WO2010083889A1 - Identity management scheme - Google Patents

Identity management scheme

Info

Publication number
WO2010083889A1
Authority
WO
WIPO (PCT)
Prior art keywords
provider
service
address
identity
identity provider
Application number
PCT/EP2009/050771
Other languages
French (fr)
Inventor
Jin Liu
Original Assignee
Nokia Siemens Networks Oy

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • The invention relates to identity management and, more specifically, to access to identity management information.
  • Figure 1 is a block diagram demonstrating an aspect of identity management.
  • Figure 1 shows a system, indicated generally by the reference numeral 2, comprising an end user 4, a service provider 6 and an identity provider 8.
  • When the end user 4 of the system 2 wants to access a secure resource at the service provider 6, and the service provider 6 requires the user's identity to be authenticated, the identity provider 8 can be used to provide the required authentication information to the service provider.
  • Figure 2 shows an algorithm, indicated generally by the reference numeral 10, showing how the system 2 can be used to provide the end user 4 with access to a secure service provided by the service provider 6.
  • The algorithm 10 starts at step 12, at which step the end user 4 sends a message to the service provider 6 (for example using a web browser) requesting access to a particular application provided by the service provider.
  • The service requires user credentials, which are not provided in the request.
  • The algorithm 10 moves to step 13, at which step a discovery process is carried out.
  • The discovery process 13 determines the location of the identity provider 8.
  • Next, the algorithm 10 moves to step 14, at which step the service provider 6 redirects the user to the identity provider 8.
  • The algorithm 10 then moves to step 16, where the identity provider 8 provides user credential data to the service provider 6 (via the user).
  • In response to receiving the user credentials, the service provider 6 grants the user access to the requested service (step 18).
  • The algorithm 10 may be implemented using the Security Assertion Markup Language (SAML) protocol, as shown, by way of example, in the message sequence 20 of Figure 3.
  • SAML is an XML (Extensible Markup Language) based standard for exchanging authentication and authorization data between security domains.
  • For example, SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
  • SAML is a specification defined by OASIS (the Organization for the Advancement of Structured Information Standards).
  • The message sequence 20 begins with the user browser 4 issuing an HTTP request 22 to the service provider 6, requesting access to a secure resource at the service provider, thereby implementing step 12 of the algorithm 10.
  • In response to the request 22, the service provider 6 issues an HTTP redirect message 24 to the browser, instructing the user browser 4 to obtain user credentials from a particular identity provider.
  • The user browser then sends a SAML authentication request 26 to the identity provider 8 indicated in the redirect message 24.
  • The sending of the redirect message 24 and the request 26 implement step 14 of the algorithm 10.
  • In response to the request 26, the identity provider 8 replies with an HTTP redirect message 28, including the requested SAML assertion, thereby implementing step 16 of the algorithm 10.
  • Next, the user browser sends a SAML authentication response 30 to the service provider, including the SAML assertion obtained from the identity provider 8.
  • Once the SAML assertion has been verified by the service provider 6 (in SAML terms: its signature checked against the metadata of a trusted identity provider, and its issuer, audience, validity period and InResponseTo value checked), the service provider provides the user with access to the requested secure resource and sends an HTTP response 32 to the browser 4 (implementing step 18 of the algorithm 10).
  • The discovery step (step 13) of the algorithm 10 involves determining the location of the identity provider 8 and providing that information in a form that can be communicated to the user.
  • The discovery step 13 enables the service provider 6 to issue the HTTP redirect message 24 to the user browser 4 including the location of the identity provider 8. It is, of course, possible for the service provider 6 to retain information regarding the identity provider used for each user, but this is clearly impractical as the number of users increases and it does not allow for new users to access the service provider. Accordingly, the need for a discovery process can limit the use of the algorithm 10.
  • One approach for overcoming the need for a discovery process is to define a single identity provider that must be used by all users in order to access secure services provided by the service provider 6; however, this approach is inflexible, since it requires all users to have an account with that identity provider.
  • An alternative approach is to require the user to manually input the address of the identity provider being used by that user. This is inconvenient for the user and is vulnerable to user errors.
  • The present invention seeks to address at least some of the problems outlined above.
  • In accordance with an aspect of the present invention, there is provided a method comprising: issuing a request to a service provider for access to a service provided by the service provider; receiving an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and retrieving a second address for the identity provider from a first server (for example, using the first address).
  • The first server may be programmed with the details of the identity provider to use. For example, a particular user may specify in advance that a particular identity provider should be used.
  • The first server may be a name server, such as a domain name system (DNS) server.
  • In accordance with an aspect of the invention, there is provided a method comprising: receiving (for example, at a service provider) a request (for example, from a user device or browser) for access to a service; and issuing an authentication request (for example, to the user device or browser), wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or the identity of an entity issuing the request for access to the service.
  • An authentication assertion (such as a SAML assertion) may be received from the user device.
  • In accordance with a further aspect of the invention, there is provided a method comprising: issuing a request from a user browser to a service provider for access to a service provided by the service provider; issuing an authentication request from the service provider to the user browser, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and retrieving a second address (for example, using the first address) for the identity provider from a first server (such as a DNS server).
  • An apparatus (such as a user browser) comprising: a first output adapted to issue a request to a service provider for access to a service provided by the service provider; a first input adapted to receive an authentication request from the service provider, the authentication request including an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and a second output for issuing a request to a first server for a second address for the identity provider (for example, on the basis of said first address).
  • The first server may be a name server, such as a domain name system (DNS) server.
  • The first and second outputs of the apparatus may be implemented using a single physical output.
  • An apparatus, such as a service provider, comprising: a first input adapted to receive a request (for example, from a user device or browser) for access to a service; and a first output for issuing an authentication request (for example, to the user device or browser), wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service.
  • The apparatus may further comprise a second input for receiving authentication information (for example, from said user device or browser).
  • The first and second inputs of the apparatus may be implemented using a single physical input.
  • A system comprising a user browser and a service provider, wherein: the user browser comprises: a first output adapted to issue a request to the service provider for access to a service provided by the service provider, a first input adapted to receive an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider and the authentication request includes a first address for the identity provider, and a second output for issuing a request to a first server for a second address for the identity provider (for example, on the basis of said first address); the service provider comprises: a first input adapted to receive the request for access to a service, and a first output for issuing the authentication request to the user browser; and wherein the first address for the identity provider is not dependent on either a location of the identity provider or the identity of the user browser issuing the request for access to the service.
  • The first and second outputs of the browser may be implemented using a single physical output.
  • The present invention enables a service provider to redirect a user device, such as a browser, to an identity provider, without the service provider needing to know the details (such as the address) of the identity provider.
  • The invention requires minimal changes to service providers, yet provides significant flexibility.
  • The invention can be provided in a variety of forms and can be made to work with all kinds of user terminals without any configuration, so long as a browser is able to run on the terminal.
  • The invention works with all kinds of identity providers that support federated identity management.
  • Some aspects of the invention make use of the normal functionality of a name server, such as a DNS server, to resolve the name of a virtual address to provide a real address of an identity provider for use in providing authentication information for a user.
  • The invention may further comprise forwarding an authentication request received from the service provider to the identity provider.
  • The invention may further comprise obtaining user credentials, for example in the form of a SAML assertion, from the identity provider.
  • The invention may further comprise forwarding the user credentials to the service provider.
  • In some forms of the invention, the first address is a pre-defined address, such as well-known.idp.org.
  • In some forms of the invention, the first address includes details of characteristics of the identity provider that are desired by the service provider. In other forms of the invention, the first address includes details of characteristics of the identity provider that are required by the service provider. Those details may, for example, include requiring that an identity provided by an identity provider is in accordance with the SAML protocol; in such a scenario the first address may be saml.idp.org. Those details may include requiring that an identity provided by an identity provider is a persistent identity and in accordance with the SAML protocol; in such a scenario the first address may be persistent.saml.idp.org.
  • In this way, the service provider's identity management preferences and/or requirements can be fully communicated to enable the selection of an appropriate identity provider.
  • In some forms of the invention, the second address does not depend on the first address; in other forms, it does.
  • A computer program product comprising: means for issuing a request to a service provider for access to a service provided by the service provider; means for receiving an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and means for using the first address to retrieve a second address for the identity provider from a first server (such as a name server).
  • A computer program comprising: code for issuing a request to a service provider for access to a service provided by the service provider; code for receiving an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and code for retrieving a second address (for example, using the first address) for the identity provider from a first server (such as a name server).
  • The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
  • A computer program product comprising: means for issuing a request from a user browser to a service provider for access to a service provided by the service provider; means for issuing an authentication request from the service provider to the user browser, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and means for retrieving a second address (for example, using the first address) for the identity provider from a first server (such as a name server).
  • A computer program comprising: code for issuing a request from a user browser to a service provider for access to a service provided by the service provider; code for issuing an authentication request from the service provider to the user browser, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and code for using the first address to retrieve a second address for the identity provider from a first server (such as a name server).
  • The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
  • A computer program product comprising: means for receiving a request for access to a service; and means for issuing an authentication request, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or the identity of an entity issuing the request for access to the service.
  • A computer program comprising: code for receiving a request for access to a service; and code for issuing an authentication request, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or the identity of an entity issuing the request for access to the service.
  • The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
  • Figure 1 is a block diagram demonstrating the use of identity management in the prior art;
  • Figure 2 is a flow chart demonstrating a known use of the arrangement of Figure 1;
  • Figure 3 is a message sequence showing a potential implementation of the algorithm of Figure 2;
  • Figure 4 is a block diagram of a system in accordance with an aspect of the present invention;
  • Figure 5 is a message sequence showing an exemplary use of the system of Figure 4, in accordance with an aspect of the present invention;
  • Figure 6 is a block diagram of a system in accordance with an aspect of the present invention.
  • FIG 4 is a block diagram, indicated generally by the reference numeral 40, of a system in accordance with an aspect of the present invention.
  • The system 40 comprises a user browser 42, a domain name system (DNS) server 44 associated with the browser, an identity provider (IDP) 46 and a service provider (SP) 48.
  • The browser 42 is in two-way communication with each of the DNS server 44, identity provider 46 and service provider 48.
  • The identity provider 46 can be used to provide the required authentication information to the service provider.
  • Figure 5 shows a message sequence, indicated generally by the reference numeral 50, showing an exemplary use of the system 40 in accordance with an aspect of the present invention.
  • The message sequence 50 begins with the user browser 42 requesting access to a secure resource at the service provider 48.
  • The request takes the form of an HTTP Request 52 issued by the browser 42 to the service provider 48.
  • The service provider 48 requires the user to be authenticated before access is given to the secure resource.
  • The service provider issues a SAML authentication request in the form of an HTTP Redirect command 54.
  • The HTTP Redirect command 54 indicates the address to which the browser should be directed to obtain authentication data.
  • The service provider 48 does not know the address of the appropriate identity provider 46 to provide the authentication data.
  • Instead, the HTTP Redirect request redirects the browser to a pre-defined "virtual" name, such as "well-known.idp.org", without caring which identity provider will actually authenticate the user.
  • In response to receiving the HTTP Redirect request 54, the user browser sends a message 56 to the DNS server 44 requesting the Internet Protocol (IP) address of the virtual name received from the service provider 48, thereby using the DNS server to resolve the virtual name.
  • The DNS server 44 knows the address of the identity provider appropriate for enabling the user to be authenticated at the service provider 48 and simply returns the IP address of that identity provider to the browser 42 in a message 58.
  • The DNS server may check the name queried in the request 56 against a list of pre-defined names. If a match is found, the identity provider discovery process is triggered.
  • One of the associated identity providers (i.e. the identity provider 46) is chosen, based on policies including the end user's IP address, the queried domain name, the identity provider status and so on.
  • The IP address of the selected identity provider 46 is returned to the end user in the message 58 and the standard identity management process continues, as discussed further below.
  • In this way, the user browser 42 obtains the address of the identity provider 46 without the service provider 48 (or, indeed, the browser 42) needing to know that address in advance.
  • The normal translation functionality provided by the DNS server 44 is used to provide the address of the identity provider 46. Note that a DNS answer is not by itself an authenticated statement about which identity provider is trustworthy: the browser still authenticates the resolved host at the transport layer (so the selected identity provider must be able to serve the virtual name), and the service provider still accepts only assertions that verify against the identity provider metadata it trusts.
  • The remainder of the message sequence 50 is in accordance with the SAML standard, as described above with reference to Figure 3. Accordingly, the user browser 42 uses the IP address received from the DNS server 44 to send a SAML authentication request 60 to the identity provider 46.
  • The identity provider 46 provides a SAML authentication response in the form of an HTTP redirect message 62.
  • The HTTP redirect message 62 carries the user authentication data, and the user browser, as instructed by the redirect message 62, forwards that information to the service provider 48 in a SAML authentication response message 64.
  • The service provider 48 now has the required user authentication details and provides the user with access to the secure resource (message 66).
  • The messages 52 and 54 are the same as the messages 22 and 24 described above with reference to Figure 3, with the exception that the redirect command 24 includes an address of a known identity provider, whereas the message 54 includes a virtual address.
  • The messages 60, 62, 64 and 66 are the same as the messages 26, 28, 30 and 32 described above with reference to Figure 3. Accordingly, the known identity management process is largely unchanged.
  • The system 40 can be easily implemented. The additional step uses a DNS server, and such servers are readily available and understood by persons skilled in the art. Further, the service provider 6 described above with reference to Figures 1 to 3 requires only minor modification to return a virtual identity provider address, rather than carrying out the discovery process 13.
  • The DNS server 44 may obtain the required information regarding the identity provider 46 by manual or automatic configuration beforehand.
  • The information includes, but is not limited to, the identity provider's IP address, the user IP address space it serves, the authentication methods it supports, etc.
  • The virtual identity provider name given by the service provider 48 can be used to specify requirements of the desired identity provider.
  • For example, to require a SAML identity provider, the redirect instruction 54 may include the identity provider name saml.idp.org.
  • To require a persistent SAML identity, the redirect instruction 54 may include the IDP name persistent.saml.idp.org.
  • FIG 6 is a block diagram of a system, indicated generally by the reference numeral 70, in accordance with an aspect of the present invention.
  • The system comprises a first user browser 72a, a first DNS server 74a, a first identity provider 76a and a service provider 78, similar to the browser 42, DNS server 44, identity provider 46 and service provider 48 respectively discussed above with reference to Figure 4.
  • The system 70 also comprises a second user browser 72b, a second DNS server 74b and a second identity provider 76b, similar to the browser 42, DNS server 44 and identity provider 46 respectively.
  • The service provider 78 is in two-way communication with both the first user browser 72a and the second user browser 72b. Each user browser is able to issue a service access request (similar to the request 52) to the service provider 78. In response, the service provider 78 returns an authentication request message (similar to the message 54) to the requesting user browser.
  • The authentication request includes a redirect instruction.
  • The redirect instruction does not depend on the identity of the user browser and so, regardless of which browser issues the service access request, the redirect instruction issued by the service provider is identical.
  • The first user browser uses the first DNS server 74a to resolve the virtual address included in the redirect command received from the service provider 78.
  • The first DNS server 74a resolves the address by returning the location of the first identity provider 76a.
  • The second user browser uses the second DNS server 74b to resolve the virtual address included in the redirect command received from the service provider 78.
  • The second DNS server 74b resolves the address by returning the location of the second identity provider 76b.
  • In some forms of the invention, the pre-defined domain names are operated by real internet servers. In this way, the proposed discovery mechanism can work seamlessly with traditional DNS servers: such a DNS server knows nothing about identity providers and, using the standard DNS resolution protocol, simply returns to the end user the IP address of the internet server with the pre-defined name.
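The Figure 5 sequence, as an added example that is not part of the patent and not code from Nokia Siemens Networks: a small Python simulation of messages 54 to 66. The resolver side parses the requirement labels out of a virtual name (the convention that the labels in front of idp.org name required features is an assumption drawn from the saml.idp.org and persistent.saml.idp.org examples), then picks an identity provider from a constructed configuration table by client address range, requested features and status. The SAML side shows the HTTP-Redirect binding encoding of the AuthnRequest the browser sends to the resolved host, and the checks a service provider makes on the returned assertion before granting access. All hostnames, addresses, entity IDs and table rows are made up for the example, and the XML signature check (which needs an XML-DSig library) is assumed to have passed before check_response is called.

```python
"""Simulation of the Figure 5 message sequence (52-66).  Constructed example:
every hostname, IP address, entity ID and policy row below is an assumption,
not data from the patent.  Only the standard library is used."""
import base64
import ipaddress
import urllib.parse
import zlib
from datetime import datetime, timezone

# ---- Message 54: the service provider's fixed virtual IdP name ---------------
VIRTUAL_SUFFIX = ("idp", "org")      # assumed: pre-defined names end in idp.org


def parse_virtual_name(name):
    """Return the requirement labels encoded in a pre-defined virtual name
    (persistent.saml.idp.org -> {'persistent', 'saml'}), or None when the name
    is not one of ours, in which case the resolver does ordinary DNS."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 3 or tuple(labels[-2:]) != VIRTUAL_SUFFIX:
        return None
    features = set(labels[:-2])
    features.discard("well-known")   # the bare name carries no requirements
    return features


# Constructed configuration of the user's DNS server: the kind of data the text
# says it is provisioned with (IdP address, client address space, methods, status).
IDP_TABLE = [
    {"ip": "192.0.2.10", "clients": "10.1.0.0/16", "features": {"saml"}, "up": True},
    {"ip": "192.0.2.20", "clients": "10.1.0.0/16", "features": {"saml", "persistent"}, "up": True},
    {"ip": "192.0.2.30", "clients": "10.2.0.0/16", "features": {"saml", "persistent"}, "up": False},
    {"ip": "192.0.2.31", "clients": "10.2.0.0/16", "features": {"saml"}, "up": True},
]


def resolve(name, client_ip, table=IDP_TABLE):
    """Messages 56/58: choose an IdP for this client.  Policy inputs are the ones
    the text lists: the end user's IP address, the queried name and IdP status."""
    required = parse_virtual_name(name)
    if required is None:
        return None                   # not a virtual name: normal resolution
    addr = ipaddress.ip_address(client_ip)
    for idp in table:
        if (idp["up"] and addr in ipaddress.ip_network(idp["clients"])
                and required <= idp["features"]):
            return idp["ip"]
    return None                       # no eligible IdP; NXDOMAIN in practice


# ---- Messages 54/60: SAML AuthnRequest over the HTTP-Redirect binding -------
SP_ENTITY_ID = "https://sp.example.com/saml"        # assumed SP identifiers
ACS_URL = "https://sp.example.com/saml/acs"


def build_redirect(virtual_name, request_id):
    """SP side of message 54: the Location header names the virtual host, not a
    real IdP.  Per the binding the XML is raw-DEFLATEd, base64- and URL-encoded."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now}" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: no zlib header/trailer
    token = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    return f"https://{virtual_name}/sso?" + urllib.parse.urlencode({"SAMLRequest": token})


def decode_redirect(url):
    """IdP side of message 60: recover the AuthnRequest from the query string."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


# ---- Messages 64/66: what the SP checks before granting access --------------
def check_response(resp, issued_ids, trusted_issuers, now):
    """Return 'ok' or the reason the SP must refuse.  `resp` holds the fields an
    SP extracts from a Response whose XML signature it has already verified
    against IdP metadata (the XML-DSig step needs an external library and is
    not shown).  Timestamps are SAML UTC strings, so they compare lexically."""
    if resp["InResponseTo"] not in issued_ids:
        return "unsolicited or replayed response"
    if resp["Issuer"] not in trusted_issuers:
        return "issuer not in trusted IdP metadata"
    if resp["Audience"] != SP_ENTITY_ID:
        return "assertion meant for another service provider"
    if not (resp["NotBefore"] <= now < resp["NotOnOrAfter"]):
        return "assertion outside its validity window"
    issued_ids.discard(resp["InResponseTo"])         # each request answered once
    return "ok"
```

The selection logic lives in the user's resolver, so the service provider's redirect is identical for every browser, as the Figure 6 discussion describes; which identity provider answers depends only on the resolver the client uses. Because the browser connects to the resolved address under the virtual hostname, the selected identity provider must present a certificate valid for that name, and the service provider's trust decision rests on the assertion checks in check_response rather than on the DNS answer.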

Abstract

A method for obtaining authentication information to enable a user to access a secure service provided by a service provider is described. The service provider redirects the user to an identity provider, providing a virtual address for the identity provider. A DNS server associated with the user redirects the user to the appropriate identity provider based on the knowledge that the DNS server has of the identity provider to use. Thus, the service provider does not need to know the actual address of the appropriate identity provider in advance.

Description

Description
Title
Identity Management Scheme
The invention relates to identity management and, more specifically, to access to identity management information.
Figure 1 is a block diagram demonstrating an aspect of identity management. Figure 1 shows a system, indicated generally by the reference numeral 2, comprising an end user 4, a service provider 6 and an identity provider 8. When the end user 4 of the system 2 wants to access a secure resource at the service provider 6, and the service provider 6 requires the user' s identity to be authenticated, the identity provider 8 can be used to provide the required authentication information to the service provider.
Figure 2 shows an algorithm, indicated generally by the reference numeral 10, showing how the system 2 can be can be used to provide the end user 4 with access to a secure service provided by the service provider 6.
The algorithm 10 starts at step 12, at which step the end user 4 sends a message to the service provider 6 (for example using a web browser) requesting access to a particular application provided by the service provider. The service requires user credentials, which credentials are not provided in the request.
The algorithm 10 moves to step 13, at which step a discovery process is carried out. The discovery process 13 determines the location of the identity provider 8. Next, the algorithm 10 moves to step 14, at which step the service provider 6 redirects the user to the identity provider 8. The algorithm 10 then moves to step 16, where the identity provider 8 provides user credential data to the service provider 6 (via the user) . In response to receiving the user credentials, the service provider 6 grants the user access to the requested service (step 18) .
The algorithm 10 may be implemented using the Security Assertion Markup Language (SAML) protocol, as shown, by way of example, in the message sequence 20 of Figure 3. SAML is an XML (extensible Markup Language) standard for exchanging authentication and authorization data between security domains. For example, SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions) . SAML is a specification defined by the OASIS (Organization for the Advancement of Structured Information standards) .
The message sequence 20 begins with the user browser 4 issuing an HTTP request 22 to the service provider 6, requesting access to a secure resource at the service provider, thereby implementing step 12 of the algorithm 10. In response to the request 22, the service provider 6 issues an HTTP redirect message 24 to the browser, instructing the user browser 4 to obtain user credentials from a particular identity provider. The user browser then sends a SAML authentication request 26 to the identity provider 8 indicated in the redirect message 24. The sending of the redirect message 24 and the request 26 implement the step 14 of the algorithm 10.
In response to the request 26, the identity provider 8 replies with an HTTP redirect message 28, including the requested SAML assertion, thereby implementing step 16 of the algorithm 10. Next, the user browser sends a SAML authentication response 30 to the service provider, including the SAML assertion obtained from the identity provider 8. Once the SAML assertion has been verified by the service provider 6, the service provider provides the user with access to the requested secure resource and sends an HTTP response 32 to the browser 4 (implementing step 18 of the algorithm 10 ) .
The discovery step (step 13) of the algorithm 10 involves determining the location of the identity provider 8 and providing that information in a form that can be communicated to the user. The discovery step 13 enables the service provider 6 to issue the HTTP redirect message 24 to the user browser 4 including the location of the identity provider 8. It is, of course, possible for the service provider 6 to retain information regarding the identity provider used for each user, but this is clearly impractical as the number of users increases and it does not allow for new users to access the service provider. Accordingly, the need for a discovery process can limit the use of the algorithm 10.
One approach for overcoming the need for a discovery process is to define a single identity provider that must be used by all users in order to access secure services provided by the service provider 6; however, this approach is inflexible, since it requires all users to have an account with that identity provider. An alternative approach is to require the user to manually input the address of the identity provider being used by that user. This is inconvenient for the user and is vulnerable to user errors. The present invention seeks to address at least some of the problems outlined above.
In accordance with an aspect of the present invention, there is provided a method comprising: issuing a request to a service provider for access to a service provided by the service provider; receiving an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and retrieving a second address for the identity provider from a first server (for example, using the first address). The first server may be programmed with the details of the identity provider to use. For example, a particular user may specify in advance that a particular identity provider should be used. The first server may be a name server, such as a domain name system (DNS) server.
In accordance with an aspect of the invention, there is provided a method comprising: receiving (for example, at a service provider) a request (for example, from a user device or browser) for access to a service; and issuing an authentication request (for example, to the user device or browser), wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or the identity of an entity issuing the request for access to the service. An authentication assertion (such as a SAML assertion) may be received from the user device. In accordance with a further aspect of the invention, there is provided a method comprising: issuing a request from a user browser to a service provider for access to a service provided by the service provider; issuing an authentication request from the service provider to the user browser, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and retrieving a second address (for example, using the first address) for the identity provider from a first server (such as a DNS server).
In accordance with an aspect of the invention, there is provided an apparatus (such as a user browser) comprising: a first output adapted to issue a request to a service provider for access to a service provided by the service provider; a first input adapted to receive an authentication request from the service provider, the authentication request including an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and a second output for issuing a request to a first server for a second address for the identity provider (for example, on the basis of said first address). The first server may be a name server, such as a domain name system (DNS) server. The first and second outputs of the apparatus may be implemented using a single physical output. According to another aspect of the invention, there is provided an apparatus (such as a service provider) comprising: a first input adapted to receive a request (for example, from a user device or browser) for access to a service; and a first output for issuing an authentication request (for example, to the user device or browser), wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service. The apparatus may further comprise a second input for receiving authentication information (for example, from said user device or browser). The first and second inputs of the apparatus may be implemented using a single physical input.
According to a further aspect of the invention, there is provided a system comprising a user browser and a service provider, wherein: the user browser comprises: a first output adapted to issue a request to the service provider for access to a service provided by the service provider, a first input adapted to receive an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider and the authentication request includes a first address for the identity provider, and a second output for issuing a request to a first server for a second address for the identity provider (for example, on the basis of said first address); the service provider comprises: a first input adapted to receive the request for access to a service, and a first output for issuing the authentication request to the user browser; and wherein the first address for the identity provider is not dependent on either a location of the identity provider or the identity of the user browser issuing the request for access to the service. The first and second outputs of the browser may be implemented using a single physical output.
Thus, the present invention enables a service provider to redirect a user device, such as a browser, to an identity provider, without the service provider needing to know the details (such as the address) of the identity provider. The invention requires minimal changes to service providers, yet provides significant flexibility.
The invention can be provided in a variety of forms and can be made to work with all kinds of user terminals without any configuration, so long as a browser is able to run on the terminal.
The invention works with all kinds of identity providers that support federated identity management.
As outlined above, some aspects of the invention make use of the normal functionality of a name server, such as a DNS server, to resolve the name of a virtual address to provide a real address of an identity provider for use in providing authentication information for a user. This provides a simple, but elegant, solution to many of the problems outlined above.
The invention may further comprise forwarding an authentication request received from the service provider to the identity provider. The invention may further comprise obtaining user credentials, for example in the form of a SAML assertion, from the identity provider. The invention may further comprise forwarding the user credentials to the service provider.
In some forms of the invention, the first address is a pre-defined address, such as well-known.idp.org.
In some forms of the invention, the first address includes details of characteristics of the identity provider that are desired by the service provider. In other forms of the invention, the first address includes details of characteristics of the identity provider that are required by the service provider. Those details may, for example, include requiring that an identity provided by an identity provider is in accordance with the SAML protocol; in such a scenario the first address may be saml.idp.org. Those details may include requiring that an identity provided by an identity provider is a persistent identity and in accordance with the SAML protocol; in such a scenario the first address may be persistent.saml.idp.org. Thus, the service provider's identity management preferences and/or requirements can be fully communicated to enable the selection of an appropriate identity provider.
In some forms of the invention, the second address does not depend on the first address. In some forms of the invention, the second address does depend on the first address.
In accordance with an aspect of the present invention, there is provided a computer program product comprising: means for issuing a request to a service provider for access to a service provided by the service provider; means for receiving an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and means for using the first address to retrieve a second address for the identity provider from a first server (such as a name server).
In accordance with an aspect of the present invention, there is provided a computer program comprising: code for issuing a request to a service provider for access to a service provided by the service provider; code for receiving an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and code for retrieving a second address (for example, using the first address) for the identity provider from a first server (such as a name server). The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
In accordance with an aspect of the present invention, there is provided a computer program product comprising: means for issuing a request from a user browser to a service provider for access to a service provided by the service provider; means for issuing an authentication request from the service provider to the user browser, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and means for retrieving a second address (for example, using the first address) for the identity provider from a first server (such as a name server).
In accordance with an aspect of the present invention, there is provided a computer program comprising: code for issuing a request from a user browser to a service provider for access to a service provided by the service provider; code for issuing an authentication request from the service provider to the user browser, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and code for using the first address to retrieve a second address for the identity provider from a first server (such as a name server). The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
In accordance with an aspect of the present invention, there is provided a computer program product comprising: means for receiving a request for access to a service; and means for issuing an authentication request, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or the identity of an entity issuing the request for access to the service. In accordance with an aspect of the present invention, there is provided a computer program comprising: code for receiving a request for access to a service; and code for issuing an authentication request, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or the identity of an entity issuing the request for access to the service. The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
Embodiments of the invention are described below, by way of example only, with reference to the following schematic drawings.
Figure 1 is a block diagram demonstrating the use of identity management in the prior art;
Figure 2 is a flow chart demonstrating a known use of the arrangement of Figure 1;
Figure 3 is a message sequence showing a potential implementation of the algorithm of Figure 2;
Figure 4 is a block diagram of a system in accordance with an aspect of the present invention;
Figure 5 is a message sequence showing an exemplary use of the system of Figure 4, in accordance with an aspect of the present invention; and
Figure 6 is a block diagram of a system in accordance with an aspect of the present invention.
Figure 4 is a block diagram, indicated generally by the reference numeral 40, of a system in accordance with an aspect of the present invention. The system 40 comprises a user browser 42, a domain name system (DNS) server 44 associated with the browser, an identity provider (IDP) 46 and a service provider (SP) 48. The browser 42 is in two-way communication with each of the DNS server 44, identity provider 46 and service provider 48. As in the system 2 described above with reference to Figure 1, when the user at the browser 42 wants to access a secure resource at the service provider 48, and the service provider 48 requires the user's identity to be authenticated, the identity provider 46 can be used to provide the required authentication information to the service provider.
As is well known in the art, the domain name system (DNS) is a hierarchical naming system for computers participating in the Internet. The domain name system translates between human-friendly computer hostnames (such as well-known.idp.org) and Internet protocol (IP) addresses (such as 123.123.12.1), thereby acting in a similar manner to a telephone directory. This translation process is carried out by a DNS server, such as the DNS server 44. The present invention exploits the functionality of DNS servers, as described further below. It should be noted, however, that although the invention is described with reference to DNS servers, other name servers which perform similar translations could be used instead of a DNS server.
Figure 5 shows a message sequence, indicated generally by the reference numeral 50, showing an exemplary use of the system 40 in accordance with an aspect of the present invention.
The message sequence 50 begins with the user browser 42 requesting access to a secure resource at the service provider 48. The request takes the form of an HTTP Request 52 issued by the browser 42 to the service provider 48. The service provider 48 requires the user to be authenticated before access is given to the secure resource. Thus, in accordance with the SAML protocol, the service provider issues a SAML authentication request in the form of an HTTP Redirect command 54.
In accordance with the SAML protocol, the HTTP Redirect command 54 indicates the address to which the browser should be directed to obtain authentication data. However, in the present example, it is assumed that the service provider 48 does not know the address of the appropriate identity provider 46 to provide the authentication data. The HTTP Redirect request redirects the browser to a pre-defined "virtual" name, such as "well-known.idp.org" without caring which identity provider will actually authenticate the user.
In response to receiving the HTTP Redirect request 54, the user browser sends a message 56 to the DNS server 44 requesting the Internet Protocol (IP) address of the virtual address received from the service provider 48, thereby using the DNS server to resolve the virtual name. The DNS server 44 knows the address of the identity provider appropriate for enabling the user to be authenticated at the service provider 48 and simply returns the IP address of that identity provider to the browser 42 in a message 58. In order to achieve this, the DNS server may check the address included in the redirect request 56 against a list of pre-defined names. If a match is found, the identity provider discovery process is triggered. One of the associated identity providers (i.e. the identity provider 46) is chosen, based on policies including the end user's IP address, the queried domain name, the identity provider status and so on. The IP address of the selected identity provider 46 is returned to the end user in the message 58 and the standard identity management process continues, as discussed further below.
Accordingly, the user browser 42 obtains the address of the identity provider 46 without the service provider 48 (or, indeed, the browser 42) needing to know that address in advance. Thus, the normal translation functionality provided by the DNS server 44 is exploited to provide the address of the identity provider 46.
The remainder of the algorithm 50 is in accordance with the SAML standard, as described above with reference to Figure 3. Accordingly, the user browser 42 uses the IP address received from the DNS server 44 to send a SAML authentication request 60 to the identity provider 46. The identity provider 46 provides a SAML authentication response in the form of an HTTP redirect message 62. The HTTP redirect message 62 provides the user authentication data and the user browser, as instructed by the redirect message 62, forwards that information to the service provider 48 in a SAML authentication response message 64.
At this stage, the service provider 48 has the required user authentication details and provides the user with access to the secure resource (message 66).
Thus, the messages 52 and 54 are the same as the messages 22 and 24 described above with reference to Figure 2, with the exception that the redirect command 24 includes an address of a known identity provider, whereas the message 54 includes a virtual address. Further, the messages 60, 62, 64 and 66 are the same as the messages 26, 28, 30 and 32 described above with reference to Figure 2. Accordingly, the known identity management process is largely unchanged. As the message sequence 50 differs from the known message sequence 20 only in the manner in which the discovery process 13 described above with reference to Figure 2 is carried out, the system 40 can be easily implemented. The additional step uses a DNS server, and such servers are readily available and understood by persons skilled in the art. Further, the service provider 6 described above with reference to Figures 1 to 3 requires only minor modification to return a virtual identity provider address, rather than carrying out the discovery process 13.
The DNS server 44 may obtain the required information regarding the identity provider 46 by manual or automatic configuration beforehand. The information includes, but is not limited to, IP address, user IP address space, authentication methods etc.
In a modified embodiment of the invention, the virtual identity provider name given by the service provider 48 is used to specify requirements of the desired identity provider. By way of example, if the service provider 48 requires that the identity provider supports SAML, then the redirect instructions 54 may include the identity provider name saml.idp.org. Alternatively, if the service provider 48 requires that a persistent user identifier be provided by the identity provider, then the redirect instruction 54 may include the IDP name persistent.saml.idp.org. Thus, the service provider's identity provider preferences (or requirements) can be fully communicated to enable the selection of the appropriate identity provider.
Figure 6 is a block diagram of a system, indicated generally by the reference numeral 70, in accordance with an aspect of the present invention. The system comprises a first user browser 72a, a first DNS server 74a, a first identity provider 76a and a service provider 78 similar to the browser 42, DNS server 44, identity provider 46 and service provider 48 respectively discussed above with reference to Figure 4. In addition, the system 70 comprises a second user browser 72b, second DNS server 74b and second identity provider 76b similar to the browser 42, DNS server 44 and identity provider 46 respectively.
The service provider 78 is in two-way communication with both the first user browser 72a and the second user browser 72b. Each user browser is able to issue a service access request (similar to the request 52) to the service provider 78. In response, the service provider 78 returns an authentication request message (similar to the message 54) to the requesting user browser. The authentication request includes a redirect instruction. The redirect instruction does not depend on the identity of the user browser and so, regardless of which browser issues the service access request, the redirect instruction issued by the service provider is identical.
In the event that a service access request is issued by the first user browser 72a, the first user browser uses the first DNS server 74a to resolve the virtual address included in the redirect command received from the service provider 78. The first DNS server 74a resolves the address by returning the location of the first identity provider 76a. Similarly, in the event that a service access request is issued by the second user browser 72b, the second user browser uses the second DNS server 74b to resolve the virtual address included in the redirect command received from the service provider 78. The second DNS server 74b resolves the address by returning the location of the second identity provider 76b. In some forms of the invention, the pre-defined domain names are operated by real internet servers. In this way, the proposed discovery mechanism can work seamlessly with traditional DNS servers. Such a traditional DNS server knows nothing about identity providers. Using the standard DNS resolution protocol, the IP address of the internet server with the pre-defined name will be returned to the end user.
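The resolver-side discovery logic described for messages 56 and 58 (matching the queried name against pre-defined names, then choosing an identity provider by the end user's IP address, the queried name and the provider's status), the requirement labels of the modified embodiment (saml.idp.org, persistent.saml.idp.org) and the per-resolver tables of Figure 6, as one added example that is not the patent's code. The identity provider records, subnets and addresses below are constructed for the illustration, and parse_requirements, select_identity_provider and resolve are names chosen here; a name that is not a virtual identity provider name falls through to an ordinary record, as the last paragraph describes for a traditional DNS server.

```python
"""Identity-provider discovery inside a name server (messages 56/58 of Figure 5).

Added example, not code from the patent. All records below are constructed.
"""
import ipaddress

# Suffix that marks a virtual identity-provider name (from the page's examples).
VIRTUAL_SUFFIX = "idp.org"

# Constructed records for DNS server 44: each identity provider's real address,
# the end-user address space it serves, the features it offers and its status.
IDENTITY_PROVIDERS = [
    {"name": "idp-a", "address": "192.0.2.10", "serves": ["198.51.100.0/24"],
     "features": {"saml"}, "status": "up"},
    {"name": "idp-b", "address": "192.0.2.20", "serves": ["198.51.100.0/24"],
     "features": {"saml", "persistent"}, "status": "up"},
    {"name": "idp-c", "address": "192.0.2.30", "serves": ["203.0.113.0/24"],
     "features": {"saml", "persistent"}, "status": "down"},
]

# Ordinary zone data: what a traditional DNS server answers for any other name.
ORDINARY_RECORDS = {"www.example.org": "192.0.2.99"}


def parse_requirements(qname):
    """Return the requirement labels encoded in a virtual name, or None if the
    name is not a virtual identity-provider name.

    'well-known.idp.org'        -> set()            (no requirements)
    'saml.idp.org'              -> {'saml'}
    'persistent.saml.idp.org'   -> {'persistent', 'saml'}
    """
    labels = qname.rstrip(".").lower().split(".")
    suffix = VIRTUAL_SUFFIX.split(".")
    if labels[-len(suffix):] != suffix:
        return None
    prefix = labels[:-len(suffix)]
    if prefix == ["well-known"]:
        return set()
    return set(prefix)


def select_identity_provider(client_ip, requirements, providers=IDENTITY_PROVIDERS):
    """Apply the selection policy: provider must be up, offer every required
    feature and serve the end user's address space. First match wins."""
    client = ipaddress.ip_address(client_ip)
    for idp in providers:
        if idp["status"] != "up":
            continue
        if not requirements <= idp["features"]:
            continue
        if not any(client in ipaddress.ip_network(net) for net in idp["serves"]):
            continue
        return idp
    return None


def resolve(qname, client_ip, providers=IDENTITY_PROVIDERS):
    """Answer one address query. Virtual names trigger discovery; other names
    resolve from ordinary zone data. Returns an address string or None."""
    requirements = parse_requirements(qname)
    if requirements is None:
        return ORDINARY_RECORDS.get(qname.rstrip(".").lower())
    idp = select_identity_provider(client_ip, requirements, providers)
    return idp["address"] if idp else None


if __name__ == "__main__":
    for name, client in [("well-known.idp.org", "198.51.100.7"),
                         ("persistent.saml.idp.org", "198.51.100.7"),
                         ("saml.idp.org", "203.0.113.5"),
                         ("www.example.org", "198.51.100.7")]:
        print(f"{name} from {client} -> {resolve(name, client)}")
```

A second resolver such as DNS server 74b in Figure 6 runs the same code with its own provider table, which is how two browsers receiving the identical redirect 54 end up at different identity providers. Because the resolver now decides which identity provider a user is sent to, it should be one the user's network operator controls, the identity provider reached must present a certificate valid for the virtual name the browser connected to, and the service provider still validates the returned assertion against the identity providers it trusts.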
The embodiments of the invention described above are illustrative rather than restrictive. It will be apparent to those skilled in the art that the above devices and methods may incorporate a number of modifications without departing from the general scope of the invention. It is intended to include all such modifications within the scope of the invention insofar as they fall within the scope of the appended claims.

Claims
1. A method comprising: issuing a request to a service provider for access to a service provided by the service provider; receiving an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and retrieving a second address for the identity provider from a first server.
2. A method comprising: issuing a request from a user browser to a service provider for access to a service provided by a service provider; issuing an authentication request from the service provider to the user browser, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and retrieving a second address for the identity provider from a first server.
3. A method as claimed in claim 1 or claim 2, wherein the first server is a domain name system server.
4. A method as claimed in any one of claims 1 to 3, wherein the second address does not depend on the first address.
5. A method as claimed in any preceding claim, further comprising using the first address when retrieving the second address for the first server.
6. A method comprising: receiving a request for access to a service; and issuing an authentication request, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or the identity of an entity issuing the request for access to the service.
7. A method as claimed in claim 6, further comprising receiving an authentication assertion in response to the authentication request.
8. A method as claimed in claim 6 or claim 7, wherein the service access request is received from one of a plurality of user devices.
9. A method as claimed in any preceding claim, wherein the first address is a pre-defined address.
10. A method as claimed in any preceding claim, wherein the first address includes details of characteristics of the identity provider that are desired by the service provider.
11. A method as claimed in any preceding claim, wherein the first address includes details of characteristics of the identity provider that are required by the service provider.
12. An apparatus comprising: a first output adapted to issue a request to a service provider for access to a service provided by the service provider; a first input adapted to receive an authentication request from the service provider, the authentication request including an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and a second output for issuing a request to a first server for a second address for the identity provider.
13. An apparatus as claimed in claim 12, wherein the first server is a domain name system server.
14. An apparatus as claimed in claim 12 or claim 13, wherein the second address does not depend on the first address.
15. An apparatus as claimed in any one of claims 12 to 14, wherein the apparatus is a user browser.
16. An apparatus comprising: a first input adapted to receive a request for access to a service; and a first output for issuing an authentication request, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service.
17. An apparatus as claimed in claim 16, further comprising a second input for receiving authentication information.
18. An apparatus as claimed in claim 16 or claim 17, wherein the apparatus is a service provider.
19. An apparatus as claimed in any one of claims 12 to 18, wherein the first address is a pre-defined address.
20. An apparatus as claimed in any one of claims 12 to 19, wherein the first address includes details of characteristics of the identity provider that are desired by the service provider.
21. An apparatus as claimed in any one of claims 12 to 20, wherein the first address includes details of characteristics of the identity provider that are required by the service provider.
22. A system comprising a service provider and one or more user browsers, wherein: each of the one or more user browsers comprises a first output adapted to issue a request to the service provider for access to a service provided by the service provider, a first input adapted to receive an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider and the authentication request includes a first address for the identity provider, and a second output for issuing a request to a first server for a second address for the identity provider; the service provider comprises a first input adapted to receive the request for access to a service, and a first output for issuing the authentication request to the user browser from which the request for access to a service is received; and the first address for the identity provider is not dependent on either a location of the identity provider or the identity of the user browser issuing the request for access to the service.
23. A computer program product comprising: means for issuing a request to a service provider for access to a service provided by the service provider; means for receiving an authentication request from the service provider, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or an identity of an entity issuing the request for access to the service; and means for retrieving a second address for the identity provider from a first server.
24. A computer program product comprising: means for receiving a request for access to a service; and means for issuing an authentication request, wherein the authentication request includes an instruction to redirect to an identity provider, and wherein the authentication request includes a first address for the identity provider that is not dependent on either a location of the identity provider or the identity of an entity issuing the request for access to the service.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/050771 WO2010083889A1 (en) 2009-01-23 2009-01-23 Identity management scheme

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/050771 WO2010083889A1 (en) 2009-01-23 2009-01-23 Identity management scheme

Publications (1)

Publication Number Publication Date
WO2010083889A1 true WO2010083889A1 (en) 2010-07-29

Family

ID=41382471

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2009/050771 WO2010083889A1 (en) 2009-01-23 2009-01-23 Identity management scheme

Country Status (1)

Country Link
WO (1) WO2010083889A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130091355A1 (en) * 2011-10-05 2013-04-11 Cisco Technology, Inc. Techniques to Prevent Mapping of Internal Services in a Federated Environment
WO2014128343A1 (en) * 2013-02-22 2014-08-28 Nokia Corporation Method and apparatus for providing account-less access via an account connector platform
WO2016041571A1 (en) * 2014-09-15 2016-03-24 Abb Technology Ltd Controlling real world objects in an industrial installation
WO2016205195A1 (en) * 2015-06-15 2016-12-22 Airwatch, Llc Single sign-on for managed mobile devices
US9866546B2 (en) 2015-10-29 2018-01-09 Airwatch Llc Selectively enabling multi-factor authentication for managed devices
US9882887B2 (en) 2015-06-15 2018-01-30 Airwatch Llc Single sign-on for managed mobile devices
WO2018200554A1 (en) * 2017-04-28 2018-11-01 Amazon Technologies, Inc. Single sign-on registration
US10171447B2 (en) 2015-06-15 2019-01-01 Airwatch Llc Single sign-on for unmanaged mobile devices
US10171448B2 (en) 2015-06-15 2019-01-01 Airwatch Llc Single sign-on for unmanaged mobile devices
US10187374B2 (en) 2015-10-29 2019-01-22 Airwatch Llc Multi-factor authentication for managed applications using single sign-on technology
US10944738B2 (en) 2015-06-15 2021-03-09 Airwatch, Llc. Single sign-on for managed mobile devices using kerberos
US11057364B2 (en) 2015-06-15 2021-07-06 Airwatch Llc Single sign-on for managed mobile devices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030149781A1 (en) * 2001-12-04 2003-08-07 Peter Yared Distributed network identity
US20040015584A1 (en) * 2000-10-09 2004-01-22 Brian Cartmell Registering and using multilingual domain names
WO2006103176A1 (en) * 2005-04-01 2006-10-05 International Business Machines Corporation Method for a runtime user account creation operation
US20080189778A1 (en) * 2007-02-05 2008-08-07 Peter Andrew Rowley Secure authentication in browser redirection authentication schemes

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040015584A1 (en) * 2000-10-09 2004-01-22 Brian Cartmell Registering and using multilingual domain names
US20030149781A1 (en) * 2001-12-04 2003-08-07 Peter Yared Distributed network identity
WO2006103176A1 (en) * 2005-04-01 2006-10-05 International Business Machines Corporation Method for a runtime user account creation operation
US20080189778A1 (en) * 2007-02-05 2008-08-07 Peter Andrew Rowley Secure authentication in browser redirection authentication schemes

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130091355A1 (en) * 2011-10-05 2013-04-11 Cisco Technology, Inc. Techniques to Prevent Mapping of Internal Services in a Federated Environment
WO2014128343A1 (en) * 2013-02-22 2014-08-28 Nokia Corporation Method and apparatus for providing account-less access via an account connector platform
US10146217B2 (en) 2014-09-15 2018-12-04 Abb Schweiz Ag Controlling real world objects in an industrial installation
WO2016041571A1 (en) * 2014-09-15 2016-03-24 Abb Technology Ltd Controlling real world objects in an industrial installation
CN107077128B (en) * 2014-09-15 2019-07-26 Abb瑞士股份有限公司 Control the real world objects in industrial plants
CN107077128A (en) * 2014-09-15 2017-08-18 Abb瑞士股份有限公司 Control the real world objects in industrial plants
US9882887B2 (en) 2015-06-15 2018-01-30 Airwatch Llc Single sign-on for managed mobile devices
US11057364B2 (en) 2015-06-15 2021-07-06 Airwatch Llc Single sign-on for managed mobile devices
US10812464B2 (en) 2015-06-15 2020-10-20 Airwatch Llc Single sign-on for managed mobile devices
US10171447B2 (en) 2015-06-15 2019-01-01 Airwatch Llc Single sign-on for unmanaged mobile devices
US10171448B2 (en) 2015-06-15 2019-01-01 Airwatch Llc Single sign-on for unmanaged mobile devices
US10965664B2 (en) 2015-06-15 2021-03-30 Airwatch Llc Single sign-on for unmanaged mobile devices
WO2016205195A1 (en) * 2015-06-15 2016-12-22 Airwatch, Llc Single sign-on for managed mobile devices
US10944738B2 (en) 2015-06-15 2021-03-09 Airwatch, Llc. Single sign-on for managed mobile devices using kerberos
US9866546B2 (en) 2015-10-29 2018-01-09 Airwatch Llc Selectively enabling multi-factor authentication for managed devices
US10432608B2 (en) 2015-10-29 2019-10-01 Airwatch Llc Selectively enabling multi-factor authentication for managed devices
US10187374B2 (en) 2015-10-29 2019-01-22 Airwatch Llc Multi-factor authentication for managed applications using single sign-on technology
US10630668B2 (en) 2017-04-28 2020-04-21 Amazon Technologies, Inc. Single sign-on registration
CN110651458A (en) * 2017-04-28 2020-01-03 亚马逊技术有限公司 Single sign-on registration
WO2018200554A1 (en) * 2017-04-28 2018-11-01 Amazon Technologies, Inc. Single sign-on registration
US11196732B2 (en) 2017-04-28 2021-12-07 Amazon Technologies, Inc. Single sign-on registration
CN110651458B (en) * 2017-04-28 2022-05-10 亚马逊技术有限公司 Single sign-on registration

Similar Documents

Publication Publication Date Title
WO2010083889A1 (en) Identity management scheme
US11632353B2 (en) Delegating DNS records to additional providers
EP2338262B1 (en) Service provider access
US9160623B2 (en) Method and system for partitioning recursive name servers
CN102077546B (en) Remote access between UPnP devices
US9374352B2 (en) Content restriction compliance using reverse DNS lookup
EP2266064B1 (en) Request routing
JP5357246B2 (en) System, method and program product for integrated authentication
US20100049790A1 (en) Virtual Identity System and Method for Web Services
US9444780B1 (en) Content provided DNS resolution validation and use
WO2010041347A1 (en) Gateway apparatus, authentication server, control method thereof and computer program
Reed et al. Openid identity discovery with xri and xrds
US20220158988A1 (en) Dual domain cloud kerberos authentication
Cisco Configuring the Cisco SSD
US10291612B2 (en) Bi-directional authentication between a media repository and a hosting provider
KR20100068358A (en) Enhanced proxy system and control method that use url restructuring methodology
JP4983924B2 (en) COMMUNICATION SYSTEM, COMMUNICATION OPTIMIZATION DEVICE, AND COMMUNICATION NETWORK ESTIMATING METHOD USED FOR THEM
US10148729B2 (en) Hosting provider hosting routes from a media repository
KR20110065247A (en) Method and apparatus for using service of plurality of internet service provider
WO2006113014A1 (en) Web content administration information discovery
WO2008142212A1 (en) Access to service
KR20080052980A (en) Enum system and user authentication method

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application

Ref document number: 09778979

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 09778979

Country of ref document: EP

Kind code of ref document: A1