System integrating an identity selector and user-portable device and method of use in a user-centric identity management system

US 10,298,568 B1
Filed: 09/19/2017
Issued: 05/21/2019
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

a host computing system determining whether any user identity among at least one of first user identities of a user satisfies identity requirements of the user;

the host computing system generating a token request with respect to one of any user identity determined to satisfy the identity requirements;

communicating, via the host system, the token request to a user computing device storing required information to support claim assertions of a security token associated with the token request; and

receiving, via the host computing system, and from the user computing device, at least one first user identity stored in the user computing device in response to the token request from the host computing system, wherein the user computing device eliminates a need for the host computing system to contact an identify provider associated with the host computing system to support the claim assertions of the security token associated with the token request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A combination includes a user-portable computing device, and an identity selector adapted for interoperable use with the user device. The user computing device includes a security token service that issues security tokens in reference to a portfolio of user identities stored as information cards on the user device. The issuance of security tokens employs user attribute information that is stored onboard the user device. The identity selector exports the information cards from the user device and determines which user identity satisfies a security policy promulgated by a relying party as part of an authentication process within the context of an online interaction. The identity selector generates a token request based on one of the eligible user identities, and forwards the token request to the user device to invoke the token issuance operation. The identity selector presents the issued security token to the relying party to comply with the security policy.

Citations

20 Claims

1. A method, comprising:
- a host computing system determining whether any user identity among at least one of first user identities of a user satisfies identity requirements of the user;
  
  the host computing system generating a token request with respect to one of any user identity determined to satisfy the identity requirements;
  
  communicating, via the host system, the token request to a user computing device storing required information to support claim assertions of a security token associated with the token request; and
  
  receiving, via the host computing system, and from the user computing device, at least one first user identity stored in the user computing device in response to the token request from the host computing system, wherein the user computing device eliminates a need for the host computing system to contact an identify provider associated with the host computing system to support the claim assertions of the security token associated with the token request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, comprising at least one of:
    - the host computing system providing a plurality of second user identities each associated with a respective identity provider;
      
      the host computing system determining further includes determining whether any user identity among the second user identities satisfies the identity requirements;
      
      the host computing system enabling the user to select one of the user identities determined to satisfy the identity requirements;
      
      upon a user selection relating to the first user identities, the host computing system generating further includes generating a token request with respect to the selected first user identity; and
      
      upon a user selection relating to the second user identities, the host computing system generating a token request with respect to the selected second user identity and communicating the token request to an identity provider environment.
  - 3. The method of claim 1, further comprising operating a security token service.
  - 4. The method of claim 3, wherein the user computing device further comprises at least one of:
    - providing at least one user attribute; and
      
      using the at least one user attribute.
  - 5. The method of claim 1, further comprising at least one of:
    - the host computing system receiving a security policy;
      
      the host computing system presenting to the user at least one of the exported first user identities determined to satisfy the security policy;
      
      the host computing system enabling the user to select one of the presented user identities; and
      
      the host computing system generating further includes generating a token request relative to the selected user identity.
  - 6. The method of claim 1, further comprising at least one of:
    - the host computing system communicating the token request to a user computing device; and
      
      the user computing device issuing a security token according to the token request.
  - 7. The method of claim 1, further comprising at least one of:
    - the user computing device communicating a security token to the host computing system;
      
      the host computing system receiving the security token from the user computing device; and
      
      the host computing system presenting the security token to a service provider environment to facilitate the interaction relative to compliance with the identity requirements.
  - 8. The method of claim 1, wherein the plurality of first identities includes at least one third-party managed information card.

9. A system, comprising:
- a user computing device including an information card storage, a security token service, and a user attribute storage, the user computing device storing required information to support claim assertions of a security token associated with a token request,wherein the user computing device is to export at least one first user identity to a host computing system in response to a token request from the host computing system, andwherein the user computing device eliminates a need for the host computing system to contact an identify provider associated with the host computing system to support the claim assertions of the security token associated with the token request.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the identity manager system is configured further to perform at least one of:
    - (i) receive identity requirements from a service provider environment including at least one identity provider (ii) identify, as an eligible identity, any user identity among the plurality of first user identities of the user that satisfies the identity requirements, (iii) generate a token request in reference to an eligible user identity, (iv) send the token request to the first means of the user computing device, and (v) receive a security token generated by the first means in response to the token request.
  - 11. The system of claim 10, wherein the identity manager system further comprises a plurality of second user identities each associated with a respective identity provider.
  - 12. The system of claim 11, wherein the identity manager system is further configured to perform at least one of:
    - (i) receive identity requirements from the service provider environment, (ii) identify, as an eligible user identity, any user identity among the plurality of first user identities and the plurality of second user identities that satisfies the identity requirements, (iii) enable a user to select an eligible user identity, (iv) generate a token request in reference to the selected user identity, (v) in the event of a user identity selection drawn from the plurality of first identities, send the token request to the user computing device and receive a security token generated by the user computing device in response to the token request, (vi) in the event of a user identity selection drawn from the plurality of second identities, send the token request to the identity provider associated with the selected user identity.
  - 13. The system of claim 9, wherein the identity manager system is configured to perform at least one of:
    - provide a plurality of second user identities including at least one managed identity;
      
      respond to a security policy, by determining whether any user identity satisfies the security policy from among the plurality of first user identities and the plurality of second user identities;
      
      enable the user to make a selection from among the user identities determined to satisfy the security policy; and
      
      respond to a user selection drawn from the plurality of first user identities, by providing a token request based on the selected user identity, communicating the token request to the user computing device, and receiving a security token generated by the user computing device in response to the token request; and
      
      respond to a user selection drawn from one of the managed identities of the plurality of second identities, by providing a token request based on the selected second identity, and communicating the token request to the identity provider associated with the selected second identity.
  - 14. The system of claim 9, wherein the user computing device further comprises a smart card configured as a personal portable security device.
  - 15. The system of claim 9, wherein the user identity storage further comprises at least one third-party managed information card.
  - 16. The system of claim 9, wherein the at least one attribute of the user attribute storage is sufficient to formulate any claim concerning any of the first user identities as part of the token generating operation.

17. A non-transitory computer-readable medium having computer-executable instructions for execution by a processor, that, when executed, cause the processor to:
- determine whether any user identity among at least one of first user identities of a user satisfies identity requirements of the user;
  
  generate a token request with respect to one of any user identity of the user determined to satisfy the identity requirements;
  
  communicate the token request to a user computing device storing required information to support claim assertions of a security token associated with the token request; and
  
  receive, from the user computing device, at least one first user identity stored in the user computing device in response to the token an import request from a host computing system, wherein the user computing device eliminates a need for the host computing system to contact an identify provider associated with the host computing system to support the claim assertions of the security token associated with the token request.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the instructions further cause the processor to perform at least one of:
    - receive a security policy from the service provider environment;
      
      import at least one first user identity to the host computing system;
      
      determine whether any user identity among the imported first user identities satisfies the security policy;
      
      enable the user to select one of the imported first user identities determined to satisfy the security policy; and
      
      generate a token request relative to the selected user identity.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the instructions further cause the processor to use a security token to facilitate compliance with the identity requirements.
  - 20. The non-transitory computer-readable medium of claim 19, wherein the instructions further cause the processor to present the security token to the service provider environment within the context of an authentication process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Philips North America LLC (Koninklijke Philips N.V.)
Original Assignee
Open Invention Network LLC
Inventors
Ahn, Gail-Joon
Primary Examiner(s)
McNally, Michael S

Application Number

US15/709,050
Time in Patent Office

609 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 21/6263   during internet communicati...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

System integrating an identity selector and user-portable device and method of use in a user-centric identity management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System integrating an identity selector and user-portable device and method of use in a user-centric identity management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links