WO2011017921A1 - System and method for accessing a visited service provider - Google Patents

System and method for accessing a visited service provider

Info

Publication number
WO2011017921A1
Authority
WO
WIPO (PCT)
Prior art keywords
idp
user
visited
home
address
Prior art date
Application number
PCT/CN2010/071187
Other languages
English (en)
Chinese (zh)
Inventor
高宏伟
林兆骥
陈剑勇
滕志猛
李媛
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2011017921A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Definitions

  • The present invention relates to secure communication technologies in network communication systems, and more particularly to a system and method for accessing a visited service provider.
  • Background art
  • IdM: Identity Management.
  • Existing IdM systems are still vertical structures independent of each other, and most of them are built for specific application services. Interconnection between the various IdM systems is impossible, and sharing of user information (such as user trust information and authentication information) cannot be realized.
  • An IdM system includes users, an IdP (Identity Provider) and an SP (Service Provider).
  • IdP: Identity Provider.
  • SP: Service Provider.
  • Through the IdP, the SP can confirm that the authentication information for the user's identity is authentic and reliable, and can then provide services to the user.
  • The IdP acts as an independent operator, which realizes the separation of identity services from application services.
  • The IdP provides users with a series of services such as identity registration, identity management and identity authentication, so as to establish the trust level that the service expects between the SP and the user and realize the user's access to the service.
  • Step 101: A user requests a service from a service provider (SP).
  • Step 102: The SP requires the user to perform identity authentication.
  • Step 103: The user sends the user ID and the address of the user's IdP to the SP.
  • Step 104: The SP forwards the received user ID and IdP address to the IdP.
  • Step 105: The IdP sends a message to the user, requesting the user to input credential information.
  • Step 106: The user sends its credential information to the IdP.
  • Step 107: The IdP authenticates the identity information provided by the user.
  • Step 108: The IdP returns the authentication result to the SP.
  • Step 109: The SP provides the corresponding service to the user according to the authentication result obtained.
  • The visited SP controls the user's access to its resources through authentication by the visited IdP, but the visited IdP can only authenticate its own users. When a user of another IdP accesses the visited SP, that user is treated as an illegal user and must re-register, which is inconvenient for the user and limits the development of the SP.
  • The technical problem to be solved by the present invention is to provide a system and method for accessing a visited service provider, which solves the problem of users in an existing identity management system accessing SPs across different IdM systems.
  • The present invention provides a method for accessing a visited service provider, the method comprising:
  • The visited identity provider (IdP) acquires the user's information and, through the interface between the visited IdP and the user's home IdP, requests the home IdP to authenticate the user;
  • The interface between the visited IdP and the home IdP is the same as the interface between the home service provider and the home IdP.
  • The step of the visited IdP requesting the home IdP to perform authentication includes: the visited IdP sends an authentication request to the home IdP, where the authentication request carries the user's user identifier;
  • After receiving the authentication request, the home IdP requests the user's credential information from the user, authenticates the user, and returns the authentication result to the visited IdP.
  • The visited IdP performs format conversion on the authentication result and then sends it to the visited service provider.
  • The visited IdP performs an address check according to the user's home IdP address: if the home IdP address is the visited IdP's own address, the visited IdP authenticates the user directly; otherwise it requests the home IdP to perform the authentication.
  • The present invention also provides a system for accessing a visited service provider, including the user's home IdP, the visited IdP and the visited service provider;
  • The visited IdP is configured to send an authentication request to the user's home IdP through the interface between the visited IdP and the home IdP, and to send the authentication result to the visited service provider after receiving it; wherein the interface between the visited IdP and the home IdP is the same as the interface between the home service provider and the home IdP;
  • The home IdP is configured to authenticate the user after receiving the authentication request, and to return the authentication result to the visited IdP;
  • The visited service provider is configured to provide the service to the user based on the authentication result.
  • The visited IdP is further configured to receive the authentication result, perform format conversion on it, and then send the converted authentication result to the visited service provider.
  • The visited IdP is further configured to perform an address check according to the home IdP address after receiving the user's information: if the home IdP address is the visited IdP's own address, it performs the authentication directly; otherwise it requests the home IdP to perform the authentication.
  • The visited IdP is further configured, after receiving the user's information and checking according to the home IdP address that the home IdP address is the visited IdP's own address, to authenticate the user and return the authentication result to the visited service provider.
  • The visited IdP is further configured, after receiving the user's information and checking according to the home IdP address that the home IdP address is not the visited IdP's own address, to send an authentication request carrying the user identifier to the home IdP through the interface between the visited IdP and the home IdP; after receiving the authentication request, the home IdP requests the user's credential information from the user, authenticates the user, and returns the authentication result to the visited IdP.
  • The present invention provides a system and method for accessing a visited service provider, and solves the problem of a user in an existing identity management system accessing an SP across different IdM systems; the method is simple and easy, and does not need to change the general model and communication mechanism of the original IdM system authentication: the IdM system only needs to add the forwarding and conversion authorization mechanism, which solves the problem of access authentication across IdM systems.
  • The method of the invention satisfies users' needs and enables the IdM system to be more widely used.
  • Brief description of the drawings
  • FIG. 1 is a general flowchart of user authentication in a prior art IdM system;
  • FIG. 2 is a schematic diagram of each member entity when a user accesses an SP across different IdPs;
  • FIG. 3 is a flowchart of authenticating a user when the user accesses an SP across different IdPs according to the present invention.
  • The embodiment provides a system for accessing a visited service provider.
  • The system includes the visited IdP, the home IdP and the visited SP.
  • The visited SP requests the visited IdP (i.e. the IdP at the location of the visited SP) to authenticate the user, and the visited IdP takes the role of an IdP toward the SP. Since the user does not belong to the visited place, the visited IdP cannot authenticate the user and in turn requests the home IdP to authenticate the user.
  • Toward the home IdP, the visited IdP takes the role of an SP. Specifically:
  • The visited SP is configured to request the user to perform identity authentication after receiving the user's request for service; after receiving the user ID and the home IdP address sent by the user, to send an authentication request carrying the user ID and the home IdP address to the IdP at the SP's own location; and also to receive the user authentication result returned by that local IdP and provide the corresponding service to the user according to the authentication result.
  • After receiving the authentication request, the visited IdP determines whether the user is a local user. If so, it authenticates the user directly; if not, it requests the IdP at the user's home location to authenticate the user, carrying the user ID. After receiving the authentication result returned by the home IdP, the visited IdP converts the result into a format supported by its own system, and then sends it to the SP at its location.
  • After receiving the authentication request, the home IdP obtains the user's credential information according to the user ID, performs authentication based on information such as the user ID and its credentials, and returns the authentication result to the visited IdP.
  • The interface between the visited IdP and the home IdP is the same as the interface between the home SP and the home IdP.
  • This embodiment provides a method for accessing a visited service provider. As shown in FIG. 3, it includes the following steps:
  • Step 301: The user terminal sends a service request to the visited SP.
  • Step 302: The visited SP server requests the user terminal to perform identity authentication.
  • Step 303: The user provides the user ID and the address of the user's IdP as required.
  • Step 304: The visited SP server receives the user ID and the registered IdP address provided by the user (that is, the address of the IdP where the user is registered), and forwards them to the IdP at the SP's location to request user authentication.
  • Step 305: The visited IdP receives the user ID and the user's IdP address provided by the visited SP, and first performs an address check. If the user's IdP address is the visited IdP's own address, it performs the authentication directly and returns the authentication result; otherwise it proceeds to step 306.
  • Step 306: The visited IdP system acts as an SP and sends an authentication request carrying the user ID to the user's home IdP.
  • Step 307: The user's home IdP receives the authentication request and sends a message to the user corresponding to the user ID, requesting the user to input credential information.
  • Step 308: The user sends its credential information to its home IdP.
  • Step 309: The user's home IdP authenticates the user according to information such as the user ID and credentials.
  • Step 310: The user's home IdP returns the authentication result, carrying the user ID, to the visited IdP.
  • Step 311: The visited IdP receives the user's authentication result and maps it to an authentication result of the visited system. The mapping refers to converting the received authentication result into the format supported by the visited system.
  • Step 312: The visited IdP returns the converted authentication result to the visited SP.
  • Step 313: The visited SP provides the corresponding service to the user according to the authentication result.
  • The interface between the visited IdP and the home IdP is the same as the interface between the home service provider and the home IdP.
  • The technical solution disclosed by the present invention solves the problem of a user in an existing identity management system accessing an SP across different IdM systems. The method is simple and easy, and does not need to change the general model and communication mechanism of the original IdM system authentication: the IdM system only needs to add the forwarding and conversion authorization mechanism, which solves the problem of access authentication across IdM systems.
  • The method of the invention satisfies users' needs and enables the IdM system to be more widely used.
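The flow of steps 301 to 313, including the address check of step 305 and the result mapping of step 311, modelled as an added Python example. This is not code from the patent or from the applicant; the IdP addresses, user names, credential store and the two result formats are constructed assumptions. It shows the three points a reviewer of such a design would check: the visited IdP reaches the home IdP through the same authenticate() interface a home SP would use, the credential is supplied by the user to the home IdP only (the visited IdP never handles it), and the format mapping fails closed on any result value it does not recognise.

```python
"""Toy model of cross-IdM authentication: visited SP -> visited IdP -> home IdP.

All addresses, users and secrets below are constructed for this example.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict

VISITED_IDP_ADDR = "idp.visited.example"   # hypothetical visited IdP
HOME_IDP_ADDR = "idp.home.example"         # hypothetical home IdP

# Models steps 307-308: the IdP asks the user terminal for a credential.
CredentialChannel = Callable[[str], str]


@dataclass
class IdP:
    """An IdP in one IdM system.

    authenticate() is the interface a home SP uses; in this design the visited
    IdP, acting as an SP, calls exactly the same interface (steps 306-310).
    """
    address: str
    credentials: Dict[str, str]  # user_id -> secret (constructed sample store)

    def authenticate(self, user_id: str, ask_user: CredentialChannel) -> dict:
        expected = self.credentials.get(user_id)
        if expected is None:
            ok = False                      # unknown user: never prompt, just fail
        else:
            supplied = ask_user(user_id)    # credential goes to this IdP only
            ok = hmac.compare_digest(expected, supplied)
        # The result carries the user ID (step 310) so the caller can match it.
        return {"user_id": user_id, "result": "success" if ok else "failure",
                "issuer": self.address}


class VisitedIdP:
    """Visited IdP: authenticates local users itself, forwards the rest (step 305)."""

    # Step 311: home-IdP result format -> visited-system format. Anything not
    # listed maps to DENIED (fail closed).
    RESULT_MAP = {"success": "OK", "failure": "DENIED"}

    def __init__(self, local: IdP, peers: Dict[str, IdP]):
        self.local = local
        self.peers = peers  # home IdPs reachable over the IdP-IdP interface, by address

    def authenticate_for_sp(self, user_id: str, home_idp_addr: str,
                            ask_user: CredentialChannel) -> dict:
        if home_idp_addr == self.local.address:          # step 305: address check
            raw = self.local.authenticate(user_id, ask_user)
        else:
            home = self.peers.get(home_idp_addr)
            if home is None:                              # no interface to that IdM system
                return {"uid": user_id, "status": "DENIED", "auth_by": None,
                        "reason": "unknown home IdP"}
            raw = home.authenticate(user_id, ask_user)    # steps 306-310, SP role
            if raw.get("user_id") != user_id:             # result must match our request
                return {"uid": user_id, "status": "DENIED", "auth_by": home_idp_addr,
                        "reason": "user ID mismatch"}
        return self.to_local_format(raw)                  # steps 311-312

    def to_local_format(self, raw: dict) -> dict:
        status = self.RESULT_MAP.get(raw.get("result"), "DENIED")
        return {"uid": raw["user_id"], "status": status, "auth_by": raw["issuer"]}


def demo_flow() -> dict:
    """Runs four cases: local user, roaming user, roaming user with a bad
    credential, and a user whose home IdP the visited IdP cannot reach."""
    visited = IdP(VISITED_IDP_ADDR, {"alice": "alice-secret"})
    home = IdP(HOME_IDP_ADDR, {"bob": "bob-secret"})
    vidp = VisitedIdP(visited, {HOME_IDP_ADDR: home})

    def good_user(uid: str) -> str:          # user terminal answering the prompt
        return {"alice": "alice-secret", "bob": "bob-secret"}[uid]

    def bad_user(uid: str) -> str:
        return "wrong"

    return {
        "local": vidp.authenticate_for_sp("alice", VISITED_IDP_ADDR, good_user),
        "roaming_ok": vidp.authenticate_for_sp("bob", HOME_IDP_ADDR, good_user),
        "roaming_bad": vidp.authenticate_for_sp("bob", HOME_IDP_ADDR, bad_user),
        "unknown_idp": vidp.authenticate_for_sp("carol", "idp.nowhere.example", good_user),
    }


if __name__ == "__main__":
    for name, result in demo_flow().items():
        print(f"{name}: {result}")
```

The `peers` table stands in for the trust relationship the patent assumes between the two IdM systems: an address the visited IdP has no interface to is refused rather than contacted, and a result whose user ID differs from the one requested is discarded before any mapping happens.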

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention relates to a system and method for accessing a visited service provider (SP). When a user accesses the visited SP, a visited identity provider (IdP) acquires the user information and then, through the interface between the visited IdP and the user's home IdP, requests the home IdP to authenticate the user; the home IdP returns the authentication result to the visited IdP once authentication is complete; the visited IdP forwards the authentication result to the visited SP; and the visited SP provides services to the user according to the authentication result, the interface between the visited IdP and the home IdP being the same as the interface between the home SP and the home IdP. The technical solution disclosed in the present invention solves the problem of the prior identity management (IdM) system in which a user accesses an SP across different IdM systems.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009101623742A CN101998398A (zh) 2009-08-11 2009-08-11 System and method for accessing a visited service provider
CN200910162374.2 2009-08-11

Publications (1)

Publication Number Publication Date
WO2011017921A1 true WO2011017921A1 (fr) 2011-02-17

Family

ID=43585897

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/071187 WO2011017921A1 (fr) 2009-08-11 2010-03-22 System and method for accessing a visited service provider

Country Status (2)

Country Link
CN (1) CN101998398A (fr)
WO (1) WO2011017921A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11330546B1 (en) 2020-12-11 2022-05-10 Cisco Technology, Inc. Controlled access to geolocation data in open roaming federations

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105592031B (zh) * 2014-11-25 2019-07-19 中国银联股份有限公司 User login method and system based on identity authentication
CN106257862B (zh) * 2015-06-19 2019-09-17 中兴新能源汽车有限责任公司 Method and device for authenticating a wireless charging device and a charging server
CN106059994B (zh) * 2016-04-29 2020-02-14 华为技术有限公司 Data transmission method and network device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388773A (zh) * 2007-09-12 2009-03-18 中国移动通信集团公司 Identity management platform, service server, unified login system and method
WO2009074709A1 (fr) * 2007-12-10 2009-06-18 Nokia Corporation Authentication arrangement
CN101471777A (zh) * 2007-12-29 2009-07-01 中国科学院计算技术研究所 Domain-name-based cross-domain access control system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHEN JIANYONG ET AL.: "Identity Management Technology and Its Development", TELECOMMUNICATIONS SCIENCE, no. 2, February 2009 (2009-02-01), pages 35 - 41 *

Also Published As

Publication number Publication date
CN101998398A (zh) 2011-03-30

Similar Documents

Publication Publication Date Title
CN110800331B (zh) Network authentication method, related device and system
US9549318B2 (en) System and method for delayed device registration on a network
JP2005339093A (ja) Authentication method, authentication system, authentication proxy server, network access authentication server, program, and recording medium
US20160380999A1 (en) User Identifier Based Device, Identity and Activity Management System
WO2012055339A1 (fr) Authentication routing system and method, and cloud computing service authentication router
WO2014048236A1 (fr) Method and apparatus for registering a terminal
EP3308499A1 (fr) Service provider certificate management
WO2013040957A1 (fr) Single sign-on method and system, and information processing method and system
WO2006097041A1 (fr) General authentication framework and method for implementing authentication
US20060183463A1 (en) Method for authenticated connection setup
WO2008125062A1 (fr) Method for determining user admission and paging in a mobile communication system, and related system and device
JP2020035079A (ja) System and data processing method
WO2019056971A1 (fr) Authentication method and device
CN114189380A (zh) Zero-trust-based distributed authentication system and authorization method for IoT devices
WO2011017921A1 (fr) System and method for accessing a visited service provider
WO2011029296A1 (fr) System and method for providing machine-to-machine equipment with a machine communication identity module
WO2013182126A1 (fr) Method and platform for unified management and control of ubiquitous terminals
WO2015100874A1 (fr) Method and system for local gateway access management
WO2011063658A1 (fr) Unified security authentication method and system
WO2011015091A1 (fr) Method, device, system and authentication, authorization and accounting (AAA) server for home node base station access
JP6153622B2 (ja) Method and apparatus for an Internet Protocol multimedia subsystem terminal to access a network
WO2011131002A1 (fr) Method and system for identity management
WO2007095806A1 (fr) General authentication system and method for accessing the network application function of the system
WO2008055448A1 (fr) Method, apparatus and system for acquiring access information of a user terminal
WO2021104152A1 (fr) Application login methods and application accessing an application server, and electronic device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10807866

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10807866

Country of ref document: EP

Kind code of ref document: A1