公开(公告)号：EP2817733A4

公开(公告)日：2015-01-07

申请号：EP13752237

申请日：2013-01-29

Applicant: IBM

Inventor： HINTON HEATHER MARIA ,  MCCARTY RICHARD JAMES ,  LOONEY CLIFTON

IPC: G06F17/00 ,  H04L29/08

CPC classification number: H04L41/00 ,  H04L63/0815 ,  H04L67/02 ,  H04L67/16 ,  H04L67/28 ,  H04L67/2814 ,  H04L67/2842

公开(公告)号：WO2006008290A3

公开(公告)日：2006-07-13

申请号：PCT/EP2005053461

申请日：2005-07-18

Applicant: IBM ,  IBM UK ,  HINTON HEATHER MARIA ,  FALOLA DOLAPO MARTIN ,  MORAN ANTHONY SCOTT ,  WARDROP PATRICK RYAN

Inventor： HINTON HEATHER MARIA ,  FALOLA DOLAPO MARTIN ,  MORAN ANTHONY SCOTT ,  WARDROP PATRICK RYAN

IPC: H04L29/06

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/08 ,  H04L63/0815 ,  H04L63/0884

Abstract: A method and an apparatus are presented for providing federated functionality within a data processing system. An incoming first request is received at point-of-contact functionality. In response to a determination that information derived from the received request requires processing by federated user lifecycle management functionality, the derived information is sent from the point-of-contact functionality to the federated user lifecycle management functionality.

Abstract translation: 呈现一种用于在数据处理系统内提供联合功能的方法和装置。 接收到的第一个请求是在联络点功能。 响应于确定从接收到的请求导出的信息需要通过联合用户生命周期管理功能进行处理，则派生信息从联络点功能发送到联合用户生命周期管理功能。

公开(公告)号：WO2010020615A2

公开(公告)日：2010-02-25

申请号：PCT/EP2009060626

申请日：2009-08-17

Applicant: IBM ,  IBM UK ,  HINTON HEATHER MARIA

Inventor： HINTON HEATHER MARIA

IPC: H04L29/06 ,  H04L29/08 ,  H04W36/14

CPC classification number: H04W12/06 ,  H04L12/14 ,  H04L12/1403 ,  H04L63/0815

Abstract: A method, system, and computer usable program product for dynamic access to radio networks are provided in the illustrative embodiments. A new radio network having a characteristic more suitable than a corresponding characteristic of a present radio network is detected. A request for access to the new radio network is sent, the request including a token, which includes structured information about a user, a device, a home network, or a billing service. Access to the new radio network is received. Switching is performed from the present radio network to the new radio network for wireless communication. The request for access to a radio network is received such that the requestor is not known to a provider of the radio network. The requestor is verified using a billing service provider or a home network provider identified in a token in the request. Upon verification, access is granted to the radio network.

Abstract translation: 在说明性实施例中提供了用于动态访问无线电网络的方法，系统和计算机可用程序产品。 检测到具有比当前无线电网络的相应特性更适合的特性的新无线电网络。 发送对新无线电网络的访问请求，该请求包括令牌，其包括关于用户，设备，家庭网络或计费服务的结构化信息。 接收到新的无线电网络的接入。 从当前的无线电网络到新的无线电网络进行无线通信的切换。 接收对无线电网络的访问请求，使得请求者对于无线电网络的提供者是不知道的。 使用在请求中的令牌中标识的计费服务提供商或家庭网络提供商来验证请求者。 验证后，无线电网络将获得访问权限。

公开(公告)号：WO0239237A3

公开(公告)日：2003-10-09

申请号：PCT/EP0112361

申请日：2001-10-25

Applicant: IBM ,  IBM DEUTSCHLAND

Inventor： HINTON HEATHER MARIA ,  WINTERS DAVID JOHN

IPC: G06F21/33 ,  G06F21/41 ,  H04L29/06 ,  G06F1/00

CPC classification number: H04L63/0815 ,  G06F21/33 ,  G06F21/41 ,  G06F2221/0706 ,  G06F2221/2131 ,  G06F2221/2137 ,  G06F2221/2141 ,  G06F2221/2149 ,  G06F2221/2151 ,  H04L9/3234 ,  H04L9/3271 ,  H04L63/168

Abstract: A method, system, or computer program product is presented for cross-domain, single-sign-on, authentication functionality. The methodology uses an introductory authentication token to introduce an already authenticated user from one domain to a new domain. This token is passed from one domain to the other domain using HTTP-redirection. This token is protected by encryption with a cryptographic key shared only between the two domain in a secure manner such that an external user cannot generate a counterfeit introductory token. An introductory token is further protected by enabling it with a limited lifetime so that an unauthorized user would not be able to use or reuse the introductory token within the token s lifetime. After a user has been introduced to a new security domain, then all of the user's resource requests are authorized by the new domain.

Abstract translation: 提供了一种方法，系统或计算机程序产品，用于跨域，单点登录，认证功能。 该方法使用介绍性身份验证令牌将已验证的用户从一个域引入新域。 该令牌使用HTTP重定向从一个域传递到另一个域。 该令牌通过使用仅以两个域之间共享的加密密钥以安全方式进行加密来保护，使得外部用户不能生成伪造介绍令牌。 引入令牌进一步受到保护，使其在有限的使用寿命期内使未经授权的用户无法在令牌寿命内使用或重新使用介绍令牌。 在将用户引入新的安全域之后，所有用户的资源请求都被新域授权。

公开(公告)号：WO2008046888A3

公开(公告)日：2008-06-12

申请号：PCT/EP2007061161

申请日：2007-10-18

Applicant: IBM ,  IBM UK ,  HINTON HEATHER MARIA ,  MILMAN IVAN MATTHEW

Inventor： HINTON HEATHER MARIA ,  MILMAN IVAN MATTHEW

IPC: G06F21/24 ,  H04L29/06

CPC classification number: H04L63/20 ,  H04L63/101

Abstract: Policy controls for Web service resource objects in a hierarchical resource space are loosely coupled so that policy changes are applied and enforced across the objects. This technique ensures that different policies are not applied unintentionally to the same resource (for example, one at the Web services entry level, and the other at the resource level). By synchronizing the object in the manner described, neither the entity that deploys the applicat ion nor the security administrator need to be aware of the differences between the various types of requests that occur within a Web services environment. In a representative embodiment, resource objects are linked within a hierarchical resource space to provide synchronized policy control, where the policy is an audit policy, a quality-of-service (QoS) policy, a service level agreement (SLA) policy, a governance policy, a compliance policy, a patch management/vulnerability management policy, a user management policy, or a rights management policy.

Abstract translation: 分层资源空间中的Web服务资源对象的策略控制松散耦合，以便跨对象应用和实施策略更改。 此技术可确保不同意的策略不会无意中应用于相同的资源（例如，在Web服务入门级和资源级别）。 通过以所描述的方式同步对象，部署应用程序的实体和安全管理员都不需要知道在Web服务环境中发生的各种类型的请求之间的差异。 在代表性实施例中，资源对象在分级资源空间内链接以提供同步的策略控制，其中策略是审计策略，服务质量（QoS）策略，服务级别协议（SLA）策略，治理 策略，合规策略，修补程序管理/漏洞管理策略，用户管理策略或权限管理策略。

公开(公告)号：WO2008141947A3

公开(公告)日：2009-05-22

申请号：PCT/EP2008055690

申请日：2008-05-08

Applicant: IBM ,  ANGWIN ALASTAIR JOHN ,  HINTON HEATHER MARIA ,  POZEFSKY MARK

Inventor： ANGWIN ALASTAIR JOHN ,  HINTON HEATHER MARIA ,  POZEFSKY MARK

IPC: H04L29/06 ,  H04W8/26

CPC classification number: H04L63/0407 ,  H04L63/0414 ,  H04W8/26

Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an "enriched" identifier that exposes the mobile device user's home operator but obfuscates the mobile device's (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mobile device user's home operator. The second part, however, is an opaque data string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator. The present invention describes a method and apparatus for use in a home network to manage the generation, storage and use of the unique identifiers.

Abstract translation: 通常伴随移动设备请求的移动设备标识符（例如，MSISDN）被暴露于移动设备用户的本地操作员但是模糊移动设备（以及因此设备用户的身份）的“丰富”标识符所替代。 在一个实施例中，标识符包括第一部分和第二部分。 第一部分包括标识（直接地或通过数据库查找）移动设备用户的本地操作员的数据串。 然而，第二部分是不透明的数据串，例如一次性使用的唯一标识符（UID）或另外被导出为MSISDN（或类似的）的函数的值）。 不透明数据串以优选仅由用户的家庭运营商恢复的方式对移动设备的身份进行编码。 本发明描述了一种在家庭网络中用于管理唯一标识符的生成，存储和使用的方法和装置。

公开(公告)号：WO2008141949A3

公开(公告)日：2009-01-22

申请号：PCT/EP2008055694

申请日：2008-05-08

Applicant: IBM ,  ANGWIN ALASTAIR JOHN ,  HINTON HEATHER MARIA ,  POZEFSKY MARK

Inventor： ANGWIN ALASTAIR JOHN ,  HINTON HEATHER MARIA ,  POZEFSKY MARK

IPC: H04L29/06

CPC classification number: H04L63/0414 ,  H04W12/02 ,  H04W84/042 ,  H04W88/02 ,  H04W88/16

Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an "enriched" identifier that exposes the mobile device user's home operator but obfuscates the mobile device's (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mobile device user's home operator. The second part, however, is an opaque data string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator (or an entity authorized thereby). When the mobile device user roams into a foreign network, that network receives the enriched identifier in lieu of an MSISDN. The foreign network uses the first part to identify the mobile device user's home network, e.g., to determine whether to permit the requested access (or to provide some other value-added service). The foreign network, however, cannot decode the second part; thus, the mobile device's identity (as well as the identity of the mobile device user) remains obscured. This ensures that the user's privacy is maintained, while preventing third parties from building a profile of the device based on the requests that include the MSISDN or similar identifier.

Abstract translation: 通常伴随移动设备请求的移动设备标识符（例如，MSISDN）被暴露于移动设备用户的本地操作员但是模糊移动设备（以及因此设备用户的身份）的“丰富”标识符所替代。 在一个实施例中，标识符包括第一部分和第二部分。 第一部分包括标识（直接地或通过数据库查找）移动设备用户的本地操作员的数据串。 然而，第二部分是不透明的数据串，例如一次性使用的唯一标识符（UID）或另外被导出为MSISDN（或类似的）的函数的值）。 不透明数据串以优选仅由用户的家庭运营商（或由其授权的实体）恢复的方式对移动设备的身份进行编码。 当移动设备用户漫游到外部网络时，该网络接收到代替MSISDN的富集标识符。 外部网络使用第一部分来识别移动设备用户的家庭网络，例如，以确定是否允许所请求的访问（或提供一些其他增值服务）。 然而，外部网络无法解码第二部分; 因此，移动设备的身份（以及移动设备用户的身份）仍然被遮蔽。 这确保了用户的隐私被维护，同时防止第三方基于包括MSISDN或类似标识符的请求构建设备的配置文件。

公开(公告)号：CA2672702A1

公开(公告)日：2008-11-27

申请号：CA2672702

申请日：2008-05-08

Applicant: IBM

Inventor： ANGWIN ALASTAIR JOHN ,  HINTON HEATHER MARIA ,  POZEFSKY MARK

IPC: H04L29/06

Abstract: A mobile device identifier (such as an MSISDN) that typically accompanies a mobile device request is replaced with an "enriched" identifier that expo ses the mobile device user's home operator but obfuscates the mobile device' s (and, thus, the device user's) identity. In one embodiment, the identifier comprises a first part, and a second part. The first part comprises a data string that identifies (either directly or through a database lookup) the mo bile device user's home operator. The second part, however, is an opaque dat a string, such as a one-time-use unique identifier (UID) or a value that is otherwise derived as a function of the MSISDN (or the like). The opaque data string encodes the mobile device's identity in a manner that preferably can be recovered only by the user's home operator (or an entity authorized ther eby). When the mobile device user roams into a foreign network, that network receives the enriched identifier in lieu of an MSISDN. The foreign network uses the first part to identify the mobile device user's home network, e.g., to determine whether to permit the requested access (or to provide some oth er value-added service). The foreign network, however, cannot decode the sec ond part; thus, the mobile device's identity (as well as the identity of the mobile device user) remains obscured. This ensures that the user's privacy is maintained, while preventing third parties from building a profile of the device based on the requests that include the MSISDN or similar identifier.

公开(公告)号：CA2488881A1

公开(公告)日：2004-01-08

申请号：CA2488881

申请日：2003-06-24

Applicant: IBM

Inventor： HINTON HEATHER MARIA

IPC: G06F21/20 ,  G06Q20/38 ,  G06Q30/06 ,  H04L9/32 ,  H04L29/06

Abstract: A method, system, or computer program product is presented for cross-domain, single-sign-on, authentication functionality. A user may contract with one o r more authentication service providers ANSPs. E-commerce service providers ECSPs, such as online banks or online merchants, also maintain a relationshi p with an ANSP such that the ECSP can trust the authenticated identity of a us er that is vouched-for by the ANSP on behalf of the user. The user can visit an y e-commerce service provider in a federated environment without having to establish an a priori relationship with that particular ECSP. As long as the ECSP's domain has a relationship with at least one of the user's authentication service providers, then the user will be able to have a singl e- sign-on experience at that ECSP.

公开(公告)号：CA2918009A1

公开(公告)日：2013-08-29

申请号：CA2918009

申请日：2013-01-29

Applicant: IBM

Inventor： HINTON HEATHER MARIA ,  MCCARTY RICHARD JAMES ,  LOONEY CLIFTON

IPC: G06F17/00

Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.