CN102811210A - Information card authenticating method and system based on WS protocol - Google Patents

Information card authenticating method and system based on WS protocol

Publication number: CN102811210A (granted as CN102811210B)
Application number: CN2011101499780A (priority application CN201110149978.0A)
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 章洋, 吴步丹, 程渤, 陈俊亮, 周海静
Assignee (original and current): Beijing University of Posts and Telecommunications
Legal status: granted; expired (fee related)
Prior art keywords: identity, information card, user, module, client

Abstract

The invention discloses an information card authentication method based on the WS protocol. The method comprises the steps that the user logs in to a Relying Party, and the Relying Party requests a token from an Identity Selector Client and confirms the policy; the user passes the identity verification of an Identity Selector Server by means of the Identity Selector Client and then logs in to the Identity Selector Client; and the Identity Selector Client submits an information card to an Identity Provider for authentication, receives the token, and returns the token to the Relying Party. The invention further discloses an information card authentication system based on the WS protocol; the system solves the problems of confidentiality, integrity and identity authentication in the process of information transmission.

Description

Information card authentication method and system based on the WS protocol
Technical field
The present invention relates to message authentication technology in network information security, and in particular to an information card authentication method and system based on the Web Services (WS) protocol.
Background technology
The Internet continues to grow in value for users and businesses. More and more people need to use the network in daily life, from shopping, banking and bill payment to multimedia and other entertainment consumption.
However, as online activity grows, the Internet itself has become more complex, more easily attacked and more dangerous. People are increasingly concerned about online identity theft, fraud and privacy. Many digital identity systems have therefore been introduced, but no single system can yet meet the needs of the different digital identity schemes, so people still use many different identity systems side by side and keep developing more. As a result, the state of digital identity on today's Internet is an uncoordinated hodgepodge that burdens users with a different experience on each web site; and because the digital identity systems on offer are fragile, the fuller realisation of e-commerce is also held back.
To address these problems, the industry introduced the identity metasystem, an interoperability framework based on digital identity. The information card model built on the identity metasystem allows a user to own and manage a series of digital identities based on different technologies, implementations and providers; with this model a user can keep using the existing identity management infrastructure and choose the identity technology that suits them best. However, the identity metasystem is not yet mature and its limitations in practice are considerable. For example, in the existing information card model a user has only one device with an identity selector (Identity Selector) that holds the information card, so once the card has been downloaded to that device the user can log in only from that fixed device, which is very inconvenient in practice. In addition, because an ordinary user can create information cards with no restriction of authority, any user can easily access the information cards, which seriously affects their security and confidentiality.
Moreover, the current information card model under the identity metasystem encrypts the WS Simple Object Access Protocol (SOAP) messages mainly with the HTTPS method of the Secure Sockets Layer (SSL). HTTPS provides point-to-point protection, and this approach has many problems, including: HTTPS provides its guarantee at the transport layer rather than at the message layer, so it cannot reach the flexibility that message security requires; and HTTPS does not use digital signature technology when passing messages after the keys have been distributed and shared, a function that is indispensable in e-commerce.
Summary of the invention
In view of this, the object of the present invention is to provide an information card authentication method and system based on the WS protocol that can solve the problems of confidentiality, integrity and identity authentication that arise during the creation and transmission of information.
To achieve the above object, the technical scheme of the present invention is realised as follows:
The invention provides an information card authentication method based on the WS protocol, the method comprising:
The user logs in to the Relying Party, and the Relying Party requests a token from the Identity Selector Client and confirms the policy; the user passes identity verification by the Identity Selector Server through the Identity Selector Client and then logs in to the Identity Selector Client; the Identity Selector Client submits the information card to the Identity Provider for authentication and receives a token, and returns the token to the Relying Party.
In the above scheme, the method further comprises: after the Identity Selector Client receives the token request, it requires the user to enter a username and password to log in to the Identity Selector Client and uploads the username and password to the Identity Selector Server for verification; if verification fails, the user is refused further operation; if verification passes, operation continues.
In the above scheme, the Identity Selector Client submitting the information card to the Identity Provider means: the Identity Selector Client writes the relevant information of the information card into a SOAP message, applies an XML signature and XML encryption to that SOAP message, and then sends it to the Identity Provider.
In the above scheme, after the token is returned to the Relying Party, the method further comprises: the Relying Party performs an XML signature match on the received token, performs XML decryption after the signature matches, and allows the user access after successful decryption.
In the above scheme, before the user logs in to the Relying Party, the method further comprises: a user with administrator identity logs in to the Identity Provider, selects from all user names managed by the Identity Provider the user name for which an information card is to be created, creates the information card for the selected user name, and, as administrator, distributes the information card to the selected user.
The present invention also provides an information card authentication system based on the WS protocol, the system comprising an Identity Provider, an Identity Selector Client, an Identity Selector Server and a Relying Party; wherein,
the Identity Provider is used to authenticate the information card submitted by the Identity Selector Client and return a token to the Identity Selector Client;
the Identity Selector Client is used to receive the Relying Party's token request, confirm the policy with the Relying Party, request verification of the logged-in user's identity from the Identity Selector Server and receive the verification result, submit the information card to the Identity Provider for authentication and receive the token, and return the token to the Relying Party;
the Identity Selector Server is used to receive the Identity Selector Client's request to verify the logged-in user's identity and return the verification result to the Identity Selector Client;
the Relying Party is used to request a token from the Identity Selector Client, confirm the policy with the Identity Selector Client, and receive the token returned by the Identity Selector Client.
In the above scheme, the Identity Selector Client is further used to require the user to enter a username and password, write the username and password into a request to verify the logged-in user's identity, and send it to the Identity Selector Server;
the Identity Selector Server is further used to receive the request to verify the logged-in user's identity.
In the above scheme, the Identity Selector Client is further used to write the relevant information of the information card selected by the user into a SOAP message, apply an XML signature and XML encryption to the SOAP message, and send it to the Identity Provider;
the Identity Provider is further used to receive the XML-signed and XML-encrypted SOAP message carrying the information card submitted by the Identity Selector Client, parse it, and perform authentication.
In the above scheme, the Relying Party is further used to perform an XML signature match on the received token, perform XML decryption after the signature matches, and allow the user access only after successful decryption.
In the above scheme, the Identity Provider is further used to synchronise with the database of the system to be accessed and to set an initial password for each user name obtained.
In the above scheme, the Identity Provider is further used to create information cards; to query the Identity Selector Server whether the selected user name is online and receive the user state information; when the user is online, to query the Identity Selector Server for the IP address of the Identity Selector Client to which the selected user name belongs, receive the IP address, and send the information card to that Identity Selector Client according to the IP address; and when the user name is not online, to send the information card to the Identity Selector Server;
correspondingly, the Identity Selector Server is further used to receive the Identity Provider's query whether the Identity Selector Client of the selected user name is online and return the user state information to it; then to receive the Identity Provider's query for the IP address of the Identity Selector Client of the selected user name and return the IP address; and, when the user selected by the Identity Provider is not online, to receive and store the information card sent by the Identity Provider;
the Identity Selector Client is further used to receive the information card sent by the Identity Provider and to upload the information card to the Identity Selector Server for storage.
In the above scheme, the Identity Provider comprises a token issuing module, a user synchronisation module, a certificate management module, an information card creation module and an information card distribution module; wherein,
the token issuing module receives the information card submitted by the Identity Selector Client as an XML-signed and XML-encrypted SOAP message, parses and authenticates the information card, and returns a token to the Identity Selector Client;
the user synchronisation module is used to obtain the database of the system to be accessed; the user selects from the synchronised database the user name for which an information card is to be created, and the module sends the user information of the selected user name to the information card creation module;
the certificate management module is used to store X509 certificates, receive the certificate creation instruction from the information card creation module, create the X509 certificate, and provide the X509 certificate to the information card creation module;
the information card creation module is used to receive the user information sent by the user synchronisation module and create an information card for that user name. If a card of the X509 certificate type is to be created, it first checks whether the selected user name has an X509 certificate in the certificate management module; if so, it reads the X509 certificate directly from the certificate management module and creates the card for the selected user name; if not, it sends a certificate creation instruction to the certificate management module, then reads the X509 certificate and uses it to create the card for the selected user name. If a card of the username/password type is to be created, the information card creation module creates the username/password card for the selected user name directly. Finally it sends the card to the information card distribution module;
the information card distribution module is used to receive and store the information card sent by the information card creation module; on receiving the user's instruction to distribute the card to the selected user name, it obtains the state information of the selected user name from the Identity Selector Server, then queries the Identity Selector Server for the IP address of the Identity Selector Client where the selected user name is located and sends the card to that Identity Selector Client according to the IP address; when the selected user name is not online, it sends the card to the Identity Selector Server.
In the above scheme, the Identity Selector Client comprises a registration module, a login module, an information card upload module, an information card download module, an information card authentication module and an information card verification module; wherein,
the registration module is used to receive the notice of the login module and send registration information to the Identity Selector Server;
the login module is used to receive the Relying Party's token request, require the user to enter a username and password to log in, upload the username and password to the Identity Selector Server for user identity verification, record whether the state of the user name is online, and notify the registration module of that state;
the information card upload module is used to select an information card from the information card download module according to the user's instruction and upload it to the Identity Selector Server;
the information card download module is used to receive and store the information cards sent by the Identity Provider and to download the card chosen by the user from the Identity Selector Server; it is also used to receive the user identity verification result from the Identity Selector Server, to send the card the user selects to the information card verification module, and to send the card chosen by the upload module to the information card upload module;
the information card verification module is used to receive the information card sent by the download module, verify the card password entered by the user, and submit the verified card to the information card authentication module; it is also used to receive the user's instruction to change the card password, send the user's old password to the Identity Provider for verification and, on receiving notice that verification passed, send the user's new password to the Identity Provider; if notice of verification failure is received, the user cannot change the password;
the information card authentication module is used to write the relevant information of the card submitted by the verification module into a SOAP message, apply an XML signature and XML encryption, send it to the Identity Provider, receive the token returned by the Identity Provider, and finally send the token to the Relying Party.
In the above scheme, the Identity Selector Server further comprises a user registration module, a user verification module, an information card receiving module and an information card issuing module; wherein,
the user registration module is used to receive the registration information of the Identity Selector Client, record the user's state, produce user information, and provide the state information and user information to the user verification module;
the user verification module is used to receive the Identity Provider's user state query, obtain the state information of the selected user name from the user registration module and return it to the Identity Provider; it is also used to receive the Identity Provider's request for the IP address of the Identity Selector Client used by the user name, obtain the user information from the user registration module, extract the IP address from it, and return the IP address of the Identity Selector Client used by the user name to the Identity Provider; and it is also used to receive the username and password from the Identity Selector Client, verify them, and return the verification result to the Identity Selector Client;
the information card receiving module is used to receive and store the information cards sent by the Identity Provider and those uploaded by the Identity Selector Client, to receive the card query instruction of the information card issuing module, and to send the card selected by the user to the information card issuing module;
the information card issuing module is used to issue the information card to the Identity Selector Client according to the Identity Selector Client's download request.
In the above scheme, the Relying Party comprises an Identity Selector Client activation module and a token verification module; wherein,
the Identity Selector Client activation module is used to receive the user's access request, send the token request to the Identity Selector Client and confirm the policy with the Identity Selector Client, and, on receiving the token verification module's permission for user access, accept the user's visit;
the token verification module is used to receive and verify the token sent by the Identity Selector Client; after verification passes, it notifies the Identity Selector Client activation module to allow user access.
It can be seen from the above that the information card authentication method and system based on the WS protocol provided by the present invention have the following advantages and features:
1) The present invention uses XML signatures to achieve two-way authentication between the Identity Provider and the Relying Party, and the SOAP messages between the Identity Selector Client and the Identity Provider are protected with XML signature and XML encryption, which solves the problems of confidentiality, integrity and identity authentication that arise during message transmission.
2) In the present invention, information cards are created and distributed entirely by the administrator, and ordinary users have no authority to operate on information cards, which guarantees the security and confidentiality of the cards.
3) The Identity Selector Client and Identity Selector Server provided by the invention let the user upload information cards to the Identity Selector Server as needed; when the Identity Selector Client does not hold the needed card, the user can choose to download it from the Identity Selector Server, which solves the problem that an information card can only be used to log in on a particular device.
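The token step of the method above (client to Identity Provider, token back through the client to the Relying Party, signature match before XML decryption) as an added example in Go; this is not code from the patent. It assumes RSA-PSS signatures, RSA-OAEP key wrapping and AES-GCM in place of the W3C XML Signature and XML Encryption processing, and a constructed token layout, since the page names neither algorithms nor a token format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Party is one of the page's four components. Each holds an RSA key pair here, an
// assumption: the page names X509 certificates and XML Signature/Encryption, not algorithms.
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewParty(name string) *Party {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // cannot fail for a 2048-bit key
	return &Party{Name: name, Key: k}
}

// Envelope stands in for the signed and encrypted SOAP message: the body is AES-GCM
// ciphertext under a fresh content key, that key is RSA-OAEP wrapped to the recipient, and
// the signature covers the encrypted body, so the receiver checks it before decrypting.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature string // all base64 text
}

var b64 = base64.StdEncoding

// dec decodes base64 text; malformed input yields nil and fails the step that uses it.
func dec(s string) []byte { b, _ := b64.DecodeString(s); return b }

// digest hashes every field the signature protects, in a fixed order.
func (e *Envelope) digest() []byte {
	d := sha256.Sum256([]byte(e.WrappedKey + "|" + e.Nonce + "|" + e.Ciphertext))
	return d[:]
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts body for recipient, then signs the encrypted message as sender
// (encrypt-then-sign, so the receiver can verify before decrypting).
func Seal(sender *Party, recipient *rsa.PublicKey, body []byte) *Envelope {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	env := &Envelope{
		WrappedKey: b64.EncodeToString(wrapped),
		Nonce:      b64.EncodeToString(nonce),
		Ciphertext: b64.EncodeToString(gcmFor(key).Seal(nil, nonce, body, nil)),
	}
	sig, _ := rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, env.digest(), nil)
	env.Signature = b64.EncodeToString(sig)
	return env
}

// Open is the receiving side: signature match against the sender the receiver expects first,
// key unwrapping and decryption only afterwards, so an altered or mis-signed message is never decrypted.
func Open(recipient *Party, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, env.digest(), dec(env.Signature), nil); err != nil {
		return nil, errors.New("signature match failed: " + err.Error())
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Key, dec(env.WrappedKey), nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not the intended recipient")
	}
	if nonce := dec(env.Nonce); len(nonce) == 12 {
		return gcmFor(key).Open(nil, nonce, dec(env.Ciphertext), nil)
	}
	return nil, errors.New("malformed nonce")
}

// IssueToken runs the token step of the page's flow: the Identity Selector Client seals the
// information card for the Identity Provider, the provider opens it and answers with a token
// sealed for the Relying Party, the client relays that envelope untouched, and the Relying
// Party opens it. The token layout is a constructed placeholder.
func IssueToken(isc, idp, rp *Party, card string) (string, error) {
	got, err := Open(idp, &isc.Key.PublicKey, Seal(isc, &idp.Key.PublicKey, []byte(card)))
	if err != nil {
		return "", err
	}
	token := "<Token><Card>" + string(got) + "</Card><Issuer>" + idp.Name + "</Issuer></Token>"
	relayed := Seal(idp, &rp.Key.PublicKey, []byte(token)) // the client cannot read or alter this
	out, err := Open(rp, &idp.Key.PublicKey, relayed)
	return string(out), err
}

func main() {
	isc, idp, rp := NewParty("IdentitySelectorClient"), NewParty("IdentityProvider"), NewParty("RelyingParty")
	fmt.Println(IssueToken(isc, idp, rp, "card:alice"))
}
```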
Description of drawings
Fig. 1 is a schematic structural diagram of the information card authentication system based on the WS protocol of the present invention;
Fig. 2 is a schematic flow chart of the information card authentication method based on the WS protocol of the present invention.
Embodiment
The basic idea of the present invention is: the user logs in to the Relying Party, and the Relying Party requests a token from the Identity Selector Client and confirms the policy; the user passes identity verification by the Identity Selector Server through the Identity Selector Client and then logs in to the Identity Selector Client; once verification passes, the Identity Selector Client submits the information card to the Identity Provider for authentication and receives a token, and finally the Identity Selector Client returns the token to the Relying Party.
Here, confirming the policy means that the Relying Party and the Identity Selector Client agree on the format of the information they send to each other when interacting, and that the Identity Selector Client determines the content and the format of the information exchanged between the devices it interacts with.
The present invention is explained in further detail below with reference to the accompanying drawings and specific embodiments.
As shown in Fig. 1, the invention provides an information card authentication system based on the WS protocol, comprising an Identity Provider 11, an Identity Selector Client 12, an Identity Selector Server 13 and a Relying Party 14; wherein,
the Identity Provider 11 is used to authenticate the information card submitted by the Identity Selector Client 12 and return a token to the Identity Selector Client 12;
here, the token is the authentication security information returned after the Identity Provider 11 has verified the information card; information cards are of two types: username/password information cards and X509 certificate information cards;
authenticating the information card means that the Identity Provider 11 parses and authenticates the information card that the Identity Selector Client 12 submits as an XML-signed and XML-encrypted SOAP message;
the Identity Selector Client 12 is used to receive the token request of the Relying Party 14, confirm the policy with the Relying Party 14, request verification of the logged-in user's identity from the Identity Selector Server 13 and receive the verification result, submit the information card to the Identity Provider 11 for authentication and receive the token, and return the token to the Relying Party 14;
here, requesting the Identity Selector Server 13 to verify the logged-in user's identity means: the Identity Selector Client 12 requires the user to enter a username and password, writes the username and password into a request to verify the logged-in user's identity, and sends it to the Identity Selector Server 13 for the user's login verification;
if the verification result returned by the Identity Selector Server 13 is a pass, the user can proceed with information card authentication under the entered user name; if the verification result returned by the Identity Selector Server 13 is a failure, the user is refused further operation under the entered user name.
Sending the information card to the Identity Provider 11 means: the user views, on the Identity Selector Client 12, the information cards held under the entered user name, selects a card, writes the relevant information of the card into a SOAP message, applies an XML signature and XML encryption to that SOAP message, and sends it to the Identity Provider 11; here, the relevant information of the card is determined by the policy confirmed with the Relying Party 14.
The Identity Selector Client 12 itself supports the information card authentication mode of the browser; the browsers supported are most browsers in current use, such as IE 7.0 and above and the Maxthon browser; the FireFox browser is temporarily not supported;
all interactions between the Identity Selector Client 12 and the Identity Provider 11 and the Relying Party 14 use XML signature and XML encryption;
the Identity Selector Server 13 is used to receive the Identity Selector Client 12's request to verify the logged-in user's identity and return the verification result to the Identity Selector Client 12.
Here, the Identity Selector Server 13 is further used to verify whether the username and password of the logged-in user are correct: if they are, it notifies the Identity Selector Client 12 that verification passed, otherwise it notifies the Identity Selector Client 12 of verification failure.
The Relying Party 14 is used to request a token from the Identity Selector Client 12, confirm the policy with the Identity Selector Client 12, and receive the token returned by the Identity Selector Client 12.
Receiving the token returned by the Identity Selector Client 12 further comprises verifying the token: specifically, the Relying Party 14 performs an XML signature match on the received token, performs XML decryption after the signature matches, and allows the user access only after successful decryption; the XML decryption is performed with a public key generated inside the Relying Party 14.
The Relying Party 14 is further used to receive the user's access request;
here, the Relying Party 14 is the interface device of the system actually being visited, and through the Relying Party 14 the system provided by the present invention can be attached to the system actually accessed.
The Identity Provider 11 is further used to synchronise with the database of the system to be accessed and to set the initial password of each user name obtained, for example to 111111;
the Identity Provider 11 is further used to create information cards; to query the Identity Selector Server 13 whether the selected user name is online and receive the user state information; when the user is online, to query the Identity Selector Server 13 for the IP address of the Identity Selector Client 12 where the selected user name is located, receive the IP address, and send the information card to that Identity Selector Client 12 according to the IP address; and when the user name is not online, to send the information card to the Identity Selector Server 13;
correspondingly, the Identity Selector Server 13 is further used to receive the Identity Provider 11's query whether the Identity Selector Client 12 of the selected user name is online and return the user state information to it; then to receive the Identity Provider 11's query for the IP address of the Identity Selector Client 12 of the selected user name and return the IP address; and, when the user selected by the Identity Provider 11 is not online, to receive and store the information card sent by the Identity Provider 11;
the Identity Selector Client 12 is further used to receive the information card sent by the Identity Provider 11, and the user may also choose to upload the card to the Identity Selector Server for storage.
Creating an information card comprises: if a card of the username/password type is to be created, the Identity Provider 11 creates the username/password card for the selected user name directly; if a card of the X509 certificate type is to be created, it first checks whether the selected user already has an X509 certificate in the Identity Provider 11; if so, that X509 certificate is used directly to create the card for the selected user; if not, an X509 certificate is created for the selected user name on the Identity Provider 11 and then used to create the card.
The Identity Selector Client 12 is further used to receive the user's instruction to change the information card password, send the user's old password to the Identity Provider 11 for verification and, after receiving notice that verification passed, send the new card password entered by the user to the Identity Provider 11; if the verification result received is a failure, the user cannot change the password. Correspondingly, the Identity Provider 11 is further used to verify the old password sent by the Identity Selector Client 12 and return the verification result to the Identity Selector Client 12, and to store the new password sent by the Identity Selector Client 12.
Said Identity Provider 11 further comprises: issue token module, simultaneous user's module, management certificate module, create release module and distributing information card module; Wherein,
Issue token module, what receive Identity Selector Client 12 submissions encrypts the release that is written as SOAP information through XML signature and XML, and release is resolved and authentication, returns token to IdentitySelector Client 12;
Simultaneous user's module, be used for to the system that will insert obtain database, the user selects the selected user name that will set up release from sync database, the user profile of selected user name is sent to create the release module;
The management certificate module is used for storing X 509 certificates, and receive to create the release module set up the certificate instruction, set up the X509 certificate, to creating the release module X509 is provided certificate;
Create the release module, be used to receive the user profile that simultaneous user's module is sent, for this user name is created release; If establishment is the release of X509 certificate type, check earlier then whether the selected user name has the X509 certificate in the management certificate module; If exist; Then directly read the X509 certificate, for the selected user name is set up release, if do not exist from the management certificate module; Then send the instruction of setting up certificate, read the X509 certificate and use this X509 certificate to set up release afterwards as the selected user name to the management certificate module; If create the release of usemame/password type, then directly create the release of usemame/password type creating the release module for the selected user name, at last release is sent to the distributing information card module;
The distributing information card module; Be used to receive and preserve the release of creating the transmission of release module; Receiving the user is the instruction of selected user name distributing information card; Obtain the state information of selected user name from Identity Selector Server 13, from the IP address of the IdentitySelector Client 12 at Identity Selector Server 13 inquiry selected user names places, release is sent to Identity Selector Client12 afterwards according to the IP address; When selected user name state when not online, release is dealt into Identity Selector Server 13.
Said Identity Selector Client 12 further comprises a registration module, a login module, an information card upload module, an information card download module, an information card authentication module and an information card verification module; wherein,
the registration module receives the notification from the login module and sends registration information to Identity Selector Server 13;
Here, said registration information refers to the password, department and other information associated with the user-selected user name, together with the IP address.
The login module receives the token-request information from Relying Party 14, requires the user to enter a username and password to log in, uploads the username and password to Identity Selector Server 13 for user identity verification, records whether the user name's status is online, and notifies the registration module of that status;
the information card upload module selects an information card from the information card download module according to the user's instruction and uploads it to Identity Selector Server 13;
the information card download module receives and stores the information cards sent by Identity Provider 11, downloads the information cards the user selects from Identity Selector Server 13, receives the user identity verification result from Identity Selector Server 13, sends the information card to the information card verification module once the user has selected it, and passes the information card chosen by the information card upload module to that module for uploading;
the information card verification module receives the information card sent by the information card download module, verifies the information card password entered by the user, and submits the information card that passes verification to the information card authentication module; it also receives the user's instruction to change the information card password, sends the user's old password to Identity Provider 11 for verification and, after receiving a verification-passed message, sends the user's new password to Identity Provider 11; if a verification-failed message is received, the user cannot change the password;
Wherein the old information card password entered by the user serves to verify the legitimacy of the user's request to change the information card password.
The information card authentication module writes the relevant information of the information card submitted by the information card verification module into a SOAP message, applies an XML signature and XML encryption to it and sends it to Identity Provider 11, receives the token returned by Identity Provider 11, and finally sends the token to Relying Party 14.
Said Identity Selector Server 13 further comprises a user registration module, a user verification module, an information card receiving module and an information card issuing module; wherein,
the user registration module receives the registration information from Identity Selector Client 12, records the user's status, generates user information, and provides the status information and user information to the user verification module;
Wherein said user information refers to the password, department and other information associated with the user-selected user name and the IP address of the Identity Selector Client 12 on which that user name is logged in; status information refers to whether the user is online.
The user verification module receives the user-status query from Identity Provider 11, obtains the status information of the user name from the user registration module and returns the selected user name's status information to Identity Provider 11; it also receives Identity Provider 11's request for the IP address of the Identity Selector Client 12 used by the user name, obtains the user information from the user registration module, extracts the IP address from it, and returns the IP address of the Identity Selector Client 12 used by that user name to Identity Provider 11; it also receives the username and password from Identity Selector Client 12, verifies them, and returns the verification result to Identity Selector Client 12;
the information card receiving module receives and stores the information cards sent by Identity Provider 11, receives and stores the information cards uploaded by Identity Selector Client 12, receives the information card query instruction from the information card issuing module, and sends the user-selected information card to the information card issuing module;
Here, receiving and storing the information card sent by Identity Provider 11 means that, if the Identity Selector Client 12 that is to receive the information card is not online, the information card is instead delivered to the information card receiving module of Identity Selector Server 13.
The information card issuing module issues information cards to Identity Selector Client 12 according to download requests from Identity Selector Client 12.
Said Relying Party 14 further comprises an Identity Selector Client activation module and a token verification module; wherein,
the Identity Selector Client activation module receives the user's access request, sends token-request information to Identity Selector Client 12, and confirms the policy with Identity Selector Client 12;
the token verification module receives the token sent by Identity Selector Client 12, performs XML signature matching on the token, performs XML decryption after the signature matches, and allows user access only after successful decryption; said XML decryption is performed with a key generated inside Relying Party 14, and once decryption and verification pass, the Identity Selector Client activation module is notified to allow user access.
As shown in Figure 2, the information card authentication method based on the WS protocol of the present invention comprises the following steps:
Step 201: when the user logs in to Relying Party to access a certain type of resource, Relying Party sends token-request information to Identity Selector Client, and the two sides confirm the policy.
Here, said token refers to the authentication security information returned by Identity Provider after it has verified the user's information card; information cards are of two types: username/password information cards and X509 certificate information cards.
Step 202: after Identity Selector Client receives the token-request information, it requires the user to enter a username and password; Identity Selector Client uploads the username and password entered by the user to Identity Selector Server for verification; if verification fails, the user is refused further operation with the entered user name; if verification passes, proceed to step 203.
Step 203: the user logs in to Identity Selector Client successfully with the entered user name, views the information cards held under that user name, and selects an information card.
Here, there may be several information cards under a user name, and they may be of different types, namely username/password information cards and X509 certificate information cards.
Said selecting an information card further comprises: the user views the information about the information cards under the entered user name on Identity Selector Client; when confirming the use of one of them, the user enters the information card password. For example, if the selected information card is of type X509, the card is confirmed for use once the card password has been entered; otherwise the user is required to enter the information card password to complete username/password authentication.
Wherein said information card password can be changed on Identity Selector Client. The change process comprises: after the user sends an instruction to change the information card password to Identity Selector Client, Identity Selector Client requires the user to enter the old information card password; Identity Selector Client sends the old password entered by the user to Identity Provider for verification; if verification succeeds, a verification-passed notification is returned to Identity Selector Client, Identity Selector Client requires the user to enter a new password, and Identity Selector Client sends the new password entered by the user to Identity Provider for storage; otherwise a verification-failed notification is returned to Identity Selector Client and the user cannot change the password.
Step 204: Identity Selector Client writes the relevant information in the information card into a SOAP message, applies an XML signature and XML encryption to this SOAP message, and sends it to Identity Provider.
Here, the relevant information in said information card is determined by the policy confirmed in step 201.
Step 205: Identity Provider parses the XML-signed and XML-encrypted information card written as a SOAP message, performs authentication, and after authentication passes returns a token to Identity Selector Client.
Step 206: Identity Selector Client receives the token and sends it to Relying Party.
This step specifically comprises: Identity Selector Client receives the token from Identity Provider and sends the token to Relying Party; all transmitted information is XML-signed and XML-encrypted.
Step 207: after Relying Party receives the token, it verifies the token, and after verification passes allows the user to access the resource.
Here, said verifying the token further comprises: Relying Party performs XML signature matching on the received token, performs XML decryption after the signature matches, and allows user access only after successful decryption; said XML decryption is performed using a key generated inside Relying Party.
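The signed-and-encrypted exchange of steps 204 to 207, as an added example in Go that is not part of the patent: the Identity Provider seals a token to the Relying Party's key, the Identity Selector Client relays it unchanged, and the Relying Party checks the signature before it decrypts with its own internally generated key, so a token altered in transit or addressed to a different Relying Party is rejected. It substitutes AES-GCM, RSA-OAEP and RSA-PSS for the XML Signature and XML Encryption standards the patent names, uses a constructed Token element layout, and the same Seal/Open pair also models the client's step 204 submission to the Identity Provider.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
)

// Token models the authentication result of step 205; the element names are constructed.
type Token struct {
	XMLName  xml.Name `xml:"Token"`
	Subject  string   `xml:"Subject"`
	CardType string   `xml:"CardType"` // "UsernamePassword" or "X509"
}

// Envelope stands in for the XML Signature plus XML Encryption pair on every message.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an XML document to the receiver's public key, then signs the ciphertext.
func Seal(doc []byte, senderKey *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, doc, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open is the receiving side (the Relying Party in step 207): signature match first,
// and only then decryption with the receiver's own private key; any failure rejects.
func Open(env *Envelope, senderPub *rsa.PublicKey, receiverKey *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature mismatch: %w", err)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, receiverKey, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	doc, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	return doc, nil
}

// IssueToken plays the Identity Provider: serialise the token to XML and seal it for the Relying Party.
func IssueToken(t Token, idpKey *rsa.PrivateKey, rpPub *rsa.PublicKey) (*Envelope, error) {
	doc, err := xml.Marshal(t)
	if err != nil {
		return nil, err
	}
	return Seal(doc, idpKey, rpPub)
}

// VerifyToken plays the Relying Party: open the relayed envelope, then parse the token.
func VerifyToken(env *Envelope, idpPub *rsa.PublicKey, rpKey *rsa.PrivateKey) (*Token, error) {
	doc, err := Open(env, idpPub, rpKey)
	if err != nil {
		return nil, err
	}
	t := new(Token)
	return t, xml.Unmarshal(doc, t)
}
```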
In the above processing procedure, before step 201, the method further comprises the following steps:
Step a: the user, in the administrator identity, selects from all the user names managed by Identity Provider the user name for which an information card is to be created.
Here, said administrator identity refers to logging in with the administrator's account number and password;
Said all user names means all user names obtained after synchronizing the database; said synchronizing the database means obtaining all user names from the database of the connected system and setting an initial password for each obtained user name, for example setting the initial password to 111111.
Said all managed user names are all user names under the administrator identity when Identity Provider is logged in with that administrator account.
Step b: the user, in the administrator identity, creates an information card on Identity Provider for the selected user name.
Here, said creating an information card comprises: if a username/password information card is to be created, the username/password information card is created directly on Identity Provider for the selected user name; if an X509 certificate information card is to be created, Identity Provider first checks whether the selected user already has an X509 certificate; if so, that X509 certificate is used directly to build the selected user's information card; if not, an X509 certificate is created on Identity Provider for the selected user name, and the information card is then built with it.
Step c: the user, in the administrator identity, distributes the information card to the selected user name.
Here, said distributing the information card means: when the selected user name shows as online, the information card is distributed to the Identity Selector Client the user is using; when the selected user name shows as not online, the information card is distributed to Identity Selector Server and stored under the selected user name.
Said step c further comprises: the user, in the administrator identity, sends Identity Provider an instruction to distribute the information card to the selected user name; Identity Provider queries Identity Selector Server whether the selected user name's status is online; when online, Identity Provider obtains from Identity Selector Server the IP address of the Identity Selector Client on which the selected user name is logged in and sends the information card to that Identity Selector Client according to the IP address, and Identity Selector Client may also choose to upload the information card to Identity Selector Server for storage; when the selected user name is not online, Identity Provider sends the information card to Identity Selector Server for storage, and the user can select and download the information card from Identity Selector Server after logging in to Identity Selector Client with that user name.
The above is merely a preferred embodiment of the present invention and is not intended to limit the protection scope of the present invention.

Claims (15)

1. An information card authentication method based on the WS protocol, characterized in that the method comprises:
the user logs in to a Relying Party, and the Relying Party requests a token from an Identity Selector Client and confirms a policy;
the user logs in to the Identity Selector Client after passing identity verification by an Identity Selector Server through the Identity Selector Client;
the Identity Selector Client submits an information card to an Identity Provider for authentication and receives a token, and returns the token to the Relying Party.
2. The method according to claim 1, characterized in that the method further comprises: after the Identity Selector Client receives the token-request information, it requires the user to enter a username and password to log in to the Identity Selector Client and uploads the username and password to the Identity Selector Server for verification; if verification fails, the user is refused further operation; if verification passes, operation continues.
3. The method according to claim 1, characterized in that said Identity Selector Client submitting the information card to the Identity Provider is: the Identity Selector Client writes the relevant information in the information card into a Simple Object Access Protocol (SOAP) message, applies an XML signature and XML encryption to this SOAP message, and then sends it to the Identity Provider.
4. The method according to claim 1, characterized in that after said returning the token to the Relying Party, the method further comprises: the Relying Party performs XML signature matching on the received token, performs XML decryption after the XML signature matches, and allows user access after successful decryption.
5. The method according to claim 1, characterized in that before said user logs in to the Relying Party, the method further comprises: the user logs in to the Identity Provider in the administrator identity and selects, from all user names managed by the Identity Provider, the user name for which an information card is to be created; an information card is created for the selected user name; and the user, in the administrator identity, distributes the information card to the selected user.
6. An information card authentication system based on the WS protocol, characterized in that the system comprises an Identity Provider, an Identity Selector Client, an Identity Selector Server and a Relying Party; wherein,
the Identity Provider authenticates the information card submitted by the Identity Selector Client and returns a token to the Identity Selector Client;
the Identity Selector Client receives the token-request information from the Relying Party, confirms the policy with the Relying Party, requests the Identity Selector Server to verify the login user's identity and receives the verification result, submits the information card to the Identity Provider for authentication and receives the token, and returns the token to the Relying Party;
the Identity Selector Server receives the Identity Selector Client's request to verify the login user's identity and returns the verification result to the Identity Selector Client;
the Relying Party requests a token from the Identity Selector Client, confirms the policy with the Identity Selector Client, and receives the token returned by the Identity Selector Client.
7. The system according to claim 6, characterized in that said Identity Selector Client further requires the user to enter a username and password, writes the username and password into a request to verify the login user's identity, and sends it to the Identity Selector Server;
said Identity Selector Server further receives the request to verify the login user's identity.
8. The system according to claim 6, characterized in that said Identity Selector Client further writes the relevant information of the user-selected information card into a SOAP message, applies an XML signature and XML encryption to the SOAP message, and sends it to the Identity Provider;
said Identity Provider further receives the XML-signed and XML-encrypted information card written as a SOAP message submitted by the Identity Selector Client, parses it, and performs authentication.
9. The system according to claim 6, characterized in that said Relying Party further performs XML signature matching on the received token, performs XML decryption after the signature matches, and allows user access only after successful decryption.
10. The system according to claim 6, characterized in that said Identity Provider further synchronizes with the database of the connected system and sets an initial password for each obtained user name.
11. The system according to claim 10, characterized in that said Identity Provider further creates information cards, queries the Identity Selector Server whether the selected user name's status is online and receives the user status information; when the user status is online, it queries the Identity Selector Server for the IP address of the Identity Selector Client on which the selected user name is logged in, receives the IP address, and sends the information card to the Identity Selector Client according to the IP address; when the user name's status is not online, it sends the information card to the Identity Selector Server;
correspondingly, said Identity Selector Server further receives the Identity Provider's query whether the Identity Selector Client of the selected user name is online and returns the user status information to it, then receives the Identity Provider's query for the IP address of the Identity Selector Client on which the selected user name is logged in and returns the IP address, and, when the user selected by the Identity Provider is not online, receives and stores the information card sent by the Identity Provider;
said Identity Selector Client further receives the information card sent by the Identity Provider and uploads the information card to the Identity Selector Server for storage.
12. The system according to claim 11, characterized in that said Identity Provider comprises a token issuing module, a user synchronization module, a certificate management module, an information card creation module and an information card distribution module; wherein,
the token issuing module receives the XML-signed and XML-encrypted information card written as a SOAP message submitted by the Identity Selector Client, parses and authenticates the information card, and returns a token to the Identity Selector Client;
the user synchronization module obtains the database from the system to be connected; the user selects from the synchronized database the user name for which an information card is to be created, and the user information of the selected user name is sent to the information card creation module;
the certificate management module stores X509 certificates, receives the certificate-creation instruction from the information card creation module, creates the X509 certificate, and provides the X509 certificate to the information card creation module;
the information card creation module receives the user information sent by the user synchronization module and creates an information card for that user name; if the card to be created is of the X509 certificate type, it first checks whether the selected user name already has an X509 certificate in the certificate management module; if so, it reads the X509 certificate from the certificate management module and builds the information card for the selected user name with it; if not, it sends a certificate-creation instruction to the certificate management module, then reads the newly created X509 certificate and builds the information card for the selected user name with it; if the card to be created is of the username/password type, the information card creation module creates a username/password information card for the selected user name directly; finally, the information card is sent to the information card distribution module;
the information card distribution module receives and stores the information card sent by the information card creation module; on receiving the user's instruction to distribute an information card to the selected user name, it obtains the selected user name's status information from the Identity Selector Server, then queries the Identity Selector Server for the IP address of the Identity Selector Client on which the selected user name is logged in and sends the information card to the Identity Selector Client according to the IP address; when the selected user name's status is not online, the information card is sent to the Identity Selector Server.
13. The system according to claim 11, characterized in that said Identity Selector Client comprises a registration module, a login module, an information card upload module, an information card download module, an information card authentication module and an information card verification module; wherein,
the registration module receives the notification from the login module and sends registration information to the Identity Selector Server;
the login module receives the token-request information from the Relying Party, requires the user to enter a username and password to log in, uploads the username and password to the Identity Selector Server for user identity verification, records whether the user name's status is online, and notifies the registration module of that status;
the information card upload module selects an information card from the information card download module according to the user's instruction and uploads it to the Identity Selector Server;
the information card download module receives and stores the information cards sent by the Identity Provider, downloads the information cards the user selects from the Identity Selector Server, receives the user identity verification result from the Identity Selector Server, sends the information card to the information card verification module once the user has selected it, and passes the information card chosen by the information card upload module to that module for uploading;
the information card verification module receives the information card sent by the information card download module, verifies the information card password entered by the user, and submits the information card that passes verification to the information card authentication module; it also receives the user's instruction to change the information card password, sends the user's old password to the Identity Provider for verification and, after receiving a verification-passed notification, sends the user's new password to the Identity Provider; if a verification-failed notification is received, the user cannot change the password;
the information card authentication module writes the relevant information of the information card submitted by the information card verification module into a SOAP message, applies an XML signature and XML encryption to it and sends it to the Identity Provider, receives the token returned by the Identity Provider, and finally sends the token to the Relying Party.
14. The system according to claim 11, characterized in that said Identity Selector Server further comprises a user registration module, a user verification module, an information card receiving module and an information card issuing module; wherein,
the user registration module receives the registration information from the Identity Selector Client, records the user's status, generates user information, and provides the status information and user information to the user verification module;
the user verification module receives the user-status query from the Identity Provider, obtains the status information of the user name from the user registration module and returns the selected user name's status information to the Identity Provider; it also receives the Identity Provider's request for the IP address of the Identity Selector Client used by the user name, obtains the user information from the user registration module, extracts the IP address from it, and returns the IP address of the Identity Selector Client used by that user name to the Identity Provider; it also receives the username and password from the Identity Selector Client, verifies them, and returns the verification result to the Identity Selector Client;
the information card receiving module receives and stores the information cards sent by the Identity Provider, receives and stores the information cards uploaded by the Identity Selector Client, receives the information card query instruction from the information card issuing module, and sends the user-selected information card to the information card issuing module;
the information card issuing module issues information cards to the Identity Selector Client according to download requests from the Identity Selector Client.
15. The system according to claim 11, characterized in that said Relying Party comprises an Identity Selector Client activation module and a token verification module; wherein,
the Identity Selector Client activation module receives the user's access request, sends token-request information to the Identity Selector Client, confirms the policy with the Identity Selector Client, and, on receiving the allow-access information from the token verification module, accepts the user's access;
the token verification module receives the token sent by the Identity Selector Client and verifies it, and after verification passes notifies the Identity Selector Client activation module to allow user access.
CN201110149978.0A 2011-06-03 2011-06-03 Information card authenticating method and system based on WS protocol Expired - Fee Related CN102811210B (en)

Publications (2)

Publication Number Publication Date
CN102811210A true CN102811210A (en) 2012-12-05
CN102811210B CN102811210B (en) 2015-05-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150527

Termination date: 20170603
