Secure communication network user mobility apparatus and methods

US 8,346,265 B2
Filed: 08/17/2006
Issued: 01/01/2013
Est. Priority Date: 06/20/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an authentication request, from a first secure intranet network in which a network service is provided, for an independently controlled second secure intranet network, with which a mobile user is associated, to authenticate the mobile user for local access to the network service from within the first secure intranet network, the authentication request being received at the second secure intranet network and comprising a request by the first secure intranet network for the second secure intranet network to authenticate the mobile user for local access to the network service from within the first secure intranet network;

the second secure intranet network authenticating the mobile user according to user identity records at the second secure intranet network; and

the second secure intranet network providing to the first secure intranet network an indication of a result of the authentication,the method further comprising;

creating at the second secure intranet network a digital user identity to be used by the mobile user in the first secure intranet network, where the mobile user is successfully authenticated,wherein the providing comprises providing the user identity to the first secure intranet network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure communication network user mobility apparatus and methods are disclosed. A mobile user that is locally connected to a first communication network in which a service is provided, but is associated with an independently controlled second secure communication network, may be authenticated for access to the service by the second communication network. This allows seamless user mobility between networks in a partner extranet or other collection of trusted networks based on existing inter-network user mobility relationships. Access control, monitoring, and reporting, for example, and possibly other functions, may also be provided.

Citations

21 Claims

1. A method comprising:
- receiving an authentication request, from a first secure intranet network in which a network service is provided, for an independently controlled second secure intranet network, with which a mobile user is associated, to authenticate the mobile user for local access to the network service from within the first secure intranet network, the authentication request being received at the second secure intranet network and comprising a request by the first secure intranet network for the second secure intranet network to authenticate the mobile user for local access to the network service from within the first secure intranet network;
  
  the second secure intranet network authenticating the mobile user according to user identity records at the second secure intranet network; and
  
  the second secure intranet network providing to the first secure intranet network an indication of a result of the authentication,the method further comprising;
  
  creating at the second secure intranet network a digital user identity to be used by the mobile user in the first secure intranet network, where the mobile user is successfully authenticated,wherein the providing comprises providing the user identity to the first secure intranet network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - controlling, at the first secure intranet network, access to the network service by the mobile user based on a result of the authentication by the second secure intranet network.
  - 3. The method of claim 2, wherein controlling comprises granting access to the network service in accordance with an access policy.
  - 4. The method of claim 1, further comprising:
    - receiving, at the first secure intranet network, from the second secure intranet network the digital user identity to be used by the mobile user in the first secure intranet network.
  - 5. The method of claim 4, further comprising:
    - storing the identity in a mobile user database at the first secure intranet network; and
      
      forwarding the identity to the mobile user.
  - 6. The method of claim 1, further comprising:
    - receiving, at the first secure intranet network, service access information associated with local access to the network service by the mobile user, wherein the service access information comprises a user authentication request; and
      
      the first secure intranet network requesting the second secure intranet network to authenticate the mobile user.
  - 7. The method of claim 1, further comprising:
    - receiving, at the first secure intranet network, service access information associated with local access to the network service by the mobile user, wherein the service access information comprises a service access request;
      
      determining, at the first secure intranet network, whether the mobile user has been previously authenticated by the second secure intranet network; and
      
      the first secure intranet network requesting the second secure intranet network to authenticate the mobile user where the mobile user has not been previously authenticated by the second secure intranet network.
  - 8. The method of claim 1, further comprising:
    - receiving, at a web services node of the first secure intranet network, service access information associated with local access to the network service by the mobile user.
  - 9. The method of claim 1, wherein a transformation is applied to service access information, associated with external access to the network service by the mobile user from the second secure intranet network, for transfer between the mobile user and an application server by which the network service is provided, the method further comprising:
    - receiving, at the first secure intranet network, service access information associated with local access to the network service by the mobile user; and
      
      applying the transformation to the received service access information.
  - 10. The method of claim 1, further comprising:
    - tracking activity of the mobile user in the first secure intranet network; and
      
      reporting the tracked activity from the first secure intranet network to the second secure intranet network.
  - 11. A non-transitory machine-readable medium storing instructions which when executed perform the method of claim 1.
  - 12. The method of claim 1, wherein the first secure intranet network and the second secure intranet network are partner sites that interact with each other in a partner extranet.
  - 13. The method of claim 12, wherein a first gateway in the first secure intranet network and a second gateway in the second secure intranet network enable the partner extranet.

14. An apparatus comprising:
- an interface for exchanging information between a first secure intranet network and an independently controlled second secure intranet network; and
  
  an authentication module operatively coupled to the interface and operable;
  
  to receive through the interface, at the second secure intranet network, an authentication request from the first secure intranet network for the second secure intranet network to authenticate a mobile user associated with the second secure intranet network for local access from within the first secure intranet network to a network service provided in the first secure intranet network, the authentication request comprising a request by the first secure intranet network for the second secure intranet network to authenticate the mobile user for local access to the network service from within the first secure intranet network;
  
  to authenticate the mobile user, at the second secure intranet network, according to user identity records at the second secure intranet network; and
  
  to provide an indication of a result of the authentication from the second secure intranet network to the first secure intranet network through the interface,at least one of the interface and the authentication module being implemented using hardware,wherein the authentication module is further configured to create, at the second secure intranet network, a digital user identity to be used by the mobile user in the first secure intranet network, where the mobile user is successfully authenticated, and to provide an indication of a result of the authentication by providing the user identity to the first secure intranet network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The apparatus of claim 14, further comprising:
    - an access module, at the first secure intranet network, operable to control access to the network service by the mobile user based on a result of the authentication by the second secure intranet network.
  - 16. The apparatus of claim 15, wherein the access module is further operable to track activity of the mobile user in the first secure intranet network, the apparatus further comprising:
    - an interface operatively coupled to the access module for enabling the tracked activity to be reported from the first secure intranet to the second secure intranet network.
  - 17. The apparatus of claim 15, further comprising:
    - a memory operatively coupled to the access module for storing service access policies,wherein the access module is further operable to determine whether the memory stores a policy in accordance with which access to the network service by the mobile user is to be controlled, and, where the memory stores a policy in accordance with which access to the network service by the mobile user is to be controlled, to control access to the network service by the mobile user by granting or denying access to the network service based on the policy stored in the memory.
  - 18. The apparatus of claim 14, further comprising:
    - an authentication module, at the first secure intranet network, that is operable to receive from the second secure intranet network the digital user identity to be used by the mobile user in the first secure intranet network.
  - 19. The apparatus of claim 18, further comprising:
    - a memory for storing the identity in a mobile user database at the first secure intranet network; and
      
      an interface enabling the identity to be forwarded to the mobile user.
  - 20. The apparatus of claim 14, further comprising, at the first secure intranet network:
    - an interface operable to receive service access information associated with local access to the network service by the mobile user; and
      
      an authentication module operatively coupled to the interface at the first secure intranet network,wherein the service access information comprises a service access request, and wherein the authentication module at the first secure intranet network is operable to determine, at the first secure intranet network, whether the mobile user has been previously authenticated by the second secure intranet network, and to send, from the first secure intranet network to the second secure intranet network, the authentication request for the second secure intranet network to authenticate the mobile user where the mobile user has not been previously authenticated by the second secure intranet network.
  - 21. The apparatus of claim 14, further comprising, at the first secure intranet network:
    - a gateway that enables remote usage of the network service from the second secure intranet network, the gateway being configured to perform a transformation of information relating to remote usage of the network service from the second secure intranet network, and to perform the transformation for information relating to local access to the network service by the mobile user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Strub, Lyle, Grossner, Clifford, Serghi, Laura Mihaela
Primary Examiner(s)
Arevalo, Joseph

Application Number

US11/465,172
Publication Number

US 20070293210A1
Time in Patent Office

2,329 Days
Field of Search

370/395.53, 370/282, 370/546, 370/276, 370/332, 370/311, 370/441, 370/320, 370/342, 370/130, 370/328, 370/338, 370/390, 370/331, 370/312, 370/335, 370/401, 370/259, 370/389, 379/306, 379/334, 455/420, 455/411, 455/41.2, 455/552.1, 455/445, 455/433, 455/466, 455/428, 455/550.1, 455/435.1, 455/456.1, 455/414.1, 705/64, 705/50, 705/7, 705/9, 733/04.C
US Class Current

455/441
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 63/18   using different networks or...

H04L 67/02   based on web technology, e....

Secure communication network user mobility apparatus and methods

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication network user mobility apparatus and methods

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links