Abstract: Differentiated service in a federation-based access network is provided by receiving, with a request for access to a wireless network offering at least a two different service levels based on user identities, a set of user credentials from a User Equipment (UE); forwarding, for authentication, the set of user credentials to an identity provider in an identity federation with the wireless network, wherein the identity provider is independent from the wireless network; in response to determining that the set of user credentials indicate a realm known to be associated with a given service level, providing network access to the UE according to the given service level; and in response to determining that the given service level is not a highest service level in the wireless network, transmitting a list of preferred realms to the UE that are associated with higher service levels than the given service level.

Abstract: A Third Generation Partnership Project (3GPP) based network, such as an enterprise private 3GPP network, is operative to provide a guest onboarding of a device using a realm-based discovery of an identity provider and a mutual authentication of identity federation peers. A secure connection may be established between the peers so that the device may be authenticated based on credentials associated with a Subscriber Identity Module (SIM) provided by its Mobile Network Operator (MNO). Credentials may be extended to those associated with embedded SIMs (eSIMs), digital certificates from private enterprises, login and passwords, and identities from a wide range of identity providers. After device authentication, the 3GPP-based network is operative to select and enforce access policies according to an identity or other attribute of the device.

Abstract: A method is provided that includes obtaining an access request for a device to access a visited access network, the access request including an authentication identifier for the device including an identity for the device and a realm comprising a network identifying portion; determining a re-write rule for the realm by querying a database based on an identity type of the device and the network identifying portion of the realm, the database including a plurality of re-write rules for a plurality of networks and a plurality of identity types; re-writing the realm based on the re-write rule using the identity for the device to generate a re-written realm; obtaining, based on the re-written realm, an address for an authentication server of an identity provider associated with the device; and performing an authentication with the authentication server using the authentication identifier to authenticate the device for the visited access network.

Abstract: The presently claimed disclosure is directed to methods that may be implemented at a computer. Methods and systems consistent with the present disclosure may include extending protocols associated with authenticating client (i.e. supplicant) devices and with authorizing those supplicant devices to access a wireless network. These methods may include sending data relating to the failure of an authentication and/or an authorization process to a supplicant device attempting to access a wireless network. Methods discussed within may include securely sending failure codes or reasons to a supplicant device that identify why an authentication or authorization process failed. These methods may include sending messages between a supplicant device, an authenticator device, and an authentication and authorization server. After a first failure, the supplicant device may be able to access the wireless network after a reason or code of that failure has been reported to the supplicant device.

Abstract: Roaming validation for Access Network Providers (ANPs), and particularly to protecting communications between Stations (STAs) and ANPs while providing roaming validation for ANPs may be provided. An ANP may first register a roaming federation system. The ANP may determine a roaming message based on subscription features of the network, and the ANP may request signing of the roaming message by the roaming federation system. The ANP may receive the signed roaming message from the roaming federation system and send the signed roaming message to a STA. The ANP may then receive a request to connect to the network from the STA and initiate a connection for the STA.

Abstract: Aspects of the disclosure include a method and associated network device. The method includes authenticating an identity of a user of a client device after the client device is associated with an access network provider. Authenticating the identity of the user comprises receiving, from an identity provider, a credential associated with the identity, and receiving, from the identity provider, information identifying a network-based service to be applied to network traffic with the client device. The method further includes establishing, using the credential and the received information, a secure connection between the access network provider and a service provider that is capable of providing the network-based service. The method further includes receiving network traffic from the service provider. Packets of the network traffic include an assurance value that enables the client device to determine that the network-based service is being provided by the service provider.

Abstract: Presented herein are techniques to facilitate wireless authorization based on in-line assurance and tariffing information. In one example, a method may include obtaining, by a home network, a request to authorize access of a roaming subscriber for a visited network; determining whether the request includes visited network charging information and visited network metric information; based on determining that the request includes the visited network charging information and the visited network metric information, determining whether one or more visited network metrics satisfy one or more threshold metrics for the roaming subscriber; and based on determining that the one or more visited network metrics satisfy the one or more threshold metrics for the roaming subscriber, authorizing access of the roaming subscriber for the visited network.

Abstract: Techniques and apparatus for determining quality of experience (QoE) for wireless communications are described. One technique involves transmitting a QoE support message to an access point (AP) within an access network. The QoE support message queries whether the AP supports providing key performance indicators (KPI(s)) indicative of QoE provided by the access network. An indication of whether the AP supports providing the KPI(s) is received in response to the QoE support message. The KPI(s) are received when the AP supports providing the KPI(s). A determination is made whether to communicate with the AP based at least in part on the KPI(s). Communications are then performed in accordance with the determination.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: Techniques for dynamically negotiating a service legal agreement (SLA) between a roaming device and a visited network (VN) in an identity federation. An identity profile provided to a user device by an identity provider (IDP) is accessed by the user device. The identity profile includes a first SLA criteria. An advertisement from the VN indicating one or more SLAs supported by the VN is received at the user device. The advertisement is received before the user device has associated with the VN. The IDP and the VN are part of a same identity federation. It is determined that the SLA supported by the VN satisfies the first SLA criteria. Upon that determination, an acceptance is transmitted by the user device to the VN, and the user device is associated with the VN.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: Various implementations disclosed herein enable controlling access to networks. In various implementations, a method of controlling access to a network is performed by a computing device including one or more processors, and a non-transitory memory. In various implementations, the method includes obtaining an indication that a mobile device having access to a first network utilizing a first radio access technology (RAT) has requested access to a second network utilizing a second RAT. In some implementations, the method includes determining whether the access to the first network satisfies an authentication criterion associated with the second network. In some implementations, the method includes granting the mobile device access to the second network in response to determining that the access to the first network satisfies the authentication criterion associated with the second network.

Abstract: In one embodiment, a method for providing access to wireless networks may include receiving, by a wireless network access provider from a user device, a request to access a wireless network. The method may include obtaining data representing a policy applicable to the access request, sending the access request, augmented with the policy, to an identity provider associated with the user and having no pre-existing relationship with the access provider, and receiving, from the identity provider, an access request response indicating whether or not the policy is met. The method may include communicating, to the wireless device, an indication that the access request has been accepted, if the policy is met, or an indication that the access request has been rejected, if the policy is not met. The access provider and identity provider may be members of an identity and access federation that communicate over a dynamically established secure connection.

Abstract: A method includes receiving, at an access node of a local network, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method further includes receiving an indication that the device previously violated a network policy of a network different from the local network and after the device is authenticated with the identity provider, determining, by the access node and based on the indication, whether to allow the device to communicate over the access node.

Abstract: Techniques for trusted roaming between identity federation based networks. A first wireless access point (AP) receives a roaming request from a wireless station (STA), to roam from the first AP to a second AP. The first AP is associated with a first access network provider (ANP), the second AP is associated with a second ANP, and the first ANP is different from the second ANP. Authentication information relating to the STA is transmitted from the first ANP to the second ANP using a trusted connection. The trusted connection was previously established between the first ANP and the second ANP based on a query to an identity federation to which both the first and second ANP belong. The STA is de-associated from the first AP. The STA is re-associated at the second AP using the transmitted authentication information.

Abstract: According to one or more embodiments of the disclosure, a device receives, from a client at a first organization, a tracking identifier space allocation request for one or more physical assets. The device identifies, based on the tracking identifier space allocation request, a range of tracking identifiers that are not allocated to one or more other organizations for use. The device sends, to the client at the first organization, a tracking identifier space allocation response that indicates the range of tracking identifiers that are now allocated to the first organization, wherein the first organization, after receiving the tracking identifier space allocation response, sends the one or more physical assets tagged with tracking identifiers from the range of tracking identifiers to a second organization from the one or more other organizations.

Abstract: A method includes receiving, at an access node, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method also includes, after the device is authenticated with the identity provider, sending or receiving, to or from the identity provider and by the access node, data linking the device to an item and an owner of the device.

Abstract: Techniques for trusted roaming between identity federation based networks. A first wireless access point (AP) receives a roaming request from a wireless station (STA), to roam from the first AP to a second AP. The first AP is associated with a first access network provider (ANP), the second AP is associated with a second ANP, and the first ANP is different from the second ANP. Authentication information relating to the STA is transmitted from the first ANP to the second ANP using a trusted connection. The trusted connection was previously established between the first ANP and the second ANP based on a query to an identity federation to which both the first and second ANP belong. The STA is de-associated from the first AP. The STA is re-associated at the second AP using the transmitted authentication information.

Abstract: Techniques and apparatus for determining quality of experience (QoE) for wireless communications are described. One technique involves transmitting a QoE support message to an access point (AP) within an access network. The QoE support message queries whether the AP supports providing key performance indicators (KPI(s)) indicative of QoE provided by the access network. An indication of whether the AP supports providing the KPI(s) is received in response to the QoE support message. The KPI(s) are received when the AP supports providing the KPI(s). A determination is made whether to communicate with the AP based at least in part on the KPI(s). Communications are then performed in accordance with the determination.

Abstract: Embodiments herein describe techniques for dynamically negotiating an SLA between a roaming device and a VN in an identity federation. Instead of an IDP having to individually negotiate with a VN to decide on an SLA before a user device roams to the VN, the parties can dynamically negotiate the SLA after the user device has detected the VN (but before the device is permitted to connect or associate with the VN). In one embodiment, when a roaming user device comes within wireless range of a VN, the roaming device receives an advertisement from the VN that indicates the current SLA (or SLAs) offered by the VN. The roaming device can compare this offered SLA to a stored SLA in an identity profile the device received from the IDP to determine whether to accept the offer. In another embodiment, the SLA is instead negotiated between VN and the IDP.