WO2010149222A1 - Attribute management - Google Patents
- Publication number
- WO2010149222A1 (PCT application PCT/EP2009/058060)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- attribute
- manage
- user
- request
- value
Classifications
- H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/306 User profiles (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/2866 Architectures, arrangements; H04L67/30 Profiles)
- H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities (under H04L63/00 Network architectures or network communication protocols for network security)
- H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00; H04L67/01 Protocols)
Definitions
- The present invention relates to attribute management in an identity management system.
- Federated identity management, or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise autonomous security domains.
- A goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, and without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience.
- SAML: Security Assertion Markup Language
- XML: Extensible Markup Language
- SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
- SAML is a specification defined by OASIS (Organization for the Advancement of Structured Information Standards).
- The SAML protocol currently provides two methods that enable a service provider to retrieve attributes relating to a user that has been authenticated by an identity provider.
- The first method is an Attribute-Push method, in which the identity provider sends attribute information within the SAML assertion returned in response to the service provider's user authentication request.
- The second method is an Attribute-Pull method, in which the service provider sends a SAML AttributeQuery message to the identity provider (acting as an attribute authority) to retrieve information regarding the user's attributes once the user has been authenticated by the identity provider.
- In both methods, the service provider can only read the attributes of the user logged in to the service provider; neither method lets the service provider write attributes to the identity provider.
- A problem with the conventional systems and methods is that there currently exists no mechanism to enable a service provider to transmit user attributes to be stored at the identity provider. This is particularly disadvantageous, as the user cannot reuse a single profile containing user attributes, such as layout or preferred e-mail address, across different service providers. In current systems and methods the user can only store attributes, and change those attributes, locally at each service provider, meaning that the user has to enter and change the same attributes multiple times to keep them consistent across the different service providers the user has an account with. A further problem can arise when storing attributes at the service provider.
- If a user creates a temporary or transient account with a service provider, then the user cannot reuse the attributes relating to that temporary or transient account when the user next logs on to the service provider. This is because, by the very nature of a temporary or transient account, the next time the user logs on to the service provider the user will have a different username, so the service provider will not be able to link the attributes of the user's temporary account with the user's permanent account.
- The present invention seeks to address at least some of the problems outlined above.
- A method comprising the steps of: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
- Many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be transmitted to an identity provider, where the identity provider may store the attribute values for the attributes.
- A service provider may transmit the attribute values to the identity provider in a manage attribute request, which requests that the identity provider store the attribute values for the at least one attribute.
- A response will be received from the identity provider that includes the stored attribute values for the attributes.
- The method may further comprise the step of: receiving a request from a user to store at the identity provider the attribute value for at least one attribute.
- Thus a user can initiate the process of storing specific attribute values at the identity provider.
- A user may, for example, fill in a form via a web browser on a user device identifying the attributes and the corresponding attribute values that the user wishes to change or store at the identity provider.
- The method may further comprise the step of: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
- Because the manage attribute response from the identity provider includes the attribute values that have actually been stored, it can be determined whether the attribute values for the attributes have been stored correctly. For example, if the stored attribute values do not match the attribute values that were included in the manage attribute request, then it may be determined that an error has occurred in storing the attribute values at the identity provider.
- The method may further comprise transmitting a message to a user device, where the message informs the user whether or not the attributes were successfully stored.
- A user of a service provider may have a profile that includes several attributes.
- The profile will include attributes relating to the user and attributes relating to the service provider that the user has an account with.
- User-related attributes may define aspects relating to the user, for example given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on.
- Service-provider-related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have; for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
- The manage attribute request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; and the manage attribute response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
- An apparatus comprising: an output adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and a first input adapted to receive a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
- An apparatus adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receive a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
- The apparatus may be further adapted, for example by comprising a second input, to receive a request from a user to store at the identity provider the attribute value for at least one attribute.
- The apparatus may be further adapted, for example by comprising a processor, to determine if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
- The apparatus may be further adapted, for example by comprising a second output, to transmit a message to the user, where the message indicates whether or not the attribute values were successfully or correctly stored at the identity provider.
- The apparatus may be a server or a computing device.
- The apparatus may be operated by a service provider.
- The first input and the second input may be the same input or different inputs of the apparatus.
- The first output and the second output may be the same output or different outputs of the apparatus.
- The apparatus may be adapted to perform the functions in many different ways.
- The apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code, in order to enable the apparatus to perform the necessary functions and tasks.
- A computer program or a computer program product comprising computer readable executable code for: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
- The computer program product may further comprise computer readable executable code for: receiving a request from a user to store at the identity provider the attribute value for at least one attribute.
- The computer program product may further comprise computer readable executable code for: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
- The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
- A method comprising the steps of: receiving a manage attribute request from a service provider, wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider, wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
- Many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be received from a service provider and then stored in a database. Once the attribute values have been stored in the database, a manage attribute response may be generated and transmitted to the service provider, where the response includes the stored attribute values.
- An identity provider may receive the manage attribute request from the service provider, the database may be located at the identity provider, and the identity provider may generate and transmit the manage attribute response.
- The manage attribute request may be in accordance with the Security Assertion Markup Language protocol; and the manage attribute response may be in accordance with the Security Assertion Markup Language protocol.
- An apparatus comprising: an input adapted to receive a manage attribute request from a service provider, wherein said manage attribute request includes an attribute value for at least one attribute; a processor adapted to store said attribute value for said at least one attribute in a database; and an output adapted to transmit a manage attribute response to said service provider, wherein said manage attribute response includes said stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
- An apparatus adapted to: receive a manage attribute request from a service provider, wherein the manage attribute request includes an attribute value for at least one attribute; store the attribute value for the at least one attribute in a database; and transmit a manage attribute response to the service provider, wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
- The apparatus may be a server or a computing device.
- The apparatus may be operated by an identity provider.
- The apparatus may be adapted to perform the functions in many different ways.
- The apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code, in order to enable the apparatus to perform the necessary functions and tasks.
- A computer program or computer program product comprising computer readable executable code for: receiving a manage attribute request from a service provider, wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider, wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
- The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
- An advantage of many embodiments of the present invention is that a new mechanism is provided which enables user attributes to be stored in a database of the identity provider, where the process is initiated by a service provider.
- A further advantage of many embodiments of the present invention is that, by storing user attributes in a database of the identity provider, the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently.
- If the user attributes stored in a database of the identity provider are to be changed, then the user does not have to manually change the same attribute for each of the service providers with which the user has an account, as the changed attribute values at the identity provider may be used by all service providers.
- FIG. 1 is a block diagram of an identity management system in accordance with the aspects of the present invention.
- FIG. 2 shows a message sequence in accordance with aspects of the present invention.
- Figure 1 shows a system, indicated generally by the reference numeral 101, comprising an end user 105, a user device 102, a service provider 103 and an identity provider 104.
- When the end user 105 of the system 101 wants to access a secure resource, service or application at the service provider 103, and the service provider 103 requires the user's identity to be authenticated, the identity provider 104 can be used to provide the required authentication information to the service provider 103.
- The user device may comprise inputs and outputs 106 in order to receive and transmit messages and data.
- The user device may be a computing device, such as a computer, or a mobile device, such as a mobile phone or personal digital assistant.
- The service provider 103 may include a server or computing device that may comprise inputs and outputs 107 and processors 108.
- The identity provider 104 may include a server or computing device that may comprise inputs and outputs 109 and processors 110.
- SAML assumes that the user 105 has enrolled with at least one identity provider (such as the identity provider 104).
- The identity provider 104 is expected to provide local authentication services to the user 105.
- The service provider 103 relies on the identity provider 104 to identify the user 105.
- When a user 105 wants to access a service that is provided by a service provider 103 who has a contract with the identity provider 104 (i.e. the service provider 103 and the identity provider 104 form at least part of a circle of trust), the service provider 103 requests a user authentication from the identity provider 104. In response to the service provider's request, the identity provider 104 passes a SAML assertion to the service provider 103. On the basis of this assertion, the service provider 103 can make decisions; for example, the service provider 103 can decide whether to grant access to the resources, services or applications requested by the user 105.
- If the user 105 has been authenticated, then the user 105 is logged in to the service provider 103 and can access the services, resources and/or applications that the user 105 wishes to use.
- The embodiments of the present invention provide a new mechanism to enable the user 105 to store and/or change user-specific attributes and the user's service provider attributes in an identity provider's database via the service provider.
- A user 105 will have a profile that includes several attributes.
- The profile will include attributes relating to the user and attributes relating to each of the service providers that the user has an account with.
- User-related attributes may define aspects relating to the user, for example given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on.
- Service-provider-related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have; for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
- The attributes defining a user profile may be stored in a database at the identity provider. If an attribute value does not exist in the database for a particular attribute, it can be created by storing an attribute value for that attribute. If the attribute itself does not exist, it can be created by storing the attribute along with a corresponding attribute value in the database. If an attribute value for a particular attribute exists and the user wishes to change it, this is done by storing the new attribute value in place of the previous attribute value for that attribute in the database. In other words, the user may add or change any attribute relating to the user or to the user's account with a service provider by storing the appropriate attribute value in a database at the identity provider.
- Figure 2 shows an exemplary message sequence, indicated generally by the reference numeral 201, demonstrating the process of storing attribute values relating to a user's profile at the identity provider in accordance with the embodiments.
- The message sequence 201 starts with the end user 105 sending a message 202 to the service provider 103 via a user device 102 (for example using a web browser) requesting to add or change an attribute of the user's profile.
- The user 105 may request to change or add attributes by, for example, entering data into a form on the service provider 103.
- The service provider 103 will then generate a new message, called ManageAttributeRequest, which includes an AttributeStatement block containing at least one attribute value for one or more attributes that the user 105 wishes to change or store at the identity provider 104.
- An example ManageAttributeRequest message is given below.
- The message given below is only an example of the format and content of a ManageAttributeRequest message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
- Only the following fragments of the example message survive in this copy of the text. Reassembled, they form one SAML 2.0 Attribute element of the AttributeStatement, carrying the user's e-mail address in the SAML X.500/LDAP attribute profile (the attribute value and the rest of the message are not present here):

    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
        FriendlyName="mail">
      <saml:AttributeValue>...</saml:AttributeValue>
    </saml:Attribute>

- Note that urn:oid:1.3.6.1.4.1.1466.115.121.1.26 is the LDAP IA5 String syntax OID; the attribute type that the X.500/LDAP attribute profile uses for the mail attribute itself is urn:oid:0.9.2342.19200300.100.1.3. A consumer matching on Name rather than FriendlyName would not recognise the example as written.
- The service provider passes (203) the ManageAttributeRequest to the identity provider 104.
- The ManageAttributeRequest may be passed to the identity provider as an HTTP redirect via the user device 102.
- On receipt of the ManageAttributeRequest, the identity provider 104 processes (204) the request and stores the identified attribute values for the identified user attributes in a database of the identity provider 104.
- An attribute value may be changed by storing the new attribute value in place of the previous attribute value for the particular attribute.
- The identity provider 104 will generate a ManageAttributeResponse message that includes an AttributeStatement block.
- The AttributeStatement block will include the attribute values of the attributes that have been stored in the database of the identity provider 104.
- An example ManageAttributeResponse message is given below. The message given below is only an example of the format and content of a ManageAttributeResponse message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
- Of the example ManageAttributeResponse message, only one attribute of an Attribute element in its AttributeStatement survives in this copy: NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
- The identity provider 104 passes (205) the ManageAttributeResponse to the service provider 103.
- The ManageAttributeResponse may be passed to the service provider 103 as an HTTP redirect via the user device 102.
- On receipt of the ManageAttributeResponse, the service provider 103 can check and verify (206) that the attributes have been correctly stored in the database of the identity provider 104.
- The attribute values for the user attributes included in the ManageAttributeResponse from the identity provider 104 were retrieved from the database of the identity provider after the attribute values were stored in the database.
- By comparing them with the values it sent in the ManageAttributeRequest, the service provider can determine whether the correct attribute values were stored in the identity provider's database.
- The service provider 103 may then send (207) a message to the user device 102 to inform the user 105 whether or not the attribute values of the user attributes the user requested to change or store were successfully stored at the identity provider 104.
- The embodiments of the present invention provide a new mechanism that enables user attributes to be stored in a database of the identity provider rather than stored by the service provider.
- The embodiments also provide a new mechanism for editing or changing specific attributes stored in a database of the identity provider.
- The embodiments of the present invention provide several advantages over the conventional systems which, as discussed hereinabove, do not enable a user of a service provider to store attributes directly in the identity provider's database, or to change specific attributes stored in the identity provider's database via a service provider.
- One advantage is that, by storing user attributes in a database of the identity provider, the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently. Furthermore, by providing the capability for a user to change attributes stored in a database of the identity provider, the user does not have to manually change the same attribute for each of the service providers with which the user has an account.
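The message sequence 202 to 207 described above, as an added worked example that is not part of the patent: both sides of one ManageAttributeRequest / ManageAttributeResponse round trip, in Python with the standard xml.etree module. The patent gives no schema, so the element names, the ma: namespace, the ID/InResponseTo correlation attributes borrowed from SAML protocol messages, the allow-list of storable attributes, the entity IDs and the dict-backed identity provider database are all assumptions made here. The identity provider creates a profile for an unknown user, creates or overwrites each attribute value, and answers with what is in its database after the store, re-read per attribute; the service provider then does what a practitioner would want it to do before trusting that answer: check that the response answers this request and concerns this subject, and only then compare stored values with sent values, reporting per attribute so an attribute the identity provider silently refused shows up as a failure. Two things the example deliberately leaves out, and which a real deployment passing these messages through the user's browser as HTTP redirects cannot: an XML signature (or a back-channel binding) on both messages, and a check at the identity provider that the NameID in the request is the user it actually authenticated for this service provider. Without those, the user, or anyone able to inject a redirect, can rewrite attributes at will.

```python
"""Added example (not from the patent): a ManageAttributeRequest /
ManageAttributeResponse round trip, both sides, plus the service provider's
check that what was stored matches what it asked for.  Everything outside the
SAML assertion namespace (ma: elements, correlation attributes, entity IDs,
allow-list, in-memory database) is an assumption made for this example."""
from __future__ import annotations

import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MGMT = "urn:example:manage-attribute"      # hypothetical namespace for the new messages
NS = {"saml": SAML, "ma": MGMT}
ET.register_namespace("saml", SAML)
ET.register_namespace("ma", MGMT)


def _q(ns: str, tag: str) -> str:
    return f"{{{ns}}}{tag}"


def _add_subject(parent: ET.Element, name_id: str) -> None:
    subject = ET.SubElement(parent, _q(SAML, "Subject"))
    ET.SubElement(subject, _q(SAML, "NameID")).text = name_id


def _add_attribute_statement(parent: ET.Element, values: dict[str, str]) -> None:
    """The AttributeStatement block the patent puts in both messages."""
    stmt = ET.SubElement(parent, _q(SAML, "AttributeStatement"))
    for name, value in values.items():
        attr = ET.SubElement(stmt, _q(SAML, "Attribute"), {"Name": name})
        ET.SubElement(attr, _q(SAML, "AttributeValue")).text = value


def _read_attribute_statement(root: ET.Element) -> dict[str, str]:
    return {a.get("Name"): a.findtext("saml:AttributeValue", "", NS)
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}


def _subject(root: ET.Element):
    return root.findtext("saml:Subject/saml:NameID", None, NS)


# Service provider, step 203: ask the IdP to store (or overwrite) these values.
def build_manage_attribute_request(sp_entity_id: str, name_id: str,
                                   values: dict[str, str]) -> str:
    req = ET.Element(_q(MGMT, "ManageAttributeRequest"),
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0"})
    ET.SubElement(req, _q(SAML, "Issuer")).text = sp_entity_id
    _add_subject(req, name_id)
    _add_attribute_statement(req, values)
    return ET.tostring(req, encoding="unicode")


# Identity provider, steps 204 and 205.
class IdentityProvider:
    def __init__(self, entity_id: str, storable: set[str]):
        self.entity_id = entity_id
        self.storable = storable                    # attributes this IdP agrees to hold
        self.db: dict[str, dict[str, str]] = {}     # name_id -> {attribute: value}

    def handle(self, request_xml: str) -> str:
        req = ET.fromstring(request_xml)
        name_id = _subject(req)
        requested = _read_attribute_statement(req)
        profile = self.db.setdefault(name_id, {})   # create the profile if it is new
        for name, value in requested.items():
            if name in self.storable:
                profile[name] = value               # create or overwrite the value
        # Answer with what is in the database *after* the store, re-read per
        # requested attribute, so the SP can see anything that was not written.
        stored_now = {n: profile[n] for n in requested if n in profile}
        resp = ET.Element(_q(MGMT, "ManageAttributeResponse"),
                          {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                           "InResponseTo": req.get("ID", "")})
        ET.SubElement(resp, _q(SAML, "Issuer")).text = self.entity_id
        _add_subject(resp, name_id)
        _add_attribute_statement(resp, stored_now)
        return ET.tostring(resp, encoding="unicode")


# Service provider, step 206.
def response_correlates(request_xml: str, response_xml: str) -> bool:
    """The response must answer this request and concern the same subject;
    otherwise a stale or replayed response could make a failed store look good."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    return (resp.get("InResponseTo") == req.get("ID")
            and _subject(resp) == _subject(req))


def verify_stored(request_xml: str, response_xml: str) -> dict[str, bool]:
    """Per attribute: did the IdP store exactly the value we sent?"""
    if not response_correlates(request_xml, response_xml):
        raise ValueError("response does not belong to this request")
    wanted = _read_attribute_statement(ET.fromstring(request_xml))
    stored = _read_attribute_statement(ET.fromstring(response_xml))
    return {name: stored.get(name) == value for name, value in wanted.items()}
```

The result of verify_stored is what step 207 reports back to the user: a request carrying mail, preferredLanguage and an attribute the identity provider does not hold (eyeColour in the test below) comes back as two successes and one failure, and a second request changing only preferredLanguage overwrites that value and leaves mail untouched.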
Abstract
Methods and apparatus are described which enable user attributes to be stored and managed at an identity provider (104). A service provider (103) may pass (203) a manage attribute request which includes attribute values of at least one attribute to the identity provider (104). The identity provider (104) stores (204) the attribute values and returns (205) a manage attribute response message to the service provider (103).
Description
Attribute Management
The present invention relates to attribute management in an identity management system.
More and more services and applications are becoming available on the Internet, and many of these services and applications require authentication. One approach that has been developed to assist users to access multiple services and applications, each requiring separate authentication procedures, involves the use of identity federation.
Federated identity management, or the "federation" of identity, describes technologies that serve to enable the portability of identity information across otherwise autonomous security domains. A goal of identity federation is to enable users of one domain to access data or systems of another domain seamlessly and securely, and without the need for redundant user administration. Eliminating the need for repeated login procedures each time a new application or account is accessed can substantially improve the user experience.
Security Assertion Markup Language (SAML) is an XML (Extensible Markup Language) standard for exchanging authentication and authorisation data between security domains. For example, SAML is used for exchanging assertion data between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a specification defined by OASIS (Organization for the Advancement of Structured Information Standards).
The SAML protocol currently provides two methods that enable a service provider to retrieve attributes relating to a user that has been authenticated by an identity provider.
The first method is an Attribute-Push method, in which the identity provider sends attribute information within the SAML assertion returned in response to the service provider's user authentication request.
The second method is an Attribute-Pull method, in which the service provider sends a SAML AttributeQuery message to the identity provider (acting as an attribute authority) to retrieve information regarding the user's attributes once the user has been authenticated by the identity provider.
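These two read paths are the baseline the patent's write path is added to, so here is an added example, written for this page and not taken from the patent or from any SAML library, of what a service provider does with each. It uses Python's standard xml.etree module. The push side parses the AttributeStatement out of an assertion the identity provider has already delivered; the pull side builds the AttributeQuery the service provider would send afterwards, naming the authenticated subject and the attributes it wants, with a small helper showing what the identity provider reads from it. The assertion text, entity IDs and the preferredLanguage attribute are constructed for the example; the mail attribute is named with the OID the SAML X.500/LDAP attribute profile assigns to it. Transport binding and XML signature are omitted.

```python
"""Added example (not from the patent): the two existing SAML 2.0 ways a service
provider obtains attributes.  Push: read the AttributeStatement out of an
Assertion.  Pull: build an AttributeQuery for an already-authenticated subject.
The sample assertion and all names in it are constructed for this example."""
from __future__ import annotations

import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"   # mail, per the X.500/LDAP attribute profile

# Constructed sample: an assertion as an IdP would push it inside an authn response.
PUSHED_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2009-06-26T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{MAIL_OID}" FriendlyName="mail"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="preferredLanguage">
      <saml:AttributeValue>en</saml:AttributeValue>
      <saml:AttributeValue>de</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def pushed_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Attribute-Push: collect FriendlyName-or-Name -> values from every
    AttributeStatement; attributes may be multi-valued, so values are lists."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs.setdefault(key, []).extend(
            (v.text or "") for v in attr.findall("saml:AttributeValue", NS))
    return attrs


def build_attribute_query(sp_entity_id: str, name_id: str, wanted: list[str]) -> str:
    """Attribute-Pull: a samlp:AttributeQuery for an authenticated subject.
    Listing no Attribute elements asks for everything the IdP will release."""
    query = ET.Element(_q(SAMLP, "AttributeQuery"), {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, _q(SAML, "Issuer")).text = sp_entity_id
    subject = ET.SubElement(query, _q(SAML, "Subject"))
    ET.SubElement(subject, _q(SAML, "NameID")).text = name_id
    for name in wanted:
        ET.SubElement(query, _q(SAML, "Attribute"), {"Name": name})
    return ET.tostring(query, encoding="unicode")


def _q(ns: str, tag: str) -> str:
    return f"{{{ns}}}{tag}"


def query_subject(query_xml: str):
    """IdP side: which subject the query is about."""
    return ET.fromstring(query_xml).findtext("saml:Subject/saml:NameID", None, NS)


def queried_names(query_xml: str) -> list[str]:
    """IdP side: which attribute names the query asks for (empty means all)."""
    root = ET.fromstring(query_xml)
    return [a.get("Name") for a in root.findall("saml:Attribute", NS)]
```

In both paths the subject is fixed by the authentication that already happened: the pushed assertion names it, and the query repeats the NameID from that assertion. Neither message carries a value the service provider wants the identity provider to keep, which is the gap the patent's ManageAttributeRequest fills.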
In both methods described hereinabove, the service provider can only obtain information relating to the attributes of the user logged in to the service provider.
However, a problem with the conventional systems and methods is that there currently exists no mechanism to enable a service provider to transmit user attributes to be stored at the identity provider. This is particularly disadvantageous, as the user cannot reuse a single profile containing user attributes, such as layout or preferred e-mail address, across different service providers. In current systems and methods the user can only store attributes, and change those attributes, locally at each service provider, meaning that the user has to enter and change the same attributes multiple times to keep them consistent across the different service providers the user has an account with.
However, a further problem can arise when storing attributes at the service provider. If a user creates a temporary or transient account with a service provider, then the user cannot reuse the attributes relating to that temporary or transient account when the user next logs on to the service provider. This is because, by the very nature of a temporary or transient account, the next time the user logs on to the service provider the user will have a different username, so the service provider will not be able to link the attributes of the user's temporary account with the user's permanent account.
The present invention seeks to address at least some of the problems outlined above.
According to a first aspect of the present invention there is provided a method comprising the steps of: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
Thus, many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be transmitted to an identity provider, where the identity provider may store the attribute values for the attributes. A service provider may transmit the attribute values to the identity provider in a manage attribute request, which requests that the identity provider store the attribute values for the at least one attribute. A response will be received from the identity provider that includes the stored attribute values for the attributes. An advantage of many embodiments of the present invention is that, by storing the attribute values at the identity provider, the attribute values may be used for several different service providers without the user having to enter or change those attributes at each service provider.
The method may further comprise the step of: receiving a request from a user to store at the identity provider the attribute value for at least one attribute. Thus, a user can initiate the process of storing specific attribute values at the identity provider. A user may, for example, fill in a form via a web browser on a user device identifying the attributes and the corresponding attribute value that the user wishes to change or store at the identity provider.
The method may further comprise the step of: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request. Thus, as the manage attribute response from the identity provider includes the attribute values that have been stored then it can be determined whether the attribute values for the attributes have been stored correctly or successfully. For example, if the stored attribute values do not match the attribute values that were included in the manage attribute request then it may be determined that an error has occurred in storing the attribute values at the identity provider.
Once it has been determined whether or not the attribute values for the attributes have been successfully stored, the method may further comprise transmitting a message to a user device, where the message informs the user whether or not the attributes were successfully stored.
A user of a service provider may have a profile that includes several attributes. The profile will include attributes relating to the user and attributes relating to the service provider that the user has an account with. User related attributes may define aspects relating to the user, for example, given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on. Service provider related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have; for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
The manage attribute request may be compatible with, or in accordance with, the Security Assertion Markup Language protocol; and the manage attribute response may be compatible with, or in accordance with, the Security Assertion Markup Language protocol.
According to a second aspect of the present invention there is provided an apparatus comprising: an output adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and a first input adapted to receive a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
According to a third aspect of the present invention there is provided an apparatus adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receive a manage attribute response from said identity provider, wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
The apparatus may be further adapted, for example, by comprising a second input, to receive a request from a user to store at the identity provider the attribute value for at least one attribute. The apparatus may be further adapted, for example, by comprising a processor, to determine if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request. The apparatus may be further adapted, for example, by comprising a second output, to transmit a message to the user where the message indicates whether or not the attribute values were successfully or correctly stored at the identity provider. The apparatus may be a server or a computing device. The apparatus may be operated by a service provider.
The first input and the second input may be the same input or different inputs to the apparatus. Similarly, the first output and the second output may be the same output or different outputs of the apparatus.
As a skilled person in the art will appreciate, the apparatus may be adapted to perform the functions in many different ways. For example, the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
According to a fourth aspect of the present invention there is provided a computer program or a computer program product comprising computer readable executable code for: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
The computer program product may further comprise computer readable executable code for: receiving a request from a user to store at the identity provider the attribute value for at least one attribute.
The computer program product may further comprise computer readable executable code for: determining if the stored attribute value for the at least one attribute included in the manage attribute response matches the attribute value for the at least one attribute included in the manage attribute request.
The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
According to a fifth aspect of the present invention there is provided a method comprising the steps of: receiving a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
Thus, many of the embodiments of the present invention provide a new mechanism that enables attribute values for one or more attributes to be received from a service provider and then stored in a database. Once the attribute values have been stored in the database, a manage attribute response may be generated and transmitted to the service provider, where the response includes the stored attribute values.
This may enable the service provider to verify and check that the stored attribute values match the attribute values in the manage attribute request. An identity provider may receive the manage attribute request from the service provider, the database may be located at the identity provider and the identity provider may generate and transmit the manage attribute response.
The manage attribute request may be in accordance with the Security Assertion Markup Language protocol; and the manage attribute response may be in accordance with the Security Assertion Markup Language protocol.
According to a sixth aspect of the present invention there is provided an apparatus comprising an input adapted to receive a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; a processor adapted to store said attribute value for said at least one attribute in a database; and an output adapted to transmit a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, and wherein said at least one attribute relates to a user's profile.
According to a seventh aspect of the present invention there is provided an apparatus adapted to: receive a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; store the attribute value for the at least one attribute in a database; and transmit a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
The apparatus may be a server or a computing device. The apparatus may be operated by an identity provider.
As a skilled person in the art will appreciate, the apparatus may be adapted to perform the functions in many different ways. For example, the apparatus may be adapted by installing and executing on the apparatus the appropriate and corresponding computer readable executable code in order to enable the apparatus to perform the necessary functions and tasks.
According to an eighth aspect of the present invention there is provided a computer program or computer program product comprising computer readable executable code for: receiving a manage attribute request from a service provider wherein the manage attribute request includes an attribute value for at least one attribute; storing the attribute value for the at least one attribute in a database; and transmitting a manage attribute response to the service provider wherein the manage attribute response includes the stored attribute value for the at least one attribute, and wherein the at least one attribute relates to a user's profile.
The computer program product may further comprise computer readable executable code for performing any or all of the functions in accordance with the aspects of the invention.
An advantage of many embodiments of the present invention is that a new mechanism is provided which enables user attributes to be stored in a database of the identity provider, where the process is initiated by a service provider. A further advantage of many embodiments of the present invention is that, by storing user attributes in a database of the identity provider, the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently. Furthermore, by providing the capability for the user attributes stored in a database of the identity provider to be changed, the user does not have to manually change the same attribute for each of the service providers with which the user has an account, as the changed attribute values at the identity provider may be used by all service providers.
Embodiments of the present invention will now be described, by way of example only, and with reference to the accompanying drawings in which:
Figure 1 is a block diagram of an identity management system in accordance with the aspects of the present invention.
Figure 2 shows a message sequence in accordance with aspects of the present invention.
Figure 1 shows a system, indicated generally by the reference numeral 101, comprising an end user 105, a user device 102, a service provider 103 and an identity provider 104. When the end user 105 of the system 101 wants to access a secure resource, service or application at the service provider 103, and the service provider 103 requires the user's identity to be authenticated, the identity provider 104 can be used to provide the required authentication information to the service provider 103.
The user device may comprise inputs and outputs 106 in order to receive and transmit messages and data. The user device may be a computing device, such as a computer, or a mobile device, such as a mobile phone or personal digital assistant. The service provider 103 may include a server or computing device that may comprise inputs and outputs 107 and processors 108. The identity provider 104 may include a server or computing device that may comprise inputs and outputs 109 and processors 110.
In an exemplary use of the system 101, SAML assumes that the user 105 has enrolled with at least one identity provider (such as the identity provider 104). The identity provider 104 is expected to provide local authentication services to the user 105. The service provider 103 relies on the identity provider 104 to identify the user 105. When a user 105 wants to access a service that is provided by a service provider 103 who has a contract with the identity provider 104 (i.e. the service provider 103 and the identity provider 104 form at least part of a circle of trust), the service provider 103 requests a user authentication from the identity provider 104. In response to the service provider's request, the identity provider 104 passes a SAML assertion to the service provider 103. On the basis of this assertion, the service provider 103 can make decisions; for example, the service provider 103 can decide whether to grant access to the resources, services or applications requested by the user 105.
If the user 105 has been authenticated then the user 105 is logged in to the service provider 103 and can access the services, resources and/or applications that the user 105 wishes to use.
Once a user 105 has logged in to the service provider 103 then the embodiments of the present invention provide a new mechanism to enable the user 105 to store and/or change user specific attributes and user's service provider attributes in an identity provider's database via the service provider.
A user 105 will have a profile that includes several attributes. The profile will include attributes relating to the user and attributes relating to each of the service providers that the user has an account with. User related attributes may define aspects relating to the user, for example, given name, family name, nickname, telephone number, e-mail address, postal address, hair colour, eye colour, height and so on. Service provider related attributes may define aspects that are specific to a particular service provider or general to all service provider accounts that a user may have; for example, the attributes may include preferred language, preferred layout, preferred means of communication and so on.
The attributes defining a user profile may be stored in a database at the identity provider. If an attribute value does not exist in the database for a particular attribute, it can be created by storing an attribute value for that attribute. If an attribute itself does not exist, it can be created by storing the attribute along with a corresponding attribute value in the database. If an attribute value for a particular attribute exists and a user wishes to change it, this can be performed by storing the new attribute value in place of the previous attribute value for that attribute in the database. In other words, the user may add or change any attribute relating to the user or to the user's account with a service provider by storing the appropriate attribute value in a database at the identity provider.
Figure 2 shows an exemplary message sequence, indicated generally by the reference numeral 201, demonstrating the process of storing attribute values relating to a user's profile at the identity provider in accordance with the embodiments.
The message sequence 201 starts with the end user 105 sending a message 202 to the service provider 103 via a user device 102 (for example using a web browser) requesting to add or change an attribute of the user's profile.
The user 105 may request to change or add attributes by, for example, entering data into a form on the service provider 103. The service provider 103 will then generate a new message called ManageAttributeRequest, which will include an AttributeStatement block containing at least one attribute value for one or more attributes that the user 105 wishes to change or store at the identity provider 104.
For example, if a user requests to change their given name to "Tom" and to change their e-mail address to "trscavo@gmail.com", then an example ManageAttributeRequest message is given below. The message given below is only an example of the format and content of a ManageAttributeRequest message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
<samlp:ManageAttributeRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
    C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
  </saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:2.5.4.42"
        FriendlyName="givenName">
      <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
        FriendlyName="mail">
      <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</samlp:ManageAttributeRequest>
The service provider passes 203 the ManageAttributeRequest to the identity provider 104. The ManageAttributeRequest may be passed to the identity provider as an HTTP redirect via the user device 102. On receipt of the ManageAttributeRequest, the identity provider 104 will process 204 the request and store the identified attribute values for the identified user attributes in a database of the identity provider 104. An attribute value may be changed by storing the new attribute value in place of the previous attribute value for the particular attribute.
Once the identity provider 104 has stored the identified attributes in a database, the identity provider 104 will generate a ManageAttributeResponse message that includes an AttributeStatement block. The AttributeStatement block will include the attribute values of the attributes that have been stored in the database of the identity provider 104. An example ManageAttributeResponse message is given below. The message given below is only an example of the format and content of a ManageAttributeResponse message. As a person skilled in the art will appreciate, the message may include different, fewer or more blocks. Similarly, the message may also include different, fewer or more tags.
<samlp:ManageAttributeResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <saml:Assertion
      MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678"
      Issuer="Smith Corporation">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      http://idm.nsn.com
    </saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
      </saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42"
          FriendlyName="givenName">
        <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
          FriendlyName="mail">
        <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:ManageAttributeResponse>
The identity provider 104 passes 205 the ManageAttributeResponse to the service provider 103. The ManageAttributeResponse may be passed to the service provider 103 as an HTTP redirect via the user device 102. On receipt of the ManageAttributeResponse, the service provider 103 can check and verify 206 that the attributes have been correctly stored in the database of the identity provider 104. The attribute values for the user attributes included in the ManageAttributeResponse from the identity provider 104 were retrieved from the database of the identity provider after the attribute values were stored in the database. Thus, by comparing the attribute values included in the ManageAttributeResponse with the attribute values included in the ManageAttributeRequest that was originally passed from the service provider to the identity provider, the service provider can determine that the correct attribute values were stored in the identity provider's database.
The service provider 103 may then send 207 a message to the user device 102 to inform the user 105 whether or not the attribute values of the user attributes the user requested to change or store were successfully stored at the identity provider 104.
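The following Python is an added example, not code from the patent, that models the message sequence 202 to 207 of Figure 2 end to end: the service provider builds a ManageAttributeRequest from the values a user entered, the identity provider applies the add-or-replace storage semantics described above and answers with the values re-read from its store, and the service provider performs the verification of step 206. Element names follow the patent's sample messages; the ManageAttributeRequest and ManageAttributeResponse elements are the patent's proposal rather than part of the standard SAML 2.0 protocol schema, and the InResponseTo correlation, the in-memory dict standing in for the identity provider's database and the helper names are assumptions of this example.

```python
"""Added example (not from the patent): a minimal model of the Figure 2
ManageAttributeRequest / ManageAttributeResponse exchange.  The in-memory
dict standing in for the identity provider's database and the InResponseTo
correlation are assumptions of this example."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Attribute names (OIDs) used in the patent's sample messages, by FriendlyName.
OIDS = {"givenName": "urn:oid:2.5.4.42",
        "mail": "urn:oid:1.3.6.1.4.1.1466.115.121.1.26"}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _add_attribute_statement(parent, attrs):
    """Append an AttributeStatement carrying {FriendlyName: value} pairs."""
    stmt = ET.SubElement(parent, f"{{{SAML}}}AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", NameFormat=URI_FORMAT,
                             Name=OIDS.get(name, name), FriendlyName=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value


def build_manage_attribute_request(subject, attrs):
    """Service provider, steps 202/203: wrap the values the user entered in a
    form into a ManageAttributeRequest and return it as XML text."""
    req = ET.Element(f"{{{SAMLP}}}ManageAttributeRequest", ID="_" + uuid.uuid4().hex,
                     Version="2.0", IssueInstant=_now())
    subj = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    _add_attribute_statement(req, attrs)
    return ET.tostring(req, encoding="unicode")


def parse_attributes(xml_text):
    """Return {FriendlyName: value} for every Attribute in the message's
    AttributeStatement (nested inside the Assertion for a response)."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        found[attr.get("FriendlyName") or attr.get("Name")] = None if value is None else value.text
    return found


def idp_process(db, request_xml):
    """Identity provider, steps 204/205: create the attribute if it is absent,
    replace its value if it exists, then answer with the values re-read from
    the store so the response reflects what was actually persisted."""
    root = ET.fromstring(request_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    requested = parse_attributes(request_xml)
    profile = db.setdefault(subject, {})
    profile.update(requested)                     # add new or overwrite existing
    resp = ET.Element(f"{{{SAMLP}}}ManageAttributeResponse", ID="_" + uuid.uuid4().hex,
                      InResponseTo=root.get("ID"), Version="2.0", IssueInstant=_now())
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion")
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    _add_attribute_statement(assertion, {k: profile[k] for k in requested})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    return ET.tostring(resp, encoding="unicode")


def sp_verify(request_xml, response_xml):
    """Service provider, step 206: accept only a response that answers this
    request, reports Success and echoes every requested value unchanged.
    Returns (ok, reason) so the SP can word the user message of step 207."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    if resp.get("InResponseTo") != req.get("ID"):
        return False, "response does not correspond to this request"
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "identity provider did not report success"
    wanted, stored = parse_attributes(request_xml), parse_attributes(response_xml)
    bad = sorted(k for k, v in wanted.items() if stored.get(k) != v)
    if bad:
        return False, "not stored as requested: " + ", ".join(bad)
    return True, "all requested attribute values were stored"


if __name__ == "__main__":
    idp_db = {}                                   # stands in for the IdP database
    user = "C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu"
    request = build_manage_attribute_request(user, {"givenName": "Tom", "mail": "trscavo@gmail.com"})
    response = idp_process(idp_db, request)
    print(sp_verify(request, response))
    # A response whose echoed value differs from the request is rejected at step 206.
    print(sp_verify(request, response.replace(">Tom<", ">Tim<")))
```

The verification deliberately compares the response's attribute statement against the request the service provider itself sent, rather than trusting a Success status alone; a response that answers a different request, reports a non-Success status, omits a requested attribute or echoes a different value all lead to the "not stored" outcome the user is told about in step 207. In a deployment the response would additionally be signature-checked as any SAML response is, which this model omits.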
Accordingly, the embodiments of the present invention provide a new mechanism that enables user attributes to be stored in a database of the identity provider rather than stored by the service provider. The embodiments also provide a new mechanism for editing or changing specific attributes stored in a database of the identity provider.
Thus, the embodiments of the present invention provide several advantages over the conventional systems which, as discussed hereinabove, do not enable a user of a service provider to store attributes directly in the identity provider's database or enable a user to change specific attributes stored in the identity provider's database via a service provider.
One advantage is that, by storing user attributes in a database of the identity provider, the user can reuse the attributes for several different service providers without having to enter and provide the user attributes to each service provider independently. Furthermore, by providing the capability for a user to change attributes stored in a database of the identity provider, the user does not have to manually change the same attribute for each of the service providers with which the user has an account.
While preferred embodiments of the invention have been shown and described, it will be understood that such embodiments are described by way of example only. Numerous variations, changes and substitutions will occur to those skilled in the art without departing from the scope of the present invention as defined by the appended claims. For example, although the invention has been described with reference to the SAML standard, other implementations are possible. Accordingly, it is intended that the following claims cover all such variations or equivalents as fall within the spirit and the scope of the invention.
Claims
1. A method comprising the steps of: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
2. The method as claimed in claim 1 further comprising the step of: receiving a request from a user to store at said identity provider said attribute value for at least one attribute.
3. The method as claimed in claim 1 or 2 further comprising the step of: determining if said stored attribute value for said at least one attribute included in said manage attribute response matches said attribute value for said at least one attribute included in said manage attribute request.
4. The method as claimed in any one of the preceding claims in which said manage attribute request is compatible with Security Assertion Markup Language protocol; and said manage attribute response is compatible with Security Assertion Markup Language protocol.
5. An apparatus comprising: an output adapted to transmit a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and a first input adapted to receive a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
6. The apparatus as claimed in claim 5 further comprising: a second input adapted to receive a request from a user to store at said identity provider said attribute value for at least one attribute.
7. The apparatus as claimed in claim 5 or 6 further comprising: a processor adapted to determine if said stored attribute value for said at least one attribute included in said manage attribute response matches said attribute value for said at least one attribute included in said manage attribute request.
8. A computer program product comprising computer readable executable code for: transmitting a manage attribute request to an identity provider, wherein said manage attribute request includes an attribute value for at least one attribute and said manage attribute request requests said identity provider to store said attribute value for said at least one attribute; and receiving a manage attribute response from said identity provider wherein said manage attribute response includes a stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
9. The computer program product as claimed in claim 8 further comprising computer readable executable code for: receiving a request from a user to store at said identity provider said attribute value for at least one attribute.
10. The computer program product as claimed in claim 8 or 9 further comprising computer readable executable code for: determining if said stored attribute value for said at least one attribute included in said manage attribute response matches said attribute value for said at least one attribute included in said manage attribute request.
11. A method comprising the steps of: receiving a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; storing said attribute value for said at least one attribute in a database; and transmitting a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
12. The method as claimed in claim 11 in which said manage attribute request is compatible with Security Assertion Markup Language protocol; and said manage attribute response is compatible with Security Assertion Markup Language protocol.
13. An apparatus comprising: an input adapted to receive a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; a processor adapted to store said attribute value for said at least one attribute in a database; and an output adapted to transmit a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
14. A computer program product comprising computer readable executable code for: receiving a manage attribute request from a service provider wherein said manage attribute request includes an attribute value for at least one attribute; storing said attribute value for said at least one attribute in a database; and transmitting a manage attribute response to said service provider wherein said manage attribute response includes said stored attribute value for said at least one attribute, wherein said at least one attribute relates to a user's profile.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2009/058060 WO2010149222A1 (en) | 2009-06-26 | 2009-06-26 | Attribute management |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010149222A1 true WO2010149222A1 (en) | 2010-12-29 |
Family
ID=42040338
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2010149222A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030149781A1 (en) * | 2001-12-04 | 2003-08-07 | Peter Yared | Distributed network identity |
US20040128378A1 (en) * | 2002-12-31 | 2004-07-01 | International Business Machines Corporation | Method and system for user-determined attribute storage in a federated environment |
US20060236382A1 (en) * | 2005-04-01 | 2006-10-19 | Hinton Heather M | Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment |
Application events
- 2009-06-26: PCT/EP2009/058060 (WO) filed; published as WO2010149222A1 (en); status: active, Application Filing
Non-Patent Citations (2)
Title |
---|
OASIS: "Security Assertion Markup Language (SAML) V2.0 Technical Overview", Committee Draft 02, 25 March 2008 (2008-03-25), http://www.oasis-open.org/, XP002578461, Retrieved from the Internet <URL:http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.pdf> [retrieved on 2010-04-14] * |
SHOICHIROU FUJIWARA ET AL: "A Privacy Oriented Extension of Attribute Exchange in Shibboleth", APPLICATIONS AND THE INTERNET WORKSHOPS, 2007. SAINT WORKSHOPS 2007. INTERNATIONAL SYMPOSIUM ON, IEEE, PI, 1 January 2007 (2007-01-01), pages 28 - 28, XP031044122, ISBN: 978-0-7695-2757-4 * |
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9053302B2 (en) | 2012-06-08 | 2015-06-09 | Oracle International Corporation | Obligation system for enterprise environments |
US9058471B2 (en) | 2012-06-08 | 2015-06-16 | Oracle International Corporation | Authorization system for heterogeneous enterprise environments |
US10009219B2 (en) | 2012-09-07 | 2018-06-26 | Oracle International Corporation | Role-driven notification system including support for collapsing combinations |
WO2014039882A1 (en) * | 2012-09-07 | 2014-03-13 | Oracle International Corporation | Ldap-based multi-tenant in-cloud identity management system |
US9619540B2 (en) | 2012-09-07 | 2017-04-11 | Oracle International Corporation | Subscription order generation for cloud services |
US9203866B2 (en) | 2012-09-07 | 2015-12-01 | Oracle International Corporation | Overage framework for cloud services |
US9219749B2 (en) | 2012-09-07 | 2015-12-22 | Oracle International Corporation | Role-driven notification system including support for collapsing combinations |
US9253113B2 (en) | 2012-09-07 | 2016-02-02 | Oracle International Corporation | Customizable model for throttling and prioritizing orders in a cloud environment |
US9276942B2 (en) | 2012-09-07 | 2016-03-01 | Oracle International Corporation | Multi-tenancy identity management system |
US9319269B2 (en) | 2012-09-07 | 2016-04-19 | Oracle International Corporation | Security infrastructure for cloud services |
US9397884B2 (en) | 2012-09-07 | 2016-07-19 | Oracle International Corporation | Workflows for processing cloud services |
US9467355B2 (en) | 2012-09-07 | 2016-10-11 | Oracle International Corporation | Service association model |
US9501541B2 (en) | 2012-09-07 | 2016-11-22 | Oracle International Corporation | Separation of pod provisioning and service provisioning |
US9542400B2 (en) | 2012-09-07 | 2017-01-10 | Oracle International Corporation | Service archive support |
US9069979B2 (en) | 2012-09-07 | 2015-06-30 | Oracle International Corporation | LDAP-based multi-tenant in-cloud identity management system |
US11075791B2 (en) | 2012-09-07 | 2021-07-27 | Oracle International Corporation | Failure handling in the execution flow of provisioning operations in a cloud environment |
US10581867B2 (en) | 2012-09-07 | 2020-03-03 | Oracle International Corporation | Multi-tenancy identity management system |
US9667470B2 (en) | 2012-09-07 | 2017-05-30 | Oracle International Corporation | Failure handling in the execution flow of provisioning operations in a cloud environment |
US9734224B2 (en) | 2012-09-07 | 2017-08-15 | Oracle International Corporation | Data synchronization in a cloud infrastructure |
US9792338B2 (en) | 2012-09-07 | 2017-10-17 | Oracle International Corporation | Role assignments in a cloud infrastructure |
US9838370B2 (en) | 2012-09-07 | 2017-12-05 | Oracle International Corporation | Business attribute driven sizing algorithms |
US9015114B2 (en) | 2012-09-07 | 2015-04-21 | Oracle International Corporation | Data synchronization in a cloud infrastructure |
US10148530B2 (en) | 2012-09-07 | 2018-12-04 | Oracle International Corporation | Rule based subscription cloning |
US9621435B2 (en) | 2012-09-07 | 2017-04-11 | Oracle International Corporation | Declarative and extensible model for provisioning of cloud based services |
US10212053B2 (en) | 2012-09-07 | 2019-02-19 | Oracle International Corporation | Declarative and extensible model for provisioning of cloud based services |
US10521746B2 (en) | 2012-09-07 | 2019-12-31 | Oracle International Corporation | Recovery workflow for processing subscription orders in a computing infrastructure system |
US9608958B2 (en) | 2013-03-12 | 2017-03-28 | Oracle International Corporation | Lightweight directory access protocol (LDAP) join search mechanism |
US10164901B2 (en) | 2014-08-22 | 2018-12-25 | Oracle International Corporation | Intelligent data center selection |
EP3928211A4 (en) * | 2019-02-19 | 2022-11-02 | CloudBlue LLC | System and method for bulk user service assignment using csv |
Similar Documents
Publication | Title |
---|---|
WO2010149222A1 (en) | Attribute management |
EP1700416B1 (en) | Access control for federated identities |
US8117459B2 (en) | Personal identification information schemas |
US8104074B2 (en) | Identity providers in digital identity system |
US8060632B2 (en) | Method and system for user-determined attribute storage in a federated environment |
US8707412B2 (en) | Application identity design |
CN106716960B (en) | User authentication method and system |
US20100077467A1 (en) | Authentication service for seamless application operation |
CN101426009A (en) | Identity management platform, service server, uniform login system and method |
CN106716918B (en) | User authentication method and system |
CN104255007A (en) | Oauth framework |
JP5422753B1 (en) | Policy management system, ID provider system, and policy evaluation apparatus |
US20130185809A1 (en) | System for delegation of authority, access management service system, medium, and method for controlling the system for delegation of authority |
EP1532545A1 (en) | Method and system for managing cookies according to a privacy policy |
JP2013137588A (en) | Integrated authentication system and id provider device |
WO2003091861A9 (en) | Identity management system using single sign-on |
US10601809B2 (en) | System and method for providing a certificate by way of a browser extension |
JP5565408B2 (en) | ID authentication system, ID authentication method, authentication server, terminal device, authentication method of authentication server, communication method of terminal device, and program |
EP2207303B1 (en) | Method, system and entity for bill authentication in network serving |
US20100250607A1 (en) | Personal information management apparatus and personal information management method |
JP2011197874A (en) | Server apparatus and program |
CN113411324B (en) | Method and system for realizing login authentication based on CAS and third-party server |
CN107864114B (en) | Group insurance account login method and system |
EP3343494A1 (en) | Electronic signature of transactions between users and remote providers by use of two-dimensional codes |
CN103001775A (en) | Enterprise service bus (ESB) based system and method for safety management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09779977; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 09779977; Country of ref document: EP; Kind code of ref document: A1 |