Generating and managing a composite identity token for multi-service use

US 10,505,733 B2
Filed: 09/25/2017
Issued: 12/10/2019
Est. Priority Date: 09/25/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a composite identity server comprising at least one processor, at least one memory, and at least one communication interface;

receiving, by the at least one processor and from a user agent associated with a user computing device, a request to upgrade a first authentication token triggered by a relying party server, wherein the relying party server is associated with services provided by a first relying party and services provided by a second relying party, wherein the first authentication token was issued by a first identity provider to permit the user agent access to the services provided by the first relying party;

determining, by the at least one processor, whether the user agent is currently involved in a valid identity login session associated with the relying party server;

in response to determining that the user agent is currently involved in the valid identity login session associated with the relying party server, redirecting, by the at least one processor, the user agent to an identity provider server associated with a second identity provider for authentication;

receiving, by the at least one processor and from the identity provider server associated with the second identity provider, a second authentication token, the second authentication token indicating that an authorization code associated with the identity provider server is valid, wherein the second authentication token permits the user agent access to the services provided by the second relying party;

sending, by the at least one processor and to a federated microservice server, the second authentication token for transformation, wherein the federated microservice server is specific to the second identity provider;

receiving, by the at least one processor and from the federated microservice server, one or more transformed claims of the second authentication token and one or more claims of the second authentication token designated for storage by a profile microservice server;

sending, by the at least one processor and to the profile microservice server, the one or more claims of the second authentication token designated for storage at the profile microservice server;

after receiving a storage confirmation from the profile microservice server, redirecting, by the at least one processor, the user agent to the relying party server with an authorization code associated with the composite identity server;

after redirecting the user agent to the relying party server, receiving, by the at least one processor and from the relying party server, the authorization code associated with the composite identity server;

in response to determining that the authorization code associated with the composite identity server received from the relying party server is valid, sending, by the at least one processor and to the relying party server, a composite token comprising;

the one or more transformed claims of the second authentication token; and

one or more claims of the first authentication token,wherein the composite token permits, via the relying party server, the user agent access to the services provided by the first relying party and the services provided by the second relying party.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, computer-readable media, and apparatuses may provide creation and management of composite tokens for use with services in a virtual environment without the user having to re-authenticate each time the user accesses a different service. A composite identity server may receive a request to upgrade a first authentication token for a user. The composite identity server may redirect a user agent to an identity provider for authentication and, in response, may receive a second authentication token for the user. The composite identity server may send the second authentication token to a federated microservice and, in response, may receive one or more claims of the second authentication token designated for inclusion in a composite token. The composite identity server may generate a composite token including the one or more claims of the first authentication token and one or more claims of the second authentication token.

Citations

20 Claims

1. A method comprising:
- at a composite identity server comprising at least one processor, at least one memory, and at least one communication interface;
  
  receiving, by the at least one processor and from a user agent associated with a user computing device, a request to upgrade a first authentication token triggered by a relying party server, wherein the relying party server is associated with services provided by a first relying party and services provided by a second relying party, wherein the first authentication token was issued by a first identity provider to permit the user agent access to the services provided by the first relying party;
  
  determining, by the at least one processor, whether the user agent is currently involved in a valid identity login session associated with the relying party server;
  
  in response to determining that the user agent is currently involved in the valid identity login session associated with the relying party server, redirecting, by the at least one processor, the user agent to an identity provider server associated with a second identity provider for authentication;
  
  receiving, by the at least one processor and from the identity provider server associated with the second identity provider, a second authentication token, the second authentication token indicating that an authorization code associated with the identity provider server is valid, wherein the second authentication token permits the user agent access to the services provided by the second relying party;
  
  sending, by the at least one processor and to a federated microservice server, the second authentication token for transformation, wherein the federated microservice server is specific to the second identity provider;
  
  receiving, by the at least one processor and from the federated microservice server, one or more transformed claims of the second authentication token and one or more claims of the second authentication token designated for storage by a profile microservice server;
  
  sending, by the at least one processor and to the profile microservice server, the one or more claims of the second authentication token designated for storage at the profile microservice server;
  
  after receiving a storage confirmation from the profile microservice server, redirecting, by the at least one processor, the user agent to the relying party server with an authorization code associated with the composite identity server;
  
  after redirecting the user agent to the relying party server, receiving, by the at least one processor and from the relying party server, the authorization code associated with the composite identity server;
  
  in response to determining that the authorization code associated with the composite identity server received from the relying party server is valid, sending, by the at least one processor and to the relying party server, a composite token comprising;
  
  the one or more transformed claims of the second authentication token; and
  
  one or more claims of the first authentication token,wherein the composite token permits, via the relying party server, the user agent access to the services provided by the first relying party and the services provided by the second relying party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - at the composite identity server,after redirecting the user agent to the identity provider server, receiving, by the at least one processor and from the user agent, the authorization code associated with the identity provider server; and
      
      sending, by the at least one processor and to the identity provider server, the authorization code associated with the identity provider server for validation.
  - 3. The method of claim 1, comprising:
    - at the composite identity server,receiving, by the at least one processor and from the relying party server, the composite token and user information identifying a user associated with the user agent;
      
      sending, by the at least one processor and to the profile microservice server, the user information; and
      
      receiving, by the at least one processor and from the profile microservice server, one or more updated, transformed claims of the second authentication token.
  - 4. The method of claim 3, comprising:
    - at the composite identity server;
      
      sending, by the at least one processor and to a principal microservice, the user information;
      
      receiving, by the at least one processor and from the principal microservice, one or more updated claims of the first authentication token; and
      
      generating, by the at least one processor, an updated composite token comprising;
      
      the one or more updated claims of the first authentication token, andthe one or more updated, transformed claims of the second authentication token.
  - 5. The method of claim 3, comprising:
    - at the profile microservice server;
      
      receiving, by at least one processor of the profile microservice server and from the composite identity server, the user information and the composite token;
      
      in response to receiving the user information, sending, by the at least one processor of the profile microservice server and to the federated microservice server, the one or more transformed claims of the second authentication token;
      
      receiving, by the at least one processor of the profile microservice server and from the federated microservice server, the one or more updated, transformed claims of the second authentication token; and
      
      sending, by the at least one processor of the profile microservice server and to the composite identity server, the one or more updated, transformed claims of the second authentication token.
  - 6. The method of claim 1, comprising:
    - at the federated microservice server;
      
      receiving, by at least one processor of the federated microservice server and from the composite identity server, the second authentication token;
      
      transforming, by the at least one processor of the federated microservice server, one or more claims of the second authentication token to produce the one or more transformed claims of the second authentication token, wherein the transforming comprises one or more of;
      
      replacing a claim of the one or more claims of the second authentication token with a new claim;
      
      amending a claim of the one or more claims of the second authentication token;
      
      orappending a new claim to the second authentication token; and
      
      designating, by the at least one processor of the federated microservice server, one or more claims of the second authentication token for storage by the profile microservice server to produce the one or more claims of the second authentication token designated for storage by the profile microservice server.
  - 7. The method of claim 1, comprising:
    - at the relying party server;
      
      determining, by at least one processor of the relying party server, that the user agent is attempting to access the services provided by the second relying party and that the second relying party is associated with a two-factor authentication; and
      
      generating, by the at least one processor of the relying party server, the request to upgrade the first authentication token.
  - 8. The method of claim 1, comprising:
    - at the relying party server;
      
      determining, by at least one processor of the relying party server, that the user agent is attempting to access services provided by a third relying party associated with the relying party server; and
      
      in response to determining that the user agent is attempting to access the service associated with the third relying party, generating, by the at least one processor of the relying party server, a second request to upgrade the composite token to produce an upgraded composite token.
  - 9. The method of claim 8, comprising:
    - at the user agent;
      
      interacting, by at least one processor of the user computing device and via the relying party server, with the services provided by the first relying party using the upgraded composite token;
      
      interacting, by the at least one processor of the user computing device and via the relying party server, with the services provided by the second relying party using the upgraded composite token; and
      
      interacting, by the at least one processor of the user computing device and via the relying party server, with the services provided by the third relying party using the upgraded composite token.
  - 10. The method of claim 1, comprising:
    - in response to determining that the user agent is currently not involved in the valid identity login session associated with the relying party server, preventing, by the at least one processor, generation of the composite token.

11. A system comprising:
- a composite identity server comprising at least one processor, a memory, and at least one communication interface,wherein the composite identity server is configured to;
  
  receive, by the at least one processor and from a user agent associated with a user computing device, a request to upgrade a first authentication token triggered by a relying party server, wherein the relying party server is associated with services provided by a first relying party and services provided by a second relying party, wherein the first authentication token was issued by a first identity provider to permit the user agent access to the services provided by the first relying party;
  
  determine, by the at least one processor, whether the user agent is currently involved in a valid identity login session associated with the relying party server;
  
  in response to determining that the user agent is currently involved in the valid identity login session associated with the relying party server, redirect, by the at least one processor, the user agent to an identity provider server associated with a second identity provider for authentication;
  
  receive, by the at least one processor and from the identity provider server, a second authentication token, the second authentication token indicating that an authorization code associated with the identity provider server is valid, wherein the second authentication token permits the user agent access to the services provided by the second relying party;
  
  send, by the at least one processor and to a federated microservice server, the second authentication token for transformation, wherein the federated microservice server is specific to the second identity provider;
  
  receive, by the at least one processor and from the federated microservice server, one or more transformed claims of the second authentication token and one or more claims of the second authentication token designated for storage by a profile microservice server;
  
  send, by the at least one processor and to the profile microservice server, the one or more claims of the second authentication token designated for storage by the profile microservice server;
  
  after receiving a storage confirmation from the profile microservice server, redirect, by the at least one processor, the user agent to the relying party server with an authorization code associated with the composite identity server;
  
  after redirecting the user agent to the relying party server, receive, by the at least one processor and from the relying party server, the authorization code associated with the composite identity server;
  
  in response to determining that the authorization code associated with the composite identity server received from the relying party server is valid, send, by the at least one processor and to the relying party server, a composite token comprising;
  
  the one or more transformed claims of the second authentication token; and
  
  one or more claims of the first authentication token,wherein the composite token permits, via the relying part server, the user agent access to the services provided by the first relying party and the services provided by the second relying party.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the composite identity server is configured to:
    - after redirecting the user agent to the identity provider server, receive, by the at least one processor and from the user agent, the authorization code associated with the identity provider server; and
      
      send, by the at least one processor and to the identity provider server, the authorization code associated with the identity provider server for validation.
  - 13. The system of claim 11, wherein the composite identity server is configured to:
    - receive, by the at least one processor and from the relying party server, the composite token and user information identifying a user associated with the user agent;
      
      send, by the at least one processor and to the profile microservice server, the user information; and
      
      receive, by the at least one processor and from the profile microservice server, one or more updated, transformed claims of the second authentication token.
  - 14. The system of claim 13, wherein the composite identity server is configured to:
    - send, by the at least one processor and to a principal microservice, the user information;
      
      receive, by the at least one processor and from the principal microservice, one or more updated claims of the first authentication token; and
      
      generate, by the at least one processor, an updated composite token comprising;
      
      the one or more updated claims of the first authentication token, andthe one or more updated, transformed claims of the second authentication token.
  - 15. The system of claim 11, wherein the composite identity server is configured to:
    - update, by the at least one processor, the composite token to produce an updated composite token, wherein the updated composite token is configured to permit, via the relying party server, interactions with the services provided by the first relying party, the services provided by the second relying party, and services provided by a third relying party.

16. One or more non-transitory computer readable media storing computer-executable instructions that, when executed by at least one processor, cause a composite identity server to:
- receive, by the at least one processor and from a user agent associated with a user computing device, a request to upgrade a first authentication token triggered by a relying party server, wherein the relying party server is associated with services provided by a first relying party and services provided by a second relying party, wherein the first authentication token was issued by a first identity provider to permit the user agent access to the services provided by the first relying party;
  
  determine, by the at least one processor, whether the user agent is currently involved in a valid identity login session associated with the relying party server;
  
  in response to determining that the user agent is currently involved in the valid identity login session associated with the relying party server, redirect, by the at least one processor, the user agent to an identity provider server associated with a second identity provider for authentication;
  
  receive, by the at least one processor and from the identity provider server, a second authentication token, the second authentication token indicating that an authorization code associated with the first identity provider server is valid, wherein the second authentication token permits the user agent access to the services provided by the second relying party;
  
  send, by the at least one processor and to a federated microservice server, the second authentication token for transformation, wherein the federated microservice server is specific to the second identity provider;
  
  receive, by the at least one processor and from the federated microservice server, one or more transformed claims of the second authentication token and one or more claims of the second authentication token designated for storage by a profile microservice server;
  
  send, by the at least one processor and to the profile microservice server, the one or more claims of the second authentication token designated for storage by the profile microservice server;
  
  after receiving a storage confirmation from the profile microservice server, redirect, by the at least one processor, the user agent to the relying party server with an authorization code associated with the composite identity server;
  
  after redirecting the user agent to the relying party server, receive, by the at least one processor and from the relying party server, the authorization code associated with the composite identity server;
  
  in response to determining that the authorization code associated with the composite identity server received from the relying party server is valid, send, by the at least one processor and to the relying party server, a composite token comprising;
  
  the one or more transformed claims of the second authentication token; and
  
  one or more claims of the first authentication token,wherein the composite token permits, via the relying party server, the user agent access to the services provided by the first relying party and the services provided by the second relying party.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more non-transitory computer readable media of claim 16, wherein the instructions, when executed by at least one processor, cause the composite identity server to:
    - after redirecting the user agent to the identity provider server, receive, by the at least one processor and from the user agent, the authorization code associated with the identity provider server; and
      
      send, by the at least one processor and to the identity provider server, the authorization code associated with the identity provider server for validation.
  - 18. The one or more non-transitory computer readable media of claim 16, wherein the instructions, when executed by at least one processor, cause the composite identity server to:
    - receive, by the at least one processor and from the relying party server, the composite token and user information identifying a user associated with the user agent;
      
      send, by the at least one processor and to the profile microservice server, the user information; and
      
      receive, by the at least one processor and from the profile microservice server, one or more updated, transformed claims of the second authentication token.
  - 19. The one or more non-transitory computer readable media of claim 18, wherein the instructions, when executed by at least one processor, cause the composite identity server to:
    - send, by the at least one processor and to a principal microservice, the user information;
      
      receive, by the at least one processor and from the principal microservice, one or more updated claims of the first authentication token; and
      
      generate, by the at least one processor, an updated composite token comprising;
      
      the one or more updated claims of the first authentication token, andthe one or more updated, transformed claims of the second authentication token.
  - 20. The one or more non-transitory computer readable media of claim 16, wherein the instructions, when executed by at least one processor, cause the composite identity server to:
    - update, by the at least one processor, the composite token to produce an updated composite token, wherein the updated composite token is configured to permit, via the relying party server, interactions with the services provided by the first relying party, the services provided by the second relying party, and services provided by a third relying party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Rowe, Bradley Markus, Feijoo, Ricardo, Kludy, Tom Michael, Jain, Ayush, Haagsma, Gerald
Primary Examiner(s)
Kim, Jung W
Assistant Examiner(s)
Louie, Howard H.

Application Number

US15/714,460
Publication Number

US 20190097802A1
Time in Patent Office

806 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/3213   using tickets or tokens, e....

Generating and managing a composite identity token for multi-service use

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Generating and managing a composite identity token for multi-service use

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links