(11)EP 3 267 704 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
06.05.2020 Bulletin 2020/19

(21)Application number: 16771423.7

(22)Date of filing:  01.04.2016
(51)International Patent Classification (IPC): 
H04W 4/10(2009.01)
H04W 12/06(2009.01)
H04W 60/00(2009.01)
H04L 29/06(2006.01)
H04W 12/08(2009.01)
(86)International application number:
PCT/CN2016/078339
(87)International publication number:
WO 2016/155668 (06.10.2016 Gazette  2016/40)

(54)

METHOD FOR UNIFIED APPLICATION AUTHENTICATION IN TRUNKING SYSTEM, SERVER AND TERMINAL

VERFAHREN ZUR VEREINHEITLICHTEN ANWENDUNGSAUTHENTIFIZIERUNG IN EINEM BÜNDELFUNKSYSTEM, SERVER UND ENDGERÄT

PROCÉDÉ D'AUTHENTIFICATION D'APPLICATION UNIFIÉE DANS UN SYSTÈME À RESSOURCES PARTAGÉES, SERVEUR, ET TERMINAL


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 02.04.2015 CN 201510154448

(43)Date of publication of application:
10.01.2018 Bulletin 2018/02

(73)Proprietor: CHENGDU TD TECH LTD.
Gaoxin District Chengdu Sichuan 610041 (CN)

(72)Inventor:
  • WEI, Jianmiao
    Chengdu Sichuan 610041 (CN)

(74)Representative: J A Kemp LLP
14 South Square Gray's Inn
London WC1R 5JJ (GB)


(56)References cited:
EP-A1- 2 809 042
CN-A- 102 904 895
CN-A- 103 139 168
US-A1- 2007 240 206
CA-A1- 2 571 255
CN-A- 103 051 631
CN-A- 103 188 248
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    TECHNICAL FIELD



    [0001] Embodiments of the present invention relate to a trunking system and, in particular, to a unified authentication method for application in a trunking system, a server and a terminal.

    BACKGROUND



    [0002] A trunking system is a dedicated wireless communication system directed to industry-specific applications, developed to meet the command-and-dispatch needs of users within that industry.

    [0003] A long-term evolution (LTE) based broadband trunking system is gradually evolving towards user-based service management, in which a user account is registered with an authentication authorization. In addition, the trunking system has a session initiation protocol (SIP) level authentication authorization, which uses a traditional user name and password for digest authentication: the server issues a 401 or 407 authentication challenge, and the terminal answers it with a response derived from the user name and password (see Request for Comments (RFC) 3261 for details). Moreover, for the security of the various application services in the trunking system, it is also necessary to perform an authentication authorization of the terminal.
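    The SIP-level digest authentication referred to in this paragraph (RFC 3261 reuses the HTTP Digest scheme of RFC 2617), as an added example written for this page and not taken from the patent: the server side answers a REGISTER with a 401 challenge and verifies the retried request, and the client side computes the digest response. The realm `trunk.example`, the user `alice`, the sample password, and the rule that each nonce is accepted once are assumptions of the example; only the header values of the SIP messages are modelled.

```python
import hashlib
import hmac
import re
import secrets


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict with quotes stripped."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]*)', params)}


class SipDigestServer:
    """Server side of the 401 challenge. Every SIP-level service needs its own
    copy of each user's password (or HA1) to verify responses; this is the
    per-service credential storage the description objects to."""

    def __init__(self, realm, users):
        self.realm = realm
        self._users = users          # username -> password (constructed sample data)
        self._nonces = set()         # nonces issued and not yet consumed

    def challenge(self):
        """WWW-Authenticate value sent with 401 Unauthorized."""
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method, authorization):
        """Check the Authorization header of the retried request."""
        p = parse_digest(authorization)
        required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
        if any(k not in p for k in required):
            return False
        if p["realm"] != self.realm or p["nonce"] not in self._nonces:
            return False             # unknown or already-used nonce: treat as replay
        password = self._users.get(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"],
                                   p.get("qop", "auth"))
        ok = hmac.compare_digest(expected, p["response"])
        if ok:
            # Assumption of this example: one use per nonce (RFC 2617 also
            # allows reuse with an incrementing nc; not modelled here).
            self._nonces.discard(p["nonce"])
        return ok


def build_authorization(username, password, method, uri, challenge, cnonce=None):
    """Client side: answer the challenge for the given method and request URI."""
    ch = parse_digest(challenge)
    cnonce = cnonce or secrets.token_hex(8)
    nc = "00000001"
    response = digest_response(username, ch["realm"], password, method, uri,
                               ch["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}", algorithm=MD5')


def sip_register(server, username, password, aor):
    """Two-round REGISTER: unauthenticated try -> 401 -> retry with digest."""
    challenge = server.challenge()                      # 401 + WWW-Authenticate
    auth = build_authorization(username, password, "REGISTER", aor, challenge)
    return server.verify("REGISTER", auth)              # True stands for 200 OK
```

    The method and request URI are bound into HA2, so a response computed for an INVITE cannot be replayed against a REGISTER, and the consumed-nonce check rejects a verbatim replay of a valid Authorization header.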

    [0004] In the prior art, the user has to perform the authentication authorization of the account, the trunking service and the private voice call have the SIP authentication authorization, and other application services also have their own authentication authorizations. The user names and passwords for these various authentication authorizations are stored separately, so that this user name and password information may be exposed, posing a great threat to security.

    [0005] EP 2809042 A1 discloses identity verification and the authentication of a user associated with a user agent, implemented over the SIP protocol, as in VoIP applications.

    [0006] CA 2571255 A1 discloses authentication of wireless devices for access to different wireless networks.

    SUMMARY



    [0007] Embodiments of the present invention provide a unified authentication method for application in a trunking system, a server and a terminal. By using a User ID as the unified identifier for application services, the authentication of the application services is effectively combined with the user logon, such that a unified authentication authorization is achieved and the security of the trunking system is improved.

    [0008] In a first aspect, an embodiment of the present invention provides a unified authentication method for providing different application services in a trunking system, wherein the trunking system is a dedicated wireless communication system directed to specific applications in an industry, developed to meet the command-and-dispatch needs of users within the industry, wherein the trunking system includes an authorization authentication network element and multiple application service network elements of a server, and wherein the authorization authentication network element is an authentication authorization server (AAS) logic network element and the multiple application service network elements associated with the applications include a user information server (UIS) logic network element, a session initiation protocol core (SIP core) logic network element and a short data service (SDS) logic network element, the method including:

    [0009] receiving, by one application service network element of the server of the multiple application service network elements of the server, a registration request transmitted by a terminal, where the registration request carries a token associated with a unique identity of a user initiating the registration request and the identity of the user, User ID, and the token is assigned by the authorization authentication network element of the server to the user when the user logs onto the terminal;

    [0010] performing, by the one application service network element of the server of the multiple application service network elements of the server, a registration to the terminal according to the User ID, and transmitting the token to the authorization authentication network element of the server;

    [0011] performing, by the authorization authentication network element of the server, a token authorization to the user according to the token; and

    [0012] performing, by the one application service network element of the server of the multiple application service network elements of the server, an application service interaction with the terminal if the token authorization is passed;

    [0013] performing, by each of the other multiple application service network elements of the server, the token authorization with the authorization authentication network element according to the same token to provide respective different application services to the terminal so as to implement a unified authentication authorization of each of the multiple application service network elements of the server.

    [0014] In a first possible implementation of the first aspect, before the receiving, by the one application service network element of the server of the multiple application service network elements of the server, the registration request transmitted by the terminal, the method further includes:

    [0015] receiving, by the authorization authentication network element of the server, a logon request transmitted by the user through the terminal, where the logon request carries the User ID;

    [0016] performing, by the authorization authentication network element of the server, an authentication authorization to the user according to the User ID;

    [0017] assigning, by the authorization authentication network element of the server, the token to the user if the authentication authorization is passed; and

    [0018] transmitting, by the authorization authentication network element of the server, a logon response message to the terminal, where the logon response message carries the token.

    [0019] In a second possible implementation of the first aspect, before the receiving, by the one application service network element of the server of the multiple application service network elements of the server, the registration request transmitted by the terminal, the method further includes:

    receiving, by the authorization authentication network element of the server, a logon request transmitted by the user through the terminal, where the logon request carries the User ID;

    performing, by the authorization authentication network element of the server, an authentication authorization to the user according to the User ID;

    assigning, by the authorization authentication network element of the server, the token to the user, and configuring a token expiration time if the authentication authorization is passed; and

    transmitting, by the authorization authentication network element of the server, a logon response message to the terminal, where the logon response message carries the token and the token expiration time.



    [0020] With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, before the performing, by the one application service network element of the server of the multiple application service network elements of the server, the application service interaction with the terminal if the token authorization is passed, the method further includes:

    receiving, by the authorization authentication network element of the server, a refresh message transmitted by the terminal before the token expiration time expires; and

    reassigning, by the authorization authentication network element of the server, the token and the token expiration time to the terminal according to the refresh message.



    [0021] With reference to the second possible implementation of the first aspect, in a fourth possible implementation of the first aspect, before the performing, by the one application service network element of the server of the multiple application service network elements of the server, the application service interaction with the terminal if the token authorization is passed, the method further includes:
    transmitting, by the authorization authentication network element of the server, a refresh notification to the terminal to enable the terminal to obtain a new token and a token expiration time thereof.

    [0022] In a second aspect, an embodiment of the present invention provides a server, including: multiple application service network elements and an authorization authentication network element, wherein the authorization authentication network element is an authentication authorization server (AAS) logic network element and the multiple application service network elements associated with the applications include a user information server (UIS) logic network element, a session initiation protocol core (SIP core) logic network element and a short data service (SDS) logic network element;

    where one application service network element of the multiple application service network elements receives a registration request transmitted by a terminal, the registration request carries a token associated with a unique identity of a user initiating the registration request and the identity of the user, User ID, and the token is assigned by the authorization authentication network element to the user when the user logs onto the terminal;

    the one application service network element of the multiple application service network elements performs a registration to the terminal according to the User ID, and transmits the token to the authorization authentication network element;

    the authorization authentication network element performs a token authorization to the user according to the token; and

    the one application service network element of the multiple application service network elements performs an application service interaction with the terminal if the token authorization is passed;

    each of the other multiple application service network elements performs the token authorization with the authorization authentication network element according to the same token to provide respective different application services to the terminal so as to implement a unified authentication authorization of each of the multiple application service network elements of the server.



    [0023] In a first possible implementation of the second aspect, before the one application service network element of the multiple application service network elements receives the registration request transmitted by the terminal, the server further includes:

    the authorization authentication network element receives a logon request transmitted by the user through the terminal, where the logon request carries the User ID;

    the authorization authentication network element performs an authentication authorization to the user according to the User ID;

    the authorization authentication network element assigns the token to the user if the authentication authorization is passed; and

    the authorization authentication network element transmits a logon response message to the terminal, where the logon response message carries the token.



    [0024] In a second possible implementation of the second aspect, before the one application service network element of the multiple application service network elements receives the registration request transmitted by the terminal, the server further includes:

    the authorization authentication network element receives a logon request transmitted by the user through the terminal, where the logon request carries the User ID;

    the authorization authentication network element performs an authentication authorization to the user according to the User ID;

    the authorization authentication network element assigns the token to the user and configures a token expiration time if the authentication authorization is passed; and

    the authorization authentication network element transmits a logon response message to the terminal, where the logon response message carries the token and the token expiration time.



    [0025] With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, before the one application service network element of the multiple application service network elements performs the application service interaction with the terminal if the token authorization is passed, the server further includes:

    the authorization authentication network element receives a refresh message transmitted by the terminal before the token expiration time expires; and

    the authorization authentication network element reassigns the token and the token expiration time to the terminal according to the refresh message.



    [0026] With reference to the second possible implementation of the second aspect, in a fourth possible implementation of the second aspect, before the one application service network element of the multiple application service network elements performs the application service interaction with the terminal if the token authorization is passed, the server further includes:
    the authorization authentication network element transmits a refresh notification to the terminal to enable the terminal to obtain a new token and a token expiration time thereof.

    [0027] Embodiments of the present invention provide a unified authentication method for application in a trunking system, a server and a terminal. An application service network element of a server receives a registration request transmitted by a terminal and forwards the token carried in it to an authorization authentication network element of the server, where the token indicates a unique identity of the user initiating the registration request and was assigned by the authorization authentication network element of the server to the user when the user logged onto the terminal; the authorization authentication network element of the server then performs a token authorization of the user according to the token; and finally the application service network element of the server performs an application service interaction with the terminal if the token authorization is passed. During this process, the authentication to each individual application service network element rests on a successful logon of the terminal and the acquisition of the token assigned by the authorization authentication network element of the server to the user. The User ID is used as the unified identifier for application services in trunking communications, and the authentication of the application services is effectively combined with the user logon, such that a unified authentication authorization is achieved and the security of the trunking system is improved.

    BRIEF DESCRIPTION OF DRAWINGS



    [0028] 

    FIG. 1 is a flow chart of a unified authentication method for application in a trunking system according to embodiment 1 of the present invention;

    FIG. 2 is a flow chart of a unified authentication method for application in a trunking system according to embodiment 2 of the present invention;

    FIG. 3 is a process diagram of a unified authentication method for application in a trunking system according to embodiment 3 of the present invention;

    FIG. 4 is a logical framework diagram of a unified authentication method for application in a trunking system according to embodiment 4 of the present invention;

    FIG. 5 is a signaling diagram of a unified authentication method for application in a trunking system according to embodiment 5 of the present invention;

    FIG. 6 is a signaling diagram of a unified authentication method for application in a trunking system according to embodiment 6 of the present invention;

    FIG. 7 is a structural diagram of a server according to embodiment 1 of the present invention;

    FIG. 8 is a structural diagram of a terminal according to embodiment 1 of the present invention; and

    FIG. 9 is a structural diagram of a terminal according to embodiment 2 of the present invention.


    DESCRIPTION OF EMBODIMENTS



    [0029] In order to make objectives, technical solutions and advantages of embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be described hereunder clearly and completely with reference to accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of embodiments of the present invention, rather than all embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present invention without any creative effort shall fall into the protection scope of the present invention.

    [0030] FIG. 1 is a flow chart of a unified authentication method for application in a trunking system according to embodiment 1 of the present invention. In this embodiment, the present invention is described in detail from the perspective of a server. This embodiment is applicable to a scenario where a unified authentication is required for applications in an LTE broadband trunking system. In the embodiment of the present invention, the authorization authentication network element of the server may be, for instance, an authentication authorization server (AAS) logic network element, and an application service network element of the server may be, for instance, a user information server (UIS) logic network element, a session initiation protocol core (SIP core) logic network element, a short data service (SDS) logic network element or the like, but the present invention is not limited thereto. Specifically, this embodiment includes the following steps:

    [0031] 101, an application service network element of a server receives a registration request transmitted by a terminal, where the registration request carries a token indicating a unique identity of a user initiating the registration request and an identification of the user, and the token is assigned by an authorization authentication network element of the server to the user when the user logs onto the terminal.

    [0032] In the embodiment of the present invention, the server may be, for instance, a single sign-on server. After the user logs on successfully through a logon interface provided by the terminal and obtains a token assigned to the user by the authorization authentication network element of the server, the user, when a trunking service is needed, transmits a registration request to the application service network element of the server to perform the authentication authorization of the application service; only after this authentication authorization is completed does the user perform an application service interaction with the application service network element of the server and legally use the service it provides. The token is assigned by the authorization authentication network element of the server to the user when the user logs onto the terminal.

    [0033] 102, the application service network element of the server performs a registration to the terminal according to the identification, and transmits the token to the authorization authentication network element of the server.

    [0034] After receiving the registration request transmitted by the terminal, the application service network element of the server performs a registration to the terminal according to the identification and transmits the token carried in the registration request to the authorization authentication network element of the server, so that the authorization authentication network element of the server can perform a token authorization to the user through the token.

    [0035] 103, the authorization authentication network element of the server performs a token authorization to the user according to the token.

    [0036] After receiving the token transmitted by the application service network element of the server, the authorization authentication network element of the server performs a token authorization to the user according to the token.

    [0037] 104, the application service network element of the server performs an application service interaction with the terminal if the token authorization is passed.

    [0038] After the token authorization is completed, the user can perform an application service interaction with the application service network element of the server and can legally use a service provided by the application service network element.

    [0039] Embodiments of the present invention provide a unified authentication method for application in a trunking system. An application service network element of a server receives a registration request transmitted by a terminal and forwards the token carried in it to an authorization authentication network element of the server, where the token indicates a unique identity of the user initiating the registration request and was assigned by the authorization authentication network element of the server to the user when the user logged onto the terminal; the authorization authentication network element of the server then performs a token authorization of the user according to the token; and finally the application service network element of the server performs an application service interaction with the terminal if the token authorization is passed. During this process, the authentication to each individual application service network element rests on a successful logon of the terminal and the acquisition of the token assigned by the authorization authentication network element of the server to the user; the User ID is used as the unified identifier for application services in trunking communications, and the authentication of the application services is effectively combined with the user logon, such that a unified authentication authorization is achieved and the security of the trunking system is improved.

    [0040] Alternatively, in an embodiment of the present invention, before the application service network element of the server receives the registration request transmitted by the terminal, the authorization authentication network element of the server receives a logon request transmitted by the user through the terminal, where the logon request carries the identification; the authorization authentication network element of the server performs an authentication authorization to the user according to the identification; the authorization authentication network element of the server assigns the token to the user if the authentication authorization is passed; and the authorization authentication network element of the server transmits a logon response message to the terminal, where the logon response message carries the token.

    [0041] Specifically, the authorization authentication network element of the server receives a logon request transmitted by the user through the terminal, where the logon request carries the identification of the user, such as a User ID and a password for logon; then, the authorization authentication network element of the server performs an authentication authorization to the user according to the User ID and the password. If the authentication authorization is passed, a token indicating a unique identity of the user is assigned to the user and transmitted to the terminal through the logon response message.

    [0042] Alternatively, in an embodiment of the present invention, before the application service network element of the server receives the registration request transmitted by the terminal, the authorization authentication network element of the server receives a logon request transmitted by the user through the terminal, where the logon request carries the identification of the user; the authorization authentication network element of the server performs an authentication authorization to the user according to the identification; if the authentication authorization is passed, the authorization authentication network element of the server assigns the token and a token expiration time to the user, and transmits the token and the token expiration time to the terminal through a logon response message.

    [0043] FIG. 2 is a flow chart of a unified authentication method for application in a trunking system according to embodiment 2 of the present invention. In this embodiment, the present invention is described in detail from the perspective of a terminal. This embodiment is applicable to a scenario where a unified authentication is required for applications in an LTE broadband trunking system. Specifically, this embodiment includes the following steps:

    [0044] 201, a terminal transmits a registration request to an application service network element of a server, where the registration request carries a token indicating a unique identity of a user initiating the registration request and an identification, enabling the application service network element of the server to perform a registration to the terminal according to the identification and transmit the token to an authorization authentication network element of the server which performs a token authorization to the user according to the token, and the token is assigned by the authorization authentication network element of the server to the user when the user logs onto the terminal.

    [0045] Reference may be made to the embodiment as shown in FIG. 1 for description about the application service network element of the server and the authorization authentication network element of the server in the present embodiment, which will not be repeated herein.

    [0046] 202, the terminal performs an application service interaction with the application service network element of the server if the token authorization is passed.

    [0047] After the token authorization is completed, the user can perform an application service interaction with the application service network element of the server and can legally use a service provided by the application service network element.

    [0048] Embodiments of the present invention provide a unified authentication method for application in a trunking system. A terminal transmits a registration request carrying a token to an application service network element of a server, so that the application service network element of the server forwards the token to an authorization authentication network element of the server, which performs a token authorization of the user according to the token; the application service network element of the server then performs an application service interaction with the terminal if the token authorization is passed. During this process, the authentication to each individual application service network element rests on a successful logon of the terminal and the acquisition of the token assigned by the authorization authentication network element of the server to the user. The User ID is used as the unified identifier for application services in trunking communications, and the authentication of the application services is effectively combined with the user logon, such that a unified authentication authorization is achieved and the security of the trunking system is improved.

    [0049] Alternatively, in the second embodiment of the present invention, before transmitting the registration request to the application service network element of the server, the terminal also transmits a logon request to the authorization authentication network element of the server to enable the authorization authentication network element of the server to perform an authentication authorization to the user according to the identification, where the logon request carries the identification; then the terminal receives a logon response message transmitted by the authorization authentication network element of the server, where the logon response message carries the token.

    [0050] Alternatively, in the second embodiment of the present invention, before transmitting the registration request to the application service network element of the server, the terminal also transmits a logon request to the authorization authentication network element of the server to enable the authorization authentication network element of the server to perform an authentication authorization to the user according to the identification, where the logon request carries the identification; then the terminal receives a logon response message transmitted by the authorization authentication network element of the server, where the logon response message carries the token and a token expiration time.

    [0051] FIG. 3 is a process diagram of a unified authentication method for application in a trunking system according to embodiment 3 of the present invention. The present invention is described in detail by taking an example in this embodiment where an authorization authentication network element of a server performs a unified authentication to application service network elements 1∼n of the server after a logon of a user. Specifically, the following steps are included:

    [0052] 301, a terminal transmits a logon request to an authorization authentication network element of a server.

    [0053] In this step, the terminal provides a logon interface. When the user needs to log on, the terminal uses the logon interface to transmit a logon request to the server after a user name and a password are input, and the authorization authentication network element of the server receives the logon request. Alternatively, in this process the logon request may carry a user identity (User ID) or the like, and the User ID is used as the unified identifier for application services in trunking communications.

    [0054] 302, the authorization authentication network element of the server transmits a token to the terminal.

    [0055] Upon receiving the logon request, the authorization authentication network element of the server assigns a token to a user and transmits the token to the terminal after an authentication to the user is passed.

    [0056] 303, the terminal transmits a registration request carrying the token to an application service network element 1.

    [0057] 304, the application service network element 1 transmits the token to the authorization authentication network element for a token authorization.

    [0058] In this step, the application service network element 1 of the server transmits the token to the authorization authentication network element of the server for a token authorization.

    [0059] 305, the terminal transmits a registration request carrying the token to an application service network element 2.

    [0060] 306, the application service network element 2 transmits the token to the authorization authentication network element for a token authorization.

    [0061] 307, the terminal transmits a registration request carrying the token to an application service network element 3.

    [0062] 308, the application service network element 3 transmits the token to the authorization authentication network element for a token authorization.

    [0063] It can be seen from FIG. 3 that, the authorization authentication network element of the server provides a single sign-on server. The user accesses to the authorization authentication network element of the server for a logon authorization, and a token is assigned by the authorization authentication network element of the server to the user after a successful logon; then, the terminal carries the same token to access to an individual application service network element of the server for a registration, the individual application service network element accesses to the authorization authentication network element for a token authorization through the token. After the authorization is completed, the user can perform an application service interaction with the individual application service network element of the server, and can legally use a service provided by the individual application service network element.

    [0064] It should be noted that, in this embodiment, Steps 303, 305 and 307 do not have a strict execution order. For instance, in other feasible implementations, the terminal may also access the application service network element 2 or the application service network element n (n ≠ 1) for a registration first, and then access the application service network element 1 for a registration.

    [0065] FIG. 4 is a logical framework diagram of a unified authentication method for application in a trunking system according to embodiment 4 of the present invention. As shown in FIG. 4, the main logical network elements in a server include a user data center (UDC), a multimedia dispatch center (MDC), an evolved packet core (EPC), a session initiation protocol core (SIP core), etc.; implementations of the subsequent process are described based on this framework.

    [0066] The UDC undertakes management and configuration of account data of a user or a group and unifies a logon service, a user information service, a policy service and a security configuration service. It may provide an authentication authorization service (AAS), the user information service (UIS), quality of service (QoS) control, a security service, user management, group management and the like. The AAS is a unified authentication authorization center, which provides a logon management service of the user, an application service access address of the user, authentication services for applications, etc., and may be connected to a standard third-party authentication, authorization and accounting (AAA) service. The UIS may provide an address book service, a user static data configuration service, a user right profile (Profile) download service and a group list download service provided for a group.

    [0067] The MDC is service-oriented, and may provide a push to talk (PTT) server, a private call service, a trunking service, a push to talk over cellular (POC) service, a short data service (SDS), an audio and video service, etc.

    [0068] The SIP core is an SIP access routing center that provides an SIP registration and a routing service.

    [0069] The EPC is a major component of system architecture evolution (SAE).

    [0070] As shown in FIG. 4, A1 is an interface between the UDC and the terminal, which uses a hypertext transfer protocol (HTTP)/signaling ATM adaptation layer (SAAL) for communications; A2 is an interface between the UDC and the SIP core; A3 is an interface between the UDC and the MDC; B1 is an interface between the terminal and the SIP core, which uses the SIP for communications; B2 is an interface between the SIP core and the MDC, which uses the SIP for communications; B3 is an interface between the MDC and the EPC, which may be a policy and charging rules function (PCRF) interface or an Rx interface; B4 is an interface between the MDC and the EPC, which may be an MB2-C interface or an MB2-U interface; B5 is an interface between the MDC and the terminal, which may be a media-plane interface. The unified authentication method for the application in the trunking system according to the present invention will be described hereunder in detail with reference to FIG. 3. Reference may be made to FIG. 5 and FIG. 6 for details.

    [0071] FIG. 5 is a signaling diagram of a unified authentication method for application in a trunking system according to embodiment 5 of the present invention. The present invention is described in detail by taking an example in this embodiment where an authorization authentication network element of a server is the AAS and application service network elements of the server are respectively the UIS, the SIP core or the SDS. The following steps are specifically included:

    [0072] 501, a user initiates a logon request.

    [0073] After a user name and a password of a user are input, the terminal accesses the logon interface to initiate a logon process and transmits a logon (Logon) request to the AAS, where the logon request carries a user identification (User ID). Alternatively, the logon request also carries the password (Password) of the user and a position identification (Area ID) of the area to which the terminal belongs.

    [0074] 502, the AAS performs an authentication to the user and assigns a token thereto.

    [0075] The AAS performs an authorization authentication to the user and assigns a unique identity token to the user after the authentication is passed. Alternatively, after the authentication is passed, the AAS also saves a correspondence between the User ID and the Area ID.

    [0076] 503, the AAS transmits a logon response message carrying the token to the terminal.

    [0077] 504, the terminal transmits a registration request carrying the token and the user identification to the UIS.

    [0078] When the application service network element of the server is the UIS, the terminal transmits a registration request (Register) carrying the token and the user identification (User ID) to the UIS.

    [0079] 505, the UIS transmits the token to the AAS for a token authorization.

    [0080] In this step, the UIS transmits the token to the AAS for a token authorization.

    [0081] 506, the UIS transmits a registration response message to the terminal.

    [0082] When the token authorization performed by the AAS to the UIS is passed, the UIS returns a session identification (Session ID) to the terminal and transmits a registration response message to the terminal to inform the terminal that the token authorization is passed.

    [0083] 507, the terminal accesses to the UIS to get a user permission.

    [0084] 508, the terminal accesses to the UIS to get an enterprise address book.

    [0085] 509, the terminal accesses to the UIS to get a group information list.

    [0086] In Steps 507-509, the terminal requests to download information about the user permission (Profile), contents of the enterprise address book (Address Book), the group information list (Group List) and the like from the UIS, where the group information list is used by the terminal for group scanning, group joining and displaying.

    [0087] In addition, during an interaction between the terminal and the UIS in Steps 506-509, a Hypertext Transfer Protocol (HTTP) or the like may be used, but the present invention is not limited thereto.

    [0088] 510, the terminal transmits a registration request carrying the token and the user identification to the SIP core.

    [0089] After the terminal interacts with the UIS to get the user permission and the group information list, if the terminal has a trunking permission, then in this step, the terminal initiates an SIP registration to the SIP core, and carries a User ID and a unique identity token acquired after a successful logon.

    [0090] 511, the SIP core transmits the token to the AAS for a token authorization.

    [0091] After receiving the registration request transmitted by the terminal, the SIP core transmits the token and the User ID carried in the registration request to the AAS to enable the AAS to perform a token authentication to the user.

    [0092] 512, the SIP core transmits a registration response message to the terminal.

    [0093] If the token authorization is passed, the SIP core transmits a registration response message to the terminal. For instance, the SIP core returns a 200 OK response to the terminal.

    [0094] 513, the terminal establishes a trunking service signaling with the SIP core.

    [0095] After the token authorization is passed, the terminal may perform a trunking service signaling establishment process with the SIP core.

    [0096] In Steps 510-513 described above, during the interaction between the terminal and the SIP core, there is no specific distinction among a private call, a trunking call and a short message of the SIP at an application level, and applications of the SIP core are registered in a centralized way.

    [0097] In addition, during the interaction between the terminal and the SIP core in Steps 510-513, a protocol such as a super SIP protocol or the like may be used, but the present invention is not limited thereto.

    [0098] 514, the terminal transmits a registration request carrying the token and the user identification to the SDS.

    [0099] After the terminal interacts with the UIS to get the user permission and the group information list, if the terminal has a permission of short data service, then in this step, the terminal initiates a registration to the SDS, and carries a User ID and a unique identity token acquired after a successful logon.

    [0100] 515, the SDS transmits the token to the AAS for a token authorization.

    [0101] After receiving the registration request transmitted by the terminal, the SDS transmits the token and the User ID carried in the registration request to the AAS to enable the AAS to perform a token authorization to the user.

    [0102] 516, the SDS transmits a registration response message to the terminal.

    [0103] If the token authorization is passed, the SDS transmits a registration response message to the terminal. For instance, the SIP core returns a registration command acknowledgment (ACK) to the terminal.

    [0104] 517, the terminal performs a short data service interaction with the SDS.

    [0105] After the token authorization is passed, the terminal may perform a short data service interaction with the SDS.

    [0106] During the interactions between the terminal and the SDS in Steps 514-517 described above, a protocol such as an extensible messaging and presence protocol (XMPP) may be used, but the present invention is not limited thereto.

    [0107] In addition, it should be noted that the interactions between the terminal and the SIP core described above (i.e., Steps 510-513) and the interactions between the terminal and the SDS do not have a strict order. For instance, in other feasible implementations, the terminal may first interact with the SDS and then with the SIP core; or, the terminal only interacts with the SIP core; or, the terminal only interacts with the SDS.

    [0108] FIG. 6 is a signaling diagram of a unified authentication method for application in a trunking system according to embodiment 6 of the present invention. Compared with the embodiment as shown in FIG. 5, in this embodiment, upon receiving a registration request transmitted by the terminal, the authorization authentication network element of the server assigns a token to the terminal and also assigns a token expiration time for the token after performing an authentication to the terminal. The following steps are specifically included:

    [0109] 601, a user initiates a registration request.

    [0110] 602, the AAS performs an authentication to the user and assigns a token and a token expiration time at a time T0.

    [0111] In this step, besides assigning a token to the user, the AAS also assigns a token expiration time corresponding to the token.

    [0112] 603, the AAS transmits a logon response message carrying the token and the token expiration time to the terminal.

    [0113] 604, the terminal saves the token and the token expiration time at a time T1.

    [0114] Upon receiving the logon response message, the terminal saves the token and the token expiration time at the current time T1. For instance, assuming that T0 is 12:00, T1 is 12:01, and the token expiration time is 20 minutes, then the token assigned at the time T0 will expire at 12:21.

    [0115] 605, the terminal and the UIS perform an authorization authentication and an application service interaction by using the token assigned at the time T0.

    [0116] The terminal executes an application registration before the token expiration time expires, for instance, the terminal accesses to the UIS for registration and performs subsequent downloading of the user permission, the contents of the enterprise address book and the group information list. Reference may be made to Steps 507-509 described above for details, which will not be repeated herein.

    [0117] 606, the terminal transmits a refresh message to the AAS at a time T2.

    [0118] Before the token expiration time expires, the terminal transmits a refresh message to the AAS to acquire a new token and a token expiration time thereof. For instance, the terminal does so at a time T2, where T2 = T1 + the token expiration time × 90%; following the example in Step 604, T2 is 12:19, and at that time the terminal transmits a refresh message to the AAS to acquire a new token and a token expiration time thereof.

    [0119] 607, the AAS transmits a refresh response message carrying the new token and the new token expiration time to the terminal.

    [0120] It should be noted that, in addition to the case where the terminal actively initiates a refresh process to the AAS to acquire a new token and a token expiration time thereof, there is also a case where the AAS actively transmits a refresh notification to the terminal, so that the terminal initiates a token refresh process to the AAS upon receiving the refresh notification transmitted by the AAS; reference may be made to Step 608 for details.

    [0121] 608, the AAS transmits a refresh notification to the terminal at a time T3.

    [0122] The AAS transmits a refresh notification to the terminal before the token expiration time expires to enable the terminal to acquire a new token and a token expiration time thereof. For instance, the terminal initiates a refresh process at a time T3, where T3 = T0 + the token expiration time; following the example in Step 604, T3 is 12:20, and at that time the terminal transmits a refresh message to the AAS to obtain a new token and a token expiration time thereof.

    [0123] 609, the terminal transmits a refresh message to the AAS.

    [0124] The terminal transmits a refresh message to the AAS to acquire a new token and a token expiration time thereof.

    [0125] 610, the AAS transmits a refresh response message carrying the new token and the new token expiration time to the terminal.

    [0126] Steps 608-610 described above may be regarded as an abnormal protection process, that is, they are started only when the terminal does not initiate a refresh process at the time T1, i.e., only when Steps 606 and 607 described above are not executed. Of course, the terminal initiating the refresh process and the AAS informing the terminal to initiate the refresh process may also be treated as parallel schemes, but the present invention is not limited thereto.

    [0127] 611, the terminal and the SIP core perform an authorization authentication and an application service interaction by using the newly assigned token.
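    The logon, registration and refresh exchanges of FIG. 5 and FIG. 6, written out as an added Python simulation (example code, not the patent's own; the AAS and AppServiceNE classes and the timing helpers are hypothetical models, and the credentials and User IDs are constructed). It uses the figures of Step 604 (T0 = 12:00, T1 = 12:01, 20-minute expiration time) and shows the same token registering with the UIS, SIP core and SDS, the refresh at T2, the notification at T3 for a terminal that did not refresh, and the refusal of forged, foreign and expired tokens.

```python
import secrets

MINUTE = 60


def hm(hours, minutes):
    """Clock helper for the worked run: hm(12, 19) is 12:19 as seconds since midnight."""
    return hours * 3600 + minutes * MINUTE


class AAS:
    """Authorization authentication NE (hypothetical model): logon, token issue, authorization, refresh."""

    def __init__(self, credentials, token_lifetime=20 * MINUTE):
        self._credentials = credentials  # constructed user_id -> password table
        self._tokens = {}                # token -> (user_id, T0 at which the token was assigned)
        self.token_lifetime = token_lifetime

    def _issue(self, user_id, now):
        # One live token per user: a new token (logon or refresh) retires the previous one.
        self._tokens = {t: e for t, e in self._tokens.items() if e[0] != user_id}
        token = secrets.token_hex(16)
        self._tokens[token] = (user_id, now)
        return token, self.token_lifetime

    def logon(self, user_id, password, now):
        """Steps 501-503: authenticate the user, then return (token, token expiration time)."""
        if self._credentials.get(user_id) != password:
            return None
        return self._issue(user_id, now)

    def authorize(self, token, user_id, now):
        """Steps 505/511/515: token authorization requested by an application service NE."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        uid, t0 = entry
        # The token must belong to the User ID presented with it and be within T0 + lifetime
        # (boundary included, so a terminal notified at T3 can still refresh).
        return uid == user_id and now <= t0 + self.token_lifetime

    def refresh(self, token, user_id, now):
        """Steps 606-607 and 609-610: a new token is issued only against a still-valid one."""
        if not self.authorize(token, user_id, now):
            return None
        return self._issue(user_id, now)

    def refresh_notifications(self, now):
        """Step 608: users whose token reached T3 = T0 + lifetime without being refreshed."""
        return {uid for uid, t0 in self._tokens.values() if now >= t0 + self.token_lifetime}


class AppServiceNE:
    """UIS, SIP core or SDS: registers the terminal and delegates token authorization to the AAS."""

    def __init__(self, name, aas):
        self.name, self._aas, self.sessions = name, aas, {}

    def register(self, user_id, token, now):
        """Steps 504-506 (likewise 510-512, 514-516): return a Session ID, or None if refused."""
        if not self._aas.authorize(token, user_id, now):
            return None
        session_id = f"{self.name}-{secrets.token_hex(4)}"
        self.sessions[session_id] = user_id
        return session_id


def terminal_refresh_time(t1, lifetime):
    """Step 606: the terminal schedules its refresh at T2 = T1 + 90% of the expiration time."""
    return t1 + int(lifetime * 0.9)


def run_example():
    """Worked run with the figures of Step 604: T0 = 12:00, T1 = 12:01, expiration time 20 minutes."""
    aas = AAS({"dispatcher01": "pw-one", "dispatcher02": "pw-two"})  # constructed credentials
    uis, sip_core, sds = (AppServiceNE(n, aas) for n in ("UIS", "SIP core", "SDS"))
    t0, t1 = hm(12, 0), hm(12, 1)
    token, lifetime = aas.logon("dispatcher01", "pw-one", t0)      # Steps 501-503
    idle_token, _ = aas.logon("dispatcher02", "pw-two", t0)        # this user never refreshes
    out = {"t2": terminal_refresh_time(t1, lifetime), "t3": t0 + lifetime}
    # Steps 504-516: the same token registers the terminal with every application service NE.
    sessions = [ne.register("dispatcher01", token, t1) for ne in (uis, sip_core, sds)]
    out["all_registered"] = all(sessions)
    out["forged_rejected"] = uis.register("dispatcher01", "f" * 32, t1) is None
    out["foreign_user_rejected"] = sds.register("dispatcher02", token, t1) is None
    # Steps 606-607: refresh at T2 = 12:19; the retired token is no longer authorized.
    new_token, _ = aas.refresh(token, "dispatcher01", out["t2"])
    out["old_token_retired"] = not aas.authorize(token, "dispatcher01", out["t2"])
    out["new_token_live"] = aas.authorize(new_token, "dispatcher01", out["t2"])
    # Steps 608-610: at T3 = 12:20 only the idle user is prompted, and can still refresh.
    out["notified_at_t3"] = aas.refresh_notifications(out["t3"])
    out["idle_recovers"] = aas.refresh(idle_token, "dispatcher02", out["t3"]) is not None
    out["expired_refused"] = not aas.authorize(new_token, "dispatcher01", out["t2"] + lifetime + 1)
    return out
```

The terminal computes its expiry from T1 while the AAS counts from T0, which is why the 90% margin and the AAS-side notification at T3 together cover transit delay and clock skew between the two.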

    [0128] FIG. 7 is a structural diagram of a server according to embodiment 1 of the present invention. The server provided in this embodiment may implement the steps of a server-applicable method provided by any of the embodiments of the present invention. Specifically, the server provided in this embodiment includes an application service network element 11 and an authorization authentication network element 12.

    [0129] The application service network element 11 receives a registration request transmitted by a terminal, where the registration request carries a token indicating a unique identity of a user initiating the registration request and an identification of the user, and the token is assigned by the authorization authentication network element 12 to the user when the user logs onto the terminal.

    [0130] The application service network element 11 performs a registration to the terminal according to the identification, and transmits the token to the authorization authentication network element 12.

    [0131] The authorization authentication network element 12 performs a token authorization to the user according to the token.

    [0132] The application service network element 11 performs an application service interaction with the terminal if the token authorization is passed.

    [0133] Embodiments of the present invention provide a server. An application service network element of the server receives a registration request transmitted by a terminal and transmits the registration request to an authorization authentication network element of the server, where the registration request carries a token indicating a unique identity of a user initiating the registration request, and the token is assigned by the authorization authentication network element of the server to the user when the user logs onto the terminal; then the authorization authentication network element performs a token authorization to the user according to the token; and finally the application service network element performs an application service interaction with the terminal if the token authorization is passed. During this process, an authentication to each individual application service network element is performed through a successful logon of the terminal and an acquisition of the token assigned by the authorization authentication network element of the server to the user. The User ID is used as a unified identifier for application services in trunking communications, and an authentication to the application services is effectively combined with a user logon, such that a unified authentication authorization is achieved and security of the trunking system is improved.

    [0134] Alternatively, in an embodiment of the present invention, before the application service network element 11 receives the registration request transmitted by the terminal, the server further includes:

    the authorization authentication network element 12 receives a logon request transmitted by the user through the terminal, where the logon request carries the identification;

    the authorization authentication network element 12 performs an authentication authorization to the user according to the identification;

    the authorization authentication network element 12 assigns the token to the user if the authentication authorization is passed; and

    the authorization authentication network element 12 transmits a logon response message to the terminal, where the logon response message carries the token.



    [0135] Alternatively, in an embodiment of the present invention, before the application service network element 11 receives the registration request transmitted by the terminal, the server further includes:

    the authorization authentication network element 12 receives a logon request transmitted by the user through the terminal, where the logon request carries the identification;

    the authorization authentication network element 12 performs an authentication authorization to the user according to the identification;

    the authorization authentication network element 12 assigns the token to the user and configures a token expiration time if the authentication authorization is passed; and

    the authorization authentication network element 12 transmits a logon response message to the terminal, where the logon response message carries the token and the token expiration time.



    [0136] Alternatively, in an embodiment of the present invention, before the application service network element 11 performs the application service interaction with the terminal if the token authorization is passed, the server further includes:

    the authorization authentication network element 12 receives a refresh message transmitted by the terminal before the token expiration time expires; and

    the authorization authentication network element 12 reassigns the token and the token expiration time to the terminal according to the refresh message.



    [0137] Alternatively, in an embodiment of the present invention, before the application service network element 11 performs the application service interaction with the terminal if the token authorization is passed, the server further includes:
    the authorization authentication network element 12 transmits a refresh notification to the terminal to enable the terminal to acquire a new token and a token expiration time thereof.

    [0138] FIG. 8 is a structural diagram of a terminal according to embodiment 1 of the present invention. The terminal provided in this embodiment may implement the steps of a terminal-applicable method provided by any of the embodiments of the present invention. Specifically, the terminal provided in this embodiment includes:

    a transmitting module 21, configured to transmit a registration request to an application service network element of a server, where the registration request carries a token indicating a unique identity of a user initiating the registration request and an identification, enabling the application service network element of the server to perform a registration to the terminal according to the identification and transmit the token to an authorization authentication network element of the server which performs a token authorization to the user according to the token, and the token is assigned by the authorization authentication network element of the server to the user when the user logs onto the terminal; and

    an interacting module 22, configured to perform an application service interaction with the application service network element of the application server if the token authorization is passed.



    [0139] FIG. 9 is a structural diagram of a terminal according to embodiment 2 of the present invention. As shown in FIG. 9, the terminal provided in this embodiment further includes a first receiving module 23 based on the terminal as shown in FIG. 8.

    [0140] The transmitting module 21 is configured to: before transmitting the registration request to the application service network element of the server, transmit a logon request to the authorization authentication network element of the server to enable the authorization authentication network element of the server to perform an authentication authorization to the user according to the identification, where the logon request carries the identification.

    [0141] The first receiving module 23 is configured to receive a logon response message transmitted by the authorization authentication network element of the server, where the logon response message carries the token.

    [0142] Reference may be made to FIG. 9 again, and the terminal also includes: a second receiving module 24.

    [0143] The transmitting module 21 is configured to: before transmitting the registration request to the application service network element of the server, transmit a logon request to the authorization authentication network element of the server to enable the authorization authentication network element of the server to perform an authentication authorization to the user according to the identification, where the logon request carries the identification.

    [0144] The second receiving module 24 is configured to receive a logon response message transmitted by the authorization authentication network element of the server, where the logon response message carries the token and a token expiration time.

    [0145] Alternatively, in an embodiment of the present invention, the transmitting module 21 is further configured to: before the interacting module 22 performs the application service interaction with the application service network element of the application server if the token authorization is passed, transmit a refresh message to the authorization authentication network element of the server before the token expiration time expires.

    [0146] The second receiving module 24 is configured to receive the token and the token expiration time reassigned by the authorization authentication network element of the server to the terminal according to the refresh message.

    [0147] Alternatively, before the terminal performs the application service interaction with the application service network element of the application server if the token authorization is passed, the terminal further includes:

    the second receiving module 24 is further configured to: before the interacting module 22 performs the application service interaction with the application service network element of the application server if the token authorization is passed, receive a refresh notification transmitted by the authorization authentication network element of the server after determining that the token expiration time expires;

    the transmitting module 21 is further configured to transmit a refresh message to the authorization authentication network element of the server; and

    the second receiving module 24 is further configured to receive the token and the token expiration time reassigned by the authorization authentication network element of the server to the terminal according to the refresh message.



    [0148] Persons of ordinary skill in the art may understand that all or a part of the steps of the foregoing method embodiments may be implemented by a program instructing relevant hardware. The foregoing program may be stored in a computer readable storage medium. When the program runs, the steps of the foregoing method embodiments are performed. The foregoing storage medium includes various mediums capable of storing program codes, such as a ROM, a RAM, a magnetic disk, or an optical disc.

    [0149] Finally, it should be noted that the foregoing embodiments are merely intended for describing the technical solutions of the present invention rather than limiting the present invention. Although the present invention is described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that they may still make modifications to the technical solutions described in the foregoing embodiments, or make equivalent replacements to some or all technical features therein; however, these modifications or replacements do not make the essence of corresponding technical solutions depart from the scope of the technical solutions in the embodiments of the present invention.


    Claims

    1. A unified authentication method for providing different application services in a trunking system, wherein the trunking system is a dedicated wireless communication system directed to specific applications in an industry, which is developed to meet needs of commanding and dispatching by a user within the industry, wherein the trunking system comprises an authorization authentication network of a server and multiple application service network elements of the server to provide the different application services and wherein the authorization authentication network element is an authentication authorization server, AAS, logic network element and the multiple application service network elements associated with the applications comprise a user information server, UIS, logic network element, a session initiation protocol core, SIP core, logic network element, a short data service, SDS, logic network element, comprising:

    receiving (101), by one application service network element of the server of the multiple application service network elements of the server, a registration request transmitted by a terminal, wherein the registration request carries a token associated with a unique identity of a user initiating the registration request and the identity of the user, User ID, and the token is assigned by the authorization authentication network element of the server to the user when the user logs onto the terminal;

    performing (102), by the one application service network element of the server of the multiple application service network elements of the server, a registration to the terminal according to the User ID, and transmitting the token to the authorization authentication network element of the server;

    performing (103), by the authorization authentication network element of the server, a token authorization to the user according to the token; and

    performing (104), by the one application service network element of the server of the multiple application service network elements of the server, an application service interaction with the terminal if the token authorization is passed;

    performing, by each of the other multiple application service network elements of the server, the token authorization with the authorization authentication network element according to the same token to provide respective different application services to the terminal so as to implement a unified authentication authorization of each of the multiple application service network elements of the server.


     
    2. The method according to claim 1, before the receiving, by the one application service network element of the server of the multiple application service network elements of the server, the registration request transmitted by the terminal, further comprising:

    receiving, by the authorization authentication network element of the server, a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    performing, by the authorization authentication network element of the server, an authentication authorization to the user according to the User ID;

    assigning, by the authorization authentication network element of the server, the token to the user if the authentication authorization is passed; and

    transmitting, by the authorization authentication network element of the server, a logon response message to the terminal, wherein the logon response message carries the token.


     
    3. The method according to claim 1, before the receiving, by the one application service network element of the server of the multiple application service network elements of the server, the registration request transmitted by the terminal, further comprising:

    receiving, by the authorization authentication network element of the server, a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    performing, by the authorization authentication network element of the server, an authentication authorization to the user according to the User ID;

    assigning, by the authorization authentication network element of the server, the token to the user and configuring a token expiration time if the authentication authorization is passed; and

    transmitting, by the authorization authentication network element of the server, a logon response message to the terminal, wherein the logon response message carries the token and the token expiration time.


     
    4. The method according to claim 3, before the performing, by the one application service network element of the server of the multiple application service network elements of the server, the application service interaction with the terminal if the token authorization is passed, further comprising:

    receiving, by the authorization authentication network element of the server, a refresh message transmitted by the terminal before the token expiration time expires; and

    reassigning, by the authorization authentication network element of the server, the token and the token expiration time to the terminal according to the refresh message.


     
    5. The method according to claim 3, before the performing, by the one application service network element of the server of the multiple application service network elements of the server, the application service interaction with the terminal if the token authorization is passed, further comprising:
    transmitting, by the authorization authentication network element of the server, a refresh notification to the terminal to enable the terminal to acquire a new token and a token expiration time.
     
    6. A server for unified authentication to provide different application services in a trunking system, wherein the trunking system is a dedicated wireless communication system directed to specific applications in an industry, which are developed to meet needs of commanding and dispatching by a user within the industry, the server comprises an authorization authentication network element and multiple application service network elements to provide the different application services, and wherein the authorization authentication network element is an authentication authorization server, AAS, logic network element and the multiple application service network elements associated with the applications comprise a user information server, UIS, logic network element, a session initiation protocol core, SIP core, logic network element, a short data service, SDS, logic network element,

    wherein one application service network element of the multiple application service network elements receives a registration request transmitted by a terminal, the registration request carries a token associated with a unique identity of a user initiating the registration request and the identity of the user, User ID, and the token is assigned by the authorization authentication network element (12) to the user when the user logs onto the terminal;

    the one application service network element of the multiple application service network elements performs a registration to the terminal according to the User ID, and transmits the token to the authorization authentication network element (12);

    the authorization authentication network element (12) performs a token authorization to the user according to the token; and

    the one application service network element of the multiple application service network elements performs an application service interaction with the terminal if the token authorization is passed;

    each of the other multiple application service network elements performs the token authorization with the authorization authentication network element according to the same token to provide respective different application services to the terminal so as to implement a unified authentication authorization of each of the multiple application service network elements of the server.


     
    7. The server according to claim 6, before the one application service network element of the multiple application service network elements receives the registration request transmitted by the terminal, further comprising:

    the authorization authentication network element (12) receives a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    the authorization authentication network element (12) performs an authentication authorization to the user according to the User ID;

    the authorization authentication network element (12) assigns the token to the user if the authentication authorization is passed; and

    the authorization authentication network element (12) transmits a logon response message to the terminal, wherein the logon response message carries the token.


     
    8. The server according to claim 6, before the one application service network element of the multiple application service network elements receives the registration request transmitted by the terminal, further comprising:

    the authorization authentication network element (12) receives a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    the authorization authentication network element (12) performs an authentication authorization to the user according to the User ID;

    the authorization authentication network element (12) assigns the token to the user and configures a token expiration time if the authentication authorization is passed; and

    the authorization authentication network element (12) transmits a logon response message to the terminal, wherein the logon response message carries the token and the token expiration time.


     
    9. The server according to claim 8, before one application service network element of the multiple application service network elements performs the application service interaction with the terminal if the token authorization is passed, further comprising:

    the authorization authentication network element (12) receives a refresh message transmitted by the terminal before the token expiration time expires; and

    the authorization authentication network element (12) reassigns the token and the token expiration time to the terminal according to the refresh message.


     
    10. The server according to claim 8, before one application service network element of the multiple application service network elements performs the application service interaction with the terminal if the token authorization is passed, further comprising:
    the authorization authentication network element (12) transmits a refresh notification to the terminal to enable the terminal to obtain a new token and a token expiration time.
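The claims above describe one procedure: the terminal logs on once at the authorization authentication network element (AAS) and receives a token (claims 2, 3, 7, 8); it then presents that token together with its User ID to any application service network element (UIS, SIP core, SDS), which forwards the token to the AAS for token authorization before serving the terminal (claims 1, 6); and the token can be reassigned before its expiration time, on a refresh message from the terminal or a refresh notification from the AAS (claims 4, 5, 9, 10). The following Python simulation is an added illustration of that flow, not code from the patent or from the proprietor. Everything concrete in it is assumed here: the password check at logon (the claims only say the AAS authenticates the User ID), the random URL-safe token, the in-memory token table, the injectable clock, the message names and the constructed user `dispatcher01`. It also goes one step beyond the claims in a way a practitioner would want: the AAS checks that the User ID in the registration request is the one the token was assigned to, so a token captured from one user cannot be replayed under another identity, and a refresh retires the old token so only one token per logon is live.

```python
# Unified token authorization in a trunking server: one logon at the AAS, one
# token, several application service network elements (UIS, SIP core, SDS)
# that each validate that same token with the AAS.  Added illustration, not
# code from the patent or its proprietor.  Assumed: a password check at logon,
# a random URL-safe token, an in-memory token table, an injectable clock and
# the constructed sample user "dispatcher01".
import secrets
from typing import Callable, Dict, Optional, Tuple


class FakeClock:
    """Controllable clock so expiry and refresh can be exercised offline."""
    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


class AAS:
    """Authentication authorization server: the only element that assigns and
    validates tokens; the application service elements hold no credentials."""

    def __init__(self, credentials: Dict[str, str], lifetime: float,
                 clock: Callable[[], float]) -> None:
        self._credentials = credentials   # User ID -> password (constructed sample)
        self._lifetime = lifetime         # token lifetime in seconds
        self._clock = clock
        self._tokens: Dict[str, Tuple[str, float]] = {}  # token -> (User ID, expiry)

    def logon(self, user_id: str, password: str) -> Optional[Tuple[str, float]]:
        """Logon request carrying the User ID; logon response is (token, expiry)."""
        if not secrets.compare_digest(self._credentials.get(user_id, ""), password):
            return None
        return self._issue(user_id)

    def _issue(self, user_id: str) -> Tuple[str, float]:
        token = secrets.token_urlsafe(32)             # unguessable, unique per logon
        expires_at = self._clock() + self._lifetime
        self._tokens[token] = (user_id, expires_at)
        return token, expires_at

    def authorize(self, token: str, user_id: str) -> bool:
        """Token authorization asked for by a service element.  The token must
        exist, be unexpired and be bound to the User ID in the registration
        request, so a token captured from one user is useless under another."""
        rec = self._tokens.get(token)
        if rec is None or rec[0] != user_id:
            return False
        if self._clock() >= rec[1]:
            del self._tokens[token]                   # expired: forget it
            return False
        return True

    def refresh(self, token: str, user_id: str) -> Optional[Tuple[str, float]]:
        """Refresh message received before expiry: reassigns token and expiry and
        retires the old token so only one token per logon is live."""
        if not self.authorize(token, user_id):
            return None
        del self._tokens[token]
        return self._issue(user_id)


class ApplicationServiceNE:
    """UIS, SIP core or SDS: registers the terminal and delegates every token
    check to the AAS instead of authenticating the user itself."""

    def __init__(self, name: str, aas: AAS) -> None:
        self.name, self._aas, self.registered = name, aas, set()

    def register(self, user_id: str, token: str) -> bool:
        """Registration request carrying (token, User ID)."""
        if not self._aas.authorize(token, user_id):
            return False
        self.registered.add(user_id)
        return True

    def serve(self, user_id: str, token: str) -> Optional[str]:
        """Service interaction; re-checked with the AAS, so an expired or retired
        token stops working without the NE tracking lifetimes itself."""
        if user_id not in self.registered or not self._aas.authorize(token, user_id):
            return None
        return f"{self.name} service for {user_id}"


def demo() -> dict:
    # Walks the claimed flow once and returns the observable outcomes.
    clock = FakeClock(1000.0)
    aas = AAS({"dispatcher01": "s3cret"}, lifetime=300.0, clock=clock)
    uis, sip, sds = (ApplicationServiceNE(n, aas) for n in ("UIS", "SIP core", "SDS"))
    r = {"bad_password": aas.logon("dispatcher01", "wrong") is None}
    token, exp = aas.logon("dispatcher01", "s3cret")
    r["all_registered"] = all(ne.register("dispatcher01", token) for ne in (uis, sip, sds))
    r["sds_served"] = sds.serve("dispatcher01", token)
    r["wrong_user"] = uis.register("intruder", token)          # same token, other User ID
    r["forged"] = uis.register("dispatcher01", secrets.token_urlsafe(32))
    clock.t += 200                                              # still before expiry
    new_token, new_exp = aas.refresh(token, "dispatcher01")
    r["old_token_dead"] = sip.serve("dispatcher01", token) is None
    r["new_token_live"] = sip.serve("dispatcher01", new_token) is not None
    r["expiry_extended"] = new_exp > exp
    clock.t += 301                                              # past the new expiry
    r["expired_refused"] = sip.serve("dispatcher01", new_token) is None
    r["refresh_after_expiry"] = aas.refresh(new_token, "dispatcher01") is None
    return r
```

`demo()` returns a dictionary recording each outcome: the wrong password yields no token; one token registers the terminal at all three elements and the SDS serves it; the same token under another User ID and a forged token are both refused; the refresh before expiry yields a new token with a later expiration while the old one stops working; and after the new expiration time both service interaction and a further refresh are refused. The only state an application service element keeps is its registration set, which is the point of the unified scheme: revoking or expiring the token at the AAS cuts off every service at once.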
     


    Claims (German version, translated into English)

    1. A unified authentication method for providing different application services in a trunking system, wherein the trunking system is a dedicated wireless communication system directed to specific applications in an industry and developed to meet the needs of commanding and dispatching by a user within the industry, wherein the trunking system comprises an authorization authentication network element of a server and multiple application service network elements of the server to provide the different application services, and wherein the authorization authentication network element is an authentication authorization server, AAS, logic network element and the multiple application service network elements associated with the applications comprise a user information server, UIS, logic network element, a session initiation protocol core, SIP core, logic network element, and a short data service, SDS, logic network element, the method comprising:

    receiving (101), by one application service network element of the server of the multiple application service network elements of the server, a registration request transmitted by a terminal, wherein the registration request carries a token associated with a unique identity of a user initiating the registration request and the identity of the user, User ID, and the token is assigned by the authorization authentication network element of the server to the user when the user logs onto the terminal;

    performing (102), by the one application service network element of the server of the multiple application service network elements of the server, a registration to the terminal according to the User ID, and transmitting the token to the authorization authentication network element of the server;

    performing (103), by the authorization authentication network element of the server, a token authorization to the user according to the token; and

    performing (104), by the one application service network element of the server of the multiple application service network elements of the server, an application service interaction with the terminal if the token authorization is passed;

    performing, by each of the other multiple application service network elements of the server, the token authorization with the authorization authentication network element according to the same token to provide respective different application services to the terminal so as to implement a unified authentication authorization of each of the multiple application service network elements of the server.


    2. The method according to claim 1, before the receiving, by the one application service network element of the server of the multiple application service network elements of the server, of the registration request transmitted by the terminal, further comprising:

    receiving, by the authorization authentication network element of the server, a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    performing, by the authorization authentication network element of the server, an authentication authorization to the user according to the User ID;

    assigning, by the authorization authentication network element of the server, the token to the user if the authentication authorization is passed; and

    transmitting, by the authorization authentication network element of the server, a logon response message to the terminal, wherein the logon response message carries the token.


    3. The method according to claim 1, before the receiving, by the one application service network element of the server of the multiple application service network elements of the server, of the registration request transmitted by the terminal, further comprising:

    receiving, by the authorization authentication network element of the server, a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    performing, by the authorization authentication network element of the server, an authentication authorization to the user according to the User ID;

    assigning, by the authorization authentication network element of the server, the token to the user and configuring a token expiration time if the authentication authorization is passed; and

    transmitting, by the authorization authentication network element of the server, a logon response message to the terminal, wherein the logon response message carries the token and the token expiration time.


    4. The method according to claim 3, before the performing, by the one application service network element of the server of the multiple application service network elements of the server, of the application service interaction with the terminal if the token authorization is passed, further comprising:

    receiving, by the authorization authentication network element of the server, a refresh message transmitted by the terminal before the token expiration time expires; and

    reassigning, by the authorization authentication network element of the server, the token and the token expiration time to the terminal according to the refresh message.


    5. The method according to claim 3, before the performing, by the one application service network element of the server of the multiple application service network elements of the server, of the application service interaction with the terminal if the token authorization is passed, further comprising:
    transmitting, by the authorization authentication network element of the server, a refresh notification to the terminal to enable the terminal to acquire a new token and a token expiration time.


    6. A server for unified authentication for providing different application services in a trunking system, wherein the trunking system is a dedicated wireless communication system directed to specific applications in an industry, which are developed to meet the needs of commanding and dispatching by a user within the industry, wherein the server comprises an authorization authentication network element and multiple application service network elements to provide the different application services, and wherein the authorization authentication network element is an authentication authorization server, AAS, logic network element and the multiple application service network elements associated with the applications comprise a user information server, UIS, logic network element, a session initiation protocol core, SIP core, logic network element, and a short data service, SDS, logic network element,

    wherein one application service network element of the multiple application service network elements receives a registration request transmitted by a terminal, wherein the registration request carries a token associated with a unique identity of a user initiating the registration request and the identity of the user, User ID, and the token is assigned by the authorization authentication network element (12) to the user when the user logs onto the terminal;

    the one application service network element of the multiple application service network elements performs a registration to the terminal according to the User ID and transmits the token to the authorization authentication network element (12);

    the authorization authentication network element (12) performs a token authorization to the user according to the token; and

    the one application service network element of the multiple application service network elements performs an application service interaction with the terminal if the token authorization is passed;

    each of the other multiple application service network elements performs the token authorization with the authorization authentication network element according to the same token to provide respective different application services to the terminal so as to implement a unified authentication authorization of each of the multiple application service network elements of the server.


    7. The server according to claim 6, before the one application service network element of the multiple application service network elements receives the registration request transmitted by the terminal, further comprising:

    the authorization authentication network element (12) receives a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    the authorization authentication network element (12) performs an authentication authorization to the user according to the User ID;

    the authorization authentication network element (12) assigns the token to the user if the authentication authorization is passed; and

    the authorization authentication network element (12) transmits a logon response message to the terminal, wherein the logon response message carries the token.


    8. The server according to claim 6, before the one application service network element of the multiple application service network elements receives the registration request transmitted by the terminal, further comprising:

    the authorization authentication network element (12) receives a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    the authorization authentication network element (12) performs an authentication authorization to the user according to the User ID;

    the authorization authentication network element (12) assigns the token to the user and configures a token expiration time if the authentication authorization is passed; and

    the authorization authentication network element (12) transmits a logon response message to the terminal, wherein the logon response message carries the token and the token expiration time.


    9. The server according to claim 8, before one application service network element of the multiple application service network elements performs the application service interaction with the terminal if the token authorization is passed, further comprising:

    the authorization authentication network element (12) receives a refresh message transmitted by the terminal before the token expiration time expires; and

    the authorization authentication network element (12) reassigns the token and the token expiration time to the terminal according to the refresh message.


    10. The server according to claim 8, before one application service network element of the multiple application service network elements performs the application service interaction with the terminal if the token authorization is passed, further comprising:
    the authorization authentication network element (12) transmits a refresh notification to the terminal to enable the terminal to obtain a new token and a token expiration time.



    Claims (French version, translated into English)

    1. A unified authentication method for providing different application services in a trunking system, wherein the trunking system is a dedicated wireless communication system directed to specific applications in an industry and developed to meet the needs of commanding and dispatching by a user within the industry, wherein the trunking system comprises an authorization authentication network element of a server and multiple application service network elements of the server to provide the different application services, and wherein the authorization authentication network element is an authentication authorization server, AAS, logic network element and the multiple application service network elements associated with the applications comprise a user information server, UIS, logic network element, a session initiation protocol core, SIP core, logic network element, and a short data service, SDS, logic network element, the method comprising the following steps:

    receiving (101), by one application service network element of the server of the multiple application service network elements of the server, a registration request transmitted by a terminal, wherein the registration request carries a token associated with a unique identity of a user initiating the registration request and the identity of the user, User ID, and the token is assigned by the authorization authentication network element of the server to the user when the user logs onto the terminal;

    performing (102), by the one application service network element of the server of the multiple application service network elements of the server, a registration to the terminal according to the User ID, and transmitting the token to the authorization authentication network element of the server;

    performing (103), by the authorization authentication network element of the server, a token authorization to the user according to the token; and

    performing (104), by the one application service network element of the server of the multiple application service network elements of the server, an application service interaction with the terminal if the token authorization is passed;

    performing, by each of the other multiple application service network elements of the server, the token authorization with the authorization authentication network element according to the same token to provide respective different application services to the terminal so as to implement a unified authentication authorization of each of the multiple application service network elements of the server.


    2. The method according to claim 1, before the receiving, by the one application service network element of the server of the multiple application service network elements of the server, of the registration request transmitted by the terminal, further comprising the following steps:

    receiving, by the authorization authentication network element of the server, a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    performing, by the authorization authentication network element of the server, an authentication authorization to the user according to the User ID;

    assigning, by the authorization authentication network element of the server, the token to the user if the authentication authorization is passed; and

    transmitting, by the authorization authentication network element of the server, a logon response message to the terminal, the logon response message carrying the token.


    3. The method according to claim 1, before the receiving, by the one application service network element of the server of the multiple application service network elements of the server, of the registration request transmitted by the terminal, further comprising the following steps:

    receiving, by the authorization authentication network element of the server, a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    performing, by the authorization authentication network element of the server, an authentication authorization to the user according to the User ID;

    assigning, by the authorization authentication network element of the server, the token to the user and configuring a token expiration time if the authentication authorization is passed; and

    transmitting, by the authorization authentication network element of the server, a logon response message to the terminal, wherein the logon response message carries the token and the token expiration time.


    4. The method according to claim 3, before the performing, by the one application service network element of the server of the multiple application service network elements of the server, of the application service interaction with the terminal if the token authorization is passed, further comprising the following steps:

    receiving, by the authorization authentication network element of the server, a refresh message transmitted by the terminal before the token expiration time expires; and

    reassigning, by the authorization authentication network element of the server, the token and the token expiration time to the terminal according to the refresh message.


    5. The method according to claim 3, before the performing, by the one application service network element of the server of the multiple application service network elements of the server, of the application service interaction with the terminal if the token authorization is passed, further comprising the following step:
    transmitting, by the authorization authentication network element of the server, a refresh notification to the terminal to enable the terminal to acquire a new token and a token expiration time.


    6. A server for unified authentication for providing different application services in a trunking system, wherein the trunking system is a dedicated wireless communication system directed to specific applications in an industry, which are developed to meet the needs of commanding and dispatching by a user within the industry, wherein the server comprises an authorization authentication network element and multiple application service network elements to provide the different application services, and wherein the authorization authentication network element is an authentication authorization server, AAS, logic network element and the multiple application service network elements associated with the applications comprise a user information server, UIS, logic network element, a session initiation protocol core, SIP core, logic network element, and a short data service, SDS, logic network element,

    wherein one application service network element of the multiple application service network elements receives a registration request transmitted by a terminal, the registration request carries a token associated with a unique identity of a user initiating the registration request and the identity of the user, User ID, and the token is assigned by the authorization authentication network element (12) to the user when the user logs onto the terminal;

    the one application service network element of the multiple application service network elements performs a registration to the terminal according to the User ID and transmits the token to the authorization authentication network element (12);

    the authorization authentication network element (12) performs a token authorization to the user according to the token; and

    the one application service network element of the multiple application service network elements performs an application service interaction with the terminal if the token authorization is passed;

    each of the other multiple application service network elements performs the token authorization with the authorization authentication network element according to the same token to provide respective different application services to the terminal so as to implement a unified authentication authorization of each of the multiple application service network elements of the server.


    7. The server according to claim 6, before the one application service network element of the multiple application service network elements receives the registration request transmitted by the terminal, further comprising the following steps:

    the authorization authentication network element (12) receives a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    the authorization authentication network element (12) performs an authentication authorization to the user according to the User ID;

    the authorization authentication network element (12) assigns the token to the user if the authentication authorization is passed; and

    the authorization authentication network element (12) transmits a logon response message to the terminal, the logon response message carrying the token.


    8. The server according to claim 6, before the one application service network element of the multiple application service network elements receives the registration request transmitted by the terminal, further comprising the following steps:

    the authorization authentication network element (12) receives a logon request transmitted by the user through the terminal, wherein the logon request carries the User ID;

    the authorization authentication network element (12) performs an authentication authorization to the user according to the User ID;

    the authorization authentication network element (12) assigns the token to the user and configures a token expiration time if the authentication authorization is passed; and

    the authorization authentication network element (12) transmits a logon response message to the terminal, the logon response message carrying the token and the token expiration time.


    9. The server according to claim 8, before one application service network element of the multiple application service network elements performs the application service interaction with the terminal if the token authorization is passed, further comprising the following steps:

    the authorization authentication network element (12) receives a refresh message transmitted by the terminal before the token expiration time expires; and

    the authorization authentication network element (12) reassigns the token and the token expiration time to the terminal according to the refresh message.


    10. The server according to claim 8, before one application service network element of the multiple application service network elements performs the application service interaction with the terminal if the token authorization is passed, further comprising the following step:
    the authorization authentication network element (12) transmits a refresh notification to the terminal to enable the terminal to obtain a new token and a token expiration time.





    Drawing

    (Figures of the specification; not reproduced in this text.)
