System, method and apparatus for federated single sign-on services
Abstract
The advent of new and sophisticated web services provided by Service Providers to users, services that individually require authentication of the user and authorization of access, brings the need for a new service to facilitate such authentication and access, a service referred to as Single Sign-On (SSO). The basic principle behind SSO is that users are authenticated once at a particular level, and then access all their subscribed services that accept that level of authentication.
The present invention provides a system, method and apparatus wherein a cellular Federation of mobile network operators becomes an SSO authentication authority for subscribers of this Federation accessing Service Providers having such agreement with a mobile network operator of the Federation. In accordance with this invention, mobile network operators can leverage their operator-subscriber trust relationship in order to act as SSO authentication authority for those subscribers accessing Service Providers in a service domain other than the mobile network domain.
389 Citations
33 Claims
1. A telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, the system comprising:
a first mobile network and at least one second mobile network;
at least one of a plurality of Service Providers for providing services to subscribers of said mobile networks once said subscribers have been authenticated for the at least one Service Provider by an authentication authority, wherein said authentication authority comprises:
a cellular Federation of mobile network operators, the cellular Federation including the first mobile network and the at least one second mobile network;
an Authentication Provider belonging to the first mobile network as the only member of said Federation entitled to authenticate said user toward the at least one Service Provider; and
an Authentication Broker belonging to a particular one of said second mobile networks and arranged to act as the entry point to said Federation from those Service Providers respectively having entry point agreements with the operator of said particular second mobile network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method for providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, the method comprising the steps of:
(a) establishing an authentication trust relationship between the first and the second mobile network operators, thus forming a Federation of mobile network operators;
(b) redirecting an access request generated by said user from a particular one of said Service Providers toward the cellular network of said first mobile network operator;
(c) generating at an Authentication Provider of said first mobile network operator, to which said user's access request is redirected, an authentication assertion valid for said user accessing said particular Service Provider, and returning an artifact for said assertion back to said user;
(d) requesting verification of said authentication assertion, which is included in said artifact presented by the user, from said particular Service Provider to said Authentication Provider of said first mobile network operator; and
(e) accepting service access to said user upon receipt of a successful verification response at the said particular Service Provider.
Dependent claims: 12, 13, 14, 15, 16
17. An Authentication Broker included in a telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, said Authentication Broker comprising:
first interfacing means for communicating with a user having a subscription with a first mobile network operator;
second interfacing means for communicating with a Service Provider associated with a second mobile network operator; and
broker channel formed from said first and second interfacing means for enabling the Authentication Broker to redirect said user to said user's Home network, and for resolving said user's Home network for said Service Provider, respectively.
Dependent claims: 18, 19, 20, 21, 22
23. An Authentication Provider included in a telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, said Authentication Provider comprising:
a front channel including a Web Front End that comprises first interfacing means for enabling an authentication session between said user and said Authentication Provider; and
a back channel including a Protocol Binding that comprises second interfacing means for exchanging information related to user authentication assertion between said Authentication Provider and a selected Service Provider that the user is accessing.
Dependent claims: 24, 25, 26, 27, 28, 29, 30
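As an added example that is not part of the patent text or of any operator's implementation, the following Python simulation walks through steps (a) to (e) of claim 11 with the Authentication Broker of claim 17 and the Authentication Provider of claim 23 as separate components. The operator names, the realm-based lookup of the user's home network, the HMAC-tagged assertion, the artifact lifetime and every credential are constructed assumptions for the demo; the security properties it illustrates are that the artifact is an opaque single-use reference, that the assertion is scoped to one Service Provider, and that the Service Provider never sees the user's credential.

```python
import hashlib
import hmac
import json
import secrets
import time

ARTIFACT_TTL = 60  # seconds an unresolved artifact remains valid (constructed value)


def _mac(key, assertion):
    """Integrity tag over the assertion body, keyed by the federation trust key."""
    body = {k: v for k, v in assertion.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuthenticationProvider:
    """Home-operator component of claim 23: a front channel that authenticates
    the subscriber and a back channel that releases the assertion to the SP."""

    def __init__(self, operator, federation_key, subscribers):
        self.operator = operator
        self.key = federation_key       # trust relationship of step (a), assumed shared key
        self.subscribers = subscribers  # user -> credential (constructed)
        self.pending = {}               # artifact -> (assertion, expiry)

    def front_channel_login(self, user, credential, sp_id):
        # Step (c): authenticate, mint an SP-scoped assertion, hand back an artifact
        if not hmac.compare_digest(self.subscribers.get(user, ""), credential):
            raise PermissionError("authentication failed")
        assertion = {"subject": user, "issuer": self.operator,
                     "audience": sp_id, "issued_at": int(time.time())}
        assertion["mac"] = _mac(self.key, assertion)
        artifact = secrets.token_urlsafe(24)  # opaque, unguessable reference
        self.pending[artifact] = (assertion, time.time() + ARTIFACT_TTL)
        return artifact

    def back_channel_resolve(self, artifact, sp_id):
        # Step (d): the SP dereferences the artifact; pop() makes it single-use
        entry = self.pending.pop(artifact, None)
        if entry is None:
            return None
        assertion, expiry = entry
        if time.time() > expiry or assertion["audience"] != sp_id:
            return None
        return assertion


class AuthenticationBroker:
    """Entry point of claim 17: redirects the user to the home network and
    resolves the home network on behalf of the Service Provider."""

    def __init__(self, operator, federation):
        self.operator = operator
        self.federation = federation  # operator name -> AuthenticationProvider

    def resolve_home(self, user):
        # Home operator taken from the realm of the user identifier (assumption)
        realm = user.rsplit("@", 1)[-1]
        if realm not in self.federation:
            raise LookupError("user's home network is not a federation member")
        return self.federation[realm]


class ServiceProvider:
    def __init__(self, sp_id, broker, federation_key):
        self.sp_id = sp_id
        self.broker = broker      # entry-point agreement with the broker's operator
        self.key = federation_key  # verification key received under that agreement (assumption)

    def present_artifact(self, user, artifact):
        # Steps (d)-(e): verify through the back channel, then grant or refuse
        home = self.broker.resolve_home(user)
        assertion = home.back_channel_resolve(artifact, self.sp_id)
        if assertion is None or assertion["subject"] != user:
            return False
        return hmac.compare_digest(assertion["mac"], _mac(self.key, assertion))


def sso_flow(sp, user, credential):
    """Drives claim 11 from the user's side; returns (access granted, artifact)."""
    home = sp.broker.resolve_home(user)                              # (b) redirect via broker
    artifact = home.front_channel_login(user, credential, sp.sp_id)  # (c) front channel
    return sp.present_artifact(user, artifact), artifact             # (d)+(e)


def build_demo():
    """Two federated operators; the SP's entry point is op-b's broker while
    alice's home network is op-a. Every value here is constructed."""
    key = b"federation-trust-key-demo"
    federation = {
        "op-a": AuthenticationProvider("op-a", key, {"alice@op-a": "pw-alice"}),
        "op-b": AuthenticationProvider("op-b", key, {"bob@op-b": "pw-bob"}),
    }
    broker = AuthenticationBroker("op-b", federation)
    return ServiceProvider("sp.example", broker, key), federation


if __name__ == "__main__":
    sp, federation = build_demo()
    granted, artifact = sso_flow(sp, "alice@op-a", "pw-alice")
    print("alice granted:", granted)                                   # True
    print("replayed artifact:", sp.present_artifact("alice@op-a", artifact))  # False
```

The replay check in the usage block is the property worth keeping in mind when implementing step (d): because the provider removes the artifact on first resolution, a captured artifact presented a second time resolves to nothing, and an artifact minted for one Service Provider is refused by another because the audience does not match.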
31. A method for doing business wherein at least two mobile network operators form a Federation of mobile network operators, thus establishing an authentication trust relationship in the Federation for supporting Single Sign-On services, said Federation acting as an authentication authority toward those Service Providers offering services to subscribers of mobile network operators included in the Federation, each Service Provider being associated with a federated mobile network operator for accessing said Federation.
Specification