Application identity design

US 20060075475A1
Filed: 12/14/2004
Published: 04/06/2006
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing user credentials over a network to a remote computer application, the method comprising:

storing user credentials for the remote computer application in a central repository that is accessible through the network;

sending a request to a service to perform, on behalf of a user, a particular task involving the remote computer application;

determining whether the service has been granted permission to act on behalf of the user with respect to the remote computer application; and

when the service has permission to act on behalf of the user, using the service to retrieve the user'"'"'s credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user'"'"'s credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

149 Citations

35 Claims

1. A computer-implemented method for providing user credentials over a network to a remote computer application, the method comprising:
- storing user credentials for the remote computer application in a central repository that is accessible through the network;
  
  sending a request to a service to perform, on behalf of a user, a particular task involving the remote computer application;
  
  determining whether the service has been granted permission to act on behalf of the user with respect to the remote computer application; and
  
  when the service has permission to act on behalf of the user, using the service to retrieve the user'"'"'s credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein storing user credentials includes:
    - storing user credentials for a user in a credential storage area of the central repository, the credential storage area being associated with a user account for the user.
  - 3. The method of claim 2, wherein the user'"'"'s credential storage area includes one or more sets of user credentials, each set of user credentials corresponding to a particular remote computer application and being of a type that is specified by the remote computer application.
  - 4. The method of claim 1, wherein the remote computer application includes a description of what type of user credentials are needed from a user in order to access and use the remote computer application.
  - 5. The method of claim 1, wherein the service is associated with a particular addressable endpoint on the network and has the same name as the remote computer application with which the service is associated.
  - 6. The method of claim 3, further comprising:
    - granting permission to a provider of the service to read one or more sets of user credentials from the user'"'"'s credential storage area of the central repository.
  - 7. The method of claim 6, wherein determining whether the service has been granted permission includes:
    - determining whether the provider of the service has been granted read access to the corresponding set of user credentials in the user'"'"'s credential storage area of the central repository.
  - 8. The method of claim 3, further comprising:
    - determining a policy for under what circumstances the service is authorized to act on behalf of the user with respect to the remote computer application; and
      
      granting permission to a provider of the service to read one or more sets of user credentials from the user'"'"'s credential storage area of the central repository only when the policy is not violated.
  - 9. The method of claim 8, wherein determining whether the service has been granted permission includes:
    - determining whether the policy is violated or not; and
      
      determining whether the provider of the service has been granted read access to the corresponding set of user credentials in the user'"'"'s credential storage area of the central repository.
  - 10. The method of claim 1, wherein the user is one or more of:
    - an individual user and an organization representing one or more users.
  - 11. The method of claim 1, wherein the network is an interoperability network including functionality for routing messages through the interoperability network and functionality for mediating differences in communication protocol formats between users, services, and computer applications associated with the interoperability network.

12. A system for providing user credentials over a network to a remote computer application, the system comprising:
- a network connecting a plurality of network nodes, each network node representing one or more of;
  
  a user, a service, and a computer application;
  
  a central repository that is accessible through the network and operable to store user credentials for the computer application;
  
  a service operable to;
  
  receive a request to perform, on behalf of a user, a particular task involving the computer application;
  
  determine whether the service has been granted permission to act on behalf of the user with respect to the computer application; and
  
  when the service has permission to act on behalf of the user, retrieve the user'"'"'s credentials for the computer application from the central repository and to supply the retrieved user credentials to the computer application.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the central repository includes:
    - a plurality of credential storage areas for storing user credentials, each credential storage area being associated with a user account for the user.
  - 14. The system of claim 13, wherein:
    - the user'"'"'s credential storage area includes one or more sets of user credentials, each set of user credentials corresponding to a particular computer application and being of a type that is specified by the computer application.
  - 15. The system of claim 12, wherein the computer application includes a description of what type of user credentials are needed from a user in order to access and use the remote computer application.
  - 16. The system of claim 12, wherein the service is associated with a particular addressable endpoint on the network and has the same as the computer application with which the service is associated.
  - 17. The system of claim 14, further comprising:
    - a read permission granted to a provider of the service to read one or more sets of user credentials from the user'"'"'s credential storage area of the central repository.
  - 18. The system of claim 17, wherein the service is operable to determine whether the service has been granted permission by:
    - determining whether the provider of the service has been granted the read permission.
  - 19. The system of claim 14, further comprising:
    - a policy stating under what circumstances the service is authorized to act on behalf of the user with respect to the remote computer application; and
      
      a read permission granted to a provider of the service to read one or more sets of user credentials from the user'"'"'s credential storage area of the central repository only when the policy is not violated.
  - 20. The system of claim 19, wherein the service is operable to determine whether the service has been granted permission by:
    - determining whether the policy is violated or not; and
      
      determining whether the provider of the service has been granted read access to the corresponding set of user credentials in the user'"'"'s credential storage area of the central repository.
  - 21. The system of claim 12, wherein the user is one or more of:
    - an individual user and an organization representing one or more users.
  - 22. The system of claim 12, wherein the network is an interoperability network including functionality for routing messages through the interoperability network and functionality for mediating differences in communication protocol formats between users, services, and computer applications associated with the interoperability network.

23. A computer program product, stored on a machine-readable medium, comprising instructions operable to cause a computer to:
- store user credentials for the remote computer application in a central repository that is accessible through the network;
  
  send a request to a service to perform, on behalf of a user, a particular task involving the remote computer application;
  
  determine whether the service has been granted permission to act on behalf of the user with respect to the remote computer application; and
  
  when the service has permission to act on behalf of the user, use the service to retrieve the user'"'"'s credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer program product of claim 23, wherein the instructions to store user credentials include instructions to:
    - store user credentials for a user in a credential storage area of the central repository, the credential storage area being associated with a user account for the user.
  - 25. The computer program product of claim 24, wherein the user'"'"'s credential storage area includes one or more sets of user credentials, each set of user credentials corresponding to a particular remote computer application and being of a type that is specified by the remote computer application.
  - 26. The computer program product of claim 23, wherein the remote computer application includes a description of what type of user credentials are needed from a user in order to access and use the remote computer application.
  - 27. The computer program product of claim 23, wherein the service is associated with a particular addressable endpoint on the network and has the same name as the remote computer application with which the service is associated.
  - 28. The computer program product of claim 25, further comprising instructions to:
    - grant permission to a provider of the service to read one or more sets of user credentials from the user'"'"'s credential storage area of the central repository.
  - 29. The computer program product of claim 28, wherein the instructions to determine whether the service has been granted permission include instructions to:
    - determine whether the provider of the service has been granted read access to the corresponding set of user credentials in the user'"'"'s credential storage area of the central repository.
  - 30. The computer program product of claim 25, further comprising instructions to:
    - determine a policy for under what circumstances the service is authorized to act on behalf of the user with respect to the remote computer application; and
      
      grant permission to a provider of the service to read one or more sets of user credentials from the user'"'"'s credential storage area of the central repository only when the policy is not violated.
  - 31. The computer program product of claim 30, wherein the instructions to determine whether the service has been granted permission include instructions to:
    - determine whether the policy is violated or not; and
      
      determine whether the provider of the service has been granted read access to the corresponding set of user credentials in the user'"'"'s credential storage area of the central repository.
  - 32. The computer program product of claim 23, wherein the user is one or more of:
    - an individual user and an organization representing one or more users.
  - 33. The computer program product of claim 23, wherein the network is an interoperability network including functionality for routing messages through the interoperability network and functionality for mediating differences in communication protocol formats between users, services, and computer applications associated with the interoperability network.

34. A computer-implemented method for providing user credentials over a network to a plurality of remote computer applications, the method comprising:
- storing a plurality of sets of user credentials for a user in a central repository that is accessible through the network, each set of user credentials representing information that is required by a remote computer application to uniquely identify the user;
  
  performing a single sign on to the network, using a single set of user credentials for the user;
  
  sending a plurality of requests to a plurality of services, each request being a request to perform, on behalf of a user, a particular task involving a particular remote computer application associated with the service;
  
  for each service that receives a request, determining whether the service has been granted permission to act on behalf of the user with respect to the associated remote computer application; and
  
  for each service that has permission to act on behalf of the user, using the service to retrieve the user'"'"'s credentials for the associated remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

35. A system for providing user credentials over a network to a plurality of computer applications, the system comprising:
- a network connecting a plurality of network nodes, each network node representing one or more of;
  
  a user, a service, and a computer application;
  
  a central repository that is accessible through the network and operable to store a plurality of sets of user credentials for a user, each set of user credentials representing information that is required by a remote computer application to uniquely identify the user;
  
  a login module operable to receive a single sign on to the network from the user, the single sign on using only single set of user credentials for the user;
  
  a plurality of services, each service being operable to;
  
  receive a request to perform, on behalf of a user, a particular task involving a particular computer application associated with the service;
  
  determine whether the service has been granted permission to act on behalf of the user with respect to the computer application; and
  
  when the service has permission to act on behalf of the user, retrieve the user'"'"'s credentials for the particular computer application from the central repository and to supply the retrieved user credentials to the computer application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
GrandCentral Communications Incorporated (Alphabet Inc.)
Inventors
Boulos, Thomas Nabiel, Behera, Prasanta Kumar

Granted Patent

US 7,721,328 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

Application identity design

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Application identity design

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links