WO2009127163A1 - Method for user attribute query, method and equipment for providing service - Google Patents


Info

Publication number
WO2009127163A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
attribute
information
service
provider device
Application number
PCT/CN2009/071342
Other languages
French (fr)
Chinese (zh)
Inventor
杨健
王雷
董挺
Original Assignee
深圳华为通信技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Definitions

  • the present invention relates to the field of communications, and in particular, to a method for querying user attributes, a method and device for providing a service.
  • OMA Web Service 1.1 defines how to expose, discover and use OMA applications with Web Service technology.
  • OMA Web Service 1.1 lists parameters for access, authentication and authorization, enabling developers to ensure data integrity and the transmission of confidential data. In addition, a user can also discover the registered original code and service description without going through OMA Web Service 1.1.
  • OMA Web Service Network Identity (OWSER NI) 1.0 provides various protocols and services that give OMA services and applications a federated identity in the Liberty web services environment.
  • the Web Service architecture is based on interactions between three roles (service provider, service registry and service requester). The interaction involves publish, find and bind operations. These roles and operations act together on the Web service artifacts: the Web service software module and its description.
  • a service provider hosts a software module (an implementation of a Web service) that is accessible over the network.
  • the service provider defines the service description of the web service and publishes it to the service requester or service registry.
  • the service requester uses the lookup operation to retrieve the service description from the local or service registry, then binds to the service provider using the service description, and invokes or interacts with the web service implementation.
  • the service provider and service requester roles are logical constructs, so a single service can exhibit both characteristics. The diagram below shows these operations, the components that provide them and the interactions between them.
  • a service description needs to be published so that the service requester can look it up.
  • the location where the service description is published can vary depending on the requirements of the application.
  • Find: in a find operation, the service requester retrieves the service description directly or queries the service registry for the required type of service. For service requesters, find operations may be involved in two different lifecycle phases: at design time the interface description of the service is retrieved for program development, and at runtime the binding and location description of the service is retrieved for invocation.
  • Bind: finally, the service must be invoked.
  • the service requester uses the binding details in the service description to locate, contact, and invoke the service, thereby invoking or initiating interaction with the service at runtime.
  • the technical problem solved by the embodiments of the present invention is to provide a method for querying user attributes and a method and device for providing a Web service, so that a user can query the attribute information of other users.
  • the embodiment of the invention provides a method for querying user attributes, including:
  • the attribute query request includes the user identity information of the first user and the user identity information of the second user;
  • An embodiment of the present invention provides a method for providing a service, including:
  • the service request includes user identity information of the first user and user identity information of the second user;
  • the attribute query request includes user identity information of the first user and user identity information of the second user;
  • An embodiment of the present invention provides an attribute provider device, including: a query request receiving unit, configured to receive an attribute query request for a second user sent by a service provider device, where the attribute query request includes user identity information of a first user and user identity information of the second user;
  • a determining unit, configured to determine whether the first user has the right to query the attributes of the second user; an attribute querying unit, configured to query the attributes of the second user when the determining unit determines that the first user has the right to query them;
  • a feedback unit, configured to return the attribute information of the second user queried by the attribute querying unit to the service provider device.
  • An embodiment of the present invention provides an identity authentication provider device, including: an identity authentication unit, configured to authenticate the identity of users, receive requests from authenticated users, and join the identity information of at least two users to obtain joint information;
  • a storage unit, configured to store the joint information;
  • an information feedback unit, configured to, upon receiving an identity authentication request for a user from a service provider device, look up in the storage unit whether joint information exists for that user and, if so, return the user's joint information to the service provider device.
  • the embodiment of the invention provides a service providing system, which includes:
  • a service provider device, configured to receive a service request sent by a first user on behalf of a second user, where the service request includes user identity information of the first user and user identity information of the second user, and to send, according to the service request, an attribute query request for the second user;
  • the attribute query request includes the user identity information of the first user and the user identity information of the second user; the service provider device is further configured to, after obtaining the attribute information of the second user, serve the second user according to that attribute information;
  • an attribute provider device, configured to receive the attribute query request for the second user sent by the service provider device and determine whether the first user has the right to query the attributes of the second user; if so, to perform the attribute query of the second user and return the queried attribute information of the second user to the service provider device.
  • a service provider device comprising:
  • a receiving unit configured to receive a service request sent by the first user for the second user, where the service request includes user identity information of the first user and user identity information of the second user;
  • a query unit configured to send, according to the service request received by the receiving unit, an attribute query request to the second user to the attribute provider device;
  • the attribute query request includes the user identity information of the first user and the user identity information of the second user;
  • a service providing unit, configured to receive the attribute information of the second user fed back by the attribute provider device and serve the second user according to that attribute information.
  • in the technical solution of the embodiments of the present invention, the attribute provider device receives an attribute query request for the second user sent by the service provider device, where the attribute query request includes the user identity information of the first user and the user identity information of the second user; the attribute provider device determines whether the first user has the right to query the attributes of the second user; if the result of the determination is that the first user has the right, the attribute provider device performs the attribute query and returns the queried attribute information of the second user to the service provider device.
  • a user can thus query the attribute information of other users, so that one user can help other users complete the corresponding service; this increases the diversity of services the SP provides to users, enhances the user experience and improves service efficiency.
  • FIG. 1 is a flowchart of a method for querying a user attribute according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for querying a user attribute according to Embodiment 2 of the present invention
  • FIG. 3 is a flowchart of a method for providing a Web service according to Embodiment 3 of the present invention.
  • FIG. 4 is a schematic diagram of a logical structure of an attribute provider device according to Embodiment 4 of the present invention.
  • FIG. 5 is a schematic diagram of a logical structure of a determining unit according to Embodiment 4 of the present invention
  • FIG. 6 is a schematic diagram of another logical structure of a determining unit according to Embodiment 4 of the present invention
  • FIG. 8 is a schematic diagram of a logical structure of an identity authentication provider device according to Embodiment 4 of the present invention
  • FIG. 8 is a schematic diagram of a logical structure of an identity authentication provider device according to Embodiment 5 of the present invention
  • FIG. 10 is a signaling diagram between entities in a method for querying user attributes according to a seventh embodiment of the present invention
  • FIG. 11 is a signaling diagram between entities in a method for querying user attributes according to an embodiment of the present invention
  • a further figure is a signaling diagram between entities in a method for querying user attributes according to an embodiment of the present invention.
  • the embodiments of the invention provide a method for querying user attributes and a method and device for providing a service, so that a user can query the attribute information of other users.
  • the user attribute query method, the method and device for providing the service provided by the present invention are described in detail below.
  • Embodiment 1: a method for querying a user attribute, which is shown in FIG. 1 and includes:
  • the attribute provider device receives an attribute query request for the second user sent by the service provider device, where the attribute query request includes the user identity information of the first user and the user identity information of the second user;
  • the attribute provider device determines whether the first user has the right to query the attribute of the second user; if yes, proceed to step B3; if not, proceed to step B4.
  • the attribute provider device performs an attribute query and returns the queried attribute information of the second user to the service provider device.
  • Embodiment 2: a method for querying a user attribute, which is shown in FIG. 2 and includes:
  • the method includes:
  • the attribute service provider needs to send a request to the other user through the interaction service in order to obtain that user's authentication;
  • the interaction service sends a message to user B, asking whether the attribute may be queried;
  • the interaction service can send the inquiry message to user B via HTTP, asking B whether to allow the user attributes to be queried; in this example, the user's name and address are looked up.
  • the user can feed the answer back to the interaction service via the HTTP POST method.
  • the interaction service feeds the user's response back to the attribute service provider: it sends a response message carrying the <InteractionResponse> element to the attribute service provider through the interaction.
  • Embodiment 8 is a method for querying user attributes.
  • user A provides a service for user B through an SP.
  • User A provides service to User B after logging in to the SP.
  • User A authenticates with User B before querying certain attributes of User B.
  • User B agrees that User A may query certain of B's attributes.
  • the main idea of the solution is that when user A needs to provide services to user B through the SP, user A needs to be authenticated by user B first, so that user A can use certain attributes of user B.
  • FIG. 11 shows the signaling flow between entities in this embodiment.
  • the authentication part is indicated by a dotted line
  • the solid line part is a service providing part.
  • if User A wants to provide a service for User B, User A first needs to pass IdP authentication. After authentication by the IdP, User A is shown to be a legitimate user within the trust domain.
  • the IdP is a special service provider role that generates, maintains and manages user identity information and provides authentication assertions to other service providers in the authentication domain (also called a trust domain). After authentication by the IdP, User A is a trusted user within the trust domain.
  • G3. User A initiates an authentication request to User B;
  • when user A sends the authentication request to user B, it needs to send information indicating its identity, such as its own ID, to user B.
  • the result of the IdP's authentication of user A needs to be sent to user B, to tell user B that user A is a legitimate user authenticated within the trust domain.
  • the authentication process may include the following: first, user B completes identity authentication with the IdP, and after authentication, B's authentication information is saved on the IdP for use in subsequent services;
  • User B sends the identity information of User A and B's own identity information to the IdP.
  • the IdP records that A and B are to be joined.
  • the specific joining method can take many forms, but the idea is the same.
  • the joint registration of the identities of user A and user B in the IdP may be performed incidentally as part of user B's authentication process.
  • after IdP authentication, user B is confirmed as a legitimate user within the trust domain, and the information of A and B is bound in the IdP to tell subsequent services that the two users have passed IdP authentication and are in a helping relationship.
  • after user A sends an authentication message to user B, user B feeds back an authentication message; through this authentication, User B can decide whether A is to help B complete certain services.
  • logging in to the SP is prior art; this can be done via HTTP, etc., and is not described further here. Note that when logging in to the SP, User A needs to bring the joint information with B to the SP, to notify the SP that User A wants to assist B in obtaining the service.
  • the SP consults the IdP to obtain the joint record of A and B.
  • the attribute queried by the SP may be the attribute of User B, so it is necessary to find the attribute of B in the attribute service provider.
  • This step omits the process by which the SP obtains AP information from the discovery service.
  • the SP will send the joint information of A and B to the AP.
  • the AP confirms, according to the joint information confirmed by the IdP, that A is a legitimate user authenticated by B, so user B's attribute server can provide such attribute queries for A.
  • the identification of user A and user B in this embodiment is only an example; other ways, for example by telephone number, e-mail address or user ID, achieve the same purpose and are consistent with it.
  • the ninth embodiment: a method for querying a user attribute
  • the user A provides a service for the user B through the SP.
  • user B can set a list of attribute access rights on the AP; the users listed in the table obtain access rights to certain of B's attributes. In this way, User A gains access to the attributes listed for A in the table.
  • the main idea of the solution is that, before obtaining certain services for user B through the SP, user A can negotiate with B; through this authentication, B generates a list of attribute access rights for A, and user B can send this list to the attribute server to be saved for use by subsequent services.
  • the premise of this embodiment is that user B has passed the authentication of Idp.
  • user A first needs to obtain user B's authentication in order to complete the service for user B and log in to the SP; this authentication process can be completed in a variety of ways, for example by sending a request message so that user B knows that the requester is user A; H2: user B logs in to SP1;
  • the login method can use HTTP or the like and is not described in detail here;
  • the IdP replies to the request with a response that includes an authentication assertion describing the user's authentication status
  • SP1 proposes to modify the list of trusted objects for User B held at the AP; this list is maintained at the attribute provider and can be modified by the SP.
  • the service provider uses the <Modify> element; User B's list of trusted objects held at the attribute provider may have a form similar to Table 1 below:
  • the modified result may be in the form of Table 2.
  • after User B grants User A usage rights for some attributes, User B feeds this back to User A.
  • a query unit configured to send, according to the service request received by the receiving unit, an attribute query request to the second user to the attribute provider device;
  • the attribute query request includes the user identity information of the first user and the user identity information of the second user;
  • the service provider device may further include: an authentication unit, configured to authenticate the identity information of the first user;
  • the querying unit is specifically configured to: after the authentication unit passes the authentication of the identity information of the first user, send an attribute query request to the second user according to the service request received by the receiving unit to the attribute provider device.
  • an authentication result receiving unit, configured to receive the identity authentication result for the first user returned by the identity provider device.
  • the authentication unit may further include: a joint information receiving unit, configured to receive the joint information of the first user and the second user returned when the identity authentication provider determines that joint information exists for the first user;
  • the query request sent by the query unit further includes the joint information.
  • the attribute provider device receives an attribute query request for the second user sent by the service provider device, where the attribute query request includes the user identity information of the first user and the user identity information of the second user; the attribute provider device determines whether the first user has the right to query the attributes of the second user; if the result of the determination is that the user has the right, the attribute provider device performs the attribute query and returns the queried attribute information of the second user to the service provider device.
  • a user can thus query the attribute information of other users, so that, after logging in to the SP, one user can help other users complete the corresponding service; this adds to the variety of services the SP provides to users, enhances the user experience and improves service efficiency.
  • the problem of confirming trust between users is fully considered: for the case where a user queries another user's attribute information, three specific preferred implementations of the user's query authority are given, and the constraints of the trust relationship between the users are explained, so that the technical solution of the present invention is better realized.
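As an added illustration (not code from the patent or its assignee), the following Python models the attribute provider's determining unit with the three authorization paths described above: joint information confirmed by the IdP (Embodiment 8), the trusted-object list that user B keeps at the AP and the SP modifies (Embodiment 9), and an interactive consent query to user B (Embodiment 2). All class names, data shapes and sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AttributeQueryRequest:
    """Attribute query request as sent by the SP (Embodiment 1, step B1); constructed shape."""
    first_user: str                               # user A, acting for B
    second_user: str                              # user B, whose attributes are queried
    attributes: FrozenSet[str]                    # attribute names the SP needs
    joint_info: Optional[FrozenSet[str]] = None   # (A, B) joint record A logged in with, if any


@dataclass
class AttributeProvider:
    """Attribute provider device (AP) whose determining unit combines three paths."""
    store: Dict[str, Dict[str, str]]              # user -> stored attributes
    # Embodiment 9: B's trusted-object list kept at the AP: owner -> grantee -> attributes
    trusted_lists: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # Embodiment 8: (A, B) joint records the AP has itself confirmed with the IdP
    confirmed_joint_records: Set[FrozenSet[str]] = field(default_factory=set)
    # Embodiment 2: interaction service asking B; returns the attributes B consents to
    ask_user: Optional[Callable[[str, str, FrozenSet[str]], Set[str]]] = None

    def modify_trusted_list(self, owner: str, grantee: str, attrs: Set[str]) -> Dict[str, Set[str]]:
        """SP-driven <Modify> of the owner's list (Table 1 -> Table 2 on the page)."""
        self.trusted_lists.setdefault(owner, {}).setdefault(grantee, set()).update(attrs)
        return self.trusted_lists[owner]

    def permitted_attributes(self, req: AttributeQueryRequest) -> Set[str]:
        """Determining unit (step B2): which of the requested attributes may A see?"""
        a, b, wanted = req.first_user, req.second_user, set(req.attributes)
        if a == b:                                # prior-art case: a user queries themself
            return wanted
        allowed: Set[str] = set()
        # Path 1 (Embodiment 8): the joint info must name exactly (A, B) and match a record
        # the AP confirmed with the IdP; a binding merely asserted by the SP is not trusted.
        if (req.joint_info is not None and req.joint_info == frozenset({a, b})
                and req.joint_info in self.confirmed_joint_records):
            allowed |= wanted
        # Path 2 (Embodiment 9): B's per-attribute trusted-object list held at the AP
        allowed |= wanted & self.trusted_lists.get(b, {}).get(a, set())
        # Path 3 (Embodiment 2): ask B interactively, and only for what is still missing
        missing = wanted - allowed
        if missing and self.ask_user is not None:
            allowed |= missing & self.ask_user(a, b, frozenset(missing))
        return allowed

    def query(self, req: AttributeQueryRequest) -> Tuple[Dict[str, str], List[str]]:
        """Steps B3/B4: return only permitted values; name the rest as denied, never their values."""
        allowed = self.permitted_attributes(req)
        record = self.store.get(req.second_user, {})
        granted = {name: record[name] for name in sorted(allowed) if name in record}
        return granted, sorted(set(req.attributes) - allowed)


def demo_list_and_consent() -> Tuple[Dict[str, str], List[str]]:
    """Constructed scenario: A orders a ticket for B; B listed 'name' for A at the AP and,
    when asked interactively, consents to 'address' but not 'phone'."""
    ap = AttributeProvider(store={"B": {"name": "B. Example", "address": "1 Sample St",
                                        "phone": "000-0000"}})
    ap.modify_trusted_list("B", "A", {"name"})
    consents = {"address"}                        # constructed answer from user B
    ap.ask_user = lambda a, b, attrs: attrs & consents
    req = AttributeQueryRequest("A", "B", frozenset({"name", "address", "phone"}))
    return ap.query(req)


def demo_joint_info():
    """Constructed scenario: the IdP confirmed (A, B); a request from user C that carries
    the same joint record is refused, while A's request is served."""
    ap = AttributeProvider(store={"B": {"name": "B. Example"}})
    joint = frozenset({"A", "B"})
    ap.confirmed_joint_records.add(joint)
    mismatched = AttributeQueryRequest("C", "B", frozenset({"name"}), joint_info=joint)
    genuine = AttributeQueryRequest("A", "B", frozenset({"name"}), joint_info=joint)
    return ap.query(mismatched), ap.query(genuine)
```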

Abstract

A method for user attribute query includes: receiving a query request for the attributes of a second user sent by service provider equipment, wherein said attribute query request includes identity information of the first user and identity information of the second user; judging whether the first user is authorized to query the attributes of the second user; performing the attribute query and returning the obtained second user's attribute information to the service provider equipment if the result of the judgment is that the first user is authorized.

Description

User attribute query method, service providing method and device
This application claims priority to Chinese Patent Application No. 200810093789.4, entitled "Method for Querying User Attributes, Method and Equipment for Providing Services", filed with the Chinese Patent Office on April 18, 2008, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications, and in particular to a method for querying user attributes and a method and device for providing a service.
Background art
OMA Web Service (OWSER) 1.1 defines how to expose, discover and use OMA applications with Web Service technology. OMA Web Service 1.1 lists parameters for access, authentication and authorization, enabling developers to ensure data integrity and the transmission of confidential data. In addition, a user can also discover the registered original code and service description without going through OMA Web Service 1.1. OMA Web Service Network Identity (OWSER NI) 1.0 provides various protocols and services that give OMA services and applications a federated identity in the Liberty web services environment.
The Web Service architecture is based on interactions between three roles (service provider, service registry and service requester). The interaction involves publish, find and bind operations. These roles and operations act together on the Web service artifacts: the Web service software module and its description. Typically, a service provider hosts a software module (an implementation of a Web service) that is accessible over the network. The service provider defines the service description of the Web service and publishes it to the service requester or the service registry. The service requester uses the find operation to retrieve the service description locally or from the service registry, then binds to the service provider using the service description and invokes or interacts with the Web service implementation. The service provider and service requester roles are logical constructs, so a single service can exhibit both characteristics. The diagram below shows these operations, the components that provide them and the interactions between them.
For an application that uses a Web service, three actions must occur: publishing a service description, querying or finding a service description, and binding to or invoking a service according to the service description. These actions can occur once or repeatedly. Specifically:
Publish: for a service to be accessible, its service description must be published so that the service requester can find it. Where the service description is published can vary with the requirements of the application.
Find: in a find operation, the service requester retrieves the service description directly or queries the service registry for the required type of service. For service requesters, find operations may be involved in two different lifecycle phases: at design time the interface description of the service is retrieved for program development, and at runtime the binding and location description of the service is retrieved for invocation.
Bind: finally, the service must be invoked. In the bind operation, the service requester uses the binding details in the service description to locate, contact and invoke the service, thereby invoking or initiating interaction with the service at runtime.
In the prior art, when a user completes a service using an SP, the user must be authenticated by an identity provider (IdP) and a query of the user's attributes must be completed.
In the course of researching and practising the prior art, the inventors found the following problem: when a user completes a service through the SP, a query must be made to the attribute provider, and the content of that query is information about the logged-in user personally; because the service currently provided can only query the user's own attribute information, it cannot query the attribute information of other users. In practice, however, there is a need for one user to order a service or product on behalf of another, for example user A ordering a movie ticket online for user B; since such an order cannot query user B's information, it cannot be completed.
Summary of the invention
The technical problem solved by the embodiments of the present invention is to provide a method for querying user attributes and a method and device for providing a Web service, so that a user can query the attribute information of other users.
An embodiment of the present invention provides a method for querying user attributes, including:
receiving an attribute query request for a second user sent by a service provider device, where the attribute query request includes user identity information of a first user and user identity information of the second user;
determining whether the first user has the right to query the attributes of the second user; if the result of the determination is that the first user has the right, performing the attribute query and returning the queried attribute information of the second user to the service provider device.
An embodiment of the present invention provides a method for providing a service, characterized in that it includes:
receiving a service request sent by a first user on behalf of a second user, where the service request includes user identity information of the first user and user identity information of the second user;
sending an attribute query request for the second user to an attribute provider device, where the attribute query request includes the user identity information of the first user and the user identity information of the second user;
receiving the attribute information of the second user returned when the attribute provider device determines that the first user has the right to query the attributes of the second user;
providing a service to the second user according to the attribute information of the second user.
An embodiment of the present invention provides an attribute provider device, including: a query request receiving unit, configured to receive an attribute query request for a second user sent by a service provider device, where the attribute query request includes user identity information of a first user and user identity information of the second user;
a determining unit, configured to determine whether the first user has the right to query the attributes of the second user; an attribute querying unit, configured to query the attributes of the second user when the determining unit determines that the first user has the right to query them;
a feedback unit, configured to return the attribute information of the second user queried by the attribute querying unit to the service provider device.
An embodiment of the present invention provides an identity authentication provider device, including: an identity authentication unit, configured to authenticate the identity of users, receive requests from authenticated users, and join the identity information of at least two users to obtain joint information;
a storage unit, configured to store the joint information;
an information feedback unit, configured to, upon receiving an identity authentication request for a user from a service provider device, look up in the storage unit whether joint information exists for that user and, if so, return the user's joint information to the service provider device.
An embodiment of the present invention provides a service providing system, characterized in that it includes:
a service provider device, configured to receive a service request sent by a first user on behalf of a second user, where the service request includes user identity information of the first user and user identity information of the second user; to send, according to the service request, an attribute query request for the second user, where the attribute query request includes the user identity information of the first user and the user identity information of the second user; and, after obtaining the attribute information of the second user, to serve the second user according to that attribute information;
an attribute provider device, configured to receive the attribute query request for the second user sent by the service provider device and determine whether the first user has the right to query the attributes of the second user; if the result of the determination is that the first user has the right, to perform the attribute query of the second user and return the queried attribute information of the second user to the service provider device.
A service provider device, characterized in that it includes:
a receiving unit, configured to receive a service request sent by a first user on behalf of a second user, where the service request includes user identity information of the first user and user identity information of the second user;
a query unit, configured to send, according to the service request received by the receiving unit, an attribute query request for the second user to the attribute provider device, where the attribute query request includes the user identity information of the first user and the user identity information of the second user;
服务提供单元, 用于接收属性提供商设备反馈的所述第二用户的属性信 息 , 并根据所述第二用户端额属性信息为所述第二用户进行服务。  a service providing unit, configured to receive attribute information of the second user fed back by the attribute provider device, and serve the second user according to the second user terminal attribute information.
采用上述技术方案, 本发明实施例有益的技术效果在于: 本发明实施例中 ,属性提供商设备接收服务提供商设备发送的对第二用户 的属性查询请求;所述属性查询请求包含第一用户的用户身份信息和第二用户 的用户身份信息;属性提供商设备判断所述第一用户是否有权限查询所述第二 用户的属性; 若所述判断的结果为有权限, 则属性提供商设备进行属性查询并 将查询到的第二用户的属性信息返回给所述服务提供商设备。通过本发明实施 例的技术方案,可以实现对用户对其他用户属性信息的查询,进而一个用户可 以帮助其他用户完成相应的服务, 增加了 SP为用户提供业务的多样性, 增强 了用户体验, 提高了服务效率。  The technical solution of the present invention is that the attribute provider device receives the attribute query request for the second user sent by the service provider device in the embodiment of the present invention; the attribute query request includes the first user. The user identity information and the user identity information of the second user; the attribute provider device determines whether the first user has the right to query the attribute of the second user; if the result of the determination is that the right is, the attribute provider device Performing an attribute query and returning the attribute information of the queried second user to the service provider device. Through the technical solution of the embodiment of the present invention, the user can query the attribute information of other users, and then one user can help other users complete the corresponding service, increase the diversity of the service provided by the SP for the user, enhance the user experience, and improve the user experience. Service efficiency.
Description of the drawings
FIG. 1 is a flowchart of a method for querying user attributes according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a method for querying user attributes according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of a method for providing a Web service according to Embodiment 3 of the present invention;
FIG. 4 is a schematic diagram of the logical structure of an attribute provider device according to Embodiment 4 of the present invention;
FIG. 5 is a schematic diagram of one logical structure of the determining unit according to Embodiment 4 of the present invention; FIG. 6 is a schematic diagram of another logical structure of the determining unit according to Embodiment 4 of the present invention;
FIG. 7 is a schematic diagram of yet another logical structure of the determining unit according to Embodiment 4 of the present invention; FIG. 8 is a schematic diagram of the logical structure of an identity authentication provider device according to Embodiment 5 of the present invention; FIG. 9 is a schematic diagram of the logical structure of a service providing system according to Embodiment 6 of the present invention;
FIG. 10 is a signaling diagram between the entities of a method for querying user attributes according to Embodiment 7 of the present invention; FIG. 11 is a signaling diagram between the entities of a method for querying user attributes according to Embodiment 8 of the present invention; FIG. 12 is a signaling diagram between the entities of a method for querying user attributes according to Embodiment 9 of the present invention.
Detailed description
The embodiments of the present invention provide a method for querying user attributes and a method and device for providing a service, which allow a user to query the attribute information of other users.
The method for querying user attributes and the method and device for providing a service provided by the present invention are described in detail below.
Embodiment 1: a method for querying user attributes, whose flowchart is shown in FIG. 1, includes:
B1: the attribute provider device receives an attribute query request for a second user sent by a service provider device; the attribute query request includes user identity information of the first user and user identity information of the second user;
B2: the attribute provider device determines whether the first user has permission to query the attributes of the second user; if so, proceed to step B3; if not, proceed to step B4.
B3: the attribute provider device performs the attribute query and returns the second user's attribute information found by the query to the service provider device.
B4: notify the service provider device that there is no permission and the query cannot be performed.
The technical solution of Embodiment 1 allows a user to query the attribute information of other users, so that after logging in to an SP one user can help other users complete the corresponding services and obtain the corresponding business for them; this increases the variety of services an SP can offer its users, enhances the user experience and improves service efficiency.
Embodiment 2: a method for querying user attributes, whose flowchart is shown in FIG. 2, includes:
C1: the service provider device receives a service request sent by a first user on behalf of a second user; the service request includes the identity information of the second user;
C2: the service provider device interacts with the identity authentication provider device to authenticate the identity information of the first user; if authentication succeeds, proceed to step C4; if authentication fails, proceed to step C3;
In the embodiments of the present invention, the process of authenticating the identity information of the first user includes: the service provider device sends a user authentication request to the user identity authentication provider device; the user identity authentication provider device authenticates the first user and returns the authentication result.
C3: notify the first user that authentication failed and refuse to provide the service.
C4: the service provider device sends an attribute query request for the second user to the attribute provider device; the attribute query request includes the identity information of the second user;
It can be understood that the service provider may interact with a discovery server to obtain the address of the attribute provider device. What the present invention emphasizes is that an existing service provider device is able to obtain the address of the attribute provider device and communicate with it; how the attribute provider is actually located can be done in a conventional way and is not elaborated here.
C5: the attribute provider device determines whether the first user has permission to query the attributes of the second user; if so, proceed to step C6; if not, proceed to step C7.
In the embodiments of the present invention, determining whether the first user has permission can be done in several ways. Some feasible ways are listed below; the specific way used does not limit the present invention.
Method one:
the attribute provider device sends an authorization request to the second user; the authorization request includes the user identity information of the first user;
the second user determines whether the first user's device has permission to query the attributes, and returns the result of the determination to the attribute provider device.
In method one above, the attribute provider device confirms the first user's query permission with the second user; the attribute provider device and the second user's device can communicate through an interaction server that performs signaling conversion.
Method two: the attribute provider device compares the identity information of the first user with the second user's attribute access permission list; if the first user's identity information is in the attribute access permission list, it determines that the first user has permission to query.
It can be understood that, the attribute access permission list being stored in the attribute provider device, a user can interact with the attribute provider device to configure the list, specifically:
the first user and the second user perform negotiation and authentication; after passing, the second user configures an attribute access permission list for the first user, and the list is stored in the attribute provider device. Configuring here may mean creating an attribute access list or adding to or modifying an existing one.
A more detailed representation of the attribute access list can be found in Embodiment 9.
Method three:
the attribute provider device determines whether the attribute query request for the second user sent by the service provider device contains federation information federating the first user with the second user; if it does, it determines that the first user has permission.
It can be understood that the federation information of the first user and the second user may be pre-configured by the users through a specific channel, for example:
before the service provider device receives the service request sent by the first user on behalf of the second user, the method includes:
the identity authentication provider device federates the identity information of the first user with the identity information of the second user and stores the federation information;
The federation information here can be used to prove the trust relationship between the second user and the first user; it may include the binding between the identity information of the first user and that of the second user, and may further include the types of attribute information the second user opens to the first user, and the like.
In step C2, the process in which the service provider device interacts with the identity authentication provider device to authenticate the first user may further include:
the identity authentication provider device looks up whether federation information exists for the first user; if it does, it returns the federation information to the service provider device;
the attribute query request for the second user received from the service provider device then contains the federation information.
C6: the attribute provider device performs the attribute query and returns the second user's attribute information found by the query to the service provider device.
C7: notify the service provider device that there is no permission and the query cannot be performed.
In the embodiments of the present invention, when a user queries another user's attributes and the attributes being consulted are content that can only be consulted with that user's consent, the problem of confirming trust between users is fully taken into account. For the case in which a user consults other users' attribute information, three specific preferred implementations have been given that explain the constraints on the user's query permission and on the trust relationship between users, so the technical solution of the present invention is better realized.
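The permission decision of step C5 with all three methods combined (the subject's access permission list of method two, the federation information of method three and, only for what is still missing, asking the subject as in method one), as an added Python example that is not code from the patent; the class names, the request layout and the sample data are assumptions.

```python
"""Authorization check of the attribute provider device for step C5 of Embodiment 2.

Added example, not code from the patent: the class and record names are assumptions
and all user data is constructed. Permission to read the second user's (subject's)
attributes is granted per attribute type by method two (the subject's access
permission list), method three (federation information binding both users) and,
only for what is still missing, method one (asking the subject, which in the patent
goes through the interaction service).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


class PermissionDenied(Exception):
    """Step C7: the service provider is told there is no permission to query."""


@dataclass
class AttributeQueryRequest:
    requester_id: str                  # first user's identity information
    subject_id: str                    # second user's identity information
    attributes: List[str]              # attribute types being queried
    federation: Optional[dict] = None  # federation information forwarded by the SP


@dataclass
class AttributeProvider:
    # subject -> {attribute type: value}; sample data is constructed by the caller
    store: Dict[str, Dict[str, str]]
    # method two: subject -> requester -> attribute types opened to that requester
    access_lists: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # method one: callback (requester, subject, attribute types) -> consent given?
    # None models a subject that cannot be reached through the interaction service
    ask_subject: Optional[Callable[[str, str, List[str]], bool]] = None

    def _from_access_list(self, req: AttributeQueryRequest) -> Set[str]:
        """Method two: types the subject's access permission list grants the requester."""
        return set(self.access_lists.get(req.subject_id, {}).get(req.requester_id, ()))

    def _from_federation(self, req: AttributeQueryRequest) -> Set[str]:
        """Method three: types covered by federation information binding both users.

        The record must name exactly the requester and the subject; an optional
        'open_types' field lists the types the subject opened to the requester.
        Before trusting the record a deployment would also verify the identity
        provider's signature on it (assumed here, not specified on the page).
        """
        fed = req.federation
        if not fed or set(fed.get("users", ())) != {req.requester_id, req.subject_id}:
            return set()
        if "open_types" in fed:
            return set(fed["open_types"])
        return set(req.attributes)  # a bare binding opens what was asked for

    def _from_consent(self, req: AttributeQueryRequest, pending: List[str]) -> Set[str]:
        """Method one: ask the subject, and only about types not already granted."""
        if not pending or self.ask_subject is None:
            return set()
        agreed = self.ask_subject(req.requester_id, req.subject_id, pending)
        return set(pending) if agreed else set()

    def query(self, req: AttributeQueryRequest) -> Dict[str, str]:
        """Steps C5/C6: return the requested attributes or raise PermissionDenied."""
        if req.subject_id not in self.store:
            raise PermissionDenied("no permission")  # same answer as for a real denial
        wanted = list(dict.fromkeys(req.attributes))  # de-duplicate, keep order
        if req.requester_id == req.subject_id:
            allowed = set(wanted)  # conventional OWSER NI case: a user's own attributes
        else:
            allowed = self._from_access_list(req) | self._from_federation(req)
            pending = [a for a in wanted if a not in allowed]
            allowed |= self._from_consent(req, pending)
        missing = [a for a in wanted if a not in allowed]
        if missing:
            raise PermissionDenied(f"{req.requester_id} may not read {missing}")
        record = self.store[req.subject_id]
        return {a: record[a] for a in wanted if a in record}
```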
Embodiment 3: a method for providing a service, whose flowchart is shown in FIG. 3, includes:
D1: the service provider device receives a service request sent by a first user on behalf of a second user; the service request includes user identity information of the first user and user identity information of the second user. It can be understood that, after receiving the service request sent by the first user on behalf of the second user, the method further includes: the service provider device authenticates the identity information of the first user, and if authentication succeeds, proceeds to step D2.
Specifically, the process of authenticating the first user may include:
sending a user authentication request to the user identity authentication provider device;
the user identity authentication provider device authenticates the first user and returns the authentication result.
It can be understood that, after the user authentication request is sent to the user identity authentication provider device, the embodiment of the present invention may further include:
receiving the federation information of the first user and the second user, which the identity authentication provider returns when it finds that federation information exists for the first user;
the attribute query request for the second user sent to the attribute provider device then contains the federation information. In general, the federation information may be returned together with the authentication result of the first user.
D2: the service provider device sends an attribute query request for the second user to the attribute provider device; the attribute query request includes the user identity information of the first user and the user identity information of the second user;
D3: the attribute provider device determines whether the first user has permission to query the attributes of the second user; if so, proceed to step D5; if not, proceed to step D4;
D4: notify the first user that authentication failed and refuse to provide the service.
D5: the attribute provider device performs the attribute query and returns the second user's attribute information found by the query to the service provider device;
D6: after obtaining the attribute information of the second user, the service provider device provides the service to the second user according to the second user's attribute information.
It can be understood that step D6 may be followed by: the service provider device returns the result of the service to the first user.
A person of ordinary skill in the art can understand that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes the following steps:
the attribute provider device receives an attribute query request for a second user sent by a service provider device, the request including user identity information of the first user and user identity information of the second user; the attribute provider device determines whether the first user has permission to query the attributes of the second user; if the result of the determination is that the first user has permission, the attribute provider device performs the attribute query and returns the second user's attribute information found by the query to the service provider device.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
Embodiment 4: an attribute provider device 500, whose logical structure is shown in FIG. 4, includes a query request receiving unit 510, a determining unit 520, an attribute query unit 530 and a feedback unit 540. The query request receiving unit 510 is configured to receive an attribute query request for a second user sent by a service provider device; the attribute query request includes user identity information of the first user and user identity information of the second user;
the determining unit 520 is configured to determine whether the first user has permission to query the attributes of the second user; if the result of the determination is that the first user has permission, it notifies the attribute query unit 530 to query the attributes of the second user;
the attribute query unit 530 is configured to perform the attribute query according to the notification from the determining unit; the feedback unit 540 is configured to return the second user's attribute information found by the attribute query unit 530 to the service provider device.
In this embodiment, the determining unit 520 can use different ways of determining.
Referring also to FIG. 5, which is a schematic diagram of one logical structure of the determining unit 520:
the determining unit 520 may include a list storage unit 521 and a comparison unit 522;
the list storage unit 521 is configured to store the second user's attribute access permission list;
the comparison unit 522 is configured to compare the identity information of the first user with the second user's attribute access permission list stored by the list storage unit 521; if the first user's identity information is in the attribute access permission list, it determines that the first user has permission to query.
Referring also to FIG. 6, which is a schematic diagram of another internal logical structure of the determining unit: the determining unit 520 includes an authorization request unit 523 and an authorization response receiving unit 524; the authorization request unit 523 is configured to send an authorization request to the second user, the authorization request including the user identity information of the first user;
the authorization response receiving unit 524 is configured to receive the authorization result returned by the second user's device; the authorization result indicates whether the first user has permission to query the attributes of the second user.
Referring also to FIG. 7, which is a schematic diagram of yet another internal logical structure of the determining unit: the determining unit 520 includes a federation information checking unit 525 and a decision unit 526;
the federation information checking unit 525 is configured to check whether the attribute query request for the second user received by the query request receiving unit contains federation information federating the first user with the second user, and to send the result of the check to the decision unit;
the decision unit 526 is configured to notify the attribute query unit to query the attributes of the second user when the result from the checking unit is that federation information exists.
Embodiment 5: an identity authentication provider device 900, whose structure is shown in FIG. 8, includes an identity authentication unit 910, a storage unit 920 and an information feedback unit 930;
the identity authentication unit 910 is configured to authenticate the identity of a user and receive requests from authenticated users; it federates the identity information of at least two users and stores the federation information in the storage unit 920;
the storage unit 920 is configured to store the federation information;
the information feedback unit 930 is configured to, upon receiving an identity authentication request for a user from a service provider device, look up in the storage unit 920 whether federation information exists for the user and, if it does, return the user's federation information to the service provider device.
Embodiment 6: a service providing system, whose logical structure is shown in FIG. 9, includes a service provider device 1010 and an attribute provider device 1020;
the service provider device 1010 is configured to receive a service request sent by a first user on behalf of a second user, the service request including user identity information of the first user and user identity information of the second user, and to send an attribute query request for the second user to the attribute provider device 1020, the attribute query request including the user identity information of the first user and the user identity information of the second user; the service provider device is further configured to, after obtaining the second user's attribute information returned by the attribute provider device 1020, provide the service to the second user according to that attribute information;
the attribute provider device 1020 is configured to determine whether the first user has permission to query the attributes of the second user; if the result of the determination is that the first user has permission, it performs the attribute query and returns the second user's attribute information found by the query to the service provider device 1010.
The technical solution of the present invention is described in detail below with reference to specific application scenarios; all of the following embodiments are implemented in an OWSER NI network.
Embodiment 7: a method for querying user attributes. With this solution, user A can log in at the SP and pass authentication by the IdP; the discovery service then supplies the address of the attribute provider holding the attributes of user B that are to be consulted, and after authorization by user B, user A can obtain through the SP those attributes that user B allows to be consulted. The main idea of this embodiment is that user A can serve user B through the SP. In the usual sense, OWSER NI is about a user querying attributes through an SP to obtain a service for himself; but when a user's terminal needs to serve other users, the attributes of the user being served must be queried at the time the service takes place. The attributes we speak of are normally stored at a logical address called the attribute provider. For example, a user's location information is an attribute, and the provider of that attribute may look up equipment such as the home subscriber server (HSS) to determine the user's location. Considering privacy, certain attributes of a user cannot be given directly to others, so consulting certain attributes requires that user's consent. The precondition of this embodiment is that both users A and B have already passed authentication by the IdP. The interactions between users A/B, the service provider SP and the interaction service in this embodiment belong to the prior art; so that the process is shown completely, they are still drawn in the figure and distinguished as a/b/c/d. The signaling diagram between the entities is shown in FIG. 10 and includes:
F1: user A logs in to the service provider SP;
the service provider SP sends an attribute lookup request to the attribute provider;
The service provider can use the mechanism defined by the Liberty Data Service Template (DST) to initiate a query to the attribute provider. In this case, a service provider must use the <Query> element, and the attribute provider must use the <QueryResponse> element in its response to the service provider. Below is an example of a <Query> whose resource is identified by the resource ID http://OWSER-attribute-provider.com/u6gh8jlx90bt8h1o and which queries the name and home address:
<Query>
  <ResourceID>http://OWSER-attribute-provider.com/u6gh8jlx90bt8h1o</ResourceID>
  <QueryItem itemID="name">
    <Select>/pp:PP/pp:CommonName</Select>
  </QueryItem>
  <QueryItem itemID="home">
    <Select>/pp:PP/pp:AddressCard[pp:AddressType="urn:liberty:id-sis-pp:addrType:home"]</Select>
  </QueryItem>
</Query>
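How an attribute provider might parse the <Query> above and answer it with a <QueryResponse> that serves only what the permission check granted, as an added Python example that is not code from the patent or from the Liberty specifications; the response layout, the pp namespace URI, the flat rendering of the address and the 'granted' dictionary standing in for steps C5/C6 are assumptions.

```python
"""Handling the Liberty DST <Query> of step F1 at the attribute provider.

Added example, not code from the patent or from the Liberty specifications. Only the
<Select> expressions in SUPPORTED_SELECTS are answered; an unlisted path is refused
instead of being evaluated against the profile. The response layout (a <Status code>
plus one <Data itemIDRef> per item), the pp namespace URI and the flat rendering of
the address are simplifications and assumptions, as is the 'granted' dictionary
standing in for the authorization of steps C5/C6.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PP_NS = "urn:liberty:id-sis-pp:2003-08"  # assumed Personal Profile namespace

# Select path -> (attribute type the authorization step knows, pp element in the reply)
SUPPORTED_SELECTS: Dict[str, Tuple[str, str]] = {
    "/pp:PP/pp:CommonName": ("CommonName", "CommonName"),
    '/pp:PP/pp:AddressCard[pp:AddressType="urn:liberty:id-sis-pp:addrType:home"]':
        ("HomeAddress", "AddressCard"),
}

# The <Query> example from the page, with the resource ID reconstructed
SAMPLE_QUERY = """<Query>
  <ResourceID>http://OWSER-attribute-provider.com/u6gh8jlx90bt8h1o</ResourceID>
  <QueryItem itemID="name">
    <Select>/pp:PP/pp:CommonName</Select>
  </QueryItem>
  <QueryItem itemID="home">
    <Select>/pp:PP/pp:AddressCard[pp:AddressType="urn:liberty:id-sis-pp:addrType:home"]</Select>
  </QueryItem>
</Query>"""


def parse_query(xml_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (resource ID, [(itemID, Select), ...]); raise ValueError on bad input.

    xml.etree does not fetch external entities, but for input arriving over the
    network a hardened parser such as defusedxml is the safer choice (assumption).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "Query":
        raise ValueError(f"expected <Query>, got <{root.tag}>")
    resource_id = (root.findtext("ResourceID") or "").strip()
    if not resource_id:
        raise ValueError("missing <ResourceID>")
    items: List[Tuple[str, str]] = []
    for qi in root.findall("QueryItem"):
        item_id = qi.get("itemID")
        select = (qi.findtext("Select") or "").strip()
        if not item_id or not select:
            raise ValueError("every <QueryItem> needs an itemID and a <Select>")
        items.append((item_id, select))
    if not items:
        raise ValueError("<Query> carries no <QueryItem>")
    return resource_id, items


def render_response(status: str, served: List[Tuple[str, str, str]]) -> str:
    """Serialize a <QueryResponse>; 'served' holds (itemID, pp element, value)."""
    resp = ET.Element("QueryResponse", {"xmlns:pp": PP_NS})
    ET.SubElement(resp, "Status", {"code": status})
    for item_id, element, value in served:
        data = ET.SubElement(resp, "Data", {"itemIDRef": item_id})
        ET.SubElement(data, f"pp:{element}").text = value
    return ET.tostring(resp, encoding="unicode")


def answer_query(xml_text: str,
                 granted_by_resource: Dict[str, Dict[str, str]]) -> Tuple[str, Dict[str, str], str]:
    """Answer a <Query> with only the attribute types the authorization step granted.

    'granted_by_resource' maps a resource ID to {attribute type: value} for the
    subject it identifies. If the resource is unknown or any item is unsupported or
    not granted, the whole query fails with no data, so a partial answer cannot
    leak what the subject did not open (steps B4/C7).
    """
    resource_id, items = parse_query(xml_text)
    granted = granted_by_resource.get(resource_id)
    if granted is None:
        return "Failed", {}, render_response("Failed", [])
    served: List[Tuple[str, str, str]] = []
    for item_id, select in items:
        entry = SUPPORTED_SELECTS.get(select)
        if entry is None or entry[0] not in granted:
            return "Failed", {}, render_response("Failed", [])
        served.append((item_id, entry[1], granted[entry[0]]))
    data = {item_id: value for item_id, _, value in served}
    return "OK", data, render_response("OK", served)
```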
F2, 属性服务提供商为了获取其它用户的认证, 需要通过交互服务向其 他用户发送请求; F2, the attribute service provider needs to send a request to other users through the interactive service in order to obtain the authentication of other users;
属性服务提供商通过发送 <InteractionRequest>元素到交互服务。 下面是 一个 < InteractionRequest > 的例子:  The attribute service provider sends the <InteractionRequest> element to the interactive service. Here's an example of < InteractionRequest >:
<InteractionRequest>
  <ResourceID>http://attribute-provider.com/u6gh8jIx90bt8h1o</ResourceID>
  <Inquiry title="attribute-provider question">
    <Help moreLink="http://pip.example.com/help/attribute/read/consent">example.com is requesting your address. We do not have a rule that instructs us how you want us to process this request. Please pick one of the given options. Note that the last two options do prevent you from being prompted this question when example.com asks for your address again.</Help>
    <Select name="addresschoice">
      <Label>Do you want to share your address with attribute-provider.com?</Label>
      <Value>no</Value>
      <Item label="Not this time" value="no"/>
      <Item label="Yes, once" value="yes"/>
      <Item label="No, never" value="never">
        <Hint>We won't give out your address and won't ask you again</Hint>
      </Item>
      <Item label="Yes, always" value="always">
        <Hint>We will share your address now and in the future with service-provider.com</Hint>
      </Item>
    </Select>
  </Inquiry>
</InteractionRequest>
The example above is the request that the attribute service provider sends to the interaction service in order to query user B's address attribute.
F4. The interaction service sends a message to user B asking whether B agrees to the attribute being queried.
The interaction service can deliver the inquiry to user B over HTTP, asking whether B permits the query of the user attributes. In this example the attributes looked up are the user's name and home address.
F5. The user returns the query response to the interaction service.
If the user agrees to the query of the name and address, the user can return the answer to the interaction service with an HTTP POST.
F6. The interaction service returns the result of user B's response to the attribute service provider.
After the interaction, the interaction service sends a response message containing an <InteractionResponse> element to the attribute service provider. The <ds:Signature> in it references the id of the <Inquiry>, which lets the attribute service provider check that the recorded answer belongs to the question it actually asked before acting on it:
<InteractionResponse>
  <Status code="is:success"/>
  <InteractionStatement>
    <Inquiry title="Profile Provider Question" id="inquiry-3d4e2fa37213b">
      <Select name="addresschoice">
        <Label>Do you want to share your address with service-provider.com?</Label>
        <Value>always</Value>
      </Select>
    </Inquiry>
    <ds:Signature>
      .... <ds:Reference>#inquiry-3d4e2fa37213b</ds:Reference> ....
    </ds:Signature>
  </InteractionStatement>
</InteractionResponse>
F7. Based on the result returned by the interaction service, the attribute server returns the query result to the SP. If user B agrees that user A may query B's attributes, the attribute server returns the queried attributes of user B in this step.
Below is an example of a <QueryResponse> answering the <Query> above. The common name returned for the resource is Dr. Genie Wunderkid, with Dr. Genie Wunder as an alternative common name; the address of the resource is also given.
<QueryResponse>
  [The body of the response survives on the page only as an image (imgf000018_0001); per the text it carries the CommonName "Dr. Genie Wunderkid", the alternative "Dr. Genie Wunder" and the home AddressCard.]
</QueryResponse>
F8. The SP returns the response to user A.
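The consent round-trip of steps F2 to F7 from the attribute provider's side, as an added Python example that is not code from the patent. It builds the <InteractionRequest>, reads the <InteractionResponse>, and turns the user's choice into a release decision, remembering "never" and "always" answers as standing rules so the user is not prompted again. The XML shapes follow the two messages above (the ds:Reference is kept as element text to match the page); the rule store, the function names and the constructed sample response are assumptions. The signature is not verified cryptographically here, which a real attribute provider must do with an XML-DSig library; only the status and the binding of the statement to the inquiry id are checked.

```python
# Added example, not code from the patent: the attribute provider's side of the
# F2..F7 consent round-trip with the interaction service.  The XML shapes follow
# the <InteractionRequest>/<InteractionResponse> samples on the page; the rule
# store, the function names and the sample response below are assumptions.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

DS_NS = "http://www.w3.org/2000/09/xmldsig#"   # namespace of ds:Signature


@dataclass
class ConsentStore:
    """Rules remembered from 'never'/'always' answers, keyed by (resource, requester)."""
    rules: dict = field(default_factory=dict)

    def lookup(self, resource_id, requester):
        return self.rules.get((resource_id, requester))   # "always", "never" or None

    def remember(self, resource_id, requester, choice):
        if choice in ("always", "never"):                 # "yes"/"no" are one-shot answers
            self.rules[(resource_id, requester)] = choice


def build_interaction_request(resource_id, requester, inquiry_id):
    """F2: the <InteractionRequest> sent when no stored rule decides the query."""
    req = ET.Element("InteractionRequest")
    ET.SubElement(req, "ResourceID").text = resource_id
    inq = ET.SubElement(req, "Inquiry", title="attribute-provider question", id=inquiry_id)
    sel = ET.SubElement(inq, "Select", name="addresschoice")
    ET.SubElement(sel, "Label").text = f"Do you want to share your address with {requester}?"
    ET.SubElement(sel, "Value").text = "no"      # default: deny if the user just submits
    for label, value in (("Not this time", "no"), ("Yes, once", "yes"),
                         ("No, never", "never"), ("Yes, always", "always")):
        ET.SubElement(sel, "Item", label=label, value=value)
    return ET.tostring(req, encoding="unicode")


def decide_from_response(xml_text, resource_id, requester, inquiry_id, store):
    """F6/F7: read the <InteractionResponse>; True means the attribute may be released.

    The ds:Signature is not verified cryptographically here (that needs an XML-DSig
    library); only the status and the Reference-to-Inquiry-id binding are checked.
    """
    root = ET.fromstring(xml_text)
    status = root.find("Status")
    if status is None or status.get("code") != "is:success":
        return False
    stmt = root.find("InteractionStatement")
    inq = stmt.find("Inquiry") if stmt is not None else None
    if inq is None or inq.get("id") != inquiry_id:
        return False                              # answer to a different question
    ref = stmt.find(f"{{{DS_NS}}}Signature/{{{DS_NS}}}Reference")
    if ref is None or (ref.text or "").strip() != "#" + inquiry_id:
        return False                              # statement does not cover this inquiry
    choice = (inq.findtext("Select/Value") or "").strip()
    store.remember(resource_id, requester, choice)
    return choice in ("yes", "always")


def authorize(store, resource_id, requester, inquiry_id, response_xml=None):
    """Stored rule first; None means the caller has to run the interaction first."""
    rule = store.lookup(resource_id, requester)
    if rule is not None:
        return rule == "always"
    if response_xml is None:
        return None
    return decide_from_response(response_xml, resource_id, requester, inquiry_id, store)


# Constructed sample answer (the user picked "always"), shaped like the page's response.
SAMPLE_RESPONSE = """<InteractionResponse xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Status code="is:success"/>
  <InteractionStatement>
    <Inquiry title="Profile Provider Question" id="inquiry-3d4e2fa37213b">
      <Select name="addresschoice">
        <Label>Do you want to share your address with service-provider.com?</Label>
        <Value>always</Value>
      </Select>
    </Inquiry>
    <ds:Signature><ds:Reference>#inquiry-3d4e2fa37213b</ds:Reference></ds:Signature>
  </InteractionStatement>
</InteractionResponse>"""
```

The first call to authorize() for a new requester returns None, which tells the provider to send build_interaction_request() and come back with the response; once an "always" or "never" answer has been recorded the interaction service is no longer contacted for that (resource, requester) pair, which is exactly what the Hint texts promise the user.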
In this embodiment the attribute server's confirmation of access to user B's attributes may also be carried out in other conventional ways; the specific manner does not limit the invention.

Embodiment 8. A method of user attribute query, in which user A provides a service for user B through an SP. With this scheme, user A provides a service for user B after logging in to the SP. Before querying certain attributes of user B, user A is authenticated with user B, with the result that user B agrees to let user A consult certain of B's attributes.

The main idea of the scheme is that when user A needs to provide a service for user B through the SP, user A must first be authenticated by user B, after which user A may use certain attributes of user B. Thereafter, when user A logs in to the SP, is authenticated, and obtains the relevant attributes of user B from the attribute service provider, no further authentication round is needed; it is as convenient as if user B were operating on B's own behalf.

The signaling flow between the entities in this embodiment is shown in Figure 11. The authentication part is drawn with dashed lines and the service-provision part with solid lines.
G1. User A sends an authentication request to the IdP.
Since user A wants to provide a service for user B, user A first has to be authenticated by the IdP. Once authenticated by the IdP, user A is a legitimate user within the circle of trust.
G2. The IdP authenticates user A.
The IdP is a special service-provider role that generates, maintains and manages user identity information and can provide authentication assertions to the other service providers in the authentication domain (or even a whole circle of trust). After IdP authentication, user A is a trusted user within the circle of trust.
G3. User A initiates an authentication request to user B.
When user A sends the authentication request to B, A must also send identity information such as A's own ID to user B. The IdP's authentication result for user A needs to be sent to user B as well, to tell user B that user A is a legitimate user authenticated within the circle of trust.
G4. User B authenticates to the IdP. This can comprise two processes. First, user B authenticates to the IdP; after authentication, B's authentication information is kept at the IdP for use by subsequent services.
Second, user B sends the received identity information of user A, together with B's own identity information, to the IdP. Through this step the IdP records that A and B are to be federated. This is only an example; the specific federation method may vary, but the idea is the same. Federated registration of the identities of user A and user B at the IdP can be a side process of user B's authentication.
G5. The IdP authenticates user B and records the federation of user A and user B.
After IdP authentication, user B is confirmed as a legitimate user of the circle of trust, and the IdP binds the information of A and B, so that later services can see that both users have been authenticated by the IdP and that there is a binding relationship between them.
G6. User B sends an authentication message to user A.
After user A has sent the authentication message to user B, user B returns an authentication message. Through this authentication, user B decides whether A is in fact wanted to help B complete certain services.
G7. User A logs in to the SP to obtain the service.
Logging in to the SP is prior art and can be done over HTTP or similar; it is not described further here. Note that when logging in to the SP, user A must also carry the federation information with B into the SP, to inform the SP that user A intends to assist B in obtaining the service.
G8. The SP authenticates A.
The SP consults the IdP to obtain the record of A's federation with B.
G9. The IdP returns the authentication records of A and B as well as the federation record.
G10. The SP queries the attributes needed for the service A requested.
The attributes queried by the SP may be attributes of user B, so B's attributes have to be looked up at the attribute service provider. The step in which the SP obtains the AP's information from the discovery service is omitted here. The SP sends the federation information of A and B to the AP along with the query.
G11. The AP returns the queried attributes of user B for user A.
From the federation information confirmed by the IdP (rather than merely asserted by the SP), the AP establishes that A is a legitimate user authenticated by B, so user B's attribute server may serve such an attribute query for A.
G12. After obtaining the attribute information, the SP processes it and sends the final service result to the user.
The result can be delivered in many ways, for example over the PS domain or the CS domain; no details are given here.
The federation of user A and user B in this embodiment is only an example. Other means, such as a telephone number, e-mail address or user ID, can achieve the same purpose; the principle is the same.
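The federation path of steps G1 to G11, as an added Python example that is not code from the patent. An IdP authenticates both users, records that A is federated with B only after B submits A's identity while both hold a valid authentication (G4/G5), and issues an authentication-plus-federation statement (G9). The AP releases B's attributes to A only when the statement it receives with the query is genuinely IdP-issued and names B as A's federation partner (G10/G11 and claim 5). The HMAC key shared by IdP and AP (standing in for the IdP's signature on a real assertion), the JSON statement format, the toy password store and the attribute data are assumptions of this example.

```python
# Added example, not code from the patent: the G1..G11 federation path, with an IdP
# that records "A is federated with B" and an AP that serves A's query for B's
# attributes only when the request carries IdP-signed federation information
# (claim 5).  The HMAC key shared by IdP and AP, the JSON assertion format, the
# toy password store and the attribute data are assumptions of this example.
import hashlib
import hmac
import json
import time

MAX_ASSERTION_AGE = 300   # seconds; assumption for this example


class IdP:
    def __init__(self, signing_key: bytes, credentials: dict):
        self._key = signing_key
        self._credentials = credentials   # user id -> password (toy store, plaintext)
        self._authenticated = set()
        self._federations = set()         # frozenset({principal, helper})

    def authenticate(self, user, password):
        """G2 / G5: password check; constant-time compare avoids a timing oracle."""
        if hmac.compare_digest(password, self._credentials.get(user, "")):
            self._authenticated.add(user)
            return True
        return False

    def federate(self, principal, helper):
        """G4/G5: B (principal) submits A's (helper's) identity with her own.
        Both must already be authenticated, otherwise anyone could federate
        themselves with an arbitrary target user."""
        if principal not in self._authenticated or helper not in self._authenticated:
            return False
        self._federations.add(frozenset((principal, helper)))
        return True

    def assertion_for(self, helper, principal):
        """G9: authentication record plus federation record, MAC-protected so the
        AP can tell an IdP-issued statement from one forged by the SP or the user."""
        federated = frozenset((principal, helper)) in self._federations
        payload = {"subject": helper,
                   "authenticated": helper in self._authenticated,
                   "federated_with": principal if federated else None,
                   "issued": int(time.time())}
        body = json.dumps(payload, sort_keys=True)
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}


class AttributeProvider:
    def __init__(self, idp_key: bytes, attributes: dict):
        self._key = idp_key
        self._attributes = attributes     # user id -> {attribute name: value}

    def _verify(self, assertion):
        """Reject anything not MAC'd by the IdP, and anything stale."""
        expected = hmac.new(self._key, assertion["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["mac"]):
            return None
        claims = json.loads(assertion["body"])
        if time.time() - claims.get("issued", 0) > MAX_ASSERTION_AGE:
            return None
        return claims

    def query(self, requester, target, names, assertion):
        """G10/G11: release target's attributes to requester only if the IdP vouches
        that requester is authenticated and federated with target (claim 5)."""
        claims = self._verify(assertion)
        if claims is None or claims["subject"] != requester or not claims["authenticated"]:
            return None
        if claims["federated_with"] != target:
            return None                   # no federation information: refuse
        data = self._attributes.get(target, {})
        return {n: data[n] for n in names if n in data}


def sp_provide_service(idp, ap, helper, principal, names):
    """G7..G12 from the SP's point of view: fetch the IdP assertion for the helper
    and forward it with the attribute query; None means the AP refused."""
    assertion = idp.assertion_for(helper, principal)
    return ap.query(helper, principal, names, assertion)
```

The point of the MAC is the one the text makes in G11: the AP acts on federation information confirmed by the IdP, not on a flag the SP sets in the query. An SP that edits the body to name a different target, or that asks on behalf of a user B never federated with, gets nothing back.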
Embodiment 9. A method of user attribute query, in which user A provides a service for user B through an SP. With this scheme, user B can set up a list of attribute access rights at the AP; the users listed in it can obtain access to certain of B's attributes. In this way user A can obtain access to the attributes listed for A.
The main idea of the scheme is that before user A obtains certain services for user B through an SP, A can negotiate authentication with B. Through this authentication B can generate a list of attribute access rights for A, and user B can send this list to the attribute server, where it is kept for use by subsequent services.
The signaling flow between the entities is shown in Figure 12 and comprises the following steps. The premise of this embodiment is that user B has already been authenticated by the IdP.
H1. In order to log in to an SP and complete a service for user B, user A first needs to be authenticated by user B. This authentication can be done in many ways, for example by sending a request message that lets user B know that the requester is user A.
H2. User B logs in to SP1. The login can use HTTP or the like; it is not described in detail here.
H3. SP1 checks user B's authentication status with the IdP.
H4. The IdP answers the request, including an authentication assertion describing the user's authentication status.
H5. SP1 provides the modify-attribute service.
SP1 requests modification of the trusted-object list for user B at the AP. The list is maintained at the attribute provider and may be modified at the request of an SP; since SP1 acts on B's behalf, the modification follows B's authentication in H3/H4. The service provider must use the <Modify> element. The trusted-object list that the attribute provider keeps for user B may have a form similar to Table 1 below:
[Table 1 survives on the page only as an image (imgf000022_0001, imgf000022_0003). Per the text it is the list before the modification, i.e. Table 2 below without user A in the location row.]
The trusted-object list above is only an example; it can be represented in other forms, and the principle is the same.
H6. The attribute provider returns the result of the trusted-object list modification.
The modified result may have the form of Table 2.
Table 2

  User B attribute    User B trusted objects
  Name                A
  Address             A
  Location            A, C, D

Here user A has been granted the right to obtain user B's location attribute.
H7. SP1 returns the modification result to user B; the feedback can take many forms.
H8. User B returns the authentication response to user A.
After adding user A's usage rights for certain attributes, user B reports the result to user A.
H9. User A initiates IdP authentication.
H10. The IdP returns the authentication result to user A.
H11. User A logs in to service provider SP2.
User A logs in to SP2 in order to complete certain services for user B.
H12. SP2 checks user A's authentication status.
H13. The IdP returns user A's authentication status to SP2 as an authentication assertion.
H14. Completing the service for user B requires certain attributes of user B, so SP2 looks up those attributes of user B at the AP.
Since user B has added user A to the access rights of certain attributes, user A can obtain the attributes that user B has made available. In this step the AP compares the requesting party with the attribute access-rights list.
H15. If the AP finds that user A may obtain user B's address information, the AP returns the result to SP2.
H16. SP2 returns the final service result to user A; the result can be delivered in many forms, for example over HTTP.

The attribute access-rights list in this embodiment and its maintenance at the AP are only examples; similar arrangements follow the same principle.

It is also possible, in this embodiment, for user B to make certain attributes public, so that other users can perform certain operations or services for B.

The main idea of this variant is that user B publishes some commonly used information at the attribute service provider in advance, so that other users can complete certain operations or services for user B without being authenticated by B. It supplements embodiment 3; the difference is that certain attributes are set to be public to everyone, which only requires small changes to how the attribute information is stored. The changes concern the attribute information maintained at the attribute provider AP, which may for example have the form of Table 3 below:
[Table 3 survives on the page only as an image (imgf000024_0001, imgf000024_0002); its content is described in the text.]
The AP maintains a number of such user attribute lists. The list can be modified by user B, but only after IdP authentication and through a service provider. Table 3 shows that user B's name may be seen by anyone and is read-only, and that the address information may be consulted by anyone. Once the attribute service provider maintains such a table, any other user who needs to consult certain attributes of user B only has to have the list checked when accessing the attribute provider, to find out whether the user has granted access. User B maintains or modifies the list exactly as in the previous embodiment. The user attribute list at the attribute service provider in this embodiment is only an example; other ways of storing attribute information or performing similar attribute operations follow the same principle and fall within the scope of protection.

Embodiment 10. A service provider device, comprising:
a receiving unit, configured to receive a service request sent by a first user on behalf of a second user, the service request containing the user identity information of the first user and the user identity information of the second user;
a query unit, configured to send an attribute query request for the second user to an attribute provider device according to the service request received by the receiving unit, the attribute query request containing the user identity information of the first user and the user identity information of the second user;
a service providing unit, configured to receive the attribute information of the second user returned by the attribute provider device and to provide the service for the second user according to that attribute information.
In this embodiment the service provider device may further comprise an authentication unit, configured to authenticate the identity information of the first user;
the query unit is then configured to send the attribute query request for the second user to the attribute provider device according to the service request received by the receiving unit only after the authentication unit has successfully authenticated the first user's identity information.
The authentication unit may comprise:
an authentication request sending unit, configured to send a user authentication request to a user identity authentication provider device so that it authenticates the first user;
an authentication result receiving unit, configured to receive the authentication result for the first user returned by the user identity authentication provider device.
The authentication unit may further comprise a federation information receiving unit, configured to receive the federation information that federates the first user with the second user, returned by the identity authentication provider when it determines that federation information exists for the first user;
the attribute query request sent by the query unit then also contains the federation information.
The method of user attribute query and the method and device for providing a service according to the present invention have been described in detail above.

In one embodiment of the present invention, the attribute provider device receives an attribute query request for a second user sent by a service provider device, the request containing the user identity information of the first user and of the second user; the attribute provider device determines whether the first user is authorized to query the attributes of the second user; if so, it performs the attribute query and returns the queried attribute information of the second user to the service provider device. With this technical solution a user can query the attribute information of other users, so that a user, after logging in to an SP, can help other users complete the corresponding services. This increases the variety of services an SP can offer, improves the user experience and raises service efficiency.

In other embodiments of the present invention, where the attributes a user consults about another user may only be consulted with that user's consent, the question of trust confirmation between users is fully taken into account. Three specific preferred implementations describe the user's query authorization and the constraints placed by the trust relationship between users, which realize the technical solution of the invention more fully.

Those skilled in the art may, following the idea of the embodiments of the invention, make changes to the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims

OP080882 WO 2009/127163 PCT/CN2009/071342
1. A method of user attribute query, comprising:
receiving an attribute query request for a second user sent by a service provider device, the attribute query request containing user identity information of a first user and user identity information of the second user;
determining whether the first user is authorized to query the attributes of the second user; and, if the result of the determination is that the first user is authorized, performing the attribute query and returning the queried attribute information of the second user to the service provider device.
2. The method of user attribute query of claim 1, wherein determining whether the first user is authorized to query the attributes of the second user comprises:
sending an authentication request to the second user, the authentication request containing the user identity information of the first user;
the second user determining whether the first user device is authorized to query the attributes, and returning the result of the determination.
3. The method of user attribute query of claim 1, wherein determining whether the first user is authorized to query the attributes of the second user comprises:
comparing the identity information of the first user with an attribute access-rights list of the second user; if the identity information of the first user belongs to the attribute access-rights list, determining that the first user is authorized to query.
4. The method of user attribute query of claim 3, further comprising: receiving the attribute access-rights list that the second user configured for the first user after negotiating authentication with the first user and passing that authentication.
5. The method of user attribute query of claim 1, wherein determining whether the first user is authorized to query the attributes of the second user comprises:
determining whether the attribute query request for the second user sent by the service provider device contains federation information federating the first user with the second user;
if it does, determining that the first user is authorized.
6. The method of user attribute query of any one of claims 1 to 5, wherein after returning the queried attribute information of the second user to the service provider device, the method comprises:
the service provider device sending the attribute information of the second user to the first user.
7. A method of providing a service, comprising:
receiving a service request sent by a first user on behalf of a second user, the service request containing user identity information of the first user and user identity information of the second user;
sending an attribute query request for the second user to an attribute provider device, the attribute query request containing the user identity information of the first user and the user identity information of the second user;
receiving the attribute information of the second user returned when the attribute provider device determines that the first user is authorized to query the attributes of the second user;
providing the service for the second user according to the attribute information of the second user.
8. The method of providing a service of claim 7, wherein after receiving the service request sent by the first user on behalf of the second user, the method further comprises: authenticating the identity information of the first user and, if the authentication succeeds, continuing with the step of sending the attribute query request for the second user to the attribute provider device.
9. The method of providing a service of claim 8, wherein authenticating the identity information of the first user comprises:
sending a user authentication request to a user identity authentication provider device so that it authenticates the first user;
receiving the authentication result for the first user returned by the user identity authentication provider device.
10. The method of providing a service of claim 9, wherein after sending the user authentication request to the user identity authentication provider device, the method further comprises:
receiving federation information federating the first user with the second user, returned by the identity authentication provider when it determines that federation information exists for the first user;
the attribute query request further containing the federation information.
11. The method of providing a service of any one of claims 8 to 10, wherein after providing the service for the second user according to the attribute information of the second user, the method comprises:
the service provider device returning the result of the service to the first user.
12. An attribute provider device, comprising:
a query request receiving unit, configured to receive an attribute query request for a second user sent by a service provider device, the attribute query request containing user identity information of a first user and user identity information of the second user;
a determining unit, configured to determine whether the first user is authorized to query the attributes of the second user;
an attribute query unit, configured to query the attributes of the second user when the determining unit determines that the first user is authorized to query the attributes of the second user;
a feedback unit, configured to return the attribute information of the second user queried by the attribute query unit to the service provider device.
13. The attribute provider device of claim 12, wherein the determining unit comprises:
a list storage unit, configured to store the attribute access-rights list of the second user;
a comparison unit, configured to compare the identity information of the first user with the attribute access-rights list of the second user stored in the list storage unit, and to determine that the first user is authorized to query the attributes of the second user if the identity information of the first user belongs to that list.
14. The attribute provider device according to claim 12, wherein the determining unit comprises:
an authentication request unit, configured to send an authentication request to the second user, the authentication request including the user identity information of the first user;
an authentication request response unit, configured to receive an authentication result returned by the device of the second user, the authentication result indicating whether the first user has permission to query the attributes of the second user.
15. The attribute provider device according to claim 12, wherein the determining unit comprises:
a joint information checking unit, configured to check whether the attribute query request for the second user received by the query request receiving unit contains joint information federating the first user with the second user;
a decision unit, configured to determine that the first user has permission to query the attributes of the second user when the checking unit finds that the joint information is present.
16. An identity authentication provider device, comprising:
an identity authentication unit, configured to authenticate the identity of a user, receive a request from the authenticated user, and federate the identity information of at least two users to obtain joint information;
a storage unit, configured to store the joint information;
an information feedback unit, configured to, upon receiving an identity authentication request for a user from a service provider device, look up in the storage unit whether joint information exists for the user and, if so, return the joint information of the user to the service provider device.
17. A service providing system, comprising:
a service provider device, configured to receive a service request sent by a first user on behalf of a second user, the service request including user identity information of the first user and user identity information of the second user, and to send an attribute query request for the second user according to the service request, the attribute query request including the user identity information of the first user and the user identity information of the second user; the service provider device being further configured to, after obtaining the attribute information of the second user, provide the service to the second user according to the attribute information of the second user;
an attribute provider device, configured to receive the attribute query request for the second user sent by the service provider device and to determine whether the first user has permission to query the attributes of the second user; and, if the determination result is that permission exists, to query the attributes of the second user and return the queried attribute information of the second user to the service provider device.
18. A service provider device, comprising:
a receiving unit, configured to receive a service request sent by a first user on behalf of a second user, the service request including user identity information of the first user and user identity information of the second user;
a query unit, configured to send, according to the service request received by the receiving unit, an attribute query request for the second user to an attribute provider device, the attribute query request including the user identity information of the first user and the user identity information of the second user;
a service providing unit, configured to receive the attribute information of the second user returned by the attribute provider device, and to provide the service to the second user according to the attribute information of the second user.
19. The service provider device according to claim 18, further comprising: an authentication unit, configured to authenticate the identity information of the first user;
wherein the query unit is specifically configured to send the attribute query request for the second user to the attribute provider device according to the service request received by the receiving unit after the authentication unit has authenticated the identity information of the first user.
20. The service provider device according to claim 19, wherein the authentication unit comprises:
an authentication request sending unit, configured to send a user authentication request to a user identity authentication provider device, so that the user identity authentication provider device authenticates the identity of the first user;
an authentication result receiving unit, configured to receive the authentication result of the identity authentication of the first user returned by the user identity authentication provider device.
21. The method for providing a service according to claim 20, wherein the authentication unit further comprises: a joint information receiving unit, configured to receive the joint information federating the first user with the second user, returned when the identity authentication provider determines that joint information exists for the first user;
wherein the attribute query request sent by the query unit further includes the joint information.
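The following is an added illustration, not code from the patent or its assignee: a minimal Python model of the three parties in claims 12 to 21 (identity authentication provider, attribute provider, service provider) and of the three ways the attribute provider's determining unit can authorize the first user's query (permission list, claim 13; consent from the second user's device, claim 14; joint information in the request, claim 15). The user names, passwords, attributes, the shared secret and the HMAC-tagged form of the joint information are all constructed assumptions; the claims only require that joint information be present, and checking its integrity against the identity provider is an added design choice so that a service provider cannot assert a federation the identity provider never issued.

```python
"""Toy model of the attribute-query flow in claims 12-21 (added example, not the patent's code).
All users, credentials, attributes and secrets below are constructed for illustration."""
import hashlib
import hmac

# Assumption: the identity provider and the attribute provider share a secret so the
# attribute provider can verify that joint information really came from the IdP.
IDP_SECRET = b"constructed-demo-secret"


def joint_token(user_a: str, user_b: str, secret: bytes = IDP_SECRET) -> str:
    """Joint information: an IdP-issued tag binding two federated identities (assumption)."""
    return hmac.new(secret, f"{user_a}|{user_b}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Claim 16: authenticates users, federates identities, returns stored joint information."""

    def __init__(self):
        self.credentials = {"alice": "pw-alice", "bob": "pw-bob"}   # constructed sample users
        self.joint = {}                                               # user -> {partner: token}

    def authenticate(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.credentials.get(user, ""), password)

    def federate(self, user_a: str, user_b: str) -> str:
        token = joint_token(user_a, user_b)
        self.joint.setdefault(user_a, {})[user_b] = token
        return token

    def lookup_joint(self, user: str) -> dict:
        return dict(self.joint.get(user, {}))


class AttributeProvider:
    """Claims 12-15: answers attribute queries only after an authorization decision."""

    def __init__(self, policy: str):
        self.policy = policy                                          # "acl" | "consent" | "joint"
        self.attributes = {"bob": {"avatar": "robot.png", "lang": "zh"}}  # constructed
        self.acl = {"bob": {"alice"}}                                 # claim 13: bob permits alice
        self.consent_hook = lambda owner, requester: False            # claim 14: default deny

    def authorized(self, requester: str, owner: str, joint_info) -> bool:
        if self.policy == "acl":                                      # claim 13
            return requester in self.acl.get(owner, set())
        if self.policy == "consent":                                  # claim 14: ask owner's device
            return bool(self.consent_hook(owner, requester))
        if self.policy == "joint":                                    # claim 15, plus integrity check
            return joint_info is not None and hmac.compare_digest(
                joint_info, joint_token(requester, owner))
        return False

    def query(self, requester: str, owner: str, joint_info=None):
        """Returns the owner's attributes, or None when the request is not authorized."""
        if not self.authorized(requester, owner, joint_info):
            return None
        return dict(self.attributes.get(owner, {}))


class ServiceProvider:
    """Claims 17-21: authenticate the first user, then query the second user's attributes."""

    def __init__(self, idp: IdentityProvider, ap: AttributeProvider):
        self.idp, self.ap = idp, ap

    def handle(self, first_user: str, password: str, second_user: str) -> dict:
        if not self.idp.authenticate(first_user, password):          # claim 19: authenticate first
            return {"status": "auth_failed"}
        joint = self.idp.lookup_joint(first_user).get(second_user)   # claim 21: attach joint info
        attrs = self.ap.query(first_user, second_user, joint)
        if attrs is None:
            return {"status": "denied"}
        # Claim 11: the result of serving the second user is returned to the first user.
        return {"status": "ok", "result": f"greeting sent in {attrs['lang']} with {attrs['avatar']}"}


if __name__ == "__main__":
    idp = IdentityProvider()
    sp = ServiceProvider(idp, AttributeProvider("joint"))
    print(sp.handle("alice", "pw-alice", "bob"))   # denied: no federation yet
    idp.federate("alice", "bob")
    print(sp.handle("alice", "pw-alice", "bob"))   # ok
```

The attribute provider denies by default and only the three explicit checks grant access, which is the least-privilege reading of the claims; the service provider never sees the permission list or the consent decision, it only learns whether the query succeeded.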
PCT/CN2009/071342 2008-04-18 2009-04-17 Method for user attribute query, method and equipment for providing service WO2009127163A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2008100937894A CN101562627A (en) 2008-04-18 2008-04-18 User attribute inquiry method, method providing service and equipment
CN200810093789.4 2008-04-18

Publications (1)

Publication Number Publication Date
WO2009127163A1 true WO2009127163A1 (en) 2009-10-22

Family

ID=41198790

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/071342 WO2009127163A1 (en) 2008-04-18 2009-04-17 Method for user attribute query, method and equipment for providing service

Country Status (2)

Country Link
CN (1) CN101562627A (en)
WO (1) WO2009127163A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112769672A (en) * 2019-11-01 2021-05-07 腾讯科技(深圳)有限公司 Data communication method and device and communication configuration method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6092201A (en) * 1997-10-24 2000-07-18 Entrust Technologies Method and apparatus for extending secure communication operations via a shared list
CN1750519A (en) * 2005-11-01 2006-03-22 中国移动通信集团公司 Method for sharing instant news data
CN1859117A (en) * 2006-01-26 2006-11-08 华为技术有限公司 Virtual image realizing method and system
CN101079765A (en) * 2006-06-08 2007-11-28 腾讯科技(深圳)有限公司 Method for implementing social network service in network communication


Also Published As

Publication number Publication date
CN101562627A (en) 2009-10-21

Similar Documents

Publication Publication Date Title
US10785037B2 (en) Managing secure content in a content delivery network
US9356928B2 (en) Mechanisms to use network session identifiers for software-as-a-service authentication
US8978100B2 (en) Policy-based authentication
US8782765B2 (en) Techniques for environment single sign on
US7860882B2 (en) Method and system for distributed retrieval of data objects using tagged artifacts within federated protocol operations
US7860883B2 (en) Method and system for distributed retrieval of data objects within multi-protocol profiles in federated environments
JP5038531B2 (en) Authentication limited to trusted equipment
TWI295135B (en) Communication device and method for handling user identity and privacy
US20040064687A1 (en) Providing identity-related information and preventing man-in-the-middle attacks
WO2007131415A1 (en) System and method to manage home network
KR20170106515A (en) Multi-factor certificate authority
US20140013390A1 (en) System and method for out-of-band application authentication
JP5065682B2 (en) System and method for name resolution
US20140366110A1 (en) Methods and systems for single sign-on while protecting user privacy
JP2004355619A5 (en)
JP6185934B2 (en) Integrate server applications with many authentication providers
US20120106399A1 (en) Identity management system
Reed et al. Openid identity discovery with xri and xrds
Müller et al. A secure service infrastructure for interconnecting future home networks based on DPWS and XACML
WO2009127163A1 (en) Method for user attribute query, method and equipment for providing service
CN111786969B (en) Single sign-on method, device and system
El Maliki et al. User-centric mobile identity management services
Kubher Home area networking with OSGi
Pandey et al. Online Identity Management techniques: identification and analysis of flaws and standard methods
Lutz et al. Harmonizing service and network provisioning for federative access in a mobile environment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09733621

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09733621

Country of ref document: EP

Kind code of ref document: A1