SE527706C2 - Telecommunication system for providing web based single sign-on services, has authentication broker that acts as entry point to federation related to service providers having entry point agreement with mobile network operator - Google Patents

Abstract

The telecommunication system includes an authentication provider (4) belonging to a mobile network to authenticate an user towards a service provider. An authentication broker (2) belonging to another mobile network that acts as entry point to a federation of mobile network operators (MNO) related to service providers respectively having entry point agreements with an operator of the federation entry point mobile network. Independent claims are also included for the following: (1) method for providing single sign-on services; (2) authentication broker; and (3) authentication provider.

Description

527 706 2 The so-called "network-centric" approach is appropriate when confidential relationships within the domain exist between authentication providers and the service provider, while the terminal-centric approach is useful when such relationships are lacking and the terminal can seek authentication against different domains or services.

It is also possible to combine the two approaches. A network operator can issue credits such as digital certificates, short-term certificates, or temporary tickets or certificates that can be stored in the terminal or in an available read / write card. These are further used by the user in authentication or authorization procedures.

Conventional mobile operators use authentication services to grant users access to voice and data services provided by such operators. When mobile operators move up the value chain, they could increase their mutual confidential relationships with their own subscribers to play a new role of authentication providers for their respective. subscriber populations in changing business models, in which service domains and authentication services belong to different administrative units. In this regard, an operator that can provide both accesses, namely IP connectivity and services, could further offer its subscribers "an access authentication SSO" so that an authentication performed at the access level could be valid as authentication in a service domain. This is a relevant starting point for further description of the objects of the present invention.

In more detail, the relationship between a service domain and an authentication provider, as well as the services that a user may be offered, must be considered to discuss the advantages and disadvantages of the above-mentioned approaches. In general terms, an authentication provider may belong to the same administrative domain as the service provider offering the service, or could be delegated to an extremely confidential party or to a distributed association.

A primary object of the present invention is the support for single sign-on (SSO) services for subscribers in an association of mobile network operators (MNOs), subscribers who are users of different service providers (SP). )). SSO services are supported in such a way that users, associations of mobile network operators, and service providers have agreements with at least one member of such an association, and all receive additional benefits and value-added services from a given architectural and business reference model in accordance with this invention. .

In more detail, the user gets the benefit of the SSG service to access any service from any service provider (SP) within the agreement in the reference model. The mobile network operators (MNOs) can gain by offering SSO services, in particular authentication and authorization, to third parties as well as maintaining subscriber loyalty by providing added value to their resp. mobile subscribers. In a later mode, service providers may experience an increase in potential users, namely mobile subscribers, with a simpler and much more secure authentication and authorization mechanism that minimizes support for different such mechanisms depending on the different types of users. In this scenario, the authentication provider and the service provider belong to different administrative domains. At the same time, these distributed benefits allow for an increase in so-called e-commerce (mobile commerce (m-commerce)), which can be seen as a further purpose of the present invention.

RELATED ART The "network-centric" approach, described above, seems to be more suitable for scenarios involving users of service providers who are also subscribers to mobile network operators, the latter wanting to play the role of authentication providers.

However, the most well-known technology is discussed here with reference to SSO services in a generic network-centric approach depending on the type of network operating as an authentication provider.

For example, the published U.S. patent application US 2002/0010776 A1 by Lerner describes methods and systems for providing a single sign-on (SSO) distributed application service integrated for authentication and authorization services. The relevant descriptions in this application begin with a first indication from a user pointing to a browser in a first application, which indication is received at a central server connected to the user terminal. Then a so-called cookie fi l, which corresponds to the user also at the central server, is also received from the browser belonging to the first application. The central server then updates the cookie file received from the browser.

A cookie fi l is a data segment of variable length and usually includes hundreds of bytes. These cookies are written, read and modified by an application interface with libraries located in each connected web server, whether this is local to the central server or located in a remote partner's site. More specifically, the updating of a received cookie includes the comparison of the cookie with certain predetermined parameters and the possible modification of the cookie is based on this comparison.

When a second indication from the user is received at the central server indicating that the user provides a pointer for the server to a second application, the central server provides this updated cookie file to the second application.

This patent application describes that the above-mentioned library of application interfaces, which is responsible for writing, reading and modifying cookies, is configured to also authenticate users between different applications. As a result, one skilled in the art would quickly realize that authentication data and corresponding functions for all users are present in each connected web server, at local or remote partner sites, which is an additional disadvantage for administration. More specifically, different actions are taken with each application in a connected web server, which browser is pointed at by the user, with regard to the authentication of such a user even if the user has received the benefit of an SSO service. Thus, this mechanism can be seen as an example of a scenario where the authentication provider and the service provider belong to the same administrative domain. The above description does not appear to be applicable to large telecommunications systems which include an association of mobile network operators, a number of different service providers which have similarly signed agreements with at least one member of the association, and a large number of possible users who are mobile subscribers of one of the members of the association.

Furthermore, given that subscriber authentication data and algorithms are really sensitive information, the mobile network operators are very hesitant to spread this information to devices outside their own business premises.

Another significant example of single sign-on user accessibility procedures and systems is described in European patent application EP-1089516 with Grandcolas et al. as an inventor where users can access multiple web servers.

This application describes how a user is authenticated at a first web server that allows the user to select a second web server that offers a desired service. When the user efficiently selects the second web server, the first web server constructs an encrypted authentication certificate, and sends this to the second web server. The second web server authenticates the received receipt and allows the user a session at this other web server. Both of the first and second web servers share, in accordance with this application, a subdomain. This means that the scenario in this application is an example where the authentication provider, namely the first web server, and the service provider, namely the second web server, both belong to the same administrative domain.

Therefore, the description in this application cannot be used in scenarios where the authentication provider and the service provider belong to different administrative domains.

This means that the first web server in this application, the authentication provider, is the first contact for the user who wants access to the second web server where the service is offered. 10 15 20 25 30 527 706 6 As a result, this approach may not be suitable for commercial use in scenarios where the authentication provider and the service provider belong to different administrative domains. In such scenarios, the user has direct access to a service provider requesting an authentication authority to authenticate the user and, as soon as such authentication has been successfully performed, the authentication authority authorizes the service provider to offer the selected service to that user.

A known solution today, which is representative of a scenario where the authentication provider and the service provider belong to different administrative and commercial domains, is the Microsoft® .NET passport product (which is described in http: /www.passport.com and in the following will only be referred to as the ".NET Passport"). This product is intended to build a broader Internet-based confidential network with a common set of technical and operational guidelines that are open to any organization that supports the corresponding standards.

However, this approach does not solve the problem of building an association of mobile network operators who will be responsible for authenticating their own mobile subscribers who want access to service providers associated with at least one member of such an association. Furthermore, for an approach such as the .NET Passport, which is intended to be a very large Internet authentication system, a close solution based on a centralized authentication authority that offers no benefits must handle the mobile network operators and subscribers.

Therefore, it is an important object of the present invention to provide a system, means and method for building an association of mobile network operators (MNOs) which acts as an authentication authority against connected service providers (SPs) offering single sign-on (SSOs). services to subscribers to any MNO in the connection. It is another object of the present invention that the association acting as an authentication authority thus performs security and privacy related requirements at the same or higher level than those currently used by mobile network operators. It is a further object of the present invention to establish an architectural and business reference model with respect to actors, roles, relationships and common uses, so-called use cases, in accordance with the system, apparatus and method in connection with the above-described objects of the invention.

SUMMARY OF THE INVENTION The above objects, among others, are achieved in accordance with the invention by providing a system, method and apparatus for providing single sign-on services to a user having access to selected service providers, where the user has a subscription with a first mobile network operator.

The telecommunication system comprises a first mobile network belonging to a first mobile network operator, at least a second mobile network belonging to a second mobile network operator and at least one of a number of service providers to provide services to subscribers of the mobile network operators as soon as subscribers have been authenticated to the service provider. .

In accordance with one aspect of the present invention, a first mobile network operator and at least one second mobile network operator are adapted or belong to a cellular association of mobile network operators acting as authentication authority.

Furthermore, the system comprises an authentication provider belonging to the first mobile network as the only member of the association who has the right to authenticate the user against the at least one service provider; and an authentication intermediary belonging to a second mobile network and arranged to act as a gateway to the association of the service providers having an agreement with the other mobile network operator in 10 15 20 25 30 527 706 A n ä ». .. J .. t this purpose. In the following, an agreement of this kind will be referred to as an entry agreement.

This means that the telecommunication system comprises means for redirecting a user who has access to a service provider, where the user has a subscription with a first mobile network operator, against an authentication intermediary with a second mobile network operator having such an agreement with the service provider, and means for redirecting the user who has access to the authentication intermediary against an authentication provider for the user's first mobile network operator, so-called home (home network). In addition, the telecommunication system includes means for performing a user's so-called home resolution at the authentication intermediary to allow the service provider to request validation of an authentication declaration for the user from the authentication provider belonging to the first mobile network.

In particular, the telecommunication system allows direct access to the authentication provider of the first mobile network operator, without involving an authentication intermediary, from the service providers that have such agreements with the first mobile network operator. To this end, the telecommunication system further comprises means for redirecting a user having access to a service provider to an authentication provider of the user's first mobile network, i.e. home, without involving an authentication intermediary, where the service provider has such an agreement with the first mobile network operator. the so-called home (home network). Furthermore, such a service provider may request validation of an authentication declaration for that user from the authentication provider without involving an authentication intermediary.

Generally, the above system includes means for issuing a single sign-on authentication request from a user having access to a service provider against an authentication provider in the cellular association responsible for authenticating the user to the service provider, where the user is a subscriber in the cellular nu g I a 0 n n. c 10 15) 20 25 30 527 706 9 association, and means for presenting a received authentication artifact to the service provider.

A method is also proposed by the present invention for providing single sign-on services to a user having access to selected service providers, where the user has a subscription with a first mobile network operator, and each selected service provider is connected to a second mobile network operator. This method comprises the steps of: (a) establishing a confidential authentication relationship between the first and second mobile network operators, thereby creating an association of mobile network operators; (b) redirecting an access request generated by the user from the selected service provider to the cellular network of the first mobile network operator; (c) generating at an authentication provider of the first mobile network operator, where the user's access request is redirected, an authentication declaration valid for the user accessing the service provider, and returning an artifact for the declaration back to the user; (d) request verification of the authentication vendor, which is included in the artifact presented by the user, from the service provider to the authentication provider of the first mobile network operator; (e) acceptance of service access to the user upon receipt of a successful verification response from the service provider.

In both cases, i.e. the above-mentioned telecommunication system and method, a user is identified between an authentication provider and a service provider with a shared identity, independent of the authentication identity used between the user and the authentication provider in the cellular associations. regardless of the identity of the user used between the user and the service provider.

Within the telecommunication system, which also takes an active part in the above method, there is an authentication intermediary which comprises first interface means for communication with a user having a subscription with a first mobile network operator, and second interface means for communication with a service provider connected to a second mobile network operator. These first and second interface means can be seen as creating an intermediary channel to enable the authentication intermediary to redirect the user to the user's home network, respectively. to dissolve the user's home network for the service provider. Such an authentication intermediary may comprise a so-called web front end which includes the above-mentioned first and second interface bodies with users resp; service provider.

In addition, the authentication intermediary also includes storage space for all authentication providers in the cellular association according to the principle per mobile network operator, where each mobile network operator included in the cellular association, and means for retrieving the user's home address data from the storage space. Furthermore, the web front end of the authentication intermediary also includes means for providing public key infrastructure services (PKI services) to the service providers connected to the mobile network operator that owns the authentication intermediary to meet the security and confidentiality requirements of the cellular association, in order to thus fulfilling a further object of the present invention.

Also within the telecommunication system, and taking an active part in the above method, there is an authentication provider which includes a front channel and a back channel.

The front channel of the authentication provider includes a web front end that includes first interface means for enabling an authentication session between a user 10 15 20 25 30 527 706 CIO IC 'Û z g:: o 2'.: .UU- .IO- fo. sun: nu o u z g: 2: '' ° 0 'o u,,. . . . . no u o c u u n g, n,. . : c n u u q. no a; 0100 g ll and the authentication provider. This front channel further comprises a session manager and storage space for managing session status for the user, and a so-called front end authentication server for performing a specific authentication mechanism for the user.

The back channel of this authentication provider includes a protocol binding that includes other interface means for exchanging information relating to the user authentication declaration between the authentication provider and a service provider to which the user has access. This back channel further includes a security assurance in a Mark-up Language engine to generate an authentication sale for a user, and storage space for the authentication salesman. In addition, an intermediate working means is also provided between the front channel and the back channel for generating and storing an authentication declaration for a user.

As a further advantage of having the above system, method and apparatus, namely the authentication intermediary and the authentication provider, a method of conducting business is provided in which at least two mobile network operators are adapted to or otherwise form part of an association of mobile network operators, thus establishing an authentication relationship that is confidential within the association to support single sign-on services. The association acts as an authentication authority against the service providers that offer services to subscribers to mobile network operators that are included in the interconnection, where each service provider is connected to a mobile network operator within the association for access to the association. In this business conducting procedure, each mobile network operator contributes its own network and the services provided by its affiliated service providers, and each network includes an authentication provider for authentication of subscribers in such a network and an authentication intermediary for redirecting the connected service providers to a authentication provider responsible for authenticating a specific user within the association. Furthermore, each service provider in the business process is arranged to offer services to subscribers within any mobile network operator that is included in the association. The service provider may have access to the association through a well-known authentication agent in a mobile network operator which has such an agreement with the service provider and thus has a confidential authentication relationship with the association.

BRIEF DESCRIPTION OF THE DRAWINGS The features, objects and advantages of the invention will become apparent upon reading the description taken in conjunction with the accompanying drawings, in which: FIG. 1 schematically represents the architectural and business-related reference model of a cellular association for single sign-on services.

FIG. 2 shows a simplified sequence diagram representing the process followed to authenticate a user and authorize access to a service offered by a service provider in a basic scenario where the service provider has a business agreement with the mobile network operator having a subscription for such a user.

FIG. 3 shows another simplified sequence diagram representing the process followed to authenticate a user and authorize access to a service offered by a service provider in a more general scenario. In this scenario, the service provider has a business agreement with a mobile network operator that is different from the one that has the subscription for such a user, where both mobile network operators are included in a cellular association.

FIG. 4 generally presents an exemplary internal architecture and main interface involving a user, a service provider, an authentication intermediary, and an authentication provider.

FIG. 5A shows a first sequence (I) of actions when a user has access to an authentication provider (AP)) through a so-called front channel in order to be true; . 3 nu oo coon o n n o '-' e. An: O I U n, oc coon.

Q oun- I 0 coca 13 initiate a new authentication process or to activate an insurance process if a valid authentication had been performed previously.

FIG. SB shows a second sequence (II) of actions performed to authenticate a user who has not previously been authenticated through a so-called front channel at an AP, and by means of a so-called authentication back end (hereinafter referred to as "auth. B / E ").

FIG. SC shows a third sequence (HI) of actions performed to complete an assurance process when a user is previously authenticated, and therefore has an active session.

FIG. 6 presents a schematic composition which, by including the references in Fig. 5A to the SC, shows the sequence of actions performed between a user, a service provider and an authentication provider for authenticating such a user who had access to the service provider without having previously been authenticated.

FIG. Fig. 7A presents a schematic composition which, by including the references in Figs. 5A and SB, shows the sequence of actions performed between a user and an authentication provider during an isolated authentication of such a user.

FIG. 7B presents a schematic composition which, by including the references in Figs. 5A and SC, shows the sequence of actions performed between a user, a service provider and an authentication provider for the user, who has already been authenticated, and has access to the service provider.

FIG. Fig. 8 illustrates a more detailed embodiment of certain steps shown in Fig. 3 in accordance with a preferred architectural model.

FIG. Fig. 9 illustrates a more detailed embodiment of some other steps also found in Fig. 3 in accordance with a preferred architectural model. 10 15 20 25 30 527 706 14 FIG. 10 shows an exemplary relationship between SSO_auth_ID, SSO_MAIN_ID and SHARED_ID identities handled by an authentication provider.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS The following describes current preferred embodiments of bodies, procedures and systems for building an association of mobile network operators (MNOs) acting as an authentication authority, or trusted third party, vis-à-vis affiliated service providers at any MNO in the association. These preferred embodiments are described in accordance with an architectural and business reference model provided by the invention in terms of actors, roles, relationships, and basic use cases.

In accordance with one aspect of the present invention, a cellular association for single sign-on (FSSO) services is provided. Fig. 1 presents the architectural and business reference model described above in terms of actors, roles, relationships and some exemplary uses with regard to a first association (FSSO-1).

Actors in the reference model in Fig. 1 are users (User @ MNO-A, User @ MNO-C), service providers (SP-1, SP-2) and subscribers' home site, where the latter are mobile network operators (MNO-A, MNO -B, MNO-C) which holds the subscribers' subscriptions. For the purpose of the present invention, a user is a mobile subscriber who is provided with a so-called subscriber identity module or with a WAP identity module (SIM / WIM) and with a web / Wap browser; a service provider is the target where a service requested by a user is hosted; and a home site is a mobile network operator that holds the user's subscription.

Roles played within the framework of the reference model in Fig. 1 are user (User @ MNO-A, User @ MNO-C), destination site, authentication intermediary (AB 10 15 20 25 30 527 706 15 (AB)) and authentication provider ( In this context, a user is a client requesting a service from an SP, a destination site is a site that has the ability to deliver a given service to a client, generally an SP through an MNO that can also play this role for certain services; an authentication intermediary 1, 2 is a member of the association (FSSO-1) intended to act as an entry point to the association of affiliated SPs (SP-1, SP-2); and an authentication provider 4 , 5, 6 is a member of the association (FSSO-1) intended to own user data and the only one who has the opportunity to authenticate and provide user information to the destination site.In particular, always has an SP (SP-1, SP-2) access (SP-100, SP-200) to the association through its affiliated AB 1, 2. For the sake of simplicity, SPs are not considered as members of the association, but are thus referred to as affiliated entities. From a business perspective, not only does each particular MNO (MNO-A, MNO = '^ B, MNO-C) contribute to the association with its own cellular network but also with a number of connected SPs (SP-1, SP- 2) with which it has signed special agreements. These connected SPs can always have access (S-100, S-200) to the association via the authentication intermediary 1, 2 for a particular MNO (MNO-A, MNO-B) with which each SP (SP-1, SP-2 ) has entered into such an agreement. This is particularly important as cellular operators could be inclined to maintain established business agreements with SPs after entering into or creating an association (FSSO-1, FSSO-2). Furthermore, a network operator can increase the services of resp. SPs in markets where they have strong positions, which could be the case for a cellular multinational association where service providers tend to enter into service level agreements (SLAs) with local operators.

The logical basis behind this reference model from a business perspective is due to the fact that it provides equal opportunities for mobile operators when building up, or joining the association, since a member of the association always constitutes an authentication provider to its own subscribers. In addition, though not 10 15 20 25 30 527 706 than: than: E g 0 .: .aa .u- se 'n .. u o i o o n I n: li: an-.øg: nancy to oo g .. o g. . . g 0 o o o q q, 'I N nan o 16 necessarily, a member of the association may also constitute authentication intermediary vis-à-vis subscribers from other members of the association for its affiliated SPs.

More specifically, an authentication intermediary 1, 2 is responsible for resolving the user's home site. This means that AB is responsible for providing an associated SP with sufficient information to enable the exchange of user data between the MNO that holds the subscription for a user and the SP. As soon as the user's home site has been dissolved, it will be possible for AB to redirect the user to the user's home site.

In addition and optionally, an AB can offer public key infrastructure (PKI) services to its associated SPs in order to comply with the security and confidentiality requirements that are characteristic of mobile network operators. ~ ~ 0like relations in the reference model in Pig. -1 deserves special explanations, further description of architectural units and interfaces, and the rationale behind current preferred embodiments. In this regard, a user (U sees @ MNO-A) (User @ MNO-C) has a confidential relationship (R1 10, R-120) (R-320) with his home site (MNO-A) (MNO-C) ). When the user is registered with an SP (SP-1) (SP-2), there is a direct confidential relationship (R-110) (R-120, R-320) as well as between the two users (User @ MNO-A) ( User @ MNO-C) and SP (SP-1) (SP-2). In order to bring clarity and to simplify the relations between SPs and the community, it has been judged that each of SPs (SP-1) (SP-2) has a single confidential relationship (SP-100) (SP -200) with one and only one member of the association, namely an AB 1, 2, by a mobile network operator (MNO-A) (MNO-B) with which SP has an entered into business agreement.

Therefore, when a user (USER @ MNO-A, User @ MNO-C) wants to use one. cellular SSO services at a given SP (SP-1, SP-2), the SP automatically redirects the user's request via the SP's entry point to the cellular cell connection, namely an AB 1, 2, to a site within the association, namely a AP 4, 6 which can properly handle the user's request. This avoids the SP making complicated decisions about where the user should be redirected. This also substantially simplifies the interaction between an SP and the association, minimizing the impact on SPs and thus increasing their willingness to communicate with the association. In a more general and a more real-world scenario, an SP (SP-Z) may have a confidential relationship with various associations, such as a cellular association (FSSO-1) and an e-banking association (FSSO-2).

In another embodiment of the present invention, an SP (SP-1) associated with a particular MNO (MNO-A) need not pass through an AB 1 of such a MNO to access AP 4 in the MNO which has the subscription for the user (User @ MNO-A) who has requested a service in such an SP (SP-1) .. This is particularly advantageous for a confidential relationship (R-110) between an MNO (MNO-A) and a associated SP (SP-1), and in particular this optimizes network access and performance.

~ Without a direct link to this second embodiment, and in general terms, all home sites that want to play the role of authentication intermediary have a confidential relationship with all members of the association because they are also members of the association. As explained above, an SP has the ability to redirect all users to its entry point, namely a cellular operator (MNO) or a home site, within the cellular association. Therefore, the authentication intermediary (AB) needs to know about all merged home sites.

However, an AB generally does not know the users of each home site of the association, as this requires that each AB has the ability to populate all users in the association, which requires the provision of additional user capacity and accessibility management bodies. However, it is possible by reading through the presently preferred embodiments described in accordance with the invention, that it will be appreciated that a unique or reduced number of ABs 1, 2 provided with these additional means for user capacity and accessibility control, as well as with database facilities for a large number of subscribers, may be appropriate for a particular type of cellular association. For example, such a cellular association may be an association comprising a plurality of national MNOs belonging to a global company with facilities spread around the world.

Two main representative user modes could be described with reference to a scenario presented in Fig. 1 and for which more precise details are further explained in exemplary embodiments from an architectural point of view.

A first use may be a user (User @ MNO-A) having access to certain service providers (SP-1), such as a bookstore service provider, the service provider (SP-1) being connected to the SSO cellular connection (FSSO-1). ) through a specific mobile network operator such as MNO-A. As shown in Fig. 2, the process followed to authenticate such a user and authorize such services starts when a subscriber of an MNO-A (User @ MNO-A) requests access (C-21) to a bookstore service provider (SP-1). ). Given that this SP has a business agreement with MNO-A, and thereby with the cellular association to which MNO-A belongs (FSSO-1), SP-1 (C-22) redirects the request to MNO-A's home site. Upon receipt at the MNO-A home site of the user's request for access to the SP service (C-23), the user presents his own MNO-A identity, for example with a cookie. At this stage, two different embodiments, which have already been commented on, may be applicable. In more detail, either MNO-A acting as an authentication intermediary intimately states that MNO-A is also the authentication provider for that user, or AB and AP at MNO-A both involved as in a more general mode of use, which will be described in the following.

Provided that the user had not already been authenticated at MNO-A, the authentication procedure is performed. If the user was already authenticated, he presents a cookie to MNO-A to allow MNO-A to check the status of a particular user's session. The authentication is not specific to each SP unless the SP requires a specific authentication mechanism to be performed. MN O-A creates (C-24) an authentication declaration for that user specifically and addresses this to the SP. Then an artifact relating to the user's authentication transfer is sent and is likely to include other authentication information back (C-25) to the user. Artifacts are disposable for use and are only valid for the specific SP to which it was sent. The user himself presents (C-26) this artifact to SP-1. The SP then verifies that the source of the artifact is valid and requests (C-27) the user's authentication declaration relating to the home site (MNO-A). MNO-A is returned (C-28) the more complete user's declaration with the required user data which includes at least authentication information. SP-1 thus analyzes the user's declaration and trusts the authentication performed by the user's home site (MNO-A). Then the SP-1 (C-29) informs the user of the acceptance of the service corrector.

A second mode of use may be a user (User @ MNO-A) who has access to certain service providers (SP-2), such as a travel arrangement service provider. Such a service provider (SP-Z) is thus connected to the cellular SSG association (FSSO-1) by a certain cellular operator such as MNO-B, the user being a subscriber of another cellular operator (MNO-A) which is also member of the association. As shown in Fig. 3, the process of authenticating such a user and authorizing such service is followed initially when a subscriber of a MNO-A (User @ MNO-A) requests access (C-21) to a service provider as a tour operator service provider. (SP-2) as an example. This SP-2 has a business agreement with MNO-B to offer SSO services to its users and to the users belonging to the other members of the cellular association (MNO-A, MNO-C). When the SP-2 receives (C-21) the user's request for SSO, the SP-2 (C-22) redirects the request to the MNO-B site, since the MNO-B is the only entry point for this SP to the association. Thus, the MNO-B plays the role of authentication intermediary in this mode of use and receives (C-33) a user's redirection from SP-2. For the sake of simplification for the SP, the SP does not have to serve all home sites in the association and therefore no information about the user's home site is sent in the redirection message. In the next mode, MNO-B (C-34) requests the user's home site name. In this reference model, it has been considered that the user's identity is known only at his home site. An alternative is the sharing of user identities within the cellular association, however, this leads to the need for a large central register unit with corresponding tasks to handle.

In response to the request (C-34), the user responds back (C-35) with his home site name to the MNO-B site, namely to the current authentication intermediary (2). Then the authentication intermediary (AB) (C-36) redirects the user to his home site, which means MNO-A. It then follows that the user requests access (C-23) for SP-2 to his home site. As in the previous mode of use, if the user has not already been authenticated at MNO-A, the authentication procedure (C-24) is performed and the artifact relating to the user's declaration with the authentication information is sent back (C-25) to the user. At this stage, that user has the opportunity to present (C-26) this artifact to SP-2. Then the SP-2 must verify the source of the artifact and dissolve the user's home. SP-Z requests (C-37) this information from AB (2). AB (2) sends back (C-BS) the user's home, resolution response so that SP-2 can contact (C-27) the user's home site (MNO-A) to get the user's declaration referred to. MNO-A returns (C-28) the complete user's declaration with the required user data which includes at least authentication information. The SP-2 then analyzes the user's statement and trusts the authentication performed by the user's home site. Thereafter, the SP-2 (C-29) allows the user to access the service.

After presenting an overview of the architectural and business reference model in terms of actors, roles, confidential relationships, and some exemplary uses illustrated in Figs. 1-3, further detailed embodiments will be introduced with reference to a preferred architecture that is suitable. to support interconnected individual sign-on (FSSO) services at each of the mobile network operators (MNOs) that are included in an association of about fls of MNOs.

Such an architecture is described with reference to the extreme interfaces between members of the association, service providers and users. These interfaces include an interface between a user, or rather user equipment (UE), and the authentication intermediary (hereinafter UE-AB i / f); another interface between the user or UE and the authentication provider (hereinafter UE-AP i / f); another interface between the service provider and an authentication provider (hereinafter SP-AP i / f); and a further interface between the service provider and the authentication intermediary (hereinafter SP-AB i / f).

These interfaces, or combinations thereof, provide channels for communication between the various entities involved, internal and external in the association.

These channels, depicted in Fig. 4, provide the basis for a suitable architecture.

Thus, UE-AB allows i / f AB to routinely direct the user to the AP responsible for his authentication. This interface supports such a redirection, for example by the user providing the AP with the name of the AB and AB translating this to a -: entry point to the AP site. Anyone skilled in the art would readily appreciate other approaches or techniques to obtain an equivalent result. This communication interface is part of a so-called "intermediary channel (AB)" (1, 2) in the home site.

UE-AP i / f supports an authentication session between both actors, the user and the authentication provider 4, 5, 6. As soon as it is authenticated, the user is redirected to SP with some kind of proof or references. This communication interface is referred to as "front channel (AP)" 4 'in the home site.

SP-AP ilf is mainly used to exchange user information such as authentication, attributes, authorization, and assurances. This communication is transparent to the user, and is hereinafter referred to as "back channel (AP)" 4 'in the home site.

SP-AB i / f supports the establishment of the return channel, whereby, for example, AB translates the source ID found in the artifact at the entry point into the user's AP or PKI support. This interface is also part of the so-called "intermediate hand channel (AB)" 1,2 in the home site. Thus, Fig. 4 also shows functional components that an MNO can support to become an AP and an AB in an F As shown in this figure, the architecture can also be considered as including a front channel, a back channel and an intermediary channel view.

Thus, an authentication provider 4, 5, 6 can be considered as comprising a front channel 4 'and a back channel 4 ". The front channel is intended to control the authentication of a user and to handle a master session between the user and the AP. An essential part of the control logic required to make the F-SSO service work is located in the front channel units.The back channel is intended to handle a direct communication between SP and AP to exchange user information.The intermediate channel is responsible for supporting the address resolution needs of SP and the user.

Regarding the previously mentioned master session, further detailed considerations must be introduced with respect to the handling of the session. In this regard, when a user requests an F-SSO service, multiple sessions must be created and maintained as follows: - A master session between the user and the AP. As soon as AP authenticates a user, AP creates a session and leaves an encrypted cookie in the user's browser for subsequent authentication queries.

- A service session between a user and SP to be able to use the services offered at SP. Cookies could also be used to manage this session.

AP needs to keep track of the service sessions established between users and each SP. For this reason, in accordance with one aspect of the present invention and as set forth in Figs. 4, that the AP comprises an SSO session manager 41 which, preferably, is located at the front channel, and cooperates with the back channel and is connected to an AP web front end 42 which is located at the front channel as well.

Furthermore, the AP includes a session database 43 for storing and maintaining such information. 10 15 20 25 30 527 706 n o 0 Q I c n 23 information. and the session database is preferably located at the front channel and is interconnected with the SSO session manager 41.

Prior to the introduction of a more detailed description of current preferred embodiments of the uses presented above and depicted with reference to Fig. 2 and Fig. 3, the various user identifiers handled by different actors in this architectural model will be described.

In this regard, users must present unique identities to their authentication providers in order to execute an SSO service request, a so-called "single sign-on authentication identity" (hereinafter referred to as SSO_auth_ID), and which may have at least one of the following formats in object of operation of the present invention: - MSISDN / IMSI, which belongs to access to and from a mobile phone - User @ domain or user @ realm, ie user@rrmo.com - Username (string of characters) The authentication provider (AP) can administer a fl number of SSO_auth_ID for each user, but need to define a so-called "main single sign-on identity" (hereinafter referred to as SSO__MAIN_ID) for each user that correlates with a fl number of SSO_auth_ID. This SSO_auth_ID is intended for operator purposes, and more specifically for AP, and its format is ultimately determined by the operator, which means that it may or may not conform to an SSO_auth_ID belonging to the user. On the other hand, Internet-related users have a large variety of user identities with different service providers. Users may want to keep current different identities per service provider for accessing accounts at each site. For purposes of the present invention, such an identity may be referred to as "service provider user identity" (hereinafter referred to as SP_user_ID) and represents the identity of a user at a particular service provider (SP). This SP_user_ID is important between an owner user and a specific SP.

The previous paragraphs describe SSO_MAIN_lD for a user who has a correlating key to at least one SSO_auth_ID that uniquely authenticates a user at the user's home operator, namely at an AP, and describes the SP_user_ID that identifies the user at a particular service provider. In a general scenario, SSO_MAIN_ID, SSO_auth_ID, and SP_user_ID do not match, and a user does not want to be provided with any of the identities of the other actors. In this case, the user can be known for SP and for AP with an identity shared between both, the so-called SHARED_ID.

This SHAREDJD can be either permanent or temporary depending on the specific scenario in question. This identity can be considered as an opaque handling used by SP and AP to refer to the same user.

Thus, in accordance with one aspect of the present invention, an authentication provider correlates SSO_auth_ID, SSO_MAIN_ID and SHAREDJD while a service provider correlates SP_user_ID and SHARED_ID. An exemplary relationship between these identities is shown in Fig. 10 in a non-limiting manner. The manner in which these identities are administered by the various actors, as well as how these identities are linked to each other, is not further described in connection with the description of the present invention.

In accordance with the architectural model described above and illustrated in Fig. 4, further detailed embodiments are provided for particular aspects of the uses described above with reference to sequences in Figs. 3. As previously mentioned for these uses, when a user requests (C-23) an SSO authentication for his home site to access an SP, different actions may be required depending on whether or not the user had previously been authenticated.

Thus, by including three sequential sets of measures (Sequences I, II, and III) which resp. has been depicted in Fig. 5A to Fig. SC, the embodiment is described in Fig. 6 in detail in the method of use in Fig. 2 in the architectural model in Fig. 4, while the user has access to an SP which has not yet been authenticated by his home network.

The mechanism in Fig. 6 is initiated when a user accesses (C-21) an SP, and is redirected (C-22) to his home site. Then, the first sequence (I) in Fig. 5A shows that the user issues a request (C-23 ') for SSO authentication with http from his own web server. The user identification could be made by an encrypted cookie (C-23 "), if there is a stored in the user's web agent from a previous SSO session that has taken place before. The encryption of the cookie is recommended to avoid revealing the user identity, SSO_MAIN_ID, in case someone else receives such a cookie, either by physically accessing the computer used for the SSO session or by various scripts designed to steal cookies from web browsers.Because the cookie is generated and encrypted by AP, and later, is also decrypted using AP, the encryption algorithm and key management is entirely up to the AP. The user's web browser does not understand the content of the cookie. In order to secure this process and avoid theft of cookies in networks to the Web server, the connection could always be made over a secure http link, ie. The user identity to be stored in that cookie should be the one selected as SSO_MAIN_ID. It would be appropriate to use da an identity different from that of MSISDN or IMSI for the purpose of secrecy.

In more detail, the user's web browser is routed to the so-called web front end 42 (hereinafter web F / E) which is located at the AP frarn channel. The first time the user accesses it, a plug-in is automatically downloaded with the software that implements the client side of the web service for authentication, such as a simple object access protocol (SOAP) client. Next, the web F / E interface (C-500) establishes the SSO session manager 41 to determine if there is an active session associated with the relevant IMSI, or with other user identities used for similar purposes. In the present case, there will be no session active at this stage, as the user had not previously been authenticated. 10 15 20 25 30 527 706 26 The procedure in Fig. 6 continues with the second sequence (II) shown in Fig. SB whereby the SSO session manager 41 informs (C-501) web F / E that there is no active session . Thus, the user is informed that his authentication is required (C-502). When the user accesses the web F / E in the AP remote channel, he can use (C-503) to be authenticated via the SIM card, among the various authentication mechanisms available to the user, and then the SOAP client invokes such a service. Note that the SOAP client may have been downloaded after the user has selected this authentication mechanism instead of before, without affecting the scope of the invention. When the user wants to be authenticated with the SIM card, it is assumed that the identity to be presented (C-505) to the web F / E is IMSI, which is stored in the SIM card.

IMSI should preferably be sent in the SOAP request provided that the dialogue is performed on a secure connection, namely https, without risking violating the security requirements. The SSO session manager is contacted (C-506) again and, upon detection that the user "has not" established an active session, it acts as a RADIUS client and requests access (C607, C-508) to an authentication, authorization and authentication (authentication , authorization and accounting (AAA)) server 44. Provided that a SIM-based authentication has been selected, IMSI is used which applies identity and is encapsulated in an attribute value pair (AVP) of an extensible authentication protocol (AVP). EAP)) and in the user name AVP.

At this stage, and depending on the authentication mechanism to be used, the AAA server 44 may request (C-509, C-510) to be provided with an authentication query to a back end authentication server 72 (hereinafter referred to as "B / E auth"). . server "). This "B / E auth. Server" is preferably accessed via a RADIUS message whose forwarding could be done in terms of the possible part of a network access identifier (NAI). The SSO session manager thus acts as a RADIUS client and can modify such a real part of NAI. Once the "B / E auth. Server" has received the access request message that includes the user's authentication identity and information in EAP APV, "B / e auth. Server" may require additional information (C-510 to C-517), which process involves fl your EAP round trip. 10 15 20 25 30 Ice o 0 u n 0 n I n n o 0 0 en al Oost o 27 As soon as the AAA server 44 has successfully authenticated the user, it sends back an access acceptance message (C-518) to the SSO session manager. The SSO session manager 41 must now create an entry for that user in the session database, including SSO_auth_ID and SSO_MAIN_ID. If the SSO session manager does not already know SSO_MAIN_ID, it sends a request (C-519) to an identity manager in 70 by providing SSO_auth_ID as the unlock key for that user. Additional benefits can be obtained by having a common directory service (hereinafter referred to as CDS)) for storing SSO_MAIN_IDs, and for providing them (C-522) to the SSO session manager upon request via the identity manager (C -520, C-521). In this mode, the SSO session manager 41 creates an entry, namely a session, for that user in the session database 43 by including the particular SSO_auth_ID used during such user authentication and SSO_MAIN_ID.

As soon as this input has been created in the SSO session manager, additional web F / E logic not shown in Fig. SB must maintain the state of the session between subsequent http requests, for example by sending a cookie to the user's web browser.

It will be appreciated that during this authentication process, there has been no relationship with the AP feedback channel and no assurances have yet been generated. Only a new session has been created for a specific user, including SSO_MAIN_ID, SSO_auth_ID, a selected authentication mechanism, and address information such as an IP address, or an MSISDN belonging to the user.

Similar to sequence II, the process of Fig. 6 continues with the third sequence (III) shown in Fig. 5C. The SSO session manager 41, after having a valid session for a particular user (C-SSO, C-551), retrieves the identity from the identity manager 70 for the user of the corresponding service provider (SP), namely a SHAREDJD.

This SP is the one who created the initial request by redirecting the user to his home authentication provider (AP). Although not shown in Fig. SC, this SHARED_ID and the corresponding SP for which such an identity is used are stored in nu on oo Icon n 0 0 I c 0 coc ao 0 u 0 o 0 0 10 15 20 25 30 527 706 000000 0 0 0 I 00 000000 0 0 0000 000 0 0000 0 0 0 0 0000 28 session database 43 associated with the master session step for this user.

Once the above-described identity mapping has been performed, SSO session manager 41 (C-552) calls a service in a security assertion mark-up language (SAML) engine 45 to generate an authentication assurance for the given SHARED_ID and for the given service provider. The statement includes other relevant data, such as the date and time the authentication process took place, and the associated security strength of the actual authentication mechanism. The insurance is stored (C-553) in the insurance database 46, which is probably indexed with an insurance reference. Thus, the declaration is given an "insurance reference" to uniquely identify the latter.

The assurance reference is encrypted in an authentication artifact at the SAML engine, which is returned (C.-554) to the SSO session manager for further submission via AP web F / E (C-555) to the user (C-25).

Such an artifact is preferably returned to the user encrypted as part of the URL, namely a parameter. At the same time, the user's web browser is redirected back to the original URL sent to SP. In reality, this information is obtained as a parameter in the URL received at the first redirection from SP to AP.

Therefore, the original URL that comes from SP, the target source, should have been stored at AP web F / E.

The user then presents the artifact (C-26) to the originally contacted SP.

SP takes the artifact, and after decoding, the insurance reference and the identity of the AP who issued the declaration is extracted. SP uses this information to establish a SAML dialogue (C-27) with the AP feedback channel4 ", and requests the original declaration, by presenting the artifact in the SAML message which is a declaration request.

When the SAM back channel 45 in the AP return channel receives the declaration request (C-27), it retrieves the declaration (C-556, C-557) from the insurance database 46. signs it digitally and then sends it back to SP (C-28) . 10 then checks the validity of the assurance, preferably by using its own public key infrastructure (PKI) or, in a more generic case which will be explained further, by using the PKI of a confidential authentication intermediary. .

As soon as the declaration has proved valid at SP and the origin has been judged to be trustworthy, SP can continue to analyze the content of the declaration and maintain its local principles in accordance with the authentication information included in the declaration. Finally, the user (C-29) is informed of the acceptance of access to the service.

It will be appreciated that the above description with respect to Fig. 6, with preferred embodiments explained in Figs. 5A to SC, provides architectural details for uses previously presented with reference to Fig. 2.

These architectural details are intended to be understood in an explanatory way but not in a limiting way.

By including the three consecutive sets of actions (sequences I, II and III) which resp. depicted in Fig. 5A to Fig. SC, embodiments in Figs. 7A and 7B also describe details of the mode of use in Fig. 2, with particular reference to the architectural model in Fig. 4 in which the user has access to an SP which has already been authenticated by his home network. More specifically, Fig. 7A presents an independent authentication of a user vis-à-vis an authentication provider on his home network, while Fig. 7B presents actions performed when the user has access to an SP, and once he has been redirected to his home network, the user is already considered authenticated and have a valid session that is still alive.

The mechanism in Fig. 7A starts directly with the first sequence (I) shown in Fig. SA, whereby the user issues an http request (C-23 ') for SSG authentication from his own web server which is followed up, if available. of a user identification with an encrypted cookie (C-23 ") sent to the web F / E at the AP front channel as in the corresponding sequence shown with reference to the method of use in Fig. 6. Thereafter, a web F / E interface (C-500) with the SSO session manager 41 to check if there is an active session associated with that user.

The sequence continues and follows the second sequence (II) shown in Fig. 5B performing the authentication procedure, which is probably selected by the user. In particular, as soon as the SSO session manager 41 has created a session for the user in the session database 43, in reality by including the specific SSO__auth__ID used and SSO_MAIN_ID, the SSO session manager informs AP web F / E whereby additional logic not shown in Fig. The SB maintains the session state for subsequent http requests. Finally, as shown in Fig. 7A, the AP web F / E (C-70) approves a successful sign-on in the direction of the user's web browser.

This user who is already authenticated can request (C-21) a service access to a 'SP. This SP, under the conditions described * above for the mode of use in Fig. 2. «whereby an authentication intermediary is not required, redirects (C-22) the user to his home site. Then, and following the sequence of Fig. 5A, the user again accesses the particular AP web F / E 42 from which an indication is issued to the SSO session manager 41 to check whether or not a valid session is still alive. Thereafter, the SSO session manager 41, in conjunction with a session database 43, likely finds out that a session still exists for that user. Then, as shown in the third sequence (III) and shown in Fig. SC, the SSO session manager 41 (C-550, C-551) retrieves a SHARED_ID to be used for the SP command (C-552, C-553). , C-554) generating and storing a statement for SI-IAREDJD and its inclusion in an authentication artifact. This artifact is returned via web F / E (C-555) to the user (C-25) and presented (C-26) as in the mode of use against SP. SP then checks the original declaration (C-27, C-556, C-557, C-28) with the 4 "AP back channel, and finally offers (C-29) service access acceptance for that user.

Detailed embodiments of the mode of use in Fig. 2 have been described in the preceding paragraphs and distinguish a first behavior in Fig. 6, where the user has access to an SP 10 without being authenticated, from a second behavior in Fig. 2. 7A and 7B where the user is first authenticated and then accepted for a service.

In accordance with another aspect of the present invention, the mode of use previously explained with reference to Figs. 3 further with respect to the architectural model shown in Pig. In particular, distinctions are made between embodiments arising from the inclusion of an authentication intermediary and the corresponding new interfaces.

As illustrated in Pig. 3, a second mode of use occurs when a user (User @ MNO-A) has access to a particular service provider (SP-Z) associated with a cellular SSO connection (FSSO-1) through a particular cellular operator such as MNO-B , while the user is a subscriber of another cellular operator (MNO-A), which. is also a member of the association. In this second mode of use, an authentication intermediary (AB) is required in accordance with one aspect of the present invention for receiving the redirect from SP (SP-Z), which resolves the user's home site, and redirecting to the MNO where the user resides.

In this regard, Pig shows. 8 the actions to be performed between the user and AB before redirecting the user to an appropriate authentication provider (AP) at the user's home site. More specifically, Pig shows. 8 these measures with reference to the architectural model illustrated in Fig. 4 while Fig. 3 does not take into account all the special devices that an AB could include. Thus, when a user issues an authentication request for SP-2 (C-33) against the authentication intermediary (AB) as in Pig. 3, there is in reality an http redirection received in an AB web F / E 21 at an intermediate channel 2 as Fig. 8 shows. Then, a user's home site name is requested from AB web P / E (C-34, C-35).

This request can be made, for example, by presenting a website to the user with all the APs in the connection, whereby the user only needs to click on the logo for his home operator. In the next step, a URI for the user's home site (C-84, C-85) is obtained from an authentication provider (AP) database 22. Finally, (C-36) AB redirects web P / B 10 15 20 25 30 527 706 32 2l the user's http to the appropriate AP at his home site. AB may leave a cookie in the web browser of the user to avoid further requests of the user's home and related requests in subsequent iterations. The flow sequence proceeds with an SSO authentication request (C-23, C-23 ', C-23 ") to AP web F / E 42 as described above with reference to the usage illustrated in Fig. 6 or Figs. 7A and 7B.

Fig. 9 shows the measures to be taken between a service provider and an AB for a user's home resolution to find where the declaration should be validated. More specifically, Fig. 9 shows these measures with reference to the architectural model illustrated in Fig. 4, whereby Fig. 3 does not take into account all the special devices that an AB could conceivably include. After the user has presented (C-26) the artifact to SP (SP-2) illustrated in Figs. 3 and 9, (C-37) a user's home resolution is requested to AB.

Such a request is received at AB tveb 'F / E 21 at rnellanhandskanalen 2. Then requests (C-91, C-92) AB web F / E 21 from an AP database 22 for a URI for AP at the home site which is then sent back (C-38) to SP. SP, by preferably utilizing DNS techniques, resolves the home URI and finally validates (C-27, C-28) the authentication declaration previously obtained (C-23, C-24, C-25) as shown in Fig. 3 or , more specifically and as described above with reference to the uses illustrated in Fig. 6 or Figs. 7A and 7B. The validation of the authentication declaration (C-27, C-28) is issued from SP (SP-2) to the SAML engine 45 probably via a protocol binding (protocol binding 47), which is advantageously placed between the SAML engine and the SP. This protocol binding 47 with its components is arranged to link an XML instance from a transport protocol, such as httms to take an example, and forward it via the SAML engine, SP thus has the right to make any kind of request that defined in SAML standards.

With regard to the verification of the validity of the declaration in this latest use, SP does not need to implement all PK complexity, nor does it need to locally install certificates from all authentication providers in the association, but only 527 706 33 the certificate for its confidential unit in the association, namely the AP certificate that hosts this authentication intermediary.

Of course, many modifications and variations of the present invention are possible in light of the above descriptions. It is therefore obvious that the invention within the scope of protection of the described concept can be realized in other ways than as specifically described.

Claims (30)

10 20 25 30 527 706 34 Patent claims A telecommunication system providing single sign-on services to a user having access to the selected service provider where the user has a subscription with a first mobile network operator, the system comprising: - a first mobile network and at least a second mobile network; - at least one of a number of service providers which provide services to subscribers in the mobile networks when the subscribers have been authenticated against said service provider by an authentication authority; characterized in that a cellular association of mobile network operators acts as an authentication authority, the cellular association including the first mobile network and the second mobile network, and comprising: - an authentication provider belonging to the first mobile network as the only member of the co-authentication user who has the right to the service provider; and - an authentication intermediary belonging to the other mobile network and arranged to act as an entrance to the association ári- year de resp. service providers that have entry agreements with the operator of the other mobile network. The telecommunications system of claim 1, further comprising: - means for redirecting the user, when the user accesses a service provider, to an authentication intermediary for a second mobile network operator having an entry agreement with the service provider; and means for redirecting the user, when the user accesses the authentication intermediary, to the authentication provider at the user's home network. The telecommunication system of claim 2, further comprising means for performing the user's home resolution at an authentication intermediary for a second mobile network operator having an entry agreement with a service provider, to allow the service provider to request approval of an authentication declaration for the user of a first authentication provider. mobile networks. The telecommunication system of claim 3, further comprising: - means for issuing a single sign-on authentication request from the user, when the user accesses a service provider, to an authentication provider responsible for authenticating the user to the service provider, where the user is a subscriber in the cellular association; and - means for presenting the received authentication artifact to the service provider. The telecommunications system of claim 1, wherein the authentication provider belonging to the first mobile network operator can be accessed directly, without involving an authentication intermediary, from service providers having entry agreements with the first mobile network operator. The telecommunication system of claim 5, further comprising means for redirecting the user, when the user accesses a service provider, to an authentication provider against the user's home mobile network operator, without involving an authentication intermediary, when the service provider has an entry agreement with the user's home mobile network operator. The telecommunication system of claim 6, wherein a service provider having an agreement with the first mobile network operator may request approval of an authentication service for a user to an authentication provider for the first mobile network operator without involving the authentication intermediary. The telecommunications system of claim 7, further comprising: - means for issuing a single sign-on authentication request from the user, when the user accesses a service provider, to an authentication provider responsible for authenticating the user to the service provider, where the user is a subscriber in the cellular association; and - means for presenting the received authentication artifact to the service provider. The telecommunication system of claim 1, wherein the user is identified between an authentication provider and a service provider by means of a shared identity independent of the authentication identity used between the user and the authentication provider, and independent of the user identity used between the user and that service provider. The telecommunication system of claim 9 further comprising at least one of the components in a group of components including: - public key infrastructure (public key infrastructure) means for meeting security and privacy requirements for mobile networks in the cellular association; an identity manager for the maintenance and management of relationships between identities for the user under the premises of the cellular connection and the identities for the user during resp. services provided by the service provider; - common directory service for storing user identities accessible through a single sign-on master identity; and a back channel authentication server intended to generate an authentication method based on an authentication mechanism selected by the user. A method of providing single sign-on services to a user having access to the selected service provider where the user has a subscription with a first mobile network operator, and where each selected service provider is associated with a second mobile network operator, characterized in that it comprises the steps of: (a) establishing a confidential authentication relationship between the first and second mobile network operators, thereby creating an association of mobile network operators; (b) redirecting an access request generated by the user from one of the service providers to the first mobile network operator's cellular networks; (c) generating at an authentication provider of the first mobile network operator to which the user's access request is routed, an authentication declaration valid for the user having access to the service provider, and retrieving an artifact for the declaration back to the user; (d) request verification of the authentication vendor, which is included in the artifact presented by the user, from the service provider to the authentication provider for the first mobile network operator; and (e) accept service access to the user in response to receiving an approved verification response from the service provider. The method of claim 11, wherein the two first and second mobile network operators are included in the cellular association, and wherein step a) of this method further comprises one of the following steps depending on the mobile network operator with which the selected service provider is associated: (al) determining an authentication provider for the first mobile network operator responsible for the user, when the selected service provider communicates with the first mobile network operator; or (a2) redirecting the access request generated by the user än- than the selected service provider to an authentication intermediary for a second mobile network operator, when the selected service provider communicates with the other mobile network operator, where the authentication intermediary is the mobile operator responsible for is responsible for the user. The method of claim 11, wherein step b) comprises the steps of: (b1) receiving a single sign-on authentication request from the user; (b2) determine whether or not the user had previously been authenticated; (b3) perform an fi-agan / response authentication procedure in accordance with user preferences of the user who has access to the selected service provider, provided that the user had not previously been authenticated, and thus does not have a valid session active; and (b4) storing a declaration generated for the user having access to the selected service provider. 20 25 527 706 39 The flirting method according to claim 11, wherein both the first and the second mobile network operator are included in the cellular association, and step c) for this method further comprises one of the following steps depending on the mobile network operator to which the selected service provider is connected: (cl ) determining an authentication provider for the first mobile network operator responsible for approving the declaration presented by the user, when the service provider is connected to the first mobile network operator; or (c2) requesting the dissolution of the user's home site from the selected service provider against an authentication intermediary for a particular second mobile network operator, when the other service provider is in contact with the other mobile network operator, where this authentication intermediary is responsible for determining the mobile provider's who is responsible for validating the declaration presented by the user. The method of claim 11, wherein step d) further comprises the steps of (dl) retrieving a stored authentication declaration for the user having access to the selected service provider; and (d2) return the declaration with a verification response to the selected service provider. The method of claim 11, wherein the user is identified between an authentication provider and a service provider with a shared identity independent of the authentication identity used between the user and the authentication provider, and independent of the user identity used between the user and the service provider. 20 25 527 706 40 An authentication intermediary in a telecommunication system providing single sign-on services to a user having access to the selected service provider where the user has a subscription with a first mobile network operator, and each selected service provider is associated with a second mobile network provider, where authentication intermediates include: communication with a user who has a subscription with a first mobile network operator; - second interface for communication with a service provider associated with the other mobile network operator; and - intermediary channel created by the first and second interfaces to enable authentication intermediaries to routinely direct the user to the user's home network, to dissolve the user's home network for the service provider. The authentication intermediary of claim 17, wherein both the user and the authentication intermediary belong to the first mobile network operator, and a number of selected service providers communicate with the first mobile network operator. The authentication intermediary of claim 17, further comprising an authentication intermediary web front end that includes the first and second interfaces to form an interface between the user and the user, respectively. a selected service provider. The authentication intermediary of claim 19, further comprising the storage space for all authentication providers in the cellular association on a per mobile network operator basis, where each mobile network operator is included in the cellular association. 20 25 30 527 706 41 The authentication middleware of claim 20, wherein the web front end of the authentication middle hand further comprises means for retrieving the user's home-related addressing data from the memory space. The authentication intermediary according to claim 21, wherein the web front end of the authentication intermediary further comprises means for offering public key in-structure services to the service providers associated with the mobile network operator owning the authentication intermediary, for the purpose of providing cellular association. 23. Authentication provider included in a telecommunication system providing single sign-on services to a user having access to the selected service provider where the user has a subscription with a first mobile network operator, and each selected service provider is associated with a second mobile network operator, wherein the authentication provider includes: including a web fi-ont end that includes the first interface to enable an authentication session between the user and the authentication provider; and - a feedback channel that includes a protocol binding that includes other interfaces for exchanging information related to user authentication transactions between the authentication provider and a selected service provider to which the user has access. The authentication provider of claim 23, wherein the channel channel further comprises a session manager and storage space for managing session statistics for the user, and a front end authentication server for performing a mirror authentication mechanism for the user. The back channel for the authentication provider further comprises a security assertion mark-up language engine for generating an authentication resale for the user, and storage space for authentication sales. Authentication providers according to claim 2 The authentication provider of claim 25, further comprising cooperating means between the front channel and the back channel to generate and store an authentication vendor for the user. The authentication provider according to claim 26, wherein the function of the cooperating means between the front channel and the back channel is performed via the session manager resp. mark-up language engine for security assurance. An authentication provider according to claim 27, wherein the session manager comprises means for retrieving from an identity manager, with common routing star means, relationships between identities for the user under the premises of the cellular aggregation and the identities for the user under resp. premises for the service provider, where the identities are correlated by a single sign-on main identity. The authentication provider of claim 24, wherein the front end authentication server cooperates with other entities in the cellular association that act as a back channel authentication server to provide specific user data under premises relating to the mobile network operator. The authentication provider of claim 29, wherein the fi ont end authentication server is a server for authentication, authorization and calculation, normally accessible from a network access server in a cellular network.