CN103023856B - Single sign-on method and system, and information processing method and system - Google Patents
Publication number: CN103023856B (application CN201110279495.2A)
Authority: CN (China)
Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
Abstract
The present invention provides a single sign-on method, a single sign-on system, an information processing unit, an identity provider and a service providing server. The single sign-on method includes: the identity provider confirms that the user has passed access authentication; the identity provider generates assertion information for the user according to a key shared between itself and the service providing server the user wants to access, and sends the assertion information to the service providing server. By reusing the access authentication, the embodiments of the present invention solve the problem of users having to register and authenticate repeatedly when accessing the Internet, and protect user privacy by generating a pseudonym, avoiding leakage of the user's private information.
Description
Technical field
The present invention relates to the field of network communication, and in particular to a single sign-on method, a single sign-on system, an information processing unit, an identity provider and a service providing server.
Background technology
In the Transmission Control Protocol (TCP)/Internet Protocol (IP) architecture, the core is the network-layer IP protocol, and users reach each other through IP addresses. The various applications, such as web browsing, e-mail and instant messaging, are all carried on application-layer protocols.
Before using these services, a user must access the Internet through the basic network provided by a telecom operator. Different users may use different access methods, such as the various kinds of digital subscriber line (xDSL), optical fibre or mobile access. In general, once a user terminal obtains an IP address, the user accesses the various applications on the Internet through this IP address, which therefore serves as the user's temporary identity.
Since the prefix part of an IP address indicates the subnet the user is currently located in, a different IP address must be assigned when the user's location changes, otherwise routers cannot forward packets to the user correctly. Because an IP address thus has the dual attributes of identity and location, and the IP address a user obtains each time is not necessarily the same, it cannot serve as the user's long-term identity. Application systems on the Internet therefore have to build their own user identity systems, that is, the user account systems in common use.
It can be seen that a user accessing applications on the Internet is authenticated repeatedly: the operator authenticates the user once when the user accesses the Internet, and each application system on the Internet performs its own authentication when the user accesses it.
With the rapid development of information and network technology, the number of application systems on the Internet keeps growing. Since these application systems are independent of each other, a user must register with each system before using it and log in with the corresponding identity, so the user has to remember a user name and password for every application system, which is a considerable burden. In this context the concept of single sign-on was proposed and put into use.
Single sign-on (SSO) is a technology that makes it convenient for a user to access multiple application systems: the user needs to authenticate only once at login and can then move freely between the application systems without repeatedly entering a user name and password to prove identity.
In existing Internet single sign-on systems, the user must register with an identity provider (IdP) before using single sign-on, and the service providing server of a service provider (SP) relies on the authentication result of the IdP to provide services to the user. Moreover, since Internet IdPs are typically deployed in a dispersed way, if an SP adopts single sign-on, the scale of its business depends to a large extent on the number of users registered with the IdPs it relies on. The main technologies involved in single sign-on are OpenID, Passport and Liberty Alliance. OpenID is easy to use but has security risks and cannot defend well against phishing attacks; Passport is easy to use and slightly more secure, but is currently only applicable within a service provider SP; Liberty Alliance has a certain degree of security, but is not easy to deploy and is inconvenient for users.
Since a user must access the operator's network before accessing Internet applications, the operator can act as the identity provider IdP. The operator has the following advantages as IdP: the operator's access authentication guarantees security well; the operator as IdP does not require the user to register again, so it is easy to use; and compared with Internet IdPs, the operator has a high-quality, mature consumer base.
At present the dual attributes of IP addresses cause mobility and security problems and have become a bottleneck restricting the further development of the Internet industry. To solve this problem, the industry has proposed technologies such as the Host Identity Protocol (HIP) and the Locator/Identifier Separation Protocol (LISP). What these technologies have in common is that they introduce two kinds of identifiers: an identity identifier representing the user's identity and a location identifier representing the user's location. Each user has both an identity identifier and a location identifier; the user communicates with the peer on the basis of the identity identifier, and when the user's location changes the identity identifier remains unchanged while the location identifier changes accordingly. In this way a user can always be identified by the user identity identifier, and the ambiguity of IP addresses no longer arises.
However, in existing identity/location separation network technologies the user identity identifier is used only to identify the user at the network layer, so a user accessing Internet application systems still has to register and authenticate repeatedly. On the other hand, since a user registers accounts with a large number of different Internet application systems, for convenience the registered accounts tend to follow a pattern, which easily leads to leakage of the user's identity and privacy information.
Invention content
The present invention provides a single sign-on method and system, an information processing method and unit, an identity provider, a service providing server and a name mapping server, to solve the problem that a user accessing Internet application systems has to register and authenticate repeatedly.
The present invention provides a single sign-on method, which includes:
an identity provider confirms that a user has passed access authentication;
the identity provider generates assertion information for the user according to a key shared between itself and the service providing server the user wants to access, and sends the assertion information to the service providing server.
Preferably, before the identity provider generates the assertion information for the user according to the key shared between itself and the service providing server the user wants to access, the method further includes:
after receiving an authentication request sent by the service providing server or a service access request sent by the user, the identity provider checks whether the shared key exists; if it does not exist, the identity provider generates the shared key after the service providing server has passed authentication.
Preferably, before the identity provider generates the assertion information for the user, the method further includes:
the identity provider obtains a pseudonym and a lifetime corresponding to the pseudonym for the user.
Preferably, the identity provider obtaining a pseudonym and a corresponding lifetime for the user includes:
the identity provider sends an anonymous identity request to a name mapping server (NMS) according to the user's anonymous service request, and receives the user's pseudonym and the corresponding lifetime that the NMS generates in response to the anonymous identity request and returns.
Preferably, after the identity provider obtains the pseudonym and the corresponding lifetime for the user, the method further includes:
the identity provider receives an anonymous update request sent by the user that carries a specified user name and a corresponding lifetime, forwards the anonymous update request to the NMS, and receives the update result returned by the NMS.
Preferably, the assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm and the signature result computed by the identity provider with the shared key; the identity information of the user is the pseudonym or the specified user name.
The present invention also provides a single sign-on method, which includes:
a service providing server receives assertion information, sent by an identity provider, for a user who wants to access the service providing server;
the service providing server verifies the assertion information according to the key shared between itself and the identity provider.
Preferably, after the service providing server verifies the assertion information according to the key shared between itself and the identity provider, the method further includes:
if the verification passes, the service providing server creates an entry corresponding to the user's identity information carried in the assertion information and provides the service to the user; the user's identity information is the user's pseudonym or specified user name.
Preferably, before the service providing server receives the assertion information sent by the identity provider for the user who wants to access the service providing server, the method further includes:
after receiving the service access request sent by the user, the service providing server generates a random number and sends an authentication request carrying the random number to the identity provider.
Preferably, the assertion information carries the random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm and the signature result computed by the identity provider with the shared key;
the service providing server verifying the assertion information according to the key shared between itself and the identity provider includes:
the service providing server computes a signature result from the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm and the shared key, and compares whether the signature result it computed is consistent with the signature result computed by the identity provider; and
it judges whether the random number was generated recently and whether the random number is unique.
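The assertion issue and verification described above, as an added example that is not the patent's code: the IdP signs the assertion fields with the shared key Ks, and the SP recomputes the signature using its own identity, then checks the nonce for freshness and uniqueness before creating the user's entry. Assumed here: HMAC-SHA256 as the concrete signature algorithm, a nonce of the form timestamp:random (the page only says it is derived from the current timestamp), a 300-second freshness window, and that the nonce is among the signed fields; all names and sample values are constructed.

```python
"""Assertion issue (IdP side) and verification (SP side) with the shared key Ks.

Added example, not the patent's code. Assumptions: HMAC-SHA256 over the
length-prefixed fields, a nonce of the form "<timestamp>:<random>", and a
300-second freshness window.
"""
import hashlib
import hmac
import secrets
import time

NONCE_MAX_AGE = 300          # assumed: how old a nonce may be and still count as "recent"
SIG_ALG = "HMAC-SHA256"      # assumed concrete signature algorithm


def new_nonce(now=None):
    """SP side (step 303): nonce derived from the current timestamp, used as the
    user's temporary identifier at the SP. The random suffix is an assumption so
    that two requests in the same second do not collide."""
    now = int(time.time()) if now is None else now
    return f"{now}:{secrets.token_hex(8)}"


def _signature(ks, nonce, idp_id, sp_id, user_id, alg):
    """Signature result over (nonce, IdP identity, SP identity, user identity,
    algorithm) with the shared key Ks. Fields are length-prefixed so that moving
    a boundary between two fields changes the signed bytes."""
    if alg != SIG_ALG:
        raise ValueError(f"unsupported signature algorithm: {alg}")
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode()
                   for f in (nonce, idp_id, sp_id, user_id, alg))
    return hmac.new(ks, msg, hashlib.sha256).hexdigest()


def build_assertion(ks, nonce, idp_id, sp_id, user_id):
    """IdP side (step 12): assertion information for the user. user_id is the
    pseudonym obtained from the NMS, or the user-specified name."""
    return {
        "nonce": nonce, "idp": idp_id, "sp": sp_id, "user": user_id,
        "alg": SIG_ALG,
        "sig": _signature(ks, nonce, idp_id, sp_id, user_id, SIG_ALG),
    }


class ServiceProvider:
    """SP side (steps 21-22): verify assertions and create a user entry on success."""

    def __init__(self, sp_id, idp_keys):
        self.sp_id = sp_id
        self.idp_keys = dict(idp_keys)   # IdP identity -> shared key Ks
        self.seen_nonces = set()         # nonces already accepted (uniqueness check)
        self.entries = {}                # pseudonym / user name -> entry

    def verify(self, a, now=None):
        """Return (accepted, reason). The signature is recomputed from the SP's
        own identity, so an assertion issued for another SP fails the check."""
        now = int(time.time()) if now is None else now
        ks = self.idp_keys.get(a.get("idp"))
        if ks is None:
            return False, "unknown identity provider"
        try:
            expected = _signature(ks, a["nonce"], a["idp"], self.sp_id, a["user"], a["alg"])
        except (KeyError, ValueError):
            return False, "malformed assertion"
        # Compare the two signature results in constant time.
        if not hmac.compare_digest(expected, str(a.get("sig", ""))):
            return False, "bad signature"
        # Nonce freshness: it must have been generated recently.
        try:
            issued = int(a["nonce"].split(":", 1)[0])
        except ValueError:
            return False, "malformed nonce"
        if not now - NONCE_MAX_AGE <= issued <= now:
            return False, "stale nonce"
        # Nonce uniqueness: a replayed assertion is rejected.
        if a["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(a["nonce"])
        # Step 203: create the entry for the user's pseudonym and provide the service.
        self.entries[a["user"]] = {"idp": a["idp"], "nonce": a["nonce"], "since": now}
        return True, "ok"


if __name__ == "__main__":
    ks = b"constructed-shared-key-Ks"      # constructed sample key
    sp = ServiceProvider("https://sp.example/", {"https://idp.example/": ks})
    a = build_assertion(ks, new_nonce(), "https://idp.example/", "https://sp.example/", "Rand-7f3a")
    print(sp.verify(a))   # (True, 'ok')
    print(sp.verify(a))   # (False, 'replayed nonce')
```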
The present invention also provides an information processing method, which includes:
a name mapping server (NMS) receives an anonymous identity request sent by an identity provider, the anonymous identity request carrying the identity identifier of a user;
the NMS generates, according to the anonymous identity request, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and returns the user's pseudonym and the corresponding lifetime to the identity provider.
Preferably, after the NMS sends the user's pseudonym and the corresponding lifetime to the identity provider, the method further includes:
the NMS receives, from the identity provider, the user's anonymous update request carrying a specified user name and a corresponding lifetime, performs the update according to the anonymous update request, and returns the update result.
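The NMS behaviour described above (detailed later in steps 306 to 313 of the Fig. 3 flow), as an added example that is not the patent's code: the NMS generates Rand and a default lifetime per (AID, SP URL) entry, reports an expired pseudonym as absent so that the IdP requests a new one, and applies the user's anonymous update, returning success or failure. Assumed here: a 3600-second default lifetime, an 8-byte hex Rand, and that an update is refused when the chosen name is already used by a different user at the same SP; all identifiers are constructed.

```python
"""Name mapping server (NMS) pseudonym handling: anonymous identity request,
lifetime expiry and anonymous update. Added example, not the patent's code."""
import secrets
import time

DEFAULT_LIFETIME = 3600   # assumed default lifetime in seconds


class NameMappingServer:
    def __init__(self):
        # Table 1 entries keyed by (AID, SP URL): pseudonym, lifetime and issue time.
        self.entries = {}

    def current_pseudonym(self, aid, sp_url, now=None):
        """IdP check (step 306): the valid pseudonym for this user at this SP,
        or None if none exists or its lifetime has expired."""
        now = int(time.time()) if now is None else now
        e = self.entries.get((aid, sp_url))
        if e is None or now >= e["issued"] + e["lifetime"]:
            return None
        return e["pseudonym"]

    def anonymous_identity_request(self, aid, sp_url, now=None):
        """Step 308: generate random number Rand as the user's pseudonym with the
        default lifetime and record the AID / SP URL / Rand / lifetime entry."""
        now = int(time.time()) if now is None else now
        rand = "Rand-" + secrets.token_hex(8)          # assumed Rand format
        self.entries[(aid, sp_url)] = {
            "pseudonym": rand, "lifetime": DEFAULT_LIFETIME, "issued": now,
        }
        # Step 309: anonymous identity response carrying AID, SP URL, Rand and lifetime.
        return {"aid": aid, "sp_url": sp_url, "rand": rand, "lifetime": DEFAULT_LIFETIME}

    def anonymous_update_request(self, aid, sp_url, rand, new_name, new_lifetime, now=None):
        """Steps 312-313: replace Rand with the user-specified name and update the
        lifetime; return True on success and False on failure."""
        now = int(time.time()) if now is None else now
        e = self.entries.get((aid, sp_url))
        if e is None or e["pseudonym"] != rand:
            return False          # no entry matching this AID / SP URL / Rand
        if not new_name or new_lifetime <= 0:
            return False          # empty name or non-positive lifetime
        # Assumed policy: two different users must not share one name at the same SP.
        for (other_aid, other_sp), other in self.entries.items():
            if other_sp == sp_url and other_aid != aid and other["pseudonym"] == new_name:
                return False
        e.update(pseudonym=new_name, lifetime=new_lifetime, issued=now)
        return True


if __name__ == "__main__":
    nms = NameMappingServer()
    resp = nms.anonymous_identity_request("AID-constructed-1", "https://sp.example/")
    print(resp)
    print(nms.anonymous_update_request("AID-constructed-1", "https://sp.example/",
                                       resp["rand"], "alice", 86400))   # True
```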
The present invention also provides an identity provider, which includes:
a confirmation module, for confirming that a user has passed access authentication;
an assertion information processing module, for generating, after the confirmation module confirms that the user has passed access authentication, assertion information for the user according to the key shared between the identity provider and the service providing server the user wants to access, and sending the assertion information to the service providing server.
Preferably, the identity provider further includes:
a key generation module, for checking, before the assertion information processing module generates the assertion information for the user and after an authentication request sent by the service providing server or a service access request sent by the user is received, whether the shared key exists, and, if it does not exist, generating the shared key after the service providing server has passed authentication.
Preferably, the identity provider further includes:
an acquisition module, for obtaining a pseudonym and a corresponding lifetime for the user after the confirmation module confirms that the user has passed access authentication and before the assertion information processing module generates the assertion information for the user.
Preferably, the acquisition module is configured to send an anonymous identity request to a name mapping server (NMS) according to the user's anonymous service request, and to receive the user's pseudonym and the corresponding lifetime that the NMS generates in response to the anonymous identity request and returns.
Preferably, the acquisition module is further configured to receive an anonymous update request sent by the user that carries a specified user name and a corresponding lifetime, forward the anonymous update request to the NMS, and receive the update result returned by the NMS.
Preferably, the assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm and the signature result computed by the identity provider with the shared key; the identity information of the user is the pseudonym or the specified user name.
The present invention also provides a service providing server, which includes:
a receiving module, for receiving assertion information, sent by an identity provider, for a user who wants to access the service providing server;
a verification module, for verifying the assertion information according to the key shared between the service providing server and the identity provider.
Preferably, the service providing server further includes:
a service providing module, for creating, after the verification module has verified the assertion information, an entry corresponding to the user's identity information carried in the assertion information, and providing the service to the user.
The present invention provides a name mapping server (NMS), which includes:
a receiving module, for receiving an anonymous identity request sent by an identity provider, the anonymous identity request carrying the identity identifier of a user;
a generation and sending module, for generating, according to the anonymous identity request received by the receiving module, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and returning the user's pseudonym and the corresponding lifetime to the identity provider.
Preferably, the generation and sending module is further configured to receive, from the identity provider, the user's anonymous update request carrying a specified user name and a corresponding lifetime, perform the update according to the anonymous update request, and return the update result.
The present invention also provides an information processing unit, which includes the identity provider and the name mapping server described above.
The present invention also provides a single sign-on system, which includes the identity provider and the service providing server described above.
The present invention also provides a single sign-on system, which includes the identity provider, the name mapping server and the service providing server described above.
By reusing the access authentication, the embodiments of the present invention solve the problem that a user accessing the Internet has to register and authenticate repeatedly, and protect user privacy by generating a pseudonym, avoiding leakage of the user's private information.
Description of the drawings
Fig. 1 is a diagram of the network element architecture involved in the embodiments of the present invention;
Fig. 2 is a flow chart of an embodiment of the single sign-on method of the present invention;
Fig. 3 is a signaling flow chart of an embodiment of the single sign-on method of the present invention initiated by the service providing server;
Fig. 4 is a signaling flow chart of an embodiment of the single sign-on method of the present invention initiated by the identity provider;
Fig. 5 is a structural diagram of an embodiment of the identity provider of the present invention;
Fig. 6 is a structural diagram of an embodiment of the service providing server of the present invention;
Fig. 7 is a structural diagram of an embodiment of the name mapping server of the present invention;
Fig. 8 is a structural diagram of an embodiment of the information processing unit of the present invention;
Fig. 9 is a structural diagram of an embodiment of the single sign-on system of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the drawings. It should be noted that, where there is no conflict, the embodiments of this application and the features in the embodiments may be combined with each other arbitrarily.
For a better understanding of the present invention, the network element architecture involved in the embodiments is introduced first. As shown in Fig. 1, the architecture includes a user terminal (Mobile Node, MN) 101, an access service node (Access Service Node, ASN) 102, an authentication center 103, an identity provider (Identity Provider, IdP) 104, a name mapping server (Name Mapping Server, NMS) 105, an interconnect service node (Interconnect Service Node, ISN) 106 and a service provider (Service Provider, SP) service providing server 107, where:
the MN accessing the network may be one or more of mobile terminals and fixed terminals, such as mobile phones, fixed-line telephones, computers and application servers;
the ASN provides access service for user terminals, maintains the connection between terminal and network, assigns a routing identifier (Routing Identifier, RID) to the terminal, registers and queries the terminal's RID at the identity location register (ILR)/message forwarding function entity (PTF), maintains the access identifier (Access Identifier, AID)-to-RID mapping information, and routes and forwards data packets;
the authentication center records attribute information of the users of this network, such as user category, authentication information and user service level, performs access authentication and authorization for terminals, and may also have a charging function; it supports mutual authentication between terminal and network, and can generate the user security information used for authentication, integrity protection and confidentiality protection;
the identity provider provides assertion information about the user to the service providing server, authenticates the service providing server to check its legitimacy, queries the user's attribute information through its interface with the authentication center, and provides the user pseudonym service through its interface with the NMS;
the NMS generates a pseudonym from the user identity provided by the identity provider, to serve as the user's replacement identity, and creates an entry associating the pseudonym with the user identity information, the service providing server uniform resource locator (URL) and the lifetime; if the user changes the pseudonym or its lifetime, the NMS updates this information after receiving an anonymous update request from the identity provider;
the NMS may be deployed separately or as a functional module of the identity provider;
the ISN queries and maintains the AID-RID mapping information of the terminals of this network, encapsulates, routes and forwards data packets exchanged between this network and traditional IP networks, and implements interworking between this network and traditional IP networks; it includes a format conversion module that converts the IPv4/IPv6 address of a terminal of this network contained in a data packet sent by a traditional IP network into the corresponding AID, and converts the AID of a terminal of this network into IPv4/IPv6 address format before sending the packet on to the terminal in the traditional IP network;
the service providing server is an application system that provides services to users on the Internet.
An embodiment of the present invention provides a single sign-on method, described from the identity provider side, which includes:
Step 11, the identity provider confirms that the user has passed access authentication; the identity provider confirms this according to the user's identity identifier;
Step 12, the identity provider generates assertion information for the user according to the key shared between itself and the service providing server the user wants to access, and sends the assertion information to the service providing server.
An embodiment of the present invention also provides a single sign-on method, described from the service providing server side, which includes:
Step 21, the service providing server receives assertion information, sent by the identity provider, for a user who wants to access the service providing server;
Step 22, the service providing server verifies the assertion information according to the key shared between itself and the identity provider.
The service providing server above authenticates the user using the assertion information sent by the identity provider, so the user does not need to register and authenticate repeatedly when accessing Internet application systems. At the same time, to avoid leakage of user privacy, the embodiment of the present invention further provides an information processing method, described from the name mapping server side, which includes:
Step 31, a name mapping server (NMS) receives an anonymous identity request sent by an identity provider, the anonymous identity request carrying the identity identifier of a user;
Step 32, the NMS generates, according to the anonymous identity request, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and returns the user's pseudonym and the corresponding lifetime to the identity provider.
To describe the single sign-on method of the embodiment more clearly, it is described below from the perspective of the interaction among the identity provider, the service providing server and the name mapping server. Fig. 2 is the flow chart of the single sign-on method embodiment of the present invention; the method includes the following steps:
Step 201, after receiving an authentication request from the service providing server or a service access request from the user, the identity provider checks whether a shared key Ks exists between itself and the service providing server; if not, it authenticates the service providing server and generates the shared key Ks after successful authentication;
the authentication method includes but is not limited to pre-shared key, TLS, public key infrastructure (PKI) and IP security (IPsec); since these are prior art, they are not described here.
Step 202, the identity provider confirms that the user has passed access authentication, protects the user's identity by having the name mapping server generate a pseudonym according to the user's anonymous service request, and generates assertion information for this user for the service providing server;
Step 203, after receiving the assertion information sent by the identity provider, the service providing server verifies it; if the verification passes, it creates an entry corresponding to the user's pseudonym and provides the service to the user.
By reusing the access authentication and using a pseudonym, the single sign-on method above solves the problem that a user accessing Internet application systems has to register and authenticate repeatedly, and the problem of identity privacy leakage.
Fig. 3 is the signaling flow chart of the embodiment of the single sign-on method of the present invention initiated by the service providing server; the method includes:
Step 301, access authentication is performed among the MN, the ASN and the authentication center; after authentication passes, the identity/location separation network assigns an access identifier AID to the user;
thereafter, messages sent by the user terminal are forwarded by AID; the ASN assigns an RID to the user and selects a route by RID to reach the ISN, and the ISN obtains the user's AID from the message, converts it into an IPv4/IPv6 address and sends the message to the traditional IP network.
Step 302, the MN sends a service access request to the service providing server;
Step 303, the user selects an identity provider on the service providing server's page; the service providing server generates a random number nonce from the current timestamp, which serves as the user's temporary identifier at the service providing server, and builds an authentication request message carrying the service providing server URL, the identity provider URL and the random number nonce;
Step 304, the service providing server redirects the authentication request message to the identity provider over the Hypertext Transfer Protocol (HTTP);
Step 305, the user sends an anonymous service request to the identity provider through the terminal;
Step 306, the identity provider obtains the user's access identifier AID from the message and confirms that the user has passed access authentication; it checks whether a shared key Ks exists between itself and the service providing server and, if not, authenticates the service providing server and generates the shared key Ks after successful authentication; and it determines that no pseudonym corresponding to the user exists, or that the lifetime of the corresponding pseudonym has expired;
Wherein, identity provider authentication business provide server mode include but not limited to wildcard,
PKI, TLS or IPsec etc. authentication mode.Since it is the prior art, which is not described herein again;
Step 307, identity provider send anonymous Identity request message to NMS, carry user's in request message
The URL of AID, service providing server;
After step 308, NMS receive anonymous Identity request message, the random number R and and lifetime of acquiescence is generated,
Assumed names of the Rand as relative users, and build AID, the service providing server URL and Rand, lifetime correspondence of a MN
Entry, as shown in table 1;
Table 1: entries corresponding to the MN
Step 309: the NMS sends an anonymous identity response message to the identity provider, carrying the user's AID, the service providing server URL, the random number Rand and the lifetime.
Step 310: the identity provider sends an anonymous service response message to the user terminal, carrying the service providing server URL, the random number Rand and the lifetime.
Step 311: the user sends a specified user name and its lifetime to the identity provider through the terminal.
The user may replace the random number Rand with a specified user name that the user wishes to present, and may specify the desired lifetime.
Step 312: the identity provider sends an anonymous update request message to the NMS, carrying the user's AID, the random number Rand, the pseudonym specified by the user and the lifetime.
Step 313: after adding the pseudonym specified by the user and updating the lifetime, the NMS sends an anonymous update response message to the identity provider, carrying the result of the update, success or failure.
Step 314: the identity provider builds an authentication response message that contains assertion information; the assertion information carries the random number nonce, the service providing server URL, the identity provider URL, the pseudonym Rand generated by the NMS or the user name specified by the user, the signature algorithm, and the signature result computed with Ks.
The signature result here is the signature computed by the identity provider with the signature algorithm over the service providing server URL, the identity provider URL, the pseudonym Rand generated by the NMS or the user name specified by the user, and the shared key.
In this embodiment, the identity provider URL represents the identity information of the identity provider; the service providing server URL represents the identity information of the service providing server; the pseudonym Rand generated by the NMS or the user name specified by the user represents the identity information of the user; and the random number nonce is used to prevent replay attacks.
Step 315: the identity provider sends the authentication response message to the service providing server via HTTP redirection.
Step 316: the service providing server verifies the integrity of the assertion using the shared key Ks shared with the identity provider, and checks whether the nonce is newly generated and whether it is repeated.
Specifically, the service providing server uses the signature algorithm carried in the assertion information to compute a signature result over the service providing server URL, the identity provider URL and the pseudonym Rand generated by the NMS or the user name specified by the user, all carried in the assertion information, together with the shared key negotiated with the identity provider, and compares this signature result with the one carried in the assertion information; if the two match, the assertion is intact. At the same time, it judges from the generation time of the nonce whether the nonce is newly generated and whether it is repeated; if the nonce is newly generated and not repeated, the verification passes.
Step 317: after the above verification passes, the service providing server creates an entry for the user MN with the random number Rand or the specified user name.
Step 318: the service providing server returns a service access response to the user and provides the service to the user, using Rand or the user name as the user's identifier at the service providing server.
Figure 4 is the signaling flow chart of the embodiment of the single sign-on method of the present invention that is initiated by the identity provider. The method includes the following steps:
Step 401: access authentication is performed among the MN, the ASN and the authentication center; after the authentication passes, the identity/location separation network allocates an access identifier AID to the user.
Thereafter, messages sent by the user terminal are transmitted using the AID; the ASN allocates an RID to the user and routes by the RID to find the ISN; the ISN obtains the user's AID from the message, converts it into an IPv4/IPv6 address and forwards the message to the traditional IP network.
Step 402: the MN initiates a service access request to the identity provider.
Step 403: the MN selects the service to be accessed on the page of the identity provider and sends an anonymous service request to the identity provider.
Step 404: the identity provider obtains the user's access identifier AID from the message and confirms that the user has passed access authentication; it checks whether a shared key Ks exists between itself and the service providing server and, if not, authenticates the service providing server and generates the shared key Ks after the authentication passes. It then checks that no pseudonym corresponding to the AID exists, or that the lifetime of the corresponding pseudonym has expired.
Step 405: according to the user's anonymous service request, the identity provider sends an anonymous identity request message to the NMS, carrying the user's AID and the service providing server URL.
Step 406: after receiving the anonymous identity request message, the NMS generates a random number Rand and a default lifetime as the pseudonym of the corresponding user, and builds an entry mapping the MN's AID and the service providing server URL to Rand and the lifetime, as shown in Table 1.
Step 407: the NMS sends an anonymous identity response message to the identity provider, carrying the user's AID, the service providing server URL, the random number Rand and the lifetime.
Step 408: the identity provider sends an anonymous service response message to the user, carrying the service providing server URL, the random number Rand and the lifetime.
Step 409: the user sends a specified user name and its lifetime to the identity provider through the terminal.
The user may replace the random number Rand with a specified user name that the user wishes to present, and may specify the desired lifetime.
Step 410: the identity provider sends an anonymous update request message to the NMS, carrying the user's AID, the random number Rand, the pseudonym specified by the user and the lifetime.
Step 411: after adding the pseudonym specified by the user and updating the lifetime, the NMS sends an anonymous update response message to the identity provider, carrying the result of the update, success or failure.
Step 412: the identity provider generates a random number nonce according to the current timestamp and builds an authentication response message that contains assertion information; the assertion information carries the random number nonce, the service providing server URL, the identity provider URL, the pseudonym Rand generated by the NMS or the user name specified by the user, the signature algorithm, and the signature result computed with Ks.
Step 413: the identity provider sends the authentication response message to the service providing server via HTTP redirection.
Step 414: the service providing server verifies the integrity of the assertion using the shared key Ks shared with the identity provider, and checks whether the nonce is newly generated and whether it is repeated.
Step 415: after the above verification passes, the service providing server creates an entry for the user MN with the random number Rand or the specified user name.
Step 416: the service providing server returns a service access response to the user and provides the service to the user, using Rand or the user name as the user's identifier at the service providing server.
Steps 403-416 of this embodiment are handled in the same way as steps 305-318 of the embodiment above and are therefore not repeated here.
Figure 5 is a structural schematic diagram of the identity provider embodiment of the present invention. The identity provider includes a confirmation module 51 and an assertion information processing module 52, wherein:
the confirmation module is configured to confirm that the user has passed access authentication;
the assertion information processing module is configured, after the confirmation module confirms that the user has passed access authentication, to generate assertion information for the user according to the shared key between the identity provider and the service providing server the user intends to access, and to send the assertion information to the service providing server.
In addition, the identity provider further includes a key generation module, configured, before the assertion information processing module generates the assertion information for the user and after the authentication request sent by the service providing server or the service access request sent by the user is received, to check whether the shared key exists and, if it does not exist, to generate the shared key after the service providing server passes authentication.
In order to avoid leaking the user's identity information, the identity provider further includes an acquisition module, configured, after the confirmation module confirms that the user has passed access authentication and before the assertion information processing module generates the assertion information for the user, to obtain a pseudonym and the life cycle corresponding to the pseudonym for the user. Specifically, the acquisition module is configured to send an anonymous identity request to the name mapping server (NMS) according to the anonymous service request of the user, and to receive the pseudonym of the user generated by the NMS according to the anonymous identity request together with the life cycle corresponding to the pseudonym. In addition, since the user may change the user name, the acquisition module is further configured to receive an anonymous update request sent by the user that carries a designated user name and a corresponding life cycle, to send the anonymous update request to the NMS, and to receive the update result returned by the NMS.
The assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm and the signature result calculated by the identity provider according to the shared key; the identity information of the user includes the pseudonym or the designated user name.
The identity provider above, after confirming that the user has passed access authentication, provides the service providing server with assertion information about the user, which makes it possible for the user to access the service providing server without entering authentication information.
Figure 6 is a structural schematic diagram of the service providing server embodiment of the present invention. The service providing server includes a receiving module 61 and a verification module 62, wherein:
the receiving module is configured to receive the assertion information, sent by the identity provider, about the user who intends to access the service providing server;
the verification module is configured to verify the assertion information according to the shared key between the service providing server and the identity provider.
In addition, the service providing server further includes a service providing module, configured, after the verification module verifies the assertion information, to create an entry corresponding to the identity information of the user included in the assertion information and to provide the service to the user.
The verification module above uses the signature algorithm carried in the assertion information to compute a signature result over the service providing server URL, the identity provider URL and the pseudonym Rand generated by the NMS or the user name specified by the user, all carried in the assertion information, together with the shared key negotiated with the identity provider, and compares this signature result with the one carried in the assertion information; if the two match, the assertion is intact. At the same time, it judges from the generation time of the nonce whether the nonce is newly generated and whether it is repeated; if the nonce is newly generated and not repeated, the verification passes.
The service providing server above completes the single sign-on of the user according to the assertion information about the user sent by the identity provider, and effectively protects the user's privacy.
Figure 7 is a structural schematic diagram of the name mapping server embodiment of the present invention. The NMS includes a receiving module 71 and a generating and sending module 72, wherein:
the receiving module is configured to receive an anonymous identity request sent by the identity provider, the anonymous identity request carrying the identity of the user;
the generating and sending module is configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym of the user corresponding to the identity and a life cycle corresponding to the pseudonym, and to return the pseudonym of the user and the life cycle corresponding to the pseudonym to the identity provider.
In addition, so that the user's pseudonym can be modified, the generating and sending module is further configured to receive the anonymous update request from the user, sent by the identity provider, that carries a designated user name and a corresponding life cycle, to perform the update according to the anonymous update request, and to return the update result.
Further, the name mapping server shown in Figure 7 and the identity provider shown in Figure 5 may be combined into one device, as shown in Figure 8; the functions of the relevant modules in that device are the same as those of the corresponding modules in Figures 5 and 7 and are not described here again.
Corresponding to the privacy-enhanced single sign-on method above, the embodiment of the present invention further provides a single sign-on system, shown in Figure 9, which includes a service providing server 91, an identity provider 92 and a name mapping server 93; the functions of the relevant modules in this system are the same as those of the corresponding modules in Figures 5 to 7 and are not described here again.
In short, in the embodiment of the present invention, after receiving the authentication request of the service providing server or the service access request of the user, the identity provider checks whether the shared key Ks exists and, if it does not, authenticates the service providing server and generates the shared key Ks after the authentication passes; the identity provider confirms, according to the user's identity, that the user has passed access authentication, protects the user's identity by having the name mapping server (NMS, Name Mapping Server) generate a pseudonym according to the user's anonymous service request, and at the same time generates the user's assertion information for the service providing server; after receiving the assertion information from the identity provider, the service providing server verifies its legitimacy and, if the verification passes, creates an entry corresponding to the pseudonym and provides the service to the user.
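The following is an added example, not code from the patent, that models the assertion flow of Figures 3 and 4 and the verification performed by the service providing server in one runnable script. It assumes that the unspecified signature algorithm is HMAC-SHA256 keyed with Ks, that the nonce is a unix timestamp followed by random hex so its generation time can be checked, and that the nonce is covered by the signature (the patent's signed input lists only the two URLs, the user identity and Ks); all class, function and URL names are hypothetical.

```python
"""Toy model of the patent's pseudonymous single sign-on (added example).
Assumptions not fixed by the patent: HMAC-SHA256 as the signature algorithm,
nonce = '<unix time>.<random hex>', nonce included in the signed input.
"""
import hashlib
import hmac
import os
import secrets

NONCE_MAX_AGE = 60        # seconds a nonce still counts as "newly generated" (constructed)
DEFAULT_LIFETIME = 3600   # NMS default pseudonym lifetime in seconds (constructed)


def make_nonce(now):
    """Nonce derived from the current timestamp plus random bytes (step 303/412)."""
    return f"{int(now)}.{secrets.token_hex(8)}"


def nonce_time(nonce):
    """Generation time encoded in the nonce, used by the freshness check."""
    return int(nonce.split(".", 1)[0])


def signing_input(nonce, sp_url, idp_url, user_id):
    """Canonical byte string the identity provider signs with Ks."""
    return "|".join((nonce, sp_url, idp_url, user_id)).encode()


class NameMappingServer:
    """NMS: keeps a Table 1 style entry (AID, SP URL) -> (pseudonym, expiry)."""

    def __init__(self):
        self.entries = {}

    def anonymous_identity(self, aid, sp_url, now):
        # Steps 307-309: issue Rand with the default lifetime when no entry
        # exists or the old one has expired; otherwise reuse the entry.
        entry = self.entries.get((aid, sp_url))
        if entry is None or entry["expires"] <= now:
            entry = {"name": secrets.token_hex(8), "expires": now + DEFAULT_LIFETIME}
            self.entries[(aid, sp_url)] = entry
        return dict(entry)

    def anonymous_update(self, aid, sp_url, user_name, lifetime, now):
        # Steps 312-313: replace Rand by a user-chosen name and lifetime.
        if (aid, sp_url) not in self.entries:
            return False
        self.entries[(aid, sp_url)] = {"name": user_name, "expires": now + lifetime}
        return True


class IdentityProvider:
    def __init__(self, url, nms):
        self.url = url
        self.nms = nms
        self.shared_keys = {}        # SP URL -> Ks, created after the SP is authenticated
        self.authenticated = set()   # AIDs that passed access authentication (step 301)

    def shared_key(self, sp_url):
        # One Ks per SP. How the SP is authenticated (PSK, PKI, TLS, IPsec)
        # is outside this example, so the key is simply created on first use.
        return self.shared_keys.setdefault(sp_url, os.urandom(32))

    def build_assertion(self, aid, sp_url, nonce, now):
        # Step 306: only a user that passed access authentication gets an assertion.
        if aid not in self.authenticated:
            return None
        pseudonym = self.nms.anonymous_identity(aid, sp_url, now)
        sig = hmac.new(self.shared_key(sp_url),
                       signing_input(nonce, sp_url, self.url, pseudonym["name"]),
                       hashlib.sha256).hexdigest()
        # Step 314: nonce, both URLs, user identity, algorithm and signature result
        return {"nonce": nonce, "sp_url": sp_url, "idp_url": self.url,
                "user_id": pseudonym["name"], "alg": "HMAC-SHA256", "sig": sig}


class ServiceProvider:
    def __init__(self, url, ks):
        self.url = url
        self.ks = ks
        self.seen_nonces = set()   # for the "not repeated" check
        self.users = {}            # step 317 entries: user identity -> record

    def verify_assertion(self, a, now):
        """Step 316: integrity via Ks, then nonce freshness and uniqueness."""
        if a is None or a["alg"] != "HMAC-SHA256" or a["sp_url"] != self.url:
            return False
        expected = hmac.new(self.ks,
                            signing_input(a["nonce"], a["sp_url"], a["idp_url"], a["user_id"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["sig"]):
            return False                     # assertion not intact
        if now - nonce_time(a["nonce"]) > NONCE_MAX_AGE:
            return False                     # nonce not newly generated
        if a["nonce"] in self.seen_nonces:
            return False                     # nonce repeated: replay
        self.seen_nonces.add(a["nonce"])
        self.users[a["user_id"]] = {"idp": a["idp_url"]}   # step 317 entry
        return True
```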
Of course, if only the problem of repeated authentication needs to be solved, the name mapping server may be omitted from the system above, and correspondingly the acquisition module may be omitted from the identity provider.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method above may be performed by related hardware under the instruction of a program, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the embodiments above may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the embodiments above may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular combination of hardware and software.
The embodiments above are only intended to illustrate the technical solution of the present invention and not to limit it; the present invention has been described in detail with reference to preferred embodiments only. Those of ordinary skill in the art will understand that modifications or equivalent replacements of the technical solution of the present invention that do not depart from its spirit and scope shall all fall within the scope of the claims of the present invention.
Claims (21)
1. A single sign-on method, the method including:
an identity provider confirming that a user has passed access authentication;
the identity provider generating assertion information for the user according to a shared key between itself and the service providing server the user intends to access, and sending the assertion information to the service providing server;
wherein the assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, a signature algorithm and a signature result;
the signature result is calculated by the identity provider, using the signature algorithm, from the identity information of the identity provider, the identity information of the service providing server, the identity information of the user and the shared key;
and wherein the identity information of the user includes a pseudonym or a designated user name.
2. The method according to claim 1, characterized in that:
before the identity provider generates the assertion information for the user according to the shared key between itself and the service providing server the user intends to access, the method further includes:
after receiving the authentication request sent by the service providing server or the service access request sent by the user, the identity provider checking whether the shared key exists and, if it does not exist, generating the shared key after the service providing server passes authentication.
3. The method according to claim 1 or 2, characterized in that:
before the identity provider generates the assertion information for the user, the method further includes:
the identity provider obtaining a pseudonym and a life cycle corresponding to the pseudonym for the user.
4. The method according to claim 3, characterized in that:
the identity provider obtaining the pseudonym and the life cycle corresponding to the pseudonym for the user includes:
the identity provider sending an anonymous identity request to a name mapping server NMS according to the anonymous service request of the user, and receiving the pseudonym of the user generated by the NMS according to the anonymous identity request together with the life cycle corresponding to the pseudonym.
5. The method according to claim 4, characterized in that:
after the identity provider obtains the pseudonym and the life cycle corresponding to the pseudonym for the user, the method further includes:
the identity provider receiving an anonymous update request sent by the user that carries a designated user name and a corresponding life cycle, sending the anonymous update request to the NMS, and receiving the update result returned by the NMS.
6. A single sign-on method, the method including:
a service providing server receiving assertion information, sent by an identity provider, about a user who intends to access the service providing server;
the service providing server verifying the assertion information according to a shared key between itself and the identity provider;
wherein the assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, a signature algorithm and a signature result;
the signature result is calculated by the identity provider, using the signature algorithm, from the identity information of the identity provider, the identity information of the service providing server, the identity information of the user and the shared key;
and wherein the identity information of the user includes a pseudonym or a designated user name.
7. The method according to claim 6, characterized in that:
after the service providing server verifies the assertion information according to the shared key between itself and the identity provider, the method further includes:
if the verification passes, the service providing server creating an entry corresponding to the identity information of the user included in the assertion information and providing the service to the user; the identity information of the user being the pseudonym of the user or the designated user name.
8. The method according to claim 6 or 7, characterized in that:
before the service providing server receives the assertion information, sent by the identity provider, about the user who intends to access the service providing server, the method further includes:
after receiving the service access request sent by the user, the service providing server generating a random number and sending to the identity provider an authentication request carrying the random number.
9. The method according to claim 8, characterized in that:
the service providing server verifying the assertion information according to the shared key between itself and the identity provider includes:
the service providing server calculating a signature result from the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, the signature algorithm and the shared key, and comparing whether the signature result it calculated is consistent with the signature result calculated by the identity provider; and
judging whether the generation time of the random number is the most recent and whether the random number is unique.
10. An identity provider, the identity provider including:
a confirmation module, configured to confirm that a user has passed access authentication;
an assertion information processing module, configured, after the confirmation module confirms that the user has passed access authentication, to generate assertion information for the user according to a shared key between the identity provider and the service providing server the user intends to access, and to send the assertion information to the service providing server;
wherein the assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, a signature algorithm and a signature result;
the signature result is calculated by the identity provider, using the signature algorithm, from the identity information of the identity provider, the identity information of the service providing server, the identity information of the user and the shared key;
and wherein the identity information of the user includes a pseudonym or a designated user name.
11. The identity provider according to claim 10, characterized in that the identity provider further includes:
a key generation module, configured, before the assertion information processing module generates the assertion information for the user and after the authentication request sent by the service providing server or the service access request sent by the user is received, to check whether the shared key exists and, if it does not exist, to generate the shared key after the service providing server passes authentication.
12. The identity provider according to claim 11, characterized in that the identity provider further includes:
an acquisition module, configured, after the confirmation module confirms that the user has passed access authentication and before the assertion information processing module generates the assertion information for the user, to obtain a pseudonym and a life cycle corresponding to the pseudonym for the user.
13. The identity provider according to claim 12, characterized in that:
the acquisition module is configured to send an anonymous identity request to a name mapping server (NMS) according to the anonymous service request of the user, and to receive the pseudonym of the user generated by the NMS according to the anonymous identity request together with the life cycle corresponding to the pseudonym.
14. The identity provider according to claim 13, characterized in that:
the acquisition module is further configured to receive an anonymous update request sent by the user that carries a designated user name and a corresponding life cycle, to send the anonymous update request to the NMS, and to receive the update result returned by the NMS.
15. A service providing server, the service providing server including:
a receiving module, configured to receive assertion information, sent by an identity provider, about a user who intends to access the service providing server;
a verification module, configured to verify the assertion information according to a shared key between the service providing server and the identity provider;
wherein the assertion information carries a random number, the identity information of the identity provider, the identity information of the service providing server, the identity information of the user, a signature algorithm and a signature result;
the signature result is calculated by the identity provider, using the signature algorithm, from the identity information of the identity provider, the identity information of the service providing server, the identity information of the user and the shared key;
and wherein the identity information of the user includes a pseudonym or a designated user name.
16. The service providing server according to claim 15, characterized in that the service providing server further includes:
a service providing module, configured, after the verification module verifies the assertion information, to create an entry corresponding to the identity information of the user included in the assertion information and to provide the service to the user.
17. An information processing apparatus, the apparatus including the identity provider according to any one of claims 10-14 and a name mapping server NMS, wherein the NMS includes:
a receiving module, configured to receive an anonymous identity request sent by the identity provider, the anonymous identity request carrying the identity of the user;
a generating and sending module, configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym of the user corresponding to the identity and a life cycle corresponding to the pseudonym, and to return the pseudonym of the user and the life cycle corresponding to the pseudonym to the identity provider.
18. The information processing apparatus according to claim 17, characterized in that:
the generating and sending module of the NMS is further configured to receive the anonymous update request from the user, sent by the identity provider, that carries a designated user name and a corresponding life cycle, to perform the update according to the anonymous update request, and to return the update result.
19. A single sign-on system, the system including the identity provider according to any one of claims 10-14 and the service providing server according to any one of claims 15-16.
20. A single sign-on system, the system including the identity provider according to any one of claims 13-15, the service providing server according to any one of claims 15-16 and a name mapping server NMS, wherein the NMS includes:
a receiving module, configured to receive an anonymous identity request sent by the identity provider, the anonymous identity request carrying the identity of the user;
a generating and sending module, configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym of the user corresponding to the identity and a life cycle corresponding to the pseudonym, and to return the pseudonym of the user and the life cycle corresponding to the pseudonym to the identity provider.
21. The single sign-on system according to claim 20, characterized in that:
the generating and sending module of the NMS is further configured to receive the anonymous update request from the user, sent by the identity provider, that carries a designated user name and a corresponding life cycle, to perform the update according to the anonymous update request, and to return the update result.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610833474.3A CN106254386B (en) | 2011-09-20 | 2011-09-20 | A kind of information processing method and name mapping server |
CN201110279495.2A CN103023856B (en) | 2011-09-20 | 2011-09-20 | Method, system and the information processing method of single-sign-on, system |
PCT/CN2012/079709 WO2013040957A1 (en) | 2011-09-20 | 2012-08-06 | Single sign-on method and system, and information processing method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110279495.2A CN103023856B (en) | 2011-09-20 | 2011-09-20 | Method, system and the information processing method of single-sign-on, system |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610833474.3A Division CN106254386B (en) | 2011-09-20 | 2011-09-20 | A kind of information processing method and name mapping server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103023856A CN103023856A (en) | 2013-04-03 |
CN103023856B true CN103023856B (en) | 2018-07-13 |
Family
ID=47913855
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110279495.2A Active CN103023856B (en) | 2011-09-20 | 2011-09-20 | Method, system and the information processing method of single-sign-on, system |
CN201610833474.3A Active CN106254386B (en) | 2011-09-20 | 2011-09-20 | A kind of information processing method and name mapping server |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610833474.3A Active CN106254386B (en) | 2011-09-20 | 2011-09-20 | A kind of information processing method and name mapping server |
Country Status (2)
Country | Link |
---|---|
CN (2) | CN103023856B (en) |
WO (1) | WO2013040957A1 (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6568869B2 (en) * | 2014-03-31 | 2019-08-28 | Deutsche Telekom AG | Method and system, mobile communication network, program and computer program product for protecting and/or anonymizing the user identity and/or user data of a subscriber of a data protection service |
WO2018014535A1 (en) * | 2016-07-16 | 2018-01-25 | Huawei Technologies Co., Ltd. | Network verification method and associated apparatus and system |
CN107623668A (en) * | 2016-07-16 | 2018-01-23 | Huawei Technologies Co., Ltd. | Network authentication method, related device and system |
JP6943260B2 (en) * | 2016-12-28 | 2021-09-29 | Sony Group Corporation | Server device, information management method, information processing device, information processing method and program |
CN106790272A (en) * | 2017-02-16 | 2017-05-31 | Jinan Inspur Hi-Tech Investment and Development Co., Ltd. | Single sign-on system and method, and application server |
CN106713367A (en) * | 2017-03-02 | 2017-05-24 | Shandong Inspur Cloud Service Information Technology Co., Ltd. | Authentication method, authentication platform, business system and authentication system |
CN107770183B (en) * | 2017-10-30 | 2020-11-20 | New H3C Information Security Technologies Co., Ltd. | Data transmission method and device |
CN110351721A (en) * | 2018-04-08 | 2019-10-18 | ZTE Corporation | Network slice access method and device, storage medium and electronic device |
FR3090259A1 (en) * | 2018-12-18 | 2020-06-19 | Orange | Method and system for authenticating a client terminal to a target server by triangulation via an authentication server |
CN110378135A (en) * | 2019-07-08 | 2019-10-25 | Wuhan East Lake Big Data Trading Center Co., Ltd. | Privacy protection system and method based on big data analysis and trusted computing |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101399671A (en) * | 2008-11-18 | 2009-04-01 | Institute of Software, Chinese Academy of Sciences | Cross-domain authentication method and system thereof |
CN101771722A (en) * | 2009-12-25 | 2010-07-07 | ZTE Corporation | System and method for WAPI terminal to access Web application site |
CN101938465A (en) * | 2010-07-05 | 2011-01-05 | Beijing Guangdian Tiandi Information Consulting Co., Ltd. | Method and system based on web service authentication |
CN101998407A (en) * | 2009-08-31 | 2011-03-30 | China Mobile Communications Group Co., Ltd. | WLAN access authentication based method for accessing services |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7836305B2 (en) * | 2004-05-06 | 2010-11-16 | Telefonaktiebolaget L M Ericsson (Publ) | Method of and system for storage of I-WLAN temporary identities |
EP1754391A1 (en) * | 2004-05-28 | 2007-02-21 | Koninklijke Philips Electronics N.V. | Privacy-preserving information distributing system |
US9490984B2 (en) * | 2009-09-14 | 2016-11-08 | Interdigital Patent Holdings, Inc. | Method and apparatus for trusted authentication and logon |
Events
2011
- 2011-09-20 CN CN201110279495.2A: CN103023856B, status Active
- 2011-09-20 CN CN201610833474.3A: CN106254386B, status Active
2012
- 2012-08-06 WO PCT/CN2012/079709: WO2013040957A1, status Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN103023856A (en) | 2013-04-03 |
CN106254386B (en) | 2019-07-05 |
WO2013040957A1 (en) | 2013-03-28 |
CN106254386A (en) | 2016-12-21 |
Similar Documents
Publication | Title |
---|---|
CN103023856B (en) | Method, system and the information processing method of single-sign-on, system |
CN101069402B (en) | Method and system for transparently authenticating a mobile user to access web services |
US7221935B2 (en) | System, method and apparatus for federated single sign-on services |
CN1977514B (en) | Authenticating users |
US8261078B2 (en) | Access to services in a telecommunications network |
CN101414907B (en) | Method and system for accessing network based on user identification authorization |
EP3120591B1 (en) | User identifier based device, identity and activity management system |
CN102695167B (en) | Mobile subscriber identity management method and apparatus thereof |
US20060195893A1 (en) | Apparatus and method for a single sign-on authentication through a non-trusted access network |
CN103067337B (en) | Identity federation method, identity provider (IdP), service provider (SP) and identity federation system |
KR102299865B1 (en) | Method and system related to authentication of users for accessing data networks |
CN105763658B (en) | Method for addressing a device's dynamic IP address, addressing server and system |
CN102420808A (en) | Method for realizing single sign-on in telecom online business hall |
CN102938757B (en) | Method and identity provider for sharing user data in a network |
US20130183934A1 (en) | Methods for initializing and/or activating at least one user account for carrying out a transaction, as well as terminal device |
WO2011063658A1 (en) | Method and system for unified security authentication |
KR101506594B1 (en) | Method and system for subscriber to log in internet content provider (ICP) website in identity/location separation network and login device thereof |
CN102238148B (en) | Identity management method and system |
CN106330894B (en) | SAVI proxy authentication system and method based on link-local address |
JP4579592B2 (en) | Information providing service system and method |
KR101869584B1 (en) | Method and system for cloud-based identity management (C-IdM) implementation |
WO2014187423A1 (en) | Method and device for processing identification information |
CN101355578A (en) | Compatible method and system for mobile IP application based on RADIUS and DIAMETER protocols |
CN119210736B (en) | Application credibility checking method and system based on APN6 network |
KR100904004B1 (en) | User authentication |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |