WO2011131002A1 - Method and system for identity management - Google Patents

Method and system for identity management

Info

Publication number: WO2011131002A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2010/078832
Other languages: French (fr), Chinese (zh)
Inventors: 孙翼舟, 黄兵, 江华
Original assignee: 中兴通讯股份有限公司

Classifications

    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network architectures or network communication protocols for network security)
    • H04L67/53: Network services using third party service providers (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/50 Network services)

Definitions

  • The present invention relates to the field of communications technologies, and in particular to an identity management method and system.
  • IDM: identity management.
  • IDP: identity provider.
  • SP: service provider.
  • The IDP provides identity authentication services for SPs and is responsible for managing user identity information: for example, it accepts user registration requests and manages user identity attributes (attribute changes, revocation, and so on) to keep user identity information secure.
  • The identity services provided by the IDP cover four categories of identity information:
  • 1) Identifier. The identifier can be any tag that represents an entity's identity, for example a user ID, an email address, a pseudonym, or a group name.
  • 2) Credential. An identity security credential is a security parameter used to prove a claimed identity; it can be a password, a token, a security prompt, or PKI key authentication, signature authentication, or password information.
  • 3) Attribute. An identity attribute describes an entity's characteristics, such as the entity type, preferred IP address, domain name, address information, or phone number. Attributes can also include permissions, proxy lists, and special restrictions.
  • 4) Identity pattern. The identity pattern covers the user's reputation, trust record, and historical access record.
  • The user requests a service or resource from the SP and provides information about the user's IDP.
  • The SP asks the IDM supervision center to resolve the domain name of the IDP server submitted by the user, and obtains the network address of the user's IDP.
  • The IDM supervision center sends the IDP network address to the SP.
  • The SP locates the IDP by its network address.
  • The IDP sends a login interface to the user, on which the user enters an account number and password and any other login information used for verification.
  • The user enters the account number, password, and other login information.
  • The SP provides the requested service to the user.
  • A main unresolved problem of the IDM system is what should serve as the identity identifier.
  • The user identifier can be a user ID, an email address, a pseudonym, a group name, or an arbitrary value; there is no uniform identifier.
  • The IDP identifier is used by the IDM supervision center, the SP, and the user to address the IDP server.
  • The IDM standard discussion group proposes to use the URL (Uniform/Universal Resource Locator, also known as the web address) to address the IDP, but URLs depend on the DNS domain name resolution system, whose global root domain resolution is located in the United States. The United States could therefore monitor IDP activity in other countries and endanger national information security. It is therefore necessary to establish user identities and IDP identifiers that are autonomously controlled by each country.
  • The TCP/IP protocol widely used on the existing Internet does not support mobility.
  • When a terminal moves, its IP address changes, which interrupts applications and connections.
  • The essential reason why the IP protocol does not support mobility is that the IP address carries both an identity attribute and a location attribute.
  • In the TCP/IP protocol stack, the IP address is used to identify the communication peer (identity attribute).
  • The IP address also indicates which network segment the user is on and is the basis of routing (location attribute). In a fixed network, the two roles of the IP address do not conflict: because the location of the terminal does not change, the IP address does not change, and the identity attribute does not change either.
  • Movement of the terminal changes its IP address; if the address did not change, the terminal could not be routed to. The change of IP address disconnects the upper-layer TCP/UDP connection and interrupts the service, which is unacceptable for many applications.
  • The concept of the identification network is to separate the identity attribute and the location attribute of the terminal's IP address into two identifiers: an access identifier (AID) representing identity and a location identifier (RID) representing location.
  • The IP address of the edge router where the terminal is located is used as the location identifier of the terminal, which is called the RID of the terminal.
  • When the terminal moves, the RID changes.
  • The terminal only perceives its own AID and the AID of the communication peer, and does not perceive the RID information. All upper-layer connections are established on the basis of the AID; that is, TCP/AID and UDP/AID are used instead of TCP/IP and UDP/IP.
  • The terminal sends a data packet with the destination AID and the source AID as the destination and source addresses, and the edge router converts the AID into the RID after receiving the packet. The RID has the format of an IP address and can be addressed on the existing Internet.
  • The peer edge router converts the RID in the packet back into an AID and sends the packet to the other terminal.
  • The AID encoding format can be defined by the service provider or a government agency; it can use, but is not limited to, the IPv4/IPv6 address format.
  • The present invention provides an identity management method and system to simplify identity management.
  • The present invention provides an identity management method, characterized in that the method is implemented on the basis of an identification network, in which both the terminal and the identity management (IDP) server have an identity identifier (AID) indicating their identity in the identification network.
  • The method includes: when the terminal initiates an identity service process, the access service node (ASN) of the identification network sends the identity service request of the terminal to the IDP server to which the terminal belongs, using the AID of the terminal and the AID of that IDP server.
  • The IDP server to which the terminal belongs implements identity management of the terminal according to the identity service request.
  • The AID of the terminal and the AID of the IDP server to which the terminal belongs may both be provided to the ASN by the terminal when it sends the identity service request.
  • Alternatively, only the AID of the terminal may be provided by the terminal to the ASN when the identity service request is sent; the ASN then queries the monitoring center (IDM) for the IDP server that provides the identity service for the terminal, and obtains the AID of that IDP server.
  • The IDP server to which the terminal belongs may perform identity management of the terminal by: sending a login indication to the terminal, receiving the identity information entered at the terminal, performing identity verification on that identity information, and sending an identity service response carrying the verification result to the terminal through the ASN.
  • The identity service may include any one or more of identity authentication, identity information query, identity information modification, identity information registration, and identity information revocation.
  • The method may further include: when the terminal submits a service request to a service server, the service server initiates an identity authentication process, which includes: the service server sends an identity authentication request, carrying the AID of the terminal, to the IDP server to which the terminal belongs;
  • The IDP server to which the terminal belongs checks, by the AID of the terminal, whether the terminal has already passed verification; if it has, the IDP server proceeds directly to sending the identity authentication response, and if not, it sends an authentication challenge to the terminal;
  • The IDP server to which the terminal belongs sends an identity authentication response, carrying the AID of the terminal and the identity authentication result, to the service server;
  • The service server decides whether to authorize the service request of the terminal according to the identity authentication result of the terminal.
  • The present invention also provides an identity management system, implemented on the basis of an identification network and including an ASN, a terminal, and an identity management (IDP) server, where:
  • The terminal has an identity identifier (AID) indicating its identity in the identification network, and is configured to: send an identity service request, carrying the AID of the terminal, to the IDP server to which it belongs through the ASN; and send identity information to that home IDP server. The ASN is configured to route the identity service request and the identity service response between the terminal and the home IDP server according to the AID of the terminal and the AID of the IDP server to which the terminal belongs.
  • The IDP server has an AID indicating its identity in the identification network, and is configured to: receive the identity service request forwarded by the ASN, verify the identity information sent by a terminal belonging to it, and send an identity service response to the ASN.
  • The identity service response carries the AID of the terminal belonging to the IDP server and the verification result information.
  • The identity service request sent by the terminal may also carry the AID of the IDP server to which the terminal belongs.
  • The system may further include a monitoring center (IDM), configured to manage the correspondence between each IDP server and the terminals belonging to it; the ASN may also be configured to: if the terminal does not know its home IDP server, query the IDM, using the AID of the terminal carried in the identity service request, for the IDP server that provides the identity service for the terminal, and obtain the identifier of that IDP server.
  • The system may further include a service server, configured to send an identity authentication request carrying the AID of the terminal to the IDP server to which the terminal belongs when the terminal requests a service, and to receive the identity authentication response sent by that IDP server.
  • The IDP server may also be configured to decide, when it receives the identity authentication request from the service server, whether to initiate an authentication challenge to the terminal according to the AID of the terminal belonging to it.
  • The IDP server checks whether identity authentication result information for the terminal belonging to it already exists; if so, it may directly send an identity authentication response to the service server based on that result information, and if not, it may initiate an authentication challenge to the terminal.
  • The terminal may be configured to send its identity information to the home IDP server in response to the login indication or authentication challenge sent by the home IDP server.
  • The method and system of the present invention are implemented on the basis of an identification network and use the AID representing identity as the identity management identifier, which simplifies the management of the identity management system.
  • FIG. 1 is a schematic diagram of the IDM system;
  • FIG. 2 is a service flow chart of a user applying for an identity service;
  • FIG. 3 is a schematic diagram of identity management based on the identification network;
  • FIG. 4 is service flow chart 1 of the IDM system based on the identification network;
  • FIG. 5 is service flow chart 2 of the IDM system based on the identification network;
  • FIG. 6 is a single sign-on service flow chart.
  • The identity management method and system of the present invention are implemented on the basis of an identification network.
  • The terminal and the identity management (IDP) server each have an identity identifier (AID) indicating their identity within the identification network; the access service node (ASN) of the identification network uses the AIDs of the terminal and of the IDP server to carry out the identity service interaction between them, and the IDP implements identity management of the terminal according to the identity information provided by the terminal.
  • The topological schematic shown in Figure 3 depicts the key features of the system architecture of the present invention.
  • The main network elements and functional entities of the identity management system based on identification network technology include:
  • ASN: Access Service Node.
  • The ASN maintains the connection relationship between the terminal and the network, allocates RIDs to terminals, handles the handover, registration, accounting, and authentication processes, and maintains and queries the AID-RID mapping of the communication peer.
  • The ASN encapsulates, routes, and forwards data packets sent by or to the terminal.
  • When the ASN receives a data packet sent by the terminal MN, it looks up the AID-RID mapping table in its local cache by the AIDc of the destination CN in the packet. If the AIDc-RIDc mapping entry is found, RIDc is encapsulated in the packet header as the destination address, RIDm (corresponding to the MN's source address AIDm) is encapsulated as the source address, and the packet is forwarded to the generalized forwarding plane. If the AIDc-RIDc mapping entry is not found, the packet is encapsulated and forwarded to the mapping forwarding plane, and a query for the AIDc-RIDc mapping is sent to the mapping forwarding plane.
  • When the ASN receives a data packet sent by the network to the terminal, it decapsulates the packet, strips the RID encapsulation from the packet header, and keeps the AID as the packet header when sending the packet to the terminal.
  • CR: Common Router, a general-purpose router that routes and forwards data packets whose source or destination address is in RID format. Its function is no different from that of prior-art routers.
  • ILR/PTF: Identity Location Register/Packet Transfer Function.
  • The ILR is an identity location register that maintains and stores the AID-RID mapping of users in the architecture network, implements the registration function, and handles the location query process of the communication peer. A transit ILR is mainly used to relay signaling between the visited ILR and the home ILR when there is no direct connection between them.
  • The PTF is the packet forwarding function. After the mapping forwarding plane receives a data packet sent by the ASN, it routes and forwards the packet to the PTF according to the destination AID. Once the PTF node in the mapping forwarding plane finds the destination AID-RID mapping, it encapsulates the corresponding RID in the packet header and forwards the packet to the generalized forwarding plane, which routes it to the communication peer.
  • IDP: Identity Provider, the identity service provider.
  • The IDP records the user attributes of the network, including user category, authentication information, and user service level; generates user security information for authentication, integrity protection, and encryption; and performs access control and authorization when the user accesses the network.
  • The IDP supports two-way authentication between the terminal and the network.
  • IDM monitoring center: the regulatory entity of the IDM. It provides IDP query services (IDP discovery) for users and service providers (SPs), and is also responsible for authorizing IDP server qualifications.
  • SP: service provider.
  • The identity management system of the present invention is implemented on the basis of an identification network and includes an ASN, a terminal, and an identity management (IDP) server, where:
  • The terminal has an identity identifier (AID) indicating its identity within the identification network, and is configured to: send an identity service request, carrying the AID of the terminal, to the IDP server through the ASN; and send identity information to the IDP server.
  • The ASN is configured to route and forward the identity service request and the identity service response between the terminal and the IDP server according to the AID of the terminal and the AID of the IDP server.
  • The specific route forwarding method is determined by the specific network mechanism of the identification network and is not described in detail in the present invention.
  • The IDP server has an AID identifying it in the identification network, and is configured to: receive the identity service request forwarded by the ASN, verify the identity information sent by the terminal, and send an identity service response to the ASN, carrying the AID of the terminal and the verification result information.
  • The identity service request sent by the terminal further carries the AID of the IDP server to which the terminal belongs.
  • The system further includes a monitoring center (IDM), configured to manage the correspondence between each IDP server and the terminals belonging to it.
  • The ASN is further configured to: if the terminal does not know the IDP server to which it belongs, query the IDM, using the AID of the terminal in the identity service request, for the IDP server that provides the identity service for the terminal, and obtain the AID of that IDP server.
  • The system of the present invention further includes a service server, configured to: when the terminal makes a service request, send an identity authentication request carrying the AID of the terminal to the IDP server to which the terminal belongs; and receive the identity authentication response sent by the IDP server, which carries the AID of the terminal and the identity authentication result of the terminal. The service server is further configured to decide whether to authorize the service request of the terminal according to the identity authentication result of the terminal, and the IDP server is further configured to decide whether to initiate an authentication challenge to the terminal according to the AID of the terminal.
  • The IDP server checks whether identity authentication result information for the terminal already exists; if so, it directly sends an identity authentication response to the service server based on that result information, and if not, it sends an authentication challenge to the terminal.
  • The terminal sends its identity information to the IDP server in response to the login indication or the authentication challenge sent by the IDP server.
  • The identity management method of the present invention is implemented on the basis of an identification network.
  • The terminal and the identity management (IDP) server each have an identity identifier (AID) indicating their identity within the identification network.
  • The access service node (ASN) of the identification network uses the AID of the terminal and the AID of the IDP server to send the identity service request of the terminal to the IDP server to which the terminal belongs, and that IDP server implements identity management of the terminal according to the identity service request.
  • The identity identifier AID of a terminal user remains unchanged throughout its valid lifetime.
  • The IDP's method of authenticating user identity differs between network systems. It can directly authenticate the user's access identifier AID, or it can authenticate other types of user identifier used in the network, for example the international mobile subscriber identity (IMSI) or the network access identifier (NAI). After the user passes authentication by the IDP server, the user is entered into the legal user list of the ASN and can access network resources.
  • Users can also apply to the IDP for other identity services, such as querying, modifying, registering, and revoking identity information.
  • The process of identity management of the terminal by the IDP server includes:
  • The IDP server sends a login indication to the terminal, the terminal enters its identity information, and the IDP server performs identity verification on the identity information entered by the terminal;
  • The IDP server sends an identity service response carrying the verification result to the terminal through the ASN.
  • Application example 1
  • The AID of the terminal and the AID of the IDP server to which the terminal belongs are both provided to the ASN by the terminal when it sends the identity service request.
  • The service flow of the terminal applying for an identity service is shown in Figure 4 and includes:
  • The terminal M requests an identity service from the ASN, providing the identity identifier AIDm of the terminal and the identity identifier AIDn of the IDP server to which the terminal belongs;
  • The ASN requests the identity service from the IDP server to which the terminal belongs;
  • The IDP server sends a login indication to the terminal M, prompting it to enter an account number and password and any other identity information used for verification;
  • The terminal M enters the account number and password and the other identity information;
  • After verifying the information entered by the terminal, the IDP server sends a verification passed (or rejected) indication to the ASN;
  • The ASN provides the requested service to the terminal M.
  • Application example 2
  • Only the AID of the terminal is provided by the terminal to the ASN when the identity service request is sent; the ASN queries the regulatory center (IDM) for the IDP server that provides the identity service for the terminal and obtains the AID of that IDP server.
  • The service flow of the terminal applying for an identity service is shown in Figure 5 and includes:
  • The terminal M requests an identity service from the ASN, providing the identity identifier AIDm of the terminal;
  • The ASN asks the IDM supervisory center to find the IDP that provides the identity service for the terminal M, and obtains the identity identifier AIDn of the IDP server;
  • The IDM supervisory center sends the identifier AIDn of the IDP server to the ASN;
  • The ASN requests the identity service from the IDP server according to the identifier AIDn;
  • The IDP server sends a login indication to the terminal M, prompting it to enter an account number and password and any other login information used for verification;
  • The terminal M enters the account number and password and the other login information;
  • After verifying the information entered by the terminal, the IDP server sends a verification passed (or rejected) indication to the ASN;
  • The ASN provides the requested service to the terminal M.
  • The identity management system architecture of the present invention can also implement single sign-on: after the terminal passes identity authentication by the IDP, it can access multiple services without logging in again for as long as the terminal identity remains valid.
  • The method further includes: when the terminal submits a service request to a service server, the service server initiates an identity authentication process, which includes:
  • The IDP server checks, by the AID of the terminal, whether the terminal has already passed verification; if it has, the IDP server directly sends the identity authentication response, and if not, it sends an authentication challenge to the terminal;
  • The IDP server sends an identity authentication response to the service server, carrying the AID of the terminal and the identity authentication result of the terminal.
  • The terminal submits a service request to the service server of service C (such as an IPTV service); the carried parameters include the identity identifier AID of the terminal;
  • The service server of service C requests the identity authentication service from the IDP server; the carried parameters include the identity identifier AID of the terminal;
  • The IDP server issues an authentication challenge to the terminal;
  • The terminal requests authentication from the IDP server, carrying identity information such as the identity identifier AID, password, and credential of the terminal;
  • The IDP server feeds back the authentication result of the terminal to the service server of service C, carrying the identity identifier AID of the terminal as a parameter;
  • The service server of service C decides whether the service request of the terminal is authorized according to the authentication result from the IDP server;
  • The terminal then requests service B (such as a data service): the terminal sends a service request to the service server of service B, carrying the identity identifier AID of the terminal as a parameter;
  • The service server of service B requests the identity authentication service from the IDP server, carrying the identity identifier AID of the terminal as a parameter;
  • The IDP server checks whether the AID of the terminal has already been verified;
  • The IDP server feeds back the authentication result of the terminal user to the service server of service B, carrying the AID of the terminal as a parameter;
  • The service server of service B decides whether the service request of the terminal is authorized according to the verification result from the IDP server;
  • The terminal then requests service A (such as a VoIP service): the terminal sends a service request to the service server of service A, carrying the identity identifier AID of the terminal as a parameter;
  • The service server of service A requests the identity authentication service from the IDP server, carrying the identity identifier AID of the terminal as a parameter;
  • The IDP server checks whether the AID of the terminal has already been verified;
  • The IDP server feeds back the authentication result of the terminal user to the service server of service A, carrying the AID of the terminal as a parameter;
  • The service server of service A establishes an access link between the terminal and the service server of service A according to the verification result from the IDP server.
  • The user identifier has no unified form; it may be a user name, an email address, or a mobile phone number chosen by the user.
  • Different identity management systems use different forms of user identifier. The method and system of the present invention therefore uniformly use the AID that represents identity as the identifier, which simplifies the management of the identity management system.
  • The IDP identifier in existing identity management systems lies within the URL and DNS domain name service system, whose final control rests in the United States. Using the AID to identify the IDP can safeguard national information security.
  • The user identifier and the IDP identifier of existing identity management systems cannot be used for addressing on the Internet, whereas the AID of the present invention can take the IPv4/IPv6 form; that is, the identifier of the IDP is encoded as an AID and can be used directly for addressing on the Internet.
  • The invention is implemented on the basis of an identification network and uses the AID representing identity as the identity management identifier, which simplifies the management of the identity management system.
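The identity service flow of Application example 2 (the ASN discovers the terminal's IDP through the IDM) together with the single sign-on check of Figure 6, as an added Python model that is not code from the patent or from the assignee. The AIDs, the HMAC challenge-response standing in for the "identity information", and the PBKDF2 key store are constructed for illustration, since the page does not specify a credential format.

```python
import hashlib
import hmac
import secrets

# Constructed AIDs in IPv6 form (the text allows IPv4/IPv6 encoding of an AID).
TERMINAL_AID = "2001:db8:1::10"
IDP_AID = "2001:db8:9::1"


def derive_key(password: str, aid: str) -> bytes:
    # Assumed credential format: the terminal and its IDP both derive a key
    # from the password with PBKDF2, salted with the terminal's AID.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), aid.encode(), 50_000)


class IdmCenter:
    """Monitoring center: terminal AID -> AID of the IDP server it belongs to."""

    def __init__(self, home_idp: dict):
        self.home_idp = home_idp

    def discover(self, terminal_aid: str):
        return self.home_idp.get(terminal_aid)        # None if no IDP is registered


class IdpServer:
    """IDP server: verifies identity information, remembers verified AIDs (SSO)."""

    def __init__(self, aid: str, keys: dict):
        self.aid = aid
        self.keys = keys                  # terminal AID -> key registered at sign-up
        self.pending = {}                 # terminal AID -> outstanding challenge nonce
        self.verified = set()             # AIDs whose identity information passed

    def challenge(self, terminal_aid: str) -> dict:
        # Login indication / authentication challenge with a fresh nonce per attempt.
        nonce = secrets.token_bytes(16)
        self.pending[terminal_aid] = nonce
        return {"type": "challenge", "aid": terminal_aid, "nonce": nonce}

    def verify(self, terminal_aid: str, proof: bytes) -> dict:
        nonce = self.pending.pop(terminal_aid, None)
        key = self.keys.get(terminal_aid)
        ok = False
        if nonce is not None and key is not None:
            ok = hmac.compare_digest(hmac.new(key, nonce, "sha256").digest(), proof)
        if ok:
            self.verified.add(terminal_aid)
        return {"type": "identity_service_response", "aid": terminal_aid, "result": ok}

    def authenticate(self, terminal_aid: str) -> dict:
        # Asked by a service server. SSO: an AID already verified is answered from
        # the stored result; otherwise the IDP issues an authentication challenge.
        if terminal_aid in self.verified:
            return {"type": "identity_authentication_response",
                    "aid": terminal_aid, "result": True}
        return self.challenge(terminal_aid)


class Asn:
    """Access service node: routes identity service messages by AID."""

    def __init__(self, idm: IdmCenter, idps: dict):
        self.idm = idm
        self.idps = idps                  # IDP AID -> server; stands in for AID routing
        self.legal_users = set()          # terminals allowed onto network resources

    def identity_service_request(self, terminal_aid: str, idp_aid=None):
        if idp_aid is None:               # terminal does not know its IDP: ask the IDM
            idp_aid = self.idm.discover(terminal_aid)
        idp = self.idps.get(idp_aid)
        if idp is None:
            return None, {"type": "identity_service_response",
                          "aid": terminal_aid, "result": False}
        return idp_aid, idp.challenge(terminal_aid)

    def identity_info(self, idp_aid: str, terminal_aid: str, proof: bytes) -> dict:
        resp = self.idps[idp_aid].verify(terminal_aid, proof)
        if resp["result"]:                # verified terminals enter the legal user list
            self.legal_users.add(terminal_aid)
        return resp


def run_flows(password: str = "correct horse") -> dict:
    """Login via IDM discovery, then three service requests served by SSO."""
    idp = IdpServer(IDP_AID, {TERMINAL_AID: derive_key("correct horse", TERMINAL_AID)})
    asn = Asn(IdmCenter({TERMINAL_AID: IDP_AID}), {IDP_AID: idp})
    idp_aid, login = asn.identity_service_request(TERMINAL_AID)   # only AIDm given
    proof = hmac.new(derive_key(password, TERMINAL_AID), login["nonce"], "sha256").digest()
    login_resp = asn.identity_info(idp_aid, TERMINAL_AID, proof)
    # Services C, B and A each send the terminal's AID to the IDP for authentication.
    services = [idp.authenticate(TERMINAL_AID)["type"] for _ in ("C", "B", "A")]
    unknown = asn.identity_service_request("2001:db8:1::ff")      # AID with no home IDP
    return {"login": login_resp["result"], "legal": TERMINAL_AID in asn.legal_users,
            "services": services, "unknown_idp": unknown[0]}


if __name__ == "__main__":
    print(run_flows())
```

With the right password the three service servers are answered from the IDP's stored result without a second login; with a wrong one every service request comes back as a challenge.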

Abstract

A method and a system for identity management are provided in the present invention. The method and system are realized on the basis of an identification network, in which the terminals and the identity management (IDP) server have identity identifiers (AIDs) indicating their identity in the identification network. The method includes: when a terminal originates an identity service flow, an access service node (ASN) of the identification network, using the AID of the terminal and the AID of the IDP server to which the terminal belongs, sends the identity service request of the terminal to that IDP server, and the IDP server to which the terminal belongs implements identity management of the terminal according to the identity service request. The present invention can simplify the management of the identity management system.

Description

Identity management method and system
Technical field
The present invention relates to the field of communications technologies, and in particular to an identity management method and system.
Background art
Identity management systems
Identity management (IDM) is not a new thing. Household registration and ID card management, passport management, enterprise organization code management and device numbering management, all closely tied to everyday social life, are all forms of IDM. Most IDM systems on today's Internet are provided by service providers or enterprises, such as a telecom operator's billing and account system, Taobao's Alipay or an online game operator's account management system; different enterprises and different businesses run different IDM systems.
IDM systems provided by service providers or enterprises have several problems:
1) Security risks. Users do not use their real identities and cannot be traced, which is a security risk. In addition, enterprises pay too little attention to protecting users' private information, which often leads to leaks of user identity information.
2) Repeated registration. Users must register separately for each enterprise and each service, which is inconvenient.
3) IDM systems neither share information nor interact. When a user's information changes in one IDM system, the change cannot be synchronized to other IDM systems.
For this reason, the ITU-T standards organization set up an IDM Focus Group at the 2006 SG17 meeting and proposed a general IDM functional architecture. Its core idea is to introduce, alongside users and service providers (SPs), the concept of an identity provider (IDP); the IDP provides identity services to users and SPs. The IDM system is shown schematically in Figure 1.
The IDP provides identity authentication services to SPs and is also responsible for managing user identity information: for example, accepting users' registration requests and managing users' identity attributes (changing or revoking them, etc.) so as to keep user identity information secure.
The identity services provided by an IDP fall into the following four categories: 1) Identifiers. An identifier can be any token that represents an entity's identity, for example a user ID, e-mail address, pseudonym or group name.
2) Credentials. Identity security credentials are the security parameters normally used to authenticate a claimed identity. A credential can be a password, a token, a security prompt, PKI-related information and so on, for example keys, certificates, signature verification and password information.
3) Attributes. Identity attributes describe an entity's characteristics, such as entity type, preferred IP address, domain name, address information and telephone number. Attributes can also include permissions, proxy lists and special restrictions.
4) Identity pattern. The identity pattern refers to the user's reputation, standing, trust record and historical access records.
When there are multiple IDP systems, users and SPs do not know which IDP to ask for identity services, so an IDP discovery system is needed to find a suitable IDP to serve the user. Moreover, identity information concerns not only users' privacy but also social and national security, so IDP systems must be effectively supervised. A government-level IDM supervision center must therefore be established to provide the IDP discovery function and take responsibility for supervising IDPs. The business flow for a user applying for an identity service is shown in Figure 2:
(201) The user requests a service or resource from the SP and provides IDP-related information.
(202) The SP asks the IDM supervision center to resolve the domain name of the IDP server submitted by the user, obtaining the network address of the user's IDP.
(203) The IDM supervision center sends the IDP's network address to the SP.
(204) The SP locates the IDP using the network address.
(205) The IDP sends a login interface to the user, asking the user to enter an account name and password and other login information for verification.
(206) The user enters the account name and password and other login information.
(207) After verification, the IDP sends the SP an indication that verification passed (or was rejected).
(208) The SP provides the requested service to the user.
A major unresolved problem of current IDM systems is what to use as identity identifiers, covering both user identifiers and IDP identifiers. A user identifier may be a user ID, e-mail address, pseudonym or group name; this is highly arbitrary and there is no unified identifier. In addition, the IDP identifier is used by the IDM supervision center, SPs and users to address the IDP server. The IDM standards discussion group currently proposes to use URLs (Uniform/Universal Resource Locators, also called web addresses) for IDP addressing, but URLs rest on the DNS domain name resolution system, and authority over resolution of the global root domain lies in the United States, which could monitor the IDP activities of other countries and endanger national information security. It is therefore necessary to establish user identifiers and IDP identifiers under each country's own control.
Identification network technology and identity identifiers
The TCP/IP protocol widely used on the existing Internet does not support mobility. When a terminal moves, its IP address changes, interrupting applications and connections. The fundamental reason IP does not support mobility is that an IP address carries both an identity attribute and a location attribute.
Identity attribute of the IP address: in the TCP/IP protocol stack, the IP address identifies the communication peer;
Location attribute of the IP address: the IP address indicates which network segment the user is on and is the basis of routing. In a fixed network, combining location and identity in the IP address poses no problem: the terminal's location does not change, so its IP address does not change and neither does its identity attribute.
In the mobile Internet, however, the terminal's movement forces its IP address to change (without the change the terminal cannot be routed to), and the change of IP address forces the TCP/UDP connections above it to be torn down and re-established, which interrupts the service; this is unacceptable for many applications.
The idea of the identification network is to separate the terminal's IP address, according to its identity and location attributes, into an identity identifier AID and a location identifier RID. The mechanism is as follows:
1) The IP address of the edge router serving the terminal is used as the terminal's location identifier, called the terminal's RID; when the terminal's location changes, its RID changes.
2) A new namespace is introduced as the terminal's identity identifier, called the terminal's AID; a terminal's AID remains unchanged for its lifetime.
3) The terminal knows only its own AID and the AID of its communication peer, and is unaware of RID information. All upper-layer connections are established on AIDs, i.e. TCP/AID and UDP/AID replace TCP/IP and UDP/IP. 4) The terminal sends packets with the destination AID and source AID as destination and source address; on receiving a packet, the edge router converts its AIDs into RIDs. An RID has the format of an IP address and can be used on the existing Internet to reach the peer's edge router; the peer's edge router converts the RIDs in the packet back into AIDs and delivers it to the peer terminal.
The AID encoding format may be defined by a service provider or a government body; it may use, but is not limited to, IPv4/IPv6. The main advantage of using the IP address encoding format is that existing terminals on the market can support the identification network without modification.
Summary of the invention
The present invention provides an identity management method and system to simplify identity management.
To solve the above technical problem, the present invention provides an identity management method, characterized in that it is implemented on an identification network whose terminals and identity management (IDP) server have identity identifiers (AIDs) representing their identity within the identification network. The method includes: when a terminal initiates an identity service flow, an access service node (ASN) of the identification network uses the AIDs of the terminal and of the IDP server to which the terminal belongs to send the terminal's identity service request to that IDP server, and the IDP server to which the terminal belongs performs identity management of the terminal according to the identity service request.
In the above method, when the terminal knows its home IDP, the AIDs of the terminal and of its home IDP server may be supplied to the ASN by the terminal when it sends the identity service request.
When the terminal does not know its home IDP server, the terminal's AID may be supplied to the ASN by the terminal when it sends the identity service request, and the ASN may query the supervision center (IDM) for the IDP server that provides identity services to the terminal, thereby obtaining the AID of the terminal's home IDP server.
The terminal's home IDP server may perform identity management of the terminal as follows: it sends a login indication to the terminal, the terminal enters identity information, and the IDP server verifies identity according to the entered identity information; it then sends the terminal, via the ASN, an identity service response carrying the verification result.
The identity service may include any one or more of identity authentication, identity information query, identity information modification, identity information registration and identity information revocation.
The method may further include: when the terminal makes a service request to a service server, the service server initiates an identity authentication flow, which includes: (a) the service server sends an identity authentication request carrying the terminal's AID to the terminal's home IDP;
(b) the terminal's home IDP server checks, by the terminal's AID, whether the terminal has already been verified; if so it proceeds to step (e), otherwise it issues an authentication challenge to the terminal;
(c) the terminal sends identity information to its home IDP server;
(d) the terminal's home IDP server verifies the identity information;
(e) the terminal's home IDP server sends the service server an identity authentication response carrying the terminal's AID and the identity authentication result;
(f) the service server decides, according to the terminal's identity authentication result, whether to authorize the terminal's service request.
The present invention also provides an identity management system implemented on an identification network, including an ASN, terminals and an identity management (IDP) server, where:
the terminal has an identity identifier (AID) representing its identity within the identification network and is configured to send, via the ASN, an identity service request carrying the terminal's AID to its home IDP server, and to send identity information to the home IDP server; the ASN is configured to route and forward the identity service request and the identity service response between the terminal and its home IDP server according to the terminal's AID and the AID of the terminal's home IDP server;
the IDP server has an AID representing its identity within the identification network and is configured to receive the identity service request forwarded by the ASN, verify the identity information sent by a terminal belonging to this IDP server, and send the ASN an identity service response carrying that terminal's AID and the verification result.
In the above system, when the terminal knows its home IDP, the identity service request sent by the terminal may also carry the AID of the terminal's home IDP server.
The system may further include a supervision center (IDM), which may be configured to manage the correspondence between each IDP server and the terminals belonging to it; the ASN may further be configured, when the terminal does not know its home IDP server, to query the IDM by the terminal's AID in the identity service request for the IDP server that provides identity services to the terminal, obtaining the identity identifier of the terminal's home IDP server.
The identity service may include any one or more of identity authentication, identity information query, identity information modification, identity information registration and identity information revocation.
The system may further include a service server, configured to send, when a terminal makes a service request, an identity authentication request carrying the terminal's AID to the terminal's home IDP server; to receive the identity authentication response sent by that IDP server, carrying the terminal's AID and identity authentication result; and to decide, according to the terminal's identity authentication result, whether to authorize the terminal's service request. The IDP server may further be configured, on receiving an identity authentication request from the service server, to decide by the AID of the terminal belonging to it whether to issue an authentication challenge to that terminal: the IDP server checks whether it already holds an identity authentication result for the terminal; if so, it may send the identity authentication response to the service server directly from that result; if not, it may issue an authentication challenge to the terminal.
The terminal may be configured to send identity information to its home IDP server in response to a login indication or an authentication challenge sent by that server.
The method and system of the present invention are implemented on an identification network and uniformly use the AID representing identity as the identity management identifier, which can simplify management of the identity management system.
Brief description of the drawings
Figure 1: schematic diagram of the IDM system;
Figure 2: business flow of a user applying for an identity service;
Figure 3: topology of identity management based on the identification network;
Figure 4: service flow 1 of the identification-network-based IDM system;
Figure 5: service flow 2 of the identification-network-based IDM system;
Figure 6: single sign-on service flow.
Preferred embodiments of the invention
The invention is further described below with reference to the drawings and embodiments. The identity management method and system of the present invention are implemented on an identification network: the terminals and the identity management (IDP) server have identity identifiers (AIDs) representing their identity within the identification network; the access service node (ASN) of the identification network uses the AIDs of the terminal and of the IDP server to carry the identity service interaction between them; and the IDP performs identity management of the terminal according to the identity information the terminal provides.
The technical solution of the present invention is described in more detail below with reference to the drawings and embodiments.
The topology shown in Figure 3 depicts the key features of the system architecture relevant to the present invention. The main network elements and functional entities of the identification-network-based identity management system architecture of the present invention (hereinafter "this architecture") are:
ASN: Access Service Node. The ASN maintains the terminal's connection to the network, assigns the terminal an RID, handles the handover, registration, accounting and authentication flows, and maintains and queries the AID-RID mappings of communication peers.
The ASN encapsulates, routes and forwards data packets addressed to, or sent by, terminals.
When the ASN receives a data packet from terminal MN, it looks up its local AID-RID mapping cache by the packet's destination address, AIDc of the communication peer CN. If it finds the AIDc-RIDc mapping entry, it encapsulates RIDc as the destination address in the packet header, encapsulates RIDm (corresponding to the MN's source address AIDm) as the source address, and forwards the packet to the generalized forwarding plane. If it does not find an AIDc-RIDc entry, it tunnels the packet to the mapping forwarding plane and initiates a query to the mapping forwarding plane for the AIDc-RIDc mapping.
When the ASN receives a data packet from the network addressed to a terminal, it decapsulates it, stripping the RID encapsulation from the packet header and keeping the AID as the packet header delivered to the terminal.
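The uplink and downlink handling just described, and the AID/RID split of the preceding "Identification network technology" section, are modelled below as a small simulation. It is an added example, not code from the patent or from its assignee: the packet layout (an inner AID header plus an optional outer RID header), the MappingPlane stand-in for the ILR/PTF, and all AID and RID values are constructed for illustration. The point it shows is that the terminal never sees an RID, that a cache miss results in a tunnelled packet plus a pending query rather than a drop, and that after the query is answered the same packet is encapsulated directly.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed sample identifiers: AIDs encoded as IPv4 addresses (an encoding
# the patent permits) and RIDs that are the edge routers' IP addresses.
AID_M, AID_C = "10.1.0.7", "10.2.0.9"          # terminal MN and its peer CN
RID_M, RID_C = "203.0.113.1", "198.51.100.1"   # their edge routers (ASNs)


@dataclass(frozen=True)
class Packet:
    """Inner header carries AIDs (all a terminal ever sees); the outer RID
    header exists only while the packet crosses the generalized forwarding plane."""
    src_aid: str
    dst_aid: str
    payload: bytes
    src_rid: Optional[str] = None
    dst_rid: Optional[str] = None
    tunneled: bool = False   # sent into the mapping forwarding plane on a cache miss


class MappingPlane:
    """ILR/PTF stand-in (hypothetical): authoritative AID->RID register plus forwarding."""
    def __init__(self, register: Dict[str, str]):
        self.register = dict(register)

    def query(self, aid: str) -> Optional[str]:
        return self.register.get(aid)

    def forward(self, pkt: Packet) -> Packet:
        """PTF: resolve the destination AID, add the RID and hand the packet to the CRs."""
        rid = self.register[pkt.dst_aid]
        return replace(pkt, dst_rid=rid, tunneled=False)


class ASN:
    def __init__(self, rid: str, mapping_plane: MappingPlane):
        self.rid = rid                       # RIDm for every terminal attached here
        self.plane = mapping_plane
        self.cache: Dict[str, str] = {}      # local AID-RID mapping cache
        self.pending: List[str] = []         # AIDs with an outstanding mapping query

    def uplink(self, pkt: Packet) -> Packet:
        """Packet from terminal MN addressed to AIDc."""
        if pkt.src_rid is not None or pkt.dst_rid is not None:
            raise ValueError("terminal packets must not carry RIDs")
        rid_c = self.cache.get(pkt.dst_aid)
        if rid_c is None:
            # Cache miss: tunnel toward the mapping forwarding plane and query it.
            self.pending.append(pkt.dst_aid)
            return replace(pkt, src_rid=self.rid, tunneled=True)
        return replace(pkt, src_rid=self.rid, dst_rid=rid_c)

    def resolve_pending(self) -> None:
        """Mapping queries answered: populate the cache so later packets hit."""
        for aid in list(self.pending):
            rid = self.plane.query(aid)
            if rid is not None:
                ip_address(rid)              # an RID must be a well-formed IP address
                self.cache[aid] = rid
                self.pending.remove(aid)

    def downlink(self, pkt: Packet) -> Packet:
        """Packet from the network for an attached terminal: strip the RID header."""
        if pkt.dst_rid != self.rid:
            raise ValueError("not addressed to this ASN")
        return replace(pkt, src_rid=None, dst_rid=None, tunneled=False)


def run_example() -> dict:
    """Send one packet MN -> CN twice: first a cache miss, then a cache hit."""
    plane = MappingPlane({AID_M: RID_M, AID_C: RID_C})
    asn_m, asn_c = ASN(RID_M, plane), ASN(RID_C, plane)
    pkt = Packet(AID_M, AID_C, b"hello")
    first = asn_m.uplink(pkt)            # miss: tunneled, no destination RID yet
    via_ptf = plane.forward(first)       # PTF fills in RIDc on the way
    asn_m.resolve_pending()              # query answered, cache populated
    second = asn_m.uplink(pkt)           # hit: encapsulated directly
    delivered = asn_c.downlink(second)   # peer ASN strips the RIDs again
    return {"first_tunneled": first.tunneled, "first_dst_rid": first.dst_rid,
            "via_ptf_dst_rid": via_ptf.dst_rid, "second_dst_rid": second.dst_rid,
            "cache": dict(asn_m.cache), "delivered": delivered}


if __name__ == "__main__":
    print(run_example())
```

The `uplink` guard that rejects terminal packets already carrying RIDs is the defensive point: a terminal must not be able to inject location identifiers into the forwarding plane, since RIDs are assigned by the ASN, not chosen by the endpoint.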
CR: Common Router. Routes and forwards data packets whose source or destination address is in RID format. Its function is no different from that of a prior-art router.
ILR/PTF: Identity Location Register / Packet Transfer Function. The ILR is the identity location register: it maintains and stores the AID-RID mappings of the users of this architecture's network, implements the registration function and handles location queries for communication peers. The Broke ILR is mainly used to relay signalling between ILRs when there is no direct connection between the visited ILR and the home ILR.
The PTF is the packet forwarding function. After the mapping forwarding plane receives a data packet from an ASN, the PTF routes and forwards it within the mapping forwarding plane according to the destination AID. Once a PTF node in the mapping forwarding plane finds the destination AID-RID mapping, it encapsulates the corresponding RID information in the packet header and forwards the packet to the generalized forwarding plane, which routes and forwards it to the communication peer.
IDP: Identity Provider. The IDP records the user attributes of this architecture's network, including user category, authentication information and user service level; generates user security information for authentication, integrity protection and encryption; and performs access control and authorization when a user attaches. The IDP supports mutual authentication between terminal and network.
IDM supervision center: the supervisory entity of IDM. It provides IDP lookup, i.e. the IDP discovery function, to users and service providers (SPs), and is also responsible for authorizing the qualifications of IDP servers.
As relevant to the present invention,
the identity management system of the present invention is implemented on an identification network and includes an ASN, terminals and an identity management (IDP) server, where:
the terminal has an identity identifier (AID) representing its identity within the identification network and is configured to send, via the ASN, an identity service request carrying the terminal's AID to the IDP server, and to send identity information to the IDP server;
the ASN is configured to route and forward the identity service request and identity service response between the terminal and the IDP server according to the AIDs of the terminal and of the IDP server;
the specific routing and forwarding method is determined by the particular network mechanism of the identification network and is not detailed here.
The IDP server has an AID representing its identity within the identification network and is configured to receive the identity service request forwarded by the ASN, verify the identity information sent by the terminal, and send the ASN an identity service response carrying the terminal's AID and the verification result.
When the terminal knows its home IDP server, the identity service request sent by the terminal also carries the AID of that IDP server.
Further, the system includes a supervision center (IDM) configured to manage the correspondence between each IDP server and the terminals belonging to it; the ASN is further configured, when the terminal does not know its home IDP server, to query the IDM by the terminal's AID in the identity service request for the IDP server that provides identity services to the terminal, and to obtain that IDP server's AID.
The identity service of the present invention includes any one or more of identity authentication, identity information query, identity information modification, identity information registration and identity information revocation.
Further, the system of the present invention includes a service server configured to send, when a terminal makes a service request, an identity authentication request carrying the terminal's AID to the terminal's home IDP server, and to receive the identity authentication response sent by the IDP server, carrying the terminal's AID and the terminal's identity authentication result; the service server is further configured to decide, according to the terminal's identity authentication result, whether to authorize the terminal's service request; the IDP server is further configured to decide, by the terminal's AID, whether to issue an authentication challenge to the terminal.
Specifically, the IDP server checks whether it already holds the terminal's identity authentication result; if so, it sends the identity authentication response to the service server directly from that result; if not, it issues an authentication challenge to the terminal.
The terminal sends identity information to the IDP server in response to a login indication sent by the IDP server or an authentication challenge issued by the IDP server.
The identity management method of the present invention is implemented on an identification network whose terminals and identity management (IDP) server have identity identifiers (AIDs) representing their identity within the identification network. When a terminal initiates an identity service flow, the access service node (ASN) of the identification network uses the AIDs of the terminal and of the IDP server to send the terminal's identity service request to the terminal's home IDP server, and the home IDP server performs identity management of the terminal according to the identity service request.
In the identification-network-based identity management system architecture of the present invention, an end user's identity identifier AID remains unchanged throughout its valid period. When an end user attaches to the network, it must request the identity authentication service from the IDP server. The method by which the IDP authenticates the user's identity varies with the network system: it may authenticate the user's access identifier AID directly, or it may authenticate another type of user identifier used in the network (for example the International Mobile Subscriber Identity, IMSI, or the Network Access Identifier, NAI). Only after passing IDP server authentication is the user entered in the ASN's list of legitimate users and allowed to access network resources. Besides the identity authentication service, a user may also request other identity services from the IDP, such as querying, modifying, registering and revoking identity information.
The procedure by which the IDP server performs identity management for the terminal comprises:
the IDP server sends a login indication to the terminal, the terminal enters its identity information, and the IDP server verifies the identity according to the information entered;
the IDP server sends an identity service response to the terminal via the ASN, carrying the verification result.

Application example 1:
Where the terminal knows its home IDP server, the AIDs of the terminal and of its home IDP server are supplied to the ASN by the terminal when it sends the identity service request. The flow for a terminal requesting an identity service is shown in Figure 4 and comprises:
(401) Terminal M requests an identity service from the ASN, supplying the terminal's identity identifier AIDm and the identity identifier AIDn of the terminal's home IDP server;
(402) the ASN requests the identity service from the terminal's home IDP server;
(403) the IDP server sends a login indication to terminal M, asking it to enter its account name, password and other identity information for verification;
(404) terminal M enters its account name, password and other identity information;
(405) after verifying the information entered by the terminal, the IDP server sends the ASN an instruction indicating that verification passed (or was rejected);
(406) the ASN provides the requested service to terminal M.
Where the terminal does not know its home IDP server, the terminal's AID is supplied to the ASN by the terminal when it sends the identity service request, and the ASN queries the supervisory center (IDM) for the IDP server that provides identity services to the terminal, obtaining the AID of the terminal's home IDP. The flow for a terminal requesting an identity service in this case is shown in Figure 5 and comprises:
(501) Terminal M requests an identity service from the ASN, supplying the terminal's identity identifier AIDm;
(502) the ASN asks the IDM supervisory center to look up the IDP that provides identity services for terminal M, and obtains the IDP server's identity identifier AIDn;
(503) the IDM supervisory center sends the IDP server's identifier AIDn to the ASN;
(504) the ASN requests the identity service from the IDP server according to AIDn;
(505) the IDP server sends a login indication to terminal M, asking it to enter its account name, password and other login information for verification;
(506) terminal M enters its account name, password and other login information;
(507) after verifying the information entered by the terminal, the IDP server sends the ASN an instruction indicating that verification passed (or was rejected);
(508) the ASN provides the requested service to terminal M.
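The two flows above (Figure 4, where the terminal supplies AIDn itself, and Figure 5, where the ASN obtains AIDn from the IDM) as an added, runnable Python model. This is example code written for this page, not ZTE's implementation: the message shapes, the IDM lookup call, the salted password hashing in the IDP's account store and every AID, account and password are assumptions constructed for the example; the text only fixes the parties and the order of steps.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# All AIDs, accounts and passwords below are constructed for this example.


def derive(password: str, salt: bytes) -> bytes:
    """Password hashing for the IDP's account store. Assumption: the text only
    says the IDP verifies an account name and password, not how it stores them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Terminal:
    aid: str
    account: str
    password: str
    home_idp_aid: Optional[str] = None   # None: terminal does not know its home IDP

    def on_login_indication(self) -> Dict[str, str]:
        """Step 404/506: the terminal enters account name and password."""
        return {"account": self.account, "password": self.password}


@dataclass
class IdpServer:
    aid: str
    accounts: Dict[str, tuple] = field(default_factory=dict)  # account -> (salt, digest)

    def register(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[account] = (salt, derive(password, salt))

    def verify(self, account: str, password: str) -> bool:
        """Step 405/507: verify what the terminal entered, in constant time and
        with the same cost for unknown accounts, so the result does not reveal
        which accounts exist."""
        record = self.accounts.get(account)
        if record is None:
            derive(password, bytes(16))
            return False
        salt, digest = record
        return hmac.compare_digest(digest, derive(password, salt))

    def identity_service(self, terminal: Terminal) -> bool:
        """Steps 403-405 / 505-507: login indication, terminal input, verification."""
        info = terminal.on_login_indication()
        return self.verify(info["account"], info["password"])


@dataclass
class Idm:
    """Supervisory center: maps terminal AIDs to home IDP AIDs (claim 9)."""
    home_of: Dict[str, str]

    def find_idp(self, terminal_aid: str) -> Optional[str]:
        return self.home_of.get(terminal_aid)


@dataclass
class Asn:
    idm: Idm
    idps: Dict[str, IdpServer]                 # IDP AID -> server (AIDs are routable)
    legal_users: Set[str] = field(default_factory=set)

    def identity_service(self, terminal: Terminal) -> str:
        """Figure 4 if the terminal supplied AIDn, Figure 5 otherwise."""
        idp_aid = terminal.home_idp_aid
        if idp_aid is None:                              # steps 502-503
            idp_aid = self.idm.find_idp(terminal.aid)
            if idp_aid is None:
                return "reject: IDM has no home IDP for " + terminal.aid
        idp = self.idps.get(idp_aid)                     # step 402/504
        if idp is None:
            return "reject: unknown IDP " + idp_aid
        if idp.identity_service(terminal):               # steps 403-405 / 505-507
            self.legal_users.add(terminal.aid)           # only after the IDP's accept
            return "accept"                              # step 406/508
        return "reject: verification failed"


def run_demo() -> Dict[str, object]:
    idp_n = IdpServer("AIDn")
    idp_n.register("alice", "correct horse")
    idp_n.register("bob", "battery staple")
    idm = Idm({"AIDm": "AIDn", "AIDb": "AIDn"})
    asn = Asn(idm, {"AIDn": idp_n})
    known = Terminal("AIDm", "alice", "correct horse", home_idp_aid="AIDn")
    unknown = Terminal("AIDb", "bob", "battery staple")      # must go via the IDM
    wrong_pw = Terminal("AIDm", "alice", "wrong", home_idp_aid="AIDn")
    stranger = Terminal("AIDx", "eve", "x")                  # not known to the IDM
    return {
        "known_idp": asn.identity_service(known),
        "via_idm": asn.identity_service(unknown),
        "wrong_password": asn.identity_service(wrong_pw),
        "no_home_idp": asn.identity_service(stranger),
        "legal_users": sorted(asn.legal_users),
    }


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` exercises both flows plus the two rejection paths the description implies: a failed verification in step 405/507 and a terminal for which the IDM holds no home IDP. Two details a practitioner would want that the text leaves open are modeled explicitly: the ASN adds an AID to its list of legitimate users only after the IDP's accept, and the IDP's verification does not leak whether an account exists.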
The identity management architecture of the invention can also provide single sign-on: once the terminal has been authenticated by the IDP, it can access multiple services without logging in to the network again for as long as the terminal's identity remains valid.
The method further comprises: when the terminal sends a service request to a service server, the service server initiates an identity authentication flow comprising:
(a) the service server sends an identity authentication request to the IDP server, carrying the terminal's AID;
(b) the IDP server checks, by the terminal's AID, whether the terminal has already been verified; if so it proceeds to step (e), otherwise it sends an authentication challenge to the terminal;
(c) the terminal sends its identity information to the IDP;
(d) the IDP server verifies the identity information;
(e) the IDP server sends an identity authentication response to the service server, carrying the terminal's AID and the terminal's authentication result; the service server decides, according to that result, whether to authorize the service request.
Application example 3
An application example is given below in which the terminal requests services from three service servers. The flow is shown in Figure 6 and comprises:
(601) The terminal sends a service request to the service server of service C (for example an IPTV service); the parameter carried is the terminal's identity identifier AID;
(602) the service server of service C requests the identity authentication service from the IDP server; the parameter carried is the terminal's identity identifier AID;
(603) the IDP server issues an authentication challenge to the terminal;
(604) the terminal requests authentication from the IDP server, carrying identity information such as the terminal's identity identifier AID, password and credential;
(605) the IDP server verifies the authentication parameters;
(606) the IDP server returns the terminal's authentication result to the service server of service C; the parameter carried is the terminal's identity identifier AID;
(607) the service server of service C decides, according to the IDP server's authentication result, whether to authorize the terminal's service request;
(608) if authorized, an access link from the terminal to the service server of service C is established;
(609) a session between the terminal and the service server of service C begins, that is, the service C server starts providing the service to the terminal.
(610) The terminal then requests service B (for example a data service): the terminal sends a service request to the service server of service B; the parameter carried is the terminal's identity identifier AID;
(612) the service server of service B requests the identity authentication service from the IDP server; the parameter carried is the terminal's identity identifier AID;
(613) the IDP server checks the terminal's AID to see whether it has already been verified;
(614) the IDP server returns the terminal user's authentication result to the service server of service B; the parameter carried is the terminal's identity identifier AID;
(615) the service server of service B decides, according to the IDP server's verification result, whether to authorize the terminal's service request;
(616) if authorized, an access link from the terminal to the service server of service B is established;
(617) a session between the terminal and the service server of service B begins, that is, the service B server starts providing the service to the terminal.
(618) The terminal then requests service A (for example a VoIP service): the terminal sends a service request to the service server of service A; the parameter carried is the terminal's identity identifier AID;
(619) the service server of service A requests the identity authentication service from the IDP server; the parameter carried is the terminal's identity identifier AID;
(620) the IDP server checks the terminal's AID to see whether it has already been verified;
(621) the IDP server returns the terminal user's authentication result to the service server of service A; the parameter carried is the terminal's identity identifier AID;
(622) the service server of service A establishes an access link from the terminal to the service server of service A according to the IDP server's verification result;
(623) a session between the terminal and the service server of service A begins, that is, the service A server starts providing the service to the terminal.
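The single sign-on flow of steps (a) to (e) and of Figure 6, as an added Python example written for this page rather than code from the patent or its assignee. The authentication challenge of step 603 is modeled as an HMAC over a random nonce keyed with a credential shared between terminal and IDP; the text lists "AID, password, credential" as the identity information in step 604 but does not specify the mechanism, so this choice is an assumption. The cached "already verified" state of step (b) is bounded by a validity window because the text allows single sign-on only while the terminal's identity remains valid; the window length is likewise an assumption, as are all AIDs, credentials and service names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Everything below (AIDs, credential, validity window) is constructed for this example.
SSO_VALIDITY = 3600.0  # seconds a passed authentication stays usable: an assumption,
                       # the text only says "while the terminal's identity remains valid"


@dataclass
class Terminal:
    aid: str
    credential: bytes            # shared with the home IDP (assumed challenge-response key)
    challenges_answered: int = 0

    def answer(self, challenge: bytes) -> bytes:
        """Step (c)/604: identity information sent in reply to the IDP's challenge."""
        self.challenges_answered += 1
        return hmac.new(self.credential, challenge, hashlib.sha256).digest()


@dataclass
class IdpServer:
    credentials: Dict[str, bytes]                                # terminal AID -> credential
    verified_at: Dict[str, float] = field(default_factory=dict)  # AID -> time of last pass

    def authenticate(self, terminal_aid: str, reach_terminal: Callable[[bytes], bytes],
                     now: float) -> Tuple[str, bool]:
        """Steps (a)-(e) from the IDP's side; returns (AID, result) as carried in (e)."""
        last = self.verified_at.get(terminal_aid)
        if last is not None and now - last < SSO_VALIDITY:
            return terminal_aid, True                  # (b): already verified, go to (e)
        credential = self.credentials.get(terminal_aid)
        if credential is None:
            return terminal_aid, False                 # unknown AID: nothing to challenge
        challenge = secrets.token_bytes(16)            # (b): authentication challenge
        answer = reach_terminal(challenge)             # (c)
        expected = hmac.new(credential, challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(answer, expected)     # (d)
        if ok:
            self.verified_at[terminal_aid] = now
        return terminal_aid, ok                        # (e)


@dataclass
class ServiceServer:
    name: str
    idp: IdpServer
    sessions: Set[str] = field(default_factory=set)    # AIDs with an access link (608/616/622)

    def service_request(self, terminal: Terminal, now: float) -> bool:
        """Steps 601-609 for one service: ask the IDP, then authorize or not."""
        aid, ok = self.idp.authenticate(terminal.aid, terminal.answer, now)   # (a)
        granted = ok and aid == terminal.aid   # response (e) must name the AID we asked about
        if granted:
            self.sessions.add(terminal.aid)
        return granted


def run_demo() -> Dict[str, object]:
    credential = b"constructed-credential-for-AIDm"
    terminal = Terminal("AIDm", credential)
    idp = IdpServer({"AIDm": credential})
    svc_c, svc_b, svc_a = (ServiceServer(n, idp) for n in ("C-IPTV", "B-data", "A-VoIP"))
    t0 = 1_000_000.0
    results = (svc_c.service_request(terminal, t0),          # 601-609: challenged
               svc_b.service_request(terminal, t0 + 10),     # 610-617: answered from cache
               svc_a.service_request(terminal, t0 + 20))     # 618-623: answered from cache
    challenges_before_expiry = terminal.challenges_answered
    after_expiry = svc_c.service_request(terminal, t0 + SSO_VALIDITY + 1)  # challenged again
    impostor = Terminal("AIDm", b"wrong-credential")         # claims AIDm without the credential
    impostor_ok = ServiceServer("C-IPTV", IdpServer({"AIDm": credential})).service_request(impostor, t0)
    return {"results": results,
            "challenges_before_expiry": challenges_before_expiry,
            "after_expiry": after_expiry,
            "challenges_total": terminal.challenges_answered,
            "impostor": impostor_ok}


if __name__ == "__main__":
    print(run_demo())
```

The three service servers (C, B and A, as in Figure 6) ask the IDP in turn: only the first request triggers a challenge, the next two are answered from the cached result in step (b), and once the validity window has passed the IDP challenges again. Note that, exactly as the text describes, step (b) keys the cached result on the AID alone; the design therefore relies on the identifier network binding the stable AID to the terminal that was authenticated at access, and a service server should at least check that the AID in response (e) is the one it asked about, as the example does.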
First, in existing identity management systems the user identifier has no uniform form: it may be a user name chosen by the user, an e-mail address, a mobile phone number and so on, and different identity management systems use different forms of user identifier. The method and system of the invention uniformly use the AID, which represents identity, as the identifier, which simplifies the administration of the identity management system. Second, in existing identity management systems the IDP identifier is based on URLs and the DNS domain name system, whose ultimate control lies in the United States; identifying the IDP by an AID can safeguard national information security. Third, the user identifier and IDP identifier of existing identity management systems cannot be used for addressing on the Internet, whereas the AID of the invention can take IPv4/IPv6 form, so that if the IDP identifier is encoded as an AID it can be used directly for Internet addressing.
Industrial applicability
Compared with the prior art, the invention is implemented on an identifier network and uniformly uses the AID representing identity as the identifier for identity management, which simplifies the administration of the identity management system.

Claims
1. An identity management method, characterized in that the method is implemented on an identifier network, a terminal and an identity management (IDP) server of the identifier network each having an identity identifier AID that represents an identity within the identifier network; the method comprising:
when the terminal initiates an identity service flow, an access service node (ASN) of the identifier network uses the AID of the terminal and the AID of the terminal's home IDP server to send the terminal's identity service request to the home IDP server, and the home IDP server performs identity management of the terminal according to the identity service request.
2. The method of claim 1, wherein the terminal knows its home IDP server;
the method further comprising: when initiating the identity service flow, the terminal supplies the AID of the terminal and the AID of its home IDP server to the ASN in the identity service request.
3. The method of claim 1, wherein the terminal does not know its home IDP server;
the method further comprising: when initiating the identity service flow, the terminal supplies the AID of the terminal to the ASN in the identity service request, and the ASN queries a supervisory center (IDM) for the terminal's home IDP server and obtains the AID of that IDP server.
4. The method of claim 1, 2 or 3, wherein the terminal's home IDP server performs identity management of the terminal as follows:
the home IDP server sends a login indication to the terminal and, after the terminal has entered identity information, verifies the identity according to the information entered;
the home IDP server sends an identity service response to the terminal via the ASN, the response carrying the verification result.
5. The method of claim 1, wherein the identity service comprises any one or more of identity authentication, identity information query, identity information modification, identity information registration and identity information revocation.
6. The method of claim 1, further comprising: the terminal sends a service request to a service server, and the service server initiates an identity authentication flow comprising:
(a) the service server sends an identity authentication request to the terminal's home IDP server, the request carrying the terminal's AID;
(b) the home IDP server checks, by the terminal's AID, whether the terminal has already been verified; if so it proceeds to step (e), otherwise it sends an authentication challenge to the terminal;
(c) the terminal sends its identity information to its home IDP server;
(d) the home IDP server verifies the identity information;
(e) the home IDP server sends an identity authentication response to the service server, the response carrying the terminal's AID and the terminal's identity authentication result; the service server decides, according to that result, whether to authorize the service request.
7. An identity management system, characterized in that the system is implemented on an identifier network and comprises an access service node (ASN), a terminal and an identity management (IDP) server, wherein
the terminal has an identity identifier AID representing an identity within the identifier network and is configured to: send an identity service request to its home IDP server via the ASN, the request carrying the terminal's AID; and send identity information to the home IDP server;
the ASN is configured to: route and forward identity service requests and identity service responses between the terminal and its home IDP server according to the AID of the terminal and the AID of the home IDP server;
the IDP server has an AID representing an identity within the identifier network and is configured to: receive identity service requests forwarded by the ASN, verify identity information sent by terminals belonging to this IDP server, and send identity service responses to the ASN, each response carrying the AID and the verification result of the terminal belonging to this IDP server.
8. The system of claim 7, wherein, where the terminal knows its home IDP server, the identity service request sent by the terminal further carries the AID of the home IDP server.
9. The system of claim 7, further comprising a supervisory center (IDM) configured to manage the correspondence between IDP servers and the terminals belonging to them;
the ASN being further configured to: where the terminal does not know its home IDP server, query the IDM for the terminal's home IDP server according to the terminal's AID carried in the identity service request, and obtain the AID of that IDP server.
10. The system of claim 7, wherein the identity service comprises any one or more of identity authentication, identity information query, identity information modification, identity information registration and identity information revocation.
11. The system of claim 7, further comprising a service server configured to:
when the terminal sends a service request, send an identity authentication request to the terminal's home IDP server, the request carrying the terminal's AID; receive the identity authentication response sent by the home IDP server, the response carrying the terminal's AID and the terminal's identity authentication result; and decide, according to the terminal's identity authentication result, whether to authorize the terminal's service request;
the IDP server being further configured, on receiving an identity authentication request from the service server, to decide according to the AID of the terminal belonging to this IDP server whether to issue an authentication challenge to that terminal.
12. The system of claim 11, wherein the IDP server is configured to decide whether to issue an authentication challenge to a terminal belonging to it as follows: check whether an identity authentication result for that terminal already exists; if so, send the identity authentication response to the service server directly according to that result; if not, issue an authentication challenge to the terminal.
13. The system of claim 7, wherein the terminal is configured to send identity information to its home IDP server in response to a login indication or an authentication challenge sent by the home IDP server.
PCT/CN2010/078832 2010-04-22 2010-11-17 Method and system for identity management WO2011131002A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010165120.9 2010-04-22
CN201010165120.9A CN102238148B (en) 2010-04-22 2010-04-22 identity management method and system

Publications (1)

Publication Number Publication Date
WO2011131002A1 true WO2011131002A1 (en) 2011-10-27

Family

ID=44833668

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/078832 WO2011131002A1 (en) 2010-04-22 2010-11-17 Method and system for identity management

Country Status (2)

Country Link
CN (1) CN102238148B (en)
WO (1) WO2011131002A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078932B (en) * 2012-12-31 2016-01-27 中国移动通信集团江苏有限公司 A kind of methods, devices and systems realizing universal single sign-on
CN105703931A (en) * 2014-11-26 2016-06-22 中兴通讯股份有限公司 Identification network redundancy backup method and device
CN105743883B (en) * 2016-01-21 2019-06-21 兴唐通信科技有限公司 A kind of the identity attribute acquisition methods and device of network application
CN110247917B (en) * 2019-06-20 2021-09-10 北京百度网讯科技有限公司 Method and apparatus for authenticating identity

Citations (2)

Publication number Priority date Publication date Assignee Title
CN1656773A (en) * 2002-05-24 2005-08-17 艾利森电话股份有限公司 Method for authenticating a user to a service of a service provider
CN101567878A (en) * 2008-04-26 2009-10-28 华为技术有限公司 Method and device for improving safety of network ID authentication

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
JP4186512B2 (en) * 2002-05-20 2008-11-26 ソニー株式会社 Service providing system, device terminal and processing method thereof, authentication device and method, service providing device and method, and program
US7802295B2 (en) * 2003-08-11 2010-09-21 Sony Corporation Authentication method, authentication system, and authentication server
CN100428719C (en) * 2006-01-23 2008-10-22 北京交通大学 Internet access method based on identity and location separation
CN101277513B (en) * 2007-03-27 2011-07-20 厦门致晟科技有限公司 Method for ciphering wireless mobile terminal communication
CN101119206B (en) * 2007-09-13 2011-03-02 北京交通大学 Identification based integrated network terminal united access control method
CN100521660C (en) * 2007-09-13 2009-07-29 北京交通大学 Method for implementing integrated network mobile switch management

Also Published As

Publication number Publication date
CN102238148A (en) 2011-11-09
CN102238148B (en) 2015-10-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10850134

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10850134

Country of ref document: EP

Kind code of ref document: A1