CN1898622A - Method and apparatus for personalization and identity management - Google Patents

Method and apparatus for personalization and identity management

Info

Publication number
CN1898622A
Authority
CN
China
Prior art keywords
identifier
message
isp
user
customized information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200480038050
Other languages
Chinese (zh)
Other versions
CN100517162C (en)
Inventor
斯蒂芬·H·麦厄斯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Oracle International Corp
Oracle America Inc
Original Assignee
Oracle International Corp
Application filed by Oracle International Corp
Publication of CN1898622A
Application granted
Publication of CN100517162C
Legal status: Active

Abstract

The invention discloses methods and systems for personalization and identity management. In one embodiment, the method comprises receiving, from an access provider, a message for a service provider, the message associated with a first identifier of a user of the access provider. A second identifier is obtained, the first identifier is disassociated from the message, and the second identifier is associated with the message. The message associated with the second identifier is then sent to the service provider.

Description

Method and apparatus for personalization and identity management
Cross-reference to related applications
This application claims priority to U.S. Provisional Patent Application No. 60/530,599, entitled "Method and Apparatus for Personalization and Identity Management", filed December 17, 2003, which is incorporated herein by reference.
Technical field
The present invention relates generally to identity management in electronic commerce. More particularly, it relates to identity management, authentication, user preferences and profiles that can be accessed from different locations and different devices (for example, in the mobile space).
Background art
Various techniques have been used to manage user identities. In general, to gain access to a network application or server, the user provides identity information identifying the user to the application or server provider. The user is then given a login identifier that can be used to access the application or server. In some cases, the application or server may also create a user profile for the user. The application provider may send a cookie or authentication token to the application (for example, a web browser) or device (for example, the user's machine) that the user uses to access the application. Information such as the login identification, user preferences and transaction history can thus be saved for the user's next visit to the network application. However, the user's personalization information (user preferences, transaction history and so on) cannot be shared between different providers. In addition, the user's identification is known to the service provider.
Other prior art allows a user to access multiple applications with one login identifier. One example is single sign-on (SSO), such as Oracle's Single Sign-On Offerings. SSO is valid for one session between applications that have the specific SSO "hard-coded" in their program code. Because SSO is valid only for a single session, it does not provide personalization of applications. In addition, the user's identity is known to all of the applications.
Another existing approach uses centralized identity management across different access providers, for example Microsoft's Passport technology. The service provider must include program code in its application that allows the identity/authentication provider to authenticate the user. The client must then use the single identity/authentication provider to log in to the service. This may increase the risk of privacy leaks and privacy intrusion. In addition, the service provider becomes dependent on the identity/authentication provider. For some service providers this may be considered an unacceptable monopoly risk, particularly for telecommunications providers, mobile network operators (MNOs) and banking providers.
Federated identity management is another approach; it can provide distributed single sign-on between providers. One such federation is the Liberty Alliance Project (http://www.projectliberty.org). Federated identity management allows authentication of a user by one member of the federation to serve as authentication for the other members of the federation. However, it still provides no mechanism for masking the user's identity or for sharing user preferences or other personalization information between providers.
Summary of the invention
Methods and systems for personalization and identity management are disclosed. In one embodiment, the method comprises receiving, from an access provider such as a mobile network operator or wireless network provider, a message for a service provider. The message is associated with a first identifier of a user of the access provider. A second identifier is obtained. The first identifier is disassociated from the message, and the second identifier is then associated with the message. The message associated with the second identifier is then sent to the service provider. In some embodiments, an indication that the second identifier has been authenticated may also be sent to the service provider.
In some embodiments, the method may include retrieving personalization information associated with the second identifier and sending a subset of the personalization information to the service provider. By way of example, personalization information may include user preferences, user device characteristics, user device capabilities, user device settings, user device addresses and other user personalization information. The method may optionally include determining, before the information is sent, that the service provider is authorized to have the personalization information. The personalization information may have been received from the user or the service provider, and/or derived from the user's history.
Alternatively or additionally, the method may also include associating a session with the second identifier and associating the message received from the access provider with that session. The message, and one or more additional messages associated with the first identifier that are received from the access provider, may be evaluated for session management information. The session management information may be stored for retrieval when a lost connection to the service provider is re-established.
After the message is received from the access provider, a message for the service provider may be received from a second access provider. This message may be associated with a third identifier of the user. The method may then include determining that the third identifier is mapped to the first identifier. The third identifier is disassociated from the message, and the second identifier is then associated with it. The second message, associated with the second identifier, is then sent to the service provider.
In an alternative embodiment, the method may include receiving, from a mobile network operator, a message for a service provider. The received message may be associated with the user's MSISDN. An identifier is obtained and authenticated. The MSISDN is disassociated from the message, and the obtained identifier is then associated with it. The message is then sent to the service provider together with an indication that the identifier has been authenticated. Personalization information indicating the user's preferences is also sent to the service provider.
A system is disclosed in a third embodiment. The system includes an identity component configured to disassociate a user's first identifier from a message received from an access provider. The identity provider is also configured to obtain an identifier for the access provider's user and to associate this second identifier with the message. The system also includes an authentication component configured to authenticate the second identifier and to associate with the message an indication that the second identifier has been authenticated. A communication interface is configured to send the message, associated with the second identifier and the indication, to the service provider.
The nature and advantages of the invention can be further understood by reference to the remainder of the specification and the drawings.
Brief description of the drawings
Illustrative embodiments of the invention are shown in the drawings, in which:
Fig. 1 shows an exemplary embodiment of a system that uses identity management;
Fig. 2 shows an exemplary embodiment of the identity provider of Fig. 1;
Fig. 3 shows a second exemplary embodiment of a system that uses identity management;
Fig. 4 shows a third exemplary embodiment of a system that uses identity management;
Fig. 5 shows a simple comparison of some currently available mobile network technologies;
Fig. 6 is a block diagram of a computer system on which the identity provider can be implemented;
Fig. 7 shows a flowchart of a method for masking a user's identification; and
Fig. 8 shows a flowchart of identity management for a user who switches access providers.
Detailed description
In the following description, numerous details are set forth for purposes of explanation, to provide a thorough understanding of the invention. It will be apparent to those skilled in the art, however, that the invention may be practiced without some of these details. In other instances, well-known structures and devices are shown in block diagram form.
Fig. 1 shows an exemplary embodiment of a system that can be used to provide identity management to users. A user may use access provider 102 to access a network. The network may be a local area network (LAN), a wide area network (WAN), a wireless network or another type of network. Access provider 102 may therefore be an ISP, a mobile network operator (MNO), or another type of provider of access to a wireless communication network, such as a provider of access to a wireless network (for example, a General Packet Radio Service (GPRS) network, a WiFi network, 2.5G, EDGE, UMTS, 3G, CDMA, FOMA and so on). In some embodiments, the user may access the network from a mobile device. By way of example, the mobile device may be a laptop computer, a personal digital assistant (PDA), a mobile phone or another type of device. In other embodiments, the user device may be relatively stationary, for example a personal computer.
Using the network access provided by access provider 102, the user can interact with one or more service providers 108, 110. Service providers 108, 110 may offer many different types of services. For example, service providers 108, 110 may provide email services, voicemail services, messaging services (for example, text messaging, instant messaging, MMS, voice chat and so on) or application services. By way of example, application services may include: a web site that allows users to buy goods or services; an application for finding someone's location, presence or availability; an application that synchronizes data with a repository; an application that provisions or manages the life cycle of data, applications or devices; or an application that accesses a particular domain. It should be appreciated that service providers 108, 110 may also provide a wide range of other types of services.
The user device (not shown) has an associated identifier that allows access provider 102 to send messages to it. By way of example, the identifier may be a network interface card (NIC), a mobile identification number (MIN), a mobile station ISDN (MSISDN), EMI, SIM information or USIM information. Messages sent from the user device to service providers 108, 110 via access provider 102 generally have this identifier associated with them, so that service providers 108, 110 can send messages back to the user. In some cases, however, for privacy or other reasons, the user may not want the service provider to know the identifier. For example, a mobile phone user may not want service providers 108, 110 to know the user's mobile identification number.
Identity provider 104 can be used to mask the user's address from service providers 108, 110. As described in more detail below, identity provider 104 can obtain a different identifier for the user. Identity provider 104 can disassociate the first identifier from a message sent by the user and associate the message with a second identifier. The message associated with the second identifier can then be sent to the service provider 108, 110 to which the message is directed. In some cases, identity provider 104 may also authenticate the second identifier and then send, with the message, an indication that the second identifier has been authenticated. Service providers 108, 110 route messages returned to the user to identity provider 104. The identity provider can then replace the second identifier associated with a message received from service providers 108, 110 with the first identifier, and send the message to access provider 102 for delivery to the user. The user can thus transact with service providers 108, 110 without providing identifying information such as a user device address, name, email address, telephone number or other identifying information.
Fig. 2 shows an exemplary embodiment of identity provider 104. Identity provider 104 includes identity manager 204. Identity manager 204 can be used to obtain an identifier for the user that is used to mask the user's identification from service providers 108, 110. In some cases, a new identifier may be created for the user address. In other cases, identity manager 204 may determine that an identifier already exists for the user. For example, the identifier used for masking may already have been assigned to another identifier of the user. As another example, the identifier may have been assigned to multiple additional identifiers of the same user (for example, a user with multiple access providers and/or devices), each of which is mapped to this identifier. The same identifier may be used to access multiple service providers 108, 110. Alternatively, a different identifier may be obtained for each access provider to mask the user's identity from that access provider.
Identity manager 204 can then pass the identifier used for masking to authentication manager 206 to be authenticated. Authentication can be performed based on credentials received from the access provider. The credentials may include a token, a cookie, a digital certificate, SIM authentication or another type of token. In some cases, a challenge-response may be sent to the user device to authenticate the user. After authenticating the identifier, authentication manager 206 can notify identity manager 204 that the identifier has been authenticated. Authentication manager 206 can then forward the message associated with the identifier, together with an indicator that the identifier has been authenticated.
In one embodiment, identity manager 204 can receive a message from access provider 102, mask the user's identity, and then send the message associated with the masked identification to service provider 110. Identity manager 204 can also be used to route messages received from service providers 108, 110 to the user, by replacing the masked identity associated with the message with the user's identity at the access provider. Thus, when the masked identifier is mapped to multiple user identities at one or more access providers, identity manager 204 can keep track of the current identifier to use for sending messages.
In other embodiments, messages may be sent to an intermediate node, such as session/personalization manager 202, which can use identity manager 204 to obtain the user's masked identification. Identity provider 104 may thus optionally include session/personalization manager 202, or another type of intermediate node, to receive a message from access provider 102, obtain the masked identifier from identity manager 102, substitute the masked identifier for the access provider's user identification, and then send the message to service providers 108, 110. As noted above, identity manager 102 can authenticate the masked identifier; session/personalization manager 202 (or the other type of intermediate node) can therefore also send with the message an indication that the identifier used for masking has been authenticated. Session/personalization manager 202 or the other type of intermediate node can also be used to route messages received from service providers 108, 110 back to the user, by replacing the identifier with the access provider's user identification.
Session/personalization manager 202 can also be used to share the user's personalization information among multiple service providers 108, 110, and/or to perform session management when the user switches to a different access provider or uses a different device to access service provider 108. A detailed description of how session management can be performed when the user roams (switches access providers) or uses a second device to access a service provider is given in Application No. XX/XXXX,XXX (attorney docket No. 021756-000900US), entitled "ROAMING ACROSS DIFFERENT ACCESS MECHANISMS AND NETWORK TECHNOLOGIES", the details of which are incorporated herein by reference.
The identifier assigned to the user can be associated with a session with service providers 108, 110. Messages from the user to service providers 108, 110 (and messages between the service provider and the user) that are received within a predetermined period can then be associated with that session. Session manager 202 can evaluate the messages for session management information. Session management information may include data representing the state of the interaction between the user and the access provider, state or user preferences within the session, and/or other types of session information. As described in detail below, session management information can be used to support different types of user roaming (for example, suspend and resume, connected/disconnected/intermittently disconnected, and multi-device roaming). Session/personalization manager 202 can use data storage device 208 to store session management information.
In addition, session/personalization manager 202 can manage the user's personalization information. Session/personalization manager 202 can retrieve personalization information associated with the identifier from data storage device 208. A subset of the personalization information can be sent to service providers 108, 110. In some cases the subset may include all of the personalization information; in other cases, only personalization information that applies to service providers 108, 110, or that service providers 108, 110 are authorized to have, may be sent. In embodiments in which a different identifier is provided for each service provider 108, 110 to mask the user's identity, the personalization information can be mapped to all of the identifiers so that it can be shared among multiple service providers 108, 110. In addition, a subset of general personalization information can be mapped to each of the multiple identifiers, while application-specific personalization information is mapped only to the identifier used for the service provider 108, 110 of the particular application.
Personalization information can include many different types of information. For example, it may include general user preferences, or application-related preferences or other personalization information such as payment information or preferences (for example, m-commerce, electronic wallet, or other information specifying the user's preferences and accounts used for payment), application settings, account information, contact/address book information or other types of application-specific information. Personalization information may also include device-related information, such as device settings, unified messaging (UM) priority lists, or privacy rules about where and how the user may be contacted. Other examples of personalization information include user credentials, the user's subscriptions to services including preferences and privacy settings, user devices (for example, device characteristics/capabilities, device settings, device addresses and so on), network/access mechanism characteristics (for example, multi-channel, multi-modal, voice and so on), and other types of stored information about the user's preferences or other information. The user's personalization information may be set explicitly or provided by the user. Alternatively or additionally, session/personalization manager 202 may derive preferences or personalization information from messages sent between the user and service providers 108, 110. In embodiments in which session/personalization manager 202 derives personalization, the Platform for Privacy Preferences (P3P) may be used to determine the type of information being transmitted by messages for some applications.
Session/personalization manager 202 can send personalization information to service providers 108, 110 when the user initiates a session with the service provider or at other times (for example, during an ongoing session), where the preference information can be used to establish a context relevant to the user. Personalization information may also (or alternatively) be sent in response to a request received from service providers 108, 110. For example, session/personalization manager 202 may previously have received one or more cookies associated with the identifier from service providers 108, 110. Rather than forwarding the cookies to the user device, session/personalization manager 202 can store them in data storage device 208. When the service provider requests a cookie, session/personalization manager 202 can retrieve it from data storage device 208 and send it to service providers 108, 110. Session/personalization manager 202 can thus act as a cookie proxy for the service provider. Other types of personalization information may also be sent when requested by service providers 108, 110.
Various techniques can be used to ensure that service providers 108, 110 receive only the personalization information they are authorized to have. For example, a service provider may have access rights to personalization information indicating application settings (for example, background color) but no access rights to identity information. Before sending personalization information, session/personalization manager 202 can therefore determine whether service providers 108, 110 are authorized to have it. Session/personalization manager 202 may ask the user for authorization before sending the information (for example, via a "pop-up" message), or may consult rules (default or set by the user) to determine which types of information to send. In some embodiments, service providers 108, 110 may have access rights to data storage device 208, but the information may be filtered so that only authorized information can be viewed, retrieved or modified by service providers 108, 110. Other mechanisms may also be used to prevent unauthorized access to, or sending of, personalization information.
It should be appreciated that in alternative embodiments identity provider 104 may differ from that shown in Fig. 2. For example, identity provider 104 may not include authentication manager 206, and may instead use an authentication server provided by a third party. As another example, session/personalization manager 202 may be separate components, or may provide only session management or only personalization management rather than both. As a third example, personalization information may be stored in a data storage device different from the one used to store session management information. Other alternatives are also contemplated.
In one exemplary embodiment, the user can use identity provider 104 to mask identity while interacting with a payment provider. The user can log in to a store web site using an identity manager (for example, as shown in Fig. 1) to mask identity. After the user has selected items to purchase and is ready to pay, the store can send the user's masked identity to the payment provider. The store may also send other personalization, preference or profile information. The payment provider can then use a protocol such as the 3-Domain Secure protocol to obtain authentication of the user. In some embodiments, the identity manager may also be used to authenticate the user. The payment provider may thus know only that the user has been authenticated, without knowing the user's identity, payment authorization or account information. If necessary, the payment provider can interact with the user through the identity manager to obtain confirmation or other information needed to authorize the transaction. When finished, the payment provider can ask the identity manager to bill the account established by the service provider. Identity provider 104 can then send the user a bill for the payment amount, or send billing information to access provider 102 to be merged with the access provider's bill. Alternatively, the payment provider can use the identity manager to send the user a billing notice (for example, by email).
Fig. 3 shows an exemplary system 300 that can be used to support masking of the user's identification when the user switches access providers. In various circumstances, the user may switch from access provider 302 to second access provider 304. For example, the user may be using a mobile device (for example, a mobile phone) that roams to a different network. As another example, the user may switch from one type of access provider (for example, a General Packet Radio Service (GPRS) access provider) to a second type of access provider (for example, a WiFi provider). The user may also switch access providers when switching from a first device to a second device that uses a different access provider to access the network. The user may also switch between access providers in various other situations, for example when switching from one WiFi network to another, or from WiFi to 3G or GPRS. Sometimes, when the user switches to a different access provider, the user's identity for the different access provider remains the same. By way of example, when roaming from one MNO network to a second MNO network, the user's identification (for example, the MSISDN number) remains unchanged. In other situations, the user's identifier may change, for example when switching devices or when switching to a different type of access provider.
Fig. 3 shows an embodiment in which both access providers 302, 304 use the same identity provider 306 to provide identity management. After the user has switched access providers 302, 304, identity manager 306 receives one or more messages for service provider 310 from the second access provider. If the user identity used for the second access provider has not changed from the identity used for the first access provider, identity manager 306 can continue to disassociate the access provider's user identification from messages sent by this user to service provider 310, and to associate those messages with the masked identifier that is mapped to the access provider's user identification (the identifier obtained when a message was received from access provider 302). Using the access provider's user identification, messages sent by service provider 310 to the identifier are routed to the user via second access provider 304.
In many situations, the user's identity will change when switching from first access provider 304 to second access provider 304. In some embodiments, access providers 302, 304 may be members of a federation in which access providers 302, 304 agree to accept authentication of a user identity at one member (access provider 302) as authentication of the identity maintained by a different member (access provider 304). Identity provider 104 (for example, in the identity manager 204 component) can thus maintain a mapping of the identifiers that the user has at each access provider 302, 304. Because identity provider 104 maintains this information, access providers 302, 304 need not know the identities that the user has at other access providers. The user may also provide some mappings to identity provider 306.
After receiving, via second access provider 304, a message associated with the user's third identifier (the identifier used by the second access provider), identity provider 306 determines that the third identifier is mapped to the first identifier, which is associated with messages received from first access provider 302. Identity provider 306 then disassociates the third identifier from the message and associates the second message with the masked identifier that is mapped to the first identifier. The message associated with the masked identifier is then sent to service provider 310.
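The identifier swap, the return routing, the mapping of a second access provider's identifier to the same masked identifier, and the release of only authorized personalization information can be traced in the following added Python example, which is not code from the patent. The class and method names, the random-token scheme for masked identifiers, and all provider names, identifiers and release rules are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Message:
    user_id: str                 # identifier currently associated with the message
    service: str                 # service provider the message is for or from
    body: str
    authenticated: bool = False  # indication that user_id was authenticated


class IdentityProvider:
    """Hypothetical model of the node between access and service providers."""

    def __init__(self, release_rules):
        self._masked = {}    # (access provider, identifier) -> masked identifier
        self._route = {}     # masked identifier -> most recent (access provider, identifier)
        self._profile = {}   # masked identifier -> {category: value}
        self._rules = release_rules  # service provider -> categories it may receive

    def link(self, known, new):
        """Map another (access provider, identifier) pair to an existing user."""
        masked = self._masked[known]
        if self._masked.get(new, masked) != masked:
            raise ValueError("identifier is already mapped to a different user")
        self._masked[new] = masked

    def outbound(self, access_provider, msg, credential_ok):
        """Swap the access provider's identifier for the masked one."""
        key = (access_provider, msg.user_id)
        masked = self._masked.get(key)
        if masked is None:
            # Assumption: masked identifiers are random tokens with no
            # derivable relation to the access provider's identifier.
            masked = "anon-" + secrets.token_urlsafe(12)
            self._masked[key] = masked
        self._route[masked] = key  # replies follow the user to the current provider
        return replace(msg, user_id=masked, authenticated=credential_ok)

    def inbound(self, reply):
        """Restore the access provider's identifier on a service provider reply."""
        if reply.user_id not in self._route:
            raise LookupError("unknown masked identifier; reply not routed")
        access_provider, access_id = self._route[reply.user_id]
        return access_provider, replace(reply, user_id=access_id, authenticated=False)

    def set_preference(self, masked, category, value):
        self._profile.setdefault(masked, {})[category] = value

    def personalization_for(self, masked, service):
        """Return only the categories this service provider is authorized to have."""
        allowed = self._rules.get(service, set())  # no rule: nothing is released
        stored = self._profile.get(masked, {})
        return {k: v for k, v in stored.items() if k in allowed}


def demo():
    # Constructed sample data: names, identifiers and rules are made up.
    idp = IdentityProvider({"shop.example": {"background_color"}})
    first = idp.outbound("mno-a", Message("+15550100", "shop.example", "browse"), True)
    idp.set_preference(first.user_id, "background_color", "dark")
    idp.set_preference(first.user_id, "home_address", "1 Example Street")

    # The user switches to a second access provider with a different identifier.
    idp.link(("mno-a", "+15550100"), ("wifi-b", "user17@wifi-b.example"))
    second = idp.outbound(
        "wifi-b", Message("user17@wifi-b.example", "shop.example", "pay"), True)

    provider, reply = idp.inbound(Message(second.user_id, "shop.example", "receipt"))
    return {
        "first": first,
        "second": second,
        "reply_provider": provider,
        "reply": reply,
        "released": idp.personalization_for(first.user_id, "shop.example"),
        "released_unknown": idp.personalization_for(first.user_id, "ads.example"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The service provider sees the same masked identifier before and after the switch, while the reply is delivered through whichever access provider the user used last.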
In some embodiments, the user may switch devices while still using the same access provider. In those embodiments, the message associated with the third identifier may be sent from the same access provider. Identity provider 306 can use the mapping to determine that the masked identifier associated with the first identifier should also be used to mask the third identifier. In addition, as noted above, in some embodiments identity provider 306 may also provide session and/or personalization management. When the user switches access providers 302, 304 (or switches to a different address), the connection to service provider 310 may be terminated. After the connection is re-established through the second access provider, identity provider 306 can determine that the masked identifier is associated with a session with the service provider. Identity provider 306 can then send (or otherwise provide) session management information to service provider 310. The user can thus continue interacting with service provider 310 in the same or nearly the same state as when the connection was terminated.
Fig. 4 shows a second exemplary embodiment of a system 400 that can be used to support masking of the user's identification when the user switches access providers. In this embodiment, access providers 402, 404 use different identity providers 406, 408. Access providers 402, 404 may have a federation agreement that gives identity providers 406, 408 access rights to mapping information that associates the identities the user has with each access provider 302, 304. The system includes a data storage device 410 that both access providers 402, 404 can reach. Data storage device 410 can be used to store mappings between the user's identity at each access provider and one or more masked identifiers used to interact with service providers.
After identity provider 406 has obtained the masked identifier for the first identifier associated with access provider 402, identity provider 406 can store the mapping from the first identifier to the masked identifier in data storage device 410. Then, when second identity provider 408 receives a message from access provider 404 that is associated with a third identifier (used by the second access provider), it can first consult data storage device 410 to determine whether a masked identifier has already been assigned to the third identifier. In some embodiments, data storage device 410 can also map the different identities the user has to the different access providers 402, 404. In these embodiments, a search for the masked identifier associated with the third identifier can return the masked identifier assigned to the first identifier (used by the first access provider). Alternatively, access provider 404 can search the data storage device using all of the different identities associated with the user's third identifier. Access provider 404 can then use the same masked identifier that is mapped to the first identifier to mask the user's third identifier in transactions with access provider 412.
In addition to the mappings, assigned by identity providers 406, 408, from masked identifiers to the identities the user has with one or more access providers 402, 404, data storage device 410 or a different data storage device can also store session or personalization information mapped to an identifier. Identity provider 408 can thus send session and personalization information to service provider 412 as needed or on request. Alternatively, identity providers 406, 408 may not have direct access to the session/personalization information stored by the other identity provider. In these embodiments, second identity provider 408 can ask first identity provider 406 to send the session and personalization information to second identity provider 408 or to service provider 412.
Fig. 5 shows an example wireless network that a user can access via an access provider. Wireless network technologies include wireless wide area network (WWAN), wireless local area network (WLAN), and wireless personal area network (WPAN) technologies. WWAN technologies generally include cellular and related technologies, for example GSM, GPRS, CDPD, CDMA, TDMA, WCDMA, and so on. WWAN networks are high-power, long-range networks, generally with a coverage range on the order of up to thousands of meters. WLAN technologies, on the other hand, are medium-power, medium-range networks, generally with a coverage range on the order of tens of meters, and WPAN networks are low-power, short-range networks, generally with a coverage range of about 10 meters or less. Examples of WLAN technologies include IEEE 802.11 (a), (e) and (g) technologies, and examples of WPAN technologies include Bluetooth, HomeRF, IrDA and IEEE 802.15 technologies. It should be appreciated that a user can also access networks other than wireless networks via an access provider.
Fig. 6 shows one embodiment of a computer system 600 on which an identity provider (or components of an identity provider) can be implemented. Computer system 600 is shown comprising hardware elements that can be electrically coupled via a bus 655. The hardware elements can include one or more central processing units (CPUs) 605; one or more input devices 610 (for example, a mouse, a keyboard, etc.); and one or more output devices 615 (for example, a display device, a printer, etc.). Computer system 600 can also include one or more storage devices 620. By way of example, storage devices 620 can be disk drives, optical storage devices, or solid-state storage devices such as random access memory ("RAM") and/or read-only memory ("ROM"), which can be programmable, fast-updatable, and so on.
Computer system 600 can additionally include a computer-readable storage media reader 625; a communication system 630 (for example, a modem, a network card (wireless or wired), an infrared communication device, etc.); and working memory 640, which can include the RAM and ROM devices described above. In some embodiments, computer system 600 can also include a processing acceleration unit 635, which can include a DSP, a special-purpose processor, and the like.
Computer-readable storage media reader 625 can also be connected to a computer-readable storage medium; together (and optionally in combination with storage devices 620) these broadly represent remote, local, fixed and/or removable storage devices plus storage media for temporarily and/or more permanently containing computer-readable information. Communication system 630 can permit data to be exchanged with a network and/or any other computer.
Computer system 600 can also include software elements, shown as currently located in working memory 640, including an operating system 645 and/or other code 650, such as application programs. The application programs can implement an identity provider, components of an identity provider, and/or the methods of the invention. It should be appreciated that alternative embodiments of computer system 600 can have numerous variations from those described above. For example, customized hardware can be used, and/or specialized components can be implemented in hardware, software (including lightweight components, such as applets), or both. In addition, connections to other computing devices, such as network input/output devices, can also be employed.
Fig. 7 shows an exemplary method that can be used to mask a user's identity. The method can begin by receiving 720 a message destined for a service provider. The message is associated with a first user identifier and can be received from an access provider that provides the user's device with access to a network. A second identifier, to be used to mask the user's identity, is obtained 704. The second identifier can be obtained 704 by an identity provider (for example, the identity manager 204 component). The second identifier may have been obtained previously and be mapped to the first identifier, or to a third identifier that is mapped to the first identifier and is also associated with the user. Alternatively, a new identifier can be created and used as the second identifier.
The first identifier associated with the message is disassociated 706 from the message, and the obtained second identifier is associated 708 with the message in its place. The second identifier can thus be used to route messages back to the identity provider, which replaces the second identifier with the first identifier and then sends the message to the access provider to be forwarded to the user. After the second identifier has been associated with the message, the message is sent 710 to the service provider.
In some embodiments, session and/or personalization information can also be retrieved 712. The session information may be that of a session associated with the obtained second identifier. The session information can be sent 714 to the service provider so that the user can continue interacting with the service provider in the previous state indicated by the session information. Personalization information, which specifies user preferences, device capabilities, and other user-specific information, can also be sent 714 to the service provider. Alternatively, the service provider may have access rights to the personalization information (or a subset of it) associated with the identifier.
Fig. 8 shows an exemplary method that can be used to perform identity management when a user switches access providers. After one or more messages have been received 702 from a first access provider, a message can be received 802 from a second access provider. This message may be associated with the same user identifier as was used with the first access provider. This can happen, for example, when the user roams to a different network or switches to a different device that uses a different access provider to reach the network. Alternatively, the user's third identifier, associated with the message received from the second access provider, may differ from the first identifier associated with the message received from the first access provider. After the message is received 802, it is determined that the third identifier is mapped to the first identifier associated with the message received 702 from the first access provider.
The third identifier is disassociated 806 from the message. The masked identifier that was obtained 704 for the message associated with the first identifier is associated with the message received from the second access provider. The message is then sent 801 to the service provider. Optionally, session and/or personalization information can also be sent 812.
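As an added example (not code from the patent), the following Python models the flows of Figs. 7 and 8: masking the first identifier on the way to the service provider, reusing the same masked identifier after the user switches access providers, and unmasking a reply. The class and method names, the in-memory dictionaries, and the sample identifiers are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    identifier: str   # identity the message currently carries
    destination: str
    body: str


class IdentityProvider:
    """Hypothetical in-memory model of the identity provider in Figs. 7 and 8."""

    def __init__(self):
        self._masked = {}    # (access provider, real identifier) -> masked identifier
        self._route = {}     # masked identifier -> (access provider, real identifier)
        self._sessions = {}  # masked identifier -> session management information

    def link(self, known, new):
        """Record that `new` identifies the same user as the already-seen `known`."""
        self._masked[new] = self._masked[known]  # KeyError if `known` is unmapped

    def outbound(self, provider, msg):
        """Mask a message from an access provider before it reaches a service provider."""
        key = (provider, msg.identifier)
        masked = self._masked.get(key)
        if masked is None:
            # Random, so the service provider cannot derive the real identifier from it.
            masked = "anon-" + secrets.token_hex(8)
            self._masked[key] = masked
        self._route[masked] = key  # replies follow the user's most recent access provider
        session = self._sessions.setdefault(masked, {"messages": 0, "last_body": None})
        session["messages"] += 1
        session["last_body"] = msg.body
        # A new Message is built so no field of the original leaks the real identifier.
        return Message(masked, msg.destination, msg.body), dict(session)

    def inbound(self, msg):
        """Unmask a service provider's reply; fail closed on an unknown identifier."""
        route = self._route.get(msg.identifier)
        if route is None:
            raise LookupError("masked identifier has no mapping")
        provider, real_id = route
        return provider, Message(real_id, msg.destination, msg.body)


def demo():
    """Run the Fig. 7 flow, then the Fig. 8 switch, on constructed sample values."""
    idp = IdentityProvider()
    first = ("mno", "+15550100")               # constructed MSISDN at a mobile operator
    third = ("wifi", "alice@hotspot.example")  # constructed login at a second provider
    out1, _ = idp.outbound("mno", Message("+15550100", "shop.example", "add item 42"))
    idp.link(first, third)  # the mapping that lets the third identifier resolve
    out2, session = idp.outbound(
        "wifi", Message("alice@hotspot.example", "shop.example", "checkout"))
    provider, reply = idp.inbound(Message(out2.identifier, "user", "order confirmed"))
    return out1, out2, session, provider, reply


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The service provider sees the same masked identifier before and after the switch, so the session continues, while the reply is routed to whichever access provider the user used last.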
In the foregoing description, for purposes of illustration, the methods were described in a particular order. It should be appreciated that in alternative embodiments the methods can be performed in an order different from that described. In addition, the methods can include fewer modules than those described, additional modules, or modules different from those described. It should also be appreciated that the methods described above can be performed by hardware components, or can be embodied in sequences of machine-executable instructions, which can be used to cause a machine, such as a general-purpose or special-purpose processor or logic circuits programmed with the instructions, to perform the methods. These machine-executable instructions can be stored on one or more machine-readable media, for example CD-ROMs or other types of optical disks, floppy disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, flash memory, or other types of machine-readable media suitable for storing electronic instructions. Alternatively, the methods can be performed by a combination of hardware and software.
Although illustrative and presently preferred embodiments of the invention have been described in detail here, it should be understood that the inventive concepts can be embodied and employed in various other ways, and that the appended claims are to be construed to include such variations, except as limited by the prior art.

Claims (37)

1. A method, comprising:
receiving, from an access provider, a message for a service provider, the message being associated with a first identifier of a user of the access provider;
obtaining a second identifier;
disassociating the first identifier from the message;
associating the message with the second identifier; and
sending the message associated with the second identifier to the service provider.
2. The method of claim 1, further comprising:
receiving, from the service provider, a second message associated with the second identifier;
disassociating the second identifier from the second message;
associating the first identifier with the second message; and
sending the second message associated with the first identifier to the access provider.
3. The method of claim 1, further comprising:
receiving personalization information associated with the second identifier;
sending a subset of the personalization information to the service provider.
4. The method of claim 3, wherein sending the personalization information is performed in response to receiving, from the service provider, a request to access a portion of the personalization information.
5. The method of claim 4, wherein receiving the request from the service provider comprises receiving, from the service provider, a request to obtain a cookie, the request being associated with the second identifier.
6. The method of claim 3, wherein sending the personalization information comprises receiving, from the user, authorization to send the personalization information.
7. The method of claim 3, wherein sending the personalization information comprises determining whether the personalization information can be shared with the service provider.
8. The method of claim 3, wherein the personalization information comprises one or more user preferences and a common user preference associated with the service provider.
9. The method of claim 3, wherein the personalization information comprises account information.
10. The method of claim 3, wherein the personalization information comprises payment information.
11. The method of claim 3, wherein the personalization information comprises application settings.
12. The method of claim 3, further comprising:
receiving, from the access provider, a second message for a second service provider, the second message being associated with the first identifier;
disassociating the first identifier from the second message;
associating the second message with the second identifier;
sending the second message associated with the second identifier to the second service provider; and
sending a second subset of the personalization information to the service provider.
13. The method of claim 3, further comprising:
receiving, from the access provider, a second message for a second service provider, the second message being associated with the first identifier;
disassociating the first identifier from the second message;
obtaining a third identifier;
associating the second message with the third identifier;
sending the second message associated with the third identifier to the second service provider; and
sending a second subset of the personalization information to the service provider.
14. The method of claim 1, further comprising:
receiving personalization information;
associating the personalization information with the second identifier; and
storing the personalization information associated with the second identifier.
15. The method of claim 14, wherein receiving personalization information comprises receiving personalization information from the user.
16. The method of claim 14, wherein receiving personalization information comprises receiving a cookie from the service provider.
17. The method of claim 14, wherein receiving personalization information comprises receiving one or more of a user device characteristic, a user device capability, a user device setting, and a user device address.
18. The method of claim 14, wherein receiving personalization information comprises receiving at least one user preference.
19. The method of claim 1, further comprising:
associating a session with the second identifier;
associating the message with the session;
evaluating the message for session management information, the session management information comprising data representing a state of interaction between the user and the service provider;
receiving, from the access provider, one or more additional messages for the service provider, the one or more additional messages being associated with the first identifier;
for each additional message for the service provider received from the access provider, associating the additional message with the session, and evaluating each of the additional messages for the session management information; and
storing the session management information.
20. The method of claim 19, further comprising:
receiving, from a second access provider, a second message for the service provider, the second message being associated with a third identifier of the user;
determining that the third identifier is mapped to the first identifier;
disassociating the third identifier from the message;
associating the second message with the second identifier; and
sending the second message associated with the second identifier to the service provider.
21. The method of claim 20, further comprising:
determining that the second identifier is associated with the session;
retrieving the session management information associated with the session; and
sending the session management information to the service provider.
22. The method of claim 1, further comprising:
receiving, from a second access provider, a second message for the service provider, the second message being associated with a third identifier of the user;
determining that the third identifier is mapped to the first identifier;
disassociating the third identifier from the message;
associating the second message with the second identifier; and
sending the second message associated with the second identifier to the service provider.
23. The method of claim 22, wherein receiving the message for the service provider comprises receiving the message at a first identity provider, wherein receiving the second message for the service provider comprises receiving the second message at a second identity provider, and wherein determining that the third identifier is mapped to the first identifier comprises accessing, from the second identity provider, a data storage device containing a user identity mapping, the user identity mapping mapping a user address at the first access provider to a user address at the second access provider.
24. The method of claim 1, wherein obtaining the second identifier comprises determining that the first identifier is mapped to the second identifier.
25. The method of claim 1, wherein obtaining the second identifier comprises obtaining a new identification for the user.
26. The method of claim 1, further comprising:
authenticating the second identifier; and
wherein sending the message comprises sending, together with the message, an indication that the second identifier has been authenticated.
27. The method of claim 1, wherein receiving the message comprises receiving the message from a mobile network operator (MNO).
28. The method of claim 27, wherein the first identifier is an MSISDN.
29. The method of claim 1, wherein receiving the message from the access provider comprises receiving the message from a wireless network provider.
30. The method of claim 29, wherein the wireless network provider is a provider of one of General Packet Radio Service (GPRS), WiFi, 2.5G, FOMA, UMTS, CDMA and EDGE.
31. The method of claim 1, wherein the service provider is a payment provider, the method further comprising:
receiving a request for authorization of a payment amount, the request being associated with the second identifier;
providing the authorization to the payment provider.
32. The method of claim 31, further comprising sending the payment amount to the access provider.
33. A method, comprising:
receiving, from a mobile network operator, a message for a service provider, the message being associated with an MSISDN of a user;
obtaining an identifier;
authenticating the identifier;
disassociating the MSISDN from the message;
associating the message with the identifier;
sending the message associated with the identifier to the service provider together with an indication that the identifier has been authenticated; and
sending personalization information indicating preferences of the user to the service provider.
34. A method, comprising:
receiving, from a service provider, a message for a user, the message being associated with a first identifier;
determining that the first identifier is mapped to a second identifier of the user for an access provider;
disassociating the first identifier from the message;
associating the second identifier with the second message; and
sending the second message associated with the first identifier to the access provider.
35. A system, comprising:
an identity component configured to disassociate a first identifier of a user from a message received from an access provider, to obtain a second identifier of the user, and to associate the second identifier with the message;
an authentication component configured to authenticate the second identifier and to associate with the message an indication that the second identifier has been authenticated;
a communication interface for sending the message associated with the second identifier, together with the indication, to the service provider.
36. The system of claim 35, wherein the identity manager further comprises:
a personalization manager for tracking user personalization information and sending at least a subset of the personalization information to the service provider; and
a data storage device for storing the personalization information.
37. The system of claim 35, further comprising:
a session manager for tracking session management information, the session management information comprising information indicating a state of interaction between the user and the service provider; and
a data storage device for storing the session management information.
CNB2004800380503A 2003-12-17 2004-11-10 Method and apparatus for personalization and identity management Active CN100517162C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US53059903P 2003-12-17 2003-12-17
US60/530,599 2003-12-17
US10/890,786 2004-07-13

Publications (2)

Publication Number Publication Date
CN1898622A true CN1898622A (en) 2007-01-17
CN100517162C CN100517162C (en) 2009-07-22

Family

ID=37610218

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004800380503A Active CN100517162C (en) 2003-12-17 2004-11-10 Method and apparatus for personalization and identity management

Country Status (1)

Country Link
CN (1) CN100517162C (en)

Also Published As

Publication number Publication date
CN100517162C (en) 2009-07-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 1101984; Country of ref document: HK)
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: WD; Ref document number: 1101984; Country of ref document: HK)