WO2011017921A1 - System and method for visiting a visited service provider - Google Patents

System and method for visiting a visited service provider

Info

Publication number
WO2011017921A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2010/071187
Other languages
French (fr)
Chinese (zh)
Inventor
高宏伟
林兆骥
陈剑勇
滕志猛
李媛
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity



Abstract

The present invention provides a system and method for visiting a visited service provider (SP). When a user visits the visited SP, a visited identity provider (IdP) acquires the user information and then, via the interface between the visited IdP and the home IdP of the user, requests the home IdP to authenticate the user; the home IdP returns the authentication result to the visited IdP after completing the authentication; the visited IdP transmits the authentication result to the visited SP; and the visited SP provides services for the user according to the authentication result; therein, the interface between the visited IdP and the home IdP is the same as the interface between the home SP and the home IdP. The technical solution disclosed in the present invention solves the problem of the user visiting an SP across different identity management (IdM) systems in the prior IdM system.

Description

System and method for accessing a visited service provider
Technical field
The present invention relates to secure communication technology in network communication systems, and in particular to a system and method for accessing a visited service provider.
Background art
Identity management (IdM) means managing, on the basis of the network and its supporting technologies, the life cycle (the process of use) of a user identity and the relationship between the user identity and network application services, for example authenticating or authorizing users who access and use resources. At present, IdM systems still form mutually independent vertical structures, most of them built for one specific application service; the various IdM systems cannot interconnect and cannot share user information (such as a user's trust information or authentication information).
An IdM system comprises users, identity providers (IdP) and service providers (SP). During authentication, only when a trust relationship exists between the SP and the IdP can the SP accept the IdP's authentication of the user's identity as genuine and reliable, and only then can it go on to provide the service to the user. In an IdM system the IdP is an independent operator, which separates identity services from application services. Through a series of query/response messages the IdP offers users identity registration, identity management, identity authentication and similar services, thereby establishing between the SP and the user the level of trust the service expects and enabling the user to access the service.
FIG. 1 shows the general procedure by which a prior-art IdM system authenticates a user:
Step 101: the user requests a service from the service provider SP;
Step 102: the SP requires the user to perform identity authentication;
Step 103: the user sends its user ID and the address of its IdP to the SP;
Step 104: the SP forwards the received user ID and IdP address to the IdP;
Step 105: the IdP sends a message to the user requesting the user's credential information;
Step 106: the user sends its credential information to the IdP;
Step 107: the IdP authenticates the identity information provided by the user;
Step 108: the IdP returns the authentication result to the SP;
Step 109: the SP provides the corresponding service to the user according to the authentication result.
In a general IdM system the SP of the visited domain controls access to its resources through authentication by the IdP of the visited domain, but that IdP can authenticate only its own users. When a user of another IdP requests access, it is treated as an illegitimate user and must register anew, which is inconvenient for the user and restricts the growth of the SP.
Summary of the invention
The technical problem solved by the present invention is to provide a system and method for accessing a visited service provider, so that a user of an existing identity management system can access an SP across different IdM systems.
To solve the above problem, the present invention provides a method for accessing a visited service provider, comprising:
when a user accesses the service provider of the visited domain, the identity provider (IdP) of the visited domain acquires the user's information and, through the interface between the visited IdP and the home IdP, requests the user's home IdP to authenticate the user;
the home [remainder of this paragraph is only in image imgf000004_0001 and is not recoverable from the page]
wherein the interface between the visited IdP and the home IdP is the same as the interface between the home service provider and the home IdP.
In the above method, the step of the visited IdP requesting authentication from the home IdP comprises: the visited IdP sends an authentication request to the home IdP, the request carrying the user identifier of the user; and
after receiving the authentication request, the home IdP asks the user for the user's credential information, authenticates the user, and returns the authentication result to the visited IdP.
In the above method, after the visited IdP receives the authentication result, it converts the format of the authentication result and then sends it to the service provider of the visited domain.
In the above method, after the visited IdP acquires the user's information, it performs an address check on the home IdP address contained in that information: if that IdP address is the visited IdP's own address, the visited IdP authenticates the user directly; otherwise it requests the home IdP to perform the authentication.
The present invention also provides a system for accessing a visited service provider, comprising the user's home IdP, the visited IdP and the service provider of the visited domain, wherein:
the visited IdP is configured, after receiving the user's information, to send an authentication request to the user's home IdP through the interface between the visited IdP and the home IdP if the user is not a user of the visited IdP's own domain, and to forward the authentication result to the service provider of the visited domain once it is received; the interface between the visited IdP and the home IdP is the same as the interface between the home service provider and the home IdP;
the home IdP is configured to authenticate the user after receiving the authentication request and to return the authentication result to the visited IdP;
the service provider of the visited domain is configured to provide the service to the user according to the authentication result.
In the above system, the visited IdP is further configured, after receiving the authentication result, to convert its format and then send it to the service provider of the visited domain.
In the above system, the visited IdP is further configured, after receiving the user's information, to perform an address check on the home IdP address contained in it: if the home IdP address is the visited IdP's own address, it authenticates the user directly; otherwise it requests the home IdP to perform the authentication.
In the above system, the visited IdP is further configured, after receiving the user's information and determining from the home IdP address contained in it that the home IdP address is the visited IdP's own address, to authenticate the user and return the authentication result to the service provider of the visited domain.
In the above system, the visited IdP is further configured, after receiving the user's information and determining from the home IdP address contained in it that the home IdP address is not the visited IdP's own address, to send an authentication request carrying the user identifier from the user's information to the home IdP through the interface between the visited IdP and the home IdP; after receiving the authentication request, the home IdP asks the user for the user's credential information, authenticates the user and returns the authentication result to the visited IdP.
The present invention provides a system and method for accessing a visited service provider and solves the problem of a user of an existing identity management system accessing an SP across different IdM systems. The method is simple and practical and does not require changing the general authentication model and communication mechanism of the existing IdM system: the IdM system only needs to add a forwarding and conversion authorization mechanism to solve cross-IdM-system access authentication. The method meets user needs and allows IdM systems to be used more widely.
Brief description of the drawings
FIG. 1 is a flowchart of the general procedure by which a prior-art IdM system authenticates a user;
FIG. 2 is a schematic diagram of the participating entities when a user accesses an SP across different IdPs;
FIG. 3 is a flowchart of authenticating a user who accesses an SP across different IdPs according to the present invention.
Preferred embodiments of the invention
This embodiment provides a system for accessing a visited service provider which, as shown in FIG. 2, comprises a visited IdP, a home IdP and a visited SP. When a user accesses the visited SP, the visited SP requests the visited IdP (that is, the IdP of the domain where the visited SP is located) to authenticate the user, and the visited IdP takes the role of IdP. Because the user does not belong to the visited domain, the visited IdP cannot authenticate the user and therefore requests the home IdP to do so; at this point the visited IdP takes the role of an SP. Specifically:
the visited SP is configured to request identity authentication from the user after receiving the user's request for service and, after receiving the user ID and home IdP address sent by the user, to send an authentication request carrying that user ID and home IdP address to the IdP of its own domain; it is further configured to provide the corresponding service to the user according to the user authentication result returned by the IdP of its own domain;
the visited IdP is configured, after receiving the authentication request, to determine whether the user is a user of its own domain and, if so, to authenticate the user directly, otherwise to request the user's home IdP to authenticate the user, carrying the user ID; it is further configured, after receiving the authentication result returned by the home IdP, to convert the result into the format supported by its own system and then send it to the SP of its own domain;
the home IdP is configured, after receiving the authentication request, to obtain the user's credential information according to the user ID, then to authenticate the user on the basis of the user ID, the credentials and similar information, and to return the authentication result to the visited IdP.
The interface between the visited IdP and the home IdP is the same as the interface between the home SP and the home IdP.
This embodiment also provides a method for accessing a visited service provider which, as shown in FIG. 3, comprises the following steps:
Step 301: the user terminal sends a service request to the SP of the visited domain.
Step 302: the SP server of the visited domain requires the user terminal to perform identity authentication.
Step 303: the user provides its user ID and the address of its IdP as required.
Step 304: the SP server of the visited domain receives the ID and registered IdP address (that is, the address of the IdP the user belongs to) provided by the user and forwards them to the IdP of its own domain, requesting authentication of the user.
Step 305: the visited IdP receives the user ID and the user's IdP address provided by the visited SP and first performs an address check. If the user's IdP address is its own, it authenticates the user directly and returns the authentication result; otherwise it proceeds to step 306.
Step 306: the visited IdP system, acting in the role of an SP, sends an authentication request carrying the user ID to the user's home IdP;
Step 307: the user's home IdP receives the authentication request and sends a message to the user corresponding to that user ID, requesting the user to input credential information;
Step 308: the user sends its credential information to its home IdP;
Step 309: the user's home IdP authenticates the user on the basis of the user ID, the credentials and similar information.
Step 310: the user's home IdP returns the authentication result, carrying the user ID, to the visited IdP.
Step 311: the visited IdP receives the user's authentication result and maps it to a visited-domain authentication result; the mapping means converting the format of the received authentication result into an authentication result in the visited system's own format.
Step 312: the visited IdP returns the converted authentication result to the visited SP.
Step 313: the visited SP provides the corresponding service to the user according to the authentication result.
The interface between the visited IdP and the home IdP is the same as the interface between the home service provider and the home IdP.
工业实用性 本发明公开的技术方案解决了现有身份管理系统中用户跨越不同 IdM系 统访问 SP的问题, 并且该方法简单易行, 不需更改原有 IdM系统认证的通 用模型和通信机制, IdM 系统只需要添加转发与转换授权机制, 就能很好的 解决跨 IdM系统访问认证的问题,该方法的发明满足了用户需求,能够使 IdM 系统得到更广泛的使用。 INDUSTRIAL APPLICABILITY The technical solution disclosed by the present invention solves the problem that a user accesses an SP across different IdM systems in an existing identity management system, and the method is simple and easy, and does not need to change the general model and communication mechanism of the original IdM system authentication, IdM The system only needs to add the forwarding and conversion authorization mechanism, which can solve the problem of access authentication across the IdM system. The invention of the method satisfies the user's needs and enables the IdM system to be more widely used.

Claims

1. A method of accessing a service provider in a visited domain, comprising:
when a user accesses a service provider of the visited domain, a visited identity provider (IdP), after obtaining the user's information, requesting a home IdP to authenticate the user through an interface between the visited IdP and the home IdP;
wherein the interface between the visited IdP and the home IdP is the same as the interface between the home service provider and the home IdP.
2. The method of claim 1, wherein
the step of the visited IdP requesting the home IdP to perform authentication comprises:
the visited IdP sending an authentication request to the home IdP, the authentication request carrying a user identifier of the user; and
the home IdP, after receiving the authentication request, requesting the user's credential information from the user and authenticating the user after receiving the credential information.
3. The method of claim 2, further comprising:
after receiving the authentication result, the visited IdP converting the format of the authentication result and sending it to the service provider of the visited domain.
4. The method of claim 1, further comprising:
after obtaining the user's information, the visited IdP performing an address check according to the user's home IdP address contained therein; if the user's home IdP address is the visited IdP address, authenticating the user directly, otherwise requesting the home IdP to perform authentication.
5. A system for accessing a service provider in a visited domain, comprising:
a home identity provider (IdP) of the user, a visited IdP and a service provider of the visited domain, wherein the visited IdP is configured to, after receiving the user's information, send an authentication request to the user's home IdP through an interface between the visited IdP and the home IdP if the user is not a user of the visited IdP's own domain, and to send the authentication result to the service provider of the visited domain after receiving it; wherein the interface between the visited IdP and the home IdP is the same as the interface between the home service provider and the home IdP;
the home IdP is configured to authenticate the user after receiving the authentication request and to return the authentication result to the visited IdP;
the service provider of the visited domain is configured to provide service to the user according to the authentication result.
6. The system of claim 5, wherein
the visited IdP is further configured to, after receiving the authentication result, convert the format of the authentication result and send it to the service provider of the visited domain.
7. The system of claim 5, wherein
the visited IdP is further configured to, after receiving the user's information, perform an address check according to the home IdP address contained therein; if the home IdP address is the visited IdP address, authenticate the user directly, otherwise request the home IdP to perform authentication.
8. The system of claim 7, wherein
the visited IdP is further configured to, after receiving the user's information and determining from the home IdP address contained therein that the home IdP address is the visited IdP address, authenticate the user and return the authentication result to the service provider of the visited domain.
9. The system of claim 7, wherein
the visited IdP is further configured to, after receiving the user's information and determining from the home IdP address contained therein that the home IdP address is not the visited IdP address, send an authentication request carrying the user identifier from the user's information to the home IdP through the interface between the visited IdP and the home IdP; the home IdP, after receiving the authentication request, requests the credential information from the user, then authenticates the user and returns the authentication result to the visited IdP.
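The following is an added illustration, not code from the patent or its applicant, of the flow in steps 304 to 313 and claims 1 to 9: the visited IdP's address check, its forwarding of the user ID to the home IdP over the same interface an SP would use, and the step 311 conversion of the home IdP's result into the visited system's format. The IdP addresses, the two result formats, the credential store and the way the user answers credential prompts are all constructed assumptions.

```python
import hmac

class Idp:
    """One IdM system; the same class plays home IdP and visited IdP because
    the patent uses a single interface for both roles."""

    def __init__(self, address, users):
        self.address = address
        self.users = users  # user_id -> password; constructed sample store

    def local_authenticate(self, user_id, ask_user):
        """Steps 307-310: ask the user for a credential, verify it, return the
        result in this IdP's own (constructed) native tuple format."""
        credential = ask_user(self.address, user_id)  # steps 307 and 308
        expected = self.users.get(user_id)
        ok = expected is not None and hmac.compare_digest(expected, credential)
        return ("HOME_RESULT", user_id, ok)  # step 310 carries the user ID

    def authenticate(self, user_id, home_idp_address, registry, ask_user):
        """Step 305 address check: own users are authenticated directly; for
        others this IdP acts as an SP toward the home IdP (step 306) and maps
        the returned tuple into the visited dict format (step 311)."""
        if home_idp_address == self.address:
            _, uid, ok = self.local_authenticate(user_id, ask_user)
            return {"user_id": uid, "authenticated": ok, "via": "local"}
        home = registry.get(home_idp_address)
        if home is None:  # unknown home IdP: fail closed
            return {"user_id": user_id, "authenticated": False, "via": "unknown"}
        _, uid, ok = home.local_authenticate(user_id, ask_user)
        # Step 311 format conversion; also reject a result for a different user.
        ok = ok and uid == user_id
        return {"user_id": user_id, "authenticated": ok, "via": home.address}

def sp_serve(sp_idp, user_id, home_idp_address, registry, ask_user):
    """Steps 304, 312, 313: the visited SP hands user ID and home IdP address
    to its own IdP and grants service only on a positive result."""
    result = sp_idp.authenticate(user_id, home_idp_address, registry, ask_user)
    return "service granted" if result["authenticated"] else "service denied"

# Constructed sample deployment: alice is homed at one IdP, bob at the other.
HOME = Idp("idp.home.example", {"alice": "correct-horse"})
VISITED = Idp("idp.visited.example", {"bob": "battery-staple"})
REGISTRY = {idp.address: idp for idp in (HOME, VISITED)}

def user_responds(idp_address, user_id):
    """Step 308 stand-in: the user answers a credential prompt only from the
    IdP that holds the account (constructed behaviour)."""
    answers = {("idp.home.example", "alice"): "correct-horse",
               ("idp.visited.example", "bob"): "battery-staple"}
    return answers.get((idp_address, user_id), "")
```

Calling `sp_serve(VISITED, "alice", "idp.home.example", REGISTRY, user_responds)` exercises the cross-IdM path; the same call with bob and the visited address takes the direct branch of step 305.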
PCT/CN2010/071187 2009-08-11 2010-03-22 System and method for visiting a visited service provider WO2011017921A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009101623742A CN101998398A (en) 2009-08-11 2009-08-11 System and method for accessing service provider in accessing place
CN200910162374.2 2009-08-11

Publications (1)

Publication Number Publication Date
WO2011017921A1 true WO2011017921A1 (en) 2011-02-17

Family

ID=43585897

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/071187 WO2011017921A1 (en) 2009-08-11 2010-03-22 System and method for visiting a visited service provider

Country Status (2)

Country Link
CN (1) CN101998398A (en)
WO (1) WO2011017921A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11330546B1 (en) 2020-12-11 2022-05-10 Cisco Technology, Inc. Controlled access to geolocation data in open roaming federations

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105592031B (en) * 2014-11-25 2019-07-19 中国银联股份有限公司 The user log-in method and system of identity-based certification
CN106257862B (en) * 2015-06-19 2019-09-17 中兴新能源汽车有限责任公司 The method and device of wireless charging device certification and charging server certification
CN106059994B (en) * 2016-04-29 2020-02-14 华为技术有限公司 Data transmission method and network equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388773A (en) * 2007-09-12 2009-03-18 中国移动通信集团公司 Identity management platform, service server, uniform login system and method
WO2009074709A1 (en) * 2007-12-10 2009-06-18 Nokia Corporation Authentication arrangement
CN101471777A (en) * 2007-12-29 2009-07-01 中国科学院计算技术研究所 Access control system and method between domains based on domain name


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHEN JIANYONG ET AL.: "Identity Management Technology and Its Development", TELECOMMUNICATIONS SCIENCE, no. 2, February 2009 (2009-02-01), pages 35 - 41 *


Also Published As

Publication number Publication date
CN101998398A (en) 2011-03-30


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10807866

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10807866

Country of ref document: EP

Kind code of ref document: A1