System and method for implementing a hosted authentication service

US 10,148,630 B2
Filed: 07/31/2014
Issued: 12/04/2018
Est. Priority Date: 07/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more hardware platforms implementing a hosted authentication service to provide authentication services for relying parties, the hosted authentication service and the relying parties being separate parties, the hosted authentication service registering a relying party by sharing a key with the relying party, the hosted authentication service comprising an administration portal through which a relying party administrator configures the hosted authentication service to provide authentication services on behalf of the relying party;

a first program code component provided by the hosted authentication service is inserted into an application hosted by the relying party, the first program code component causing a client device accessing the application to be redirected to the hosted authentication service for user-authentication and other authentication-related functions including registering one or more new authenticators and deregistering one or more authenticators of a user'"'"'s client device; and

the hosted authentication service, based on a plurality of different authentication-related events occurring between the client device and the hosted authentication service, transmitting a plurality of assertions directly to the relying party thereby bypassing the client device, each assertion of the plurality of assertions specifying one different authentication-related event occurring between the client device and the hosted authentication service, each assertion of the plurality of assertions including at least one indication, wherein a first assertion indicates that the user has registered a new authenticator, a second assertion indicates that the user has deregistered an authenticator, and a third assertion indicates that the user has authenticated with the authentication service using an authenticator, wherein the relying party validating each one of the plurality of assertions using the key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for a hosted authentication service. For example, one embodiment of a system comprises: a hosted authentication service to provide authentication services for relying parties, the hosted authentication service registering a relying party by sharing a key with the relying party; a first program code component inserted into an application hosted by the relying party, the first program code component causing a client device accessing the application to be redirected to the hosted authentication service for authentication-related functions; and the hosted authentication service transmitting one or more assertions to the relying party specifying authentication-related events occurring between the client device and the hosted authentication service, the relying party validating the assertions using the key.

333 Citations

20 Claims

1. A system comprising:
- one or more hardware platforms implementing a hosted authentication service to provide authentication services for relying parties, the hosted authentication service and the relying parties being separate parties, the hosted authentication service registering a relying party by sharing a key with the relying party, the hosted authentication service comprising an administration portal through which a relying party administrator configures the hosted authentication service to provide authentication services on behalf of the relying party;
  
  a first program code component provided by the hosted authentication service is inserted into an application hosted by the relying party, the first program code component causing a client device accessing the application to be redirected to the hosted authentication service for user-authentication and other authentication-related functions including registering one or more new authenticators and deregistering one or more authenticators of a user'"'"'s client device; and
  
  the hosted authentication service, based on a plurality of different authentication-related events occurring between the client device and the hosted authentication service, transmitting a plurality of assertions directly to the relying party thereby bypassing the client device, each assertion of the plurality of assertions specifying one different authentication-related event occurring between the client device and the hosted authentication service, each assertion of the plurality of assertions including at least one indication, wherein a first assertion indicates that the user has registered a new authenticator, a second assertion indicates that the user has deregistered an authenticator, and a third assertion indicates that the user has authenticated with the authentication service using an authenticator, wherein the relying party validating each one of the plurality of assertions using the key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system as in claim 1 wherein the key comprises a symmetric assertion key.
  - 3. The system as in claim 2 wherein the hosted authentication service generates a first signature over data in one of the plurality of assertions using the symmetric assertion key, the relying party using its copy of the symmetric assertion key to generate a second signature over the data in the one of the plurality of assertions and comparing the first signature with the second signature to validate the one of the plurality of assertions.
  - 4. The system as in claim 1 wherein the first program code component comprises hypertext markup language (HTML) code and wherein the application comprises a Web application.
  - 5. The system as in claim 1 further comprising:
    - a second program code component inserted into a back-end component of the application hosted by the relying party, the second program code component securely storing the key.
  - 6. The system as in claim 5 wherein the application comprises a Web application including the back-end and a front-end comprising hypertext markup language (HTML) code.
  - 7. The system as in claim 1 wherein the administration portal generates front-end code to be applied to a front-end of the application and back-end code to be applied to a back-end of the application, the front-end code usable to redirect client devices to the hosted authentication service and the back-end code usable to securely store and access the key.
  - 8. The system as in claim 1 wherein each one of the plurality of assertions further includes an indication of an authenticator type, model, and/or strength.

9. A method comprising:
- registering a relying party at a hosted authentication service by sharing a key with the relying party, the hosted authentication service and the relying parties being separate parties, the hosted authentication service comprising an administration portal through which a relying party administrator configures the hosted authentication service to provide authentication services on behalf of the relying party;
  
  inserting a first program code component provided by the hosted authentication device into an application hosted by the relying party, the first program code component causing a client device accessing the application to be redirected to the hosted authentication service for user-authentication and other authentication-related functions including registering one or more new authenticators and deregistering one or more authenticators of a user'"'"'s client device; and
  
  transmitting, based on a plurality of authentication-related events occurring between the client device and the hosted authentication service, a plurality of assertions from the hosted authentication service directly to the relying party thereby bypassing the client device, each assertion of the plurality of assertions specifying one different authentication-related event occurring between the client device and the hosted authentication service, each assertion of the plurality of assertions including at least one indication, wherein a first assertion indicates that the user has registered a new authenticator, a second assertion indicates that the user has deregistered an authenticator, and a third assertion indicates that the user has authenticated with the authentication service using an authenticator, wherein the relying party validating each one of the plurality of assertions using the key.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method as in claim 9 wherein the key comprises a symmetric assertion key.
  - 11. The method as in claim 10 wherein the hosted authentication service generates a first signature over data in one of the plurality of assertions using the symmetric assertion key, the relying party using its copy of the symmetric assertion key to generate a second signature over the data in the one of the plurality of assertions and comparing the first signature with the second signature to validate the one of the plurality of assertions.
  - 12. The method as in claim 9 wherein the first program code component comprises hypertext markup language (HTML) code and wherein the application comprises a Web application.
  - 13. The method as in claim 9 further comprising:
    - a second program code component inserted into a back-end component of the application hosted by the relying party, the second program code component securely storing the key.
  - 14. The method as in claim 13 wherein the application comprises a Web application including the back-end and a front-end comprising hypertext markup language (HTML) code.
  - 15. The method as in claim 9 wherein the administration portal generates front-end code to be applied to a front-end of the application and back-end code to be applied to a back-end of the application, the front-end code usable to redirect client devices to the hosted authentication service and the back-end code usable to securely store and access the key.
  - 16. The method as in claim 9 wherein each one of the plurality of assertions further includes an indication of an authenticator type, model, and/or strength.

17. A non-transitory machine-readable medium having program code stored thereon which, when executed by a machine, causes the machine to perform operations of:
- registering a relying party at a hosted authentication service by sharing a key with the relying party, the hosted authentication service and the relying parties being separate parties, the hosted authentication service comprising an administration portal through which a relying party administrator configures the hosted authentication service to provide authentication services on behalf of the relying party;
  
  inserting a first program code component provided by the hosted authentication service into an application hosted by the relying party, the first program code component causing a client device accessing the application to be redirected to the hosted authentication service for user-authentication and other authentication-related functions including registering one or more new authenticators and deregistering one or more authenticators of a user'"'"'s client device; and
  
  transmitting, based on a plurality of different authentication-related-events occurring between the client device and the hosted authentication service, a plurality of assertions from the hosted authentication service directly to the relying party thereby bypassing the client device, each assertion of the plurality of assertions specifying one different authentication-related event occurring between the client device and the hosted authentication service, each assertion of the plurality of assertions including at least one indication, wherein a first assertion indicates that the user has registered a new authenticator, a second assertion indicates that the user has deregistered an authenticator, and a third assertion indicates that the user has authenticated with the authentication service using an authenticator, wherein the relying party validating each one of the plurality of assertions using the key.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory machine-readable medium as in claim 17 wherein the key comprises a symmetric assertion key.
  - 19. The non-transitory machine-readable medium as in claim 18 wherein the hosted authentication service generates a first signature over data in one of the plurality of assertions using the symmetric assertion key, the relying party using its copy of the symmetric assertion key to generate a second signature over the data in the one of the plurality of assertions and comparing the first signature with the second signature to validate the one of the plurality of assertions.
  - 20. The non-transitory machine-readable medium as in claim 17 wherein the first program code component comprises hypertext markup language (HTML) code and wherein the application comprises a Web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Baghdasaryan, Davit
Primary Examiner(s)
Alata, Ayoub

Application Number

US14/448,814
Publication Number

US 20160248742A1
Time in Patent Office

1,587 Days
Field of Search
US Class Current
CPC Class Codes

G06Q 20/40   Authorisation, e.g. identif...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04W 4/80   Services using short range ...

System and method for implementing a hosted authentication service

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

333 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing a hosted authentication service

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

333 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links