WO2013056619A1 - Method, IdP, SP and system for identity federation - Google Patents


Info

Publication number
WO2013056619A1
Authority
WO (WIPO, PCT)
Prior art keywords
identity
idp
authentication
module
identifier
Application number
PCT/CN2012/082471
Other languages
French (fr)
Chinese (zh)
Inventor
夏正雪
郝振武
张孟旺
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2013056619A1


Classifications

    • H04L 9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols, including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), using challenge-response
    • H04L 63/0815: Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations
    • H04L 63/102: Network architectures or network communication protocols for network security, for controlling access to devices or network resources; entity profiles

Definitions

  • The present invention relates to the field of network communications, and in particular to a method for identity federation, an IdP, an SP, and a system.
  • In the TCP/IP suite the core element is the network-layer IP protocol, through which users reach one another by IP address. Applications such as web browsing, e-mail and instant messaging are carried over application-layer protocols.
  • Before using these services a user must reach the Internet over the basic network provided by a telecom operator; different users may use different access methods, such as xDSL, optical fibre or mobile access.
  • In general the user terminal obtains an IP address and then accesses applications on the Internet through it, so the IP address acts as the user's temporary identity.
  • The embodiments of the present invention provide a method for identity federation, an IdP, an SP and a system, so that an operator can offer its users a single sign-on service.
  • After receiving the positive assertion and verifying that it is legitimate, the SP checks whether an associated local account exists; if none exists, it challenges the UE to log in. Once the UE has logged in successfully, the SP associates the UE's local identity at the SP, the IdP's identity, and the UE's identity at the IdP.
  • The identity that the IdP generates for the UE at the IdP is either a permanent identity or a temporary identity; for a temporary identity the IdP also generates a lifetime.
  • The IdP generates the UE's identity at the IdP in one of two ways: on its own initiative, as soon as it confirms that the UE has passed authentication; or, after establishing a security association with the SP and confirming the UE's authentication, only upon receiving the authentication request sent by the SP.
  • Before challenging the UE to log in, the SP may first ask whether the UE is willing to associate a local account, and issue the challenge only after the UE agrees.
  • Before the IdP confirms the UE's authentication, the UE performs access authentication with the access service node (ASR; elsewhere on this page called the access service router) and the authentication centre, and derives a master session key (MSK) with the ASR. The IdP then authenticates the UE by means of the UE's access identifier (AID) and the MSK.
  • The authentication request sent by the SP carries a random number (nonce), which temporarily identifies the UE at the SP and guards against replay attacks.
  • When the IdP generates the UE's identity at the IdP on its own initiative, the positive assertion it sends to the SP carries a nonce that guards against replay attacks.
  • The embodiments also provide an identity providing server (IdP) that implements identity federation. The IdP is located in the operator network and comprises an authentication module, an identity identifier generating module, an association module and an assertion generating module.
  • The identity identifier generating module generates the UE's identity at the IdP once the authentication module confirms that the UE has passed authentication. The identity it generates is either a permanent identity, or a temporary identity together with a lifetime. It generates the identity either on its own initiative as soon as authentication is confirmed, or only after the IdP has established a security association with the SP and received the SP's authentication request.
  • The association module associates the UE's identity at the IdP with the SP's identity; the assertion generating module generates the positive assertion and sends it to the SP.
  • The service providing server (SP) that implements identity federation comprises an authentication check module and an association module. The authentication check module, after receiving the positive assertion from the IdP and verifying its legitimacy, checks for an associated local account and, if none exists, challenges the UE to log in.
  • The system for implementing identity federation comprises an identity providing server (IdP) located in the operator network and a service providing server (SP).
  • The IdP is configured, during the UE's access to a service provided by the SP and after the UE has been authenticated, to generate the end user's identity at the IdP, associate that identity with the SP's identity, and send a positive assertion to the SP.
  • The SP is configured, after receiving the positive assertion and verifying its legitimacy, to check for an associated local account and, if none exists, challenge the UE to log in; after the UE logs in successfully, the SP associates the UE's local identity at the SP, the IdP's identity, and the UE's identity at the IdP.
  • FIG. 3 is a schematic flowchart of the SP-initiated identity federation method of Embodiment 2;
  • FIG. 4 is a schematic flowchart of the IdP-initiated identity federation method of Embodiment 3;
  • FIG. 5 is a schematic structural diagram of the IdP and SP of Embodiment 4.
  • Since a user may already hold registered accounts at a number of different Internet applications, and those accounts carry information useful to the user, the user usually wants the convenience of single sign-on while continuing to use the information held in the original accounts.
  • FIG. 1 is a schematic structural diagram of a network element according to an embodiment of the present invention.
  • Network element 101 is the user equipment (UE). A terminal accessing the network may be a mobile or fixed terminal, such as a mobile phone, fixed telephone, computer or application server.
  • Network element 102 is the access service router (ASR). It provides access service to the user terminal, maintains the connection between terminal and network, assigns a routing identifier (RID) to the terminal, registers and queries the terminal's RID with the ILR/PTF, maintains the access identifier (AID) to RID mapping, and routes and forwards data packets.
  • An NMS interface provides the end user's pseudonym service.
  • Network element 105 is the interconnect service router (ISR). It queries and maintains the AID-RID mapping of terminals in this network and encapsulates, routes and forwards data between this network and the traditional IP network.
  • The interworking function between this network and the traditional IP network includes a format conversion module. It converts the IPv4/IPv6 address of a terminal in this network, as carried in packets sent from the traditional IP network, into the corresponding AID, and converts the AID of a terminal in this network into IPv4/IPv6 address format before forwarding to a terminal in the traditional IP network.
  • Network element 106 is the service provider (SP), an application system on the Internet that provides services to end users.
  • FIG. 2 is a schematic flowchart of the identity federation method according to an embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
  • Step 201: While the UE accesses a service provided by the SP, the IdP in the operator network confirms that the terminal has been authenticated, generates the end user's identity at the IdP, associates that identity with the SP's identity, and sends a positive assertion to the SP.
  • Once the IdP has associated the SP's identity with the end user's identity at the IdP, it need not authenticate the user again the next time the user accesses the service provided by that SP.
  • The generated identity at the IdP may be permanent or temporary; for a temporary identity the IdP may also generate a lifetime.
  • The IdP may generate the identity on its own initiative once it confirms the terminal's authentication. Alternatively, the IdP establishes a security association with the SP during the terminal's access to the SP and generates and associates the identity only after receiving the SP's authentication request.
  • Step 202: After receiving the positive assertion and verifying its legitimacy, the SP checks whether an associated local account exists. If none exists, it challenges the user to log in; after the user logs in successfully, the SP associates the end user's local identity at the SP, the IdP's identity, and the end user's identity at the IdP.
  • If an associated local account already exists, the SP serves the user directly. Before issuing the login challenge, the SP may first ask the user whether to associate a local account: if the user agrees, the association is performed after login; if not, the normal login procedure is followed.
  • In this way the user's identity at the operator is associated with the user's identity at the SP, so the operator can provide single sign-on and the user keeps the information in the original account.
  • When the UE later accesses the SP again, the IdP does not repeat the authentication exchange with the UE; the UE is redirected to the SP, which serves it according to the associated account information without requiring a further login. Fewer logins, or no re-entry of a username and password at all, improve security, and the association preserves the continuity of the user's service and improves the user experience.
  • FIG. 3 shows the SP-initiated flow of Embodiment 2. As shown in FIG. 3, it includes the following steps:
  • Step 301: The user terminal (UE), the access service node (ASR) and the authentication centre perform access authentication. Once authentication passes, the identity-location separation network allocates an access identifier (AID) to the user.
  • Step 302: The UE and the ASR derive a master session key (MSK) from the access authentication, for use in subsequent terminal authentication.
  • Step 304: The SP obtains the address of the corresponding IdP and generates an authentication request message. The IdP address may be obtained by UE selection, an IdP discovery mechanism, or similar means.
  • Step 305: The SP establishes a security association (SA) with the IdP, and the two parties derive a shared key used to sign and verify subsequent positive assertion messages.
  • Step 306: The SP redirects the authentication request message to the IdP; the redirect carries an authentication request assertion containing the SP identity identifier, the IdP identity identifier and a random nonce.
  • Because session keys (e.g. the confidentiality key CK and integrity key IK) were negotiated between the UE and the network during access authentication, communication between the UE and the IdP is protected.
  • The lifetime field value is null (no lifetime is set).
  • Step 311: The SP challenges the user terminal to log in.
  • Step 314: The SP returns a service access response to the user terminal. Thereafter, within the lifetime, a terminal that logs in through the IdP need not re-enter a username/password or token at the SP and can operate directly on its original account.
  • Step 402: The UE and the ASR derive a master session key (MSK) from the access authentication.
  • Step 404: The UE selects the SP it wishes to access on an interface provided by the IdP.
  • Step 405: A security association is established between the IdP and the SP, and the two parties derive a shared key used to sign subsequent positive assertion messages.
  • Step 406: The IdP authenticates the terminal (UE) by means of the terminal identifier AID and the master session key MSK.
  • Because session keys (e.g. the confidentiality key CK and integrity key IK) were negotiated between the UE and the network during access authentication, communication between the UE and the IdP is protected.
  • Step 408: The IdP redirects the SAML positive assertion to the SP; it carries the IdP identity identifier, the end user's temporary identity at the IdP (UEidp), its lifetime, the SP identity, and a random nonce.
  • In this embodiment the nonce is generated by the IdP. Since the assertion already carries the UE's (user's) identity, the nonce serves only to let the SP detect replay: a repeated nonce indicates that an attacker is replaying the message.
  • Step 410: The SP challenges the user terminal to log in.
  • Step 411: The user terminal sends a login response to the SP; the login may use a username/password, a token or a similar method.
  • Step 412: After the user logs in successfully, the SP associates the IdP identity, the end user's identity at the SP, and the end user's temporary identity at the IdP (as shown in the following table).
  • Step 413: The SP returns a service access response to the user terminal. Thereafter, within the lifetime, a terminal that logs in through the IdP need not re-enter a username/password or token at the SP and can operate directly on its original account.
  • The system for implementing identity federation comprises an identity providing server (IdP) located in the carrier network and a service providing server (SP).
  • The SP is configured, after receiving the positive assertion and verifying its legitimacy, to challenge the user to log in if no local account is associated; after the user logs in successfully, the SP associates the end user's local identity at the SP, the IdP's identity, and the end user's identity at the IdP.
  • The identity generating module generates the end user's identity at the IdP once the authentication module confirms that the terminal has passed authentication.
  • The first association module associates the end user's identity at the IdP with the SP's identity.
  • The assertion generating module generates the positive assertion and sends it to the SP.
  • The identity that the identity identifier generating module generates is either the end user's permanent identity at the IdP, or a temporary identity together with its lifetime.
  • The identity identifier generating module generates the end user's identity at the IdP either on its own initiative, once the authentication module confirms the terminal's authentication, or only after the IdP has established a security association with the SP, confirmed the terminal's authentication, and received the SP's authentication request.
  • The authentication module authenticates the terminal by means of its access identifier and the master session key, which the terminal generates with the access service node (ASR) and the authentication centre after access authentication.
  • The positive assertion generated by the assertion generating module carries a nonce to guard against replay attacks.
  • The SP comprises an authentication check module and a second association module. The authentication check module, after receiving the IdP's positive assertion and verifying its legitimacy, challenges the user to log in if no associated local account exists; the second association module, after the user logs in successfully, associates the end user's identity at the SP, the IdP's identity, and the end user's identity at the IdP.
  • The authentication check module is further configured to ask the user whether to associate a local account before issuing the login challenge, and to issue the challenge only after the user agrees.
  • The authentication check module is further configured to send an authentication request to the IdP after the IdP has established a security association with the SP; the request carries a nonce that temporarily identifies the user at the SP and guards against replay attacks.
  • By combining identity federation in this way, the operator can provide users with single sign-on while users keep their original account information. This improves security on the one hand, and on the other hand preserves the continuity of the user's service and improves the user experience.


Abstract

The embodiments of the invention disclose a method, an IdP, an SP and a system for identity federation, so that the operator can provide a single sign-on service for users. The method comprises: while a UE is accessing a service provided by the SP, the IdP located in the operator's network confirms that the UE has been authenticated, generates an identity for the UE at the IdP, associates that identity with the identity of the SP, generates a positive assertion and sends it to the SP; the SP receives the positive assertion, verifies its legitimacy, checks that no associated local account exists, and challenges the UE to sign in. After the UE signs in, the SP associates the UE's local identity at the SP and the identity of the IdP with the UE's identity at the IdP.

Description

Method for identity federation, IdP, SP and system
Technical field
The present invention relates to the field of network communications, and in particular to a method for identity federation, an IdP, an SP, and a system.
Background
In the TCP/IP architecture the core element is the network-layer IP protocol, through which users reach one another by IP address. Applications such as web browsing, e-mail and instant messaging are all carried over application-layer protocols.
Before using these services a user must reach the Internet over the basic network provided by a telecom operator, and different users may use different access methods such as xDSL, optical fibre or mobile access. In general the user terminal obtains an IP address and thereafter accesses applications on the Internet through that address, which therefore acts as the user's temporary identity.
Because the prefix of an IP address denotes the subnet where the user currently is, a different IP address must be assigned when the user's location changes, otherwise routers cannot forward packets to the user correctly. Since an IP address thus carries both identity and location, and the address a user obtains is not necessarily the same each time, it cannot serve as the user's long-term identity; every application system on the Internet must therefore build its own user identity system, commonly known as a user account system.
As a result a user is authenticated twice when using an application on the Internet: the operator authenticates the user once at Internet access, and the application system performs its own authentication when the user accesses it.
With the rapid development of information and network technology, the number of application systems on the Internet keeps growing. Because these systems are independent of one another, a user must register with each system before using it and log in under the corresponding identity, and so has to remember a username and password for every application system, which is a considerable burden.
Summary of the invention
The embodiments of the present invention provide a method for identity federation, an IdP, an SP and a system, so that an operator can provide users with a single sign-on service.
The identity federation method provided by the embodiments of the present invention includes:
While a UE accesses a service provided by a service providing server (SP), an identity providing server (IdP) located in the operator network, after confirming that the terminal has passed authentication, generates the UE's identity at the IdP, associates the UE's identity at the IdP with the SP's identity, and generates a positive assertion that it sends to the SP;
After receiving the positive assertion and verifying its legitimacy, the SP checks whether an associated local account exists; if none exists, it challenges the UE to log in. After the UE logs in successfully, the SP associates the UE's local identity at the SP, the IdP's identity, and the UE's identity at the IdP.
Preferably, the UE's identity at the IdP generated by the IdP is a permanent identity or a temporary identity.
Preferably, when the UE's identity at the IdP generated by the IdP is a temporary identity, the IdP also generates a lifetime for that temporary identity.
Preferably, generating the end user's identity at the IdP for the UE after the IdP confirms that the UE has passed authentication includes:
the IdP, after confirming that the UE has passed authentication, generating the end user's identity at the IdP for the UE on its own initiative; or,
the IdP, after establishing a security association with the SP and confirming that the UE has passed authentication, generating the UE's identity at the IdP only after receiving the authentication request sent by the SP.
Preferably, before the SP challenges the user to log in, the method further includes:
the SP first asking whether the UE is willing to associate a local account, and challenging the UE to log in after the UE agrees.
Preferably, before the IdP confirms that the UE has passed authentication, the method further includes: the UE performing access authentication with the access service node (ASR) and the authentication centre, and generating a master session key with the ASR; when authenticating the terminal, the IdP authenticates the UE by means of the UE's access identifier and the master session key.
Preferably, the authentication request sent by the SP includes a random number, which is used to temporarily identify the UE's identity information at the SP and to guard against replay attacks.
Preferably, the IdP generates the UE's identity at the IdP on its own initiative and generates a positive assertion that it sends to the SP; the positive assertion includes a random number used to guard against replay attacks.
Preferably, when the UE accesses the service provided by the SP again, the IdP no longer interacts with the UE for authentication and the SP no longer requires the UE to log in.
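The method summarised above, and the step-by-step SP-initiated and IdP-initiated flows of Embodiments 2 and 3 in the definitions section, can be exercised end to end in a short simulation. The following Python is an added example and is not code from the patent or from ZTE. It assumes that the security association between IdP and SP yields an HMAC-SHA256 key, that the positive assertion is encoded as canonical JSON, and that the MSK table, the identifiers "aid-1001", "idp.operator.example" and "sp.shop.example", the account "alice" and the timestamps are constructed sample data. It shows the SP verifying the assertion's audience and signature, rejecting a replayed nonce and a tampered assertion, challenging the user to log in when no association exists, recording the association row (IdP identity, UEidp, local account, expiry), and serving a later access within the lifetime without any login.

```python
# Added example (not the patent's or ZTE's code). The JSON/HMAC assertion format,
# the MSK table, identifiers and the sample account are assumptions for illustration.
import hashlib
import hmac
import json
import secrets
from typing import Optional


def sign(key: bytes, body: dict) -> bytes:
    """HMAC-SHA256 over canonical JSON, keyed with the SA shared key (assumed format)."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class IdP:
    def __init__(self, idp_id: str, msk_table: dict):
        self.idp_id = idp_id
        self.msk_table = msk_table  # AID -> MSK, assumed shared by the authentication centre
        self.sa_keys = {}           # SP id -> shared key from the security association (step 405)
        self.ue_ids = {}            # AID -> temporary identity UEidp

    def establish_sa(self, sp_id: str) -> bytes:
        self.sa_keys[sp_id] = secrets.token_bytes(32)
        return self.sa_keys[sp_id]

    def authenticate_ue(self, aid: str, msk_proof: bytes) -> bool:
        """Step 406: authenticate the UE by AID and MSK; on success mint a UEidp."""
        expected = self.msk_table.get(aid)
        if expected is None or not hmac.compare_digest(expected, msk_proof):
            return False
        self.ue_ids[aid] = "ue-" + secrets.token_hex(8)
        return True

    def positive_assertion(self, aid: str, sp_id: str, now: int, lifetime: Optional[int]) -> dict:
        """Step 408: IdP id, UEidp, lifetime, SP id and a fresh nonce, signed with the SA key."""
        body = {"idp_id": self.idp_id, "ue_idp": self.ue_ids[aid], "sp_id": sp_id,
                "issued_at": now, "lifetime": lifetime,  # None models a null (no) lifetime
                "nonce": secrets.token_hex(16)}
        return {"body": body, "mac": sign(self.sa_keys[sp_id], body).hex()}


class SP:
    def __init__(self, sp_id: str, sa_key: bytes, local_accounts: dict):
        self.sp_id, self.sa_key = sp_id, sa_key
        self.local_accounts = local_accounts  # username -> password (constructed sample)
        self.seen_nonces = set()              # a nonce is accepted once; a repeat is a replay
        self.associations = {}                # (idp_id, ue_idp) -> (local username, expires_at)

    def verify_assertion(self, assertion: dict, now: int) -> Optional[dict]:
        """Legitimacy check: audience, signature, lifetime, replay. None means reject."""
        body = assertion["body"]
        if body["sp_id"] != self.sp_id or not hmac.compare_digest(
                sign(self.sa_key, body), bytes.fromhex(assertion["mac"])):
            return None
        expired = body["lifetime"] is not None and now >= body["issued_at"] + body["lifetime"]
        if expired or body["nonce"] in self.seen_nonces:
            return None
        self.seen_nonces.add(body["nonce"])
        return body

    def access(self, assertion: dict, now: int, consent: bool = True,
               credentials: Optional[tuple] = None) -> str:
        """Steps 410-413: serve from the association, or challenge, log in and associate."""
        body = self.verify_assertion(assertion, now)
        if body is None:
            return "rejected"
        key = (body["idp_id"], body["ue_idp"])
        assoc = self.associations.get(key)
        if assoc is not None and (assoc[1] is None or now < assoc[1]):
            return "served:" + assoc[0]   # existing association: no username/password needed
        if not consent:
            return "normal-login"         # user declined association: ordinary login path
        if credentials is None:
            return "challenge"            # step 410: SP challenges the UE to log in
        user, password = credentials
        stored = self.local_accounts.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return "login-failed"
        expires = None if body["lifetime"] is None else body["issued_at"] + body["lifetime"]
        self.associations[key] = (user, expires)  # step 412: the association table row
        return "associated:" + user


def demo() -> list:
    """Runs the flow once on constructed data; returns the IdP and SP verdicts in order."""
    idp = IdP("idp.operator.example", {"aid-1001": b"msk-from-access-auth"})
    sp = SP("sp.shop.example", idp.establish_sa("sp.shop.example"), {"alice": "correct horse"})
    out = [idp.authenticate_ue("aid-1001", b"wrong-msk"),             # False: bad MSK
           idp.authenticate_ue("aid-1001", b"msk-from-access-auth")]  # True: UEidp minted
    a1 = idp.positive_assertion("aid-1001", sp.sp_id, now=1000, lifetime=3600)
    out.append(sp.access(a1, now=1001, credentials=("alice", "correct horse")))  # associated
    a2 = idp.positive_assertion("aid-1001", sp.sp_id, now=2000, lifetime=3600)
    out.append(sp.access(a2, now=2001))      # association exists: served without a login
    out.append(sp.access(a2, now=2002))      # same nonce again: replay, rejected
    forged = {"body": dict(a2["body"], ue_idp="ue-attacker"), "mac": a2["mac"]}
    out.append(sp.access(forged, now=2003))  # MAC no longer matches: rejected
    a3 = idp.positive_assertion("aid-1001", sp.sp_id, now=5000, lifetime=3600)
    out.append(sp.access(a3, now=5001))      # association expired at 4600: challenged again
    return out
```

Calling `demo()` walks through the association being created, honoured, protected against replay and forgery, and finally expiring with the temporary identity's lifetime, which is the point at which the patent's SP would challenge the user again. The SP deliberately consumes the nonce only after the signature check succeeds, so an attacker cannot exhaust legitimate nonces by sending unsigned copies.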
本发明实施例提供的实现身份联合的身份提供服务器(IdP ) , 所述 IdP 位于运营商网络, 包括认证模块、 身份标识生成模块、 关联模块和断言生成 模块, 其中: An identity providing server (IdP) for implementing identity federation is provided by the embodiment of the present invention. The IdP is located in an operator network, and includes an authentication module, an identity identifier generating module, an association module, and an assertion generating module, where:
所述认证模块, 设置为在 UE访问业务提供服务器(SP )提供的业务过 程中, 确认 UE是否通过认证;  The authentication module is configured to confirm whether the UE passes the authentication process during the service provided by the UE accessing the service providing server (SP);
所述身份标识生成模块, 设置为在认证模块确认 UE通过认证后, 为该 UE生成在 IdP的身份标识;  The identity identifier generating module is configured to: after the authentication module confirms that the UE passes the authentication, generate an identity of the IdP for the UE;
所述关联模块, 设置为关联该 UE在 IdP的身份标识和 SP的身份标识; 所述断言生成模块, 设置为生成肯定断言并发送给 SP。  The association module is configured to associate an identity of the UE with the IdP and an identity of the SP; the assertion generation module is configured to generate a positive assertion and send the SP to the SP.
Preferably, the identity at the IdP that the identity identifier generation module generates for the UE is a permanent identity; or
the identity at the IdP that the identity identifier generation module generates for the UE is a temporary identity, and a lifetime is generated for that temporary identity.
Preferably, the identity identifier generation module is configured to generate the terminal user's identity at the IdP for the UE, after the authentication module confirms that the terminal has passed authentication, in one of the following ways:
the identity identifier generation module actively generates the identity at the IdP for the UE after the authentication module confirms that the UE has passed authentication; or
the identity identifier generation module generates the terminal user's identity at the IdP for the UE only after the IdP has established a security association with the SP, confirmed that the UE has passed authentication, and received the authentication request sent by the SP. Preferably, the authentication module is configured to authenticate the UE in the following way: the UE is authenticated by means of its access identifier and the master session key, where the master session key is generated after the UE performs access authentication with the access service node (ASR) and the authentication center.
Preferably, the positive assertion generated by the assertion generation module includes a nonce, which is used to guard against replay attacks.
A service provider (SP) for implementing identity federation provided by an embodiment of the present invention includes an authentication check module and an association module, where:
the authentication check module is configured to, after receiving the positive assertion sent by the identity provider (IdP) and verifying its validity, check whether an associated local account exists and, if none exists, issue a login challenge to the UE;
the association module is configured to, after the user has logged in successfully, associate the UE's local identity at the SP, the IdP's identity, and the UE's identity at the IdP.
Preferably, the authentication check module is further configured to ask the UE whether it is willing to associate a local account before issuing the login challenge, and to issue the login challenge to the user only after the UE agrees.
Preferably, the authentication check module is further configured to send an authentication request to the IdP after the IdP and the SP have established a security association, where the authentication request includes a nonce used both to temporarily identify the UE's identity information at the SP and to guard against replay attacks.
The system for implementing identity federation provided by an embodiment of the present invention includes an identity provider (IdP) located in the operator network and a service provider (SP), where:
the IdP is configured to, while the UE is accessing a service provided by the SP and after confirming that the UE has passed authentication, generate the terminal user's identity at the IdP for the UE, associate the UE's identity at the IdP with the SP's identity, and generate a positive assertion which it sends to the SP;
the SP is configured to, after receiving the positive assertion and verifying its validity, check whether an associated local account exists and, if none exists, issue a login challenge to the UE; after the UE has logged in successfully, the SP associates the UE's local identity at the SP, the IdP's identity, and the UE's identity at the IdP.
Embodiments of the present invention deploy the IdP in the operator network and associate the user's identity at the operator's bearer layer with the user's identity at the SP's service layer, thereby federating the user's identity at the operator with the user's identity at the SP. The user's identity at the operator's bearer layer may be a terminal identifier (such as an IMSI or MSISDN in a mobile network) or an ADSL account in a fixed network. By combining this with identity federation, embodiments of the present invention let the operator offer a single sign-on service while the user retains the existing account information. This improves security on the one hand and, on the other, preserves the continuity of the user's services and improves the user experience.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the network element architecture involved in embodiments of the present invention;
FIG. 2 is a schematic flowchart of the identity federation method of Embodiment 1 of the present invention;
FIG. 3 is a schematic flowchart of the SP-initiated identity federation method of Embodiment 2 of the present invention;
FIG. 4 is a schematic flowchart of the IdP-initiated identity federation method of Embodiment 3 of the present invention;
FIG. 5 is a schematic structural diagram of the IdP and the SP of Embodiment 4 of the present invention.
Preferred Embodiments of the Invention
Since a user necessarily has to attach to the operator network before accessing Internet applications, the identity provider can be deployed in the operator network. This has the following advantages: the operator network's access authentication provides a sound guarantee of security; at the same time, deploying the identity provider IdP in the operator network does not require users to register again, is easy to use, and reaches a high-quality, mature base of consumers.
On the other hand, a user may already hold registered accounts in the major Internet application systems, and those accounts already carry information useful to the user. In this situation the user usually wants to keep using the information in the existing account while enjoying the convenience of single sign-on.
Therefore, when the identity provider IdP of an identity management system is deployed in the operator network, identity federation can be used to associate, temporarily or permanently, the user's identity at the operator's bearer layer with the user's application account identity in the Internet application system. The operator can then offer a single sign-on service while the user retains the existing account information, which improves security on the one hand and, on the other, preserves the continuity of the user's services and improves the user experience.
Embodiments of the present invention are described in detail below with reference to the accompanying drawings. Note that, where no conflict arises, the embodiments of this application and the features within them may be combined with each other arbitrarily.
FIG. 1 is a schematic diagram of the network element architecture involved in embodiments of the present invention.
Network element 101 is the user equipment (UE). The terminal attaching to the network may be one or more of a mobile terminal or a fixed terminal, such as a mobile phone, a fixed-line telephone, a computer or an application server;
Network element 102 is the access service router (ASR), which provides access services to user terminals, maintains the terminal's connection to the network, assigns a routing identifier (RID) to the terminal, registers and queries the terminal's RID at the ILR/PTF, maintains the access identifier (AID) to RID mapping, and routes and forwards data packets;
Network element 103 is the authentication center, which records attribute information of this network's terminal users such as user category, authentication information and user service level, performs access authentication and authorization of terminals, and may also provide charging. The authentication center supports mutual authentication between the terminal and the network and can generate user security information for authentication, integrity protection and confidentiality protection;
Network element 104 is the identity provider (IdP), which provides the service provider SP with authentication assertions about terminal users, authenticates itself to the SP, and checks the legitimacy of the SP. It queries the terminal user's attribute information through its interface with the authentication center and provides a pseudonym service for terminal users through its interface with the name mapping server (NMS);
Network element 105 is the interconnect service router (ISR), which queries and maintains the AID-RID mapping information of this network's terminals, encapsulates, routes and forwards data packets exchanged between this network and the traditional IP network, and provides interworking between this network and the traditional IP network. It includes a format conversion module that converts the IPv4/IPv6 address of a terminal of this network contained in a data packet sent from the traditional IP network into the corresponding AID, and converts the AID of a terminal of this network into IPv4/IPv6 address format before sending to a terminal in the traditional IP network;
Network element 106 is the service provider (SP), an application system on the Internet that provides services to terminal users.
For a detailed description of the identity provider IdP and the service provider SP, see Embodiment 4 and FIG. 5.
Embodiment 1
FIG. 2 is a schematic flowchart of the identity federation method of an embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
Step 201: while the terminal is accessing a service provided by the SP, the IdP located in the operator network, after confirming that the terminal has passed authentication, generates the terminal user's identity at the IdP, associates that identity with the SP's identity, and generates a positive assertion which it sends to the SP;
Specifically, the positive assertion contains the SP's identity, the IdP's identity, the terminal user's identity at the IdP, the authentication result (receipt of a positive assertion is itself taken to mean that terminal authentication succeeded), the signature algorithm, the signature value, and so on. Its purpose is to tell the SP that the user or terminal has successfully passed authentication at the IdP and is trusted, and the SP can use this identity information in the subsequent local association process. The identities and signature information above allow the SP to verify the integrity of the assertion message, that is, to confirm that the assertion message has not been tampered with or forged and is a legitimate assertion.
Once the IdP has associated the SP's identity with the terminal user's identity at the IdP, the IdP need not authenticate the user again the next time the user accesses a service provided by that SP.
The generated terminal user identity at the IdP may be a permanent identifier or a temporary identifier; if it is temporary, a lifetime may also be generated for the temporary identity.
While the terminal is accessing a service provided by the SP, the IdP may actively generate the terminal user's identity at the IdP after confirming that the terminal has passed authentication; alternatively, the IdP may establish a security association with the SP and generate and associate the terminal user's identity at the IdP only after receiving the authentication request sent by the SP.
Step 202: after receiving the positive assertion and verifying its validity, the SP checks whether an associated local account exists and, if none exists, issues a login challenge to the user; after the user has logged in successfully, the SP associates the terminal user's local identity at the SP, the IdP's identity, and the terminal user's identity at the IdP.
If, after receiving the positive assertion and verifying its validity, the SP finds that an associated local account exists, it provides the service to the user directly. If no associated local account exists, the SP may, before issuing the login challenge, first ask the user whether they wish to associate a local account; if the user agrees, the association is performed, and if not, the normal login flow is followed.
The above flow thus federates the user's identity at the operator with the user's identity at the SP. The operator can offer a single sign-on service while the user retains the existing account information. After the association, when the user accesses the same SP again, the IdP no longer runs the interactive authentication process with the UE: it confirms locally that the UE has already been authenticated and redirects it to the SP, and the SP provides the service to the UE based on the associated account information without requiring the UE to log in. The user logs in fewer times, or no longer needs to enter a username and password at all, which improves security. On the other hand, the association preserves the continuity of the user's services and improves the user experience.
Embodiment 2
FIG. 3 is a schematic diagram of the SP-initiated flow of Embodiment 2. As shown in FIG. 3, it includes the following steps:
Step 301: access authentication is performed between the user terminal UE, the access service node ASR and the authentication center; once authentication passes, the identity/location separation network assigns an access identifier AID to the user;
Thereafter, packets sent by the user terminal are transmitted using the AID; the ASR assigns a RID to the terminal user and routes by RID to reach the ISR, which extracts the terminal user's AID from the packet, converts it into an IPv4/IPv6 address and forwards it to the traditional IP network.
Step 302: the UE and the ASR derive a master session key MSK from the user's access authentication, for use in the subsequent terminal authentication;
Step 303: the UE sends a service access request to the SP;
Step 304: the SP obtains the address of the corresponding IdP and generates an authentication request message; note that the IdP address may be obtained through UE selection, an IdP discovery mechanism, or the like.
Step 305: the SP establishes a security association (SA) between itself and the IdP, and the two parties generate a shared key used for the subsequent signing and verification of the positive assertion message;
Step 306: the SP redirects the authentication request message to the IdP; the redirect message contains an authentication request assertion that includes the SP identity, the IdP identity and a nonce;
The nonce is used both to temporarily identify the user's identity information at the SP and to guard against replay attacks.
Step 307: the IdP authenticates the terminal UE by means of the terminal identifier AID and the master session key MSK;
Since the IdP and the ASR are within the same identifier domain, the master session key MSK can be obtained securely from the ASR.
Moreover, since the UE and the network have already negotiated session keys (such as the confidentiality key CK and integrity key IK) through access authentication, communication between the UE and the IdP is protected.
Step 308: once the IdP confirms that the terminal has passed authentication, it generates a temporary identity (or permanent identity) UEidp for the terminal user, associates the terminal identifier (such as the AID or MSISDN), the SP identity and the temporary identity UEidp that the IdP generated for the terminal user (as in the following table), and produces a signed SAML positive assertion;
[Table: terminal identifier, SP identity, UEidp, lifetime (image not reproduced in this extraction)]
Note: if UEidp is a permanent terminal identifier, the lifetime field is null.
Step 309: the IdP redirects the SAML positive assertion to the SP; the positive assertion carries the IdP identity, the terminal user's temporary identity UEidp at the IdP, the lifetime, the SP's identity and the nonce;
Step 310: the SP checks the validity of the SAML positive assertion; once verification passes, it checks whether this UEidp has an associated SP local user account. If not, it asks the user whether to associate an account and, if the user chooses to associate, requires the user to log in;
The check proceeds as follows: 1) whether the nonce, the SP identity and the IdP identity match those in the authentication request; 2) whether the nonce has already been received before; 3) whether the assertion message itself has been tampered with, verified by the signature. If all of the above checks pass, the positive assertion message is confirmed as verified; otherwise verification fails.
Step 311: the SP issues a login challenge to the user terminal;
Step 312: the user terminal sends a user login response to the SP; the response may use a login method such as username/password or a token;
Step 313: after the user has logged in successfully, the SP associates the IdP identity, the terminal user's identity at the SP and the terminal user's temporary identity at the IdP (as in the following table);
[Table: IdP identity, terminal user's identity at the SP, UEidp (image not reproduced in this extraction)]
Step 314: the SP returns a service access response to the user terminal. Thereafter, within the lifetime, a terminal that signs on through the IdP can operate with its existing account directly, without re-entering a username/password, token or the like at the SP.
Embodiment 3
FIG. 4 is a schematic diagram of the IdP-initiated flow of Embodiment 3. As shown in FIG. 4, it includes the following steps:
Step 401: access authentication is performed between the user terminal UE, the access service node ASR and the authentication center; once authentication passes, the identity/location separation network assigns an access identifier AID to the user;
Thereafter, packets sent by the terminal user are transmitted using the AID; the ASR assigns a RID to the terminal user and routes by RID to reach the ISR, which extracts the terminal user's AID from the packet, converts it into an IPv4/IPv6 address and forwards it to the traditional IP network.
Step 402: the UE and the ASR derive a master session key MSK from the user's access authentication;
Step 403: the UE sends a service access request to the IdP;
Step 404: the UE selects the SP it wants to access on an interface provided by the IdP;
Step 405: a security association is established between the IdP and the SP, and the two parties generate a shared key used for the subsequent signing of the positive assertion message;
Step 406: the IdP authenticates the terminal UE by means of the terminal identifier AID and the master session key MSK;
Since the IdP and the ASR are within the same identifier domain, the master session key MSK can be obtained securely from the ASR.
Moreover, since the UE and the network have already negotiated session keys (such as the confidentiality key CK and integrity key IK) through access authentication, communication between the UE and the IdP is protected.
Step 407: once the IdP confirms that the terminal has passed authentication, it generates a temporary identity (or permanent identity) UEidp for the terminal user at the IdP, associates the terminal identifier (such as the AID or MSISDN), the SP identity and the terminal user's temporary or permanent identity UEidp at the IdP (as in the following table), and produces a signed SAML positive assertion;
[Table: terminal identifier, SP identity, UEidp, lifetime (image not reproduced in this extraction)]
Step 408: the IdP redirects the SAML positive assertion to the SP; the assertion carries the IdP identity, the terminal user's temporary identity UEidp at the IdP, the lifetime, the SP's identity and a nonce;
In this embodiment the nonce is generated by the IdP. Since the positive assertion already carries the identity of the UE or user, the nonce here serves only to let the SP judge, from whether a received nonce is a repeat, whether an attacker is replaying the positive assertion message.
Step 409: the SP checks the validity of the SAML positive assertion; once verification passes, it checks whether this UEidp has an associated SP local user account. If not, it asks the user whether to associate an account and, if the user chooses to associate, requires the user to log in;
The check proceeds as follows: 1) whether the SP identity and the IdP identity match the SP and IdP identities stored at the SP; 2) whether the nonce has already been received before; 3) whether the assertion message itself has been tampered with, verified by the signature. If all of the above checks pass, the positive assertion message is confirmed as verified; otherwise verification fails.
Step 410: the SP issues a login challenge to the user terminal;
Step 411: the user terminal sends a user login response to the SP; the response may use a login method such as username/password or a token;
Step 412: after the user has logged in successfully, the SP associates the IdP identity, the terminal user's identity at the SP and the terminal user's temporary identity at the IdP (as in the following table);
[Table: IdP identity, terminal user's identity at the SP, UEidp (image not reproduced in this extraction)]
Step 413: the SP returns a service access response to the user terminal. Thereafter, within the lifetime, a terminal that signs on through the IdP can operate with its existing account directly, without re-entering a username/password, token or the like at the SP.
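The following is an added example, not code from the patent or from the applicant: an in-memory model of the positive-assertion exchange of Embodiments 2 and 3 (steps 304 to 313 and 405 to 412), including the IdP's association table with its null lifetime for permanent identities, the SP's three-part check (identity consistency, nonce replay, signature), and the SP's local account association. The message layout, HMAC-SHA256 over the shared key from the security association as the signature algorithm, the one-hour lifetime, and every identifier and account below are constructed assumptions; the patent specifies a signed SAML assertion but not these details.

```python
# Added example, not code from the patent: minimal model of the assertion flow of
# Embodiments 2 and 3. HMAC-SHA256 over the IdP-SP shared key, the JSON layout, the
# one-hour lifetime and all identifiers are constructed assumptions for illustration.
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-shared-key-from-the-IdP-SP-security-association"


def canonical(fields: dict) -> bytes:
    """Deterministic encoding that both sides sign and verify (assumed, not the patent's)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class IdP:
    def __init__(self, idp_id: str, key: bytes):
        self.idp_id, self.key = idp_id, key
        self.associations = {}  # step 308/407 table: (terminal id, SP id) -> UEidp, lifetime

    def issue(self, terminal_id: str, sp_id: str, nonce: str, temporary: bool = True) -> dict:
        """Generate (or reuse) UEidp for this terminal/SP pair and sign the assertion."""
        row = self.associations.get((terminal_id, sp_id))
        if row is None:
            row = {"ueidp": "ueidp-" + secrets.token_hex(8),
                   "lifetime": time.time() + 3600 if temporary else None}  # null when permanent
            self.associations[(terminal_id, sp_id)] = row
        body = {"idp_id": self.idp_id, "sp_id": sp_id, "ueidp": row["ueidp"],
                "lifetime": row["lifetime"], "nonce": nonce, "result": "success"}
        sig = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {**body, "signature_alg": "HMAC-SHA256", "signature": sig}


class SP:
    def __init__(self, sp_id: str, idp_id: str, key: bytes):
        self.sp_id, self.idp_id, self.key = sp_id, idp_id, key
        self.pending = set()       # nonces we put in our own requests (Embodiment 2)
        self.seen_nonces = set()   # every nonce already accepted, for replay detection
        self.accounts = {"alice": "correct-horse"}  # constructed local accounts
        self.links = {}            # step 313/412 table: (IdP id, UEidp) -> local account
        self.challenges = {}       # outstanding login challenges

    def new_request(self) -> dict:
        """Steps 304/306: authentication request carrying a nonce chosen by the SP."""
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return {"sp_id": self.sp_id, "idp_id": self.idp_id, "nonce": nonce}

    def verify_assertion(self, assertion: dict, sp_initiated: bool) -> bool:
        """The three checks of step 310 (Embodiment 2) / step 409 (Embodiment 3)."""
        body = dict(assertion)
        sig = body.pop("signature", None)
        body.pop("signature_alg", None)
        nonce = body.get("nonce")
        # 1) identities (and, when we chose it, the nonce) must match request / stored values
        if body.get("sp_id") != self.sp_id or body.get("idp_id") != self.idp_id:
            return False
        if sp_initiated and nonce not in self.pending:
            return False
        # 2) a nonce seen before means the assertion is being replayed
        if nonce in self.seen_nonces:
            return False
        # 3) the signature shows the message was neither tampered with nor forged
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not isinstance(sig, str) or not hmac.compare_digest(expected, sig):
            return False
        # a temporary identity past its lifetime is no longer honoured
        if body.get("lifetime") is not None and body["lifetime"] < time.time():
            return False
        self.seen_nonces.add(nonce)
        return True

    def access(self, assertion: dict, sp_initiated: bool = True) -> str:
        """Steps 310-311 / 409-410: serve a linked account, otherwise challenge for login."""
        if not self.verify_assertion(assertion, sp_initiated):
            return "denied"
        key = (assertion["idp_id"], assertion["ueidp"])
        if key in self.links:
            return "served:" + self.links[key]
        challenge = secrets.token_hex(8)
        self.challenges[challenge] = key
        return "login_required:" + challenge

    def login(self, challenge: str, user: str, password: str) -> str:
        """Steps 312-313 / 411-412: on successful login, link UEidp to the local account."""
        key = self.challenges.pop(challenge, None)
        if key is None or self.accounts.get(user) != password:
            return "denied"
        self.links[key] = user
        return "served:" + user


def run_demo() -> dict:
    idp = IdP("idp.operator.example", SHARED_KEY)
    sp = SP("sp.example", "idp.operator.example", SHARED_KEY)
    req = sp.new_request()                                   # Embodiment 2: SP picks nonce
    assertion = idp.issue("aid-0001", req["sp_id"], req["nonce"])
    first = sp.access(assertion)                             # no link yet -> login challenge
    linked = sp.login(first.split(":", 1)[1], "alice", "correct-horse")
    replay = sp.access(assertion)                            # same nonce again -> denied
    req2 = sp.new_request()
    second = sp.access(idp.issue("aid-0001", req2["sp_id"], req2["nonce"]))  # served, no login
    nonce3 = secrets.token_hex(16)                           # Embodiment 3: IdP picks nonce
    third = sp.access(idp.issue("aid-0001", "sp.example", nonce3), sp_initiated=False)
    forged = idp.issue("aid-0001", "sp.example", secrets.token_hex(16))
    forged["ueidp"] = "ueidp-forged"                         # signature no longer matches
    tampered = sp.access(forged, sp_initiated=False)
    return {"first": first, "linked": linked, "replay": replay,
            "second": second, "third": third, "tampered": tampered}
```

Running `run_demo()` walks through one SP-initiated and one IdP-initiated federation: the first access yields a login challenge, the login links UEidp to the local account, a replayed assertion is refused on the nonce check, and subsequent assertions for the same UEidp within the lifetime are served without any login, while an assertion whose UEidp was altered fails the signature check. Checking the nonce against the pending set only when the SP chose it mirrors the difference between step 310 and step 409.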
实施例 4 Example 4
本实施例介绍实现上述方法的 IdP和 SP, 以及包含该 IdP和 SP的系统。 如图 5所示, 该实现身份联合的系统, 包括位于运营商网络的身份提供服务 器(IdP )和业务提供服务器(SP ) , 其中:  This embodiment introduces IdP and SP implementing the above method, and a system including the IdP and SP. As shown in FIG. 5, the system for implementing identity aggregation includes an identity providing server (IdP) and a service providing server (SP) located in a carrier network, where:
The IdP is configured to, while the terminal accesses a service provided by the SP and after confirming that the terminal has passed authentication, generate for the terminal user an identity identifier of that user at the IdP, associate the terminal user's identity identifier at the IdP with the identity identifier of the SP, and generate a positive assertion that is sent to the SP;
the SP is configured to, after receiving the positive assertion and verifying that it is valid, check whether an associated local account exists; if none exists, it issues a challenge to the user requiring login, and after the user logs in successfully, the SP associates the terminal user's local identity identifier at the SP, the identity identifier of the IdP, and the terminal user's identity identifier at the IdP.
Specifically, the IdP includes an authentication module, an identity identifier generation module, a first association module and an assertion generation module, where: the authentication module is configured to confirm whether the terminal has passed authentication while the terminal accesses a service provided by the SP;
the identity identifier generation module is configured to, after the authentication module confirms that the terminal has passed authentication, generate for the terminal user the terminal user's identity identifier at the IdP;
the first association module is configured to associate the terminal user's identity identifier at the IdP with the identity identifier of the SP;
the assertion generation module is configured to generate a positive assertion and send it to the SP. Preferably, the identity identifier at the IdP that the identity identifier generation module generates for the terminal user is a permanent identity identifier; or it is a temporary identity identifier, in which case a lifetime is also generated for the temporary identity identifier.
Preferably, the identity identifier generation module is configured to generate the terminal user's identity identifier at the IdP, after the authentication module confirms that the terminal has passed authentication, in one of the following ways: after the authentication module confirms that the terminal has passed authentication, it actively generates the terminal user's identity identifier at the IdP; or, after the IdP has established a security association with the SP and confirmed that the terminal has passed authentication, it generates the terminal user's identity identifier at the IdP only upon receiving an authentication request sent by the SP.
Preferably, the authentication module is configured to authenticate the terminal in the following way: the terminal is authenticated using the terminal's access identifier and master session key, where the master session key is generated after the terminal performs access authentication with the access service node (ASR) and the authentication centre.
Preferably, the positive assertion generated by the assertion generation module includes a random number (a nonce) for preventing replay attacks.
The SP includes an authentication check module and a second association module, where:
the authentication check module is configured to, after receiving the positive assertion sent by the IdP and verifying that it is valid, check whether an associated local account exists and, if none exists, issue a challenge to the user requiring login; the second association module is configured to, after the user logs in successfully, associate the terminal user's local identity identifier at the SP, the identity identifier of the IdP, and the terminal user's identity identifier at the IdP.
Preferably, the authentication check module is further configured to, before issuing the login challenge to the user, first ask the user whether they wish to associate a local account, and to issue the login challenge only after the user agrees.
Preferably, the authentication check module is further configured to send an authentication request to the IdP after the IdP and the SP have established a security association, where the authentication request includes a random number that is used to temporarily identify the user's identity information at the SP and to prevent replay attacks.
A person of ordinary skill in the art will understand that all or some of the steps of the above method may be carried out by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular combination of hardware and software.
Of course, the present invention may also have various other embodiments; without departing from the spirit and essence of the present invention, all such corresponding changes and variations shall fall within the scope of protection of the claims appended hereto.
Industrial Applicability: the embodiments of the present invention combine identity federation technology so that an operator can provide users with a single sign-on service while users retain their existing account information. This improves security on the one hand and, on the other, ensures continuity of the user's services and improves the user experience.
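The following is an added example, not code from the patent, that simulates the IdP-initiated flow described above: the IdP authenticates the UE by access identifier and master session key, generates a (permanent or temporary) identity for the UE per SP, and issues a positive assertion with a nonce; the SP verifies the assertion, rejects replays and expired temporary identities, asks for consent, challenges the user to log in locally, and links the three identifiers so that a repeat visit needs no login. The HMAC over the assertion body, the shared IdP/SP key standing in for the "security association", and the in-memory tables are assumptions made here; the patent fixes no assertion format.

```python
"""Identity federation simulation (added example; assumptions: HMAC-signed
JSON assertion, shared IdP/SP key, in-memory tables, constructed sample data)."""
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-idp-sp-key"   # assumed IdP/SP security association


class IdP:
    def __init__(self, idp_id, access_db):
        self.idp_id = idp_id
        self.access_db = access_db        # access_id -> master session key (from ASR/auth centre)
        self.federations = {}             # (access_id, sp_id) -> identity at the IdP

    def authenticate(self, access_id, msk):
        key = self.access_db.get(access_id)
        return key is not None and hmac.compare_digest(key, msk)

    def issue_assertion(self, access_id, msk, sp_id, temporary=False, lifetime=300):
        if not self.authenticate(access_id, msk):
            return None
        # one identity per (user, SP), associated with the SP's identifier
        uid = self.federations.setdefault((access_id, sp_id), "idp-user-" + secrets.token_hex(8))
        body = {"idp": self.idp_id, "sp": sp_id, "subject": uid,
                "nonce": secrets.token_hex(16), "issued": int(time.time())}
        if temporary:                      # temporary identity carries a lifetime
            body["expires"] = body["issued"] + lifetime
        raw = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "mac": hmac.new(SHARED_KEY, raw, hashlib.sha256).hexdigest()}


class SP:
    def __init__(self, sp_id, local_accounts):
        self.sp_id = sp_id
        self.local_accounts = local_accounts   # local_id -> password (constructed)
        self.links = {}                        # (idp_id, identity at IdP) -> local_id
        self.seen_nonces = set()

    def verify(self, assertion, now=None):
        body = assertion["body"]
        raw = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(SHARED_KEY, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["mac"]):
            return False                       # forged or altered assertion
        if body["sp"] != self.sp_id:
            return False                       # issued for another SP
        if body["nonce"] in self.seen_nonces:
            return False                       # replay
        now = time.time() if now is None else now
        if "expires" in body and now > body["expires"]:
            return False                       # temporary identity expired
        self.seen_nonces.add(body["nonce"])
        return True

    def access(self, assertion, consent=None, login=None):
        """consent: () -> bool; login: () -> (local_id, password) or None.
        Returns (status, local_id): 'ok' on a repeat visit, 'linked' after a
        successful login, or a rejection reason with local_id None."""
        if not self.verify(assertion):
            return ("rejected", None)
        key = (assertion["body"]["idp"], assertion["body"]["subject"])
        if key in self.links:
            return ("ok", self.links[key])     # no login challenge on repeat visit
        if consent is None or not consent():
            return ("no-link", None)           # user declined to associate an account
        creds = login() if login else None
        if not creds or self.local_accounts.get(creds[0]) != creds[1]:
            return ("login-failed", None)
        self.links[key] = creds[0]             # associate SP-local id, IdP id, id at IdP
        return ("linked", creds[0])
```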

Claims

1. A method of identity federation, comprising:
while a user equipment (UE) accesses a service provided by a service provider server (SP), an identity provider server (IdP) located in the operator network, after confirming that the UE has passed authentication, generates an identity identifier at the IdP for the UE, associates the UE's identity identifier at the IdP with the identity identifier of the SP, and generates a positive assertion that is sent to the SP;
after receiving the positive assertion and verifying that it is valid, the SP checks whether an associated local account exists; if none exists, it issues a challenge to the UE requiring login, and after the UE logs in successfully, the SP associates the UE's local identity identifier at the SP, the identity identifier of the IdP, and the UE's identity identifier at the IdP.
2. The method of claim 1, wherein:
the identity identifier at the IdP generated by the IdP for the UE is a permanent identity identifier or a temporary identity identifier.
3. The method of claim 2, wherein:
when the identity identifier at the IdP generated by the IdP for the UE is a temporary identity identifier, the IdP further generates a lifetime for the temporary identity identifier.
4. The method of claim 1, 2 or 3, wherein:
the IdP generating an identity identifier at the IdP for the UE after confirming that the UE has passed authentication comprises: the IdP, after confirming that the UE has passed authentication, actively generating the identity identifier at the IdP for the UE; or
the IdP, after establishing a security association with the SP and confirming that the UE has passed authentication, generating the identity identifier at the IdP for the UE only upon receiving an authentication request sent by the SP.
5. The method of claim 1, 2 or 3, wherein:
before the SP issues the login challenge to the UE, the method further comprises:
the SP first asking the UE whether it wishes to associate a local account and, after the UE agrees, issuing the login challenge to the UE.
6. The method of claim 1, 2 or 3, wherein:
before the IdP confirms that the UE has passed authentication, the method further comprises: the UE performing access authentication with the access service node (ASR) and the authentication centre, and generating a master session key with the ASR; and when the IdP authenticates the UE, it authenticates the UE using the UE's access identifier and master session key.
7. The method of claim 4, wherein:
the authentication request sent by the SP includes a random number, which is used to temporarily identify the UE's identity information at the SP and to prevent replay attacks.
8. The method of claim 4, wherein:
the IdP actively generates the identity identifier at the IdP for the UE and generates a positive assertion that is sent to the SP, the positive assertion including a random number used to prevent replay attacks.
9. The method of claim 1, 2 or 3, wherein:
when the UE accesses the service provided by the SP again, the IdP no longer interacts with the UE for authentication, and the SP no longer requires the UE to log in.
10. An identity provider server (IdP) for implementing identity federation, the IdP being located in an operator network and comprising an authentication module, an identity identifier generation module, an association module and an assertion generation module, where: the authentication module is configured to confirm whether a user equipment (UE) has passed authentication while the UE accesses a service provided by a service provider server (SP);
the identity identifier generation module is configured to generate an identity identifier at the IdP for the UE after the authentication module confirms that the UE has passed authentication;
the association module is configured to associate the UE's identity identifier at the IdP with the identity identifier of the SP; and the assertion generation module is configured to generate a positive assertion and send it to the SP.
11. The identity provider server of claim 10, wherein:
the identity identifier at the IdP generated by the identity identifier generation module for the UE is a permanent identity identifier; or
the identity identifier at the IdP generated by the identity identifier generation module for the UE is a temporary identity identifier, and a lifetime is generated for the temporary identity identifier.
12. The identity provider server of claim 10 or 11, wherein:
the identity identifier generation module is configured to generate the identity identifier at the IdP for the UE, after the authentication module confirms that the UE has passed authentication, in one of the following ways:
the identity identifier generation module, after the authentication module confirms that the UE has passed authentication, actively generates the identity identifier at the IdP for the UE; or
the identity identifier generation module, after the IdP has established a security association with the SP and confirmed that the UE has passed authentication, generates the identity identifier at the IdP for the UE only upon receiving an authentication request sent by the SP.
13. The identity provider server of claim 10 or 11, wherein:
the authentication module is configured to authenticate the UE in the following way: the UE is authenticated using the UE's access identifier and master session key, where the master session key is generated after the UE performs access authentication with the access service node (ASR) and the authentication centre.
14. The identity provider server of claim 12, wherein:
the positive assertion generated by the assertion generation module includes a random number used to prevent replay attacks.
15. A service provider server (SP) for implementing identity federation, comprising an authentication check module and an association module, where:
the authentication check module is configured to, after receiving a positive assertion sent by an identity provider server (IdP) and verifying that it is valid, check whether an associated local account exists and, if none exists, issue a challenge to the UE requiring login;
the association module is configured to, after the user equipment (UE) logs in successfully, associate the UE's local identity identifier at the SP, the identity identifier of the IdP, and the UE's identity identifier at the IdP.
16. The service provider server of claim 15, wherein:
the authentication check module is further configured to, before issuing the login challenge to the UE, first ask the UE whether it wishes to associate a local account, and to issue the login challenge to the UE only after the UE agrees.
17. The service provider server of claim 15 or 16, wherein:
the authentication check module is further configured to send an authentication request to the IdP after the IdP and the SP have established a security association, where the authentication request includes a random number used to temporarily identify the UE's identity information at the SP and to prevent replay attacks.
18. A system for implementing identity federation, comprising an identity provider server (IdP) located in an operator network and a service provider server (SP), where:
the IdP is configured to, while a user equipment (UE) accesses a service provided by the SP and after confirming that the UE has passed authentication, generate an identity identifier at the IdP for the UE, associate the UE's identity identifier at the IdP with the identity identifier of the SP, and generate a positive assertion that is sent to the SP;
the SP is configured to, after receiving the positive assertion and verifying that it is valid, check whether an associated local account exists and, if none exists, issue a challenge to the UE requiring login; after the UE logs in successfully, the SP associates the UE's local identity identifier at the SP, the identity identifier of the IdP, and the UE's identity identifier at the IdP.
19. The system of claim 18, wherein:
the IdP comprises an authentication module, an identity identifier generation module, a first association module and an assertion generation module, where:
the authentication module is configured to confirm whether the UE has passed authentication while the UE accesses a service provided by the SP;
the identity identifier generation module is configured to generate an identity identifier at the IdP for the UE after the authentication module confirms that the UE has passed authentication;
the first association module is configured to associate the UE's identity identifier at the IdP with the identity identifier of the SP;
the assertion generation module is configured to generate a positive assertion and send it to the SP.
20. The system of claim 18 or 19, wherein:
the SP comprises an authentication check module and a second association module, where:
the authentication check module is configured to, after receiving a positive assertion sent by the identity provider server (IdP) and verifying that it is valid, check whether an associated local account exists and, if none exists, issue a challenge to the UE requiring login;
the second association module is configured to, after the UE logs in successfully, associate the UE's local identity identifier at the SP, the identity identifier of the IdP, and the UE's identity identifier at the IdP.
PCT/CN2012/082471 2011-10-19 2012-09-29 Method, idp, sp and system for identity federation WO2013056619A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110318815.0A CN103067337B (en) 2011-10-19 2011-10-19 Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system
CN201110318815.0 2011-10-19

Publications (1)

Publication Number Publication Date
WO2013056619A1 true WO2013056619A1 (en) 2013-04-25

Family

ID=48109803

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/082471 WO2013056619A1 (en) 2011-10-19 2012-09-29 Method, idp, sp and system for identity federation

Country Status (2)

Country Link
CN (1) CN103067337B (en)
WO (1) WO2013056619A1 (en)

Also Published As

Publication number Publication date
CN103067337A (en) 2013-04-24
CN103067337B (en) 2017-02-15

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12841702; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12841702; Country of ref document: EP; Kind code of ref document: A1)