WO2010000298A1 - Apparatus, method and program for integrated authentication - Google Patents
- Publication number
- WO2010000298A1 (application PCT/EP2008/058384)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- identity
- user
- item
- provider
- authentication
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
At least one or more of the embodiments provide a method and apparatus for a federation mechanism in an authentication, authorization and accounting / identity management server environment.
Description
Apparatus, Method and Program for Integrated Authentication
FIELD OF TECHNOLOGY AND BACKGROUND
The invention generally relates to devices, network elements, apparatuses, parts of such elements or devices such as processors, software, programs, systems, methods, etc.
In some cases, when a user wants to access a service or application such as an internet application using e.g. a mobile terminal, the user has to input or type in credentials like username and/or password. To avoid re-typing of the credentials for each application, functions like single sign on may be used. This function may be implemented by an identity provider (IdP) that provides the required identity or identities, IDs, to access one or more applications. Even with the usage of an identity provider the user has to authenticate her/himself at the identity provider and therefore has to type in e.g. username and/or password.
Customarily, network level authentication is strictly separated from internet application level authentication. Each of the applications may provide its own identity management, IdM, system and the user may have separate identities, IDs, for the access network as well as for the different internet applications. An identity management, IdM, or identity provider, IdP, refers to processes, functions or hardware or software devices for generating, maintaining and using digital identities.
SUMMARY
In accordance with at least one, more or all of the embodiments, the invention provides an apparatus, method, program etc. as defined in one or more of the independent claims or any one of the dependent claims.
In accordance with one or more embodiments of the invention a mechanism or method is provided which may advantageously reuse e.g. already existing network level authentication for example for a single sign on function. Embodiments of the invention relate to one or more of identity management, IDM, single sign on, authentication, etc.
In accordance with one or more embodiments of the invention, an apparatus, method and/or program for integrated authentication are provided.
An embodiment of an apparatus may e.g. be a server accessible by a network.
In accordance with one or more embodiments, a gap between network and application level authentication is bridged, e.g. by extracting a user identity, user ID, for e.g. a valid IP data session. The user identity may for example be extracted from that network element that can resolve a mapping between the IP address and a primary identity, ID, (e.g. MSIDN or mobile station international data number, MSISDN, international mobile subscriber identity, IMSI, international mobile equipment identity, IMEI, a globally or at least locally unique identity, and/or permanent identity, or the like) of a user. The user identity information may e.g. be retrieved from an authentication server but may also come from a policy and charging rules function, or from a bootstrapping server function, or from any other source, etc.
In accordance with one or more embodiments of the invention, a method is provided which comprises retrieving a user identity based on another identity in case access to an item is required by indicating the another identity, checking based on the retrieved user identity whether the user has a valid identity for the item to be accessed, deciding on grant of access to the item based on the check result. The method may further comprise a feature of retrieving the user identity from at least one of an authentication server, an authentication, authorization and accounting server, a policy and charging rules function, or a bootstrapping server function. At least one of the retrieving, checking and deciding may be performed by an identity provider or identity management.
The item may e.g. be at least one of an application, service, content, or information.
The method may comprise e.g. at least one or more, in any arbitrary combination, of: the identity provider or identity management retrieves the required user identity from the authentication server by sending an IP address, the identity provider or identity management or authentication server checks profile data of the user based on the user identity, the identity provider or identity management checks whether the user has a valid identity for the application to be accessed, in case of a valid identity the identity provider builds up a security assertion, optionally using a security assertion markup language, sending the security assertion to the application to be accessed, granting access to the application based on the identity with the security assertion.
In accordance with one or more embodiments of the invention an apparatus may be configured to retrieve a user identity based on another identity in case access to an item is required by indicating the another identity, check based on the retrieved user identity whether the user has a valid identity for the item to be accessed, and decide on grant of access to the item based on the check result, wherein the apparatus may retrieve the user identity from at least one of an authentication server, an authentication, authorization and accounting server, a policy and charging rules function, or a bootstrapping server function, and/or may perform at least one of the retrieving, checking and deciding by an identity provider or identity management.
The apparatus may e.g. be an identity provider or identity management.
The apparatus may comprise at least one or more, in any arbitrary combination, of: the identity provider or identity management is configured to retrieve the required user identity from an accounting server by sending an IP address, the identity provider or identity management or accounting server is configured to check profile data of the user based on the user identity, the identity provider or identity management is configured to check whether the user has a valid identity for the application to be accessed, the identity provider is configured to build up a security assertion, optionally using a security assertion markup language, in case of a valid identity, being configured to send the or a security assertion to an application to be accessed, and/or to grant access to the application based on the identity with the security assertion.
In accordance with one or more embodiments of the invention an apparatus may be configured to comprise a database mapping user identities to other identities, and to provide a user identity based on another identity indicated in a retrieval request, wherein the apparatus is at least one of an authentication server, an authentication, authorization and accounting server, a policy and charging rules function, or a bootstrapping server function.
In accordance with one or more embodiments of the invention a computer program product is provided which comprises code means configured to carry out or implement, when run on a processor, retrieving a user identity from at least one of an authentication server, an authentication, authorization and accounting server, a policy and charging rules function, or a bootstrapping server function, based on another identity in case access to an item is required by indicating the another identity, checking based on the retrieved user identity whether the user has a valid identity for the item to be accessed, deciding on grant of access to the item based on the check result.
In accordance with one or more embodiments of the invention a computer program product may comprise code means configured to carry out or implement, when run on a processor, retrieving a user identity based on another identity in case access to an item is required by indicating the another identity, checking based on the retrieved user identity whether the user has a valid identity for the item to be accessed, deciding on grant of access to the item based on the check result, wherein at least one of the retrieving, checking and deciding is performed by an identity provider or identity management.
The computer program product may e.g. be embodied on a computer-readable medium.
Other objects, features and advantages of embodiments of the invention will become apparent from the following description of embodiments of the invention.
BRIEF DESCRIPTION OF DRAWINGS
Fig. 1 illustrates embodiments of a system, apparatuses, and a method in accordance with the invention; and
Fig. 2 shows an embodiment configured in accordance with an implementation of the invention.
DESCRIPTION OF EMBODIMENTS
In accordance with one or more embodiments, a mechanism is provided that reuses the already existing network level authentication for a single sign on function.
In accordance with one or more embodiments of the invention, a packet data protocol, PDP, context according to 3GPP may be set up. When a user wants to access an internet application, the user will be redirected to an identity management or identity provider, IdP.
In accordance with an embodiment shown in Fig. 1, a gap between network level authentication and application level authentication is bridged by extracting the user identity, user ID, for e.g. an IP session.
The user identity is in this example embodiment extracted from that network element that can resolve the mapping between the IP address and a primary identity, ID, (e.g. MSIDN or mobile station international data number, MSISDN or mobile station international subscriber integrated services digital network number, or the like) of a user.
In the message flow shown in Fig. 1, the user identity information is retrieved from an authentication, authorization, accounting, AAA, server 5.
In another embodiment this user identity information may e.g. also come from a policy and charging rules function, PCRF, which may be provided as an extension of third generation partnership project, 3GPP, standard, or from a bootstrapping server function, BSF, according to generic bootstrapping architecture GBA / generic authentication architecture, GAA, or from other sources, etc.
The integrated authentication may in accordance with one or more embodiments of the invention take place as follows.
In a first step an identity management, IdM, or identity provider, IdP, may retrieve the required user ID from a server such as an authentication, authorization, accounting, AAA, server e.g. by sending the IP address or other identity of the user. Based on the retrieved user identity, e.g. a mobile station international subscriber directory number or mobile station international integrated services digital network, ISDN, number, MSISDN, etc, the identity management or provider can find the profile data of the user and may check whether the user has a valid identity, ID, for the application. In case there is a valid ID the identity provider may build up an assertion such as e.g. a security assertion markup language, SAML, assertion which may be sent to the application. Based on the ID with the SAML message the application can grant access to the user.
In accordance with one or more embodiments of the invention, a user may advantageously access internet applications without an explicit authentication i.e. without need of typing in e.g. username/ password on her or his mobile terminal.
Fig. 1 illustrates an embodiment of a system and apparatuses in accordance with the invention. Fig. 1 shows an implementation in accordance with one or more embodiments of the invention which comprises at least one or more of a terminal 1, a browser 2, a support entity 3 such as a serving node e.g. a serving general packet radio service support node, SGSN, a gateway entity 4 such as e.g. a gateway general packet radio service support node, GGSN, a server 5 such as e.g. an authentication, authorization, accounting, AAA, server, an identity management entity or function 6 such as an identity provider, and a service provider 7.
In the embodiment of Fig. 1, messages 1 to 6 show a procedure to setup a packet data protocol, PDP, context e.g. according to 3GPP.
With messages 7 to 9 a user wants to access an internet application in this embodiment. In this case the user will be redirected to the identity management or identity provider 6 according to this embodiment.
Messages 10, 11, 13 show an example of an integrated authentication in accordance with one or more embodiments of the invention.
In a step according to message 10, the identity provider 6 retrieves the required user ID from the AAA server 5 e.g. by sending the IP address of the user. Based on the user ID e.g. MSISDN received in response message 11 from the server 5, the identity provider 6 can find the profile data of the user and check whether the user has a valid ID for the application to be accessed. In case there is a valid ID the identity provider 6 may build up a security assertion markup language, SAML, assertion or assertion of other type, which assertion is sent to the application to be accessed. Based on the ID with the SAML message the application can grant access to the user.
In the following, the messages, functions and structures of the embodiment of Fig. 1 will be described in more detail.
As shown in the example embodiment of Fig. 1, the terminal 1 may send a message 1, Activate PDP Context Request, to the serving entity 3 when desiring a packet or data connection or content etc. In response thereto, the serving entity 3 sends a message 2, Create PDP Context Request, to the gateway entity 4. The gateway entity 4 sends a request message 3 such as a RADIUS access request, indicating a user identity such as MSISDN, to the server 5. The server 5 checks whether to grant access and in this example returns to the gateway entity 4 an accept message 4, e.g. RADIUS Access Accept, indicating an address or other identity of the user such as an IP-Address.
The gateway entity 4 returns a response message 5, Create PDP Context Response, to the serving entity 3. The serving entity 3 sends in this example an accepting message 6, e.g. Activate PDP Context Accept, to the terminal 1. Thus a PDP context is provided in the network for the terminal 1.
The browser 2 may be or comprise a function, device or process, such as Internet Explorer (trademark), Firefox (trademark) etc., and may be provided in and/or accessible by the terminal 1 e.g. for accessing an application such as an internet application or any other type of service, content or information.
When a user of the terminal 1 or some other process requests a service, content, or other information e.g. from service provider 7, the browser 2 may send a request such as a message 7, HTTP GET Request, to the provider 7. The provider 7 may respond by returning a response message 8 such as a redirect message like HTTP Redirect (SAML Authentication Request) to the browser 2 e.g. in case the requested application or provider 7 requires some authentication or the like.
The browser 2 reacts to message 8 by sending an authentication requesting message 9, e.g. a message HTTP Redirect (SAML Authentication Request) to the identity management or identity provider 6, optionally indicating the IP address or other identification of the user or terminal 1.
In response thereto, the identity management or provider 6 transmits a message 10 to the server 5 requesting authentication from the server 5 and indicating the IP address or other identification of the user or terminal 1, e.g. message 10, Authentication Request (IP-Address).
The server 5 checks the authorization of the entity indicated by the IP address or other identification indicated in message 10, and returns an authentication response message 11 to the identity provider 6, the authentication response message 11 indicating an identity or primary identity of the user or terminal 1 such as MSISDN or the like.
The identity provider 6 executes a program, routine or function 12 for checking whether the identity of the user or terminal comprised in the message 11 is a valid identity allowing provision of the requested service, content or information, etc. In case the identity is not valid, the provider 6 may prevent providing the requested service or information. When the check determines that the identity is a valid identity, the identity management or provider 6 may send an asserting authentication response message 13 to the browser 2 such as message 13, HTTP Response (SAML Authentication Response (SAML Assertion)).
The browser 2 issues an authentication response message 14, e.g. message 14: HTTP Response (SAML Authentication Response (SAML Assertion)) to the service provider 7, responding to the authentication request message 8 and indicating the assertion received in message 13.
In response to message 14, the service provider 7 may provide the requested service, content or information, e.g. by sending a message 15, HTTP PUT Request to the browser 2, e.g. for presentation of the requested service or content at the terminal or to the user e.g. in visual, acoustic, haptic or any other form.
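The flow of messages 9 to 14 and check 12 above, as an added example in Python that is not part of the patent and not code from any implementation it describes. The class names (AAAServer, IdentityProvider, ServiceProvider), the IP-to-MSISDN session table, the profile table, the fixed demo clock and the HMAC-based assertion are assumptions for illustration; the patent names SAML only as one option and specifies none of these. The example also carries the two checks a practitioner would want in such a design: the identity provider keys its lookup on the connection source address it observes rather than on an address the client puts in message 9, and the service provider verifies the assertion's integrity, audience and lifetime before granting access.

```python
"""Simulation of integrated authentication: IP session -> primary identity
(MSISDN) -> application identity -> assertion -> access decision.
Added example; all data and names below are constructed, not from the patent."""
import hashlib
import hmac
import json

DEMO_NOW = 1_700_000_000  # fixed clock so the run is deterministic (assumption)

# IP -> primary identity, as the AAA server holds it after the RADIUS
# Access-Request / Access-Accept exchange (messages 3 and 4). Constructed values.
AAA_SESSIONS = {
    "10.0.0.17": {"msisdn": "+4917012345678", "expires": DEMO_NOW + 3600},
    "10.0.0.18": {"msisdn": "+4917099999999", "expires": DEMO_NOW - 1},  # stale
}

# Profile data at the identity provider: application identities per MSISDN.
PROFILES = {
    "+4917012345678": {"app.example": "alice@app.example"},
    "+4917099999999": {"app.example": "bob@app.example"},
}

IDP_KEY = b"constructed-demo-key"  # key shared by IdP and SP for the HMAC tag


class AAAServer:
    """Messages 10/11: resolves an IP address to the primary identity."""

    def __init__(self, sessions):
        self.sessions = sessions

    def authentication_request(self, ip_address, now=DEMO_NOW):
        session = self.sessions.get(ip_address)
        if session is None or session["expires"] <= now:
            return None  # no valid IP data session for that address
        return session["msisdn"]


class IdentityProvider:
    """Message 9 in, messages 10/11 to the AAA server, check 12, message 13 out."""

    def __init__(self, aaa, profiles, key):
        self.aaa, self.profiles, self.key = aaa, profiles, key

    def handle_authn_request(self, observed_src_ip, claimed_ip, audience, now=DEMO_NOW):
        # Key the lookup on the address the network vouches for (the observed
        # source of the connection); reject a client-supplied address that differs.
        if claimed_ip is not None and claimed_ip != observed_src_ip:
            return None
        msisdn = self.aaa.authentication_request(observed_src_ip, now)
        if msisdn is None:
            return None
        # Check 12: does this user hold a valid identity for this application?
        app_identity = self.profiles.get(msisdn, {}).get(audience)
        if app_identity is None:
            return None
        return self.build_assertion(app_identity, audience, now)

    def build_assertion(self, subject, audience, now=DEMO_NOW, lifetime=300):
        body = {"subject": subject, "audience": audience,
                "issued": now, "expires": now + lifetime}
        payload = json.dumps(body, sort_keys=True)
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}


class ServiceProvider:
    """Message 14: validates the assertion before granting access (message 15)."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def grant_access(self, assertion, now=DEMO_NOW):
        if assertion is None:
            return None
        expected = hmac.new(self.key, assertion["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["tag"]):
            return None  # altered or forged assertion
        body = json.loads(assertion["payload"])
        if body["audience"] != self.name or body["expires"] <= now:
            return None  # meant for another application, or expired
        return body["subject"]


def integrated_login(observed_src_ip, claimed_ip=None, audience="app.example", now=DEMO_NOW):
    """Runs the whole flow; returns the granted application identity or None."""
    idp = IdentityProvider(AAAServer(AAA_SESSIONS), PROFILES, IDP_KEY)
    sp = ServiceProvider(audience, IDP_KEY)
    return sp.grant_access(idp.handle_authn_request(observed_src_ip, claimed_ip, audience, now), now)


if __name__ == "__main__":
    print(integrated_login("10.0.0.17"))                          # alice@app.example
    print(integrated_login("10.0.0.18"))                          # None: session expired
    print(integrated_login("10.0.0.99"))                          # None: unknown address
    print(integrated_login("10.0.0.17", claimed_ip="10.0.0.18"))  # None: address mismatch
```

In this model the network-level authentication is trusted only through the AAA server's own session table, so the decision is as fresh as that table: once the PDP context ends and the address is reassigned, the lookup must fail, which is why the session expiry is checked before the primary identity is returned.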
In accordance with one or more embodiments of the invention, a method and devices for a federation mechanism in AAA / IdM Server environment are provided.
Embodiments of the invention may bridge a gap between network level authentication and application level authentication, e.g. by extracting a user ID for e.g. a valid IP data session from a network element that can resolve a mapping between the IP address and a primary identity ID (e.g. MSIDN) of a user. The mapping information may e.g. be retrieved from an AAA-Server or a PCRF or from a BSF according to GBA/ GAA.
Embodiments of the invention allow a user to access internet applications without an explicit authentication. That means the user does not have to carry out any specific action, e.g. type in a username/ password etc on her or his mobile terminal.
At least one or more of the embodiments of the invention may be applied to or used in or for packet networks.
Authentication may be effected in accordance with one or more embodiments of the invention by means, processes or functions in accordance with third generation partnership project, 3GPP.
In accordance with one or more embodiments of the invention, federation of identities such as MSISDN/IP address or other identities, is provided. All services may be running in the operator's domain.
The pair of MSISDN/ IP address or other identities may be stored in the authentication server, e.g. AAA server 5.
The MSISDN/ IP address pair may be requested by an entity like the identity management or identity provider.
The ID may be sent to the service in accordance with one or more embodiments of the invention. The user may be authenticated by the service in accordance with one or more embodiments of the invention. In accordance with one or more embodiments of the invention a user or terminal identity such as MSISDN may be included in the HTTP header e.g. of message 11 or other messages.
An embodiment of the invention may e.g. be implemented in a real-time protocol, RTP, innovation project or in an Internet attribute broker.
Fig. 2 illustrates an embodiment of an apparatus in accordance with the invention. The embodiment of Fig. 2 may be a service provider such as an identity provider or function 6 of Fig. 1, or a part, module, chipset, software, or program codes of such an apparatus or function 6. According to the embodiment of Fig. 2, the apparatus 6 comprises a transceiver 61 for transmitting and/or receiving signals, a processor 62 for at least one of processing data or controlling part or all of the apparatus 6; an identity check means or function 63 for checking an identity or validity of such an identity e.g. in case the apparatus 6 receives information, e.g. from browser 2, on an identity for a service, content or information to be provided for user equipment 1. Further, a memory 64 is provided for storing at least one or more of information on valid identities, control functions, program instructions, etc.
A network may comprise such an apparatus or function as mentioned above. The network may comprise an evolved packet service, EPS architecture, or may comprise at least one of a serving general packet radio service support node, SGSN, a mobility management entity, MME, or a gateway.
In accordance with one or more embodiments of the invention, a network or architecture may e.g. have an evolved packet system, EPS, or long-term evolution, LTE, architecture and may comprise one or more of a serving GPRS, general packet radio service, support node, SGSN, a mobility management entity, MME, for managing mobility, UE identities and security parameters, a UMTS terrestrial radio access network, UTRAN, a GERAN, GSM/EDGE, Enhanced Data rate for GSM Evolution, radio access network, E-UTRAN, a HS, a serving gateway e.g. for terminating an interface towards E-UTRAN, a packet data network gateway such as e.g. a gateway general packet radio service support node, GGSN, a packet data network, PDN, a policy and charging rules function, PCRF, and operator's IP services (e.g. IP multimedia subsystem, IMS, PSS etc.).
The access point may be a gateway, a serving gateway, a packet data network gateway, or a gateway general packet radio service, GPRS, support node, GGSN.
For the purpose of embodiments of the present invention as described herein above, it should be noted that any access or network technology may be used which may be any technology by means of which a user equipment can access a network. The network may be any device, unit or means by which a mobile or stationary entity or other user equipment may connect to and/or utilize services offered by the network. Such services may include, among others, data and/or (audio-) visual communication, data download etc.
Generally, the present invention is also applicable in those network/terminal environments relying on a data packet based transmission scheme according to which data are transmitted in data packets and which are for example based on the Internet Protocol IP. The present invention is, however, not limited thereto, and any other present or future IP or mobile IP version, or, more generally, a protocol following similar principles is also applicable. The user equipment entity may be any device, unit or means by which a system user may experience services from a network.
The sequence of method steps described above or shown in the drawings can be implemented in any other sequence arbitrarily deviating from the above described or shown sequence of steps. Further, the method, apparatuses and devices may include only one, more or all of the features described above or shown in the drawings, in any arbitrary combination.
The method steps may be implemented as software code portions and be run using a processor at a network element or terminal, can be software code independent, or can be specified using any known or future developed programming language as long as the functionality defined by the method steps is preserved. Generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention in terms of the functionality implemented. Devices, apparatus, units, or means, and/or method steps may be implemented as hardware components of a stationary or mobile station, or a terminal, or a network element, or part, or chipset, or module thereof, which part, or chipset, or module e.g. be used for an apparatus; may be hardware independent; and may be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) components, CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components. Devices, apparatus, units or means (e.g. User equipment, CSCF) can be implemented as individual devices, units, means, chipsets, modules, or part of devices, and may also be implemented in a distributed fashion throughout a system, as long as the functionality of the device, unit or means is preserved.
Claims
1. A method, comprising retrieving a user identity based on another identity in case access to an item is required by indicating the another identity, checking based on the retrieved user identity whether the user has a valid identity for the item to be accessed, deciding on grant of access to the item based on the check result, further comprising at least one of: the user identity is retrieved from at least one of an authentication server, an authentication, authorization and accounting server, a policy and charging rules function, or a bootstrapping server function, at least one of the retrieving, checking and deciding is performed by an identity provider or identity management.
2. A method according to claim 1, wherein the item is at least one of an application, service, content, or information.
3. A method according to claim 1 or 2, comprising at least one of: the identity provider or identity management retrieves the required user identity from the authentication server by sending an IP address, the identity provider or identity management or authentication server checks profile data of the user based on the user identity.
4. A method according to any one of claims 1 to 3, comprising: the identity provider or identity management checks whether the user has a valid identity for the application to be accessed.
5. A method according to any one of claims 1 to 4, comprising at least one of: in case of a valid identity the identity provider builds up a security assertion, optionally using a security assertion markup language, sending the security assertion to the application to be accessed, granting access to the application based on the identity with the security assertion.
6. An apparatus, configured to retrieve a user identity based on another identity in case access to an item is required by indicating the another identity, check based on the retrieved user identity whether the user has a valid identity for the item to be accessed, decide on grant of access to the item based on the check result, further comprising at least one of: retrieve the user identity from at least one of an authentication server, an authentication, authorization and accounting server, a policy and charging rules function, or a bootstrapping server function, perform at least one of the retrieving, checking and deciding by an identity provider or identity management.
7. An apparatus according to claim 6, wherein the apparatus is an identity provider or identity management.
8. An apparatus according to claim 6 or 7, comprising at least one of: the identity provider or identity management is configured to retrieve the required user identity from an accounting server by sending an IP address, the identity provider or identity management or accounting server is configured to check profile data of the user based on the user identity, the identity provider or identity management is configured to check whether the user has a valid identity for the application to be accessed.
9. An apparatus according to claim 6, 7 or 8, comprising at least one of: the identity provider is configured to build up a security assertion, optionally using a security assertion markup language, in case of a valid identity.
10. An apparatus according to any one of claims 6 to 9, the apparatus being configured to send the or a security assertion to an application to be accessed, and/or to grant access to the application based on the identity with the security assertion.
11. An apparatus, configured to: comprise a database mapping user identities to other identities, provide a user identity based on another identity indicated in a retrieval request, wherein the apparatus is at least one of: an authentication server, an authentication, authorization and accounting server, a policy and charging rules function, or a bootstrapping server function.
12. Computer program product, comprising code means configured to carry out or implement, when run on a processor, retrieving a user identity from at least one of an authentication server, an authentication, authorization and accounting server, a policy and charging rules function, or a bootstrapping server function, based on another identity in case access to an item is required by indicating the another identity, checking based on the retrieved user identity whether the user has a valid identity for the item to be accessed, deciding on grant of access to the item based on the check result.
13. Computer program product, comprising code means configured to carry out or implement, when run on a processor, retrieving a user identity based on another identity in case access to an item is required by indicating the another identity, checking based on the retrieved user identity whether the user has a valid identity for the item to be accessed, deciding on grant of access to the item based on the check result, wherein at least one of the retrieving, checking and deciding is performed by an identity provider or identity management.
14. Computer program product according to claim 12 or 13, embodied on a computer-readable medium.
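Claims 6 to 13 describe one flow: the identity provider resolves the user identity from another identity (such as an IP address) through an accounting server, checks the user's profile for a valid identity for the application, and issues a security assertion that the application uses to grant access. The following Python model is an added example, not code from the patent; the issuer name, addresses, user identities and entitlement table are constructed assumptions.

```python
# Added example, not code from the patent: an identity provider that resolves the
# user identity from "another identity" (here an IP address) through an accounting
# server lookup, checks the profile for a valid identity for the requested
# application, and builds a SAML-style assertion on success. All data is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets
import xml.etree.ElementTree as ET

ISSUER = "https://idp.example.net"  # hypothetical identity provider name

@dataclass
class AccountingServer:
    """Stand-in for an AAA server / PCRF / BSF: maps IP address -> user identity."""
    ip_to_user: dict = field(default_factory=dict)

    def lookup(self, ip_address):
        return self.ip_to_user.get(ip_address)  # None when no session is known

@dataclass
class IdentityProvider:
    accounting: AccountingServer
    profiles: dict  # user identity -> set of applications the user holds a valid identity for

    def decide(self, ip_address, application):
        """Return a SAML-style assertion string if access is granted, else None."""
        user = self.accounting.lookup(ip_address)
        if user is None or application not in self.profiles.get(user, set()):
            return None  # unknown address, or no valid identity for this item
        return self._build_assertion(user, application)

    def _build_assertion(self, user, application):
        now = datetime.now(timezone.utc)
        a = ET.Element("Assertion", ID="_" + secrets.token_hex(16), IssueInstant=now.isoformat())
        ET.SubElement(a, "Issuer").text = ISSUER
        ET.SubElement(ET.SubElement(a, "Subject"), "NameID").text = user
        cond = ET.SubElement(a, "Conditions", NotBefore=now.isoformat(),
                             NotOnOrAfter=(now + timedelta(minutes=5)).isoformat())
        ET.SubElement(ET.SubElement(cond, "AudienceRestriction"), "Audience").text = application
        return ET.tostring(a, encoding="unicode")

def assertion_subject(assertion):
    """Helper for the consuming application: (subject NameID, intended audience)."""
    root = ET.fromstring(assertion)
    return root.findtext("Subject/NameID"), root.findtext("Conditions/AudienceRestriction/Audience")

# Constructed sample data: two network sessions and the users' application entitlements
ACCOUNTING = AccountingServer({"10.0.0.7": "user-1234@operator.example", "10.0.0.9": "user-5678@operator.example"})
PROFILES = {"user-1234@operator.example": {"mail", "calendar"}, "user-5678@operator.example": {"mail"}}
IDP = IdentityProvider(ACCOUNTING, PROFILES)
```

The audience restriction binds the assertion to the one application it was issued for, so a relying party must reject an assertion whose Audience does not match its own identifier.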
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2008/058384 WO2010000298A1 (en) | 2008-06-30 | 2008-06-30 | Apparatus, method and program for integrated authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010000298A1 true WO2010000298A1 (en) | 2010-01-07 |
Family
ID=40395883
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2008/058384 WO2010000298A1 (en) | 2008-06-30 | 2008-06-30 | Apparatus, method and program for integrated authentication |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2010000298A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003073783A1 (en) * | 2002-02-28 | 2003-09-04 | Telefonaktiebolaget L M Ericsson | System, method and apparatus for federated single sign-on services |
WO2006045402A1 (en) * | 2004-10-26 | 2006-05-04 | Telecom Italia S.P.A. | Method and system for transparently authenticating a mobile user to access web services |
Application events: 2008-06-30, WO PCT/EP2008/058384 patent/WO2010000298A1/en, active, Application Filing
Non-Patent Citations (1)
Title |
---|
"Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); Liberty Alliance and 3GPP security interworking; Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Services Framework (ID-WSF) and Generic Authentication Archi", 1 October 2007, ETSI STANDARDS, LIS, SOPHIA ANTIPOLIS CEDEX, FRANCE, ISSN: 0000-0001, XP014039738 * |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101789864B (en) * | 2010-02-05 | 2012-10-10 | 中国工商银行股份有限公司 | On-line bank background identity identification method, device and system |
WO2011149704A1 (en) * | 2010-05-28 | 2011-12-01 | Alcatel-Lucent Usa Inc. | Application layer authentication in packet networks |
US8973125B2 (en) | 2010-05-28 | 2015-03-03 | Alcatel Lucent | Application layer authentication in packet networks |
US20110296518A1 (en) * | 2010-05-28 | 2011-12-01 | Igor Faynberg | Application layer authentication in packet networks |
US8881247B2 (en) | 2010-09-24 | 2014-11-04 | Microsoft Corporation | Federated mobile authentication using a network operator infrastructure |
US20120079569A1 (en) * | 2010-09-24 | 2012-03-29 | Microsoft Corporation | Federated mobile authentication using a network operator infrastructure |
WO2013002886A1 (en) * | 2011-06-30 | 2013-01-03 | Cisco Technology, Inc. | Network identity for software-as-a-service authentication |
US8949938B2 (en) | 2011-10-27 | 2015-02-03 | Cisco Technology, Inc. | Mechanisms to use network session identifiers for software-as-a-service authentication |
US9356928B2 (en) | 2011-10-27 | 2016-05-31 | Cisco Technology, Inc. | Mechanisms to use network session identifiers for software-as-a-service authentication |
CN103139181A (en) * | 2011-12-01 | 2013-06-05 | 华为技术有限公司 | Authorization method, authorization device and authorization system of open type authentication |
CN103139181B (en) * | 2011-12-01 | 2016-03-30 | 华为技术有限公司 | A kind of authorization method of open authentication, device and system |
WO2013149650A1 (en) * | 2012-04-03 | 2013-10-10 | Telefonaktiebolaget L M Ericsson (Publ) | Methods and apparatus for providing a subscriber identity |
US20150043430A1 (en) * | 2012-04-03 | 2015-02-12 | Telefonaktiebolaget L M Ericsson (Publ) | Methods and apparatus for providing a subscriber identity |
US9503885B2 (en) | 2012-04-03 | 2016-11-22 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods and apparatus for providing a subscriber identity |
US9152781B2 (en) | 2012-08-09 | 2015-10-06 | Cisco Technology, Inc. | Secure mobile client with assertions for access to service provider applications |
US9876799B2 (en) | 2012-08-09 | 2018-01-23 | Cisco Technology, Inc. | Secure mobile client with assertions for access to service provider applications |
US11495749B2 (en) | 2015-04-06 | 2022-11-08 | Universal Display Corporation | Organic electroluminescent materials and devices |
CN106295394A (en) * | 2016-07-22 | 2017-01-04 | 飞天诚信科技股份有限公司 | Resource authorization method and system and authorization server and method of work |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08774537; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 08774537; Country of ref document: EP; Kind code of ref document: A1 |