Disclosure of Invention
In view of this, the present application provides a method, apparatus and system for accessing identity data, so as to improve security of accessing identity data.
The application provides the following scheme:
in a first aspect, a method for accessing identity data is provided, which is applied to a cloud identity and access management (IAM) server of a cloud system, wherein the cloud system includes an IAM Virtual Private Cloud (VPC) and a user VPC, and the cloud IAM server is located in the IAM VPC, and the method includes:
the cloud IAM server obtains network endpoint configuration information from a user;
configuring a network endpoint bound with the cloud IAM server on a user VPC corresponding to the user according to the network endpoint configuration information;
and accessing a local identity management server at the user side through the private network of the user by utilizing the network endpoint and acquiring target identity data.
According to an implementation manner of the embodiment of the present application, the network endpoint is a virtual network card created by the cloud IAM server under a virtual switch of the user VPC.
According to an implementation manner of the embodiment of the present application, the obtaining the configuration information of the network endpoint from the user includes:
providing a network endpoint configuration page to the user;
if the cloud system has created a network endpoint of the user, providing the network endpoint on the network endpoint configuration page for the user to select;
and acquiring the address of the local identity management server at the user side and the selected network endpoint, which are input by the user through a network endpoint configuration page.
According to an implementation manner of the embodiments of the present application, before providing the network endpoint configuration page to the user, or if an event of creating a network endpoint triggered by the user through the network endpoint configuration page is acquired, the method further includes:
providing a network endpoint creation page to the user;
acquiring identification information of a network endpoint, virtual switch information of the user VPC and private network information of the user, which are input by the user through the network endpoint creation page;
and creating a virtual network card bound with the cloud IAM server as the network endpoint under the virtual switch of the user VPC in the corresponding private network according to the virtual switch information and the private network information of the user.
According to an implementation manner in the embodiment of the present application, the virtual network card includes an elastic network interface (ENI) bound to an Elastic Compute Service (ECS) instance of the cloud IAM server, and the ECS instance accesses the local identity management server at the user side through the private network of the user and obtains the target identity data.
According to an implementation manner of the embodiment of the present application, accessing, by the network endpoint, the local identity management server on the user side through the private network of the user includes:
if the local identity management server of the user side is located in the user VPC, the cloud IAM server accesses the local identity management server of the user side through the user VPC by utilizing the network endpoint; or,
if the local identity management server of the user side is located in a VPC of the cloud system other than the user VPC, the cloud IAM server accesses the local identity management server of the user side by using the network endpoint through a cloud enterprise network (CEN) between the user VPC and that other VPC; or,
if the local identity management server of the user side is located outside the cloud system, the cloud IAM server accesses the local identity management server of the user side by using the network endpoint through a dedicated connection between the user VPC and the local identity management server of the user side.
According to an implementation manner in an embodiment of the present application, the method further includes: acquiring authentication information input by the user on a configuration page of a network endpoint;
the obtaining the target identity data comprises the following steps: and carrying out access authentication on the local identity management server of the user side by utilizing the authentication information, and acquiring target identity data from the local identity management server of the user side after the authentication is passed.
According to an implementation manner in the embodiment of the present application, the cloud IAM server includes: enterprise employee identity management EIAM servers or consumer identity management CIAM servers;
The local identity management server at the user side comprises a lightweight directory access protocol LDAP server.
According to an implementation manner in an embodiment of the present application, the method further includes:
and the cloud IAM server provides the target identity data to a downstream application server or provides single sign-on service for the downstream application server by utilizing the target identity data.
In a second aspect, a device for accessing identity data is provided, and the device is arranged at a cloud IAM server of a cloud system, wherein the cloud system comprises an IAM VPC and a user VPC, and the cloud IAM server is located at the IAM VPC; the device comprises:
a configuration acquisition unit configured to acquire network endpoint configuration information from a user;
an endpoint configuration unit configured to configure a network endpoint bound with the cloud IAM server on a user VPC corresponding to the user according to the network endpoint configuration information;
and the data synchronization unit is configured to access the local identity management server at the user side through the private network of the user by utilizing the network endpoint and acquire target identity data.
In a third aspect, a cloud system is provided, the cloud system comprising an IAM VPC and a user VPC;
The cloud IAM server is located in the IAM VPC and is configured to acquire network endpoint configuration information from a user; configuring a network endpoint bound with the cloud IAM server on a user VPC corresponding to the user according to the network endpoint configuration information; and accessing a local identity management server at the user side through the private network of the user by utilizing the network endpoint and acquiring target identity data.
In a fourth aspect, there is provided a system for accessing identity data, the system comprising: IAM VPC, user VPC and user's local identity management server;
3) In the application, the network endpoint is created under the virtual switch of the user VPC and bound to the cloud IAM server, so the user can configure through the network endpoint configuration page which local identity management server the endpoint accesses; with this configuration, one network endpoint can serve a plurality of local identity management servers of the user.
4) The method and the device are suitable for multiple deployment scenarios, such as the local identity management server and the network endpoint being located in the same user VPC, in different user VPCs, or the local identity management server being located outside the cloud system; in all of these scenarios the identity data can be acquired through the private network of the user.
Of course, not all of the above-described advantages need be achieved at the same time in practicing any one of the products of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIGS. 1a and 1b are schematic diagrams of two system configurations for accessing identity data in a conventional implementation;
FIG. 2 is a flowchart of a method for accessing identity data according to an embodiment of the present application;
fig. 3 is a schematic diagram of a system structure for accessing identity data according to an embodiment of the present application;
fig. 4 is a schematic diagram of a network endpoint configuration page provided in an embodiment of the present application;
fig. 5 is a schematic diagram of a network endpoint creation page according to an embodiment of the present application;
FIG. 6 is a schematic diagram of another system architecture for accessing identity data according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a system for accessing identity data according to an embodiment of the present application;
FIG. 8 is a schematic block diagram of an apparatus for accessing identity data provided by an embodiment of the present application;
fig. 9 is a schematic block diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application are within the scope of the protection of the present application.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
Depending on the context, the word "if" as used herein may be interpreted as "when", "upon", "in response to determining" or "in response to detecting". Similarly, the phrase "if determined" or "if (stated condition or event) is detected" may be interpreted as "when determined", "in response to determining", "when (stated condition or event) is detected" or "in response to detecting (stated condition or event)", depending on the context.
The traditional implementation manner for accessing identity data mainly comprises the following two modes:
In the first, the local identity management server at the user side exposes a public network IP address through which the cloud IAM server accesses it, as shown in fig. 1a. Identity data, however, has high security requirements: exposing a public IP address and carrying the identity data over the public network clearly fails to meet users' security requirements and is not acceptable to them.
In the second, a designated connection component (Connector) has to be downloaded and installed at the user side, as shown in fig. 1b. The Connector component is provided by the cloud IAM server; the local identity management server at the user side downloads and installs it, and the Connector component opens public network egress capability. With the Connector component as an intermediate bridge, a bidirectional channel is formed through which the cloud IAM server can access the local identity management server at the user side. Although this avoids exposing a public network IP address on the local identity management server, the connection component must be separately downloaded and installed at the user side, and one connection component can serve only one local identity management server, so the operation is cumbersome.
In view of this, the present application proposes a new idea. Fig. 2 is a flowchart of a method for accessing identity data according to an embodiment of the present application, where the method is performed by a cloud IAM server in a cloud system. As shown in fig. 2, the method may include the steps of:
step 202: the cloud IAM server obtains network endpoint configuration information from the user.
The cloud IAM server is a server for providing IAM service, is arranged at the cloud and is used for helping a user to safely control access to the identity data.
Step 204: configuring the network endpoint bound with the cloud IAM server on a user VPC (Virtual Private Cloud) corresponding to the user according to the network endpoint configuration information.
Step 206: and accessing a local identity management server at the user side through the private network of the user by using the network endpoint and acquiring target identity data.
According to the above flow, the cloud IAM server configures a network endpoint on the user VPC corresponding to the user according to the network endpoint configuration information from the user, so that the cloud IAM server can access the local identity management server through the private network of the user and obtain the target identity data. In this way the local identity management server need not expose a public network IP address, the cloud IAM server acquires the identity data through the private network of the user, and the security of identity data transmission is greatly improved. The private path removes the public exposure of the directory; authentication of the cloud IAM server to the local identity management server is handled separately, as described for step 206 below.
Each step of the above method flow is described in detail below. As shown in fig. 3, the above method flow is applied to the cloud system. The cloud system includes an IAM VPC and a user VPC. The figure shows one user VPC as an example; in an actual scenario, different users can deploy their respective user VPCs at the cloud. The cloud IAM server is located in the IAM VPC and is a virtual server.
The following describes the above step 202 in detail, namely, "the cloud IAM server obtains the configuration information of the network endpoint from the user" in connection with the embodiment.
The cloud IAM server may provide the user with a network endpoint configuration page. The user can open the network endpoint configuration page through any terminal equipment, and log in the network endpoint configuration page by using the account to configure the network endpoint.
As one of the possible ways, if the cloud system has created the network endpoint of the user, the network endpoint may be provided on a network endpoint configuration page for the user to select. As shown in fig. 4, after the user selects the "dedicated endpoint" option on the configuration page, the network endpoint of the user that has been created may be displayed in the form of a drop-down box for the user to select, and further, the IP address of the network endpoint, for example, the "dedicated private network exit IP" in the figure, may be simultaneously selected. The network endpoint is bound with the IAM server, and the IP address of the network endpoint is actually an intranet IP address used when the IAM server accesses the local identity management server on the user side, which will be described in detail in the subsequent creation process of the network endpoint.
In addition, on the network endpoint configuration page, the user may also input the address of the local identity management server on the user side, for example, the address of the local identity management server on the user side is input in the input box corresponding to the "server address" under the "server configuration" item in fig. 4, so as to be accessed by the cloud IAM server.
That is, the cloud IAM server may obtain, through the network endpoint configuration page, the address of the local identity management server at the user side and the selected network endpoint that the user entered on that page. Accordingly, in step 204, the network endpoint selected by the user is configured to access the address of the local identity management server that the user entered.
If the cloud system has not created the user's network endpoint, the cloud IAM server may first provide the user with a network endpoint creation page. Or, a component for creating the network endpoint can be provided on the network endpoint configuration page, if the user triggers the component, the cloud IAM server obtains an event for creating the network endpoint triggered by the user through the network endpoint configuration page, and provides the network endpoint creation page for the user.
As shown in fig. 5, the network endpoint creation page provides components for entering the identification information of the network endpoint (fig. 5 shows one example; other identification information such as a number may be used as well), the private network information of the user (for example, "select private network" in fig. 5) and the virtual switch information of the user VPC (for example, "select switch" in fig. 5). These components may be input boxes, drop-down boxes and the like; fig. 5 uses input boxes as an example. Because cloud systems are typically distributed across multiple geographic regions, the network endpoint creation page may also include a component for the user to select a region. That is, the cloud IAM server may acquire the identification information of the network endpoint, the virtual switch information of the user VPC and the private network information of the user through the network endpoint creation page.
The user clicks the "grant private access" component shown in fig. 5, confirming the authorization to create the network endpoint. The cloud IAM server can then create a virtual network card bound with the cloud IAM server as the network endpoint under the virtual switch of the user VPC in the corresponding private network, according to the virtual switch information and the private network information of the user. That is, with the user's authorization, the cloud IAM server creates and holds a virtual network card in the user VPC under the identity of the user, in order to access the local identity management server at the user side. As shown in fig. 3, the virtual network card is created under the virtual switch of the user VPC, not at the local identity management server at the user side. Because the virtual network card is held by and bound to the cloud IAM server, the cloud IAM server can be regarded as a network entity within the user VPC.
The virtual network card may be a network card implemented by virtualization, such as an ENI (Elastic Network Interface). An ENI is an elastic network interface that is bound to a cloud server in a private network; one cloud server can bind a plurality of ENIs. In the embodiment of the application, the ENI is bound during creation to one ECS (Elastic Compute Service) instance of the cloud IAM server. ECS is an IaaS (Infrastructure as a Service) level cloud computing service, and an ECS instance can be understood as a virtual ECS server built by the cloud and provided to the user. In the embodiment of the application, the ECS instance bound to the ENI accesses the local identity management server at the user side through the private network of the user and acquires the target identity data.
Furthermore, the network endpoint configuration page may also include components for entering path information of the target identity data (not shown in fig. 4) and authentication information, where the target identity data is the identity data to be synchronized to the cloud IAM server. Acquiring the target identity data requires authentication by the local identity management server at the user side, so authentication information must be entered; it may include a user name, a password and the like, as shown in fig. 4. The cloud IAM server can thus acquire the path information of the target identity data and the authentication information that the user entered on the network endpoint configuration page.
In addition to the above embodiment, the network endpoint configuration page may be used in other manners for the user to input the network endpoint configuration information, for example, the cloud IAM server provides a configuration tool for the user, and the user may input the network endpoint configuration information on an interface corresponding to the configuration tool.
The above step 206, i.e. "access to the local identity management server on the user side and obtain the target identity data via the private network of the user using the network endpoint", is described in detail below in connection with an embodiment.
Because the cloud IAM server is authorized to hold the network endpoint (i.e., the virtual network card) by the user through the creation process of the network endpoint, the cloud IAM server can be regarded as a network entity in the user VPC, so that the cloud IAM server is equivalent to accessing the local identity management server on the user side through the private network of the user. There may be, but are not limited to, the following:
first scenario: the local identity management server at the user side is located at the user VPC, as shown in fig. 3, where the network endpoint and the local identity management server at the user side are located under the same user VPC, and the cloud IAM server can access the local identity management server at the user side directly through the user VPC.
The second scenario: the local identity management server at the user side is located in a VPC of the cloud system other than the user VPC, that is, the network endpoint and the local identity management server are in different VPCs. As shown in fig. 6, assume the network endpoint is located in a first VPC of the user and the local identity management server at the user side in a second VPC of the user. The user VPC in which the network endpoint is located and the VPC in which the local identity management server is located can communicate through CEN (Cloud Enterprise Network). The cloud IAM server can then access the local identity management server at the user side through the CEN by using the network endpoint.
CEN is a private network on the cloud that interconnects different VPCs. Under CEN, traffic between different VPCs flows over private interconnection services, which are used to build enterprise interconnection across multiple regions or services.
It can be seen that in this scenario, the cloud IAM server also essentially has access to the local identity management server on the user side through the user's private network.
Third scenario: the local identity management server at the user side is located outside the cloud system, for example in an off-cloud IDC (Internet Data Center) or in another cloud system. As shown in fig. 7, assuming the local identity management server at the user side is located in an off-cloud IDC, the user VPC and the user's IDC can communicate through a dedicated connection, for example a VPN (Virtual Private Network) or the like. The cloud IAM server accesses the local identity management server at the user side through the dedicated connection by using the network endpoint.
It can be seen that in this scenario, the cloud IAM server also essentially realizes access to the local identity management server on the user side through the private network of the user.
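The checks below are an added example written for this page, not code from the application: they model what the endpoint creation page (fig. 5) and configuration page (fig. 4) collect and decide, before the cloud IAM server binds the virtual network card and dials the directory, whether the request can be served over one of the three private paths described above (same VPC, CEN, dedicated connection). The inventory, the VPC and vSwitch identifiers, the address ranges, the optional validity period and the rule that the directory must be reached over LDAPS are this example's assumptions; the application does not specify them.

```python
"""Pre-flight checks on a network-endpoint configuration.

Added example, not part of the application. Every identifier, address
range and the LDAPS requirement below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LDAPS_PORT = 636   # assumption: directory traffic must be TLS-protected even on a private path


@dataclass(frozen=True)
class NetworkEndpoint:
    name: str
    region: str
    vpc_id: str
    vswitch_id: str
    private_ip: str                    # intranet source IP of the bound virtual network card
    created_at: datetime
    ttl: Optional[timedelta] = None    # validity period, if one was set

    def expired(self, now: datetime) -> bool:
        return self.ttl is not None and now >= self.created_at + self.ttl


@dataclass(frozen=True)
class DirectoryTarget:
    address: str       # "server address" entered on the configuration page
    port: int
    base_dn: str       # path of the target identity data
    bind_dn: str       # authentication information (the password is handled elsewhere)
    location: str      # "vpc:<vpc-id>" on the cloud, "site:<name>" off the cloud


@dataclass(frozen=True)
class CloudInventory:
    vswitches: Dict[str, Tuple[str, str]]       # vswitch id -> (vpc id, CIDR)
    cen_vpcs: FrozenSet[str]                    # VPCs attached to the user's CEN
    dedicated_links: Dict[str, FrozenSet[str]]  # vpc id -> off-cloud sites it can reach


def access_path(ep: NetworkEndpoint, target: DirectoryTarget,
                inv: CloudInventory) -> Optional[str]:
    """Which of the three private paths applies, or None if there is none."""
    kind, _, ident = target.location.partition(":")
    if kind == "vpc":
        if ident == ep.vpc_id:
            return "same-vpc"
        if ep.vpc_id in inv.cen_vpcs and ident in inv.cen_vpcs:
            return "cen"
    elif kind == "site" and ident in inv.dedicated_links.get(ep.vpc_id, frozenset()):
        return "dedicated"
    return None


def validate(ep: NetworkEndpoint, target: DirectoryTarget,
             inv: CloudInventory, now: datetime) -> List[str]:
    """Return every reason the configuration must be rejected (empty list = accept)."""
    errors = []
    vsw = inv.vswitches.get(ep.vswitch_id)
    if vsw is None:
        errors.append("vswitch not found")
    else:
        vpc_id, cidr = vsw
        if vpc_id != ep.vpc_id:
            errors.append("vswitch does not belong to the endpoint's VPC")
        if ipaddress.ip_address(ep.private_ip) not in ipaddress.ip_network(cidr):
            errors.append("endpoint IP is outside the vswitch CIDR")
    if ep.expired(now):
        errors.append("endpoint validity period has passed")
    try:
        addr = ipaddress.ip_address(target.address)
    except ValueError:
        errors.append("server address must be a literal IP address")
    else:
        if not any(addr in net for net in PRIVATE_NETS):
            errors.append("server address is public; identity data must not leave the private network")
    if access_path(ep, target, inv) is None:
        errors.append("no private path from the endpoint VPC to the directory location")
    if not target.bind_dn:
        errors.append("authentication information is missing")
    if target.port != LDAPS_PORT:
        errors.append("use LDAPS (636): a private path does not encrypt the directory traffic")
    return errors


# Constructed inventory and inputs for a stand-alone run.
INVENTORY = CloudInventory(
    vswitches={"vsw-1a": ("vpc-user-1", "10.0.1.0/24"),
               "vsw-2a": ("vpc-user-2", "10.0.2.0/24")},
    cen_vpcs=frozenset({"vpc-user-1", "vpc-user-2"}),
    dedicated_links={"vpc-user-1": frozenset({"idc-shanghai"})},
)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=40)
ENDPOINT = NetworkEndpoint("ldap-endpoint", "cn-hangzhou", "vpc-user-1", "vsw-1a",
                           "10.0.1.20", NOW - timedelta(days=1), ttl=timedelta(days=30))


def good_target() -> DirectoryTarget:
    """Directory in the user's second VPC, reachable over CEN, LDAPS."""
    return DirectoryTarget("10.0.2.15", 636, "ou=people,dc=example,dc=com",
                           "cn=sync,dc=example,dc=com", "vpc:vpc-user-2")


def public_target() -> DirectoryTarget:
    """What the conventional fig. 1a deployment would look like: rejected."""
    return DirectoryTarget("203.0.113.5", 389, "ou=people,dc=example,dc=com",
                           "cn=sync,dc=example,dc=com", "site:idc-unknown")


if __name__ == "__main__":
    for t in (good_target(), public_target()):
        print(t.address, access_path(ENDPOINT, t, INVENTORY),
              validate(ENDPOINT, t, INVENTORY, NOW))
```

The bind account named in `bind_dn` should be a read-only directory account scoped to the base DN being synchronized, since whoever holds the network endpoint can reach the directory with it.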
The cloud IAM server generally needs to be authenticated by the local identity management server on the user side in view of security when acquiring the target identity data from the local identity management server on the user side. The cloud IAM server can use authentication information (such as account and password information) input by a user on a network endpoint configuration page before to carry out access authentication on the local identity management server of the user side, and after the authentication is passed, target identity data is obtained from the local identity management server of the user side.
In addition, there may be one identity data or multiple identity data in the local identity management server on the user side. The identity data desired to be synchronized to the cloud IAM server is referred to as target identity data, so that in a previous network endpoint configuration page or other configuration pages, the user may input path information of the target identity data, so that the cloud IAM server may acquire the target identity data according to the path information.
The user referred to in the above embodiments of the present application generally refers to an enterprise, that is, the enterprise has a corresponding enterprise VPC laid on a cloud end, and by using the above manner provided by the embodiment of the present application, a network endpoint bound with a cloud end IAM server can be configured in the enterprise VPC, so that identity data related to the enterprise is synchronized from a local identity management server to the cloud end IAM server.
Further, after the above step 206, the cloud IAM server may provide the target identity data to the downstream application server after obtaining the target identity data from the local identity management server on the user side, and the downstream application server may use the target identity data according to the actual application requirement, for example, update the identity data in the application server with the target identity data, manage the user identity, perform personalized service based on the user identity data, push information, and so on.
Or, after the above step 206, the cloud IAM server may provide SSO (Single Sign-On) service for the downstream application server after obtaining the target identity data from the local identity management server at the user side.
SSO means that, across a plurality of application services of the same enterprise, a user of the application services logs in only once and can then access all of them. The principle is mainly as follows: the user accesses application service A for the first time and needs to log in; the server of application service A redirects the user's login information to the cloud IAM server; the cloud IAM server verifies the login information against the identity data acquired as in the embodiments of the application and, after verification, generates a Token that is shared among the plurality of application services; the cloud IAM server returns the Token to the server of application service A, which then knows that the user is logged in and returns the requested resource to the user; when the user then accesses application service B, application service B obtains the shared Token from the cloud IAM server, learns that the user is already logged in, and returns the requested resource directly, so the user need not log in again at application service B.
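The exchange below is an added example, not the application's own implementation: a cloud IAM server that verifies a login against the synchronized identity data, issues a Token shared by the enterprise's application services, and answers those services' checks of the Token. The token format (base64url body plus HMAC-SHA256 tag, tracked server-side so it can be revoked), the PBKDF2 password verifiers in the identity store and the per-user list of entitled services are all this example's assumptions; the application describes none of them.

```python
"""SSO token exchange between a cloud IAM server and two application services.

Added example, not part of the application. The identity store, the token
format and the entitlement list are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_verifier(password: str, salt: bytes) -> bytes:
    """PBKDF2 verifier; assumed form of the credential in the synced store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CloudIAM:
    def __init__(self, key: bytes, users: dict, ttl: int = 3600):
        self._key = key              # HMAC key: held by the IAM server only
        self._users = users          # userName -> {"salt", "verifier", "apps"}
        self._ttl = ttl
        self._issued = {}            # jti -> payload; dropping an entry revokes the token

    def login(self, username: str, password: str, now: int):
        """Verify the redirected login; return a shared Token or None."""
        user = self._users.get(username)
        # Run the KDF even for unknown users so both failures take the same time.
        salt = user["salt"] if user else b"\0" * 16
        derived = make_verifier(password, salt)
        if user is None or not hmac.compare_digest(derived, user["verifier"]):
            return None
        payload = {"sub": username, "jti": secrets.token_hex(8),
                   "iat": now, "exp": now + self._ttl, "apps": sorted(user["apps"])}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        tag = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        self._issued[payload["jti"]] = payload
        return body + "." + tag

    def introspect(self, token: str, app: str, now: int):
        """Called by an application service: return the user name if the
        Token is authentic, unexpired, unrevoked and valid for that service."""
        body, sep, tag = token.rpartition(".")
        if not sep:
            return None
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None                      # tag checked before the body is parsed
        payload = json.loads(_unb64(body))
        if payload["jti"] not in self._issued or now >= payload["exp"]:
            return None
        if app not in payload["apps"]:
            return None
        return payload["sub"]

    def logout(self, token: str) -> None:
        body, _, _ = token.rpartition(".")
        try:
            self._issued.pop(json.loads(_unb64(body))["jti"], None)
        except (ValueError, KeyError):
            pass


class AppService:
    """One application of the enterprise; it never holds the HMAC key."""

    def __init__(self, name: str, iam: CloudIAM):
        self.name, self._iam = name, iam

    def request(self, resource: str, token, now: int):
        """Return ("ok", resource) for a valid session, else a redirect to login."""
        user = self._iam.introspect(token, self.name, now) if token else None
        if user is None:
            return ("redirect", f"/iam/login?service={self.name}")
        return ("ok", f"{resource} for {user}")


def build_demo():
    """Constructed enterprise: one employee entitled to two of three services."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    users = {"alice": {"salt": salt, "verifier": make_verifier("correct horse", salt),
                       "apps": {"office", "attendance"}}}
    iam = CloudIAM(key=bytes(range(32)), users=users, ttl=3600)
    return iam, AppService("office", iam), AppService("attendance", iam), AppService("finance", iam)
```

The services validate the Token by asking the IAM server rather than by holding the signing key themselves, which keeps revocation (logout) authoritative in one place and means a compromised application cannot mint tokens for the others.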
The redirection in the SSO procedure described above can be implemented with Webhook technology. The cloud IAM server and the servers of the application services follow the SCIM (System for Cross-domain Identity Management) protocol. SCIM allows an organization to manage user identities and resource access rights across multiple systems or services; it is commonly used to automate the creation, updating and deletion of user accounts and permissions and to keep them synchronized between different systems.
As one of the usage scenarios, the cloud IAM server may be an EIAM (Employee Identity and Access Management, enterprise identity management platform) server, that is, identity data such as an enterprise internal employee account number, authority, etc. is synchronized to the EIAM server, and the EIAM server manages the enterprise employee identity data, identity authentication, application access, etc. In this scenario, the user of the application service is an enterprise employee. For example, when using a plurality of application services such as an office system, a check-in system, a financial system, etc. of the same enterprise, an enterprise employee can log in and use the plurality of application services using one employee account.
As another usage scenario, the cloud IAM server may be a CIAM (customer identity and access management, consumer identity management) server. The method is characterized in that identity data such as account numbers, grades and the like of consumers are synchronized to a CIAM server, and the CIAM server manages the identity data, identity authentication, application access and the like of the consumers. In this scenario, the user of the application service described above is a consumer. For example, when using application services of multiple e-commerce platforms, social platforms, etc. provided by the same enterprise, a consumer may log in and use the multiple application services using one registered account number.
In the above embodiments, the local identity management server at the user side may be an LDAP (Lightweight Directory Access Protocol) server, i.e. a directory-like structured store for identity data, including but not limited to an AD (Active Directory) server, an OpenLDAP server, a Red Hat Directory Server and the like. Other servers are also possible, for example an existing application server that contains identity data, with which the cloud IAM server interfaces to obtain the identity data; for example, the target identity data may be obtained from the server of an instant messaging application such as DingTalk by interfacing with that server.
In the above embodiments, the network endpoint is created under the virtual switch of the user VPC and bound to the cloud IAM server, so the user can configure through the network endpoint configuration page which local identity management server the endpoint accesses; with this configuration, one network endpoint can serve a plurality of local identity management servers of the user. Once a network endpoint has been created for a user, the address of the local identity management server that the endpoint is to access (the "server address" in fig. 4) can be configured on a network endpoint configuration page such as that shown in fig. 4. When identity data of another local identity management server is to be synchronized, that address can simply be changed to the address of the other server, without creating a new network endpoint. Compared with the conventional implementation, in which one connection component can serve only one local identity management server, this is more flexible and saves resources.
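Added example, not the application's code, for the acquisition of target identity data by path (the base DN entered as path information) and its synchronization to the cloud IAM server with SCIM, as described above: the directory entries, shaped like the result of an LDAP search after a successful bind, the base DN and the cloud-side state are all constructed, the LDAP bind and search themselves are not performed, and the SCIM request bodies follow this example's reading of SCIM 2.0. Two design choices are the example's own: credential attributes are never copied to the cloud, and users who disappear from the directory are deactivated rather than deleted.

```python
"""Map target identity data from a directory to SCIM 2.0 sync operations.

Added example, not part of the application. Directory entries, base DN
and cloud-side state are constructed; no LDAP traffic is generated.
"""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SENSITIVE_ATTRS = {"userPassword", "unicodePwd"}   # credentials stay on-premises

BASE_DN = "ou=people,dc=example,dc=com"            # "path" of the target identity data

# Constructed entries, shaped like an LDAP search result under dc=example,dc=com.
DIRECTORY_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "entryUUID": "1111-a",
     "uid": "alice", "cn": "Alice Liu", "mail": "alice@example.com",
     "memberOf": ["cn=finance,ou=groups,dc=example,dc=com"],
     "userPassword": "{SSHA}not-for-the-cloud"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "entryUUID": "2222-b",
     "uid": "bob", "cn": "Bob Chen", "mail": "bob@example.com", "memberOf": []},
    {"dn": "uid=carol,ou=contractors,dc=example,dc=com", "entryUUID": "3333-c",
     "uid": "carol", "cn": "Carol Wu", "mail": "carol@example.com", "memberOf": []},
]

# Constructed cloud-side state: externalId -> {"id": cloud id, "user": SCIM user}.
CLOUD_STATE = {
    "1111-a": {"id": "c-100", "user": {
        "schemas": [SCIM_USER], "externalId": "1111-a", "userName": "alice",
        "displayName": "Alice Liu",
        "emails": [{"value": "alice.liu@old.example.com", "primary": True}],
        "groups": [{"value": "cn=finance,ou=groups,dc=example,dc=com"}],
        "active": True}},
    "4444-d": {"id": "c-200", "user": {
        "schemas": [SCIM_USER], "externalId": "4444-d", "userName": "dave",
        "displayName": "Dave Ng", "emails": [], "groups": [], "active": True}},
}


def under_base(dn: str, base_dn: str) -> bool:
    """True if dn lies at or below base_dn (case-insensitive DN suffix match)."""
    d, b = dn.lower(), base_dn.lower()
    return d == b or d.endswith("," + b)


def to_scim_user(entry: dict) -> dict:
    """Map one directory entry to a SCIM User, dropping credential attributes."""
    attrs = {k: v for k, v in entry.items() if k not in SENSITIVE_ATTRS}
    return {
        "schemas": [SCIM_USER],
        "externalId": attrs["entryUUID"],
        "userName": attrs["uid"],
        "displayName": attrs.get("cn", attrs["uid"]),
        "emails": [{"value": attrs["mail"], "primary": True}] if "mail" in attrs else [],
        "groups": [{"value": g} for g in attrs.get("memberOf", [])],
        "active": True,
    }


def plan_sync(entries: list, base_dn: str, cloud_state: dict) -> list:
    """Return the SCIM requests (method, path, body) that bring cloud_state in
    line with the directory entries under base_dn. Entries outside the base DN
    are ignored; users missing from the directory are deactivated, not deleted,
    so their history in the cloud IAM server survives."""
    wanted = {}
    for entry in entries:
        if under_base(entry["dn"], base_dn):
            user = to_scim_user(entry)
            wanted[user["externalId"]] = user
    ops = []
    for ext_id, user in wanted.items():
        current = cloud_state.get(ext_id)
        if current is None:
            ops.append(("POST", "/Users", user))
        elif current["user"] != user:
            ops.append(("PUT", f"/Users/{current['id']}", user))
    for ext_id, current in cloud_state.items():
        if ext_id not in wanted and current["user"].get("active", True):
            ops.append(("PATCH", f"/Users/{current['id']}", {
                "schemas": [SCIM_PATCH],
                "Operations": [{"op": "replace", "path": "active", "value": False}]}))
    return ops


def demo_plan() -> list:
    return plan_sync(DIRECTORY_ENTRIES, BASE_DN, CLOUD_STATE)


if __name__ == "__main__":
    for method, path, _ in demo_plan():
        print(method, path)
```

Keying on `entryUUID` (`objectGUID` on Active Directory) rather than on `uid` means a renamed account is updated in place instead of being deactivated and recreated.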
In addition, the user may delete the established network endpoint from the user VPC through the page shown in fig. 5. For example, when the user inputs information such as the name and the region of the existing network endpoint, and clicks the "delete" component, the cloud IAM server deletes the network endpoint and releases the corresponding resource. In addition, the network endpoint can also set a certain validity period, and after the validity period is exceeded, the cloud IAM server automatically deletes the network endpoint and releases corresponding resources. Other deletion mechanisms may also exist, not specifically recited herein.
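The endpoint lifecycle described in the two preceding paragraphs, as an added illustrative model that is not part of this description's own embodiments: one endpoint bound to the cloud IAM server is re-pointed at different local identity management servers instead of creating an endpoint per server, it is deleted on request, and it expires after its validity period. All class, field and method names are assumptions, and times are plain Unix timestamps passed in by the caller so the behaviour is deterministic. The practitioner's check it adds is that expiry is enforced at access time, not only by the periodic sweep.

```python
"""Lifecycle of a network endpoint bound to the cloud IAM server.

Illustrative model added to this description; not the page's own code.
All names are assumptions. Times are Unix timestamps (seconds) supplied
by the caller so the behaviour is deterministic."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NetworkEndpoint:
    name: str
    region: str
    vswitch_id: str               # virtual switch of the user VPC hosting the virtual NIC
    private_network: str          # private network of the user the NIC is placed in
    bound_iam_server: str         # cloud IAM server instance the NIC is bound to
    expires_at: Optional[float]   # None: no validity period
    server_address: Optional[str] = None  # local identity server currently targeted


class EndpointRegistry:
    """Endpoint bookkeeping kept on the cloud IAM server side."""

    def __init__(self, iam_server_id: str) -> None:
        self.iam_server_id = iam_server_id
        self._endpoints: Dict[str, NetworkEndpoint] = {}
        self.released: List[str] = []   # names whose NIC resources were released

    def create(self, name: str, region: str, vswitch_id: str, private_network: str,
               now: float, validity_seconds: Optional[float] = None) -> NetworkEndpoint:
        """Create the virtual NIC under the user's vswitch, bound to this IAM server."""
        if name in self._endpoints:
            raise ValueError(f"endpoint {name!r} already exists")
        expires = None if validity_seconds is None else now + validity_seconds
        ep = NetworkEndpoint(name, region, vswitch_id, private_network,
                             self.iam_server_id, expires)
        self._endpoints[name] = ep
        return ep

    def configure_server(self, name: str, server_address: str) -> None:
        """Point an existing endpoint at a (possibly different) local identity server."""
        self._endpoints[name].server_address = server_address

    def endpoint_for_access(self, name: str, now: float) -> NetworkEndpoint:
        """Endpoint to use for a synchronisation run. Expiry is checked here, at
        access time, so an expired endpoint is never used in the window before
        the periodic sweep removes it."""
        ep = self._endpoints[name]
        if ep.expires_at is not None and now >= ep.expires_at:
            self.delete(name)
            raise PermissionError(f"endpoint {name!r} expired")
        if ep.server_address is None:
            raise ValueError(f"endpoint {name!r} has no server address configured")
        return ep

    def delete(self, name: str) -> None:
        """Remove the endpoint and release its resources (assumed release hook)."""
        self._endpoints.pop(name)
        self.released.append(name)

    def sweep_expired(self, now: float) -> List[str]:
        """Automatic deletion once the validity period has elapsed."""
        expired = [n for n, e in self._endpoints.items()
                   if e.expires_at is not None and now >= e.expires_at]
        for n in expired:
            self.delete(n)
        return expired

    def names(self) -> List[str]:
        return sorted(self._endpoints)
```

Calling `configure_server` twice on the same endpoint is the "modify the address instead of creating a new endpoint" behaviour; `endpoint_for_access` is where a synchronisation run should obtain the endpoint, so that an endpoint past its validity period is refused and released immediately.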
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
According to an embodiment of another aspect, an apparatus for accessing identity data is provided. Fig. 8 shows a schematic block diagram of an apparatus for accessing identity data according to one embodiment, the apparatus being provided at the cloud IAM server of a cloud system that includes an IAM VPC and a user VPC, the cloud IAM server being located in the IAM VPC. As shown in fig. 8, the apparatus 800 includes a configuration acquisition unit 801, an endpoint configuration unit 802 and a data synchronization unit 803, and may further include an endpoint creation unit 804. The main functions of each constituent unit are as follows:
A configuration acquisition unit 801 configured to acquire network endpoint configuration information from a user.
The endpoint configuration unit 802 is configured to configure, according to the network endpoint configuration information, a network endpoint bound to the cloud IAM server on the user VPC corresponding to the user.
A data synchronization unit 803 configured to access the local identity management server on the user side through the user's private network using the network endpoint and obtain the target identity data.
As one of the realizations, the configuration acquisition unit 801 may be specifically configured to: providing a network endpoint configuration page to a user; if the cloud system has created a network endpoint of the user, providing the network endpoint on a network endpoint configuration page for the user to select; and acquiring the address of the local identity management server on the user side and the selected network endpoint, which are input by the user through the network endpoint configuration page.
Further, the endpoint creation unit 804 may be configured to provide a network endpoint creation page to the user; acquire identification information of the network endpoint, virtual switch information of the user VPC and private network information of the user, which are input by the user through the network endpoint creation page; and, according to the virtual switch information and the private network information, create under the virtual switch of the user VPC, in the corresponding private network, a virtual network card bound to the cloud IAM server as the network endpoint.
As one of the possible ways, if the local identity management server on the user side is located at the user VPC, the data synchronization unit 803 accesses the local identity management server on the user side through the user VPC by using the network endpoint.
As another implementation manner, if the local identity management server on the user side is located in another VPC of the cloud system other than the user VPC, the data synchronization unit 803 accesses the local identity management server on the user side by using the network endpoint through the cloud enterprise network (CEN) between the user VPC and that other VPC.
As yet another implementation manner, if the local identity management server on the user side is located outside the cloud system, the data synchronization unit 803 accesses the local identity management server on the user side by using the network endpoint through a dedicated connection between the user VPC and the local identity management server on the user side.
Further, the configuration obtaining unit 801 may obtain authentication information input by the user through the network endpoint configuration page.
Accordingly, the data synchronization unit 803 may perform access authentication to the local identity management server on the user side by using the authentication information, and acquire the target identity data from the local identity management server on the user side after the authentication is passed.
As one of the usage scenarios, the cloud IAM server may be an EIAM server; as another usage scenario, the cloud IAM server may be a CIAM server.
The local identity management server on the user side may be an LDAP (Lightweight Directory Access Protocol) server, i.e. a directory-like structured data store holding identity data, and may include, but is not limited to, an AD (Active Directory) server, an OpenLDAP server, a Red Hat Directory Server, and the like.
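The access authentication performed by the data synchronization unit 803 with the authentication information obtained by the configuration acquisition unit 801, shown concretely for the LDAP servers named above as an added illustration that is not part of this description's own embodiments: the LDAP simple BindRequest (RFC 4511) the cloud IAM server would send through the network endpoint, the BindResponse the local LDAP or AD server returns, and what a simple bind exposes on the wire. The byte strings in the usage are constructed; the BER handling is the minimum these messages need (lengths up to 2^32, small non-negative integers), and all function names are assumptions.

```python
"""LDAP simple bind (RFC 4511) as the access-authentication step.

Illustrative code added to this description, not the page's own.
Messages are built and parsed with a minimal BER encoder/decoder."""
from typing import Dict, Tuple

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80                         # AuthenticationChoice.simple, [0] primitive
LDAP_VERSION = 3
RESULT_NAMES = {0: "success", 49: "invalidCredentials", 50: "insufficientAccessRights"}


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def ber_int(value: int, tag: int = INTEGER) -> bytes:
    """Two's-complement INTEGER/ENUMERATED; 128..255 correctly get a leading 0x00."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = (ber_int(LDAP_VERSION)
          + tlv(OCTET_STRING, bind_dn.encode("utf-8"))
          + tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, op))


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side: BindResponse carrying LDAPResult { resultCode, matchedDN, diagnosticMessage }."""
    result = (ber_int(result_code, ENUMERATED) + tlv(OCTET_STRING, b"")
              + tlv(OCTET_STRING, diagnostic.encode("utf-8")))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_RESPONSE, result))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _expect(tag: int, wanted: int) -> None:
    if tag != wanted:
        raise ValueError(f"unexpected tag 0x{tag:02x}, wanted 0x{wanted:02x}")


def parse_bind_response(msg: bytes) -> Dict[str, object]:
    tag, body, _ = _read_tlv(msg, 0)
    _expect(tag, SEQUENCE)
    tag, mid, pos = _read_tlv(body, 0)
    _expect(tag, INTEGER)
    tag, op, _ = _read_tlv(body, pos)
    _expect(tag, BIND_RESPONSE)
    tag, code, pos = _read_tlv(op, 0)
    _expect(tag, ENUMERATED)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": rc,
            "result": RESULT_NAMES.get(rc, "other"),
            "matched_dn": matched.decode("utf-8"), "diagnostic": diag.decode("utf-8")}


def bind_succeeded(msg: bytes, expected_message_id: int) -> bool:
    """Only accept success for the request we actually sent (message ID must match)."""
    r = parse_bind_response(msg)
    return r["message_id"] == expected_message_id and r["result_code"] == 0


def credentials_on_wire(request: bytes) -> Tuple[str, str]:
    """Recover DN and password from a captured simple BindRequest. The protocol
    itself does not protect them, which is why the bind must traverse the private
    network endpoint (and LDAPS/StartTLS), never a public path."""
    tag, body, _ = _read_tlv(request, 0)
    _expect(tag, SEQUENCE)
    _, _, pos = _read_tlv(body, 0)           # messageID
    tag, op, _ = _read_tlv(body, pos)
    _expect(tag, BIND_REQUEST)
    _, _, pos = _read_tlv(op, 0)             # version
    _, dn, pos = _read_tlv(op, pos)
    tag, pw, _ = _read_tlv(op, pos)
    _expect(tag, SIMPLE_AUTH)
    return dn.decode("utf-8"), pw.decode("utf-8")
```

A synchronisation run would send `bind_request(...)` over the endpoint, check `bind_succeeded(response, message_id)` before issuing any search for identity data, and treat result code 49 as a configuration problem with the stored authentication information rather than retrying. `credentials_on_wire` is the reason the bind belongs on the private network and on a TLS-protected port: anyone who can read the path can read the password.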
Still further, the data synchronization unit 803 may be further configured to: the target identity data is provided to the downstream application server or a single sign-on service is provided to the downstream application server.
According to an embodiment of a further aspect, a system for accessing identity data is provided, the system comprising an IAM VPC, a user VPC and a local identity management server of the user.
The local identity management server at the user side stores identity data.
The cloud IAM server is located in the IAM VPC and is configured to acquire network endpoint configuration information from a user; configure, according to the network endpoint configuration information, a network endpoint bound to the cloud IAM server on the user VPC corresponding to the user; and access the local identity management server on the user side through the private network of the user by using the network endpoint and acquire the target identity data.
The cloud IAM server and the user VPC are arranged in the same cloud system. The local identity management server on the user side may be disposed in the cloud system, for example as shown in fig. 3 and fig. 6; alternatively, it is located in a system other than the cloud system, such as an on-premises IDC of the user (for example as shown in fig. 7) or another cloud system.
In this specification, the embodiments are described in a progressive manner; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief, and reference may be made to the description of the method embodiments for the relevant points. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement this without undue effort.
It should be noted that the user information (including but not limited to user equipment information and user personal information) and data (including but not limited to data used for analysis, stored data and displayed data) involved in the present application are information and data authorized by the user or fully authorized by all parties; the collection, use and processing of such data must comply with the relevant laws, regulations and standards of the relevant country or region, and corresponding operation entries are provided for the user to choose to authorize or refuse.
In addition, the embodiment of the application further provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method of any one of the foregoing method embodiments.
And an electronic device comprising:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform the steps of the method of any of the preceding method embodiments.
The present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any of the preceding method embodiments.
Fig. 9 illustrates an architecture of an electronic device, which may include a processor 910, a video display adapter 911, a disk drive 912, an input/output interface 913, a network interface 914, and a memory 920. The processor 910, the video display adapter 911, the disk drive 912, the input/output interface 913, the network interface 914, and the memory 920 may be communicatively connected by a communication bus 930.
The processor 910 may be implemented by a general-purpose CPU, a microprocessor, an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing a relevant program to implement the technical solutions provided herein.
The memory 920 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 920 may store an operating system 921 for controlling the operation of the electronic device 900, and a Basic Input Output System (BIOS) 922 for controlling low-level operation of the electronic device 900. In addition, a web browser 923, a data storage management system 924, an apparatus 925 for accessing identity data, and the like may also be stored. The apparatus 925 for accessing identity data may be an application program that specifically implements the operations of the foregoing steps in the embodiments of the present application. In general, when the technical solutions provided in the present application are implemented in software or firmware, the relevant program code is stored in the memory 920 and invoked by the processor 910 for execution.
The input/output interface 913 is used to connect with the input/output module to realize information input and output. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
The network interface 914 is used to connect a communication module (not shown) to enable communication between the present device and other devices. The communication module may communicate in a wired manner (such as USB or a network cable) or in a wireless manner (such as a mobile network, Wi-Fi or Bluetooth).
Bus 930 includes a path for transferring information between components of the device (e.g., processor 910, video display adapter 911, disk drive 912, input/output interface 913, network interface 914, and memory 920).
It should be noted that although the device described above shows only the processor 910, the video display adapter 911, the disk drive 912, the input/output interface 913, the network interface 914, the memory 920, the bus 930 and the like, the device may, in a specific implementation, include other components necessary for proper operation. Furthermore, those skilled in the art will understand that the device described above may include only the components necessary to implement the solution of the present application, rather than all of the components shown in the drawings.
From the above description of embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software plus a necessary general purpose hardware platform. Based on such understanding, the technical solutions of the present application may be embodied essentially or in a part contributing to the prior art in the form of a computer program product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and include several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments or some parts of the embodiments of the present application.
The foregoing is a detailed description of specific embodiments of the present application. The description of the principles and embodiments is given by way of example only, to facilitate understanding of the method and core concepts of the present application; at the same time, those of ordinary skill in the art will, in view of the teachings of the present application, arrive at many modifications both in the specific implementation and in the scope of application. In view of the foregoing, this description should not be construed as limiting the application.