Method For Implementing Unified Authentication

Abstract

A method for implementing unified authentication for user logon, the method comprising the steps of: establishing an authentication server; creating a user authentication account number in the authentication server; storing user information which the user uses in a plurality of systems into the authentication server; associating, in the authentication server, the created user authentication account number with the user information which the user uses in the plurality of systems; and providing an authentication flag to the client of the user by the authentication server, based on the association established in the authentication server between the user authentication account number and the user information which the user uses in the plurality of systems, so that the user can log on to the plurality of systems using the authentication flag. The present invention provides a unified mechanism of user logon authentication for the integration and merger of the service processes provided by a plurality of Internet information systems or Internet providers, so that the user can access all authorized application systems or service providers with only one logon authentication.

Claims

1-13. (canceled)

14. A method for implementing unified authentication for user logon, the method comprising the steps of: establishing an authentication server; creating a user authentication account number in the authentication server; storing user information which the user uses in a plurality of systems into the authentication server; associating, in the authentication server, the created user authentication account number with said user information which the user uses in the plurality of systems; and providing an authentication flag to the client of the user by the authentication server based on the association between the user authentication account number and said user information which the user uses in the plurality of systems established in the authentication server so that the user can log on to the plurality of systems using said authentication flag.

15. The method according to claim 14, further comprising the step of establishing a temporary memory area for the user information by the authentication server after creating the user authentication account number in the authentication server, and allocating a unique identification to said temporary memory area for the user information.

16. The method according to claim 15, further comprising the step of searching, by the authentication server, the stored user information for the user information which the user uses in the plurality of systems, and storing the user information found in the temporary memory area for the user information of the user.

17. The method according to claim 15, further comprising the step of encrypting the identification of said temporary memory area for the user information and returning the generated cryptograph to the client of the user as said authentication flag by the authentication server.

18. The method according to claim 16, further comprising the step of encrypting the identification of said temporary memory area for the user information and returning the generated cryptograph to the client of the user as said authentication flag by the authentication server.

19. The method according to claim 17, wherein said authentication flag can be decrypted by the authentication server.

20. The method according to claim 18, wherein said authentication flag can be decrypted by the authentication server.

21. The method according to claim 14, further comprising the step of storing said authentication flag and sending a certain request to the authentication server regularly by the client of the user so that the authentication server will not withdraw said temporary memory area for the user information.

22. The method according to claim 15, further comprising the step of storing said authentication flag and sending a certain request to the authentication server regularly by the client of the user so that the authentication server will not withdraw said temporary memory area for the user information.

23. The method according to claim 16, further comprising the step of storing said authentication flag and sending a certain request to the authentication server regularly by the client of the user so that the authentication server will not withdraw said temporary memory area for the user information.

24. The method according to claim 17, further comprising the step of storing said authentication flag and sending a certain request to the authentication server regularly by the client of the user so that the authentication server will not withdraw said temporary memory area for the user information.

25. The method according to claim 18, further comprising the step of storing said authentication flag and sending a certain request to the authentication server regularly by the client of the user so that the authentication server will not withdraw said temporary memory area for the user information.

26. The method according to claim 14, further comprising the step of accessing said plurality of systems by the client of the user carrying said authentication flag.

27. The method according to claim 26, further comprising the step of requesting the authentication server to authenticate said authentication flag by said plurality of systems.

28. The method of claim 19, further comprising the step of obtaining the identification of the temporary memory area for the user information by the authentication server when the decryption of said authentication flag succeeds, so as to determine said temporary memory area for the user information.

29. The method of claim 19, further comprising the step of extracting the user information of said plurality of systems from said temporary memory area for the user information and sending it to said plurality of systems by the authentication server.

30. The method of claim 28, further comprising the step of receiving the user information of said plurality of systems and allowing the user to log on by said plurality of systems.
BACKGROUND OF THE INVENTION

[0001] 1. Field of Invention

[0002] The present invention relates to a network authentication method in the Internet environment, and particularly to a method of providing unified authentication for user logon in integrated and merged service processes provided by a plurality of Internet information systems or Internet service providers.

[0003] 2. Description of Prior Art

[0004] Currently, a user has to undergo a separate logon authentication procedure before he or she can access each of the services provided by a plurality of Internet information systems and Internet service providers. The user therefore has to remember several user passwords, which complicates the use of these systems and increases the probability of errors. It also heightens the risk of illegal interception and damage, with a corresponding loss of security. Furthermore, if the user forgets one of the passwords, he or she cannot carry out the corresponding task and has to ask an administrator for help, and can only wait until the password is restored. This adds to the overhead of system and security management resources and lowers work efficiency.

SUMMARY OF THE INVENTION

[0005] An object of the present invention is to provide a method for implementing unified authentication for user logon which enables a user to access all authorized resources by authenticating his or her identity only once, instead of once for each resource. With this method it is possible to improve the work efficiency of a network user, reduce the cost of network operation and enhance network security.
[0006] According to an aspect of the present invention, there is provided a method for implementing unified authentication for user logon, the method comprising the steps of:

[0007] establishing an authentication server;

[0008] creating a user authentication account number in the authentication server;

[0009] storing user information which the user uses in a plurality of systems into the authentication server;

[0010] associating, in the authentication server, the created user authentication account number with said user information which the user uses in the plurality of systems; and

[0011] providing an authentication flag to the client of the user by the authentication server, based on the association established in the authentication server between the user authentication account number and said user information which the user uses in the plurality of systems, so that the user can log on to the plurality of systems using said authentication flag.

[0012] The present invention is primarily applied to provide a unified authentication mechanism for user logon in integrated and merged service processes provided by a plurality of Internet information systems or Internet providers. Thus the user can access all authorized application systems or service providers with a single logon authentication, instead of conducting logon authentication every time one application system or service provider is accessed.

BRIEF DESCRIPTION OF THE DRAWINGS

[0013] The above object, advantages and features of the present invention will be apparent from the following detailed description of the preferred embodiments taken in conjunction with the drawings, in which:

[0014] FIG. 1 is a flowchart for creating, collecting and storing data in the method for implementing unified authentication according to the present invention;

[0015] FIG. 2 is a main flowchart for logging on to an authentication server and authentication system by using the method for implementing unified authentication according to the present invention;

[0016] FIG. 3 is a flowchart of the primary operations of the authentication server, the client of the user and the application system server when the user accesses other application systems after a successful logon to the authentication server with the method for implementing unified authentication according to the present invention; and

[0017] FIG. 4 is a sequence diagram of the user authentication process in the method for implementing unified authentication according to the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0018] According to the method for implementing unified authentication of the present invention, a user needs to conduct logon authentication with an authentication server only once; after that, no further user authentication is required when the user accesses other application systems and information systems. For clarity, the scheme of the present invention is divided into three sections: the first describes the preparation work before an authentication system runs, the second explains a user's logon, and the third illustrates the user's access to other application systems after that logon.

[0019] In the description of the present invention with reference to the figures below, related terms are defined as follows.
[0020] Authentication server: a server used to conduct unified logon authentication;

[0021] Authentication account number: an account number used by a user to log on to the authentication server;

[0022] User token: a credential for authentication issued by the authentication server to the user after he or she logs on to the authentication server successfully;

[0023] Client of the user: a client-side program used by the user to connect to and access the authentication server and other application systems.

[0024] FIG. 1 is a flowchart for creating, collecting and storing data in the method for implementing unified authentication according to the present invention.

[0025] Referring to FIG. 1, at step S11 a user authentication account number is created in the authentication server (e.g., by allocating a user name and password to the user) and stored permanently (e.g., in a database or an LDAP directory) so that the user can log on to the authentication server.

[0026] At step S12, the user's user information in other application systems, for example the user name used for logon, is collected into the authentication server and stored permanently.

[0027] At step S13, the correspondence between the created user authentication account number and the user information used in other application systems is established, so that the user's information in other application systems can be retrieved through the user authentication account number; that is, the user's user information in all other application systems can be obtained by means of the user's single authentication account number. This correspondence is stored in a persistent storage device.

[0028] FIG. 2 is a main flowchart for the user logging on to the authentication server and the authentication system in the method for implementing unified authentication according to the present invention.

[0029] FIG. 2 shows the primary tasks to be fulfilled by the authentication system and the client of the user when the user logs on to the authentication server while the system is running.

[0030] The primary tasks to be completed by the client and the authentication server during a user logon through the client of the user are as follows. The user attempts to log on to the authentication server at step S21. The authentication server verifies the authentication account number of the user at step S22, and the logon fails if the verification fails. At step S23 it is determined whether the verification of the authentication account number succeeded; if so, the authentication server allocates a temporary memory area to the user at step S24. A unique identification must be allocated to the temporary memory area, and this identification can be generated randomly. A timer is also set and started for the temporary memory area, which the system withdraws if no heartbeat request from the client of the user is received within a predetermined time period; the memory area is likewise taken back if the user sends logout information. If a heartbeat request from the client of the user is received within the predetermined time period, the timer is reset to its initial state and restarted. At step S25 the authentication server searches the stored user information (e.g., a database) for the user's user information (e.g., the user name for logon) used in other application systems and stores the obtained information in the temporary memory area. At step S26 the authentication server encrypts the unique identification of the temporary memory area; here it must be guaranteed that the resulting cryptograph can be decrypted. The generated cryptograph is returned to the client of the user as the user token.
At step S27 the logon is successful when the client of the user receives the user token sent back by the authentication server. The client of the user stores the token temporarily for use during later access to other application systems. The client of the user also sends a heartbeat request to the authentication server at a regular interval so that the server does not withdraw the temporary memory area allocated for the user.

[0031] FIG. 3 is a flowchart showing the primary operations of the authentication server, the client of the user and the application system server when the user accesses other application systems after a successful logon to the authentication server in the method for implementing unified authentication according to the present invention.

[0032] Referring to FIG. 3, when the user wants to access other application systems after successfully logging on to the authentication server, the authentication server, the client of the user and the application system server operate mainly as follows. At step S31 the client of the user presents the obtained user token to access another application system. At step S32 the application system server requests the authentication server to authenticate the user token: the application system receives the access request from the client of the user, acquires the user token and sends an authentication request to the authentication server along with the user token. At step S33, having received the authentication request from the application system, the authentication server retrieves the user token from the request and decrypts it. At step S34 it is determined whether this decryption succeeded.
If it succeeded, the flow goes to step S35, where the authentication server obtains the identification of the temporary memory area from the decrypted user token, locates the temporary memory area by this identification and acquires the user's user information for the application system from it. If the decryption failed at step S34, the flow goes instead to step S39, where the authentication server returns authentication failure information to the application system, and the application system returns this failure information to the client of the user at step S40. At step S36 the authentication server determines whether user information for the application system was obtained. If the result is "YES", the flow proceeds to step S37, where the authentication server returns the user information to the application system; the flow then enters step S38, where the application system receives the information returned by the authentication server and checks whether it contains the user information. If it does, the authentication succeeds and the user is allowed to use the application system. If the result at step S36 is "NO", the flow goes to step S39, where the authentication server returns authentication failure information to the application system, and again the application system returns this failure information to the client of the user at step S40.

[0033] Relevant terms used in implementing the above steps are defined as follows.
[0034] Authentication user name: the user name used when the user logs on to the authentication server;

[0035] Service user name: a user name the user registers with another information system or SP service system; the user can use this service user name and the corresponding service user password to log on to the SP service system directly (in practice, the service user name is the user name registered with one of the SPs; for example, the user Zhang San has the user name zhangsan@263.net with the 263 service and the user name 0401210003 with the Unicom service of Uni-Video (baoshitong));

[0036] SP: service provider;

[0037] SP_ID: the identification of a service provider.

[0038] The method according to the present embodiment proceeds as follows.

[0039] First, the user needs to create a user account number (e.g., a user name and a password) in the authentication server so as to log on to the authentication server with this account number later. Such an account number can be created before the computer is sold to the user and given to the user along with the computer, or it can be created when the user registers with the authentication server after purchasing a computer.

[0040] Second, the user names which the user uses for the respective information systems or SPs, together with the corresponding SP_IDs, need to be collected into the authentication server and stored. In practice, such information is recorded in the authentication server when the user applies for another SP service through a Lenovo system and the application is accepted. In other kinds of applications, the above information can also be entered into the authentication server by the user or an administrator.

[0041] Third, the correspondence between the authentication user names and the service user names needs to be established for the collected information.
This relationship can be one-to-many and is represented in a data structure: a user on the authentication server has one or more user names on other service systems.

[0042] Such a correspondence is established by the system when the user has become a registered system user and the user's other service user names are added.

[0043] FIG. 4 is a sequence diagram of the user authentication process in the method for implementing unified authentication according to the present invention. Referring to FIG. 4, the user authentication process goes as follows.

[0044] 1. The user uses his or her account number for the authentication server (authentication user name and password) to log on to the authentication server by means of a client, which can be a browser or an application.

[0045] 2. The authentication server verifies the account number with which the user logs on and checks whether it matches the one stored in the system.

[0046] 3. After the check of the user's authentication credential succeeds, the authentication server constructs a Session object for the user to serve as temporary storage. A Session object is a data container holding key-value pairs and is primarily used to save information related to the user. Each Session object has a SessionID attribute, which is unique and can be generated randomly by the authentication system. Table 1 below shows an example of a Session object.

TABLE 1

Attribute name   Attribute value
SessionID        A59BA9A3EAE516F1F815E455D4CF324A
Key2             Value2
Key3             Value3
...              ...

[0047] As described above, a Session object is a data container holding key-value pairs, such as a Hashtable, and is used to save information related to the user. Each Session object has a SessionID attribute, which should be unique so that the object can be distinguished from any other Session object.
The attribute value can be generated randomly by the authentication system. In the example above, SessionID is the attribute name and A59BA9A3EAE516F1F815E455D4CF324A is the attribute value. A Session object can hold many key-value pairs, in which a value is retrieved via its key.

[0048] 4. The authentication server loads the list of the user's service user names by using the correspondence between the authentication user names and the service user names, and stores the list in the user's Session object. The Session object is destroyed when the user logs out or when the user's session expires.

[0049] 5. The authentication server encrypts the user's SessionID with a symmetric encryption algorithm (e.g., DES, 3DES, IDEA) and its key. The result of the encryption is the user token, which is issued to the client of the user.

[0050] 6. The client of the user buffers the returned user token after receiving it so that the token can be used for logon authentication when the user accesses other information systems or SP services.

[0051] 7. It should be noted that the client of the user has to maintain the session with the authentication server throughout the user's use of the information systems or SP services; otherwise, if the session expires, the user token is invalidated.

[0052] 8. When the user accesses another application system or SP through the client, the client passes the user token to the SP as the credential for logon authentication.

[0053] 9. The SP sends the user's token along with its own SP_ID to the authentication server after receiving the logon request from the user.

[0054] 10. After receiving the authentication request from the SP, the authentication server decrypts the user token with the key and algorithm used for the previous encryption.

[0055] 11. If the user token is legal, the decryption yields the SessionID, and the authentication server searches for the Session object established for the user with the help of the SessionID.

[0056] 12. The authentication server retrieves the service user name corresponding to the above SP_ID from the user's Session object stored in memory.

[0057] 13. The authentication server returns the service user name to the SP.

[0058] 14. Having received the service user name, the SP treats the user as trusted and uses this user name to authorize the user for service usage.

[0059] 15. When the user logs out of the authentication server, the authentication server destroys the user's Session, and at that moment the user token becomes invalid. If an SP presents this invalid token to the authentication server for authentication, the authentication server cannot locate a Session object from the token and returns authentication failure information to the SP.

[0060] The data structures used in the embodiment of the present invention are illustrated below.

TABLE 2  Authentication user table

Name                          Code       Description                                                                     Data type
Authentication user ID        ID         Primary key in the table; self-increment, positive integer, unique in the system   NUMBER(20)
Authentication user name      LoginName  Authentication user name                                                        VARCHAR2(50)
Authentication user password  Password   Authentication user password                                                    VARCHAR2(20)

[0061] In Table 2, the authentication user ID is the primary key in the authentication user table and can be a self-incrementing positive integer.

[0062] The authentication user name is the user name which the user uses to log on to the authentication server.

[0063] The authentication user password is the password which the user uses to log on to the authentication server.
TABLE 3  Service user table

Name                     Code      Description                                                                     Data type
Service user ID          UserId    Primary key in the table; self-increment, positive integer, unique in the system   NUMBER(20)
Service user name        UserName  Service user name                                                               VARCHAR2(50)
Authentication user ID   ID        Authentication user ID                                                          NUMBER(20)
Service provider ID      SP_ID     Identification of the service provider                                          NUMBER(20)

[0064] As shown in Table 3, the service user ID is the primary key in the service user table and can be a self-incrementing positive integer.

[0065] The service user name is the user name which the user uses to log on to and use the service provided by a certain service provider.

[0066] The authentication user ID is a foreign key in this table and references the primary key of the authentication user table. The service provider ID is the unique identification of the service provider which provides the service for the user.

[0067] Although the present invention has been illustrated above with reference to detailed embodiments, the present invention is not limited to the described embodiments and is defined only by the appended claims. It will be understood that any modification or change made to the embodiments by those skilled in the art falls within the scope and spirit of the present invention.
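The logon, heartbeat, SP-side token check and logout sequence of FIG. 2 to FIG. 4, worked through as an added example that is not code from the patent: the user token is the encrypted SessionID, the Session object holds the service user names keyed by SP_ID as in Table 3, and the timer is the heartbeat-reset expiry of step S24. Assumptions: the patent names DES/3DES/IDEA, while this stand-alone Python uses a stdlib-only keyed XOR plus HMAC tag in their place so that a modified token fails the S34 decryption check instead of decrypting to garbage; the key, password and SP_ID values are constructed.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed key standing in for the server's symmetric key. The patent names
# DES/3DES/IDEA; keyed XOR + HMAC tag below is a stdlib-only substitute (assumption).
SERVER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SESSION_TTL = 30.0  # seconds without a heartbeat before the memory area is withdrawn

def _xor_stream(key, nonce, data):
    # XOR data with an HMAC-SHA256 counter-mode keystream (the same call decrypts)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_session_id(key, session_id):
    # S26 / step 5: user token = nonce || XOR(SessionID, keystream) || tag. The tag makes
    # S34's "decryption fails" a real check: a modified or forged token is rejected.
    nonce = secrets.token_bytes(8)
    body = _xor_stream(key, nonce, session_id.encode())
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + body + tag).decode()

def decrypt_token(key, token):
    # S33-S34 / step 10: recover the SessionID, or None when decryption fails
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    nonce, body, tag = raw[:8], raw[8:-16], raw[-16:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(key, nonce, body).decode()

class AuthServer:
    # Authentication server of FIG. 1-4: accounts (Table 2), service user names per
    # SP_ID (Table 3) and the in-memory Session objects keyed by SessionID.
    def __init__(self, key=SERVER_KEY, ttl=SESSION_TTL):
        self.key, self.ttl = key, ttl
        self.accounts = {}       # LoginName -> password (Table 2; a deployment would hash it)
        self.service_users = {}  # LoginName -> {SP_ID: service user name} (Table 3)
        self.sessions = {}       # SessionID -> Session object (key-value pairs)

    def create_account(self, login, password, service_users):
        # FIG. 1, S11-S13: create the account and store its service user names
        self.accounts[login] = password
        self.service_users[login] = dict(service_users)

    def logon(self, login, password, now):
        # S21-S27 / steps 1-5: verify, build the Session, return the encrypted SessionID
        stored = self.accounts.get(login, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        session_id = secrets.token_hex(16).upper()  # random, unique SessionID
        self.sessions[session_id] = {"services": dict(self.service_users[login]),  # step 4
                                     "expires": now + self.ttl}  # S24: timer started
        return encrypt_session_id(self.key, session_id)

    def _session_for(self, token, now):
        # decrypt the token and locate its Session; an expired Session is withdrawn
        session_id = decrypt_token(self.key, token)
        sess = self.sessions.get(session_id) if session_id else None
        if sess is not None and now > sess["expires"]:
            del self.sessions[session_id]
            sess = None
        return sess

    def heartbeat(self, token, now):
        # step 7 / S27: the client's periodic request resets the session timer
        sess = self._session_for(token, now)
        if sess is not None:
            sess["expires"] = now + self.ttl
        return sess is not None

    def authenticate_for_sp(self, token, sp_id, now):
        # steps 9-13 / S32-S39: SP forwards token + SP_ID; answer is the service user
        # name for that SP, or None (authentication failure, S36/S39)
        sess = self._session_for(token, now)
        return None if sess is None else sess["services"].get(sp_id)

    def logout(self, token):
        # step 15: destroy the Session; the same token is rejected afterwards
        self.sessions.pop(decrypt_token(self.key, token), None)

def run_sequence():
    # FIG. 4 walk-through; the password and SP_IDs 1 (263) and 2 (Unicom) are constructed
    server = AuthServer()
    server.create_account("zhangsan", "s3cret-pw", {1: "zhangsan@263.net", 2: "0401210003"})
    t = 1000.0
    token = server.logon("zhangsan", "s3cret-pw", t)
    result = {"sp1": server.authenticate_for_sp(token, 1, t + 5),
              "sp2": server.authenticate_for_sp(token, 2, t + 5),
              "unknown_sp": server.authenticate_for_sp(token, 3, t + 5),
              "heartbeat": server.heartbeat(token, t + 20),
              "kept_alive": server.authenticate_for_sp(token, 1, t + 45),
              "expired": server.authenticate_for_sp(token, 1, t + 51)}
    token2 = server.logon("zhangsan", "s3cret-pw", t + 60)
    server.logout(token2)
    result["after_logout"] = server.authenticate_for_sp(token2, 1, t + 61)
    return result
```

The clock is passed in as a parameter, so run_sequence() shows the S24 timer expiring after the last heartbeat and the post-logout rejection without waiting on real time.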
