Managed identity federation
Abstract
Managed identity federation provides numerous options for authentication to access one or more services. A user authenticates with an identity verification provider and provides proof of authentication to a service of a service provider. The service of the service provider is configured to verify the user's identity using a centrally managed identity provider configuration. This configuration is distributed without intervention of the service's administrators. This centrally managed configuration allows a variety of enterprise and third-party services to utilize the service provider's billing, security, and other administrative services.
Claims
(21 claims; 342 citations)
1. A computer-implemented method, comprising:
- at a first system of a computing resource service provider:
  - collecting cryptographic information from a plurality of identity verification providers, the cryptographic information including a plurality of cryptographic keys, each cryptographic key usable to analyze tokens generated by a different identity verification provider of the plurality of identity verification providers; and
  - providing configuration information to a plurality of systems of the computing resource service provider different from the first system, the configuration information including at least the plurality of cryptographic keys, the configuration information provided to the plurality of systems being specific to each of the plurality of systems; and
- by one of the plurality of systems of the computing resource service provider different from the first system:
  - receiving, from a requestor that is separate from the plurality of identity verification providers and the first system, a request that includes a submitted token;
  - determining, using the configuration information already provided by the first system, that the submitted token includes a valid attestation by the identity verification provider associated with the one of the plurality of cryptographic keys and that the requestor is allowed to have the request fulfilled, the requestor lacking access to the plurality of cryptographic keys; and
  - when it is determined that the requestor is allowed to have the request fulfilled, fulfilling the request.
(Dependent claims 2 to 6 are not reproduced on this page.)
7. A system, comprising:
memory to store instructions that, as a result of execution by one or more processors, cause a collection of computing devices to collectively implement one or more services, each service of the one or more services that locally:
- obtain, by a first system of a computing resource service provider, cryptographic information corresponding to a plurality of identity verification providers, the cryptographic information including a plurality of cryptographic keys, each cryptographic key usable to verify validity of tokens generated by a different identity verification provider of the plurality of identity verification providers;
- identify, by the first system, from the plurality of identity verification providers to which a client computing device has access, a second plurality of identity verification providers for which tokens will be accepted;
- provide, by the first system, configuration information to a plurality of systems of the computing resource service provider different from the first system, the configuration information including at least a second plurality of cryptographic keys associated with the second plurality of identity verification providers, the configuration information provided to the plurality of systems being specific to each of the plurality of systems;
- receive, by a second system which is one of the plurality of systems of the computing resource service provider different from the first system, from a requestor that is separate from the plurality of identity verification providers and the first system, a request, the request including a token, the requestor lacking access to the plurality of cryptographic keys;
- identify, by the second system, that the token is associated with an identity verification provider of the second plurality of identity verification providers;
- verify, by the second system and using the configuration information already provided by the first system, validity of the token based on a cryptographic key specific to the identity verification provider and usable to verify validity of tokens generated by the identity verification provider; and
- when the validity of the token is verified, fulfill, by the second system, the request.
(Dependent claims 8 to 14 are not reproduced on this page.)
15. A non-transitory computer-readable storage medium that stores executable instructions that, as a result of being executed by one or more processors of a service provider computing device, cause the service provider computing device to:
- obtain, by a device, cryptographic information corresponding to a plurality of identity verification providers, the cryptographic information including a plurality of cryptographic keys, each cryptographic key usable to verify validity of tokens generated by a different identity verification provider of the plurality of identity verification providers;
- provide, by the device, configuration information to a plurality of services of the service provider, the services different from the device, the configuration information including at least the plurality of cryptographic keys, the configuration information provided to the plurality of services being specific to each of the plurality of services;
- receive, over a network by one of the plurality of services of the service provider, a request from a client computer system to access the service, the request being:
  - provided with a token encrypted with a cryptographic key of the plurality of cryptographic keys, the token indicating an identity verification provider accessible to the client computer system; and
  - received from a client computer system associated with a user of the service, the client computer system being separate from the plurality of identity verification providers and the device, and lacking access to the plurality of cryptographic keys;
- identify, by the service, that the token is associated with a corresponding identity verification provider in a subset of the plurality of identity verification providers, the subset of the plurality of identity verification providers being authorized to enable fulfillment of requests by the service;
- decrypt, by the service, the token based at least in part on the cryptographic key specific to the corresponding identity verification provider;
- verify, by the service and using the configuration information already provided by the device, validity of the token based at least in part on the cryptographic key specific to the corresponding identity verification provider; and
- when the validity of the token is verified, cause the request to be fulfilled by the service.
(Dependent claims 16 to 21 are not reproduced on this page.)
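The three independent claims above describe one flow: a central system gathers one verification key per identity provider, each service receives a configuration holding only the keys of the providers it is allowed to accept, and the service then checks a submitted token against that configuration without the requestor ever holding a key. The following is an added example written for this page, not code from the patent or its assignee. It models that flow with HMAC-SHA256 as a stand-in for whatever signature scheme a real identity provider uses; the provider names (`idp-alpha`, `idp-beta`, `idp-gamma`), service names (`storage`, `compute`) and key bytes are all constructed.

```python
"""Added example, not from the patent: a small model of the flow the claims
describe. A central "first system" collects one verification key per identity
provider (IdP), hands each service only the keys for the IdPs it accepts, and
the service checks a submitted token with that configuration alone. HMAC-SHA256
stands in for whatever signature scheme a real IdP uses; IdP names, service
names and key bytes are all constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- First system: collect key material, derive per-service configuration ---

def collect_idp_keys(idps: dict) -> dict:
    """idps maps idp_id -> {"key": bytes}; a real system would fetch each
    provider's published key material instead of reading a local dict."""
    return {idp_id: info["key"] for idp_id, info in idps.items()}


def build_service_config(all_keys: dict, service_name: str, allowed_idps: list) -> dict:
    """Configuration specific to one service: only the keys of the IdPs it may
    accept (the claims' "second plurality"), plus the audience its tokens must carry."""
    unknown = set(allowed_idps) - set(all_keys)
    if unknown:
        raise ValueError(f"no key material for IdPs: {sorted(unknown)}")
    return {"service": service_name,
            "keys": {idp_id: all_keys[idp_id] for idp_id in allowed_idps}}


# --- Identity provider: issues a token after authenticating the user ---

def issue_token(idp_id: str, idp_key: bytes, subject: str, audience: str,
                ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "iss": idp_id}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(idp_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# --- Service: verifies using only the configuration the first system sent ---

def verify_token(config: dict, token: str, now: Optional[int] = None) -> dict:
    """Returns {"ok": True, ...} or {"ok": False, "reason": ...}. The requestor
    never sees a key and the service never contacts the IdP at request time."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token"}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return {"ok": False, "reason": "malformed token"}
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return {"ok": False, "reason": "unsupported alg"}   # token never picks the algorithm
    key = config["keys"].get(header.get("iss"))
    if key is None:   # unknown IdP, or one this service was not configured to accept
        return {"ok": False, "reason": "issuer not accepted by this service"}
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"ok": False, "reason": "bad signature"}
    payload = json.loads(b64url_decode(payload_b64))   # parsed only once authentic
    if not isinstance(payload, dict) or payload.get("aud") != config["service"]:
        return {"ok": False, "reason": "token not issued for this service"}
    if payload.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired"}
    return {"ok": True, "subject": payload["sub"], "issuer": header["iss"]}


def demo() -> dict:
    """Walks the flow with constructed keys and returns each verification outcome."""
    idps = {"idp-alpha": {"key": b"alpha-secret-0001"},   # constructed key material
            "idp-beta": {"key": b"beta-secret-0002"},
            "idp-gamma": {"key": b"gamma-secret-0003"}}
    all_keys = collect_idp_keys(idps)
    # The storage service accepts alpha and beta; gamma's key is never sent to it.
    cfg = build_service_config(all_keys, "storage", ["idp-alpha", "idp-beta"])
    t0 = 1_700_000_000
    good = issue_token("idp-alpha", all_keys["idp-alpha"], "alice", "storage", now=t0)
    foreign = issue_token("idp-gamma", all_keys["idp-gamma"], "carol", "storage", now=t0)
    wrong_aud = issue_token("idp-beta", all_keys["idp-beta"], "bob", "compute", now=t0)
    tampered = good[:-4] + ("AAAA" if not good.endswith("AAAA") else "BBBB")
    return {"good": verify_token(cfg, good, now=t0 + 10),
            "foreign_idp": verify_token(cfg, foreign, now=t0 + 10),
            "wrong_audience": verify_token(cfg, wrong_aud, now=t0 + 10),
            "tampered": verify_token(cfg, tampered, now=t0 + 10),
            "expired": verify_token(cfg, good, now=t0 + 600)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

Two design points follow the claims directly: the service selects the key solely by the issuer named in the token and only from the configuration it was given, so a token from a provider the central system never approved for that service (`idp-gamma` here) is rejected before any cryptography runs, and the algorithm is fixed by the service rather than read from the token, which is what keeps the key lookup from being steered by the requestor.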