Managed identity federation

US 10,243,945 B1
Filed: 10/28/2013
Issued: 03/26/2019
Est. Priority Date: 10/28/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

at a first system of a computing resource service provider;

collecting cryptographic information from a plurality of identity verification providers, the cryptographic information including a plurality of cryptographic keys, each cryptographic key usable to analyze tokens generated by a different identity verification provider of the plurality of identity verification providers; and

providing configuration information to a plurality of systems of the computing resource service provider different from the first system, the configuration information including at least the plurality of cryptographic keys, the configuration information provided to the plurality of systems being specific to each of the plurality of systems; and

by one of the plurality of systems of the computing resource service provider different from the first system;

receiving, from a requestor that is separate from the plurality of identity verification providers and the first system, a request that includes a submitted token;

determining, using the configuration information already provided by the first system, that the submitted token includes a valid attestation by the identity verification provider associated with the one of the plurality of cryptographic keys and that the requestor is allowed to have the request fulfilled, the requestor lacking access to the plurality of cryptographic keys; and

when it is determined that the requestor is allowed to have the request fulfilled, fulfilling the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Managed identity federation provides numerous options for authentication to access one or more services. A user authenticates with an identity verification provider and provides proof of authentication to a service of a service provider. The service of the service provider is configured to verify the user'"'"'s identity using a centrally managed identity provider configuration. This configuration is distributed without intervention of the service'"'"'s administrators. This centrally-managed configuration allows a variety of enterprise and third-party services to utilize the service provider'"'"'s billing, security, and other administrative services.

342 Citations

21 Claims

1. A computer-implemented method, comprising:
- at a first system of a computing resource service provider;
  
  collecting cryptographic information from a plurality of identity verification providers, the cryptographic information including a plurality of cryptographic keys, each cryptographic key usable to analyze tokens generated by a different identity verification provider of the plurality of identity verification providers; and
  
  providing configuration information to a plurality of systems of the computing resource service provider different from the first system, the configuration information including at least the plurality of cryptographic keys, the configuration information provided to the plurality of systems being specific to each of the plurality of systems; and
  
  by one of the plurality of systems of the computing resource service provider different from the first system;
  
  receiving, from a requestor that is separate from the plurality of identity verification providers and the first system, a request that includes a submitted token;
  
  determining, using the configuration information already provided by the first system, that the submitted token includes a valid attestation by the identity verification provider associated with the one of the plurality of cryptographic keys and that the requestor is allowed to have the request fulfilled, the requestor lacking access to the plurality of cryptographic keys; and
  
  when it is determined that the requestor is allowed to have the request fulfilled, fulfilling the request.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the identity verification provider associated with the one of the plurality of cryptographic keys is managed by a third-party entity.
  - 3. The computer-implemented method of claim 1, further comprising:
    - selecting, from the cryptographic information, the one of the plurality of cryptographic keys corresponding to the identity verification provider associated with the one of the plurality of cryptographic keys; and
      
      using the one of the plurality of cryptographic keys to decrypt the submitted token.
  - 4. The computer-implemented method of claim 1, wherein both receiving the request and using the configuration information to analyze the submitted token are performed by a server of the different system.
  - 5. The computer-implemented method of claim 1, wherein:
    - the different system is one of a plurality of services;
      
      the configuration information includes a mapping usable to map identities of the identity verification providers to client identifiers; and
      
      each service of the plurality of services is provided a different mapping such that different services map a same client identity verification provider identity to different client identifiers.
  - 6. The computer-implemented method of claim 1, wherein:
    - the different system provides a computing resource service of a computing resource service provider utilized by a third party to provide a third-party service; and
      
      fulfilling the request includes providing the request to the different system for processing.

7. A system, comprising:
- memory to store instructions that, as a result of execution by one or more processors, cause a collection of computing devices to collectively implement one or more services, each service of the one or more services that locally;
  
  obtain, by a first system of a computing resource service provider, cryptographic information corresponding to a plurality of identity verification providers, the cryptographic information including a plurality of cryptographic keys, each cryptographic key usable to verify validity of tokens generated by a different identity verification provider of the plurality of identity verification providers;
  
  identify, by the first system, from the plurality of identity verification providers to which a client computing device has access, a second plurality of identity verification providers for which tokens will be accepted;
  
  provide, by the first system, configuration information to a plurality of systems of the computing resource service provider different from the first system, the configuration information including at least a second plurality of cryptographic keys associated with the second plurality of identity verification providers, the configuration information provided to the plurality of systems being specific to each of the plurality of systems;
  
  receive, by a second system which is one of the plurality of systems of the computing resource service provider different from the first system, from a requestor that is separate from the plurality of identity verification providers and the first system, a request, the request including a token, the requestor lacking access to the plurality of cryptographic keys;
  
  identify, by the second system, that the token is associated with an identity verification provider of the second plurality of identity verification providers;
  
  verify, by the second system and using the configuration information already provided by the first system, validity of the token based on a cryptographic key specific to the identity verification provider and usable to verify validity of tokens generated by the identity verification provider; and
  
  when the validity of the token is verified, fulfill, by the second system, the request.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The system of claim 7, wherein the service includes a server that both accesses the cryptographic information and uses the cryptographic information to verify the validity of the token.
  - 9. The system of claim 8, wherein the server is from a plurality of servers each operable to:
    - receive the request and the token;
      
      access the cryptographic information; and
      
      use the cryptographic information to verify the validity of the token.
  - 10. The system of claim 7, wherein the service further selects, based at least in part on the token, the cryptographic information from multiple instances of cryptographic information each corresponding to a different identity verification provider.
  - 11. The system of claim 7, wherein the collection of computing devices further implement a managed federation propagator that:
    - tracks updates to a set of identity verification providers that include the identity verification provider; and
      
      provides updated configuration information to the one or more services in accordance with the tracked updates, the updated configuration information including information necessary for verifying tokens generated by the identity verification providers.
  - 12. The system of claim 11, wherein the managed federation propagator further provides the updated configuration information to one or more third-party services thereby enabling the one or more third-party services to verify tokens generated by the identity verification providers.
  - 13. The system of claim 7, wherein:
    - the one or more services comprise a plurality of services; and
      
      the service, for each identity verification provider identity of a plurality of identity verification provider identities, maps the identity verification provider identity to a client identifier unique to the service and different from another client identifier to which another service maps the verification provider identity.
  - 14. The system of claim 13, wherein:
    - the service tracks usage of the service in association with a first client identifier; and
      
      the system further comprises at least one backend service that aggregates usage information from each service of the plurality of services by at least mapping different client identifiers corresponding to a same identity verification provider identity to the same verification provider identity.

15. A non-transitory computer-readable storage medium that stores executable instructions that, as a result of being executed by one or more processors of a service provider computing device, cause the service provider computing device to:
- obtain, by a device, cryptographic information corresponding to a plurality of identity verification providers, the cryptographic information including a plurality of cryptographic keys, each cryptographic key usable to verify validity of tokens generated by a different identity verification provider of the plurality of identity verification providers;
  
  provide, by the device, configuration information to a plurality of services of the service provider, the services different from the device, the configuration information including at least the plurality of cryptographic keys, the configuration information provided to the plurality of services being specific to each of the plurality of services;
  
  receive, over a network by one of the plurality of services of the service provider, a request from a client computer system to access the service, the request being;
  
  provided with a token encrypted with a cryptographic key of the plurality of cryptographic keys, the token indicating an identity verification provider accessible to the client computer system; and
  
  received from a client computer system associated with a user of the service, the client computer system being separate from the plurality of identity verification providers and the device, and lacking access to the plurality of cryptographic keys;
  
  identify, by the service, that the token is associated with a corresponding identity verification provider in a subset of the plurality of identity verification providers, the subset of the plurality of identity verification providers being authorized to enable fulfillment of requests by the service;
  
  decrypt, by the service, the token based at least in part on the cryptographic key specific to the corresponding identity verification provider;
  
  verify, by the service and using the configuration information already provided by the device, validity of the token based at least in part on the cryptographic key specific to the corresponding identity verification provider; and
  
  when the validity of the token is verified, cause the request to be fulfilled by the service.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions that cause the service provider computing device to cryptographically verify the token include instructions that cause the service provider computing device to identify whether the token includes an attestation that the client computer system was used to successfully authenticate with the identity verification provider.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein:
    - the service is managed by a third party to the service provider; and
      
      causing the request to be fulfilled includes providing the request to a computing device managed by the third party.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions further cause the service provider computing device to select, based at least in part on the token, the cryptographic information specific to the identity verification provider from among other cryptographic information specific to one or more other identity verification providers of the plurality of identity verification providers.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions further cause the service provider computing device to:
    - receive configuration information from another system, the configuration information necessary for validating instances of a set of identity verification providers that include the subset of the plurality of identity verification providers; and
      
      reconfigure in accordance with the configuration information.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein:
    - the service provider hosts computing resources for a plurality of customers of the service provider; and
      
      causing the request to be fulfilled includes utilizing at least one computing resource of a customer of the service provider.
  - 21. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions further cause the service provider computing device to generate, based at least in part on the token, a client identifier for the client computer system to uniquely identify the client computer system within the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Kruse, William Frederick, Behm, Bradley Jeffery
Primary Examiner(s)
Lesniewski, Victor

Application Number

US14/065,106
Time in Patent Office

1,975 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/45   Structures or tools for the...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/126   the source of the received ...

Managed identity federation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

342 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Managed identity federation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

342 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links