WO2010149222A1 - Attribute management - Google Patents

Attribute management

Info

Publication number
WO2010149222A1
Authority
WO
WIPO (PCT)
Prior art keywords
attribute
manage
user
request
value
Prior art date
Application number
PCT/EP2009/058060
Other languages
French (fr)
Inventor
Markus Bauer-Hermann
Robert Seidl
Original Assignee
Nokia Siemens Networks Oy
Priority date
Filing date
Publication date
Application filed by Nokia Siemens Networks Oy
Priority to PCT/EP2009/058060
Publication of WO2010149222A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/306 User profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • the present invention relates to attribute management in an identity management system.
  • Federated identity management or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise autonomous security domains.
  • a goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, and without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience.
  • SAML Security Assertion Markup Language
  • XML Extensible Markup Language
  • SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
  • SAML is a specification defined by the OASIS (Organization for the Advancement of Structured Information Standards).
  • the SAML protocol currently provides two methods that enable a service provider to retrieve attributes relating to a user that has been authenticated by an identity provider.
  • the first method is an Attribute-Push-Method in which the identity provider can send attribute information within the SAML assertion provided in response to the service provider's user authentication request.
  • the second method is an Attribute-Pull-Method in which the service provider can use an AttributeAuthority message or an AttributeQuery message to retrieve information regarding user attributes from the identity provider once the user has been authenticated by the identity provider.
  • the service provider can only obtain information relating to the attributes of the user logged into the service provider.
  • a problem with the conventional systems and methods is that there currently exists no mechanism to enable a service provider to transmit user attributes to be stored at the identity provider. This is particularly disadvantageous as the user cannot reuse a single profile containing user attributes, such as layout, preferred e-mail address etc., for different service providers. In current systems and methods the user will only be able to store attributes and change those attributes locally at each service provider, meaning that the user will have to enter and change the same attributes multiple times in order to ensure they are consistent for each of the different service providers the user has an account with. However, a further problem can arise when storing attributes at the service provider.
  • if a user creates a temporary or transient account with a service provider then the user cannot reuse the attributes relating to the temporary or transient account when the user next logs on to the service provider. This is because, by the very nature of a temporary or transient account, the next time the user logs on to the service provider the user will have a different username and so the service provider will not be able to link the attributes for a user's temporary account with the user's permanent account.
  • the present invention seeks to address at least some of the problems outlined above.
  • a method comprising the steps of: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be transmitted to an identity provider where the identity provider may store the attribute values for the attributes.
  • a service provider may transmit the attribute values to the identity provider in a manage attribute request which requests the identity provider stores the attribute values for the at least one attribute.
  • a response will be received from the identity provider that includes the stored attribute values for the attributes.
  • the method may further comprise the step of: receiving a request from a user to store at the identity provider the attribute value for at least one attribute.
  • a user can initiate the process of storing specific attribute values at the identity provider.
  • a user may, for example, fill in a form via a web browser on a user device identifying the attributes and the corresponding attribute value that the user wishes to change or store at the identity provider.
  • the method may further comprise the step of: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
  • the manage attribute response from the identity provider includes the attribute values that have been stored then it can be determined whether the attribute values for the attributes have been stored correctly or successfully. For example, if the stored attribute values do not match the attribute values that were included in the manage attribute request then it may be determined that an error has occurred in storing the attribute values at the identity provider.
  • the method may further comprise transmitting a message to a user device where the message informs the user whether or not attributes were successfully stored.
  • a user of a service provider may have a profile that includes several attributes.
  • the profile will include attributes relating to the user and attributes relating to the service provider that the user has an account with.
  • User related attributes may define aspects relating to the user, for example, given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on.
  • Service provider related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have, for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
  • the manage attribute request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; and the manage attribute response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
  • an apparatus comprising: an output adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and a first input adapted to receive a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • an apparatus adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receive a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • the apparatus may be further adapted, for example, by comprising a second input, to receive a request from a user to store at the identity provider the attribute value for at least one attribute.
  • the apparatus may be further adapted, for example, by comprising a processor, to determine if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
  • the apparatus may be further adapted, for example, by comprising a second output, to transmit a message to the user where the message indicates whether or not the attribute values were successfully or correctly stored at the identity provider.
  • the apparatus may be a server or a computing device.
  • the apparatus may be operated by a service provider.
  • the first input and the second input may be the same input or different inputs to the apparatus.
  • the first output and the second output may be the same output or different outputs of the apparatus.
  • the apparatus may be adapted to perform the functions in many different ways.
  • the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
  • a computer program or a computer program product comprising computer readable executable code for: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • the computer program product may further comprise computer readable executable code for: receiving a request from a user to store at the identity provider the attribute value for at least one attribute.
  • the computer program product may further comprise computer readable executable code for: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
  • the computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
  • a method comprising the steps of: receiving a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
  • many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be received from a service provider which are then stored in a database. Once the attribute values have been stored in the database a manage attribute response may be generated and transmitted to the service provider where the response includes the stored attribute values.
  • An identity provider may receive the manage attribute request from the service provider, the database may be located at the identity provider and the identity provider may generate and transmit the manage attribute response.
  • the manage attribute request may be in accordance with the Security Assertion Markup Language protocol; and the manage attribute response may be in accordance with the Security Assertion Markup Language protocol.
  • an apparatus comprising an input adapted to receive a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; a processor adapted to store said attribute value for said at least one attribute in a database; and an output adapted to transmit a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
  • an apparatus adapted to: receive a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; store the attribute value for the at least one attribute in a database; and transmit a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
  • the apparatus may be a server or a computing device.
  • the apparatus may be operated by an identity provider.
  • the apparatus may be adapted to perform the functions in many different ways.
  • the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
  • a computer program or computer program product comprising computer readable executable code for: receiving a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
  • the computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
  • An advantage of many embodiments of the present invention is that a new mechanism is provided which enables user attributes to be stored in a database of the identity provider where the process is initiated by a service provider.
  • a further advantage of many embodiments of the present invention is that by storing user attributes in a database of the identity provider the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently.
  • if the user attributes stored in a database of the identity provider are to be changed then the user does not have to manually change the same attribute for each of the service providers with which the user has an account, as the changed attribute values at the identity provider may be used by all service providers.
  • FIG. 1 is a block diagram of an identity management system in accordance with the aspects of the present invention.
  • FIG. 2 shows a message sequence in accordance with aspects of the present invention.
  • Figure 1 shows a system, indicated generally by the reference numeral 101, comprising an end user 105, a user device 102, a service provider 103 and an identity provider 104.
  • the end user 105 of the system 101 wants to access a secure resource, service or application at the service provider 103, and the service provider 103 requires the user's identity to be authenticated, the identity provider 104 can be used to provide the required authentication information to the service provider 103.
  • the user device may comprise inputs and outputs 106 in order to receive and transmit messages and data.
  • the user device may be a computing device, such as a computer, or a mobile device, such as a mobile phone or personal digital assistant.
  • the service provider 103 may include a server or computing device that may comprise inputs and outputs 107 and processors 108.
  • the identity provider 104 may include a server or computing device that may comprise inputs and outputs 109 and processors 110.
  • SAML assumes that the user 105 has enrolled with at least one identity provider (such as the identity provider 104).
  • the identity provider 104 is expected to provide local authentication services to the user 105.
  • the service provider 103 relies on the identity provider 104 to identify the user 105.
  • When a user 105 wants to access a service that is provided by a service provider 103 who has a contract with the identity provider 104 (i.e. the service provider 103 and the identity provider 104 form at least part of a circle of trust), the service provider 103 requests a user authentication from the identity provider 104. In response to the service provider's request, the identity provider 104 passes a SAML assertion to the service provider 103. On the basis of this assertion, the service provider 103 can make decisions, for example, the service provider 103 can decide whether to grant access to the resources, services or applications requested by the user 105.
  • If the user 105 has been authenticated then the user 105 is logged in to the service provider 103 and can access the services, resources and/or applications that the user 105 wishes to use.
  • the embodiments of the present invention provide a new mechanism to enable the user 105 to store and/or change user specific attributes and user's service provider attributes in an identity provider's database via the service provider.
  • a user 105 will have a profile that includes several attributes.
  • the profile will include attributes relating to the user and attributes relating to each of the service providers that the user has an account with.
  • User related attributes may define aspects relating to the user, for example, given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on.
  • Service provider related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have, for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
  • the attributes defining a user profile may be stored in a database at the identity provider. If an attribute value does not exist in the database for a particular attribute then this can be created by storing an attribute value for the particular attribute. If an attribute doesn't exist then an attribute can be created by storing the attribute along with a corresponding attribute value in the database. If an attribute value for a particular attribute exists and a user wishes to change the attribute value then this can be performed by storing the new attribute value in place of the previous attribute value for the particular attribute in the database. In other words, the user may add or change any attribute relating to the user or to the user's account with a service provider by storing the appropriate attribute value in a database at the identity provider.
  • Figure 2 shows an exemplary message sequence, indicated generally by the reference numeral 201, demonstrating the process of storing attribute values relating to a user's profile at the identity provider in accordance with the embodiments.
  • the message sequence 201 starts with the end user 105 sending a message 202 to the service provider 103 via a user device 102 (for example using a web browser) requesting to add or change an attribute of the user's profile.
  • the user 105 may request to change or add attributes by, for example, entering data into a form on the service provider 103.
  • the service provider 103 will then generate a new message called ManageAttributeRequest which will include an AttributeStatement block which includes at least one attribute value for one or more attributes that the user 105 wishes to change or store at the identity provider 104.
  • An example ManageAttributeRequest message is given below.
  • the message given below is only an example of the format and content of a ManageAttributeRequest message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
  • xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
  • x500:Encoding="LDAP"
  • NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  • NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  • Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
  • FriendlyName="mail"> <saml:AttributeValue
  • the service provider passes 203 the ManageAttributeRequest to the identity provider 104.
  • the ManageAttributeRequest may be passed to the identity provider as an HTTP redirect via the user device 102.
  • the identity provider 104 on receipt of the ManageAttributeRequest will process 204 the request and store the identified attribute values for the identified user attributes in a database of the identity provider 104.
  • An attribute value may be changed by storing the new attribute value in place of the previous attribute value for the particular attribute.
  • the identity provider 104 will generate a ManageAttributeResponse message that includes an AttributeStatement block.
  • the AttributeStatement block will include the attribute values of the attributes that have been stored in the database of the identity provider 104.
  • An example ManageAttributeResponse message is given below. The message given below is only an example of the format and content of a ManageAttributeResponse message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
  • NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  • the identity provider 104 passes 205 the ManageAttributeResponse to the service provider 103.
  • the ManageAttributeResponse may be passed to the service provider 103 as an HTTP redirect via the user device 102.
  • the service provider 103 on receipt of the ManageAttributeResponse can check and verify 206 that the attributes have been correctly stored in the database of the identity provider 104.
  • the attribute values for the user attributes included in the ManageAttributeResponse from the identity provider 104 were retrieved from the database of the identity provider after the attribute values were stored in the database.
  • the service provider can determine that the correct attribute values were stored in the identity provider's database.
  • the service provider 103 may then send 207 a message to the user device 102 to inform the user 105 that the attribute values of the user attributes the user requested to change or store were successfully (or not) stored at the identity provider 104.
  • the embodiments of the present invention provide a new mechanism that enables user attributes to be stored in a database of the identity provider rather than stored by the service provider.
  • the embodiments also provide a new mechanism for editing or changing specific attributes stored in a database of the identity provider.
  • the embodiments of the present invention provide several advantages over the conventional systems which, as discussed hereinabove, do not enable a user of a service provider to store attributes directly to the identity provider's database or enable a user to change specific attributes stored in the identity provider's database via a service provider.
  • One advantage is that by storing user attributes in a database of the identity provider the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently. Furthermore, by providing the capability for a user to change attributes stored in a database of the identity provider, the user does not have to manually change the same attribute for each of the service providers with which the user has an account.

Abstract

Methods and apparatus are described which enable user attributes to be stored and managed at an identity provider (104). A service provider (103) may pass (203) a manage attribute request which includes attribute values of at least one attribute to the identity provider (104). The identity provider (104) stores (204) the attribute values and returns (205) a manage attribute response message to the service provider (103).

Description

Attribute Management
The present invention relates to attribute management in an identity management system.
More and more services and applications are becoming available on the Internet, and many of these services and applications require authentication. One approach that has been developed to assist users to access multiple services and applications, each requiring separate authentication procedures, involves the use of identity federation.
Federated identity management, or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise autonomous security domains. A goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, and without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience.
Security Assertion Markup Language (SAML) is an XML (Extensible Markup Language) standard for exchanging authentication and authorisation data between security domains. For example, SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a specification defined by the OASIS (Organization for the Advancement of Structured Information Standards). The SAML protocol currently provides two methods that enable a service provider to retrieve attributes relating to a user that has been authenticated by an identity provider.
The first method is an Attribute-Push-Method in which the identity provider can send attribute information within the SAML assertion provided in response to the service provider's user authentication request.
The second method is an Attribute-Pull-Method in which the service provider can use an AttributeAuthority message or an AttributeQuery message to retrieve information regarding user attributes from the identity provider once the user has been authenticated by the identity provider.
In both methods described hereinabove, the service provider can only obtain information relating to the attributes of the user logged into the service provider. There currently exists no mechanism to enable a service provider to transmit user attributes to be stored at the identity provider.
However, a problem with the conventional systems and methods is that there currently exists no mechanism to enable a service provider to transmit user attributes to be stored at the identity provider. This is particularly disadvantageous as the user cannot reuse a single profile containing user attributes, such as layout, preferred e-mail address etc., for different service providers. In current systems and methods the user will only be able to store attributes and change those attributes locally at each service provider, meaning that the user will have to enter and change the same attributes multiple times in order to ensure they are consistent for each of the different service providers the user has an account with. However, a further problem can arise when storing attributes at the service provider. If a user creates a temporary or transient account with a service provider then the user cannot reuse the attributes relating to the temporary or transient account when the user next logs on to the service provider. This is because, by the very nature of a temporary or transient account, the next time the user logs on to the service provider the user will have a different username and so the service provider will not be able to link the attributes for a user's temporary account with the user's permanent account.
The present invention seeks to address at least some of the problems outlined above.
According to a first aspect of the present invention there is provided a method comprising the steps of: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
Thus, many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be transmitted to an identity provider where the identity provider may store the attribute values for the attributes. A service provider may transmit the attribute values to the identity provider in a manage attribute request which requests the identity provider stores the attribute values for the at least one attribute. A response will be received from the identity provider that includes the stored attribute values for the attributes. An advantage of many embodiments of the present invention is that by storing the attribute values at the identity provider the attribute values may be used for several different service providers without the user having to enter or change those attributes at each service provider.
The method may further comprise the step of: receiving a request from a user to store at the identity provider the attribute value for at least one attribute. Thus, a user can initiate the process of storing specific attribute values at the identity provider. A user may, for example, fill in a form via a web browser on a user device identifying the attributes and the corresponding attribute value that the user wishes to change or store at the identity provider.
The method may further comprise the step of: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request. Thus, as the manage attribute response from the identity provider includes the attribute values that have been stored, it can be determined whether the attribute values for the attributes have been stored correctly or successfully. For example, if the stored attribute values do not match the attribute values that were included in the manage attribute request then it may be determined that an error has occurred in storing the attribute values at the identity provider. Once it has been determined whether or not the attribute values for the attributes have been successfully stored, the method may further comprise transmitting a message to a user device where the message informs the user whether or not the attributes were successfully stored.
A user of a service provider may have a profile that includes several attributes. The profile will include attributes relating to the user and attributes relating to the service provider that the user has an account with. User related attributes may define aspects relating to the user, for example, given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on. Service provider related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have, for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
The manage attribute request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; and the manage attribute response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
According to a second aspect of the present invention there is provided an apparatus comprising: an output adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and a first input adapted to receive a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
According to a third aspect of the present invention there is provided an apparatus adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receive a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
The apparatus may be further adapted, for example, by comprising a second input, to receive a request from a user to store at the identity provider the attribute value for at least one attribute. The apparatus may be further adapted, for example, by comprising a processor, to determine if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request. The apparatus may be further adapted, for example, by comprising a second output, to transmit a message to the user where the message indicates whether or not the attribute values were successfully or correctly stored at the identity provider. The apparatus may be a server or a computing device. The apparatus may be operated by a service provider. The first input and the second input may be the same input or different inputs to the apparatus. Similarly, the first output and the second output may be the same output or different outputs of the apparatus.
As a skilled person in the art will appreciate, the apparatus may be adapted to perform the functions in many different ways. For example, the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
According to a fourth aspect of the present invention there is provided a computer program or a computer program product comprising computer readable executable code for: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
The computer program product may further comprise computer readable executable code for: receiving a request from a user to store at the identity provider the attribute value for at least one attribute.
The computer program product may further comprise computer readable executable code for: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
According to a fifth aspect of the present invention there is provided a method comprising the steps of: receiving a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
Thus, many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be received from a service provider, which are then stored in a database. Once the attribute values have been stored in the database a manage attribute response may be generated and transmitted to the service provider where the response includes the stored attribute values.
This may enable the service provider to verify and check that the stored attribute values match the attribute values in the manage attribute request. An identity provider may receive the manage attribute request from the service provider, the database may be located at the identity provider and the identity provider may generate and transmit the manage attribute response. The manage attribute request may be in accordance with the Security Assertion Markup Language protocol; and the manage attribute response may be in accordance with the Security Assertion Markup Language protocol.
According to a sixth aspect of the present invention there is provided an apparatus comprising an input adapted to receive a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; a processor adapted to store said attribute value for said at least one attribute in a database; and an output adapted to transmit a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
According to a seventh aspect of the present invention there is provided an apparatus adapted to: receive a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; store the attribute value for the at least one attribute in a database; and transmit a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
The apparatus may be a server or a computing device. The apparatus may be operated by an identity provider.
As a skilled person in the art will appreciate, the apparatus may be adapted to perform the functions in many different ways. For example, the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
According to an eighth aspect of the present invention there is provided a computer program or computer program product comprising computer readable executable code for: receiving a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
An advantage of many embodiments of the present invention is that a new mechanism is provided which enables user attributes to be stored in a database of the identity provider where the process is initiated by a service provider. A further advantage of many embodiments of the present invention is that by storing user attributes in a database of the identity provider the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently. Furthermore, by providing the capability for the user attributes stored in a database of the identity provider to be changed, the user does not have to manually change the same attribute for each of the service providers with which the user has an account, as the changed attribute values at the identity provider may be used by all service providers.
Embodiments of the present invention will now be described, by way of example only, and with reference to the accompanying drawings in which:
Figure 1 is a block diagram of an identity management system in accordance with the aspects of the present invention.
Figure 2 shows a message sequence in accordance with aspects of the present invention.
Figure 1 shows a system, indicated generally by the reference numeral 101, comprising an end user 105, a user device 102, a service provider 103 and an identity provider 104. When the end user 105 of the system 101 wants to access a secure resource, service or application at the service provider 103, and the service provider 103 requires the user's identity to be authenticated, the identity provider 104 can be used to provide the required authentication information to the service provider 103.
The user device may comprise inputs and outputs 106 in order to receive and transmit messages and data. The user device may be a computing device, such as a computer, or a mobile device, such as a mobile phone or personal digital assistant. The service provider 103 may include a server or computing device that may comprise inputs and outputs 107 and processors 108. The identity provider 104 may include a server or computing device that may comprise inputs and outputs 109 and processors 110. In an exemplary use of the system 101, SAML assumes that the user 105 has enrolled with at least one identity provider (such as the identity provider 104). The identity provider 104 is expected to provide local authentication services to the user 105. The service provider 103 relies on the identity provider 104 to identify the user 105. When a user 105 wants to access a service that is provided by a service provider 103 who has a contract with the identity provider 104 (i.e. the service provider 103 and the identity provider 104 form at least part of a circle of trust), the service provider 103 requests a user authentication from the identity provider 104. In response to the service provider's request, the identity provider 104 passes a SAML assertion to the service provider 103. On the basis of this assertion, the service provider 103 can make decisions; for example, the service provider 103 can decide whether to grant access to the resources, services or applications requested by the user 105.
If the user 105 has been authenticated then the user 105 is logged in to the service provider 103 and can access the services, resources and/or applications that the user 105 wishes to use.
Once a user 105 has logged in to the service provider 103 then the embodiments of the present invention provide a new mechanism to enable the user 105 to store and/or change user specific attributes and user's service provider attributes in an identity provider's database via the service provider.
A user 105 will have a profile that includes several attributes. The profile will include attributes relating to the user and attributes relating to each of the service providers that the user has an account with. User related attributes may define aspects relating to the user, for example, given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on. Service provider related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have, for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
The attributes defining a user profile may be stored in a database at the identity provider. If an attribute value does not exist in the database for a particular attribute then this can be created by storing an attribute value for the particular attribute. If an attribute doesn't exist then an attribute can be created by storing the attribute along with a corresponding attribute value in the database. If an attribute value for a particular attribute exists and a user wishes to change the attribute value then this can be performed by storing the new attribute value in place of the previous attribute value for the particular attribute in the database. In other words, the user may add or change any attribute relating to the user or to the user's account with a service provider by storing the appropriate attribute value in a database at the identity provider.
Figure 2 shows an exemplary message sequence, indicated generally by the reference numeral 201, demonstrating the process of storing attribute values relating to a user's profile at the identity provider in accordance with the embodiments.
The message sequence 201 starts with the end user 105 sending a message 202 to the service provider 103 via a user device 102 (for example using a web browser) requesting to add or change an attribute of the user's profile. The user 105 may request to change or add attributes by, for example, entering data into a form on the service provider 103. The service provider 103 will then generate a new message called ManageAttributeRequest which will include an AttributeStatement block which includes at least one attribute value for one or more attributes that the user 105 wishes to change or store at the identity provider 104.
For example, if a user requests to change their given name to "Tom" and to change their e-mail address to "trscavo@gmail.com" then an example ManageAttributeRequest message is given below. The message given below is only an example of the format and content of a ManageAttributeRequest message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
<samlp:ManageAttributeRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <saml:Issuer
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
    C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
  </saml:Issuer>
  <saml:Subject>
    <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:2.5.4.42"
        FriendlyName="givenName">
      <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
        FriendlyName="mail">
      <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</samlp:ManageAttributeRequest>
The service provider passes 203 the ManageAttributeRequest to the identity provider 104. The ManageAttributeRequest may be passed to the identity provider as an HTTP redirect via the user device 102. The identity provider 104, on receipt of the ManageAttributeRequest, will process 204 the request and store the identified attribute values for the identified user attributes in a database of the identity provider 104. An attribute value may be changed by storing the new attribute value in place of the previous attribute value for the particular attribute.
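The paragraph above says the ManageAttributeRequest may reach the identity provider as an HTTP redirect through the user's browser, but does not say how the XML is carried in the redirect. The following is an added example, not code from the patent or from Nokia Siemens Networks, showing one way to do it: the raw-DEFLATE, base64 and query-string encoding is the SAML 2.0 HTTP-Redirect binding's convention and is an assumption relative to the page, as are the function names, the idp.example.invalid endpoint and the URL length budget.

```python
"""Carrying a ManageAttributeRequest to the identity provider as an HTTP redirect.

Added example (not the patent's code). The encoding follows the SAML 2.0
HTTP-Redirect binding; everything else here is constructed for illustration.
"""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_REDIRECT_URL = 2048  # conservative URL length budget (constructed figure)


def deflate_b64(xml_bytes):
    """Raw DEFLATE (no zlib header or trailer), then base64, as the binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def inflate_b64(text):
    """Inverse of deflate_b64."""
    return zlib.decompress(base64.b64decode(text), -15)


def build_redirect_url(idp_endpoint, request_xml, relay_state):
    """Service provider side: the Location the user's browser is redirected to."""
    query = urlencode({"SAMLRequest": deflate_b64(request_xml.encode("utf-8")),
                       "RelayState": relay_state})
    url = f"{idp_endpoint}?{query}"
    if len(url) > MAX_REDIRECT_URL:
        # A large attribute set will not fit in a URL; a POST-style carriage is needed.
        raise ValueError("request too large for an HTTP redirect")
    return url


def receive_redirect(url):
    """Identity provider side: recover the request XML and RelayState from the URL."""
    params = parse_qs(urlsplit(url).query)
    request_xml = inflate_b64(params["SAMLRequest"][0]).decode("utf-8")
    return request_xml, params.get("RelayState", [None])[0]
```

Because the redirect passes through the user device, the identity provider receives the message from the browser rather than directly from the service provider it trusts; the SAML redirect binding therefore also carries a signature over the query string so the identity provider can check which service provider issued the request, and that signature is deliberately left out of this encoding-only example.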
Once the identity provider 104 has stored the identified attributes in a database the identity provider 104 will generate a ManageAttributeResponse message that includes an AttributeStatement block. The AttributeStatement block will include the attribute values of the attributes that have been stored in the database of the identity provider 104. An example ManageAttributeResponse message is given below. The message given below is only an example of the format and content of a ManageAttributeResponse message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
<samlp:ManageAttributeResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <saml:Assertion
      MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678"
      Issuer="Smith Corporation">
    <saml:Issuer
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      http://idm.nsn.com
    </saml:Issuer>
    <saml:Subject>
      <saml:NameID
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
      </saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42"
          FriendlyName="givenName">
        <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
          FriendlyName="mail">
        <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
</samlp:ManageAttributeResponse>
The identity provider 104 passes 205 the ManageAttributeResponse to the service provider 103. The ManageAttributeResponse may be passed to the service provider 103 as an HTTP redirect via the user device 102. The service provider 103, on receipt of the ManageAttributeResponse, can check and verify 206 that the attributes have been correctly stored in the database of the identity provider 104. The attribute values for the user attributes included in the ManageAttributeResponse from the identity provider 104 were retrieved from the database of the identity provider after the attribute values were stored in the database. Thus, by comparing the attribute values included in the ManageAttributeResponse with the attribute values included in the ManageAttributeRequest that was originally passed from the service provider to the identity provider, the service provider can determine that the correct attribute values were stored in the identity provider's database. The service provider 103 may then send 207 a message to the user device 102 to inform the user 105 whether the attribute values of the user attributes the user requested to change or store were successfully stored at the identity provider 104.
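The message sequence just described (the service provider building the request at 203, the identity provider storing values and echoing them back at 204 and 205, and the comparison at 206), together with the create-or-overwrite storage rule given earlier for the identity provider's database, as an added example in Python. This is not code from the patent or from Nokia Siemens Networks: element names and namespaces follow the page's example messages, while the in-memory dictionary database, the function and class names, the request ID, the service provider issuer string and the truncating identity provider used to show a failed store are constructed for this illustration.

```python
"""Model of the ManageAttributeRequest / ManageAttributeResponse exchange.

Added example (not the patent's or Nokia Siemens Networks' code). Element
names and namespaces follow the page's messages; the in-memory database,
helper names, request ID and service provider issuer are constructed.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NAMEID_X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ATTRNAME_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("xsi", XSI)):
    ET.register_namespace(_prefix, _uri)

# Subject and attribute names taken from the page's example messages.
SUBJECT = "C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu"
GIVEN_NAME = "urn:oid:2.5.4.42"
MAIL = "urn:oid:1.3.6.1.4.1.1466.115.121.1.26"


def _attribute_statement(parent, attributes):
    """Append an AttributeStatement carrying {Name: value} pairs to parent."""
    stmt = ET.SubElement(parent, f"{{{SAML}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                             Name=name, NameFormat=ATTRNAME_URI)
        val = ET.SubElement(attr, f"{{{SAML}}}AttributeValue")
        val.set(f"{{{XSI}}}type", "xs:string")
        val.text = value
    return stmt


def build_manage_attribute_request(subject, attributes, request_id):
    """Service provider side (message 203): ask the IdP to store these values."""
    root = ET.Element(f"{{{SAMLP}}}ManageAttributeRequest",
                      ID=request_id, Version="2.0")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = "https://sp.example.invalid"  # constructed
    subj = ET.SubElement(root, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format=NAMEID_X509).text = subject
    _attribute_statement(root, attributes)
    return ET.tostring(root, encoding="unicode")


def parse_attributes(xml_text):
    """Return (subject, {Name: value}) from either a request or a response."""
    root = ET.fromstring(xml_text)
    subject = root.find(f".//{{{SAML}}}NameID").text.strip()
    attrs = {a.get("Name"): a.find(f"{{{SAML}}}AttributeValue").text
             for a in root.iter(f"{{{SAML}}}Attribute")}
    return subject, attrs


class IdentityProvider:
    """Identity provider with an in-memory profile database (constructed)."""

    def __init__(self):
        self.db = {}  # subject -> {attribute Name: stored value}

    def store(self, subject, requested):
        """Create missing attributes, overwrite existing ones, then re-read them."""
        profile = self.db.setdefault(subject, {})
        profile.update(requested)
        return {name: profile[name] for name in requested}

    def handle_manage_attribute_request(self, xml_text):
        """Step 204: store the values and answer with what the database now holds."""
        subject, requested = parse_attributes(xml_text)
        return self._build_response(subject, self.store(subject, requested))

    def _build_response(self, subject, stored):
        root = ET.Element(f"{{{SAMLP}}}ManageAttributeResponse", Version="2.0")
        assertion = ET.SubElement(root, f"{{{SAML}}}Assertion")
        subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID", Format=NAMEID_X509).text = subject
        _attribute_statement(assertion, stored)
        status = ET.SubElement(root, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_SUCCESS)
        return ET.tostring(root, encoding="unicode")


class TruncatingIdentityProvider(IdentityProvider):
    """Constructed failure mode: a database field that silently truncates values."""

    def store(self, subject, requested):
        return super().store(subject, {n: v[:8] for n, v in requested.items()})


def verify_stored(request_xml, response_xml):
    """Step 206: compare the echoed values with the requested ones.
    Returns (ok, names of attributes whose stored value differs)."""
    req_subject, requested = parse_attributes(request_xml)
    resp_subject, stored = parse_attributes(response_xml)
    if req_subject != resp_subject:
        return False, sorted(requested)  # response is about a different subject
    mismatched = sorted(n for n, v in requested.items() if stored.get(n) != v)
    return not mismatched, mismatched


def run_exchange(attributes, idp):
    """Run steps 203 to 206 for one request; returns (ok, mismatched names)."""
    request = build_manage_attribute_request(SUBJECT, attributes, "_req-0001")  # constructed ID
    response = idp.handle_manage_attribute_request(request)
    return verify_stored(request, response)
```

Running `run_exchange({GIVEN_NAME: "Tom", MAIL: "trscavo@gmail.com"}, IdentityProvider())` returns `(True, [])`, and a second request for the same subject overwrites only the attributes it names, as the page describes. The check at 206 compares only the attributes the service provider asked to store, keyed by Name, and also confirms the response names the same subject; with the TruncatingIdentityProvider the e-mail value comes back as "trscavo@", the comparison fails for the mail attribute, and the service provider has exactly the information it needs for the "not stored" message sent at 207.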
Accordingly, the embodiments of the present invention provide a new mechanism that enables user attributes to be stored in a database of the identity provider rather than stored by the service provider. The embodiments also provide a new mechanism for editing or changing specific attributes stored in a database of the identity provider.
Thus, the embodiments of the present invention provide several advantages over the conventional systems which, as discussed hereinabove, do not enable a user of a service provider to store attributes directly to the identity provider's database or enable a user to change specific attributes stored in the identity provider's database via a service provider.
One advantage is that by storing user attributes in a database of the identity provider the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently. Furthermore, by providing the capability for a user to change attributes stored in a database of the identity provider, the user does not have to manually change the same attribute for each of the service providers with which the user has an account.
While preferred embodiments of the invention have been shown and described, it will be understood that such embodiments are described by way of example only. Numerous variations, changes and substitutions will occur to those skilled in the art without departing from the scope of the present invention as defined by the appended claims. For example, although the invention has been described with reference to the SAML standard, other implementations are possible. Accordingly, it is intended that the following claims cover all such variations or equivalents as fall within the spirit and the scope of the invention.

Claims
1. A method comprising the steps of: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
2. The method as claimed in claim 1 further comprising the step of: receiving a request from a user to store at said identity provider said attribute value for at least one attribute.
3. The method as claimed in claim 1 or 2 further comprising the step of: determining if said stored attribute value for said at least one attribute included in said manage attribute response matches said attribute value for said at least one attribute included in said manage attribute request.
4. The method as claimed in any one of the preceding claims in which said manage attribute request is compatible with Security Assertion Markup Language protocol; and said manage attribute response is compatible with Security Assertion Markup Language protocol.
5. An apparatus comprising: an output adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and a first input adapted to receive a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
6. The apparatus as claimed in claim 5 further comprising: a second input adapted to receive a request from a user to store at said identity provider said attribute value for at least one attribute.
7. The apparatus as claimed in claim 5 or 6 further comprising: a processor adapted to determine if said stored attribute value for said at least one attribute included in said manage attribute response matches said attribute value for said at least one attribute included in said manage attribute request.
8. A computer program product comprising computer readable executable code for: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
9. The computer program product as claimed in claim 8 further comprising computer readable executable code for: receiving a request from a user to store at said identity provider said attribute value for at least one attribute.
10. The computer program product as claimed in claim 8 or 9 further comprising computer readable executable code for: determining if said stored attribute value for said at least one attribute included in said manage attribute response matches said attribute value for said at least one attribute included in said manage attribute request.
11. A method comprising the steps of: receiving a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; storing said attribute value for said at least one attribute in a database; and transmitting a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
12. The method as claimed in claim 11 in which said manage attribute request is compatible with Security Assertion Markup Language protocol; and said manage attribute response is compatible with Security Assertion Markup Language protocol.
13. An apparatus comprising: an input adapted to receive a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; a processor adapted to store said attribute value for said at least one attribute in a database; and an output adapted to transmit a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
14. A computer program product comprising computer readable executable code for: receiving a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; storing said attribute value for said at least one attribute in a database; and transmitting a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
PCT/EP2009/058060 2009-06-26 2009-06-26 Attribute management WO2010149222A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/058060 WO2010149222A1 (en) 2009-06-26 2009-06-26 Attribute management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/058060 WO2010149222A1 (en) 2009-06-26 2009-06-26 Attribute management

Publications (1)

Publication Number Publication Date
WO2010149222A1 true WO2010149222A1 (en) 2010-12-29

Family

ID=42040338

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2009/058060 WO2010149222A1 (en) 2009-06-26 2009-06-26 Attribute management

Country Status (1)

Country Link
WO (1) WO2010149222A1 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014039882A1 (en) * 2012-09-07 2014-03-13 Oracle International Corporation Ldap-based multi-tenant in-cloud identity management system
US9015114B2 (en) 2012-09-07 2015-04-21 Oracle International Corporation Data synchronization in a cloud infrastructure
US9053302B2 (en) 2012-06-08 2015-06-09 Oracle International Corporation Obligation system for enterprise environments
US9253113B2 (en) 2012-09-07 2016-02-02 Oracle International Corporation Customizable model for throttling and prioritizing orders in a cloud environment
US9276942B2 (en) 2012-09-07 2016-03-01 Oracle International Corporation Multi-tenancy identity management system
US9467355B2 (en) 2012-09-07 2016-10-11 Oracle International Corporation Service association model
US9542400B2 (en) 2012-09-07 2017-01-10 Oracle International Corporation Service archive support
US9608958B2 (en) 2013-03-12 2017-03-28 Oracle International Corporation Lightweight directory access protocol (LDAP) join search mechanism
US9621435B2 (en) 2012-09-07 2017-04-11 Oracle International Corporation Declarative and extensible model for provisioning of cloud based services
US9667470B2 (en) 2012-09-07 2017-05-30 Oracle International Corporation Failure handling in the execution flow of provisioning operations in a cloud environment
US10148530B2 (en) 2012-09-07 2018-12-04 Oracle International Corporation Rule based subscription cloning
US10164901B2 (en) 2014-08-22 2018-12-25 Oracle International Corporation Intelligent data center selection
US10521746B2 (en) 2012-09-07 2019-12-31 Oracle International Corporation Recovery workflow for processing subscription orders in a computing infrastructure system
EP3928211A4 (en) * 2019-02-19 2022-11-02 CloudBlue LLC System and method for bulk user service assignment using csv

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030149781A1 (en) * 2001-12-04 2003-08-07 Peter Yared Distributed network identity
US20040128378A1 (en) * 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for user-determined attribute storage in a federated environment
US20060236382A1 (en) * 2005-04-01 2006-10-19 Hinton Heather M Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
OASIS: "Security Assertion Markup Language(SAML) V2.0 Technical Overview", vol. Committee Draft 02, 25 March 2008 (2008-03-25), http://www.oasis-open.org/, XP002578461, Retrieved from the Internet <URL:http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.pdf> [retrieved on 20100414] *
SHOICHIROU FUJIWARA ET AL: "A Privacy Oriented Extension of Attribute Exchange in Shibboleth", APPLICATIONS AND THE INTERNET WORKSHOPS, 2007. SAINT WORKSHOPS 2007. INTERNATIONAL SYMPOSIUM ON, IEEE, PI, 1 January 2007 (2007-01-01), pages 28 - 28, XP031044122, ISBN: 978-0-7695-2757-4 *

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9053302B2 (en) 2012-06-08 2015-06-09 Oracle International Corporation Obligation system for enterprise environments
US9058471B2 (en) 2012-06-08 2015-06-16 Oracle International Corporation Authorization system for heterogeneous enterprise environments
US10009219B2 (en) 2012-09-07 2018-06-26 Oracle International Corporation Role-driven notification system including support for collapsing combinations
WO2014039882A1 (en) * 2012-09-07 2014-03-13 Oracle International Corporation Ldap-based multi-tenant in-cloud identity management system
US9619540B2 (en) 2012-09-07 2017-04-11 Oracle International Corporation Subscription order generation for cloud services
US9203866B2 (en) 2012-09-07 2015-12-01 Oracle International Corporation Overage framework for cloud services
US9219749B2 (en) 2012-09-07 2015-12-22 Oracle International Corporation Role-driven notification system including support for collapsing combinations
US9253113B2 (en) 2012-09-07 2016-02-02 Oracle International Corporation Customizable model for throttling and prioritizing orders in a cloud environment
US9276942B2 (en) 2012-09-07 2016-03-01 Oracle International Corporation Multi-tenancy identity management system
US9319269B2 (en) 2012-09-07 2016-04-19 Oracle International Corporation Security infrastructure for cloud services
US9397884B2 (en) 2012-09-07 2016-07-19 Oracle International Corporation Workflows for processing cloud services
US9467355B2 (en) 2012-09-07 2016-10-11 Oracle International Corporation Service association model
US9501541B2 (en) 2012-09-07 2016-11-22 Oracle International Corporation Separation of pod provisioning and service provisioning
US9542400B2 (en) 2012-09-07 2017-01-10 Oracle International Corporation Service archive support
US9069979B2 (en) 2012-09-07 2015-06-30 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
US11075791B2 (en) 2012-09-07 2021-07-27 Oracle International Corporation Failure handling in the execution flow of provisioning operations in a cloud environment
US10581867B2 (en) 2012-09-07 2020-03-03 Oracle International Corporation Multi-tenancy identity management system
US9667470B2 (en) 2012-09-07 2017-05-30 Oracle International Corporation Failure handling in the execution flow of provisioning operations in a cloud environment
US9734224B2 (en) 2012-09-07 2017-08-15 Oracle International Corporation Data synchronization in a cloud infrastructure
US9792338B2 (en) 2012-09-07 2017-10-17 Oracle International Corporation Role assignments in a cloud infrastructure
US9838370B2 (en) 2012-09-07 2017-12-05 Oracle International Corporation Business attribute driven sizing algorithms
US9015114B2 (en) 2012-09-07 2015-04-21 Oracle International Corporation Data synchronization in a cloud infrastructure
US10148530B2 (en) 2012-09-07 2018-12-04 Oracle International Corporation Rule based subscription cloning
US9621435B2 (en) 2012-09-07 2017-04-11 Oracle International Corporation Declarative and extensible model for provisioning of cloud based services
US10212053B2 (en) 2012-09-07 2019-02-19 Oracle International Corporation Declarative and extensible model for provisioning of cloud based services
US10521746B2 (en) 2012-09-07 2019-12-31 Oracle International Corporation Recovery workflow for processing subscription orders in a computing infrastructure system
US9608958B2 (en) 2013-03-12 2017-03-28 Oracle International Corporation Lightweight directory access protocol (LDAP) join search mechanism
US10164901B2 (en) 2014-08-22 2018-12-25 Oracle International Corporation Intelligent data center selection
EP3928211A4 (en) * 2019-02-19 2022-11-02 CloudBlue LLC System and method for bulk user service assignment using csv

Similar Documents

Publication Publication Date Title
WO2010149222A1 (en) Attribute management
EP1700416B1 (en) Access control for federated identities
US8117459B2 (en) Personal identification information schemas
US8104074B2 (en) Identity providers in digital identity system
US8060632B2 (en) Method and system for user-determined attribute storage in a federated environment
US8707412B2 (en) Application identity design
CN106716960B (en) User authentication method and system
US20100077467A1 (en) Authentication service for seamless application operation
CN101426009A (en) Identity management platform, service server, uniform login system and method
CN106716918B (en) User authentication method and system
CN104255007A (en) Oauth framework
JP5422753B1 (en) Policy management system, ID provider system, and policy evaluation apparatus
US20130185809A1 (en) System for delegation of authority, access management service system, medium, and method for controlling the system for delegation of authority
EP1532545A1 (en) Method and system for managing cookies according to a privacy policy
JP2013137588A (en) Integrated authentication system and id provider device
WO2003091861A9 (en) Identity management system using single sign-on
US10601809B2 (en) System and method for providing a certificate by way of a browser extension
JP5565408B2 (en) ID authentication system, ID authentication method, authentication server, terminal device, authentication method of authentication server, communication method of terminal device, and program
EP2207303B1 (en) Method, system and entity for bill authentication in network serving
US20100250607A1 (en) Personal information management apparatus and personal information management method
JP2011197874A (en) Server apparatus and program
CN113411324B (en) Method and system for realizing login authentication based on CAS and third-party server
CN107864114B (en) Group insurance account login method and system
EP3343494A1 (en) Electronic signature of transactions between users and remote providers by use of two-dimensional codes
CN103001775A (en) Enterprise service bus (ESB) based system and method for safety management

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09779977

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09779977

Country of ref document: EP

Kind code of ref document: A1