WO2011060834A1 - Service access control - Google Patents
Service access control Download PDFInfo
- Publication number
- WO2011060834A1 WO2011060834A1 PCT/EP2009/065609 EP2009065609W WO2011060834A1 WO 2011060834 A1 WO2011060834 A1 WO 2011060834A1 EP 2009065609 W EP2009065609 W EP 2009065609W WO 2011060834 A1 WO2011060834 A1 WO 2011060834A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- credentials
- request
- application
- additional credentials
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/40—User authentication by quorum, i.e. whereby two or more security principals are required
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
Definitions
- the present invention relates to authentication, service access control and identity management.
- Federated identity management or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise
- a goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, and without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience .
- SAML Security Assertion Markup Language
- SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions) .
- SAML is a specification defined by the OASIS (Organization for the Advancement of Structured Information Standards) .
- FIG. 1 is a block diagram, indicated generally by the reference numeral 2, showing a known system in which elements of the present invention may be used.
- the system 2 comprises a user browser 4, an application 8 and an identity provider 10.
- the user browser 4, application 8 and identity provider 10 are each coupled to the Internet 6, or some other network, and are able to communicate with each other via the Internet.
- Figure 2 is a message sequence, indicated generally by the reference numeral 20, showing an exemplary use of the system 2 to provide a user at the user browser 4 with access to the application 8.
- the message sequence 20 starts with a service access request 22 being sent from the user browser 4 to the application 8.
- the application 8 requires credentials for the user to be provided before granting the user access to the application. Accordingly, the application 8 sends a credentials request 24 to the identity provider 10.
- the identity provider 10 provides a message 26 including user credentials to the application 8. Assuming that the user credentials are acceptable to the application 8, the application provides access to the user browser 4 in a service access message 28.
- the message 24 may be implemented using a SAML Request that is sent from the application 8 to the identity provider 10 via the user browser 4 using redirection.
- the message 26 may be implemented using a SAML Response that is sent from the identity provider 10 to the application 8 via the user browser 4 using redirection.
- the skilled person will be aware of many alternative mechanisms that could be used.
- the message sequence 20 can work well when a particular user has a single account at a particular application. However, this is not always the case.
- the user may be both an administrator and a user of a particular application or service.
- the user may be acting as a stand-in for another user. For example, when a first user is on vacation, a second user may be given access to the first user's account for the duration of the vacation.
- the user may have access to a personal bank account, a joint bank account with a partner, and the bank accounts of his or her children. All of those bank accounts may be provided by the same service provider.
- mail may be collected by a person other than the addressee of the mail. This might be a permanent arrangement or a temporary arrangement (e.g. to ensure that mail is received during a vacation) .
- the message sequence 20 does not enable a user with multiple accounts to control access to those accounts.
- the present invention seeks to address at least some of the problems outlined above.
- a method comprising: receiving first user
- the additional credentials data for the user may comprise an indication that no
- the additional credentials data for the user may comprise additional user credentials for that user.
- a service provider comprising: a first input for receiving (e.g. from an identity provider) user credentials for a user; a first output for sending (to the identity provider) a request for additional credentials for the user (from the identity provider) ; and a second input for
- different inputs may share the same physical inputs of a device
- different outputs may share the same physical outputs of a device
- some inputs and outputs may share the same physical input-output of a device.
- the invention enables a user to use single-sign-on methodologies to obtain access to a service where that user has more than one account.
- the invention enables the application to request and obtain further credentials for that user (if available) in order to enable the user to gain access to the desired user account.
- the request for additional credentials for the user may be sent on request by the user.
- the additional credentials request is always performed.
- credentials request could be issued for any user who has asked for an additional credentials request to be made before, or where the application is aware that the user has multiple accounts at the application (or has had in the past), or in specific circumstances, such as when the user is accessing an administrator account (indicating that the user may have a non-administrator account) .
- a third input may be provided that is adapted to enable the user to request said additional credentials for the user.
- the user may be able to prompt a service provider to obtain additional credentials for the user, thereby enabling the user to obtain access to a different account at the application.
- the invention may include presenting the user with a list of options (e.g. accounts) available to the user on the basis of the first credentials and the additional credentials for the user.
- the invention may include the user selecting one of the said options.
- the options may relate to different bank accounts that the user has access to (e.g. a personal bank account, a joint bank account with a partner, a bank account of a child of the user etc.) .
- a second output may be provided that is adapted to provide a message enabling the user to be presented with a list of options (e.g. accounts) available to the user on the basis of the first credentials and the additional credentials for the user.
- a user may request access to his email account.
- the email server may prompt the user to indicate whether he wishes to access his own account, the account of his boss (which he has permanent access to) or the account of his colleague (which he has temporary access to whilst that colleague is on vacation) .
- a fourth input may be provided for receiving a selection (typically from the user) based on the list of options available to the user.
- a selection typically from the user
- the user may be able to indicate to the application, which of a number of available accounts he wishes to use.
- the said first user credentials for the user may be provided by the identity provider (e.g. in a single-sign-on
- the first user credentials are obtained in response to a request by the user to access a service that requires user authentication.
- a method comprising: receiving a request from a service provider for additional credentials for a user (typically a user logged-in at the service provider) ;
- an identity provider comprising: a first input for receiving a request from a service provider for additional credentials for a user (typically a user logged-in at the service provider); a first processor (or some other means) for determining whether additional credentials are stored for the user (e.g. in accordance with a policy); and a first output for providing an additional credentials response to the service provider.
- the additional credentials response may comprise the
- the additional credentials response may comprise simply an indication that no such additional credentials are found.
- the additional credentials may be stored as a policy at an identity provider.
- a means may be provided for modifying the said policy.
- the invention may include means for providing or modifying stored additional credentials.
- a policy defining such additional credentials may be stored at the identity provider and means may be provided for modifying the stored policy. Providing policies that can readily be modified at the identity provider provides control and flexibility for the users.
- the additional credentials response may be dependent on the identity of the service provider.
- a computer program comprising: code (or some other means) for receiving first user credentials for a user; code (or some other means) for sending a request to an identity provider (typically either directly or using redirection) for additional credentials for the user; and code (or some other means) for receiving additional
- the computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
- a computer program comprising: code (or some other means) for receiving a request from a service provider for additional credentials for a user (typically a user that is logged-in at the service provider) ; code (or some other means) for determining additional credentials for the user (typically in accordance with a policy) ; and code (or some other means) for providing the determined additional
- the computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
- Figure 1 is a block diagram of a system in which the present invention may be used
- Figure 2 is a message sequence showing a use of the system of Figure 1;
- Figure 3 is a message sequence showing an exemplary use of the system of Figure 1 in accordance with a first aspect of the present invention.
- Figure 4 is a message sequence showing an exemplary use of the system of Figure 1 in accordance with a second aspect of the present invention.
- Figure 3 is a message sequence, indicated generally by the reference numeral 30, showing an exemplary use of the system 10 in accordance with an exemplary embodiment of the present invention.
- the message sequence 30 starts with a service access request 32 sent from the user browser 4 to the application 8.
- the application 8 requires credentials for the user to be provided before granting the user access to the application. Accordingly, the application 8 sends a credentials request 34 to the identity provider 10.
- the identity provider 10 provides a message 36 including user credentials to the application 8.
- the messages 32, 34 and 36 are the same as the messages 22, 24 and 26 of the message sequence 20 described above.
- the messages 34 and 36 may be transmitted via the user browser 4 using redirection and may be SAML Request and SAML Response messages respectively.
- the application 8 on receipt of the credentials messages 36, the application 8 asks the identity provider to indicate whether there are any further user credentials stored at the identity provider for that user that might be relevant. Thus, the application 8 can determine whether the user has more than one account at the application.
- application 8 requests additional credential information for the user. This request is implemented by sending an
- the message 38 may be sent directly from the application 8 to the identity provider 10. Alternatively, the message 38 may be sent from the application 8 to the identity provider 10 via the user browser 4 using redirection.
- the message 38 might contain the following information:
- the message might contain further information, such as :
- the identity provider 10 In response to receiving the additional credentials message 38, the identity provider 10 checks the user's profile stored at the identity provider to determine whether the user has any further accounts at the application 8. If so, the identity provider 10 checks the user' s policies to determine what information should be provided to the application 8.
- the identity provider 10 prepares a response to the request 38 depending on the user data and policies stored at the identity provider and sends that response to the application 8 as an additional credentials response 40.
- an exemplary policy stored at a particular user' s identity provider may have the following rules : 1. User "colleague A" can answer my emails from 1 November 2009 to 20 November 2009.
- My secretary can post information to my social networking site, at any time, using my name.
- the additional credentials response 40 might, for example, contain only a "success status" signal in the event that the user has no further accounts at the application 8.
- the additional credentials response 40 may also contain a list of subjects under which the user is also known at the
- application 8 may further contain further information, such as an indication that a particular account of the user is only temporary.
- the application 8 prompts the user to indicate which account should be used. This is achieved by sending a profile selection request 42 from the application 8 to the user browser 4.
- the profile selection request 42 may instruct the browser to display a prompt to the user.
- the user indicates which account should be used and this is sent as a profile selection response 44 from the browser 4 to the application 8.
- the steps 42 and 44 might be omitted.
- the application 8 and/or the identity provider 10 may decide which account should be used, such that the messages 42 and 44 may be omitted.
- account selection could be informed. For example, there may be a policy that indicates that when a user is using a particular device to access the application 8, then a particular account should be preferred. Also, a user could select between accounts using an
- the application 8 has received an indication of which user account should be used.
- the user credentials for that account can be checked and, if the credentials are appropriate, access to the service is granted to the user and this is confirmed in a service response 46 that is sent from the application 8 to the browser 4.
- the various messages shown in the message sequence 30 do not necessarily need to follow immediately one after the after; rather, there may be a significant delay between some of the messages. For example, there may be a delay between the user credentials being received in message 36, and additional user credentials being requested in message 38.
- One possible reason for this, as discussed below with reference to Figure 4, is that the additional credentials request 40 might only be sent in response to a user prompt. However, there are other possible reasons for delays .
- the additional credentials request 38 is always sent, regardless of the identity of the user. In other forms of the invention, the additional credentials request 38 is sent only when the application 8 has some reason for suspecting that the user may have additional credentials. This may be, for example, because the same user has previously used different user credentials, because the user has previously indicated that he has multiple user credentials, or because the user has indicated in the service request 32 that he has multiple user
- the profile selection request 42 might ask the user to indicate whether he wants to access the application 8 in his capacity as a user or in his capacity as an administrator.
- the initial service request 32 might indicate that the user wishes to access the application 8 in a particular mode. In that event, the application 8, on receiving multiple account details, can simply select the appropriate account and the messages 42 and 44 are not required.
- the profile selection request 42 may simply prompt the user to indicate which bank account he wishes to access.
- An advantage of the present invention is the delegation permissions, such as email access when a user is on vacation, can be readily granted and revoked at the identity provider 10, as required. There is no need for either user to interact directly with the application.
- delegated authority can be passed along a chain of users. For example, consider the situation where users A and B both grant user C access to their email inbox. This can readily be recorded at the identity provider 10. Consider now that the user C is unavailable on a particular day. The user C can readily delegate access to his own email inbox and the inbox of user A to user D, whilst delegating access to user B' s inbox to user E.
- the present invention provides a significant amount of flexibility.
- FIG. 4 shows a message sequence, indicated generally by the reference numeral 50, showing an exemplary use of the system 10 in accordance with an alternative embodiment of the present invention.
- the message sequence 50 starts with a service access request 52 being sent from the user browser 4 to the application 8.
- the application 8 requires credentials for the user to be provided before granting the user access to the application. Accordingly, the application 8 sends a credentials request 54 to the identity provider 10.
- the identity provider 10 provides a message 56 including user credentials to the application 8.
- the application 8 checks the user credentials and, if they are acceptable, provides the user with access to the application 8 and indicates this in a message 58 provided to the user browser 4. Accordingly, the messages 52, 54, 56 and 58 are the same as the messages 22, 24, 26 and 28 of the message sequence 20 described above with reference to Figure 2.
- the user indicates that an alternative account should be used at the application 8. The user may, for example, press a button at the browser 4. In response to this indication from the user, an additional service request message 60 is sent from the user browser 4 to the application 8.
- application 8 requests additional credentials information for the user. This request is implemented by sending an
- the message 62 may be the same as the message 38 described above.
- the identity provider 10 In response to receiving the additional credentials message 62, the identity provider 10 checks the user's profile stored at the identity provider to determine whether the user has any further accounts at the application 8. If so, the identity provider 10 checks the user' s policies to determine what information should be provided to the application 8.
- the identity provider 10 prepares a response to the request 62 depending on the user data and policies stored at the identity provider and sends that response to the application 8 as an additional credentials response 64.
- the additional credentials response 64 may be the same as the additional credentials response 40 described above.
- the application 8 prompts the user to indicate which account should be used. This is achieved by sending a profile selection request 66 from the application 8 to the user browser 4.
- the profile selection request 66 may instruct the browser to display a prompt to the user.
- the user indicates which account should be used and this is sent as a profile selection response 68 from the browser 4 to the application 8.
- the messages 66 and 68 may be the same as the messages 42 and 44 described above. As discussed above with reference to Figure 3, in some forms of the invention, the messages 66 and 68 may be omitted.
- the application 8 has received an indication of which user account should be used.
- the user credentials for that account can be checked and, if the credentials are appropriate, access to the service is granted to the user and this is confirmed in a service response 69 that is sent from the application 8 to the browser 4.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention enables a user to use single-sign-on methodologies to obtain access to a service where that user has more than one account. In addition to querying an identity provider to obtain user credentials in the usual way, the invention enables an application to request and obtain further credentials for that user in order to enable the user to gain access to the desired user account. The user may then be prompted to select which of the available accounts should be used at the application.
Description
Description
Title
Service Access Control
The present invention relates to authentication, service access control and identity management.
More and more services and applications are becoming
available on the Internet or via other networks and many of these services and applications require user authentication. One approach that has been developed to assist users to access multiple services and applications, each requiring separate authentication procedures, involves the use of identity federation.
Federated identity management, or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise
autonomous security domains. A goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, and without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience .
Security Assertion Markup Language (SAML) is an XML
(extensible Markup Language) standard for exchanging
authentication and authorisation data between security domains. For example, SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions) . SAML is a specification defined by the OASIS (Organization for the Advancement of Structured Information Standards) . Some embodiments of the invention may make use of OASIS features,
but this is not essential to all embodiments of the
invention .
Figure 1 is a block diagram, indicated generally by the reference numeral 2, showing a known system in which elements of the present invention may be used. The system 2 comprises a user browser 4, an application 8 and an identity provider 10. The user browser 4, application 8 and identity provider 10 are each coupled to the Internet 6, or some other network, and are able to communicate with each other via the Internet.
Figure 2 is a message sequence, indicated generally by the reference numeral 20, showing an exemplary use of the system 2 to provide a user at the user browser 4 with access to the application 8. The message sequence 20 starts with a service access request 22 being sent from the user browser 4 to the application 8. The application 8 requires credentials for the user to be provided before granting the user access to the application. Accordingly, the application 8 sends a credentials request 24 to the identity provider 10. In response, the identity provider 10 provides a message 26 including user credentials to the application 8. Assuming that the user credentials are acceptable to the application 8, the application provides access to the user browser 4 in a service access message 28.
Mechanisms for implementing the credentials messages 24 and 26 are well known in the art. For example, the message 24 may be implemented using a SAML Request that is sent from the application 8 to the identity provider 10 via the user browser 4 using redirection. Similarly, the message 26 may be implemented using a SAML Response that is sent from the identity provider 10 to the application 8 via the user browser 4 using redirection. The skilled person will be aware of many alternative mechanisms that could be used.
The message sequence 20 can work well when a particular user has a single account at a particular application. However, this is not always the case.
There are many reasons why a user may have multiple accounts at a particular application. For example:
1. The user may be both an administrator and a user of a particular application or service.
2. The user may be acting as a stand-in for another user. For example, when a first user is on vacation, a second user may be given access to the first user's account for the duration of the vacation.
3. The user may have access to a personal bank account, a joint bank account with a partner, and the bank accounts of his or her children. All of those bank accounts may be provided by the same service provider.
4. In the case of registered mail, mail may be collected by a person other than the addressee of the mail. This might be a permanent arrangement or a temporary arrangement (e.g. to ensure that mail is received during a vacation) .
The message sequence 20 does not enable a user with multiple accounts to control access to those accounts.
The present invention seeks to address at least some of the problems outlined above.
In accordance with an aspect of the invention, there is provided a method comprising: receiving first user
credentials for a user; sending a request to an identity provider (typically either directly or using redirection) for additional credentials for the user; and receiving additional credentials data for the user. The additional credentials data for the user may comprise an indication that no
additional credentials are stored for that user.
Alternatively, the additional credentials data for the user may comprise additional user credentials for that user.
In accordance with an aspect of the present invention, there is provided a service provider comprising: a first input for receiving (e.g. from an identity provider) user credentials for a user; a first output for sending (to the identity provider) a request for additional credentials for the user (from the identity provider) ; and a second input for
receiving additional credentials data for the user (in response to the request for additional credentials) . In this (and all) embodiments of the invention described herein, different inputs may share the same physical inputs of a device, different outputs may share the same physical outputs of a device, and some inputs and outputs may share the same physical input-output of a device.
Thus, the invention enables a user to use single-sign-on methodologies to obtain access to a service where that user has more than one account. The invention enables the application to request and obtain further credentials for that user (if available) in order to enable the user to gain access to the desired user account.
The request for additional credentials for the user may be sent on request by the user. In an alternative embodiment, the additional credentials request is always performed.
Other alternatives exist, for example an additional
credentials request could be issued for any user who has asked for an additional credentials request to be made before, or where the application is aware that the user has multiple accounts at the application (or has had in the past), or in specific circumstances, such as when the user is accessing an administrator account (indicating that the user may have a non-administrator account) . A third input may be provided that is adapted to enable the user to request said additional credentials for the user. Thus, the user may be able to prompt a service provider to obtain additional credentials for the user, thereby enabling the user to obtain access to a different account at the application.
The invention may include presenting the user with a list of options (e.g. accounts) available to the user on the basis of the first credentials and the additional credentials for the user. The invention may include the user selecting one of the said options. For example, the options may relate to different bank accounts that the user has access to (e.g. a personal bank account, a joint bank account with a partner, a bank account of a child of the user etc.) .
A second output may be provided that is adapted to provide a message enabling the user to be presented with a list of options (e.g. accounts) available to the user on the basis of the first credentials and the additional credentials for the user. For example, a user may request access to his email account. In response, the email server may prompt the user to indicate whether he wishes to access his own account, the account of his boss (which he has permanent access to) or the account of his colleague (which he has temporary access to whilst that colleague is on vacation) .
A fourth input may be provided for receiving a selection (typically from the user) based on the list of options available to the user. Thus, the user may be able to indicate to the application, which of a number of available accounts he wishes to use.
The said first user credentials for the user may be provided by the identity provider (e.g. in a single-sign-on
procedure) .
In some forms of the invention, the first user credentials are obtained in response to a request by the user to access a service that requires user authentication.
In accordance with an aspect of the invention, there is provided a method comprising: receiving a request from a service provider for additional credentials for a user
(typically a user logged-in at the service provider) ;
determining whether additional credentials are stored (e.g. at an identity provider) for the user (e.g. in accordance with a policy) ; and providing an additional credentials response to the service provider.
In accordance with an aspect of the invention, there is provided an identity provider comprising: a first input for receiving a request from a service provider for additional credentials for a user (typically a user logged-in at the service provider); a first processor (or some other means) for determining whether additional credentials are stored for the user (e.g. in accordance with a policy); and a first output for providing an additional credentials response to the service provider.
The additional credentials response may comprise the
determined additional credentials, in the event that such credentials are found. The additional credentials response may comprise simply an indication that no such additional credentials are found.
The additional credentials may be stored as a policy at an identity provider. A means may be provided for modifying the said policy. The invention may include means for providing or modifying stored additional credentials. For example, a policy defining such additional credentials may be stored at the identity provider and means may be provided for modifying the stored policy. Providing policies that can readily be modified at the identity provider provides control and flexibility for the users.
The additional credentials response may be dependent on the identity of the service provider.
In accordance with a further aspect of the invention, there is provided a computer program comprising: code (or some other means) for receiving first user credentials for a user;
code (or some other means) for sending a request to an identity provider (typically either directly or using redirection) for additional credentials for the user; and code (or some other means) for receiving additional
credentials data for the user. The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer. In accordance with a further aspect of the invention, there is provided a computer program comprising: code (or some other means) for receiving a request from a service provider for additional credentials for a user (typically a user that is logged-in at the service provider) ; code (or some other means) for determining additional credentials for the user (typically in accordance with a policy) ; and code (or some other means) for providing the determined additional
credentials to the service provider. The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
Embodiments of the invention are described below, by way of example only, with reference to the following schematic drawings .
Figure 1 is a block diagram of a system in which the present invention may be used;
Figure 2 is a message sequence showing a use of the system of Figure 1;
Figure 3 is a message sequence showing an exemplary use of the system of Figure 1 in accordance with a first aspect of the present invention; and
Figure 4 is a message sequence showing an exemplary use of the system of Figure 1 in accordance with a second aspect of the present invention.
Figure 3 is a message sequence, indicated generally by the reference numeral 30, showing an exemplary use of the system 10 in accordance with an exemplary embodiment of the present invention. The message sequence 30 starts with a service access request 32 sent from the user browser 4 to the application 8. The application 8 requires credentials for the user to be provided before granting the user access to the application. Accordingly, the application 8 sends a credentials request 34 to the identity provider 10. In response, the identity provider 10 provides a message 36 including user credentials to the application 8.
Accordingly, the messages 32, 34 and 36 are the same as the messages 22, 24 and 26 of the message sequence 20 described above. As described above with reference to the message sequence 20, the messages 34 and 36 may be transmitted via the user browser 4 using redirection and may be SAML Request and SAML Response messages respectively.
In the message sequence 30, on receipt of the credentials messages 36, the application 8 asks the identity provider to indicate whether there are any further user credentials stored at the identity provider for that user that might be relevant. Thus, the application 8 can determine whether the user has more than one account at the application.
Thus, on receipt of the credentials message 36, the
application 8 requests additional credential information for the user. This request is implemented by sending an
additional credentials request 38 to the identity provider 10. The message 38 may be sent directly from the application 8 to the identity provider 10. Alternatively, the message 38 may be sent from the application 8 to the identity provider 10 via the user browser 4 using redirection. The message 38 might contain the following information:
• an indication of the issuer (i.e. identifying the
application 8); and
• a subject (i.e. identifying the user at the user browser 4) .
In addition, the message might contain further information, such as :
• a specific context (for which special functions of the service may the user act as a different person) ; and
• a specific date range (between which dates may the user act as a different person) .
In response to receiving the additional credentials message 38, the identity provider 10 checks the user's profile stored at the identity provider to determine whether the user has any further accounts at the application 8. If so, the identity provider 10 checks the user' s policies to determine what information should be provided to the application 8.
The identity provider 10 prepares a response to the request 38 depending on the user data and policies stored at the identity provider and sends that response to the application 8 as an additional credentials response 40. By way of example, an exemplary policy stored at a particular user' s identity provider may have the following rules : 1. User "colleague A" can answer my emails from 1 November 2009 to 20 November 2009.
2. User "colleague B" can access a tool called "MyWorkTool" in my name from 10 November 2009 to 20 November 2009.
3. My wife can access my bank account at any time.
4. My secretary can post information to my social networking site, at any time, using my name.
The additional credentials response 40 might, for example, contain only a "success status" signal in the event that the user has no further accounts at the application 8. The additional credentials response 40 may also contain a list of subjects under which the user is also known at the
application 8 and may further contain further information,
such as an indication that a particular account of the user is only temporary.
In the message sequence 30, it is assumed that the additional credentials response 40 reveals that the user at the user browser 4 has multiple accounts at the application 8. In response to receiving this information, the application 8 prompts the user to indicate which account should be used. This is achieved by sending a profile selection request 42 from the application 8 to the user browser 4. The profile selection request 42 may instruct the browser to display a prompt to the user. In response to the request 42, the user indicates which account should be used and this is sent as a profile selection response 44 from the browser 4 to the application 8.
Of course, if the user has only one account at the
application 8, then the steps 42 and 44 might be omitted. Also, even in the event that the user has multiple accounts at the application, the application 8 and/or the identity provider 10 may decide which account should be used, such that the messages 42 and 44 may be omitted. Furthermore, there are many other ways in which account selection could be informed. For example, there may be a policy that indicates that when a user is using a particular device to access the application 8, then a particular account should be preferred. Also, a user could select between accounts using an
InformationCard . At this stage, the application 8 has received an indication of which user account should be used. The user credentials for that account can be checked and, if the credentials are appropriate, access to the service is granted to the user and this is confirmed in a service response 46 that is sent from the application 8 to the browser 4.
It should be noted that the various messages shown in the message sequence 30 do not necessarily need to follow
immediately one after the after; rather, there may be a significant delay between some of the messages. For example, there may be a delay between the user credentials being received in message 36, and additional user credentials being requested in message 38. One possible reason for this, as discussed below with reference to Figure 4, is that the additional credentials request 40 might only be sent in response to a user prompt. However, there are other possible reasons for delays .
In some forms of the invention, the additional credentials request 38 is always sent, regardless of the identity of the user. In other forms of the invention, the additional credentials request 38 is sent only when the application 8 has some reason for suspecting that the user may have additional credentials. This may be, for example, because the same user has previously used different user credentials, because the user has previously indicated that he has multiple user credentials, or because the user has indicated in the service request 32 that he has multiple user
credentials. Of course, other scenarios are possible. For example, in the event that an administrator logs into an application, the application can issue an additional
credentials request simply because it is quite common for an administrator to have a separate user account at such a service .
As discussed above, there are many reasons why a user might have multiple accounts at a particular service provider or application. The use of the present invention in some of the scenarios referred to above is discussed below.
In the event that the user is both an administrator and a user of a particular application or service, the profile selection request 42 might ask the user to indicate whether he wants to access the application 8 in his capacity as a user or in his capacity as an administrator. Alternatively, the initial service request 32 might indicate that the user
wishes to access the application 8 in a particular mode. In that event, the application 8, on receiving multiple account details, can simply select the appropriate account and the messages 42 and 44 are not required.
Similarly, in the event that the user has access to a personal bank account, a joint bank account with a partner, and the bank accounts of his or her children, the profile selection request 42 may simply prompt the user to indicate which bank account he wishes to access.
In the event that the user is acting as a stand-in for another user whilst that other user is on vacation, the profile selection request 42 might ask the user to indicate whether he wants to access his own account or the account of the user that is on vacation. An advantage of the present invention is the delegation permissions, such as email access when a user is on vacation, can be readily granted and revoked at the identity provider 10, as required. There is no need for either user to interact directly with the application. A further advantage is that delegated authority can be passed along a chain of users. For example, consider the situation where users A and B both grant user C access to their email inbox. This can readily be recorded at the identity provider 10. Consider now that the user C is unavailable on a particular day. The user C can readily delegate access to his own email inbox and the inbox of user A to user D, whilst delegating access to user B' s inbox to user E. Thus, the present invention provides a significant amount of flexibility.
Figure 4 shows a message sequence, indicated generally by the reference numeral 50, showing an exemplary use of the system 10 in accordance with an alternative embodiment of the present invention. The message sequence 50 starts with a service access request 52 being sent from the user browser 4 to the application 8. The application 8 requires credentials for the user to be provided before granting the user access
to the application. Accordingly, the application 8 sends a credentials request 54 to the identity provider 10. In response, the identity provider 10 provides a message 56 including user credentials to the application 8.
In the message sequence 50, on receipt of the credentials message 56, the application 8 checks the user credentials and, if they are acceptable, provides the user with access to the application 8 and indicates this in a message 58 provided to the user browser 4. Accordingly, the messages 52, 54, 56 and 58 are the same as the messages 22, 24, 26 and 28 of the message sequence 20 described above with reference to Figure 2. At some point, the user indicates that an alternative account should be used at the application 8. The user may, for example, press a button at the browser 4. In response to this indication from the user, an additional service request message 60 is sent from the user browser 4 to the application 8.
On receipt of the additional service request 60, the
application 8 requests additional credentials information for the user. This request is implemented by sending an
additional credentials request 62 to the identity provider 10. The message 62 may be the same as the message 38 described above.
In response to receiving the additional credentials message 62, the identity provider 10 checks the user's profile stored at the identity provider to determine whether the user has any further accounts at the application 8. If so, the identity provider 10 checks the user' s policies to determine what information should be provided to the application 8.
The identity provider 10 prepares a response to the request 62 depending on the user data and policies stored at the identity provider and sends that response to the application
8 as an additional credentials response 64. The additional credentials response 64 may be the same as the additional credentials response 40 described above. In the event that the message 64 indicates that the user has multiple accounts at the application 8, the application 8 prompts the user to indicate which account should be used. This is achieved by sending a profile selection request 66 from the application 8 to the user browser 4. The profile selection request 66 may instruct the browser to display a prompt to the user. In response to the request 66, the user indicates which account should be used and this is sent as a profile selection response 68 from the browser 4 to the application 8. Thus, the messages 66 and 68 may be the same as the messages 42 and 44 described above. As discussed above with reference to Figure 3, in some forms of the invention, the messages 66 and 68 may be omitted.
At this stage, the application 8 has received an indication of which user account should be used. The user credentials for that account can be checked and, if the credentials are appropriate, access to the service is granted to the user and this is confirmed in a service response 69 that is sent from the application 8 to the browser 4.
The embodiments of the invention described above are
illustrative rather than restrictive. It will be apparent to those skilled in the art that the above devices and methods may incorporate a number of modifications without departing from the general scope of the invention. It is intended to include all such modifications within the scope of the invention insofar as they fall within the scope of the appended claims .
Claims
1. A method comprising:
receiving first user credentials for a user;
sending a request to an identity provider for additional credentials for the user; and
receiving additional credentials data for the user.
2. A method as claimed in claim 1, wherein sending a request for additional credentials for the user is performed on request by the user.
3. A method as claimed in claim 1 or claim 2, wherein said first user credentials for the user are provided by the identity provider.
4. A method as claimed in any one of claims 1 to 3, further comprising presenting the user with a list of options available to the user on the basis of the first credentials and the additional credentials data for the user.
5. A method as claimed in any preceding claim, further comprising receiving an indication from the user regarding which of a plurality of available user accounts should be used.
6. A method as claimed in any preceding claim, wherein the first user credentials are obtained in response to a request by the user to access a service that requires user
authentication.
7. A method comprising:
receiving a request from a service provider for
additional credentials for a user;
determining whether additional credentials are stored for the user; and
providing an additional credentials response to the service provider .
8. A service provider comprising:
a first input for receiving user credentials for a user; a first output for sending a request for additional credentials for the user; and
a second input for receiving additional credentials data for the user.
9. A service provider as claimed in claim 8, further comprising a third input adapted to enable the user to request said additional credentials for the user.
10. A service provider as claimed in claim 8 or claim 9, further comprising a second output for providing a message enabling the user to be presented with a list of options available to the user on the basis of the first credentials and the additional credentials data for the user.
11. An identity provider comprising:
a first input for receiving a request from a service provider for additional credentials for a user;
a first processor for determining whether additional credentials are available for the user; and
a first output for providing an additional credentials response to the service provider.
12. An identity provider as claimed in claim 11, wherein the additional credentials response is dependent on the identity of the service provider.
13. An identity provider as claimed in claim 11 or claim 12, further comprising means for providing or modifying the additional credentials stored for a user.
14. A computer program product comprising:
means for receiving first user credentials for a user; means for sending a request to an identity provider for additional credentials for the user; and means for receiving additional credentials data for the user .
15. A computer program product comprising:
means for receiving a request from a service provider for additional credentials for a user;
means for determining whether additional credentials are available for the user; and
means for providing the determined additional credentials to the service provider.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP09775131A EP2504967A1 (en) | 2009-11-23 | 2009-11-23 | Service access control |
PCT/EP2009/065609 WO2011060834A1 (en) | 2009-11-23 | 2009-11-23 | Service access control |
US13/511,192 US20120240210A1 (en) | 2009-11-23 | 2009-11-23 | Service access control |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2009/065609 WO2011060834A1 (en) | 2009-11-23 | 2009-11-23 | Service access control |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011060834A1 true WO2011060834A1 (en) | 2011-05-26 |
Family
ID=42671866
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2009/065609 WO2011060834A1 (en) | 2009-11-23 | 2009-11-23 | Service access control |
Country Status (3)
Country | Link |
---|---|
US (1) | US20120240210A1 (en) |
EP (1) | EP2504967A1 (en) |
WO (1) | WO2011060834A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8832271B2 (en) * | 2010-12-03 | 2014-09-09 | International Business Machines Corporation | Identity provider instance discovery |
US8875268B2 (en) * | 2012-08-09 | 2014-10-28 | Google Inc. | Browser session privacy lock |
CN107147617A (en) * | 2017-04-01 | 2017-09-08 | 北京五八信息技术有限公司 | A kind of single-point logging method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001011450A1 (en) * | 1999-08-05 | 2001-02-15 | Sun Microsystems, Inc. | Single sign-on framework with trust-level mapping to authentication requirements |
US20050177731A1 (en) * | 2004-02-09 | 2005-08-11 | International Business Machines Corporation | Secure management of authentication information |
US7039714B1 (en) * | 2000-01-19 | 2006-05-02 | International Business Machines Corporation | Method of enabling an intermediary server to impersonate a client user's identity to a plurality of authentication domains |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7877790B2 (en) * | 2005-10-31 | 2011-01-25 | At&T Intellectual Property I, L.P. | System and method of using personal data |
US8418234B2 (en) * | 2005-12-15 | 2013-04-09 | International Business Machines Corporation | Authentication of a principal in a federation |
US20080244710A1 (en) * | 2007-03-28 | 2008-10-02 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods and systems for authentication using ip multimedia services identity modules |
US9735964B2 (en) * | 2008-06-19 | 2017-08-15 | Microsoft Technology Licensing, Llc | Federated realm discovery |
-
2009
- 2009-11-23 EP EP09775131A patent/EP2504967A1/en not_active Withdrawn
- 2009-11-23 US US13/511,192 patent/US20120240210A1/en not_active Abandoned
- 2009-11-23 WO PCT/EP2009/065609 patent/WO2011060834A1/en active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001011450A1 (en) * | 1999-08-05 | 2001-02-15 | Sun Microsystems, Inc. | Single sign-on framework with trust-level mapping to authentication requirements |
US7039714B1 (en) * | 2000-01-19 | 2006-05-02 | International Business Machines Corporation | Method of enabling an intermediary server to impersonate a client user's identity to a plurality of authentication domains |
US20050177731A1 (en) * | 2004-02-09 | 2005-08-11 | International Business Machines Corporation | Secure management of authentication information |
Also Published As
Publication number | Publication date |
---|---|
EP2504967A1 (en) | 2012-10-03 |
US20120240210A1 (en) | 2012-09-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8819784B2 (en) | Method for managing access to protected resources and delegating authority in a computer network | |
US10673985B2 (en) | Router-host logging | |
US9239932B2 (en) | Secure handling of user related information between web applications | |
US9542540B2 (en) | System and method for managing application program access to a protected resource residing on a mobile device | |
US10270741B2 (en) | Personal authentication and access | |
EP2689372B1 (en) | User to user delegation service in a federated identity management environment | |
US9311679B2 (en) | Enterprise social media management platform with single sign-on | |
US7926089B2 (en) | Router for managing trust relationships | |
US8595494B2 (en) | Method for managing access to protected resources in a computer network, physical entities and computer programs therefor | |
US8632003B2 (en) | Multiple persona information cards | |
US20110137817A1 (en) | System and method for aggregating and disseminating personal data | |
CN104685511B (en) | Policy management system, ID suppliers system and tactical comment device | |
CN107172054A (en) | A kind of purview certification method based on CAS, apparatus and system | |
WO2013141902A1 (en) | System and method for providing a certificate based on granted permissions | |
WO2010040393A1 (en) | Method for providing access to a service | |
EP3100195B1 (en) | Access control system | |
EP3794476B1 (en) | System and method for the management of multi-domain access credentials of a user able to access a plurality of domains | |
US20120240210A1 (en) | Service access control | |
EP2731308A1 (en) | Method to generate a confidential user token | |
CN101601022B (en) | The supply of digital identity representations | |
Bekara et al. | Enabling user privacy in identity management systems | |
WO2009072801A2 (en) | System for managing identity with privacy policy using number and method thereof | |
Encheva et al. | Sharing protected web resources using distributed role-based modeling | |
Sundar | Study of Facebook’s application architecture |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 09775131 Country of ref document: EP Kind code of ref document: A1 |
|
REEP | Request for entry into the european phase |
Ref document number: 2009775131 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2009775131 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13511192 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |