System, method and apparatus for federated single sign-on services
First Claim
1. A telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, the system comprising:
- a first mobile network and at least one second mobile network;
- at least one of a plurality of Service Providers for providing services to subscribers of said mobile networks once said subscribers have been authenticated for the at least one Service Provider by an authentication authority, wherein said authentication authority comprises:
- a cellular Federation of mobile network operators, the cellular Federation including the first mobile network and the at least one second mobile network;
- an Authentication Provider belonging to the first mobile network as the only member of said Federation entitled to authenticate said user toward the at least one Service Provider; and
- an Authentication Broker belonging to a particular one of said second mobile networks and arranged to act as the entry point to said Federation from those Service Providers respectively having entry point agreements with the operator of said particular second mobile network;
- wherein said Authentication Provider belonging to the first mobile network operator may be directly accessed, without involving an Authentication Broker, from the Service Providers respectively having entry point agreements with said first mobile network operator;
- means for redirecting said user, when said user is accessing a Service Provider, toward an Authentication Provider of said user's Home mobile network operator, without involving an Authentication Broker, when said accessed Service Provider has an entry point agreement with said user's Home mobile network operator;
- wherein a Service Provider that has an agreement with said first mobile network operator may request validation of an authentication assertion for a user to an Authentication Provider of said first mobile network operator without involving an Authentication Broker.
1 Assignment
0 Petitions
Abstract
The advent of new and sophisticated web services provided by Service Providers to users, services that individually require authentication of the user and authorization of access, brings the need for a new service to facilitate such authentication and access, a service referred to as Single Sign-On (SSO). The basic principle behind SSO is that users are authenticated once at a particular level, and then access all their subscribed services that accept that level of authentication.
The present invention provides a system, method and apparatus wherein a cellular Federation of mobile network operators becomes an SSO authentication authority for subscribers of this Federation accessing Service Providers having such an agreement with a mobile network operator of the Federation. In accordance with this invention, mobile network operators can leverage their operator-subscriber trust relationship in order to act as SSO authentication authority for those subscribers accessing Service Providers in a service domain other than the mobile network domain.
65 Citations
24 Claims
1. A telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator (claim 1 is set out in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7
8. A method for providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, the method comprising the steps of:
- (a) establishing an authentication trust relationship between the first and the second mobile network operators, thus forming a Federation of mobile network operators;
- (b) redirecting an access request generated by said user from a particular one of said Service Providers toward the cellular network of said first mobile network operator;
- (c) generating at an Authentication Provider of said first mobile network operator, to which said user's access request is redirected, an authentication assertion valid for said user accessing said particular Service Provider, and returning an artifact for said assertion back to said user;
- (d) requesting verification of said authentication assertion, which is included in said artifact presented by the user, from said particular Service Provider to said Authentication Provider of said first mobile network operator; and
- (e) accepting service access to said user upon receipt of a successful verification response at the said particular Service Provider.
Dependent claims: 9, 10, 11, 12, 13
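Steps (a) to (e) of claim 8 as a small Python simulation, added here as an illustration and not code from the patent: the Home operator's Authentication Provider keeps the assertion and hands the user only an opaque, single-use, audience-bound artifact, which the Service Provider must have verified over the back channel before granting access, either directly (entry point agreement with the Home operator) or through another operator's Authentication Broker. Operator names, user identifiers, the `@operator` convention for resolving the Home network and the 60 s artifact lifetime are constructed assumptions.

```python
import secrets

class AuthenticationProvider:
    """Home-operator AP: issues assertions, returns an opaque artifact, answers back-channel verification."""
    def __init__(self, operator):
        self.operator = operator
        self._pending = {}  # artifact -> (user, audience SP, expiry time)

    def home_of(self, user):
        # Direct entry point: an AP may only authenticate its own subscribers
        # (constructed convention: the part after '@' names the Home operator).
        return self if user.rsplit("@", 1)[-1] == self.operator else None

    def authenticate(self, user, sp_name, now, ttl=60):
        if self.home_of(user) is not self:
            raise ValueError("not this operator's subscriber")
        artifact = secrets.token_urlsafe(24)  # unguessable handle; the assertion itself never leaves the AP
        self._pending[artifact] = (user, sp_name, now + ttl)  # assumed 60 s lifetime
        return artifact

    def verify(self, artifact, sp_name, now):
        rec = self._pending.pop(artifact, None)  # single use: a replayed artifact no longer resolves
        if rec is None:
            return None
        user, audience, expiry = rec
        # Audience binding: the SP named in the assertion must be the one asking.
        return user if audience == sp_name and now <= expiry else None

class AuthenticationBroker:
    """Entry point run by a non-Home operator: resolves the user's Home AP in the Federation."""
    def __init__(self, federation):
        self.federation = federation
    def home_of(self, user):
        return self.federation.get(user.rsplit("@", 1)[-1])

class ServiceProvider:
    def __init__(self, name, entry_point):
        self.name, self.entry = name, entry_point
    def access(self, user, now):
        ap = self.entry.home_of(user)                     # (b) redirect toward the Home network
        if ap is None:
            return None                                   # no Home AP reachable: deny
        artifact = ap.authenticate(user, self.name, now)  # (c) assertion issued, artifact to the user
        return ap.verify(artifact, self.name, now)        # (d)+(e) back-channel check, then admit

# Constructed Federation: two operators; B also runs a broker for SPs that have agreements with B.
FEDERATION = {op: AuthenticationProvider(op) for op in ("mno-a.example", "mno-b.example")}
BROKER_B = AuthenticationBroker(FEDERATION)
SP_DIRECT_A = ServiceProvider("shop.example", FEDERATION["mno-a.example"])  # agreement with A
SP_VIA_B = ServiceProvider("news.example", BROKER_B)                        # agreement with B
```

The direct entry point only admits operator A's own subscribers, while the broker path admits any subscriber whose Home operator is in the Federation; a replayed, re-targeted or expired artifact fails verification.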
14. An Authentication Broker included in a telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, said Authentication Broker comprising:
- an Authentication Broker Web Front End that includes first interfacing means for communicating with a user having a subscription with a first mobile network operator, and second interfacing means for communicating with a Service Provider associated with a second mobile network operator;
- a broker channel formed from said first and second interfacing means for enabling the Authentication Broker to redirect said user to said user's Home network, and for resolving said user's Home network for said Service Provider, respectively; and
- storage for all the Authentication Providers in the cellular Federation on a per mobile network operator basis, each mobile network operator included in the cellular Federation.
Dependent claims: 15, 16, 17
18. An Authentication Provider included in a telecommunication system providing Single Sign-On services to a user accessing selected Service Providers, the user having a subscription with a first mobile network operator, and each selected Service Provider being associated with a second mobile network operator, said Authentication Provider comprising:
- a front channel including a Web Front End that comprises first interfacing means for enabling an authentication session between said user and said Authentication Provider, a Session Manager and storage for handling session status for the user, and a Front End Authentication server for carrying out a specific authentication mechanism for the user; and
- a back channel including a Protocol Binding that comprises second interfacing means for exchanging information related to user authentication assertion between said Authentication Provider and a selected Service Provider that the user is accessing.
Dependent claims: 19, 20, 21, 22, 23, 24
Specification