Summary of the invention
The invention provides a method for sharing user data in a network, a service providing server, an identity provider and a user equipment, to solve the problem that an existing service providing server cannot securely share the user data held by a telecom operator.
The invention provides a method for sharing user data in a network. The network includes an identity provider and a resource server (RS), and the method includes:
a service providing server receives access from a user equipment (UE);
the service providing server obtains, directly or indirectly, the user shared data authorized by the user from the RS.
Preferably, before the service providing server receives the access of the UE, the method also includes:
the service providing server completes, directly or indirectly, service access authentication of the UE.
Preferably, the service providing server completing the service access authentication of the UE directly includes:
the service providing server obtains user security parameters from the identity provider and completes the service access authentication of the UE according to the user security parameters.
Preferably, the service providing server completing the service access authentication of the UE indirectly includes:
the service providing server obtains from the identity provider the identity provider's service access authentication result for the UE.
Preferably, the user security parameters are obtained by the identity provider according to the network's access authentication result for the UE.
Preferably, the service access authentication result is completed by the identity provider according to the network's access authentication result for the UE.
Preferably, the service providing server directly obtaining the user shared data authorized by the user from the RS includes:
the service providing server obtains a token from the identity provider and, according to the token, directly obtains the user shared data authorized by the user from the RS.
Preferably, the service providing server indirectly obtaining the user shared data authorized by the user from the RS includes:
the service providing server obtains the user shared data authorized by the user through the identity provider.
The present invention also provides a service providing server, which includes:
a receiving module, for receiving access from a user equipment (UE);
an acquisition module, for obtaining, directly or indirectly, the user shared data authorized by the user from a resource server (RS).
Preferably, the service providing server also includes:
a service access authentication module, for completing, directly or indirectly, service access authentication of the UE before the receiving module receives the access of the UE.
Preferably, the service access authentication module is used to obtain user security parameters from an identity provider and complete the service access authentication of the UE according to the user security parameters; or to obtain from the identity provider the identity provider's service authentication result for the UE.
Preferably, the user security parameters are obtained by the identity provider according to the network's access authentication result for the UE; or
the service authentication result is completed by the identity provider according to the network's access authentication result for the UE.
Preferably, the acquisition module is used to obtain a token from the identity provider and, according to the token, directly obtain the user shared data authorized by the user from the RS; or to obtain the user shared data authorized by the user through the identity provider.
The present invention also provides an identity provider, which includes:
a network access authentication module, for authenticating the network access of a user equipment (UE) and obtaining user security parameters;
a service access authentication module, for completing service access authentication of the UE according to the user security parameters obtained by the network access authentication module, and sending the service access authentication result to a service providing server.
Preferably, the identity provider also includes:
a sending module, for sending the user security parameters obtained by the network access authentication module to the service providing server.
Preferably, the user security parameters include a session key.
Preferably, the identity provider also includes:
a data transmission module, for receiving a data request sent by the service providing server after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server; obtaining the user shared data authorized by the user from a resource server (RS) according to the data request; and sending the user shared data to the service providing server.
Preferably, the data transmission module is also used to receive a token request sent by the service providing server after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server; and to send a token to the service providing server according to the token request, so that the service providing server obtains the user shared data authorized by the user from the RS according to the token.
The present invention also provides a user equipment (UE), which includes:
an access module, for accessing a service providing server;
a data processing module, for receiving a user data authorization request sent by an identity provider according to a data request sent by the service providing server, and returning to the identity provider the user shared data authorized by the user according to the user's authorization result for the user data carried in the user data authorization request.
Preferably, the access module is used to access the service providing server after the UE has successfully accessed the network using its identifier and has obtained the service access authentication of the service providing server.
With the above method for sharing user data in a network, service providing server, identity provider and user equipment, a service providing server can securely share the user data held by a telecom operator.
Embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, provided they do not conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
Fig. 1 is a schematic diagram of a scenario of sharing user data in a network according to the present invention. In this embodiment, a social networking site securely shares a user's data held in the network, such as a contact list. The sharing procedure includes:
Step 10, user 100 accesses network 102 and passes the authentication of network 102;
Step 12, user 100 accesses social networking site 104;
Step 14, social networking site 104, which does not hold the identity information of user 100, finds network 102 according to configuration information, or finds network 102 using a dynamic discovery protocol;
Step 16, network 102 contacts user 100, and user 100 authorizes whether the user data, such as the contact list, may be shared;
Step 18, after user 100 authorizes sharing of the user data, network 102 continues with the processing below;
Step 20, network 102 returns the shared information of user 100, such as the contact list, to social networking site 104;
Step 22, when user 106 accesses social networking site 104 through network 102, the user data shared by user 100, such as the contact list, is used.
Fig. 2 is an architecture diagram of embodiment one of sharing user data in a network according to the present invention. The network routes packets through an Access Serving Node (ASN); user equipment (UE) 200 is identified by an identifier ID. In the network, user equipment 200 is authenticated by the identity provider, and the user shared data may be obtained either directly from the Resource Server (RS) 206 or through identity provider 204. The network includes, but is not limited to, a mobile communication network or an identifier network. Authentication between UE 200 and service providing server 208 is based on the result of the user's access authentication. In this architecture the network does not deliver the user's security credentials to service providing server 208, so service providing server 208 cannot authenticate user equipment 200 directly, and user authentication has to be completed over the interface between UE 200 and identity provider 204.
User equipment 200 refers to a user node, such as a mobile phone or a PC. The user equipment is pre-configured with, or obtains from the network, an identifier ID; it possesses security credentials, such as a root key pre-shared with the network or a configured digital certificate. In a mobile communication network, the ID of the user equipment may be an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber ISDN Number (MSISDN); in an identifier network, the ID of the user equipment is an Access Identifier (AID). The capabilities of the user equipment include, but are not limited to: supporting the Hypertext Transfer Protocol (HTTP) Digest authentication protocol; supporting the Session Initiation Protocol (SIP) Digest authentication protocol; supporting the Extensible Authentication Protocol (EAP) and EAP authentication methods; and being able to derive new key material.
Access serving node 202 is located at the edge of the network. It provides access service for user equipment 200, maintains the connection between the terminal and the network, performs functions such as routing and forwarding of data packets, and cooperates with identity provider 204 to complete the access authentication of UE 200. In a mobile communication network, the access serving node is the Serving GPRS Support Node (SGSN) and/or the Gateway GPRS Support Node (GGSN); in an identifier network, the access serving node is the ASN.
Identity provider 204 takes the user identifier ID as its core in the network; it is responsible for creating, maintaining and managing user identity information, and provides user identity authentication services. Its capabilities include, but are not limited to: providing a network access authentication service; providing a service access authentication service; supporting EAP functions; and being able to obtain user profiles from the RS. In a specific implementation, the identity management function may be realized by enhancing the functions of an authentication center, for example by supporting Web functions, the Hypertext Transfer Protocol (HTTP), the HTTP Digest authentication protocol and the Security Assertion Markup Language (SAML).
Resource server (RS) 206 stores the user's security information and provides the user's attribute data and other data, such as contact lists, avatars, photos and videos.
Service providing server 208 provides services to user node 200. These may be Web-type services, such as a portal website or an electronic store, which typically use the Hypertext Markup Language (HTML) over HTTP; they may also be non-Web services, such as e-mail or instant messaging, which are typically based on a transport-layer protocol such as the Transmission Control Protocol (TCP).
The interfaces in Fig. 2 are introduced below:
Interface A: between UE 200 and ASN 202; provides mutual authentication of UE 200 and ASN 202; supports, but is not limited to, the EAP protocol;
Interface B: between ASN 202 and identity provider 204; mainly transfers the master session key from identity provider 204 to ASN 202; supports, but is not limited to, carrying the EAP payload over an authentication, authorization and accounting (AAA) protocol;
Interface C: between identity provider 204 and RS 206; identity provider 204 obtains the user's security information and other user data through interface C 214. The protocols of this interface include, but are not limited to, Diameter.
Interface D: between UE 200 and identity provider 204; supports the user's single sign-on service and secure data sharing. The protocols of this interface include, but are not limited to: HTTP Digest; SIP Digest; SAML.
Interface E: between UE 200 and service providing server 208; UE 200 accesses the services provided by service providing server 208 through this interface. The protocols of this interface include, but are not limited to: HTTP; transport-layer protocols such as TCP; SAML; Diameter; HTTPS.
Interface F: between identity provider 204 and service providing server 208; provides the single sign-on service and supports secure data sharing. The protocols of this interface include, but are not limited to: HTTP and AAA protocols.
Interface G: between service providing server 208 and RS 206; service providing server 208 obtains user-related data through this interface. The protocols of this interface include, but are not limited to: Diameter.
Fig. 3 is an architecture diagram of embodiment two of sharing user data in a network according to the present invention. It differs from the architecture of Fig. 2 in that, in this embodiment, there is no interface between the UE and the identity provider; instead, the network can deliver the user's security information (such as the identifier, master session key and key lifetime) to service providing server 208, so that service providing server 208 can authenticate user equipment 200 directly. The user security information used in the authentication between UE 200 and service providing server 208 is the result of the user's network access authentication.
Fig. 4 is the signaling flow chart of embodiment one of sharing user data in a network according to the present invention. The flow is completed based on the architecture shown in Fig. 2. In this embodiment, UE 200 is authenticated by identity provider 204, service providing server 208 obtains a token from identity provider 204 and obtains the user's shared data directly from RS 206, and identity provider 204 and RS 206 have been pre-configured with a user data sharing template; which specific data are shared is authorized by the user.
The precondition of the flow is that a link has been established between UE 200 and ASN 202 and that UE 200 has been pre-configured with the user's identifier ID. The process of sharing user data in the network includes:
Step 220, ASN 202 sends an identity request to UE 200;
Step 222, UE 200 sends a response to ASN 202, the response carrying the user's identifier ID;
Step 224, ASN 202 sends the response message to identity provider 204, the message carrying the user's identifier ID;
Step 226, identity provider 204 sends a message carrying the ID to RS 206 to request key material;
Step 228, RS 206 returns the key material to identity provider 204;
Step 230, UE 200 and identity provider 204 negotiate security parameters, including the security protocol supported by both sides and a session key;
Steps 220 to 230 above are the network's access authentication procedure for the UE;
Step 232, UE 200 accesses the service of service providing server 208, and service providing server 208 obtains the location of identity provider 204 by static configuration or dynamic discovery;
Step 234, service providing server 208 sends a redirect message to UE 200, and UE 200 sends the message to identity provider 204 according to the identity provider's address in the redirect message header;
Step 236, identity provider 204 sends an unauthorized message to UE 200;
Step 238, UE 200 sends a digest authentication message to identity provider 204, using the ID as the user name and the session key as the password;
Step 240, identity provider 204 verifies the user's identity after receiving the digest authentication message;
Step 242, identity provider 204 requests the user data list from RS 206, the request carrying the user's identity;
Step 244, RS 206 returns the user data list to identity provider 204;
Step 246, identity provider 204 sends the user data list to UE 200 and requests the user's authorization;
Step 248, UE 200 returns the user's authorization result to identity provider 204;
Step 250, identity provider 204 sends a redirect message to UE 200, and UE 200 contacts service providing server 208 according to the address in the message header; the message includes an index and an authorization code;
Step 252, service providing server 208 requests an access token from identity provider 204, the request containing the index and the authorization code;
Step 254, identity provider 204 returns the access token to service providing server 208, the token containing information such as a key and a key lifetime;
Step 256, service providing server 208 obtains the shared user data in batches from RS 206. RS 206 applies security protection to these data, such as confidentiality protection and integrity protection; after receiving the user data, service providing server 208 reads the protected data using the access token;
Step 258, service providing server 208 returns a result message to UE 200.
Taking the EAP, AAA, HTTP and SAML protocols as an example, the process of securely sharing user data in a network shown in Fig. 4 is described below in the form of an application example:
Step 220a, ASN 202 sends an EAP-Identity request to UE 200;
Step 222a, UE 200 sends an EAP-Identity response to ASN 202, the response carrying the user's identifier ID; the Type-Data field of the EAP-Identity response is set to the ID;
Step 224a, ASN 202 sends the EAP payload (EAP-Payload) to identity provider 204 over an AAA protocol. For Diameter, the EAP-Identity payload is encapsulated in the EAP-Payload AVP (Attribute-Value Pair) of a Diameter-EAP-Request message; for the Remote Authentication Dial-In User Service (RADIUS) protocol, the EAP-Identity payload is encapsulated in the EAP-Message attribute of a RADIUS Access-Request message;
Step 226a, identity provider 204 sends the ID to RS 206 via Diameter to obtain key material; specifically, a Multimedia-Auth-Request (MAR) may be used to carry the ID;
Step 228a, RS 206 returns the key material to identity provider 204 via Diameter; specifically, a Multimedia-Auth-Answer (MAA) message may be used to carry the key material, with the ID mapped to the User-Name attribute;
Step 230a, UE 200 and identity provider 204 negotiate security parameters: (1) the EAP method is negotiated, such as EAP-Authentication and Key Agreement (EAP-AKA) or EAP-Transport Layer Security (EAP-TLS); for Diameter, the EAP-AKA or EAP-TLS payload is encapsulated in the EAP-Payload AVP (Attribute-Value Pair) of the Diameter-EAP-Request message; for RADIUS, the EAP-AKA or EAP-TLS payload is encapsulated in RADIUS Access-Challenge and Access-Accept messages. (2) UE 200 and identity provider 204 negotiate the MSK (Master Session Key); for Diameter, the key material is carried in the EAP-Master-Session-Key AVP of the Diameter-EAP-Request message; for RADIUS, the MSK is carried in a Vendor-Specific Attribute (VSA) of the RADIUS Access-Accept message;
Step 232a, UE 200 sends an HTTP request to service providing server 208 and selects, at service providing server 208, to log in through identity provider 204. The Uniform Resource Locator (URL) address of the identity provider is carried in the header field of the HTTP request; service providing server 208 obtains the URL address of identity provider 204 by static configuration or dynamic discovery, and carries <lib:AuthnRequest> in the request message;
Step 234a, service providing server 208 sends an HTTP redirect message to UE 200, and UE 200 sends the message to identity provider 204 according to the identity provider's URL address in the HTTP redirect message header;
Step 236a, identity provider 204 sends an HTTP 401 (Unauthorized) message to UE 200;
Step 238a, UE 200 sends an HTTP request message to identity provider 204 and performs HTTP Digest authentication, using the ID as the user name and the MSK as the password;
Step 240a, after receiving the HTTP digest authentication message, identity provider 204 looks up the local ID/MSK according to the ID and runs the same HTTP Digest authentication algorithm; when the calculated result matches, the verification passes;
Step 242a, identity provider 204 sends the ID to RS 206 via Diameter to request the user data list; the User Data attribute of a Push-Profile-Request message is used to carry the user data list, with the ID mapped to the User-Name attribute;
Step 244a, RS 206 returns the user data list to identity provider 204 via Diameter; the User Data attribute of a Push-Profile-Answer message is used to carry the user data list, with the ID mapped to the User-Name attribute;
Step 246a, identity provider 204 sends the user data list to UE 200 via HTTPS and requests the user's authorization;
Step 248a, after the user authorizes, UE 200 returns the user-authorized data list to identity provider 204;
Step 250a, identity provider 204 generates a SAML Artifact and an authorization code and sends a redirect message to UE 200 via HTTPS; UE 200 contacts service providing server 208 using the URL in the message header. The SAML Artifact points to a structured data object of a SAML protocol message; it is small and can be embedded in an HTTP message;
Step 252a, service providing server 208 sends an HTTP GET request to identity provider 204 via HTTPS, the message including the SAML Artifact and the authorization code;
Step 254a, identity provider 204 returns an access token to service providing server 208 in an HTTPS response message, the token containing information such as a key and a key lifetime;
Step 256a, service providing server 208 obtains the shared user data in batches from RS 206 via Diameter, using the User Data attribute of Diameter Push-Profile-Request/Push-Profile-Answer messages to obtain the user's shared data in batches. RS 206 applies security protection to these data, such as confidentiality protection and integrity protection; after receiving the user data, service providing server 208 reads the protected data with the access token;
Step 258a, service providing server 208 returns an HTTP 200 OK message to UE 200.
The above flow applies to access technologies that support EAP authentication, such as ADSL, WLAN and Ethernet. For the 3G access procedure, the AKA authentication procedure is used, and after authentication completes MSK = CK || IK is set.
An identity/location separation network supports compatibility with existing terminals and access technologies, that is, neither the terminal nor the access network is changed. In that case UE 200 accesses the network in the existing manner; after access authentication the network allocates an access identifier ID to the user equipment, at which point the user equipment and the network share a session key. The subsequent processing flow is exactly the same.
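As an added example, not part of the patent text, the following Python sketches the token part of the Fig. 4 flow (steps 250 to 256): after the user's authorization the identity provider hands out an index and an authorization code, the service providing server exchanges them for an access token carrying a key and a lifetime, and the RS releases only the items the user authorized, integrity-protected under the token key. The class and function names, the 300-second lifetime, the HMAC-SHA256 integrity tag and the sample records are assumptions of this example; the page does not say how the RS learns the token, so here the RS simply consults the identity provider's token table. The confidentiality protection the text also names is left to the transport (HTTPS or Diameter over a secured link) and is not shown.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    """Token of step 254: a key and a lifetime (assumed 300 s), bound to one user and one scope."""
    token_id: str
    key: bytes
    lifetime: int
    issued_at: float
    user_id: str
    scope: tuple


class IdentityProvider:
    def __init__(self):
        self.pending = {}   # index -> (authorization code, ID, items the user authorized)
        self.tokens = {}    # token_id -> AccessToken; consulted by the RS (assumption of this example)

    def redirect_after_authorization(self, user_id, authorized_items):
        """Step 250: index and authorization code carried in the redirect to the UE."""
        index = secrets.token_urlsafe(8)
        code = secrets.token_urlsafe(16)
        self.pending[index] = (code, user_id, tuple(authorized_items))
        return index, code

    def issue_token(self, index, code):
        """Steps 252-254: exchange index + authorization code for an access token.
        The index is consumed on the first attempt, so a code cannot be guessed by retrying."""
        entry = self.pending.pop(index, None)
        if entry is None or not hmac.compare_digest(entry[0], code):
            return None
        token = AccessToken(secrets.token_urlsafe(12), secrets.token_bytes(32), 300,
                            time.time(), entry[1], entry[2])
        self.tokens[token.token_id] = token
        return token


class ResourceServer:
    def __init__(self, idp, records):
        self.idp = idp
        self.records = records   # ID -> {item: value}; constructed sample data

    def read_shared_data(self, token_id, now=None):
        """Step 256: check token validity and lifetime, release only the authorized items,
        and attach an integrity tag computed with the token key."""
        token = self.idp.tokens.get(token_id)
        if token is None:
            raise PermissionError("unknown token")
        now = time.time() if now is None else now
        if now > token.issued_at + token.lifetime:
            raise PermissionError("token expired")
        items = {k: v for k, v in self.records[token.user_id].items() if k in token.scope}
        payload = json.dumps(items, sort_keys=True).encode()
        tag = hmac.new(token.key, payload, hashlib.sha256).digest()
        return payload, tag


def sp_read_protected(token, payload, tag):
    """Service providing server side of step 256: verify the tag with the token key before use."""
    expected = hmac.new(token.key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return json.loads(payload)


def read_or_none(rs, token_id, now=None):
    """Convenience wrapper: None when the RS refuses the token."""
    try:
        return rs.read_shared_data(token_id, now)
    except PermissionError:
        return None


def demo():
    idp = IdentityProvider()
    rs = ResourceServer(idp, {"user100": {"contacts": ["alice", "bob"], "photos": ["p1.jpg"]}})
    index, code = idp.redirect_after_authorization("user100", ["contacts"])  # user granted contacts only
    token = idp.issue_token(index, code)
    payload, tag = rs.read_shared_data(token.token_id)
    return idp, rs, token, sp_read_protected(token, payload, tag)


if __name__ == "__main__":
    print(demo()[3])
```

The point a practitioner should take from this is that the RS never sees the user's choice directly: the authorized scope travels inside the token, so the RS can enforce it without a second round trip, and an expired or unknown token yields nothing.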
Fig. 5 is the signaling flow chart of embodiment two of sharing user data in a network according to the present invention. This embodiment is also completed based on the architecture shown in Fig. 2. In this embodiment, UE 200 is authenticated by identity provider 204, service providing server 208 obtains the user's shared data through identity provider 204, which specific data are shared is authorized by the user, and the user's real identity information is not revealed to the service providing server.
The precondition of the flow is that a link has been established between UE 200 and ASN 202 and that UE 200 has been pre-configured with the user's identifier ID, or the network has allocated an ID to the user. The process of sharing user data in the network includes:
Step 302, UE 200 has passed the network's access authentication; after authentication ends, UE 200 and identity provider 204 share a session key;
Step 302 may specifically include steps 220 to 230 in Fig. 4, which are not repeated here;
Step 304, UE 200 accesses the service of service providing server 208, and service providing server 208 obtains the location of identity provider 204 by static configuration or dynamic discovery;
Step 306, service providing server 208 sends a redirect message to UE 200, and UE 200 sends the message to identity provider 204 according to the identity provider's address in the redirect message header;
Step 308, identity provider 204 sends an unauthorized message to UE 200;
Step 310, UE 200 sends a digest authentication message to identity provider 204, using the ID as the user name and the session key as the password;
Step 312, identity provider 204 verifies the user's identity after receiving the digest authentication message;
Step 314, identity provider 204 sends a redirect message to service providing server 208, the message including an index;
Step 316, service providing server 208 sends a request to identity provider 204 to authenticate the user's identity, the message including the index;
Step 318, identity provider 204 returns the authentication result to service providing server 208;
Step 320, service providing server 208 requests the user's shared data from identity provider 204, the message including the index;
Step 322, identity provider 204 requests the user data from RS 208, the request including the ID;
Step 324, RS 206 returns the user data to the identity provider;
Step 326, identity provider 204 sends a request to UE 200 asking the user to authorize the data;
Step 328, UE 200 returns the user-authorized data to identity provider 204;
Step 330, identity provider 204 returns the user-authorized data to service providing server 208;
Step 332, service providing server 208 returns a result message to UE 200.
Taking the HTTP and SAML protocols as an example, the process of securely sharing user data in a network shown in Fig. 5 is described below in the form of an application example:
Step 302a, UE 200 has passed the network's access authentication; after authentication ends, UE 200 and identity provider 204 share the session key MSK;
Step 304a, UE 200 sends an HTTP request to service providing server 208 and selects, at service providing server 208, to log in through identity provider 204. The Uniform Resource Locator (URL) address of the identity provider is carried in the header field of the HTTP request; service providing server 208 obtains the URL address of identity provider 204 by static configuration or dynamic discovery, and carries <lib:AuthnRequest>;
Step 306a, service providing server 208 sends an HTTP redirect message to UE 200, and UE 200 sends the message to identity provider 204 according to the identity provider's URL address in the HTTP redirect message header;
Step 308a, identity provider 204 sends an HTTP 401 Unauthorized message to UE 200;
Step 310a, UE 200 sends an HTTP request message to identity provider 204 and performs HTTP Digest authentication, using the ID as the user name and the MSK as the password;
Step 312a, after receiving the HTTP digest authentication message, identity provider 204 looks up the local ID/MSK according to the ID and runs the same HTTP Digest authentication algorithm; when the calculated result matches, the verification passes;
Step 314a, identity provider 204 generates a SAML Artifact and sends an HTTPS redirect message to service providing server 208, the message carrying the SAML Artifact; the SAML Artifact points to a structured data object of a SAML protocol message, is small and can be embedded in an HTTP message;
Step 316a, after receiving the SAML Artifact, service providing server 208 sends an HTTPS request to identity provider 204, the message carrying the SAML Artifact; after receiving the message, identity provider 204 constructs a SAML assertion;
Step 318a, identity provider 204 returns the SAML assertion to service providing server 208 via HTTPS;
Step 320a, after verifying the signature of the SAML assertion, service providing server 208 sends an HTTPS request to identity provider 204 to request the shared user data, the message carrying the SAML Artifact;
Step 322a, identity provider 204 obtains the ID according to the SAML Artifact and requests the user's shared data from RS 206 via a Diameter Push-Profile-Request;
Step 324a, RS 206 returns the user's shared data to identity provider 204, carried in the User Data attribute of a Diameter Push-Profile-Answer message;
Step 326a, identity provider 204 sends an HTTPS request to UE 200 asking the user to authorize the shared data;
Step 328a, after the user authorizes sharing of the user data, the result is returned to identity provider 204;
Step 330a, after the user authorizes, identity provider 204 returns the user-authorized data to service providing server 208;
Step 332a, service providing server 208 returns an HTTP 200 OK message to UE 200.
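As an added example, not part of the patent text, the following Python models the identity-hiding property of the Fig. 5 flow (steps 314a to 330a): the SAML Artifact is an opaque reference that only the identity provider can map back to the real ID, the assertion the service providing server verifies names a per-audience pseudonym rather than the ID, and the shared data request is served by the identity provider, which fetches from the RS and asks the user before releasing anything. Names, the JSON assertion shape, the pseudonym construction and the sample records are assumptions of this example. The HMAC-SHA256 signature stands in for the XML signature of a real SAML assertion: with a public-key signature the service providing server would hold only the identity provider's public key, whereas here both sides share one key for brevity.

```python
import hashlib
import hmac
import json
import secrets


class ResourceServer:
    """Steps 322a/324a: returns the stored data for a real ID (constructed records)."""
    def __init__(self, records):
        self.records = records

    def user_data(self, user_id):
        return dict(self.records.get(user_id, {}))


class IdentityProvider:
    def __init__(self, rs, signing_key, ue_authorize):
        self.rs = rs
        self.key = signing_key            # stands in for the assertion signing key
        self.ue_authorize = ue_authorize  # interface D: data item names -> items the user grants
        self.artifacts = {}               # SAML Artifact -> real ID; this mapping never leaves the IdP

    def issue_artifact(self, user_id):
        """Step 314a: a small opaque reference to carry in the redirect."""
        artifact = secrets.token_urlsafe(20)
        self.artifacts[artifact] = user_id
        return artifact

    def resolve_artifact(self, artifact, audience):
        """Steps 316a-318a: build and sign an assertion whose subject is a pseudonym, not the ID."""
        user_id = self.artifacts.get(artifact)
        if user_id is None:
            return None
        pseudonym = hashlib.sha256(self.key + user_id.encode() + audience.encode()).hexdigest()[:16]
        assertion = json.dumps({"issuer": "idp", "audience": audience, "subject": pseudonym},
                               sort_keys=True)
        signature = hmac.new(self.key, assertion.encode(), hashlib.sha256).hexdigest()
        return {"assertion": assertion, "signature": signature}

    def shared_data(self, artifact):
        """Steps 320a-330a: resolve the ID, fetch from the RS, ask the user, return only what was granted."""
        user_id = self.artifacts.get(artifact)
        if user_id is None:
            return None
        data = self.rs.user_data(user_id)
        granted = self.ue_authorize(list(data))
        return {k: data[k] for k in granted if k in data}


class ServiceProvidingServer:
    def __init__(self, idp, verification_key, name="sp.example"):
        self.idp = idp
        self.vkey = verification_key
        self.name = name

    def verify_assertion(self, response):
        """Signature and audience check of step 320a; None if the assertion is not trustworthy."""
        expected = hmac.new(self.vkey, response["assertion"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["signature"]):
            return None
        claims = json.loads(response["assertion"])
        if claims.get("audience") != self.name:
            return None
        return claims["subject"]

    def login(self, artifact):
        response = self.idp.resolve_artifact(artifact, self.name)
        return None if response is None else self.verify_assertion(response)

    def fetch_shared_data(self, artifact):
        return self.idp.shared_data(artifact)


def demo():
    key = b"constructed-signing-key"
    rs = ResourceServer({"user100": {"contacts": ["alice"], "photos": ["p1.jpg"]}})
    idp = IdentityProvider(rs, key, ue_authorize=lambda items: ["contacts"])  # UE grants contacts only
    sp = ServiceProvidingServer(idp, key)
    artifact = idp.issue_artifact("user100")
    subject = sp.login(artifact)
    return sp, artifact, subject, sp.fetch_shared_data(artifact)


if __name__ == "__main__":
    print(demo()[2:])
```

Because the pseudonym is derived per audience, two service providing servers receiving assertions for the same user cannot correlate them, and neither learns the ID that the RS keys its records on.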
Fig. 6 is the signaling flow chart of embodiment three of securely sharing user data in a network according to the present invention. The flow is completed based on the architecture shown in Fig. 3. In this embodiment, the access authentication of UE 200 is performed by identity provider 204, service providing server 208 verifies the user's identity, and then the process of securely sharing user data in the network is carried out.
The precondition of the flow is that a link has been established between UE 200 and ASN 202 and that UE 200 has been pre-configured with the user's identifier ID, or the network has allocated an ID to the user. The process includes:
Step 402, UE 200 has passed the network's access authentication; after authentication ends, UE 200 and identity provider 204 share a session key;
Step 404, UE 200 accesses the service of service providing server 208, and service providing server 208 obtains the location of identity provider 204 by static configuration or dynamic discovery;
Step 406, service providing server 208 sends an unauthorized message to UE 200;
Step 408, UE 200 sends a digest authentication message to service providing server 208, using the ID as the user name and the session key as the password;
Step 410, service providing server 208 requests the user's security parameters from identity provider 204;
Step 412, identity provider 204 returns the user's security parameters to service providing server 208;
Step 414, service providing server 208 verifies the user's identity; the verification is performed according to the received digest authentication message and the user's security parameters;
Step 416, service providing server 208, RS 206, identity provider 204 and UE 200 carry out the process of securely sharing user data in the network.
The secure data sharing process may be the same as steps 252 to 258 in Fig. 4, or the same as steps 320 to 332 in Fig. 5; it is not repeated here.
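The digest exchange recurs in all three embodiments: steps 238a/240a of Fig. 4 and 310a/312a of Fig. 5, where the identity provider verifies, and steps 408 to 414 of Fig. 6, where the service providing server verifies after obtaining the security parameters in step 412. The following Python is an added example, not code from the patent, showing that exchange once for whichever side holds the ID/MSK table: the verifier issues a 401 challenge with a fresh nonce, the UE answers with an RFC 2617 MD5 digest using the ID as user name and the MSK as password, and the verifier recomputes the digest from its local ID/MSK and rejects reused nonces. The realm value, the field names, the nonce bookkeeping and the use of the MSK's hex encoding as the password string are assumptions of this example; the 3G case of MSK = CK || IK from the text is included as a small helper.

```python
import hashlib
import hmac
import secrets

REALM = "idp.example"   # assumed realm; the page names none


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def derive_msk_3g(ck: bytes, ik: bytes) -> bytes:
    """3G AKA case stated in the text: MSK = CK || IK."""
    return ck + ik


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 MD5 digest with qop=auth; username is the ID, password the MSK (hex)."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """The side holding the ID/MSK table: identity provider 204 in Figs. 4 and 5, or
    service providing server 208 in Fig. 6 once it has the security parameters of step 412."""
    def __init__(self, keys):
        self.keys = keys      # ID -> MSK bytes
        self.issued = set()   # nonces handed out in 401 challenges
        self.used = set()     # nonces already consumed, so a captured message cannot be replayed

    def challenge(self):
        """Step 236/308/406: the unauthorized message with a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"status": 401, "realm": REALM, "nonce": nonce, "qop": "auth"}

    def verify(self, auth):
        """Step 240a/312a/414: look up the local ID/MSK and run the same digest algorithm."""
        nonce = auth["nonce"]
        if nonce not in self.issued or nonce in self.used:
            return False
        msk = self.keys.get(auth["username"])
        if msk is None:
            return False
        expected = digest_response(auth["username"], msk.hex(), auth["method"], auth["uri"],
                                   nonce, auth["nc"], auth["cnonce"], auth["qop"])
        ok = hmac.compare_digest(expected, auth["response"])
        if ok:
            self.used.add(nonce)
        return ok


def ue_build_authorization(user_id, msk, challenge, method="GET", uri="/login"):
    """Step 238/310/408: the UE's digest authentication message."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    response = digest_response(user_id, msk.hex(), method, uri, challenge["nonce"], nc, cnonce,
                               challenge["qop"])
    return {"username": user_id, "method": method, "uri": uri, "nonce": challenge["nonce"],
            "nc": nc, "cnonce": cnonce, "qop": challenge["qop"], "response": response}


def demo():
    ck, ik = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed AKA outputs
    msk = derive_msk_3g(ck, ik)
    verifier = DigestVerifier({"user100": msk})
    auth = ue_build_authorization("user100", msk, verifier.challenge())
    first = verifier.verify(auth)
    replay = verifier.verify(auth)   # same message again: nonce already consumed
    wrong = verifier.verify(ue_build_authorization("user100", secrets.token_bytes(32),
                                                   verifier.challenge()))
    return {"correct": first, "replay": replay, "wrong_key": wrong, "msk_len": len(msk)}


if __name__ == "__main__":
    print(demo())
```

Two things matter operationally here. The MSK never crosses interface D or E in the clear, since only a digest over it is sent, which is why the architecture can reuse the network access authentication result as the service credential. And the verifier's nonce bookkeeping is what stops a captured digest message from being replayed, so an implementation that accepts any nonce loses that property.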
The present invention also provides a service providing server, which includes:
a receiving module, for receiving access from a user equipment (UE);
an acquisition module, for obtaining, directly or indirectly, the user shared data authorized by the user from a resource server (RS).
In addition, the service providing server may also include a service access authentication module, for completing, directly or indirectly, service access authentication of the UE before the receiving module receives the access of the UE.
Specifically, the service access authentication module is used to obtain user security parameters from an identity provider and complete the service access authentication of the UE according to the user security parameters; or to obtain from the identity provider the identity provider's service authentication result for the UE. The user security parameters are obtained by the identity provider according to the network's access authentication result for the UE; the service authentication result is completed by the identity provider according to the network's access authentication result for the UE.
Further, the acquisition module is used to obtain a token from the identity provider and, according to the token, directly obtain the user shared data authorized by the user from the RS; or to obtain the user shared data authorized by the user through the identity provider.
The service providing server can share the user shared data authorized by the user in the network; for the specific implementation process see Figs. 4 to 6, which are not repeated here.
The present invention also provides an identity provider, the identity provider including:
a network access authentication module, configured to authenticate the access of a user equipment (UE) to the network and to obtain user security parameters;
a service access authentication module, configured to complete service access authentication of the UE according to the user security parameters obtained by the network access authentication module, and to send the service access authentication result to a service providing server.
The user security parameters include a session key.
In addition, the identity provider may also include a sending module, configured to send the user security parameters obtained by the network access authentication module to the service providing server.
Further, the identity provider may also include a data transmission module, configured to, after the service access authentication module sends the service access authentication result or the sending module sends the user security parameters to the service providing server, receive the data request sent by the service providing server, obtain from a Resource Server (RS) the user shared data authorized by the user according to the data request, and send the user shared data to the service providing server.
The data transmission module is further configured to, after the service access authentication module sends the service access authentication result or the sending module sends the user security parameters to the service providing server, receive the token request sent by the service providing server and send a token to the service providing server according to the token request, so that the service providing server obtains the user shared data authorized by the user from the RS according to the token.
The identity provider lays the foundation for the UE to access the service providing server; at the same time it either provides the service providing server with the user shared data authorized by the user, or provides the service providing server with a token so that the service providing server can obtain the user shared data authorized by the user according to the token.
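The token path described for the acquisition module above and for the identity provider's data transmission module (a token issued by the identity provider after the user authorizes sharing, then presented by the service providing server to the RS) can be modelled as follows. This is an added example, not code from the patent: the token format (a JSON payload bound to the user, the requesting service providing server, the authorized fields and an expiry, signed with an HMAC key shared between the identity provider and the RS), the consent callback standing in for the UE's authorization decision, and every name below are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared between identity provider and RS (assumption: the patent
# does not specify how the RS validates a token).
IDP_RS_SECRET = b"constructed-demo-secret"


def _sign(payload):
    return hmac.new(IDP_RS_SECRET, payload, hashlib.sha256).hexdigest()


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self, user_consent):
        # user_consent(user_id, requested_fields) -> set of fields the user authorizes;
        # it stands in for the UE's data processing module answering the authorization request.
        self.user_consent = user_consent

    def issue_token(self, user_id, sp_id, requested_fields, ttl=300, now=None):
        if now is None:
            now = int(time.time())
        granted = sorted(self.user_consent(user_id, requested_fields))
        if not granted:
            return None  # user authorized nothing: no token is issued
        payload = json.dumps({"sub": user_id, "aud": sp_id, "scope": granted,
                              "exp": now + ttl}, sort_keys=True).encode()
        return _b64(payload) + "." + _sign(payload)


class ResourceServer:
    def __init__(self, records):
        self.records = records

    def get_shared_data(self, token, sp_id, now=None):
        """Return only the fields the token authorizes, or None if the token is not acceptable."""
        if now is None:
            now = int(time.time())
        try:
            payload_b64, sig = token.split(".")
        except (ValueError, AttributeError):
            return None
        payload = _unb64(payload_b64)
        if not hmac.compare_digest(_sign(payload), sig):
            return None  # signature mismatch: token was tampered with or not issued by the identity provider
        claims = json.loads(payload)
        if claims["aud"] != sp_id or claims["exp"] <= now:
            return None  # presented by a different service providing server, or expired
        record = self.records.get(claims["sub"], {})
        return {field: record[field] for field in claims["scope"] if field in record}


def _consent(user_id, requested):
    # Constructed user decision: the user authorizes sharing "msisdn" and "city" but not "location".
    return set(requested) & {"msisdn", "city"}


# Constructed sample records held by the RS.
RECORDS = {"user-001": {"msisdn": "+10000000000", "city": "Example City",
                        "location": "constructed-geo"}}


def run_token_flow(now=1_700_000_000):
    idp = IdentityProvider(_consent)
    rs = ResourceServer(RECORDS)
    token = idp.issue_token("user-001", "sp-A", ["msisdn", "city", "location"], now=now)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "data": rs.get_shared_data(token, "sp-A", now=now),
        "wrong_sp": rs.get_shared_data(token, "sp-B", now=now),
        "expired": rs.get_shared_data(token, "sp-A", now=now + 301),
        "tampered": rs.get_shared_data(tampered, "sp-A", now=now),
    }


if __name__ == "__main__":
    print(run_token_flow())
```

The RS releases exactly the fields the user authorized and nothing else, and a token is rejected when it is presented by a service providing server other than the one it was issued to, after it expires, or after any modification of its contents.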
The present invention also provides a user equipment (UE), the UE including:
an access module, configured to access a service providing server;
a data processing module, configured to receive the user data authorization request that an identity provider sends according to the data request sent by the service providing server, and to return to the identity provider the user shared data authorized by the user, according to the user's authorization result for the user data carried in the user data authorization request.
Specifically, the access module is configured to access the service providing server after the UE successfully accesses the network using its identity and obtains the service access authentication of the service providing server.
The UE can access the service providing server after successfully accessing the network and obtaining the service access authentication of the service providing server, and the user can authorize the service providing server to share specific data of the user in the network; the service providing server can then share, in the network, the user shared data authorized by the user through the UE. The specific interaction can be found in Fig. 4 to Fig. 6.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method may be completed by a program instructing related hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or part of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software function module. The present invention is not limited to any particular form of combination of hardware and software.
The above embodiments are merely illustrative of the technical solutions of the present invention and are not restrictive; the present invention has been described in detail with reference to preferred embodiments only. Those skilled in the art will understand that the technical solutions of the present invention may be modified or equivalently substituted without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications and substitutions should be covered within the scope of the claims of the present invention.