WO2010149223A1 - Identity management - Google Patents

Identity management

Info

Publication number
WO2010149223A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
identifier
service provider
request
name
Prior art date
Application number
PCT/EP2009/058062
Other languages
French (fr)
Inventor
Robert Seidl
Markus Bauer-Hermann
Original Assignee
Nokia Siemens Networks Oy
Application filed by Nokia Siemens Networks Oy
Priority to PCT/EP2009/058062
Publication of WO2010149223A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2115 Third party
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2117 User registration

Definitions

  • the present invention relates to identity management.
  • Federated identity management or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise autonomous security domains.
  • a goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, and without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience.
  • SAML Security Assertion Markup Language
  • XML Extensible Markup Language
  • SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
  • SAML is a specification defined by the OASIS (Organization for the Advancement of Structured Information Standards).
  • an identity provider can be used to provide the required authentication information to the service provider so that the service provider can decide whether to grant access to the resources/services as requested by the user.
  • the service provider will have a contract with the identity provider to provide authentication services.
  • the service provider and the identity provider will form at least part of a circle of trust.
  • a user will request access to a particular application provided by the service provider.
  • the service provider requires user credentials, which credentials are not provided in the request.
  • the service provider sends a SAML authentication request to the identity provider.
  • If the user is known to the identity provider for the service provider, the identity provider returns a SAML authentication response providing credentials, including a unique identifier, for the user.
  • the identity provider may either respond to the SAML authentication request with an error message or may respond to the SAML authentication request with a randomly generated, but unique, identifier according to the identity provider.
  • the service provider should identify that the service provider's user has not been recognised by the identity provider and therefore the service provider will request the user provide their credentials and then inform the identity provider of the actual identifier to be used to identify the user in the future.
  • further problems can occur in the latter case where the identity provider generates and provides the service provider with a random identifier for the user of the service provider.
  • a further different user of the service provider may exist that has an identifier equal to the randomly generated identifier by the identity provider. In this case, the service provider will use the wrong identity to log in and provide services to the user.
  • the present invention seeks to address at least some of the problems outlined above.
  • a method comprising: receiving a name identifier request from an identity provider for an identifier (typically a unique identifier) for a user of a service provider; validating the user; generating a name identifier response to the name identifier request wherein the response includes an identifier (typically a unique identifier) for the validated user for the service provider; and transmitting the name identifier response to the identity provider.
  • an identifier typically a unique identifier
  • many of the embodiments of the present invention enable a service provider to effectively register "on-the-fly" unique identifiers for a user of the service provider with an identity provider. For example, if the service provider is new to the circle-of-trust of the identity provider then the identity provider will not know of the unique identifier for a user of the service provider which is required in order for the identity provider to be able to authenticate a user of the service provider. Accordingly, a name identifier request will be received from the identity provider as the identity provider does not have a unique identifier for the user for the service provider. The user will then be validated. For example, the user may be validated by prompting the user to log in to the service provider and based on the received user login details the user can be validated by the service provider.
  • a name identifier response may be generated which includes a unique identifier that the identity provider may use in the future to authenticate the user of the service provider.
  • the name identifier response may then be transmitted to the identity provider.
  • a user may request a service, resource or application from the service provider. Before the service provider grants access to any services, resources or applications the service provider requires that the user is authenticated.
  • the method may therefore further include receiving a request from a user for a service, resource or application.
  • the method may further comprise transmitting an authentication request to the identity provider to authenticate the user of the service provider.
  • the method may also further comprise receiving an authentication response from the identity provider after the identity provider has been informed of the unique identifier for the user.
  • the step of receiving user login details may comprise receiving a username and password combination for the user.
  • the name identifier request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; and the name identifier response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
  • an apparatus comprising: a first input adapted to receive a name identifier request from an identity provider for an identifier (typically a unique identifier) for a user of a service provider; a first processor adapted to validate the user; a second processor adapted to generate a name identifier response to the name identifier request wherein the response includes an identifier (typically a unique identifier) for the validated user for the service provider; and a first output adapted to transmit the name identifier response to the identity provider.
  • an apparatus adapted to: receive a name identifier request from an identity provider for an identifier (typically a unique identifier) for a user of a service provider; validate the user; generate a name identifier response to the name identifier request wherein the response includes an identifier (typically a unique identifier) for the validated user for the service provider; and transmit the name identifier response to the identity provider.
  • an identifier typically a unique identifier
  • the apparatus may further comprise a second output adapted to prompt the user to log in; and a second input adapted to receive user login details.
  • the login details may be a username and password combination for the user.
  • the apparatus may be a server or computing device and may be operated by a service provider.
  • the first and second input may be the same input or different inputs.
  • the first and second outputs may be the same outputs or different outputs.
  • the first and second processors may be the same processor or different processors.
  • the apparatus may be adapted to perform the functions in many different ways. For example, the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
  • a computer program or a computer program product comprising computer readable executable code for: receiving a name identifier request from an identity provider for an identifier (typically a unique identifier) for a user of a service provider; validating the user; generating a name identifier response to the name identifier request wherein the response includes an identifier (typically a unique identifier) for the validated user for the service provider; and transmitting the name identifier response to the identity provider.
  • an identifier typically a unique identifier
  • the computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
  • a method comprising the steps of: receiving an authentication request from a service provider wherein the authentication request requests an identifier (typically a unique identifier) for a user of the service provider; determining no unique identifier exists for the user for the service provider; generating a name identifier request wherein the name identifier request requests a unique identifier for the user for the service provider; transmitting the name identifier request to the service provider; receiving a name identifier response from the service provider wherein the name identifier response includes a unique identifier for the user for the service provider; and storing the unique identifier for the user for the service provider.
  • an identifier typically a unique identifier
  • many of the embodiments of the present invention enable a unique identifier for a user of a service provider to be stored, preferably at an identity provider, when it is determined that no unique identifier exists for the user of the service provider.
  • An authentication request will be received, preferably at an identity provider, from the service provider and it may be determined that no unique identifier exists for the user of the service provider.
  • a name identifier request will be generated which requests the service provider to supply or inform the identity provider of the unique identifier for a user of the service provider.
  • a name identifier response will be received from a service provider which includes a unique identifier for the user of the service provider. The unique identifier will then be stored so that in the future the user of the service provider can be automatically authenticated by the identity provider.
  • the step of determining may comprise: checking whether the requested unique identifier in the authentication request for the user for the service provider is in a database; and the step of storing comprises: adding the unique identifier received in the name identifier response for the user for the service provider to the database.
  • the method may further comprise sending an authentication response to the original authentication request once the unique identifier has been stored.
  • the authentication request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; the name identifier request may be in accordance with Security Assertion Markup Language protocol; and the name identifier response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
  • an apparatus comprising: a first input adapted to receive an authentication request from a service provider wherein the authentication request requests an identifier (typically a unique identifier) for a user of the service provider; a first processor adapted to determine if no unique identifier exists for the user for the service provider; a second processor adapted to generate a name identifier re- quest wherein the name identifier request requests a unique identifier for the user for the service provider; an output means adapted to transmit the name identifier request to the service provider; a second input means adapted to receive a name identifier response from the service provider wherein the name identifier response includes a unique identifier for the user for the service provider; and a third processor adapted to store the unique identifier for the user for the service provider.
  • the first processor is further adapted to check whether the requested unique identifier in the authentication request for the user for the service provider is in a database; and the third processor is further adapted to add the unique identifier received in the name identifier response for the user for the service provider to the database.
  • an apparatus adapted to: receive an authentication request from a service provider wherein the authentication request requests an identifier (typically a unique identifier) for a user of the service provider; determine no unique identifier exists for the user for the service provider; generate a name identifier request wherein the name identifier request requests a unique identifier for the user for the service provider; transmit the name identifier request to the service provider; receive a name identifier response from the service provider wherein the name identifier response includes a unique identifier for the user for the service provider; and store the unique identifier for the user for the service provider.
  • an identifier typically a unique identifier
  • the apparatus may be adapted to perform the functions in many different ways.
  • the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
  • the first and second inputs may be the same input or different inputs.
  • the first, second and third processors may be the same processor, different processors or any combination of processors.
  • the apparatus may be a server or computing device and may be operated by an identity provider.
  • a computer program or a computer program product comprising computer readable executable code for: receiving an authentication request from a service provider wherein the authentication request requests an identifier (typically a unique identifier) for a user of the service provider; determining no unique identifier exists for the user for the service provider; generating a name identifier request wherein the name identifier request requests a unique identifier for the user for the service provider; transmitting the name identifier request to the service provider; receiving a name identifier response from the service provider wherein the name identifier response includes a unique identifier for the user for the service provider; and storing the unique identifier for the user for the service provider.
  • an identifier typically a unique identifier
  • the computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
  • An advantage of many of the embodiments of the present invention is that when a service provider is added to the circle-of-trust of an identity provider there is no need for the service provider to import all of their users into the identity provider as this registration of the users of the service provider with the identity provider can be performed on-the-fly.
  • Another advantage of many of the embodiments is that there is no need to synchronise the service provider and identity provider as this process may now also be performed on-the-fly using the new mechanism of the embodiments of the invention.
  • Figure 1 is a block diagram demonstrating the use of identity management in accordance with aspects of the invention.
  • FIG. 2 shows a message sequence in accordance with aspects of the invention.
  • a service provider may use an identity provider for Single Sign On (SSO) and Account Provisioning for web services and web applications provided by the service provider.
  • SSO Single Sign On
  • Account Provisioning for web services and web applications provided by the service provider.
  • the system 101 comprises a user device 102, an identity provider 104 and a service provider 103.
  • the user device 102 may, for example, be a computer or a mobile device such as a mobile telephone, Personal Digital Assistant (PDA) and so on.
  • the user device 102 can communicate with the service provider 103 via a network 105 such as the Internet, a wireless network and so on.
  • a user 106 may request a service, the use of a service, application or resource from the service provider 103 by connecting with the service provider 103 over the network 105.
  • the user 106 may request a service by directing a web browser on the user device 103 to a particular Uniform Resource Locator (URL) for the service, application or resource.
  • URL Uniform Resource Locator
  • the service provider 103 requires that the user 106 is authenticated.
  • the identity provider 104 can be used to provide the necessary user authentication thereby enabling the user 106 to access the service or resource without having to remember and enter the username and password combination for the specific service or resource provided by the service provider 103.
  • the service provider 103 is configured to establish trust between itself and the identity provider 104 according to the SAML standard.
  • the identity provider 104 is built to provide federated identities for service providers, including the service provider 103. SAML is used as the protocol between the identity provider 104 and service providers.
  • the user device 102 may comprise inputs and outputs 107 in order to receive and transmit data to and from the network.
  • the service provider 103 may comprise inputs and outputs 108 and processors 109 in order to receive data, transmit data and process or perform functions.
  • the identity provider 104 may comprise inputs and outputs 111 and processors 110 in order to receive data, transmit data and process data or perform functions.
  • Figure 2 is a message sequence diagram showing a message sequence 201 according to the embodiments of the present invention.
  • the message sequence 201 begins with the user device 102 issuing a service access request 202 to the service provider 103 that is in accordance with the SAML protocol.
  • the service access request requests access to a secure service, but does not include the required user credentials.
  • the service provider 103 responds to the request by generating an authentication request that is in accordance with the SAML protocol.
  • the authentication request may be passed 203 to the identity provider 104 via the user device 102 using redirection.
  • the identity provider will determine 204 that it does not have an identifier stored in its database for the user for the given service provider.
  • the identity provider would respond to the authorisation request with an error message or a randomly generated identifier which is disadvantageous and problematic as discussed above. Accordingly, the embodiments of the present invention provide a new mechanism to overcome these problems with the conventional methods and apparatus.
  • the NameIdentifierRequest may take a format that is compatible with the SAML protocol and indeed the NameIdentifierRequest may be included in the SAML protocol.
  • An example of the NameIdentifierRequest is shown below.
  • the message given below is only an example of the format and content of a NameIdentifierRequest message. As a person skilled in the art will appreciate the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
  • IssueInstant="2006-07-17T20:31:40Z"
  • <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">http://idm.nsn.com</saml:Issuer></samlp:NameIdentifierRequest>
  • the NameIdentifierRequest is passed 205 to the service provider 103.
  • the service provider 103 on receipt of the NameIdentifierRequest will recognise that the identity provider 104 does not have an identifier for the combination of the user and the service provider.
  • the service provider 103 will then validate the user of the service provider 103. For example, the service provider 103 may prompt or request 206 the user to log in to the service provider.
  • the service provider may therefore provide 207 the user with a login page and request that the user provide their username and password combination for the service, resource or application the user wishes to use.
  • the service provider may alternatively provide the user with a registration page allowing the user to register with the service provider and provide details to be used as the user's credentials.
  • the NameIdentifierResponse may take a format that is compatible with the SAML protocol and indeed the NameIdentifierResponse may be included in the SAML protocol.
  • NameIdentifierResponse is shown below.
  • the message given below is only an example of the format and content of a NameIdentifierResponse message. As a person skilled in the art will appreciate the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
  • NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  • Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
  • the NameIdentifierResponse is passed 209 to the identity provider 104.
  • the NameIdentifierResponse will include the identifier of the user for the service provider which is to be used by the identity provider in any future communications and authentication processes.
  • the identity provider 104 can store 210 the identifier for the user for the specific service provider in the identity management system, such as in a database.
  • the identity provider 104 will then generate an authentication response to the original authentication request that was received from the service provider 103.
  • the authentication response will include the identifier of the user for the service provider and may be in accordance with the known SAML protocol.
  • the authentication response is passed 211 to the service provider where the user is logged on.
  • the service provider 103 will then provide 212 the user with access to the service, resource or application the user requested from the service provider 103.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Methods and apparatus are described which enable an identity provider (104) to request (205) an identifier of a user of a particular service provider (103) from the service provider (103). The service provider will request the user to log in (206) to the service provider (103). The service provider (103) can then inform (209) the identity provider (104) of the identifier for the user of the service provider. The identity provider can then store (210) the identifier which may be used to authenticate the user of the service provider in the future.

Description

Identity Management
The present invention relates to identity management.
More and more services and applications are becoming available on the Internet, and many of these services and applications require authentication. One approach that has been developed to assist users to access multiple services and applications, each requiring separate authentication procedures, involves the use of identity federation.
Federated identity management, or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise autonomous security domains. A goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, and without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience.
Security Assertion Markup Language (SAML) is an XML (Extensible Markup Language) standard for exchanging authentication and authorisation data between security domains. For example, SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a specification defined by the OASIS (Organization for the Advancement of Structured Information Standards).
If a user wants to access a secure resource at a service provider, and the service provider requires the user's identity to be authenticated, an identity provider can be used to provide the required authentication information to the service provider so that the service provider can decide whether to grant access to the resources/services as requested by the user.
The service provider will have a contract with the identity provider to provide authentication services. Thus, the service provider and the identity provider will form at least part of a circle of trust. Typically, a user will request access to a particular application provided by the service provider. The service provider requires user credentials, which credentials are not provided in the request. In order to obtain user credentials, the service provider sends a SAML authentication request to the identity provider.
If the user is known to the identity provider for the service provider, the identity provider returns a SAML authentication response providing credentials, including a unique identifier, for the user.
However, if the service provider has been newly added to the circle-of-trust of the identity provider then a problem arises in that the identity provider may not know the unique user identifier for the particular service provider. In this case, the identity provider may either respond to the SAML authentication request with an error message or may respond to the SAML authentication request with a randomly generated, but unique, identifier according to the identity provider. In both cases the service provider should identify that the service provider's user has not been recognised by the identity provider and therefore the service provider will request the user provide their credentials and then inform the identity provider of the actual identifier to be used to identify the user in the future. However, further problems can occur in the latter case where the identity provider generates and provides the service provider with a random identifier for the user of the service provider. In particular, a further different user of the service provider may exist that has an identifier equal to the randomly generated identifier by the identity provider. In this case, the service provider will use the wrong identity to log in and provide services to the user.
The present invention seeks to address at least some of the problems outlined above.
According to a first aspect of the present invention there is provided a method comprising: receiving a name identifier request from an identity provider for an identifier (typically a unique identifier) for a user of a service provider; validating the user; generating a name identifier response to the name identifier request wherein the response includes an identifier (typically a unique identifier) for the validated user for the service provider; and transmitting the name identifier response to the identity provider.
Thus, many of the embodiments of the present invention enable a service provider to effectively register "on-the-fly" unique identifiers for a user of the service provider with an identity provider. For example, if the service provider is new to the circle-of-trust of the identity provider then the identity provider will not know of the unique identifier for a user of the service provider which is required in order for the identity provider to be able to authenticate a user of the service provider. Accordingly, a name identifier request will be received from the identity provider as the identity provider does not have a unique identifier for the user for the service provider. The user will then be validated. For example, the user may be validated by prompting the user to log in to the service provider and based on the received user login details the user can be validated by the service provider.
Once the user has been validated by, for example, the service provider, then a name identifier response may be generated which includes a unique identifier that the identity provider may use in the future to authenticate the user of the service provider. The name identifier response may then be transmitted to the identity provider.
A user may request a service, resource or application from the service provider. Before the service provider grants access to any services, resources or applications the service provider requires that the user is authenticated. The method may therefore further include receiving a request from a user for a service, resource or application. The method may further comprise transmitting an authentication request to the identity provider to authenticate the user of the service provider. The method may also further comprise receiving an authentication response from the identity provider after the identity provider has been informed of the unique identifier for the user.
The step of receiving user login details may comprise receiving a username and password combination for the user.
The name identifier request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; and the name identifier response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
According to a second aspect of the present invention there is provided an apparatus comprising: a first input adapted to receive a name identifier request from an identity provider for an identifier (typically a unique identifier) for a user of a service provider; a first processor adapted to validate the user; a second processor adapted to generate a name identifier response to the name identifier request wherein the response includes an identifier (typically a unique identifier) for the validated user for the service provider; and a first output adapted to transmit the name identifier response to the identity provider.
According to a third aspect of the present invention there is provided an apparatus adapted to: receive a name identifier request from an identity provider for an identifier (typically a unique identifier) for a user of a service provider; validate the user; generate a name identifier response to the name identifier request wherein the response includes an identifier (typically a unique identifier) for the validated user for the service provider; and transmit the name identifier response to the identity provider.
The apparatus may further comprise a second output adapted to prompt the user to log in; and a second input adapted to receive user login details. The login details may be a username and password combination for the user. The apparatus may be a server or computing device and may be operated by a service provider.
The first and second inputs may be the same input or different inputs. The first and second outputs may be the same output or different outputs. The first and second processors may be the same processor or different processors. As a skilled person in the art will appreciate, the apparatus may be adapted to perform the functions in many different ways. For example, the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
According to a fourth aspect of the present invention there is provided a computer program or a computer program product comprising computer readable executable code for: receiving a name identifier request from an identity provider for an identifier (typically a unique identifier) for a user of a service provider; validating the user; generating a name identifier response to the name identifier request wherein the response includes an identifier (typically a unique identifier) for the validated user for the service provider; and transmitting the name identifier response to the identity provider.
The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
According to a fifth aspect of the present invention there is provided a method comprising the steps of: receiving an authentication request from a service provider wherein the authentication request requests an identifier (typically a unique identifier) for a user of the service provider; determining no unique identifier exists for the user for the service provider; generating a name identifier request wherein the name identifier request requests a unique identifier for the user for the service provider; transmitting the name identifier request to the service provider; receiving a name identifier response from the service provider wherein the name identifier response includes a unique identifier for the user for the service provider; and storing the unique identifier for the user for the service provider.
Thus, many of the embodiments of the present invention enable a unique identifier for a user of a service provider to be stored, preferably at an identity provider, when it is determined that no unique identifier exists for the user of the service provider. This is advantageous when, for example, the service provider is new to the circle-of-trust of the identity provider as the identity provider may not know or have stored a unique identifier for all users of a service provider. An authentication request will be received, preferably at an identity provider, from the service provider and it may be determined that no unique identifier exists for the user of the service provider. In this case, a name identifier request will be generated which requests the service provider to supply or inform the identity provider of the unique identifier for a user of the service provider. A name identifier response will be received from the service provider which includes a unique identifier for the user of the service provider. The unique identifier will then be stored so that in the future the user of the service provider can be automatically authenticated by the identity provider.
The step of determining may comprise: checking whether the requested unique identifier in the authentication request for the user for the service provider is in a database; and the step of storing may comprise: adding the unique identifier received in the name identifier response for the user for the service provider to the database. The method may further comprise sending an authentication response to the original authentication request once the unique identifier has been stored.
The authentication request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; the name identifier request may be in accordance with Security Assertion Markup Language protocol; and the name identifier response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
According to a sixth aspect of the present invention there is provided an apparatus comprising: a first input adapted to receive an authentication request from a service provider wherein the authentication request requests an identifier (typically a unique identifier) for a user of the service provider; a first processor adapted to determine if no unique identifier exists for the user for the service provider; a second processor adapted to generate a name identifier request wherein the name identifier request requests a unique identifier for the user for the service provider; an output means adapted to transmit the name identifier request to the service provider; a second input means adapted to receive a name identifier response from the service provider wherein the name identifier response includes a unique identifier for the user for the service provider; and a third processor adapted to store the unique identifier for the user for the service provider.
The first processor is further adapted to check whether the requested unique identifier in the authentication request for the user for the service provider is in a database; and the third processor is further adapted to add the unique identifier received in the name identifier response for the user for the service provider to the database.
According to a seventh aspect of the present invention there is provided an apparatus adapted to: receive an authentication request from a service provider wherein the authentication request requests an identifier (typically a unique identifier) for a user of the service provider; determine no unique identifier exists for the user for the service provider; generate a name identifier request wherein the name identifier request requests a unique identifier for the user for the service provider; transmit the name identifier request to the service provider; receive a name identifier response from the service provider wherein the name identifier response includes a unique identifier for the user for the service provider; and store the unique identifier for the user for the service provider.
As a skilled person in the art will appreciate, the apparatus may be adapted to perform the functions in many different ways. For example, the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
The first and second inputs may be the same input or different inputs. The first, second and third processors may be the same processor, different processors or any combination of processors. The apparatus may be a server or computing device and may be operated by an identity provider.
According to an eighth aspect of the present invention there is provided a computer program or a computer program product comprising computer readable executable code for: receiving an authentication request from a service provider wherein the authentication request requests an identifier (typically a unique identifier) for a user of the service provider; determining no unique identifier exists for the user for the service provider; generating a name identifier request wherein the name identifier request requests a unique identifier for the user for the service provider; transmitting the name identifier request to the service provider; receiving a name identifier response from the service provider wherein the name identifier response includes a unique identifier for the user for the service provider; and storing the unique identifier for the user for the service provider.
The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
An advantage of many of the embodiments of the present invention is that when a service provider is added to the circle-of-trust of an identity provider there is no need for the service provider to import all of their users into the identity provider, as this registration of the users of the service provider with the identity provider can be performed on-the-fly. Another advantage of many of the embodiments is that there is no need to synchronise the service provider and identity provider, as this process may now also be performed on-the-fly using the new mechanism of the embodiments of the invention.
Embodiments of the present invention will now be described, by way of example only, and with reference to the accompanying drawings in which: Figure 1 is a block diagram demonstrating the use of identity management in accordance with aspects of the invention.
Figure 2 shows a message sequence in accordance with aspects of the invention.
A service provider may use an identity provider for Single Sign On (SSO) and Account Provisioning for web services and web applications provided by the service provider.
With reference to Figure 1, the system 101 comprises a user device 102, an identity provider 104 and a service provider 103. The user device 102 may, for example, be a computer or a mobile device such as a mobile telephone, Personal Digital Assistant (PDA) and so on. In the system 101, the user device 102 can communicate with the service provider 103 via a network 105 such as the Internet, a wireless network and so on. A user 106 may request a service, the use of a service, application or resource from the service provider 103 by connecting with the service provider 103 over the network 105. For example, the user 106 may request a service by directing a web browser on the user device 103 to a particular Universal Resource Locator (URL) for the service, application or resource.
However, before the user is granted access to a service, application or resource provided by the service provider, the service provider 103 requires that the user 106 is authenticated. In the embodiments of the invention the identity provider 104 can be used to provide the necessary user authentication, thereby enabling the user 106 to access the service or resource without having to remember and enter the username and password combination for the specific service or resource provided by the service provider 103. The service provider 103 is configured to establish trust between itself and the identity provider 104 according to the SAML standard. The identity provider 104 is built to provide federated identities for service providers, including the service provider 103. SAML is used as the protocol between the identity provider 104 and service providers.
The user device 102 may comprise inputs and outputs 107 in order to receive and transmit data to and from the network. The service provider 103 may comprise inputs and outputs 108 and processors 109 in order to receive data, transmit data and process or perform functions. The identity provider 104 may comprise inputs and outputs 111 and processors 110 in order to receive data, transmit data and process data or perform functions.
Figure 2 is a message sequence diagram showing a message sequence 201 according to the embodiments of the present invention.
The message sequence 201 begins with the user device 102 issuing a service access request 202 to the service provider 103 that is in accordance with the SAML protocol. The service access request requests access to a secure service, but does not include the required user credentials. Accordingly, the service provider 103 responds to the request by generating an authentication request that is in accordance with the SAML protocol. The authentication request may be passed 203 to the identity provider 104 via the user device 102 using redirection.
However, as described hereinabove, if the service provider is new to the circle-of-trust of the identity provider then on receipt of the authentication request 203 the identity provider will determine 204 that it does not have an identifier stored in its database for the user for the given service provider.
Conventionally, the identity provider would respond to the authentication request with an error message or a randomly generated identifier, which is disadvantageous and problematic as discussed above. Accordingly, the embodiments of the present invention provide a new mechanism to overcome these problems with the conventional methods and apparatus.
Thus, if the identity provider 104 determines or recognises that no identifier for the user for the specific service provider is stored in the identity provider's database then the identity provider will generate a new message called a NameIdentifierRequest. The NameIdentifierRequest may take a format that is compatible with the SAML protocol and indeed the NameIdentifierRequest may be included in the SAML protocol. An example of the NameIdentifierRequest is shown below. The message given below is only an example of the format and content of a NameIdentifierRequest message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
<samlp:NameIdentifierRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    http://idm.nsn.com
  </saml:Issuer>
</samlp:NameIdentifierRequest>
The NameIdentifierRequest is passed 205 to the service provider 103. The service provider 103, on receipt of the NameIdentifierRequest, will recognise that the identity provider 104 does not have an identifier for the combination of the user and the service provider. The service provider 103 will then validate the user of the service provider 103. For example, the service provider 103 may prompt or request 206 the user to log in to the service provider.
The service provider may therefore provide 207 the user with a login page and request that the user provide their username and password combination for the service, resource or application the user wishes to use. The service provider may alternatively provide the user with a registration page allowing the user to register with the service provider and provide details to be used as the user's credentials.
Once the user has successfully entered and provided 208 their login details and the service provider 103 has validated the data entered by the user, the service provider 103 will generate a new message called a NameIdentifierResponse. The NameIdentifierResponse may take a format that is compatible with the SAML protocol and indeed the NameIdentifierResponse may be included in the SAML protocol. An example of the NameIdentifierResponse is shown below. The message given below is only an example of the format and content of a NameIdentifierResponse message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
<samlp:NameIdentifierResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <saml:Assertion
      MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678"
      Issuer="Smith Corporation">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
    </saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
        tom.smith
      </saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42"
          FriendlyName="givenName">
        <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
          FriendlyName="mail">
        <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
</samlp:NameIdentifierResponse>
The NameIdentifierResponse is passed 209 to the identity provider 104. The NameIdentifierResponse will include the identifier of the user for the service provider which is to be used by the identity provider in any future communications and authentication processes.
On receipt of the NameIdentifierResponse the identity provider 104 can store 210 the identifier for the user for the specific service provider in the identity management system, such as in a database. The identity provider 104 will then generate an authentication response to the original authentication request that was received from the service provider 103. The authentication response will include the identifier of the user for the service provider and may be in accordance with the known SAML protocol. The authentication response is passed 211 to the service provider where the user is logged on. The service provider 103 will then provide 212 the user with access to the service, resource or application the user requested from the service provider 103.
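The message sequence 202 to 212 described above, as an added example that is not part of the patent: a Python simulation in which the identity provider keeps identifiers keyed by (service provider, identity-provider user), issues a NameIdentifierRequest instead of an error or a random identifier when nothing is stored, and the service provider answers only after validating the login. The entity IDs, account records, class and function names and the duplicate-binding check at the identity provider are assumptions of this example, not part of the patent.

```python
# Added example, not the patent's own code: a stand-alone simulation of the
# NameIdentifierRequest/NameIdentifierResponse exchange described above. The
# identity provider (IdP) keeps a table keyed by (service provider, IdP user);
# when nothing is stored it asks the service provider (SP), which validates the
# user's login and answers with the identifier it uses itself. Entity IDs,
# account records and user names are constructed sample values.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def issue_instant():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class ServiceProvider:
    """SP side: validates the user's login, then reports its own identifier."""

    def __init__(self, entity_id, accounts):
        self.entity_id = entity_id
        self.accounts = accounts  # constructed sample: username -> password

    def name_identifier_response(self, request_xml, username, password):
        """Steps 206-209: validate the login and answer the request. Returns
        None when validation fails, so no identifier reaches the IdP for a
        user the SP has not recognised."""
        req = ET.fromstring(request_xml)
        if req.tag != f"{{{SAMLP}}}NameIdentifierRequest":
            raise ValueError("not a NameIdentifierRequest")
        if self.accounts.get(username) != password:
            return None
        resp = ET.Element(f"{{{SAMLP}}}NameIdentifierResponse", ID=f"_{uuid.uuid4()}",
                          Version="2.0", IssueInstant=issue_instant())
        assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion")
        ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = self.entity_id
        subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
        # The NameID is the SP's own identifier, so it cannot collide with
        # another SP user the way an IdP-generated random identifier can.
        ET.SubElement(subject, f"{{{SAML}}}NameID", Format=UNSPECIFIED).text = username
        status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
        return ET.tostring(resp, encoding="unicode")


class IdentityProvider:
    """IdP side: looks up, requests and stores per-SP user identifiers."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.identifiers = {}  # (sp_entity_id, idp_user) -> SP identifier

    def handle_authn_request(self, sp_entity_id, idp_user):
        """Step 204: answer from storage if possible; otherwise send a
        NameIdentifierRequest instead of an error or a random identifier."""
        key = (sp_entity_id, idp_user)
        if key in self.identifiers:
            return "AuthnResponse", self.identifiers[key]
        req = ET.Element(f"{{{SAMLP}}}NameIdentifierRequest", ID=f"_{uuid.uuid4()}",
                         Version="2.0", IssueInstant=issue_instant())
        ET.SubElement(req, f"{{{SAML}}}Issuer", Format=UNSPECIFIED).text = self.entity_id
        return "NameIdentifierRequest", ET.tostring(req, encoding="unicode")

    def store_identifier(self, sp_entity_id, idp_user, response_xml):
        """Steps 210-211: check the response, store the identifier and
        answer the original authentication request with it."""
        resp = ET.fromstring(response_xml)
        if resp.tag != f"{{{SAMLP}}}NameIdentifierResponse":
            raise ValueError("not a NameIdentifierResponse")
        code = resp.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise ValueError("SP did not report a validated user")
        name_id = resp.find("saml:Assertion/saml:Subject/saml:NameID", NS)
        if name_id is None or not (name_id.text or "").strip():
            raise ValueError("response carries no NameID")
        identifier = name_id.text.strip()
        # Assumed extra check (not in the patent): one SP identifier must not
        # end up bound to two different IdP users for the same SP.
        for (sp, user), stored in self.identifiers.items():
            if sp == sp_entity_id and stored == identifier and user != idp_user:
                raise ValueError("identifier already bound to another IdP user")
        self.identifiers[(sp_entity_id, idp_user)] = identifier
        return "AuthnResponse", identifier


def run_flow(idp, sp, idp_user, username, password):
    """Messages 202-211 for one login; returns (outcome, identifier or None)."""
    kind, payload = idp.handle_authn_request(sp.entity_id, idp_user)
    if kind == "AuthnResponse":
        return kind, payload  # identifier already registered on an earlier login
    resp = sp.name_identifier_response(payload, username, password)
    if resp is None:
        return "LoginFailed", None
    return idp.store_identifier(sp.entity_id, idp_user, resp)
```

The first call to run_flow for a user performs the on-the-fly registration; the second is answered from the identity provider's stored table without involving the service provider's login page.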
While preferred embodiments of the invention have been shown and described, it will be understood that such embodiments are described by way of example only. Numerous variations, changes and substitutions will occur to those skilled in the art without departing from the scope of the present invention as defined by the appended claims. For example, although the invention has been described with reference to the SAML standard, other implementations are possible. Accordingly, it is intended that the following claims cover all such variations or equivalents as fall within the spirit and the scope of the invention.

Claims

1. A method comprising: receiving a name identifier request from an identity provider for an identifier for a user of a service provider; validating said user; generating a name identifier response to said name identifier request wherein said response includes an identifier for said validated user for said service provider; and transmitting said name identifier response to said identity provider.
2. The method as claimed in claim 1 in which said step of validating said user comprises: prompting said user to log in; and receiving user login details.
3. The method as claimed in claim 1 or 2 in which said name identifier request is compatible with Security Assertion Markup Language protocol; and said name identifier response is compatible with Security Assertion Markup Language protocol.
4. An apparatus comprising: a first input adapted to receive a name identifier request from an identity provider for an identifier for a user of a service provider; a first processor adapted to validate said user; a second processor adapted to generate a name identifier response to said name identifier request wherein said response includes an identifier for said validated user for said service provider; and a first output adapted to transmit said name identifier response to said identity provider.
5. The apparatus as claimed in claim 4 further comprising: a second output adapted to prompt said user to log in; and a second input adapted to receive user login details.
6. A computer program product comprising computer readable executable code for: receiving a name identifier request from an identity provider for an identifier for a user of a service provider; validating said user; generating a name identifier response to said name identifier request wherein said response includes an identifier for said validated user for said service provider; and transmitting said name identifier response to said identity provider.
7. A method comprising the steps of: receiving an authentication request from a service provider wherein said authentication request requests an identifier for a user of said service provider; determining no identifier exists for said user for said service provider; generating a name identifier request wherein said name identifier request requests an identifier for said user for said service provider; transmitting said name identifier request to said service provider; receiving a name identifier response from said service provider wherein said name identifier response includes an identifier for said user for said service provider; and storing said identifier for said user for said service provider.
8. The method as claimed in claim 7 in which said step of determining comprises: checking whether said requested identifier in said authentication request for said user for said service provider is in a database; and said step of storing comprises: adding said identifier received in said name identifier response for said user for said service provider to said database.
9. The method as claimed in claim 7 or 8 in which said authentication request is compatible with Security Assertion Markup Language protocol; said name identifier request is compatible with Security Assertion Markup Language protocol; and said name identifier response is in accordance with Security Assertion Markup Language protocol.
10. An apparatus comprising: a first input adapted to receive an authentication request from a service provider wherein said authentication request requests an identifier for a user of said service provider; a first processor adapted to determine if no identifier exists for said user for said service provider; a second processor adapted to generate a name identifier request wherein said name identifier request requests an identifier for said user for said service provider in the event that the first processor determines that no identifier exists for said user for said service provider; an output adapted to transmit said name identifier request to said service provider; a second input adapted to receive a name identifier response from said service provider wherein said name identifier response includes an identifier for said user for said service provider; and a third processor adapted to store said identifier for said user for said service provider.
11. The apparatus as claimed in claim 10 in which said first processor is further adapted to check whether said requested identifier in said authentication request for said user for said service provider is in a database; and said third processor is further adapted to add said identifier received in said name identifier response for said user for said service provider to said database.
12. A computer program product comprising computer readable executable code for: receiving an authentication request from a service provider wherein said authentication request requests an identifier for a user of said service provider; determining no identifier exists for said user for said service provider; generating a name identifier request wherein said name identifier request requests an identifier for said user for said service provider; transmitting said name identifier request to said service provider; receiving a name identifier response from said service provider wherein said name identifier response includes an identifier for said user for said service provider; and storing said identifier for said user for said service provider.
PCT/EP2009/058062 2009-06-26 2009-06-26 Identity management WO2010149223A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/058062 WO2010149223A1 (en) 2009-06-26 2009-06-26 Identity management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/058062 WO2010149223A1 (en) 2009-06-26 2009-06-26 Identity management

Publications (1)

Publication Number Publication Date
WO2010149223A1 true WO2010149223A1 (en) 2010-12-29

Family

ID=41785941

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2009/058062 WO2010149223A1 (en) 2009-06-26 2009-06-26 Identity management

Country Status (1)

Country Link
WO (1) WO2010149223A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109726533A (en) * 2018-12-24 2019-05-07 北京百度网讯科技有限公司 User account judgment method and device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1610528A2 (en) * 2004-06-24 2005-12-28 Vodafone Group PLC System and method of asserting identities in a telecommunications network
WO2006103176A1 (en) * 2005-04-01 2006-10-05 International Business Machines Corporation Method for a runtime user account creation operation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WATANABE R ET AL: "Federated Authentication Mechanism using Cellular Phone - Collaboration with OpenID", INFORMATION TECHNOLOGY: NEW GENERATIONS, 2009. ITNG '09. SIXTH INTERNATIONAL CONFERENCE ON, IEEE, PISCATAWAY, NJ, USA, 27 April 2009 (2009-04-27), pages 435 - 442, XP031472297, ISBN: 978-1-4244-3770-2 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09779978; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09779978; Country of ref document: EP; Kind code of ref document: A1)