System, method and apparatus for federated single sign-on services

US 20030163733A1
Filed: 06/19/2002
Published: 08/28/2003
Est. Priority Date: 02/28/2002
Status: Active Grant

First Claim

Patent Images

1. A telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, the system comprising:

a first mobile network and at least one second mobile network;

at least one of a plurality of Service Providers for providing services to subscribers of said mobile networks once said subscribers have been authenticated for the at least one Service Provider by an authentication authority, wherein said authentication authority comprises;

a cellular Federation of mobile network operators, the cellular Federation including the first mobile network and the at least one second mobile network;

an Authentication Provider belonging to the first mobile network as the only member of said Federation entitled to authenticate said user toward the at least one Service Provider; and

an Authentication Broker belonging to a particular one of said second mobile networks and arranged to act as the entry point to said Federation from those Service Providers respectively having entry point agreements with the operator of said particular second mobile network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The advent of new and sophisticated web services provided by Service Providers to users, services that individually require authentication of user and authorization of access, brings the needs for a new service to facilitate such authentication and access, a service referred to as Single Sign-On (SSO). The basic principle behind SSO is that users are authenticated once at a particular level, and then access all their subscribed services accepting that level of authentication.

The present invention provides a system, method and apparatus wherein a cellular Federation of mobile network operators becomes an SSO authentication authority for subscribers of this Federation accessing Service Providers having such agreement with a mobile network operator of the Federation. In accordance with this invention, mobile network operators can leverage their operator-subscriber trust relationship in order to act as SSO authentication authority for those subscribers accessing Service Providers in a service domain other than the mobile network domain.

389 Citations

33 Claims

1. A telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, the system comprising:
- a first mobile network and at least one second mobile network;
  
  at least one of a plurality of Service Providers for providing services to subscribers of said mobile networks once said subscribers have been authenticated for the at least one Service Provider by an authentication authority, wherein said authentication authority comprises;
  
  a cellular Federation of mobile network operators, the cellular Federation including the first mobile network and the at least one second mobile network;
  
  an Authentication Provider belonging to the first mobile network as the only member of said Federation entitled to authenticate said user toward the at least one Service Provider; and
  
  an Authentication Broker belonging to a particular one of said second mobile networks and arranged to act as the entry point to said Federation from those Service Providers respectively having entry point agreements with the operator of said particular second mobile network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The telecommunication system of claim 1 further comprising:
    - means for redirecting said user, when said user is accessing a Service Provider, toward an Authentication Broker of a second mobile network operator having an entry agreement with the accessed Service Provider; and
      
      means for redirecting the user, when accessing said Authentication Broker, toward an Authentication Provider at said user'"'"'s Home network.
  - 3. The telecommunication system of claim 2 further comprising means for performing said user'"'"'s Home resolution at an Authentication Broker of a second mobile network operator having an entry point agreement with a Service Provider, for allowing the Service Provider to request validation of an authentication assertion for said user to an Authentication Provider of a first mobile network.
  - 4. The telecommunication system of claim 3 further comprising:
    - means for issuing a Single Sign-On authentication request from said user, when said user is accessing a particular Service Provider, toward an Authentication Provider responsible for authenticating said user for said particular Service Provider, the user being a subscriber of the cellular Federation; and
      
      means for presenting the received authentication artifact to said particular Service Provider.
  - 5. The telecommunication system of claim 1, wherein said Authentication Provider belonging to the first mobile network operator may be directly accessed, without involving an Authentication Broker, from the Service Providers respectively having entry point agreements with said first mobile network operator.
  - 6. The telecommunication system of claim 5 further comprising means for redirecting said user, when said user is accessing a Service Provider, toward an Authentication Provider of said user'"'"'s Home mobile network operator, without involving an Authentication Broker, when said accessed Service Provider has an entry point agreement with said user'"'"'s Home mobile network operator.
  - 7. The telecommunication system of claim 6, wherein a Service Provider that has an agreement with said first mobile network operator may request validation of an authentication assertion for a user to an Authentication Provider of said first mobile network operator without involving an Authentication Broker.
  - 8. The telecommunication system of claim 7 further comprising:
    - means for issuing a Single Sign-On authentication request from said user, when said user is accessing a particular Service Provider, toward an Authentication Provider responsible for authenticating said user for said particular Service Provider, the user being a subscriber of the cellular Federation; and
      
      means for presenting the received authentication artifact to said particular Service Provider.
  - 9. The telecommunication system of claim 1, wherein said user is identified between a given Authentication Provider and a given Service Provider by means of a shared identity independently of the authentication identity used between said user and said given Authentication Provider, and independently of the user identity used between said user and said given Service Provider.
  - 10. The telecommunication system in claim 9 further comprising at least one of the components in a group of components including:
    - Public Key Infrastructure means for accomplishing security and privacy requirements of mobile networks in the cellular Federation;
      
      an Identity Manager for maintaining and handling relationships between identities for said user under cellular Federation premises and those identities for said user under respective Service Provider premises;
      
      Common Directory Service means for storing user identities accessible by a Single Sign-On main Identity; and
      
      a Back End Authentication Server intended for generating an authentication challenge that depends on an authentication mechanism selected by said user.

11. A method for providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, the method comprising the steps of:
- (a) establishing an authentication trust relationship between the first and the second mobile network operators, thus forming a Federation of mobile network operators;
  
  (b) redirecting an access request generated by said user from a particular one of said Service Providers toward the cellular network of said first mobile network operator;
  
  (c) generating at an Authentication Provider of said first mobile network operator, to which said user'"'"'s access request is redirected, an authentication assertion valid for said user accessing said particular Service Provider, and returning an artifact for said assertion back to said user;
  
  (d) requesting verification of said authentication assertion, which is included in said artifact presented by the user, from said particular Service Provider to said Authentication Provider of said first mobile network operator; and
  
  (e) accepting service access to said user upon receipt of a successful verification response at the said particular Service Provider.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein both first and second mobile network operators are included in the cellular Federation, and the step a) of this method further comprises one of the following steps depending on the mobile network operator which the selected Service Provider is associated with:
    - (a1) determining an Authentication Provider of the first mobile network operator in charge of said user, when the selected Service Provider is associated to the first mobile network operator;
      
      or (a2) redirecting the access request generated by said user from said selected Service Provider toward an Authentication Broker of a particular second mobile network operator, when the selected Service Provider is associated with said second mobile network operator, said Authentication Broker responsible for determining an Authentication Provider of the first mobile network operator that is in charge of said user.
  - 13. The method of claim 11, wherein the step b) comprises the steps of:
    - (b1) receiving a Single Sign-On authentication request from said user;
      
      (b2) determining whether or not said user had been previously authenticated;
      
      (b3) performing a challenge/response authentication procedure accordingly with user preferences for the user accessing said selected Service Provider, provided that said user had not been already authenticated, thus not having a valid session active; and
      
      (b4) storing an assertion generated for said user accessing said selected Service Provider.
  - 14. The method of claim 11, wherein both first and second mobile network operators are included in the cellular Federation, and the step c) of this method further comprises one of the following steps depending on the mobile network operator which the selected Service Provider is associated with:
    - (c1) determining an Authentication Provider of the first mobile network operator responsible for validating the assertion presented by said user, when the Service Provider is associated with said first mobile network operator;
      
      or (c2) requesting resolution of said user'"'"'s Home Site from said selected Service Provider toward an Authentication Broker of a particular second mobile network operator, when said selected Service Provider is associated with said second mobile network operator, this Authentication Broker responsible for determining an Authentication Provider of the first mobile network operator responsible for validating the assertion presented by said user.
  - 15. The method of claim 11, wherein the step d) further comprises the steps of:
    - (d1) retrieving a stored authentication assertion for said user accessing said selected Service Provider; and
      
      (d2) returning said assertion verification response to said selected Service Provider.
  - 16. The method of claim 11, wherein said user is identified between an Authentication Provider and a Service Provider with a shared identity independently of the authentication identity used between the user and the Authentication Provider, and independently of the user identity used between the user and the Service Provider.

17. An Authentication Broker included in a telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, said Authentication Broker comprising:
- first interfacing means for communicating with a user having a subscription with a first mobile network operator;
  
  second interfacing means for communicating with a Service Provider associated with a second mobile network operator; and
  
  broker channel formed from said first and second interfacing means for enabling the Authentication Broker to redirect said user to said user'"'"'s Home network, and for resolving said user'"'"'s Home network for said Service Provider, respectively.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The Authentication Broker of claim 17, wherein both the user and the authentication broker belong to the first mobile network operator, and a number of selected Service Providers are associated with said first mobile network operator.
  - 19. The Authentication Broker of claim 17 further comprising an Authentication Broker Web Front End that includes first and second interfacing means for interfacing with said user and a selected Service Provider, respectively.
  - 20. The Authentication Broker of claim 19 further comprising storage for all the Authentication Providers in the cellular Federation on a per mobile network operator basis, each mobile network operator included in the cellular Federation.
  - 21. The Authentication Broker of claim 20, wherein the Authentication Broker Web Front End further comprises means for retrieving said user'"'"'s Home related addressing data from said storage.
  - 22. The Authentication Broker of claim 21, wherein the Authentication Broker Web Front End further comprises means for offering Public Key Infrastructure services to those Service Providers associated with the mobile network operator owning the Authentication Broker, in order to accomplish the security and privacy requirements of the cellular Federation.

23. An Authentication Provider included in a telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, said Authentication Provider comprising:
- a front channel including a Web Front End that comprises first interfacing means for enabling an authentication session between said user and said Authentication Provider; and
  
  a back channel including a Protocol Binding that comprises second interfacing means for exchanging information related to user authentication assertion between said Authentication Provider and a selected Service Provider that the user is accessing.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The Authentication Provider of claim 23, wherein the front channel further comprises a Session Manager and storage for handling session status for the user, and a Front End Authentication server for carrying out a specific authentication mechanism for the user.
  - 25. The Authentication Provider of claim 24, wherein the back channel of the Authentication Provider further comprises a Security Assertion Mark-up Language engine for generating an authentication assertion for the user, and storage for authentication assertions.
  - 26. The Authentication Provider of claim 25, further comprising inter-working means between front channel and back channel for generating and storing an authentication assertion for the user.
  - 27. The Authentication Provider of claim 26, wherein operation of the inter-working means between front channel and back channel is performed via the Session Manager and the Security Assertion Mark-up Language engine respectively.
  - 28. The Authentication Provider of claim 27, wherein the Session Manager comprises means for retrieving from an Identity Manager, with Common Directory Service means, relationships between identities for the user under cellular Federation premises and those identities for the user under respective Service Provider premises, said identities correlated by a Single Sign-On main Identity.
  - 29. The Authentication Provider in claim 24, wherein the Front End Authentication server inter-works with other entities in the cellular Federation acting as a Back End Authentication server for providing specific user data under mobile network operator premises.
  - 30. The Authentication Provider in claim 29, wherein the Front End authentication server is an Authentication, Authorization and Accounting server, normally accessible from a Network Access Server in a cellular network.

31. A method for doing business wherein at least two mobile network operators form a Federation of mobile network operators, thus establishing an authentication trust relationship in the Federation for supporting Single Sign-On services, said Federation acting as an authentication authority toward those Service Providers offering services to subscribers of mobile network operators included in the Federation, each Service Provider being associated with a federated mobile network operator for accessing said Federation.
- View Dependent Claims (32, 33)
- - 32. The method for doing business of claim 31, wherein each mobile network operator contributes with its own network and the services provided by its associated Service Providers, each network comprising an Authentication Provider for authenticating subscribers of such network and an Authentication Broker for redirecting the associated Service Providers to an Authentication Provider responsible for authenticating a given user in the Federation.
  - 33. The method for doing business of claim 32, wherein each Service Provider is arranged for offering services to subscribers of any mobile network operator included in the Federation, a given Service Provider accessing the Federation through an Authentication Broker of a mobile network operator having an entry point agreement with said given Service Provider and thus having authentication trust relationship with the Federation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Gregorio-Rodriguez, Jesus Angel de, Pardo-Blazquez, Avelina, Walker-Pina, John Michael, Barriga-Caceres, Luis

Granted Patent

US 7,221,935 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

G06F 2221/2115   Third party

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 67/04   specially adapted for termi...

H04L 67/1001   for accessing one among a p...

H04L 67/51   Discovery or management the...

H04W 12/068   using credential vaults, e....

System, method and apparatus for federated single sign-on services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

389 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

System, method and apparatus for federated single sign-on services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

389 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others