CN102938757B - The method and identity provider of user data in shared network - Google Patents
- Publication number: CN102938757B
- Application number: CN201110233110.9A
- Authority: CN (China)
- Prior art keywords: providing server, user, service, identity, service providing
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
Description
Technical field
The present invention relates to the fields of telecommunications and the Internet, and in particular to a method for sharing user data in a network, a service providing server, an identity providing server and a user equipment.
Background
With the spread of networks and the development of information technology, people increasingly conduct business in cyberspace: online shopping, Internet telephony, e-mail, blogs, instant messaging and so on. Services are usually provided to users by telecom operators and service providers. Telecom operators own the communication network infrastructure and offer users a wide range of access methods, such as Asymmetric Digital Subscriber Line (ADSL) access, third-generation (3G) mobile communication access, Wireless Local Area Network (WLAN) access and Ethernet access; service providers offer users a wide range of services, such as traditional portal websites, e-commerce, network communications, online banking and social networking.
Service providers on the Internet vary greatly in size. Some can offer innovative services, but their user base grows slowly, and the number of users usually becomes the bottleneck for service development. In recent years a class of providers offering identity services has appeared on the Internet, called identity providers (Identity Provider; referred to here as identity providing servers). The identity providing server operated by an identity provider usually has a very large user base and can offer identity verification and similar services to other users or service providers. Telecom operators have an enormous number of users and are natural candidates to act as identity providing servers, but compared with the open Internet the telecom network is relatively closed and offers a single type of service. To strengthen their competitiveness, rather than merely providing a pipe for service providers, telecom operators need to become part of the service value chain: acting as identity providing servers, sharing user information, providing trusted security services, providing mobile payment capabilities, and so on. Service providers can then reuse the capabilities offered by telecom operators as far as possible and concentrate on their core business; users gain a seamless service experience with better security and privacy.
In the prior art, an Application Server (AS) in the IP Multimedia Subsystem (IMS) can directly access a user's subscription data in the Home Subscriber Server (HSS). The user decides which data to share by modifying the subscription information. Internet service providers are numerous and new ones appear constantly, so it is difficult to define the subscription data in advance; this scheme therefore has a scalability problem. Moreover, a third-party AS obtains user subscription data from the HSS on the basis of a trust relationship, and at present the AS's access to user subscription data cannot be controlled flexibly.
Current Identity Management (IdM) involves three roles: the user, the service provider and the identity providing server. Current solutions mainly address single sign-on, for example OpenID, Liberty Alliance, CardSpace, the Generic Authentication Architecture (GAA) and the Kerberos model. These solutions define user identity differently and each operates independently; the resulting diversity of identities is still an inconvenience for users of Internet services.
Open Authorization (OAuth) is a protocol for authorized access to user resource data on the Internet. It does not identify users in a unified way and does not define how it is to be used together with the resources of a telecom operator.
In current networks the user's identity is used to identify the user at the network layer and can also be used by service providers to identify the user, which gives the user a single unified identity. However, there is still no effective method by which a service provider's service providing server can securely share the telecom operator's user data, and this limits the development of new services.
Summary of the invention
The present invention provides a method for sharing user data in a network, a service providing server, an identity providing server and a user equipment, to solve the problem that existing service providing servers cannot securely share the user data of a telecom operator.
The present invention provides a method for sharing user data in a network, in which the network includes an identity providing server and a resource server (RS), and the method includes:
the service providing server receiving an access from a user equipment (UE);
the service providing server obtaining, directly or indirectly from the RS, the user shared data that the user has authorized.
Preferably, before the service providing server receives the access from the UE, the method further includes:
the service providing server completing, directly or indirectly, service access authentication of the UE.
Preferably, the service providing server directly completing service access authentication of the UE includes:
the service providing server obtaining user security parameters from the identity providing server and completing service access authentication of the UE according to those user security parameters.
Preferably, the service providing server indirectly completing service access authentication of the UE includes:
the service providing server obtaining from the identity providing server the result of the identity providing server's service access authentication of the UE.
Preferably, the user security parameters are obtained by the identity providing server according to the result of the network's access authentication of the UE.
Preferably, the service access authentication result is produced by the identity providing server according to the result of the network's access authentication of the UE.
Preferably, the service providing server directly obtaining user-authorized shared data from the RS includes:
the service providing server obtaining a token from the identity providing server and, using the token, obtaining the user-authorized shared data directly from the RS.
Preferably, the service providing server indirectly obtaining user-authorized shared data from the RS includes:
the service providing server obtaining the user-authorized shared data through the identity providing server.
The present invention also provides a service providing server, which includes:
a receiving module, configured to receive an access from a user equipment (UE);
an obtaining module, configured to obtain user-authorized shared data directly or indirectly from a resource server (RS).
Preferably, the service providing server further includes:
a service access authentication module, configured to complete, directly or indirectly, service access authentication of the UE before the receiving module receives the access from the UE.
Preferably, the service access authentication module is configured to obtain user security parameters from an identity providing server and complete service access authentication of the UE according to those parameters; or to obtain from the identity providing server the result of the identity providing server's service authentication of the UE.
Preferably, the user security parameters are obtained by the identity providing server according to the result of the network's access authentication of the UE; or
the service authentication result is produced by the identity providing server according to the result of the network's access authentication of the UE.
Preferably, the obtaining module is configured to obtain a token from the identity providing server and, using the token, obtain user-authorized shared data directly from the RS; or to obtain user-authorized shared data through the identity providing server.
The present invention also provides an identity providing server, which includes:
a network access authentication module, configured to authenticate a user equipment (UE) accessing the network and obtain user security parameters;
a service access authentication module, configured to complete service access authentication of the UE according to the user security parameters obtained by the network access authentication module, and to send the service access authentication result to a service providing server.
Preferably, the identity providing server further includes:
a sending module, configured to send the user security parameters obtained by the network access authentication module to the service providing server.
Preferably, the user security parameters include a session key.
Preferably, the identity providing server further includes:
a data sending module, configured to receive a data request from the service providing server after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server; to obtain user-authorized shared data from a resource server (RS) according to the data request; and to send that shared data to the service providing server.
Preferably, the data sending module is further configured to receive a token request from the service providing server after the service access authentication module has sent the service access authentication result, or the sending module has sent the user security parameters, to the service providing server, and to send a token to the service providing server according to the token request, so that the service providing server can obtain user-authorized shared data from the RS using the token.
The present invention also provides a user equipment (UE), which includes:
an access module, configured to access a service providing server;
a data processing module, configured to receive a user data authorization request that the identity providing server sends in response to the data request from the service providing server, and to return to the identity providing server the shared data the user has authorized, according to the user's authorization decision on the user data carried in that request.
Preferably, the access module is configured to access the service providing server after the UE has successfully accessed the network using its identifier and has passed the service access authentication of the service providing server.
The above method for sharing user data in a network, service providing server, identity providing server and user equipment enable a service providing server to securely share the user data of a telecom operator.
Description of the drawings
FIG. 1 is a schematic diagram of a scenario of sharing user data in a network according to the present invention;
FIG. 2 is a schematic architecture diagram of Embodiment 1 of sharing user data in a network according to the present invention;
FIG. 3 is a schematic architecture diagram of Embodiment 2 of sharing user data in a network according to the present invention;
FIG. 4 is a signalling flowchart of Embodiment 1 of sharing user data in a network according to the present invention;
FIG. 5 is a signalling flowchart of Embodiment 2 of sharing user data in a network according to the present invention;
FIG. 6 is a signalling flowchart of Embodiment 3 of sharing user data in a network according to the present invention.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. Note that, provided they do not conflict, the embodiments in this application and the features within them may be combined with one another arbitrarily.
FIG. 1 is a schematic diagram of a scenario of sharing user data in a network according to the present invention. In this embodiment a social network securely shares the user's data held in the network, such as a contact list. The sharing process includes:
Step 10: user 100 connects to network 102 and passes the authentication of network 102;
Step 12: user 100 visits social networking site 104;
Step 14: social networking site 104 has no identity information for user 100; it locates network 102 from configuration information or by a dynamic discovery protocol;
Step 16: network 102 contacts user 100, and user 100 decides whether to authorize sharing of user data such as the contact list;
Step 18: after user 100 has authorized the data to be shared, network 102 continues with the subsequent processing;
Step 20: network 102 returns the information shared by user 100, such as the contact list, to social networking site 104;
Step 22: when user 106 accesses social networking site 104 through network 102, the user data shared by user 100, such as the contact list, is used.
FIG. 2 is a schematic architecture diagram of Embodiment 1 of sharing user data in a network according to the present invention. The network routes data packets through an Access Serving Node (ASN); user equipment (UE) 200 is identified by an ID. In the network, the identity providing server authenticates user equipment 200, and the data shared by the user can be obtained either directly from resource server (RS) 206 or through identity providing server 204. The network includes, but is not limited to, a mobile communication network or an identifier network. Authentication between UE 200 and service providing server 208 is based on the result of the user's network access authentication. In this architecture the network does not pass the user's security credentials to service providing server 208, so service providing server 208 cannot authenticate user equipment 200 directly; user authentication has to be completed over the interface between UE 200 and identity providing server 204.
User equipment 200 is a user node such as a mobile phone or personal computer. It is pre-configured with, or obtains from the network, an identifier ID, and it holds security credentials: a root key pre-shared with the network, or a digital certificate. In a mobile communication network the UE's ID may be an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber ISDN number (MSISDN); in an identifier network the UE's ID is an Access Identifier (AID). The capabilities of the user equipment include, but are not limited to: support for the Hypertext Transfer Protocol (HTTP) Digest authentication protocol; support for the Session Initiation Protocol (SIP) Digest authentication protocol; support for the Extensible Authentication Protocol (EAP) and EAP authentication methods; and the ability to derive new keying material.
Access serving node 202 sits at the edge of the network. It provides access service to user equipment 200, maintains the connection between terminal and network, routes and forwards data packets, and works with identity providing server 204 to complete access authentication of UE 200. In a mobile communication network the access serving node is the Serving GPRS Support Node (SGSN) and/or the Gateway GPRS Support Node (GGSN); in an identifier network it is the ASN.
Identity providing server 204 is built around the user identity ID in the network: it creates, maintains and manages user identity information and provides user identity verification services. Its capabilities include, but are not limited to: providing network access authentication; providing service access authentication; supporting EAP; and obtaining user information from the RS. In a concrete implementation, the identity management functions can be realized by extending an authentication centre with, for example, Web functions, HTTP (Hypertext Transfer Protocol), HTTP Digest authentication and the Security Assertion Markup Language (SAML).
Resource server (RS) 206 stores the user's security information and provides the user's attribute data and other data, such as the contact list, avatar, photos and videos.
Service providing server 208 provides services to user node 200. These may be Web services, such as portal sites and online shops, which usually use Hypertext Markup Language (HTML) over HTTP; or non-Web services, such as e-mail and instant messaging, which are usually based on transport-layer protocols such as the Transmission Control Protocol (TCP).
The interfaces in FIG. 2 are as follows:
Interface A: between UE 200 and ASN 202; provides mutual authentication of UE 200 and ASN 202; supports, but is not limited to, EAP;
Interface B: between ASN 202 and identity providing server 204; carries the master session key from identity providing server 204 to ASN 202; supports, but is not limited to, carrying EAP payloads over an Authentication, Authorization and Accounting (AAA) protocol;
Interface C: between identity providing server 204 and RS 206; identity providing server 204 obtains the user's security information and other user data through interface C 214. Its protocols include, but are not limited to, Diameter.
Interface D: between UE 200 and identity providing server 204; supports the user's single sign-on service and secure data sharing. Its protocols include, but are not limited to: HTTP Digest; SIP Digest; SAML.
Interface E: between UE 200 and service providing server 208; UE 200 accesses the services of service providing server 208 through this interface. Its protocols include, but are not limited to: HTTP; transport-layer protocols such as TCP; SAML; Diameter; HTTPS.
Interface F: between identity providing server 204 and service providing server 208; provides single sign-on and secure data sharing. Its protocols include, but are not limited to, HTTP and AAA.
Interface G: between service providing server 208 and RS 206; service providing server 208 obtains user-related data through this interface. Its protocols include, but are not limited to, Diameter.
FIG. 3 is a schematic architecture diagram of Embodiment 2 of sharing user data in a network according to the present invention. It differs from the architecture of FIG. 2 in that there is no interface between the UE and the identity providing server; instead, the network may pass user security information (such as the identifier, the master session key and the key lifetime) to service providing server 208, so that service providing server 208 can authenticate user equipment 200 directly. The user security information used for authentication between UE 200 and service providing server 208 is based on the result of the user's network access authentication.
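The security information that Embodiment 2 hands to the service providing server (identifier, master session key, key lifetime) is the outcome of network access authentication, and the point of the design is that the root credential itself never reaches the service provider. The following is an added example, not code from the patent: it derives a master session key on both the UE and the network side from a pre-shared root key, hands the service providing server only an SP-bound key with a lifetime, and lets the SP authenticate the UE directly by a keyed challenge-response while refusing keys past their lifetime. The HMAC-based derivation, the labels, `SP_ID` and the sample values are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the patent).
ROOT_KEY = b"constructed-root-key-preshared-by-UE-and-network"   # stays on the UE and in the network
USER_ID = "aid-0001"                 # the user's identity ID
SP_ID = "sp.example"                 # hypothetical identifier of service providing server 208
LIFETIME = 3600                      # key lifetime in seconds, part of the security information


def kdf(key: bytes, *labels: str) -> bytes:
    """HMAC-SHA256 derivation over a '|'-joined label string (an assumed construction)."""
    return hmac.new(key, "|".join(labels).encode(), hashlib.sha256).digest()


def master_session_key(root_key: bytes, user_id: str, rand: bytes) -> bytes:
    """Outcome of network access authentication: the MSK, computed by both the UE and the
    identity providing server from the pre-shared root key and the network's random value."""
    return kdf(root_key, "msk", user_id, rand.hex())


def security_info_for_sp(msk: bytes, user_id: str, sp_id: str, issued_at: int) -> dict:
    """What the network hands to the service providing server in Embodiment 2: the identifier,
    a key bound to this SP, and the key lifetime. The MSK itself is not included."""
    return {"id": user_id, "key": kdf(msk, "sp", sp_id), "issued_at": issued_at, "lifetime": LIFETIME}


def ue_proof(msk: bytes, sp_id: str, challenge: bytes) -> bytes:
    """UE side: derive the same SP-bound key and prove possession over the SP's challenge."""
    return hmac.new(kdf(msk, "sp", sp_id), challenge, hashlib.sha256).digest()


def sp_authenticate(info: dict, challenge: bytes, proof: bytes, now: int) -> bool:
    """SP side: refuse keys past their lifetime, then compare the proof in constant time."""
    if now >= info["issued_at"] + info["lifetime"]:
        return False
    expected = hmac.new(info["key"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def demo(ue_root: bytes = ROOT_KEY, elapsed: int = 0, now: int = 1_700_000_000) -> bool:
    """Run one direct authentication; 'elapsed' seconds pass between key delivery and the check."""
    rand = secrets.token_bytes(16)                               # network's access-auth random value
    msk_network = master_session_key(ROOT_KEY, USER_ID, rand)   # identity providing server side
    msk_ue = master_session_key(ue_root, USER_ID, rand)         # UE side; equal only with the right root key
    info = security_info_for_sp(msk_network, USER_ID, SP_ID, now)
    challenge = secrets.token_bytes(16)
    return sp_authenticate(info, challenge, ue_proof(msk_ue, SP_ID, challenge), now + elapsed)
```

Binding the delivered key to the SP identifier means a key leaked by one service provider is useless at another, and the lifetime check gives the network a bound on how long a delivered key stays valid without any further exchange.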
如图4所示,为本发明共享网络中用户数据实施例一的信令流程图,该流程图是基于图2所示架构完成的,在该实施例中,由身份提供服务器204对UE 200进行认证,业务提供服务器208从身份提供服务器204获取令牌,从RS 206直接获取用户共享的数据,身份提供服务器204和RS 206已经预先配置了用户数据共享的模板,具体共享哪些数据由用户来授权。As shown in FIG. 4 , it is a signaling flowchart of Embodiment 1 of user data in a shared network in the present invention. This flowchart is completed based on the architecture shown in FIG. 2 . For authentication, the service provider server 208 obtains the token from the identity provider server 204, and directly obtains the data shared by the user from the RS 206. The identity provider server 204 and RS 206 have pre-configured a template for user data sharing, and the specific data to be shared is determined by the user. authorized.
The procedure assumes that the link between UE 200 and ASN 202 has already been established and that UE 200 has been pre-configured with the user's identity ID. The procedure for sharing user data in the network comprises:
Step 220: ASN 202 sends an identity request to UE 200;
Step 222: UE 200 sends a response to ASN 202 carrying the user's ID;
Step 224: ASN 202 forwards the response message, carrying the user ID, to identity providing server 204;
Step 226: identity providing server 204 sends a message carrying the ID to RS 206 to request key material;
Step 228: RS 206 returns the key material to identity providing server 204;
Step 230: UE 200 and identity providing server 204 negotiate security parameters, including the security protocol supported by both sides and a session key;
Steps 220 to 230 above constitute the network's access authentication of the UE;
Step 232: UE 200 accesses a service of service providing server 208; service providing server 208 learns the location of identity providing server 204 through static configuration or dynamic discovery;
Step 234: service providing server 208 sends a redirect message to UE 200, and UE 200 forwards the message to identity providing server 204 using the identity providing server's address in the redirect message header;
Step 236: identity providing server 204 sends an unauthorized message to UE 200;
Step 238: UE 200 sends a digest authentication message to identity providing server 204, using the ID as the user name and the session key as the password;
Step 240: identity providing server 204 verifies the user's identity on receipt of the digest authentication message;
Step 242: identity providing server 204 requests the list of user data from RS 206; the request carries the user's identity;
Step 244: RS 206 returns the user data list to identity providing server 204;
Step 246: identity providing server 204 sends the list of user data to UE 200 to request the user's authorization;
Step 248: UE 200 returns the user's authorization result to identity providing server 204;
Step 250: identity providing server 204 sends a redirect message to UE 200, and UE 200 contacts service providing server 208 at the address in the message header; the message includes an index and an authorization code;
Step 252: service providing server 208 requests an access token from identity providing server 204; the request contains the index and the authorization code;
Step 254: identity providing server 204 returns the access token to service providing server 208; the token contains information such as a key and the key's lifetime;
Step 256: service providing server 208 fetches the shared user data in bulk from RS 206. RS 206 applies security protection to this data, such as confidentiality protection and integrity protection; on receiving the user data, service providing server 208 uses the access token to read the protected data;
Step 258: service providing server 208 returns a result message to UE 200.
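The back channel of steps 250 to 256, as an added example that is not part of the patent: the identity providing server mints an index and an authorization code once the user has consented, the service providing server exchanges them for an access token holding a key and a lifetime, and the resource server releases only the consented fields, confidentiality- and integrity-protected under that key. Everything beyond the page's message names is assumed: the identity providing server and the resource server are taken to share a grant store and a master secret from which the per-grant data key is derived, the profile and identifiers are constructed, and the HMAC-based stream cipher is a stand-in for an AEAD such as AES-GCM.

```python
import hashlib, hmac, json, os, secrets, time

# Constructed sample profile held by RS 206; the user will withhold "phone" from the SP.
RS_PROFILES = {"user-7f3a": {"nickname": "alice", "email": "alice@example.org", "phone": "+86-10-0000-0000"}}


class GrantStore:
    """Assumption (not in the page): IdP 204 and RS 206 share this store and a master secret,
    so the RS can re-derive the per-grant data key that the token carries to the SP."""
    def __init__(self, master_secret: bytes):
        self.master = master_secret
        self.by_index = {}

    def data_key(self, index: str) -> bytes:
        return hmac.new(self.master, b"data-key|" + index.encode(), hashlib.sha256).digest()


class IdentityProvider:
    def __init__(self, grants: GrantStore, token_lifetime_s: int = 300, code_lifetime_s: int = 60):
        self.grants, self.token_ttl, self.code_ttl = grants, token_lifetime_s, code_lifetime_s

    def authorize(self, user_id, sp_id, authorized_fields, now=None):
        """Step 250: after the user consents (step 248), mint the index and authorization code for the redirect."""
        now = time.time() if now is None else now
        index, code = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.grants.by_index[index] = {
            "user": user_id, "sp": sp_id, "fields": sorted(authorized_fields),
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "code_expires": now + self.code_ttl, "redeemed": False}
        return index, code

    def issue_token(self, sp_id, index, code, now=None):
        """Steps 252-254: exchange index + code for a token {key, expires_at}; None on any failure."""
        now = time.time() if now is None else now
        g = self.grants.by_index.get(index)
        if g is None or g["sp"] != sp_id or g["redeemed"] or now > g["code_expires"]:
            return None
        if not hmac.compare_digest(g["code_hash"], hashlib.sha256(code.encode()).digest()):
            return None
        g["redeemed"] = True        # single use: a replayed code must not mint a second token
        return {"index": index, "key": self.grants.data_key(index), "expires_at": now + self.token_ttl}


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); use AES-GCM or another AEAD in production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, b"ks|" + nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class ResourceServer:
    def __init__(self, grants: GrantStore):
        self.grants = grants

    def export_protected(self, index: str) -> bytes:
        """Step 256, RS side: release only the fields the user authorized, as nonce || ciphertext || tag
        under the per-grant key (encrypt-then-MAC)."""
        g = self.grants.by_index[index]
        payload = json.dumps({f: RS_PROFILES[g["user"]][f] for f in g["fields"]}).encode()
        key, nonce = self.grants.data_key(index), os.urandom(16)
        ct = _keystream_xor(key, nonce, payload)
        tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag


def sp_read_protected(token: dict, blob: bytes, now=None):
    """Step 256, SP side: refuse an expired token, verify the tag before decrypting, then parse."""
    now = time.time() if now is None else now
    if now > token["expires_at"] or len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(token["key"], b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return json.loads(_keystream_xor(token["key"], nonce, ct))


def demo():
    """Whole flow on the constructed profile; returns (data the SP read, result of replaying the code)."""
    grants = GrantStore(os.urandom(32))
    idp, rs = IdentityProvider(grants), ResourceServer(grants)
    index, code = idp.authorize("user-7f3a", "sp-208", ["nickname", "email"])
    token = idp.issue_token("sp-208", index, code)
    data = sp_read_protected(token, rs.export_protected(index))
    return data, idp.issue_token("sp-208", index, code)
```

The three checks that matter are in issue_token and sp_read_protected: the code is bound to the service providing server it was issued for, it is single-use (a replay after step 252 yields nothing), and the tag is verified before any decryption, so a modified blob is dropped rather than parsed.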
The following describes the user data sharing flow of the secure shared network of Figure 4 as an application example, using the EAP, AAA, HTTP and SAML protocols:
Step 220a: ASN 202 sends an EAP-Identity request to UE 200;
Step 222a: UE 200 sends an EAP-Identity response to ASN 202 carrying the user's ID, with the Type-Data field of the EAP-Identity response set to the ID;
Step 224a: ASN 202 sends the EAP payload (EAP-Payload) to identity providing server 204 over an AAA protocol. With Diameter, the EAP-Identity payload is encapsulated in the EAP-Payload AVP (Attribute-Value Pair) of a Diameter-EAP-Request message; with the Remote Authentication Dial In User Service (RADIUS) protocol, it is encapsulated in the EAP-Message attribute of a RADIUS Access-Request message;
Step 226a: identity providing server 204 sends the ID to RS 206 over Diameter to obtain key material; specifically, a Multimedia-Auth-Request (MAR) can carry the ID;
Step 228a: RS 206 returns the key material to identity providing server 204 over Diameter; specifically, a Multimedia-Auth-Answer (MAA) message can carry the key material, with the ID mapped to the User-Name attribute;
Step 230a: UE 200 and identity providing server 204 negotiate security parameters: (1) they negotiate the EAP method, such as EAP-AKA (Authentication and Key Agreement) or EAP-TLS (Transport Layer Security); with Diameter, the EAP-AKA, EAP-TLS or other payloads are encapsulated in the EAP-Payload AVP of Diameter-EAP-Request messages, and with RADIUS they are encapsulated in RADIUS Access-Challenge and Access-Accept messages. (2) UE 200 and identity providing server 204 establish the MSK (Master Session Key); with Diameter, the key material is carried in the EAP-Master-Session-Key AVP of the Diameter-EAP-Answer message, and with RADIUS the MSK is carried in a VSA (Vendor-Specific Attribute) of the RADIUS Access-Accept message;
Step 232a: UE 200 sends an HTTP request to service providing server 208 and selects login via identity providing server 204 on service providing server 208. The HTTP request header carries the URL (Uniform Resource Locator) of the identity providing server; service providing server 208 learns the URL of identity providing server 204 through static configuration or dynamic discovery, and the request message carries a <lib:AuthnRequest>;
Step 234a: service providing server 208 sends an HTTP redirect message to UE 200, and UE 200 forwards the message to identity providing server 204 using the identity providing server's URL in the HTTP redirect header;
Step 236a: identity providing server 204 sends an HTTP 401 Unauthorized message to UE 200;
Step 238a: UE 200 sends an HTTP request message to identity providing server 204 to perform HTTP Digest authentication, using the ID as the user name and the MSK as the password;
Step 240a: on receiving the HTTP Digest authentication message, identity providing server 204 looks up the locally held ID/MSK pair by ID, runs the same HTTP Digest algorithm, and treats the verification as passed when the computed result matches;
Step 242a: identity providing server 204 sends the ID to RS 206 over Diameter to request the user data list, using a Push-Profile-Request message whose User-Data attribute carries the list of user data and whose User-Name attribute carries the ID;
Step 244a: RS 206 returns the user data list to identity providing server 204 over Diameter, carried in the User-Data attribute of a Push-Profile-Answer message, with the ID mapped to the User-Name attribute;
Step 246a: identity providing server 204 sends the list of user data to UE 200 over HTTPS to request the user's authorization;
Step 248a: after the user authorizes, UE 200 returns the list of authorized user data to identity providing server 204;
Step 250a: identity providing server 204 generates a SAML Artifact and an authorization code and redirects the message to UE 200 over HTTPS; UE 200 contacts service providing server 208 at the URL in the message header. The SAML Artifact is a reference to a structured data object holding a SAML protocol message; it is small and can be embedded in an HTTP message;
Step 252a: service providing server 208 sends an HTTP GET request to identity providing server 204 over HTTPS; the message contains the SAML Artifact and the authorization code;
Step 254a: identity providing server 204 returns an access token to service providing server 208 in the HTTPS response; the token contains information such as a key and the key's lifetime;
Step 256a: service providing server 208 fetches the shared user data in bulk from RS 206 over Diameter, using the User-Data attribute of Diameter Push-Profile-Request/Answer messages. RS 206 applies security protection to this data, such as confidentiality protection and integrity protection; on receiving the user data, service providing server 208 uses the access token to read the protected data;
Step 258a: service providing server 208 returns an HTTP 200 OK message to UE 200.
The above flow applies to access technologies that support EAP authentication, such as ADSL, WLAN and Ethernet. For 3G access, AKA authentication is used, and after authentication completes the MSK is set to CK||IK.
An identity/location separation network remains compatible with existing terminals and access technologies, i.e. neither the terminal nor the access network is changed. In that case UE 200 accesses the network in the existing way; after it passes access authentication the network assigns an access identifier (ID) to the user equipment, and at that point the user equipment and the network share a session key. The subsequent processing flow is identical.
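The encapsulation of steps 220a to 224a, as an added example that is not part of the patent: it builds the EAP-Identity request and response of RFC 3748, wraps the response in the Diameter EAP-Payload AVP (code 102, RFC 4072) and, for RADIUS, splits it across EAP-Message attributes (type 79, RFC 3579) of at most 253 value octets each, and parses each form back with length checks. The identity string and EAP identifier values are constructed; the Diameter and RADIUS message headers around the AVP and attributes are not shown.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
DIAMETER_AVP_EAP_PAYLOAD = 102      # EAP-Payload AVP code, RFC 4072
AVP_FLAG_VENDOR, AVP_FLAG_MANDATORY = 0x80, 0x40   # RFC 6733 V and M bits
RADIUS_ATTR_EAP_MESSAGE = 79        # EAP-Message attribute, RFC 3579
RADIUS_ATTR_MAX_VALUE = 253         # 255-octet attribute minus the Type and Length octets


def eap_identity_request(identifier: int) -> bytes:
    """Step 220a: EAP-Request/Identity = Code 1, Identifier, Length 5, Type 1, empty Type-Data."""
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)


def eap_identity_response(identifier: int, identity: str) -> bytes:
    """Step 222a: EAP-Response/Identity whose Type-Data is the user's ID."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data


def parse_eap(pkt: bytes) -> dict:
    """Parse the EAP header; reject a truncated packet or a Length that disagrees with the buffer."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with buffer")
    out = {"code": code, "id": ident, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without Type octet")
        out["type"], out["type_data"] = pkt[4], pkt[5:length]
    return out


def diameter_avp(code: int, data: bytes, mandatory: bool = True) -> bytes:
    """Step 224a, Diameter: AVP = Code(4) Flags(1) Length(3) Data, padded to 4 octets.
    Length counts header + data but not the padding (RFC 6733 section 4.1)."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    length = 8 + len(data)
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def parse_diameter_avp(buf: bytes):
    """Return (code, flags, data, octets_consumed) for the first AVP in buf."""
    if len(buf) < 8:
        raise ValueError("AVP shorter than its header")
    code = struct.unpack("!I", buf[:4])[0]
    flags, length = buf[4], int.from_bytes(buf[5:8], "big")
    if flags & AVP_FLAG_VENDOR:
        raise ValueError("vendor-specific AVP not expected here")
    if length < 8 or length > len(buf):
        raise ValueError("AVP Length inconsistent with buffer")
    return code, flags, buf[8:length], length + ((-length) % 4)


def radius_eap_message_attrs(eap: bytes) -> bytes:
    """Step 224a, RADIUS: carry the EAP packet in one or more EAP-Message attributes,
    each Type(1) Length(1) Value with at most 253 value octets, in order."""
    out = b""
    for i in range(0, len(eap), RADIUS_ATTR_MAX_VALUE):
        chunk = eap[i:i + RADIUS_ATTR_MAX_VALUE]
        out += struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return out


def radius_collect_eap(attrs: bytes) -> bytes:
    """Reassemble EAP-Message fragments from a RADIUS attribute list; other attributes are skipped."""
    eap, pos = b"", 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated RADIUS attribute")
        typ, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad RADIUS attribute Length")
        if typ == RADIUS_ATTR_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + length]
        pos += length
    return eap


def round_trip(identity: str = "user-7f3a@idp.example") -> str:
    """Constructed identity (not from the page): the ASN wraps the UE's response for both AAA
    protocols and the identity providing server unwraps it; returns the recovered ID."""
    resp = eap_identity_response(0x2A, identity)
    _code, _flags, via_diameter, _used = parse_diameter_avp(diameter_avp(DIAMETER_AVP_EAP_PAYLOAD, resp))
    via_radius = radius_collect_eap(radius_eap_message_attrs(resp))
    if via_diameter != via_radius:
        raise ValueError("encapsulations disagree")
    return parse_eap(via_radius)["type_data"].decode("utf-8")
```

The length checks are the point worth keeping: the EAP packet, the AVP and the RADIUS attribute each carry their own length field, and a receiver that trusts the inner EAP Length without bounding it by the outer AVP or attribute length reads past the buffer it was handed.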
Figure 5 is the signaling flowchart of Embodiment 2 of sharing user data in a network according to the invention. This embodiment is also based on the architecture of Figure 2. In it, identity providing server 204 authenticates UE 200, and service providing server 208 obtains the user's shared data through identity providing server 204; which data is shared is authorized by the user, and the user's real identity need not be disclosed to the service providing server.
The procedure assumes that the link between UE 200 and ASN 202 has already been established and that UE 200 has been pre-configured with the user's identity ID or has been assigned an ID by the network. The procedure for sharing user data in the network comprises:
Step 302: UE 200 passes the network's access authentication; after authentication, UE 200 and identity providing server 204 share a session key;
Step 302 may specifically comprise steps 220 to 230 of Figure 4, which are not repeated here;
Step 304: UE 200 accesses a service of service providing server 208; service providing server 208 learns the location of identity providing server 204 through static configuration or dynamic discovery;
Step 306: service providing server 208 sends a redirect message to UE 200, and UE 200 forwards the message to identity providing server 204 using the identity providing server's address in the redirect message header;
Step 308: identity providing server 204 sends an unauthorized message to UE 200;
Step 310: UE 200 sends a digest authentication message to identity providing server 204, using the ID as the user name and the session key as the password;
Step 312: identity providing server 204 verifies the user's identity on receipt of the digest authentication message;
Step 314: identity providing server 204 sends a redirect message to service providing server 208; the message includes an index;
Step 316: service providing server 208 sends a request to identity providing server 204 to authenticate the user's identity; the message includes the index;
Step 318: identity providing server 204 returns the authentication result to service providing server 208;
Step 320: service providing server 208 requests the user's shared data from identity providing server 204; the message includes the index;
Step 322: identity providing server 204 requests the user data from RS 206; the request includes the user ID;
Step 324: RS 206 returns the user data to identity providing server 204;
Step 326: identity providing server 204 sends a request to UE 200 asking the user to authorize the data;
Step 328: UE 200 returns the user-authorized data to identity providing server 204;
Step 330: identity providing server 204 returns the user-authorized data to service providing server 208;
Step 332: service providing server 208 returns a result message to UE 200.
The following describes the user data sharing flow of the secure shared network of Figure 5 as an application example, using the HTTP and SAML protocols:
Step 302a: UE 200 passes the network's access authentication; after authentication, UE 200 and identity providing server 204 share the session key MSK;
Step 304a: UE 200 sends an HTTP request to service providing server 208 and selects login via identity providing server 204 on service providing server 208. The HTTP request header carries the URL (Uniform Resource Locator) of the identity providing server; service providing server 208 learns the URL of identity providing server 204 through static configuration or dynamic discovery, and the request carries a <lib:AuthnRequest>;
Step 306a: service providing server 208 sends an HTTP redirect message to UE 200, and UE 200 forwards the message to identity providing server 204 using the identity providing server's URL in the HTTP redirect header;
Step 308a: identity providing server 204 sends an HTTP 401 Unauthorized message to UE 200;
Step 310a: UE 200 sends an HTTP request message to identity providing server 204 to perform HTTP Digest authentication, using the ID as the user name and the MSK as the password;
Step 312a: on receiving the HTTP Digest authentication message, identity providing server 204 looks up the locally held ID/MSK pair by ID, runs the same HTTP Digest algorithm, and treats the verification as passed when the computed result matches;
Step 314a: identity providing server 204 generates a SAML Artifact and sends an HTTPS redirect message carrying the SAML Artifact to service providing server 208. The SAML Artifact is a reference to a structured data object holding a SAML protocol message; it is small and can be embedded in an HTTP message;
Step 316a: on receiving the SAML Artifact, service providing server 208 sends an HTTPS request carrying the SAML Artifact to identity providing server 204; on receiving this message, identity providing server 204 constructs a SAML assertion;
Step 318a: identity providing server 204 returns the SAML assertion to service providing server 208 over HTTPS;
Step 320a: after verifying the signature on the SAML assertion, service providing server 208 sends an HTTPS request to identity providing server 204 requesting the shared user data; the message carries the SAML Artifact;
Step 322a: identity providing server 204 resolves the ID from the SAML Artifact and requests the user's shared data from RS 206 with a Diameter Push-Profile-Request;
Step 324a: RS 206 returns the user's shared data to identity providing server 204, carried in the User-Data attribute of a Diameter Push-Profile-Answer message;
Step 326a: identity providing server 204 sends an HTTPS request to UE 200 asking the user to authorize the data to be shared;
Step 328a: after the user authorizes the user data to be shared, the result is returned to identity providing server 204;
Step 330a: after the user's authorization, identity providing server 204 returns the user-authorized data to service providing server 208;
Step 332a: service providing server 208 returns an HTTP 200 OK message to UE 200.
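The artifact exchange and minimal-disclosure data release of steps 314a to 330a, as an added example that is not part of the patent. Assumptions not in the page: the assertion is authenticated with a per-SP HMAC key as a stand-in for the XML signature the page has the service providing server verify in step 320a, the assertion subject is a pairwise pseudonym derived from the user ID so the real identity is not disclosed, the resource server is modelled as a dictionary, and the user's authorization (steps 326a/328a) is a callback that returns the approved field names. Artifacts are bound to one service providing server, expire, and resolve exactly once.

```python
import hashlib, hmac, json, secrets, time

# Constructed sample profile held by RS 206 (not data from the page).
RS_PROFILES = {"user-7f3a": {"nickname": "alice", "email": "alice@example.org", "city": "Shenzhen"}}


def _canon(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(body: dict, sp_key: bytes) -> dict:
    """Stand-in for the SAML assertion signature: HMAC over the canonical body with a per-SP key."""
    return {"body": body, "sig": hmac.new(sp_key, _canon(body), hashlib.sha256).hexdigest()}


def verify_assertion(assertion: dict, sp_id: str, sp_key: bytes, now=None) -> bool:
    """Step 320a, SP side: check the signature first, then audience and lifetime, before trusting the subject."""
    now = time.time() if now is None else now
    expect = hmac.new(sp_key, _canon(assertion["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["sig"], expect):
        return False
    b = assertion["body"]
    return b["audience"] == sp_id and b["expires"] > now


class IdentityProvider:
    """IdP 204 with its artifact table: artifact -> {user, sp, expires, state}."""
    def __init__(self, idp_secret: bytes, sp_keys: dict, artifact_ttl_s: int = 120):
        self.secret, self.sp_keys, self.ttl = idp_secret, sp_keys, artifact_ttl_s
        self.artifacts = {}

    def pseudonym(self, user_id: str, sp_id: str) -> str:
        """Pairwise identifier: stable per (SP, user) but not linkable to the real ID by the SP."""
        return hmac.new(self.secret, f"{sp_id}|{user_id}".encode(), hashlib.sha256).hexdigest()[:24]

    def issue_artifact(self, user_id: str, sp_id: str, now=None) -> str:
        """Step 314a: after digest authentication, mint the artifact handed to the SP via redirect."""
        now = time.time() if now is None else now
        art = secrets.token_urlsafe(20)
        self.artifacts[art] = {"user": user_id, "sp": sp_id, "expires": now + self.ttl, "state": "issued"}
        return art

    def _lookup(self, sp_id, art, now):
        rec = self.artifacts.get(art)
        if rec is None or rec["sp"] != sp_id or now > rec["expires"]:
            return None
        return rec

    def resolve(self, sp_id: str, art: str, now=None):
        """Steps 316a-318a: back-channel resolution; an artifact resolves once and only for its SP."""
        now = time.time() if now is None else now
        rec = self._lookup(sp_id, art, now)
        if rec is None or rec["state"] != "issued":
            return None
        rec["state"] = "resolved"
        body = {"subject": self.pseudonym(rec["user"], sp_id), "audience": sp_id,
                "issued": now, "expires": now + 300, "authn": "HTTPDigest-over-MSK"}
        return sign_assertion(body, self.sp_keys[sp_id])

    def shared_data(self, sp_id: str, art: str, consent, now=None):
        """Steps 320a-330a: the SP presents the resolved artifact; the IdP fetches the profile from the RS,
        asks the user which fields may be released (consent callback), and returns only those."""
        now = time.time() if now is None else now
        rec = self._lookup(sp_id, art, now)
        if rec is None or rec["state"] != "resolved":
            return None
        profile = RS_PROFILES[rec["user"]]                       # Push-Profile-Request/Answer stand-in
        approved = [f for f in consent(sorted(profile)) if f in profile]   # steps 326a/328a
        rec["state"] = "consumed"
        return {f: profile[f] for f in approved}                 # never includes the real user ID
```

The artifact is a bearer reference, which is why the page carries it over HTTPS: anyone who can present it to the resolution endpoint within its lifetime gets the assertion, so the binding to one service providing server, the short TTL and the single-use state are what limit the damage of a leaked redirect URL.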
Figure 6 is the signaling flowchart of Embodiment 3 of securely sharing user data in a network according to the invention. This flowchart is based on the architecture of Figure 3. In this embodiment, identity providing server 204 performs access authentication of UE 200, service providing server 208 verifies the user's identity, and then the procedure for securely sharing user data in the network is carried out.
The procedure assumes that the link between UE 200 and ASN 202 has already been established and that UE 200 has been pre-configured with the user's identity ID or has been assigned an ID by the network. The procedure comprises:
Step 402: UE 200 passes the network's access authentication; after authentication, UE 200 and identity providing server 204 share a session key;
Step 404: UE 200 accesses a service of service providing server 208; service providing server 208 learns the location of identity providing server 204 through static configuration or dynamic discovery;
Step 406: service providing server 208 sends an unauthorized message to UE 200;
Step 408: UE 200 sends a digest authentication message to service providing server 208, using the ID as the user name and the session key as the password;
Step 410: service providing server 208 requests the user's security parameters from identity providing server 204;
Step 412: identity providing server 204 returns the user's security parameters to service providing server 208;
Step 414: service providing server 208 verifies the user's identity, based on the received digest authentication message and the user's security parameters;
Step 416: service providing server 208, RS 206, identity providing server 204 and UE 200 carry out the procedure for securely sharing user data in the network.
The secure data sharing procedure may be the same as steps 252 to 258 of Figure 4 or the same as steps 320 to 332 of Figure 5, and is not repeated here.
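The digest authentication shared by the three embodiments (steps 236 to 240, 308 to 312 and 406 to 414), as an added example that is not part of the patent: the 401 challenge, the UE's response computed with the ID as username and the MSK as password (RFC 2617 Digest with qop=auth), and the verifier's recomputation. The verifier takes a lookup of the ID/MSK pair, so the same code serves the identity providing server checking its own table (Figures 4 and 5) or the service providing server checking the security parameters it fetched from the identity providing server in step 412 (Figure 6). Nonce expiry and nonce-count replay checks are added as the checks a practitioner would want. Hex-encoding the MSK before use as the Digest password is a constructed convention; msk_from_aka follows the page's MSK = CK||IK for 3G access.

```python
import hashlib, hmac, secrets, time


def msk_from_aka(ck: bytes, ik: bytes) -> bytes:
    """3G access (page, after Figure 4): MSK = CK || IK once AKA has completed."""
    return ck + ik


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user_id, msk: bytes, method, uri, realm, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 Digest with qop=auth: username = ID, password = MSK (hex), MD5 algorithm."""
    ha1 = _md5(f"{user_id}:{realm}:{msk.hex()}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2' into a dict (values here never contain commas)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    out = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k.strip()] = v.strip().strip('"')
    return out


def client_authorization(user_id, msk: bytes, method, uri, www_authenticate: str) -> str:
    """UE side (steps 238/310/408): answer the 401 using the ID as username and the MSK as password."""
    ch = parse_digest_header(www_authenticate)
    cnonce, nc = secrets.token_hex(8), "00000001"
    resp = digest_response(user_id, msk, method, uri, ch["realm"], ch["nonce"], nc, cnonce)
    return (f'Digest username="{user_id}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


class DigestChallenger:
    """Issues the 401 (steps 236/308/406) and verifies the reply. lookup(user_id) returns the MSK:
    the IdP's own table (Figures 4 and 5) or the parameters the SP fetched from the IdP (Figure 6)."""
    def __init__(self, realm: str, lookup, nonce_ttl_s: int = 60):
        self.realm, self.lookup, self.ttl = realm, lookup, nonce_ttl_s
        self.nonces = {}   # nonce -> [issued_at, highest nc accepted]

    def challenge(self, now=None) -> dict:
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        return {"status": 401,
                "WWW-Authenticate": f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'}

    def verify(self, method: str, auth: dict, now=None) -> bool:
        """Steps 240/312/414: recompute the digest from the stored ID/MSK and compare in constant time."""
        now = time.time() if now is None else now
        try:
            entry = self.nonces.get(auth["nonce"])
            nc = int(auth["nc"], 16)
            if entry is None or now - entry[0] > self.ttl or auth["realm"] != self.realm:
                return False
            if nc <= entry[1]:                 # nonce count must strictly increase: replay otherwise
                return False
            msk = self.lookup(auth["username"])
            if msk is None:
                return False
            expect = digest_response(auth["username"], msk, method, auth["uri"], self.realm,
                                     auth["nonce"], auth["nc"], auth["cnonce"], auth.get("qop", "auth"))
            if not hmac.compare_digest(expect, auth["response"]):
                return False
        except (KeyError, ValueError):
            return False
        entry[1] = nc
        return True
```

Two practitioner caveats the page leaves implicit: the MSK is the access-network session key, so using it as a Digest password means its effective secrecy is bounded by MD5-based Digest against an observer of the HTTP exchange, and the challenge/response in Figure 6 crosses the service providing server, so step 412 hands that server the user's session key rather than a one-time verifier.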
The invention also provides a service providing server, comprising:
a receiving module, configured to receive an access from a user equipment (UE);
an obtaining module, configured to obtain, directly or indirectly, user-authorized user shared data from a resource server (RS).
The service providing server may further comprise a service access authentication module, configured to complete, directly or indirectly, service access authentication of the UE before the receiving module receives the UE's access.
Specifically, the service access authentication module is configured to obtain user security parameters from the identity providing server and complete service access authentication of the UE according to those parameters; or to obtain from the identity providing server the identity providing server's service authentication result for the UE. The user security parameters are obtained by the identity providing server from the network's access authentication result for the UE; the service authentication result is likewise produced by the identity providing server from the network's access authentication result for the UE.
Further, the obtaining module is configured to obtain a token from the identity providing server and, using the token, obtain the user-authorized user shared data directly from the RS; or to obtain the user-authorized user shared data through the identity providing server.
This service providing server can share user-authorized user shared data in the network; for the specific implementation see Figures 4 to 6, which are not repeated here.
The invention also provides an identity providing server, comprising:
a network access authentication module, configured to authenticate the user equipment (UE) accessing the network and obtain user security parameters;
a service access authentication module, configured to complete service access authentication of the UE according to the user security parameters obtained by the network access authentication module and send the service access authentication result to the service providing server.
The user security parameters include a session key.
The identity providing server may further comprise a sending module, configured to send the user security parameters obtained by the network access authentication module to the service providing server.
Further, the identity providing server may comprise a data sending module, configured, after the service access authentication module has sent the service access authentication result or the sending module has sent the user security parameters to the service providing server, to receive a data request from the service providing server, obtain the user-authorized user shared data from the resource server (RS) according to that request, and send the user shared data to the service providing server. The data sending module is further configured, after the service access authentication module has sent the service access authentication result or the sending module has sent the user security parameters to the service providing server, to receive a token request from the service providing server and send a token to the service providing server according to that request, so that the service providing server can obtain the user-authorized user shared data from the RS using the token.
This identity providing server lays the foundation for the UE to access the service providing server; it also supplies the service providing server with user-authorized user shared data, or supplies it with a token with which the service providing server can obtain user-authorized user shared data.
The invention also provides a user equipment (UE), comprising:
an access module, configured to access the service providing server;
a data processing module, configured to receive a user data authorization request sent by the identity providing server in response to a data request from the service providing server and, according to the user's authorization result for the user data carried in that request, return the user-authorized user shared data to the identity providing server.
Specifically, the access module is configured to access the service providing server after the UE has successfully accessed the network using its identifier and obtained service access authentication from the service providing server.
After successfully accessing the network and obtaining service access authentication from the service providing server, the UE can access the service providing server and itself authorize which data in the network the service providing server may share; the service providing server can then share the user shared data the user authorized through the UE. For the specific interaction see Figures 4 to 6.
Those of ordinary skill in the art will understand that all or some of the steps of the above methods may be performed by related hardware under the instruction of a program, and that the program may be stored in a computer-readable storage medium such as a read-only memory, magnetic disk or optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in hardware or as a software functional module. The invention is not limited to any particular combination of hardware and software.
The above embodiments only illustrate the technical solution of the invention and do not limit it; the invention has been described in detail only with reference to preferred embodiments. Those of ordinary skill in the art will understand that the technical solution of the invention may be modified or equivalently substituted without departing from its spirit and scope, and all such modifications fall within the scope of the claims of the invention.
Claims (15)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110233110.9A CN102938757B (en) | 2011-08-15 | 2011-08-15 | The method and identity provider of user data in shared network |
PCT/CN2012/076275 WO2013023475A1 (en) | 2011-08-15 | 2012-05-30 | Method for sharing user data in network and identity providing server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110233110.9A CN102938757B (en) | 2011-08-15 | 2011-08-15 | The method and identity provider of user data in shared network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102938757A CN102938757A (en) | 2013-02-20 |
CN102938757B true CN102938757B (en) | 2017-12-08 |
Family
ID=47697626
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110233110.9A Active CN102938757B (en) | 2011-08-15 | 2011-08-15 | The method and identity provider of user data in shared network |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN102938757B (en) |
WO (1) | WO2013023475A1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8959358B2 (en) * | 2012-05-08 | 2015-02-17 | Qualcomm Incorporated | User-based identification system for social networks |
CN104361519B (en) * | 2014-10-31 | 2018-05-18 | 中国建设银行股份有限公司 | A kind of implementation method of social networking service platform and social networking service platform |
CN107241293A (en) * | 2016-03-28 | 2017-10-10 | 杭州萤石网络有限公司 | A kind of resource access method, apparatus and system |
CN109033774B (en) * | 2018-08-31 | 2020-08-07 | 阿里巴巴集团控股有限公司 | Method and device for acquiring and feeding back user resources and electronic equipment |
EP4030799A4 (en) * | 2019-09-30 | 2022-09-28 | Huawei Technologies Co., Ltd. | COMMUNICATION METHOD, DEVICE AND SYSTEM, AND STORAGE MEDIA |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1856155A (en) * | 2005-04-18 | 2006-11-01 | 华为技术有限公司 | Method for user accessing information in next generation network |
US7207058B2 (en) * | 2002-12-31 | 2007-04-17 | American Express Travel Related Services Company, Inc. | Method and system for transmitting authentication context information |
CN101686425A (en) * | 2008-09-27 | 2010-03-31 | 中兴通讯股份有限公司 | Method for providing service to whole network and service network system |
CN101809584A (en) * | 2007-09-25 | 2010-08-18 | 日本电气株式会社 | Certificate generating/distributing system, certificate generating/distributing method and certificate generating/distributing program |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020013827A1 (en) * | 2000-05-18 | 2002-01-31 | Edstrom Claes G.R. | Personal service environment management apparatus and methods |
US7454508B2 (en) * | 2002-06-28 | 2008-11-18 | Microsoft Corporation | Consent mechanism for online entities |
CN100517162C (en) * | 2003-12-17 | 2009-07-22 | 甲骨文国际公司 | Method and apparatus for personalization and identity management |
US8418234B2 (en) * | 2005-12-15 | 2013-04-09 | International Business Machines Corporation | Authentication of a principal in a federation |
CN101771677B (en) * | 2008-12-31 | 2013-08-07 | 华为技术有限公司 | Method for providing resource for access user, server and system thereof |
US8078870B2 (en) * | 2009-05-14 | 2011-12-13 | Microsoft Corporation | HTTP-based authentication |
- 2011
  - 2011-08-15 CN CN201110233110.9A patent/CN102938757B/en active Active
- 2012
  - 2012-05-30 WO PCT/CN2012/076275 patent/WO2013023475A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7207058B2 (en) * | 2002-12-31 | 2007-04-17 | American Express Travel Related Services Company, Inc. | Method and system for transmitting authentication context information |
CN1856155A (en) * | 2005-04-18 | 2006-11-01 | 华为技术有限公司 | Method for user accessing information in next generation network |
CN101809584A (en) * | 2007-09-25 | 2010-08-18 | 日本电气株式会社 | Certificate generating/distributing system, certificate generating/distributing method and certificate generating/distributing program |
CN101686425A (en) * | 2008-09-27 | 2010-03-31 | 中兴通讯股份有限公司 | Method for providing service to whole network and service network system |
Also Published As
Publication number | Publication date |
---|---|
CN102938757A (en) | 2013-02-20 |
WO2013023475A1 (en) | 2013-02-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3752941B1 (en) | Security management for service authorization in communication systems with service-based architecture | |
US10645583B2 (en) | Security management for roaming service authorization in communication systems with service-based architecture | |
US20200359218A1 (en) | Apparatus and method for providing mobile edge computing services in wireless communication system | |
EP3750342B1 (en) | Mobile identity for single sign-on (sso) in enterprise networks | |
CN102550001B (en) | User identity management for permitting interworking of a bootstrapping architecture and a shared identity service | |
CN101414907B (en) | Method and system for accessing network based on user identification authorization | |
CN101039311B (en) | An identity identification webpage service network system and its authentication method | |
US9450951B2 (en) | Secure over-the-air provisioning solution for handheld and desktop devices and services | |
KR20070032805A (en) | System and method for managing user authentication and authorization to realize single-sign-on for accessing multiple networks | |
US9241264B2 (en) | Network access authentication for user equipment communicating in multiple networks | |
CN106254386B (en) | A kind of information processing method and name mapping server | |
CN105027529A (en) | Method and apparatus for secure network access | |
CN101401385A (en) | Method for personal network management across multiple operators | |
US10637850B2 (en) | Method and system for accessing service/data of a first network from a second network for service/data access via the second network | |
CN102938757B (en) | The method and identity provider of user data in shared network | |
KR20200130141A (en) | Apparatus and method for providing mobile edge computing service in wireless communication system | |
CN103685201A (en) | Method and system for WLAN user fixed network access | |
CN118160338A (en) | Secure information push for service applications in communication networks | |
US20090136043A1 (en) | Method and apparatus for performing key management and key distribution in wireless networks | |
WO2020208294A1 (en) | Establishing secure communication paths to multipath connection server with initial connection over public network | |
CN104640111B (en) | Network access processing method, device and system | |
WO2011017851A1 (en) | Method for accessing message storage server securely by client and related devices | |
Živković et al. | Authentication across heterogeneous networks | |
Sánchez-Guerrero et al. | Introducing identity management in wimax to enable secure and personalized services | |
Santos | Secure Wifi Portals in WIFI4EU Environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20201230. Address after: No.66 Lijiang Road, Yancheng Economic and Technological Development Zone, Jiangsu Province 224000. Patentee after: Jiangsu New Energy Vehicle Research Institute Co.,Ltd. Address before: 518057 Ministry of justice, Zhongxing building, South Science and technology road, Nanshan District hi tech Industrial Park, Shenzhen, Guangdong. Patentee before: ZTE Corp. |
| TR01 | Transfer of patent right | Effective date of registration: 20210714. Address after: Room 309, building 1, No.69, Donghuan South Road, Yancheng Economic and Technological Development Zone, Jiangsu 224000. Patentee after: Jiangsu Yanxin Automobile Industry Investment Development Co.,Ltd. Address before: No.66 Lijiang Road, Yancheng Economic and Technological Development Zone, Jiangsu Province 224000. Patentee before: Jiangsu New Energy Vehicle Research Institute Co.,Ltd. |