Method and system for user-determined authentication in a federated environment
1 Assignment
0 Petitions
Abstract
A method, system, or computer program product is presented for cross-domain, single-sign-on authentication functionality. A user may contract with one or more authentication service providers (ANSPs). E-commerce service providers (ECSPs), such as online banks or online merchants, also maintain a relationship with an ANSP such that the ECSP can trust the authenticated identity of a user that is vouched for by the ANSP on behalf of the user. The user can visit any e-commerce service provider in a federated environment without having to establish an a priori relationship with that particular ECSP. As long as the ECSP's domain has a relationship with at least one of the user's authentication service providers, the user will be able to have a single-sign-on experience at that ECSP.
208 Citations
52 Claims
1. A method for authenticating a user within a data processing system, the method comprising:
receiving at an e-commerce service provider a request from a client for access to a controlled resource; and
allowing a specification of one of a plurality of authentication service providers to be used by the e-commerce service provider in determining access to the controlled resource for the client.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method for authenticating a user within a data processing system, the method comprising:
receiving at a first server a request from a client for access to a controlled resource;
in response to a determination that the first server has an identity of a second server that supports an authentication service that was previously associated with the client, sending an authentication request to the second server from the first server;
in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client:
allowing a user to choose an identity for the second server; and
sending an authentication request to the second server from the first server.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17.

18. An apparatus for authenticating a user within a data processing system, the apparatus comprising:
means for receiving at an e-commerce service provider a request from a client for access to a controlled resource; and
means for allowing a specification of one of a plurality of authentication service providers to be used by the e-commerce service provider in determining access to the controlled resource for the client.
Dependent claims: 19, 20, 21, 22, 23, 24.

25. An apparatus for authenticating a user within a data processing system, the apparatus comprising:
means for receiving at a first server a request from a client for access to a controlled resource;
means for sending an authentication request to the second server from the first server in response to a determination that the first server has an identity of a second server that supports an authentication service that was previously associated with the client;
means for allowing a user to choose an identity for the second server in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client; and
means for sending an authentication request to the second server from the first server in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client.
Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33, 34.

35. A computer program product in a computer readable medium for use in authenticating a user within a data processing system, the computer program product comprising:
means for receiving at an e-commerce service provider a request from a client for access to a controlled resource; and
means for allowing a specification of one of a plurality of authentication service providers to be used by the e-commerce service provider in determining access to the controlled resource for the client.
Dependent claims: 36, 37, 38, 39, 40, 41.

42. A computer program product in a computer readable medium for use in authenticating a user within a data processing system, the computer program product comprising:
means for receiving at a first server a request from a client for access to a controlled resource;
means for sending an authentication request to the second server from the first server in response to a determination that the first server has an identity of a second server that supports an authentication service that was previously associated with the client;
means for allowing a user to choose an identity for the second server in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client; and
means for sending an authentication request to the second server from the first server in response to a determination that the first server does not have an identity of a second server that supports an authentication service that was previously associated with the client.
Dependent claims: 43, 44, 45, 46, 47, 48, 49, 50, 51.

52. A network data message comprising:
a transport protocol header;
a Uniform Resource Identifier (URI) associated with a controlled resource; and
an authentication service provider token that indicates a domain identity of an authentication service provider, wherein the authentication service provider is one of a plurality of authentication service providers in a federated environment that may be used in responding to a request to access the controlled resource.