CN103023856B - Method, system and the information processing method of single-sign-on, system - Google Patents


Info

Publication number: CN103023856B
Authority: CN (China)
Prior art keywords: user, identity, information, identity provider, service providing
Legal status: Active
Application number: CN201110279495.2A
Other languages: Chinese (zh)
Other versions: CN103023856A
Inventors: 夏正雪, 韦银星
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Related publications: CN106254386B (application CN201610833474.3A), WO2013040957A1 (PCT/CN2012/079709)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single sign-on or federations

Abstract

The present invention provides a single sign-on method, a single sign-on system, an information processing apparatus, an identity provider and a service providing server. The single sign-on method includes: an identity provider confirms that a user has passed access authentication; the identity provider generates assertion information for the user according to a shared key between itself and the service providing server that the user intends to access, and sends the assertion information to the service providing server. By making use of access authentication, the embodiments of the present invention solve the problem that a user must repeatedly register and authenticate when accessing the Internet, and by generating pseudonyms they protect user privacy and avoid leakage of the user's private information.

Description

Single sign-on method and system, and information processing method and system
Technical field
The present invention relates to the field of network communications, and in particular to a single sign-on method, a single sign-on system, an information processing apparatus, an identity provider and a service providing server.
Background
In the Transmission Control Protocol (TCP)/Internet Protocol (IP) architecture, the core is the network-layer IP protocol, through which users reach one another by IP address. The various applications, such as web browsing, e-mail and instant messaging, are all carried on application-layer protocols.
Before using these services, a user must access the Internet through the basic network provided by a telecom operator. Different users may have different access methods, such as the various types of digital subscriber line (xDSL), optical fibre and mobile access. In general, a user terminal obtains an IP address, and thereafter the user accesses the various applications on the Internet through this IP address; the IP address therefore serves as the user's temporary identity.
Because the prefix of an IP address indicates the subnet in which the user is currently located, a different IP address must be assigned when the user's location changes; otherwise routers cannot correctly forward packets to the user. Since an IP address has the dual attributes of identity and location, and the IP address a user obtains each time is not necessarily the same, it cannot serve as the user's long-term identity. Application systems on the Internet therefore have to build their own user identity systems, i.e. what are usually called user account systems.
It can be seen that a user who accesses Internet applications is authenticated repeatedly: the operator authenticates the user once when the user accesses the Internet, and each application system on the Internet performs its own authentication when the user accesses it.
With the rapid development of information and network technology, the number of application systems on the Internet keeps growing. Because these application systems are independent of one another, a user must register with each system before using it and log in with the corresponding identity, so the user has to remember a username and password for every application system, which is a great inconvenience. In this context the concept of single sign-on was proposed and put into use.
Single sign-on (SSO) is a technique that makes it convenient for a user to access multiple application systems: the user only needs to authenticate once at login and can then move freely between the application systems without repeatedly entering a username and password to confirm identity.
In existing Internet single sign-on systems, a user must register with an identity provider (IdP) before using single sign-on, and the service providing server of the service provider (SP) relies on the authentication result of the IdP to provide services to the user. In addition, because IdPs on the Internet are typically deployed in a dispersed way, if an SP adopts the single sign-on model, the scale of its business depends to a large extent on the number of users registered with the IdPs it relies on. The main single sign-on technologies are OpenID, Passport and Liberty Alliance. OpenID is easy to use but carries security risks and cannot defend well against phishing attacks; Passport is easy to use and slightly more secure, but at present is only used within a single SP; Liberty Alliance offers a certain level of security, but it is hard to deploy and inconvenient for users.
Because a user must access the operator's network before accessing Internet applications, the operator can act as the IdP. The operator has the following advantages as IdP: the operator's access authentication provides good security; the operator, acting as IdP, does not require the user to register again, so it is easy to use; and compared with an Internet IdP, the operator as IdP has a mature, high-quality consumer base.
At present, the dual attributes of the IP address cause mobility and security problems and have become a bottleneck restricting the further development of the Internet industry. To solve this problem, the industry has proposed technologies such as HIP (Host Identity Protocol) and LISP (Locator/Identifier Separation Protocol). What these technologies have in common is the introduction of two kinds of identifiers: an identity identifier representing the user's identity and a location identifier representing the user's location. Each user has both an identity identifier and a location identifier; the user communicates with peers based on the identity identifier, and when the user's location changes the identity identifier remains unchanged while the location identifier changes accordingly. In this way a user can always be identified by the identity identifier, and the ambiguity of the IP address no longer exists.
However, in existing identity/locator separation network technologies, the user identity identifier only identifies the user at the network layer, so a user accessing Internet application systems still has to register and authenticate repeatedly. On the other hand, since a user registers accounts with a large number of different Internet application systems, for convenience the registered accounts tend to follow a certain pattern, which easily leads to leakage of the user's private identity information.
Summary of the invention
The present invention provides a single sign-on method, a single sign-on system, an information processing method, an information processing apparatus, an identity provider, a service providing server and a name mapping server, to solve the problem that a user must repeatedly register and authenticate when accessing Internet application systems.
The present invention provides a single sign-on method, which includes:
An identity provider confirms that a user has passed access authentication;
The identity provider generates assertion information for the user according to a shared key between itself and the service providing server that the user intends to access, and sends the assertion information to the service providing server.
Preferably, before the identity provider generates the assertion information for the user according to the shared key between itself and the service providing server that the user intends to access, the method further includes:
After receiving an authentication request sent by the service providing server or a service access request sent by the user, the identity provider checks whether the shared key exists; if it does not exist, the identity provider generates the shared key after the service providing server passes authentication.
Preferably, before the identity provider generates the assertion information for the user, the method further includes:
The identity provider obtains a pseudonym and a lifetime corresponding to the pseudonym for the user.
Preferably, the identity provider obtaining the pseudonym and the lifetime corresponding to the pseudonym for the user includes:
The identity provider sends an anonymous identity request to a name mapping server (NMS) according to an anonymous service request from the user, and receives from the NMS the user's pseudonym and the lifetime corresponding to the pseudonym, which the NMS generates according to the anonymous identity request.
Preferably, after the identity provider obtains the pseudonym and the corresponding lifetime for the user, the method further includes:
The identity provider receives from the user an anonymity update request carrying a user-specified name and a corresponding lifetime, sends the anonymity update request to the NMS, and receives the update result returned by the NMS.
Preferably, the assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, a signature algorithm and a signature result computed by the identity provider according to the shared key; wherein the identity information of the user includes the pseudonym or the user-specified name.
The present invention further provides a single sign-on method, which includes:
A service providing server receives assertion information, sent by an identity provider, for a user who intends to access the service providing server;
The service providing server verifies the assertion information according to a shared key between itself and the identity provider.
Preferably, after the service providing server verifies the assertion information according to the shared key between itself and the identity provider, the method further includes:
If the verification passes, the service providing server creates an entry corresponding to the identity information of the user carried in the assertion information, and provides services to the user; the identity information of the user is the user's pseudonym or user-specified name.
Preferably, before the service providing server receives the assertion information, sent by the identity provider, for the user who intends to access the service providing server, the method further includes:
After receiving a service access request sent by the user, the service providing server generates a random number and sends an authentication request carrying the random number to the identity provider.
Preferably, the assertion information carries the random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, a signature algorithm and a signature result computed by the identity provider according to the shared key;
The service providing server verifying the assertion information according to the shared key between itself and the identity provider includes:
The service providing server computes a signature result according to the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm and the shared key, and compares whether the signature result it computed is consistent with the signature result computed by the identity provider; and
It judges whether the generation time of the random number is recent and whether the random number is unique.
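The assertion exchange described above, as an added example that is not part of the patent: the identity provider signs the assertion fields with the shared key Ks and the service providing server recomputes the signature and checks the random number for recency and uniqueness. HMAC-SHA256 is an assumed stand-in for the unspecified signature algorithm, URLs are assumed as identity information, and the random number is included in the signed fields here (the patent lists it as a separate assertion field) so that the freshness check is bound to the signature.

```python
import hashlib
import hmac
import secrets
import time

SIG_ALG = "HMAC-SHA256"   # assumed concrete choice for the patent's "signature algorithm"
NONCE_MAX_AGE = 300       # seconds a nonce still counts as recently generated (assumed)


def canonical(nonce, idp_id, sp_id, user_id, alg):
    # Length-prefix every field so that moving a boundary between two fields
    # cannot yield the same byte string (no delimiter ambiguity).
    return "".join(f"{len(p)}:{p}" for p in (nonce, idp_id, sp_id, user_id, alg)).encode()


def compute_signature(ks, nonce, idp_id, sp_id, user_id, alg=SIG_ALG):
    """Signature result over the assertion fields, keyed with the shared key Ks."""
    return hmac.new(ks, canonical(nonce, idp_id, sp_id, user_id, alg), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, idp_url, ks_by_sp):
        self.idp_url = idp_url
        self.ks_by_sp = ks_by_sp   # service providing server URL -> Ks shared with it

    def build_assertion(self, auth_request, user_identity):
        """Assert the user (pseudonym or user-specified name) towards one SP."""
        sp_url, nonce = auth_request["sp_url"], auth_request["nonce"]
        ks = self.ks_by_sp[sp_url]   # must already exist (shared key generation step)
        return {
            "nonce": nonce, "idp_id": self.idp_url, "sp_id": sp_url,
            "user_id": user_identity, "alg": SIG_ALG,
            "signature": compute_signature(ks, nonce, self.idp_url, sp_url, user_identity),
        }


class ServiceProvidingServer:
    def __init__(self, sp_url, idp_url, ks):
        self.sp_url, self.idp_url, self.ks = sp_url, idp_url, ks
        self.issued = {}    # nonce -> generation time, for nonces not yet consumed
        self.entries = {}   # user identity carried in a verified assertion -> entry

    def new_auth_request(self, now=None):
        """On the user's service access request: generate a nonce from the
        current timestamp plus randomness and remember when it was generated."""
        now = time.time() if now is None else now
        nonce = f"{int(now)}-{secrets.token_hex(8)}"
        self.issued[nonce] = now
        return {"sp_url": self.sp_url, "idp_url": self.idp_url, "nonce": nonce}

    def verify_assertion(self, assertion, now=None):
        """Returns (accepted, reason). Checks, in order: the nonce is one we
        issued and have not consumed (uniqueness), it is recent, the identity
        information matches us and our IdP, the algorithm is supported, and the
        signature recomputed with our own Ks equals the one the IdP sent."""
        now = time.time() if now is None else now
        nonce = assertion["nonce"]
        issued_at = self.issued.get(nonce)
        if issued_at is None:
            return False, "nonce unknown or already used"
        if now - issued_at > NONCE_MAX_AGE:
            del self.issued[nonce]
            return False, "nonce not recent"
        if assertion["idp_id"] != self.idp_url or assertion["sp_id"] != self.sp_url:
            return False, "identity information mismatch"
        if assertion["alg"] != SIG_ALG:
            return False, "unsupported signature algorithm"
        expected = compute_signature(self.ks, nonce, assertion["idp_id"],
                                     assertion["sp_id"], assertion["user_id"])
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "signature mismatch"
        del self.issued[nonce]   # consume: a second assertion with this nonce is a replay
        self.entries.setdefault(assertion["user_id"], {"first_seen": now})
        return True, "ok"


def run_demo():
    """Constructed scenario: one honest login, then a replayed assertion, a
    tampered user identity and a stale nonce, all of which the SP must reject."""
    ks = secrets.token_bytes(32)   # Ks agreed between IdP and SP beforehand
    sp = ServiceProvidingServer("https://sp.example/", "https://idp.example/", ks)
    idp = IdentityProvider("https://idp.example/", {"https://sp.example/": ks})
    t0 = 1_700_000_000.0
    pseudonym = "Rand-7f3a"        # constructed value standing in for the NMS pseudonym
    good = idp.build_assertion(sp.new_auth_request(now=t0), pseudonym)
    first, _ = sp.verify_assertion(good, now=t0 + 5)
    replay, _ = sp.verify_assertion(good, now=t0 + 6)
    tampered = dict(idp.build_assertion(sp.new_auth_request(now=t0), pseudonym), user_id="alice")
    forged, _ = sp.verify_assertion(tampered, now=t0 + 5)
    stale, _ = sp.verify_assertion(idp.build_assertion(sp.new_auth_request(now=t0), pseudonym),
                                   now=t0 + 1000)
    return {"first": first, "replay": replay, "forged": forged, "stale": stale,
            "entry_created": pseudonym in sp.entries, "forged_entry": "alice" in sp.entries}
```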
The present invention further provides an information processing method, which includes:
A name mapping server (NMS) receives an anonymous identity request sent by an identity provider, the anonymous identity request carrying a user's identity identifier;
The NMS generates, according to the anonymous identity request, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and returns the user's pseudonym and the corresponding lifetime to the identity provider.
Preferably, after the NMS sends the user's pseudonym and the corresponding lifetime to the identity provider, the method further includes:
The NMS receives, from the identity provider, an anonymity update request originating from the user that carries a user-specified name and a corresponding lifetime, performs update processing according to the anonymity update request, and returns the update result.
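A minimal name mapping server for the anonymous identity request and anonymity update request just described (and for steps 307 to 313 of the signalling flow later on), as an added example that is not code from the patent. Pseudonyms as random hex strings, the default lifetime, the name length cap and the rule that a user-specified name must be unique among live entries at the same service providing server are all assumptions.

```python
import secrets
import time

DEFAULT_LIFETIME = 24 * 3600   # default lifetime in seconds (assumed value)
MAX_NAME_LEN = 32              # cap on a user-specified name (assumed policy)


class NameMappingServer:
    """Holds one entry per (user AID, service providing server URL), like the
    patent's Table 1: the pseudonym Rand, an optional user-specified name, and
    the absolute time at which the lifetime runs out."""

    def __init__(self):
        self.entries = {}   # (aid, sp_url) -> {"rand": str, "name": str | None, "expires": float}

    def anonymous_identity_request(self, aid, sp_url, now=None):
        """Generate Rand and a default lifetime for this user at this SP, or
        return the existing entry if it is still within its lifetime."""
        now = time.time() if now is None else now
        key = (aid, sp_url)
        entry = self.entries.get(key)
        if entry is None or entry["expires"] <= now:
            entry = {"rand": secrets.token_hex(8), "name": None, "expires": now + DEFAULT_LIFETIME}
            self.entries[key] = entry
        return {"aid": aid, "sp_url": sp_url, "rand": entry["rand"],
                "lifetime": int(entry["expires"] - now)}

    def anonymity_update_request(self, aid, sp_url, rand, name, lifetime, now=None):
        """Replace Rand by a user-specified name and apply the user's chosen
        lifetime. Returns the update result that the IdP relays to the user."""
        now = time.time() if now is None else now
        entry = self.entries.get((aid, sp_url))
        if entry is None or entry["rand"] != rand:
            return {"result": "failure", "reason": "no entry for this AID, SP and Rand"}
        if entry["expires"] <= now:
            return {"result": "failure", "reason": "pseudonym lifetime expired"}
        if not (0 < len(name) <= MAX_NAME_LEN) or not name.isprintable():
            return {"result": "failure", "reason": "invalid name"}
        if lifetime <= 0:
            return {"result": "failure", "reason": "invalid lifetime"}
        # Assumed policy: a name must be unique among live entries at the same
        # SP, otherwise two users would collapse into one SP-side entry.
        for (other_aid, other_sp), other in self.entries.items():
            if (other_sp == sp_url and other_aid != aid
                    and other["name"] == name and other["expires"] > now):
                return {"result": "failure", "reason": "name already in use at this SP"}
        entry["name"], entry["expires"] = name, now + lifetime
        return {"result": "success"}

    def identity_for(self, aid, sp_url, now=None):
        """What the IdP places in the assertion as the user's identity
        information: the user-specified name if set, else Rand; None when the
        IdP must first obtain a fresh pseudonym (no entry, or lifetime expired)."""
        now = time.time() if now is None else now
        entry = self.entries.get((aid, sp_url))
        if entry is None or entry["expires"] <= now:
            return None
        return entry["name"] or entry["rand"]


def run_demo():
    """Constructed walk-through for one user at one SP: pseudonym issued, an
    update with the wrong Rand rejected, a valid update applied, a second user
    denied the same name, and the identity disappearing once the lifetime ends."""
    nms = NameMappingServer()
    t0 = 1_700_000_000.0
    aid, sp = "aid-0001", "https://sp.example/"   # constructed identifiers
    resp = nms.anonymous_identity_request(aid, sp, now=t0)
    before = nms.identity_for(aid, sp, now=t0)
    wrong = nms.anonymity_update_request(aid, sp, "not-the-rand", "alice", 600, now=t0)
    upd = nms.anonymity_update_request(aid, sp, resp["rand"], "alice", 600, now=t0)
    other = nms.anonymous_identity_request("aid-0002", sp, now=t0)
    clash = nms.anonymity_update_request("aid-0002", sp, other["rand"], "alice", 600, now=t0)
    return {"rand": resp["rand"], "default_lifetime": resp["lifetime"], "before": before,
            "wrong_rand": wrong["result"], "update": upd["result"], "clash": clash["result"],
            "after": nms.identity_for(aid, sp, now=t0 + 1),
            "expired": nms.identity_for(aid, sp, now=t0 + 700)}
```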
The present invention further provides an identity provider, which includes:
A confirmation module, configured to confirm that a user has passed access authentication;
An assertion information processing module, configured to, after the confirmation module confirms that the user has passed access authentication, generate assertion information for the user according to a shared key between the identity provider and the service providing server that the user intends to access, and send the assertion information to the service providing server.
Preferably, the identity provider further includes:
A key generation module, configured to, before the assertion information processing module generates the assertion information for the user and after an authentication request sent by the service providing server or a service access request sent by the user is received, check whether the shared key exists, and if it does not exist, generate the shared key after the service providing server passes authentication.
Preferably, the identity provider further includes:
An acquisition module, configured to obtain a pseudonym and a lifetime corresponding to the pseudonym for the user after the confirmation module confirms that the user has passed access authentication and before the assertion information processing module generates the assertion information for the user.
Preferably, the acquisition module is configured to send an anonymous identity request to a name mapping server (NMS) according to an anonymous service request from the user, and to receive from the NMS the user's pseudonym and the corresponding lifetime, which the NMS generates according to the anonymous identity request.
Preferably, the acquisition module is further configured to receive from the user an anonymity update request carrying a user-specified name and a corresponding lifetime, send the anonymity update request to the NMS, and receive the update result returned by the NMS.
Preferably, the assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, a signature algorithm and a signature result computed by the identity provider according to the shared key; wherein the identity information of the user includes the pseudonym or the user-specified name.
The present invention further provides a service providing server, which includes:
A receiving module, configured to receive assertion information, sent by an identity provider, for a user who intends to access the service providing server;
A verification module, configured to verify the assertion information according to a shared key between the service providing server and the identity provider.
Preferably, the service providing server further includes:
A service providing module, configured to, after the verification module has verified the assertion information, create an entry corresponding to the identity information of the user carried in the assertion information and provide services to the user.
The present invention provides a name mapping server (NMS), which includes:
A receiving module, configured to receive an anonymous identity request sent by an identity provider, the anonymous identity request carrying a user's identity identifier;
A generation and sending module, configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and to return the user's pseudonym and the corresponding lifetime to the identity provider.
Preferably, the generation and sending module is further configured to receive, from the identity provider, an anonymity update request originating from the user that carries a user-specified name and a corresponding lifetime, perform update processing according to the anonymity update request, and return the update result.
The present invention further provides an information processing apparatus, which includes the above identity provider and the above name mapping server.
The present invention further provides a single sign-on system, which includes the above identity provider and the above service providing server.
The present invention further provides a single sign-on system, which includes the above identity provider, the above name mapping server and the above service providing server.
By making use of access authentication, the embodiments of the present invention solve the problem that a user must repeatedly register and authenticate when accessing the Internet, and by generating pseudonyms they protect user privacy and avoid leakage of the user's private information.
Brief description of the drawings
Fig. 1 is a diagram of the network element architecture involved in the embodiments of the present invention;
Fig. 2 is a flow chart of an embodiment of the single sign-on method of the present invention;
Fig. 3 is a signalling flow diagram of an embodiment of the single sign-on method of the present invention initiated by the service providing server;
Fig. 4 is a signalling flow diagram of an embodiment of the single sign-on method of the present invention initiated by the identity provider;
Fig. 5 is a schematic structural diagram of an embodiment of the identity provider of the present invention;
Fig. 6 is a schematic structural diagram of an embodiment of the service providing server of the present invention;
Fig. 7 is a schematic structural diagram of an embodiment of the name mapping server of the present invention;
Fig. 8 is a schematic structural diagram of an embodiment of the information processing apparatus of the present invention;
Fig. 9 is a schematic structural diagram of an embodiment of the single sign-on system of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features within the embodiments may be combined with one another arbitrarily.
For a better understanding of the present invention, the network element architecture involved in the embodiments is introduced first. As shown in Fig. 1, the architecture includes a user terminal (Mobile Node, MN) 101, an access service node (Access Service Node, ASN) 102, an authentication centre 103, an identity provider (Identity Provider, IdP) 104, a name mapping server (Name Mapping Server, NMS) 105, an interconnect service node (Interconnect Service Node, ISN) 106 and a service provider (Service Provider, SP) service providing server 107, where:
The MN accessing the network may be one or more of mobile terminals and fixed terminals, such as mobile phones, fixed-line telephones, computers and application servers;
The ASN provides access service for the user terminal, maintains the connection between the terminal and the network, assigns a routing identifier (Routing Identifier, RID) to the terminal, registers and queries the terminal's RID with the identity location register (ILR)/packet forwarding function entity (PTF), maintains the access identifier (Access Identifier, AID)-RID mapping information, and routes and forwards data packets;
The authentication centre records attribute information of the users of this network, such as user category, authentication information and user service level, performs access authentication and authorisation of terminals, and may also have a billing function. The authentication centre supports mutual authentication between the terminal and the network and can generate the user security information used for authentication, integrity protection and confidentiality protection;
The identity provider provides assertion information for the user to the service providing server, authenticates the service providing server and checks its legitimacy; it queries the user's attribute information through its interface with the authentication centre and provides the user's pseudonym service through its interface with the NMS;
The NMS generates a pseudonym according to the user identity identifier provided by the identity provider, to serve as the user's replacement identity, and creates an entry associating the pseudonym with the user's identity information, the uniform resource locator (URL) of the service providing server and the lifetime; if the user changes the pseudonym or its lifetime, the NMS also updates this information after receiving an anonymity update request from the identity provider;
The NMS and the identity provider may be deployed separately, or the NMS may be deployed as a functional module of the identity provider;
The ISN queries and maintains the AID-RID mapping information of terminals of this network, encapsulates, routes and forwards the data packets exchanged between this network and a traditional IP network, and implements interworking between this network and the traditional IP network. It includes a format conversion module, which converts the IPv4/IPv6 address of a terminal of this network contained in a data packet sent by the traditional IP network into the corresponding AID, and converts the AID of a terminal of this network into IPv4/IPv6 address format before forwarding the packet to a terminal of the traditional IP network;
The service providing server is an application system that provides services to users on the Internet.
An embodiment of the present invention provides a single sign-on method, described from the identity provider side. The method includes:
Step 11: the identity provider confirms that the user has passed access authentication;
The identity provider confirms that the user has passed access authentication according to the user's identity identifier;
Step 12: the identity provider generates assertion information for the user according to the shared key between itself and the service providing server that the user intends to access, and sends the assertion information to the service providing server.
An embodiment of the present invention further provides a single sign-on method, described from the service providing server side. The method includes:
Step 21: the service providing server receives assertion information, sent by the identity provider, for the user who intends to access the service providing server;
Step 22: the service providing server verifies the assertion information according to the shared key between itself and the identity provider.
The above service providing server authenticates the user using the assertion information sent by the identity provider, so that the user does not need to register and authenticate repeatedly when accessing Internet application systems. Meanwhile, to avoid leakage of user privacy, an embodiment of the present invention further provides an information processing method, described from the name mapping server side. The method includes:
Step 31: the name mapping server (NMS) receives an anonymous identity request sent by the identity provider, the anonymous identity request carrying the user's identity identifier;
Step 32: the NMS generates, according to the anonymous identity request, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and returns the user's pseudonym and the corresponding lifetime to the identity provider.
To describe the single sign-on method of the embodiment more clearly, it is described below from the perspective of the interaction among the identity provider, the service providing server and the name mapping server. Fig. 2 is a flow chart of an embodiment of the single sign-on method of the present invention; the method includes the following steps:
Step 201: after receiving an authentication request from the service providing server or a service access request from the user, the identity provider checks whether a shared key Ks exists between itself and the service providing server; if it does not exist, the identity provider authenticates the service providing server and generates the shared key Ks after authentication succeeds;
Further, the authentication method includes but is not limited to pre-shared key, TLS, public key infrastructure (PKI) and IP security (IPsec); since these are prior art, they are not described here again.
Step 202: the identity provider confirms that the user has passed access authentication, protects the user's identity by having the name mapping server generate a pseudonym according to the user's anonymous service request, and generates assertion information for this user for the service providing server;
Step 203: after receiving the assertion information sent by the identity provider, the service providing server verifies the assertion information; if the verification passes, it creates an entry corresponding to the user's pseudonym and provides services to the user.
By making use of access authentication and pseudonyms, the above single sign-on method solves the problems that a user must repeatedly register and authenticate when accessing Internet application systems and that the user's identity privacy is leaked.
Fig. 3 is a signalling flow diagram of an embodiment of the single sign-on method of the present invention initiated by the service providing server. The method includes:
Step 301: access authentication is performed among the MN, the ASN and the authentication centre; after authentication passes, the identity/locator separation network assigns an access identifier AID to the user;
Thereafter, packets sent by the user terminal are transmitted by AID; the ASN assigns an RID to the user and performs route selection by RID to reach the ISN, and the ISN obtains the user's AID from the packet, converts it into an IPv4/IPv6 address and sends the packet to the traditional IP network.
Step 302: the MN sends a service access request to the service providing server;
Step 303: the user selects an identity provider on the service providing server's page; the service providing server generates a random number nonce based on the current timestamp, to serve as the user's temporary identifier at the service providing server, and builds an authentication request message carrying the service providing server URL, the identity provider URL and the nonce;
Step 304: the service providing server redirects the authentication request message to the identity provider via Hypertext Transfer Protocol (HTTP);
Step 305: the user sends an anonymous service request to the identity provider through the terminal;
Step 306: the identity provider obtains the user's access identifier AID from the message and confirms that the user has passed access authentication; it checks whether a shared key Ks exists between itself and the service providing server, and if not, authenticates the service providing server and generates the shared key Ks after authentication succeeds; it then determines that no pseudonym corresponding to the user exists, or that the lifetime of the corresponding pseudonym has expired;
The manner in which the identity provider authenticates the service providing server includes but is not limited to pre-shared key, PKI, TLS or IPsec; since these are prior art, they are not described here again;
Step 307: the identity provider sends an anonymous identity request message to the NMS, carrying the user's AID and the URL of the service providing server;
Step 308: after receiving the anonymous identity request message, the NMS generates a random number Rand and a default lifetime, uses Rand as the pseudonym of the corresponding user, and builds an entry associating the MN's AID, the service providing server URL, Rand and the lifetime, as shown in Table 1;
Table 1: entry corresponding to the MN
Step 309: the NMS sends an anonymous identity response message to the identity provider, carrying the user's AID, the service providing server URL, the random number Rand and the lifetime;
Step 310: the identity provider sends an anonymous service response message to the user terminal, carrying the service providing server URL, the random number Rand and the lifetime;
Step 311: the user sends a specified user name and its lifetime to the identity provider through the terminal;
The random number Rand can be changed by the user to a specified user name that the user wishes to display, and the user can also specify the desired lifetime;
Step 312: the identity provider sends an anonymity update request message to the NMS, carrying the user's AID, the random number Rand, and the pseudonym and lifetime specified by the user;
Step 313: after adding the user-specified pseudonym and updating the lifetime, the NMS sends an anonymity update response message to the identity provider, carrying the result of the update (success or failure);
Step 314: the identity provider builds an authentication response message containing assertion information; the assertion information carries the nonce, the service providing server URL, the identity provider URL, the pseudonym Rand generated by the NMS or the user-specified name, the signature algorithm and the signature result computed with Ks;
The signature result here is the result computed by the identity provider with the signature algorithm over the service providing server URL, the identity provider URL, the pseudonym Rand generated by the NMS or the user-specified name, and the shared key;
In this embodiment, the identity provider URL represents the identity information of the identity provider; the service providing server URL represents the identity information of the service providing server; the pseudonym Rand generated by the NMS or the user-specified name represents the identity information of the user; and the nonce is used to prevent replay attacks;
Authentication response message is sent to business by HTTP redirection and provides service by step 315, identity provider Device;
Step 316, service providing server are asserted by the shared key Ks verifications between identity provider Integrality, and check whether nonce is newly generated, if repeat etc.;
Service providing server is according to asserting the service providing server URL carried in information, identity provider The user name and the shared key use negotiated with identity provider that the assumed name Rand or user that URL, NMS are generated are specified It asserts that the signature algorithm carried in information calculates signature result, and by the signature result and asserts the signature knot carried in information Fruit is compared, if the two is consistent, asserts complete;Meanwhile judging whether it is newly generated according to the generated time of nonce And whether repeat;If being newly generated and not repeating, then it is verified.
Step 317, after above-mentioned be verified, service providing server is that user MN creates random number R and or specified The entry of user name;
Step 318, service providing server return to Operational Visit response to user, using Rand or user name as user Business is provided a user in the mark of service providing server.
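The assertion construction and verification of steps 303 and 314 to 316, as an added example in Python; this is not code from the patent. The patent names neither a signature algorithm nor a message encoding, so HMAC-SHA256 over length-prefixed fields stands in for "signature algorithm plus shared key Ks" (an assumption), and the nonce format, the 60-second acceptance window and all URLs and key values are constructed for the example. One deliberate deviation is labelled in the code: the patent lists the service providing server URL, identity provider URL and user identity as the signed fields, with the nonce carried alongside; here the nonce is also fed into the MAC, so that a captured assertion cannot be re-bound to another nonce. The `idp_initiated` path models the variant of Figure 4 below (steps 412 to 414), where the identity provider mints the nonce and the service providing server has no pending nonce of its own to match against.

```python
"""Assertion issue and verification for steps 303 and 314-316, plus the
identity-provider-initiated variant (steps 412-414).

Added example, not the patent's code. HMAC-SHA256 over length-prefixed
fields stands in for "signature algorithm + shared key Ks" (assumption).
The nonce is included in the MAC input here, which the patent's list of
signed fields does not state (deliberate deviation, see lead-in).
"""
import hashlib
import hmac
import os
import time

ALG = "HMAC-SHA256"
NONCE_TTL = 60  # seconds a nonce stays acceptable after its timestamp (assumed)


def _now(now):
    return int(time.time() if now is None else now)


def make_nonce(now=None):
    # Steps 303 / 412: nonce derived from the current timestamp; the random
    # suffix keeps two logins in the same second distinct (assumption).
    return f"{_now(now)}-{os.urandom(8).hex()}"


def sign(ks, nonce, sp_url, idp_url, user_id):
    # Step 314: MAC over nonce, SP identity, IdP identity and user pseudonym
    # with Ks. Length prefixes stop "a"+"bc" and "ab"+"c" from colliding.
    fields = (s.encode() for s in (nonce, sp_url, idp_url, user_id))
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(ks, msg, hashlib.sha256).hexdigest()


def build_assertion(ks, nonce, sp_url, idp_url, user_id):
    # The assertion carried in the HTTP-redirected authentication response.
    return {"nonce": nonce, "sp_url": sp_url, "idp_url": idp_url,
            "user_id": user_id, "alg": ALG,
            "sig": sign(ks, nonce, sp_url, idp_url, user_id)}


class ServiceProvider:
    def __init__(self, url, ks):
        self.url = url
        self.ks = ks          # shared key negotiated with the IdP (step 306)
        self.pending = {}     # nonce -> issue time; SP-initiated flow (step 303)
        self.seen = set()     # accepted nonces; IdP-initiated flow (step 412)
        self.users = {}       # pseudonym or user name -> entry (step 317)

    def start_login(self, now=None):
        nonce = make_nonce(now)
        self.pending[nonce] = _now(now)
        return nonce

    def verify(self, a, now=None, idp_initiated=False):
        # Step 316: integrity via Ks, then nonce freshness and uniqueness.
        now = _now(now)
        if a.get("alg") != ALG or a.get("sp_url") != self.url:
            return False, "unexpected algorithm or audience"
        expected = sign(self.ks, a["nonce"], a["sp_url"], a["idp_url"],
                        a["user_id"])
        if not hmac.compare_digest(expected, a["sig"]):
            return False, "signature mismatch"
        nonce = a["nonce"]
        if idp_initiated:
            # The IdP minted this nonce, so it cannot be matched against the
            # pending list; rely on its timestamp plus a seen-set instead.
            if nonce in self.seen:
                return False, "nonce repeated"
            try:
                issued = int(nonce.split("-", 1)[0])
            except ValueError:
                return False, "malformed nonce"
        else:
            issued = self.pending.pop(nonce, None)  # pop: a second use fails
            if issued is None:
                return False, "nonce unknown or already consumed"
        if not 0 <= now - issued <= NONCE_TTL:
            return False, "nonce outside acceptance window"
        if idp_initiated:
            self.seen.add(nonce)
        self.users.setdefault(a["user_id"], {"created": now})  # step 317
        return True, "ok"
```

The service providing server consumes a nonce on first successful use, so a replayed authentication response fails the uniqueness check even when its MAC is still valid; a changed user name, a different audience URL, or an assertion produced under a key other than Ks fails the integrity check before the nonce is looked at.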
Figure 4 shows the signaling flow of an embodiment of the single sign-on method of the present invention that is initiated by the identity provider. The method comprises the following steps:
Step 401: access authentication is carried out among the MN, the ASN and the authentication center; after authentication passes, the identity-location separation network allocates an access identifier AID to the user;
Thereafter, messages sent by the user terminal are transmitted using the AID; the ASN allocates an RID to the user and routes on the RID to locate the ISN; the ISN extracts the user's AID from the message, converts it to an IPv4/IPv6 address and forwards it to the conventional IP network.
Step 402: the MN sends a service access request to the identity provider;
Step 403: the MN selects the service to be accessed on the identity provider's page and sends an anonymous service request to the identity provider;
Step 404: the identity provider obtains the user's access identifier AID from the message and confirms that the user has passed access authentication; it checks whether a shared key Ks exists between itself and the service providing server and, if not, authenticates the service providing server and generates Ks once authentication passes. It checks that no pseudonym corresponding to the AID exists, or that the lifetime of the existing pseudonym has expired;
Step 405: according to the user's anonymous service request, the identity provider sends an anonymous identity request message to the NMS, carrying the user's AID and the service providing server URL;
Step 406: on receiving the anonymous identity request message, the NMS generates a random number Rand and a default lifetime as the pseudonym of the user, and builds an entry that maps the MN's AID and the service providing server URL to Rand and lifetime, as shown in Table 1;
Step 407: the NMS sends an anonymous identity response message to the identity provider, carrying the user's AID, the service providing server URL, the random number Rand and the lifetime;
Step 408: the identity provider sends an anonymous service response message to the user, carrying the service providing server URL, the random number Rand and the lifetime;
Step 409: the user sends a specified user name and its lifetime to the identity provider through the terminal;
The user may replace the random number Rand with a user name they wish to display, and may specify the desired lifetime;
Step 410: the identity provider sends an anonymous update request message to the NMS, carrying the user's AID, the random number Rand, the user-specified pseudonym and its lifetime;
Step 411: after adding the user-specified pseudonym and updating the lifetime, the NMS sends an anonymous update response message to the identity provider, carrying the result (update succeeded or failed);
Step 412: the identity provider generates a random number nonce from the current timestamp and builds an authentication response message that contains assertion information; the assertion carries the nonce, the service providing server URL, the identity provider URL, the pseudonym Rand generated by the NMS or the user name specified by the user, the signature algorithm, and the signature result computed with Ks;
Step 413: the identity provider sends the authentication response message to the service providing server by HTTP redirection;
Step 414: the service providing server verifies the integrity of the assertion using the shared key Ks it holds with the identity provider, and checks whether the nonce was recently generated and whether it is a repeat;
Step 415: after verification passes, the service providing server creates an entry for the user MN under the random number Rand or the specified user name;
Step 416: the service providing server returns a service access response to the user and provides service, using Rand or the user name as the user's identifier at the service providing server.
Steps 403 to 416 of this embodiment are handled in the same way as steps 305 to 318 of the previous embodiment and are not repeated here.
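The pseudonym lifecycle of steps 306 to 313 and 404 to 411, together with the Table 1 entry the NMS keeps, as an added example in Python; this is not code from the patent. The pseudonym format, the default lifetime, the identity provider's local cache of live pseudonyms and all identifiers used below are assumptions made for the example. Table 1 keys the entry by AID and service providing server URL, which is what the example exercises: the same AID receives a different Rand at each service providing server, a live pseudonym is reused until its lifetime expires, and the user-chosen name from the anonymous update request replaces Rand only when the AID and Rand match a live entry.

```python
"""Pseudonym lifecycle at the NMS and identity provider (steps 306-313 and
404-411, Table 1). Added example, not the patent's code; pseudonym format,
default lifetime and the identity provider's cache are assumptions.
"""
import os

DEFAULT_LIFETIME = 24 * 3600   # seconds; assumed default handed out by the NMS


class NameMappingServer:
    """Holds the Table 1 entries: (AID, SP URL) -> Rand, user name, expiry."""

    def __init__(self):
        self.table = {}

    def anonymous_identity(self, aid, sp_url, now):
        # Steps 307-309 / 405-407: mint Rand with the default lifetime and
        # record it against (AID, SP URL). One pseudonym per SP, so two SPs
        # cannot link the same AID by comparing the pseudonyms they see.
        rand = "Rand-" + os.urandom(8).hex()
        self.table[(aid, sp_url)] = {"rand": rand, "name": None,
                                     "expires": now + DEFAULT_LIFETIME}
        return rand, DEFAULT_LIFETIME

    def anonymous_update(self, aid, rand, name, lifetime, now):
        # Steps 312-313 / 410-411: the request carries AID, Rand, the chosen
        # name and lifetime; bind the name to the live entry that matches.
        for (entry_aid, _sp_url), e in self.table.items():
            if entry_aid == aid and e["rand"] == rand and e["expires"] > now:
                e["name"], e["expires"] = name, now + lifetime
                return True
        return False

    def pseudonym(self, aid, sp_url, now):
        # Identity the SP will see for this AID: chosen name if set, else Rand.
        e = self.table.get((aid, sp_url))
        if e is None or e["expires"] <= now:
            return None
        return e["name"] or e["rand"]


class IdentityProvider:
    """Step 306 / 404: reuse a live pseudonym; ask the NMS for a new one
    only when none exists or its lifetime has expired."""

    def __init__(self, nms):
        self.nms = nms
        self.cache = {}   # (AID, SP URL) -> (pseudonym, expiry); assumption

    def pseudonym_for(self, aid, sp_url, now):
        cached = self.cache.get((aid, sp_url))
        if cached is not None and cached[1] > now:
            return cached[0]
        rand, lifetime = self.nms.anonymous_identity(aid, sp_url, now)
        self.cache[(aid, sp_url)] = (rand, now + lifetime)
        return rand

    def rename(self, aid, sp_url, rand, name, lifetime, now):
        # Steps 311-313 / 409-411: forward the user's chosen name and lifetime
        # to the NMS and mirror a successful result in the local cache.
        ok = self.nms.anonymous_update(aid, rand, name, lifetime, now)
        if ok:
            self.cache[(aid, sp_url)] = (name, now + lifetime)
        return ok
```

Keying the entry by AID and service providing server URL is what keeps two service providing servers from correlating a user by pseudonym; the identity provider never hands the AID itself to a service providing server, only the Rand or the chosen name from the current entry.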
Figure 5 shows the structure of an identity provider embodiment of the present invention. The identity provider comprises a confirmation module 51 and an assertion processing module 52, wherein:
the confirmation module is configured to confirm that the user has passed access authentication;
the assertion processing module is configured, after the confirmation module confirms that the user has passed access authentication, to generate assertion information for the user according to the shared key between the identity provider and the service providing server the user intends to access, and to send the assertion information to the service providing server.
The identity provider further comprises a key generation module configured, before the assertion processing module generates the assertion information for the user and after an authentication request sent by the service providing server or a service access request sent by the user has been received, to check whether the shared key exists and, if not, to generate the shared key after the service providing server has passed authentication.
To avoid leaking the user's identity information, the identity provider further comprises an acquisition module configured, after the confirmation module confirms that the user has passed access authentication and before the assertion processing module generates the assertion information for the user, to obtain a pseudonym and a lifetime corresponding to the pseudonym for the user. Specifically, the acquisition module sends an anonymous identity request to the name mapping server (NMS) according to the user's anonymous service request, and receives the pseudonym of the user that the NMS generates for the anonymous identity request together with the lifetime corresponding to the pseudonym. Since the user may also change the user name, the acquisition module is further configured to receive an anonymous update request sent by the user carrying a specified user name and corresponding lifetime, to send the anonymous update request to the NMS, and to receive the update result returned by the NMS.
The assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm, and the signature result computed by the identity provider with the shared key; the identity information of the user comprises the pseudonym or the specified user name.
After confirming that the user has passed access authentication, the identity provider described above provides the service providing server with assertion information about the user, so that the user need not enter authentication information when accessing the service providing server.
Figure 6 shows the structure of a service providing server embodiment of the present invention. The service providing server comprises a receiving module 61 and a verification module 62, wherein:
the receiving module is configured to receive, from the identity provider, assertion information about a user intending to access the service providing server;
the verification module is configured to verify the assertion information according to the shared key between the service providing server and the identity provider.
The service providing server further comprises a service providing module configured, after the verification module has verified the assertion information, to create an entry corresponding to the identity information of the user contained in the assertion information and to provide service to the user.
The verification module computes a signature result over the service providing server URL, the identity provider URL and the NMS-generated pseudonym Rand or user-specified user name carried in the assertion, using the shared key negotiated with the identity provider and the signature algorithm carried in the assertion, and compares it with the signature result carried in the assertion; if the two match, the assertion is intact. It also judges from the nonce's generation time whether the nonce was recently generated and whether it has been seen before; if it is recent and not repeated, verification passes.
The service providing server described above completes the user's single sign-on according to the assertion information about the user sent by the identity provider, while effectively protecting the user's privacy.
Figure 7 shows the structure of a name mapping server embodiment of the present invention. The NMS comprises a receiving module 71 and a generating-and-sending module 72, wherein:
the receiving module is configured to receive an anonymous identity request sent by the identity provider, the anonymous identity request carrying an identity of the user;
the generating-and-sending module is configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym of the user corresponding to that identity and a lifetime corresponding to the pseudonym, and to return the pseudonym of the user and the corresponding lifetime to the identity provider.
To allow the user's pseudonym to be modified, the generating-and-sending module is further configured to receive, from the identity provider, the user's anonymous update request carrying a specified user name and corresponding lifetime, to perform update processing according to the anonymous update request, and to return the update result.
Further, the name mapping server of Figure 7 and the identity provider of Figure 5 may be co-located; the combined device is shown in Figure 8, and the functions of its modules are the same as those of the corresponding modules in Figures 5 and 7, so they are not repeated here.
Corresponding to the privacy-enhanced single sign-on method above, the embodiment of the present invention also provides a single sign-on system. As shown in Figure 9, the system comprises a service providing server 91, an identity provider 92 and a name mapping server 93; the functions of the modules in the system are the same as those of the corresponding modules in Figures 5 to 7 and are not repeated here.
In summary, in the embodiment of the present invention, on receiving an authentication request from the service providing server or a service access request from the user, the identity provider checks whether a shared key Ks exists and, if not, authenticates the service providing server and generates Ks once authentication passes. The identity provider confirms from the user's identity that the user has passed access authentication, protects the user's identity by having the name mapping server (NMS, Name Mapping Server) generate a pseudonym according to the user's anonymous service request, and generates assertion information about the user for the service providing server. After receiving the assertion information from the identity provider, the service providing server verifies its legitimacy and, if verification passes, creates an entry corresponding to the pseudonym and provides service to the user.
Of course, if only the problem of repeated authentication needs to be solved, the system above need not include the name mapping server, and correspondingly the identity provider need not include the acquisition module.
Those of ordinary skill in the art will understand that all or part of the steps of the method above may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the embodiments above may be implemented with one or more integrated circuits. Correspondingly, each module/unit in the embodiments above may be implemented in hardware or as a software functional module. The present invention is not limited to any particular combination of hardware and software.
The embodiments above are intended only to illustrate the technical solution of the present invention and not to limit it; the invention has been described in detail with reference to preferred embodiments only. Those of ordinary skill in the art will understand that modifications or equivalent substitutions may be made to the technical solution of the present invention without departing from its spirit and scope, and all such modifications fall within the scope of the claims of the present invention.

Claims (21)

1. A single sign-on method, comprising:
an identity provider confirming that a user has passed access authentication;
the identity provider generating assertion information for the user according to a shared key between itself and the service providing server the user intends to access, and sending the assertion information to the service providing server;
wherein the assertion information carries a random number, identity information of the identity provider, identity information of the service providing server, identity information of the user, a signature algorithm and a signature result;
the signature result is computed by the identity provider with the signature algorithm over the identity information of the identity provider, the identity information of the service providing server, the identity information of the user and the shared key;
and the identity information of the user comprises a pseudonym or a specified user name.
2. The method according to claim 1, characterized in that:
before the identity provider generates the assertion information for the user according to the shared key between itself and the service providing server the user intends to access, the method further comprises:
after receiving an authentication request sent by the service providing server or a service access request sent by the user, the identity provider checking whether the shared key exists and, if not, generating the shared key after the service providing server has passed authentication.
3. The method according to claim 1 or 2, characterized in that:
before the identity provider generates the assertion information for the user, the method further comprises:
the identity provider obtaining a pseudonym and a lifetime corresponding to the pseudonym for the user.
4. The method according to claim 3, characterized in that:
the identity provider obtaining a pseudonym and a lifetime corresponding to the pseudonym for the user comprises:
the identity provider sending an anonymous identity request to a name mapping server NMS according to an anonymous service request of the user, and receiving from the NMS the pseudonym of the user generated for the anonymous identity request and the lifetime corresponding to the pseudonym.
5. The method according to claim 4, characterized in that:
after the identity provider obtains the pseudonym and the lifetime corresponding to the pseudonym for the user, the method further comprises:
the identity provider receiving an anonymous update request sent by the user carrying a specified user name and corresponding lifetime, sending the anonymous update request to the NMS, and receiving the update result returned by the NMS.
6. A single sign-on method, comprising:
a service providing server receiving, from an identity provider, assertion information about a user intending to access the service providing server;
the service providing server verifying the assertion information according to a shared key between itself and the identity provider;
wherein the assertion information carries a random number, identity information of the identity provider, identity information of the service providing server, identity information of the user, a signature algorithm and a signature result;
the signature result is computed by the identity provider with the signature algorithm over the identity information of the identity provider, the identity information of the service providing server, the identity information of the user and the shared key;
and the identity information of the user comprises a pseudonym or a specified user name.
7. The method according to claim 6, characterized in that:
after the service providing server verifies the assertion information according to the shared key between itself and the identity provider, the method further comprises:
if verification passes, the service providing server creating an entry corresponding to the identity information of the user contained in the assertion information and providing service to the user; the identity information of the user being the pseudonym or the specified user name of the user.
8. The method according to claim 6 or 7, characterized in that:
before the service providing server receives, from the identity provider, the assertion information about the user intending to access the service providing server, the method further comprises:
after receiving a service access request sent by the user, the service providing server generating a random number and sending to the identity provider an authentication request carrying the random number.
9. The method according to claim 8, characterized in that:
the service providing server verifying the assertion information according to the shared key between itself and the identity provider comprises:
the service providing server computing a signature result from the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm and the shared key, and comparing whether the signature result it computed matches the signature result computed by the identity provider; and
judging whether the generation time of the random number is current and whether the random number is unique.
10. An identity provider, comprising:
a confirmation module configured to confirm that a user has passed access authentication;
an assertion processing module configured, after the confirmation module confirms that the user has passed access authentication, to generate assertion information for the user according to a shared key between the identity provider and the service providing server the user intends to access, and to send the assertion information to the service providing server;
wherein the assertion information carries a random number, identity information of the identity provider, identity information of the service providing server, identity information of the user, a signature algorithm and a signature result;
the signature result is computed by the identity provider with the signature algorithm over the identity information of the identity provider, the identity information of the service providing server, the identity information of the user and the shared key;
and the identity information of the user comprises a pseudonym or a specified user name.
11. The identity provider according to claim 10, characterized in that it further comprises:
a key generation module configured, before the assertion processing module generates the assertion information for the user and after an authentication request sent by the service providing server or a service access request sent by the user has been received, to check whether the shared key exists and, if not, to generate the shared key after the service providing server has passed authentication.
12. The identity provider according to claim 11, characterized in that it further comprises:
an acquisition module configured, after the confirmation module confirms that the user has passed access authentication and before the assertion processing module generates the assertion information for the user, to obtain a pseudonym and a lifetime corresponding to the pseudonym for the user.
13. The identity provider according to claim 12, characterized in that:
the acquisition module is configured to send an anonymous identity request to a name mapping server (NMS) according to an anonymous service request of the user, and to receive from the NMS the pseudonym of the user generated for the anonymous identity request and the lifetime corresponding to the pseudonym.
14. The identity provider according to claim 13, characterized in that:
the acquisition module is further configured to receive an anonymous update request sent by the user carrying a specified user name and corresponding lifetime, to send the anonymous update request to the NMS, and to receive the update result returned by the NMS.
15. A service providing server, comprising:
a receiving module configured to receive, from an identity provider, assertion information about a user intending to access the service providing server;
a verification module configured to verify the assertion information according to a shared key between the service providing server and the identity provider;
wherein the assertion information carries a random number, identity information of the identity provider, identity information of the service providing server, identity information of the user, a signature algorithm and a signature result;
the signature result is computed by the identity provider with the signature algorithm over the identity information of the identity provider, the identity information of the service providing server, the identity information of the user and the shared key;
and the identity information of the user comprises a pseudonym or a specified user name.
16. The service providing server according to claim 15, characterized in that it further comprises:
a service providing module configured, after the verification module has verified the assertion information, to create an entry corresponding to the identity information of the user contained in the assertion information and to provide service to the user.
17. An information processing apparatus, comprising the identity provider according to any of claims 10 to 14 and a name mapping server NMS, wherein the NMS comprises:
a receiving module configured to receive an anonymous identity request sent by the identity provider, the anonymous identity request carrying an identity of the user;
a generating-and-sending module configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym of the user corresponding to the identity and a lifetime corresponding to the pseudonym, and to return the pseudonym of the user and the lifetime corresponding to the pseudonym to the identity provider.
18. The information processing apparatus according to claim 17, characterized in that:
the generating-and-sending module of the NMS is further configured to receive, from the identity provider, the user's anonymous update request carrying a specified user name and corresponding lifetime, to perform update processing according to the anonymous update request, and to return the update result.
19. A single sign-on system, comprising the identity provider according to any of claims 10 to 14 and the service providing server according to any of claims 15 to 16.
20. A single sign-on system, comprising the identity provider according to any of claims 13 to 15, the service providing server according to any of claims 15 to 16 and a name mapping server NMS, wherein the NMS comprises:
a receiving module configured to receive an anonymous identity request sent by the identity provider, the anonymous identity request carrying an identity of the user;
a generating-and-sending module configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym of the user corresponding to the identity and a lifetime corresponding to the pseudonym, and to return the pseudonym of the user and the lifetime corresponding to the pseudonym to the identity provider.
21. The single sign-on system according to claim 20, characterized in that:
the generating-and-sending module of the NMS is further configured to receive, from the identity provider, the user's anonymous update request carrying a specified user name and corresponding lifetime, to perform update processing according to the anonymous update request, and to return the update result.
CN201110279495.2A, priority date 2011-09-20, filing date 2011-09-20: Method, system and the information processing method of single-sign-on, system. Active. CN103023856B (en)

Priority Applications (3)

Application Number | Priority Date | Filing Date | Publication | Title
CN201110279495.2A | 2011-09-20 | 2011-09-20 | CN103023856B (en) | Method, system and the information processing method of single-sign-on, system
CN201610833474.3A | 2011-09-20 | 2011-09-20 | CN106254386B (en) | A kind of information processing method and name mapping server
PCT/CN2012/079709 | 2011-09-20 | 2012-08-06 | WO2013040957A1 (en) | Single sign-on method and system, and information processing method and system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Publication | Title
CN201110279495.2A | 2011-09-20 | 2011-09-20 | CN103023856B (en) | Method, system and the information processing method of single-sign-on, system

Related Child Applications (1)

Application Number | Relation | Priority Date | Filing Date | Publication | Title
CN201610833474.3A | Division | 2011-09-20 | 2011-09-20 | CN106254386B (en) | A kind of information processing method and name mapping server

Publications (2)

Publication Number | Publication Date
CN103023856A | 2013-04-03
CN103023856B | 2018-07-13

Family ID: 47913855

Family Applications (2)

Application Number | Status | Priority Date | Filing Date | Publication | Title
CN201610833474.3A | Active | 2011-09-20 | 2011-09-20 | CN106254386B (en) | A kind of information processing method and name mapping server
CN201110279495.2A | Active | 2011-09-20 | 2011-09-20 | CN103023856B (en) | Method, system and the information processing method of single-sign-on, system

Country Status (2)

Country | Link
CN (2) | CN106254386B (en)
WO (1) | WO2013040957A1 (en)


Also Published As

Publication number Publication date
CN106254386B (en) 2019-07-05
CN106254386A (en) 2016-12-21
CN103023856A (en) 2013-04-03
WO2013040957A1 (en) 2013-03-28

Similar Documents

Publication Publication Date Title
CN103023856B (en) Method, system and the information processing method of single-sign-on, system
CN1977514B (en) Authenticating users
CN101069402B (en) Method and system for transparently authenticating a mobile user to access web services
US7221935B2 (en) System, method and apparatus for federated single sign-on services
US8261078B2 (en) Access to services in a telecommunications network
EP3120591B1 (en) User identifier based device, identity and activity management system
CN109511115A (en) A kind of authorization method and network element
US20060195893A1 (en) Apparatus and method for a single sign-on authentication through a non-trusted access network
CN103067337B (en) Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system
KR102299865B1 (en) Method and system related to authentication of users for accessing data networks
CN105763658B (en) For being addressed method, addressable server and the system of equipment dynamic IP addressing
CN102420808A (en) Method for realizing single signon on telecom on-line business hall
US20130183934A1 (en) Methods for initializing and/or activating at least one user account for carrying out a transaction, as well as terminal device
KR101506594B1 (en) Method and system for subscriber to log in internet content provider(icp) website in identity/location separation network and login device thereof
WO2013023475A1 (en) Method for sharing user data in network and identity providing server
WO2011063658A1 (en) Method and system for unified security authentication
CN103200147B (en) The requesting method and device of third party's business
WO2011131002A1 (en) Method and system for identity management
CN106330894B (en) SAVI proxy authentication system and method based on link-local address
KR101869584B1 (en) Method and system for cloud-based identity management (c-idm) implementation
JP4579592B2 (en) Information providing service system and method
WO2014187423A1 (en) Method and device for processing identification information
KR100904004B1 (en) Authenticating users
TWI246300B (en) Method and apparatus enabling reauthentication in a cellular communication system
Stakenburg Managing the Client-side Risks of IEEE 802.11 Networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant