Single sign-on secure service access
First Claim
1. System for providing secure service access for a user to at least one service from a service provider, where the user and the service provider are provided with means for connection to a common computer network, said system comprising:
one or more validation service units arranged for performing the steps of;
receiving a name in a user certificate from an access server, controlling the validity of the user certificate, if the user's certificate is valid, either sending the user's certificate name to an authorization service unit for translation to a user name, and passing the user name returned from the authorization service unit to the access server, or passing the user's certificate name to the access server, if the user's certificate is not valid, denying the user access to the service;
one or more authorization service units arranged for performing the steps of;
receiving a user's certificate name from a validation service unit or an access server, sending the user's certificate name to a database, receiving user name and profile from the database, passing the named user identity to the validation service unit or the access server, receiving a query for access rights from an access server, querying for subscription info from the database, receiving subscription info from the database, determining access rights based on said subscription info, passing access rights to the access server; and
one or more authorization role units and adjoining databases arranged for performing the steps of;
receiving a user's certificate from an authorization service unit, locating the user's name and profile in the database, sending user's name and profile to the authorization service unit, receiving a query for subscription info from an authorization service unit, sending subscription info to the authorization service unit.
1 Assignment
0 Petitions
Abstract
This invention relates in general to authentication, authorisation, and access control, and more specifically to a method and a system for general Public Key Infrastructure based authentication allowing users to have only one electronic ID for secure access to all services. The system described advances the state of the art by providing general, PKI-based authentication. By offering validation and possibly also authorisation services to other service providers, the system can provide an infrastructure for general, PKI-based authentication, handling electronic IDs from, in principle, any issuer of such IDs.
116 Citations
14 Claims
1. (Claim 1 is reproduced under First Claim above.) Dependent claims: 2 to 12.
13. Method for providing secure service access for a user to at least one service from a service provider,
where the customer and the service provider are provided with means for connection to a common computer network, said method comprising the steps of:
by means of one or more validation service units;
receiving a name in a user certificate from an access server, controlling the validity of the user certificate, if the user's certificate is valid, either sending the user's certificate name to an authorization service unit for translation to a user name, and passing the user name returned from the authorization service unit to the access server, or passing the user's certificate name to the access server, and if the user's certificate is not valid, denying the user access to the service;
by means of one or more authorization service units;
receiving a user's certificate name from a validation service unit or an access server, sending the user's certificate name to a database, receiving user name and profile from the database, passing the named user identity to the validation service unit or the access server, receiving a query for access rights from an access server, querying for subscription info from the database, receiving subscription info from the database, determining access rights based on said subscription info, and passing access rights to the access server; and
by means of one or more authorization role units and adjoining databases;
receiving a user's certificate from an authorization service unit, locating the user's name and profile in the database, sending user's name and profile to the authorization service unit, receiving a query for subscription info from an authorization service unit, sending subscription info to the authorization service unit.
Dependent claim: 14.
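The three units of claims 1 and 13 and the access server they serve, as an added Python simulation that is not part of the patent or of any implementation of it. Certificate validity is reduced to an issuer allow-list, an expiry date and a revocation list (an assumption standing in for the signature, chain and revocation checking a real validation service would perform); the role unit's database is an in-memory dict of constructed users and subscriptions; and the validation unit can be configured either to translate the certificate name itself or to pass it through for the access server to translate, which are the two alternatives the claim allows. The names Certificate, AuthorizationRoleUnit, AuthorizationServiceUnit, ValidationServiceUnit, AccessServer and build_demo are this example's own.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a user certificate: only the fields the claimed
    flow consumes. Signature/chain checks are assumed to happen elsewhere."""
    subject: str      # the "user's certificate name"
    issuer: str
    serial: int
    not_after: date


class AuthorizationRoleUnit:
    """Role unit with adjoining database (users and subscriptions)."""
    def __init__(self, users, subscriptions):
        self._users = users                  # cert name -> (user name, profile)
        self._subscriptions = subscriptions  # user name -> {service: rights}

    def locate_user(self, cert_name):
        return self._users.get(cert_name)

    def subscription_info(self, user_name):
        return self._subscriptions.get(user_name, {})


class AuthorizationServiceUnit:
    """Translates certificate names to user names; derives access rights."""
    def __init__(self, role_unit):
        self._role_unit = role_unit

    def translate(self, cert_name):
        found = self._role_unit.locate_user(cert_name)
        return None if found is None else found[0]

    def access_rights(self, user_name, service):
        return frozenset(self._role_unit.subscription_info(user_name).get(service, ()))


class ValidationServiceUnit:
    """Checks validity; returns ("user", name) after translation, ("cert", name)
    when configured to pass the certificate name through, or None to deny."""
    def __init__(self, trusted_issuers, revoked, auth_unit=None):
        self._trusted = frozenset(trusted_issuers)
        self._revoked = frozenset(revoked)   # (issuer, serial) pairs
        self._auth_unit = auth_unit

    def validate(self, cert, today):
        if (cert.issuer not in self._trusted or cert.not_after < today
                or (cert.issuer, cert.serial) in self._revoked):
            return None                      # invalid certificate: deny
        if self._auth_unit is None:
            return ("cert", cert.subject)    # pass-through alternative
        user = self._auth_unit.translate(cert.subject)
        return None if user is None else ("user", user)


class AccessServer:
    """Service front end: validate, resolve identity, fetch rights, decide."""
    def __init__(self, service, validation_unit, auth_unit):
        self._service, self._validation, self._auth = service, validation_unit, auth_unit

    def request(self, cert, today):
        result = self._validation.validate(cert, today)
        if result is None:
            return ("denied", None, frozenset())
        kind, name = result
        user = name if kind == "user" else self._auth.translate(name)
        if user is None:
            return ("denied", None, frozenset())
        rights = self._auth.access_rights(user, self._service)
        return ("granted" if rights else "denied", user, rights)


def build_demo(translate_in_validation=True):
    """Wire the units with constructed data and run a batch of requests."""
    role_unit = AuthorizationRoleUnit(
        users={"CN=alice,O=ExampleCA": ("alice", {"dept": "ops"}),
               "CN=bob,O=ExampleCA": ("bob", {"dept": "sales"})},
        subscriptions={"alice": {"mail": {"read", "write"}}, "bob": {}})
    auth_unit = AuthorizationServiceUnit(role_unit)
    validation = ValidationServiceUnit({"ExampleCA"}, {("ExampleCA", 3)},
                                       auth_unit if translate_in_validation else None)
    server = AccessServer("mail", validation, auth_unit)
    today = date(2024, 6, 1)
    certs = {  # constructed test certificates covering each decision path
        "alice-ok":  Certificate("CN=alice,O=ExampleCA", "ExampleCA", 1, date(2025, 1, 1)),
        "bob-nosub": Certificate("CN=bob,O=ExampleCA", "ExampleCA", 2, date(2025, 1, 1)),
        "revoked":   Certificate("CN=alice,O=ExampleCA", "ExampleCA", 3, date(2025, 1, 1)),
        "expired":   Certificate("CN=alice,O=ExampleCA", "ExampleCA", 4, date(2023, 1, 1)),
        "rogue-ca":  Certificate("CN=alice,O=RogueCA", "RogueCA", 5, date(2025, 1, 1)),
        "unknown":   Certificate("CN=carol,O=ExampleCA", "ExampleCA", 6, date(2025, 1, 1)),
    }
    return {label: server.request(cert, today) for label, cert in certs.items()}


if __name__ == "__main__":
    for label, (decision, user, rights) in build_demo().items():
        print(f"{label:10} {decision:8} user={user} rights={sorted(rights)}")
```

Both wiring alternatives produce the same decisions, which is the point of the claim's "either ... or": the translation step can sit in the validation unit or in the access server without changing the outcome. The two denial shapes are worth keeping apart in an access log: `("denied", None, ...)` means the certificate never passed validation or maps to no registered user, while `("denied", "bob", ...)` means a properly authenticated user simply holds no subscription for the service.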
Specification