WO2010149222A1 - Attribute management - Google Patents

Attribute management

Info

Publication number
WO2010149222A1
Authority
WO
WIPO (PCT)
Prior art keywords
attribute
manage
user
request
value
Application number
PCT/EP2009/058060
Other languages
English (en)
Inventor
Markus Bauer-Hermann
Robert Seidl
Original Assignee
Nokia Siemens Networks Oy
Priority date
2009-06-26
Filing date
2009-06-26
Publication date
2010-12-29

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/2866 Architectures; Arrangements > H04L67/30 Profiles > H04L67/306 User profiles
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • The present invention relates to attribute management in an identity management system.
  • Federated identity management, or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise autonomous security domains.
  • A goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience.
  • SAML: Security Assertion Markup Language
  • XML: Extensible Markup Language
  • SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
  • SAML is a specification defined by OASIS (Organization for the Advancement of Structured Information Standards).
  • The SAML protocol currently provides two methods that enable a service provider to retrieve attributes relating to a user that has been authenticated by an identity provider.
  • The first method is an Attribute-Push-Method, in which the identity provider can send attribute information within the SAML assertion provided in response to the service provider's user authentication request.
  • The second method is an Attribute-Pull-Method, in which the service provider can use an AttributeAuthority message or an AttributeQuery message to retrieve information regarding user attributes from the identity provider once the user has been authenticated by the identity provider.
  • The service provider can only obtain information relating to the attributes of the user logged into the service provider.
  • A problem with the conventional systems and methods is that there currently exists no mechanism to enable a service provider to transmit user attributes to be stored at the identity provider. This is particularly disadvantageous because the user cannot reuse a single profile containing user attributes, such as layout or preferred e-mail address, for different service providers. In current systems and methods the user is only able to store and change attributes locally at each service provider, meaning that the user has to enter and change the same attributes multiple times to keep them consistent for each of the different service providers the user has an account with. A further problem can arise when storing attributes at the service provider.
  • If a user creates a temporary or transient account with a service provider, the user cannot reuse the attributes relating to the temporary or transient account when the user next logs on to the service provider. By the very nature of a temporary or transient account, the next time the user logs on to the service provider the user will have a different username, so the service provider will not be able to link the attributes of the user's temporary account with the user's permanent account.
  • The present invention seeks to address at least some of the problems outlined above.
  • A method comprising the steps of: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • Many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be transmitted to an identity provider, where the identity provider may store the attribute values for the attributes.
  • A service provider may transmit the attribute values to the identity provider in a manage attribute request, which requests that the identity provider store the attribute values for the at least one attribute.
  • A response will be received from the identity provider that includes the stored attribute values for the attributes.
  • The method may further comprise the step of: receiving a request from a user to store at the identity provider the attribute value for at least one attribute.
  • A user can thus initiate the process of storing specific attribute values at the identity provider.
  • A user may, for example, fill in a form via a web browser on a user device, identifying the attributes and the corresponding attribute values that the user wishes to change or store at the identity provider.
  • The method may further comprise the step of: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
  • As the manage attribute response from the identity provider includes the attribute values that have been stored, it can be determined whether the attribute values for the attributes have been stored correctly or successfully. For example, if the stored attribute values do not match the attribute values that were included in the manage attribute request, then it may be determined that an error has occurred in storing the attribute values at the identity provider.
  • The method may further comprise transmitting a message to a user device, where the message informs the user whether or not the attributes were successfully stored.
  • A user of a service provider may have a profile that includes several attributes.
  • The profile will include attributes relating to the user and attributes relating to the service provider that the user has an account with.
  • User-related attributes may define aspects relating to the user, for example given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on.
  • Service-provider-related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have; for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
  • The manage attribute request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; and the manage attribute response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
  • An apparatus comprising: an output adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and a first input adapted to receive a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • An apparatus adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receive a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • The apparatus may be further adapted, for example by comprising a second input, to receive a request from a user to store at the identity provider the attribute value for at least one attribute.
  • The apparatus may be further adapted, for example by comprising a processor, to determine if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
  • The apparatus may be further adapted, for example by comprising a second output, to transmit a message to the user, where the message indicates whether or not the attribute values were successfully or correctly stored at the identity provider.
  • The apparatus may be a server or a computing device.
  • The apparatus may be operated by a service provider.
  • The first input and the second input may be the same input or different inputs to the apparatus.
  • The first output and the second output may be the same output or different outputs of the apparatus.
  • The apparatus may be adapted to perform the functions in many different ways.
  • The apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
  • A computer program or a computer program product comprising computer readable executable code for: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • The computer program product may further comprise computer readable executable code for: receiving a request from a user to store at the identity provider the attribute value for at least one attribute.
  • The computer program product may further comprise computer readable executable code for: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
  • The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
  • A method comprising the steps of: receiving a manage attribute request from a service provider, wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider, wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
  • Many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be received from a service provider and then stored in a database. Once the attribute values have been stored in the database, a manage attribute response may be generated and transmitted to the service provider, where the response includes the stored attribute values.
  • An identity provider may receive the manage attribute request from the service provider; the database may be located at the identity provider, and the identity provider may generate and transmit the manage attribute response.
  • The manage attribute request may be in accordance with the Security Assertion Markup Language protocol; and the manage attribute response may be in accordance with the Security Assertion Markup Language protocol.
  • An apparatus comprising: an input adapted to receive a manage attribute request from a service provider, wherein said manage attribute request includes an attribute value for at least one attribute; a processor adapted to store said attribute value for said at least one attribute in a database; and an output adapted to transmit a manage attribute response to said service provider, wherein said manage attribute response includes said stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • An apparatus adapted to: receive a manage attribute request from a service provider, wherein the manage attribute request includes an attribute value for at least one attribute; store the attribute value for the at least one attribute in a database; and transmit a manage attribute response to the service provider, wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
  • The apparatus may be a server or a computing device.
  • The apparatus may be operated by an identity provider.
  • The apparatus may be adapted to perform the functions in many different ways.
  • The apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
  • A computer program or computer program product comprising computer readable executable code for: receiving a manage attribute request from a service provider, wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider, wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
  • The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
  • An advantage of many embodiments of the present invention is that a new mechanism is provided which enables user attributes to be stored in a database of the identity provider, where the process is initiated by a service provider.
  • A further advantage of many embodiments of the present invention is that, by storing user attributes in a database of the identity provider, the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently.
  • If the user attributes stored in a database of the identity provider are to be changed, the user does not have to manually change the same attribute for each of the service providers with which the user has an account, as the changed attribute values at the identity provider may be used by all service providers.
  • FIG. 1 is a block diagram of an identity management system in accordance with the aspects of the present invention.
  • FIG. 2 shows a message sequence in accordance with aspects of the present invention.
  • Figure 1 shows a system, indicated generally by the reference numeral 101, comprising an end user 105, a user device 102, a service provider 103 and an identity provider 104.
  • When the end user 105 of the system 101 wants to access a secure resource, service or application at the service provider 103, and the service provider 103 requires the user's identity to be authenticated, the identity provider 104 can be used to provide the required authentication information to the service provider 103.
  • The user device may comprise inputs and outputs 106 in order to receive and transmit messages and data.
  • The user device may be a computing device, such as a computer, or a mobile device, such as a mobile phone or personal digital assistant.
  • The service provider 103 may include a server or computing device that may comprise inputs and outputs 107 and processors 108.
  • The identity provider 104 may include a server or computing device that may comprise inputs and outputs 109 and processors 110.
  • SAML assumes that the user 105 has enrolled with at least one identity provider (such as the identity provider 104).
  • The identity provider 104 is expected to provide local authentication services to the user 105.
  • The service provider 103 relies on the identity provider 104 to identify the user 105.
  • When a user 105 wants to access a service that is provided by a service provider 103 that has a contract with the identity provider 104 (i.e. the service provider 103 and the identity provider 104 form at least part of a circle of trust), the service provider 103 requests a user authentication from the identity provider 104. In response to the service provider's request, the identity provider 104 passes a SAML assertion to the service provider 103. On the basis of this assertion, the service provider 103 can make decisions; for example, the service provider 103 can decide whether to grant access to the resources, services or applications requested by the user 105.
  • If the user 105 has been authenticated, the user 105 is logged in to the service provider 103 and can access the services, resources and/or applications that the user 105 wishes to use.
  • The embodiments of the present invention provide a new mechanism to enable the user 105 to store and/or change user-specific attributes and the user's service provider attributes in an identity provider's database via the service provider.
  • A user 105 will have a profile that includes several attributes.
  • The profile will include attributes relating to the user and attributes relating to each of the service providers that the user has an account with.
  • User-related attributes may define aspects relating to the user, for example given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on.
  • Service-provider-related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have; for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
  • The attributes defining a user profile may be stored in a database at the identity provider. If an attribute value does not exist in the database for a particular attribute, it can be created by storing an attribute value for that attribute. If an attribute itself does not exist, it can be created by storing the attribute along with a corresponding attribute value in the database. If an attribute value for a particular attribute exists and the user wishes to change it, this can be done by storing the new attribute value in place of the previous attribute value for that attribute in the database. In other words, the user may add or change any attribute relating to the user or to the user's account with a service provider by storing the appropriate attribute value in a database at the identity provider.
  • Figure 2 shows an exemplary message sequence, indicated generally by the reference numeral 201, demonstrating the process of storing attribute values relating to a user's profile at the identity provider in accordance with the embodiments.
  • The message sequence 201 starts with the end user 105 sending a message 202 to the service provider 103 via a user device 102 (for example using a web browser), requesting to add or change an attribute of the user's profile.
  • The user 105 may request to change or add attributes by, for example, entering data into a form on the service provider 103.
  • The service provider 103 will then generate a new message called ManageAttributeRequest, which will include an AttributeStatement block containing at least one attribute value for one or more attributes that the user 105 wishes to change or store at the identity provider 104.
  • An example ManageAttributeRequest message is given below.
  • The message given below is only an example of the format and content of a ManageAttributeRequest message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
  • xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
  • x500:Encoding="LDAP"
  • NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  • NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  • Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
  • FriendlyName="mail"><saml:AttributeValue
  • The service provider passes 203 the ManageAttributeRequest to the identity provider 104.
  • The ManageAttributeRequest may be passed to the identity provider as an HTTP redirect via the user device 102.
  • On receipt of the ManageAttributeRequest, the identity provider 104 will process 204 the request and store the identified attribute values for the identified user attributes in a database of the identity provider 104.
  • An attribute value may be changed by storing the new attribute value in place of the previous attribute value for the particular attribute.
  • The identity provider 104 will generate a ManageAttributeResponse message that includes an AttributeStatement block.
  • The AttributeStatement block will include the attribute values of the attributes that have been stored in the database of the identity provider 104.
  • An example ManageAttributeResponse message is given below. The message given below is only an example of the format and content of a ManageAttributeResponse message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
  • NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  • The identity provider 104 passes 205 the ManageAttributeResponse to the service provider 103.
  • The ManageAttributeResponse may be passed to the service provider 103 as an HTTP redirect via the user device 102.
  • On receipt of the ManageAttributeResponse, the service provider 103 can check and verify 206 that the attributes have been correctly stored in the database of the identity provider 104.
  • The attribute values for the user attributes included in the ManageAttributeResponse from the identity provider 104 were retrieved from the database of the identity provider after the attribute values were stored in the database.
  • The service provider can therefore determine that the correct attribute values were stored in the identity provider's database.
  • The service provider 103 may then send 207 a message to the user device 102 to inform the user 105 that the attribute values of the user attributes the user requested to change or store were successfully (or not) stored at the identity provider 104.
  • The embodiments of the present invention provide a new mechanism that enables user attributes to be stored in a database of the identity provider rather than stored by the service provider.
  • The embodiments also provide a new mechanism for editing or changing specific attributes stored in a database of the identity provider.
  • The embodiments of the present invention provide several advantages over the conventional systems which, as discussed hereinabove, do not enable a user of a service provider to store attributes directly in the identity provider's database or enable a user to change specific attributes stored in the identity provider's database via a service provider.
  • One advantage is that, by storing user attributes in a database of the identity provider, the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently. Furthermore, by providing the capability for a user to change attributes stored in a database of the identity provider, the user does not have to manually change the same attribute for each of the service providers with which the user has an account.
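The ManageAttributeRequest / ManageAttributeResponse exchange of Figure 2 (steps 203 to 206) and the matching check described for the manage attribute response above, worked through as an added example. This is not code from the patent or from Nokia Siemens Networks: the element names samlp:ManageAttributeRequest and samlp:ManageAttributeResponse, the entity identifiers, the user identifier "user-42", the preferredLanguage attribute and the circle-of-trust check on the request's Issuer are assumptions made for the illustration, and the max_value_length limit is a constructed failure mode that shows how the service provider's comparison catches a value the identity provider did not store as requested.

```python
"""Added example (not the patent's code): simulate the ManageAttributeRequest /
ManageAttributeResponse exchange and the service provider's check that the
identity provider stored what was asked. Element names, entity identifiers,
the user identifier and the trust check are assumptions for illustration."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)

# Attribute names: the first is the Name from the page's example message
# (FriendlyName "mail"); the second is a constructed service-provider attribute.
MAIL_ATTR = "urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
LANG_ATTR = "urn:example:preferredLanguage"


def _q(ns, tag):
    """Clark-notation qualified tag name for ElementTree."""
    return "{%s}%s" % (ns, tag)


def build_message(tag, issuer, subject, attributes):
    """Build a (hypothetical) samlp:ManageAttributeRequest or
    samlp:ManageAttributeResponse whose AttributeStatement holds one
    saml:Attribute per entry of `attributes` ({name: value})."""
    msg = ET.Element(_q(SAMLP_NS, tag))
    ET.SubElement(msg, _q(SAML_NS, "Issuer")).text = issuer
    subj = ET.SubElement(msg, _q(SAML_NS, "Subject"))
    ET.SubElement(subj, _q(SAML_NS, "NameID")).text = subject
    stmt = ET.SubElement(msg, _q(SAML_NS, "AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, _q(SAML_NS, "Attribute"),
                             Name=name, NameFormat=NAME_FORMAT)
        ET.SubElement(attr, _q(SAML_NS, "AttributeValue")).text = value
    return ET.tostring(msg, encoding="unicode")


def parse_message(xml_text):
    """Return (issuer, subject, {attribute name: value}) from either message."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext(_q(SAML_NS, "Issuer"))
    subject = root.findtext(_q(SAML_NS, "Subject") + "/" + _q(SAML_NS, "NameID"))
    attrs = {}
    for attr in root.iter(_q(SAML_NS, "Attribute")):
        attrs[attr.get("Name")] = attr.findtext(_q(SAML_NS, "AttributeValue")) or ""
    return issuer, subject, attrs


class IdentityProvider:
    """Identity provider side (steps 204 and 205). `trusted_sps` stands in for
    the circle of trust; `max_value_length` is a constructed storage limit used
    only to produce a value that is stored differently from what was requested."""

    def __init__(self, entity_id, trusted_sps, max_value_length=None):
        self.entity_id = entity_id
        self.trusted_sps = set(trusted_sps)
        self.max_value_length = max_value_length
        self.db = {}  # subject -> {attribute name: stored value}

    def handle_manage_attribute_request(self, request_xml):
        issuer, subject, attrs = parse_message(request_xml)
        if issuer not in self.trusted_sps:
            raise PermissionError("issuer %r is not in the circle of trust" % issuer)
        profile = self.db.setdefault(subject, {})
        for name, value in attrs.items():
            if self.max_value_length is not None:
                value = value[: self.max_value_length]
            profile[name] = value  # creates the attribute or replaces its old value
        # The response reports what is now in the database for the requested
        # attributes, re-read after the store, not an echo of the request.
        stored = {name: profile[name] for name in attrs}
        return build_message("ManageAttributeResponse", self.entity_id, subject, stored)


def verify_stored(request_xml, response_xml):
    """Service provider side (step 206): every value the request asked to store
    must come back unchanged in the response. Returns (ok, mismatched names)."""
    _, req_subject, requested = parse_message(request_xml)
    _, resp_subject, stored = parse_message(response_xml)
    if req_subject != resp_subject:
        return False, sorted(requested)
    mismatched = sorted(n for n, v in requested.items() if stored.get(n) != v)
    return not mismatched, mismatched


def run_exchange(idp, sp_entity_id, subject, attributes):
    """Steps 203 to 206 end to end; returns the service provider's verdict."""
    request_xml = build_message("ManageAttributeRequest", sp_entity_id, subject, attributes)
    response_xml = idp.handle_manage_attribute_request(request_xml)
    return verify_stored(request_xml, response_xml)


if __name__ == "__main__":
    SP = "https://sp.example/metadata"  # constructed entity identifiers
    idp = IdentityProvider("https://idp.example/metadata", {SP})
    print(run_exchange(idp, SP, "user-42", {MAIL_ATTR: "alice@example.org", LANG_ATTR: "de"}))
    print(run_exchange(idp, SP, "user-42", {LANG_ATTR: "fr"}), idp.db["user-42"])
    limited = IdentityProvider("https://idp.example/metadata", {SP}, max_value_length=8)
    print(run_exchange(limited, SP, "user-42", {MAIL_ATTR: "alice@example.org"}))
```

The response carries values re-read from the identity provider's store after the write, as the description requires, so the service provider's comparison checks the stored state rather than an echo of its own request; the truncating provider in the last call is how that check surfaces a silent storage error. In a deployment the response would additionally be signed by the identity provider and the request bound to the user authenticated in the current session, so that only the service provider the user is logged into can alter that user's profile; the Issuer check here stands in for that binding.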

Abstract

Methods and apparatus are provided for storing and managing user attributes at an identity provider (104). A service provider (103) can pass (203) a manage attribute request, which includes attribute values for at least one attribute, to the identity provider (104). The identity provider (104) stores (204) the attribute values and returns (205) a manage attribute response message to the service provider.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/058060 WO2010149222A1 (fr) 2009-06-26 2009-06-26 Attribute management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/058060 WO2010149222A1 (fr) 2009-06-26 2009-06-26 Attribute management

Publications (1)

Publication Number Publication Date
WO2010149222A1 true WO2010149222A1 (fr) 2010-12-29

Family

ID=42040338

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2009/058060 WO2010149222A1 (fr) 2009-06-26 2009-06-26 Attribute management

Country Status (1)

Country Link
WO (1) WO2010149222A1 (fr)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014039882A1 (fr) * 2012-09-07 2014-03-13 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
US9015114B2 (en) 2012-09-07 2015-04-21 Oracle International Corporation Data synchronization in a cloud infrastructure
US9053302B2 (en) 2012-06-08 2015-06-09 Oracle International Corporation Obligation system for enterprise environments
US9253113B2 (en) 2012-09-07 2016-02-02 Oracle International Corporation Customizable model for throttling and prioritizing orders in a cloud environment
US9276942B2 (en) 2012-09-07 2016-03-01 Oracle International Corporation Multi-tenancy identity management system
US9467355B2 (en) 2012-09-07 2016-10-11 Oracle International Corporation Service association model
US9542400B2 (en) 2012-09-07 2017-01-10 Oracle International Corporation Service archive support
US9608958B2 (en) 2013-03-12 2017-03-28 Oracle International Corporation Lightweight directory access protocol (LDAP) join search mechanism
US9621435B2 (en) 2012-09-07 2017-04-11 Oracle International Corporation Declarative and extensible model for provisioning of cloud based services
US9667470B2 (en) 2012-09-07 2017-05-30 Oracle International Corporation Failure handling in the execution flow of provisioning operations in a cloud environment
US10148530B2 (en) 2012-09-07 2018-12-04 Oracle International Corporation Rule based subscription cloning
US10164901B2 (en) 2014-08-22 2018-12-25 Oracle International Corporation Intelligent data center selection
US10521746B2 (en) 2012-09-07 2019-12-31 Oracle International Corporation Recovery workflow for processing subscription orders in a computing infrastructure system
EP3928211A4 (fr) * 2019-02-19 2022-11-02 CloudBlue LLC System and method for mass user service assignment using a CSV file

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030149781A1 (en) * 2001-12-04 2003-08-07 Peter Yared Distributed network identity
US20040128378A1 (en) * 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for user-determined attribute storage in a federated environment
US20060236382A1 (en) * 2005-04-01 2006-10-19 Hinton Heather M Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
OASIS: "Security Assertion Markup Language (SAML) V2.0 Technical Overview", Committee Draft 02, 25 March 2008 (2008-03-25), http://www.oasis-open.org/, XP002578461, retrieved from the Internet <URL:http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.pdf> [retrieved on 2010-04-14] *
SHOICHIROU FUJIWARA ET AL: "A Privacy Oriented Extension of Attribute Exchange in Shibboleth", Applications and the Internet Workshops, 2007 (SAINT Workshops 2007), International Symposium on, IEEE, 1 January 2007 (2007-01-01), pages 28-28, XP031044122, ISBN: 978-0-7695-2757-4 *

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9053302B2 (en) 2012-06-08 2015-06-09 Oracle International Corporation Obligation system for enterprise environments
US9058471B2 (en) 2012-06-08 2015-06-16 Oracle International Corporation Authorization system for heterogeneous enterprise environments
US10009219B2 (en) 2012-09-07 2018-06-26 Oracle International Corporation Role-driven notification system including support for collapsing combinations
WO2014039882A1 (fr) * 2012-09-07 2014-03-13 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
US9621435B2 (en) 2012-09-07 2017-04-11 Oracle International Corporation Declarative and extensible model for provisioning of cloud based services
US9203866B2 (en) 2012-09-07 2015-12-01 Oracle International Corporation Overage framework for cloud services
US9219749B2 (en) 2012-09-07 2015-12-22 Oracle International Corporation Role-driven notification system including support for collapsing combinations
US9253113B2 (en) 2012-09-07 2016-02-02 Oracle International Corporation Customizable model for throttling and prioritizing orders in a cloud environment
US9276942B2 (en) 2012-09-07 2016-03-01 Oracle International Corporation Multi-tenancy identity management system
US9319269B2 (en) 2012-09-07 2016-04-19 Oracle International Corporation Security infrastructure for cloud services
US9397884B2 (en) 2012-09-07 2016-07-19 Oracle International Corporation Workflows for processing cloud services
US9467355B2 (en) 2012-09-07 2016-10-11 Oracle International Corporation Service association model
US9501541B2 (en) 2012-09-07 2016-11-22 Oracle International Corporation Separation of pod provisioning and service provisioning
US9542400B2 (en) 2012-09-07 2017-01-10 Oracle International Corporation Service archive support
US9069979B2 (en) 2012-09-07 2015-06-30 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
US11075791B2 (en) 2012-09-07 2021-07-27 Oracle International Corporation Failure handling in the execution flow of provisioning operations in a cloud environment
US10581867B2 (en) 2012-09-07 2020-03-03 Oracle International Corporation Multi-tenancy identity management system
US9667470B2 (en) 2012-09-07 2017-05-30 Oracle International Corporation Failure handling in the execution flow of provisioning operations in a cloud environment
US9734224B2 (en) 2012-09-07 2017-08-15 Oracle International Corporation Data synchronization in a cloud infrastructure
US9792338B2 (en) 2012-09-07 2017-10-17 Oracle International Corporation Role assignments in a cloud infrastructure
US9838370B2 (en) 2012-09-07 2017-12-05 Oracle International Corporation Business attribute driven sizing algorithms
US9015114B2 (en) 2012-09-07 2015-04-21 Oracle International Corporation Data synchronization in a cloud infrastructure
US10148530B2 (en) 2012-09-07 2018-12-04 Oracle International Corporation Rule based subscription cloning
US9619540B2 (en) 2012-09-07 2017-04-11 Oracle International Corporation Subscription order generation for cloud services
US10212053B2 (en) 2012-09-07 2019-02-19 Oracle International Corporation Declarative and extensible model for provisioning of cloud based services
US10521746B2 (en) 2012-09-07 2019-12-31 Oracle International Corporation Recovery workflow for processing subscription orders in a computing infrastructure system
US9608958B2 (en) 2013-03-12 2017-03-28 Oracle International Corporation Lightweight directory access protocol (LDAP) join search mechanism
US10164901B2 (en) 2014-08-22 2018-12-25 Oracle International Corporation Intelligent data center selection
EP3928211A4 (fr) * 2019-02-19 2022-11-02 CloudBlue LLC System and method for mass user service assignment using a CSV file

Similar Documents

Publication Publication Date Title
WO2010149222A1 (fr) Attribute management
EP1700416B1 (fr) Access control for federated identities
US8117459B2 (en) Personal identification information schemas
US8104074B2 (en) Identity providers in digital identity system
US8060632B2 (en) Method and system for user-determined attribute storage in a federated environment
US8707412B2 (en) Application identity design
CN106716960B (zh) User authentication method and system
CN106716918B (zh) User authentication method and system
US20100077467A1 (en) Authentication service for seamless application operation
CN101426009A (zh) Identity management platform, service server, unified login system and method
CN104255007A (zh) OAuth framework
CN103004244A (zh) Use of the generic bootstrapping architecture in combination with web applications and web pages
JP5422753B1 (ja) Policy management system, ID provider system and policy evaluation device
US20130185809A1 (en) System for delegation of authority, access management service system, medium, and method for controlling the system for delegation of authority
WO2004006130A1 (fr) Method and system for managing cookies in accordance with a privacy policy
JP2013137588A (ja) Authentication federation system and ID provider device
WO2003091861A9 (fr) System for efficient browser-based identity management, providing personal control and anonymity
US20160212123A1 (en) System and method for providing a certificate by way of a browser extension
JP5565408B2 (ja) ID authentication system, ID authentication method, authentication server, terminal device, authentication method for the authentication server, communication method for the terminal device, and program
JP2016148919A (ja) User attribute information management system and user attribute information management method
US20100250607A1 (en) Personal information management apparatus and personal information management method
JP2011197874A (ja) Server device and program
WO2014070269A1 (fr) Methods and systems for managing directory information
CN113411324B (zh) Method and system for implementing login authentication based on CAS and a third-party server
CN107864114B (zh) Group insurance account login method and system

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 09779977; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 09779977; Country of ref document: EP; Kind code of ref document: A1)