Description
SYSTEM AND METHOD FOR PERFORMING SERVICE LOGOUT IN SINGLE-SIGN-ON SERVICE USING IDENTITY
Technical Field
[1] The present invention relates to a system and a method for performing a service logout in a single-sign-on service using federated identity.
Background Art
[2] Thanks to the development and expansion of the Internet, electronic commerce has expanded rapidly and is actively in use. Many users become members of a plurality of on-line service providers (SPs) and receive services from them. An SP requests a user to register an identifier (ID) and a password when the user joins the SP, and provides its services after authenticating the user with the registered ID and password. However, because there are so many SPs, users accumulate more IDs and passwords than they can actually memorize. Thus, many systems currently provide a single-sign-on function that allows users to use web services without additional authentication once they have passed through an authentication procedure a single time.
[3] For example, Korean patent application No. 10-2000-0044999, titled "Method for performing automatic joining and automatic login of an Internet site and system using the same", discloses an authentication technology in which, when a member of a site accesses another external site linked by that site, the member is granted the same rights as a member of the external site without a separate login procedure. In particular, the above Korean application discloses an SSO (Single-Sign-On) method in which, when a user intends to become a member of a predetermined site (sub-site), the system delivers the member information of a site the user has already joined (main-site) to the sub-site, thereby allowing the user to obtain the same rights in the sub-site as a member of the main site without a separate login procedure.
[4] However, the above-described Korean application does not provide a service for logging out of an individual website when a user who has logged in to multiple websites using SSO intends to stop using the service of only one of them.
[5] To solve the above-described problems, the Liberty Alliance group provides a single-logout service in which the respective SPs manage user IDs and passwords and cooperate with one another to provide an Internet SSO service to users, and the users are allowed to log out from all the logged-in SPs at once if they so desire. However, even Liberty Alliance does not provide a service that allows a user to log out of a single website when the user wants to leave that website and no longer wishes to come back to it.
Disclosure of Invention
Technical Problem
[6] Accordingly, the present invention is directed to a system and a method for performing a service logout in a single-sign-on service that substantially obviate one or more of the problems due to limitations and disadvantages of the related art.
[7] An object of the present invention is to provide a system and a method for performing a service logout in a single-sign-on service using a federated identity, capable of processing service-logout requests in cooperation with system policies and sessions so as to support logouts from individual sites, which cannot be provided by a related-art SSO.
Technical Solution
[8] To achieve these and other advantages and in accordance with the purpose of the present invention, as embodied and broadly described, there is provided a system for performing a service logout in a single-sign-on service using a federated identity, which includes: a service-logout-request processor for receiving a service-logout request from an SP, referring to policies regarding a service logout through a system policy manager, and referring to whether a session is valid through a session manager; a system policy manager for referring to whether a user has the right to perform a service logout and referring to other policies necessary for the service logout; and a session manager for managing an authentication session and a service session of the user and referring to whether a session exists and is valid in order to log out from the service session.
[9] According to another aspect of the present invention, there is provided a method for performing a service logout in a single-sign-on service using a federated identity, which includes the steps of: referring to service-logout policies through a policy database (DB) when a service-logout request is received; judging whether the service-logout request is valid on the basis of the referred policy; if the service-logout request is valid as a result of the judgment, referring to session information using a session ID and checking whether the session is valid; and if the session is currently valid as a result of the checking, deleting the session.
Brief Description of the Drawings
[10] FIG. 1 is a view schematically illustrating a structure of a system for performing a service logout in a single-sign-on service using a federated identity according to the present invention;
[11] FIG. 2 is a view schematically illustrating a structure and an operation principle of a system policy manager according to the present invention;
[12] FIG. 3 is a view schematically illustrating a structure and an operation principle of a session manager according to the present invention;
[13] FIG. 4 is a flowchart illustrating a schematic processing procedure of a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention; and
[14] FIG. 5 is a flowchart illustrating a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
Best Mode for Carrying Out the Invention
[15] Hereinafter, preferred embodiments of the present invention will be described in detail with reference to accompanying drawings.
[16] FIG. 1 is a view schematically illustrating a structure of a system for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
[17] The SP 2000 is intended to provide services to users on-line. The SP 2000 has a service-logout request and response processor for requesting an ID service provider (IDSP) 1000 to perform a service logout, receiving the response from the IDSP 1000, and outputting a response message to the user's web browser.
[18] The IDSP 1000 is intended to allow users to log in to a plurality of sites through an Internet SSO service under a federated identity environment and to log out from the respective sites individually. The IDSP 1000 includes a service-logout-request processor 100 for receiving a user's service-logout request transmitted from the SP 2000 and referring to policies regarding the service logout by communicating with a system policy manager; the system policy manager 200 for referring to whether the user has the right to perform a service logout and referring to other policies necessary for the service logout; and a session manager 300 for managing an authentication session and a service session of the user and referring to whether a session exists and is valid in order to log out from the service session. The service-logout-request processor 100 determines whether to log out from the service session, performs the logout on the basis of the information referred to through the system policy manager 200 and the session manager 300, and transmits the result to the SP.
[19] FIG. 2 is a view schematically illustrating a structure and an operation principle of a system policy manager 200 for managing policies regarding an SSO according to the present invention. The system policy manager 200 has a policy request receiver 201 for receiving requests regarding a variety of policies and a policy dispatcher 202 for classifying the requests according to their kind and sending the classified requests to the relevant module. The policy operations are roughly classified into registration, inquiry, change, and deletion. The system policy manager 200 refers to the policies through a policy database (DB) when performing each operation.
[20] FIG. 3 is a view schematically illustrating a structure and an operation principle of a session manager 300 for managing SSO sessions according to the present invention. The session manager 300 has a session handler 301 for receiving and analyzing all operations regarding the session and dispatching each request to the relevant operation. The session handler manages session information in memory and also records it in a session DB so that log information remains afterwards; therefore, it accesses the DB to leave a record when generating and deleting a session. By contrast, when referring to and updating a session, the session handler performs the operations directly in memory.
[21] FIG. 4 is a flowchart illustrating a schematic processing procedure of a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention. If a user designates an IDSP at an SP 2000 to make a service-logout request, the SP 2000 generates a service-logout request message and transmits it to the IDSP 1000 through the user's web browser. At this time, a redirection, one of the communication methods generally used on the web, is used.
[22] The SP 2000 transmits the user's login ID and the session ID issued when the user logged in to the SP 2000 together with the request message.
[23] The IDSP 1000 that has received the request message executes a service logout at the user's request, builds a response message from the result, and transmits the response message to the SP 2000 using a redirection. The SP 2000 that has received the response message informs the user of the result of the requested service.
[24] FIG. 5 is a flowchart illustrating a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention. When the service-logout-request processor 100 of the IDSP 1000 receives a service-logout request, the service-logout policies are first referred to through the system policy manager 200 (S11), and whether the user has the right to request a service logout is judged on the basis of the referred policy (S12). Next, the session information is referred to using the session ID through the session manager 300 (S13). Whether the session information exists and is currently valid is checked (S14), and the session manager is requested to delete the relevant service session (S15). After the service session is deleted, a response message is generated and transmitted to the SP 2000, whereby the service-logout procedure is completed.
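As an added illustration, not code from the patent, here is a compact Python model of the FIG. 4 and FIG. 5 flow: the SP's request carries the login ID and session ID, the IDSP consults the policy manager (S11, S12), looks up the session and checks that it exists and is still valid (S13, S14), deletes only that service session (S15) and returns a result for the response message. The class names, the in-memory policy and session data, and the check that the session belongs to the requesting login ID and SP are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Session:
    session_id: str
    user_id: str
    sp_id: str
    expires_at: float  # epoch seconds; past this time the session is no longer valid

class SystemPolicyManager:
    """Policy inquiry (S11/S12): which SPs a user has the right to service-logout from."""
    def __init__(self, policy_db):
        self.policy_db = policy_db  # constructed stand-in for the policy DB
    def may_service_logout(self, user_id, sp_id):
        return sp_id in self.policy_db.get(user_id, set())

class SessionManager:
    """Sessions are referenced in memory; create/delete also leave a session-DB record."""
    def __init__(self):
        self.memory, self.session_db_log = {}, []
    def create(self, session):
        self.memory[session.session_id] = session
        self.session_db_log.append(("create", session.session_id))
    def lookup(self, session_id, now):  # S13/S14: does it exist and is it still valid?
        session = self.memory.get(session_id)
        return None if session is None or session.expires_at <= now else session
    def delete(self, session_id):  # S15: only the requested service session is removed
        del self.memory[session_id]
        self.session_db_log.append(("delete", session_id))

class ServiceLogoutRequestProcessor:
    def __init__(self, policy, sessions):
        self.policy, self.sessions = policy, sessions
    def handle(self, login_id, session_id, sp_id, now):
        if not self.policy.may_service_logout(login_id, sp_id):
            return {"status": "denied", "reason": "no_service_logout_right"}
        session = self.sessions.lookup(session_id, now)
        if session is None:
            return {"status": "failed", "reason": "session_missing_or_expired"}
        if session.user_id != login_id or session.sp_id != sp_id:
            return {"status": "failed", "reason": "session_mismatch"}  # ownership check (assumed)
        self.sessions.delete(session_id)
        return {"status": "ok", "session_id": session_id}

def build_demo_idsp(now):
    """Constructed sample data: alice and mallory may log out of sp-a; alice holds two sessions."""
    sessions = SessionManager()
    sessions.create(Session("sess-1", "alice", "sp-a", now + 600))
    sessions.create(Session("sess-2", "alice", "sp-b", now + 600))
    policy = SystemPolicyManager({"alice": {"sp-a"}, "mallory": {"sp-a"}})
    return ServiceLogoutRequestProcessor(policy, sessions)
```

Note that a successful request removes only the session named in it; the user's other service session stays live, which is exactly the per-site logout the patent contrasts with Liberty Alliance single logout.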
Industrial Applicability
[25] The present invention increases security in the SSO service, enhances the reliability of the service, and increases the efficiency of system management by providing a service-logout service in which users of the SSO service using the federated identity are allowed to log out from the respective sites separately.
[26] While the present invention has been described and illustrated herein with reference to the preferred embodiments thereof, it will be apparent to those skilled in the art that various modifications and variations can be made therein without departing from the spirit and scope of the invention. Thus, it is intended that the present invention covers the modifications and variations of this invention that come within the scope of the appended claims and their equivalents.