FEDERATED MOBILE AUTHENTICATION USING A NETWORK OPERATOR INFRASTRUCTURE

US 20120079569A1
Filed: 09/24/2010
Published: 03/29/2012
Est. Priority Date: 09/24/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented security system having computer readable media that store executable instructions executed by a processor, comprising:

an authentication component of a network operator infrastructure that authenticates a mobile client to the network operator infrastructure based on a mobile identity and issues proof of authentication; and

a network operator security token server of the network operator infrastructure that communicates with the authentication component to obtain the proof of authentication in response to a request by the mobile client for access to an application, the network operator infrastructure having an established trust and in identity federation with the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architecture that utilizes the strong authentication mechanisms of network operators to provide authentication to mobile applications by identity federation. When a mobile client initiates request for access to an application outside the network operation infrastructure, the request is passed to an associated application secure token service. The application secure token service has an established trust and identity federation with the network operator. The application secure token service redirects the request to a network operator security token server, which then passes the request to a network operator authentication server for authentication against an operator identity service. Proof of authentication is then issued and returned from the network operator security token server to the application secure token service and the application, which allows the mobile client to access the application.

37 Citations

View as Search Results

20 Claims

1. A computer-implemented security system having computer readable media that store executable instructions executed by a processor, comprising:
- an authentication component of a network operator infrastructure that authenticates a mobile client to the network operator infrastructure based on a mobile identity and issues proof of authentication; and
  
  a network operator security token server of the network operator infrastructure that communicates with the authentication component to obtain the proof of authentication in response to a request by the mobile client for access to an application, the network operator infrastructure having an established trust and in identity federation with the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the request includes network source information that compares to a range of network addresses associated with the network operator infrastructure.
  - 3. The system of claim 1, wherein the request is checked for inclusion of a predefined token that identifies the network operator infrastructure.
  - 4. The system of claim 1, wherein the application redirects the mobile device to an application secure token service, and the application secure token service then redirects the mobile device to the network operator security token server.
  - 5. The system of claim 1, wherein the network operator security token server sends the request to the authentication component for authentication against an operator identity service and returns the proof of authentication to an application secure token service associated with the application.
  - 6. The system of claim 5, wherein the network operator infrastructure is a GSM (global system for mobile communications) mobile communications network and authentication is accomplished against the operator identity service, which is a location register, using an XML-based standard.
  - 7. The system of claim 1, further comprising a user identity component that allows a user to choose to allow basic and additional user identity information to be utilized for the identity federation, the basic and additional user identity information includes location information.
  - 8. The system of claim 1, wherein the network operator security token server is in identity federation with an application secure token service associated with the application.

9. A computer-implemented security method executed by a processor, comprising:
- receiving at an application a request from a mobile client;
  
  checking if the request is associated with a network operator based on network operator information;
  
  redirecting the request to a network operator security token service based on the network operator information;
  
  mapping the request to the mobile client using a network operator identity service; and
  
  providing identity of the mobile client to the application.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising conditioning exposure of basic and additional user identity information on opt-in or opt-out by a user of the identity.
  - 11. The method of claim 9, further comprising associating the network operator with the request based on network operator information that is a network address in a range of network addresses.
  - 12. The method of claim 9, further comprising associating the network operator with the request based on network operator information that is a token included in the request.
  - 13. The method of claim 9, further comprising providing the identity to the application based on identity federation and an established trust between the application and the network operator.
  - 14. The method of claim 9, further comprising redirecting the request to the network operator security token service via an application secure token service associated with the application.
  - 15. The method of claim 9, further comprising sending proof of authentication from the network operator to an application secure token service to allow access to the application by the mobile client.

16. A computer-implemented security method executed by a processor, comprising:
- receiving from a mobile client a request for access to an application, the application external to a network operator infrastructure of which the mobile client is a subscriber;
  
  passing the request to an application secure token service associated with the application;
  
  checking the request for network operator information associated with the network operator infrastructure;
  
  redirecting the request to a network operator security token server of the network operator infrastructure based on the network operator information;
  
  mapping the request to the mobile client using a network operator identity service;
  
  providing proof of authentication and the request to the application; and
  
  allowing access to the application by the mobile client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising associating the network operator infrastructure to the request based on network operator information that is a network address in a range of network addresses of a network operator or a token included in the request.
  - 18. The method of claim 16, further comprising implementing a federation proxy by which the application and other applications co-hosted on a single application server receive identity federation.
  - 19. The method of claim 16, further comprising providing the proof of authentication and the request according to a regulatory agreement.
  - 20. The method of claim 16, further comprising:
    - sending the request from the network operator security token server to a network operator authentication server associated with an operator identity service;
      
      receiving the proof of authentication at the network operator security token server; and
      
      sending the request and the proof of authentication from the network operator security token server to the application secure token service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Neystadt, John, Ahmed, Khaja E., Mendelovich, Meir

Granted Patent

US 8,881,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/3213   using tickets or tokens, e....

H04W 12/062   Pre-authentication

H04W 88/02   Terminal devices

FEDERATED MOBILE AUTHENTICATION USING A NETWORK OPERATOR INFRASTRUCTURE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FEDERATED MOBILE AUTHENTICATION USING A NETWORK OPERATOR INFRASTRUCTURE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links