The Internet is a growing network wherein services are provided by different organisations generally known as service providers. Many service providers allow users the possibility to have accounts with them. Indeed, depending on the service offered, it is often required to have an account at a given service provider. Access to a given service provider may require users to authenticate themselves towards the service provider. In other words, users must be able to prove who they are. This is most often achieved by providing an identity, namely a username, and a password. Once a user is authenticated, she or he is allowed to access the requested service as well as any account that the user may have at the service provider. In this context, a user's account is understood as personal and confidential information. At present, users may have a number of identities and passwords at different service providers, each identity/password pair being used to authenticate the user at one service provider.
The advent of Internet services has brought with it a new service that allows users to access said Internet services in an easy and convenient manner, the so-called Single Sign-On (SSO) service. The current principle behind Single Sign-On states that users shall be able to authenticate once and shall be given access to all their subscribed services that accept such a level of authentication. Single Sign-On is an emerging service that enables users to access different service providers without requiring a separate user authentication at each service provider. In other words, a user provides an identity/password only once at a given service provider and the resulting authentication is valid for entrance to other service providers.
Conventional cellular operators, hereinafter referred to as Mobile Network Operators (MNO), make use of authentication services to grant subscribers access to the voice and data services provided by such operators. As cellular operators move up in the value chain, they could leverage the mutual trust relationship with their own subscribers in order to play a new role of Authentication Provider for their respective subscriber population in emerging business models wherein the service domain and the authentication domain belong to different administrative entities. In this respect, an operator that is able to provide both kinds of access, namely IP connectivity and services, might additionally offer its subscribers an “access authentication SSO”, so that an authentication performed in the access domain may be a valid authentication in the service domain. Generally speaking, an Authentication Provider may belong to the same administrative domain as the Service Provider offering the service, or may be an external trusted party to which authentication is delegated, such as a cellular operator.
Single Sign-On (SSO) is thus based on trust. That is, a first service provider trusts another party, which in particular might be a second service provider carrying out a Single Sign-On (SSO) authentication, to authenticate a user who is accessing a site of said first service provider. The first service provider has no way of knowing whether or not said user already has an account with it and, if so, under which user identity. This occurs because the identity furnished by the user at an accessed site does not necessarily match the identity furnished during the Single Sign-On (SSO) authentication process. Indeed, if the user identity furnished during the SSO authentication process happens to match an existing user identity for that user at the accessed site of said first service provider, then direct access to the related account may be granted, but this is merely a coincidence and cannot be considered a valid mechanism within a generally applicable method.
The present invention is aimed at solving the more general case in which users are known under different identities for accounts scattered across the Internet. It allows a Single Sign-On (SSO) authentication provider to correlate those user identities, lets each user make use of a preferred identity at each service provider, and lets a user access a service provider in an anonymous manner despite having performed a Single Sign-On (SSO) authentication.
A primary object of the present invention is the support of an appropriate mechanism, in terms of means and method, for handling, provisioning and correlating a plurality of user identities for a user in an automated manner between an SSO Authentication Provider, such as a Mobile Network Operator (MNO) or a first service provider capable of performing an SSO authentication, and a number of second Service Providers, in order to allow each user to have personalised access to his or her accounts at said second Service Providers.