CN102938757B - The method and identity provider of user data in shared network - Google Patents


Info

Publication number
CN102938757B
Authority: CN (China)
Legal status: Active
Application number: CN201110233110.9A
Other languages: Chinese (zh)
Other versions: CN102938757A (en)
Inventor
韦银星
符涛
吴强
Current Assignee: Jiangsu Yanxin Automobile Industry Investment Development Co.,Ltd.
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201110233110.9A
Priority to PCT/CN2012/076275 (WO2013023475A1)
Publication of CN102938757A
Application granted
Publication of CN102938757B
Current legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 8/00: Network data management
    • H04W 8/18: Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; transfer of user or subscriber data

Abstract

The invention provides a method for sharing user data in a network, a service providing server, an identity provider and a user equipment. The network includes an identity provider and a Resource Server (RS), and the method includes: a service providing server receives an access by a user equipment (UE); the service providing server obtains, directly or indirectly from the RS, the user shared data authorized by the user. The above method, service providing server, identity provider and user equipment enable a service providing server to securely share the user data of telecom operators.

Description

The method and identity provider of user data in shared network
Technical field
The present invention relates to the communication field and the Internet field, and in particular to a method for sharing user data in a network, a service providing server, an identity provider and a user equipment.
Background technology
With the popularization of networks and the development of information technology, more and more business activities take place in cyberspace, such as online shopping, Internet telephony, e-mail, blogs and instant messaging. Services are generally provided to users by telecom operators and service providers. Telecom operators own the communication network infrastructure and give users a wide range of access methods, such as Asymmetric Digital Subscriber Line (ADSL) access, third-generation (3G) mobile communication access, Wireless Local Area Network (WLAN) access and Ethernet access; service providers give users a wide range of services, such as traditional portal websites, e-commerce, network communication, online banking and social networks.
Service providers on the Internet vary in scale. Although some can offer innovative services, their user base grows slowly, and the number of users often becomes the bottleneck for business development. In recent years a kind of supplier that offers identity services has appeared on the Internet, referred to as an identity provider (Identity Provider). An identity provider generally has a very large user base and can provide services such as authentication for other users or service providers. Telecom operators have a huge number of users and so naturally have the ability to act as identity providers, but compared with the open Internet, communication networks are relatively closed and offer a single class of service. To strengthen the competitiveness of telecom operators, rather than merely providing the pipe for service providers, telecom operators need to become part of the service value chain: providing identity services as identity providers, sharing user information, providing trusted security services, providing mobile payment capabilities, and so on. Service providers can then reuse the capabilities provided by the telecom operators as far as possible and concentrate on their core business, and users enjoy a seamless service experience with improved security and personal privacy.
In the existing technology, an Application Server (AS) in the IP Multimedia Subsystem (IMS) can directly access a user's subscription data in the Home Subscriber Server (HSS). The user decides which data to share by changing the subscription information. Service providers on the Internet are numerous and new ones keep emerging, so it is difficult to define the subscription data in advance, and this scheme therefore has a scalability problem. In addition, a third-party AS is granted access to user subscription data from the HSS according to a trust relationship, but access by the AS to the user subscription data currently cannot be controlled flexibly.
Current Identity Management (IdM) involves three roles: the user, the service provider and the identity provider. Current solutions mainly address single sign-on, such as OpenID, Liberty Alliance, CardSpace, the Generic Authentication Architecture (GAA) and the Kerberos model. These schemes do not define user identity in a unified way; each is completed independently. The diversity of identities still causes inconvenience to users of Internet services.
Open Authorization (OAuth) solves the problem of authorized access to user resource data on the Internet, but it does not identify users in a unified way and does not define how it is used together with the resources of telecom operators.
In current networks the identity of a user is used by the Internet to identify the user; it can also be used by service providers to identify the user, giving the user a unified identity. However, there is currently no effective method by which the service providing server of a service provider can securely share the user data of telecom operators, which also limits the development of new services.
The content of the invention
The present invention provides a method for sharing user data in a network, a service providing server, an identity provider and a user equipment, to solve the problem that an existing service providing server cannot securely share the user data of telecom operators.
The present invention provides a method for sharing user data in a network, which includes:
the network includes an identity provider and a Resource Server (RS), and the method includes:
a service providing server receives an access by a user equipment (UE);
the service providing server obtains, directly or indirectly from the RS, the user shared data authorized by the user.
Preferably, before the service providing server receives the access by the UE, the method further includes:
the service providing server completes, directly or indirectly, service access authentication of the UE.
Preferably, the service providing server directly completing service access authentication of the UE includes:
the service providing server obtains user security parameters from the identity provider and completes service access authentication of the UE according to the user security parameters.
Preferably, the service providing server indirectly completing service access authentication of the UE includes:
the service providing server obtains, from the identity provider, the identity provider's service access authentication result for the UE.
Preferably, the user security parameters are obtained by the identity provider according to the result of the network's access authentication of the UE.
Preferably, the service access authentication result is completed by the identity provider according to the result of the network's access authentication of the UE.
Preferably, the service providing server directly obtaining the user shared data authorized by the user from the RS includes:
the service providing server obtains a token from the identity provider and, according to the token, directly obtains the user shared data authorized by the user from the RS.
Preferably, the service providing server indirectly obtaining the user shared data authorized by the user from the RS includes:
the service providing server obtains the user shared data authorized by the user through the identity provider.
The present invention also provides a service providing server, which includes:
a receiving module, for receiving an access by a user equipment (UE);
an acquisition module, for obtaining, directly or indirectly from a Resource Server (RS), the user shared data authorized by the user.
Preferably, the service providing server further includes:
a service access authentication module, for completing, directly or indirectly, service access authentication of the UE before the receiving module receives the access by the UE.
Preferably, the service access authentication module is used to obtain user security parameters from the identity provider and complete service access authentication of the UE according to the user security parameters; or to obtain, from the identity provider, the identity provider's service authentication result for the UE.
Preferably, the user security parameters are obtained by the identity provider according to the result of the network's access authentication of the UE; or
the service authentication result is completed by the identity provider according to the result of the network's access authentication of the UE.
Preferably, the acquisition module is used to obtain a token from the identity provider and, according to the token, directly obtain the user shared data authorized by the user from the RS; or to obtain the user shared data authorized by the user through the identity provider.
The present invention also provides an identity provider, which includes:
a network access authentication module, for authenticating the access of a user equipment (UE) to the network and obtaining user security parameters;
a service access authentication module, for completing service access authentication of the UE according to the user security parameters obtained by the network access authentication module, and sending the service access authentication result to the service providing server.
Preferably, the identity provider further includes:
a sending module, for sending the user security parameters obtained by the network access authentication module to the service providing server.
Preferably, the user security parameters include a session key.
Preferably, the identity provider further includes:
a data transmission module, for receiving a data request sent by the service providing server after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server; obtaining the user shared data authorized by the user from the Resource Server (RS) according to the data request; and sending the user shared data to the service providing server.
Preferably, the data transmission module is further used to receive a token request sent by the service providing server after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server, and to send a token to the service providing server according to the token request, so that the service providing server obtains the user shared data authorized by the user from the RS according to the token.
The present invention also provides a user equipment (UE), which includes:
an access module, for accessing the service providing server;
a data processing module, for receiving a user data authorization request sent by the identity provider according to a data request from the service providing server, and returning the user shared data authorized by the user to the identity provider according to the user's authorization result for the user data carried in the user data authorization request.
Preferably, the access module is used to access the service providing server after the UE has successfully accessed the network using its identifier and has obtained service access authentication from the service providing server.
The above method for sharing user data in a network, service providing server, identity provider and user equipment enable a service providing server to securely share the user data of telecom operators.
Brief description of the drawings
Fig. 1 is a scenario diagram of sharing user data in a network according to the present invention;
Fig. 2 is an architecture diagram of embodiment one of sharing user data in a network according to the present invention;
Fig. 3 is an architecture diagram of embodiment two of sharing user data in a network according to the present invention;
Fig. 4 is a signaling flow chart of embodiment one of sharing user data in a network according to the present invention;
Fig. 5 is a signaling flow chart of embodiment two of sharing user data in a network according to the present invention;
Fig. 6 is a signaling flow chart of embodiment three of sharing user data in a network according to the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
Fig. 1 is a scenario diagram of sharing user data in a network according to the present invention. In this embodiment a social networking site securely shares a user's data held in the network, such as a contact list. The sharing procedure includes:
Step 10: user 100 accesses network 102 and passes the authentication of network 102;
Step 12: user 100 accesses social networking site 104;
Step 14: social networking site 104 does not have the identity information of user 100; social networking site 104 finds network 102 according to configuration information, or finds network 102 using a dynamic discovery protocol;
Step 16: network 102 contacts user 100, and user 100 authorizes whether to share the user data, such as the contact list;
Step 18: after user 100 authorizes sharing of the user data, network 102 continues with the processing below;
Step 20: network 102 returns the shared information of user 100, such as the contact list, to social networking site 104;
Step 22: when user 106 accesses social networking site 104 through network 102, the user data shared by user 100, such as the contact list, is used.
Fig. 2 is an architecture diagram of embodiment one of sharing user data in a network according to the present invention. The network completes the routing of data packets through an Access Serving Node (ASN); user equipment (UE) 200 is identified by an identity ID. In the network, user equipment 200 is authenticated by the identity provider; user shared data may be obtained directly from Resource Server (RS) 206 or through identity provider 204. The network includes but is not limited to a mobile communication network and an identifier network. The authentication between UE 200 and service providing server 208 is based on the result of the user's access authentication. In this architecture the network does not deliver the user's security credentials to service providing server 208, so service providing server 208 cannot authenticate user equipment 200 directly, and user authentication must be completed through the interface between UE 200 and identity provider 204.
User equipment 200 refers to a user node such as a mobile phone or a PC. The user equipment is pre-configured with, or obtains from the network, an identity ID. The user equipment possesses security credentials: a root key pre-shared with the network, or a configured digital certificate. In a mobile communication network the ID of the user equipment can be an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber ISDN Number (MSISDN); in an identifier network the ID of the user equipment is an Access Identifier (AID). The capabilities of the user equipment include but are not limited to: support for the Hypertext Transfer Protocol (HTTP) Digest authentication protocol; support for the Session Initiation Protocol (SIP) Digest authentication protocol; support for the Extensible Authentication Protocol (EAP) and EAP authentication methods; the ability to derive new key material.
Access service node 202 is located at the edge of the network. It provides access service for user equipment 200, maintains the connection between the terminal and the network, implements functions such as routing and forwarding of data messages, and cooperates with identity provider 204 to complete access authentication of UE 200. In a mobile communication network the access service node is the Serving GPRS Support Node (SGSN) and/or the Gateway GPRS Support Node (GGSN); in an identifier network the access service node is the ASN.
Identity provider 204 takes the user identity ID as its core in the network; it is responsible for creating, maintaining and managing user identity information and provides user authentication services. The capabilities of identity provider 204 include but are not limited to: providing network access authentication service; providing service access authentication service; supporting EAP functions; obtaining user information from the RS. In a specific implementation, the identity management function can be realized by enhancing the functions of the authentication center, for example by supporting Web functions, the Hypertext Transfer Protocol (HTTP), the HTTP digest authentication protocol and the Security Assertion Markup Language (SAML).
Resource Server (RS) 206 stores the security information of the user and provides the user's attribute data and other data, such as contact list, avatar, photos and videos.
Service providing server 208 provides services to user node 200. These can be Web-class services such as portal websites and electronic stores, which generally use Hypertext Markup Language (HTML)/HTTP; they can also be non-Web services such as e-mail and instant messaging, which are generally based on transport-layer protocols such as the Transmission Control Protocol (TCP).
The interfaces in Fig. 2 are introduced below:
Interface A: between UE 200 and ASN 202; provides mutual authentication between UE 200 and ASN 202; supports, but is not limited to, the EAP protocol;
Interface B: between ASN 202 and identity provider 204; mainly transfers the master session key from identity provider 204 to ASN 202; supports, but is not limited to, transporting EAP payloads over an Authentication, Authorization and Accounting (AAA) protocol;
Interface C: between identity provider 204 and RS 206; identity provider 204 obtains the user's security information and other user data through interface C 214. The protocols of this interface include but are not limited to: the Diameter protocol.
Interface D: between UE 200 and identity provider 204; supports single sign-on services for the user and supports secure data sharing. The protocols of this interface include but are not limited to: the HTTP Digest protocol; the SIP Digest protocol; the SAML protocol.
Interface E: between UE 200 and service providing server 208; UE 200 accesses the services provided by service providing server 208 through this interface. The protocols of this interface include but are not limited to: the HTTP protocol; transport-layer protocols such as TCP; the SAML protocol; Diameter; the HTTPS protocol.
Interface F: between identity provider 204 and service providing server 208; provides single sign-on services and supports secure data sharing. The protocols of this interface include but are not limited to: the HTTP protocol and AAA protocols.
Interface G: between service providing server 208 and RS 206; service providing server 208 obtains user-related data through this interface. The protocols of this interface include but are not limited to: Diameter.
Fig. 3 is an architecture diagram of embodiment two of sharing user data in a network according to the present invention. The difference from the architecture shown in Fig. 2 is that in this embodiment there is no interface between the UE and the identity provider; instead, the network can deliver user security information (such as the identifier, the master session key and the key lifetime) to service providing server 208, so that service providing server 208 can authenticate user equipment 200 directly. The user security information used in the authentication between UE 200 and service providing server 208 is the result of the user's network access authentication.
Fig. 4 is a signaling flow chart of embodiment one of sharing user data in a network according to the present invention. The flow is based on the architecture shown in Fig. 2. In this embodiment UE 200 is authenticated by identity provider 204; service providing server 208 obtains a token from identity provider 204 and obtains the user shared data directly from RS 206; identity provider 204 and RS 206 have been pre-configured with a template for user data sharing, and which data are actually shared is authorized by the user.
The preconditions for the flow are that a link has been established between UE 200 and ASN 202 and that UE 200 is pre-configured with the user's identity ID. The procedure for sharing user data in the network includes:
Step 220: ASN 202 sends an identity request to UE 200;
Step 222: UE 200 sends a response to ASN 202, carrying the user identity ID in the response;
Step 224: ASN 202 sends the response message, carrying the user identity ID, to identity provider 204;
Step 226: identity provider 204 sends a message carrying the ID to RS 206 to request key material;
Step 228: RS 206 returns the key material to identity provider 204;
Step 230: UE 200 and identity provider 204 negotiate security parameters, including the security protocols supported by both sides and a session key;
Steps 220-230 above are the network's access authentication procedure for the UE;
Step 232: UE 200 accesses the service of service providing server 208; service providing server 208 learns the location of identity provider 204 through static configuration or dynamic discovery;
Step 234: service providing server 208 sends a redirect message to UE 200, and UE 200 sends the message to identity provider 204 according to the identity provider address in the redirect message header;
Step 236: identity provider 204 sends an unauthorized message to UE 200;
Step 238: UE 200 sends a digest authentication message to identity provider 204, using the ID as the username and the session key as the password;
Step 240: identity provider 204 receives the digest authentication message and verifies the user's identity;
Step 242: identity provider 204 requests the user data list from RS 206, carrying the user's identity in the request;
Step 244: RS 206 returns the user data list to identity provider 204;
Step 246: identity provider 204 sends the user data list to UE 200 to request the user's authorization;
Step 248: UE 200 returns the user's authorization result to identity provider 204;
Step 250: identity provider 204 sends a redirect message to UE 200, and UE 200 contacts service providing server 208 according to the address in the message header; the message includes an index and an authorization code;
Step 252: service providing server 208 requests an access token from identity provider 204; the request includes the index and the authorization code;
Step 254: identity provider 204 returns the access token to service providing server 208; the token includes information such as a key and the key lifetime;
Step 256: service providing server 208 obtains the shared user data in batches from RS 206; RS 206 applies security protection to these data, such as confidentiality protection and integrity protection; after receiving the user data, service providing server 208 reads the protected data using the access token;
Step 258: service providing server 208 returns a result message to UE 200.
Below, taking the EAP, AAA, HTTP and SAML protocols as an example, the secure user data sharing procedure in the network shown in Fig. 4 is described in the form of an application example:
Step 220a: ASN 202 sends an EAP-Identity request to UE 200;
Step 222a: UE 200 sends an EAP-Identity response to ASN 202, carrying the user's identity ID in the response; the Type-Data of the EAP-Identity response is set to the ID;
Step 224a: ASN 202 sends the EAP payload (EAP-Payload) to identity provider 204 over an AAA protocol. For the Diameter protocol, the EAP-Identity payload is encapsulated in the EAP-Payload AVP (Attribute-Value Pair) of a Diameter-EAP-Request message; for the Remote Authentication Dial In User Service (RADIUS) protocol, the EAP-Identity payload is encapsulated in the EAP-Message attribute of a RADIUS Access-Request message;
Step 226a: identity provider 204 sends the ID to RS 206 over Diameter to obtain key material; specifically, a Multimedia-Auth-Request (MAR) can be used to carry the ID;
Step 228a: RS 206 returns the key material to identity provider 204 over Diameter; specifically, a Multimedia-Auth-Answer (MAA) message can be used to carry the key material, where the ID is mapped to the User-Name attribute;
Step 230a: UE 200 and identity provider 204 negotiate security parameters: (1) they negotiate the EAP method, such as EAP Authentication and Key Agreement (EAP-AKA) or EAP Transport Layer Security (EAP-TLS); for the Diameter protocol, the EAP-AKA, EAP-TLS and similar payloads are encapsulated in the EAP-Payload AVP (Attribute-Value Pair) of Diameter-EAP-Request messages, and for the RADIUS protocol they are encapsulated in RADIUS Access-Challenge and Access-Accept messages. (2) UE 200 and identity provider 204 negotiate the MSK (Master Session Key); for the Diameter protocol, the key material is carried in the EAP-Master-Session-Key AVP of the Diameter-EAP-Request message; for the RADIUS protocol, the MSK is carried in a VSA (Vendor-Specific Attribute) of the RADIUS Accept message;
Step 232a: UE 200 sends an HTTP request to service providing server 208 and selects, at service providing server 208, login through identity provider 204. The header field of the HTTP request carries the URL (Uniform Resource Locator) address of the identity provider; service providing server 208 obtains the URL address of identity provider 204 through static configuration or dynamic discovery, and carries <lib:AuthnRequest> in the request message;
Step 234a: service providing server 208 sends an HTTP redirect message to UE 200, and UE 200 sends the message to identity provider 204 according to the identity provider URL address in the HTTP redirect message header;
Step 236a: identity provider 204 sends an HTTP 401 (Unauthorized) message to UE 200;
Step 238a: UE 200 sends an HTTP request message to identity provider 204 and performs HTTP Digest authentication, using the ID as the username and the MSK as the password;
Step 240a: after receiving the HTTP digest authentication message, identity provider 204 looks up the local ID/MSK according to the ID and performs the same HTTP Digest authentication computation; if the computed results agree, the verification passes;
Step 242a: identity provider 204 sends the ID to RS 206 over Diameter to request the user data list; the User-Data attribute of a Push-Profile-Request message carries the user data list, and the ID is mapped to the User-Name attribute;
Step 244a: RS 206 returns the user data list to identity provider 204 over Diameter; the User-Data attribute of a Push-Profile-Answer message carries the user data list, and the ID is mapped to the User-Name attribute;
Step 246a: identity provider 204 sends the user data list to UE 200 over HTTPS to request the user's authorization;
Step 248a: after the user authorizes, UE 200 returns the user-authorized data list to identity provider 204;
Step 250a: identity provider 204 generates a SAML Artifact and an authorization code and sends a redirect message to UE 200 over HTTPS; UE 200 contacts service providing server 208 using the URL in the message header. The SAML Artifact points to a structured data object of a SAML protocol message; the SAML Artifact is small and can be embedded in an HTTP message;
Step 252a: service providing server 208 sends an HTTP GET request to identity provider 204 over HTTPS; the message includes the SAML Artifact and the authorization code;
Step 254a: identity provider 204 returns the access token to service providing server 208 in an HTTPS response message; the token includes information such as a key and the key lifetime;
Step 256a: service providing server 208 obtains the shared user data in batches from RS 206 over Diameter, using the User-Data attribute of Diameter Push-Profile-Request/Push-Profile-Answer messages to obtain the user shared data in batches. RS 206 applies security protection to these data, such as confidentiality protection and integrity protection; after receiving the user data, service providing server 208 reads the protected data using the access token;
Step 258a: service providing server 208 returns an HTTP 200 OK message to UE 200.
The above flow applies to access types that support EAP authentication, such as ADSL, WLAN and Ethernet. For the 3G access procedure, the AKA authentication procedure is used, and after the authentication procedure ends MSK = CK || IK is set.
The identity/locator separation network supports compatibility with existing terminals and access technologies, i.e. the terminal and the access network are not changed. In this case UE 200 accesses the network in the existing manner; after access authentication the network assigns an access identifier ID to the user equipment, at which point the user equipment and the network share a session key. The subsequent processing flow is entirely the same.
Fig. 5 is the signaling flow chart of embodiment two of sharing user data in the network of the present invention. This embodiment is also completed on the architecture shown in Fig. 2. In this embodiment UE 200 is authenticated by identity provider 204, service providing server 208 obtains the user's shared data through identity provider 204, the user authorizes which data is shared, and the user's real identity information need not be revealed to the service providing server.
The preconditions of the flow are that the link between UE 200 and ASN 202 has been established and that the user's identity ID is either pre-configured in UE 200 or assigned to the user by the network. The process of sharing user data in the network includes:
Step 302, UE 200 has passed the network access authentication; after authentication UE 200 and identity provider 204 share a session key;
Step 302 may specifically include steps 220 to 230 of Fig. 4, which are not repeated here;
Step 304, UE 200 accesses the service of service providing server 208, and service providing server 208 locates identity provider 204 by static configuration or dynamic discovery;
Step 306, service providing server 208 sends a redirection message to UE 200, and UE 200 sends the message to identity provider 204 at the identity provider address carried in the redirection message header;
Step 308, identity provider 204 sends an unauthorized message to UE 200;
Step 310, UE 200 sends a digest authentication message to identity provider 204, using the ID as the user name and the session key as the password;
Step 312, identity provider 204 verifies the user's identity after receiving the digest authentication message;
Step 314, identity provider 204 sends a redirection message to service providing server 208; the message includes an index;
Step 316, service providing server 208 sends a request to identity provider 204 to authenticate the user's identity; the message includes the index;
Step 318, identity provider 204 returns the authentication result to service providing server 208;
Step 320, service providing server 208 requests the user's shared data from identity provider 204; the message includes the index;
Step 322, identity provider 204 requests the user data from RS 206; the request includes the ID;
Step 324, RS 206 returns the user data to the identity provider;
Step 326, identity provider 204 sends a request to UE 200 asking the user to authorize the data;
Step 328, UE 200 returns the user-authorized data to identity provider 204;
Step 330, identity provider 204 returns the user-authorized data to service providing server 208;
Step 332, service providing server 208 returns a result message to UE 200.
Taking the HTTP and SAML protocols as an example, the flow of securely sharing user data in the network shown in Fig. 5 is described below in the form of an application example:
Step 302a, UE 200 has passed the network access authentication; after authentication UE 200 and identity provider 204 share the session key MSK;
Step 304a, UE 200 sends an HTTP request to service providing server 208 and chooses to log in through identity provider 204. The header field of the HTTP request carries the Uniform Resource Locator (URL) address of the identity provider; service providing server 208 obtains the URL address of identity provider 204 by static configuration or dynamic discovery and carries <lib:AuthnRequest>;
Step 306a, service providing server 208 sends an HTTP redirection message to UE 200, and UE 200 sends the message to identity provider 204 at the identity provider URL address carried in the HTTP redirection message header;
Step 308a, identity provider 204 sends an HTTP 401 Unauthorized message to UE 200;
Step 310a, UE 200 sends an HTTP request message to identity provider 204 and performs HTTP Digest authentication, using the ID as the user name and the MSK as the password;
Step 312a, after receiving the HTTP Digest authentication message, identity provider 204 looks up the local ID/MSK pair by the ID, runs the same HTTP Digest authentication algorithm, and the verification passes when the computed result matches;
Step 314a, identity provider 204 generates a SAML Artifact and sends an HTTPS redirection message to service providing server 208 carrying the SAML Artifact; the SAML Artifact points to the structured data object of the SAML protocol message and is small enough to be embedded in an HTTP message;
Step 316a, after receiving the SAML Artifact, service providing server 208 sends an HTTPS request to identity provider 204 carrying the SAML Artifact; after receiving this message, identity provider 204 constructs a SAML assertion;
Step 318a, identity provider 204 returns the SAML assertion to service providing server 208 over HTTPS;
Step 320a, after verifying the signature of the SAML assertion, service providing server 208 sends an HTTPS request to identity provider 204 requesting the shared user data; the message carries the SAML Artifact;
Step 322a, identity provider 204 obtains the ID from the SAML Artifact and requests the user's shared data from RS 206 with a Diameter Push-Profile-Request;
Step 324a, RS 206 returns the user's shared data to identity provider 204, carrying the user data in the User-Data attribute of the Diameter Push-Profile-Answer message;
Step 326a, identity provider 204 sends an HTTPS request to UE 200 asking the user to authorize the shared data;
Step 328a, after the user authorizes the shared user data, the result is returned to identity provider 204;
Step 330a, after the user has authorized, identity provider 204 returns the user-authorized data to service providing server 208;
Step 332a, service providing server 208 returns an HTTP 200 OK message to UE 200.
Fig. 6 is the signaling flow chart of embodiment three of securely sharing user data in the network of the present invention. The flow is completed on the architecture shown in Fig. 3; in this embodiment identity provider 204 performs access authentication of UE 200, service providing server 208 verifies the user's identity, and the process of securely sharing user data in the network is then carried out.
The preconditions of the flow are that the link between UE 200 and ASN 202 has been established and that the user's identity ID is either pre-configured in UE 200 or assigned to the user by the network. The process includes:
Step 402, UE 200 has passed the network access authentication; after authentication UE 200 and identity provider 204 share a session key;
Step 404, UE 200 accesses the service of service providing server 208, and service providing server 208 locates identity provider 204 by static configuration or dynamic discovery;
Step 406, service providing server 208 sends an unauthorized message to UE 200;
Step 408, UE 200 sends a digest authentication message to service providing server 208, using the ID as the user name and the session key as the password;
Step 410, service providing server 208 requests the user's security parameter from identity provider 204;
Step 412, identity provider 204 returns the user's security parameter to service providing server 208;
Step 414, service providing server 208 verifies the user's identity; the verification is based on the received digest authentication message and the user's security parameter;
Step 416, service providing server 208, RS 206, identity provider 204 and UE 200 carry out the process of securely sharing user data in the network.
The secure data-sharing process may be the same as steps 252 to 258 of Fig. 4 or the same as steps 320 to 332 of Fig. 5, and is not repeated here.
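The digest authentication of step 312a (identity provider as verifier) and of steps 410 to 414 (service providing server as verifier, using the session key fetched from the identity provider), as an added Python example that is not the patent's own code. Assumptions not on the page: RFC 2617 Digest with qop=auth and MD5, the hex-encoded MSK as the password string, and constructed CK/IK values; the MSK = CK || IK derivation is the one the description gives for AKA access.

```python
import hashlib
import hmac
import os


def derive_msk(ck: bytes, ik: bytes) -> bytes:
    """Session key after AKA access authentication: MSK = CK || IK."""
    return ck + ik


def _h(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user_id, msk, realm, nonce, method, uri,
                    nc="00000001", cnonce=None):
    """UE side (steps 310a / 408): RFC 2617 Digest with qop=auth, the user ID
    as user name and the hex-encoded MSK as password (encoding is an assumption)."""
    cnonce = cnonce or os.urandom(8).hex()
    ha1 = _h(f"{user_id}:{realm}:{msk.hex()}")
    ha2 = _h(f"{method}:{uri}")
    response = _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user_id, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


class IdentityProvider:
    """Holds the ID/MSK pairs established at network access authentication.
    security_parameter() is what the service providing server asks for in
    steps 410 to 412 of embodiment three."""

    def __init__(self, sessions):
        self._sessions = sessions  # user ID -> MSK

    def security_parameter(self, user_id):
        return self._sessions.get(user_id)


class DigestVerifier:
    """Verifier side of the challenge/response: the identity provider itself
    in embodiment two (step 312a), or the service providing server in
    embodiment three (step 414), each constructed with the MSK lookup it uses."""

    def __init__(self, realm, lookup_msk):
        self.realm = realm
        self._lookup = lookup_msk
        self._nonces = set()  # nonces issued and not yet consumed

    def challenge(self):
        """The 401 Unauthorized of steps 308a / 406 carries a fresh nonce."""
        nonce = os.urandom(16).hex()
        self._nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, auth):
        """Recompute the digest from the stored MSK and compare in constant time;
        each nonce is accepted once, so a replayed Authorization header fails."""
        nonce = auth.get("nonce")
        if nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)
        msk = self._lookup(auth.get("username"))
        if msk is None or auth.get("realm") != self.realm or auth.get("qop") != "auth":
            return False
        expected = digest_response(auth["username"], msk, self.realm, nonce,
                                   method, auth["uri"], auth["nc"], auth["cnonce"])
        return hmac.compare_digest(expected["response"], auth["response"])


def demo():
    """Constructed run of embodiment three: the service providing server verifies
    the UE's digest with the MSK it obtains from the identity provider."""
    ck, ik = bytes(range(16)), bytes(range(16, 32))  # constructed AKA keys
    idp = IdentityProvider({"user-42": derive_msk(ck, ik)})
    sp = DigestVerifier("sp.example", idp.security_parameter)
    chal = sp.challenge()
    auth = digest_response("user-42", derive_msk(ck, ik), chal["realm"],
                           chal["nonce"], "GET", "/service")
    return sp.verify("GET", auth)
```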
The present invention also provides a service providing server, which includes:
a receiving module, for receiving the access of a user equipment (UE);
an acquisition module, for directly or indirectly obtaining the user-authorized shared user data from a resource server (RS).
In addition, the service providing server may also include a service access authentication module, for directly or indirectly completing the service access authentication of the UE before the receiving module receives the access of the UE.
Specifically, the service access authentication module is used to obtain user security parameters from the identity provider and complete the service access authentication of the UE according to those parameters, or to obtain from the identity provider the identity provider's service authentication result for the UE. The user security parameters are obtained by the identity provider according to the network's access authentication result for the UE; the service authentication result is completed by the identity provider according to the network's access authentication result for the UE.
Further, the acquisition module is used to obtain a token from the identity provider and obtain the user-authorized shared user data directly from the RS according to the token, or to obtain the user-authorized shared user data through the identity provider.
The service providing server can share the user-authorized shared user data in the network; the specific implementation is shown in Fig. 4 to Fig. 6 and is not repeated here.
The present invention also provides an identity provider, which includes:
a network access authentication module, for authenticating a user equipment (UE) accessing the network and obtaining user security parameters;
a service access authentication module, for completing the service access authentication of the UE according to the user security parameters obtained by the network access authentication module, and sending the service access authentication result to a service providing server.
The user security parameters include a session key.
In addition, the identity provider may also include a sending module, for sending the user security parameters obtained by the network access authentication module to the service providing server.
Further, the identity provider may also include a data transmission module, for receiving the data request sent by the service providing server after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server; obtaining the user-authorized shared user data from a resource server (RS) according to the data request; and sending the shared user data to the service providing server. The data transmission module is also used, after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server, to receive a token request sent by the service providing server and to send a token to the service providing server according to the token request, so that the service providing server obtains the user-authorized shared user data from the RS according to the token.
The identity provider lays the foundation for the UE to access the service providing server; at the same time it either provides the service providing server with the user-authorized shared user data, or provides it with a token so that the service providing server can obtain the user-authorized shared user data according to the token.
The present invention also provides a user equipment (UE), which includes:
an access module, for accessing a service providing server;
a data processing module, for receiving the user data authorization request sent by the identity provider according to the data request of the service providing server, and returning the user-authorized shared user data to the identity provider according to the user's authorization result for the user data carried in the user data authorization request.
Specifically, the access module is used to access the service providing server after the UE has successfully accessed the network using its identifier and passed the service access authentication of the service providing server.
The UE can access the service providing server after successfully accessing the network and passing the service access authentication of the service providing server, and authorize which of its data the service providing server may share in the network; the service providing server can then share the user data authorized by the UE in the network. The specific interactions are shown in Fig. 4 to Fig. 6.
Those of ordinary skill in the art will understand that all or part of the steps of the above method may be completed by a program instructing the related hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disk. Alternatively, all or part of the steps of the above embodiments may be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software function module. The present invention is not limited to any particular combination of hardware and software.
The above embodiments only illustrate the technical solution of the present invention and do not limit it; the present invention has been described in detail with reference to preferred embodiments only. Those skilled in the art will understand that the technical solution of the present invention may be modified or equivalently substituted without departing from its spirit and scope, and all such modifications fall within the scope of the claims of the present invention.

Claims (15)

1. A method of sharing user data in a network, the network including an identity provider and a resource server RS, the method including:
a service providing server receives the access of a user equipment (UE);
the service providing server directly or indirectly obtains the user-authorized shared user data from the RS;
wherein the service providing server directly obtaining the user-authorized shared user data from the RS includes:
the service providing server obtains a token from the identity provider and obtains the user-authorized shared user data directly from the RS according to the token;
and the service providing server indirectly obtaining the user-authorized shared user data from the RS includes:
the service providing server obtains the user-authorized shared user data through the identity provider.
2. The method according to claim 1, characterized in that:
before the service providing server receives the access of the UE, the method also includes:
the service providing server directly or indirectly completes the service access authentication of the UE.
3. The method according to claim 2, characterized in that:
the service providing server directly completing the service access authentication of the UE includes:
the service providing server obtains user security parameters from the identity provider and completes the service access authentication of the UE according to the user security parameters.
4. The method according to claim 2, characterized in that:
the service providing server indirectly completing the service access authentication of the UE includes:
the service providing server obtains from the identity provider the identity provider's service access authentication result for the UE.
5. The method according to claim 3, characterized in that:
the user security parameters are obtained by the identity provider according to the network's access authentication result for the UE.
6. The method according to claim 4, characterized in that:
the service access authentication result is completed by the identity provider according to the network's access authentication result for the UE.
7. A service providing server, including:
a receiving module, for receiving the access of a user equipment (UE);
an acquisition module, for directly or indirectly obtaining the user-authorized shared user data from a resource server RS;
wherein the acquisition module is used to obtain a token from an identity provider and obtain the user-authorized shared user data directly from the RS according to the token, or to obtain the user-authorized shared user data through the identity provider.
8. The service providing server according to claim 7, characterized in that it also includes:
a service access authentication module, for directly or indirectly completing the service access authentication of the UE before the receiving module receives the access of the UE.
9. The service providing server according to claim 8, characterized in that:
the service access authentication module is used to obtain user security parameters from the identity provider and complete the service access authentication of the UE according to the user security parameters, or to obtain from the identity provider the identity provider's service authentication result for the UE.
10. The service providing server according to claim 9, characterized in that:
the user security parameters are obtained by the identity provider according to the network's access authentication result for the UE;
or the service authentication result is completed by the identity provider according to the network's access authentication result for the UE.
11. An identity provider, including:
a network access authentication module, for authenticating a user equipment (UE) accessing the network and obtaining user security parameters;
a service access authentication module, for completing the service access authentication of the UE according to the user security parameters obtained by the network access authentication module, and sending the service access authentication result to a service providing server;
a sending module, for sending the user security parameters obtained by the network access authentication module to the service providing server;
a data transmission module, for receiving the data request sent by the service providing server after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server; obtaining the user-authorized shared user data from a resource server RS according to the data request; and sending the shared user data to the service providing server.
12. The identity provider according to claim 11, characterized in that:
the user security parameters include a session key.
13. The identity provider according to claim 11, characterized in that:
the data transmission module is also used, after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server, to receive a token request sent by the service providing server and to send a token to the service providing server according to the token request, so that the service providing server obtains the user-authorized shared user data from the RS according to the token.
14. A user equipment (UE), including:
an access module, for accessing a service providing server;
a data processing module, for receiving the user data authorization request sent by the identity provider according to the data request of the service providing server, and returning the user-authorized shared user data to the identity provider according to the user's authorization result for the user data carried in the user data authorization request.
15. The UE according to claim 14, characterized in that:
the access module is used to access the service providing server after the UE has successfully accessed the network using its identifier and passed the service access authentication of the service providing server.
CN201110233110.9A 2011-08-15 2011-08-15 The method and identity provider of user data in shared network Active CN102938757B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110233110.9A CN102938757B (en) 2011-08-15 2011-08-15 The method and identity provider of user data in shared network
PCT/CN2012/076275 WO2013023475A1 (en) 2011-08-15 2012-05-30 Method for sharing user data in network and identity providing server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110233110.9A CN102938757B (en) 2011-08-15 2011-08-15 The method and identity provider of user data in shared network

Publications (2)

Publication Number Publication Date
CN102938757A CN102938757A (en) 2013-02-20
CN102938757B true CN102938757B (en) 2017-12-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20201230

Address after: No.66 Lijiang Road, Yancheng Economic and Technological Development Zone, Jiangsu Province 224000

Patentee after: Jiangsu New Energy Vehicle Research Institute Co.,Ltd.

Address before: 518057 Ministry of justice, Zhongxing building, South Science and technology road, Nanshan District hi tech Industrial Park, Shenzhen, Guangdong

Patentee before: ZTE Corp.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20210714

Address after: Room 309, building 1, No.69, Donghuan South Road, Yancheng Economic and Technological Development Zone, Jiangsu 224000

Patentee after: Jiangsu Yanxin Automobile Industry Investment Development Co.,Ltd.

Address before: No.66 Lijiang Road, Yancheng Economic and Technological Development Zone, Jiangsu Province 224000

Patentee before: Jiangsu New Energy Vehicle Research Institute Co.,Ltd.