DE10123508A1 - Method for controlling access between a company internal network and external networks in a seamless manner using an integration proxy that combines a user request with source data, e.g. user identifying data, before forwarding it - Google Patents

Abstract

Computer network comprises an internal region with users assigned to a user group and an external region. The internal group connects to the external region via an interface so that data interchange between the two regions is possible. Data exchange takes place via an integration proxy assigned to the internal group that takes a user request for external data and combines it with user data so that access can be made to an external computer. An Independent claim is made for a method for accessing an external computer via an integration proxy that processes a user request in a transparent manner.

Description

terms

Application: software application.
Application Service Provider (ASP): Company that operates applications (programs) for others and makes them available for a fee.
Extranet: system for a closed user group, based on Internet technology.
Intranet: In-house system based on internet technology.
Proxy: English for deputies. In the field of computer technology, a synonym for a system that accepts inquiries and forwards them to a third party on behalf of the user.
Transparent: Used in the field of computer technology as a synonym for "imperceptible".

Description of the invention

The invention relates to a device according to the preamble of claim 1.

Computer systems need the to limit access Authentication (identity verification, "who is the user?") Of the user. This will i. d. Usually through the following technical processes solved: username & password, chip card, user certificate.

It is initially the case that different systems are different, not to each other use compatible authentication methods. For the user, this means that he has to use multiple user names / passwords, chip cards etc.

This is a problem, especially in larger companies, because with the Identity-related business processes are time-consuming and labor-intensive. In addition, the large number of different user accounts leads to security risks and Data inconsistency (e.g. due to the fact that the user's master data is kept in several systems).

Through so-called single sign-on or single login solutions (here we mean systems in which the user authenticates (registers) once and these Identity determination is valid for all application systems.) This topic is addressed: Here i. d. As a rule, a so-called ticket (a kind of "admission ticket", which is usually valid for a certain time) (or token), on which all applications are issued To fall back on. However, today there is no uniform and widespread standard, which enables single sign-on (one application is valid for all applications) across company boundaries on the Internet.  

Which technical problem is solved by the invention? Should software applications (applications) both within a company, as to operate outside of your own IT (information technology) infrastructure must be uniform User authentication are taken into account.

As a prerequisite that external internet systems are integrated into internal company processes , it is still necessary to have the same user information and master data recourse.

The user should not notice that he is no longer using an internal, but operated an external application. Such an integration thus includes in addition to the Identity determination also the forwarding of master data, information on Group membership (user groups) and roles (function) of the user.

As long as the collaboration is only two partners, the If necessary, resolve the issue through a bilateral agreement. Should have multiple partners work together, it is hardly realistic due to the different needs a system to agree.

Disadvantages of the prior art

The following disadvantages derive from the current state of the art:

• 1. Different authentication data is required for different applications. This results in:
  • a) The approach is uncomfortable.
  • b) The approach leads to increased administration effort.
• 2. The provision of redundant master data leads to:
  • a) Inconsistent data.
  • b) Increased administrative burden.
• 3. Without a common database, software applications can
  • a) do not support common business processes,
  • (b) do not use central databases and
  • c) work insufficiently collaboratively.

Solution of the task

The above Problem is caused by the system described with the features of Claim 1 solved.

The integration proxy (the term proxy was chosen in the sense of its English meaning (performing one task instead of another). Proxies are already known in Internet technology today, but they serve a different purpose than described in this document Proxies are used to forward inquiries from a company intranet and anonymize them for security reasons. As a rule, they are connected to a cache (cache that temporarily saves requested Internet pages.) Is placed as a system on the intranet and takes certain specific Inquiries. The system prepares these inquiries and supplements necessary ones Information (e.g. the user's master data) and then guides it in its entirety an external internet system. The data transmission can optionally be encrypted to ensure data security: This allows the user to his company-internal user data securely for an externally operated application Sign in.

By transmitting the additional information, the Internet target system can be designed to be environmentally neutral, d. H. it doesn't have to be the circumstances of one certain company infrastructure to be optimized. The technical adjustment is done by made the proxy. Users without the need to connect to an intranet use the application - as usual - over the Internet. This will be a uses a unique master data record that is only kept consistently once.  

Since the system is inserted into the intranet based on internet standards, on the on the other hand, if an internet system appeals, the system can be used universally and can integrate all internet applications into intranets. Thus the user can external Use the Internet application as if it were operated locally in his company.  

Explanation

The integration proxy is placed as a system on the intranet and accepts certain specific requests (see Fig. 1). The integration proxy prepares these inquiries, supplements the necessary information (e.g. the master data of the user) and then forwards them as a whole to an external Internet system. Here, the data transmission can optionally be encrypted in order to ensure data security.

All necessary information is standardized (see FIG. 2) and transmitted to the target system. The target system can therefore be designed to be environment-neutral, which means that the target system does not have to be optimized for the conditions of a particular company infrastructure. The technical adjustment (standardization) is carried out by the proxy. Users outside of an intranet can - as usual - use the application via the Internet (see Fig. 1, right side). The state of affairs from the perspective of the user is illustrated in FIG. 4.

The user data (source system) is queried using the standard protocol LDAP (Lightweight Directory Access Protocol). It is the task of the integration proxy to standardize this data and to transmit it to the target system in a defined scheme. This standardization is achieved through a specific configuration of the integration proxy. Typical systems that hold user data include Microsoft Windows 2000, Lotus Domino and SAP. Due to different configurations, target systems can always be addressed in the same way via the integration proxy. This is shown symbolically in FIG. 2.

A comparison

The system on the Internet (e.g. a booking system, an eCommerce system ...) is one Power grid comparable available. To connect to it, the plug must be in the Socket fit. The proxy acts as a kind of adapter, but not just the connector enables, but also makes a voltage adjustment at the same time.

The application of the target system is based on internet standards in the intranet integrated (application in a web browser). Is the format (graphic design) of Adapted to the application, the user no longer recognizes the difference between in-house operated applications and applications of an application servicer Provider.

Fig. 3 shows the necessary steps for data transmission:

• 1. The user contacts his internal web server.
• 2. The web server connects to the integration proxy.
• 3. The integration proxy researches the necessary data about the user.
• 4. The target server is contacted and
• 5. The necessary information is stored.
• 6. The response of the target system will
• 7. via the integration proxy
• 8. transmitted to the user.

Further explanations 3.1. How has the problem been solved so far?

I. d. Usually through individual adaptation of the target system through project work or through Acceptance of the problem (multiple identifiers).

Proxies are already known in Internet technology today, but they fulfill another one Purpose as described in this document. The proxies known today serve the Forwarding inquiries from a company intranet and anonymizing them Security inquiries. I. d. They are usually provided with a cache connected, which stores the queried Internet pages.

The term proxy was used in the sense of its English meaning (perceiving a Task instead of another).

3.2. Embodiments of the invention

The basic technical feasibility of the concept described was within the framework tested in a feasibility study and is described in [BG 1999]. This was it a technically comparable requirement, but with a different objective.

Basic considerations for the integration of different systems can be found in [BGS 1999].

Claims (4)

1. Computer network, with which a plurality of computers are networked, comprehensive
an internal area containing computers (source system) of users assigned to a user group,
an external area that includes other computers (Ziet systems),
wherein the internal area has an interface to the external area, via which a data exchange between the external and internal area of the computer network is possible, characterized by
an integration proxy, which is arranged in the internal area and is connected to a system containing user data of the user group, and a device for preparing applications for users, which are directed to an external computer, which is designed such that the requests are supplemented based on the user data in such a way that the respective external computers can be accessed. 2. Method for operating a computer network with which one Many computers are networked, and the network one internal and one external area, wherein when a user requests an internal system from a target system the request from an integration proxy in the external area Supplement the request based on the user's stored master data in Dependency on this target system. 3. The method according to claim 2, characterized, that when preparing the request, this according to a specified Scheme of the target system is standardized. 4. The method according to claim 2 or 3,  characterized, that by processing the request for authentication to the target system is added.