Title of invention: User initiated and controlled identity federation establishment and revocation mechanism
Abstract: A method for single sign-on with established federation includes triggering a single sign-on operation from a first service to a second service, retrieving, by the first service, an associated federation key and pseudo identification for a user agent, generating, by the first service, a token signed with a federation key for the user agent based on the pseudo identification, redirecting, by the first service, the user agent to the second service, wherein the user agent transfers the token to the second service, verifying, by the second service, the token and determining an associated identification in the second service, and returning, by the second service, a resource to the user agent.
Publication number: US8875269(B2)
Publication date: 2014.10.28
Application number: US201113033029
Filing date: 2011.02.23
Applicant: International Business Machines Corporation
Inventors: Austel Paula K.; Huang He Yuan; McIntosh Michael; Wang Bin; Xu Jing Min
Classification: G06F7/04; G06F15/16; G06F17/30; H04L29/06; H04L29/08; H04L9/32
Main classification: G06F7/04
Agency: F. Chau & Associates, LLC
Agent: F. Chau & Associates, LLC; Young, Esq. Preston J.
Main claim: 1. A method for single sign-on with established federation comprising: triggering a single sign-on operation from a first service to a second service; retrieving, by the first service, an associated federation key and pseudo identification for a user agent; generating, by the first service, a token signed with a federation key for the user agent based on the pseudo identification; transferring the token from the user agent to the second service under the direction of the first service; verifying, by the second service, the token and determining an associated identification in the second service; and returning, by the second service, a resource to the user agent, wherein the first service and the second service store a respective first and second federation key associated with the user agent, the user agent generates a third federation key based on the pseudo identification and signs the token with the third federation key, and the generated third federation key is sent to the first and second service to accomplish the single sign-on operation, wherein the resource is returned to the user agent on the basis of the token without the user agent signing-on to the second service.
Address: Armonk NY US