METHOD AND APPARATUS FOR INTERWORKING WITH SINGLE SIGN-ON AUTHENTICATION ARCHITECTURE

US 20110264913A1
Filed: 03/29/2011
Published: 10/27/2011
Est. Priority Date: 04/13/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method for use in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario where authentication under the single sign-on authentication architecture is required of a browsing agent being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent, the method comprising, at a controlling agent:

sending a token to the authentication agent;

sending a request to the browsing agent to return a token;

receiving the token from the browsing agent, the authentication agent or a user of the authentication agent having communicated the received token to the browsing agent via a secure and/or trusted channel and the browsing agent, in response to the earlier received request, having forwarded the token to the controlling agent;

comparing the received token with the token sent to the authentication agent to determine whether the authentication agent is authorised to perform authentication on behalf of the browsing agent and/or whether the browsing agent is authorised to act as a representative for the authentication agent; and

authenticating the browsing agent to the relying party based on the associated authentication performed in relation to the authentication agent if it is determined in the comparing step that the authentication agent and/or browsing agent is so authorised.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for use in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario. The split terminal scenario is one in which authentication under the single sign-on authentication architecture is required of a browsing agent (8) being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent (7). A controlling agent (4) sends (C3) a token to the authentication agent (7). The controlling agent (4) sends (C4) a request to the browsing agent (8) to return a token for comparing with the token sent to the authentication agent (7). The controlling agent (4) waits (06) for the authentication agent (7) or a user of the authentication agent (7) to communicate (A2) the received token to the browsing agent (8) via a secure and/or trusted channel and for the browsing agent (8), in response to the earlier received request, to forward (B4) the token to the controlling agent (4). The controlling agent (4) receives (C7) the token from the browsing agent (8). The controlling agent (4) compares (C10) the received token with the token sent to the authentication agent (7) to determine whether the authentication agent (7) is authorised to perform authentication on behalf of the browsing agent (8) and/or whether the browsing agent (8) is authorised to act as a representative for the authentication agent (7). The controlling agent (4) authenticates (C11) the browsing agent (8) to the relying party based on the associated authentication performed in relation to the authentication agent (7) if it is determined in the comparing step (C10) that the authentication agent (7) and/or browsing agent (8) is so authorised.

75 Citations

View as Search Results

51 Claims

1. A method for use in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario where authentication under the single sign-on authentication architecture is required of a browsing agent being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent, the method comprising, at a controlling agent:
- sending a token to the authentication agent;
  
  sending a request to the browsing agent to return a token;
  
  receiving the token from the browsing agent, the authentication agent or a user of the authentication agent having communicated the received token to the browsing agent via a secure and/or trusted channel and the browsing agent, in response to the earlier received request, having forwarded the token to the controlling agent;
  
  comparing the received token with the token sent to the authentication agent to determine whether the authentication agent is authorised to perform authentication on behalf of the browsing agent and/or whether the browsing agent is authorised to act as a representative for the authentication agent; and
  
  authenticating the browsing agent to the relying party based on the associated authentication performed in relation to the authentication agent if it is determined in the comparing step that the authentication agent and/or browsing agent is so authorised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 48, 49)
- - 2. A method as claimed in claim 1, wherein the token received from the browsing agent is received in an HTTP request message, and comprising sending an HTTP response to the browsing agent.
  - 3. A method as claimed in claim 1, comprising encrypting the token sent to the authentication agent.
  - 4. A method as claimed in claim 3, comprising receiving a session or encryption key from a bootstrapping server function of the further authentication architecture before the encrypting step to enable the session or encryption key to be used in the encryption.
  - 5. A method as claimed in claim 1, comprising sending a piece of the controlling agent'"'"'s internal state to the browsing agent, subsequently receiving the piece of internal state back from the browsing agent, and restoring the piece of internal state at the controlling agent.
  - 6. A method as claimed in claim 5, wherein the piece of internal state is sent to the browsing agent with the token request, and the piece of internal state is returned from the browsing agent with the token.
  - 7. A method as claimed in claim 5, comprising encrypting the piece of internal state.
  - 8. A method as claimed in claim 7, comprising receiving a session or encryption key from a bootstrapping server function of the further authentication architecture before the encrypting step to enable the session or encryption key to be used in the encryption.
  - 9. A method as claimed in claim 1, wherein the token comprises a session identifier.
  - 10. A method as claimed in claim 1, wherein the token sent to the authentication agent comprises a random number or a nonce.
  - 11. A method as claimed in claim 1, wherein the sending of a request to the browsing agent to return a token is done by way of sending an authentication prompt to the browsing agent.
  - 12. A method as claimed in claim 1, wherein the further authentication architecture is a 3GPP authentication architecture.
  - 13. A method as claimed in claim 12, wherein the 3GPP authentication architecture is a 3GPP Generic Bootstrapping Architecture.
  - 14. A method as claimed in claim 1, wherein the single sign-on authentication architecture is an OpenID authentication architecture.
  - 15. A method as claimed in claim 14, wherein the further authentication architecture is a 3GPP authentication architecture, and wherein the controlling agent comprises an OpenID Provider and Network Application Function of the 3GPP/OpenID authentication architecture.
  - 16. A method as claimed in claim 1, wherein the token is representative rather than actual, and wherein the step of comparing the received token with the previously-sent token amounts to comparing what is represented by the received token with what is represented by the previously-sent token.
  - 48. A program for controlling an apparatus to perform a method as claimed in claim 1, carried for example on a carrier medium such as a storage medium or a transmission medium.
  - 49. A storage medium containing a program as claimed in claim 48.

17. An apparatus for use by a controlling agent in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario where authentication under the single sign-on authentication architecture is required of a browsing agent being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent, the apparatus comprising:
- means for sending a token to the authentication agent;
  
  means for sending a request to the browsing agent to return a token;
  
  means for receiving the requested token from the browsing agent, the authentication agent or a user of the authentication agent having communicated the received token to the browsing agent via a secure and/or trusted channel and the browsing agent, in response to the earlier received request, having forwarded the token to the controlling agent;
  
  means for comparing the received token with the token sent to the authentication agent to determine whether the authentication agent is authorised to perform authentication on behalf of the browsing agent and/or whether the browsing agent is authorised to act as a representative for the authentication agent; and
  
  means for authenticating the browsing agent to the relying party based on the associated authentication performed in relation to the authentication agent if it is determined by the comparing means that the authentication agent and/or browsing agent is so authorised.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 18. An apparatus as claimed in claim 17, wherein the token received from the browsing agent is received in an HTTP request message, and comprising means for sending an HTTP response to the browsing agent.
  - 19. An apparatus as claimed in claim 17, comprising means for encrypting the token sent to the authentication agent.
  - 20. An apparatus as claimed in claim 17, comprising means for sending a piece of the controlling agent'"'"'s internal state to the browsing agent, means for subsequently receiving the piece of internal state back from the browsing agent, and means for restoring the piece of internal state at the controlling agent.
  - 21. An apparatus as claimed in claim 17, wherein the token comprises a session identifier.
  - 22. An apparatus as claimed in claim 17, wherein the token sent to the authentication agent comprises a random number or a nonce.
  - 23. An apparatus as claimed in claim 17, wherein the sending of a request to the browsing agent to return a token is done by way of sending an authentication prompt to the browsing agent.
  - 24. An apparatus as claimed in claim 17, wherein the further authentication architecture is a 3GPP authentication architecture.
  - 25. An apparatus as claimed in claim 24, wherein the 3GPP authentication architecture is a 3GPP Generic Bootstrapping Architecture.
  - 26. An apparatus as claimed in claim 17, wherein the single sign-on authentication architecture is an OpenID authentication architecture.
  - 27. An apparatus as claimed in claim 26, wherein the further authentication architecture is a 3GPP authentication architecture, and wherein the controlling agent comprises an OpenID Provider and Network Application Function of the 3GPP/OpenID authentication architecture.
  - 28. An apparatus as claimed in claim 17, wherein the token is representative rather than actual, and wherein the step of comparing the received token with the previously-sent token amounts to comparing what is represented by the received token with what is represented by the previously-sent token.

29. A cryptographic method for enabling a second device of first, second and third devices to determine whether a user consents for the third device to represent the first device as the user'"'"'s proxy, and the method comprising:
- passing a cryptographic secret or token from the second device to the first device;
  
  passing a piece of the internal state of the second device to the third device;
  
  receiving the piece of internal state and the token from the third device, the token having been passed from the first device to the third device as the user'"'"'s consent for the third device to represent the first device as the user'"'"'s proxy, and the piece of internal state and the token having subsequently been passed from the third device to the second device;
  
  reconstructing the internal state of the second device using the piece of internal state received from the third device; and
  
  comparing the token received from the third device with the token previously sent to the first device to determine whether the user has consented to the third device representing the first device as the user'"'"'s proxy.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 50, 51)
- - 30. A method as claimed in claim 29, comprising discarding the piece of internal state at the second device before receiving the internal state back from the third device.
  - 31. A method as claimed in claim 29, wherein the token is passed from the second device to the first device over a secure and/or trusted channel between the first and second devices.
  - 32. A method as claimed in claim 29, wherein the token is passed from the first device to the third device over a secure and/or trusted user-controlled channel between the first and third devices.
  - 33. A method as claimed in claim 32, wherein the secure and/or trusted user-controlled channel is a narrow communication channel that is able to pass relatively short pieces of information at a relatively low rate.
  - 34. A method as claimed in claim 32, wherein the secure and/or trusted user-controlled channel is provided by way of a manual entry of information from the first device to the third device.
  - 35. A method as claimed in claim 29, comprising passing the token from the first device to the third device as the user'"'"'s consent for the third device to represent the first device as the user'"'"'s proxy, and passing the piece of internal state and the token from the third device to the second device.
  - 36. A method as claimed in claim 29, wherein the step of comparing the token received from the third device with the token previously sent to the first device is performed using the internal state of the second device reconstructed in the reconstructing step.
  - 37. A method as claimed in claim 29, wherein the piece of the internal state passed to the third device is encrypted.
  - 38. A method as claimed in claim 29, wherein the piece of the internal state relates to the first device, for example comprising information identifying the first device.
  - 39. A method as claimed in claim 29, wherein, in a split terminal scenario of a scheme for interworking a 3GPP authentication architecture and an OpenID authentication architecture, the first device comprises an Authentication Agent of the 3GPP/OpenID authentication architecture, the second device comprises an OpenID Provider and Network Application Function of the 3GPP/OpenID authentication architecture, and the third device comprises a Browsing Agent of the 3GPP/OpenID authentication architecture.
  - 40. A method as claimed in claim 29, wherein the token is representative rather than actual, and wherein the step of comparing the received token with the previously-sent token amounts to comparing what is represented by the received token with what is represented by the previously-sent token.
  - 50. A program for controlling an apparatus to perform a method as claimed in claim 29, carried for example on a carrier medium such as a storage medium or a transmission medium.
  - 51. A storage medium containing a program as claimed in claim 50.

41. An apparatus for enabling a second device of first, second and third devices to determine whether a user consents for the third device to represent the first device as the user'"'"'s proxy, and the apparatus comprising:
- means for passing a cryptographic secret or token from the second device to the first device;
  
  means for passing a piece of the internal state of the second device to the third device;
  
  means for receiving the piece of internal state and the token from the third device, the token having been passed from the first device to the third device as the user'"'"'s consent for the third device to represent the first device as the user'"'"'s proxy, and the piece of internal state and the token having subsequently been passed from the third device to the second device;
  
  means for reconstructing the internal state of the second device using the piece of internal state received from the third device; and
  
  means for comparing the token received from the third device with the token previously sent to the first device to determine whether the user has consented to the third device representing the first device as the user'"'"'s proxy.
- View Dependent Claims (42, 43, 44, 45, 46, 47)
- - 42. An apparatus as claimed in claim 41, comprising means for discarding the piece of internal state at the second device before receiving the internal state back from the third device.
  - 43. An apparatus as claimed in claim 41, wherein the comparing means use the internal state of the second device reconstructed by the reconstructing means.
  - 44. An apparatus as claimed in claim 41, wherein the piece of the internal state passed to the third device is encrypted.
  - 45. An apparatus as claimed in claim 41, wherein the piece of the internal state relates to the first device, for example comprising information identifying the first device.
  - 46. An apparatus as claimed in claim 41, wherein, in a split terminal scenario of a scheme for interworking a 3GPP authentication architecture and an OpenID authentication architecture, the first device comprises an Authentication Agent of the 3GPP/OpenID authentication architecture, the second device comprises an OpenID Provider and Network Application Function of the 3GPP/OpenID authentication architecture, and the third device comprises a Browsing Agent of the 3GPP/OpenID authentication architecture.
  - 47. An apparatus as claimed in claim 41, wherein the token is representative rather than actual, and wherein the step of comparing the received token with the previously-sent token amounts to comparing what is represented by the received token with what is represented by the previously-sent token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
WIFVESSON, Monica, NIKANDER, Pekka, NORRMAN, Karl, EKDAHL, Patrick, LEHTOVIRTA, Vesa

Application Number

US13/074,299
Publication Number

US 20110264913A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

METHOD AND APPARATUS FOR INTERWORKING WITH SINGLE SIGN-ON AUTHENTICATION ARCHITECTURE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR INTERWORKING WITH SINGLE SIGN-ON AUTHENTICATION ARCHITECTURE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links