WO2006065004A1 - System and method for logging out of a service session in a single-sign-on service using an identifier - Google Patents
- Publication number: WO2006065004A1 (PCT/KR2005/000713)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- service
- logout
- session
- request
- referring
Classifications
- H04L63/102: Network architectures or network communication protocols for network security, for controlling access to devices or network resources; entity profiles
- H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L63/0815: Network architectures or network communication protocols for network security, for authentication of entities providing single-sign-on or federations
Definitions
- the present invention relates to a system and a method for performing a service logout in a single-sign-on service using federated identity.
- a Korean patent application No. 10-2000-0044999 titled "Method for performing automatic joining and automatic login of an Internet site and system using the same" discloses an authentication technology such that when a member of the site accesses another external site linked by the site, the member is allowed to obtain the same rights as a member of the external site without a separate login procedure.
- the above Korean application discloses an SSO (Single-Sign-On) method, in which when the users intend to become a member of a predetermined site (sub-site) the system delivers member information of a site (main-site) already joined by the users to the sub-site, thereby allowing the users to achieve the same rights as the member of the main site also in the sub-site without a separate login-procedure.
- SSO: Single-Sign-On
- the Liberty Alliance group provides a single-logout service in which the respective SPs manage user IDs and passwords and work in cooperation with one another to provide an Internet SSO service to users, and users are allowed to log out from all the logged-in SPs at once if they desire to log out.
- Liberty Alliance does not provide a service allowing users to log out of a single website when they want to leave the visited website and no longer wish to come back to that site.
Disclosure of Invention: Technical Problem
- the present invention is directed to a system and a method for performing a service logout in a single-sign-on service that substantially obviate one or more of the problems due to limitations and disadvantages of the related art.
- An object of the present invention is to provide a system and a method for performing a service logout in a single-sign-on service using a federated identity capable of processing service-logout requests in cooperation with system policies and sessions so as to support logouts from respective sites which cannot be provided by a related art SSO.
- a system is provided for performing a service logout in a single-sign-on service using a federated identity, which includes: a service-logout-request processor for receiving a service-logout request from an SP, referring to policies regarding a service logout through a system policy manager, and referring to whether a session is valid through a session manager; a system policy manager for referring to whether a user has rights to perform a service logout and referring to other policies necessary for the service logout; and a session manager for managing an authentication session and a service session of the user and referring to whether a session exists and is valid in order to log out from the service session.
- a method is provided for performing a service logout in a single-sign-on service using a federated identity, which includes the steps of: referring to service-logout policies through a policy database (DB) when a service-logout request is received; judging whether the service-logout request is valid on the basis of the referred policy; if the service-logout request is valid as a result of the judgment, referring to session information using a session ID and checking whether the session is valid; and if the session is currently valid as a result of the checking, deleting the session.
- DB: policy database
- FIG. 1 is a view schematically illustrating a structure of a system for performing a service logout in a single-sign-on service using a federated identity according to the present invention
- FIG. 2 is a view schematically illustrating a structure and an operation principle of a system policy manager according to the present invention
- FIG. 3 is a view schematically illustrating a structure and an operation principle of a session manager according to the present invention
- FIG. 4 is a flowchart illustrating a schematic processing procedure of a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
- FIG. 5 is a flowchart illustrating a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
Best Mode for Carrying Out the Invention
- FIG. 1 is a view schematically illustrating a structure of a system for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
- the SP 2000 is intended for providing services to users on-line.
- the SP 2000 has a service-logout request and response processor for requesting an ID service provider (IDSP) 1000 to perform a service logout and receiving a response thereto from the IDSP 1000, in order to output a response message to the user's web browser.
- IDSP: ID service provider
- the IDSP 1000 is intended for allowing users to login a plurality of sites through an
- the IDSP 1000 includes a service-logout-request processor 100 for receiving a service-logout request of a user transmitted from the SP 2000 and referring to policies regarding the service logout by communicating with a system policy manager; the system policy manager 200 for referring to whether the user has rights to perform a service logout and referring to other policies necessary for the service logout; and a session manager 300 for managing an authentication session and a service session of the user and referring to whether a session exists and is valid in order to log out from the service session.
- the service-logout-request processor 100 determines whether to log out from the service session and performs the logout on the basis of the information referred to through the system policy manager 200 and the session manager 300, and transmits the results to the SP.
- FIG. 2 is a view schematically illustrating a structure and an operation principle of a system policy manager 200 for managing policies regarding an SSO according to the present invention.
- the system policy manager 200 has a policy request receiver 201 for receiving requests regarding a variety of policies and a policy dispatcher 202 for classifying the requests according to their kind and sending the classified requests to the relevant module.
- the policies are roughly classified into registration, inquiry, change, and deletion operations.
- the system policy manager 200 refers to the policies through a policy database (DB) when performing each operation.
- FIG. 3 is a view schematically illustrating a structure and an operation principle of a session manager 300 for managing SSO sessions according to the present invention.
- the session manager 300 has a session handler 301 for receiving and analyzing all operations regarding the session and dispatching each request to the relevant operation. Since the session handler manages session information in memory and records it in a session DB so that log information remains afterwards, the session handler accesses the DB to leave a record when generating and deleting a session. By contrast, when referring to and updating a session, the session handler performs the operations directly in memory.
- FIG. 4 is a flowchart illustrating a schematic processing procedure of a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention. If a user designates an IDSP at an SP 2000 to make a service-logout request, the SP 2000 generates a service-logout request message and transmits it to the IDSP 1000 through the user's web browser. At this point a redirection, one of the communication methods generally used on the web, is used.
- the SP 2000 transmits a login ID of the user and a session ID given when logging in the SP 2000 together with the request message.
- the IDSP 1000 that has received the request message executes a service logout upon request of the user, makes a response message using results thereof, and transmits the response message to the SP 2000 using a redirection.
- the SP 2000 that has received the response message informs the user of the results regarding the requested service.
- FIG. 5 is a flowchart illustrating a method for performing a service logout in a single-sign-on service using a federated identity according to the present invention.
- the service-logout-request processor 100 of the IDSP 1000 receives a service-logout request
- the service-logout policies are referred to by the system policy manager 200 first (S11), and whether the user has rights to request a service logout is judged on the basis of the referred policy (S12).
- the session information is referred to using the session ID through the session manager 300 (S13). Whether the session information exists and is currently valid is checked (S14), and the session manager is requested to delete the relevant service session (S15).
- a response message is generated and transmitted to the SP 2000, whereby the service-logout procedure is completed.
- the present invention increases security in the SSO service as well as enhances reliability of the service and increases efficiency of the system management by providing the service-logout service in that the users of the SSO service using the federated identity may be allowed to separately logout from the respective sites.
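As an added illustration (not code from the patent), the service-logout flow of FIG. 5 as the IDSP would process it, with a constructed policy DB and session store; the policy values, session IDs and the check that the session is bound to the requesting login ID and SP are assumptions of this example:

```python
import time
from dataclasses import dataclass

# Constructed sample policy DB (FIG. 2): users holding the service-logout right and SPs with it enabled.
POLICY_DB = {"users_with_logout_right": {"alice"}, "sps_with_service_logout": {"sp-2000", "sp-3000"}}

@dataclass
class Session:
    session_id: str
    user_id: str
    sp_id: str        # "" for the IDSP authentication session
    kind: str         # "auth" (IDSP) or "service" (one SP)
    expires_at: float

class SystemPolicyManager:
    """Refers to the service-logout policies in the policy DB (steps S11/S12)."""
    def __init__(self, policy_db):
        self.db = policy_db
    def may_service_logout(self, user_id, sp_id):
        return (user_id in self.db["users_with_logout_right"]
                and sp_id in self.db["sps_with_service_logout"])

class SessionManager:
    """Session handler (FIG. 3): live sessions in memory; create/delete also go to the log DB."""
    def __init__(self):
        self.memory = {}
        self.db_log = []                    # stands in for the session DB records
    def create(self, s):
        self.memory[s.session_id] = s
        self.db_log.append(("create", s.session_id))
    def refer(self, session_id):            # referring reads memory only
        return self.memory.get(session_id)
    def delete(self, session_id):
        self.memory.pop(session_id, None)
        self.db_log.append(("delete", session_id))

def process_service_logout(req, policy_mgr, session_mgr, now=None):
    """Service-logout-request processor (FIG. 5); req carries login ID, SP ID and session ID."""
    now = time.time() if now is None else now
    if not policy_mgr.may_service_logout(req["login_id"], req["sp_id"]):   # S11, S12
        return {"status": "denied", "reason": "policy"}
    s = session_mgr.refer(req["session_id"])                                # S13
    if s is None or s.expires_at <= now or s.kind != "service":             # S14
        return {"status": "failed", "reason": "no valid service session"}
    if s.user_id != req["login_id"] or s.sp_id != req["sp_id"]:             # assumed binding check
        return {"status": "denied", "reason": "session not bound to requester"}
    session_mgr.delete(s.session_id)                                        # S15
    return {"status": "ok", "logged_out": s.session_id}

def demo(now=1000.0):
    """Alice is logged in at the IDSP and at two SPs; she logs out of sp-2000 only."""
    pm, sm = SystemPolicyManager(POLICY_DB), SessionManager()
    sm.create(Session("auth-1", "alice", "", "auth", now + 3600))
    sm.create(Session("svc-2000", "alice", "sp-2000", "service", now + 3600))
    sm.create(Session("svc-3000", "alice", "sp-3000", "service", now + 3600))
    req = {"login_id": "alice", "sp_id": "sp-2000", "session_id": "svc-2000"}
    first = process_service_logout(req, pm, sm, now)
    replay = process_service_logout(req, pm, sm, now)        # same request again: session is gone
    other = process_service_logout({"login_id": "bob", "sp_id": "sp-3000", "session_id": "svc-3000"}, pm, sm, now)
    return first, replay, other, sorted(sm.memory), sm.db_log[-1]
```

Note that after the logout the IDSP authentication session and the service session at the other SP survive, which is the single-site behaviour the patent contrasts with Liberty Alliance single logout.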
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
KR10-2004-0106627 | 2004-12-15 | |
KR1020040106627A (KR20060067732A, ko) | 2004-12-15 | 2004-12-15 | System and method for service logout in a single-sign-on service using federated identity
Publications (1)
Publication Number | Publication Date
---|---
WO2006065004A1 (fr) | 2006-06-22
Family
ID=36588032
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
PCT/KR2005/000713 WO2006065004A1 (fr) | 2004-12-15 | 2005-03-14 | System and method for logging out of a service session in a single-sign-on service using an identifier
Country Status (2)
Country | Link |
---|---|
KR (1) | KR20060067732A (fr) |
WO (1) | WO2006065004A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101042484B1 (ko) * | 2008-12-19 | 2011-06-16 | 주식회사 케이티 | 단일 로그인 및 로그아웃을 위한 서비스 연계 장치 및 그 방법 |
CN114615084B (zh) * | 2022-04-11 | 2024-04-16 | 西安热工研究院有限公司 | 一种应用于前后端分离场景的单点登录注销方法、***、电子设备和储存介质 |
- 2004-12-15: KR application KR1020040106627A (KR20060067732A), status: Search and Examination
- 2005-03-14: WO application PCT/KR2005/000713 (WO2006065004A1), status: Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
WO2003073242A1 (fr) * | 2002-02-28 | 2003-09-04 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for handling user identities under single sign-on services
WO2004075035A1 (fr) * | 2003-02-21 | 2004-09-02 | Telefonaktiebolaget Lm Ericsson (Publ) | Anonymization of service providers in a single sign-on system
Non-Patent Citations (1)
Title
---
JUN MIYOSHI: "Network-based Single Sign-On Architecture for IP-VPN", IEEE Communications, Computer and Signal Processing, vol. 1, 28-30 August 2003, pages 458-461 *
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US7743153B2 (en) * | 2006-01-18 | 2010-06-22 | International Business Machines Corporation | Killing login-based sessions with a single action
WO2008003593A1 (fr) * | 2006-07-07 | 2008-01-10 | International Business Machines Corporation | Method and system for rule-based triggering of federation management
US8825855B2 (en) | 2011-03-31 | 2014-09-02 | International Business Machines Corporation | Non-intrusive single sign-on mechanism in cloud services
CN103560884A (zh) * | 2013-10-28 | 2014-02-05 | 上海浦东物流云计算有限公司 | Method, system, authentication server and client for logging out user identity information
CN103560884B (zh) * | 2013-10-28 | 2016-08-17 | 上海浦东物流云计算有限公司 | Method, system, authentication server and client for logging out user identity information
CN110365680A (zh) * | 2019-07-16 | 2019-10-22 | 中国联合网络通信集团有限公司 | Batch logout method and device based on single sign-on
CN110365680B (zh) * | 2019-07-16 | 2022-04-15 | 中国联合网络通信集团有限公司 | Batch logout method and device based on single sign-on
Also Published As
Publication number | Publication date |
---|---|
KR20060067732A (ko) | 2006-06-20 |
Similar Documents
Publication | Title
---|---
JP4579546B2 (ja) | Method and apparatus for handling user identifiers in a single sign-on service
TWI400922B (zh) | Authentication of principals in a federation
US8332919B2 (en) | Distributed authentication system and distributed authentication method
EP2375688B1 (fr) | Managing automatic login to target resources on the Internet
EP2643955B1 (fr) | Methods for authorizing access to protected content
US9197639B2 (en) | Method for sharing data of device in M2M communication and system therefor
US8683565B2 (en) | Authentication
US9319412B2 (en) | Method for establishing resource access authorization in M2M communication
WO2013099065A1 (fr) | Authentication coordination system and ID provider device
US9319413B2 (en) | Method for establishing resource access authorization in M2M communication
EP3297243B1 (fr) | Secure login method and device
US20110010762A1 (en) | Identity management
CN112235265B (zh) | System and method for accessing project progress from an external network
US20070209066A1 (en) | Method and system for identity management integration
US6874088B1 (en) | Secure remote servicing of a computer system over a computer network
WO2008001338A2 (fr) | Secure communication network user mobility apparatus and methods
WO2006065004A1 (fr) | System and method for logging out of a service session in a single-sign-on service using an identifier
JP2002334056A (ja) | Login proxy system and login proxy method
CN113922982B (zh) | Login method, electronic device and computer-readable storage medium
US11165768B2 (en) | Technique for connecting to a service
KR101186695B1 (ko) | Site linkage method based on ID federation using federation cookies
KR20070009490A (ko) | IP address based user authentication system and method
KR20130124447A (ko) | Intelligent login authentication system and method
KR101256675B1 (ko) | ID theft prevention system and service method thereof, and single sign-on system applying the same and service method thereof
US20060048198A1 (en) | Establishing remote connections
Legal Events
Date | Code | Title | Description
---|---|---|---
| AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG
| 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application |
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: PCT application non-entry in European phase | Ref document number: 05789406. Country of ref document: EP. Kind code of ref document: A1