the service server, the login management server communicating with the service server over the VPN network.
  • The login method can be applied to the scenario where the user logs in through the VPN client application, shown in FIG. 3, and also to the scenario where the user logs in directly from the browser, that is, opens the login page directly in the browser.
  • FIG. 3 is a schematic diagram of the interface changes on the terminal device in the login method provided by an embodiment of the present application.
  • When the VPN client application is opened, its user interface displays two buttons, joint login and common login. Common login is the mode in which login information is entered at least twice; joint login is the mode provided by this embodiment.
  • When the user selects joint login, the VPN client application automatically invokes the browser, and the terminal device requests the login page from the login management server through the browser.
  • The login management server redirects the browser to the service server, for example by replying to the browser with a 302 redirect, so that the browser obtains the data stream for displaying the login page from the service server and displays the login page.
  • In the browser scenario, the user enters the address of the login management server directly in the browser; after receiving the access request, the login management server likewise replies with a 302 response to redirect the browser to the service server.
  • Because the service server is deployed in the intranet and the user's browser must request the login page from it, the service server needs a public network IP.
  • To protect the intranet, the service server can be configured in advance so that it responds only to login page requests sent to that public IP and refuses to respond to any other request.
  • In addition, the redirection response the login management server sends to the browser can carry a dynamically generated verification parameter that the service server checks: if the verification passes, the request is served; otherwise it is discarded.
  • The login information includes a login account and password, and may also include a verification code, an enterprise logo, and the like.
  • The login account and password are maintained independently by the service server. They are registered when the user logs in to the service server for the first time, or the login account may be assigned to employees by the enterprise.
  • The service server collects and stores the login information (except the verification code), identity identifier and other related information of legitimate users; alternatively, this user information can be managed by the enterprise and sent to the service server.
  • The identity identifier is the information the enterprise uses to identify the user, such as the user's mobile phone number, ID card number or employee number; its exact form can be set according to the circumstances of the enterprise customer, and the present application is not limited in this respect.
  • After the login management server redirects the browser to the service server, the service server provides the login page to the browser.
  • The user enters and submits login information such as the account and password on the login page. The service server verifies whether the user is legitimate according to the submitted login information, sends feedback to the terminal device and, at the same time, redirects the browser to the login management server, so that the browser reports to the login management server whether the user is a legitimate user of the service server.
  • Specifically, the service server compares the stored legitimate user information with the login information submitted by the user; if the stored information contains the submitted login information, the user is determined to be a legitimate user of the service server. The service server can also check the verification code submitted by the user to further ensure that the operator is legitimate.
  • The service server redirects the browser to the login management server, for example by replying to the browser with a 302 response, and carries the login success parameter in the 302 response. The browser then sends the login management server an adaptation page request carrying the login success parameter.
  • The login management server obtains the user's identity identifier from the service server according to the login success parameter.
  • The login success parameter includes the service server information and the user login identifier: the service server information indicates the address of the service server that performed the legality verification, such as its intranet IP, and the user login identifier is a unique identifier generated by the service server for this login record.
  • After receiving the login success parameter, the login management server parses it to obtain the service server information and the user login identifier, and requests, over the VPN network, the identity identifier corresponding to the user login identifier from the service server indicated by the service server information.
  • After receiving the request from the login management server, the service server determines the user's identity identifier from the user login identifier and returns it to the login management server over the VPN network. Because this data exchange between the login management server and the service server is transmitted over the VPN network, the transmission is protected, information leakage is prevented and the user information of the enterprise customer is kept secure; the browser only ever carries the login identifier, not the identity identifier itself.
  • If the user is not a legitimate user of the service server, the service server triggers the browser to pop up a prompt message telling the user that the login failed, that joint login is not possible, and the like.
  • In the example above, the joint login and common login buttons are displayed together on the user interface of the VPN client application, but the embodiment is not limited to this. In other feasible implementations only a joint login button is displayed, that is, the VPN client application provides only the login method described in this embodiment; the VPN client application then invokes the browser to request the login page from the login management server without requiring the user to choose the joint login mode.
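The Step 202 exchange described above (login page request, 302 redirect to the service server carrying a dynamically generated verification parameter, login served only on the service server's public IP, 302 back to the login management server with the login success parameter, and the identity lookup over the VPN network), as an added example in Python. This is not code from the patent or from 网宿科技股份有限公司. The patent does not say how the verification parameter is generated or checked, so the example assumes an HMAC-signed nonce over a key shared by the login management server and the service server; it also assumes the user login identifier is single-use and valid for 60 seconds, and the host addresses, account and identity identifier are constructed sample data.

```python
# Added example, not the patent's code: the joint-login redirect exchange between
# browser, login management server (LMS) and service server. Assumed here: the
# verification parameter is an HMAC-signed nonce over a key shared by LMS and
# service server, and the user login identifier is single-use and valid for 60 s.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Response:
    status: int
    location: str = ""   # Location header of a 302 redirect
    body: str = ""       # stands in for the page data stream


def sign_param(key: bytes, nonce: str, ts: int) -> str:
    """Verification parameter 'nonce.timestamp.hmac' that the service server can check."""
    msg = f"{nonce}.{ts}".encode()
    return f"{nonce}.{ts}." + hmac.new(key, msg, hashlib.sha256).hexdigest()


def parse_redirect(location: str):
    u = urlparse(location)   # host and flattened query, as the browser follows a 302
    return u.hostname, {k: v[0] for k, v in parse_qs(u.query).items()}


class ServiceServer:
    """Intranet business server: owns accounts and identity identifiers, serves the
    login page only on its public IP, answers identity lookups only over the VPN."""

    def __init__(self, public_ip: str, intranet_ip: str, lms_key: bytes):
        self.public_ip, self.intranet_ip, self.lms_key = public_ip, intranet_ip, lms_key
        self.accounts = {}        # account -> (password, identity identifier)
        self.seen_params = set()  # verification parameters already used for a submission
        self.pending = {}         # user login identifier -> (identity, issued_at)

    def _param_ok(self, param: str, consume: bool) -> bool:
        try:
            nonce, ts, _sig = param.split(".")
            expected = sign_param(self.lms_key, nonce, int(ts))
        except ValueError:
            return False
        fresh = time.time() - int(ts) <= 120 and param not in self.seen_params
        if not hmac.compare_digest(expected, param) or not fresh:
            return False                                  # forged, stale or replayed
        if consume:
            self.seen_params.add(param)
        return True

    def login_page(self, host: str, param: str) -> Response:
        if host != self.public_ip or not self._param_ok(param, consume=False):
            return Response(404)                          # refuse anything else
        return Response(200, body="<login page>")

    def submit_login(self, host: str, param: str, account: str, password: str) -> Response:
        if host != self.public_ip or not self._param_ok(param, consume=True):
            return Response(404)                          # one submission per redirect
        rec = self.accounts.get(account)
        if rec is None or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return Response(401, body="login failed")     # browser shows the failure prompt
        login_id = secrets.token_urlsafe(16)              # unique ID for this login record
        self.pending[login_id] = (rec[1], time.time())
        query = urlencode({"server": self.intranet_ip, "login_id": login_id})
        return Response(302, location="https://lms.example/adapt?" + query)

    def identity_for(self, login_id: str):
        entry = self.pending.pop(login_id, None)          # answered over the VPN, single-use
        if entry is None or time.time() - entry[1] > 60:
            return None
        return entry[0]


class LoginManagementServer:
    def __init__(self, key: bytes, service_login_url: str):
        self.key, self.service_login_url = key, service_login_url
        self.vpn_peers = {}       # intranet IP -> ServiceServer reachable over the VPN

    def login_page_request(self) -> Response:
        param = sign_param(self.key, secrets.token_hex(8), int(time.time()))
        return Response(302, location=f"{self.service_login_url}?{urlencode({'v': param})}")

    def adaptation_page_request(self, location: str):
        _host, q = parse_redirect(location)               # login success parameter
        peer = self.vpn_peers.get(q.get("server", ""))
        return None if peer is None else peer.identity_for(q.get("login_id", ""))


def browser_joint_login(lms, svc, account, password):
    host, q = parse_redirect(lms.login_page_request().location)   # 302 to service server
    if svc.login_page(host, q["v"]).status != 200:
        return None
    done = svc.submit_login(host, q["v"], account, password)
    if done.status != 302:
        return None
    return lms.adaptation_page_request(done.location)              # 302 back to the LMS


def build_demo():
    key = secrets.token_bytes(32)   # shared by LMS and service server (assumption)
    lms = LoginManagementServer(key, "https://203.0.113.10/login")
    svc = ServiceServer("203.0.113.10", "10.0.0.5", key)
    svc.accounts["alice"] = ("correct horse battery", "EMP-0042")   # constructed sample
    lms.vpn_peers["10.0.0.5"] = svc
    return lms, svc
```

`build_demo()` followed by `browser_joint_login(lms, svc, "alice", "correct horse battery")` returns the identity identifier the login management server obtained over the VPN call, while a wrong password, a request on the intranet address, a parameter signed with another key, a second submission with the same parameter or a second redemption of the login identifier each fail. The identity identifier appears only on the server-to-server call; the browser sees the opaque login identifier and the service server address.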
  • Step 203: the login management server determines, based on the user's identity identifier, whether the user is a legitimate user of the VPN service so as to generate a login response; the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser of the terminal device.
  • After determining that the user is a legitimate user of the service server, the login management server interacts with the service server to obtain the user's identity identifier. Afterwards, either the login management server itself determines from the identity identifier whether the user is a legitimate user of the VPN service, or it sends the identity identifier to the VPN server that provides the VPN service for the user and the VPN server makes that determination.
  • Step 204: the login management server sends the login response to the user's terminal device.
  • If the user is a legitimate user of the VPN service, the login response is a data stream for generating a login success page and indicates that the user has successfully logged in to the service server and the VPN service through the browser. If the user is not a legitimate user of the VPN service, the login response is a data stream for generating a login failure page and indicates that the login to the service server and the VPN service through the browser did not succeed.
  • In summary, after determining that the user is a legitimate user of the service server, the login management server obtains the user's identity identifier through the service server, determines from that identifier whether the user is a legitimate user of the VPN service, generates the login response and sends it to the terminal device; the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser.
  • Through the interaction between the login management server, the service server and the VPN server, the user only needs to enter the login information of the service server once to log in to the VPN service and the service server at the same time, simplifying the login process and reducing the error rate.
  • The login information is managed independently by the service server, which does not need to synchronize user login information to the VPN server, so the customer's internal data stays within the customer's system.
  • The login management server or the VPN server can verify the user's legality directly from the identity identifier, so neither needs to maintain a separate set of user login accounts, which reduces the processing burden.
  • In one implementation, the login management server verifies the user's identity identifier against legitimate user information and generates the login response from the verification result.
  • The legitimate user information may be provided in advance by the enterprise customer that purchases the VPN service to the VPN service provider (that is, the network service provider), which stores it on its own servers, such as the login management server, the VPN server, or another server or cluster used to manage legitimate user information.
  • Legitimate user information may include the user's identity identifier, access rights and other related information, where access rights are the user's rights to access the VPN service. When the legitimate user information changes, the enterprise customer provides the changed information to the VPN service provider so that the stored legitimate user information can be updated.
  • With locally stored legitimate user information, the login management server checks the identity identifier obtained from the service server against it to determine whether the corresponding user has the right to access the VPN service. The login management server may also send the identity identifier to another server that stores the legitimate user information and request that server to verify whether the user has the right to access the VPN service.
  • In another implementation, after the login management server has determined that the user is a legitimate user of the service server and obtained the identity identifier through the service server, it sends the identity identifier to the VPN server in a trust request.
  • After receiving the trust request, the VPN server compares the identity identifier in the trust request with the locally stored legitimate user information: if the identity identifier is present, the user is a legitimate user of the VPN service; if it is not, the user is not a legitimate user of the VPN service.
  • The trust request sent by the login management server is transmitted over the VPN network deployed between the VPN server and the login management server.
  • The login management server may additionally encrypt the identity identifier carried in the trust request using an encryption method negotiated in advance with the VPN server, to further prevent leakage of user information; the VPN server then decrypts the identity identifier before using it.
  • the login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser. Since the browser and the VPN client application are two different programs, to improve security in the scenario where the user logs in through the VPN client application, login verification on the VPN client application side must also be completed. For this reason, after the login management server or the VPN server determines that the user is a legitimate user of the VPN service, a token can be generated for the token authentication flow shown in FIG. 4.
  • FIG. 4 is a schematic diagram of the token authentication process in the login method provided by an embodiment of the present application. This example includes:
  • Step 401 the VPN server receives a trust request from the login management server.
  • the trust request carries the identity of the user.
  • step 402 the VPN server verifies the legality of the user based on the identity to obtain a legality verification result.
  • the validity verification result is used to indicate whether the user is a legal user of the VPN service.
  • Step 403 the VPN server generates a token for the user.
  • when the VPN server finds that the user is a legitimate user of the VPN service, it generates a token for the user; the token is later used to verify the legitimacy of the VPN client application.
  • Step 404 the VPN server sends a trust response carrying the token to the login management server.
  • Step 405 the login management server sends a login response carrying the token to the terminal device.
  • the login management server sends the token in the login response to the browser of the terminal device.
  • Step 406 the browser of the terminal device displays a login success page.
  • Step 407 the browser of the terminal device uses the login success page to activate the VPN client application, and sends the token to the VPN client application.
  • the browser activates the VPN client application by, for example, running a script on the login success page.
  • the terminal device displays the login success page through the browser.
  • the script on the login success page runs automatically after the page has been displayed for a preset duration, which activates the VPN client.
  • the preset duration is, for example, 3 seconds or 4 seconds; it is not limited here.
  • alternatively, the terminal device displays the login success page through the browser and the user clicks the close button on the page, which triggers the script and activates the VPN client.
  • Step 408 the VPN client application sends an authentication request carrying the token to the VPN server providing the VPN service.
  • the address of the VPN server providing the VPN service may be pre-configured in the VPN client application. After the browser activates the VPN client application, the application automatically sends an authentication request carrying the received token to that VPN server.
  • alternatively, the address of the VPN server may be selected by the login management server according to a proximity principle or a load-balancing policy and delivered to the terminal device.
  • Step 409 the VPN server verifies the authentication request to obtain a feedback result.
  • the VPN server itself verifies the token carried in the authentication request.
  • after generating a token, the VPN server stores it.
  • the VPN server verifies the token carried in the authentication request against the stored tokens to obtain a feedback result.
  • the feedback result indicates whether the user has successfully logged in to the service server and the VPN service through the VPN client application.
  • in the embodiment above the VPN server verifies the user's legitimacy; in the embodiment where the login management server verifies the user's legitimacy directly, the login management server can also generate the token.
  • after the login management server generates a token, it passes the token to the user's VPN client application in the same way as above, and also sends the token to the VPN server, so that the VPN server can verify the authentication request it later receives from the VPN client application.
  • in that case, the user's legitimacy verification and the generation and delivery of the token are all implemented by the login management server, and the VPN server only needs to verify the VPN client application against the token it received from the login management server, which reduces the processing load on the VPN server and preserves processing resources for the VPN service.
  • the authentication request may also carry no token.
  • in that case the VPN server directly determines that the VPN client application is illegitimate, that is, the user has failed to log in to the service server and the VPN service through the VPN client application.
  • the VPN server verifies the token carried in the authentication request to confirm the legitimacy of the VPN client application, thereby completing the user's login through the VPN client application.
  • the VPN server stores each token together with a state that is set based on its validity period or other information. For example, when a token's validity period has expired, the token is set to the invalid state; when the VPN server receives a notification from the VPN client application that the user has expired, it sets the token to the invalid state; and if the VPN service has expired, the token is set to the invalid state.
  • the token generated and stored by the VPN server is referred to as the first token, and the token carried in the authentication request is referred to as the second token.
  • the VPN client application sends an authentication request carrying the second token to the VPN server, and the VPN server verifies it against the previously generated and stored first tokens.
  • if the VPN server finds, among the stored first tokens, one identical to the second token, it determines that the second token was generated by the VPN server and then checks whether the second token's state is normal. If the state is normal, the VPN server generates a feedback result indicating that the second token is legitimate. If the second token was not generated by the VPN server, or its state is abnormal (for example, invalid), the VPN server generates a feedback result indicating that the second token is illegitimate.
  • Step 410 the VPN server sends the feedback result to the VPN client application of the terminal device.
  • the VPN server determines whether to provide the VPN service to the VPN client application based on the feedback result. Specifically, if the feedback result indicates that the user has successfully logged in to the service server and the VPN service through the VPN client application, step 411 is executed.
  • Step 411 the VPN server establishes a VPN tunnel with the VPN client application.
  • the VPN server responds normally to the VPN tunnel establishment request sent by the VPN client application, establishing a VPN tunnel between the VPN client application and the VPN server.
  • the VPN tunnel is used to transmit the service requests the user sends through the VPN client application to the service server, or to other service servers connected to the service server.
  • after the VPN server receives a service request from the VPN tunnel, it forwards the service request to the service server.
  • the service requests sent by the user to the service server include the service requests for all services that access the SSO system server.
  • if the feedback result indicates that the login failed, the VPN server refuses to establish a VPN tunnel with the VPN client application and thus refuses to receive the user's intranet access requests.
  • the VPN client application on the terminal device pops up a prompt informing the user that the login failed, and the VPN server refuses to establish a VPN tunnel with the VPN client application.
  • in this embodiment, the VPN client application is invoked automatically and its legitimacy is confirmed based on the token, which determines whether the user has successfully logged in to the service server and the VPN service through the VPN client application. Throughout the process, switching between the VPN client application and the browser happens automatically, without manual switching by the user, so the operation is simple and the user experience good: the user enters login information only once and can log in to both the VPN service and the service server through the VPN client application.
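The token issuance and verification described for FIG. 4 (steps 401 to 410), as an added example that is not part of the patent: a minimal VPN server in Python that issues a token on a trust request for a legitimate user, stores it as a first token with a state and validity period, and checks the second token carried in a VPN client authentication request, including the no-token, unknown-token, expired and invalidated cases. The user list, the 300-second default validity period, the choice of a random token rather than one derived from the identity, and the record layout are assumptions for illustration; the patent does not specify them.

```python
"""Token issuance and verification at the VPN server (FIG. 4, steps 401 to 410)."""
import secrets
import time

STATE_NORMAL = "normal"
STATE_INVALID = "invalid"


class VpnServer:
    """Minimal VPN server holding legitimate-user info and issued ('first') tokens."""

    def __init__(self, legitimate_users, token_ttl_seconds=300, clock=time.time):
        self.legitimate_users = set(legitimate_users)  # identities with VPN access (constructed)
        self.tokens = {}          # first tokens: token -> {"identity", "expires_at", "state"}
        self.ttl = token_ttl_seconds
        self.clock = clock        # injectable so expiry can be exercised without sleeping

    def handle_trust_request(self, identity):
        """Steps 401-404: verify the identity sent by the login management server, issue a token."""
        if identity not in self.legitimate_users:
            return {"legal": False, "token": None}
        # Assumption: a random token bound to the identity. The patent only says a token is
        # generated for the user; an unpredictable value is what makes the step 408 check useful.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {
            "identity": identity,
            "expires_at": self.clock() + self.ttl,
            "state": STATE_NORMAL,
        }
        return {"legal": True, "token": token}

    def invalidate_user(self, identity):
        """State change: notification that the user (or the VPN service) has expired."""
        for record in self.tokens.values():
            if record["identity"] == identity:
                record["state"] = STATE_INVALID

    def handle_auth_request(self, auth_request):
        """Steps 408-410: verify the second token against the stored first tokens."""
        second_token = auth_request.get("token")
        if not second_token:
            # No token at all: the client is judged illegitimate without further checks.
            return {"ok": False, "reason": "no token in authentication request"}
        record = self.tokens.get(second_token)
        if record is None:
            return {"ok": False, "reason": "token not generated by this VPN server"}
        if record["state"] != STATE_NORMAL:
            return {"ok": False, "reason": "token state abnormal"}
        if self.clock() >= record["expires_at"]:
            record["state"] = STATE_INVALID      # expired tokens are marked invalid
            return {"ok": False, "reason": "token expired"}
        # Feedback result: legitimate; step 411 (tunnel establishment) may proceed.
        return {"ok": True, "identity": record["identity"]}


if __name__ == "__main__":
    server = VpnServer(["alice"])
    trust = server.handle_trust_request("alice")
    print(server.handle_auth_request({"token": trust["token"]}))
    print(server.handle_auth_request({}))
```

The state check runs before the expiry check, so a token that was already marked invalid is reported as abnormal rather than expired; the order only affects the reason string, not the accept/reject decision.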
  • Fig. 5 is a schematic diagram of the process of the login method provided by the embodiment of the present application. Please refer to Fig. 5, the present embodiment includes:
  • Step 501 the terminal device detects the user's click operation on the VPN client application and determines that the user has selected the joint login mode.
  • for example, the user opens the VPN client application on the desktop of the terminal device and clicks on its user interface to select the unified (joint) login mode.
  • for details, refer to the description of FIG. 3, which is not repeated here.
  • Step 502 the terminal device pops up a browser.
  • the VPN client application responds to the joint login mode operation selected by the user, automatically invokes the browser, and designates it to access the login management server, and the login management server is deployed in the public network.
  • Step 503 the browser sends a login page request to the login management server, and the login page request is used to request to log in to the service server and VPN service.
  • Step 504 the browser receives a redirection response from the login management server.
  • the login management server sends a redirection response to the browser, for example an HTTP 302 redirect, which provides the browser with the access address of the service server and redirects the browser to the service server.
  • Step 505 the browser sends the login page request to the service server according to the redirection response.
  • the browser sends a login page request to the service server based on the received 302 redirection, that is, the above-mentioned redirection response.
  • Step 506 the browser receives the data stream for displaying the login page from the service server and displays the login page.
  • the service server feeds back the data flow to the browser after receiving the login page request.
  • the browser receives the data stream, it renders and displays the login page.
  • Step 507 the browser acquires the login information input by the user on the login page.
  • the user enters login information such as the account, password, enterprise ID and verification code on the login page.
  • Step 508 the browser submits the login information to the service server.
  • Step 509 the service server performs legality verification on the user according to the login information.
  • if the user is a legitimate user of the service server, step 510 is performed; if not, the service server triggers the browser to display a prompt informing the user that the login failed.
  • Step 510 the service server sends a redirection response carrying parameters of successful login to the browser.
  • the service server sends a 302 redirect to the browser, that is, a redirection response carrying a successful login parameter, thereby redirecting the browser to the login management server.
  • Step 511 the browser sends an adaptation page request carrying the login success parameter to the login management server.
  • after receiving the 302 redirect in step 510, the browser sends an adaptation page request to the login management server carrying the received login success parameter.
  • the login success parameter includes the user login ID generated by the service server for the current user login, which uniquely identifies the user login record.
  • Step 512 the browser receives the data stream for displaying the adaptation page from the login management server and displays the adaptation page.
  • the browser displays "authentication in progress” and the like.
  • Step 513 the login management server acquires the user's identity from the service server.
  • the login management server acquires the user's identity from the service server according to the login success parameter, and the identity includes the user name and the like.
  • Step 514 for a legitimate user of the service server, the login management server and the VPN server perform mutual trust authentication.
  • after the login management server obtains the user's identity from the service server, it treats the user as a legitimate user of the service server but still cannot determine whether the user is a legitimate user of the VPN service. Therefore, for a legitimate user of the service server, the login management server further performs mutual trust authentication with the VPN server to determine whether the user is a legitimate user of the VPN service.
  • the VPN server verifies the user's legitimacy according to the user's identity. If the user has VPN authority, i.e., is a legitimate user of the VPN service, the VPN server executes step 515 to generate a token. If the user does not have VPN authority, the VPN server sends a prompt message to the login management server, which forwards it to the terminal device for display, informing the user that the login failed.
  • Step 515 the VPN server generates a token for the user and sends a trust response carrying the token to the login management server, where the token is used to verify the validity of the VPN client application of the terminal device.
  • the VPN server generates a token for this user login and carries it to the login management server in the trust response.
  • the VPN server generates the token based on the user's identity; the token is, for example, a character string generated according to the user's identity. Furthermore, the VPN server sets a validity period for each token, and the token is valid only within that period, to limit the damage if a token is lost. Note that in step 518 the token alone authenticates the VPN client application, so whatever generation method is used, the token must not be predictable by anyone who does not hold it.
  • Step 516 the login management server sends a login response carrying the token to the browser.
  • Step 517 the browser activates the VPN client application based on the successful login page.
  • Step 518 the VPN client application sends an authentication request carrying the token to the VPN server providing the VPN service.
  • the VPN client application receives the token passed by the browser, and automatically carries the token in the authentication request and sends it to the VPN server.
  • after the VPN server receives the authentication request, it verifies the validity of the token and obtains a feedback result indicating whether the VPN client application is legitimate.
  • Step 519 the VPN server sends the feedback result to the VPN client application to complete the login. If the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, the VPN client application can display the login success information and the business service access interface for the user to operate; if the feedback result indicates that the login failed, the VPN client application displays the login failure information to the user and rejects the user's requests or operations on the business access interface.
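The browser redirect sequence of FIG. 5 (steps 502 to 516), as an added example that is not part of the patent: an in-process Python simulation of the login management server, the service server and the browser, with the trust request to the VPN server reduced to a one-line check of the identity against the VPN user list. The URLs, the user records, the use of an opaque random login ID as the login success parameter, and the decision to consume a login ID after one lookup (so a login ID captured from the redirect cannot be reused) are assumptions for illustration; the patent only says the login ID uniquely identifies the login record.

```python
"""Browser-redirect login flow of FIG. 5 (steps 502 to 516), simulated in-process."""
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample data (not from the patent).
SERVICE_USERS = {("alice", "acme"): "correct horse battery staple",
                 ("bob", "acme"): "hunter2"}      # bob can log in but has no VPN authority
VPN_USERS = {"alice"}                              # identities entitled to the VPN service
LOGIN_MGMT_URL = "https://login.example"           # login management server, public network
SERVICE_URL = "https://oa.intranet"                # service server, intranet


class ServiceServer:
    """Intranet service server: verifies login information, issues the login success parameter."""

    def __init__(self):
        self.login_records = {}   # login_id -> identity identifier, one per user login

    def login_page(self):
        return {"status": 200, "body": "<form>login page</form>"}             # step 506

    def submit_login(self, login_info):
        key = (login_info["account"], login_info["enterprise_id"])
        if SERVICE_USERS.get(key) != login_info["password"]:                  # step 509
            return {"status": 200, "body": "login failed"}
        login_id = secrets.token_urlsafe(16)   # opaque login success parameter (assumed format)
        self.login_records[login_id] = login_info["account"]
        return {"status": 302,                                                # step 510
                "location": f"{LOGIN_MGMT_URL}/adapt?{urlencode({'login_id': login_id})}"}

    def identity_for(self, login_id):
        """Step 513: server-to-server lookup (over the VPN network in the patent).
        The record is consumed so a captured login_id cannot be replayed (assumption)."""
        return self.login_records.pop(login_id, None)


def vpn_trust_request(identity):
    """Steps 514-515 reduced to the essential check: a token only for legitimate VPN users."""
    return secrets.token_urlsafe(32) if identity in VPN_USERS else None


class LoginManagementServer:
    def __init__(self, service):
        self.service = service

    def login_page_request(self):
        return {"status": 302, "location": f"{SERVICE_URL}/login"}           # step 504

    def adaptation_page_request(self, query):
        """Steps 511-516: exchange the login success parameter for an identity, then a token."""
        login_id = parse_qs(query).get("login_id", [None])[0]
        identity = self.service.identity_for(login_id) if login_id else None
        if identity is None:
            return {"login_ok": False, "token": None, "page": "login failed"}
        token = vpn_trust_request(identity)
        if token is None:
            return {"login_ok": False, "token": None, "page": "no VPN authority"}
        return {"login_ok": True, "token": token, "page": "login success"}   # step 516


def browser_flow(login_info, service=None, lms=None):
    """Follow the redirects as the browser would and return the final login response."""
    service = service or ServiceServer()
    lms = lms or LoginManagementServer(service)
    r = lms.login_page_request()                                              # steps 503-504
    if r["status"] != 302 or not r["location"].startswith(SERVICE_URL):
        return {"login_ok": False, "token": None, "page": "unexpected redirect"}
    service.login_page()                                                      # steps 505-506
    r = service.submit_login(login_info)                                      # steps 507-510
    if r["status"] != 302:
        return {"login_ok": False, "token": None, "page": r["body"]}
    query = r["location"].split("?", 1)[1]
    return lms.adaptation_page_request(query)                                 # steps 511-516
```

The browser never sees a password for the VPN service and never sees the identity lookup: it only carries the opaque login ID from the service server to the login management server, which is why that ID is generated randomly and consumed on first use in this example.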
  • FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • the electronic device 600 is, for example, one of the above-mentioned login management server, VPN authentication end, VPN server, service server or terminal device, and the electronic device 600 includes a processor 601 and a memory 602;
  • the memory 602 stores computer instructions;
  • the processor 601 executes the computer instructions stored in the memory 602, so that the processor 601 performs the login method implemented by the above login management server, VPN authentication end, VPN server, service server or terminal device.
  • the electronic device 600 further includes a communication component 603.
  • the processor 601, the memory 602 and the communication component 603 may be connected through a bus 604.
  • an embodiment of the present application also provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the login method performed by the above login management server, VPN authentication end, VPN server, service server or terminal device.
  • an embodiment of the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the login method performed by the above login management server, VPN authentication end, VPN server, service server or terminal device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

A login method, an electronic device, and a computer-readable storage medium, which relate to the technical field of cybersecurity. A login management server deployed in a public network: after determining a user to be a valid user of a service server, obtains an identity identifier of the user by means of the service server, and communicates with the service server on the basis of a VPN network; determines, on the basis of the identity identifier of the user, whether the user is a valid user of the VPN service, so as to generate a login response indicating whether the user successfully logs into the service server and the VPN service through a browser of a terminal device; and sends the login response to the terminal device.

Description

Login method, electronic device, and computer-readable storage medium
Cross reference
This application is based on and claims priority to Chinese patent application No. 202111012706.6, filed on August 31, 2021, the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the technical field of network security, and in particular to a login method, an electronic device and a computer-readable storage medium.
Background
With the rapid development of Internet technology, enterprises build internal networks and deploy various business systems on them to improve office efficiency. Common business systems include mail systems and office automation (OA) systems.
Usually, when a user works at the company and wants to access a business system, the user enters the account and password of that system for verification and can access the system only after verification passes. However, users sometimes need to work while travelling or at home. To let public-network users access the systems in the enterprise internal network while keeping that access secure, the virtual private network (VPN) came into being. Considering operating cost and service professionalism, most enterprises purchase a VPN service from a network service provider so that public-network users can access intranet services.
In this scenario, the network service provider verifies the user's identity to determine whether the user is legitimate, and the business system in the intranet also needs to verify the user's identity itself. Consequently, an enterprise user accessing business systems in the intranet over the public network must enter login information at least twice, which is cumbersome, error-prone and gives a poor user experience.
Summary
Embodiments of the present application provide a login method, an electronic device and a computer-readable storage medium, so that a user can log in to both the VPN service and the service server by entering the account and password of the service server only once, which simplifies the login process, reduces the error rate and improves the user experience.
In a first aspect, an embodiment of the present application provides a login method applied to a login management server deployed in a public network, the method comprising: after determining that a user is a legitimate user of a service server, obtaining the user's identity identifier through the service server, where the login management server and the service server communicate over a VPN network; determining, based on the user's identity identifier, whether the user is a legitimate user of the VPN service, so as to generate a login response indicating whether the user has successfully logged in to the service server and the VPN service through a browser of the terminal device; and sending the login response to the terminal device.
In an embodiment, after determining that the user is a legitimate user of the service server, obtaining the user's identity identifier through the service server includes: receiving a login page request sent by the user through the browser, the login page request requesting to log in to the service server and the VPN service; sending a redirection response to the terminal device, so that the browser sends the login page request to the service server according to the redirection response and submits login information based on the login page returned by the service server, so that the service server can confirm whether the user is legitimate; receiving, from the browser, an adaptation page request carrying a login success parameter; and sending to the browser a data stream for displaying an adaptation page, so that the browser displays the adaptation page, and requesting the user's identity identifier from the service server according to the login success parameter.
In an embodiment, determining based on the user's identity identifier whether the user is a legitimate user of the VPN service so as to generate the login response includes: verifying the user's identity identifier against locally stored legitimate user information and generating the login response based on the verification result; or sending a trust request carrying the user's identity identifier to a virtual private network (VPN) server deployed in the public network, the VPN server being used to provide the VPN service, receiving a trust response from the VPN server, and generating the login response according to the trust response.
In an embodiment, sending the login response to the terminal device includes: when the trust response carries a token for the user, sending to the browser a login response that carries the token and is used to display a login success page, the token indicating that the user is a legitimate user of the VPN service.
In a second aspect, an embodiment of the present application provides a login method applied to a virtual private network (VPN) server deployed in a public network, the method comprising: receiving a trust request from a login management server deployed in the public network, the trust request carrying a user's identity identifier and being sent by the login management server after it determines that the user is a legitimate user of a service server; verifying the user's legitimacy based on the identity identifier to obtain a legitimacy verification result indicating whether the user is a legitimate user of the VPN service; and sending a trust response carrying the legitimacy verification result to the login management server.
In an embodiment, the method further includes: when the legitimacy verification result indicates that the user is a legitimate user of the VPN service, generating a token for the user and carrying the token in the trust response.
In an embodiment, after sending the trust response carrying the legitimacy verification result to the login management server, the method further includes: receiving an authentication request sent by the terminal device through a VPN client application, the authentication request carrying the token; verifying whether the token is legitimate to obtain a feedback result indicating whether the user has successfully logged in to the service server and the VPN service through the VPN client application; and sending the feedback result to the VPN client application of the terminal device.
In an embodiment, verifying whether the token is legitimate to obtain the feedback result includes: verifying whether the token was generated by the VPN server and whether the token's state is normal; if the token was generated by the VPN server and its state is normal, generating a feedback result indicating that the token is legitimate; otherwise, generating a feedback result indicating that the token is illegitimate.
In an embodiment, after sending the feedback result to the VPN client application, the method further includes: if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, establishing a VPN tunnel with the VPN client application, so as to receive through the VPN tunnel the service requests sent by the user through the VPN client application.
In a third aspect, an embodiment of the present application provides a login method applied to a service server deployed in an intranet, the method comprising: receiving a login page request sent by a user through a browser on a terminal device, where the login page request is generated and sent by the browser based on a redirection response sent by a login management server; sending to the terminal device a data stream for displaying a login page; receiving login information submitted by the terminal device based on the login page; verifying the user's legitimacy according to the login information; and if the user is a legitimate user of the service server, sending to the terminal device a redirection response carrying a login success parameter, the redirection response instructing the browser of the terminal device to send an adaptation page request carrying the login success parameter to the login management server.
In a fourth aspect, an embodiment of the present application provides a login method applied to a terminal device, the method comprising: obtaining through a browser a data stream for displaying a login page and displaying the login page, the login page being used to log in to a service server and a VPN service; sending login information to the service server based on the login page; receiving from the service server a redirection response carrying a login success parameter; sending through the browser an adaptation page request carrying the login success parameter to the login management server; receiving from the login management server a data stream for displaying an adaptation page and displaying the adaptation page; and receiving a login response from the login management server, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser.
In a fifth aspect, an embodiment of the present application provides an electronic device comprising a processor, a memory and a computer program stored in the memory and executable on the processor, where executing the computer program causes the electronic device to implement the method of the first aspect or any of its possible implementations; or the method of the second aspect or any of its possible implementations; or the method of the third aspect or any of its possible implementations; or the method of the fourth aspect or any of its possible implementations.
In a sixth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method of the first aspect or any of its possible implementations; or the method of the second aspect or any of its possible implementations; or the method of the third aspect or any of its possible implementations; or the method of the fourth aspect or any of its possible implementations.
第七方面,本申请实施例提供一种包含计算程序的计算机程序产品,所述计算机程序被处理器执行时实现如上第一方面或第一方面各种可能的实现方式所述的方法;或者,所述计算机程序被处理器执行时实现如上第二方面或第二方面各种可能的实现方式所述的方法;或者,所述计算机程序被处理器执行时实现如上第三方面或第三方面各种可能的实现方式所述的方法;或者,所述计算机程序被处理器执行时实现如上第四方面或第四方面各种可能的实现方式所述的方法。In the seventh aspect, the embodiments of the present application provide a computer program product including a computer program, and when the computer program is executed by a processor, the method described in the above first aspect or various possible implementation modes of the first aspect is implemented; or, When the computer program is executed by the processor, it realizes the method described in the above second aspect or various possible implementation modes of the second aspect; or, when the computer program is executed by the processor, it realizes the above third aspect or the methods of the third aspect. The method described in one possible implementation manner; or, when the computer program is executed by the processor, implement the method described in the fourth aspect or various possible implementation manners of the fourth aspect.
本申请实施例提供的登录方法、电子设备及计算机可读存储介质,登录管理服务器确定出用户为业务服务器的合法用户后,通过业务服务器获取用户的身份标识,向部署在公网中的VPN服务端发送携带身份标识的信任请求。VPN服务端根据身份标识对用户进行合法性验证并向登录管理服务器发送携带合法性验证结果的信任响应。登录管理服务器根据信任响应,向用户的终端设备发送登录响应,该登录响应用于指示用户是否通过浏览器成功登录业务服务器和VPN服务。采用该种方案,通过登录管理服务器、业务服务器和VPN服务端之间的交互,使得用户只需要输入一次登录业务服务器的账号密码就能够同时登录VPN服务和业务服务器,简化登录过程,降低出错率,提高用户体验。而且,登录信息为业务服务器独立管理,业务服务器无需将用户登录信息同步给VPN服务端,从而保证了客户内部数据的安全性。In the login method, electronic equipment, and computer-readable storage medium provided by the embodiments of the present application, after the login management server determines that the user is a legal user of the service server, the user's identity is obtained through the service server, and the VPN service deployed in the public network is provided. The end sends a trust request carrying an identity. The VPN server verifies the legitimacy of the user according to the identity and sends a trust response carrying the legitimacy verification result to the login management server. The login management server sends a login response to the user's terminal device according to the trust response, and the login response is used to indicate whether the user successfully logs in to the service server and the VPN service through the browser. With this solution, through the interaction between the login management server, business server and VPN server, the user only needs to enter the account password for logging in to the business server once to log in to the VPN service and the business server at the same time, simplifying the login process and reducing the error rate , improve user experience. Moreover, the login information is independently managed by the business server, and the business server does not need to synchronize the user login information to the VPN server, thereby ensuring the security of the customer's internal data.
Description of the drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an implementation environment of the login method provided by an embodiment of the present application;
FIG. 2 is a flow chart of the login method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of the interface changes of the terminal device in the login method provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the token authentication process in the login method provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of the process of the login method provided by an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
In the application scenario where an enterprise customer purchases a VPN service from a network service provider, the VPN system and the business system each manage their own account system separately in order to ensure data security. Thus, before a user logs in to the VPN service through a VPN client, the VPN system authenticates the user with its own built-in user authentication module, and only after authentication passes can the user use the VPN service. The VPN client applications include Android client applications, iOS client applications, Windows PC client applications and the like.
After a user in the public network logs in to the VPN system and accesses a business system in the intranet through the VPN service, the business system likewise needs to verify the legitimacy of the user's identity.
In the above process of logging in to the business system, the login information entered the first time is used for authentication by the VPN system, and the login information entered the second time is used for authentication by the business system. Take a user accessing a business system in the company intranet from the public network as an example. First, the user enters authentication information such as the account and password of the VPN service to log in to the VPN server. After successfully logging in to the VPN service, the user enters the homepage of the company's business systems and selects the business system to access. For example, when accessing the OA system, a login page pops up again asking the user to enter the authentication information of the OA system.
Obviously, the above login process is cumbersome and error-prone, gives a poor user experience, and makes it inconvenient for users to manage their login information.
On this basis, the embodiments of the present application provide a login method, an electronic device and a computer-readable storage medium in which a login management server receives and processes user login requests, so that the user only needs to enter the login information of the service server once to log in to both the VPN service and the service server, which simplifies the login process, reduces the error rate and improves the user experience.
FIG. 1 is a schematic diagram of an implementation environment of the login method provided by an embodiment of the present application. Referring to FIG. 1, the implementation environment includes a login management server 11 deployed in the public network, a virtual private network (VPN) server 12 deployed in the public network, a service server 13 deployed in an intranet (such as the customer's local area network), and a user's terminal device 14. The login management server 11 and the VPN server 12 are connected through a network, and the login management server 11 and the service server 13 communicate over the VPN network. There is at least one VPN server 12, and the VPN server 12 and the service server 13 are connected through a network.
In some embodiments, communication between the login management server 11 and the service server 13, between the login management server 11 and the VPN server 12, and between the VPN server 12 and the service server 13 takes place over the VPN network to ensure the security of data transmission. In some implementations, the VPN network may be built on software-defined wide area network (SD-WAN) technology, with the VPN server 12 deployed on a point-of-presence (POP) node server in the SD-WAN network.
Referring to FIG. 1, the login management server 11 is a service application deployed in the public network by the network service provider for receiving and processing user login requests. The VPN server 12 is a service application deployed in the public network by the network service provider for providing the VPN service. In practical application scenarios there may be many VPN servers 12. The VPN service may include forwarding the user's intranet requests to the requested intranet server through a VPN tunnel.
In one application scenario, the service server 13 is, for example, the server of a single sign-on (SSO) system, that is, the VPN customer has already implemented single sign-on for its business services based on an SSO service. When the service server 13 is the SSO system's server, the user enters the SSO account and password once to log in to both the VPN service and the SSO server, and can then directly access the business systems connected to the SSO system, such as the office automation (OA) system, the mail system, the attendance system and the performance system, based on the SSO system's logged-in state.
In another application scenario, the service server 13 may be the server of an OA system, a mail system or the like. Taking the OA system as an example, the user enters the OA account and password once to log in to both the VPN service and the OA server, and can then access the OA system.
In addition, if a VPN customer has purchased the VPN service for multiple business systems in the intranet and has not yet introduced an SSO system, then for each business system the user enters that system's account and password once to log in to both the VPN service and the service server. After the login management server 11 determines that the user is a legitimate user of the business system, when further verifying whether the user is a legitimate user of the VPN service, it obtains the user's identity identifier from the service server 13 and can verify, based on that identifier, whether the user is a legitimate user of the VPN service. After the verification passes, the login management server 11 provides the VPN server 12 with information about the service server the user has logged in to, so that the VPN server can decide, based on the received service server information, whether to provide the VPN service for the user's requests.
The terminal device 14 is, for example, an electronic device such as a mobile phone, tablet computer or personal computer running the Android operating system, a Microsoft operating system, the Symbian operating system, a Linux operating system or Apple's iOS operating system. A browser and a VPN client application, such as an Android client application, an iOS client application or a Windows PC client application, are installed on the terminal device 14.
FIG. 2 is a flow chart of the login method provided by an embodiment of the present application. This embodiment is described from the perspective of the interaction between the login management server, the VPN server, the service server and the terminal device. This embodiment includes:
Step 201: the login management server determines that the user is a legitimate user of the service server.
Step 202: the login management server obtains the user's identity identifier through the service server; the login management server and the service server communicate over the VPN network.
It is worth noting that the login method provided by the embodiments of the present application is applicable both to the scenario where the user logs in through the VPN client application, as shown in FIG. 3, and to the scenario where the user logs in directly from a browser, that is, the user accesses the login page directly through the browser.
FIG. 3 is a schematic diagram of the interface changes of the terminal device in the login method provided by an embodiment of the present application. Referring to FIG. 3, the user taps the VPN client application on the desktop of the electronic device to open it. The user interface of the VPN client application displays two buttons, joint login and ordinary login. Ordinary login is the login mode in which login information is entered at least twice; joint login is the login mode provided by the embodiments of the present application.
The user clicks the joint login button, selecting the login mode provided by the embodiments of the present application. The VPN client application then automatically launches the browser. The terminal device requests the login page from the login management server through the browser. The login management server redirects the browser to the service server, for example by replying to the browser with a 302 redirect, so that the browser obtains the data stream for displaying the login page from the service server and displays the login page.
It will be understood that, in the scenario where the user logs in directly from the browser, the access address of the login management server can be entered directly in the browser; after receiving the access request, the login management server redirects the browser to the service server, for example by replying to the user's browser with a 302 response.
It is worth noting that, since the service server is deployed in the intranet and the user's browser needs to request the login page from it, the service server must provide a public IP. In the implementation provided by the present application, to protect the intranet service server, the service server can be configured in advance to respond only to login page requests sent to that public IP and to refuse all other requests. Further, when the login management server sends the redirection to the browser, it can carry a dynamically generated verification parameter for the service server to verify and recognize: if the verification passes, the request is served; otherwise it is discarded.
After the browser displays the login page, the user enters login information on the login page by voice, touch or other means and sends it to the service server. The login information includes a login account and password, and may also include a verification code, an enterprise identifier and the like. The login account and password are maintained independently by the service server; generally they are generated when the user registers on first logging in to the service server, and for enterprise users the login account can also be assigned to employees by the enterprise.
The service server can collect and store legitimate users' login information (except verification codes), identity identifiers and other related information during user registration; the user information can also be managed centrally by the enterprise and delivered to the service server. The identity identifier is the information the enterprise uses to identify the user, such as the user's mobile phone number, ID card number or employee number; its specific form can be set according to the actual situation of the enterprise customer, and the present invention is not limited in this respect.
When the user requests, through the browser, to log in to the service server and the VPN service, the login management server redirects the browser to the service server, and the service server provides the login page to the user's browser. The user then enters login information such as the account and password on the login page and submits it; the service server verifies, based on the submitted login information, whether the user is a legitimate user, returns the result to the terminal device, and at the same time redirects the browser to the login management server. The browser then reports to the login management server whether the user is a legitimate user of the service server.
Specifically, in determining whether the user is a legitimate user of the service server, the service server compares the stored legitimate user information with the login information submitted by the user at login; if the submitted login information exists in the stored information, the user is determined to be a legitimate user of the service server. In addition, the service server can also verify the verification code submitted by the user to further ensure the legitimacy of the operator.
If the user is a legitimate user of the service server, the service server redirects the browser to the login management server, for example by replying to the browser with a 302 response, and carries a login success parameter in the 302 response message. Based on the 302 response message, the browser sends an adaptation page request carrying the login success parameter to the login management server. The login management server obtains the user's identity identifier from the service server according to the login success parameter. In one embodiment, the login success parameter contains service server information and a user login identifier, where the service server information indicates the address, such as an intranet IP, of the service server that verified the user, and the user login identifier is a unique identifier generated by the service server for this login record. After receiving the login success parameter, the login management server can parse it to obtain the service server information and the user login identifier, and then, over the VPN network, request from the service server indicated by the service server information the identity identifier of the user corresponding to the user login identifier. On receiving the request from the login management server, the service server can determine the user's identity identifier based on the user login identifier and send it to the login management server over the VPN network. Because the data exchange between the login management server and the service server thus takes place over the VPN network, the security of data transmission is ensured, information leakage is prevented, and the security of the enterprise customer's user information is guaranteed.
If the user is not a legitimate user of the service server, the service server causes the browser to display a prompt indicating that the login failed, that joint login is not possible, or the like.
It should be noted that although in FIG. 3 above the user interface of the VPN client application displays both the joint login and ordinary login buttons, the embodiments of the present application are not limited to this. In other feasible implementations, the user interface of the VPN client application displays only the joint login button, that is, the VPN client application provides only the login method described in the embodiments of the present application. In that case, after the user taps the VPN client application on the desktop of the electronic device and requests to log in, the VPN client application launches the browser to request the login page from the login management server, without the user having to choose the joint login mode.
Step 203: determine, based on the user's identity identifier, whether the user is a legitimate user of the VPN service, so as to generate a login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser of the terminal device.
Exemplarily, after the login management server determines that the user is a legitimate user of the service server, it interacts with the service server to obtain the user's identity identifier. The login management server then either determines itself, based on the identity identifier, whether the user is a legitimate user of the VPN service, or sends the identity identifier to the VPN server that provides the VPN service for the user, and the VPN server determines whether the user is a legitimate user of the VPN service.
Step 204: the login management server sends the login response to the user's terminal device.
Exemplarily, if the user is a legitimate user of the VPN service, the login response is a data stream for generating a login success page and indicates that the user has successfully logged in to the service server and the VPN service through the browser. If the user is not a legitimate user of the VPN service, the login response is a data stream for generating a login failure page and indicates that the user has failed to log in to the service server and the VPN service through the browser.
If the login succeeds, the user can access the service server through the VPN service.
In the login method provided by the embodiments of the present application, after the login management server determines that the user is a legitimate user of the service server, it obtains the user's identity identifier through the service server, determines based on the identity identifier whether the user is a legitimate user of the VPN service, and generates a login response and sends it to the terminal device. The login response indicates whether the user has successfully logged in to the service server and the VPN service through the browser.
With this scheme, through the interaction between the login management server, the service server and the VPN server, the user only needs to enter the login information of the service server once to log in to both the VPN service and the service server, which simplifies the login process, reduces the error rate and improves the user experience. Moreover, the login information is managed independently by the service server, which does not need to synchronize user login information to the VPN server, so the security of the customer's internal data is guaranteed. The login management server or the VPN server can verify the user's legitimacy directly on the basis of the identity identifier and no longer needs to maintain a separate set of user login accounts, which reduces the processing load.
Optionally, in step 203 of FIG. 2 above, the login management server verifies the user's identity identifier against the legitimate user information and generates the login response based on the verification result.
Specifically, the legitimate user information may be provided in advance by the enterprise customer that purchases the VPN service to the VPN service provider (i.e. the network service provider), and the VPN service provider may store it on its own servers, for example on the login management server, the VPN server, or another server or cluster used to manage legitimate user information. The legitimate user information may include user identity identifiers, access rights and other related information, where access rights refer to the user's rights to access the VPN service. It will be understood that when the legitimate user information changes, the enterprise customer can provide the changes to the VPN service provider so that the stored legitimate user information is updated.
On this basis, when the legitimate user information is stored on the login management server, the login management server can verify the user identity identifier obtained from the service server against the locally stored legitimate user information to determine whether the user corresponding to that identifier has the right to access the VPN service.
In another implementation, the login management server may also send the user identity identifier to another server that stores the legitimate user information, requesting it to verify whether the user has the right to access the VPN service.
In one example, after the login management server determines that the user is a legitimate user of the service server and obtains the user's identity identifier through the service server, it sends the identity identifier to the VPN server in a trust request. After receiving the trust request, the VPN server compares the identity identifier in the trust request with the locally stored legitimate user information; if the identifier exists in the legitimate user information, the user is determined to be a legitimate user of the VPN service, and if it does not, the user is determined not to be a legitimate user of the VPN service.
It is worth noting that, to ensure the security of data transmission, the trust request sent by the login management server must be transmitted over the VPN network deployed between the VPN server and the login management server. Moreover, the login management server can encrypt the user identity identifier carried in the trust request using an encryption method pre-negotiated with the VPN server, to further prevent leakage of user information; correspondingly, the VPN server must first decrypt the encrypted user identity identifier on receiving it.
Optionally, in the above embodiments, the login response is used to indicate whether the user has successfully logged in to the business server and the VPN service through the browser. Since the browser and the VPN client application are two different programs, in order to improve security, in the scenario where the user logs in through the VPN client application, login verification on the VPN client application side needs to be completed as a further step. To this end, after the login management server or the VPN server determines that the user is a legitimate user of the VPN service, it may generate a token for the authentication in the verification flow shown in FIG. 4.
By way of example, refer to FIG. 4, which is a schematic diagram of the token authentication process in the login method provided by an embodiment of the present application. This embodiment includes:
Step 401, the VPN server receives a trust request from the login management server. The trust request carries the identity of the user.
Step 402, the VPN server verifies the legitimacy of the user based on the identity to obtain a legitimacy verification result. The legitimacy verification result is used to indicate whether the user is a legitimate user of the VPN service.
Step 403, the VPN server generates a token for the user.
By way of example, after the VPN server finds that the user is a legitimate user of the VPN service, it generates a token for that user; the token is used to verify the legitimacy of the VPN client application.
Step 404, the VPN server sends a trust response carrying the token to the login management server.
Step 405, the login management server sends a login response carrying the token to the terminal device.
By way of example, the login management server carries the token in the login response and sends it to the browser of the terminal device.
Step 406, the browser of the terminal device displays a login success page.
Step 407, the browser of the terminal device uses the login success page to activate the VPN client application, and sends the token to the VPN client application.
In the embodiments of the present application, the browser activates the VPN client application by running a script in the login success page or by similar means. For example, the terminal device displays the login success page through the browser and, after the page has been displayed for a preset duration, automatically runs the script in the login success page to activate the VPN client; the preset duration is, for example, 3 seconds or 4 seconds, and is not limited by the embodiments of the present application.
For another example, the terminal device displays the login success page through the browser, and the user clicks a close button on the login success page, which triggers the script to run and thereby activates the VPN client.
Step 408, the VPN client application sends an authentication request carrying the token to the VPN server that provides the VPN service.
By way of example, the address information of the VPN server that provides the VPN service may be pre-configured in the VPN client application; after the VPN client application is activated by the browser, it automatically sends an authentication request to the VPN service based on the received token. In another example, the address of the VPN server may be selected by the login management server according to a proximity principle or a load balancing policy and delivered to the user.
Step 409, the VPN server verifies the authentication request to obtain a feedback result.
By way of example, the VPN server itself verifies the token carried in the authentication request.
For example, the VPN server generates the token and stores it. When the VPN server receives the authentication request sent by the VPN client application, it verifies the token carried in the authentication request against the stored token to obtain a feedback result. The feedback result is used to indicate whether the user has successfully logged in to the business server and the VPN service through the VPN client application.
In the embodiment shown in FIG. 4, the legitimacy of the user is verified by the VPN server. In the embodiment where the legitimacy of the user is verified directly by the login management server, the operation of generating the token may also be completed by the login management server. After the login management server generates the token, on the one hand it passes the token to the user's VPN client application in the same way as described above, and on the other hand it sends the token to the VPN server, so that the VPN server can verify the token when it receives the token verification request from the VPN client application. In this embodiment, the legitimacy verification of the user and the generation and delivery of the token are all implemented centrally by the login management server, and the VPN server only needs to verify the VPN client application against the received token, which reduces the processing load on the VPN server and preserves the processing resources of the VPN service.
In addition, it is quite possible that the authentication request does not carry a token at all. In that case, the VPN server directly determines that the VPN client application is illegitimate, that is, the user has failed to log in to the business server and the VPN service through the VPN application.
With this solution, the VPN server verifies the token carried in the authentication request, which guarantees the legitimacy of the VPN client application and thereby completes the user's login process through the VPN client application.
Optionally, in the above embodiments, after the login management server or the VPN server generates the token, it may set the state of the token based on its validity period or other information and store the token. For example, if the token has expired, the token is set to the invalid state; if the VPN server receives a notification from the VPN client application that the user has been deactivated, the token is set to the invalid state; for another example, if the VPN service purchased by the user's company has expired, the token is set to the invalid state. Hereinafter, the token generated and stored by the VPN server is referred to as the first token.
Afterwards, the VPN client application sends an authentication request carrying a token to the VPN server, and the VPN server verifies the token carried in the authentication request against the previously generated and stored token. Hereinafter, the previously generated and stored token is referred to as the first token, and the token carried in the authentication request is referred to as the second token. If the VPN server finds, among the plurality of stored first tokens, a token identical to the second token, it determines that the second token is a token generated by the VPN server, and further judges whether the state of the second token is normal. If the state of the second token is normal, the VPN server generates a feedback result indicating that the second token is legitimate. If the second token was not generated by the VPN server or its state is abnormal, for example invalid, the VPN server generates a feedback result indicating that the second token is illegitimate.
With this solution, by further verifying whether the state of the token is normal, the legitimacy of the token can be verified in real time and accurately.
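The VPN server side of the trust request (steps 401 to 404) and of the token check in the authentication request (steps 408 and 409, including the first-token/second-token comparison and the token state above) can be modelled as follows. This is an added illustration, not code from the application; the legitimate-user table, the 300-second validity period, the dictionary message format and the `VpnServer` class name are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass


# Constructed sample of legitimate user information, as an enterprise customer would
# pre-provision it to the VPN service provider: identity -> has VPN access permission.
LEGITIMATE_USERS = {
    "alice": True,
    "bob": False,  # known to the customer but without VPN access permission
}

TOKEN_VALIDITY_SECONDS = 300  # assumed validity period per token


@dataclass
class StoredToken:
    """A first token as kept by the VPN server (step 403)."""
    identity: str
    expires_at: float
    state: str = "normal"  # "normal" or "invalid"


class VpnServer:
    def __init__(self, legitimate_users, now=time.time):
        self._users = dict(legitimate_users)
        self._now = now            # injectable clock, so expiry can be exercised
        self._tokens = {}          # first tokens, keyed by token value

    def handle_trust_request(self, identity):
        """Steps 401-404: compare the identity carried in the trust request with the
        stored legitimate user information and, for a legitimate user, generate a
        first token to return in the trust response."""
        legitimate = self._users.get(identity, False)
        response = {"legitimate": legitimate, "token": None}
        if legitimate:
            token = secrets.token_urlsafe(32)
            self._tokens[token] = StoredToken(
                identity, self._now() + TOKEN_VALIDITY_SECONDS)
            response["token"] = token
        return response

    def invalidate_user(self, identity):
        """Set every first token of a user to the invalid state, e.g. after a
        user-deactivated notification or expiry of the customer's VPN service."""
        for stored in self._tokens.values():
            if stored.identity == identity:
                stored.state = "invalid"

    def handle_auth_request(self, request):
        """Steps 408-409: verify the second token carried in the authentication request.
        Returns the feedback result; 'legal' is True only when the second token matches
        a stored first token whose state is normal and which has not expired."""
        second = request.get("token")
        if not second:
            # A request without a token is rejected outright.
            return {"legal": False, "reason": "no token"}
        first = self._tokens.get(second)
        if first is None:
            return {"legal": False, "reason": "not generated by this server"}
        if first.state != "normal":
            return {"legal": False, "reason": "token state invalid"}
        if self._now() > first.expires_at:
            first.state = "invalid"   # expiry transitions the token to the invalid state
            return {"legal": False, "reason": "token expired"}
        return {"legal": True, "identity": first.identity}


if __name__ == "__main__":
    server = VpnServer(LEGITIMATE_USERS)
    trust = server.handle_trust_request("alice")
    print("trust response:", trust)
    print("auth with token:", server.handle_auth_request({"token": trust["token"]}))
    print("auth without token:", server.handle_auth_request({}))
```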
Step 410, the VPN server sends the feedback result to the VPN client application of the terminal device.
The VPN server determines, based on the feedback result, whether to provide the VPN service to that VPN client application. Specifically, if the feedback result indicates that the user has successfully logged in to the business server and the VPN service through the VPN client application, step 411 is executed.
Step 411, the VPN server establishes a VPN tunnel with the VPN client application.
The VPN server responds normally to the VPN tunnel establishment request issued by the VPN client application, so as to establish a VPN tunnel between the VPN client application and the VPN server. This VPN tunnel will be used to transmit the business requests that the user issues through the VPN client application to the business server; alternatively, the VPN tunnel will be used to transmit the business requests that the user sends through the VPN client application to other business servers that access the business server, and after the VPN server receives a business request from the VPN tunnel, it may send the business request to the business server over the VPN network.
It can be understood that, in the scenario where the business server is an SSO system server, the business requests that the user issues to the business server include the business requests that the user issues for all the business systems that access the SSO system server.
If the feedback result indicates that the user has not successfully logged in to the business server and the VPN service through the VPN client application, the VPN server refuses to establish a VPN tunnel with the VPN client application, and thereby refuses to accept the user's intranet access requests. At the same time, the VPN client application of the terminal device pops up a prompt message informing the user that the login has failed, and the establishment of a VPN tunnel with the VPN client application is refused.
In the above embodiments, after the user successfully logs in to the business server and the VPN service through the browser, the VPN client application is invoked and its legitimacy is confirmed based on the token, so as to determine whether the user has successfully logged in to the business server and the VPN service through the VPN client application. During the whole operation, the switching between the VPN client application and the browser is performed automatically without manual switching by the user, so the operation is simple for the user and the experience is good, and the user only needs to enter the login information once to log in to the VPN service and the business server through the VPN client application.
The complete process of implementing login based on the VPN client application is illustrated below with reference to FIG. 5.
FIG. 5 is a schematic diagram of the process of the login method provided by an embodiment of the present application. Referring to FIG. 5, this embodiment includes:
Step 501, the terminal device recognizes the user's click operation on the VPN client application and determines that the user has selected the joint login mode.
By way of example, the user opens the VPN client application on the desktop of the terminal device and clicks in the user interface of the VPN client application to select the joint login mode. For details, refer to the description of FIG. 3, which is not repeated here.
Step 502, the terminal device pops up a browser.
By way of example, in response to the user's operation of selecting the joint login mode, the VPN client application automatically invokes the browser and directs it to access the login management server, which is deployed in the public network.
Step 503, the browser sends a login page request to the login management server, the login page request being used to request login to the business server and the VPN service.
Step 504, the browser receives a redirection response from the login management server.
By way of example, the login management server sends the redirection response to the browser by replying with an HTTP 302 redirect or the like, thereby providing the browser with the access address of the business server so as to redirect the browser to the business server.
Step 505, the browser sends the login page request to the business server according to the redirection response. By way of example, the browser sends the login page request to the business server based on the received 302 redirect, that is, the redirection response described above.
Step 506, the browser receives, from the business server, a data stream for displaying a login page, and displays the login page.
By way of example, after receiving the login page request, the business server returns the data stream to the browser. After receiving the data stream, the browser renders and displays the login page.
Step 507, the browser obtains the login information entered by the user on the login page.
By way of example, the user enters login information such as an account name, password, enterprise identifier and verification code on the login page.
Step 508, the browser submits the login information to the business server.
Step 509, the business server verifies the legitimacy of the user according to the login information.
By way of example, if the user is a legitimate user of the business server, step 510 is executed; if the user is not a legitimate user of the business server, the business server triggers the browser to display a prompt message informing the user that the login has failed.
Step 510, the business server sends a redirection response carrying a login success parameter to the browser.
By way of example, if the user is a legitimate user of the business server, the business server sends a 302 redirect to the browser, that is, a redirection response carrying the login success parameter, thereby redirecting the browser to the login management server.
Step 511, the browser sends an adaptation page request carrying the login success parameter to the login management server.
After receiving the 302 redirect in step 510, the browser sends an adaptation page request carrying the received login success parameter to the login management server. The login success parameter includes a user login identifier generated by the business server for this user login, which uniquely identifies the user login record.
Step 512, the browser receives, from the login management server, a data stream for displaying an adaptation page, and displays the adaptation page.
By way of example, the browser displays "Authenticating" or the like.
Step 513, the login management server obtains the user's identity from the business server.
By way of example, the login management server obtains the user's identity from the business server according to the login success parameter; the identity includes the user name and the like.
Step 514, for a legitimate user of the business server, the login management server and the VPN server perform mutual trust authentication.
By way of example, after the login management server obtains the user's identity from the business server, it regards the user as a legitimate user of the business server but cannot determine whether the user is a legitimate user of the VPN service. Therefore, for a legitimate user of the business server, the login management server further performs mutual trust authentication with the VPN server to determine whether the user is a legitimate user of the VPN service.
The VPN server verifies the legitimacy of the user according to the user's identity. If the user has VPN permission, that is, the user is a legitimate user of the VPN service, the VPN server executes step 515 to generate a token. If the user does not have VPN permission, the VPN server sends a prompt message to the login management server, which forwards the prompt message to the terminal device to be displayed, thereby informing the user that the login has failed.
Step 515, the VPN server generates a token for the user and sends a trust response carrying the token to the login management server; the token is used to verify the legitimacy of the VPN client application of the terminal device.
By way of example, the VPN server generates a token for this user login and passes it to the login management server in the trust response.
The VPN server generates the token based on the user's identity and other information; the token is, for example, a character string generated from the user identity. Further, the VPN server sets a validity period for each token, and the token is valid only within that period, so as to avoid security problems caused by token loss.
Step 516, the login management server sends a login response carrying the token to the browser.
Step 517, the browser activates the VPN client application based on the login success page.
After the browser displays the login success page, it activates the VPN client application by running the script in the page; the script in the login success page invokes the VPN client application through a browser built-in method and carries the token along, thereby passing the token to the VPN client application. An example of the browser built-in method is as follows: appName://truthLogin?Token=123456.
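On the VPN client side, the activation URL of the form shown above has to be parsed and the token extracted before the authentication request of step 518 can be built. The following is an added example, not code from the application; the scheme name `appName`, the action name `truthLogin` and the dictionary form of the authentication request are taken or assumed from the example URL, and the VPN server address is a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# Taken from the example activation URL on the page; urlsplit() lowercases the scheme.
EXPECTED_SCHEME = "appname"
EXPECTED_ACTION = "truthLogin"


def parse_activation_url(url):
    """Extract the token from an activation URL such as appName://truthLogin?Token=123456.

    Returns None when the URL is not a joint-login activation for this client, or when it
    carries no token: a token-less authentication request is rejected by the VPN server,
    so there is no point sending one."""
    parts = urlsplit(url)
    if parts.scheme != EXPECTED_SCHEME or parts.netloc != EXPECTED_ACTION:
        return None
    # Query keys are matched case-insensitively ("Token" in the page's example).
    for key, values in parse_qs(parts.query).items():
        if key.lower() == "token" and values and values[0]:
            return values[0]
    return None


def build_auth_request(url, vpn_server_address):
    """Step 518: carry the token in the authentication request sent to the VPN server whose
    address is pre-configured in the client. The wire format is not specified by the
    application, so a plain dict stands in for it here (assumption)."""
    token = parse_activation_url(url)
    if token is None:
        return None
    return {"to": vpn_server_address, "token": token}


if __name__ == "__main__":
    # "vpn.example.invalid" is a placeholder for the pre-configured VPN server address.
    print(build_auth_request("appName://truthLogin?Token=123456", "vpn.example.invalid"))
    print(build_auth_request("appName://truthLogin", "vpn.example.invalid"))
```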
Step 518, the VPN client application sends an authentication request carrying the token to the VPN server that provides the VPN service.
By way of example, after the VPN client application is activated, it receives the token passed by the browser and automatically carries the token in an authentication request sent to the VPN server.
After receiving the authentication request, the VPN server verifies the validity of the token to obtain a feedback result, so as to determine whether the VPN client application is legitimate.
Step 519, the VPN server sends the feedback result to the VPN client application to complete the login. If the feedback result indicates that the VPN client application has successfully logged in to the business server and the VPN service, the VPN client application may display login success information and present the business service access interface for the user to operate; if the feedback result indicates that the login has failed, the VPN client application presents login failure information to the user and rejects the user's requests or operations on the business access interface.
FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of the present application. As shown in FIG. 6, the electronic device 600 is, for example, one of the above-mentioned login management server, VPN authentication end, VPN server, business server or terminal device, and the electronic device 600 includes a processor 601 and a memory 602;
the memory 602 stores computer instructions;
the processor 601 executes the computer instructions stored in the memory 602, so that the processor 601 performs the login method implemented by the login management server, VPN authentication end, VPN server, business server or terminal device as described above.
For the specific implementation process of the processor 601, reference may be made to the above method embodiments; the implementation principles and technical effects are similar and are not repeated here.
Optionally, the electronic device 600 further includes a communication component 603. The processor 601, the memory 602 and the communication component 603 may be connected through a bus 604.
An embodiment of the present application further provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the login method implemented by the login management server, VPN authentication end, VPN server, business server or terminal device as described above.
An embodiment of the present application further provides a computer program product comprising a computer program which, when executed by a processor, implements the login method implemented by the login management server, VPN authentication end, VPN server, business server or terminal device as described above.
Other embodiments of the present application will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or customary technical means in the technical field not disclosed in the present application. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the present application being indicated by the following claims.
It should be understood that the present application is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.

Claims (16)

  1. A login method, applied to a login management server deployed in a public network, the method comprising:
    after determining that a user is a legitimate user of a business server, obtaining the identity of the user through the business server, wherein the login management server and the business server communicate over a VPN network;
    determining, based on the identity of the user, whether the user is a legitimate user of a VPN service, so as to generate a login response, the login response being used to indicate whether the user has successfully logged in to the business server and the VPN service through a browser of a terminal device;
    sending the login response to the terminal device.
  2. The method according to claim 1, wherein after determining that the user is a legitimate user of the business server, obtaining the identity of the user through the business server comprises:
    receiving a login page request sent by the user through the browser, the login page request being used to request login to the business server and the VPN service;
    sending a redirection response to the terminal device, so that the browser sends the login page request to the business server according to the redirection response and submits login information based on the login page returned by the business server, for the business server to confirm whether the user is legitimate;
    receiving, from the browser, an adaptation page request carrying a login success parameter;
    sending to the browser a data stream for displaying an adaptation page, so that the browser displays the adaptation page, and requesting the identity of the user from the business server according to the login success parameter.
  3. The method according to claim 1, wherein determining, based on the identity of the user, whether the user is a legitimate user of the VPN service so as to generate the login response comprises:
    verifying the identity of the user against locally stored legitimate user information, and generating the login response based on the verification result; or
    sending a trust request to a virtual private network (VPN) server deployed in the public network, the trust request carrying the identity of the user, the VPN server being used to provide the VPN service; receiving a trust response from the VPN server, and generating the login response according to the trust response.
  4. The method according to claim 3, wherein sending the login response to the terminal device comprises:
    when the trust response carries a token for the user, sending to the browser a login response carrying the token and used for displaying a login success page, the token being used to indicate that the user is a legitimate user of the VPN service.
  5. A login method, applied to a virtual private network (VPN) server deployed in a public network, the method comprising:
    receiving a trust request from a login management server deployed in the public network, the trust request carrying an identity of a user, the trust request being sent by the login management server after it has determined that the user is a legitimate user of a service server;
    performing legitimacy verification on the user based on the identity to obtain a legitimacy verification result, the legitimacy verification result indicating whether the user is a legitimate user of the VPN service; and
    sending a trust response carrying the legitimacy verification result to the login management server.
  6. The method according to claim 5, further comprising:
    when the legitimacy verification result indicates that the user is a legitimate user of the VPN service, generating a token for the user and carrying the token in the trust response.
  7. The method according to claim 6, wherein, after sending the trust response carrying the legitimacy verification result to the login management server, the method further comprises:
    receiving an authentication request sent by a terminal device through a VPN client application, the authentication request carrying the token;
    verifying whether the token is valid to obtain a feedback result, the feedback result indicating whether the user has successfully logged in to the service server and the VPN service through the VPN client application; and
    sending the feedback result to the VPN client application of the terminal device.
  8. The method according to claim 7, wherein verifying whether the token is valid to obtain a feedback result comprises:
    verifying whether the token was generated by the VPN server and whether the state of the token is normal;
    if the token was generated by the VPN server and its state is normal, generating a feedback result indicating that the token is valid;
    otherwise, generating a feedback result indicating that the token is invalid.
  9. The method according to claim 7 or 8, wherein, after sending the feedback result to the VPN client application, the method further comprises:
    if the feedback result indicates that the VPN client application has successfully logged in to the service server and the VPN service, establishing a VPN tunnel with the VPN client application, so as to receive, through the VPN tunnel, service requests sent by the user through the VPN client application.
  10. A login method, applied to a service server deployed in an intranet, the method comprising:
    receiving a login page request sent by a user through a browser on a terminal device, wherein the login page request is generated and sent by the browser based on a redirection response sent by a login management server;
    sending a data stream for displaying a login page to the terminal device;
    receiving login information submitted by the terminal device based on the login page;
    performing legitimacy verification on the user according to the login information; and
    if the user is a legitimate user of the service server, sending a redirection response carrying a login success parameter to the terminal device, the redirection response instructing the browser of the terminal device to send an adaptation page request carrying the login success parameter to the login management server.
  11. A login method, applied to a terminal device, the method comprising:
    obtaining, through a browser, a data stream for displaying a login page and displaying the login page, the login page being used to log in to a service server and a VPN service;
    sending login information to the service server based on the login page;
    receiving a redirection response carrying a login success parameter from the service server;
    sending, through the browser, an adaptation page request carrying the login success parameter to the login management server;
    receiving a data stream for displaying an adaptation page from the login management server and displaying the adaptation page; and
    receiving a login response from the login management server, the login response indicating whether the user has successfully logged in to the service server and the VPN service through the browser.
  12. The method according to claim 11, wherein obtaining, through the browser, the data stream for displaying the login page and displaying the login page comprises:
    sending a login page request to the login management server through the browser, the login page request requesting login to the service server and the VPN service;
    receiving a redirection response from the login management server;
    sending the login page request to the service server according to the redirection response; and
    receiving the data stream for displaying the login page from the service server and displaying the login page.
  13. The method according to claim 11 or claim 12, wherein, after receiving the login response from the login management server, the method further comprises:
    when the login response carries a token, switching from the adaptation page to a login success page according to the login response, the login success page carrying the token;
    activating a VPN client application using the login success page;
    sending, using the VPN client application, an authentication request carrying the token to a VPN server providing the VPN service; and
    receiving a feedback result from the VPN server, the feedback result indicating whether the user has successfully logged in to the service server and the VPN service through the VPN client application.
  14. The method according to claim 13, wherein, after receiving the feedback result from the VPN server, the method further comprises:
    if the feedback result indicates that the user has successfully logged in to the service server and the VPN service through the VPN client application, requesting, through the VPN client application, establishment of a VPN tunnel with the VPN server; and
    sending a service request to the VPN server through the VPN tunnel.
  15. An electronic device, comprising a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein, when the processor executes the computer program, the electronic device implements the method according to any one of claims 1 to 14.
  16. A computer-readable storage medium having a computer program stored thereon, wherein, when the computer program is executed by a processor, the method according to any one of claims 1 to 14 is implemented.
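Claims 3 to 14 describe one flow seen from four parties: the intranet service server checks the login information and redirects the browser with a login success parameter, the login management server turns that into a trust request to the VPN server, the VPN server answers with a token and later checks that token when the VPN client application presents it, and only then is a VPN tunnel established. The simulation below is an added example, not code from the patent or its assignee, and it fills in details the claims leave open: it assumes the login success parameter is a one-time code that the login management server redeems with the service server over a back channel, that the token is an HMAC-signed, expiring, single-use value keyed by a secret that never leaves the VPN server, and that every network request is a plain function call. It takes the trust-request branch of claim 3, omits the initial redirect of claim 12, and all class, function and field names (ServiceServer, VPNServer, LoginManagementServer, terminal_login, token_state and so on) are the example's own.

```python
"""Browser + VPN client login flow of claims 3 to 14 (added example, see lead-in)."""
import base64, binascii, hashlib, hmac, json, secrets, time


class ServiceServer:
    """Intranet service server (claim 10)."""
    def __init__(self, users):
        self.users = dict(users)  # name -> password (constructed sample data)
        self.pending = {}  # login-success parameter -> user, redeemable once

    def login(self, user, password):
        # valid login information: redirect the browser to the login management
        # server with a one-time login-success parameter (assumed format)
        if not hmac.compare_digest(self.users.get(user, "").encode(), password.encode()):
            return {"status": 401}
        param = secrets.token_urlsafe(24)
        self.pending[param] = user
        return {"status": 302, "location": "/lm/adapt?ok=" + param}

    def redeem(self, param):
        # back channel for the login management server (assumption): one use only
        return self.pending.pop(param, None)


class VPNServer:
    """VPN service end on the public network (claims 5 to 9)."""
    def __init__(self, vpn_users, ttl=300):
        self.key = secrets.token_bytes(32)  # token MAC key, never leaves this server
        self.vpn_users, self.ttl = set(vpn_users), ttl
        self.token_state = {}  # token id -> "normal" or "used"
        self.tunnels = {}  # tunnel id -> user

    def trust_request(self, user):
        # claims 5 and 6: legitimacy check, then a token for a legitimate user
        if user not in self.vpn_users:
            return {"legal": False}
        tid = secrets.token_hex(8)
        body = json.dumps({"u": user, "id": tid, "exp": int(time.time()) + self.ttl}).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        self.token_state[tid] = "normal"
        return {"legal": True, "token": base64.urlsafe_b64encode(body).decode() + "." + tag}

    def authenticate(self, token):
        # claims 7 and 8: token generated here (MAC verifies) and state normal;
        # the feedback result is the user name, or None if the token is invalid
        try:
            b64, tag = token.rsplit(".", 1)
            body = base64.urlsafe_b64decode(b64)
            claims = json.loads(body)
        except (ValueError, binascii.Error, AttributeError):
            return None
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).hexdigest(), tag):
            return None
        if claims["exp"] < time.time() or self.token_state.get(claims["id"]) != "normal":
            return None
        self.token_state[claims["id"]] = "used"  # a replayed token is rejected
        return claims["u"]

    def establish_tunnel(self, user):
        # claim 9: VPN tunnel for the client after a positive feedback result
        tunnel_id = secrets.token_hex(4)
        self.tunnels[tunnel_id] = user
        return tunnel_id


class LoginManagementServer:
    """Login management server (claims 3 and 4), trust-request branch of claim 3."""
    def __init__(self, service, vpn):
        self.service, self.vpn = service, vpn

    def adaptation_page_request(self, param):
        user = self.service.redeem(param)  # legitimate user of the service server?
        if user is None:
            return {"page": "fail"}
        resp = self.vpn.trust_request(user)  # claim 3: ask the VPN server
        if not resp["legal"]:
            return {"page": "fail", "user": user}
        return {"page": "success", "user": user, "token": resp["token"]}  # claim 4


def terminal_login(lm, service, vpn, user, password):
    """Terminal device (claims 11, 13, 14): browser steps, then the VPN client."""
    fail = {"browser": False, "vpn": False, "token": None, "tunnel": None}
    r = service.login(user, password)  # browser submits the login information
    if r["status"] != 302:
        return fail
    page = lm.adaptation_page_request(r["location"].split("ok=", 1)[1])
    if page["page"] != "success":
        return fail
    token = page["token"]  # login success page carries the token; VPN client starts
    who = vpn.authenticate(token)  # authentication request -> feedback result
    tunnel = vpn.establish_tunnel(who) if who else None
    return {"browser": True, "vpn": who == user, "token": token, "tunnel": tunnel}


def demo():
    # constructed sample data: two service users, only alice allowed on the VPN
    service = ServiceServer({"alice": "correct horse", "bob": "battery staple"})
    vpn = VPNServer(["alice"])
    lm = LoginManagementServer(service, vpn)
    ok = terminal_login(lm, service, vpn, "alice", "correct horse")
    forged = ok["token"][:-1] + ("0" if ok["token"][-1] != "0" else "1")  # flip a MAC digit
    return {"ok": ok, "replay": vpn.authenticate(ok["token"]), "forged": vpn.authenticate(forged),
            "no_vpn": terminal_login(lm, service, vpn, "bob", "battery staple"),
            "bad_pw": terminal_login(lm, service, vpn, "alice", "wrong")}
```

Running demo() exercises the cases a reviewer of such a design would check: a user who is legitimate on the service server but not on the VPN gets a failing login response and no token; a token whose MAC digit was altered fails the "generated by the VPN server" check of claim 8; and a token presented a second time fails the "state is normal" check, so a captured success page cannot be replayed to open a second tunnel. The one-time login success parameter closes the corresponding gap on the browser side: it is consumed when the login management server redeems it, so it cannot be reused to obtain another trust request.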
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111012706.6 2021-08-31
CN202111012706.6A CN113922982B (en) 2021-08-31 2021-08-31 Login method, electronic equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
WO2023029138A1 true WO2023029138A1 (en) 2023-03-09

Family

ID=79233639

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/121317 WO2023029138A1 (en) 2021-08-31 2021-09-28 Login method, electronic device and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN113922982B (en)
WO (1) WO2023029138A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116506237A (en) * 2023-06-30 2023-07-28 深圳市今天国际物流技术股份有限公司 Remote identity verification and transmission method completely off-line
CN116962088A (en) * 2023-09-20 2023-10-27 上海金电网安科技有限公司 Login authentication method, zero trust controller and electronic equipment
CN117811847A (en) * 2024-03-01 2024-04-02 北京长亭科技有限公司 Man-machine verification method and device based on combination of public network and intranet

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115865562A (en) * 2022-11-30 2023-03-28 浪潮通用软件有限公司 Method, device and medium for integrating VPN (virtual private network) by application program under multi-tenant architecture

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388774A (en) * 2008-10-24 2009-03-18 焦点科技股份有限公司 Method for automatically authenticate and recognize customer identity between different customers and login
CN101651666A (en) * 2008-08-14 2010-02-17 中兴通讯股份有限公司 Method and device for identity authentication and single sign-on based on virtual private network
US20160156592A1 (en) * 2014-12-01 2016-06-02 Intermedia.Net, Inc. Native application single sign-on
CN106330918A (en) * 2016-08-26 2017-01-11 杭州迪普科技有限公司 Multi-system login method and device
CN106850517A (en) * 2015-12-04 2017-06-13 北京京东尚科信息技术有限公司 A kind of method, apparatus and system for solving intranet and extranet repeat logon

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767621B (en) * 2015-04-16 2018-04-10 深圳市高星文网络科技有限公司 A kind of Mobile solution accesses the one-point safety authentication method of business data
US10387980B1 (en) * 2015-06-05 2019-08-20 Acceptto Corporation Method and system for consumer based access control for identity information
US11012441B2 (en) * 2017-06-30 2021-05-18 Open Text Corporation Hybrid authentication systems and methods
US11163424B2 (en) * 2018-06-25 2021-11-02 Citrix Systems, Inc. Unified display for virtual resources
US11516202B2 (en) * 2019-12-26 2022-11-29 Vmware, Inc. Single sign on (SSO) capability for services accessed through messages

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116506237A (en) * 2023-06-30 2023-07-28 深圳市今天国际物流技术股份有限公司 Remote identity verification and transmission method completely off-line
CN116506237B (en) * 2023-06-30 2023-09-22 深圳市今天国际物流技术股份有限公司 Remote identity verification and transmission method completely off-line
CN116962088A (en) * 2023-09-20 2023-10-27 上海金电网安科技有限公司 Login authentication method, zero trust controller and electronic equipment
CN116962088B (en) * 2023-09-20 2023-11-28 上海金电网安科技有限公司 Login authentication method, zero trust controller and electronic equipment
CN117811847A (en) * 2024-03-01 2024-04-02 北京长亭科技有限公司 Man-machine verification method and device based on combination of public network and intranet
CN117811847B (en) * 2024-03-01 2024-05-28 北京长亭科技有限公司 Man-machine verification method and device based on combination of public network and intranet

Also Published As

Publication number Publication date
CN113922982B (en) 2024-06-21
CN113922982A (en) 2022-01-11

Similar Documents

Publication Publication Date Title
JP6987931B2 (en) Secure single sign-on and conditional access for client applications
WO2023029138A1 (en) Login method, electronic device and computer-readable storage medium
US9871791B2 (en) Multi factor user authentication on multiple devices
CN106131079B (en) Authentication method, system and proxy server
EP1484894B1 (en) Method and system for connecting a remote client to a local client desktop via an Intranet server
US6934848B1 (en) Technique for handling subsequent user identification and password requests within a certificate-based host session
US9654508B2 (en) Configuring and providing profiles that manage execution of mobile applications
US6976164B1 (en) Technique for handling subsequent user identification and password requests with identity change within a certificate-based host session
US8966594B2 (en) Proxy authentication
US8769291B2 (en) Certificate generation for a network appliance
US8191123B2 (en) Provisioning a network appliance
US20080040773A1 (en) Policy isolation for network authentication and authorization
US20100197293A1 (en) Remote computer access authentication using a mobile device
US8191122B2 (en) Provisioning a network appliance
US20070199049A1 (en) Broadband network security and authorization method, system and architecture
US20100199086A1 (en) Network transaction verification and authentication
US20060212934A1 (en) Identity and access management system and method
JP2005538434A (en) Method and system for user-based authentication in a federated environment
US11838285B2 (en) Single sign-on from desktop to network
CN113746811A (en) Login method, device, equipment and readable storage medium
CN113614691A (en) Connection leasing system for use with legacy virtual delivery devices and related methods
JPWO2014091576A1 (en) Relay device, relay method, and program
US20080271129A1 (en) Single sign-on functionality for secure communications over insecure networks
US8671442B2 (en) Modifying a user account during an authentication process
US8621027B2 (en) Automatically providing identity information for a network appliance

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21955667; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21955667; Country of ref document: EP; Kind code of ref document: A1)