Abstract: The present invention is aimed to provide a mechanism whereby any person can have user's attributes in a web service provider for sharing with a web service consumer, even if such person is not enabled to provide user's consent to share such user's attributes, and provided that other persons at a hierarchically higher position are enabled to provide such user's consent instead of the owner of the user's attributes, whilst respecting high requirements on privacy for both. Therefore, the present invention provides for a number of cooperating entities and a new method, the cooperating entities being configurable in such manner that delegation modules comprising different relationships of user's consent may be distributed among some of the cooperating entities, and transmitted between the number of cooperating entities, depending on the required level of privacy set on a per network basis and on a per user basis.

Abstract: A Principal Referencing method is described herein which enables an inviting principal-A to have access control over their shared resources by introducing a pair of user identifiers associated with an invited principal-B which are created and delivered during an invitation process. Each identifier is shared between two parties. The first identifier is shared between the Discovery Services (DS-A and DS-B) of both principals, invited and inviting. The second identifier identifies the invited principal-B as well, but it is shared between the inviting principal's web service provider (WSP-A) and the DS-A. Thus, the DS-A is the identifier switching point which isolates both identifier planes. The purpose of these two identifiers is to enable the invited principal-B to be referenced/identified during a discovery and access process without compromising her/his privacy by allowing anyone identifier to be shared between more than two parties.

Abstract: A system, method, and AAA (Authentication, Authorization, and Accounting) server in a packet data network. The AAA server authenticates users, authorizes services for the users when the users access the network, and generates a session identity that comprises a unique random value that is opaque, unpredictable, and not simultaneously re-usable. The session identity includes a session reference and an identifier of the AAA server, such as a realm identifier assigned to the AAA server, that is usable to route queries containing the session identity to the appropriate AAA server. The queries may be routed to the appropriate AAA server by other AAA servers configured with routing tables that match realm identifiers to AAA servers. Alternatively, a specialized AAA server is configured with a routing table and routes the queries to the appropriate AAA server.

Abstract: The invention deals with sharing user's attributes among service providers wherein a service provider, the Attribute Provider, hosts a user's attribute and registers an attribute offering in a Discovery Service Framework for other service providers, the Attribute Requestors, knowing the Attribute Provider hosting the user's attribute. The problem faced is user's attributes that change very often and require a continuous withdrawal and registration of attribute offerings.

Abstract: Mobile operators presently offer services on behalf of service providers where such services are really carried out for the users. Mobile operators act as identity providers in this scenario, wherein service provider and identity provider share a unique identity to identify each particular user accessing a number of services. As the number of users accessing these services, and the number of services offered from different service providers increase, the storage required at the operator's network for such amount of user's identities becomes a problem. To overcome this and other problems, the present invention provides an identity Generator device arranged to generate a user's service indicator to identify the user between the service provider and the identity provider, the user's service indicator comprising a master user's identifier for identification of the user at the identity provider, and a service identifier indicating the services to be accessed at a given service provider.

Abstract: A system, method, and AAA (Authentication, Authorization, and Accounting) server in a packet data network. The AAA server authenticates users, authorizes services for the users when the users access the network, and generates a session identity that comprises a unique random value that is opaque, unpredictable, and not simultaneously re-usable. The session identity includes a session reference and an identifier of the AAA server, such as a realm identifier assigned to the AAA server, that is usable to route queries containing the session identity to the appropriate AAA server. The queries may be routed to the appropriate AAA server by other AAA servers configured with routing tables that match realm identifiers to AAA servers. Alternatively, a specialized AAA server is configured with a routing table and routes the queries to the appropriate AAA server.