WO2006065004A1 - System and method for logging out of a service session in a sign-on service using an identifier - Google Patents


Publication number
WO2006065004A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
logout
session
request
referring
Application number
PCT/KR2005/000713
Other languages
English (en)
Inventor
Sang Rae Cho
Yeong Sub Cho
Dae Seon Choi
Jong Hyouk Noh
Taesung Kim
Seung Hyun Kim
Seung Hun Jin
Original Assignee
Electronics And Telecommunications Research Institute
Application filed by Electronics And Telecommunications Research Institute
Publication of WO2006065004A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Definitions

  • The present invention relates to a system and a method for performing a service logout in a single-sign-on service using a federated identity.
  • Korean patent application No. 10-2000-0044999, titled "Method for performing automatic joining and automatic login of an Internet site and system using the same", discloses an authentication technology whereby, when a member of a site accesses another external site linked to that site, the member is granted the same rights as a member of the external site without a separate login procedure.
  • The above Korean application thus discloses an SSO (Single-Sign-On) method in which, when a user intends to become a member of a predetermined site (sub-site), the system delivers the user's member information from a site the user has already joined (main-site) to the sub-site, so that the user obtains the same rights as a member of the main site at the sub-site without a separate login procedure.
  • SSO: Single-Sign-On
  • The Liberty Alliance group provides a single-logout service in which the respective SPs manage user IDs and passwords and cooperate with one another to provide an Internet SSO service, and a user who wishes to log out is logged out from all logged-in SPs at once.
  • Liberty Alliance does not, however, provide a service that lets a user log out from a single website when the user wants to leave that site and does not wish to return to it.
Disclosure of Invention
Technical Problem
  • Accordingly, the present invention is directed to a system and a method for performing a service logout in a single-sign-on service that substantially obviate one or more of the problems due to limitations and disadvantages of the related art.
  • An object of the present invention is to provide a system and a method for performing a service logout in a single-sign-on service using a federated identity, capable of processing service-logout requests in cooperation with system policies and sessions so as to support logout from individual sites, which a related-art SSO cannot provide.
  • A system is provided for performing a service logout in a single-sign-on service using a federated identity, which includes: a service-logout-request processor for receiving a service-logout request from an SP, referring to policies regarding service logout through a system policy manager, and referring to whether a session is valid through a session manager; the system policy manager, for referring to whether the user has the right to perform a service logout and to other policies necessary for the service logout; and the session manager, for managing the authentication session and the service session of the user and referring to whether a session exists and is valid in order to log out from the service session.
  • A method is provided for performing a service logout in a single-sign-on service using a federated identity, which includes the steps of: referring to service-logout policies through a policy database (DB) when a service-logout request is received; judging whether the service-logout request is valid on the basis of the referred policy; if the request is judged valid, referring to the session information using the session ID and checking whether the session is valid; and if the session is currently valid, deleting the session.
  • DB: policy database
  • FIG. 1 is a view schematically illustrating a structure of a system for performing a service logout in a single-sign-on service using a federated identity according to the present invention
  • FIG. 2 is a view schematically illustrating a structure and an operation principle of a system policy manager according to the present invention
  • FIG. 3 is a view schematically illustrating a structure and an operation principle of a session manager according to the present invention
  • FIG. 4 is a flowchart illustrating a schematic processing procedure of a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
  • FIG. 5 is a flowchart illustrating a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
Best Mode for Carrying Out the Invention
  • FIG. 1 is a view schematically illustrating a structure of a system for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
  • The SP 2000 provides services to users on-line.
  • The SP 2000 has a service-logout request and response processor for requesting an ID service provider (IDSP) 1000 to perform a service logout, receiving the response from the IDSP 1000, and outputting a response message to the user's web browser.
  • IDSP: ID service provider
  • The IDSP 1000 is intended for allowing users to log in to a plurality of sites through an
  • The IDSP 1000 includes a service-logout-request processor 100 for receiving a user's service-logout request transmitted from the SP 2000 and referring to policies regarding service logout by communicating with a system policy manager; the system policy manager 200, for referring to whether the user has the right to perform a service logout and to other policies necessary for the service logout; and a session manager 300, for managing the authentication session and the service session of the user and referring to whether a session exists and is valid in order to log out from the service session.
  • The service-logout-request processor 100 decides, on the basis of the information referred through the system policy manager 200 and the session manager 300, whether to log out from the service session, performs the logout, and transmits the result to the SP.
  • FIG. 2 is a view schematically illustrating a structure and an operation principle of a system policy manager 200 for managing policies regarding an SSO according to the present invention.
  • The system policy manager 200 has a policy request receiver 201 for receiving requests regarding a variety of policies and a policy dispatcher 202 for classifying the requests according to their kind and sending them to the relevant module.
  • Operations on the policies are roughly classified into registration, inquiry, change, and deletion.
  • the system policy manager 200 refers to the policies through a policy database (DB) when performing each operation.
  • FIG. 3 is a view schematically illustrating a structure and an operation principle of a session manager 300 for managing SSO sessions according to the present invention.
  • The session manager 300 has a session handler 301 for receiving and analyzing all operations regarding sessions and dispatching each to the relevant operation. The session handler keeps session information in memory and also records it in a session DB so that log information remains afterwards; it therefore accesses the DB when generating and deleting a session, whereas referring to and updating a session are performed directly in memory.
  • FIG. 4 is a flowchart illustrating a schematic processing procedure of a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention. When a user designates an IDSP at an SP 2000 and makes a service-logout request, the SP 2000 generates a service-logout request message and transmits it to the IDSP 1000 through the user's web browser. A redirection, one of the communication methods generally used on the web, is used for this.
  • The SP 2000 transmits the user's login ID and the session ID issued when the user logged in to the SP 2000 together with the request message.
  • The IDSP 1000, having received the request message, executes the service logout on the user's behalf, builds a response message from the result, and transmits the response message to the SP 2000 using a redirection.
  • The SP 2000, having received the response message, informs the user of the result of the requested service.
  • FIG. 5 is a flowchart illustrating a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
  • The service-logout-request processor 100 of the IDSP 1000 receives a service-logout request
  • The service-logout policies are referred to through the system policy manager 200 first (S11), and whether the user has the right to request a service logout is judged on the basis of the referred policy (S12).
  • The session information is then referred to using the session ID through the session manager 300 (S13). Whether the session information exists and is currently valid is checked (S14), and the session manager is requested to delete the relevant service session (S15).
  • A response message is generated and transmitted to the SP 2000, whereby the service-logout procedure is completed.
  • By providing a service-logout service in which users of an SSO service based on a federated identity may log out from individual sites separately, the present invention increases the security of the SSO service, enhances the reliability of the service, and makes system management more efficient.
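The IDSP-side processing of FIGs. 1 to 5, as an added Python example; this is not code from the patent or from ETRI. It models the three components named on the page (service-logout-request processor 100, system policy manager 200, session manager 300), runs steps S11 to S15 in the order the page gives them, and shows that only the one service session is deleted while the user's authentication session and the service sessions at other SPs survive. Everything not named on the page is an assumption: the page does not say how the IDSP authenticates a request that reaches it through the user's browser by redirection, so the example has the SP put an HMAC over (SP ID, login ID, session ID) under a key shared with the IDSP; the policy DB and session DB are replaced by a dict and a list; and all identifiers, SP names, keys and timestamps are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    session_id: str
    login_id: str
    sp_id: Optional[str]  # None marks the user's authentication session at the IDSP
    expires_at: float

class SessionManager:
    """Session handler (FIG. 3): sessions live in memory; the DB log is written only on create/delete."""

    def __init__(self):
        self.live: dict = {}
        self.session_db_log: list = []

    def create(self, session_id, login_id, sp_id, ttl, now):
        self.live[session_id] = Session(session_id, login_id, sp_id, now + ttl)
        self.session_db_log.append(("create", session_id, login_id))

    def refer(self, session_id):
        return self.live.get(session_id)  # memory only, no DB access

    def delete(self, session_id):
        s = self.live.pop(session_id)
        self.session_db_log.append(("delete", session_id, s.login_id))

class SystemPolicyManager:
    """Policy manager (FIG. 2) reduced to one inquiry; the dict stands in for the policy DB (assumption)."""

    def __init__(self, policy_db):
        self.db = policy_db

    def may_service_logout(self, login_id, sp_id):
        return self.db.get(login_id, {}).get(sp_id, False)

def request_mac(key: bytes, sp_id: str, login_id: str, session_id: str) -> str:
    """MAC the SP puts on the redirect-borne request (assumption, see lead-in)."""
    msg = "|".join((sp_id, login_id, session_id)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ServiceLogoutRequestProcessor:
    """Service-logout-request processor 100 running steps S11 to S15 of FIG. 5."""

    def __init__(self, policy, sessions, sp_keys):
        self.policy, self.sessions, self.sp_keys = policy, sessions, sp_keys

    def handle(self, req: dict, now: float) -> dict:
        # Added check: the request reaches the IDSP through the user's browser by
        # redirection, so act only on requests with a valid MAC under the named SP's key.
        key = self.sp_keys.get(req["sp_id"])
        if key is None or not hmac.compare_digest(
                request_mac(key, req["sp_id"], req["login_id"], req["session_id"]), req["mac"]):
            return {"status": "Rejected", "reason": "unauthenticated request"}
        # S11/S12: refer to the service-logout policy and judge the user's right.
        if not self.policy.may_service_logout(req["login_id"], req["sp_id"]):
            return {"status": "Denied", "reason": "policy forbids service logout"}
        # S13/S14: refer to the session by ID; it must exist, be unexpired, and be
        # this user's service session with this SP.
        s = self.sessions.refer(req["session_id"])
        if s is None or now >= s.expires_at:
            return {"status": "Failed", "reason": "no valid session"}
        if (s.login_id, s.sp_id) != (req["login_id"], req["sp_id"]):
            return {"status": "Failed", "reason": "session belongs to another user or SP"}
        # S15: delete only this service session; the authentication session and the
        # service sessions at other SPs survive (single-site logout, not single logout).
        self.sessions.delete(req["session_id"])
        return {"status": "Success", "deleted": req["session_id"]}

def demo() -> dict:
    """Constructed scenario: an IDSP auth session, two SPs' service sessions, one expired session."""
    now = 1000.0
    sessions = SessionManager()
    sessions.create("auth-1", "alice", None, 3600, now)
    sessions.create("svc-shop", "alice", "shop.example", 3600, now)
    sessions.create("svc-mail", "alice", "mail.example", 3600, now)
    sessions.create("svc-old", "alice", "shop.example", 60, now - 120)  # already expired
    sp_keys = {"shop.example": b"shop-shared-key", "mail.example": b"mail-shared-key"}
    policy = SystemPolicyManager({"alice": {"shop.example": True, "mail.example": False}})
    proc = ServiceLogoutRequestProcessor(policy, sessions, sp_keys)

    def req(sp_id, login_id, session_id, key):
        return {"sp_id": sp_id, "login_id": login_id, "session_id": session_id,
                "mac": request_mac(key, sp_id, login_id, session_id)}

    shop, mail = sp_keys["shop.example"], sp_keys["mail.example"]
    return {
        "shop": proc.handle(req("shop.example", "alice", "svc-shop", shop), now),
        "mail_denied": proc.handle(req("mail.example", "alice", "svc-mail", mail), now),
        "forged": proc.handle(req("shop.example", "alice", "svc-mail", b"guess"), now),
        "cross_sp": proc.handle(req("shop.example", "alice", "svc-mail", shop), now),
        "expired": proc.handle(req("shop.example", "alice", "svc-old", shop), now),
        "remaining": sorted(sessions.live),
        "log": list(sessions.session_db_log),
    }
```

Calling `demo()` exercises the success path plus the four refusals a practitioner would want to see handled: a policy denial (S12), a request whose MAC does not verify, a correctly authenticated request from one SP that names another SP's session, and a session that exists but has expired (S14). Because `refer` never touches the DB log, the log ends up with exactly one entry per create and per delete, which is the split between memory and DB that the FIG. 3 description requires.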

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a system and a method for logging out of a service session in a sign-on service. The system of the invention comprises a service-session logout request processor, a system policy manager, and a session manager. The service-session logout request processor receives a service-session logout request from a service provider (SP), refers to policies concerning a service-session logout by means of the system policy manager, and checks whether a session is valid by means of the session manager. The system policy manager checks whether a user has the right to log out of the service session and refers to other policies needed for the service-session logout. The session manager manages an authentication session and a service session of the user and checks whether an existing session is current and valid in order to log out of the service session.
PCT/KR2005/000713, priority date 2004-12-15, filing date 2005-03-14: System and method for logging out of a service session in a sign-on service using an identifier, WO2006065004A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020040106627A (KR10-2004-0106627), published as KR20060067732A (ko) 2004-12-15 2004-12-15 Service logout system and method in a single authentication service using a federated identity

Publications (1)

Publication Number Publication Date
WO2006065004A1 (fr) 2006-06-22

Family

ID=36588032

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2005/000713 WO2006065004A1 (fr) 2004-12-15 2005-03-14 System and method for logging out of a service session in a sign-on service using an identifier

Country Status (2)

Country Link
KR (1) KR20060067732A (fr)
WO (1) WO2006065004A1 (fr)


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101042484B1 (ko) * 2008-12-19 2011-06-16 주식회사 케이티 Service linkage apparatus and method for single login and logout
CN114615084B (zh) * 2022-04-11 2024-04-16 西安热工研究院有限公司 Single sign-on logout method applied to a front-end/back-end separation scenario, ***, electronic device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003073242A1 (fr) * 2002-02-28 2003-09-04 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for handling user identities under single sign-on services
WO2004075035A1 (fr) * 2003-02-21 2004-09-02 Telefonaktiebolaget Lm Ericsson (Publ) Anonymization of service providers in a single sign-on system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Jun Miyoshi, "Network-based Single Sign-On Architecture for IP-VPN", IEEE Communications, Computer and Signal Processing, vol. 1, 28-30 August 2003, pp. 458-461 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7743153B2 (en) * 2006-01-18 2010-06-22 International Business Machines Corporation Killing login-based sessions with a single action
WO2008003593A1 (fr) * 2006-07-07 2008-01-10 International Business Machines Corporation Method and system for policy-based initiation of federation management
US8825855B2 (en) 2011-03-31 2014-09-02 International Business Machines Corporation Non-intrusive single sign-on mechanism in cloud services
CN103560884A (zh) * 2013-10-28 2014-02-05 上海浦东物流云计算有限公司 Logout method for user identity information, ***, authentication server and client
CN103560884B (zh) * 2013-10-28 2016-08-17 上海浦东物流云计算有限公司 Logout method for user identity information, ***, authentication server and client
CN110365680A (zh) * 2019-07-16 2019-10-22 中国联合网络通信集团有限公司 Batch logout method and apparatus based on single sign-on
CN110365680B (zh) * 2019-07-16 2022-04-15 中国联合网络通信集团有限公司 Batch logout method and apparatus based on single sign-on

Also Published As

Publication number Publication date
KR20060067732A (ko) 2006-06-20

Similar Documents

Publication Publication Date Title
JP4579546B2 (ja) Method and apparatus for handling user identifiers in a single sign-on service
TWI400922B (zh) Authentication of a principal in a federation
US8332919B2 (en) Distributed authentication system and distributed authentication method
EP2375688B1 (fr) Managing automatic log in to Internet target resources
EP2643955B1 (fr) Methods for authorizing access to protected content
US9197639B2 (en) Method for sharing data of device in M2M communication and system therefor
US8683565B2 (en) Authentication
US9319412B2 (en) Method for establishing resource access authorization in M2M communication
WO2013099065A1 (fr) Authentication coordination system and ID provider device
US9319413B2 (en) Method for establishing resource access authorization in M2M communication
EP3297243B1 (fr) Trusted login method and device
US20110010762A1 (en) Identity management
CN112235265B (zh) Project progress *** and method for external network access
US20070209066A1 (en) Method and system for identity management integration
US6874088B1 (en) Secure remote servicing of a computer system over a computer network
WO2008001338A2 (fr) Secure communication network user mobility apparatus and methods
WO2006065004A1 (fr) System and method for logging out of a service session in a sign-on service using an identifier
JP2002334056A (ja) Login proxy system and login proxy method
CN113922982B (zh) Login method, electronic device and computer-readable storage medium
US11165768B2 (en) Technique for connecting to a service
KR101186695B1 (ko) ID-federation-based site linkage method using a federation cookie
KR20070009490A (ko) IP-address-based user authentication system and method
KR20130124447A (ko) Intelligent login authentication system and method
KR101256675B1 (ko) ID theft prevention system and service method therefor, and single sign-on system applying the same and service method therefor
US20060048198A1 (en) Establishing remote connections

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05789406

Country of ref document: EP

Kind code of ref document: A1