CN101562627A - User attribute inquiry method, method providing service and equipment - Google Patents



Publication number
CN101562627A
Authority
CN
China
Prior art keywords
user
attribute
information
provider equipment
service
Legal status
Pending
Application number
CNA2008100937894A
Other languages
Chinese (zh)
Inventor
杨健
王雷
董挺
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNA2008100937894A
Priority to PCT/CN2009/071342 (WO2009127163A1)
Publication of CN101562627A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles

Abstract

The invention discloses a user attribute inquiry method, a service providing method and equipment. In the embodiment, attribute provider equipment receives an attribute query request for a second user, transmitted by service provider equipment; the attribute query request comprises the first user's identity information and the second user's identity information. The attribute provider equipment judges whether the first user has authority to query the attributes of the second user, and if the judgement is that the first user has such authority, the attribute provider equipment performs the attribute query and returns the queried attribute information of the second user to the service provider equipment. With the technical scheme of the embodiment, a user can query the attribute information of other users, so one user can help other users complete the corresponding service; this increases the diversity of services an SP can provide to users, improves the user experience and raises service efficiency.

Description

User attribute inquiry method, service providing method and equipment
Technical field
The present invention relates to the communications field, and specifically to a user attribute inquiry method, a service providing method and equipment.
Background art
OMA Web Service (OWSER) 1.1 defines how OMA applications are exposed, discovered and used with Web Service technology. OMA Web Service 1.1 lists the parameters for access, authentication and authorization, so that developers are guaranteed the integrity of transmitted data and the confidentiality of sensitive data. In addition, users cannot yet discover registered schemas and service descriptions through OMA Web Service 1.1. OMA Web Service Network Identity (OWSER NI) 1.0 provides a variety of protocols and services so that OMA services and applications have a federated identity in the Liberty web services environment.
The Web Service architecture is based on interactions among three roles: the service provider, the service registry and the service requester. The interactions involve the publish, find and bind operations. These roles and operations act together on the Web service components: the Web service software module and its description. Typically, the service provider hosts a software module that is accessible over the network (the implementation of the Web service). The service provider defines a service description for the Web service and publishes it to the service requester or to the service registry. The service requester uses the find operation to retrieve the service description, either locally or from the service registry, then uses the service description to bind to the service provider and invoke or interact with the Web service implementation. The service provider and service requester roles are logical constructs, so one service can exhibit the characteristics of both. The figure below shows these operations, the components that provide them, and the interactions between them.
For an application to make use of Web services, three behaviours must take place: publishing a service description, finding (or querying for) a service description, and binding to or invoking the service according to its service description. These behaviours can occur once or repeatedly. Specifically, the operations are:
Publish: to make a service accessible, its service description must be published so that the service requester can find it. Where the service description is published can vary with the requirements of the application.
Find: in the find operation, the service requester either retrieves a service description directly or queries the service registry for the required type of service. For the service requester, the find operation may occur in two different lifecycle phases: at design time, retrieving the interface description of the service for program development; and at run time, retrieving the binding and location description of the service in order to invoke it.
Bind: finally, the service needs to be invoked. In the bind operation, the service requester uses the binding details in the service description to locate, contact and invoke the service, thereby invoking or initiating interaction with the service at run time.
In the prior-art scheme, when a user uses an SP to complete a certain service, the user needs to be authenticated by the IdP, after which the query of the user's attributes is completed.
In the course of research and practice on the prior art, the inventors found that the prior art has the following problem: when a user completes a certain service through an SP, a query must be made to the attribute provider, and the content of that query is the information of the logged-in user. Because the service currently provided can only query the user's own attribute information, it cannot query the attribute information of other users. In practice, however, the need for one user to order a service or product on behalf of another user does exist; for example, user A orders a film ticket on the network on behalf of user B, but because this order cannot query the relevant information of user B, the order cannot be completed.
Summary of the invention
The technical problem solved by the embodiments of the invention is to provide a user attribute inquiry method, a Web service providing method and equipment that enable a user to query the attribute information of other users.
An embodiment of the invention provides a user attribute inquiry method, comprising:
receiving an attribute query request for a second user sent by service provider equipment, the attribute query request comprising the first user's identity information and the second user's identity information;
judging whether the first user has authority to query the second user's attributes; and, if the result of the judgement is that the first user has authority, performing the attribute query and returning the queried attribute information of the second user to the service provider equipment.
An embodiment of the invention provides a service providing method, characterized in that it comprises:
receiving a service request sent by a first user and to be carried out for a second user, the service request comprising the first user's identity information and the second user's identity information;
sending an attribute query request for the second user to attribute provider equipment, the attribute query request comprising the first user's identity information and the second user's identity information;
receiving the second user's attribute information, which the attribute provider equipment returns when it judges that the first user has authority to query the second user's attributes;
providing service for the second user according to the second user's attribute information.
An embodiment of the invention provides attribute provider equipment, comprising: a query request receiving unit, a judging unit, an attribute query unit and a feedback unit;
the query request receiving unit is used to receive an attribute query request for a second user sent by service provider equipment, the attribute query request comprising the first user's identity information and the second user's identity information;
the judging unit is used to judge whether the first user has authority to query the second user's attributes, and, if the result of the judgement is that the first user has authority, to notify the attribute query unit to query the second user's attributes;
the attribute query unit is used to perform the attribute query according to the notification from the judging unit;
the feedback unit is used to return the second user's attribute information queried by the attribute query unit to the service provider equipment.
An embodiment of the invention provides identity provider (IdP) equipment, comprising: an identity authentication unit, a storage unit and a feedback information unit;
the identity authentication unit is used to authenticate a user's identity, to receive a request from an authenticated user to federate the identity information of at least two users, and to save the federation information to the storage unit;
the storage unit is used to save the federation information;
the feedback information unit is used, when an identity authentication request for a user is received from service provider equipment, to search the storage unit for whether the user has federation information and, if so, to return the user's federation information to the service provider equipment.
An embodiment of the invention provides a Web service providing system, comprising service provider equipment and attribute provider equipment;
the service provider equipment is used to receive a service request sent by a first user and to be carried out for a second user, the service request comprising the first user's identity information and the second user's identity information, and to send an attribute query request for the second user to the attribute provider equipment, the attribute query request comprising the first user's identity information and the second user's identity information; the service provider equipment is also used, after obtaining the second user's attribute information returned by the attribute provider equipment, to serve the second user according to the second user's attribute information;
the attribute provider equipment is used to judge whether the first user has authority to query the second user's attributes and, if the result of the judgement is that the first user has authority, to perform the attribute query and return the queried attribute information of the second user to the service provider equipment.
With the above technical scheme, the beneficial technical effects of the embodiments of the invention are:
In the embodiments of the invention, the attribute provider equipment receives an attribute query request for a second user sent by service provider equipment, the attribute query request comprising the first user's identity information and the second user's identity information; the attribute provider equipment judges whether the first user has authority to query the second user's attributes; and if the result of the judgement is that the first user has authority, the attribute provider equipment performs the attribute query and returns the queried attribute information of the second user to the service provider equipment. With the technical scheme of the embodiments, a user can query the attribute information of other users, so one user can help other users complete the corresponding service; this increases the diversity of services an SP can provide to users, improves the user experience and raises service efficiency.
Description of drawings
Fig. 1 is a flow chart of the user attribute inquiry method of embodiment one of the invention;
Fig. 2 is a flow chart of the user attribute inquiry method of embodiment two of the invention;
Fig. 3 is a flow chart of the Web service providing method of embodiment three of the invention;
Fig. 4 is a schematic diagram of the logical structure of the attribute provider equipment of embodiment four of the invention;
Fig. 5 is a schematic diagram of one logical structure of the judging unit of embodiment four of the invention;
Fig. 6 is a schematic diagram of another logical structure of the judging unit of embodiment four of the invention;
Fig. 7 is a schematic diagram of a further logical structure of the judging unit of embodiment four of the invention;
Fig. 8 is a schematic diagram of the logical structure of the identity provider equipment of embodiment five of the invention;
Fig. 9 is a schematic diagram of the logical structure of the service provider system of embodiment six of the invention;
Fig. 10 is a signalling diagram between entities for the user attribute inquiry method of embodiment seven of the invention;
Fig. 11 is a signalling diagram between entities for the user attribute inquiry method of embodiment eight of the invention;
Fig. 12 is a signalling diagram between entities for the user attribute inquiry method of embodiment nine of the invention.
Embodiments
The embodiments of the invention provide a user attribute inquiry method, a service providing method and equipment that enable a user to query the attribute information of other users.
The user attribute inquiry method, service providing method and equipment provided by the invention are described in detail below.
Embodiment one, a user attribute inquiry method, whose flow chart is shown in Fig. 1, comprises:
B1. The attribute provider equipment receives an attribute query request for a second user sent by service provider equipment; the attribute query request comprises the first user's identity information and the second user's identity information.
B2. The attribute provider equipment judges whether the first user has authority to query the second user's attributes; if so, continue with step B3; if not, continue with step B4.
B3. The attribute provider equipment performs the attribute query and returns the queried attribute information of the second user to the service provider equipment.
B4. Notify the service provider equipment that there is no authority and the query cannot be made.
With the technical scheme of embodiment one, a user can query the attribute information of other users, so that after logging in to the SP a user can help other users complete the corresponding service and have the corresponding business provided for them; this increases the diversity of services an SP can provide to users, improves the user experience and raises service efficiency.
Embodiment two, a user attribute inquiry method, whose flow chart is shown in Fig. 2, comprises:
C1. The service provider equipment receives a service request sent by a first user and to be carried out for a second user; the service request comprises the second user's identity information.
C2. The service provider equipment interacts with the identity provider (IdP) equipment to authenticate the first user's identity information; if authentication passes, continue with step C4; if authentication fails, continue with step C3.
In this embodiment, the process of authenticating the first user's identity information comprises:
the service provider equipment sends a user authentication request to the identity provider equipment;
the identity provider equipment authenticates the first user and returns the authentication result.
C3. Notify the first user that authentication failed and refuse to provide the service.
C4. The service provider equipment sends an attribute query request for the second user to the attribute provider equipment; the attribute query request comprises the second user's identity information.
It should be understood that the service provider can obtain the address of the attribute provider equipment by interacting with the discovery server. What the invention emphasizes is that existing service provider equipment is capable of obtaining the address of the attribute provider equipment and communicating with it; how the attribute provider address is obtained can be done in the usual manner and is not elaborated here.
C5. The attribute provider equipment judges whether the first user has authority to query the second user's attributes; if so, continue with step C6; if not, continue with step C7.
In this embodiment, judging whether the first user has authority can be done in several ways;
several feasible ways are listed below, and the specific way chosen does not limit the invention.
Mode one:
The attribute provider equipment sends a confirmation (authentication) request to the second user; the request comprises the first user's identity information;
the second user judges whether the first user's equipment has authority to query the attributes, and returns the judgement result to the attribute provider equipment.
In mode one, when the attribute provider equipment confirms the first user's query authority with the second user, the communication between the attribute provider equipment and the second user's equipment can go through an interaction server that performs the signalling conversion.
Mode two: the attribute provider equipment compares the first user's identity information with the second user's attribute access-rights list; if the first user's identity information belongs to that attribute access-rights list, the first user is judged to have query authority.
It should be understood that the attribute access-rights list is kept at the attribute provider equipment, and a user can configure it by interacting with the attribute provider equipment, specifically:
the first user and the second user negotiate and authenticate each other; after authentication, the second user configures the attribute access-rights list for the first user according to the negotiation; the attribute access-rights list is kept at the attribute provider equipment. Configuration here can mean generating the attribute access list or adding to or modifying an existing attribute access list.
A more detailed form of the attribute access list can be seen in embodiment nine.
Mode three:
The attribute provider equipment judges whether the attribute query request for the second user sent by the service provider equipment comprises federation information that federates the first user and the second user;
if it does, the first user is judged to have authority.
It should be understood that the federation information of the first user and the second user can be pre-configured by the users through a specific channel, for example:
before the service provider equipment receives the service request sent by the first user and to be carried out for the second user, the method comprises:
the identity provider equipment establishes a federation between the first user's identity information and the second user's identity information and saves the federation information.
The federation information here can be used to prove the trust relationship between the second user and the first user. The federation information can comprise the binding relationship between the first user's identity information and the second user's identity information, and can also comprise the types of attribute information that the second user opens to the first user, and so on.
In step C2, the interaction between the service provider equipment and the identity provider equipment to authenticate the first user may further comprise:
the identity provider equipment searches whether the first user has federation information and, if so, returns the federation information to the service provider equipment;
the attribute query request for the second user received from the service provider equipment then comprises the federation information.
C6. The attribute provider equipment performs the attribute query and returns the queried attribute information of the second user to the service provider equipment.
C7. Notify the service provider equipment that there is no authority and the query cannot be made.
In this embodiment, when the attributes consulted in a query for another user's attributes are content that can only be consulted with that user's agreement, the confirmation of trust between the users is fully taken into account. For the case of a user consulting another user's attribute information, three concrete preferred implementations of query authority are given, illustrating the constraint imposed by the trust relationship between users, which better realizes the technical solution of the invention.
Embodiment three, a service providing method, whose flow chart is shown in Fig. 3, comprises:
D1. The service provider equipment receives a service request sent by a first user and to be carried out for a second user; the service request comprises the first user's identity information and the second user's identity information.
It should be understood that, after receiving the service request sent by the first user for the second user, the method further comprises: the service provider equipment authenticates the first user's identity information, and if authentication passes, continues with step D2.
Specifically, the process of authenticating the first user can comprise:
sending a user authentication request to the identity provider equipment;
the identity provider equipment authenticates the first user and returns the authentication result.
It should be understood that, after the user authentication request is sent to the identity provider equipment, the embodiment may further comprise:
receiving the federation information between the first user and the second user, which the identity provider returns when it finds that the first user has federation information;
including that federation information in the attribute query request for the second user sent to the attribute provider equipment. Generally, the federation information can be returned together with the first user's authentication result.
D2. The service provider equipment sends an attribute query request for the second user to the attribute provider equipment; the attribute query request comprises the first user's identity information and the second user's identity information.
D3. The attribute provider equipment judges whether the first user has authority to query the second user's attributes; if so, continue with step D5; if not, continue with step D4.
D4. Notify the first user of the authentication failure and refuse to provide the service.
D5. The attribute provider equipment performs the attribute query and returns the queried attribute information of the second user to the service provider equipment.
D6. After obtaining the second user's attribute information, the service provider equipment serves the second user according to the second user's attribute information.
It should be understood that step D6 may be followed by: the attribute provider equipment returns the result of the service to the first user.
One of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, comprises the following steps:
the attribute provider equipment receives an attribute query request for a second user sent by service provider equipment, the attribute query request comprising the first user's identity information and the second user's identity information;
the attribute provider equipment judges whether the first user has authority to query the second user's attributes, and if the result of the judgement is that the first user has authority, the attribute provider equipment performs the attribute query and returns the queried attribute information of the second user to the service provider equipment.
The storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, or the like.
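The following is an added example, not code from the patent or from Huawei: a minimal Python model of the exchange described in embodiments two and three, with the identity provider keeping federation information, the attribute provider applying the three authority-judging modes (federation information in the request, the second user's access-rights list, and confirmation by the second user), and the service provider tying the steps together. All class and method names, the consent callback standing in for the interaction-server round trip, and the sample users and attributes are assumptions made for this example. Embodiment four's judging-unit variants (units 521/522, 523/524 and 525/526) are the same three checks.

```python
# Added example, not the patent's own code: a minimal model of the attribute
# query flow of embodiments two and three. Class and method names, the consent
# callback and all sample users/attributes are assumptions made for this example.


class IdentityProvider:
    """IdP: authenticates users and keeps federation information (embodiment five)."""

    def __init__(self, credentials):
        self._credentials = credentials      # user -> password (constructed sample)
        self._federations = {}               # user -> set of federated users

    def authenticate(self, user, password):
        return self._credentials.get(user) == password

    def federate(self, user_a, user_b):
        """Both users must already be authenticated; record the binding both ways."""
        self._federations.setdefault(user_a, set()).add(user_b)
        self._federations.setdefault(user_b, set()).add(user_a)

    def federation_info(self, user):
        # Returned to the SP together with the authentication result (step C2 / D1).
        return frozenset(self._federations.get(user, ()))


class AttributeProvider:
    """AP: holds attributes and decides whether the first user may query them."""

    def __init__(self, attributes, consent=None):
        self._attributes = attributes        # user -> {attribute name: value}
        self._acl = {}                       # owner -> {grantee: set of attribute names}
        self._consent = consent              # mode one: callback asking the second user

    def configure_acl(self, owner, grantee, names):
        """Mode two: the second user (owner) grants the first user (grantee) a list."""
        self._acl.setdefault(owner, {})[grantee] = set(names)

    def _has_authority(self, first, second, federation):
        if second in federation:             # mode three: federation info in the request
            return True
        if first in self._acl.get(second, {}):   # mode two: access-rights list
            return True
        # Mode one: confirm with the second user (in practice via an interaction server).
        return self._consent is not None and self._consent(second, first)

    def query(self, first, second, federation=frozenset()):
        """Steps C5-C7: None means 'no authority, cannot query'."""
        if not self._has_authority(first, second, federation):
            return None
        attrs = dict(self._attributes.get(second, {}))
        allowed = self._acl.get(second, {}).get(first)
        if allowed is not None:              # the list also limits which attributes are opened
            attrs = {k: v for k, v in attrs.items() if k in allowed}
        return attrs


class ServiceProvider:
    """SP: authenticates the first user, queries the AP, serves the second user."""

    def __init__(self, idp, ap):
        self._idp, self._ap = idp, ap

    def serve(self, first, password, second):
        if not self._idp.authenticate(first, password):       # steps C2 / C3
            return {"status": "auth_failed"}
        federation = self._idp.federation_info(first)
        attrs = self._ap.query(first, second, federation)     # steps D2-D5
        if attrs is None:
            return {"status": "no_authority"}
        return {"status": "ok", "served": second, "attributes": attrs}   # step D6


def scenarios():
    """Run the three authorization modes and the two failure paths on sample data."""
    idp = IdentityProvider({"alice": "pw-a", "bob": "pw-b", "carol": "pw-c", "dave": "pw-d"})
    consents = {("dave", "alice")}           # mode one stand-in: dave has confirmed alice
    ap = AttributeProvider(
        {"bob": {"location": "Shenzhen", "phone": "555-0100"},
         "carol": {"location": "Beijing"},
         "dave": {"email": "dave@example.test"}},
        consent=lambda owner, requester: (owner, requester) in consents,
    )
    sp = ServiceProvider(idp, ap)
    results = {
        "wrong_password": sp.serve("alice", "bad", "bob"),
        "no_grant": sp.serve("alice", "pw-a", "bob"),
    }
    ap.configure_acl("bob", "alice", {"location"})      # mode two: only location opened
    results["acl"] = sp.serve("alice", "pw-a", "bob")
    idp.federate("alice", "carol")                      # mode three: federation at the IdP
    results["federation"] = sp.serve("alice", "pw-a", "carol")
    results["consent"] = sp.serve("alice", "pw-a", "dave")   # mode one
    return results


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The order of the checks follows the text's remark that federation information is carried with the authentication result: a federation recorded at the IdP grants the query without a round trip to the second user, an access-rights list both grants and narrows the attributes returned, and only when neither applies is the second user asked. Every refusal path returns the same "no authority" notice to the SP, so the SP learns nothing about which of the second user's attributes exist.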
Embodiment four, attribute provider equipment 500, whose logical structure is shown in Fig. 4, comprises: a query request receiving unit 510, a judging unit 520, an attribute query unit 530 and a feedback unit 540;
the query request receiving unit 510 is used to receive an attribute query request for a second user sent by service provider equipment; the attribute query request comprises the first user's identity information and the second user's identity information;
the judging unit 520 is used to judge, according to the request, whether the first user has authority to query the second user's attributes; if the result of the judgement is that the first user has authority, it notifies the attribute query unit 530 to query the second user's attributes;
the attribute query unit 530 is used to perform the attribute query according to the notification from the judging unit;
the feedback unit 540 is used to return the second user's attribute information queried by the attribute query unit 530 to the service provider equipment.
In this embodiment, the judging unit 520 can adopt different judging modes.
Referring also to Fig. 5, which shows one logical structure of the judging unit 520:
the judging unit 520 can comprise a list storage unit 521 and a comparing unit 522;
the list storage unit 521 is used to store the second user's attribute access-rights list;
the comparing unit 522 is used to compare the first user's identity information with the second user's attribute access-rights list stored in the list storage unit 521, and if the first user's identity information belongs to that attribute access-rights list, to judge that the first user has query authority.
Referring also to Fig. 6, which shows another internal logical structure of the judging unit:
the judging unit 520 comprises an authentication request unit 523 and an authentication response receiving unit 524;
the authentication request unit 523 is used to send a confirmation (authentication) request to the second user; the request comprises the first user's identity information;
the authentication response receiving unit 524 is used to receive the confirmation result returned by the second user's equipment; the confirmation result indicates whether the first user has authority to query the second user's attributes.
Referring also to Fig. 7, which shows a further internal logical structure of the judging unit:
the judging unit 520 comprises a federation information checking unit 525 and a decision unit 526;
the federation information checking unit 525 is used to check whether the attribute query request for the second user received by the query request receiving unit comprises federation information that federates the first user and the second user, and to send the check result to the decision unit;
the decision unit 526 is used, when the check result of the checking unit is that federation information is present, to notify the query unit to perform the query of the second user's attributes.
Embodiment five, identity provider equipment 900, whose structure is shown in Fig. 8, comprises: an identity authentication unit 910, a storage unit 920 and a feedback information unit 930;
the identity authentication unit 910 is used to authenticate a user's identity, to receive a request from an authenticated user to federate the identity information of at least two users, and to save the federation information to the storage unit 920;
the storage unit 920 is used to save the federation information;
the feedback information unit 930 is used, when an identity authentication request for a user is received from service provider equipment, to search the storage unit 920 for whether the user has federation information and, if so, to return the user's federation information to the service provider equipment.
Embodiment six, a service provider system, whose logical structure is shown in Fig. 9, comprises: service provider equipment 1010 and attribute provider equipment 1020;
the service provider equipment 1010 is used to receive a service request sent by a first user and to be carried out for a second user, the service request comprising the first user's identity information and the second user's identity information, and to send an attribute query request for the second user to the attribute provider equipment 1020, the attribute query request comprising the first user's identity information and the second user's identity information; the service provider equipment is also used, after obtaining the second user's attribute information returned by the attribute provider equipment 1020, to serve the second user according to the second user's attribute information;
the attribute provider equipment 1020 is used to judge whether the first user has authority to query the second user's attributes and, if the result of the judgement is that the first user has authority, to perform the attribute query and return the queried attribute information of the second user to the service provider equipment 1010.
Below in conjunction with concrete application scenarios technical solution of the present invention is described in detail, in following examples, all is implemented in the OWSER NI network.
Embodiment seven, a kind of method of user attribute inquiry, pass through this programme, user A can land at SP, authentication by Idp then, provide the attribute service merchant address of the required user of consulting B by the service of finding again, by the authentication of user B, user A can obtain user B by SP and allow some attribute of consulting.
The main thought of present embodiment scheme is that user A can serve for user B by SP.OWSER NI on the ordinary meaning is that the user provides service for self by the SP querying attributes, but just need inquire about the user property of required service when occur needing by certain user terminal for the situation of other users' services when generation is served.Usually our said attribute all is to be kept in the logical address that is called the attribute service merchant.For example user position information is exactly a kind of attribute, provides the service provider of this attribute just may go to search home subscriber server equipment such as (HSS) so, determines user position information.Consider the problem of privacy aspect, some attribute of user can not directly offer other people, therefore just needs this user to agree when consulting some attribute.
The precondition of present embodiment is the authentication that user A and B have passed through Idp.Belong to prior art alternately in the present embodiment between user A/B and service provider SP and the interactive service,, still show in the drawings here, distinguish with a/b/c/d respectively for can be more complete process be showed.
The signaling diagram of inter-entity comprises as shown in figure 10:
F1, user A lands service provider SP;
Service provider SP proposes the request that attribute is searched to attribute provider;
The service provider can use the mechanism of Liberty Data Service Template (DST) definition to come to initiate inquiry to attribute provider.In this case, a service provider must use<Query〉element, and the necessary use<QueryResponse in to ISP's response of attribute provider element.Be one<Query below〉example, its resource is with resource IDhttp: //OWSER-attributeprovider.com/u6gh8jlx90bt8h1o is as sign., to name and home address as inquiry:
<Query>
  <ResourceID>http://OWSER-attribute-provider.com/u6gh8jlx90bt8h1o</ResourceID>
  <QueryItem itemID="name">
    <Select>/pp:PP/pp:CommonName</Select>
  </QueryItem>
  <QueryItem itemID="home">
    <Select>/pp:PP/pp:AddressCard[pp:AddressType="urn:liberty:id-sis-pp:addrType:home"]</Select>
  </QueryItem>
</Query>
F2, in order to obtain the other user's authorization, the attribute service provider must send a request to that user through the interaction service;
The attribute service provider sends an <InteractionRequest> element to the interaction service. Below is an example <InteractionRequest>:
<InteractionRequest>
  <ResourceID>http://OWSER-attribute-provider.com/u6gh8jlx90bt8h1o</ResourceID>
  <Inquiry title="attribute-provider question">
    <Help moreLink="http://pip.example.com/help/attribute/read/consent">
      example.com is requesting your address. We do not have a rule that
      instructs us how you want us to process this request. Please pick one of
      the given options. Note that the last two options do prevent you from being
      prompted this question when example.com asks for your address again.
    </Help>
    <Select name="addresschoice">
      <Label>Do you want to share your address with attribute-provider.com?</Label>
      <Value>no</Value>
      <Item label="Not this time" value="no"/>
      <Item label="Yes, once" value="yes"/>
      <Item label="No, never" value="never">
        <Hint>We won't give out your address and won't ask you again</Hint>
      </Item>
      <Item label="Yes, always" value="always">
        <Hint>We will share your address now and in the future with service-provider.com</Hint>
      </Item>
    </Select>
  </Inquiry>
</InteractionRequest>
The example above is the request the attribute service provider sends to the interaction service in order to ask about querying user B's address attribute.
F4, the interaction service sends a message to user B asking whether B agrees to the attribute query;
The interaction service can send the query information to user B over HTTP, asking whether B permits the user attributes to be queried; in this example the attributes looked up are the user's name and address.
F5, the user feeds back the response to the query to the interaction server;
If the user agrees to the query of the name and address, the user can return the answer to the interaction service by an HTTP POST.
F6, the interaction service feeds back user B's response to the query to the attribute service provider;
After the interaction, the interaction service sends a response message containing an <InteractionResponse> element to the attribute service provider:
<InteractionResponse>
  <Status code="is:success"/>
  <InteractionStatement>
    <Inquiry title="Profile Provider Question" id="inquiry-3d4e2f8a37213b">
      <Select name="addresschoice">
        <Label>Do you want to share your address with service-provider.com?</Label>
        <Value>always</Value>
      </Select>
    </Inquiry>
    <ds:Signature>
      ....<ds:Reference>#inquiry-3d4e2f8a37213b</ds:Reference>....
    </ds:Signature>
  </InteractionStatement>
</InteractionResponse>
F7, the attribute server feeds back the query result to the SP according to the result returned by the interaction server;
If user B agrees to user A querying B's attributes, then in this step the attribute server returns the attributes of user B that were found.
Below is a <QueryResponse> example used to answer the <Query> request above. The common name returned for the resource is Dr. Genie Wunderkid, and an alternative common name is Dr. Genie Wunder; the resource's address is also provided.
<QueryResponse>
  <Status code="OK"/>
  <Data itemIDRef="name">
    <CommonName>
      <CN>Genie Wunderkid</CN>
      <AnalyzedName nameScheme="firstlast">
        <FN>Genie</FN>
        <SN>Wunderkid</SN>
        <PersonalTitle>Dr.</PersonalTitle>
      </AnalyzedName>
      <AltCN>Genie Wunder</AltCN>
    </CommonName>
  </Data>
  <Data itemIDRef="home">
    <AddressCard id="9812">
      <AddressType>urn:liberty:id-sis-pp:addrType:home</AddressType>
      <Address>
        <PostalAddress>c/o Senthil Sengodan$12278 Scripps Summit Drive</PostalAddress>
        <PostalCode>92131-2341</PostalCode>
        <L>San Diego</L>
        <ST>ca</ST>
        <C>us</C>
      </Address>
    </AddressCard>
  </Data>
</QueryResponse>
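The F1 to F8 exchange above, seen from the attribute provider's side, as an added Python illustration (this is not code from the patent or from Huawei). It assumes unprefixed XML element names (no namespace declarations), that user B's answer arrives in the <Value> of the <Select> inside <InteractionResponse>, an in-memory rule store, a status code "Failed" when nothing could be released, and constructed sample attribute values for user B. The point it shows that the prose leaves implicit is how the four answers differ: "yes" and "no" decide one request only, while "always" and "never" become rules that decide later requests without prompting B again.

```python
import xml.etree.ElementTree as ET

# Constructed sample data for user B, modelled on the page's DST examples.
RESOURCE_ID = "http://OWSER-attribute-provider.com/u6gh8jlx90bt8h1o"
NAME_SELECT = "/pp:PP/pp:CommonName"
HOME_SELECT = '/pp:PP/pp:AddressCard[pp:AddressType="urn:liberty:id-sis-pp:addrType:home"]'
USER_B_ATTRIBUTES = {  # select path -> stored value (constructed)
    NAME_SELECT: "Genie Wunderkid",
    HOME_SELECT: "12278 Scripps Summit Drive, San Diego",
}


def build_query(resource_id, items):
    """F1: the SP's DST <Query>; items is a list of (itemID, select path)."""
    q = ET.Element("Query")
    ET.SubElement(q, "ResourceID").text = resource_id
    for item_id, select in items:
        qi = ET.SubElement(q, "QueryItem", itemID=item_id)
        ET.SubElement(qi, "Select").text = select
    return ET.tostring(q, encoding="unicode")


def parse_query(query_xml):
    """Return (resource id, [(itemID, select path), ...]) from a <Query>."""
    root = ET.fromstring(query_xml)
    items = [(qi.get("itemID"), qi.findtext("Select")) for qi in root.findall("QueryItem")]
    return root.findtext("ResourceID"), items


def interaction_response(answer):
    """Constructed <InteractionResponse> (F6) carrying user B's answer; the
    ds:Signature of the page's example is omitted in this illustration."""
    return ('<InteractionResponse><Status code="is:success"/><InteractionStatement>'
            '<Inquiry title="attribute-provider question" id="inquiry-1">'
            '<Select name="addresschoice"><Label>Share with example.com?</Label>'
            f'<Value>{answer}</Value></Select></Inquiry></InteractionStatement>'
            '</InteractionResponse>')


def parse_interaction_response(xml):
    """Return the chosen value (no / yes / never / always) or None on failure."""
    root = ET.fromstring(xml)
    status = root.find("Status")
    if status is None or status.get("code") != "is:success":
        return None
    value = root.findtext("InteractionStatement/Inquiry/Select/Value")
    return value.strip() if value else None


class ConsentStore:
    """Remembers 'always' and 'never' per (owner, requester, attribute) so the
    owner is not prompted again; 'yes' and 'no' apply to one request only."""
    def __init__(self):
        self.rules = {}

    def lookup(self, owner, requester, attr):
        return self.rules.get((owner, requester, attr))

    def record(self, owner, requester, attr, answer):
        if answer in ("always", "never"):
            self.rules[(owner, requester, attr)] = answer


def authorize(store, owner, requester, attr, interaction_xml=None):
    """Decide whether attr may be released: a stored rule wins; otherwise the
    answer relayed by the interaction service decides and may become a rule."""
    rule = store.lookup(owner, requester, attr)
    if rule is not None:
        return rule == "always"
    if interaction_xml is None:      # no stored rule and no answer: deny
        return False
    answer = parse_interaction_response(interaction_xml)
    if answer is None:
        return False
    store.record(owner, requester, attr, answer)
    return answer in ("yes", "always")


def build_query_response(query_xml, store, owner, requester, interaction_xml=None):
    """F7: a <QueryResponse> carrying only the items the owner permitted."""
    _, items = parse_query(query_xml)
    resp = ET.Element("QueryResponse")
    status = ET.SubElement(resp, "Status")
    released = 0
    for item_id, select in items:
        if select in USER_B_ATTRIBUTES and authorize(store, owner, requester, select, interaction_xml):
            ET.SubElement(resp, "Data", itemIDRef=item_id).text = USER_B_ATTRIBUTES[select]
            released += 1
    # Assumption: "Failed" when nothing could be released (status codes vary by profile).
    status.set("code", "OK" if released else "Failed")
    return ET.tostring(resp, encoding="unicode")


def released_item_ids(response_xml):
    """Item ids present in a <QueryResponse>, i.e. what was actually released."""
    return [d.get("itemIDRef") for d in ET.fromstring(response_xml).findall("Data")]
```

Withheld items are simply absent from the response rather than reported with an error, so the SP learns nothing about attributes B refused beyond their absence; a "never" rule is honoured even if a later interaction reports "yes", which is what the <Hint> text of the request promises the user.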
F8, the SP feeds back the response to user A;
In this embodiment the attribute server's confirmation of access to user B's attributes may also be completed by other conventional implementations; the concrete manner does not limit the invention.
Embodiment eight, a method of user attribute query. In this embodiment user A provides a service for user B through the SP. Under this scheme, user A provides the service for user B after logging in to the SP. Before querying certain attributes of user B, user A is authorized by user B, the result being that user B agrees to let user A view certain of B's attributes.
The main idea of this scheme is that when user A needs to provide a service for user B through the SP, user A must first obtain user B's authorization; only then can user A use certain attributes of user B. Thereafter user A no longer needs an authorization process when obtaining user B's related attributes from the attribute service provider, and need only log in to the SP and be authenticated in order to operate conveniently on B's behalf.
The signalling between the entities in this embodiment is shown in Figure 11:
In this embodiment the authorization part is drawn with dotted lines and the service-provision part with solid lines.
G1. User A sends an authentication request to the IdP;
Since user A is going to provide a service for user B, user A first needs to be authenticated by the IdP. Once authenticated by the IdP, user A is shown to be a legitimate user in this circle of trust.
G2. The IdP authenticates user A;
The IdP is a special service provider role: it generates, maintains and manages users' identity information and can provide authentication assertions to the other service providers in the authentication domain (that is, the circle of trust). After authentication by the IdP, user A is a trusted user in the circle of trust.
G3. User A sends an authorization request to user B;
When user A requests B's authorization, A's identifying information, such as its ID, must be sent to user B along with the request. The IdP's authentication result for user A also needs to be sent to user B, to tell B that user A is a legitimate user authenticated in the circle of trust.
G4. User B is authenticated by the IdP. This authentication process may include a federation step;
First, user B is authenticated by the IdP; after authentication, B's authentication information can be kept at the IdP for use by subsequent services;
Second, user B can send to the IdP the identity information of user A that it received, federated with its own identity information. Through this step the IdP can record that A and B are to be federated. The concrete federation method may take many forms, this being one of them, but the idea is the same. The federated registration of user A's and user B's identities at the IdP can be one event within user B's authentication process.
G5. The IdP authenticates user B and records the federation of user A and user B;
After authentication by the IdP, user B is confirmed as a legitimate user of this circle of trust, and the information of A and B can be bound at the IdP, to tell later services that these two users have been authenticated by the IdP and that a federated relationship exists between them.
G6. User B sends an authorization message to user A;
After user A has sent the authorization request to user B, user B feeds back an authorization message. Through this authorization user B decides whether A may help complete some service on B's behalf.
G7. User A logs in to the SP and obtains the service;
Logging in to the SP belongs to the prior art and can be done by means such as HTTP; it is not described further here. What should be noted is that when logging in to the SP, user A needs to bring along the federation information with B, to notify the SP that user A is going to assist B in obtaining the service.
G8. The SP authenticates A;
The SP consults the IdP and obtains the record of the federation of A and B.
G9. The IdP feeds back the authentication record of A and B and the federation record;
G10. The SP queries the related attributes according to the service A requires;
The attributes the SP queries may be attributes of user B, so B's attributes must be looked up at the attribute service provider. This step omits the SP's retrieval of the AP's information from the discovery service. The SP can send the federation information of A and B to the AP along with the query.
G11. The AP feeds back to user A the relevant information according to the user B attributes that A looked up;
From the federation information confirmed by the IdP, the AP confirms that A is a user legitimately authorized by B, so user B's attribute server can provide such an attribute query for A.
G12. After the SP obtains the attribute information, it processes it and sends the final service result to user A.
The result can be delivered in several ways, for example via the PS domain or the CS domain; no detailed explanation is given here.
In this embodiment the federation of user A and user B is only illustrated; if other ways exist, for example reaching the same goal by telephone number, e-mail address, user ID or the like, they can achieve the same purpose and the principle is the same.
Embodiment nine, a method of user attribute query. In this embodiment user A provides a service for user B through the SP. Under this scheme, user B can set up a related-attribute access permission list at the AP; the users listed in the table obtain access permission to certain attributes of B. In this way user A can obtain access permission to certain attributes in the table.
The main idea of this scheme is that before user A obtains a service for user B through the SP, A can negotiate authorization with B; through such authorization B generates a related-attribute access permission list for A, and user B can at the same time send this list to the attribute server for storage, for use by subsequent services.
The signalling between the entities is shown in Figure 12 and comprises:
The prerequisite of this embodiment is that user B has been authenticated by the IdP.
H1, in order to log in to the SP and complete a service for user B, user A first needs to obtain user B's authorization;
This authorization process can be completed in several ways, for example by sending request information so that user B knows the requester is user A;
H2, user B logs in to SP1;
Login may use means such as HTTP; no detailed explanation is given here;
H3, SP1 checks the authentication state of user B through the IdP;
H4, the IdP answers the request with an authentication assertion describing the user's authentication state;
H5, SP1 provides the attribute modification service;
The trusted-object list of user B is maintained at the attribute provider and can be modified via the SP: SP1 proposes the modification to the AP. The service provider must use the <Modify> element, and the attribute provider's response to the service provider must use the <ModifyResponse> element.
User B's trusted-object list may have a form similar to Table 1 below:
Table 1

    User B attribute    User B trusted object
    Name                A
    Address             A
    Location            C, D
    ......              ......
The trusted-object list above is only an example; if other forms are used to represent it, the principle is the same.
H6, the attribute provider feeds back the result of the trusted-object list modification;
The modified result may take the form of Table 2.
Table 2

    User B attribute    User B trusted object
    Name                A
    Address             A
    Location            A, C, D
    ......              ......
Here user A has been given permission to access user B's location attribute.
H7, SP1 feeds back the modified result to user B; the feedback can take many forms;
H8, user B feeds back the authorization response to user A;
After user B has added permission for user A to use certain attributes, the result is fed back to user A.
H9, user A initiates IdP authentication;
H10, the IdP feeds back the authentication result to user A;
H11, user A logs in to service provider SP2;
After logging in to SP2, user A wishes to complete some service for user B;
H12, SP2 checks the authentication state of user A;
H13, the IdP feeds back user A's authentication state to SP2, returning an authentication assertion;
H14, completing the service for user B requires certain attributes of user B, so SP2 looks up those attributes of user B at the AP;
Because user B has added user A to the access permission for certain attributes, user A can obtain the attributes that user B offers. In this process, however, the AP must compare the party obtaining the attributes against the related-attribute access permission list.
H15, if the AP finds that user A may obtain user B's address information, the AP feeds back the result to SP2;
H16, SP2 feeds back the final service result to user A; the feedback can take many forms, for example over HTTP.
The related-attribute access permission list in this embodiment, and its maintenance at the AP, are only illustrated; if similar ways exist, the principle is the same.
Embodiment ten: in this embodiment user B can make certain of its own attributes public, so that other users are allowed to perform certain operations or services for B.
The main idea of this scheme is that user B discloses certain general information about itself at the attribute service provider in advance, so that other users can complete certain operations or services for user B without B's authorization. This embodiment supplements embodiment three, the difference being that certain attributes are set to be open to everyone; only some modifications are made to the stored attribute information.
The modification may be concentrated in the attribute information maintained at the attribute provider AP, for example in the form of Table 3 below:
Table 3

    User B attribute    User B trusted object     Object's permission
    Name                C                         Readable
    Sex                 C                         Readable
    Address             All users (Anybody)       Readable
    Location            C, D, E                   Readable
    ......              ......                    ......
The AP maintains a number of such user attribute tables. The table can be modified by user B, but this requires authentication by the IdP and is done through the service provider. From the table above it can be seen that user B's name can be seen and is read-only, and that the address information is shown as open for anyone to consult. Once the attribute service provider maintains such a table, when another user wants to view certain attributes of user B it is only necessary to consult this list at the attribute provider and find out whether the user has agreed to grant access.
User B's maintenance or modification of this list is the same as in the previous embodiment.
The attribute service provider's user attribute list given in this embodiment is only an illustration; if other ways exist to store attribute information or to complete similar attribute operations, the principle is the same and all fall within the scope of protection.
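Embodiments eight, nine and ten give three ways for user A to be allowed to read user B's attributes: a federation record at the IdP, a trusted-object list per attribute at the AP (Tables 1 and 2), and attributes marked open to "Anybody" (Table 3). The following Python model, added here as an illustration and not code from the patent or from Huawei, puts the three checks in one AP decision and wires in the SP and IdP roles of steps G7 to G12 and H5/H6. Assumptions: the IdentityProvider, AttributeProvider, ServiceProvider and AclEntry names and their methods are invented for this example; credentials, attribute values and list contents are constructed; a federation record is taken to authorize any queried attribute of B; only the owner, while authenticated at the IdP, may change its own trusted list (the "authenticate via the IdP, modify through the SP" requirement of embodiment ten).

```python
from dataclasses import dataclass, field

ANYBODY = "Anybody"   # wildcard of Table 3 for attributes open to every user


class IdentityProvider:
    """IdP: authenticates users (G1/G2, G4) and keeps federation records (G5)."""
    def __init__(self, credentials):
        self._credentials = dict(credentials)   # user id -> secret (constructed)
        self._authenticated = set()
        self._federations = set()                # (requester, owner) pairs

    def authenticate(self, user, secret):
        ok = self._credentials.get(user) == secret
        if ok:
            self._authenticated.add(user)
        return ok

    def is_authenticated(self, user):
        return user in self._authenticated

    def federate(self, requester, owner):
        """G4/G5: the owner registers the requester's identity with its own;
        both must already hold an IdP authentication."""
        if not (self.is_authenticated(requester) and self.is_authenticated(owner)):
            return False
        self._federations.add((requester, owner))
        return True

    def federation(self, requester, owner):
        """G9: the federation record the SP asks the IdP for."""
        return (requester, owner) in self._federations


@dataclass
class AclEntry:
    trusted: set = field(default_factory=set)   # user ids, or {ANYBODY}
    permission: str = "readable"


class AttributeProvider:
    """AP: stores attributes and the per-attribute trusted-object list."""
    def __init__(self):
        self._attributes = {}   # owner -> {attr: value}
        self._acl = {}          # owner -> {attr: AclEntry}

    def store(self, owner, attr, value, trusted=(), permission="readable"):
        self._attributes.setdefault(owner, {})[attr] = value
        self._acl.setdefault(owner, {})[attr] = AclEntry(set(trusted), permission)

    def modify_trusted(self, idp, owner, attr, add):
        """H5/H6: only the authenticated owner may extend its trusted list."""
        if not idp.is_authenticated(owner) or attr not in self._acl.get(owner, {}):
            return False
        self._acl[owner][attr].trusted.update(add)
        return True

    def permitted(self, requester, owner, attr, federated):
        entry = self._acl.get(owner, {}).get(attr)
        if entry is None or entry.permission != "readable":
            return False
        if ANYBODY in entry.trusted:        # embodiment ten: public attribute
            return True
        if requester in entry.trusted:       # embodiment nine: trusted list
            return True
        return federated                     # embodiment eight: IdP federation record (assumed to cover any attribute)

    def query(self, requester, owner, attrs, federated=False):
        """G10/H14: release only permitted attributes; the rest are absent."""
        return {a: self._attributes[owner][a] for a in attrs
                if a in self._attributes.get(owner, {})
                and self.permitted(requester, owner, a, federated)}


class ServiceProvider:
    """SP: authenticates the requester via the IdP, fetches the federation
    record and forwards the query together with it (G7 to G12)."""
    def __init__(self, idp, ap):
        self.idp, self.ap = idp, ap

    def serve(self, requester, owner, attrs):
        if not self.idp.is_authenticated(requester):   # claim 9: authenticate first
            return None
        federated = self.idp.federation(requester, owner)
        return self.ap.query(requester, owner, attrs, federated)
```

The decision order matters for auditing: a public attribute is released regardless of who asks, a listed requester is released on the list alone, and the federation record is the fallback. An SP that forwards a forged "federated" flag would bypass the list, which is why the model has the SP fetch the record from the IdP rather than trust what the requester brought along at login.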
The method of user attribute query, the method of providing a service and the equipment provided by the present invention have been described in detail above, in which:
In one embodiment of the invention, the attribute provider device receives an attribute query request for a second user's attributes sent by a service provider device; the attribute query request contains a first user's identity information and the second user's identity information; the attribute provider device judges whether the first user has permission to query the second user's attributes; if the judgement result is that permission exists, the attribute provider device performs the attribute query and returns the second user's attribute information found to the service provider device. By the technical scheme of the embodiments of the invention a user can query other users' attribute information, so that after logging in to the SP a user can help other users complete the corresponding services and provide services for them; this increases the variety of services the SP offers its users, enhances the user experience and improves service efficiency.
In other embodiments of the invention, where the attribute a user views when querying another user's attributes is content that requires that user's consent, the question of confirming trust between users is fully taken into account. Three concrete preferred implementations of the query permission are given for the case where a user views other users' attribute information, and the constraint of the trust relationship between users is illustrated, realising the technical solution of the invention better.
Those of ordinary skill in the art, following the idea of the embodiments of the invention, may vary the specific embodiments and the scope of application; in summary, this description should not be construed as limiting the invention.

Claims (18)

1. A method of user attribute query, characterised in that it comprises:
receiving an attribute query request for a second user's attributes sent by a service provider device, the attribute query request containing a first user's identity information and the second user's identity information;
judging whether the first user has permission to query the second user's attributes; if the judgement result is that permission exists, performing the attribute query and returning the second user's attribute information found to the service provider device.
2. The method of user attribute query of claim 1, characterised in that the step of judging whether the first user has permission to query the second user's attributes comprises:
sending an authorization request to the second user, the authorization request containing the first user's identity information;
the second user judging whether the first user's device has permission to query the attributes, and returning the judgement result.
3. The method of user attribute query of claim 1, characterised in that the step of judging whether the first user has permission to query the second user's attributes comprises:
comparing the first user's identity information with the second user's related-attribute access permission list; if the first user's identity information belongs to the related-attribute access permission list, judging that the first user has permission to query.
4. The method of user attribute query of claim 3, characterised in that it further comprises:
the first user and the second user negotiating authorization; after the authorization, the second user configuring the related-attribute access permission list for the first user; the related-attribute access list being stored at the attribute provider device.
5. The method of user attribute query of claim 4, characterised in that it further comprises:
the first user and the second user negotiating authorization; after the authorization, the second user configuring the related-attribute access permission list for the first user; the related-attribute access list being stored at the attribute provider device.
6. The method of user attribute query of claim 1, characterised in that the step of judging whether the first user has permission to query the second user's attributes comprises:
judging whether the attribute query request for the second user's attributes sent by the service provider device contains federation information federating the first user and the second user;
if it does, judging that the first user has permission.
7. The method of user attribute query of any one of claims 1 to 5, characterised in that, after returning the second user's attribute information found to the service provider device, it further comprises:
the service provider device sending the second user's attribute information to the first user.
8. A method of providing a service, characterised in that it comprises:
receiving a service request sent by a first user that is to be carried out for a second user, the service request containing the first user's identity information and the second user's identity information;
sending an attribute query request for the second user's attributes to an attribute provider device, the attribute query request containing the first user's identity information and the second user's identity information;
receiving the second user's attribute information returned by the attribute provider device when it judges that the first user has permission to query the second user's attributes;
providing the service for the second user according to the second user's attribute information.
9. The method of providing a service of claim 8, characterised in that, after receiving the service request sent by the first user to be carried out for the second user, it further comprises: authenticating the first user's identity information and, if the authentication passes, continuing with the step of sending the attribute query request for the second user's attributes to the attribute provider device.
10. The method of providing a service of claim 9, characterised in that the step of authenticating the first user's identity information comprises:
sending a user authentication request to an identity provider device;
the identity provider device authenticating the first user and returning the authentication result.
11. The method of user attribute query of claim 9, characterised in that, after sending the user authentication request to the identity provider device, it further comprises:
receiving the federation information of the first user and the second user that the identity provider returns when it finds that the first user has federation information;
including the federation information in the attribute query request for the second user's attributes sent to the attribute provider device.
12. The method of providing a web service of any one of claims 8 to 11, characterised in that, after providing the service for the second user according to the second user's attribute information, it comprises:
the attribute provider device returning the result of the service to the first user.
13. An attribute provider device, characterised in that it comprises: a query request receiving unit, a judging unit, an attribute query unit and a feedback unit;
the query request receiving unit receives an attribute query request for a second user's attributes sent by a service provider device, the attribute query request containing a first user's identity information and the second user's identity information;
the judging unit judges whether the first user has permission to query the second user's attributes; if the judgement result is that permission exists, it notifies the attribute query unit to query the second user's attributes;
the attribute query unit performs the attribute query according to the notification of the judging unit;
the feedback unit returns the second user's attribute information found by the attribute query unit to the service provider device.
14. The attribute provider device of claim 13, characterised in that the judging unit comprises: a list storage unit and a comparing unit;
the list storage unit stores the second user's related-attribute access permission list;
the comparing unit compares the first user's identity information with the second user's related-attribute access permission list stored in the list storage unit and, if the first user's identity information belongs to the related-attribute access permission list, judges that the first user has permission to query.
15. The attribute provider device of claim 13, characterised in that the judging unit comprises: an authorization request unit and an authorization response receiving unit;
the authorization request unit sends an authorization request to the second user, the authorization request containing the first user's identity information;
the authorization response receiving unit receives the authorization result returned by the second user's device, the authorization result indicating whether the first user has permission to query the second user's attributes.
16. The attribute provider device of claim 13, characterised in that the judging unit comprises: a federation information inspection unit and a decision unit;
the federation information inspection unit checks whether the attribute query request for the second user's attributes received by the query request receiving unit contains federation information federating the first user and the second user, and sends the check result to the decision unit;
the decision unit notifies the query unit to query the second user's attributes when the check result of the inspection unit indicates that federation information is present.
17. An identity provider device, characterised in that it comprises: an identity authentication unit, a storage unit and an information feedback unit;
the identity authentication unit authenticates a user's identity and receives requests from authenticated users; it federates the identity information of at least two users and stores the federation information in the storage unit;
the storage unit stores the federation information;
the information feedback unit, on receiving an identity authentication request for a user from a service provider device, looks up in the storage unit whether the user has federation information and, if so, returns the user's federation information to the service provider device.
18. A service provider system, characterised in that it comprises: a service provider device and an attribute provider device;
the service provider device receives a service request sent by a first user that is to be carried out for a second user, the service request containing the first user's identity information and the second user's identity information; it sends an attribute query request for the second user's attributes to the attribute provider device, the attribute query request containing the first user's identity information and the second user's identity information; after obtaining the second user's attribute information returned by the attribute provider device, the service provider device provides the service for the second user according to that attribute information;
the attribute provider device judges whether the first user has permission to query the second user's attributes; if the judgement result is that permission exists, it performs the attribute query and returns the second user's attribute information found to the service provider device.
CNA2008100937894A 2008-04-18 2008-04-18 User attribute inquiry method, method providing service and equipment Pending CN101562627A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNA2008100937894A CN101562627A (en) 2008-04-18 2008-04-18 User attribute inquiry method, method providing service and equipment
PCT/CN2009/071342 WO2009127163A1 (en) 2008-04-18 2009-04-17 Method for user attribute query, method and equipment for providing service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100937894A CN101562627A (en) 2008-04-18 2008-04-18 User attribute inquiry method, method providing service and equipment

Publications (1)

Publication Number Publication Date
CN101562627A true CN101562627A (en) 2009-10-21

Family

ID=41198790

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100937894A Pending CN101562627A (en) 2008-04-18 2008-04-18 User attribute inquiry method, method providing service and equipment

Country Status (2)

Country Link
CN (1) CN101562627A (en)
WO (1) WO2009127163A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112769672B (en) * 2019-11-01 2022-07-29 腾讯科技(深圳)有限公司 Data communication method and device and communication configuration method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6092201A (en) * 1997-10-24 2000-07-18 Entrust Technologies Method and apparatus for extending secure communication operations via a shared list
CN100433736C (en) * 2005-11-01 2008-11-12 中国移动通信集团公司 Method for sharing instant news data
CN100442694C (en) * 2006-01-26 2008-12-10 华为技术有限公司 Virtual image realizing method and system
CN100490409C (en) * 2006-06-08 2009-05-20 腾讯科技(深圳)有限公司 Method for implementing social network service in network communication

Also Published As

Publication number Publication date
WO2009127163A1 (en) 2009-10-22

Similar Documents

Publication Publication Date Title
US20200380534A1 (en) Proxy-Based Profile Management to Deliver Personalized Services
US10333941B2 (en) Secure identity federation for non-federated systems
US8245051B2 (en) Extensible account authentication system
US7221935B2 (en) System, method and apparatus for federated single sign-on services
US7865173B2 (en) Method and arrangement for authentication procedures in a communication network
CN1901448B (en) Access identification system in communication network and realizing method
US7913291B2 (en) Means and method for control of personal data
US20070033644A1 (en) System and method for the secure enrollment of devices with a clearinghouse server for internet telephony and multimedia communications
US20090019517A1 (en) Method and System for Restricting Access of One or More Users to a Service
RU2509360C1 (en) Method of creating payment system
CN101867589A (en) Network identification authentication server and authentication method and system thereof
Alsaleh et al. Enhancing consumer privacy in the liberty alliance identity federation and web services frameworks
WO2011032471A1 (en) Method and system for subscriber to log in internet content provider (icp) website in identity/location separation network and login device thereof
CN101562627A (en) User attribute inquiry method, method providing service and equipment
Pandey et al. Online Identity Management techniques: identification and analysis of flaws and standard methods

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20091021)