Delegation of authority for users of sign-on service

US 10,021,086 B2
Filed: 04/19/2016
Issued: 07/10/2018
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by one or more computing systems providing a first service, a credential provided by an access manager system for a user that is interacting with the first service and that has performed sign-on activities with the access manager system, wherein the credential represents authority granted from the access manager system to perform subsequent interactions with the access manager system on behalf of the user;

sending, by the one or more computing systems over one or more computer networks to a second service, instructions from the first service for the second service to provide functionality for the user, wherein the functionality is based at least in part on delegation, from the first service to the second service, of at least some of the authority granted from the access manager system for the subsequent interactions with the access manager system on behalf of the user, and wherein the sending of the instructions includes sending the credential from the first service to the second service and is initiated by one or more interactions of the user with the first service; and

performing, by the one or more computing systems, and after the second service provides the functionality for the user based at least in part on the authority delegated from the first service to the second service by using the sent credential to interact with the access manager system on behalf of the user, one or more additional interactions with the user based at least in part on the provided functionality.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for providing customizable sign-on functionality, such as via an access manager system that provides single sign-on functionality and other functionality to other services for use with those services'"'"' users. The access manager system may maintain various sign-on and other account information for various users, and provide single sign-on functionality for those users using that maintained information on behalf of multiple unrelated services with which those users interact. The access manager may allow a variety of types of customizations to single sign-on functionality and/or other functionality available from the access manager, such as on a per-service basis via configuration by an operator of the service, such as co-branding customizations, customizations of information to be gathered from users, customizations of authority that may be delegated to other services to act on behalf of users, etc., and with the customizations that are available being determined specifically for that service.

Citations

10 Claims

1. A computer-implemented method comprising:
- receiving, by one or more computing systems providing a first service, a credential provided by an access manager system for a user that is interacting with the first service and that has performed sign-on activities with the access manager system, wherein the credential represents authority granted from the access manager system to perform subsequent interactions with the access manager system on behalf of the user;
  
  sending, by the one or more computing systems over one or more computer networks to a second service, instructions from the first service for the second service to provide functionality for the user, wherein the functionality is based at least in part on delegation, from the first service to the second service, of at least some of the authority granted from the access manager system for the subsequent interactions with the access manager system on behalf of the user, and wherein the sending of the instructions includes sending the credential from the first service to the second service and is initiated by one or more interactions of the user with the first service; and
  
  performing, by the one or more computing systems, and after the second service provides the functionality for the user based at least in part on the authority delegated from the first service to the second service by using the sent credential to interact with the access manager system on behalf of the user, one or more additional interactions with the user based at least in part on the provided functionality.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1 further comprising, by the one or more computing systems, performing the one or more interactions with the user, and directing, based at least in part on the one or more interactions with the user, the user to perform further interactions with the second service to obtain the functionality from the second service.
  - 3. The computer-implemented method of claim 1 wherein the first service is a customer of the access manager system that uses sign-on services of the access manager system, and wherein the method further comprises:
    - authorizing, by at least one computing system providing the access manager system, the user based on identifying information received for the user; and
      
      sending, by the at least one computing system and based at least in part on the authorizing, the credential to the first service, to enable the first service to later use the credential to demonstrate the authority of the first service for interacting with the access manager system on behalf of the user.
  - 4. The computer-implemented method of claim 3 further comprising participating, by the at least one computing system, in one or more interactions with the second service over the one or more computer networks that include receiving from the second service the credential and a request to use stored information associated with the user, and that further include authorizing the use by the second service of the stored information associated with the user based at least in part on receiving the credential from the second service.
  - 5. The computer-implemented method of claim 1 further comprising:
    - receiving, by at least one computing system providing the second service, the instructions and the credential from the first user;
      
      providing, by the at least one computing system and based at least in part on the authority of the first service that is delegated to the second service, the functionality for the user; and
      
      sending, by the at least one computing system, response information regarding the provided functionality.
  - 6. The computer-implemented method of claim 5 wherein the providing of the functionality for the user further includes participating, by the at least one computing system, in one or more interactions with the access manager system to use the received credential to obtain access to stored information associated with the user, and that further include receiving functionality from the access manager system based on the access to the stored information associated with the user.

7. A non-transitory computer-readable medium having stored contents that cause a computing system of an access manager system to:
- authorize, by the computing system, a user based on identifying information that is received for the user;
  
  provide, by the computing system, a credential to a first service that is a customer of the access manager system, wherein the user is interacting with the first service, and wherein the credential is provided by the access manager system to represent authority granted from the access manager system to perform subsequent interactions with the access manager system on behalf of the user;
  
  receive, by the computing system and after the providing of the credential, a request from a second service to use stored information for the user accessible to the access manager system, wherein the received request includes the credential;
  
  determine, by the computing system, that the second service is authorized to receive a delegation of at least some of the authority from the first service to enable use of the stored information for the user; and
  
  send, by the computing system and based on the credential included in the received request and the delegation of the at least some authority, a response over one or more computer networks to the second service that is based on the stored information for the user.
- View Dependent Claims (8, 9, 10)
- - 8. The non-transitory computer-readable medium of claim 7 wherein the stored contents include instructions that, when executed, further cause the computing system to interact, before the receiving of the request, with the first service to determine authorization of the first service to delegate the at least some of the authority, the at least some authority providing access to one or more specified types of information associated with the user, and wherein the determining that the second service is authorized to receive the delegation of the at least some authority from the first service is based at least in part on the stored information to be used being of the one or more specified types.
  - 9. The non-transitory computer-readable medium of claim 7 wherein the stored contents further cause the computing system to determine that the first service is authorized to perform the delegation of the at least some authority to the second service, and wherein the sending of the response includes sending at least some of the stored information to the second service and is further performed based on the determining that the first service is authorized and on the determining that the second service is authorized.
  - 10. The non-transitory computer-readable medium of claim 7 wherein the stored contents include instructions that, when executed, further cause the computing system to:
    - before the authorizing of the user, register the first service as a customer of the access manager system; and
      
      after the registering of the first service, receive, by the computing system, a sign-on request for the user to the first service, wherein the received sign-on request includes the identifying information received for the user, and wherein the authorizing of the user is performed in response to the received sign-on request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sirota, Peter
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US15/133,125
Publication Number

US 20160234200A1
Time in Patent Office

812 Days
Field of Search

None
US Class Current
CPC Class Codes

G06Q 10/06315   Needs-based resource requir...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 30/0201   Market modelling; Market an...

G06Q 30/0203   Market surveys; Market polls

G06Q 30/0621   Item configuration or custo...

H04L 63/06   for supporting key manageme...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Delegation of authority for users of sign-on service

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Delegation of authority for users of sign-on service

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links