CN115996128A - Identity recognition method based on trust - Google Patents


Info

Publication number: CN115996128A
Application number: CN202211631155.6A
Authority: CN (China)
Prior art keywords: metadata, IdP, account number, personal, reader
Legal status: Pending (status as assumed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张良, 陈伟, 单建帅, 王文聪
Current assignee: Tongfang Knowledge Network Digital Publishing Technology Co ltd
Original assignee: Tongfang Knowledge Network Digital Publishing Technology Co ltd
Priority date: 2022-12-19
Filing date: 2022-12-19
Publication date: 2023-04-21

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a trust-based identity recognition method comprising the following steps: building a university/institution external access system; constructing a reader personal identity (ID) from the values returned by the IdP; associating the reader's personal account with the institution account by means of that personal ID; letting the reader log in to the system with the personal account and then access the resources authorized to the institution; and letting the institution administrator manage the binding between personal accounts and the institution. Once a reader has logged in through the university/institution external access system, the reader's personal account is associated with the institution account; thereafter the personal account alone can log in to the system and use the institution's authorized resources. By simplifying the authentication steps, the experience of readers outside their university/institution is effectively improved.

Description

Identity recognition method based on trust
Technical Field
The invention belongs to the technical field of computer applications, relates to identity recognition technology, and in particular to a trust-based identity recognition method.
Background
In the digital publishing industry, when digital resource vendors license electronic resources to an institution, they typically restrict the institution's readers by IP address range or geographic range in order to prevent uncontrolled use. Once a reader of the institution leaves that range, for example on a business trip or at home, the electronic resources purchased by the institution cannot be accessed; moreover, under unpredictable conditions such as an epidemic outbreak, institutional readers may have to work and study outside the access range for a long time. A Shibboleth-based university/institution external access system can solve this problem. Shibboleth provides a complete open-source SAML single sign-on solution whose two main products, the Service Provider (SP) and the Identity Provider (IdP), correspond to a client and a server: the SP is installed on the resource provider's side and the IdP on the institution's side. Authentication over the SAML protocol also requires a trusted intermediary that checks and verifies the information of each SP and IdP entity; this intermediary is commonly called a SAML federation, and it can be realized either by joining a federation website operated by a third party or by self-developed software. When a reader accesses electronic resources from outside the institution's range, the reader first authenticates at the IdP against the institution's internal authentication system with a personal institutional account; the IdP then redirects to the electronic resource website carrying the authentication result, and once the SP has processed it, the SP authorizes the reader to access the electronic resources with the institution's entitlements.
Throughout this process the reader has to choose among different login entries on the electronic resource website and is redirected several times, so the authentication flow is cumbersome and the reader experience is poor.
Disclosure of Invention
In order to solve the technical problems, the invention aims to provide an identity recognition method based on trust.
The aim of the invention is achieved by the following technical scheme:
a trust-based identity recognition method, comprising:
A. building a university/institution external access system;
B. constructing a reader personal identity (ID) from the values returned by the IdP;
C. associating the reader's personal account with the institution account by means of the reader's personal ID;
D. letting the reader log in to the system with the personal account and then access the resources authorized to the institution;
E. letting the institution administrator manage the binding between personal accounts and the institution.
One or more embodiments of the present invention may have the following advantages over the prior art:
after a single authentication and association, the reader can, for a long period and whether inside or outside the institution's access range, log in to the electronic resource website with the personal account and directly access the institution's authorized resources; the institution administrator can manage the bindings of personal accounts through the reader's known personal ID; by simplifying the authentication steps, the experience of readers outside their university/institution is effectively improved.
Drawings
FIG. 1 is a flow chart of a trust-based identification method.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following examples and the accompanying drawings.
As shown in Fig. 1, the trust-based identity recognition method comprises the following steps:
1. Building the university/institution external access system
Building the university/institution external access system comprises: building the Service Provider, developing an IdP/SP metadata management and parsing system, developing the login portal and authentication redirect website, and interfacing with the Identity Provider. Specifically:
(1) Building the Service Provider
Install the Shibboleth SP open-source component and integrate it with the web server. Open the http://localhost/Shibboleth.sso/Metadata page and save its XML to a local file as the SP's metadata file. Choose and join a SAML federation, register with it using the metadata file, and obtain the federation metadata address; also register the metadata file with the self-developed IdP/SP metadata management and parsing system to obtain the self-parsed metadata address. Configure both metadata addresses in the MetadataProvider node of the Shibboleth configuration file.
(2) Developing the IdP/SP metadata management and parsing system
An IdP/SP metadata management and parsing system is developed on the basis of the SAML protocol. Resource providers and universities/institutions can register an account in the system, publish their SP/IdP metadata, and set contacts, logos and other basic information. The system generates self-parsed metadata from the registration information and offers it for download. It thereby performs a function similar to a SAML federation: managing the metadata of IdPs and SPs.
(3) Developing the login portal and authentication redirect website
This website has two functions. First, it lists the connected universities/institutions on a page so that readers can find them easily; after the reader selects an institution, the system looks up the corresponding IdP entity address in the metadata and sends an authentication request to the IdP in protected (encrypted) form. Second, according to the SP's processing result, it completes authentication in the resource provider's authentication system and redirects the user to the designated address.
(4) Interfacing with the Identity Provider
The Identity Provider, i.e. the Shibboleth IdP, is usually deployed inside the university/institution; it is realized by installing the Shibboleth IdP open-source component and connecting it to the institution's existing unified authentication system. Export the IdP's metadata page as XML and save it locally as the IdP metadata file. Register that file with a SAML federation or with the IdP/SP metadata management and parsing system, obtain the federation metadata address or the self-parsed metadata address, and configure it in the MetadataProvider node of the Shibboleth configuration file.
2. Constructing the reader personal identity (ID) from the IdP return value
Under the SAML protocol, attribute information that identifies the reader within the university/institution is obtained from the result returned by the IdP: the EPPN (eduPersonPrincipalName), the EPTID (eduPersonTargetedID) and the persistent ID. The EPPN is plaintext, which lets the university/institution check a reader's identity quickly; the EPTID carries the issuing institution's information; the persistent ID is an opaque string. For operational convenience, and subject to what the IdP is authorized to release, the attribute is taken in the priority order EPPN, EPTID, persistent ID, and the reader's personal ID is constructed from it after encryption and encoding.
3. Associating the reader's personal account with the institution account by means of the reader's personal ID
This comprises: obtaining the personal account information, obtaining the reader's institution account information, and associating the two by means of the reader's personal ID. Specifically:
(1) Obtaining the personal account information
A reader who already has a personal account enters the account and password on the system page; a reader without one registers a personal account as prompted by the system page.
(2) Obtaining the reader's institution account information
In the university/institution external access system, the system takes the institution identifier from the IdP return value and looks up the corresponding institution account in the university/institution list. Thus, once the reader has authenticated through the university/institution external access system, the system has already identified the reader's institution account.
(3) Associating the reader's personal account with the institution account by means of the reader's personal ID
The reader's personal account is associated with the institution account by means of the reader's personal ID; the association of personal account, personal ID and institution account is stored in the system with a validity period set according to business requirements. After it expires, the reader can re-associate as prompted by the system.
4. Letting the reader log in with the personal account and access the institution's authorized resources
After a reader has logged in through the university/institution external access system and associated the personal account, subsequent logins with the personal account are authorized directly from the stored association, without further authentication by the university/institution's single sign-on system, and the reader's personal account can access the institution's authorized resources; the system sets a validity period to control how long the association remains effective, according to actual business conditions. Specifically:
(1) Checking whether the personal account is associated with an institution account
When a reader logs in with the personal account, the system looks up the personal account in the stored associations of personal account, personal ID and institution account. If a record exists, the institution account, validity period, association time and related information are retrieved and returned; if not, the personal account is not associated with any institution account.
(2) Checking whether the association is within its validity period
The validity period of the stored association of personal account, personal ID and institution account is checked; if it has expired, the system guides the reader to associate the institution account again.
(3) Checking whether the institution account has usable entitlements
After verifying that the institution account associated with the reader's personal account is in good standing and has not expired, the authentication system ignores the institution's IP range restriction and allows the personal account to use the institution account's authorized resources from outside that IP range.
5. The institution administrator manages the bindings of personal accounts
The institution account administrator can log in to the system and manage personal account bindings using the reader's personal ID, association time, association IP and similar information. The reader's personal ID corresponds to one of EPPN, EPTID or persistent ID in the institution's IdP, as decided by the university/institution and configured when the IdP is connected, and can be mapped to a specific individual inside the institution.
Although the embodiments of the present invention are described above, the embodiments are only used for facilitating understanding of the present invention, and are not intended to limit the present invention. Any person skilled in the art can make any modification and variation in form and detail without departing from the spirit and scope of the present disclosure, but the scope of the present disclosure is still subject to the scope of the appended claims.

Claims (8)

1. A trust-based identification method, comprising:
A. building a university/institution external access system;
B. constructing a reader personal identity (ID) from the values returned by the IdP;
C. associating the reader's personal account with the institution account by means of the reader's personal ID;
D. letting the reader log in to the system with the personal account and then access the resources authorized to the institution;
E. letting the institution administrator manage the binding between personal accounts and the institution.
2. The trust-based identification method as claimed in claim 1, wherein building the university/institution external access system in A, based on the SAML protocol and Shibboleth components, specifically comprises:
A1. building a Service Provider;
A2. building an IdP/SP metadata management and parsing system for managing the IdP metadata of universities/institutions;
A3. interfacing with the university/institution's IdP system through a login portal and an authentication redirect website.
3. The trust-based identification method of claim 2, wherein A1 comprises:
saving the XML of the metadata page as the metadata file, and registering with a SAML federation using the metadata file to obtain the federation metadata address;
registering the metadata file with the IdP/SP metadata management and parsing system to obtain the self-parsed metadata address;
configuring the federation metadata address and the self-parsed metadata address in the MetadataProvider node of the Shibboleth configuration file.
4. The trust-based identification method of claim 2, wherein A2 specifically comprises:
building an IdP/SP metadata management and parsing system based on the SAML protocol;
the IdP/SP metadata management and parsing system generating self-parsed metadata from the registration information and providing it for download;
managing the IdP/SP metadata through the IdP/SP metadata management and parsing system.
5. The trust-based identification method of claim 1, wherein B comprises: based on the SAML protocol, obtaining from the result returned by the IdP attribute information that identifies the individual, namely the plaintext EPPN, the EPTID carrying university/institution information and the opaque persistent ID, and constructing the reader's personal ID from that attribute information after encryption.
6. The trust-based identification method of claim 1, wherein C comprises:
obtaining the personal account information;
obtaining the reader's institution account information: the university/institution external access system takes the institution identifier from the IdP return value and finds the corresponding institution account in the university/institution list;
storing the association of the reader's personal account, personal ID and institution account in the system and setting its validity period according to business requirements.
7. The trust-based identity recognition method of claim 1, wherein D comprises: the university/institution external access system setting a validity period that controls how long the association remains effective, according to actual business conditions; and specifically:
checking whether the personal account is associated with an institution account;
checking whether the association is within its validity period;
checking whether the institution account has usable entitlements.
8. The trust-based identification method of claim 1, wherein in E the institution administrator logs in through the university/institution external access system and manages personal account bindings according to the reader's personal ID, association time and association IP.

Priority Applications (1)

Application Number: CN202211631155.6A
Priority Date: 2022-12-19
Filing Date: 2022-12-19
Title: Identity recognition method based on trust

Publications (1)

Publication Number: CN115996128A
Publication Date: 2023-04-21

Family

ID=85989778

Country Status (1)

CN: CN115996128A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination