METHOD, APPARATUS AND COMPUTER PROGRAM PRODUCT FOR PROVISIONING MULTIPLE USER IDENTITIES IN AN IP MULTIMEDIA SUBSYSTEM

Abstract

A mechanism for an apparatus in a communication network is described. The mechanism comprises receiving provisioning from a second apparatus, wherein said provisioning comprising at least a public identity and a pre-defined range of private identity associated with the public identity, receiving a request comprising a first public identity and its associated private identity from a third apparatus, determining the first public identity already exists in the apparatus, determining the received private identity is not identical to any private identity already provisioned in the apparatus, determining the received private identity is not identical to any private identity in a temporary profile, determining the received private identity is within a pre-defined range of private identity associated with the first public identity, creating a temporary private identity identical to the received private identity and a temporary profile for the received private identity.

Claims

1. A method for a first apparatus comprising: receiving provisioning from a second apparatus, wherein said provisioning comprising at least a public identity and a pre-defined range of private identity associated with the public identity, receiving a request comprising a first public identity and its associated private identity from a third apparatus, determining the first public identity already exists in the apparatus, determining the received private identity is not identical to any private identity already provisioned in the apparatus, determining the received private identity is not identical to any private identity in a temporary profile, determining the received private identity is within a pre-defined range of private identity associated with the first public identity, creating a temporary private identity identical to the received private identity and a temporary profile for the received private identity.

2. The method according to claim 1, wherein the pre-defined range of private identity is denoted by an expression.

3. The method according to claim 1, wherein the pre-defined range of private identity is denoted by a wild-carded private identity or a template.

4. The method according to claim 1, further comprising associating the temporary private identity and the temporary profile with the first public identity.

5. A first apparatus comprising: a transceiver configured to communicate with at least another apparatus, a memory configured to store computer program code, and a processor configured to cause the apparatus to perform: receiving provisioning from a second apparatus, wherein said provisioning comprising at least a public identity and a pre-defined range of private identity associated with the public identity, receiving a request comprising a first public identity and its associated private identity from a third apparatus, determining the first public identity already exists in the apparatus, determining the received private identity is not identical to any private identity already provisioned in the apparatus, determining the received private identity is not identical to any private identity in a temporary profile, determining the received private identity is within a pre-defined range of private identity associated with the first public identity, creating a temporary private identity identical to the received private identity and a temporary profile for the received private identity.

6. The first apparatus according to claim 5, wherein the pre-defined range of private identity is denoted by an expression.

7. The first apparatus according to claim 5, wherein the pre-defined range of private identity is denoted by a wild-carded private identity or a template.

8. The first apparatus according to claim 5, wherein the processor is further configured to cause the apparatus to associate the temporary private identity and the temporary profile with the first public identity.

9. A computer program product embodied on a non-transitory computer-readable medium, said product comprising computer-executable computer program code which, when the computer program code is executed on a computer, is configured to cause the computer to carry out a method for a first apparatus comprising: receiving provisioning from a second apparatus, wherein said provisioning comprising at least a public identity and a pre-defined range of private identity associated with the public identity, receiving a request comprising a first public identity and its associated private identity from a third apparatus, determining the first public identity already exists in the apparatus, determining the received private identity is not identical to any private identity already provisioned in the apparatus, determining the received private identity is not identical to any private identity in a temporary profile, determining the received private identity is within a pre-defined range of private identity associated with the first public identity, creating a temporary private identity identical to the received private identity and a temporary profile for the received private identity.

10. (canceled)

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0040] Exemplary embodiments of the invention are described below, by way of example only, with reference to the following numbered drawings.

[0041] FIG. 1 gives an exemplary overview of network architecture according to one aspect of invention.

[0042] FIG. 2 illustrates a method according to certain embodiment of the invention.

[0043] FIG. 3 depicts a schematic block diagram illustrating an apparatus according to certain embodiment of the invention.

DESCRIPTION OF THE EMBODIMENTS OF THE INVENTION

[0044] Herein below, certain embodiments of the present invention are described in detail with reference to the accompanying drawings, wherein the features of the embodiments can be freely combined with each other unless otherwise described. However, it is to be expressly understood that the description of certain embodiments is given for by way of example only, and that it is by no way intended to be understood as limiting the invention to the disclosed details.

[0045] As a part of the solution to overcome afore-mentioned disadvantages, a private user identity with a pre-defined range may be provisioned in the network (e.g. in HSS). According to one embodiment of the invention, the pre-defined range of the IMPI may be defined by a wild-carded IMPI or a template. A user may have one or more shared IMPUs, which may be shared among as many devices as the user wants. When registering to an IMS network, each device must use its own explicit identity within the pre-defined IMPI range. Each of the devices registers independently with the combination of the IMPU and one dedicated IMPI. There is no implicit registration across devices. And each instance of the wildcarded IMPI can only be used by one device at a time.

[0046] As an exemplary example of the invention, the pre-defined range of IMPI is denoted by a wild-carded private identity. For instance, sign “*” representing a group of IMPIs is provisioned in HSS. Assuming that the IMPU SIP:+491751804512@example.com is associated with a wild-carded private identity 12345678*@example.com, then, for example, three different UEs could register the IMPU SIP: [0047] +491751804512@example.com with IMPIs 123456780@example.com, [0048] 123456789@example.com and 123456784@example.com. The interactions between HSS and I/S-CSCF would be exactly the same as if IMPIs 123456780@example.com, [0049] 123456789@example.com and 123456784@example.com had been provisioned in the HSS explicitly.

[0050] According to another embodiment of the invention, the pre-defined range of IMPI may be provided by an expression such as 12345678[4-6]@example.com or 12345678[4, 6]@example.com, which indicates that IMPIs 123456784@example.com, 123456785@example.com and 123456786@example.com may be used in registration by UEs or other devices in conjunction with the IMPU SIP:+491751804512@example.com.

[0051] In fact, any expression/logic/template and/or their combination that may describe a range of intended IMPI may be used in provisioning the network. As previously mentioned, instead of provisioning each dedicated IMPI, the invention makes it possible to provision multiple IMPIs with only one expression. Moreover, the expression only hints the maximum number of IMPI that is associated with IMPU, i.e. the maximum number of IMPI could be used by a user, without provisioning an explicit amount of IMPI for the associated IMPU, no matter if the user actually use them or not.

[0052] In the above example, when the HSS or an equivalent network element receives a request comprising the IMPI: 123456780@example.com, it may create a temporary IMPI identical to the received IMPI. The created IMPI is within the pre-defined range as it matches the wild-carded IMPI 12345678*@example.com. So it is an instance of the wild-carded IMPI. And when this IMPI is registered in HSS, it will have its own dynamical state, which may be different from other instance of the same wild-carded IMPI. Therefore the HSS may automatically provision a “temporary” IMPI and a temporary profile of IMPI for this instance in order to maintain all dynamical states. A profile may contain attributes associated to an IMS instance. They may be statically provisioned with the wild-carded IMPI template and copied to the created temporary IMPI instance, e.g. authentication method and related credential. They may also be dynamic information e.g. registration state, IMS restoration-info, etc.

[0053] FIG. 1 gives an overview of the network architecture.

[0054] Before a user can use an IMS service, IMPUs and IMPIs for the user should be provisioned in the HSS 11 by a provisioning server 15. According to one embodiment of the invention, a wild-carded IMPI (or an IMPI template) associated with one or more IMPU or IMPU template is provisioned in the HSS 11. Alternatively, a pre-defined range of IMPI associated with an IMPU may also be provisioned in HSS 11. UE 12 of the user must be provisioned with an IMPU and an IMPI by the provisioning server 15. The provisioned IMPI is supposed to be within the pre-defined IMPI range associated with the IMPU.

[0055] The HSS may also use a profile which is additionally configured or provisioned for each class IMPI as a template. During the registration process the HSS creates a normal IMPI for the requested IMPU/IMPI pair (based on the IMPI template). The HSS may control the number of IMPIs generated from certain template, if needed. During de-registration of an IMPU/IMPI pair, the related IMPI may be deleted and becomes free for reuse. Only if no IMPI is registered with an IMPU which was created from an IMPU template, the profile related to that IMPU may be deleted and becomes free for reuse. Such an IMPI template may be associated to a provisioned IMPU or a provisioned/configured IMPU template.

[0056] There may be multiple contacts (i.e. multiple WICs or browser instances) associated with the same allocated IMPU. This happens if the same user registers from two or more different WICs with a WWSF using the same credentials.

[0057] The WWSF is located either within the operator network or within a third party network and is the web server contacted by the user agent (generally after clicking on a link or entering a URL into the browser). The provisioning server 15 may be a WWSF. A WIC is an application run in a UE using the WebRTC extensions specified in WebRTC 1.0 and providing access to IMS by interoperating with the WebRTC IMS.

[0058] As depicted in FIG. 1, other devices 14 belonging to the same user may be connected to the network via I/S-CSCF 13. They should be provisioned with an IMPU and the associated IMPI respectively.

[0059] In order to be able to use the services provided by the IMS, each user terminal 12/14 needs to register at the I/S-CSCF 13 with the combination of IMPU and IMPI. The I/S-CSCF 13 may interact with the HSS 11 in the registration process.

[0060] For the I-/S-CSCF 13 and at the Cx interface, any IMPI within the pre-defined range is handled as if the identity had been provisioned in the HSS already. The advantage is that only one wild-carded IMPI or one expression of IMPI needs to be provisioned in the network but can be shared by many devices.

[0061] FIG. 2 illustrates a method according to certain embodiment. The method may be relevant to, but not limited to, an initial registration procedure and may be performed by a network element such as a HSS 11. At 20, a pre-defined range of IMPI associated with an IMPU may be provisioned to the network element beforehand by the provisioning server 11. In certain embodiments, there may be multiple pairs of an IMPU and its associated range of IMPI provisioned in the network element. At 21, a message from another network element (e.g. I/S-CSCF 13) may be received by the network element. The message may be a user authentication request and may comprise an IMPI and its associated IMPU. The received IMPI is supposed to be within the pre-defined range (e.g. an IMPI template) provisioned in the network element. The method further comprises, at 22, determining if the received IMPU already exists in the database/memory of the network element. If an IMPU or IMPU template matching the IMPU is provisioned in the network element, then the IMPU exists.

[0062] A temporary IMPU may be generated from an IMPU template, with which the IMPI template is associated. In this case the temporary IMPU is also associated with the IMPI template.

[0063] If YES, the method also comprises, at 23, checking if the received IMPI matches any IMPI already provisioned in the network element. If YES, it corresponds to a user that already exists in the network element. The request is handled with the user profile of this existing user.

[0064] If NO, the method will continue at 24 to check if the received IMPI matches any IMPI in any temporary profile created by the network element.

[0065] If YES, no new temporary profile for this IMPI will be created by the network element, rather the status of the existing temporary profile for the IMPI may be updated accordingly if necessary.

[0066] If NO, the method further comprises determining if the received IMPI is within the pre-defined IMPI range (e.g. an IMPI template) associated with the received IMPU at 25. If YES, the method comprises creating a temporary IMPI identical to the received IMPI for the associated IMPU and also a temporary profile for the IMPI at step 26. Generally speaking, when receiving the IMS identities (e.g. same IMPU, different IMPI), the HSS may have related profile templates available and create a normal user profile for the requested pair of IMPU/IMPI. The I/S-CSCF 13 may store the relation between the new contact address and the pair of IMPU/IMPI. Normal IMS registration may start afterwards.

[0067] The temporary IMPI and the temporary profile for the IMPI may be deleted by the HSS when the IMPI is de-registered. During de-registration of an IMPU/IMPI pair, the created IMPI is deleted in the HSS. During de-registration of the last IMPI of an IMPU, the created user profile is deleted in the HSS.

[0068] FIG. 3 illustrates an apparatuses according to certain embodiments of the invention. In one embodiment, the apparatus may be a HSS 30. The apparatus may comprise at least one processor (or processing means), indicated as 301. At least one memory may be provided in the device, and indicated as 302. The memory may include computer program instructions or computer code contained therein. The processors 301 and memory 302 or a subset thereof, can be configured to provide means corresponding to the various blocks of FIG. 2. The processor (or processing means) may be embodied by any computational or data processing device, such as a central processing unit (CPU), application specific integrated circuit (ASIC), or comparable device. The processor can be implemented as a single controller, or a plurality of controllers or processors.

[0069] As shown in FIG. 3, a transceiver (or transceiving means) 303 may be provided. The transceiver 303 may be a transmitter, a receiver, or both a transmitter and a receiver, or a unit or device that is configured both for transmission and reception.

[0070] Memory 302 may be any suitable storage device, such as a non-transitory computer-readable medium. In one embodiment of the invention, the memory 302 may be in the form of a database. A hard disk drive (HDD), random access memory (RAM), flash memory, or other suitable memory can be used. The memory may be combined on a single integrated circuit as the processor, or may be separate from the one or more processors. Furthermore, the computer program instructions stored in the memory and which may be processed by the processors can be any suitable form of computer program code, for example, a compiled or interpreted computer program written in any suitable programming language.

[0071] The memory and the computer program instructions can be configured, with the processor (or processing means) for the particular device, to cause a hardware apparatus such as a HSS, to perform any of the processes described herein (for example, FIG. 2). Therefore, in certain embodiments, a non-transitory computer-readable medium can be encoded with computer instructions that, when executed in hardware, perform a process such as one of the processes described herein. Alternatively, certain embodiments of the invention can be performed entirely in hardware. Furthermore, although FIG. 3 illustrates network element such as a HSS, embodiments of the invention may be applicable to other configurations, and configurations involving additional elements. For example, not shown, additional network element may be present, and additional core/radio network elements may be present.

[0072] One having ordinary skill in the art will readily understand that the invention as discussed above may be practiced with steps in a different order, and/or with hardware elements in configurations which are different than those which are disclosed. Therefore, although the invention has been described based upon these preferred embodiments, it would be apparent to those skilled in the art that certain modifications, variations, and alternative constructions would be apparent, while remaining within the scope of the invention. In order to determine the metes and bounds of the invention, therefore, reference should be made to the appended claims.

[0073] For the purpose of the present invention as described above, it should be noted that [0074] method steps likely to be implemented as software code portions and being run using a processor at one of the server entities are software code independent and can be specified using any known or future developed programming language; [0075] method steps and/or devices likely to be implemented as hardware components at one of the server entities are hardware independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS, CMOS, BiCMOS, ECL, TTL, etc, using for example ASIC components or DSP components, as an example; [0076] generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention; [0077] devices can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved.

[0078] It is to be understood that the above description is illustrative of the invention and is not to be construed as limiting the invention. Various modifications, applications and/or combination of the embodiments may occur to those skilled in the art without departing from the scope of the invention as defined by the appended claims.