DE102005061632B4 - Method and apparatus for authorization - Google Patents

Abstract

The invention relates to a method for answering authorization requests (A) from a utilization system (S1) to at least one service system (S2), having an intermediary system (S3) having access to the authorization information (A), comprising the following steps: - forwarding ( B) the authorization request from the service system (S2) to the intermediary system (S3); - Acceptance (B) of the authorization request, by the intermediary system (S3) only if the service system (S2) is in a trust relationship to the intermediary system (S3), - Mutual transfer of target parameters between (S2) and S (3) via (B ), for the purpose of redirecting the utilization system (S1) to the mediator system (S3), - Through the redirect there is a communication (C) of the mediator system (S3) with the utilization system (S1). In the communication (C), the usage system (S1) is authenticated indirectly or directly and with the aid of rules in (S3) and / or with the aid of at least one (S4). - If the authentication is positive, the utilization system (1) is redirected back to (S2). The basis for this was the destination parameter transfer in (B) during the authorization request from (S2) to (S3). At the same time, in (S3), based on the authentication of (S1) by the communication in (C) and the authorization request of (S2), the result of the authorization is determined. The result is exchanged via the trust relationship (B). The result of the authorization request can then be fetched by the service system (S2) from the agent system (S3) or the switching system (S3) informs the service system (S2). Then, the service system (S2) can allow the access system (S1) to access (A) and communicate with it so that both the authorization request and the response thereto are made directly between the service system (S2) and the usage system (S3) (B). and the utilization system (S1) does not act as a mediator. The method can be carried out both transaction-based, session-based or also from combinations of both methods with one another and / or one another.

Description

The invention relates to an apparatus and a method for switching and answering AAA requests (authentication, authorization and accouting) for a user instance in distributed DV architectures (data processing architectures) based on raw data from distributed DV source systems.

Field of the invention:

The specialization of providers of goods or services whose offerings are accessible via distributed systems (eg Internet) to their core competence of providing or delivering results in being forced to external sources to authenticate and authorize their users or buyer to use. Authentication, authorization and access control are essential for most Internet service providers. This is necessary if the service itself is not to be openly accessible to any user, or if payment is necessary, and if the service itself does not hold the data for authorization.

Today's procedures z. For example, in the context of ISPs (Internet Service Providers) for authentication and authorization are based mostly on the RADIUS (Remote Authentication Dial-In Service) protocol and provide access to services that centralize the administration and validation of authentication and authorization information for a Provide usernames.

Today's procedures offer providers of services or goods the opportunity to connect to various ISPs or account providers. These account providers provide information on the authenticity and authorisability of users based on different protocols, proprietary interfaces and data objects. It is the task of the provider of services and goods, to adapt to the interfaces of the account provider, which leads to heavy expenses in the development and maintenance of interfaces, if the service provider wants to offer its services or goods to the users of several account providers , For each customer and contract-managing client (Operations Support Systems, hereinafter referred to as OSS or Business Support Systems, hereinafter referred to as BSS) of the account provider, the processing IT system of the service provider must process and evaluate the source data differently with regard to the authorization information. In addition, depending on the data model and the information content of the account provider, the service provider has to implement various logics for evaluating the information supplied in order to be able to make a statement about the authorization for a user. Often, this leads to additional and unnecessary system load on the service provider, since its technology is not designed for a high-performance settlement of authorization issues to distributed source systems of account providers, but focuses on the provision of services. This can lead to a user having to go through cumbersome procedures for authentication and authorization. B. for the medium Internet unusually long waiting times or query dialogues must be accepted.

In terms of security and trustworthiness, the systems of the service provider and the account provider must directly authenticate against each other and authorize (eg exchange of credentials such as UN / PW or certificates). This possibly means for the service provider and the account provider a system-side technical integration per connection.

The "Liberty Alliance" defines a framework for interfaces and basic communication logics between distributed systems. This standard forms the basis for a possible method of authenticating (eg, single sign-on) usage instances in federated networks. The authorization and the provision of positive answers are not dealt with in this standard. This is due to the fact that unlike the method described here, the Liberty Alliance does not deal with the process logic for possible customer and contract-leading backend systems and their technical and optimized mapping to systems. This is a major challenge in order to realize the integration of different backend systems with authorization information in addition to the interfaces in the federated world of Liberty Alliance compatible partners.

From the OASIS: Security Assertion Markup Language (SAML) 2.0 Technical Overview. Working Draft 03, 20 February 2005 URL: http://xml.coverpages.org/SAML-TechOverview20v03-11511.pdf A method is known in which an authorization of the service takes place, but the service with the access information or authorization information is supplied.

The US 2005/026202 A1 discloses a method of redirecting for authorization.

The US 2002/0162027 A1 discloses a method in which access control to a service is performed.

From the WO 2005/072382 A2 and WO 0103083 A1 Methods are known for secure telephone and computer transactions.

The publication US 2001/0018748 also discloses a service for authorizing a transaction. Here, vital information about the user is stored to confirm the identity of the user. By comparing the vital information with the information stored by the network, authentication information is obtained. If the comparison of the vital information with the entered information was successful, the financial transaction is carried out.

The invention of the US 2001/0018748 Significantly relies on comparing the vital information with the information provided by the user. This approach is not used in the present invention and is far from the approach of the present invention, so that the present invention is also inventive in this view.

From the EP 1531398 A1 a method for authentication is known, wherein the authentication is performed by a plugin in a browser. Here, the plugin is used to make an authentication request to an authentication server. There is thus an indirect diversion. Not the service server, as in the present invention, forwards the request to an authentication server, but rather the service server controls a plug-in in the browser by means of a specific data format, which then in turn performs an authentication at an authentication server. This is also an elegant approach that is completely transparent to the user; however, it assumes that a plugin is installed in the browser.

Overview of the invention

As more and more value-added services are offered over the Internet, it becomes increasingly important to provide a device and method that reduces complexity, increases reusability, reduces interfaces and relocates data processing to specialized systems. The intermediary entity process, optimized for processing authorization requests, as well as retrieving and processing raw authorization data from distributed source systems, reduces the turnaround time for the process of authorization. In addition, a reliable system is provided to the service provider and the account provider, which enables secure communication and ensures a low default rate, taking into account lower implementation and maintenance costs for the merchant / service provider. The increased performance is achieved by optimizing the interfaces to the account providers and the knowledge and processing of their data structures centrally in the data processing system by means of their own object model. This relieves the service provider's system resources and makes processing more efficient on the specialized computerized mediator system.

The invention relates to an apparatus and a method for switching and answering AAA requests, in particular authorization and / or authentication requests for a user instance in distributed DV architectures (data processing architectures) based on raw data from distributed DV source systems.

Ask z. If, for example, a user instance in a data processing system determines a service or the delivery of goods, the IT system must check whether the user instance has the necessary authorizations (characteristics for authorization) prior to service provision or delivery. The result of an authorization request provides the requesting computer system with the information as to whether it is authorized for a particular user instance to provide the requested service or to deliver a good. So z. For example, in a music sales portal, the usage instance is a web front-end that offers the user a variety of MPEG songs. The user now intends to purchase one of these songs. For this, the requesting computer system must check whether the user is authorized.

These requesting DP systems, which share an authorization request for a usage instance, address a DV mediator system via a unified interface. The user instance is then transferred via a so-called "redirect" from the requesting data processing system to the data processing system. Authentication for the use instance is usually carried out there first, so that the authorization process can be initiated. For the above. For example, this means that the intermediary system has a link with a unique identifier, such as a. A transaction ID, which is then forwarded by the requesting system to the user's browser, which is thereby redirected to the intermediary system to complete the authorization there.

The IT agent system is characterized by its own object model, its own data structures and its own data processing for checking the authorization on the basis of existing raw data, which are assigned to the user instances from the DV source systems. This raw data is retrieved from the DV mediator system from the DV source systems and combined and checked in the DV mediator system. If the raw data are not completely available, the user instance can be transferred to other IT systems in order to transfer raw data that is necessary for business transaction-specific processes to the IT systems Register source systems (according to the principle: "creating positive answers"). Alternatively, the user instance can also be transferred to a further IT-mediator system, provided that a response to the authorization requests can be expected there. The combination of the raw data of the DV source systems finally generates the answer for the requesting DV system.

After the authorization result is generated, the usage instance may be recognized by the DV mediator system and associated with the original, open authorization requests. This can be z. B. in a specific technical mapping on the basis of certificates or cookies that are stored on the systems. The user instance is handed over again by the intermediary system through a "redirect" to the requesting computer system. The requesting DV system can query the result of the request at the DV mediator system via the standard interface, and the user instance can make use of a service or deliver a good.

• – Entgegennahme einer Autorisierungsanfrage von einem anfragenden DV-System;
• – Übergabe von Zielparametern für die Nutzungsinstanz an das anfragende DV-System für einen Redirect durch die Nutzungsinstanz. Es ist auch denkbar, dass das Vermittlersystem die Nutzungsinstanz direkt kontaktiert, wenn vorher die Adresse mitgeteilt wurde;
• – Entgegennahme der Nutzungsinstanz und Zuordnung der Nutzungsinstanz zur Transaktion der Autorisierungsanfrage;
• – Überprüfung der Vollständigkeit der Authentifizierungsinformationen der Nutzungsinstanz und ggf. Übergabe an Systeme zur Authentifizierung und anschließenden Entgegennahme der Nutzungsinstanz. Dies kann immer dann auftreten, wenn die Nutzungsinstanz dem DV-Vermittlersystem zwar bekannt ist, aber für die Anforderungen des anfragenden DV-Systems nicht hinreichend authentifiziert (d. h. die ”Vollständigkeit der Authentifizierungsinformationen” ist im Sinne der Güte nicht gegeben), so wird versucht, die Nutzungsinstanz z. B. gemäß Liberty Alliance oder beliebiger anderer Verfahren hinreichend zu authentifizieren. (Dabei können weitere Systeme zur Abwicklung der Authentifizierung genutzt werden bzw. die Nutzungsinstanz an diese zum Zwecke der Authentifizierung übergeben werden.)

In detail, in one possible embodiment, the steps may look like this:
The following are the following in the apparatus and corresponding method for providing arbitration and response of authorization requests for a use instance and at least one service in distributed DV architectures, wherein the use instance and the service are provided with the ability to connect to a common computer network Steps performed by one or more computerized mediator systems.

• - receiving an authorization request from a requesting computer system;
• - Transfer of target parameters for the user instance to the requesting computer system for a redirect by the user instance. It is also conceivable that the intermediary system contacted the user instance directly, if the address was previously communicated;
• - Acceptance of the user instance and assignment of the user instance to the transaction of the authorization request;
• - Verification of the completeness of the authentication information of the user instance and, if necessary, transfer to systems for authentication and subsequent acceptance of the user instance. This can always occur if the user instance is known to the IT agent system but is not adequately authenticated for the requirements of the requesting computer system (ie the "completeness of the authentication information" is not given in terms of quality), then an attempt is made to the use instance z. B. according to Liberty Alliance or any other method sufficient to authenticate. (In this case, further systems can be used to process the authentication or the usage instance can be passed to it for the purpose of authentication.)

• – Prüfung der Zuordenbarkeit der Nutzungsinstanz zu Backend-Systemen und ggf. Übergabe der Nutzungsinstanz an Drittsysteme zur Generierung von Autorisierungsinformationen und anschließende Entgegennahme der Nutzungsinstanz;
• – Identifizierung der für die Nutzungsinstanz zuständigen Backend-Systeme mit Informationen zur Autorisierung Anfrage von Profilen und Rechten zu der Nutzungsinstanz an die Backend-Systeme;
• – Empfang von Profildaten und Rechten zu der Nutzungsinstanz aus den Backend-Systemen;
• – Kombination der Profildaten und Rechte mit den Anforderungen des anfragenden-DV-Systems
• – Bestimmen von Autorisierungsergebnissen und ggfs. Bestimmen von alternativen Möglichkeiten für die Generierung von weiteren Autorisierungsinformationen, falls diese notwendig sein sollten, und ggf. Übergabe der Nutzungsinstanz an Drittsysteme zur Generierung von Autorisierungsinformationen und anschließende Entgegennahme der Nutzungsinstanz;
• – Erneute Identifizierung der für die Nutzungsinstanz zuständigen Backend-Systeme mit Informationen zur Autorisierung;
• – Anfrage von Profilen und Rechten zu der Nutzungsinstanz an die alternativen Backend-Systeme;
• – Empfang von Profildaten und Rechten zu der Nutzungsinstanz aus den alternativen Backend-Systemen;
• – Kombination der Profildaten und Rechte mit den Anforderungen des anfragenden DV-Systems;
• – Bestimmen von Autorisierungsergebnissen und Zuordnung zur Transaktion des anfragenden Systems;
• – Übergabe von Zielparametern für das anfragende System an die Nutzungsinstanz; somit erfolgt die aggregierte Übergabe von definierten Informationen (Zielparametern) an das anfragende System. (Zielparameter sind hierbei nicht unbedingt Parameter über das Ziel, sondern eher die Werte, die durch das Verfahren dem anfragenden System zur Verfügung gestellt werden);
• – Entgegennahme von Ergebnisanfragen durch das anfragende System, Auslieferung des Ergebnisses und weiterer Informationen aus der Anfrage an das Back-End-System an das anfragende System.

If the usage instance is not authenticatable (ie the "completeness of the authentication information" is not given at all in the sense of missing information), it can be routed by the IT agent system into a registration process with any system. Afterwards, the user instance can be authenticated and possibly data for authorization has been set up.

• - checking the assignability of the user instance to back-end systems and, if necessary, transferring the user instance to third-party systems for the generation of authorization information and subsequent acceptance of the user instance;
• - identification of the backend systems responsible for the usage instance with information on authorization request of profiles and rights to the usage instance to the backend systems;
• - receiving profile data and rights to the usage instance from the backend systems;
• - Combination of profile data and rights with the requirements of the requesting DV system
• Determining authorization results and, if appropriate, determining alternative possibilities for generating further authorization information, if necessary, and if necessary transferring the usage instance to third-party systems for generating authorization information and subsequently accepting the usage instance;
• - Re-identification of the user instance responsible backend systems with information for authorization;
• Requesting profiles and rights to the usage instance to the alternative backend systems;
• - receiving profile data and rights to the usage instance from the alternative backend systems;
• - Combination of the profile data and rights with the requirements of the requesting computer system;
• Determining authorization results and assigning to the transaction of the requesting system;
• - transfer of target parameters for the requesting system to the user instance; thus the aggregated transfer of defined information (target parameters) to the requesting system takes place. (Target parameters are not necessarily parameters about the target, but rather the values provided by the method to the requesting system);
• - Acceptance of result requests by the requesting system, delivery of the result and further information from the request to the back-end system to the requesting system.

The method described here optimizes the performance for the execution of authorization requests by means of a central high-performance component and thus reduces response times. In addition, the number of process steps of the overall system is also reduced in comparison to the direct approach of the requesting services to the account provider. The provider of a service or a good is thus independent of the variety of physical interfaces to the account providers.

Unlike middleware, the device and associated method described herein does not merely govern the mediation between different software. The technology described here uses its own data models, which, together with its own query, combination and checking mechanisms, allow an authorization request to be answered in an optimized manner and, if necessary, initiate necessary intermediate processes.

The apparatus and method for switching and responding to authorization requests for a use instance in distributed DV architectures is characterized by the systems described below.

The usage instance refers to a person, a name entity (group name) or machine that has another data processing system, eg. B. would like to use an Internet shop, Internet service or network element. In the case of a person this means z. For example, it uses a computer on which it uses applications to use other computer systems. These can be standard applications such as a web browser or other applications. In the case of a machine, this directly uses other systems. Such a machine can be, for example, a computer (PC, set-top box, mobile terminal with SIM, etc.) that has its own authentication features that have been stored on it.

The user instance has functions for requesting delivery of a good or provision of a service by a computer system. For communication, adequate standardized interface protocols are used, eg. HTTP, FTP, POP3, IMAP, SMTP (possibly in combination with SSL encryption).

Commonly used designations are user, user, customer, buyer, consumer, end customer, end device.

The DP systems that are addressed by the user instance are referred to as requesting computer systems. Requesting data processing systems are characterized by the fact that they deliver a good in digital form to the user instance, initiate a delivery or allow the user instance to access the requesting computer system in order to use an application or a network element there. Common to these usage scenarios of the requesting computer system is that the successful handling of delivery and access is only permitted for authorized users. The requesting system itself does not have the necessary authorization information.

A middleware organizes the transport of complex data (so-called messaging), conveys function calls between the components (so-called remote procedure calls), establishes transaction security via otherwise independent subsystems (function as a transaction monitor), etc.

Examples of requesting computer systems are communication services, web-based services, media services, network elements.

The requesting DV system and its built-in logic has the following features:
Provision of a service or delivery of a digital good to the user authority;
Exchange of identifying data records (exchange of eg certificates for authentication);
Query of further computer systems (DV mediator system);
Passing parameters for the specification of the authorization request transfer of the user instance to the IT agent system (redirect).

Conducting transactions; the usage instance should be able to be reassigned to the original request after authorization to deliver the requested good or to allow the requested access to the service provision. The assignment of transactions within the individual systems takes place via the exchange of transaction identifiers, which allows a temporarily valid and unique assignment of requests from other systems to their own transactions.

Possible protocols between the systems and instances are z. B. HTTP with or without SSL encryption. In addition, XML messages can be exchanged via SOAP. The key here is the exchange of the transaction ID in order to Linking processes via the systems and unambiguously allocating data exchange to the transactions of the individual systems.

Commonly used terms are Service Provider, Service Provider, Application Service Provider (ASP), Service, Internet Service, Shop, Merchant, Merchant, Provider, Merchant System, Content Provider, Content Aggregator, Network Element.

The DV Broker system means a computer that accepts the requests of the requesting DV system, if the requesting DV system is allowed to perform these requests. The logic for accepting the requests, storage, conversion and interpretation of records from the request is made by the agent application. Likewise, the logic for retrieving data from the source systems and, if necessary, transitioning the use instance to establish raw data is performed by the mediator application. Alternatively, the intermediary system may also transfer the usage instance to other DV mediator systems to perform the request for raw data from the attached DV source systems (The associated method of determining this data is not discussed because there are interfaces to a variety of systems The explanation is that the first DV-mediator system will act as a requesting DV-system compared to the second DV-mediator system, because the DV-mediator system also has the functions of the requesting DV-system.).

The DV mediator system and the logic integrated in the mediator application has functions for:
Communication with other computer systems;
Authentication of other computer systems;
Storage of transaction data and requests;
Identification of source systems belonging to the user instance;
Identification of the necessary raw data;
Combination and evaluation of raw data;
Determining the business transaction on the basis of existing information from the request data record and source systems;
Determining the steps necessary to bring about a positive response for the requesting system;
Redirect capabilities ie receipt and redirection of the user instance to other IT systems while preserving context information (transaction management).

For communication, adequate standardized interface protocols are used, eg. B. HTTP (possibly in combination with SSL encryption), SOAP, RADIUS, LDAP. For mutual authentication of the systems standardized authentication mechanisms are used, eg. Credentials (Application1D / ApplicatignSecret) or certificates.

The DV source system consists of one or more computer systems with authorization-relevant information regarding the user instance. This raw data can be queried by the intermediary system or transmitted to the DV mediator system upon request. Most of the raw data comes from OSS or BSS.

In DV source systems, raw data can also be created or stored in a transaction-oriented manner during the response to the authorization request. B. takes place in a payment or a confirmation of a request to take over a claim.

The DV source system has a number of features:
Function for communication with other systems; Function for storing data in arbitrary structures; Creating, changing and deleting data; Function for optional retrieval of data from other computer systems; Function for the optional direct or indirect entry, modification or deletion of data by means of further applications; Functions for the determination of access rights for computerized switchboard systems.

For communication, adequate standardized interface protocols are used, eg. B. HTTP (possibly in combination with SSL encryption), SOAP, RADIUS, LDAP. For mutual authentication of the systems standardized authentication mechanisms are used, eg. Credentials (Application1D / ApplicationSecret) or certificates.

Commonly used designations are account providers, ISP, MNO, backend systems with user data, OSS, BSS, billing systems, customer master, customer catalog, customer database; Contract Database, Presence Service Session Controller.

The following section deals with the other IT systems involved. The user instance is connected to the infrastructure of a network operator via a network access point (so-called access point). The network access point with its usual protocols and layers (data link, network, transport, application layer) is not shown and explained, since it is well known.

The systems can use a domain name service to resolve IP addresses. This is not shown.

There are various solutions, systems and standards for authentication and single sign-on, such as: B. SAML (used in the Liberty Alliance project). These components for authentication can be integrated into the DP switching system or lie outside of the components considered here and are not shown further.

Description of the figures:

The figure serves to illustrate an embodiment which is intended to facilitate the understanding of the invention.

1 shows the procedure with the communication between the individual components;

Preferred embodiment:

The 1 Figure 5 shows the method taking into account corresponding devices for switching and answering authorization requests for a use instance in distributed DV architectures with the corresponding steps.

For the usage request, the use entity S1 in (A) requests from the requesting DP system S2 either the delivery of a good or the use of a computer application or a network element. If it is not clear in S2 on the basis of its own information whether it is entitled to deliver or provide services to S1, then an authorization is necessary. For these purposes, S2 uses the DV mediator system S3 to make an authorization request. In response, the requesting computer system expects a logical yes or no and an associated usage instance name. Optionally, further information can be transferred.

In the authorization request, S2 sends a request (B) to S3 for authorization. The request is only allowed if S2 is known at S3 and can be authenticated (example IR address, exchange of secrets such as UN / PW, certificates, etc.). The request contains information about the request type (authorization) and optionally about identifiers (eg name, product groups, numbers, price information, QoS parameters, etc.) of the goods or service. Upon request by a legitimate requesting computer system, the computer system internally opens a transaction which is completed when the answer to the question has been delivered or after a defined period of time.

So that S3 can determine for which user instance it must answer the authorization request, a so-called redirect to S1 is carried out. This redirect is characterized by the transfer of target parameters to S3, which passes them on to the user instance. The usage instance S1 uses these target parameters to establish a connection with S3 in (C). Based on the target parameters, the usage instance S1 can be assigned to the requesting DP system S2. The target parameters are between the DV-Vermittlersystem S3 and the requesting computer system S2, z. For example, in a server to server communication, in a message describing the incident such. B. transmitted a SOAP message. According to the characteristics of the requesting computer system S2, the target parameters z. B. in a web service (S2 as a web service) in the form of an HTTP redirect to the browser of the user instance S1 are passed or also by means of SOAP messages between computer systems.

The following assumptions apply to the source data query. Assuming the usage instance is known to S3, ie already authenticated, S3 can identify the associated DV source systems based on the identifier (eg user name, domain name, email address, etc.) of S1. In (D), all available data in a server for server communication are requested for the usage instance and delivered by the source systems. For each DV source system, the corresponding protocol and the associated interface are operated, regardless of the degree of distribution of the data.

CASE STUDY 1: If a user instance is not authenticated (that is, does not carry a known authentication feature), S3 identifies this and the user instance is used, for example. B. authenticated according to Liberty Alliance or any other method. In this case, further systems can be used to process the authentication or the user instance to be passed to them for the purpose of authentication. These steps of the implicit authentication or registration and possibly communication with other systems is not shown here.

FALL DISTINCTION 2: Is the usage instance (also in other systems) still not authentifiable? It can be passed from, S3 into a registration process with any system. Afterwards, the user instance can be authenticated and possibly data for authorization has been set up. An alternative to this is a generic privilege associated with an unauthentic use instance of S3 as a function of S2. Further dependencies are possible and are determined by S3. A second alternative is to initiate a process whereby the user instance acquires the rights so that they are subsequently available for the authorization query. This acquisition of rights can z. Example, by a payment to another system, so that are set up for the user of use in source systems that are connected to S3, as part of the overall transaction raw data. For this device or payment, the usage instance in (E) is transferred by means of a redirect to a source system. There, in step (F), S1 acquires the establishment of the source data in a source-data-specific method which is of no significance to the system S3 and is not shown here. After completion of these configuration dialogs, the usage instance is transferred back to S3 first in (F) and then in (E) by means of a redirect.

The source data is stored in S3 on the basis of a descriptive document such. B. an XML file and compared compared to the system S2 stored rules and a descriptive document. The rules state which characteristic of information must be present in the S3 own object model for the use instance, so that the authorization can be positively answered. The result of the comparison is stored "as an authorization response" to the transaction.

CASE STUDY 3: If the response to the authorization request after evaluation of the raw data is negative for a use instance, then S1 from S3, if this is permitted for the requesting system S2 (deposited in a descriptive document), is transferred to an alternative process according to CASE STUDY 2 (Redirect in (E) and (F) for setting up raw data in source systems). Subsequently, the new raw data are re-evaluated for their authorization information and a response for S2 is generated.

In the case of the redirect response, the usage instance is redirected to the requesting DP system S2 via a redirect in the same method as under "Redirect request" with the target parameters for S2 of S3. In this case, the information is also passed in the target parameters to which transaction the original request or query of the authorization results is assigned.

On the basis of the target parameters from the previous method step, the system S2, the result of the authorization in a server to server communication z. B. with a SOAP message at S3 query (B) and receives in this way the result of the authorization in response. The query of the response is based on the same interface as the request for the authorization in the DV-mediator system. This allows the requesting DV system a uniform interface regardless of the necessary steps to generate a response and regardless of the distribution of data. Optionally to the authorization result z. For example, additional data about the use instance may be provided (this must be supported by the protocol).

The requesting DP system S2 provides the power in (A) depending on the response. The usage instance can be assigned to the original usage request in another method.

Claims (18)

A method for answering authorization requests (A) from a utilization system (S1) to at least one service system (S2) by means of http / https, with an intermediary system (S3) having access to the authorization information (A) and being responsible for the authorization, comprising the following steps: - forwarding via a connection (B) of the authorization request from the service system (S2) to the intermediary system (S3); Acceptance via the connection (B) of the authorization request, by the intermediary system (S3) only if the service system (S2) is in trust with the intermediary system (S3), - transfer of target parameters between the service system (S2) and the intermediary system ( S3) via the connection (B), for the purpose of redirecting the utilization system (S1) to the mediator system (S3), - by the redirect, a communication (C) of the mediator system (S3) with the utilization system (S1); in communication (C), the usage system (S1) is authenticated indirectly or directly and with the aid of rules in the intermediary system (S3) and / or with the aid of at least one source system (S4); - If the authentication is positive, the usage system (S1) is again redirected to the service system (S2), as the basis for the Zielparameterübergabe in connection (B) in the authorization request from the service system (S2) to the intermediary system (S3), at the same time in the mediator system (S3) determines the result of the authorization on the basis of the authentication from the utilization system (S1) by the communication (C) and the authorization request from the service system (S2), the result is exchanged over the connection (B), the result of the authorization request can then the service system (S2) from the intermediary system (S3) pick up, or the switching system (S3) tells the service system (S2), then allows the service system (S2) the use system (S1) the access (A) and communicates with this, so that both the authorization request and the response to it between the service system (S2) and the utilization system (S3) take place directly via the connection (B) and the utilization system (S1) does not act as a mediator. The method of the preceding claim, wherein the mediation system determines, based on rules, the authorization question, and / or the service system, how to authorize, and on the basis of the determined steps, executes a transaction within which the authorization is made. The method according to one or more of the preceding claims, wherein the mediator system consists of one or more mediator systems and / or back-end systems providing the authorization data through secure communication and policies. The method according to one or more of the preceding claims, wherein the authorization data represent profile data and / or rights. The method of one or more of the preceding claims, wherein upon a failed first authorization, the mediation system makes alternative authorization attempts based on the rules. The method according to one or more of the preceding claims, wherein the intermediary system uses its own data models, which allow it, together with its own query, combination, and checking mechanisms to answer an authorization request optimized and initiate necessary intermediate processes if necessary. The method according to one or more of the preceding claims, wherein the authorization data are compared on the basis of a descriptive document with the rules deposited for the usage system. The method according to one or more of the preceding claims, wherein a check of the assignability of the user instance to backend systems takes place and possibly a transfer of the user instance to third party systems for the generation of authorization information and a subsequent acceptance of the user instance takes place. Apparatus characterized by means arranged such that a method sequence according to one or more of the preceding claims can be carried out. Device, in particular mediator system (S3), for answering (A) authorization requests from a utilization system (S1) to at least one service system (S2) by means of http / https, with means and a device that perform the following procedure: - forwarding via a connection (B) of the authorization request from the service system (S2) to the intermediary system (S3); Acceptance via a connection (B) of the authorization request, by the intermediary system (S3) only if the service system (S2) is in a trust relationship with the intermediary system (S3), Transfer of target parameters between the service system (S2) and the intermediary system (S3) via the connection (B), for the purpose of redirecting the utilization system (S1) to the intermediary system (S3), - Through the redirect there is a communication (C) of the intermediary system (S3) with the utilization system (S1); in the communication (C) the utilization system (S1) is authenticated indirectly or directly and with the aid of rules in the intermediary system (S3) and / or with the aid of at least one source system (S4), - If the authentication is positive, the usage system (S1) is again redirected to the service system (S2), the basis for this is the destination parameter transfer in (B) during the authorization request from the service system (S2) to the intermediary system (S3); at the same time, the result of the authorization is determined in the intermediary system (S3) on the basis of the authentication from the utilization system (S1) by the communication (C) and the authorization request from the service system (S2), the result is exchanged over the connection (B), the result of Authorization request may then pick up the service system (S2) from the broker system (S3) or the switching system (S3) notifies the service system (S2) then the service system (S2) allows the usage system (S1) access (A) and communicates with it, so that both the authorization request and the response to it occur between the service system (S2) and the usage system (S3) directly via the connection (B) and the usage system (S1) does not act as a mediator. The device according to the preceding device claim is determined by means such as on the basis of rules, the authorization question and / or the service system itself, how the authorization has to be made, and on the basis of the determined steps a transaction is carried out within which Authorization takes place. The apparatus of one or more of the preceding apparatus claims, wherein the mediator system consists of one or more mediator systems and / or back-end systems that provide the authorization data through secure communication and policies. The device according to one or more of the preceding device claims, wherein means are provided for interpreting the authorization data in the form of profile data and / or rights. The apparatus of one or more of the preceding apparatus claims, wherein there are means whereby, in the event of a failed first authorization, the mediator system makes alternative authorization attempts based on the rules. The device according to one or more of the preceding device claims, wherein means are provided to use own data models that allow, together with own query, combination, and checking mechanisms to answer an authorization request optimized and initiate necessary intermediate processes if necessary. The device according to one or more of the preceding device claims, wherein means are provided for comparing the authorization data based on a descriptive document with the rules deposited for the utilization system. The device according to one or more of the preceding device claims, wherein means are provided which perform a check of the assignability of the user instance to back-end systems and if necessary have a transfer of the user instance to third-party systems for generating authorization information and a subsequent acceptance of the user instance. A data carrier having a data structure that when loaded into a random access memory of a computer performs a method according to one or more of the preceding method claims.

Images