Generating and managing a composite identity token for multi-service use
First Claim
1. A method comprising:
- at a composite identity server comprising at least one processor, at least one memory, and at least one communication interface;
receiving, by the at least one processor and from a user agent associated with a user computing device, a request to upgrade a first authentication token triggered by a relying party server, wherein the relying party server is associated with services provided by a first relying party and services provided by a second relying party, wherein the first authentication token was issued by a first identity provider to permit the user agent access to the services provided by the first relying party;
determining, by the at least one processor, whether the user agent is currently involved in a valid identity login session associated with the relying party server;
in response to determining that the user agent is currently involved in the valid identity login session associated with the relying party server, redirecting, by the at least one processor, the user agent to an identity provider server associated with a second identity provider for authentication;
receiving, by the at least one processor and from the identity provider server associated with the second identity provider, a second authentication token, the second authentication token indicating that an authorization code associated with the identity provider server is valid, wherein the second authentication token permits the user agent access to the services provided by the second relying party;
sending, by the at least one processor and to a federated microservice server, the second authentication token for transformation, wherein the federated microservice server is specific to the second identity provider;
receiving, by the at least one processor and from the federated microservice server, one or more transformed claims of the second authentication token and one or more claims of the second authentication token designated for storage by a profile microservice server;
sending, by the at least one processor and to the profile microservice server, the one or more claims of the second authentication token designated for storage at the profile microservice server;
after receiving a storage confirmation from the profile microservice server, redirecting, by the at least one processor, the user agent to the relying party server with an authorization code associated with the composite identity server;
after redirecting the user agent to the relying party server, receiving, by the at least one processor and from the relying party server, the authorization code associated with the composite identity server;
in response to determining that the authorization code associated with the composite identity server received from the relying party server is valid, sending, by the at least one processor and to the relying party server, a composite token comprising:
the one or more transformed claims of the second authentication token; and
one or more claims of the first authentication token, wherein the composite token permits, via the relying party server, the user agent access to the services provided by the first relying party and the services provided by the second relying party.
Abstract
Methods, systems, computer-readable media, and apparatuses may provide creation and management of composite tokens for use with services in a virtual environment without the user having to re-authenticate each time the user accesses a different service. A composite identity server may receive a request to upgrade a first authentication token for a user. The composite identity server may redirect a user agent to an identity provider for authentication and, in response, may receive a second authentication token for the user. The composite identity server may send the second authentication token to a federated microservice and, in response, may receive one or more claims of the second authentication token designated for inclusion in a composite token. The composite identity server may generate a composite token including the one or more claims of the first authentication token and one or more claims of the second authentication token.
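The claimed upgrade flow as an added Python model (not the patent's or any vendor's code): a stub for the federated microservice specific to the second identity provider splits that provider's claims into those that enter the composite token and those sent to the profile store, and the authorization code the relying party later exchanges is single-use and time-limited. Tokens are plain dicts standing in for signed tokens; the `idp_b:` claim prefix, the 60-second code lifetime and all sample values are assumptions.

```python
import secrets
import time

# Constructed stand-in for the federated microservice specific to the second IdP: maps a
# second-IdP token to (claims for the composite token, claims for the profile store).
FEDERATED_TRANSFORMS = {
    "idp-b": lambda tok: (
        {"idp_b:sub": tok["sub"], "idp_b:roles": sorted(tok["roles"])},
        {"display_name": tok["name"], "email": tok["email"]},
    ),
}

class CompositeIdentityServer:
    CODE_TTL = 60  # seconds an authorization code remains exchangeable (assumed)

    def __init__(self):
        self.sessions = {}       # session id -> first authentication token (claims)
        self.profile_store = {}  # constructed stand-in for the profile microservice
        self.pending = {}        # authorization code -> (session id, transformed claims, issued at)

    def upgrade(self, session_id, idp_id, second_token):
        """Session check, then handling of the second IdP's token; returns the redirect code."""
        if session_id not in self.sessions:
            raise PermissionError("no valid identity login session")
        transformed, for_profile = FEDERATED_TRANSFORMS[idp_id](second_token)
        self.profile_store.setdefault(session_id, {}).update(for_profile)  # store, then redirect
        code = secrets.token_urlsafe(32)
        self.pending[code] = (session_id, transformed, time.time())
        return code

    def exchange(self, code):
        """Relying party presents the code; it must be unused and unexpired."""
        entry = self.pending.pop(code, None)  # pop makes the code single-use
        if entry is None:
            raise PermissionError("unknown or already used authorization code")
        session_id, transformed, issued_at = entry
        if time.time() - issued_at > self.CODE_TTL:
            raise PermissionError("authorization code expired")
        # Composite token: first-token claims plus the transformed second-IdP claims. The
        # idp_b: prefix (an assumption) stops second-IdP claims overwriting first-token ones.
        composite = dict(self.sessions[session_id])
        composite.update(transformed)
        return composite

def demo():
    """Constructed walk-through: an idp-a session exists, then an idp-b token arrives."""
    srv = CompositeIdentityServer()
    srv.sessions["s1"] = {"sub": "alice", "iss": "idp-a", "roles": ["viewer"]}
    second = {"sub": "alice@b", "name": "Alice", "email": "alice@example.test", "roles": ["editor", "admin"]}
    code = srv.upgrade("s1", "idp-b", second)
    return srv, srv.exchange(code)
```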
20 Claims
1. A method comprising: (recited in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system comprising:
- a composite identity server comprising at least one processor, a memory, and at least one communication interface, wherein the composite identity server is configured to:
receive, by the at least one processor and from a user agent associated with a user computing device, a request to upgrade a first authentication token triggered by a relying party server, wherein the relying party server is associated with services provided by a first relying party and services provided by a second relying party, wherein the first authentication token was issued by a first identity provider to permit the user agent access to the services provided by the first relying party;
determine, by the at least one processor, whether the user agent is currently involved in a valid identity login session associated with the relying party server;
in response to determining that the user agent is currently involved in the valid identity login session associated with the relying party server, redirect, by the at least one processor, the user agent to an identity provider server associated with a second identity provider for authentication;
receive, by the at least one processor and from the identity provider server, a second authentication token, the second authentication token indicating that an authorization code associated with the identity provider server is valid, wherein the second authentication token permits the user agent access to the services provided by the second relying party;
send, by the at least one processor and to a federated microservice server, the second authentication token for transformation, wherein the federated microservice server is specific to the second identity provider;
receive, by the at least one processor and from the federated microservice server, one or more transformed claims of the second authentication token and one or more claims of the second authentication token designated for storage by a profile microservice server;
send, by the at least one processor and to the profile microservice server, the one or more claims of the second authentication token designated for storage by the profile microservice server;
after receiving a storage confirmation from the profile microservice server, redirect, by the at least one processor, the user agent to the relying party server with an authorization code associated with the composite identity server;
after redirecting the user agent to the relying party server, receive, by the at least one processor and from the relying party server, the authorization code associated with the composite identity server;
in response to determining that the authorization code associated with the composite identity server received from the relying party server is valid, send, by the at least one processor and to the relying party server, a composite token comprising:
the one or more transformed claims of the second authentication token; and
one or more claims of the first authentication token, wherein the composite token permits, via the relying party server, the user agent access to the services provided by the first relying party and the services provided by the second relying party.
Dependent claims: 12, 13, 14, 15.
16. One or more non-transitory computer readable media storing computer-executable instructions that, when executed by at least one processor, cause a composite identity server to:
receive, by the at least one processor and from a user agent associated with a user computing device, a request to upgrade a first authentication token triggered by a relying party server, wherein the relying party server is associated with services provided by a first relying party and services provided by a second relying party, wherein the first authentication token was issued by a first identity provider to permit the user agent access to the services provided by the first relying party;
determine, by the at least one processor, whether the user agent is currently involved in a valid identity login session associated with the relying party server;
in response to determining that the user agent is currently involved in the valid identity login session associated with the relying party server, redirect, by the at least one processor, the user agent to an identity provider server associated with a second identity provider for authentication;
receive, by the at least one processor and from the identity provider server, a second authentication token, the second authentication token indicating that an authorization code associated with the first identity provider server is valid, wherein the second authentication token permits the user agent access to the services provided by the second relying party;
send, by the at least one processor and to a federated microservice server, the second authentication token for transformation, wherein the federated microservice server is specific to the second identity provider;
receive, by the at least one processor and from the federated microservice server, one or more transformed claims of the second authentication token and one or more claims of the second authentication token designated for storage by a profile microservice server;
send, by the at least one processor and to the profile microservice server, the one or more claims of the second authentication token designated for storage by the profile microservice server;
after receiving a storage confirmation from the profile microservice server, redirect, by the at least one processor, the user agent to the relying party server with an authorization code associated with the composite identity server;
after redirecting the user agent to the relying party server, receive, by the at least one processor and from the relying party server, the authorization code associated with the composite identity server;
in response to determining that the authorization code associated with the composite identity server received from the relying party server is valid, send, by the at least one processor and to the relying party server, a composite token comprising:
the one or more transformed claims of the second authentication token; and
one or more claims of the first authentication token, wherein the composite token permits, via the relying party server, the user agent access to the services provided by the first relying party and the services provided by the second relying party.
Dependent claims: 17, 18, 19, 20.