WO2020207517A1 - Method of authenticating a user to a relying party in federated electronic identity systems - Google Patents


Info

Publication number
WO2020207517A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
authentication
identity
relying party
identity provider
Prior art date
Application number
PCT/CZ2020/050021
Other languages
French (fr)
Inventor
Libor Neumann
Original Assignee
Aducid S.R.O.
Priority date
Filing date
Publication date
Application filed by Aducid S.R.O.
Publication of WO2020207517A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/018 Certifying business or products
    • G06Q30/06 Buying, selling or leasing transactions
    • G06Q30/0601 Electronic shopping [e-shopping]
    • G06Q30/0609 Buyer or seller confidence or verification

Definitions

  • the presented invention relates to a method of authenticating a user to a relying party in an environment of federated identity systems.
  • federated electronic identity (or federated identity) systems are used in which user authentication is performed by an identity provider using an authentication means (such as software, applications, names, passwords).
  • the authentication result is used by the Relying Party to control the user's access to the target assets (services, data), while relying on the identity provided by the identity provider and on the user data provided by the identity provider.
  • federated identity systems based on principles such as "Bearer token based authentication", "Bearer authentication" or alternatively "Bearer Assertion" are used.
  • the principle is that the user, or the device he uses to access the services, proves his identity to the relying party by means of an assertion that does not allow the relying party to verify that the user is the real subject of the assertion, i.e. the relying party must assume that the user is the authenticated person for whom the assertion is valid, but the relying party cannot verify this assumption in any way (NIST Special Publication 800-63-2 Electronic Authentication Guideline p.7).
  • Redirection of the communication through the user's web browser is used to transmit the assertion between the identity provider system where the authentication was performed and the relying party system where the assertion is used. Redirecting can take place automatically, without the need for any action on the part of the user.
  • SAML: OASIS, Security Assertion Markup Language (SAML) V2.0 Technical Overview - http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
  • OAuth: IETF RFC 6749 - The OAuth 2.0 Authorization Framework - https://tools.ietf.org/html/rfc6749
  • WS-Federation: OASIS, Web Services Federation Language (WS-Federation) Version 1.2 - http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html
  • the redirection functionality is standardized by international RFC standards (IETF: RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content - https://tools.ietf.org/html/rfc7231;
  • Other systems are used in the federated identity systems to transmit the result of the authentication (the Assertion). They are referred to alternatively as an Identity broker or an Identity node. Their goal is to allow the use of multiple identity providers for the relying party, thereby expanding the number of users. In this case, the user selects his identity provider or another identity broker in the identity broker system; and after performing the authentication, the assertion is always transmitted via the redirect functionality via the user's web browser back through the intermediary identity broker to the relying party system.
  • a method of authenticating a user to a relying party through an identity provider proceeds by: first creating a data channel between the user and the relying party, then authenticating the user to the identity provider, and passing the assertion from the identity provider to the relying party, optionally via further identity provider(s) or identity broker(s), whereby the assertion is passed from each identity provider or identity broker to another identity provider or identity broker, and further to the relying party always through the redirection functionality in the web browser or other user application.
  • the relying party has no possibility to verify that the user whose device submits the assertion is indeed the person to whom the assertion relates.
  • the prior art processes are shown schematically in Fig. 1.
  • the present invention aims to improve the current methods of authenticating a user to a service provider (relying party) through an identity provider in federated (electronic) identity systems so as to maintain the use of existing standards for assertions and their transmission, while significantly enhancing practicality, security and decreasing the risk of abuse of an intercepted assertion by an attacker.
  • An object of the present invention is a method of authenticating a user to a relying party through an identity provider, in which a data channel is first established between the user device and the relying party, the user is subsequently authenticated with the identity provider, and the assertion is transmitted from the identity provider to the relying party, wherein the authentication with the identity provider includes binding of the data channel between the user device and the relying party with the authentication of the user at the identity provider, and wherein the assertion with the said bond to the said data channel is transmitted from the identity provider to the relying party through a communication module; wherein the said communication module, optionally together with the identity provider, controls the authentication with the bond to the data channel.
  • a "user" is a user of services or data of the relying party who wishes to access such services or data.
  • the user has a user device.
  • the user device has access to a relying party application through which the user can initiate a login process which subsequently includes authentication.
  • the user has authentication means.
  • the user's authentication means can be, for example, a smart phone, a computer, a tablet, a smart watch with an authentication application, a token, a smart card, or a PEIG.
  • a "relying party" is a server and/or a system of an entity which provides the services or data that the user wishes to access.
  • an "identity provider" (IdP) is a server and/or a system of an entity which provides electronic identities and provides services for these electronic identities, i.e. authentication services.
  • an "identity broker" (node of an electronic identity system) is a server and/or a system through which an identity provider can be selected and through which the assertion can be transmitted between the identity provider and the relying party. In the present invention, this transmission of the assertion between the identity provider and the relying party is performed by means of the communication module.
  • a "service provider" is a collective term including a relying party, an identity provider, and an identity broker.
  • an "assertion" is output data issued by an identity provider.
  • the assertion proves that the user was authenticated by specified means at a specified time.
  • the assertion is the result of the verification of identity performed by the identity provider.
  • the identity provider transmits the assertion to the relying party. Based on the assertion, the relying party provides access to the services or data to the authorized user.
  • the identity provider must have authentication means enabling the binding of the data channel with the authentication. Such means are known in the art (e.g., standards RFC 8472, RFC 6677, RFC 5056, relate to protocols for channel binding).
  • a communication module is a server and/or a system which controls and manages the authentication and its binding with the data channel between the user device (user) and the relying party, and transmits the assertion between the identity provider and the relying party.
  • the communication module communicates with at least one relying party, at least one identity provider, and optionally one or more identity broker. On the side of the relying party, the communication module can communicate either directly with the target application of the relying party or can communicate with a reverse proxy server.
  • the communication module ensures the transmission of information necessary to control authentication between the relying party and the identity provider, including binding the data channel established between the relying party and the user device to the user authentication. It also ensures the creation of assertion request data according to the relevant standards, and the transmission of the generated assertion between all necessary service providers in the federated identity system according to the relevant standards.
  • the communication module further provides for binding the assertion to the authentication and to the data channel between the relying party and the user device, and processing the content of the assertion and transmittal of the assertion including the user data to the target application of the relying party, optionally via a reverse proxy server.
  • the communication module may be operated by a relying party or other entity, for example, a separate operator of the communication module operation services for several relying parties.
  • the communication module is configured to allow the user to select an identity provider and to allow the relying party to communicate with multiple identity providers.
  • Authentication data is usually transmitted in one of three ways: as part of the communication protocol of the data channel (e.g. using a client certificate for TLS authentication); directly between the relevant parts of the application (e.g. filling in a login form on the target application webpage in a web browser with username and password); or by a combination of transmission via another channel and transmission via an authenticated data channel (e.g. transcription of a code sent to the user via SMS). When external authentication is used, it may also be the transmission of data identifying the data channel from the user end of the data channel to the user authentication device (i.e., the device or application involved in the authentication on the user side). This data is then transmitted or processed as part of the authentication.
  • binding of a data channel with user authentication can be performed by assigning a unique identifier to the data channel between the user device and the relying party prior to the authentication, and using the said identifier as information transmitted by the above described methods.
  • the relying party or the identity provider can assign a data channel identifier.
  • the data channel identifier may be a data channel session identifier or an authentication identifier. It is possible to additionally use an unauthorized data channel secret (or cryptographic material derived from the data channel cryptographic material, e.g., from an unverified shared secret of both ends of the data channel, the creation of which is described, for example, in CZ PV 2013-373), in combination with the data channel identifier, to increase security and to avoid attacks on the channel.
  • the method of the present invention brings the following advantages: - Assertions are not transmitted via the user's web browser and therefore are not transmitted over the Internet via unprotected data channels, but they are transmitted directly between servers through the introduction of a communication module to the federated electronic identity system where they can be protected by standard security measures established between service providers.
  • the data channel between the user and the relying party is bound to the assertion.
  • the binding can also be cryptographic, thus eliminating even a sophisticated attack on the data channel between the user and the relying party.
  • the process uses fewer service environments with which the user needs to communicate.
  • the target application of the relying party may preferably be located behind a reverse proxy server.
  • a reverse proxy server is sometimes used for web applications or server parts of mobile applications.
  • the data channel between the user's device and the target application is terminated on the reverse proxy server.
  • the reverse proxy server controls the user's access to the appropriate resources of the target application (e.g., the respective website) and ensures the transmission of user data to the appropriate internal variables (e.g., Remote_user).
  • the communication module can communicate directly with the reverse proxy server.
  • both the data channel and the user will be authenticated invisibly from the viewpoint of the application creator.
  • the programmer does not have to program the authentication, he can rely on the fact that only an authenticated user can use the relevant part of the application and that the application can read the user data directly from internal variables. Authentication and placement of user data in internal variables is ensured by the reverse proxy server with the assistance of the communication module according to the system configuration.
  • In more complex topologies of federated (electronic) identity systems, multiple identity providers are often involved. In such a case, the user typically selects an identity provider who can verify his/her identity, e.g., who has issued his or her authentication means (e.g., an electronic identity card in a particular state, an authentication token or a smart card).
  • the communication module may preferably allow the user to select an identity provider using existing standards and utilizing the identity broker functionality known in the art.
  • One possible option to select an identity provider is that the user is redirected, before authentication begins, to the communication module, which at that moment functions as a standard HTTP proxy server or HTTP client.
  • the user can transparently use an identity broker functionality to select an identity provider.
  • the functionality of the http proxy server or http client on the communication module is terminated.
  • the result of the selection, transmitted from the identity broker server to the communication module is processed by the communication module, for example, using an algorithm, conversion table, etc., to create data needed to control the identity provider selection in the next step.
  • the user communicates with a dedicated part of the relying party target application on the relying party's server prior to initiating authentication.
  • This application communicates with an identity broker directly or through a communication module.
  • the result of the mediated interaction of the user with the identity broker i.e. the identity provider selection, is processed and the data necessary to control the identity provider selection is generated in the next step.
  • Yet another possible option is to create a separate identity provider selection module communicating with an identity broker, which is located behind the reverse proxy server analogously to the target application.
  • the data is used to route the authentication control communication with the selected identity provider via the communication module.
  • the data can also be used to select a communication method (communication protocol) if different identity providers use different protocols.
  • the control data for the selection of the identity provider is used to create routing information transmitted in the binding of the data channel between the relying party and the user with the user authentication. This information may preferably take the form of a standard URI.
  • the present invention further provides a system for authenticating a user to a relying party through an identity provider, comprising at least one user device, at least one relying party, at least one identity provider, and at least one communication module adapted to communicate with the relying party and with the identity provider and equipped with means for control of authentication with binding of the authentication with the data channel between the user device and the relying party.
  • the system may further include one or more identity brokers.
  • Fig. 1 schematically illustrates authentication in a prior art federated electronic identity system.
  • Fig. 2 schematically shows authentication in a federated electronic identity system according to the invention, with binding of authentication with a data channel between a user and a relying party, and with the inclusion of a communication module.
  • FIG. 3 schematically shows authentication in a federated electronic identity system according to the invention, in a preferred embodiment using a reverse proxy server at the relying party.
  • Fig. 4 schematically shows authentication in a federated electronic identity system according to the invention, in a preferred embodiment with the selection of an identity provider.
  • the user selects a relying party service on his device 1, wherein the relying party requires authentication of the user.
  • the relying party 4 identifies an unauthenticated user request and requests authentication of the user from an identity provider 2 by transmitting the authentication request to a communication module 10 via authentication control 13.
  • the communication module 10 requests the authentication from the identity provider 2 using authentication control 12.
  • the identity provider 2 generates an authentication identifier for binding 11 the data channel 7 with the authentication.
  • the authentication identifier is transmitted using controls 12 and 13 via the communication module 10 to the target application of the relying party 4.
  • the application transmits to the user via the yet unauthenticated data channel 7 of the target application all information necessary for binding the data channel 7 with authentication, including the identifier obtained from the identity provider 2.
  • the user device 1 forwards the information 11 to the user's authentication means, for example, by displaying and photographing a QR code, using URI calls within the operating system of the device 1, or by other means of communication between tasks in the user device 1.
  • the authentication means transmits the information 11, including the identifier, by the authentication data channel 8 to the authentication system of the identity provider 2, where it is bound based on the identifier with the result of the authentication.
  • the communication module 10 while retaining the context, requests the issuance of an assertion 5 according to the relevant standard.
  • the assertion 5 is transmitted as a response to a communication module 10 in accordance with the relevant standard, and the communication module 10 processes the assertion as a standard browser (http redirect).
  • the issued assertion 5 is delivered in standard form to the identity broker 3.
  • the identity broker 3 processes the assertion 5 in a standard manner and transmits the response as a delivered assertion 6 to the communication module 10.
  • the communication module handles all communication related to a single authentication in a single session, so it can link the original authentication request from the relying party 4 to the authentication identifier generated by the identity provider 2 as well as to the delivered assertion 6.
  • the communication module processes this information and transmits to the relying party 4 the complete result of user authentication via the control 13.
  • the user selects on his device 1 a service provided by a relying party that requires authentication.
  • the relying party 4 identifies an unauthenticated user request.
  • the relying party 4 together with the user device 1 creates a yet unauthenticated data channel 7 of the target communication and creates a cryptomaterial and a channel identifier for the data channel 7.
  • the relying party 4 requests authentication to be performed by the identity provider 2 by passing the authentication request together with the identifier of the data channel 7 and derivative of the cryptomaterial of the data channel 7 to the communication module 10 via authentication control 13.
  • the communication module 10 requests authentication by the identity provider 2 using authentication control 12.
  • the identity provider 2 uses the channel 7 identifier and the cryptomaterial derivative to authenticate the user and the data channel 7.
  • the user device 1 generates a derivative of the cryptomaterial of the data channel 7 and processes the channel 7 identifier, thereby creating all necessary information to bind the data channel 7 to the authentication and to perform the authentication.
  • the authentication means processes the information 11 including the identifier and the cryptomaterial, and, by means of the authentication data channel 8, performs the authentication, including the authentication of the data channel 7, using information transmitted from the relying party 4 via the communication module 10.
  • the user selects on his device 1 a service of a relying party that requires authentication.
  • the relying party 4 uses a reverse proxy server 14 on which the secure data channel of the target application (e.g., TLS) terminates.
  • the reverse proxy server 14 identifies an unauthenticated user request.
  • the reverse proxy server 14, together with the user device 1, creates an as yet unauthenticated data channel 7 for the target communication and creates the cryptomaterial and the channel identifier (for the channel 7).
  • the reverse proxy server 14 requests authentication from the identity provider 2 by transmitting the authentication request together with the data channel 7 identifier and the data channel 7 cryptomaterial derivative to the communication module 10 via the authentication control 13.
  • the communication module 10 requests authentication by the identity provider 2 using authentication control 12.
  • the identity provider 2 uses the channel identifier and the cryptomaterial derivative to authenticate the user and the data channel 7.
  • the user device 1 generates a derivative of the cryptomaterial of the data channel 7 and processes the channel 7 identifier, thereby creating all the necessary information 11 for binding the data channel with authentication and for performing the authentication.
  • the authentication means processes the information 11 including the identifier and the cryptomaterial, and by means of the authentication data channel 8 performs the authentication, including the authentication of the data channel 7, using information transmitted from the reverse proxy server 14 via the communication module 10.
  • the reverse proxy server processes the assertion 6 and based on the assertion, makes the desired page of the target application available or unavailable to the user, and optionally passes the processed information from the assertion 6 to the internal variables of the target application.
  • the user has a client part of a mobile application of a relying party 4 installed on his mobile device 1.
  • the relying party 4 has a list of trusted identity providers 2.
  • the user launches the mobile application.
  • the mobile application requests a current list of trusted identity providers 2 from the relying party 4 server, to display the list to the user.
  • the user selects his identity provider 2.
  • the result of the selection is transmitted to the server part of the mobile application, which uses the result as a parameter when requesting authentication through the communication module 10 via authentication control 13. This parameter is used by the communication module 10 to communicate with the identity provider 2 via authentication control 12.
  • the user has installed the client part of the relying party 4 mobile application on his mobile device 1.
  • the relying party 4 uses a reverse proxy server 14 as a terminal of a secure data channel of the target application, e.g., TLS, and does not have a list of trusted identity providers 2.
  • the list of trusted identity providers 2 is provided by an identity broker 3.
  • the user launches the mobile application.
  • the mobile application uses an unauthenticated data channel 7 to communicate with the reverse proxy server 14.
  • the reverse proxy server identifies an unauthenticated user and starts the server part of an identity provider selection application.
  • the identity provider selection application requests, using the authentication control 13, from the communication module a current list of trusted identity providers 2.
  • the communication module 10 requests a current list of trusted identity providers 2 from the identity broker 3 using standard communication 17 for selecting an identity provider.
  • the list is transmitted up to the client part of the mobile application, where the user selects his identity provider 2.
  • the result of the selection is forwarded to the reverse proxy server 14, which uses it as an authentication request parameter, which is transmitted to the communication module 10 via the authentication control 13. This parameter is used by the communication module 10 to communicate with the identity provider 2 using the authentication control 12.
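The channel-binding definitions above and the Fig. 2 flow (as yet unauthenticated channel 7, authentication identifier from the identity provider, cryptomaterial derivative, assertion delivered through communication module 10 rather than the browser) as an added Python simulation; this is illustration code, not code from the patent or from Aducid. It assumes HMAC in place of the IdP's assertion signature and of the channel key derivation, in-memory keys and identifiers constructed for the run, and a communication module that verifies assertions with a key shared with the IdP.

```python
# Added simulation of the Fig. 2 flow (not the patent's code); HMAC and the shared keys are assumptions.
import hashlib
import hmac
import json
import secrets

def channel_binding(channel_secret: bytes, channel_id: str) -> bytes:
    # Derivative of the channel 7 cryptomaterial: HMAC of the channel id keyed with the channel secret.
    return hmac.new(channel_secret, b"cb:" + channel_id.encode(), hashlib.sha256).digest()

def mac(key: bytes, payload: dict) -> str:
    # Deterministic MAC over a JSON object, used both as proof of the user key and as assertion "signature".
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class IdentityProvider:  # element 2
    def __init__(self):
        self.key = secrets.token_bytes(32)  # assertion key; the module verifies with the same key here
        self.users = {}    # user -> key held by that user's authentication means
        self.pending = {}  # authentication identifier -> (channel id, binding reported by the RP)
        self.results = {}  # authentication identifier -> issued assertion 5

    def start_auth(self, channel_id: str, binding: bytes) -> str:  # control 12
        auth_id = secrets.token_hex(8)  # authentication identifier used for binding 11
        self.pending[auth_id] = (channel_id, binding)
        return auth_id

    def authenticate(self, msg: dict) -> bool:  # message received over authentication channel 8
        expected, user_key = self.pending.pop(msg["auth_id"], None), self.users.get(msg["user"])
        if expected is None or user_key is None:
            return False
        channel_id, binding = expected
        proof_input = {k: msg[k] for k in ("auth_id", "channel_id", "binding")}
        # Both the user's key and the channel the user's end sees must match what the RP reported.
        if (not hmac.compare_digest(mac(user_key, proof_input), msg["proof"]) or msg["channel_id"] != channel_id
                or not hmac.compare_digest(bytes.fromhex(msg["binding"]), binding)):
            return False
        body = {"subject": msg["user"], "auth_id": msg["auth_id"], "channel_id": channel_id, "binding": binding.hex()}
        self.results[msg["auth_id"]] = {"body": body, "sig": mac(self.key, body)}
        return True

    def issue_assertion(self, auth_id: str):  # assertion 5, fetched by the communication module
        return self.results.pop(auth_id, None)

class CommunicationModule:  # element 10
    def __init__(self, idp: IdentityProvider):
        self.idp, self.sessions = idp, {}  # sessions: authentication identifier -> (relying party, channel id)

    def request_auth(self, rp, channel_id: str, binding: bytes) -> str:  # control 13 in, control 12 out
        auth_id = self.idp.start_auth(channel_id, binding)
        self.sessions[auth_id] = (rp, channel_id)  # one session links request, identifier and assertion
        return auth_id

    def complete(self, auth_id: str):  # returns the assertion if the RP accepted it, else None
        rp, channel_id = self.sessions.pop(auth_id)
        assertion = self.idp.issue_assertion(auth_id)  # server to server, not via the user's browser
        if assertion is None or not hmac.compare_digest(mac(self.idp.key, assertion["body"]), assertion["sig"]):
            return None
        return assertion if rp.consume(channel_id, assertion) else None

class RelyingParty:  # element 4
    def __init__(self, comm: CommunicationModule):
        self.comm = comm
        self.channels = {}  # channel id -> secret of the as yet unauthenticated channel 7

    def open_channel(self, device) -> str:
        channel_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.channels[channel_id] = secret
        device.channel = (channel_id, secret)  # both ends hold the same cryptomaterial
        return channel_id

    def request_auth(self, channel_id: str) -> str:  # control 13
        return self.comm.request_auth(self, channel_id, channel_binding(self.channels[channel_id], channel_id))

    def consume(self, channel_id: str, assertion: dict):  # delivered assertion 6; returns subject or None
        body, secret = assertion["body"], self.channels.get(channel_id)
        if secret is None or body["channel_id"] != channel_id or not hmac.compare_digest(
                bytes.fromhex(body["binding"]), channel_binding(secret, channel_id)):
            return None
        return body["subject"]  # user data for the target application (e.g. the Remote_user variable)

class UserDevice:  # element 1 together with the user's authentication means
    def __init__(self, user: str, user_key: bytes):
        self.user, self.user_key, self.channel = user, user_key, None

    def authenticate(self, idp: IdentityProvider, auth_id: str) -> bool:  # information 11 -> channel 8
        channel_id, secret = self.channel
        proof_input = {"auth_id": auth_id, "channel_id": channel_id, "binding": channel_binding(secret, channel_id).hex()}
        return idp.authenticate({"user": self.user, "proof": mac(self.user_key, proof_input), **proof_input})

def run_login(device, rp, idp, comm):
    # Honest Fig. 2 flow; returns (channel id, delivered assertion or None).
    channel_id = rp.open_channel(device)  # as yet unauthenticated data channel 7
    auth_id = rp.request_auth(channel_id)  # RP -> module -> IdP, carrying channel id and binding
    device.authenticate(idp, auth_id)  # authentication means proves both the user and channel 7
    return channel_id, comm.complete(auth_id)  # assertion bound to channel 7, via the module

def replay_on_other_channel(rp, assertion):
    # An intercepted assertion presented over a different channel 7 is rejected (returns None).
    return rp.consume(rp.open_channel(UserDevice("eavesdropper", b"")), assertion)
```

The last function shows the property the page claims for the binding: an assertion taken from one channel 7 cannot authenticate a different channel, because the relying party recomputes the binding from its own end of the channel and compares it with the value inside the assertion.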

Abstract

The invention provides a method of authenticating a user to a relying party (4) through an identity provider (2) in federated identity system, in which a data channel (7) is first established between the user device (1) and the relying party (4), the user is subsequently authenticated with the identity provider (2), and the assertion (5,6) is transmitted from the identity provider (2) to the relying party (4), wherein the authentication with the identity provider (2) includes binding of the data channel (7), which is established between the user device (1) and the relying party (4), with the authentication of the user at the identity provider (2), and wherein the assertion (5,6) with the said bond to the said data channel (7) is transmitted from the identity provider (2) to the relying party (4) through a communication module (10); wherein the said communication module (10), optionally together with the identity provider (2), controls the authentication with the bond to the data channel (7).

Description

Method of authenticating a user to a relying party in federated electronic identity systems
Field of Art
The presented invention relates to a method of authenticating a user to a relying party in an environment of federated identity systems.
Background Art
Currently, federated electronic identity (or federated identity) systems are used in which user authentication is performed by an identity provider using an authentication means (such as software, applications, usernames, passwords).
The authentication result is used by the Relying Party to control the user's access to the target assets (services, data), while relying on the identity provided by the identity provider and on the user data provided by the identity provider.
Currently, federated identity systems based on principles such as "Bearer token based authentication", "Bearer authentication" or alternatively "Bearer Assertion" are used. The principle is that the user, or the device he uses to access the services, proves his identity to the relying party by means of an assertion that does not allow the relying party to verify that the user is the real subject of the assertion, i.e. the relying party must assume that the user is the authenticated person for whom the assertion is valid, but the relying party cannot verify this assumption in any way (NIST Special Publication 800-63-2 Electronic Authentication Guideline, p. 7).
Redirection of the communication through the user's web browser is used to transmit the assertion between the identity provider system where the authentication was performed and the relying party system where the assertion is used. Redirecting can take place automatically, without the need for any action on the part of the user.
The assertion is transmitted using various standards such as SAML (OASIS: Security Assertion Markup Language (SAML) V2.0 Technical Overview - http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html), OAuth (IETF: RFC 6749 - The OAuth 2.0 Authorization Framework - https://tools.ietf.org/html/rfc6749), and WS-Federation (OASIS: Web Services Federation Language (WS-Federation) Version 1.2 - http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html). The redirection functionality is standardized by international RFC standards (IETF: RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content - https://tools.ietf.org/html/rfc7231;
Other systems are used in the federated identity systems to transmit the result of the authentication (the Assertion). They are referred to alternatively as an Identity broker or an Identity node. Their goal is to allow the use of multiple identity providers for the relying party, thereby expanding the number of users. In this case, the user selects his identity provider or another identity broker in the identity broker system; and after performing the authentication, the assertion is always transmitted via the redirect functionality via the user's web browser back through the intermediary identity broker to the relying party system.
Each time an assertion is transmitted between two systems of different identity providers, identity brokers and relying parties, the user's redirect functionality is used for the transmission, and the assertion is thus transmitted at least twice over the Internet, over two - usually unauthenticated or insufficiently authenticated - data channels.
Thus, in federated identity systems, a method of authenticating a user to a relying party through an identity provider proceeds by: first creating a data channel between the user and the relying party, then authenticating the user to the identity provider, and passing the assertion from the identity provider to the relying party, optionally via further identity provider(s) or identity broker(s), whereby the assertion is passed from each identity provider or identity broker to another identity provider or identity broker, and further to the relying party always through the redirection functionality in the web browser or other user application. Furthermore, in current systems, the relying party has no possibility to verify that the user whose device submits the assertion is indeed the person to whom the assertion relates. The prior art processes are shown schematically in Fig. 1.
Existing authentication procedures in the environment of federated (electronic) identity systems have considerable disadvantages in practical application. First, they require the redirection functionality even when the user is not using a web browser. This is typical for mobile applications. This increases the costs and complicates the use of existing federated identity systems for mobile applications, because it is necessary to integrate the redirection functionality into applications, and to sufficiently secure the redirection functionality because the information needed to perform authentication and transmit the assertion is passed via this application. Furthermore, these procedures allow an attacker to intercept an assertion on any transmission via Internet between a user and one of the federated identity system components, and thus the attacker can impersonate the user and gain access to their services and data in the target applications.
The present invention aims to improve the current methods of authenticating a user to a service provider (relying party) through an identity provider in federated (electronic) identity systems so as to maintain the use of existing standards for assertions and their transmission, while significantly enhancing practicality, security and decreasing the risk of abuse of an intercepted assertion by an attacker.
Disclosure of the Invention
An object of the present invention is a method of authenticating a user to a relying party through an identity provider, in which a data channel is first established between the user device and the relying party, the user is subsequently authenticated with the identity provider, and the assertion is transmitted from the identity provider to the relying party, wherein the authentication with the identity provider includes binding of the data channel between the user device and the relying party with the authentication of the user at the identity provider, and wherein the assertion with the said bond to the said data channel is transmitted from the identity provider to the relying party through a communication module; wherein the said communication module, optionally together with the identity provider, controls the authentication with the bond to the data channel.
A "user" is a user of the services or data of the relying party who wishes to access such services or data. The user has a user device. The user device has access to a relying party application through which the user can initiate a login process which subsequently includes authentication. Furthermore, the user has authentication means.
The user's authentication means can be, for example, a smart phone, a computer, a tablet, a smart watch with an authentication application, a token, a smart card, or a PEIG.
A "relying party" (RP) is a server and/or a system of an entity which provides the services or data that the user wishes to access. An "identity provider" (IdP) is a server and/or a system of an entity which provides electronic identities and provides services for these electronic identities, i.e. authentication services.
An "identity broker" (node of an electronic identity system) is a server and/or a system through which an identity provider can be selected and through which the assertion can be transmitted between the identity provider and the relying party. In the present invention, this transmission of the assertion between the identity provider and the relying party is performed by means of the communication module.
A "service provider" is a collective term including a relying party, an identity provider, and an identity broker.
An "assertion" is output data issued by an identity provider. The assertion proves that the user was authenticated by specified means at a specified time. The assertion is the result of the verification of identity performed by the identity provider. The identity provider transmits the assertion to the relying party. Based on the assertion, the relying party provides access to the services or data to the authorized user. The identity provider must have authentication means enabling the binding of the data channel with the authentication. Such means are known in the art (e.g., RFC 5056, RFC 6677 and RFC 8472 relate to channel binding protocols).
A "communication module" is a server and/or a system which controls and manages the authentication and its binding with the data channel between the user device (user) and the relying party, and transmits the assertion between the identity provider and the relying party.
The communication module communicates with at least one relying party, at least one identity provider, and optionally one or more identity brokers. On the side of the relying party, the communication module can communicate either directly with the target application of the relying party or with a reverse proxy server.
Thus, the communication module ensures the transmission of information necessary to control authentication between the relying party and the identity provider, including binding the data channel established between the relying party and the user device to the user authentication. It also ensures the creation of assertion request data according to the relevant standards, and the transmission of the generated assertion between all necessary service providers in the federated identity system according to the relevant standards. The communication module further provides for binding the assertion to the authentication and to the data channel between the relying party and the user device, and processing the content of the assertion and transmittal of the assertion including the user data to the target application of the relying party, optionally via a reverse proxy server.
The communication module may be operated by a relying party or other entity, for example, a separate operator of the communication module operation services for several relying parties.
Preferably, the communication module is configured to allow the user to select an identity provider and to allow the relying party to communicate with multiple identity providers.
Methods for binding a data channel with user authentication are known in the art. Authentication is usually part of the communication protocol of the data channel (e.g. using a client certificate for TLS authentication); authentication data can be transmitted directly between the relevant parts of the application (e.g. filling in a login form on the target application's web page with a username and password), or by a combination of transmission via another channel and transmission via the authenticated data channel (e.g. typing in a code sent to the user via SMS). It may also be the transmission of data identifying the data channel from the user end of the data channel to the user authentication device (i.e., the device or application involved in the authentication on the user side) when external authentication is used. This data is then transmitted or processed as part of the authentication.
Preferably, binding of a data channel with user authentication can be performed by assigning a unique identifier to the data channel between the user device and the relying party prior to the authentication, and using the said identifier as information transmitted by the above described methods. For example, the relying party or the identity provider can assign a data channel identifier.
For example, the data channel identifier may be a data channel session identifier or an authentication identifier. It is additionally possible to use an unauthenticated data channel secret (or cryptographic material derived from the data channel cryptographic material, e.g. from an unverified shared secret of both ends of the data channel, the creation of which is described, for example, in CZ PV 2013-373), in combination with the data channel identifier, to increase security and to defeat attacks on the channel.
The method of the present invention brings the following advantages:
- Assertions are not transmitted via the user's web browser and therefore are not transmitted over the Internet via unprotected data channels; they are transmitted directly between servers through the introduction of a communication module into the federated electronic identity system, where they can be protected by the standard security measures established between service providers.
- There is no need for redirection functionality on the part of the user because the assertion is transmitted via a communication module instead of through a web browser or user application. Therefore, the invention can be easily integrated into mobile applications without the need to introduce a new redirect feature.
- The use of existing assertion transmission standards is maintained.
- The data channel between the user and the relying party is bound to the assertion. The binding can also be cryptographic, thus eliminating even a sophisticated attack on the data channel between the user and the relying party.
- The total authentication time is shorter.
- Less active involvement of the user is needed.
- The user needs to communicate with fewer service environments.
In some embodiments of the invention, the target application of the relying party (i.e., the application providing the service or data requested by the user and to which the user authenticates) may preferably be located behind a reverse proxy server. Such placement behind a reverse proxy server is sometimes used for web applications or for the server parts of mobile applications. In this case, the data channel between the user's device and the target application is terminated on the reverse proxy server. The reverse proxy server controls the user's access to the appropriate resources of the target application (e.g., the respective website) and ensures the transmission of user data to the appropriate internal variables (e.g., REMOTE_USER).
In this case, the communication module can communicate directly with the reverse proxy server, and both the data channel and the user are authenticated invisibly from the viewpoint of the application developer. The developer does not have to program the authentication and can rely on the fact that only an authenticated user can reach the relevant part of the application and that the application can read the user data directly from internal variables. The authentication and the placement of user data in the internal variables are ensured by the reverse proxy server with the assistance of the communication module, according to the system configuration.
In more complex topologies of federated (electronic) identity systems, multiple identity providers are often involved. In such a case, the user typically selects an identity provider who can verify his/her identity, e.g., who has issued his or her authentication means (e.g., an electronic identity card in a particular state or an authentication token or a smart card).
In such systems, the communication module may preferably allow the user to select an identity provider using existing standards and utilizing the identity broker functionality known in the art.
One possible option for selecting an identity provider is that, before authentication begins, the user is redirected to the communication module, which at that moment functions as a standard HTTP proxy server or HTTP client. Thus the user can transparently use the identity broker functionality to select an identity provider. When the user completes the selection, the HTTP proxy server or HTTP client functionality on the communication module is terminated. The result of the selection, transmitted from the identity broker server to the communication module, is processed by the communication module, for example using an algorithm or a conversion table, to create the data needed to control the identity provider selection in the next step.
Another possible option is that the user communicates with a dedicated part of the relying party target application on the relying party's server prior to initiating authentication. This application communicates with an identity broker directly or through a communication module. Also in this case, the result of the mediated interaction of the user with the identity broker, i.e. the identity provider selection, is processed and the data necessary to control the identity provider selection is generated in the next step.
Yet another possible option is to create a separate identity provider selection module communicating with an identity broker, which is located behind the reverse proxy server analogously to the target application.
Once the identity provider selection control data is created, the data is used to route the authentication control communication with the selected identity provider via the communication module. The data can also be used to select a communication method (communication protocol) if different identity providers use different protocols. Further, the control data for the selection of the identity provider is used to create routing information transmitted in the binding of the data channel between the relying party and the user with the user authentication. This information may preferably take the form of a standard URI.
The present invention further provides a system for authenticating a user to a relying party through an identity provider, comprising at least one user device, at least one relying party, at least one identity provider, and at least one communication module adapted to communicate with the relying party and with the identity provider and equipped with means for control of authentication with binding of the authentication with the data channel between the user device and the relying party. The system may further include one or more identity brokers.
Brief Description of Drawings
Fig. 1 schematically illustrates authentication in a prior art federated electronic identity system.
Fig. 2 schematically shows authentication in a federated electronic identity system according to the invention, with binding of authentication with a data channel between a user and a relying party, and with the inclusion of a communication module.
Fig. 3 schematically shows authentication in a federated electronic identity system according to the invention, in a preferred embodiment using a reverse proxy server at the relying party.
Fig. 4 schematically shows authentication in a federated electronic identity system according to the invention, in a preferred embodiment with the selection of an identity provider.
Reference signs: 1 - user device, 2 - identity provider, 3 - identity broker, 4 - relying party, 5 - issued assertion, 6 - delivered assertion, 7 - data channel between user and relying party, 8 - data channel for authentication, 9 - open network (internet), 10 - communication module, 11 - binding of data channel with authentication (transmission of information between the end of data channel 7 at the user side and the user authentication means which is the end of the authentication data channel 8), 12 - control of authentication by the communication module, 13 - control of authentication by the communication module and transmission of assertion to the relying party, 14 - reverse proxy server at relying party, 15 - target application at relying party, 16 - communication for identity provider selection by the user, 17 - communication for selection of an identity provider.
Examples of carrying out the Invention
Example 1
The user selects a relying party service on his device 1, wherein the relying party requires authentication of the user. The relying party 4 identifies an unauthenticated user request and requests authentication of the user from an identity provider 2 by transmitting the authentication request to a communication module 10 via authentication control 13. The communication module 10 requests the authentication from the identity provider 2 using authentication control 12.
The identity provider 2 generates an authentication identifier for binding 11 the data channel 7 with the authentication. The authentication identifier is transmitted via the communication module 10, using controls 12 and 13, to the target application of the relying party 4.
The application transmits to the user via the yet unauthenticated data channel 7 of the target application all information necessary for binding the data channel 7 with authentication, including the identifier obtained from the identity provider 2. The user device 1 forwards the information 11 to the user authentication means, for example, by displaying and photographing the QR code, using URI calls within the operation system of the device 1, or by other means of communication between tasks in the user device 1.
The authentication means transmits the information 11, including the identifier, by the authentication data channel 8 to the authentication system of the identity provider 2, where it is bound based on the identifier with the result of the authentication.
Meanwhile, the communication module 10, while retaining the context, requests the issuance of an assertion 5 according to the relevant standard.
The assertion 5 is transmitted as a response to the communication module 10 in accordance with the relevant standard, and the communication module 10 processes the assertion as a standard browser would (following the HTTP redirect). Thus, the issued assertion 5 is delivered in standard form to the identity broker 3. The identity broker 3 processes the assertion 5 in a standard manner and transmits the response as a delivered assertion 6 to the communication module 10. The communication module handles all communication related to a single authentication in a single session, so it can link the original authentication request from the relying party 4 to the authentication identifier generated by the identity provider 2 as well as to the delivered assertion 6.
The communication module processes this information and transmits to the relying party 4 the complete result of user authentication via the control 13.
Example 2
The user selects on his device 1 a service provided by a relying party that requires authentication. The relying party 4 identifies an unauthenticated user request. The relying party 4 together with the user device 1 creates a yet unauthenticated data channel 7 of the target communication and creates a cryptomaterial and a channel identifier for the data channel 7.
The relying party 4 requests authentication to be performed by the identity provider 2 by passing the authentication request together with the identifier of the data channel 7 and derivative of the cryptomaterial of the data channel 7 to the communication module 10 via authentication control 13. The communication module 10 requests authentication by the identity provider 2 using authentication control 12.
The identity provider 2 uses the channel 7 identifier and the cryptomaterial derivative to authenticate the user and the data channel 7.
Meanwhile, the user device 1 generates a derivative of the cryptomaterial of the data channel 7 and processes the channel 7 identifier, thereby creating all necessary information to bind the data channel 7 to the authentication and to perform the authentication.
The authentication means processes the information 11 including the identifier and the cryptomaterial, and, by means of the authentication data channel 8, performs the authentication, including the authentication of the data channel 7, using information transmitted from the relying party 4 via the communication module 10.
The procedure is continued as in Example 1.
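The flow of Examples 1 and 2, together with the identifier-plus-cryptomaterial binding described earlier in the disclosure, as an added example that is not part of the patent: a small Python simulation in which the relying party 4, the communication module 10, the identity provider 2 and the user side exchange the messages the examples name (authentication control 12 and 13, information 11, authentication data channel 8). HMAC under a per-channel secret stands in for a TLS exporter value (RFC 5705) and for the identity provider's assertion signature; the classes, field names, the `channel-binding:` label and the user "alice" are assumptions of this example, not anything the patent specifies. Besides the honest login it runs two attacks the description refers to: an attacker who terminates data channel 7 in the middle and relays the login data to the victim, and an attacker who replays a captured assertion 6 on a different channel.

```python
# Added example, not the patent's own code: a toy run of the Example 2 flow. Channel 7 is
# bound to the IdP authentication by its identifier plus a derivative of its cryptomaterial,
# and the assertion moves server-to-server via the communication module 10. HMAC stands in
# for a TLS exporter (RFC 5705) and for the IdP's signature; names and fields are assumed.
import hashlib, hmac, json, os, time

def mac(key: bytes, obj) -> str:                           # keyed tag over canonical JSON
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()
def cb_derivative(secret: bytes, channel_id: str) -> str:  # safe to hand to the IdP
    return hmac.new(secret, b"channel-binding:" + channel_id.encode(), hashlib.sha256).hexdigest()

class DataChannel:                                         # data channel 7: both ends share a secret
    def __init__(self):
        self.secret, self.channel_id = os.urandom(32), os.urandom(8).hex()

class IdentityProvider:
    def __init__(self):
        self.key, self.users, self.pending = os.urandom(32), {}, {}
    def request_auth(self, channel_id, cb):                 # control 12, module -> IdP
        auth_id = os.urandom(8).hex()
        self.pending[auth_id] = {"channel_id": channel_id, "cb": cb, "user": None}
        return auth_id
    def authenticate(self, user, info11, tag):              # channel 8, auth means -> IdP
        p = self.pending.get(info11["auth_id"])
        if p is None or not hmac.compare_digest(tag, mac(self.users[user], info11)):
            return False
        # Binding 11: the channel the user's device sees must be the one the RP reported.
        if info11["channel_id"] != p["channel_id"] or not hmac.compare_digest(info11["cb"], p["cb"]):
            return False
        p["user"] = user
        return True
    def issue_assertion(self, auth_id):                     # control 12, module -> IdP
        p = self.pending.pop(auth_id, None)
        if p is None or p["user"] is None:
            return None
        body = {"sub": p["user"], "channel_id": p["channel_id"], "cb": p["cb"], "iat": int(time.time())}
        return {"body": body, "sig": mac(self.key, body)}

class CommunicationModule:                                 # module 10: one session per authentication
    def __init__(self, idp):
        self.idp, self.sessions = idp, {}
    def begin(self, channel_id, cb):                        # control 13, RP -> module
        auth_id = self.idp.request_auth(channel_id, cb)
        self.sessions[auth_id] = channel_id                 # links RP request, auth_id and assertion
        return auth_id
    def finish(self, auth_id):                              # control 13, module -> RP
        return self.sessions.pop(auth_id), self.idp.issue_assertion(auth_id)

class RelyingParty:
    def __init__(self, module, idp_key):
        self.module, self.idp_key, self.channels = module, idp_key, {}
    def open_channel(self):
        ch = DataChannel()
        self.channels[ch.channel_id] = ch
        return ch
    def start_login(self, ch):                              # reply to the user over channel 7
        auth_id = self.module.begin(ch.channel_id, cb_derivative(ch.secret, ch.channel_id))
        return {"auth_id": auth_id, "channel_id": ch.channel_id}
    def accept_assertion(self, channel_id, a):              # assertion 6 is honoured only for its channel
        ch = self.channels.get(channel_id)
        if ch is None or a is None or not hmac.compare_digest(a["sig"], mac(self.idp_key, a["body"])):
            return None
        bound = a["body"]["channel_id"] == ch.channel_id and hmac.compare_digest(
            a["body"]["cb"], cb_derivative(ch.secret, ch.channel_id))
        return a["body"]["sub"] if bound else None

def user_device_bind(channel, msg):                        # information 11 for the authentication means
    return {"auth_id": msg["auth_id"], "channel_id": msg["channel_id"],
            "cb": cb_derivative(channel.secret, channel.channel_id)}

def setup(user="alice"):
    idp = IdentityProvider()
    idp.users[user] = os.urandom(32)                        # key inside the user's authentication means
    return idp, RelyingParty(CommunicationModule(idp), idp.key)

def run(user, idp, rp, rp_channel, user_channel):
    msg = rp.start_login(rp_channel)
    info11 = user_device_bind(user_channel, msg)
    return idp.authenticate(user, info11, mac(idp.users[user], info11)), msg["auth_id"]

def honest_login(user="alice"):
    idp, rp = setup(user)
    ch = rp.open_channel()                                  # channel 7, still unauthenticated
    ok, auth_id = run(user, idp, rp, ch, ch)
    return ok, rp.accept_assertion(*rp.module.finish(auth_id))

def mitm_login(user="alice"):
    # Attacker holds channel A to the RP and channel B to the victim and relays the login
    # message unchanged; the victim's device derives cb from B, so the binding check fails.
    idp, rp = setup(user)
    ok, auth_id = run(user, idp, rp, rp.open_channel(), DataChannel())
    return ok, rp.accept_assertion(*rp.module.finish(auth_id))

def replay_stolen_assertion(user="alice"):
    idp, rp = setup(user)
    ch = rp.open_channel()
    _, auth_id = run(user, idp, rp, ch, ch)
    _, assertion = rp.module.finish(auth_id)                # suppose an attacker obtains assertion 6
    return rp.accept_assertion(rp.open_channel().channel_id, assertion)  # other channel: rejected
```

`honest_login()` returns `(True, "alice")`; `mitm_login()` returns `(False, None)` because the derivative the victim's device computes comes from the attacker-to-victim channel, not from the channel the relying party reported to the identity provider, which is the case the channel identifier alone would not catch; `replay_stolen_assertion()` returns `None` because the assertion carries the identifier and derivative of the channel it was issued for. In a real deployment the derivative would come from the TLS stack at both ends rather than from a shared in-memory secret, and the assertion would carry it in a SAML or OAuth profile.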
Example 3
The user selects on his device 1 a service of a relying party that requires authentication. The relying party 4 uses a reverse proxy server 14 on which the secure data channel of the target application (e.g., TLS) terminates. The reverse proxy server 14 identifies an unauthenticated user request. The reverse proxy server 14, together with the user device 1, creates an as yet unauthenticated data channel 7 for the target communication and creates the cryptomaterial and the channel identifier for the channel 7.
The reverse proxy server 14 requests authentication from the identity provider 2 by transmitting the authentication request together with the data channel 7 identifier and the data channel 7 cryptomaterial derivative to the communication module 10 via the authentication control 13. The communication module 10 requests authentication by the identity provider 2 using authentication control 12.
The identity provider 2 uses the channel identifier and the cryptomaterial derivative to authenticate the user and the data channel 7.
Meanwhile, the user device 1 generates a derivative of the cryptomaterial of the data channel 7 and processes the channel 7 identifier, thereby creating all the necessary information 11 for binding the data channel with authentication and for performing the authentication.
The authentication means processes the information 11 including the identifier and the cryptomaterial, and by means of the authentication data channel 8 performs the authentication, including the authentication of the data channel 7, using information transmitted from the reverse proxy server 14 via the communication module 10.
Next, the procedure proceeds as in Example 1 except that the assertion 6 is transmitted to the reverse proxy server 14.
The reverse proxy server processes the assertion 6 and based on the assertion, makes the desired page of the target application available or unavailable to the user, and optionally passes the processed information from the assertion 6 to the internal variables of the target application.
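The reverse proxy of this example, and the earlier remark that the target application only reads internal variables such as REMOTE_USER, as an added example that is not from the patent: a WSGI middleware playing reverse proxy server 14 in front of target application 15. The proxy keeps the processed assertions 6 that the communication module delivered for each session of data channel 7, refuses protected paths without a valid one, and exposes the identity to the application only through `REMOTE_USER`, discarding any identity header the client may have sent. The `X-Session-Id` header (standing in for the TLS session the proxy terminates), the assertion fields `sub`, `channel_id` and `exp`, and the users "alice" and "bob" are assumptions of this example; signature verification is assumed to have happened in the communication module before delivery.

```python
# Added example, not the patent's own code: reverse proxy 14 in front of target application 15
# (Example 3) as a WSGI middleware. It keeps the processed assertions 6 delivered for each
# session of data channel 7 and exposes the identity to the application only through the
# internal variable REMOTE_USER. The X-Session-Id header (standing in for the TLS session
# the proxy terminates) and the assertion fields sub / channel_id / exp are assumptions.
import time

class ReverseProxy:
    def __init__(self, target_app, protected_prefix="/app/"):
        self.target_app, self.prefix, self.assertions = target_app, protected_prefix, {}

    def deliver_assertion(self, session_id, assertion):     # control 13, module -> proxy
        self.assertions[session_id] = assertion

    def __call__(self, environ, start_response):
        # Identity never comes from the client: drop any forged REMOTE_USER / X-Remote-User.
        for key in ("REMOTE_USER", "HTTP_X_REMOTE_USER"):
            environ.pop(key, None)
        if environ.get("PATH_INFO", "/").startswith(self.prefix):
            session_id = environ.get("HTTP_X_SESSION_ID")
            a = self.assertions.get(session_id)
            if a is None or a["channel_id"] != session_id or a["exp"] < time.time():
                start_response("401 Unauthorized", [("Content-Type", "text/plain")])
                return [b"authentication required"]
            environ["REMOTE_USER"] = a["sub"]                # internal variable read by the app
        return self.target_app(environ, start_response)

def target_app(environ, start_response):
    """Target application 15: no authentication code, it only reads REMOTE_USER."""
    user = environ.get("REMOTE_USER")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}".encode() if user else b"public page"]

def call(app, path, headers=None):
    """Drive a WSGI app without a server and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}
    body = b"".join(app(environ, lambda status, hdrs: seen.setdefault("status", status)))
    return seen["status"], body

def demo():
    """Constructed run: one session holds a valid bound assertion, another an expired one."""
    proxy = ReverseProxy(target_app)
    proxy.deliver_assertion("sess-7a", {"sub": "alice", "channel_id": "sess-7a", "exp": time.time() + 300})
    proxy.deliver_assertion("sess-old", {"sub": "bob", "channel_id": "sess-old", "exp": time.time() - 1})
    return {
        "bound": call(proxy, "/app/home", {"X-Session-Id": "sess-7a"}),
        "expired": call(proxy, "/app/home", {"X-Session-Id": "sess-old"}),
        "no_session": call(proxy, "/app/home"),
        "forged": call(proxy, "/app/home", {"X-Remote-User": "admin"}),
        "public": call(proxy, "/", {"X-Remote-User": "admin"}),
    }
```

The point to check in any such deployment is the header stripping at the top of `__call__`: if the proxy forwards client-supplied identity headers, the application's trust in `REMOTE_USER` is misplaced no matter how well the assertion itself is bound.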
Example 4
The user has a client part of a mobile application of a relying party 4 installed on his mobile device 1. The relying party 4 has a list of trusted identity providers 2.
The user launches the mobile application. The mobile application requests a current list of trusted identity providers 2 from the relying party 4 server, to display the list to the user. The user selects his identity provider 2. The result of the selection is transmitted to the server part of the mobile application, which uses the result as a parameter when requesting authentication through the communication module 10 via authentication control 13. This parameter is used by the communication module 10 to communicate with the identity provider 2 via authentication control 12.
The procedure is continued as in Example 1.
Example 5
The user has installed the client part of the relying party 4 mobile application on his mobile device 1.
The relying party 4 uses a reverse proxy server 14 as the endpoint of the secure data channel of the target application, e.g., TLS, and does not have a list of trusted identity providers 2. The list of trusted identity providers 2 is provided by an identity broker 3.
The user launches the mobile application. The mobile application uses an unauthenticated data channel 7 to communicate with the reverse proxy server 14. The reverse proxy server identifies an unauthenticated user and starts the server part of an identity provider selection application. The identity provider selection application requests, using the authentication control 13, from the communication module a current list of trusted identity providers 2. The communication module 10 requests a current list of trusted identity providers 2 from the identity broker 3 using standard communication 17 for selecting an identity provider. The list is transmitted up to the client part of the mobile application, where the user selects his identity provider 2. The result of the selection is forwarded to the reverse proxy server 14, which uses it as an authentication request parameter, which is transmitted to the communication module 10 via the authentication control 13. This parameter is used by the communication module 10 to communicate with the identity provider 2 using the authentication control 12.
The procedure is continued as in Example 3.

Claims

1. A method of authenticating a user to a relying party (4) through an identity provider (2) in a federated identity system, wherein a data channel (7) is first established between the user device (1) and the relying party (4), the user is subsequently authenticated with the identity provider (2), and an assertion (5,6) is transmitted from the identity provider (2) to the relying party (4), characterized in that the authentication with the identity provider (2) includes binding of the data channel (7), which is established between the user device (1) and the relying party (4), with the authentication of the user, and in that the assertion (5,6) with the said bond to the said data channel (7) is transmitted from the identity provider (2) to the relying party (4) through a communication module (10); wherein the said communication module (10), optionally together with the identity provider (2), controls the authentication with the bond to the data channel (7).
2. The method according to claim 1, wherein the binding of the data channel (7) between the user device (1) and the relying party (4) with user authentication is performed by assigning a unique identifier to the data channel (7) prior to the authentication, and using the said identifier as information transmitted between the user end of the data channel (7) and the authentication means of the user.
3. The method according to claim 2, wherein the identifier of the data channel (7) is a data channel session identifier or an authentication session identifier.
4. The method according to claim 2 or 3, wherein a cryptographic material derived from the data channel (7) cryptographic material is used together with the data channel (7) session identifier.
5. The method according to any one of the preceding claims, wherein the communication module (10) communicates with a reverse proxy server (14), and the data channel (7) between the user device (1) and the relying party (4) is terminated at the reverse proxy server (14), and wherein the reverse proxy server (14) controls the access of the users to the resources of the target application of the relying party (4).
6. The method according to any one of the preceding claims, wherein the communication module (10) is configured for selection of identity provider (2) and for communication with multiple identity providers (2), preferably via identity broker (3).
7. The method according to claim 6, wherein the user, before the authentication begins, utilizes the communication module (10), which at that moment functions as a standard http proxy server or http client, to select an identity provider (2) from a list provided by an identity broker (3), and when the user completes the selection, the functionality of the http proxy server or http client on the communication module (10) is terminated; and wherein the result of the selection, transmitted from the identity broker (3) to the communication module (10), is processed by the communication module (10) to create data needed to control the identity provider selection.
8. The method according to claim 6, wherein for performing the selection of the identity provider (2), the user communicates with a dedicated part of the relying party (4) target application on the relying party's (4) server prior to initiating authentication, the said part of the target application communicates with an identity broker (3) directly or through a communication module (10), and the result of the mediated interaction of the user with the identity broker (3) which is the identity provider (2) selection, is processed to create data necessary to control the identity provider (2) selection.
9. The method according to claim 6, wherein for performing the selection of the identity provider (2), the user communicates with a separate module for selection of the identity provider (2) communicating with an identity broker (3), and said module is located behind a reverse proxy server (14), wherein the result of the interaction of the user with said module, which is the identity provider (2) selection, is processed to create the data necessary to control the identity provider (2) selection.
10. A system for authenticating a user to a relying party (4) through an identity provider (2), comprising at least one user device (1), at least one relying party (4), at least one identity provider (2), optionally at least one identity broker (3), characterized in that the system further comprises at least one communication module (10) configured to communicate with the relying party (4) and with the identity provider (2), and optionally with the identity broker (3), and the communication module (10) is equipped with means for control of authentication with binding of the authentication with the data channel (7) between the user device and the relying party.
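The binding mechanism that claims 4 and 10 describe, worked through as an added Python example. This is illustrative code written for this page, not the applicant's implementation: it assumes the communication module (10) receives the terminated channel's session identifier and keying material from the reverse proxy server (14) (claim 5), uses constructed random bytes in place of TLS exported keying material (RFC 5705), and uses a shared HMAC key in place of the identity provider's signature. The names DataChannel, AuthnRequest, Assertion, IdentityProvider and CommunicationModule are the example's own.

```python
"""Channel-bound federated authentication: added illustration of the binding in
claims 4 and 10, not the applicant's code.  Random bytes stand in for TLS
exported keying material; a shared HMAC key stands in for the IdP signature."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256, inlined so the example is stand-alone."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def channel_binding(channel_material: bytes, session_id: bytes) -> bytes:
    """Binding value derived from the channel's keying material together with its
    session identifier (claim 4).  The identifier is the HKDF salt and part of
    the info string, so the same keying material on another session differs."""
    return hkdf_sha256(channel_material, salt=session_id,
                       info=b"channel-binding v1|" + session_id)


@dataclass(frozen=True)
class DataChannel:
    """Constructed stand-in for the data channel (7) as terminated at the reverse
    proxy: its session identifier plus exported keying material."""
    session_id: bytes
    exported_material: bytes


@dataclass(frozen=True)
class AuthnRequest:
    binding: bytes
    nonce: bytes


@dataclass(frozen=True)
class Assertion:
    subject: str
    binding: bytes
    nonce: bytes
    mac: bytes


class IdentityProvider:
    """Authenticates the user and echoes the request's binding into a
    MAC-protected assertion (the MAC models the IdP's signature)."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def issue(self, request: AuthnRequest, subject: str) -> Assertion:
        body = subject.encode() + request.binding + request.nonce
        return Assertion(subject, request.binding, request.nonce,
                         hmac.new(self._key, body, hashlib.sha256).digest())


class CommunicationModule:
    """Communication module (10): starts the authentication with the live
    channel's binding and accepts an assertion only if it is authentic,
    unconsumed, and bound to the channel it arrives over."""

    def __init__(self, idp_shared_key: bytes):
        self._idp_key = idp_shared_key
        self._pending = {}  # nonce -> binding the request was issued for

    def start_authentication(self, channel: DataChannel) -> AuthnRequest:
        binding = channel_binding(channel.exported_material, channel.session_id)
        nonce = os.urandom(16)
        self._pending[nonce] = binding
        return AuthnRequest(binding=binding, nonce=nonce)

    def accept(self, assertion: Assertion, channel: DataChannel) -> bool:
        expected = self._pending.pop(assertion.nonce, None)
        if expected is None:
            return False  # unknown or already consumed nonce: replay
        live = channel_binding(channel.exported_material, channel.session_id)
        if not (hmac.compare_digest(expected, live)
                and hmac.compare_digest(assertion.binding, live)):
            return False  # assertion is not bound to the channel it arrived over
        body = assertion.subject.encode() + assertion.binding + assertion.nonce
        good_mac = hmac.new(self._idp_key, body, hashlib.sha256).digest()
        return hmac.compare_digest(assertion.mac, good_mac)


def demo() -> dict:
    """Honest flow plus replay, relay-to-another-channel and forgery attempts."""
    key = os.urandom(32)
    cm, idp = CommunicationModule(key), IdentityProvider(key)
    victim = DataChannel(os.urandom(32), os.urandom(32))    # user's own channel
    attacker = DataChannel(os.urandom(32), os.urandom(32))  # attacker's channel to the RP
    req = cm.start_authentication(victim)
    honest = cm.accept(idp.issue(req, "alice"), victim)
    replay = cm.accept(idp.issue(req, "alice"), victim)      # same nonce presented again
    req2 = cm.start_authentication(victim)
    relayed = cm.accept(idp.issue(req2, "alice"), attacker)  # assertion moved to another channel
    req3 = cm.start_authentication(attacker)
    forged = Assertion("alice", req3.binding, req3.nonce, os.urandom(32))  # no IdP key
    forgery = cm.accept(forged, attacker)
    return {"honest": honest, "replay": replay, "relayed": relayed, "forgery": forgery}


if __name__ == "__main__":
    print(demo())  # {'honest': True, 'replay': False, 'relayed': False, 'forgery': False}
```

The point to take from the demo is the relay case: an assertion that is perfectly valid for the identity provider is still rejected by the communication module because the binding it carries was derived from a channel other than the one it is presented over. In a real deployment the keying material would come from the TLS exporter at the reverse proxy, and the assertion would be signed by the identity provider rather than MAC-protected with a shared key.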

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CZ2019-221A CZ2019221A3 (en) 2019-04-08 2019-04-08 A method of authenticating a user to a relying party in an electronic identity federation system
CZPV2019-221 2019-04-08

Publications (1)

Publication Number Publication Date
WO2020207517A1 true WO2020207517A1 (en) 2020-10-15

Family

ID=71079995

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CZ2020/050021 WO2020207517A1 (en) 2019-04-08 2020-04-07 Method of authenticating a user to a relying party in federated electronic identity systems

Country Status (2)

Country Link
CZ (1) CZ2019221A3 (en)
WO (1) WO2020207517A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CZ2020271A3 (en) 2020-05-14 2021-11-24 Aducid S.R.O. Software system and authentication method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8607322B2 (en) * 2004-07-21 2013-12-10 International Business Machines Corporation Method and system for federated provisioning
WO2008020991A2 (en) * 2006-07-28 2008-02-21 Brown University Notarized federated identity management
US20080271121A1 (en) * 2007-04-27 2008-10-30 Heather Maria Hinton External user lifecycle management for federated environments
WO2010030458A2 (en) * 2008-09-12 2010-03-18 Motorola, Inc. Method for action assertion generation and usage
WO2011091313A1 (en) * 2010-01-22 2011-07-28 Interdigital Patent Holdings, Inc. Method and apparatus for trusted federated identity management and data access authorization
US9965614B2 (en) * 2011-09-29 2018-05-08 Oracle International Corporation Mobile application, resource management advice
US8776209B1 (en) * 2012-03-09 2014-07-08 Juniper Networks, Inc. Tunneling session detection to provide single-sign on (SSO) functionality for a VPN gateway

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160294797A1 (en) * 2015-03-31 2016-10-06 Cisco Technology, Inc. Secure transmission of a session identifier during service authentication

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Reverse proxy - Wikipedia, the free encyclopedia", 23 April 2013 (2013-04-23), XP055220478, Retrieved from the Internet <URL:https://web.archive.org/web/20130423213637/http://en.wikipedia.org/wiki/Reverse_proxy> [retrieved on 20151013] *
PAUL GRASSI ET AL: "PRIVACY-ENHANCED IDENTITY FEDERATION", 1 December 2016 (2016-12-01), XP055691756, Retrieved from the Internet <URL:https://web.archive.org/web/20170107115608if_/https://nccoe.nist.gov/sites/default/files/library/project-descriptions/privacy-enhanced-identity-federation-project-description-final.pdf> [retrieved on 20200505] *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2588573A (en) * 2019-07-09 2021-05-05 Rimo Capital Ltd A remediation system to prevent incompatible program module installation in an information processing system
GB2588573B (en) * 2019-07-09 2021-11-17 Rimo Capital Ltd A remediation system to prevent incompatible program module installation in an information processing system
CN113014554A (en) * 2021-02-07 2021-06-22 博为科技有限公司 Automatic switching method and system for internet access channel, ONU (optical network unit) equipment and OLT (optical line terminal) equipment
CN113014554B (en) * 2021-02-07 2023-06-13 博为科技有限公司 Automatic switching method and system for internet surfing channels, ONU (optical network Unit) equipment and OLT (optical line terminal) equipment

Also Published As

Publication number Publication date
CZ308358B6 (en) 2020-06-17
CZ2019221A3 (en) 2020-06-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20720735; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20720735; Country of ref document: EP; Kind code of ref document: A1