SECURE COMMUNICATION NETWORK USER MOBILITY APPARATUS AND METHODS

US 20070293210A1
Filed: 08/17/2006
Published: 12/20/2007
Est. Priority Date: 06/20/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a first secure communication network in which a network service is provided, service access information associated with local access to the service by a mobile user, the mobile user being associated with an independently controlled second secure communication network but locally accessing the service from within the first communication network; and

requesting the second communication network to authenticate the mobile user.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure communication network user mobility apparatus and methods are disclosed. A mobile user that is locally connected to a first communication network in which a service is provided, but is associated with an independently controlled second secure communication network, may be authenticated for access to the service by the second communication network. This allows seamless user mobility between networks in a partner extranet or other collection of trusted networks based on existing inter-network user mobility relationships. Access control, monitoring, and reporting, for example, and possibly other functions, may also be provided.

Citations

27 Claims

1. A method comprising:
- receiving, at a first secure communication network in which a network service is provided, service access information associated with local access to the service by a mobile user, the mobile user being associated with an independently controlled second secure communication network but locally accessing the service from within the first communication network; and
  
  requesting the second communication network to authenticate the mobile user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - controlling access to the service by the mobile user based on a result of the authentication by the second communication network.
  - 3. The method of claim 1, further comprising:
    - receiving from the second communication network an automatically generated digital identity to be used by the mobile user in the first communication network.
  - 4. The method of claim 3, further comprising:
    - storing the identity in a mobile user database at the first communication network; and
      
      forwarding the identity to the mobile user.
  - 5. The method of claim 1, wherein the service access information comprises a user authentication request.
  - 6. The method of claim 1, wherein the service access information comprises a service access request, the method further comprising:
    - determining whether the mobile user has been previously authenticated by the second communication network; and
      
      requesting the second communication network to authenticate the mobile user where the mobile user has not been previously authenticated by the second communication network.
  - 7. The method of claim 2, wherein controlling comprises granting access to the service in accordance with an access policy.
  - 8. The method of claim 1, wherein receiving comprises receiving the service access information at a web services node of the first communication network.
  - 9. The method of claim 1, wherein a transformation is applied to service access information, associated with external access to the service by the mobile user from the second communication network, for transfer between the mobile user and an application server by which the service is provided, the method further comprising:
    - applying the transformation to the received service access information.
  - 10. The method of claim 1, further comprising:
    - tracking activity of the mobile user in the first communication network; and
      
      reporting the tracked activity to the second communication network.
  - 11. A machine-readable medium storing instructions which when executed perform the method of claim 1.

12. An apparatus comprising:
- an interface operable to receive service access information associated with local access by a mobile user to a network service that is provided in a first secure communication network, the mobile user being associated with an independently controlled second secure communication network but locally accessing the service from within the first communication network; and
  
  an authentication module operatively coupled to the interface and operable to request the second communication network to authenticate the mobile user.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The apparatus of claim 12, further comprising:
    - an access module operatively coupled to the authentication module and operable to control access to the service by the mobile user based on a result of the authentication by the second communication network.
  - 14. The apparatus of claim 13, wherein the access module is further operable to track activity of the mobile user in the first communication network, the apparatus further comprising:
    - an interface operatively coupled to the access module for enabling the tracked activity to be reported to the second communication network.
  - 15. The apparatus of claim 13, further comprising:
    - a memory operatively coupled to the access module for storing service access policies,wherein the access module is further operable to determine whether the memory stores a policy in accordance with which access to the service by the mobile user is to be controlled, and, where the memory stores a policy in accordance with which access to the service by the mobile user is to be controlled, to control access to the service by the mobile user by granting or denying access to the service based on the policy stored in the memory.
  - 16. The apparatus of claim 12, wherein the authentication module is further operable to receive from the second communication network an automatically generated digital identity to be used by the mobile user in the first communication network.
  - 17. The apparatus of claim 16, further comprising:
    - a memory for storing the identity in a mobile user database; and
      
      an interface enabling the identity to be forwarded to the mobile user.
  - 18. The apparatus of claim 12, wherein the service access information comprises a service access request, and wherein the authentication module is further operable to determine whether the mobile user has been previously authenticated by the second communication network, and to request the second communication network to authenticate the mobile user where the mobile user has not been previously authenticated by the second communication network.
  - 19. A web services node for managing web service application usage, the web services node comprising:
    - the apparatus of claim 12.
  - 20. The web services node of claim 19, wherein the web services node comprises a gateway that enables remote usage of the service from the second communication network, the gateway being configured to perform a transformation of information relating to remote usage of the service from the second communication network, and to perform the transformation for information relating to local access to the service by the mobile user.

21. A method comprising:
- receiving, from a first secure communication network in which a network service is provided, a request for an independently controlled second secure communication network, with which a mobile user is associated, to authenticate the mobile user for local access to the service from within the first communication network;
  
  authenticating the mobile user according to user identity records at the second communication network; and
  
  providing to the first communication network an indication of a result of the authentication.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, further comprising:
    - creating at the second communication network a digital user identity to be used by the mobile user in the first communication network, where the mobile user is successfully authenticated,wherein providing comprises providing the user identity to the first communication network.
  - 23. A machine-readable medium storing instructions which when executed perform the method of claim 21.

24. An apparatus comprising:
- an interface for exchanging information between a first secure communication network and an independently controlled second secure communication network; and
  
  an authentication module operatively coupled to the interface and operable;
  
  to receive through the interface a request from the first communication network to authenticate a mobile user associated with the second communication network for local access from within the first communication network to a service provided in the first communication network;
  
  to authenticate the mobile user according to user identity records at the second communication network; and
  
  to provide an indication of a result of the authentication to the first communication network through the interface.
- View Dependent Claims (25)
- - 25. The apparatus of claim 24, wherein the authentication module is further configured to create a digital user identity to be used by the mobile user in the first communication network, where the mobile user is successfully authenticated, and to provide an indication of a result of the authentication by providing the user identity to the first communication network.

26. A machine-readable medium storing a data structure, the data structure comprising:
- an identifier of a mobile user by whom a service provided in a first secure communication network may be locally accessed from within the first communication network; and
  
  an identifier of an independently controlled second secure communication network with which the mobile user is associated and by which the mobile user is to be authenticated for local access to the service.
- View Dependent Claims (27)
- - 27. The machine-readable medium of claim 26, wherein the data structure further comprises:
    - an access record providing an indication of local access to the service by the mobile user after the mobile user is authenticated by the second communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Strub, Lyle, Grossner, Clifford, Serghi, Laura Mihaela

Granted Patent

US 8,346,265 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/420
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 63/18   using different networks or...

H04L 67/02   based on web technology, e....

SECURE COMMUNICATION NETWORK USER MOBILITY APPARATUS AND METHODS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE COMMUNICATION NETWORK USER MOBILITY APPARATUS AND METHODS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links